{"id":260,"date":"2024-09-07T07:54:52","date_gmt":"2024-09-07T07:54:52","guid":{"rendered":"https:\/\/paradoxa.me\/?p=260"},"modified":"2024-09-19T08:18:34","modified_gmt":"2024-09-19T08:18:34","slug":"soc-lv-1-try-hack-me","status":"publish","type":"post","link":"https:\/\/paradoxa.me\/index.php\/2024\/09\/07\/soc-lv-1-try-hack-me\/","title":{"rendered":"~ SOC lv.1 – Try Hack Me"},"content":{"rendered":"

SOC lv.1
\nfrom Try Hack Me<\/h1>\n

# <\/strong>Introduction<\/strong><\/h2>\n

While the Jr. Penetration tester was a red team path and also more in-line with the Complete Beginner path; the SOC lv.1 path ,as expected, dives in the opposite spectrum (also known as the blue team).<\/p>\n

The Path covers lots of subjects and it is definitely overwhelming in size.
\nI must say though, once you start the challenges you soon realize that to complete them, you don\u2019t need to know all the different tools…
\nThat\u2019s said I love the fact that they explain so many different ones and they all have pro and cons.<\/p>\n

This article differs from previous ones, as the goal here, is to summarize and briefly describe what we learn in each module and room so I can quickly come back to compare my notes with the material learned.<\/p>\n

Let\u2019s begin…<\/p>\n

# <\/strong>Section 1: <\/strong>Cyber Defence Framework<\/strong><\/h2>\n

– Jr Sec Analyst Intro<\/h3>\n

SOC\u2019s Three-Tier Model, responsibilities and a Practical Example<\/p>\n

– Pyramid of Pain<\/h3>\n

Illustrates how, increasing difficulty for adversaries to operate, corresponds to the type of indicators you detect and counter.
\nTrvial (hash value), Easy (IP addr,), Simple (domain names), Annoying (network and host artifacts), Challenging (tools) and Tough (TTPs).<\/p>\n

– Cyber Kill Chain<\/h3>\n

Outlines the steps attackers take, from Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control, to data exfiltration, to help us as defenders detect and stop threats at each stage.<\/p>\n

– Unified Kill Chain<\/h3>\n

Combines attack stages from various models to provide a comprehensive framework for identifying and disrupting cyberattacks. Divided in three phases: In (Initial Foothold), Through (Network propagation) and Out (Action on Objective).<\/p>\n

– Diamond Model<\/h3>\n

Links adversaries, victims, capabilities and infrastructure to analyses and understand better cyber threats.<\/p>\n

– MITRE<\/h3>\n

Describes the Mitre ATT&CK which is a comprehensive framework that categorizes and tracks cyber adversary tactics, techniques, and procedures (TTPs) to help organizations detect, respond to, and defend against cyber threats.
\nBut also dives in the Repository (CAR), Mitre Engage Framework and Mitre D3F3ND: a website resource for cybersecurity countermeasure.<\/p>\n

– Summit<\/h3>\n

A challenge where we use Pyramid of Pain and Mitre\u2019s acquired knowledge.<\/p>\n

– Eviction<\/h3>\n

Another challenge to put into practices more MITRE ATT&CK teachings.<\/p>\n

# Section 2: <\/strong>Cyber Threat Intelligence<\/strong><\/h2>\n

– Intro to Cyber Threat Intel<\/h3>\n

Introduce us to CTI (cyber threat intelligence) lifecycle, frameworks & standards.<\/p>\n

– Threat Intelligence tools<\/h3>\n

Introduce us to OSINT research and tools such as Urlscan.io, Abuse.ch, Phishtool and Cisco Talos.<\/p>\n

– YARA<\/h3>\n

Used for identifying and classifying malware by creating rules that match patterns of malicious code, files, or behaviors. It\u2019s often called the “pattern-matching Swiss army knife” for malware researchers<\/p>\n

– OpenCTI<\/h3>\n

Open-source threat intelligence platform that centralizes, structures, and visualizes cyber threat information, helping organizations track and analyse threats for improved decision-making and response. It supports collaboration by integrating various data sources, including MITRE ATT&CK, to enhance threat intelligence operations.<\/p>\n

– MISP<\/h3>\n

Malware Information Sharing Platform is an open-source threat intelligence platform for sharing and correlating structured threat data across organizations.<\/p>\n

– Friday Overtime<\/h3>\n

End of the section challenge<\/p>\n

– Trooper<\/h3>\n

Another end of the section challenge focused on OpenCTI<\/p>\n

# Section 3: Network <\/strong>Security & Traffic Analysis<\/strong><\/h2>\n

– Traffic Analysis Essential<\/h3>\n

Explains the levels of security Control: Physical, Technical and Administrative.
\nAnd also the main approaches: Access Control (Firewall, NAC, IAM, Segmentation, VPN\u2026) and Threat Control (IDS\/IPS, Endpoint Protection, SIEM\u2026)<\/p>\n

– Snort<\/h3>\n

Open-source network intrusion detection system (NIDS) used to monitor and analyze network traffic for signs of malicious activity. Can be also use in IPS mode<\/p>\n

– Snort Challenge \u2013 The Basics<\/h3>\n

– Snort Challenge \u2013 Live Attacks<\/h3>\n

– NetworkMiner<\/h3>\n

Network forensics tool that extracts and analyzes data from network traffic captures to help identify and investigate network incidents.<\/p>\n

– Zeek<\/h3>\n

Formerly known as Bro, is a network security monitoring platform that provides detailed logs and insights into network traffic for threat detection and analysis.<\/p>\n

– Zeek Exercise<\/h3>\n

– Brim<\/h3>\n

Brim is an open-source tool for viewing and analyzing big network traffic files, offering a user-friendly interface to explore and investigate network data collected by Zeek and other sources.<\/p>\n

– Whireshark: the basics<\/h3>\n

Widely used GUI network protocol analyses that captures and displays network traffic in real-time, allowing detailed inspection and troubleshooting of network issues.<\/p>\n

– Whireshark: Packet Operation<\/h3>\n

Packet filtering: prior (Capture Filter) or later (Display Filter) by using syntax, operators and expressions<\/p>\n

– Whireshark: Traffic Analysis<\/h3>\n

How to recognise anomalies such as if we are victim of a NMAP scan, Man In the Middle and from other sources and protocols<\/p>\n

– Tshark: The Basics<\/h3>\n

Basically the command-line version of Wireshark, used in the same way for capturing and analyzing network traffic without a graphical interface.<\/p>\n

– Tshark: CLI Wireshark Feature<\/h3>\n

Wireshark commands translated in the CLI<\/p>\n

– Tshark Challenge 1: Teamwork<\/h3>\n

– Tshark Challenge 2: Directory<\/h3>\n

# Section 4: <\/strong>Endpoint Security Monitoring<\/strong><\/h2>\n

– Intro to Endpoint Security<\/h3>\n

Start introducing us to the client logs<\/p>\n

– Core Windows Process<\/h3>\n

Show us what a normal behaviour looks like on a windows operating system.<\/p>\n

– Sysinternals<\/h3>\n

Sysinternals is a suite of advanced system utilities for Windows that help with system troubleshooting, monitoring, and diagnostics.<\/p>\n

– Windows Event Logs<\/h3>\n

Record system, security, and application events on Windows machines, aiding in troubleshooting and monitoring.<\/p>\n

– Sysmon<\/h3>\n

System Monitor is a Windows Sysinternals tool that provides detailed information about system activity, including process creation, network connections, and file modifications, to help with forensic analysis and threat detection.<\/p>\n

– Osquery: The Basics<\/h3>\n

Tool for querying system data with SQL-like queries.<\/p>\n

– Wazuh<\/h3>\n

Open-source security monitoring platform for intrusion detection, log analysis, and compliance management.<\/p>\n

– Monday Monitor<\/h3>\n

End of the section challenge focused on Wazuh and Sysmon<\/p>\n

– Retracted<\/h3>\n

End of the section challenge<\/p>\n

# Section 5: <\/strong>SIEM (Security Information and Event Managment)<\/strong><\/h2>\n

– Introduction to SIEM<\/h3>\n

Security Information and Event Management is a centralized system for collecting, analysing, and managing security data from across an organization’s IT infrastructure.<\/p>\n

– Investigating with ELK 101<\/h3>\n

A set of tools (Elasticsearch, Logstash, and Kibana) used for searching, analysing, and visualizing log data in real-time<\/p>\n

– ItsyBitsy<\/h3>\n

Challenge focused on ELK<\/p>\n

– Splunk: Basics<\/h3>\n

A SIEM platform for searching, monitoring, and analyzing machine data through a web-based interface, commonly used for log management and operational intelligence.<\/p>\n

– Incident Handling with Splunk<\/h3>\n

Use Splunk by following the Cyber Kill Chain Phases.<\/p>\n

– Investigation with Splunk<\/h3>\n

Challenge focused on Splunk<\/p>\n

– Benign<\/h3>\n

Another Challenge focused on Splunk<\/p>\n

# Section 6: <\/strong>DFIR<\/strong> (Digital Forensic & Incident Response)<\/strong><\/h2>\n

– DIFR: An Introduction<\/h3>\n

Digital Forensics and Incident Response is the field focused on investigating cyber incidents and breaches to identify, mitigate, and recover from security threats.<\/p>\n

– Windows Forensic 1<\/h3>\n

Exploring Windows Registry and system infos<\/p>\n

– Windows Forensic 2<\/h3>\n

File system (FAT\/NTFS) and file recovery<\/p>\n

– Linux Forensic<\/h3>\n

System infos and configuration followed by logs files<\/p>\n

– Autopsy<\/h3>\n

A digital forensics platform used for analyzing hard drives and mobile devices, providing tools for data recovery, investigation, and evidence presentation.<\/p>\n

– RedLine<\/h3>\n

A malware analysis and incident response tool used to gather information from infected systems, such as processes, network connections, and system artifacts, to aid in forensic investigations.<\/p>\n

– Kape<\/h3>\n

A digital forensics tool used to collect, analyse, and process data from various sources, such as disk images, memory dumps, and log files, to support investigations and incident response.<\/p>\n

– Volatility<\/h3>\n

An open-source framework for analysing memory dumps to investigate and extract information about running processes, network connections, and other system activities during an incident or forensic examination.<\/p>\n

– Velociraptor<\/h3>\n

An open-source endpoint monitoring and response tool used for detecting and investigating suspicious activities and anomalies on systems. It provides a lightweight, flexible approach for querying and analysing data across endpoints.<\/p>\n

– TheHive Project<\/h3>\n

An open-source incident response platform designed for managing and analyzing security incidents. It provides a collaborative environment for security teams to handle investigations, track incidents, and document findings.<\/p>\n

– Intro to Malware Analysis<\/h3>\n

Fundamentals techniques of Static and Dynamic Malware Analysis and anti-analysis.<\/p>\n

– Unattendent<\/h3>\n

Windows OS Challenge focused on Registry and Autopsy<\/p>\n

– Disgruntled<\/h3>\n

Linux OS Challenge focused on CLI commands and Linux logs<\/p>\n

– Critical<\/h3>\n

Linux Os Challenge focused on memory forensics with Volatility<\/p>\n

– Secret Recipe<\/h3>\n

Windows OS Final challenge<\/p>\n

# Section 7: <\/strong>Phishing<\/strong><\/h2>\n

– Phishing Analysis Fundamentals<\/h3>\n

Introduction on how email works<\/p>\n

– Phishing Emails in Action<\/h3>\n

What to look for to check if an email is legit or a phishing Attack<\/p>\n

– Phishing Analysis Tools<\/h3>\n

Main tools to detect and analyse emails including the PhishToll<\/p>\n

– Phishing Prevention<\/h3>\n

Preventing measure to reduce the risk of attacks (DKIM, DMARC, S\/MIME)<\/p>\n

– The Greenholt Phish<\/h3>\n

Challenge analyse emails and attachment<\/p>\n

– Snapped Phish-ing Line<\/h3>\n

Final Challenge, analyse email and discover the attacker objective<\/p>\n

# Section 8: <\/strong>SOC lv.1 Capstone Challenges<\/strong><\/h2>\n

– Tempest<\/h3>\n

Windows OS Challenge focused on logs, Sysmon, Wireshark and Brim<\/p>\n

– Boogeyman 1<\/h3>\n

Analysing the First attack attempt made by the Boogeyman organization focused on Phishing, Windows logs, Tshark and JQ<\/p>\n

– Boogeyman 2<\/h3>\n

Analysing the Second attack on an Ubuntu machine focused on Phishing and Volatility.<\/p>\n

– Boogeyman 3<\/h3>\n

Analysing the last attack on a Windows machine focused on Sysmon and ELK.<\/p>\n

# Conclusion<\/strong><\/h2>\n

In terms of it\u2019s structure, nothing new thankfully, in the sense that Try Hack Me always have a good amount practice for each subject explained.
\nI think the challenges are more engaging, especially the Capstone section when you have an Enemy that keeps coming back\u2026<\/p>\n

It could be also because, with the knowledge gained you can Improve your security posture of your environment straight away such as me with Snort for example.<\/p>\n

The Verdict therefore is very positive, there where only a couple of rooms that unfortunately where time consuming as RedLine was very slow but that was the tool not the path itself, and I\u2019m still glad I was able to play with RedLine at the end of the day.<\/p>\n

I\u2019ll be honest; before I started the path I was planning, once finished, to go back to red side but since I enjoyed the blue team, I will double down with the \u201cSecurity Engineer\u201d before embarking in the \u201cRed Teaming\u201d path.<\/p>\n","protected":false},"excerpt":{"rendered":"

SOC lv.1 from Try Hack Me # Introduction While the Jr. Penetration tester was a red team path and also more in-line with the Complete Beginner path; the SOC lv.1 […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"iawp_total_views":23,"footnotes":""},"categories":[38,44],"tags":[56,53,52,54,42],"class_list":["post-260","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","category-tryhackme","tag-blue-team","tag-dfir","tag-siem","tag-soc","tag-try-hack-me"],"_links":{"self":[{"href":"https:\/\/paradoxa.me\/index.php\/wp-json\/wp\/v2\/posts\/260","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/paradoxa.me\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/paradoxa.me\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/paradoxa.me\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/paradoxa.me\/index.php\/wp-json\/wp\/v2\/comments?post=260"}],"version-history":[{"count":1,"href":"https:\/\/paradoxa.me\/index.php\/wp-json\/wp\/v2\/posts\/260\/revisions"}],"predecessor-version":[{"id":261,"href":"https:\/\/paradoxa.me\/index.php\/wp-json\/wp\/v2\/posts\/260\/revisions\/261"}],"wp:attachment":[{"href":"https:\/\/paradoxa.me\/index.php\/wp-json\/wp\/v2\/media?parent=260"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/paradoxa.me\/index.php\/wp-json\/wp\/v2\/categories?post=260"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/paradoxa.me\/index.php\/wp-json\/wp\/v2\/tags?post=260"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}