Hello 👋

Welcome to my blog. I’ll be writing about InfoSec, Technology, Programming, or whatever else interests me.

CTF Writeup: PoisonedCredentials Lab

Analyze network traffic for LLMNR/NBT-NS poisoning attacks using Wireshark to identify the rogue machine, compromised accounts, and affected systems. When I first saw this lab and the description, I was a little confused about what LLMNR and NBT-NS poisoning attacks were. I’m familiar with poisoning attacks like ARP and DNS, but the LLMNR and NBT-NS protocols didn’t ring a bell for me. A lot of cybersecurity is research and understanding concepts, so I was happy to jump into this lab from CyberDefenders and learn something new. ...

November 15, 2025 · 6 min · 1156 words · Ligniform

CTF Writeup: L'Espion Lab

Investigate an insider threat by analyzing GitHub repositories for exposed credentials, using OSINT tools to correlate online accounts, and performing image analysis to identify locations. Unlike in any of my previous write-ups, this time I completed the entire lab before sitting down to write this. I think it’s important to keep the flow of how I answered all the questions, including any mistakes or rabbit-holes. With an OSINT-focused room like this one, it’s very easy to find false positives and go on a deep dive on profiles that aren’t related at all to the target. ...

November 5, 2025 · 12 min · 2508 words · Ligniform

CTF Writeup: Yellow RAT

Analyze malware artifacts using threat intelligence platforms like VirusTotal to identify IOCs, C2 servers, and understand adversary tactics. Back again for another CyberDefenders lab. This time, the Yellow RAT Lab. My previous writeup had a similar premise to this lab: analyze a malware sample and identify the TTPs, IOCs, and anything else that can potentially be used to build detection rules or map out the adversary further. Let’s get into it! Scenario Here’s the introductory text we get for this lab: ...

October 30, 2025 · 10 min · 1929 words · Ligniform

CTF Writeup: Oski Lab

Back to CyberDefenders again today. This time doing the Oski lab. From the looks of things this is more of a Malware analysis type lab. Here’s the description: Analyze a sandbox report using Any.Run to identify Stealc malware behavior, extract configuration details, and map observed tactics to MITRE ATT&CK. Let’s take a look at the scenario further! Introduction The accountant at the company received an email titled “Urgent New Order” from a client late in the afternoon. When he attempted to access the attached invoice, he discovered it contained false order information. Subsequently, the SIEM solution generated an alert regarding downloading a potentially malicious file. Upon initial investigation, it was found that the PPT file might be responsible for this download. Could you please conduct a detailed examination of this file? ...

October 26, 2025 · 7 min · 1481 words · Ligniform

CTF Writeup: The Phishing Pond

Catch the phish before the phish catches you. Introduction Back to a brand new (at the time of writing) TryHackMe room. There’s been a trend of phishing-related challenges lately on this blog. Being able to recognize phishing emails, and analyze the process of what happens when a phishing link is clicked, is an important tool to have as an analyst. This challenge room is Easy. The information given is rather introductory as well, which is nice to see if you’re still starting out using THM. ...

October 21, 2025 · 12 min · 2483 words · Ligniform