TryHackMe: MISP Walkthrough (SOC Level 1)

• Introduction to MISP and why it was developed.
• Use cases MISP can be applied to
• Core features and terminologies.
• Dashboard Navigation.
• Event Creation and Management.
• Feeds and Taxonomies.

MISP (Malware Information Sharing Platform) is an open-source platform for collecting, storing, and sharing threat intelligence and Indicators of Compromise (IOCs) related to malware, cyberattacks, financial fraud, and other cyber threats. It operates within communities of trusted members and supports closed, semi-private, and public sharing models. The platform integrates with tools like Network Intrusion Detection Systems (NIDS), log analysis tools, and Security Information and Event Management Systems (SIEM).

Use Cases:

• Malware Reverse Engineering: Understanding malware behavior through shared indicators.
• Security Investigations: Using IOCs to investigate breaches.
• Intelligence Analysis: Tracking adversary capabilities.
• Law Enforcement: Supporting forensic investigations.
• Risk Analysis: Researching and assessing emerging threats.
• Fraud Analysis: Detecting financial fraud via shared indicators.

Core Functionalities:

• IOC Database: Stores technical and non-technical threat information.
• Automatic Correlation: Identifies relationships between attributes and indicators.
• Data Sharing: Supports distributed sharing among MISP instances.
• Import & Export Features: Integrates with systems like NIDS, HIDS, and OpenIOC.
• Event Graph: Visualizes relationships between objects and attributes.
• API Support: Enables system integration for event and intelligence sharing.

Key Terms:

• Events: Linked collections of threat data.
• Attributes: Specific data points in events.
• Objects & Object References: Composed attributes and their relationships.
• Sightings: Time-specific detections for credibility.
• Tags & Taxonomies: Classification and labeling tools.
• Galaxies: Knowledge bases for labeling events/attributes.
• Indicators: Data used to detect malicious activity.

Dashboard Features

• Home Button: Returns to the start screen or a custom home page.
• Event Actions: Manage events, including creation, modification, deletion, publishing, searching, and listing attributes.
• Dashboard: Create custom dashboards using widgets.
• Galaxies: Access a list of MISP Galaxies.
• Input Filters: View or modify rules for data entry, including blocklists and validation rules.
• Global Actions: Access your profile, manuals, news, active organizations, and contribution histograms.
• User Options: Notifications, user profile, and logout functionality.

Event Management Workflow

1. Event Creation:
   • Store general information about incidents or investigations.
   • Define descriptions, risk levels, and distribution levels (e.g., organization-only, community-only, connected communities, or all communities).
   • Optionally use sharing groups for predefined distribution lists.
2. Populating Events:
   • Use templates for specific categories (e.g., phishing email) to add predefined fields.
   • Add attributes manually or via batch imports (e.g., lists of IP addresses) or integrate data from formats like OpenIOC.
   • Include file attachments (e.g., malware samples, reports) and mark malicious files to ensure secure handling.
   • For Intrusion Detection Systems (IDS): Attributes can be flagged for use in IDS signatures
3. Publishing Events:
   • After creation, the organisation admin will review and publish events to make them accessible via defined distribution channels. This will also share the events to the distribution channels set during the creation of the events.

This streamlined process enables analysts to effectively track, manage, and share threat intelligence using MISP.

CIRCL (Computer Incident Respons Center Luxembourg) published an event associated with PupyRAT infection. Your organisation is on alert for remote access trojans and malware in the wild, and you have been tasked to investigate this event and correlate the details with your SIEM. Use what you have learned from the room to identify the event and complete this task.

Start by starting up the attachment machine in task 3. Login with the provided initials. Let’s move on with question 1.

Answer: 1145

Answer:Remote Access

Click on the Event ID to see the details of the event.

Once you are on the event page, look at the list of attributes in the bottom.

Great job everybody! We are done with this short, and theory heavy room. I think the scenario in the end really showed the value of the MISP platform. I am sure we will cover more another day.

In the meanwhile, come back soon for more walkthroughs of rooms on TryHackMe and HackTheBox.