Jasper Alblas
TryHackMe: Threat Intelligence Tools Walkthrough (SOC Level 1)
Welcome to this walkthrough of the Threat Intelligence Tools Room on TryHackMe. In this room we will cover different OSINT tools used to conduct security threat assessments and investigations.
This room is part of the SOC Level 1 Path.
Room URL: https://tryhackme.com/r/room/threatinteltools
I am making these walkthroughs to keep myself motivated to learn cyber security, and ensure that I remember the knowledge gained by these challenges on HTB and THM.
Join me on learning cyber security. I will try and explain concepts as I go, to differentiate myself from other walkthroughs.
Now, let’s move on!
Table of Contents
Task 1: Room Outline
This room will cover the concepts of Threat Intelligence and various open-source tools that are useful. The learning objectives include:
- Understanding the basics of threat intelligence & its classifications.
- Using UrlScan.io to scan for malicious URLs.
- Using Abuse.ch to track malware and botnet indicators.
- Investigate phishing emails using PhishTool
- Using Cisco’s Talos Intelligence platform for intel gathering.
Questions
Read the description! Continue to the next task.
Answer: No answer needed
Task 2: Threat Intelligence
Threat Intelligence involves analyzing data to identify patterns and mitigate risks from existing or emerging threats targeting organizations, industries, sectors, or governments. To reduce risks, key questions include: Who’s attacking? What are their motivations and capabilities? What indicators should be monitored?
Threat Intelligence classifications include:
- Strategic Intel: High-level insights into threats and risks, guiding business decisions.
- Technical Intel: Identifying attack evidence and artifacts to inform defense mechanisms.
- Tactical Intel: Examining adversaries’ tactics, techniques, and procedures (TTPs) to improve security controls.
- Operational Intel: Understanding an adversary’s motives and targeted assets to enhance defenses.
Questions
I’ve read on Threat Intel and the classifications
Answer: No answer needed
Task 3: UrlScan.io
Urlscan.io is a free service for scanning and analyzing websites, automating the process of crawling websites to track activities and interactions. When a URL is submitted, the service records information such as domains, IP addresses, requested resources, technologies used, and other metadata.
Key areas of the URL scan results include:
- Summary: General information about the URL, including IP address, domain registration, page history, and a screenshot.
- HTTP: Details about HTTP connections, including data fetched and file types.
- Redirects: Information on any identified redirects (HTTP or client-side).
- Links: Outgoing links from the homepage.
- Behaviour: Variables and cookies found, which may indicate the site’s frameworks.
- Indicators: Lists of IPs, domains, and hashes linked to the site. These indicators do not necessarily indicate malicious activity.
Note that results may vary over time due to the dynamic nature of internet activities.
Questions
What was TryHackMe’s Cisco Umbrella Rank based on the screenshot?
The screenshot tells use the answer in the summary section, which covers a variety of info on the TryHackMe domain. The section mentions: The Cisco Umbrella rank of the primary domain is 345612.
Answer: 345612
How many domains did UrlScan.io identify on the screenshot?
In the same summary section, on the first line, it mentions that this website contained 17 IPs in 4 countries across 13 domains…
Answer: 13
What was the main domain registrar listed on the screenshot?
In the screenshot you will find a section called Live information. In it you will find the main domain registrar. In this case it is NAMECHEAP INC.
Answer: NAMECHEAP INC
What was the main IP address identified for TryHackMe on the screenshot?
Another time we have to look at the summary section. Here it says the IPv6 IP Address on line 2: 2606:4700:10::ac43:1b0a.
Answer: 2606:4700:10::ac43:1b0a
Task 4: Abuse.ch
Abuse.ch is a cybersecurity research project hosted by the Bern University of Applied Sciences in Switzerland. It focuses on tracking malware and botnets through various platforms:
- Malware Bazaar: A database for malware collection and analysis, supporting sample uploads, hunting with tags and signatures, and dashboard tools.
https://bazaar.abuse.ch/ - Feodo Tracker: Tracks botnet C2 servers (e.g., Dridex, Emotet) and provides searchable intelligence, IP blocklists, and mitigation information.
https://feodotracker.abuse.ch/ - SSL Blacklist: Identifies malicious SSL connections and JA3 fingerprints, offering downloadable deny lists for threat hunting.
https://sslbl.abuse.ch/ - URLhaus: Shares and tracks malicious URLs used for malware distribution, with feeds customizable by country, ASN, or TLD.
https://urlhaus.abuse.ch/ - ThreatFox: Shares and exports malware IOCs in formats like MISP, Suricata rules, and CSV files.
https://threatfox.abuse.ch/
Each platform provides essential tools and resources for security analysts to detect, investigate, and mitigate cyber threats.
Questions
The IOC 212.192.246.30:5555 is identified under which malware alias name on ThreatFox?
IOC stands for Indicator of Compromise.
We can simply search for the specified IOC by looking in the ThreatFox database:
https://threatfox.abuse.ch/browse
Enter ioc:212.192.246.30:5555 in the search input field.
The results show that the malware name is Mirai, but we need the alias here. So click into the details, and you will find the answer.
The page is found here:
https://threatfox.abuse.ch/ioc/395319/
The answer is Katana.
Answer: Katana
Which malware is associated with the JA3 Fingerprint 51c64c77e60f3980eea90869b68c58a8 on SSL Blacklist?
Go to this page:
https://sslbl.abuse.ch/ja3-fingerprints/ to search for JA3 fingerpints.
Search for the string in the question, and you will find the following result:
https://sslbl.abuse.ch/ja3-fingerprints/51c64c77e60f3980eea90869b68c58a8
Answer: Dridex
From the statistics page on URLHaus, what malware-hosting network has the ASN number AS14061?
Visit the statistics page on: https://urlhaus.abuse.ch/statistics/.
Search on the page for AS14061.
You should find the following result:
| Rank | ASN | Country | Average Reaction Time | Malware URLs |
|---|---|---|---|---|
| 1 | AS4837 CHINA169-Backbone | CN | 2 days, 13 hours, 56 minutes | 889’814 |
| 2 | AS9829 BSNL-NIB | IN | 9 hours, 21 minutes | 401’019 |
| 3 | AS4134 CHINANET-BACKBONE | CN | 4 days, 2 hours, 55 minutes | 184’326 |
| 4 | AS17488 HATHWAY-NET-AP | IN | 5 hours, 59 minutes | 142’586 |
| 5 | AS8661 PTK | AL | 2 days, 1 hours, 28 minutes | 97’550 |
| 6 | AS207569 I-SERVERS-NORTH-EU | RU | 23 hours, 40 minutes | 91’316 |
| 7 | AS17816 CHINA169-GZ | CN | 1 day, 8 hours, 58 minutes | 84’562 |
| 8 | AS13335 CLOUDFLARENET | US | 3 days, 7 hours, 36 minutes | 84’482 |
| 9 | AS14061 DIGITALOCEAN-ASN | US | 4 days, 9 hours, 39 minutes | 57’692 |
Answer: DIGITALOCEAN-ASN
Which country is the botnet IP address 178.134.47.166 associated with according to FeodoTracker?
Start by going to the following page:
https://feodotracker.abuse.ch/browse/
Search for the mentioned IP address and you will get the following result.
In case you are unsure, the country code GE stands for Georgia.
Answer: Georgia
Task 5: PhishTool
Email Phishing: A primary method for initiating cyberattacks, phishing emails trick users into interacting with malicious files or links. These attacks often lead to malware infections, credential theft, financial fraud, or ransomware.
PhishTool: A tool designed to elevate phishing awareness and assist in email security through detailed analysis and reporting.
Key Features of PhishTool:
- Email Analysis: Extracts metadata and investigates headers, attachments, URLs, and security details (SPF, DKIM, DMARC).
- Heuristic Intelligence: Integrates OSINT for insights into attackers’ tactics and techniques (TTPs).
- Classification & Reporting: Allows quick classification of emails and generates forensic reports.
PhishTool Versions:
- Community: Focuses on core features like analysis and reporting.
- Enterprise: Includes additional capabilities like user-reported phishing management, reporting back findings, and integration with Microsoft 365 and Google Workspace.
PhishTool Dashboard Highlights:
- Analysis Tab: Upload emails for in-depth examination, review headers, attachments, and URLs, and flag malicious indicators.
- Resolution: Classify emails, set flagged artifacts, and finalize analysis details.
- Other Tabs:
- History: Tracks all previous submissions.
- In-tray (Enterprise): Processes reports from team integrations.
Questions
We will now play a scenario: You are a SOC Analyst and have been tasked to analyse a suspicious email, Email1.eml. To solve the task, open the email using Thunderbird on the attached VM, analyse it and answer the questions below.
Note: The email is saved in the Emails folder on the Desktop. Open Email1.eml. The email looks like this:
Let’s have a go at these questions.
What social media platform is the attacker trying to pose as in the email?
If you have used LinkedIn before, you will recognize it immediately.
Answer: LinkedIn
What is the senders email address?
You can see the answer in the complete top of the screenshot.
Answer: darkabutla@sc500.whpservers.com
What is the recipient’s email address?
Another easy one, which can easily be seen in the header.
Answer: cabbagecare@hotsmail.com
What is the Originating IP address? Defang the IP address.
Now the questions get more difficult. For this we need to look at the Message Source. You can find it under View > Message Source, or by pressing Ctrl+U.
This opens a text file with a lot more information.
Of special interest to us is the following information:
We can defang this IP (204.93.183.11) by using CyberChef:
https://gchq.github.io/CyberChef/#recipe=Defang_IP_Addresses()
Defanging simply means modifying the IP Address to a more human-readable format or preventing someone from clicking on it.
Cyberchef will give the answer in the output field if you put the found IP address in the input field.
Answer: 204[.]93[.]183[.]11
How many hops did the email go through to get to the recipient?
Here comes the final phishing question. If you go back to the message source and read from the beginning you can find 4 different sections starting with Received:
Answer: 4
Task 6: Cisco Talos Intelligence
Cisco Talos is a cybersecurity team that provides actionable threat intelligence and protection against emerging threats through its platform, Talos Intelligence. It collects and analyzes extensive data from Cisco products to offer insights and defense capabilities.
Key Teams in Cisco Talos:
- Threat Intelligence & Interdiction: Correlates and tracks threats, turning IOCs into detailed intelligence.
- Detection Research: Analyzes vulnerabilities and malware to develop detection rules.
- Engineering & Development: Maintains and updates inspection engines for emerging threats.
- Vulnerability Research & Discovery: Identifies and reports security vulnerabilities to vendors.
- Communities: Manages the team’s public image and open-source contributions.
- Global Outreach: Shares intelligence through publications for customers and the security community.
Talos Intelligence Dashboard Features:
- Reputation Lookup: Interactive world map showing email traffic and categorizing emails as legitimate, spam, or malware. Detailed data on IPs and hostnames is accessible via markers.
- Vulnerability Information: Reports on disclosed and zero-day vulnerabilities, including CVEs, CVSS scores, timelines, and Snort rules.
- Reputation Center: Enables threat data searches for IPs and SHA256 file hashes. Provides insights into email and spam data.
Talos Intelligence equips analysts with tools for threat detection, analysis, and actionable insights.
Questions
Use the information gathered from inspecting the Email1.eml file from Task 5to answer the following questions using Cisco Talos Intelligence. Please note that the VM launched in Task 5 would not have access to the Internet.
What is the listed domain of the IP address from the previous task?
Visit Talos Intelligence: https://talosintelligence.com/
The IP Address we found in the previous task was 204.93.183.11.
Search for the IP and you will reach the following page:
https://talosintelligence.com/reputation_center/lookup?search=204.93.183.11
Answer: scnet.net
(Note: I tried multiple times, and sometimes I got another domain which was not accepted!)
What is the customer name of the IP address?
Talos did not provide this information, so I visited the following page:
https://lookup.icann.org/en/lookup
Search for the IP and you will get the answer:
Answer: Complete Web Reviews
Task 7: Scenario 1
Scenario: You are a SOC Analyst. Several suspicious emails have been forwarded to you from other coworkers. You must obtain details from each email to triage the incidents reported.
Task: Use the tools and knowledge discussed throughout this room (or use your resources) to help you analyze Email2.emlfound on the VM attached to Task 5 and use the information to answer the questions.
Questions
According to Email2.eml, what is the recipient’s email address?
Open up Email2.eml found on the VM (/home/ubuntu/Desktop/Emails).
You will find the recipient email in the header.
Answer: chris.lyons@supercarcenterdetroit.com
On VirusTotal, the attached file can also be identified by a Detection Alias, which starts with an H.
Now, I did not want to transfer the attachment to my own PC and was unable to use a AttackBox as I had no way to transfer the file from the VM without internet.
Knowing VirusTotal, I remember that we can search on file hashes. These files hashes uniquely identify a file, and can therefore be used to search on malware on VirusTotal.
We can find the hash with the sha256sum program:
The hash is 435bfc4c3a3c887fd39c058e8c11863d5dd1f05e0c7a86e232c93d0e979fdb28.
Searching on VirusTotal brings us to the following page:
https://www.virustotal.com/gui/file/435bfc4c3a3c887fd39c058e8c11863d5dd1f05e0c7a86e232c93d0e979fdb28
Here, different security vendors have analyzed the file, each with their own Detection Alias. The one THM expects is the alias given by Avira (no cloud): HIDDENEXT/Worm.Gen
Answer: HIDDENEXT/Worm.Gen
Task 8: Scenario 2
One down, one to go. Let’s move on!
Scenario: You are a SOC Analyst. Several suspicious emails have been forwarded to you from other coworkers. You must obtain details from each email to triage the incidents reported.
Task: Use the tools and knowledge discussed throughout this room (or use your resources) to help you analyze Email3.eml found on the VM attached to Task 5 and use the information to answer the questions.
Questions
What is the name of the attachment on Email3.eml?
Open up Email3 in the same location as Email1 and Email2.
Once more an email with attachment. The attachment is called Sales_Receipt 5606.xls.
Answer: Sales_Receipt 5606.xls
What malware family is associated with the attachment on Email3.eml?
As before, I will read the hash value of the file. This time I will use the md5sum program.
The md5 hash is e63deaea51f7cc2064ff808e11e1ad55.
Again, we can search on VirusTotal with this hash, which will lead to the following page:
https://www.virustotal.com/gui/file/b8ef959a9176aef07fdca8705254a163b50b49a17217a4ff0107487f59d4a35d
If you read under Associations you will find the answer: Dridex.
Answer: Dridex
Task 9: Conclusion
You have come to the end of the room. However, this is just the tip of the iceberg for open-source threat intelligence tools that can help you as an analyst triage through incidents. There are plenty of more tools that may have more functionalities than the ones discussed in this room.
Check out these rooms to dive deeper into Threat Intelligence:
Questions
Read the above and completed the room
Answer: No answer needed
Congratulations on completing Threat Intelligence Tools!!!
This room covered a bunch of Threat Intelligence Tools, and gave us the know how on how to investigate the threat of files, URLs and more. I hope you like it as much as I did. Come back soon for more walkthroughs of rooms on TryHackMe and HackTheBox.
Find more of my walkthrough here.
Like my articles?
You are welcome to comment this article, and please share with friends 🙂
I would be even more grateful if you support me by buying me a cup of coffee:
I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link:
