TryHackMe: Threat Intelligence Tools Walkthrough (SOC Level 1)

January 6, 2025 Jasper
Welcome to this walkthrough of the Cyber Threat Intel Room on TryHackMe.
In this room we will cover different OSINT tools used to conduct security threat assessments and investigations.

This room is part of the SOC Level 1 Path.

Room URL: https://tryhackme.com/r/room/threatinteltools

I am making these walkthroughs to keep myself motivated to learn cyber security, and ensure that I remember the knowledge gained by these challenges on HTB and THM.

Join me in learning cyber security. I will try and explain concepts as I go, to differentiate myself from other walkthroughs.

Now, let’s move on!


Task 1: Room Outline

This room will cover the concepts of Threat Intelligence and various open-source tools that are useful. The learning objectives include:

  • Understanding the basics of threat intelligence & its classifications.
  • Using UrlScan.io to scan for malicious URLs.
  • Using Abuse.ch to track malware and botnet indicators.
  • Investigating phishing emails using PhishTool.
  • Using Cisco’s Talos Intelligence platform for intel gathering.

Questions

Read the description! Continue to the next task.

Answer: No answer needed


Task 2: Threat Intelligence

Threat Intelligence involves analyzing data to identify patterns and mitigate risks from existing or emerging threats targeting organizations, industries, sectors, or governments. To reduce risks, key questions include: Who’s attacking? What are their motivations and capabilities? What indicators should be monitored?

Threat Intelligence classifications include:

  1. Strategic Intel: High-level insights into threats and risks, guiding business decisions.
  2. Technical Intel: Identifying attack evidence and artifacts to inform defense mechanisms.
  3. Tactical Intel: Examining adversaries’ tactics, techniques, and procedures (TTPs) to improve security controls.
  4. Operational Intel: Understanding an adversary’s motives and targeted assets to enhance defenses.

Questions

I’ve read on Threat Intel and the classifications

Answer: No answer needed


Task 3: UrlScan.io

Urlscan.io is a free service for scanning and analyzing websites, automating the process of crawling websites to track activities and interactions. When a URL is submitted, the service records information such as domains, IP addresses, requested resources, technologies used, and other metadata.

Key areas of the URL scan results include:

  1. Summary: General information about the URL, including IP address, domain registration, page history, and a screenshot.
  2. HTTP: Details about HTTP connections, including data fetched and file types.
  3. Redirects: Information on any identified redirects (HTTP or client-side).
  4. Links: Outgoing links from the homepage.
  5. Behaviour: Variables and cookies found, which may indicate the site’s frameworks.
  6. Indicators: Lists of IPs, domains, and hashes linked to the site. These indicators do not necessarily indicate malicious activity.

Note that results may vary over time due to the dynamic nature of internet activities.

Questions

What was TryHackMe’s Cisco Umbrella Rank based on the screenshot?

The screenshot gives us the answer in the summary section, which covers a variety of info on the TryHackMe domain. The section mentions: The Cisco Umbrella rank of the primary domain is 345612.

Answer: 345612

How many domains did UrlScan.io identify on the screenshot?

In the same summary section, on the first line, it mentions that this website contained 17 IPs in 4 countries across 13 domains…

Answer: 13

What was the main domain registrar listed on the screenshot?

In the screenshot you will find a section called Live information. In it you will find the main domain registrar. In this case it is NAMECHEAP INC.

Answer: NAMECHEAP INC

What was the main IP address identified for TryHackMe on the screenshot?

Again we look at the summary section. Line 2 lists the IPv6 address: 2606:4700:10::ac43:1b0a.

Answer: 2606:4700:10::ac43:1b0a


Task 4: Abuse.ch

Abuse.ch is a cybersecurity research project hosted by the Bern University of Applied Sciences in Switzerland. It focuses on tracking malware and botnets through various platforms:

  1. Malware Bazaar: A database for malware collection and analysis, supporting sample uploads, hunting with tags and signatures, and dashboard tools.
    https://bazaar.abuse.ch/
  2. Feodo Tracker: Tracks botnet C2 servers (e.g., Dridex, Emotet) and provides searchable intelligence, IP blocklists, and mitigation information.
    https://feodotracker.abuse.ch/
  3. SSL Blacklist: Identifies malicious SSL connections and JA3 fingerprints, offering downloadable deny lists for threat hunting.
    https://sslbl.abuse.ch/
  4. URLhaus: Shares and tracks malicious URLs used for malware distribution, with feeds customizable by country, ASN, or TLD.
    https://urlhaus.abuse.ch/
  5. ThreatFox: Shares and exports malware IOCs in formats like MISP, Suricata rules, and CSV files.
    https://threatfox.abuse.ch/

Each platform provides essential tools and resources for security analysts to detect, investigate, and mitigate cyber threats.

Questions

The IOC 212.192.246.30:5555 is identified under which malware alias name on ThreatFox?

IOC stands for Indicator of Compromise.

We can simply search for the specified IOC by looking in the ThreatFox database:

https://threatfox.abuse.ch/browse/

Enter ioc:212.192.246.30:5555 in the search input field.

ThreatFox results


The results show that the malware name is Mirai, but we need the alias here. So click into the details, and you will find the answer. The page is found here:
https://threatfox.abuse.ch/ioc/395319/

Malware details


The answer is Katana.

Answer: Katana

Which malware is associated with the JA3 Fingerprint 51c64c77e60f3980eea90869b68c58a8 on SSL Blacklist?

Go to this page: https://sslbl.abuse.ch/ja3-fingerprints/ to search for JA3 fingerprints.

Search for the string in the question, and you will find the following result:

https://sslbl.abuse.ch/ja3-fingerprints/51c64c77e60f3980eea90869b68c58a8/

SSL blacklist result


Answer: Dridex

From the statistics page on URLHaus, what malware-hosting network has the ASN number AS14061?

Visit the statistics page on: https://urlhaus.abuse.ch/statistics/.

Search on the page for AS14061.

You should find the following result:

Rank  ASN                           Country  Average Reaction Time          Malware URLs
1     AS4837 CHINA169-Backbone      CN       2 days, 13 hours, 56 minutes   889’814
2     AS9829 BSNL-NIB               IN       9 hours, 21 minutes            401’019
3     AS4134 CHINANET-BACKBONE      CN       4 days, 2 hours, 55 minutes    184’326
4     AS17488 HATHWAY-NET-AP        IN       5 hours, 59 minutes            142’586
5     AS8661 PTK                    AL       2 days, 1 hours, 28 minutes    97’550
6     AS207569 I-SERVERS-NORTH-EU   RU       23 hours, 40 minutes           91’316
7     AS17816 CHINA169-GZ           CN       1 day, 8 hours, 58 minutes     84’562
8     AS13335 CLOUDFLARENET         US       3 days, 7 hours, 36 minutes    84’482
9     AS14061 DIGITALOCEAN-ASN      US       4 days, 9 hours, 39 minutes    57’692

Answer: DIGITALOCEAN-ASN

Which country is the botnet IP address 178.134.47.166 associated with according to FeodoTracker?

Start by going to the following page: https://feodotracker.abuse.ch/browse/

Search for the mentioned IP address and you will get the following result.

Feodo Tracker results

In case you are unsure, the country code GE stands for Georgia.

Answer: Georgia


Task 5: PhishTool

Email Phishing: A primary method for initiating cyberattacks, phishing emails trick users into interacting with malicious files or links. These attacks often lead to malware infections, credential theft, financial fraud, or ransomware.

PhishTool: A tool designed to elevate phishing awareness and assist in email security through detailed analysis and reporting.

Key Features of PhishTool:

  • Email Analysis: Extracts metadata and investigates headers, attachments, URLs, and security details (SPF, DKIM, DMARC).
  • Heuristic Intelligence: Integrates OSINT for insights into attackers’ tactics and techniques (TTPs).
  • Classification & Reporting: Allows quick classification of emails and generates forensic reports.

PhishTool Versions:

  • Community: Focuses on core features like analysis and reporting.
  • Enterprise: Includes additional capabilities like user-reported phishing management, reporting back findings, and integration with Microsoft 365 and Google Workspace.

PhishTool Dashboard Highlights:

  • Analysis Tab: Upload emails for in-depth examination, review headers, attachments, and URLs, and flag malicious indicators.
  • Resolution: Classify emails, set flagged artifacts, and finalize analysis details.
  • Other Tabs:
    • History: Tracks all previous submissions.
    • In-tray (Enterprise): Processes reports from team integrations.

Questions

We will now play a scenario: You are a SOC Analyst and have been tasked to analyse a suspicious email, Email1.eml. To solve the task, open the email using Thunderbird on the attached VM, analyse it and answer the questions below.

Note: The email is saved in the Emails folder on the Desktop. Open Email1.eml. The email looks like this:

Suspicious email


Let’s have a go at these questions.

What social media platform is the attacker trying to pose as in the email?

If you have used LinkedIn before, you will recognize it immediately.

Answer: LinkedIn

What is the sender’s email address?

You can see the answer at the very top of the screenshot.

Answer: darkabutla@sc500.whpservers.com

What is the recipient’s email address?

Another easy one; the recipient is visible in the header.

Answer: cabbagecare@hotsmail.com

What is the Originating IP address? Defang the IP address.

Now the questions get more difficult. For this we need to look at the Message Source. You can find it under View > Message Source, or by pressing Ctrl+U.

Message source option


This opens a text file with a lot more information.

Of special interest to us is the originating IP address, 204.93.183.11. We can defang it using CyberChef:

https://gchq.github.io/CyberChef/#recipe=Defang_IP_Addresses()

Defanging means rewriting an indicator, here by replacing each dot with [.], so that it cannot be clicked or automatically resolved when pasted into a report or chat, while still remaining readable.

CyberChef will give the answer in the output field if you put the found IP address in the input field.

Answer: 204[.]93[.]183[.]11

How many hops did the email go through to get to the recipient?

Here comes the final phishing question. Every mail server that handles a message prepends its own Received: header, so counting them gives the number of hops. If you go back to the message source and read from the beginning you can find 4 different sections starting with Received:

Email hops


Answer: 4
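The header checks in this task (sender, recipient, originating IP, hop count, defanging) can be done without a GUI. The following script is an added example, not part of the original walkthrough or of PhishTool, and it runs against a constructed sample message rather than the room’s Email1.eml; the header names it looks for (Received, X-Originating-IP) are standard, but the hostnames and the addresses from the reserved documentation ranges 198.51.100.0/24 and 203.0.113.0/24 are made up for the demonstration.

```python
import re
from typing import Optional
from email import message_from_string, policy
from email.message import EmailMessage

# Constructed sample message (NOT the room's Email1.eml): four Received: headers
# and an X-Originating-IP header. All hosts and IPs are documentation values.
SAMPLE_EML = """\
Received: from mx4.example.net (mx4.example.net [198.51.100.4])
 by inbox.example.com with ESMTP id 4D; Tue, 7 Jan 2025 10:00:04 +0000
Received: from mx3.example.net (mx3.example.net [198.51.100.3])
 by mx4.example.net with ESMTP id 3C; Tue, 7 Jan 2025 10:00:02 +0000
Received: from mx2.example.net (mx2.example.net [198.51.100.2])
 by mx3.example.net with ESMTP id 2B; Tue, 7 Jan 2025 10:00:00 +0000
Received: from relay.sender-host.example ([203.0.113.45])
 by mx2.example.net with ESMTP id 1A; Tue, 7 Jan 2025 09:59:58 +0000
X-Originating-IP: [203.0.113.45]
From: "Social Network" <alerts@not-the-real-site.example>
To: victim@example.com
Subject: You have a new connection request
Content-Type: text/plain; charset="utf-8"

You have 1 new request. Review it here: http://login-verify.example/reset
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL = re.compile(r"""https?://[^\s<>"']+""")


def parse_eml(raw: str) -> EmailMessage:
    """Parse an RFC 5322 message; policy.default unfolds multi-line headers."""
    return message_from_string(raw, policy=policy.default)


def count_hops(msg: EmailMessage) -> int:
    """Each MTA that handled the message prepended a Received: header."""
    return len(msg.get_all("Received", []))


def originating_ip(msg: EmailMessage) -> Optional[str]:
    """Prefer X-Originating-IP; otherwise take the first IPv4 literal from the
    bottom-most Received: header, which is the hop closest to the sender."""
    xoip = msg.get("X-Originating-IP")
    if xoip:
        m = IPV4.search(xoip)
        if m:
            return m.group(0)
    received = msg.get_all("Received", [])
    if received:
        m = IPV4.search(received[-1])
        if m:
            return m.group(0)
    return None


def defang_ip(ip: str) -> str:
    """204.93.183.11 -> 204[.]93[.]183[.]11 (same output as CyberChef's Defang IP)."""
    return ip.replace(".", "[.]")


def defang_url(url: str) -> str:
    """http(s):// -> hxxp(s):// and dots -> [.] so the link is not clickable."""
    return re.sub(r"^http", "hxxp", url, count=1).replace(".", "[.]")


def defanged_urls(msg: EmailMessage) -> list:
    """Collect every URL from the plain-text body, already defanged."""
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    return [defang_url(u) for u in URL.findall(text)]


def triage(raw: str) -> dict:
    """Answer the Task 5 style questions for one message in a single pass."""
    msg = parse_eml(raw)
    ip = originating_ip(msg)
    return {
        "sender": str(msg["From"]),
        "recipient": str(msg["To"]),
        "hops": count_hops(msg),
        "originating_ip": ip,
        "originating_ip_defanged": defang_ip(ip) if ip else None,
        "urls": defanged_urls(msg),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

To use it on a real file from the VM, read the .eml into a string and pass it to triage(); note that X-Originating-IP is optional and can be forged by the sender, so the bottom Received: header (added by the first server you trust) is the more reliable source.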


Task 6: Cisco Talos Intelligence

Cisco Talos is a cybersecurity team that provides actionable threat intelligence and protection against emerging threats through its platform, Talos Intelligence. It collects and analyzes extensive data from Cisco products to offer insights and defense capabilities.

Key Teams in Cisco Talos:

  1. Threat Intelligence & Interdiction: Correlates and tracks threats, turning IOCs into detailed intelligence.
  2. Detection Research: Analyzes vulnerabilities and malware to develop detection rules.
  3. Engineering & Development: Maintains and updates inspection engines for emerging threats.
  4. Vulnerability Research & Discovery: Identifies and reports security vulnerabilities to vendors.
  5. Communities: Manages the team’s public image and open-source contributions.
  6. Global Outreach: Shares intelligence through publications for customers and the security community.

Talos Intelligence Dashboard Features:

  • Reputation Lookup: Interactive world map showing email traffic and categorizing emails as legitimate, spam, or malware. Detailed data on IPs and hostnames is accessible via markers.
  • Vulnerability Information: Reports on disclosed and zero-day vulnerabilities, including CVEs, CVSS scores, timelines, and Snort rules.
  • Reputation Center: Enables threat data searches for IPs and SHA256 file hashes. Provides insights into email and spam data.

Talos Intelligence equips analysts with tools for threat detection, analysis, and actionable insights.

Questions

Use the information gathered from inspecting the Email1.eml file from Task 5 to answer the following questions using Cisco Talos Intelligence. Please note that the VM launched in Task 5 does not have access to the Internet.

What is the listed domain of the IP address from the previous task?

Visit Talos Intelligence: https://talosintelligence.com/

The IP Address we found in the previous task was 204.93.183.11.
Search for the IP and you will reach the following page:

https://talosintelligence.com/reputation_center/lookup?search=204.93.183.11

IP Owner Domain


Answer: scnet.net

(Note: I tried multiple times, and sometimes I got another domain which was not accepted!)

What is the customer name of the IP address?

Talos did not provide this information, so I visited the following page:

https://lookup.icann.org/en/lookup

Search for the IP and you will get the answer:

WHOIS info


Answer: Complete Web Reviews



Task 7: Scenario 1

Scenario: You are a SOC Analyst. Several suspicious emails have been forwarded to you from other coworkers. You must obtain details from each email to triage the incidents reported. 

Task: Use the tools and knowledge discussed throughout this room (or use your resources) to help you analyze Email2.eml found on the VM attached to Task 5 and use the information to answer the questions.

Questions

According to Email2.eml, what is the recipient’s email address?

Open up Email2.eml found on the VM (/home/ubuntu/Desktop/Emails).

Investigating Email 2

You will find the recipient email in the header.

Answer: chris.lyons@supercarcenterdetroit.com

On VirusTotal, the attached file can also be identified by a Detection Alias, which starts with an H.

Now, I did not want to transfer the attachment to my own PC and was unable to use an AttackBox as I had no way to transfer the file from the VM without internet.

Knowing VirusTotal, I remember that we can search on file hashes. These file hashes uniquely identify a file and can therefore be used to search for malware on VirusTotal.
We can find the hash with the sha256sum program:

Sha256sum


The hash is 435bfc4c3a3c887fd39c058e8c11863d5dd1f05e0c7a86e232c93d0e979fdb28.

Searching on VirusTotal brings us to the following page:

https://www.virustotal.com/gui/file/435bfc4c3a3c887fd39c058e8c11863d5dd1f05e0c7a86e232c93d0e979fdb28

VirusTotal results

Here, different security vendors have analyzed the file, each with their own Detection Alias. The one THM expects is the alias given by Avira (no cloud): HIDDENEXT/Worm.Gen

Answer: HIDDENEXT/Worm.Gen


Task 8: Scenario 2

One down, one to go. Let’s move on!

Scenario: You are a SOC Analyst. Several suspicious emails have been forwarded to you from other coworkers. You must obtain details from each email to triage the incidents reported. 

Task: Use the tools and knowledge discussed throughout this room (or use your resources) to help you analyze Email3.eml found on the VM attached to Task 5 and use the information to answer the questions.

Questions

What is the name of the attachment on Email3.eml?

Open up Email3 in the same location as Email1 and Email2.

Email3 contents

Once more, an email with an attachment. The attachment is called Sales_Receipt 5606.xls.

Answer: Sales_Receipt 5606.xls

What malware family is associated with the attachment on Email3.eml?

As before, I will read the hash value of the file. This time I will use the md5sum program.

md5sum of file


The md5 hash is e63deaea51f7cc2064ff808e11e1ad55.

Again, we can search on VirusTotal with this hash (VirusTotal resolves the MD5 to the file’s SHA-256 page), which will lead to the following page:

https://www.virustotal.com/gui/file/b8ef959a9176aef07fdca8705254a163b50b49a17217a4ff0107487f59d4a35d

Dridex Malware


If you read under Associations you will find the answer: Dridex.

Answer: Dridex
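In Task 7 and Task 8 the attachment is hashed on the VM with sha256sum and md5sum and the hash, not the file, is looked up on VirusTotal. The script below is an added example (not from the walkthrough, the room or VirusTotal) that pulls every attachment straight out of an .eml, hashes the decoded bytes without ever opening the file, and builds the VirusTotal lookup URL in the same https://www.virustotal.com/gui/file/<sha256> form used above. It works on a constructed sample message with a harmless text attachment; the sender, recipient and attachment name are made up for the demonstration.

```python
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed attachment bytes: plain text, NOT a real spreadsheet or malware sample.
SAMPLE_PAYLOAD = b"constructed sample attachment, not a real spreadsheet\n"


def build_sample_eml() -> bytes:
    """Build a constructed multipart message with one attachment (stand-in for Email3.eml)."""
    msg = EmailMessage()
    msg["From"] = "billing@sender.example"          # made-up sender
    msg["To"] = "analyst@example.com"               # made-up recipient
    msg["Subject"] = "Sales Receipt"
    msg.set_content("Please see the attached receipt.")
    msg.add_attachment(SAMPLE_PAYLOAD, maintype="application",
                       subtype="octet-stream", filename="Sales_Receipt 1234.xls")
    return msg.as_bytes()


def hash_bytes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of the raw bytes; VirusTotal accepts any of the three."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def attachment_bytes(raw: bytes) -> list:
    """Return the decoded bytes of every attachment; nothing is written to disk."""
    msg = message_from_bytes(raw, policy=policy.default)
    return [part.get_payload(decode=True) for part in msg.iter_attachments()]


def list_attachments(raw: bytes) -> list:
    """Name, declared type, size, hashes and VirusTotal URL for each attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)  # base64 is undone here; file is never executed
        info = {
            "filename": part.get_filename(),
            "content_type": part.get_content_type(),
            "size": len(data),
        }
        info.update(hash_bytes(data))
        info["virustotal_url"] = f"https://www.virustotal.com/gui/file/{info['sha256']}"
        results.append(info)
    return results


if __name__ == "__main__":
    for att in list_attachments(build_sample_eml()):
        for key, value in att.items():
            print(f"{key}: {value}")
```

For a real message, replace build_sample_eml() with the bytes of the .eml read from /home/ubuntu/Desktop/Emails; the sha256 field should match what sha256sum prints on the VM for the saved attachment, because both hash the same decoded bytes. Hashing the decoded payload rather than the base64 text is the important detail: the base64 form would give a hash VirusTotal has never seen.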


Task 9: Conclusion

You have come to the end of the room. However, this is just the tip of the iceberg for open-source threat intelligence tools that can help you as an analyst triage through incidents. There are plenty more tools that may have more functionalities than the ones discussed in this room.

Check out these rooms to dive deeper into Threat Intelligence:

Questions

Read the above and completed the room

Answer: No answer needed


Congratulations on completing Threat Intelligence Tools!!!


This room covered a bunch of Threat Intelligence Tools, and gave us the know-how to investigate the threat of files, URLs and more. I hope you like it as much as I did. Come back soon for more walkthroughs of rooms on TryHackMe and HackTheBox.


Like my articles?

You are welcome to give my article a clap or two 🙂
I would be even more grateful if you support me by buying me a cup of coffee:

Buy me a coffee


I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link:

https://referral.hackthebox.com/mzwwXlg
