Intro to ISAC TryHackme
By Shamsher khna This is a Writeup of Tryhackme room “Intro to ISAC”
Introduction:-
Threat Intelligence, also known as TI and Cyber Threat Intelligence also known as, CTI, is used to provide information about the threat landscape specifically adversaries and their TTPs. Typically CTI revolves around APT groups and/or other threats, these can be well-known groups or up and coming new threats.
Data must be analyzed to be considered threat intelligence. Once analyzed and actionable, then it becomes threat intelligence. The data needs context around to become intel.
CTI is a precautionary measure that companies use or contribute to so that other corporations do not get hit with the same attacks. Of course, adversaries change their TTPs all the time so the TI landscape is constantly changing.
What are ISACs
According to the National Council of ISACs, “Information Sharing and Analysis Centers (ISACs) are member-driven organizations, delivering all-hazards threat and mitigation information to asset owners and operators”. ISACs can be community-centered or vendor-specific. ISACs include CTI from threat actors as well as mitigation information in the form of IOCs, YARA rules, etc. ISACs maintain situational awareness by sharing and collaborating to maintain CTI, through a National Council of ISACs.
Below is a list of ISACs that can help a blue team we will only be showcasing a few in this room.
This room will specifically focus on AlienVault OTX and ThreatConnect; however, there are many more ISACs that can be used to gather threat intelligence. I encourage you to go out and research others on your own to get a good feeling for what you like and what various ISACs can offer.
Scenario 1
Your incident response team has quarantined a suspicious bin file. The team thinks it is a ransomware variation. Investigate and create indicators for the file.
You can find the shellcode C:\Users\Jon\Documents\Scenarios\Scenario 1
Scenario 2
You have been assigned to analyze this week’s quarantined files. The file is thought to be an unknown trojan or a new strain of the emotet malware. Investigate and create indicators for the file.
You can find the shellcode C:\Users\Jon\Documents\Scenarios\Scenario 2
username:jon , password: alqfna22
xfreerdp /u:"jon" /p:alqfna22 /v:10.10.26.213Run this command in your Terminal to start RDP
Question 1. What is the name of the file from Scenario 1?
Answer: 29D6161522C7F7F21B35401907C702BDDB05ED47.bin
Question 2. What is the size of the file from Scenario 1 in bytes?
Answer: 96,535
Question 3. What is the size on disk of the file from Scenario 1 in bytes?
Answer: 98,304
Question 4. What is the MD5 hash of the file from Scenario 1?
Open WinMD5 tool and select Scenario 1 file
Answer: 8b***************************6a
Question 5. What is the name of the file from Scenario 2?
Answer: cryptowall.bin
Question 6. What is the size of the file from Scenario 2 in bytes?
Answer: 246,272
Question 7. What is the size on disk of the file from Scenario 2 in bytes?
Answer: 249,856
Question 8. What is the MD5 hash of the file from Scenario 2?
Now again click on WinMD5 tool and select cryptowall.bin file
Answer: 47****************************c7
Follow on LinkedIn Instagram Twitter
Written by Shamsher khan
For more walkthroughs stay tuned…
Before you go…
Visit my other walkthrough’s:-
and thank you for taking the time to read my walkthrough.
If you found it helpful, please hit the 👏 button 👏 (up to 40x) and share
it to help others with similar interests! + Feedback is always welcome!
