Open in app

Sign in

Write

Sign in

TryHackMe

Threat Intelligence Tools WriteUp

Fahri Korkmaz
3 min readDec 4, 2022

Threat Intelligence

In threat intelligence, you try to analyze data and information, so you can find ways to mitigate a risk. While performing threat intelligence you should try to answer these questions:

  • Who’s attacking you?
  • What’s their motivation?
  • What are their capabilities?
  • What artefacts and indicators of compromise should you look out for?

There are 4 types of threat intelligence:

  • Strategic Intel
  • Technical Intel
  • Tactical Intel
  • Operational Intel

UrlScan.io

With Urlscan.io you can automate the process of browsing and crawling throug a website.

What is TryHackMe’s Cisco Umbrella Rank?

345612

How many domains did UrlScan.io identify?

13

What is the main domain registrar listed?

NAMECHEAP INC

What is the main IP address identified?

2606:4700:10::ac43:1b0a

Abuse.ch

Abuse.ch is used to identify and track malware and botnets. There are 5 platforms:

  • Malware Bazaar: For Sharing malware samples
  • Feodo Tracker: Used to track botnet command and control (C2) infrastructure linked with Emotet, Dridex and TrickBot.
  • SSL Blacklist: For collecting and providing a blocklist for malicious SSL certificates and JA3/JA3s fingerprints.
  • URL Haus: For sharing malware distribution sites.
  • Threat Fox: For sharing indicators of compromise (IOCs).

The IOC 212.192.246.30:5555 is linked to which malware on ThreatFox?

Katana

Which malware is associated with the JA3 Fingerprint 51c64c77e60f3980eea90869b68c58a8 on SSL Blacklist?

Dridex

From the statistics page on URLHaus, what malware-hosting network has the ASN number AS14061?

DIGITALOCEAN-ASN

Which country is the botnet IP address 178.134.47.166 associated with according to FeodoTracker?

Georgia

PhishTool

With PhishTool analysts can easily analyze potential phishing emails.

What organisation is the attacker trying to pose as in the email?

What is the senders email address?

What is the recipient’s email address?

What is the Originating IP address? Defang the IP address.

How many hops did the email go through to get to the recipient?

4

Cisco Talos Intelligence

Cisco Talos provides intelligence, visibility on indicators, and protection against emergin threats through data collected from their products.

What is the listed domain of the IP address from the previous task?

What is the customer name of the IP address?

Scenario 1

According to Email2.eml, what is the recipient’s email address?

From Talos Intelligence, the attached file can also be identified by the Detection Alias that starts with an H…

HIDDENEXT/Worm.Gen

Scenario 2

What is the name of the attachment on Email3.eml?

What malware family is associated with the attachment on Email3.eml?

Tryhackme
Ctf
Ctf Writeup
Cybersecurity
Blue Team

--

--

Fahri Korkmaz

Written by Fahri Korkmaz

271 Followers

Red Teaming | Penetration Testing

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams