[THM] SOC Workbooks and Lookups

This is a full walkthrough with answers and explanations for the TryHackMe room "SOC Workbooks and Lookups".

Link to the room: https://tryhackme.com/room/socworkbookslookups.

[Task 2] Assets & Identities


Looking at the identity inventory, what is the role of R.Lund at the company?

US Financial Adviser

Check the “Role” column in the identity inventory table for R.Lund.

Checking the asset inventory, what data does the HQ-FINFS-02 server store?

Financial records

Check the “Purpose” column in the asset inventory table for HQ-FINFS-02.

Finally, does the file sharing from the scenario look legitimate and expected? (Yea/Nay)

Yea

A financial adviser reading a server whose purpose is storing financial records is consistent with both inventories, so the sharing looks expected.

[Task 3] Network Diagrams

(Image: network diagram)

According to the network diagram, which service is exposed on the TCP/10443 port?

VPN

Now, which subnet does the server behind the 172.16.15.99 IP belong to?

Database subnet

Finally, does the scenario look like a True Positive (TP) or False Positive (FP)?

TP

VPN brute force, then a database scan, then hopping between subnets: that chain is exactly what should set off your inner SOC radar.

[Task 4] Workbooks Theory

(Image: Unusual Login Location Workbook)

Which SOC role would use workbooks the most (e.g. SOC Manager)?

SOC L1 Analyst

What is the process of gathering user, host, or IP context using TI and lookups?

Enrichment

Enrichment: use threat intelligence, lookups, and the identity and asset inventories to gather context about the affected user, host, or IP before deciding on the alert.

Looking at the workbook example, what platform is used as an identity inventory source?

BambooHR

Review the enrichment stage in the workbook.
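The enrichment step and the subnet lookup from Task 3 are the same idea in code: join the raw alert against small lookup tables. The block below is an added example written for this walkthrough, not the room's own tooling. Only R.Lund's role, HQ-FINFS-02's purpose, the fact that 172.16.15.99 sits in the database subnet, and TCP/10443 being the VPN come from the room; every other row, IP address, hostname, port mapping, and the triage rule are constructed assumptions for illustration.

```python
"""Alert enrichment with identity, asset, and subnet lookups.

Added example for this walkthrough, not code from the TryHackMe room.
Only R.Lund's role, HQ-FINFS-02's purpose, 172.16.15.99 living in the
database subnet, and TCP/10443 being the VPN come from the page; every
other row, address, name and the triage rule are constructed assumptions.
"""
import ipaddress
from typing import Optional

# Constructed identity inventory: user -> role / department
IDENTITY_INVENTORY = {
    "R.Lund": {"role": "US Financial Adviser", "department": "Finance"},
    "J.Doe": {"role": "Database Administrator", "department": "IT"},
}

# Constructed asset inventory: hostname -> ip / purpose / owning department
ASSET_INVENTORY = {
    "HQ-FINFS-02": {"ip": "10.10.20.15", "purpose": "Financial records", "owner": "Finance"},
    "HQ-DB-01": {"ip": "172.16.15.99", "purpose": "Customer database", "owner": "IT"},
}

# Constructed subnet table; 172.16.15.0/24 as the database subnet is an assumption
SUBNETS = {
    ipaddress.ip_network("10.10.20.0/24"): "Server subnet",
    ipaddress.ip_network("172.16.15.0/24"): "Database subnet",
    ipaddress.ip_network("192.168.50.0/24"): "Workstation subnet",
    ipaddress.ip_network("10.99.0.0/16"): "VPN pool",
}

# Port -> service; only 10443/VPN is from the diagram, the rest are assumptions
SERVICE_PORTS = {10443: "VPN", 445: "SMB", 5432: "PostgreSQL"}


def lookup_subnet(ip: str) -> Optional[str]:
    """Return the named subnet containing ip, or None if it is not in the table."""
    addr = ipaddress.ip_address(ip)
    for net, name in SUBNETS.items():
        if addr in net:
            return name
    return None


def lookup_asset(ip: str):
    """Reverse lookup: (hostname, record) for the asset with this IP, or (None, None)."""
    for host, rec in ASSET_INVENTORY.items():
        if rec["ip"] == ip:
            return host, rec
    return None, None


def enrich_alert(alert: dict) -> dict:
    """Join the raw alert (user, src_ip, dst_ip, dst_port) against every lookup."""
    ident = IDENTITY_INVENTORY.get(alert["user"])
    host, asset = lookup_asset(alert["dst_ip"])
    return {
        **alert,
        "user_role": ident["role"] if ident else None,
        "user_department": ident["department"] if ident else None,
        "src_subnet": lookup_subnet(alert["src_ip"]),
        "dst_subnet": lookup_subnet(alert["dst_ip"]),
        "dst_host": host,
        "dst_purpose": asset["purpose"] if asset else None,
        "dst_owner": asset["owner"] if asset else None,
        "service": SERVICE_PORTS.get(alert["dst_port"], "unknown"),
    }


def triage(enriched: dict) -> tuple:
    """Constructed rule: 'expected' when the user is known and their department owns
    the asset; otherwise 'review' with the reasons an analyst would note in the workbook."""
    reasons = []
    if enriched["user_role"] is None:
        reasons.append("user not in identity inventory")
    if enriched["dst_host"] is None:
        reasons.append("destination not in asset inventory")
    elif enriched["user_department"] and enriched["user_department"] != enriched["dst_owner"]:
        reasons.append(f"{enriched['user_department']} user on {enriched['dst_owner']}-owned asset")
    if enriched["src_subnet"] == "VPN pool" and enriched["dst_subnet"] == "Database subnet":
        reasons.append("VPN client reaching the database subnet directly")
    return ("expected" if not reasons else "review", reasons)


# Two constructed alerts mirroring the scenarios in Tasks 2 and 3
FILE_SHARE_ALERT = {"user": "R.Lund", "src_ip": "192.168.50.23", "dst_ip": "10.10.20.15", "dst_port": 445}
DB_SCAN_ALERT = {"user": "svc_unknown", "src_ip": "10.99.4.17", "dst_ip": "172.16.15.99", "dst_port": 5432}

if __name__ == "__main__":
    for alert in (FILE_SHARE_ALERT, DB_SCAN_ALERT):
        e = enrich_alert(alert)
        verdict, why = triage(e)
        print(f"{alert['user']} -> {e['dst_host']} ({e['dst_purpose']}): {verdict} {why}")
```

The first alert enriches to a Finance user on a Finance-owned file server and comes back as expected, which is the Task 2 "Yea"; the second has an unknown user coming from the VPN pool straight into the database subnet and comes back for review, which is the Task 3 true positive. In a real SOC the dictionaries would be the SIEM's lookup tables or an HR/CMDB API, but the join logic is the same.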


[Task 5] Workbooks Practice


What flag did you receive after completing the first workbook?

THM{the_most_common_soc_workbook}

What flag did you receive after completing the second workbook?

THM{be_vigilant_with_powershell}

What flag did you receive after completing the third workbook?

THM{asset_inventory_is_essential}

This post is licensed under CC BY 4.0 by the author.