IR Playbooks TryHackMe Walkthrough Writeup (THM) | SuNnY

Sunny Singh Verma
6 min read · Sep 12, 2024


Kudos to the creators of this room:

Room Type: Free Room

Anyone can deploy virtual machines in the room (without being subscribed)!

Task 1 : Introduction

This module is a basic introduction to the room.

Task 2 : The Incident Response Documentation Universe

Task 2 Question: Can multiple use cases trigger a single playbook? y/n

Yes, multiple use cases can trigger a single playbook.

Task 3 : IR Process and Playbooks: Preparation

Task 3 Question: What stage of the IR process can be translated into prerequisites for the playbooks?

The Preparation stage of the Incident Response (IR) process can be translated into prerequisites for playbooks. This stage involves defining the policies, processes, and tools that must be in place before an incident occurs, so that the team is ready to respond effectively.

Task 3 is now complete!

Task 4 : IR Process and Playbooks: Detection and Analysis

Task 4 Question: What steps should we follow if the incident is a False Positive?

If an incident is identified as a false positive, these steps should be followed:

Document the False Positive: Record all relevant details of the alert, including why it was deemed a false positive, to maintain a clear audit trail.
Analyze the Root Cause: Investigate why the alert was triggered and determine whether it was due to a misconfiguration, incorrect detection logic, or unusual but benign activity.
Update Detection Logic: If necessary, adjust or fine-tune detection rules or thresholds to reduce similar false positives in the future.
Communicate with the Team: Notify relevant team members or stakeholders that the alert was a false positive and explain the actions taken.
Close the Incident: Finally, mark the incident as resolved and close the ticket in the incident tracking system, categorizing it as a false positive.

Task 5 : IR Process and Playbooks: Containment, Eradication, and Recovery

Task 5 Question: To recover systems affected by an incident, which configuration should we bring them back to?

To recover systems affected by an incident, they should be brought back to their last known good configuration. This is the system state before the incident occurred, where the system was functioning normally without any compromise or corruption.

Task 6 : IR Process and Playbooks: Post-Incident Activity

Task 6 Question: What is the last stage of the IR process?

The last stage of the Incident Response (IR) process is typically referred to as Post-Incident Activity.

Task 7 : Putting It Into Practice

This module requires you to start the VM.

Once you start the machine, the connection details are shared with you:

Note: the IP address will be different for you.

After following the link given in the module, we get a login page.

The user credentials are shared →

elastic : elastic

After successfully logging in, we see a dashboard →

Task 7 Question 1: What is the name of the process that initiated this communication?

Let’s check the information provided to us →

The hint for Task 7 Question 1 is given:

We have a search string to filter on the destination IP address along with the date.

With the date and IP filters applied, we see the process name →

Task 7 Question 2: Is this process malicious, as per VirusTotal? y/n

We can find the VirusTotal website via Google →

There are three ways to check: by File, by URL, and by Search.

We can find a URL in the Elastic search results.

URL that we found →

http://schemas.microsoft.com/win/2004/08/events/event

Now let’s use the URL above and search on VirusTotal →

VirusTotal reports the URL as clean; it is not flagged as malicious.

Task 7 Question 3: What is the name of the parent process of this process?

By adding a filter, we see the parent process name entry value.

By selecting the parent_process_name field, the first value is our answer.

Task 7 Question 4: This process’s parent was launched by another process, which is a notorious ransomware. Which ransomware is that?

Let’s ask our friend Google →

You can also set the chart to Bar Vertical Stacked and get the same result from the filter option.
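The filtering and parent-chain lookup done by hand in Kibana above can also be expressed as code. This is an added example, not part of the original write-up or the room; it runs against a few constructed ECS-style events (placeholder process names, not the room's data) and shows the destination IP plus time-range filter of Question 1 and the process → parent → grandparent walk of Questions 3 and 4:

```python
from datetime import datetime

# Constructed sample events using Elastic Common Schema (ECS) field names.
# Process names and the IP are placeholders, not values from the room's VM.
EVENTS = [
    {"@timestamp": "2024-09-01T10:00:00Z", "process": {"pid": 100, "name": "ransomware_placeholder.exe", "parent": {"pid": 1}}},
    {"@timestamp": "2024-09-01T10:00:05Z", "process": {"pid": 200, "name": "dropper.exe", "parent": {"pid": 100, "name": "ransomware_placeholder.exe"}}},
    {"@timestamp": "2024-09-01T10:00:09Z", "process": {"pid": 300, "name": "beacon.exe", "parent": {"pid": 200, "name": "dropper.exe"}}, "destination": {"ip": "203.0.113.10"}},
    {"@timestamp": "2024-09-02T11:00:00Z", "process": {"pid": 400, "name": "browser.exe", "parent": {"pid": 1}}, "destination": {"ip": "203.0.113.10"}},
]


def build_query(dest_ip, start, end):
    """Elasticsearch bool query equivalent to the Kibana filter used in the room:
    a destination IP term plus an @timestamp range (ISO 8601 strings)."""
    return {"query": {"bool": {"filter": [
        {"term": {"destination.ip": dest_ip}},
        {"range": {"@timestamp": {"gte": start, "lte": end}}},
    ]}}}


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def initiating_processes(events, dest_ip, start, end):
    """Apply the same filter offline and return the names of processes that
    talked to dest_ip inside the window (Task 7, Question 1)."""
    lo, hi = _ts(start), _ts(end)
    return [e["process"]["name"] for e in events
            if e.get("destination", {}).get("ip") == dest_ip
            and lo <= _ts(e["@timestamp"]) <= hi]


def ancestry(events, name):
    """Walk process -> parent -> grandparent by pid (Questions 3 and 4).
    Returns the chain of names, oldest known ancestor last; stops when the
    parent pid has no event of its own or a pid repeats (guards against loops)."""
    by_pid = {e["process"]["pid"]: e["process"] for e in events}
    proc = next((p for p in by_pid.values() if p["name"] == name), None)
    chain, seen = [], set()
    while proc and proc["pid"] not in seen:
        seen.add(proc["pid"])
        chain.append(proc["name"])
        proc = by_pid.get(proc.get("parent", {}).get("pid"))
    return chain
```

The last element of the returned chain is the grandparent the room asks about, which you would then look up (as the write-up does) rather than trust the name alone.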

Task 7 Question 5: Which playbook should be followed to respond to this incident?

malware playbook

Task 7 Question 6: Is this incident an FP (False Positive) or a TP (True Positive)?

TP

Task 7 Question 7: In case the incident is a TP, what will be the next step in the IR process?

Containment

Task 7 is now complete!

Task 8 : Conclusion

We have successfully completed the room!

Room Pwned!! Congratulations!!

Hope you have enjoyed this room as much as I did.

Let’s Connect on Linkedin → https://linkedin.com/in/sunnysinghverma

You can also give me Respect on Hack The Box if you want; I would really appreciate it :)

https://app.hackthebox.com/users/1585635

My TryHackMe Profile Page →

https://tryhackme.com/p/SuNnY

If you did, you can add a clap to this article to let me know, and if you loved it you can click the clap icon up to 50 times; that will make my day 🤗
You can also follow me on Medium to get more articles about CTFs and cybersecurity in the near future, but don’t forget to hit the email notification icon right next to the follow button.

Thank you !
SuNnY


Sunny Singh Verma

Blogger & Cyber Security Enthusiast || TryHackMe Wall of Fame - in Top 50 Ethical Hackers Worldwide || HTB-Elite Hacker || Follow for Cyber World & CTF updates!