Posts

Showing posts from February, 2025

TryHackMe - Tempest Writeup

This room aims to introduce the process of analysing endpoint and network logs from a compromised asset. Given the artefacts, we will aim to uncover the incident from the Tempest machine. In this scenario, you will be tasked to be one of the Incident Responders that will focus on handling and analysing the captured artefacts of a compromised machine.

Try it here at: https://tryhackme.com/room/tempestincident

Prerequisites

Labs suggested by THM:
Windows Event Logs
Sysmon
Wireshark: Packet Operations
Brim

Note: I will only be using Sysmon and Wireshark.

Following along up until the end of task 3, where we have our logs ready for some analysis, we must provide some SHA256 hashes.

[Task 3 Preparation — Tools and Artifacts]

This can be retrieved in a variety of ways; let's use PowerShell and just get all the answers at once using:

Note: the directory is where all files are currently present.

[Question 1] What is the SHA256 hash of the capture.pcapng file?

Answer: CB3A1E6ACFB246F256FBFEFDB6F494941A...