
Baselines and Anomalies: TryHackMe CTF Writeup / walkthrough

Task 1 - Introduction


Q1. Let's begin.

No Answer Needed

Task 2 - Baselining Hardware Inventory

  1. Download the given file. It is an xlsx file with a name similar to Asset-Inventory-with-Anomalies-1733034688169.xlsx.
  2. Open the file in any xlsx viewer. The data in the file looks like the following:
    xlsx file content

Q1. What is the name of the workstation that has the anomalous IP address?

Let's find the anomalous IP address of the workstation in the file above.

  • Look carefully at the entries: entry no. 16 has an IP address that does not match the addressing scheme used by any of the other workstations.
    xlsx entry

Answer 👉 WS-LON-004


Q2. What is the name of the server with the anomalous IP address?

  • Similarly, look for the server IP address that stands out from the others.
  • Entry no. 8 has a different IP address.
    xlsx entry

Answer 👉 SVR-NYC-BKUP01


Q3. Which workstation has a device model different from the rest?

  • This time, look at the device model of each workstation.
  • The workstation with a different device model is easy to spot with a careful eye.
    xlsx entry

Answer 👉 WS-NYC-004

Task 3 - Baselining Software Inventory


Q1. There are two installed software programs that should not be included in Anna's list. Which ones are they? Share their serial numbers. Answer format: X, Y

  • Think like a detective: which software should not be there?
  • All of the software looks trusted, but ask why there are multiple programs providing the same function, with the duplicates installed on far fewer workstations.
    anna's software list

Answer 👉 9, 15
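The hardware checks in Task 2 (IP address and device model outliers) and the software check in Task 3 (duplicated function, small install base) are the same idea: establish the majority value as the baseline, then flag whatever deviates. The following is an added example, not the room's spreadsheet or any official solution code; the inventory rows are constructed to mimic the spreadsheet's columns, and the hostnames, addresses, products and thresholds are invented for the demonstration.

```python
"""Baseline the hardware and software inventory and flag outliers.

Added example, not the room's own spreadsheet or solution code. The rows
below are constructed to mimic the columns of an asset inventory (hostname,
IP address, device model) and of an installed-software list (id, name,
function, install count); hostnames, addresses and products are invented.
"""
import ipaddress
from collections import Counter, defaultdict

# Constructed hardware inventory. Assumption: hostnames start with an asset
# class prefix (WS- for workstations, SVR- for servers), as in the room's names.
HARDWARE = [
    {"name": "WS-SITE-001", "ip": "10.10.1.11", "model": "Dell OptiPlex 7090"},
    {"name": "WS-SITE-002", "ip": "10.10.5.12", "model": "Dell OptiPlex 7090"},      # wrong subnet
    {"name": "WS-SITE-003", "ip": "10.10.1.13", "model": "Dell OptiPlex 7090"},
    {"name": "WS-SITE-004", "ip": "10.10.1.14", "model": "Dell OptiPlex 7090"},
    {"name": "WS-SITE-005", "ip": "10.10.1.15", "model": "Lenovo ThinkCentre M70q"}, # odd model
    {"name": "WS-SITE-006", "ip": "10.10.1.16", "model": "Dell OptiPlex 7090"},
    {"name": "SVR-SITE-DB01", "ip": "10.10.2.21", "model": "Dell PowerEdge R750"},
    {"name": "SVR-SITE-APP02", "ip": "10.10.7.22", "model": "Dell PowerEdge R750"},  # wrong subnet
    {"name": "SVR-SITE-BK01", "ip": "10.10.2.23", "model": "Dell PowerEdge R750"},
]

# Constructed software inventory: "function" is what the product is for and
# "installs" is how many workstations carry it.
SOFTWARE = [
    {"id": 1, "name": "Corporate AV", "function": "antivirus", "installs": 48},
    {"id": 2, "name": "Office suite", "function": "productivity", "installs": 48},
    {"id": 3, "name": "VPN client", "function": "remote access", "installs": 48},
    {"id": 4, "name": "Second AV", "function": "antivirus", "installs": 3},
    {"id": 5, "name": "Remote desktop tool", "function": "remote access", "installs": 2},
    {"id": 6, "name": "PDF reader", "function": "productivity", "installs": 47},
    {"id": 7, "name": "Web browser", "function": "browser", "installs": 48},
]


def asset_class(name):
    """Asset class from the hostname prefix, e.g. 'WS-SITE-001' -> 'WS'."""
    return name.split("-", 1)[0]


def _by_class(rows):
    groups = defaultdict(list)
    for row in rows:
        groups[asset_class(row["name"])].append(row)
    return groups


def ip_outliers(rows, prefixlen=24):
    """Names of assets whose IP falls outside the majority network of their
    class. Assumption: each class lives in one subnet, so the most common
    /prefixlen network is the baseline."""
    flagged = []
    for class_rows in _by_class(rows).values():
        nets = [ipaddress.ip_network(f"{r['ip']}/{prefixlen}", strict=False)
                for r in class_rows]
        baseline = Counter(nets).most_common(1)[0][0]
        flagged += [r["name"] for r, n in zip(class_rows, nets) if n != baseline]
    return flagged


def model_outliers(rows, max_share=0.2):
    """Names of assets whose device model is rare within their class."""
    flagged = []
    for class_rows in _by_class(rows).values():
        counts = Counter(r["model"] for r in class_rows)
        flagged += [r["name"] for r in class_rows
                    if counts[r["model"]] / len(class_rows) <= max_share]
    return flagged


def duplicate_function_software(rows, ratio=0.25):
    """Ids of products that duplicate a function already covered by a widely
    deployed product while sitting on only a fraction (<= ratio) of its installs."""
    by_function = defaultdict(list)
    for r in rows:
        by_function[r["function"]].append(r)
    flagged = []
    for items in by_function.values():
        if len(items) < 2:
            continue
        leader = max(r["installs"] for r in items)
        flagged += [r["id"] for r in items if r["installs"] <= leader * ratio]
    return sorted(flagged)


if __name__ == "__main__":
    print("IP outliers:       ", ip_outliers(HARDWARE))
    print("Model outliers:    ", model_outliers(HARDWARE))
    print("Duplicate software:", duplicate_function_software(SOFTWARE))
```

The thresholds are the judgement calls: a model share of 20% or an install ratio of 25% fits a small, uniform fleet, and in a larger estate with several approved models they would need raising, or the baseline would need to come from a documented standard build rather than from the majority.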

Task 4 - Living Off the Land


Q1. When trying to identify if an activity was performed by the administrator or not, what is the biggest tool that a defender can use?

admin activity

Answer 👉 communication


Q2. Which process can be used to track and approve changes to the firewall Access Control List?

Change Management and Approvals

Answer 👉 Change Management and Approvals

Task 5 - Baselining Network Traffic


Q1. If we are looking for DNS traffic bypassing the local DNS server, what should we exclude from the search of all queries to the DNS port?

internal dns server

Answer 👉 Internal DNS server
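The search described above, written out over connection records, as an added example that is not part of the room or its solution. The records are constructed in a conn-log-like shape; the resolver address 10.0.0.53 and the 10.0.0.0/8 internal range are assumptions. One caveat the room's answer leaves implicit is shown in the code: the internal DNS server also has to be excluded as a source, because its own forwarding to upstream resolvers is port-53 traffic that is not a bypass.

```python
"""Spot DNS traffic that bypasses the internal resolver.

Added example, not from the room. The connection records below are
constructed in a conn-log-like shape (timestamp, source IP, destination IP,
destination port, protocol); the resolver address 10.0.0.53 and the internal
10.0.0.0/8 range are assumptions for the demo.
"""
import ipaddress
from collections import Counter

INTERNAL_DNS = {"10.0.0.53"}                          # assumed approved resolver(s)
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal ranges

# Constructed records: (ts, src_ip, dst_ip, dst_port, proto)
CONNS = [
    ("2024-07-27T06:30:01Z", "10.0.1.20", "10.0.0.53", 53, "udp"),   # normal query
    ("2024-07-27T06:30:02Z", "10.0.0.53", "1.1.1.1", 53, "udp"),     # resolver forwarding upstream
    ("2024-07-27T06:30:05Z", "10.0.1.36", "8.8.8.8", 53, "udp"),     # bypass to a public resolver
    ("2024-07-27T06:30:07Z", "10.0.1.36", "8.8.8.8", 53, "tcp"),     # same client, over TCP
    ("2024-07-27T06:30:09Z", "10.0.1.20", "10.0.0.53", 53, "tcp"),   # normal TCP fallback for a large answer
    ("2024-07-27T06:31:00Z", "10.0.2.7", "10.0.0.5", 53, "udp"),     # internal host that is not an approved resolver
    ("2024-07-27T06:31:10Z", "10.0.1.20", "10.0.0.53", 443, "tcp"),  # not DNS at all
]


def is_internal(ip):
    """True when the address sits in one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def dns_bypass(conns, internal_dns=INTERNAL_DNS):
    """Port-53 records that neither go to an approved resolver nor come from
    one. Excluding the resolver as a source as well matters: its own
    forwarding to upstream servers would otherwise look like a bypass."""
    hits = []
    for ts, src, dst, dport, proto in conns:
        if dport != 53 or dst in internal_dns or src in internal_dns:
            continue
        kind = "unapproved internal resolver" if is_internal(dst) else "external resolver"
        hits.append({"ts": ts, "src": src, "dst": dst, "proto": proto, "kind": kind})
    return hits


def noisiest_pairs(hits):
    """(src, dst) pairs ordered by number of bypass events, most frequent first."""
    return Counter((h["src"], h["dst"]) for h in hits).most_common()


if __name__ == "__main__":
    for h in dns_bypass(CONNS):
        print(h)
    print(noisiest_pairs(dns_bypass(CONNS)))
```

A port-53 search says nothing about DNS over HTTPS or DNS over TLS, which ride on 443 and 853; hunting for those means matching destinations against known public DoH/DoT endpoints rather than a port.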

Task 6 - Baselining Identity and Access Management


Q1. What kind of alert should be generated if a user logs in from two vastly geographically different places in a short amount of time?

impossible travel

Answer 👉 Impossible travel
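How an impossible-travel alert is actually computed, as an added example (not from the room): take each user's consecutive logins, work out the great-circle distance between the GeoIP locations of the two source addresses, divide by the elapsed time, and alert when the implied speed is faster than anyone could travel. The login records are constructed, the usernames are placeholders, and the 900 km/h ceiling and the 100 km minimum distance are assumed thresholds.

```python
"""Impossible-travel check over a list of logins.

Added example, not from the room. The login records below are constructed:
usernames are placeholders and the coordinates are GeoIP-style results for
the source IP (London, New York, Paris). A speed ceiling of 900 km/h
(roughly a commercial flight) is an assumed threshold.
"""
import math
from collections import defaultdict
from datetime import datetime, timezone

EARTH_RADIUS_KM = 6371.0

LOGINS = [
    {"user": "user1", "ts": "2024-07-27T06:37:07Z", "lat": 51.5074, "lon": -0.1278},   # London
    {"user": "user1", "ts": "2024-07-27T07:10:00Z", "lat": 40.7128, "lon": -74.0060},  # New York, 33 min later
    {"user": "user2", "ts": "2024-07-27T08:00:00Z", "lat": 51.5074, "lon": -0.1278},   # London
    {"user": "user2", "ts": "2024-07-27T12:00:00Z", "lat": 48.8566, "lon": 2.3522},    # Paris, 4 h later
    {"user": "user2", "ts": "2024-07-27T12:30:00Z", "lat": 48.8600, "lon": 2.3500},    # Paris again, GeoIP jitter
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(logins, max_speed_kmh=900.0, min_distance_km=100.0):
    """Compare each user's consecutive logins; alert when the speed needed to
    cover the distance in the elapsed time exceeds max_speed_kmh.
    min_distance_km ignores small GeoIP wobble inside one city."""
    by_user = defaultdict(list)
    for e in sorted(logins, key=lambda e: parse_ts(e["ts"])):
        by_user[e["user"]].append(e)
    alerts = []
    for user, events in by_user.items():
        for prev, cur in zip(events, events[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km < min_distance_km:
                continue
            hours = (parse_ts(cur["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600
            speed = km / hours if hours > 0 else math.inf   # same second, different place
            if speed > max_speed_kmh:
                alerts.append({"user": user, "from": prev["ts"], "to": cur["ts"],
                               "km": round(km), "kmh": round(speed)})
    return alerts


if __name__ == "__main__":
    for a in impossible_travel(LOGINS):
        print(a)
```

The minimum-distance filter is what keeps this from paging on every GeoIP database update; VPN egress points and mobile carrier NAT are the other usual sources of false positives and are better handled by an allowlist of known corporate egress addresses than by raising the speed ceiling.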

Task 7 - Identifying Suspicious Environment Specific Use Cases

  • Start the machine and wait for 5 minutes.
  • Visit the given URL ().
  • Click the three-line menu icon at the top left, then click Discover.
    menu button
  • Make sure the sorted view is selected.
    elastic discover kibana

Q1. You have been alerted of a login outside of normal office hours on the 27th of July, 2024. Can you identify the time this login happened?

  • We know that a login alert occurred on 27th July 2024, outside normal office hours.
  • Change the time range to 26th July 2024 through 28th July 2024.
    search time update
  • Since the event happened outside normal office hours, it most likely falls either early in the morning or late at night.
  • Start with the first events of the day; there are 8 of them. Click on the event.
    narrow down the events
  • From Available fields, click the plus (+) icon next to description, domain and hardware_info_ip.
    adding fields
  • Now the answer to each question can be read straight from the dashboard.
    updated dashboard

Answer 👉 06:37:07.659259000


Q2. Which user logged in at this time?

Answer 👉 Mia Perez


Q3. This user performed anomalous activities from two different machines; what is the IP address of the other machine?

Answer 👉 192.168.1.36


Q4. What suspicious domain does this user connect to?

Answer 👉 c2server.com
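The same hunt done programmatically, as an added example (not the room's Elastic data or any official solution): filter login events on the day in question to those outside office hours, take the earliest one, then pivot on that user to list every machine they touched and every domain outside the known-good baseline, which is what adding the description, domain and hardware_info_ip columns in Discover lets you do by eye. The events are constructed and keep the field names shown in Discover; the "user" field name, the 08:00 to 18:00 UTC office window and the known-good domain list are assumptions.

```python
"""Hunt for off-hours logins and pivot on the user.

Added example, not the room's Elastic data. The events are constructed and
keep the field names shown in Discover (description, domain,
hardware_info_ip); the "user" field name and the 08:00-18:00 UTC office
window are assumptions.
"""
from datetime import datetime, timezone

EVENTS = [  # constructed
    {"@timestamp": "2024-07-26T09:12:00Z", "user": "user2", "description": "login",
     "hardware_info_ip": "192.168.1.20", "domain": None},
    {"@timestamp": "2024-07-27T05:58:30Z", "user": "user1", "description": "login",
     "hardware_info_ip": "192.168.1.10", "domain": None},
    {"@timestamp": "2024-07-27T06:02:11Z", "user": "user1", "description": "dns_query",
     "hardware_info_ip": "192.168.1.10", "domain": "updates.example.net"},
    {"@timestamp": "2024-07-27T06:05:40Z", "user": "user1", "description": "login",
     "hardware_info_ip": "192.168.1.44", "domain": None},
    {"@timestamp": "2024-07-27T06:06:02Z", "user": "user1", "description": "dns_query",
     "hardware_info_ip": "192.168.1.44", "domain": "beacon.example.org"},
    {"@timestamp": "2024-07-27T09:00:00Z", "user": "user3", "description": "login",
     "hardware_info_ip": "192.168.1.30", "domain": None},
    {"@timestamp": "2024-07-27T22:15:00Z", "user": "user2", "description": "login",
     "hardware_info_ip": "192.168.1.20", "domain": None},
]

KNOWN_GOOD_DOMAINS = {"updates.example.net"}   # assumed baseline of expected domains


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def off_hours_logins(events, day, start_hour=8, end_hour=18, tz=timezone.utc):
    """Login events on the given day (YYYY-MM-DD) whose local hour falls
    outside [start_hour, end_hour). Evaluate in the organisation's timezone:
    Kibana shows browser-local time, which may not be the office's."""
    hits = []
    for e in events:
        local = parse_ts(e["@timestamp"]).astimezone(tz)
        if e["description"] != "login" or local.date().isoformat() != day:
            continue
        if not start_hour <= local.hour < end_hour:
            hits.append(e)
    return sorted(hits, key=lambda e: e["@timestamp"])


def pivot_on_user(events, user, known_good=KNOWN_GOOD_DOMAINS):
    """Every machine the user touched and every domain not in the baseline."""
    mine = [e for e in events if e["user"] == user]
    return {
        "ips": sorted({e["hardware_info_ip"] for e in mine}),
        "unusual_domains": sorted({e["domain"] for e in mine
                                   if e["domain"] and e["domain"] not in known_good}),
    }


if __name__ == "__main__":
    first = off_hours_logins(EVENTS, "2024-07-27")[0]
    print("earliest off-hours login:", first["@timestamp"], first["user"])
    print(pivot_on_user(EVENTS, first["user"]))
```

The timezone parameter is the part that bites in practice: Discover renders timestamps in the browser's local time, so an "early morning" login seen from one region can be an ordinary mid-day login in another, and the office-hours window has to be evaluated in the zone the users actually work in.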

Task 8 - Conclusion


Q1. I am ready to hunt for anomalies.

No Answer Needed

(If you have any kind of query, question or suggestion, feel free to ask below. We would be happy to connect with you. Have a great day, buddy!!)