Baselines and Anomalies: TryHackMe CTF Writeup / walkthrough
Task 1 - Introduction
Q1. Let's begin.
No Answer Needed
Task 2 - Baselining Hardware Inventory
- Download the given file; it is an xlsx file with a name similar to Asset-Inventory-with-Anomalies-1733034688169.xlsx
- Open the file in any xlsx viewer. The data within the file looks like the following:
Q1. What is the name of the workstation that has the anomalous IP address?
Let's find the anomalous IP address of the workstation in the above file.
- Look carefully at the file: entry no. 16 has an IP address that does not match the addresses of the other workstations.
Answer → WS-LON-004
Q2. What is the name of the server with the anomalous IP address?
- Similarly, look for the server whose IP address looks different from the rest.
- Look at entry no. 8, which has a different IP address.
Answer → SVR-NYC-BKUP01
Q3. Which workstation has a device model different from the rest?
- This time, look at the device model of each workstation.
- You can easily spot the different device model with your sharp eyes.
Answer → WS-NYC-004
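Eyeballing a few dozen rows works for the room, but the same check scales to a real inventory if you let the majority define the baseline. The script below is an added example, not the room's file or code: the rows are constructed (the IPs and models are made up; only the two asset names reused from the answers match the room), and it reads a list of tuples rather than the xlsx so it runs offline. It flags any asset whose IP sits outside the /24 most assets share and any asset whose model is not the most common one.

```python
# Added example (not from the TryHackMe room): let the majority of rows define
# the hardware baseline, then report the rows that fall outside it.
# The inventory below is constructed; it is not the contents of the room's xlsx.
import ipaddress
from collections import Counter

# (asset name, IP address, device model); names WS-LON-004 / WS-NYC-004 are
# reused from the room's answers, everything else is made up.
WORKSTATIONS = [
    ("WS-LON-001", "10.10.20.11", "Dell OptiPlex 7090"),
    ("WS-LON-002", "10.10.20.12", "Dell OptiPlex 7090"),
    ("WS-LON-003", "10.10.20.13", "Dell OptiPlex 7090"),
    ("WS-LON-004", "10.10.30.14", "Dell OptiPlex 7090"),    # IP in a different subnet
    ("WS-NYC-001", "10.10.20.21", "Dell OptiPlex 7090"),
    ("WS-NYC-002", "10.10.20.22", "Dell OptiPlex 7090"),
    ("WS-NYC-003", "10.10.20.23", "Dell OptiPlex 7090"),
    ("WS-NYC-004", "10.10.20.24", "Lenovo ThinkCentre M70"), # model outlier
]


def baseline_network(rows, prefix_len=24):
    """The /prefix_len network that most rows sit in: that is the baseline."""
    nets = Counter(
        ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False) for _, ip, _ in rows
    )
    return nets.most_common(1)[0][0]


def anomalous_ips(rows, prefix_len=24):
    """Names of assets whose IP falls outside the baseline network."""
    base = baseline_network(rows, prefix_len)
    return [name for name, ip, _ in rows if ipaddress.ip_address(ip) not in base]


def anomalous_models(rows):
    """Names of assets whose model differs from the most common model."""
    common = Counter(model for _, _, model in rows).most_common(1)[0][0]
    return [name for name, _, model in rows if model != common]


if __name__ == "__main__":
    print("baseline network:", baseline_network(WORKSTATIONS))
    print("IP outliers:     ", anomalous_ips(WORKSTATIONS))
    print("model outliers:  ", anomalous_models(WORKSTATIONS))
```

Run it per site (London rows, then New York rows) when each office has its own subnet; otherwise a whole site would be reported as an outlier. Reading the room's xlsx directly needs a third-party library such as openpyxl, which is why the example embeds its rows instead.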
Task 3 - Baselining Software Inventory
Q1. There are two installed software programs that should not be included in Anna's list. Which ones are they? Share their serial numbers. Answer format: X, Y
- Think like a detective: which software should not be there?
- Although the software looks trusted... why are there multiple programs providing the same service, installed on far fewer workstations?!
Answer → 9, 15
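The hint above is a rule you can write down: a product that serves the same purpose as an approved, widely deployed product but is installed on only a handful of hosts is the one to question. The script below is an added example, not the room's list or code; the product names and install counts are constructed, and only the serials 9 and 15 are reused from the answer so the output lines up with it. It groups the inventory by purpose and flags every product whose install count is at most a tenth of the leader in its group.

```python
# Added example (not from the TryHackMe room): flag software that duplicates
# the purpose of a widely installed product but lives on only a few hosts.
# The inventory below is constructed; serials 9 and 15 are reused from the
# room's answer, the products and counts are made up.
from collections import defaultdict

# (serial, product, purpose, number of workstations it is installed on)
SOFTWARE = [
    (1,  "Office Suite A",        "office suite",        120),
    (2,  "Browser A",             "browser",             118),
    (3,  "Browser B",             "browser",              95),
    (4,  "Archiver A",            "archiver",            110),
    (5,  "Endpoint Protection A", "endpoint protection", 120),
    (9,  "Office Suite B",        "office suite",          2),  # same purpose, 2 hosts
    (12, "PDF Reader A",          "pdf reader",          117),
    (15, "Remote Access B",       "remote access",         3),  # same purpose, 3 hosts
    (16, "Remote Access A",       "remote access",       119),
]


def shadow_software(rows, max_share=0.1):
    """Serials of products whose install count is at most `max_share` of the
    most widely installed product that serves the same purpose."""
    by_purpose = defaultdict(list)
    for serial, product, purpose, count in rows:
        by_purpose[purpose].append((serial, product, count))

    flagged = []
    for purpose, entries in by_purpose.items():
        leader = max(count for _, _, count in entries)
        for serial, product, count in entries:
            # A second browser on 95 of 118 hosts is a legitimate alternative;
            # a second office suite on 2 of 120 hosts is not.
            if count < leader and count <= leader * max_share:
                flagged.append(serial)
    return sorted(flagged)


if __name__ == "__main__":
    print("serials to review:", shadow_software(SOFTWARE))
```

The threshold is the judgement call: too low and you only catch single installs, too high and every legitimate second-choice tool gets flagged. Whatever value you pick, the flagged serials are a review list, and the follow-up is asking the asset owner why the product is there.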
Task 4 - Living Off the Land
Q1. When trying to identify if an activity was performed by the administrator or not, what is the biggest tool that a defender can use?
Answer → communication
Q2. Which process can be used to track and approve changes to the firewall Access Control List?
Answer → Change Management and Approvals
Task 5 - Baselining Network Traffic
Q1. If we are looking for DNS traffic bypassing the local DNS server, what should we exclude from the search of all queries to the DNS port?
Answer → Internal DNS server
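In query form the answer is: take every flow to the DNS port, then drop the flows whose destination is the internal DNS server (and the server's own upstream lookups, which also leave the network on port 53). The script below is an added example, not part of the room; the flow records and the resolver address 10.0.0.53 are constructed.

```python
# Added example (not from the TryHackMe room): list DNS-port traffic that
# bypasses the internal resolver. Flow records and addresses are constructed.
INTERNAL_DNS = {"10.0.0.53"}  # assumed address of the internal DNS server

# (src_ip, dst_ip, dst_port, protocol)
FLOWS = [
    ("10.0.1.15", "10.0.0.53",    53,  "udp"),  # normal: client -> internal resolver
    ("10.0.1.15", "8.8.8.8",      53,  "udp"),  # client asking a public resolver directly
    ("10.0.0.53", "1.1.1.1",      53,  "udp"),  # resolver's own upstream lookup: expected
    ("10.0.1.22", "10.0.0.53",    53,  "tcp"),  # normal (large answer, TCP fallback)
    ("10.0.1.22", "203.0.113.7",  853, "tcp"),  # DNS over TLS: not on port 53 at all
    ("10.0.1.40", "198.51.100.9", 53,  "tcp"),  # client talking to an unknown server
]


def dns_bypass(flows, internal_dns=INTERNAL_DNS, dns_port=53):
    """(src, dst) pairs for traffic to the DNS port that neither goes to nor
    comes from an internal DNS server."""
    return [
        (src, dst)
        for src, dst, port, _ in flows
        if port == dns_port and dst not in internal_dns and src not in internal_dns
    ]


if __name__ == "__main__":
    for src, dst in dns_bypass(FLOWS):
        print(f"DNS bypass: {src} -> {dst}")
```

Note the limit of a port-based search: the port 853 flow (DNS over TLS) and any DNS over HTTPS on port 443 never show up in a "queries to port 53" hunt, so the network baseline should also record which hosts are expected to reach external resolvers at all.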
Task 6 - Baselining Identity and Access Management
Q1. What kind of alert should be generated if a user logs in from two vastly geographically different places in a short amount of time?
Answer → Impossible travel
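Impossible travel is a speed check: for each user, take consecutive logins, compute the distance between their locations and the time between them, and alert when the implied speed is beyond what any flight could manage. The script below is an added example, not the room's code; the users, times and coordinates are constructed, and the 900 km/h ceiling is an assumed threshold.

```python
# Added example (not from the TryHackMe room): impossible-travel detection
# over geolocated login events. All events and thresholds are constructed.
import math
from collections import defaultdict
from datetime import datetime, timezone

# (user, login time in UTC, latitude, longitude)
LOGINS = [
    ("alice", "2024-07-27T08:00:00Z", 51.5074,  -0.1278),  # London
    ("alice", "2024-07-27T09:30:00Z", 40.7128, -74.0060),  # New York, 90 minutes later
    ("bob",   "2024-07-27T08:00:00Z", 51.5074,  -0.1278),  # London
    ("bob",   "2024-07-27T20:00:00Z", 48.8566,   2.3522),  # Paris, 12 hours later
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def impossible_travel(logins, max_speed_kmh=900.0, min_distance_km=100.0):
    """(user, distance_km, hours) for consecutive logins that would require
    travelling faster than max_speed_kmh. Short hops under min_distance_km are
    ignored so geolocation jitter within one city does not alert."""
    by_user = defaultdict(list)
    for user, ts, lat, lon in logins:
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        by_user[user].append((t, lat, lon))

    alerts = []
    for user, events in by_user.items():
        events.sort()
        for (t1, la1, lo1), (t2, la2, lo2) in zip(events, events[1:]):
            hours = (t2 - t1).total_seconds() / 3600
            dist = haversine_km(la1, lo1, la2, lo2)
            if dist < min_distance_km:
                continue
            # zero elapsed time with a real distance is impossible by definition
            if hours <= 0 or dist / hours > max_speed_kmh:
                alerts.append((user, round(dist), round(hours, 2)))
    return alerts


if __name__ == "__main__":
    for user, dist, hours in impossible_travel(LOGINS):
        print(f"impossible travel: {user} moved {dist} km in {hours} h")
```

Geolocation of IP addresses is approximate and VPN exits move users across continents legitimately, so this alert is a trigger for verification (the "communication" answer from Task 4), not proof of compromise.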
Task 7 - Identifying Suspicious Environment Specific Use Cases
- Start the machine and wait for 5 minutes.
- Visit the given URL ()
- Click the three-line menu icon at the top left, then click Discover.
- Make sure that "sorted" is selected.
Q1. You have been alerted of a login outside of normal office hours on the 27th of July, 2024. Can you identify the time this login happened?
- We know that a login alert occurred on 27th July 2024, outside of normal office hours.
- Change the time range to cover 26th July 2024 to 28th July 2024.
- Since the event occurred outside of normal office hours, it is most likely very early in the morning or late at night.
- Let's analyze the first events of the day; there are 8 of them. Click on the event.
- From Available fields, click the plus (+) icon next to description, domain and hardware_info_ip.
- Now we can easily find the answer to each question just by looking at the dashboard.
Answer → 06:37:07.659259000
Q2. Which user logged in at this time?
Answer → Mia Perez
Q3. This user performed anomalous activities from two different machines; what is the IP address of the other machine?
Answer → 192.168.1.36
Q4. What suspicious domain does this user connect to?
Answer → c2server.com
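The four questions in this task are one pivot: find the first login outside office hours on the day of the alert, take its user, then list every host IP and every domain that user appears with. The script below is an added example that does this over JSON log lines instead of the Kibana Discover view; it is not the room's data or code. The events are constructed (only the user name, the second IP and the domain are reused from the answers above; the timestamp is shortened to microseconds because Python's ISO parser does not accept nanoseconds), and the 08:00 to 18:00 office window is an assumption.

```python
# Added example (not from the TryHackMe room): hunt an off-hours login and
# pivot on the user. Events are constructed to resemble the room's fields
# (@timestamp, user, hardware_info_ip, domain); values are made up except the
# user, the second IP and the domain, which are reused from the room's answers.
import json
from datetime import datetime

RAW_EVENTS = [
    '{"@timestamp": "2024-07-26T23:50:00Z", "event": "login", "user": "Mia Perez", "hardware_info_ip": "192.168.1.21", "domain": null}',
    '{"@timestamp": "2024-07-27T06:37:07.659259Z", "event": "login", "user": "Mia Perez", "hardware_info_ip": "192.168.1.21", "domain": null}',
    '{"@timestamp": "2024-07-27T06:41:12Z", "event": "dns_query", "user": "Mia Perez", "hardware_info_ip": "192.168.1.21", "domain": "c2server.com"}',
    '{"@timestamp": "2024-07-27T07:05:00Z", "event": "login", "user": "Mia Perez", "hardware_info_ip": "192.168.1.36", "domain": null}',
    '{"@timestamp": "2024-07-27T09:02:00Z", "event": "login", "user": "John Doe", "hardware_info_ip": "192.168.1.10", "domain": null}',
    '{"@timestamp": "2024-07-27T09:10:00Z", "event": "dns_query", "user": "John Doe", "hardware_info_ip": "192.168.1.10", "domain": "intranet.example.local"}',
]


def load_events(raw_lines):
    """Parse JSON lines, attach a datetime, and return them in time order."""
    events = []
    for line in raw_lines:
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["@timestamp"].rstrip("Z"))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def off_hours_logins(events, day, start_hour=8, end_hour=18):
    """(timestamp, user) for logins on `day` (YYYY-MM-DD) outside office hours."""
    return [
        (e["@timestamp"], e["user"])
        for e in events
        if e["event"] == "login"
        and e["ts"].date().isoformat() == day
        and not (start_hour <= e["ts"].hour < end_hour)
    ]


def hosts_for_user(events, user):
    """Every host IP the user appears with, so a second machine stands out."""
    return sorted({e["hardware_info_ip"] for e in events if e["user"] == user})


def domains_for_user(events, user):
    """Every domain the user's events reference."""
    return sorted({e["domain"] for e in events if e["user"] == user and e.get("domain")})


EVENTS = load_events(RAW_EVENTS)

if __name__ == "__main__":
    first_ts, user = off_hours_logins(EVENTS, "2024-07-27")[0]
    print("first off-hours login:", first_ts, user)
    print("hosts used by", user, ":", hosts_for_user(EVENTS, user))
    print("domains contacted by", user, ":", domains_for_user(EVENTS, user))
```

The day filter matters: the 23:50 login on the 26th is also outside office hours but belongs to a different day than the alert, which is why the room has you narrow the time range before reading the events.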
Task 8 - Conclusion
Q1. I am ready to hunt for anomalies.
No Answer Needed