Incident-Response

During Advent of Cyber, a room felt manageable — not because the concepts were simple, but because the room told you which system to examine, confirmed that a threat was present, and guaranteed that completing the steps would surface an answer. That structure is useful for learning. It is also the exact thing that disappears in a real investigation. The gap between TryHackMe and real incident response is not difficulty. It is the absence of a defined answer. ...

In a live security environment, alerts fire without labels. No task question. No confirmation that something is there. No rubric for how long to spend on a given signal before surfacing it. The volume on day one is unlike anything a certification exam simulates, and the volume is not the problem. Calibration is. The credential gets you past the filter. What you do with alerts in the first 90 days determines whether you clear probation. ...

Author: Mario Martinez Jr. (ku5e / Gary7) | TryHackMe USA Top 1% Difficulty: Easy Topics: Threat Intelligence, Containment Strategies, Incident Response, Wireshark Answers are redacted within the narrative to allow you to complete the tasks on your own, but a full table of answers is available at the end of this walkthrough. This room is a lecture-heavy introduction to threat intelligence creation and containment strategies within the incident response cycle. Most tasks pair reading with a single comprehension question. The practical at the end drops a packet capture on the desktop and asks you to pull three specific values from the traffic. Wireshark filtering gets you there fast. ...

Author: Mario Martinez Jr. (ku5e / Gary7) | TryHackMe USA Top 1% Difficulty: Easy Topics: Persistence Mechanisms, Backdoors, Incident Response, Linux Forensics Answers are redacted within the narrative to allow you to complete the tasks on your own, but a full table of answers is available at the end of this walkthrough. A server is already compromised. The attacker believes they cleared out. Your job is finding what they left behind before the machine goes back to production. The IR team has isolated the machine and handed you credentials for an account with root privileges. Five backdoors are planted somewhere on the system. Finding them requires knowing what a clean Linux install looks like. Anything that doesn’t match is a lead. ...

Author: Mario Martinez Jr. (ku5e / Gary7) | TryHackMe USA Rank #76 | Top 1% Difficulty: Easy Topics: Incident Response, CSIRT, Digital Forensics, Log Management, Windows Event Logs Answers are redacted within the narrative to allow you to complete the tasks on your own, but a full table of answers is available at the end of this walkthrough. This room covers the Preparation phase of the incident response lifecycle, the foundation that determines whether a team can respond to a breach effectively or scramble in the dark. You take the role of an incident responder building out the people, processes, and technology required to detect and contain adversarial activity before the next room moves into identification and scoping. ...

Author: Mario Martinez Jr. (ku5e / Gary7) | TryHackMe USA Top 1% Difficulty: Easy Topics: Incident Response, Security Alerts, Asset Inventory, IoC Management Answers are redacted within the narrative to allow you to complete the tasks on your own, but a full table of answers is available at the end of this walkthrough. This room positions you as an incident responder at SwiftSpend Financial (SSF), a fictional organization facing a potential security compromise. You work through a series of support tickets in Outlook, cross-reference an Asset Inventory, and populate a Spreadsheet of Doom (SoD) with indicators of compromise. The room frames itself around identification, scoping, and the feedback loop between the two. In practice, it functions as an email reading exercise where you extract IoCs from ticket exchanges and map them to organizational assets. ...

Author: Mario Martinez Jr. (ku5e / Gary7) | TryHackMe USA Top 1% Difficulty: Medium Topics: Incident Response, Eradication, Remediation, MITRE ATT&CK, Jenkins, Cyber Kill Chain Answers are redacted within the narrative to allow you to complete the tasks on your own, but a full table of answers is available at the end of this walkthrough. This is the fourth room in the Live IR Module, picking up after Preparation, Identification and Scoping, and Threat Intel and Containment. By this point the scope is set and the bad guys are identified. The job now is to remove them cleanly, patch what let them in, and bring systems back online without handing the attacker a warning signal in the process. The room tests your sleuthing ability as much as your IR theory — and the MITRE ATT&CK Framework proves its worth again. ...