Terminal screen displaying x86 assembly opcodes alongside their mnemonics, with one instruction highlighted as the current execution point.

TryHackMe: x86 Assembly Crash Course

Author: Mario Martinez Jr. (ku5e / Gary7) | TryHackMe USA Rank #76 | Top 1%
Difficulty: Easy
Topics: x86 Assembly, Opcodes, MOV/LEA/NOP, Arithmetic Instructions, Logical Instructions, Flags, Conditionals, Branching, Stack Operations, Function Calls
Link: x86 Assembly Crash Course on TryHackMe
Answers are redacted within the narrative to allow you to complete the tasks on your own, but a full table of answers is available at the end of this walkthrough.
Assembly is the lowest-level human-readable language and the only representation a compiled binary can always be recovered to: disassembly is a mechanical mapping from opcodes to mnemonics, while decompilation to C-like pseudocode is a best-effort reconstruction that can be wrong. When you open a malware sample in Ghidra or x64dbg, you are reading assembly. Decompiler output is built on top of it; the assembly is what actually runs. This room covers the instructions you will see in every analysis: MOV, LEA, NOP, ADD, SUB, XOR, CMP, TEST, JMP, PUSH, POP, and CALL. Complete the x86 Architecture Overview room first if you have not already. ...
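To make the room's instruction list concrete, here is a small interpreter for exactly that subset of x86, written for this page as an added example; it is not TryHackMe's material and not part of the room. It exists to show, in runnable form, why CMP and TEST set flags without storing a result, how conditional jumps are nothing more than reads of ZF/SF/CF/OF, and how PUSH, POP, CALL and RET move ESP through a stack that grows downward. Everything here is simplified by assumption: registers are 32-bit, memory is a flat 256-byte array with the stack at the top, operands are registers or immediates only (no memory operands), and CALL pushes an instruction index rather than a byte address. The sample program is constructed for the example.

```python
MASK = 0xFFFFFFFF  # registers are 32 bits wide

def assemble(text):
    """Parse source into (mnemonic, operands) tuples plus a label -> index map."""
    code, labels = [], {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and whitespace
        if line.endswith(":"):
            labels[line[:-1]] = len(code)  # a label points at the next instruction
        elif line:
            mnem, _, rest = line.partition(" ")
            code.append((mnem.lower(), [o.strip() for o in rest.split(",") if o.strip()]))
    return code, labels

CONDS = {  # conditional jumps, written as the flag tests the CPU actually performs
    "je": lambda f: f["ZF"] == 1,
    "jne": lambda f: f["ZF"] == 0,
    "jb": lambda f: f["CF"] == 1,  # unsigned below
    "jl": lambda f: f["SF"] != f["OF"],  # signed less
    "jle": lambda f: f["ZF"] == 1 or f["SF"] != f["OF"],
}

class CPU:
    def __init__(self, mem_size=256):
        self.r = {"eax": 0, "ebx": 0, "ecx": 0, "edx": 0, "ebp": 0, "esp": mem_size}
        self.mem = bytearray(mem_size)  # flat memory; the stack grows down from the top
        self.flags = {"ZF": 0, "SF": 0, "CF": 0, "OF": 0}
    def val(self, op):  # operand is a register name or an immediate (decimal or 0x hex)
        return self.r[op] if op in self.r else int(op, 0) & MASK
    def set_flags(self, res, cf, of):
        self.flags.update(ZF=int(res == 0), SF=(res >> 31) & 1, CF=int(cf), OF=int(of))
    def push(self, v):
        self.r["esp"] -= 4
        self.mem[self.r["esp"]:self.r["esp"] + 4] = (v & MASK).to_bytes(4, "little")
    def pop(self):
        v = int.from_bytes(self.mem[self.r["esp"]:self.r["esp"] + 4], "little")
        self.r["esp"] += 4
        return v

def run(text, max_steps=10_000):
    """Execute until control runs off the end of the program; return the CPU."""
    code, labels = assemble(text)
    cpu, eip = CPU(), 0
    for _ in range(max_steps):
        if eip >= len(code):
            return cpu
        mnem, ops = code[eip]
        eip += 1  # default: fall through to the next instruction
        if mnem == "nop":
            pass
        elif mnem == "mov":
            cpu.r[ops[0]] = cpu.val(ops[1])
        elif mnem in ("add", "sub", "cmp", "xor", "test"):
            a, b = cpu.val(ops[0]), cpu.val(ops[1])
            if mnem == "add":
                res = (a + b) & MASK
                cpu.set_flags(res, cf=a + b > MASK, of=(~(a ^ b) & (a ^ res)) >> 31 & 1)
            elif mnem in ("sub", "cmp"):  # CMP is a SUB whose result is discarded
                res = (a - b) & MASK
                cpu.set_flags(res, cf=a < b, of=((a ^ b) & (a ^ res)) >> 31 & 1)
            else:  # XOR, and TEST (an AND whose result is discarded); both clear CF/OF
                res = a ^ b if mnem == "xor" else a & b
                cpu.set_flags(res, cf=False, of=0)
            if mnem not in ("cmp", "test"):
                cpu.r[ops[0]] = res
        elif mnem == "jmp":
            eip = labels[ops[0]]
        elif mnem in CONDS:
            if CONDS[mnem](cpu.flags):
                eip = labels[ops[0]]
        elif mnem == "push":
            cpu.push(cpu.val(ops[0]))
        elif mnem == "pop":
            cpu.r[ops[0]] = cpu.pop()
        elif mnem == "call":  # push the return address, then jump to the target
            cpu.push(eip)
            eip = labels[ops[0]]
        elif mnem == "ret":
            eip = cpu.pop()
        else:
            raise ValueError(f"unsupported instruction: {mnem}")
    raise RuntimeError("step limit exceeded")

# Constructed sample: sum 1..5 in a CMP/JLE loop, then CALL a routine that
# doubles EAX and preserves EBX across the call with PUSH/POP.
SUM_AND_DOUBLE = """
    jmp main            ; skip over the subroutine body
double:
    push ebx            ; save a register the routine is about to clobber
    mov ebx, eax
    add eax, ebx        ; EAX = 2 * EAX
    pop ebx             ; restore it before returning
    ret
main:
    mov ecx, 1
    xor eax, eax        ; zero EAX (and set ZF)
loop:
    add eax, ecx
    add ecx, 1
    cmp ecx, 5
    jle loop            ; keep looping while ECX <= 5 (signed compare)
    call double         ; execution falls off the end after RET
    nop
"""
```

`run(SUM_AND_DOUBLE)` returns a CPU with `eax == 30`, `ecx == 6` and `esp` back at 256, which is the point of the example: the return address and the saved EBX went on and came off the stack symmetrically. The same `cmp eax, 1` after `mov eax, 0xFFFFFFFF` makes `jl` taken (SF != OF, because the value is -1 signed) but `jb` not taken (CF == 0, because 0xFFFFFFFF is the largest unsigned value); that is the signed-versus-unsigned distinction that trips up people reading branches in a debugger.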

April 13, 2026 · Mario Martinez Jr.
Debugger terminal displaying x86-64 register values with a coffee mug and handwritten notes in the foreground.

TryHackMe: x86 Architecture Overview

Author: Mario Martinez Jr. (ku5e / Gary7) | TryHackMe USA Rank #76 | Top 1%
Difficulty: Easy
Topics: CPU Architecture, x86 Registers, Memory Layout, Stack Analysis, Malware Analysis Fundamentals
Link: x86 Architecture Overview on TryHackMe
Answers are redacted within the narrative to allow you to complete the tasks on your own, but a full table of answers is available at the end of this walkthrough.
This room gives you the mental model that makes malware analysis readable. Before you open a binary in Ghidra or step through a sample in x64dbg, you need to know what the CPU is actually doing with its registers and memory. The room covers Von Neumann architecture, x86 registers from EAX down to the segment registers, the four-section memory layout, and the stack. It takes about an hour. If you plan to do any serious reverse engineering, that hour is not optional. ...

April 12, 2026 · Mario Martinez Jr.
A split image contrasting a structured guided task interface on the left with a complex, unresolved incident timeline on the right, illustrating the gap between training environments and real incident response.

TryHackMe Rooms Are Not as Easy as They Feel

During Advent of Cyber, a room felt manageable — not because the concepts were simple, but because the room told you which system to examine, confirmed that a threat was present, and guaranteed that completing the steps would surface an answer. That structure is useful for learning. It is also the exact thing that disappears in a real investigation. The gap between TryHackMe and real incident response is not difficulty. It is the absence of a defined answer. ...

March 20, 2026 · Mario Martinez Jr.

TryHackMe: Threat Intel & Containment

Author: Mario Martinez Jr. (ku5e / Gary7) | TryHackMe USA Top 1%
Difficulty: Easy
Topics: Threat Intelligence, Containment Strategies, Incident Response, Wireshark
Answers are redacted within the narrative to allow you to complete the tasks on your own, but a full table of answers is available at the end of this walkthrough.
This room is a lecture-heavy introduction to threat intelligence creation and containment strategies within the incident response cycle. Most tasks pair reading with a single comprehension question. The practical at the end drops a packet capture on the desktop and asks you to pull three specific values from the traffic. Wireshark filtering gets you there fast. ...

March 15, 2026 · Mario Martinez Jr.

TryHackMe: Tardigrade

Author: Mario Martinez Jr. (ku5e / Gary7) | TryHackMe USA Top 1%
Difficulty: Easy
Topics: Persistence Mechanisms, Backdoors, Incident Response, Linux Forensics
Answers are redacted within the narrative to allow you to complete the tasks on your own, but a full table of answers is available at the end of this walkthrough.
A server is already compromised. The attacker believes they cleaned up after themselves. Your job is finding what they left behind before the machine goes back to production. The IR team has isolated the machine and handed you credentials for an account with root privileges. Five backdoors are planted somewhere on the system. Finding them requires knowing what a clean Linux install looks like: accounts, cron entries, shell startup files, SSH keys, services, and binaries that have no business being there. Anything that doesn't match the baseline is a lead. ...

March 15, 2026 · Mario Martinez Jr.

TryHackMe: Preparation

Author: Mario Martinez Jr. (ku5e / Gary7) | TryHackMe USA Rank #76 | Top 1%
Difficulty: Easy
Topics: Incident Response, CSIRT, Digital Forensics, Log Management, Windows Event Logs
Answers are redacted within the narrative to allow you to complete the tasks on your own, but a full table of answers is available at the end of this walkthrough.
This room covers the Preparation phase of the incident response lifecycle, the foundation that determines whether a team can respond to a breach effectively or scramble in the dark. You take the role of an incident responder building out the people, processes, and technology required to detect and contain adversarial activity before the next room moves into identification and scoping. ...

March 15, 2026 · Mario Martinez Jr.

TryHackMe: Identification & Scoping

Author: Mario Martinez Jr. (ku5e / Gary7) | TryHackMe USA Top 1%
Difficulty: Easy
Topics: Incident Response, Security Alerts, Asset Inventory, IoC Management
Answers are redacted within the narrative to allow you to complete the tasks on your own, but a full table of answers is available at the end of this walkthrough.
This room positions you as an incident responder at SwiftSpend Financial (SSF), a fictional organization facing a potential security compromise. You work through a series of support tickets in Outlook, cross-reference an Asset Inventory, and populate a Spreadsheet of Doom (SoD) with indicators of compromise. The room frames itself around identification, scoping, and the feedback loop between the two. In practice, it functions as an email reading exercise where you extract IoCs from ticket exchanges and map them to organizational assets. ...

March 15, 2026 · Mario Martinez Jr.

TryHackMe: Eradication and Remediation

Author: Mario Martinez Jr. (ku5e / Gary7) | TryHackMe USA Top 1%
Difficulty: Medium
Topics: Incident Response, Eradication, Remediation, MITRE ATT&CK, Jenkins, Cyber Kill Chain
Answers are redacted within the narrative to allow you to complete the tasks on your own, but a full table of answers is available at the end of this walkthrough.
This is the fourth room in the Live IR Module, picking up after Preparation, Identification and Scoping, and Threat Intel and Containment. By this point the scope is set and the adversary is identified. The job now is to remove them cleanly, patch what let them in, and bring systems back online without handing the attacker a warning signal in the process. The room tests your sleuthing ability as much as your IR theory, and the MITRE ATT&CK Framework proves its worth again. ...

March 15, 2026 · Mario Martinez Jr.

TryHackMe: Atomic Bird Goes Purple #2

Author: Mario Martinez Jr. (ku5e / Gary7) | TryHackMe USA Rank #76 | Top 1%
Difficulty: Medium
Topics: Purple Teaming, Threat Emulation, Atomic Red Team, Credential Access, Defense Evasion, Persistence, Registry Manipulation, Service Creation
Answers are redacted within the narrative to allow you to complete the tasks on your own, but a full table of answers is available at the end of this walkthrough. ...

March 8, 2026 · Mario Martinez Jr.

TryHackMe: Atomic Bird Goes Purple #1

Author: Mario Martinez Jr. (ku5e / Gary7) | TryHackMe USA Rank #76 | Top 1%
Difficulty: Medium
Topics: Purple Teaming, Threat Emulation, Atomic Red Team, Windows Event Logs, Sysmon, Aurora EDR
Answers are redacted within the narrative to allow you to complete the tasks on your own, but a full table of answers is available at the end of this walkthrough.
This room puts you inside a Purple Team exercise built around the Atomic Red Team project. You emulate real adversary tactics across system discovery, credential capture, file manipulation, clipboard abuse, and system file hijacking, then investigate the artifacts each technique leaves behind. The goal is not just to run attacks but to understand what defenders see when those attacks run. ...

March 8, 2026 · Mario Martinez Jr.