Table of Contents

In this post, we talked about MISP, its uses cases and features. We also covered how to share Malware indicators of compromise using MISP platform. Finally, we solved the room named TryHackMe MISP.

Please watch the video at the bottom for full detailed explanation of the walkthrough.

Network Packets Analysis Study Notes

OSCP Study Notes

What is MISP

MISP is an open-source threat information platform that facilitates the collection, storage and distribution of threat intelligence and Indicators of Compromise (IOCs) related to malware, cyber attacks, financial fraud or any intelligence within a community of trusted members.
The threat information can be distributed and consumed by Network Intrusion Detection Systems (NIDS), log analysis tools and Security Information and Event Management Systems (SIEM).

MISP Use Cases

Malware Reverse Engineering: Sharing of malware indicators to understand how different malware families function.

Security Investigations:Searching, validating and using indicators in investigating security breaches.

Intelligence Analysis:Gathering information about adversary groups and their capabilities.

Law Enforcement:Using indicators to support forensic investigations.

Risk Analysis:Researching new threats, their likelihood and occurrences.

Fraud Analysis:Sharing of financial indicators to detect financial fraud.

Key Functionalities of Malware Information Sharing Platforms

  • IOC database: This allows for the storage of technical and non-technical information about malware samples, incidents, attackers and intelligence.
  • Automatic Correlation: Identification of relationships between attributes and indicators from malware, attack campaigns or analysis.
  • Data Sharing: This allows for sharing of information using different models of distributions and among different MISP instances.
  • Import & Export Features: This allows the import and export of events in different formats to integrate other systems such as NIDS, HIDS, and OpenIOC.
  • Event Graph: Showcases the relationships between objects and attributes identified from events.
  • API support: Supports integration with own systems to fetch and export events and intelligence.

Room Answers | TryHackMe MISP

How many distribution options does MISP provide to share threat information?
4

Which user has the role to publish events?

Organisation Admin

What event ID has been assigned to the PupyRAT event?
1145

The event is associated with the adversary gaining __ into organisations.

Remote Access

What IP address has been mapped as the PupyRAT C2 Server

89.107.62.39

From the Intrusion Set Galaxy, what attack group is known to use this form of attack?

Magic Hound

There is a taxonomy tag set with a Certainty level of 50. Which one is it?

OSINT

TryHackMe MISP

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by, Motasem Hamdan, who is a Cybersecurity content creator and YouTuber.

View Articles