We discussed and introduced the TheHive platform, a security incident response platform used for collaboration and for exchanging incident information.

Hive Project Overview

The Hive Project is designed to facilitate collaboration and information exchange between security analysts, especially in Security Operations Centers (SOC). It is compared to other collaboration tools like Google Workspace, Microsoft Teams, and Trello, but it focuses specifically on managing security incidents.

Key features include live streaming, where multiple analysts can share information about an incident in real-time, and case management.

Core Functions of the Hive

Case Creation and Task Management: Analysts can create cases, assign tasks, and document relevant information such as tasks, observables (e.g., IP addresses, file hashes, domains), and TTPs (Tactics, Techniques, and Procedures from MITRE ATT&CK).

Observables: Analysts document key information during an investigation, such as Indicators of Compromise (IOCs), IPs, and other artifacts.

TTPs: The attack methods and procedures used by the attacker are also recorded, aiding in a detailed analysis.

Integration with Other Platforms

The Hive supports integration with SIEMs (Security Information and Event Management systems) and other sources, allowing the import of events. It can also be integrated with MISP (Malware Information Sharing Platform) to share and store threat intelligence, such as malware-related information and IOCs.

FTP Data Exfiltration Case Example

The video provides a practical example of using the Hive to investigate a data exfiltration incident over the FTP protocol.

The investigation shows how to analyze traffic, identify source and destination IPs, and review the FTP commands used during the attack. A file named flag.txt is exfiltrated, which becomes a key observable in the case.

Creating a Case in the Hive

The video walks through creating a case titled “FTP Data Exfiltration”, including defining the severity, TLP (Traffic Light Protocol), PAP (Permissible Actions Protocol), and adding tags. The tasks involve identifying the source of the attack, the target host, and the data being exfiltrated, and they are assigned to team members.
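As an added illustration (not code from the room or from TheHive itself), the case described above assembled as the JSON a TheHive case takes, with TLP, PAP and severity mapped to TheHive's integer codes and each observable validated before it is added. The IP addresses and description are constructed sample values, and the field layout assumes TheHive 4's case/observable JSON.

```python
import ipaddress
import json

# TheHive stores TLP and PAP as integers 0..3 and severity as 1..4 (assumption:
# this mirrors TheHive 4's case model; field names follow its REST JSON).
TLP = {"white": 0, "green": 1, "amber": 2, "red": 3}
PAP = {"white": 0, "green": 1, "amber": 2, "red": 3}
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# Subset of TheHive's built-in observable data types used in this case.
DATA_TYPES = {"ip", "domain", "filename", "hash", "url"}


def make_observable(data_type, value, ioc=False, tags=()):
    """Build one observable entry, validating the type and (for IPs) the value."""
    if data_type not in DATA_TYPES:
        raise ValueError(f"unsupported observable type: {data_type}")
    if data_type == "ip":
        ipaddress.ip_address(value)  # raises ValueError on a malformed address
    return {"dataType": data_type, "data": value, "ioc": ioc, "tags": list(tags)}


def make_case(title, description, severity, tlp, pap, tags, task_titles, observables):
    """Assemble the case JSON with TLP/PAP/severity mapped to TheHive's integer codes."""
    return {
        "title": title,
        "description": description,
        "severity": SEVERITY[severity],
        "tlp": TLP[tlp],
        "pap": PAP[pap],
        "tags": list(tags),
        "tasks": [{"title": t} for t in task_titles],
        "observables": observables,
    }


def ftp_exfil_case():
    """The 'FTP Data Exfiltration' case from the room, with constructed sample IPs."""
    observables = [
        make_observable("ip", "10.10.14.3", tags=["attacker", "ftp-client"]),
        make_observable("ip", "10.10.25.7", tags=["target", "ftp-server"]),
        make_observable("filename", "flag.txt", ioc=True, tags=["exfiltrated"]),
    ]
    tasks = ["Identify the source of the attack", "Identify the target host",
             "Identify the data being exfiltrated"]
    return make_case("FTP Data Exfiltration",
                     "Cleartext FTP session seen in the pcap; flag.txt left the host.",
                     "high", "amber", "amber", ["ftp", "exfiltration"], tasks, observables)


if __name__ == "__main__":
    print(json.dumps(ftp_exfil_case(), indent=2))
```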

TryHackMe TheHive Project | Room Answers

Which open-source platform supports the analysis of observables within TheHive?

Cortex

Which pre-configured account cannot manage any cases?

Admin

Which permission allows a user to create, update or delete observables?

manageObservable

Which permission allows a user to execute actions?

manageAction

Where are the TTPs imported from?

MITRE ATT&CK

According to the Framework, what type of Detection “Data source” would our investigation be classified under?

Network Traffic

Upload the pcap file as an observable. What is the flag obtained from https://MACHINE_IP//files/flag.html

THM{FILES_ARE_OBSERVABLES}

Video Walkthrough

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.
