In this post, we talked about MISP, its use cases and features. We also covered how to share malware indicators of compromise using the MISP platform. Finally, we solved the TryHackMe room named MISP.

Please watch the video at the bottom for full detailed explanation of the walkthrough.

What is MISP

MISP is an open-source threat information platform that facilitates the collection, storage and distribution of threat intelligence and Indicators of Compromise (IOCs) related to malware, cyber attacks, financial fraud or any intelligence within a community of trusted members.
The threat information can be distributed and consumed by Network Intrusion Detection Systems (NIDS), log analysis tools and Security Information and Event Management Systems (SIEM).

Purpose: Designed to collect, store, and share threat intelligence specifically related to malware and its indicators of compromise (IOCs).

Scope:

  • Helps security professionals and organizations collaborate on malware analysis.
  • Focuses exclusively on malware-related threats and their indicators.

MISP Use Cases

Reverse Engineering:

  • Sharing IOCs aids in understanding how various malware families function.
  • Helps malware analysts reverse engineer malicious software.

Security Investigations:

  • Provides a repository for IOCs to assist in identifying and analyzing security breaches.
  • Enables validation of potential threats during an ongoing investigation.

Intelligence Analysis:

  • Collects adversary group data, including their tactics, techniques, and procedures (TTPs).
  • Aligns with frameworks like MITRE ATT&CK to categorize adversary behaviors.

Risk Analysis:

  • Assists in understanding the likelihood and potential impact of malware attacks.
  • Evaluates emerging threats for risk management in organizations.

Key Functionalities of Malware Information Sharing Platforms

  • IOC database: This allows for the storage of technical and non-technical information about malware samples, incidents, attackers and intelligence.
  • Automatic Correlation: Identification of relationships between attributes and indicators from malware, attack campaigns or analysis.
  • Data Sharing: This allows for sharing of information using different models of distributions and among different MISP instances.
  • Import & Export Features: This allows the import and export of events in different formats to integrate other systems such as NIDS, HIDS, and OpenIOC.
  • Event Graph: Showcases the relationships between objects and attributes identified from events.
  • API support: Supports integration with own systems to fetch and export events and intelligence.
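To make the "Automatic Correlation" item above concrete, here is a small added example (not MISP's own code) that does what the platform does behind the scenes: it walks a list of events in the MISP JSON layout and reports every indicator value that appears in more than one event. The events, their ids and the indicator values are constructed for this example; the handling of composite types (such as ip-dst|port) and the decision to skip ports and filenames as too generic are this example's simplifications, not a statement of MISP's exact correlation rules.

```python
from collections import defaultdict

# Attribute types whose values are hex digests; compare them case-insensitively.
HASH_TYPES = {"md5", "sha1", "sha256"}

# Parts of a composite attribute that are too generic to correlate on
# (assumption made for this example).
SKIP_PARTS = {"port", "filename"}


def correlation_keys(attr):
    """Yield the normalised values an attribute should correlate on.

    Composite types such as 'ip-dst|port' or 'filename|md5' carry two values
    separated by '|'; each part is checked against its own sub-type.
    """
    types = attr["type"].split("|")
    values = attr["value"].split("|")
    for sub_type, sub_value in zip(types, values):
        if sub_type in SKIP_PARTS:
            continue
        yield sub_value.lower() if sub_type in HASH_TYPES else sub_value


def correlate(events):
    """Map each indicator value shared by several events to the set of event ids."""
    seen = defaultdict(set)
    for event in events:
        for attr in event["Attribute"]:
            for key in correlation_keys(attr):
                seen[key].add(event["id"])
    return {value: ids for value, ids in seen.items() if len(ids) > 1}


# Constructed sample events in MISP's JSON layout (ids and values are made up;
# the IP addresses come from the RFC 5737 documentation ranges).
SAMPLE_EVENTS = [
    {"id": 1001, "info": "Sample RAT campaign A", "Attribute": [
        {"type": "ip-dst", "category": "Network activity",
         "value": "192.0.2.10"},
        {"type": "md5", "category": "Payload delivery",
         "value": "d41d8cd98f00b204e9800998ecf8427e"},
    ]},
    {"id": 1002, "info": "Sample phishing wave B", "Attribute": [
        {"type": "ip-dst|port", "category": "Network activity",
         "value": "192.0.2.10|443"},
        {"type": "filename|md5", "category": "Payload delivery",
         "value": "invoice.exe|D41D8CD98F00B204E9800998ECF8427E"},
    ]},
    {"id": 1003, "info": "Unrelated scan", "Attribute": [
        {"type": "ip-src", "category": "Network activity",
         "value": "198.51.100.7"},
    ]},
]


if __name__ == "__main__":
    for value, ids in sorted(correlate(SAMPLE_EVENTS).items()):
        print(f"{value} is shared by events {sorted(ids)}")
```

Run stand-alone, the script reports that the C2 address and the sample hash tie events 1001 and 1002 together, while event 1003 stays isolated; the upper-case hash and the port suffix are the two cases a naive string comparison would miss.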

Dashboard Walkthrough

  • Live Feed:
    • Displays real-time events created by analysts.
    • Events include IOCs and metadata about specific malware families.
  • Event Actions:
    • Analysts can create and manage malware-related events.
    • Options include adding IOCs, categorizing data, and controlling distribution levels.

Creating Events and Attributes in MISP

  1. Adding Events:
    • Analysts provide event details such as:
      • Description of the malware.
      • Distribution settings to control visibility.
      • Threat level and type of analysis (initial, ongoing, completed).
    • Events require admin approval before being published.
  2. Adding Attributes:
    • Attributes provide more granular details about malware, including:
      • Categories: Antivirus detection, network activity, payload delivery, etc.
      • Types: IP addresses, file hashes, text comments, etc.
      • Example: Adding a destination IP associated with a Command and Control (C2) server.
  3. Adding Attachments:
    • Malware samples can be uploaded as attachments.
    • Samples are protected (e.g., password-zipped) to prevent accidental execution.

MISP Practical Application

  • Demonstration of creating an event, adding IOCs, and configuring attributes.
  • Example:
    • Adding IP addresses and file hashes.
    • Marking attributes for IDS export to enhance network security.
  • Uploading malware samples under appropriate categories (e.g., payload delivery).
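The event-creation steps above (event details, attributes with a category and type, the IDS-export flag) map directly onto the fields of MISP's JSON event format. The following added example, which is not code from the original post or from the MISP project, builds such an event in plain Python without the PyMISP library, validates category/type pairs against a small subset of the combinations MISP accepts (the subset is an assumption for this example), and pulls out the attributes marked for IDS export. The C2 address is the one the room identifies; the hash and AV detection name are constructed sample values.

```python
import json

# Numeric codes MISP uses for the event fields set in the "Add Event" form.
DISTRIBUTION = {"org_only": 0, "community": 1, "connected": 2, "all": 3}
THREAT_LEVEL = {"high": 1, "medium": 2, "low": 3, "undefined": 4}
ANALYSIS = {"initial": 0, "ongoing": 1, "completed": 2}

# Small subset of the category/type pairs MISP accepts (assumption for this
# example; the platform ships a much longer list).
ALLOWED_TYPES = {
    "Network activity": {"ip-dst", "ip-src", "domain", "url"},
    "Payload delivery": {"md5", "sha1", "sha256", "filename", "attachment"},
    "Antivirus detection": {"text", "link"},
}


def valid_pair(category, type_):
    """True when the attribute type is allowed inside the given category."""
    return type_ in ALLOWED_TYPES.get(category, set())


class MISPEventBuilder:
    """Assemble one event in the MISP JSON layout."""

    def __init__(self, info, distribution="org_only",
                 threat_level="undefined", analysis="initial"):
        self.event = {
            "info": info,
            "distribution": DISTRIBUTION[distribution],
            "threat_level_id": THREAT_LEVEL[threat_level],
            "analysis": ANALYSIS[analysis],
            "published": False,  # publishing is a separate, privileged step
            "Attribute": [],
        }

    def add_attribute(self, category, type_, value, to_ids=False, comment=""):
        """Append one attribute; to_ids marks it for IDS export."""
        if not valid_pair(category, type_):
            raise ValueError(f"type {type_!r} is not valid in category {category!r}")
        attribute = {"category": category, "type": type_, "value": value,
                     "to_ids": to_ids, "comment": comment}
        self.event["Attribute"].append(attribute)
        return attribute

    def ids_export(self):
        """Return only the attributes flagged for IDS export as (type, value) pairs."""
        return [(a["type"], a["value"]) for a in self.event["Attribute"] if a["to_ids"]]

    def to_json(self):
        """Serialise in the {"Event": {...}} envelope MISP's import/export uses."""
        return json.dumps({"Event": self.event}, indent=2)


def build_sample_event():
    """Constructed example: a PupyRAT-style event with the C2 address from the
    room, a sample hash, and an AV detection name kept out of the IDS export."""
    builder = MISPEventBuilder("PupyRAT C2 infrastructure (sample event)",
                               distribution="community", threat_level="high",
                               analysis="initial")
    builder.add_attribute("Network activity", "ip-dst", "89.107.62.39",
                          to_ids=True, comment="C2 server")
    builder.add_attribute("Payload delivery", "md5",
                          "5d41402abc4b2a76b9719d911017c592",
                          to_ids=True, comment="sample hash (constructed)")
    builder.add_attribute("Antivirus detection", "text",
                          "Generic.RAT (constructed detection name)", to_ids=False)
    return builder


if __name__ == "__main__":
    sample = build_sample_event()
    print(sample.to_json())
    print("IDS export:", sample.ids_export())
```

The free-text AV detection is deliberately left with to_ids off: exporting it would add noise to a NIDS, which is exactly the distinction the "Marking attributes for IDS export" step in the room is about.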

Room Answers | TryHackMe MISP

How many distribution options does MISP provide to share threat information?
4

Which user has the role to publish events?

Organisation Admin

What event ID has been assigned to the PupyRAT event?
1145

The event is associated with the adversary gaining __ into organisations.

Remote Access

What IP address has been mapped as the PupyRAT C2 Server

89.107.62.39

From the Intrusion Set Galaxy, what attack group is known to use this form of attack?

Magic Hound

There is a taxonomy tag set with a Certainty level of 50. Which one is it?

OSINT

TryHackMe MISP

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.
