
TryHackMe Linux Threat Detection 2 - Full Walkthrough 2025

2.9K views
Oct 11, 2025
53:50

🐱 Explore the first actions of attackers after breaching a Linux server and learn how to detect them.

🦒 Room Link: https://tryhackme.com/room/linuxthreatdetection2

🐲 What happens next after threat actors enter the Linux system? What commands do they run, and what goals do they aim to achieve? In this room, you'll find out by exploring common attack techniques, detecting them in logs, and analyzing a real-world cryptominer infection from start to finish.

🎯🎯 Learning Objectives 🎯🎯
📌 Explore how to identify Discovery commands in logs
📌 Learn common threats endangering Linux servers
📌 Know how attackers upload malware onto their victims
📌 Practice your skills by uncovering a real cryptominer attack

🎯🎯 Room Tasks 🎯🎯
🦠 [00:00] Task 1: Introduction & Lab
🦟 [02:45] Task 2: Discovery Overview
- Run systemd-detect-virt to detect the system's cloud. What is the command's output you discovered?
- Now run ps aux and look for EDR or antivirus processes. What is the full path to the detected antimalware binary?
🐢 [10:10] Task 3: Detecting Discovery
- What is the path of the script that initiated the "hostname" command?
- What was the last Discovery command launched by the script?
- Looking at the script content, what's the email of the script author?
[17:35] Task 4: Motivation for Attacks
- From which domain was the Elastic agent downloaded?
- What is the full path to the downloaded "helper.sh" script?
- Which of the downloaded files is more likely to be malicious: the one downloaded with curl or wget?
🦊 [28:00] Task 5: Dota3: First Actions
- Which IP address managed to brute-force the exposed SSH?
- Which command did the attacker use to list the last logged-in users?
- Which three EDR processes did the attacker look for with "egrep"? Answer Format: Separated by a comma, in alphabetical order.
🥨 [46:07] Task 6: Dota3: Miner Setup
- What is the name of the malicious archive that was transferred via SCP?
- What was the full command line of the cryptominer launch?
- Which IP address range did the attacker scan for an exposed SSH? Answer Example: 10.0.0.1-10.0.0.126.
🏅 [52:57] Task 7: Conclusion

🎯 Websites linked from the video: 🎯
📌 Dota3 Malware Again and Again: https://www.countercraftsec.com/blog/dota3-malware-again-and-again/
📌 Hygiene, Hygiene, Hygiene! [Guest Diary]: https://isc.sans.edu/diary/31260

⚠️ Educational Purpose Only
This content is for educational and authorized penetration testing purposes only. Always ensure you have permission before testing on any systems.

#tryhackme #linux #DFIR
