Threat Intelligence Tools

June 17, 2025
4 min read

Student: Tapiwanashe Mlambo
Room Link: https://tryhackme.com/room/threatinteltools


🧠 Introduction

In this room, I explored foundational threat intelligence concepts and practiced using publicly available tools for gathering Indicators of Compromise (IOCs), analyzing malware infrastructure, and understanding attacker behavior.

Rather than theoretical intel only, the tasks emphasized practical threat hunting — using services like Abuse.ch, urlscan.io, and Cisco’s Talos Intelligence — all tools relied on by SOC analysts, incident responders, and blue teamers in real-world environments.


📚 What I Learned

🔹 Threat Intelligence Types

  • Strategic Intel: Long-term risk analysis for business decisions
  • Tactical Intel: Adversary TTPs — useful for improving detection systems
  • Technical Intel: Low-level artefacts like IPs, hashes, and domain names
  • Operational Intel: Intelligence around specific planned or ongoing attacks

🔹 Key Questions Intel Answers:

  • Who’s attacking?
  • Why are they targeting us?
  • What are they using?
  • How can we detect and respond?

πŸ› οΈ Tools & Practical Exercises

πŸ” 1. URLScan.io

Purpose: Analyze a suspicious domain or link by watching how it behaves when loaded in a browser.

Task: Searched a suspicious domain to observe all the requests it makes, third-party connections, and how many external assets are loaded.

What I Learned:

  • Even legitimate-looking domains may load resources from shady subdomains.
  • URLScan helps identify phishing campaigns or malware delivery platforms by showing hidden redirects and scripts.

📸 URLScan report for tryhackme.com


🔗 2. Abuse.ch Platforms

Abuse.ch is an open-source intelligence project focused on malware, botnets, and C2 infrastructure. I explored several of their tools:

✅ a. ThreatFox

  • Task: Searched IOC 212.192.246.30:5555
  • Finding: This IP is flagged as a malware C2 server, linked to botnet activity.

Insight: ThreatFox maps IOCs to known malware families — useful for identifying malicious infrastructure before an attack escalates.

📸 ThreatFox IOC details with malware label


✅ b. SSL Blacklist (SSLBL)

  • Task: Queried JA3 fingerprint 51c64c77e60f3980eea90869b68c58a8
  • Finding: Identified as a malicious SSL fingerprint used by multiple malware variants.

Insight: Attackers often reuse JA3 signatures; because JA3 fingerprints the unencrypted TLS Client Hello, tracking these fingerprints can detect encrypted C2 traffic without decrypting it.

📸 SSLBL JA3 fingerprint result


✅ c. URLHaus

  • Task: Searched recent URLs associated with malware distribution
  • Observation: Found several payload delivery sites using legitimate-looking domains (typosquatting).

📸 URLHaus database entry


✅ d. Feodo Tracker

  • Task: Browsed active C2 servers for Emotet, Dridex, and Trickbot
  • Use Case: Helpful for updating firewall and proxy blocklists in real time.

📸 Feodo Tracker C2 list


📧 3. PhishTool

Task: Analyzed email headers and content to detect phishing tactics

  • Checked SPF/DKIM validation
  • Reviewed sender reputation and link behavior
  • Flagged suspicious attachments

Key Takeaway: PhishTool helps automate phishing email triage and enables defenders to respond faster.


πŸ›‘οΈ 4. Talos Intelligence (Cisco)

Task: Checked reputation of domains and IPs

  • Queried known phishing links
  • Compared results with ThreatFox and URLHaus

Why It Matters: Talos combines Cisco telemetry with public data. Using multiple sources increases IOC confidence.

📸 Talos domain or IP reputation report


🧪 Scenario-Based Tasks

🔎 Scenario 1: Malware Hash Lookup

  • Step 1: Found the file hash from the malicious attachment
  • Step 2: Queried hash on VirusTotal
  • Result: Confirmed malware classification, including AV detection names and behavior signatures

📸 VirusTotal scan result


💭 Key Insights & Reflections

  • Correlation is Key: No single tool is enough — real power lies in cross-referencing findings across platforms (ThreatFox + Talos + URLHaus = more confidence).
  • Threat Intel Is Continuous: Indicators change fast. Tools like Feodo Tracker update daily — automation is critical for staying ahead.
  • Real-World Application: I can use these tools in incident response, phishing analysis, or as part of SOC workflows.
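As an added example of the correlation and automation points above (my own illustration, not code from the room or from Abuse.ch), the script below merges three constructed, feed-style extracts and counts how many independent sources confirm an indicator. The Feodo Tracker CSV, ThreatFox JSON and SSLBL JA3 list are simplified stand-ins for the real exports; the two IOC values are the ones looked up in the room.

```python
import csv
import json
import re
from collections import defaultdict

# Constructed sample feeds (not live data): a Feodo Tracker-style IP blocklist,
# a ThreatFox-style export and an SSLBL-style JA3 list, reduced to fields used here.
FEODO_CSV = """first_seen_utc,dst_ip,dst_port,c2_status,last_online,malware
2025-06-01 10:00:00,212.192.246.30,5555,online,2025-06-17,Dridex
2025-06-02 11:30:00,198.51.100.7,443,offline,2025-06-10,Emotet
"""
THREATFOX_JSON = json.dumps([
    {"ioc": "212.192.246.30:5555", "ioc_type": "ip:port", "malware": "Dridex"},
    {"ioc": "203.0.113.9:8080", "ioc_type": "ip:port", "malware": "TrickBot"},
    {"ioc": "51C64C77E60F3980EEA90869B68C58A8", "ioc_type": "ja3", "malware": "Dridex"},
])
SSLBL_JA3 = """# ja3_md5,malware
51c64c77e60f3980eea90869b68c58a8,Dridex
"""
JA3_RE = re.compile(r"^[0-9a-f]{32}$")

def normalize(ioc):
    """Canonical key so one indicator matches whichever feed it came from."""
    ioc = ioc.strip().lower()
    if JA3_RE.match(ioc):
        return ("ja3", ioc)
    host, port = ioc.rsplit(":", 1)  # ip:port, the form ThreatFox uses
    return ("ip:port", f"{host}:{int(port)}")

def load_feeds():
    """Merge every feed into {key: {"sources": set, "malware": set}}."""
    hits = defaultdict(lambda: {"sources": set(), "malware": set()})
    def add(ioc, source, family):
        hits[normalize(ioc)]["sources"].add(source)
        hits[normalize(ioc)]["malware"].add(family)
    for row in csv.DictReader(FEODO_CSV.splitlines()):
        add(f"{row['dst_ip']}:{row['dst_port']}", "feodo", row["malware"])
    for rec in json.loads(THREATFOX_JSON):
        add(rec["ioc"], "threatfox", rec["malware"])
    for line in SSLBL_JA3.splitlines():
        if line and not line.startswith("#"):
            ja3, family = line.split(",", 1)
            add(ja3, "sslbl", family)
    return hits

def confidence(ioc):
    """How many independent feeds confirm the indicator (0 means unknown)."""
    entry = load_feeds().get(normalize(ioc))
    return len(entry["sources"]) if entry else 0
```

Pointing the three loaders at the real downloadable feeds instead of the inline strings turns this into a small daily correlation job.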

✅ Final Thoughts

This room helped bridge theory with practice. It felt less like a simulation and more like hands-on analyst work — exploring actual malware, IOCs, and using the same tools professionals use in the field.

📸 Module completion final screenshot


πŸ—‚οΈ References