# How Security Analysts Fail | Learn with Hack The Box

## Metadata

- **Channel:** Hack The Box
- **YouTube:** https://www.youtube.com/watch?v=rEvlaw_eqs0
- **Date:** 07.05.2026
- **Duration:** 8:35
- **Views:** 1,490
- **Source:** https://ekstraktznaniy.ru/video/51731

## Description

Ever wonder how an attack slips by trained defenders? Looking to double the prizes for our video giveaways? 🤔

Then check it!

In this episode of Learn with HTB, @CyberStudies shows us a couple of quick examples of why some due diligence is key for anyone looking into a security career. 

Be sure to comment below and answer our question in this video for a chance to win a prize! Help us reach 10k views, and we will double the prize we give out this time. 🔥

Additionally, we are still working on getting the Hype feature set up, so stay tuned for that! 

Join our community and find fellow security nerds on Discord: https://discord.com/invite/hackthebox

#HTB #CaptureTheFlag #CyberSecurity #LearnHacking #BlueTeam #Infosec #CareerGrowth

## Transcript

### Segment 1 (00:00 - 05:00)

If you're not looking hard enough, an attack can simply sneak right past you. On today's episode, we're going to discuss a way of gaining a little bit of a danger sense for when things feel a little bit too normal. So, buckle up, because we're going to dive into some of the simple things that even veteran SOC analysts miss.

Before we get into the weeds here, I want to discuss a new thing we're trying with the Learn with Hack The Box series. We're introducing these challenge questions that you can answer down in the comments below to have a chance to win a prize. Now, in this particular video, if we can get our viewership over 10,000, we're actually going to double down and give away two prizes instead of one. So, make sure you get down in the comment section below. Make sure to hit like and subscribe. Do all the cool YouTube algorithm things. But also, let's show some love to the new YouTube hype button, so we can get some more viewership on this video and get this out to more defenders in our space.

So, let's talk about failure. Now, when it comes to security analyst work, it's not this big, obvious, red-flashing-lights kind of thing. Failure is actually very quiet. In our space, we're inundated with a lot of alerts, and so it's very easy to say, "Hey, we're going to look at the high-criticality stuff. The low-criticality stuff can wait until later." Or, when we're looking at 50-plus events in a short given time, it's easy to just trust the system and say, "Hey, it was already remediated. No need to go back and double-check the work." In the sense of digging through, a lot of our failure comes from just not being curious, but rather turning into this complacent thing that just checks the box. So, the first big trap that we're going to go over tonight is something that I've personally dubbed the VirusTotal Mirage.
Now, what this is: you take a file hash from an alert and you throw it into VirusTotal or your scanner of choice, and you see something that's indicative of zero out of blank detections found. So, the common thought is, "Hey, there's no malicious activity found on this. What a sigh of relief. We're going to mark this as a false positive and move on with our way." But I'm going to show you a quick demo on why that may not be the case.

All right, so we're currently in our lab environment, and I went ahead and created a simple script that would demonstrate beaconing activity. What it does is act as a C2 beaconing node that reaches out over HTTP. So, it's a very simple put-together script here, a couple of lines. And I'm going to go ahead and throw that into PowerShell. Let's go ahead and use Python in my environment here, and then we're going to run listener.py. So, we're going to get that listener going, and it's waiting for that C2 to start beaconing out. Then over here, Python, and then we're going to run the VT demo. Once we fire this, on the left here we're going to see the activity as it's kicking off these beacons, and it's going to do six of those. So, it's going to be creating actual traffic in our network, and it actually goes through and creates marker files. It's semi-indicative of what an actual C2 attack would look like. This is just a very basic demo. But all of this is to say, this is what it's currently doing: it's dropping files onto the host machine, it is moving across the network, it is making that scheduled beaconing activity. This looks kind of suspicious in nature. So, what we're going to do is stop all of this really quick. And then we're going to take that file that we created, our Python file, and we are going to drop it into VirusTotal.
Now, VirusTotal here is not the only scanner, but it is the big, popular scanner. We're going to go through File Explorer, pull that file really quick, and toss it right into our scanner. Let's confirm that upload. And again, the activity itself was super suspicious; nothing about it seemed legitimate in nature. It's going to go through, it's going to crunch, it's going to say, "Hey, based off of the hash that was in our file or our alerts, it's going to run it through all these different scanners that we're going to see here, if they've seen this activity before." And with any luck, we should see right here that there are no security issues whatsoever. A zero out of 62. This is clean, so to speak. But what's going on is, because it's never seen this activity before, it just doesn't know what it's currently looking at. It can look at the behaviors, but it can only do so much. And what if this changes in the future? We don't know, but in its current state, this is what we're looking at. So, all these scanners say that this is undetected, more analysis needed.

So, this is where the failure actually starts. If you have a zero threat score, it doesn't mean that the file itself is safe. It just means the specific hash has not been found by vendors or scanners in the wild. If you have a threat actor that makes something cool and custom, no one's seen it before, it's just going to be a zero threat score because they just don't know. No one's done the analysis yet.

### Segment 2 (05:00 - 08:00)

But if you have a Word document that is reaching out to a foreign IP address that is not approved in the scope of work, the threat score doesn't even matter, right? You're trusting the behavior itself over the threat score. So, follow your intuition; make sure you're doing the proper analysis, because these things are simple, easy kills. This leads me to my first challenge question for the sweepstakes offered in this video: what is the first thing we look for when we have a high-severity alert and everything looks a little bit too clean? Drop your thinking process down below in the comments.

Another way that analysts can miss the mark is by simply confusing malicious activity with admin activity. Now, this is a classic textbook example, but we're looking at something like odd PowerShell commands that are encoded, or someone running PsExec in your environment. You think this is weird on its own, so you dig into it and you see that it was run by a domain admin, and in the Active Directory details it was just Bob from the IT team. So, you think, "Hey, no big deal. It's just Bob doing Bob things," and you just leave it as is without digging any further into it. This is a massive win for threat actors. Threat actors love using pwned IT admin credentials because the typical analyst is almost conditioned, by accident, unfortunately, to ignore this activity. This activity is typical in nature. As long as these individuals, these trusted agents, are doing their work as admin IT, they're fine. And that couldn't be further from the truth. So, we have to look at things not so much from a capability standpoint, but rather from an intent standpoint. It's not so much, "Hey, is Bob doing this activity?" That's not so weird. It's more, "Hey, Bob is doing that activity on a Sunday at 3:00 a.m." It's just basic analysis. It's not even that technical.
It's just that sometimes we leave these crown jewels, these important IT accounts, with the doors wide open. Another challenge question would be: what is the weirdest thing that you've seen a legitimate admin do in your environment that turned out to be authorized? I myself have seen some really weird stuff, so I'd love to read your comments down below.

So, where do we go from here? I mentioned at the beginning of the video that we want to develop that danger sense for when things look a little bit too good on the tool set, but the activity itself is not necessarily aligning with that. If you have a hunch, you want to stick with it. It's a lot easier to take care of things by spending a little more time on the front end and making sure the incident is actually closed out and good, that those alerts are good, as opposed to coming into the office the next day and there's a bunch of laughing skulls and crossbones on everyone's computer display. You closed those alerts, but now you can't access them, you know? But maintain a good baseline to the best of your ability in your environment, making sure the networks are working the way they're supposed to, and just stay curious in the quiet time. If you want to make sure you're not a statistic in one of those breach reports, you've got to keep sharpening those defensive skills.

For those who are just getting started or trying to get ahead, I highly recommend the Learn with Hack The Box Academy module. This will allow you to get a lay of the land of the guided learning experience that Hack The Box has to offer. For our more advanced users who are trying to get to the deep end of the pool, I highly recommend some of our advanced modules in the Learn with Hack The Box Academy, particularly the persistence tradecraft analysis modules as well as the privilege escalation.
These are the ones that are going to show you how the pros hide and then how we sniff them out. But thank you guys so much for watching. Remember to get those comments down below for the sweepstakes offerings, as well as smashing that like and hype button. Thank you so much for watching, and have a good one.
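The two traps the video walks through, an unknown script scoring zero out of 62 on VirusTotal while it beacons on a fixed interval, and a domain admin's PsExec or encoded PowerShell being waved through on identity alone, both come down to scoring behaviour against a baseline rather than trusting a hash verdict or an account name. The following Python is an added example, not code from the video or from Hack The Box. The connection log, admin events, hostnames, IP addresses, the working-hours baseline and the beacon thresholds (at least five connections whose inter-arrival coefficient of variation is 0.1 or less) are all constructed assumptions chosen for the demo.

```python
"""
Behaviour-first triage for alerts that look "too clean" (added example; not
from the video or from Hack The Box). It implements the two checks the
transcript argues for:
  1. outbound connections on a near-constant interval (beaconing) are
     escalated regardless of a 0/N VirusTotal verdict on the file hash;
  2. admin tooling (PsExec, encoded PowerShell) run by a legitimate admin is
     judged against that account's baseline days and hours, not its privileges.
All log lines, hostnames, IPs, the baseline and the thresholds are constructed
for the demo and are assumptions, not data from the video.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound connection log: (ISO timestamp, source host, destination)
CONNECTIONS = [
    # six beacons from WS-042 to 203.0.113.10:80, roughly one per minute
    ("2026-05-03T14:00:00", "WS-042", "203.0.113.10:80"),
    ("2026-05-03T14:01:00", "WS-042", "203.0.113.10:80"),
    ("2026-05-03T14:02:01", "WS-042", "203.0.113.10:80"),
    ("2026-05-03T14:03:00", "WS-042", "203.0.113.10:80"),
    ("2026-05-03T14:04:00", "WS-042", "203.0.113.10:80"),
    ("2026-05-03T14:05:01", "WS-042", "203.0.113.10:80"),
    # ordinary browsing from the same host: irregular gaps, not a beacon
    ("2026-05-03T14:00:07", "WS-042", "198.51.100.5:443"),
    ("2026-05-03T14:00:09", "WS-042", "198.51.100.5:443"),
    ("2026-05-03T14:03:40", "WS-042", "198.51.100.5:443"),
    ("2026-05-03T14:12:02", "WS-042", "198.51.100.5:443"),
    ("2026-05-03T14:12:03", "WS-042", "198.51.100.5:443"),
]

# Constructed admin-tool events: (ISO timestamp, user, tool, target host)
ADMIN_EVENTS = [
    ("2026-05-05T10:15:00", "bob", "psexec", "FS-01"),           # Tuesday, office hours
    ("2026-05-03T03:02:00", "bob", "powershell -enc", "DC-01"),  # Sunday, 03:02
]

# Constructed baseline per account: weekdays (Mon=0 .. Sun=6) and hours it is normally active
BASELINE = {"bob": {"days": set(range(0, 5)), "hours": range(7, 19)}}


def beacon_candidates(connections, min_count=5, max_cv=0.1):
    """Return {(host, dst): interval_seconds} for series whose gaps are near-constant,
    i.e. the coefficient of variation (stdev / mean) of inter-arrival times <= max_cv."""
    series = defaultdict(list)
    for ts, host, dst in connections:
        series[(host, dst)].append(datetime.fromisoformat(ts))
    found = {}
    for key, times in series.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            found[key] = round(avg)
    return found


def off_baseline(events, baseline):
    """Return admin-tool events that fall outside the user's normal days or hours
    (or that belong to a user with no baseline at all)."""
    flagged = []
    for ts, user, tool, target in events:
        when = datetime.fromisoformat(ts)
        profile = baseline.get(user)
        if (profile is None or when.weekday() not in profile["days"]
                or when.hour not in profile["hours"]):
            flagged.append((ts, user, tool, target))
    return flagged


def triage(vt_verdict, connections, admin_events, baseline):
    """Decide on behaviour. The VirusTotal verdict ("detections/engines") can raise
    the decision but never lowers it: 0/62 only means no engine has seen the hash."""
    findings = []
    for (host, dst), interval in beacon_candidates(connections).items():
        findings.append(f"{host} -> {dst} on a ~{interval}s interval (beacon-like)")
    for ts, user, tool, target in off_baseline(admin_events, baseline):
        findings.append(f"{user} ran {tool} against {target} at {ts}, outside baseline")
    detections = int(vt_verdict.split("/")[0])
    if findings or detections > 0:
        verdict = "escalate"
    else:
        verdict = "needs_more_analysis"   # never "false_positive" on the hash alone
    return {"vt": vt_verdict, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    result = triage("0/62", CONNECTIONS, ADMIN_EVENTS, BASELINE)
    print(f"VirusTotal: {result['vt']}  ->  {result['verdict']}")
    for line in result["findings"]:
        print("  -", line)
```

Run as written, the script escalates on both the one-minute beacon and Bob's Sunday 03:02 encoded PowerShell even though the hash verdict is 0/62; with no behavioural findings and no detections it returns `needs_more_analysis` rather than closing the alert as a false positive. The coefficient-of-variation threshold is deliberately tight so that bursty browsing to the same destination does not trip it; real C2 frameworks add jitter, so in production you would widen `max_cv` and add a check on the number of distinct destinations per host.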
