📘
CAS Cybersecurity
  • Start
  • Reconnaissance
    • Opensource Intelligence
  • Docker basics and Images
    • Damn Vulnerable Webapp
    • bWAPP
    • Juice Webshop
    • Webgoat
    • Metasploitable 2
    • Metasploitable 3
    • MISP Docker (old)
    • MISP Docker (new)
  • Scanning and Enumeration
    • Scanning with zenmap
    • Scanning with nmap
    • Scanning with msf auxiliary
  • Vulnerability Scanning and Analysis
    • OpenVAS
    • nmap vulnerability scan
    • MSF Auxiliary Modules
  • Exploitation
    • Metasploitable 2
    • Redis Server
    • Print Nightmare
    • Baron Samedit
    • Polkit
    • Heartbleed
  • Man in the Middle
    • ARP Cache poisoning
    • RDP MitM Exercise
  • Windows Hacking
    • Throwback Network
      • Entering the breach
      • Exploring the caverns
      • Webshells and you!
      • First Contact
    • WinAttack LAB
      • Module 01
      • Module 02
      • Module 03
      • Module 04
      • Module 05
      • Module 06
      • Module 07
      • Module 08
      • Module 09
      • Module 10
  • Web Application Security
    • Burp Proxy Introduction
    • DVWA
      • DVWA Exercises 1
      • DVWA Exercises 2
      • DVWA Exercises 3
      • DVWA Exercises 4
      • DVWA Exercises 5
      • DVWA Exercises 6
      • DVWA Exercises 7
      • DVWA Exercises 8
  • CTF and Crypto Exercises
    • Cyberchef Challenge
    • HTB Invite Challenge
    • BSides London 2019 Challenge
    • Ninja Sec Challenge
  • Threat Intelligence
    • MISP Exercise 1
    • MISP Exercise 2
    • MISP Exercise 3
    • MISP Exercise 4
    • MISP Exercise 5
    • MISP Exercise 6
    • MISP Exercise 7
    • MISP Exercise 8
    • Virus Total Graph Exercise
    • RFI Incoming!
  • Forensic Exercises
    • Disk Forensics
      • The Sleuth Kit Intro
      • Filecarving with Foremost
      • Filecarving with scalpel
      • Bulk extractor
      • Disk acquisition with dd
      • Disk acquisition with dcfldd
      • Disk acquisition with ewftools
      • Disk acquisition with FTK Imager
      • Mount disk image (raw)
      • Unknown USB Stick
      • USB Stick Filecarving
      • Autopsy Exercise
    • Windows Forensics
      • Bitunlocker
      • Alternate Datastreams
    • Memory Forensics
      • Volatility2 Basics (Linux)
      • Volatility2 Exercise 1
      • Volatility3 Exercise 1
      • Volatility3 Exercise 2
      • Volatility3 Exercise 3
    • Image Forensics
      • Unswirl Image
      • Manual Filecarving 1
      • Manual Filecarving 2
    • Browser Forensics
    • Mail Header Analysis
    • Timestomping Exercise
    • Network Forensics
      • Tshark Exercise
  • Malware Analysis
    • Ransomware
      • General Introduction
      • Ryuk
      • RansomEXX
      • REvil
      • BlackMatter
      • Hades
      • Egregor
      • DoppelPaymer
    • YARA
      • YARA Install
      • yarGen
      • YARA with Cyberchef
      • TCP dump analysis
      • Memory dump analysis
    • Dosfuscated Scripts
  • Android Malware
    • LAB Setup 1
    • LAB Setup 2
    • Android Manifest
    • Android Permissions
    • APP Tracing with Frida
    • AES Key decryption
    • RedAlert
    • BlackRoseLucy
    • Crackme RE Challenge
  • Forensic Readiness
    • Windows Event Logs
    • Windows Sysmon
    • Sysmon: Capture Clipboard
    • Sysmon: Process Injection
    • Ransomware Detection
      • Signature based
  • Live Response
    • Velociraptor P1
    • Velociraptor P2
    • Velociraptor P3
    • Windows Response LAB
      • Lateral Movement Detection
      • Detect persistence
      • Volatility Analysis
Powered by GitBook
On this page
  • MISP Lab 01: Introduction
  • 1. Introduction
  • 2. MISP Docker setup
  • 3. Pulling a feed of events
  • 4. Viewing an Event
  • 3. Security Questions
  • 4. Answers

Was this helpful?

  1. Threat Intelligence

MISP Exercise 1

PreviousThreat IntelligenceNextMISP Exercise 2

Last updated 3 years ago

Was this helpful?

MISP Lab 01: Introduction

1. Introduction

In this Lab you will learn about MISP. MISP stands for Malware Information Sharing Platform and is used by many organisations around the world. The project is also Open Source.

The main purpose of MISP is to have a central system for registering, tracking and analysing malware.

2. MISP Docker setup

  1. Download Docker Image

cd /home/hacker/ git clone https://github.com/Hacking-Lab/misp-docker-image.git

  1. Start the docker container with the following command:

cd /home/hacker/misp-docker-image docker-compose up

Connect to MISP by opening your preferred web browser and open the url http://misp.localhost.

The MISP instance initialises all labs. Please wait until you are able to see the Hacking-Lab icon.

Login with the following credentials:

User: admin@misp-lab.com Password: compass

3. Pulling a feed of events

At this point, your MISP instance does not have any event it's database. Therefore we will subscribe to a feed which will populate your instance with events.

Sync Actions -> List Feeds

You will now see two default feeds. But they are not enabled, so no events are pulled from these sources. Please enable the feed with id 1 by clicking the checkmark and then hit enable selected.

Fetch and store all data

You can find the running background jobs under Administration -> Jobs . It should look something like this.

After a while, events will show up under Home . Take a look at some of the pulled events.

4. Viewing an Event

After a few minutes MISP should have pulled multiple events from the feed into its database. To view the Event, go to

Home -> List Events

You will see a list of all the events gathered by the feed you subscribed earlier. It should look something like this.

Please view two other events and compare the events. Click around and see what information can be stored and how this might be useful.

To shutdown your MISP instance, go back to your terminal window and press CTRL + C once. This command stops your docker containers. The data will be persistent.

^CGracefully stopping... (press Ctrl+C again to force)
Stopping misp-instance-E                    ... done
Stopping misp-instance-B                    ... done
Stopping misp-instance-A                    ... done
Stopping misp-instance-default              ... done
Stopping misp-docker-image_errorservice_1   ... done
Stopping database-instance-B                ... done
Stopping database-instance-default          ... done
Stopping database-instance-E                ... done
Stopping database-instance-A                ... done
Stopping traefik                            ... done

After the docker containers have been stopped, please executed the following command to delete the data folder. This will clean your instance for the next lab.

cd /home/hacker/misp-docker-image docker-compose down sudo rm -rf data-instance-default/

3. Security Questions

  1. Describe in your own words: What is MISP?

  2. Note what you think MISP is used for.

  3. Explain what a feed is.

4. Answers

The main purpose of MISP is to have a central system for registering, tracking and analysing malware.

MISP is an open source software solution for collecting, storing, distributing and sharing cybersecurity indicators and threats about cyber security incidents analysis and malware analysis.

Feeds are remote or local ressources containing indicators that can be automatically imported into MISP at regular intervals.