June 16, 2026
AI/ML Security Threats: AI Cyber Assistant Practical
Atthar Lubis
Introduction
One of the more interesting ideas in modern cybersecurity is using AI to fight AI. It sounds paradoxical at first, but as threats grow more sophisticated, so do the tools we use to counter them. TryHackMe's AI/ML Security Threats room puts this concept into practice with a hands-on task that gives you access to your own AI cyber assistant. The goal is simple: explore how AI can be leveraged in a defensive security context.
This walkthrough covers Task 6 — the practical portion of the room — where I used the AI assistant across four real-world security scenarios.
AI for Defensive Security Use Cases within this practical
- Log Analysis — feeding it an SSH auth log line and getting a breakdown of a potential brute-force attempt
- Regex Generation — asking it to write a pattern to detect failed SSH logins in Linux auth logs
- Phishing Detection — submitting a suspicious email and having it flag the red flags (spoofed domain, urgency tactics, misspelled sender)
- Threat Hunting — generating realistic corporate threat hunting scenarios (lateral movement, DNS recon, persistence via scheduled tasks)
Log Analysis:
The assistant broke the log entry down clearly:
- The event occurred on April 22nd at 11:45:09 on an Ubuntu system
- The SSH daemon (sshd, process ID 1245) recorded a failed login attempt
- Someone tried to authenticate as `admin` — flagged as an invalid user
- The connection originated from IP `203.0.113.55` via port 56231 using SSH-2
The assistant concluded this was likely a brute-force or unauthorized access attempt, and offered to help analyze or respond further.
Regex Generation:
The assistant returned the following:
- `Failed password for` — matches the exact failure phrase
- `(invalid user )?` — optional, captures attempts flagged as invalid users
- `\w+` — matches the username
- `from` — literal string
- `\b(?:\d{1,3}\.){3}\d{1,3}\b` — matches a valid IPv4 address
- `port \d+` — matches the port number
- `ssh2` — confirms SSH protocol version 2
Writing regex from scratch for log parsing is tedious and error-prone. Having an AI generate and explain a pattern in seconds — and offer variations — is exactly the kind of workflow optimization that makes a difference in real environments.
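As an added example (not from the room or the assistant's output), the Python below assembles the components listed above into one pattern and runs it over constructed auth-log lines. Joining the pieces with single spaces, the named groups and the function names are assumptions; it also shows two limits of the pattern: the IPv4 piece accepts octets up to 999, and `\w+` misses usernames that contain a hyphen.

```python
import ipaddress
import re
from collections import Counter

# Components listed above joined with single spaces (assumption); the named
# groups are added here so the fields can be extracted.
FAILED_SSH = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\w+) from "
    r"(?P<ip>\b(?:\d{1,3}\.){3}\d{1,3}\b) port (?P<port>\d+) ssh2"
)

# Constructed sample lines; the first mirrors the fields described under Log Analysis.
SAMPLE_LOG = """\
Apr 22 11:45:09 ubuntu sshd[1245]: Failed password for invalid user admin from 203.0.113.55 port 56231 ssh2
Apr 22 11:45:12 ubuntu sshd[1245]: Failed password for invalid user admin from 203.0.113.55 port 56240 ssh2
Apr 22 11:45:15 ubuntu sshd[1247]: Failed password for root from 203.0.113.55 port 56252 ssh2
Apr 22 11:46:01 ubuntu sshd[1250]: Accepted password for alice from 198.51.100.7 port 40022 ssh2
Apr 22 11:46:30 ubuntu sshd[1251]: Failed password for svc-backup from 198.51.100.9 port 40100 ssh2
Apr 22 11:47:02 ubuntu sshd[1252]: Failed password for bob from 999.1.1.1 port 40101 ssh2
"""


def parse_failed_logins(text):
    """Return (events, rejected): parsed failures, and matches whose IP is invalid."""
    events, rejected = [], []
    for line in text.splitlines():
        m = FAILED_SSH.search(line)
        if not m:
            continue  # also skips names \w+ cannot match, e.g. svc-backup
        try:
            ipaddress.IPv4Address(m["ip"])  # \d{1,3} alone accepts 999
        except ipaddress.AddressValueError:
            rejected.append(line)
            continue
        events.append({"user": m["user"], "ip": m["ip"], "port": int(m["port"]),
                       "invalid_user": bool(m["invalid"])})
    return events, rejected


def sources_over_threshold(events, threshold=3):
    """Source IPs with at least `threshold` failed logins (brute-force candidates)."""
    counts = Counter(e["ip"] for e in events)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    events, rejected = parse_failed_logins(SAMPLE_LOG)
    print(sources_over_threshold(events), len(rejected))
```

Widening the username piece (for example to `\S+`) is the usual fix for the missed `svc-backup` line; the right threshold for flagging a source depends on the environment.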
Phishing Detection:
The assistant flagged four red flags:
- Suspicious URL — the link points to `microsoft365-support-verify.com`, not an official Microsoft domain
- Urgent and alarmist language — the 12-hour deadline and account suspension threat are designed to pressure the user into acting without thinking
- Misspelled sender address — `m1crosoft365-security.com` substitutes the letter `i` with the number `1`, a classic typosquatting trick
- Generic greeting — "Dear User" instead of a personalized name is a common indicator of mass phishing campaigns
In conclusion, the email is very likely a phishing attempt designed to steal credentials by impersonating Microsoft. Phishing remains one of the most effective attack vectors. An AI assistant that can instantly dissect the anatomy of a phishing email — and explain why each element is suspicious — is a powerful training and triage tool.
Threat Hunting:
The assistant returned the following:
1. Lateral Movement via Windows Administration Tools: Attackers frequently abuse legitimate tools like PowerShell, WMIC, and PsExec to move laterally after initial compromise. Analysts should hunt for high volumes of PowerShell executions, commands spawning from unusual parent processes, or remote PowerShell sessions reaching multiple hosts unexpectedly.
2. Reconnaissance Using Network Scanning or DNS Anomalies: Adversaries often conduct network discovery through DNS queries to map out valuable assets and open ports. Look for unusual DNS query patterns, high volumes of NXDOMAIN responses, or scanning activity targeting sensitive internal hosts from newly added devices.
3. Persistence via Scheduled Tasks or Autorun Entries: After gaining a foothold, attackers establish persistence through scheduled tasks, services, or autostart entries. Analysts should review recently created or modified scheduled tasks and startup entries that deviate from known baselines — paying close attention to suspicious names, commands, or execution paths.
Threat hunting is often an open-ended, experience-driven discipline. Having AI instantly generate realistic, structured scenarios is valuable both for seasoned analysts who want a starting point and for those newer to the field who are building their intuition.
Flag:
The flag for this practical was:
thm{DNS over HTTPS (DoH) Port/SYN flood timeout/ windows ephemeral port range size}
Therefore the flag is:
thm{443/60/16384}