Anonymous4717 / BTL1-Cheatsheet


BTL1-Cheatsheet

These notes will come in handy in the exam.

SOC Fundamentals

List of common ports.

| Port | Service | Description |
|---|---|---|
| 20, 21 | FTP | File Transfer Protocol, used to transfer files between systems. |
| 22 | SSH | Secure Shell Protocol, allows users to securely connect to a remote host. |
| 23 | Telnet | Used before SSH; allows users to connect to a remote host but offers no encryption. |
| 25 | SMTP | Simple Mail Transfer Protocol, used to send emails between servers within the network or over the internet. |
| 53 | DNS | Domain Name System, converts human-readable domain names to machine-readable IP addresses. |
| 67, 68 | DHCP | Dynamic Host Configuration Protocol, automatically assigns IP address-related information to hosts on the network. |
| 80 | HTTP | Hypertext Transfer Protocol, allows browsers (Chrome, Firefox, etc.) to connect to web servers and request content. |
| 443 | HTTPS | Hypertext Transfer Protocol Secure, a secure version of HTTP which allows browsers to securely connect to web servers and request content. |
| 514 | Syslog | A Syslog server listens for incoming Syslog notifications, transported in UDP packets. |

Phishing Analysis

Gathering IOCs

  1. Email Artifacts:
  • Sending Email Address
  • Subject Line
  • Recipient Email Addresses
  • Sending Server IP & Reverse DNS
  • Reply-To Address
  • Date & Time
  2. Web Artifacts:
  • Full URLs
  • Domain Names
  3. File Artifacts:
  • Attachment Name
  • MD5, SHA1, SHA256 Hash Value
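An added example (not part of the cheatsheet) that pulls the email, web and file artifacts listed above out of a raw .eml with Python's standard library, and computes the MD5/SHA1/SHA256 values that the Hashes item of the Digital Forensics section produces with get-filehash and md5sum; the message, addresses, host and attachment are all constructed.

```python
import email, hashlib, re
from email import policy
from email.utils import getaddresses, parseaddr
from urllib.parse import urlparse
# Constructed sample, not a real email; the attachment is a harmless 12-byte blob.
SAMPLE_EML = b"""Received: from mail.example.test (mail.example.test [198.51.100.23]) by mx.victim.test with ESMTP id abc123; Mon, 01 Jan 2024 10:00:00 +0000
From: "IT Support" <support@example.test>
Reply-To: attacker-reply@example.test
To: alice@victim.test, bob@victim.test
Subject: Password expiry notice
Date: Mon, 01 Jan 2024 09:59:00 +0000
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please verify at http://login.example.test/reset before 5pm.
--XYZ
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--XYZ--
"""
URL_RE = re.compile(r"https?://[^\s<>\"']+")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def hash_bytes(data):
    # MD5, SHA1 and SHA256: the three file-artifact hashes listed above
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}

def extract_iocs(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    hdr = lambda name: str(msg.get(name, ""))
    # The topmost Received header was written by our own MX, so the bracketed
    # IP in it is the server that handed the message to us.
    ip = IP_RE.search(str((msg.get_all("Received") or [""])[0]))
    urls = [u for p in msg.walk() if p.get_content_type() == "text/plain"
            for u in URL_RE.findall(p.get_content())]
    files = []
    for part in msg.iter_attachments():  # get_payload(decode=True) undoes base64
        data = part.get_payload(decode=True) or b""
        files.append({"name": part.get_filename(), "size": len(data), **hash_bytes(data)})
    return {"sender": parseaddr(hdr("From"))[1], "subject": hdr("Subject"),
            "recipients": [a for _, a in getaddresses([hdr("To")])],
            "sending_ip": ip.group(1) if ip else None, "date": hdr("Date"),
            "reply_to": parseaddr(hdr("Reply-To"))[1], "urls": urls,
            "domains": sorted({urlparse(u).hostname for u in urls}),
            "attachments": files}
```

The mismatch between the From and Reply-To addresses, and the double extension on the attachment name, are exactly the kind of artifact the reputation and sandbox tools in the next section are then fed.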

Analyzing Artifacts

  1. Visualization Tools - URL2PNG, URLScan, AbuseIPDB
  2. URL Reputation Tools - VirusTotal, URLScan, URLhaus, WannaBrowser
  3. File Reputation Tools - VirusTotal, Talos File Reputation
  4. Malware Sandboxing - Hybrid Analysis, Any.run, VirusTotal, Joe Sandbox

Digital Forensics

  1. Data Representation - data can be represented in the following ways:
  • Base64
  • Hexadecimal
  • Octal
  • ASCII
  • Binary
  2. File Carving:
scalpel -b -o <output> <disk image file>
  3. Hashes:
  • Windows -

By default, the get-filehash command generates the SHA256 hash of a file,

get-filehash <file>

To generate MD5 hash of a file,

get-filehash -algorithm MD5 <file>

To generate SHA1 hash of a file,

get-filehash -algorithm SHA1 <file>
  • Linux -
md5sum <file>
sha1sum <file>
sha256sum <file>
  4. Find digital evidence with

    • FTK Imager - Import .img file in FTK imager
    • KAPE - Can be used for fast acquisition of data.
  5. Windows Investigations:

  • LNK Files - These files can be found at
C:\Users\$USER$\AppData\Roaming\Microsoft\Windows\Recent
  • Prefetch Files - These files can be found at
C:\Windows\Prefetch
    • PECmd - This tool can be used to view the prefetch files.
PECmd.exe -f <path/to/file.pf>
  • Jumplist Files - These files can be found at
C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations
  • Logon Events
    • ID 4624 - successful logons to the system.
    • ID 4672 - Special Logon events, where an account with administrator-level privileges logs in.
    • ID 4625 - Failed Logon events.
    • ID 4634 - Logoffs from the current session.

These event logs can be found at

C:\Windows\System32\winevt\Logs
  • Capture and view the browser history with
    • Browser History Viewer
    • Browser History Capturer
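An added example (not part of the cheatsheet) of the check an investigator runs over the logon events listed above: a burst of 4625 failures for one account followed by a 4624 success, with any 4672 special logon that grants it privileges. The records are a constructed, field-reduced view of Security-log events, not output of a real system.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Security-log records (not from a real host), reduced to the
# fields that matter here: time, EventID, target account, logon type, source.
SAMPLE_EVENTS = [
    ("2024-01-01 09:00:05", 4624, "alice", 2, "-"),
    ("2024-01-01 09:01:10", 4625, "svc_backup", 3, "10.0.0.55"),
    ("2024-01-01 09:01:12", 4625, "svc_backup", 3, "10.0.0.55"),
    ("2024-01-01 09:01:14", 4625, "svc_backup", 3, "10.0.0.55"),
    ("2024-01-01 09:01:15", 4625, "svc_backup", 3, "10.0.0.55"),
    ("2024-01-01 09:01:16", 4625, "svc_backup", 3, "10.0.0.55"),
    ("2024-01-01 09:01:20", 4624, "svc_backup", 3, "10.0.0.55"),
    ("2024-01-01 09:01:21", 4672, "svc_backup", 3, "10.0.0.55"),
    ("2024-01-01 17:30:00", 4634, "alice", 2, "-"),
]
LOGON_TYPES = {2: "Interactive", 3: "Network", 10: "RemoteInteractive"}

def parse(rec):
    ts, eid, user, ltype, src = rec
    return {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "id": eid,
            "user": user, "type": LOGON_TYPES.get(ltype, str(ltype)), "src": src}

def find_bruteforce_success(records, threshold=5, window=timedelta(minutes=5)):
    """Accounts with >= threshold 4625 failures inside `window`, then a 4624."""
    events = sorted((parse(r) for r in records), key=lambda e: e["time"])
    failures, alerts = defaultdict(list), []
    for e in events:
        if e["id"] == 4625:
            failures[e["user"]].append(e["time"])
        elif e["id"] == 4624:
            recent = [t for t in failures[e["user"]] if e["time"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"user": e["user"], "src": e["src"], "type": e["type"],
                               "failures": len(recent), "success_at": e["time"]})
            failures[e["user"]].clear()  # a success ends the failure run
    return alerts

def special_logons(records):
    """4672: accounts that were assigned admin-level privileges at logon."""
    return sorted({r[2] for r in records if r[1] == 4672})

def logoffs(records):
    """4634: accounts whose session ended, with the time."""
    return [(parse(r)["user"], parse(r)["time"]) for r in records if r[1] == 4634]
```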
  6. Linux Investigations:

    • /etc/passwd - contains information about every user account on the system.
    • /etc/shadow - contains encrypted passwords
    • Unshadow - used to combine the passwd and shadow files.
    • /var/lib - the file /var/lib/dpkg/status holds a list of all installed software packages.
    • .bash_history - contains all the commands issued by the user.
    • Hidden Files - files whose name begins with .
    • Clear Files - files that are accessible through standard means.
    • Steganography - practice of concealing messages or information within other non-secret text or data.
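An added example (not part of the cheatsheet) that parses the /etc/passwd and /etc/shadow formats named above, reproduces what the unshadow step does (putting each shadow hash back into passwd's second field) and flags the account anomalies checked first in a Linux investigation. Both files are constructed excerpts and the "$6$..." strings are placeholders, not real hashes.

```python
# Constructed /etc/passwd and /etc/shadow excerpts (not from a real host);
# the "$6$..." strings are placeholder hashes, not real ones.
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
backup2:x:0:1001:backup:/home/backup2:/bin/bash
guest:x:1002:1002::/home/guest:/bin/sh
"""
SHADOW = """root:$6$saltsalt$roothash:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
www-data:*:19700:0:99999:7:::
ubuntu:$6$saltsalt$ubuntuhash:19700:0:99999:7:::
backup2:$6$saltsalt$backuphash:19723:0:99999:7:::
guest::19723:0:99999:7:::
"""
NOLOGIN = ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false")

def parse_passwd(text):
    """name -> fields; the 7 colon-separated columns of /etc/passwd."""
    users = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _, uid, gid, _, home, shell = line.split(":")
            users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users

def parse_shadow(text):  # name -> password hash field (2nd column of /etc/shadow)
    return {l.split(":")[0]: l.split(":")[1] for l in text.splitlines() if l.strip()}

def unshadow(passwd_text, shadow_text):
    """What the unshadow tool does: put each shadow hash back into passwd's 'x' slot."""
    hashes = parse_shadow(shadow_text)
    out = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        f[1] = hashes.get(f[0], f[1])
        out.append(":".join(f))
    return out

def triage(passwd_text, shadow_text):
    """Flag the account anomalies an investigator checks first."""
    users, hashes = parse_passwd(passwd_text), parse_shadow(shadow_text)
    findings = []
    for name, u in users.items():
        if u["uid"] == 0 and name != "root":
            findings.append((name, "UID 0 account other than root"))
        if hashes.get(name) == "":
            findings.append((name, "empty password field in /etc/shadow"))
        if 0 < u["uid"] < 1000 and u["shell"] not in NOLOGIN:
            findings.append((name, "system account with an interactive shell"))
    return findings
```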
  7. Volatility -

Find the imageinfo of the file,

volatility -f /path/to/file.mem imageinfo

List the processes of a system,

volatility -f /path/to/file.mem --profile=PROFILE pslist

View the process listing in tree form,

volatility -f /path/to/file.mem --profile=PROFILE pstree

View the loaded DLLs and the command line of the specific process with PID XXXX,

volatility -f /path/to/file.mem --profile=PROFILE dlllist -p XXXX

View Network Connections,

volatility -f /path/to/file.mem --profile=PROFILE netscan

Dumping the process with a specific PID XXXX,

volatility -f /path/to/file.mem --profile=PROFILE procdump -p XXXX -D /home/ubuntu/Desktop

Print all available processes,

volatility -f memdump.mem --profile=PROFILE psscan

Print expected and hidden processes,

volatility -f memdump.mem --profile=PROFILE psxview

Create a timeline of events from the memory image,

volatility -f memdump.mem --profile=PROFILE timeliner

Pull internet browsing history,

volatility -f memdump.mem --profile=PROFILE iehistory

Identify any files on the system from the memory image,

volatility -f memdump.mem --profile=PROFILE filescan
  8. Metadata - Data about data
  • Exiftool
exiftool <file>

Security Information and Event Management

SPLUNK

Queries must start by referencing the dataset,

index="botsv1"

To search for a source IP (src) address with a value of 127.0.0.1,

index="botsv1" src="127.0.0.1"

To search for connections from this source IP address to a destination IP (dst) address with a value of X.X.X.X,

index="botsv1" src="127.0.0.1" dst="X.X.X.X"

Incident Response

  1. Network Analysis - use Wireshark to import .pcap, .pcapng files.

  2. CMD - The command prompt can be used to view valuable information,

To view the network configuration of the system,

ipconfig /all

To check running processes and programs,

tasklist

Display running processes and the associated binary file that was executed to create the process,

wmic process get description, executablepath

To list all user accounts from the command prompt,

net users

List all users that are in the administrators user group,

net localgroup administrators

List all users in RDP group,

net localgroup "Remote Desktop Users"

List all services and detailed information about each one,

sc query | more

List open ports on a system, which could show the presence of a backdoor,

netstat -ab
  3. PowerShell - Can also be used, and often retrieves much more information.

These commands will get network-related information from the system,

Get-NetIPConfiguration
Get-NetIPAddress

List all local users on the system,

Get-LocalUser

Provide a specific user to the command to only get information about them,

Get-LocalUser -Name BTLO | select *

Quickly identify running services on the system in a nice separate window,

Get-Service | Where Status -eq "Running" | Out-GridView

Group running processes by their priority value,

Get-Process | Format-Table -View priority

Collect specific information about a process by including its name in the command (-Name 'namehere') or its Id, as shown below,

Get-Process -Id 'idhere' | Select *

Scheduled Tasks are often abused as a common persistence technique,

Get-ScheduledTask

Specify the task and retrieve all properties for it,

Get-ScheduledTask -TaskName 'PutANameHere' | Select *

Changing the Execution Policy applied to our user,

Set-ExecutionPolicy Bypass -Scope CurrentUser
  4. DeepBlueCLI - PowerShell script that was created by SANS to aid with the investigation and triage of Windows Event logs.

To process log.evtx,

./DeepBlue.ps1 log.evtx

DeepBlue can also be pointed at the local system's Security or System event logs directly,

# Start PowerShell as Administrator, navigate into the DeepBlueCLI tool directory, and run the script

./DeepBlue.ps1 -log security
./DeepBlue.ps1 -log system

# If the script will not run, bypass the execution policy for the current user
Set-ExecutionPolicy Bypass -Scope CurrentUser
