BTFM Blue Team Field Manual
ALN WHITE BEN (LRK Version 1
H ac k e d t o P D F b y : 0 E8 0 0 ( 2/ 1 3 /2 0 17 ) 1
BTFM. Copyright© 2017 2017 by Alan White and Ben Clark
All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, without prior written permissio permission n of the copyright owner.
ISBN-13: ISBN-10:
978-1541016361 154101636X
Technical Editor: Matt Hulse
Product and company names mentioned herein may be the trademarks of their respective respective owners. Rather than use a trademark symbol wth every occurrence of a trademarked name, the author uses uses the names only in an editori editoril l fashion, with no intention of infringement infring ement of the trademark. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark. The information in this book is distributed "s is". While every precauton was taken to ensure the accuracy of of the material, the author author assumes no responsibility or liablity for errors or omissions, or for damages resulting from the use of the information contaned herein.
2
PREFACE
BTFM Command-Line Syntax: Notation
Description Generic Linux/*nux shell prompt, sudo may also be used with $
C:\>
Windows Prompt, may require Administrator CMD prompt
PS C:\>
Windows PowerShell
>
Generic prompt, multi OS
, ,, , etc. Scan and show open ports: # Scan two common TCP ports, HTTP and HTTPS: Scan UDP and and TCP toget together, her, be verbose verbose on a single host and include optional skip ping: 241> txt <ESULTS <ESULTS FIE NME>.html nsus [-vh] <ORT> 11 Step 12: un scan: Basic ping scan and write output to file: C:> for /L %I in (1,1,254) do ping -w 30 -n 1 192.168. .%I I fnd "Reply" >> .txt /config /logfilemaxsze 0xffffffff.ml Format-List 15 cerutil -hashfile HA C:> certutil -ashfile MD5 nbs -c Script loop scan: C> or /L % in (1,1,254) do nbstat -An 192.168..%.txt) do @echo %i & net use \\ %i /: 2>nul && pause.txt) do (or /f %j in ( NAME>.tx) .tx) do echo %i:%j & @et se \ DDRESS> % u:%i 2>nul 2>nu l & echo %i:% %i:% >> success.x && ne use \<P ADDRESS> /del) /n os+iis+sql+password Basic scan of a target IP range: / os+iis+sql+password Basic scan of a target computer names in text file:.x /n os+iis+sql+passwor" -o rdn lii 0 > :achine.x List user accounts inactive longer than 3 weeks:,d=,dc= -l whencreated, whenchnged -p onelevel -r "(ObjectCateory=user)" f The last logon timestmp format in UTC: YYYYMMDDHHMMSS Alt option:dc= -ltr (&(obectCtegory=Person) (jectCasUer)(whnCretd201500000.Z))" Alt option:c= - (&(objectCateory=Peron) (obectClasUser)(wered=00000000.)) Using PowerShell, dump new Active Directory accounts accounts in last 90 Days: {} >> mds ums.txt \;txt; ASSORDS>txt; # > - 0; echo $usrame:$li $usrame:$line; ne; doe<<SER SER NMES>,txt" start= disabled C:\> sc stop "" C\> wmic service where name'' call hangeStartmode Disaled\FILE AME> E> * /doain /doain C:\> net user -u -p > >> C:WindowsSystem32\drivers\etc\hosts -n 1 f Add the Applocker cmdets into PowerShe: and current Appocker policy will be overwritten: PS C:> Get-ApplockerFienformatio -Evetlog LogPath "Microsoft-Windows-AppLocker/EXE a DLL" EventType Auited I New-ApplockerPoicy -RueType Pubisher,Hash -User omain\<RO> gnorMissingFinormation I Set-ApplocerPoicy ">IN>.N={31B2F340016 112945F 0004B9849}N=N=S,= 0004B9849}N= N=S,=I>,= I>,= om" -Fiter -Fiter Denied Forma Format-List t-List -Propr -Pr oprty ty Pat Path h > C:Deni C:Denid dFi Fies es.tx .txt t -ser Fiter Exprt-CSV <athTExportResutsTCSV>D=' TrgetPath 'OU=D=D' Alt Option: C> dmve "N=,OU=D,D" -newparent OU,D=D=.exe f Disable Remote Desktop: > reg ad "HKLMSYSTMuentont "HKLMSYSTMu entonto olSetontro lSetontrol lTemina eve" f v fDnyTSnncin REGDWORD 1 32 -NePassord $newpd -Reset -Passhru I Set-ADuser ChangePasswordAtogon $rue' -AD enabled -eq 'rue ChangePasswordAtLogon $rue 1 # ufw llw f IP ADDRS> poo udp o any po 443 N> >> /ets /ets Check if hosts hosts file is working, by sending ping to 127.00.1: ad eabe SEC e Ub. # apt-ge isal racon and . HOST2 HOS T2 IP ADDESS> ADDESS> any -P out ipsec es/transport//eqie; pdadd ADDRESS> HOSTl IP DDESS> any - in ipsec esp/transport//require; esp/transpor t//require; /etcacoonacoon.conf o o OST Step 3: dit /etcacoonacoon.conf DDRS> DDRS > and OST2 I DDSS>, og notify; notify; ath pre_shaed_key " "/etcracoon/p /etcracoon/psktxt"; sktxt"; ath certiicate "/et/racoon/erts"; remote anonmous { exchane_mode mainagressive; rosa { enryption_ag nryption_agorithm orithm aes_256; hash_agorithm sh256; athentiatin_mtho athen tiatin_mtho pre_hared_key; dh_gop modp1024; modp1024; } >/etc/rcoon/psk.txt /etc/racoon/sk.txt,pap - any s TRGET P ADRES> an port 80 # > -p 50005 50005 "cat "c at - > /tmp/r /tmp/remo emotc tcapt apture ure.pc .pcap" ap" Grab traffic hat contains the word pass:@< ADDRESS>:/, :443 # openssl s_lient -connect :443 /ev/null sed -ne '/-BEGIN CERTIFICATE-,/-END ERTIFICATE-' > .em Examine and verify the certificate and check for Self-Signed: #.peme -noout -issuer subjet -startdate -enddate -fingerprint -Y "ssl handshae iphersuites" -Vx grep "Server Nae:" srt niq - sort -r.pap awk 'BEGIN {c=0;} { if ($0 �/ �/ [ ]+Certificate$/) {c=; rint "=======================================";} if i c==) rint $0; }' ($0 !�/ +/ {=0;} i,pcap Get absolute date and time stamp: Not ARP and not UDP:.pcap > tshark -r cap -Rhttprequest -Rhttprequest -T fields fie lds -e httphost -e http.request.ur http.request.ur se sed d -e s?*$// I sed -e s#"(*)t(*#http://2# I sort I unq -c I sort -rn I head > tshark -n -c 100 -e ipsrc -Rdsflags.response -Rdsflags.response eq 1 -T felds ort ort 3 > tshark -n -e http.rquesturi -Rhtt.rquest -Rhtt.rquest -T fields I gre exe tsrk -n -c - htthst -Rhttrequest -Rhttrequest -T felds ort 80 I sort I un -c I sort -r >snortsnort.conf, lgp >pa a -A consle -l lgs.bat Aba indows Honey Ports Powerhell cript: - Detect rogue scanning with Labrea Tarpit: #,txt Get a specific lst of events based on Event ID: I grep -v -E "favicon ico I robots txt" ook at Apache Logs for files requested: 63 Look where traffc s comng from:.txt C:\> gpresult / reprt.htm /F C:\> wmic fe List GPO software installed:\myls.etx wetti i ep plicatio wett ATmlos.et -ccepteula -h 12 -x 75\.txt") > .txt This deletes all logs: Find files with bad signature into csv: > > <UU <UU ILN ILNA A> >c csv sv Fin and show only unsigne files with bad signature in C: Run Malware scan (Windows Defender) offline: Ref. http://windows.microsoft.comen us/windows/what-is-windows-defender-offline C:\> MpmdRn.exe -SignatueUpdte C:\> MpCmdRn.exe -San View the root user bash history: # at roo,ba_story,ef Y> he head ad Get full file information: Check for rootkits or signs of compromise: Run unix-privsec-check tool: Send to VirusTota: #! perl -slw use strict; open EXE, '<:raw', $ARGV[0] or die "AGV[0]} >};; ie "ARGV[0 "AR GV[0]] is not a .exe or .dll (sig=' (sig =' ${ \subst ${ \substr r dos, 0, 2 }') unless substr( $dos, 0, 2 ) eq 'Z'; my coffoff = 8+ unpack 'x60 V', $dos; read( X, $do read( $dos, s, $cof $coffoff foff - 655 65536 36 + 4, 65536 or ie$! if coffoff > 65536; my $ts = unpack "x $coffoff V", $dos; $coffoff prin int t " $A GV[0] : , defined$ts $A ? ( scalar( locltie$ts) 11 "has unfathoable.raw prfie=Win7SPFix64 mfid -D / Find Malware with PID in memory dump using Find Volatility: # phon vo.py -f raw profile=Win7SPFix64 mlfid -p -D / Find suspicious processes using Volatility: # pthn v.y -f .raw rfie=WinSPFix64 rfie=W inSPFix64 pslist # pyhon ol.py -f rw rfie=WinSPix64 pstree Find suspic suspicious ious dlls using Volatility: Volatility: rw NAE>rw # thon voy -f raw rfile=Win7SPFix64 dump -D / DIRE CTORY> Malware analysis pa parsing rsing Tool: Ref. htps://github.com/Defense-Cyber-Crime htps://github.com/Defense-Cyber-Crime Center/DC3-MWCP Center/ DC3-MWCP Install dc3-mwcp tool: # setp.py instal Use dc3-mwcp tool tool to parse suspicious file: # mwcp-toolpy p -d 'resource='/<USPICIOUS FILE AME>' -F pikey= htp://wwwvirtlcm/vtapi/v/file/can #, ime forat=raw" forat= raw"/exe / # dc3d if=/dev/ f=/ev/\.g hash=md5 og=//.og@ dd of= # -l bzp2 -d dd of=/dev/sdb\Windows60KB934307-x86.msu T update a specific package: To update a specific package: # ym update Kali: # apt-gt pdate && apt-gt pgrde -Path \\SeGpoBcku Start Volume Shadow Service: ?GLOALOOT\DecHaddkolumeShadwCp\ \\?GLOALOOT\DecHaddkolumeShadwCp\ \\ Revert back to a selected shadow file on Windows Server and Windows 8:\" Revert back to a selected previous file version or @GMT file name for specific previous version using volrest.exe: Prm s x8)Wndow Rsrc Kssrest.ex" \ahstc$CURENT FI NAE O @G ILE NAME RO S MND ABVE> :: : b Z 0 Revert back a directory and subdirectory files previous version using volrest.exe: Confirm #.ex PS C:> Stop-Process -ID /home/qarantine/\HKM\Software\\HKM\Sof tware\ Get registry value remotely:\HKM\Software\\HKM\So ftware\ Test to see Registry Path exists: \<ESINTION COMPUTER>\ /E Check to see if certain file extensions are directory: <ILE NAME 2> > GANTEVEYONEEA :\> net she MyShre_RWc:\ GRANTEVERYONE,ULL -p /C C:\<RORAM>.exe C:\> psxec @(:\<ARGET FILE IST>.txt -u -p C:\<OGA>exe >> C:txt C:> pexec.exe @(:\<RE FIE LIS>.csv -u \ -p <ASWORD> /c C:\<RORAM>.exe\ SHARE>\xt nog) -DifferenceObjec (Get-Content .og Remote task execution using PowerShell: {} PowerShell Command Help: -fu tcpump tcp ump -i any -U -s 0 -w - 'o 'ot t por port t ' # fse shf @:/ �/ pw Decode XOR and search for http: NAME> pcap -q -z io,phs #.pcp ARP awk F ',' '{pint $1"."$2 $2", ","$ $4} ort "$3 3","$4 }' I sor t I uniq -c sot -n ti # thak -r pcp -q -q -z io,phs grep apduplate-ddress-detected 
