/etc/racoon/psk.txt
Step 5: Restart service on both systems.
# service setkey restart
Check security associations, configuration and policies:
# setkey -D
# setkey -DP
3 DETECT (VISIBILITY)
NETWORK MONITORING
TCPDUMP
View ASCII (-A) or HEX (-X) traffic:
# tcpdump -A
# tcpdump -X
View traffic with timestamps and don't convert addresses and be verbose:
# tcpdump -ttt -n -vv
Find top talkers after 1000 packets (Potential DDoS):
# tcpdump -nn -c 1000 | awk '{print $3}' | cut -d. -f1-4 | sort -n | uniq -c | sort -nr
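The top-talker pipeline above works because `tcpdump -nn` prints the source endpoint as `<addr>.<port>` and `cut -d. -f1-4` strips the port. The same logic in Python, added here as an example (not from the original page), makes that step explicit and also handles the two cases the `cut` pipeline gets wrong: bare IPv4 sources with no port (ICMP) and IPv6 sources. The sample lines are constructed in `tcpdump -nn` output format.

```python
"""Count top talkers in tcpdump text output (added example, not from the page).

Equivalent of: tcpdump -nn -c 1000 | awk '{print $3}' | cut -d. -f1-4 | sort -n | uniq -c | sort -nr
"""
import re
from collections import Counter

# Constructed sample lines in `tcpdump -nn` format (no name resolution).
SAMPLE_TCPDUMP = """\
12:00:01.000001 IP 10.0.0.5.51234 > 192.168.1.10.80: Flags [S], seq 1, win 65535, length 0
12:00:01.000002 IP 10.0.0.5.51235 > 192.168.1.10.80: Flags [S], seq 2, win 65535, length 0
12:00:01.000003 IP 10.0.0.5.51236 > 192.168.1.10.80: Flags [S], seq 3, win 65535, length 0
12:00:01.000004 IP 172.16.0.9.44000 > 192.168.1.10.443: Flags [P.], seq 1:10, ack 1, win 500, length 9
12:00:01.000005 IP6 2001:db8::1.40000 > 2001:db8::2.22: Flags [S], seq 1, win 65535, length 0
12:00:01.000006 ARP, Request who-has 192.168.1.1 tell 192.168.1.10, length 28
12:00:01.000007 IP 10.0.0.5.51237 > 192.168.1.10.80: Flags [S], seq 4, win 65535, length 0
12:00:01.000008 IP 10.0.0.5 > 192.168.1.10: ICMP echo request, id 1, seq 1, length 64
"""

# "<timestamp> IP|IP6 <src> > <dst>:" -- everything else (ARP etc.) is skipped.
_PACKET_RE = re.compile(r"^\S+ (IP6?) (\S+) > (\S+):")


def source_address(field: str) -> str:
    """Strip the trailing '.<port>' that tcpdump -nn appends to TCP/UDP endpoints.

    IPv4 with a port has five dot-separated numeric groups ("10.0.0.5.51234");
    a bare IPv4 (ICMP, for example) has four and is returned unchanged.
    IPv6 contains colons, so a trailing '.<port>' is unambiguous.
    """
    if ":" in field:
        addr, sep, port = field.rpartition(".")
        return addr if sep and port.isdigit() else field
    parts = field.split(".")
    if len(parts) == 5 and all(p.isdigit() for p in parts):
        return ".".join(parts[:4])
    return field


def top_talkers(text: str, limit: int = 10):
    """Return [(source_ip, packet_count), ...] sorted by count, highest first."""
    counts = Counter()
    for line in text.splitlines():
        m = _PACKET_RE.match(line)
        if not m:
            continue
        counts[source_address(m.group(2))] += 1
    return counts.most_common(limit)


if __name__ == "__main__":
    import sys
    data = SAMPLE_TCPDUMP if sys.stdin.isatty() else sys.stdin.read()
    for addr, n in top_talkers(data):
        print(f"{n:6d} {addr}")
```

Pipe live output into it with `tcpdump -nn -c 1000 | python3 top_talkers.py`; with no stdin it runs over the constructed sample.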
Capture traffic on any interface from a target host and specific port and output to a file:
# tcpdump -w <FILE NAME>.pcap -i any src <TARGET IP ADDRESS> and port 80
View traffic only between two hosts:
# tcpdump host 10.0.0.1 && host 10.0.0.2
View all traffic except from a net or a host:
# tcpdump not net <NET> and not host <HOST>
View host and either of two other hosts:
# tcpdump host 10.10.10.10 and \(10.10.10.20 or 10.10.10.30\)
Save pcap file on rotating size:
# tcpdump -n -s65535 -C 10 -w '<HOST NAME>_%Y-%m-%d_%H:%M:%S.pcap'
Save pcap file to a remote host:
# tcpdump -w - | ssh <REMOTE HOST> -p 50005 "cat - > /tmp/remotecapture.pcap"
Grab traffic that contains the word pass:
# tcpdump -n -A -s0 | grep pass
Grab many clear text protocol passwords:
# tcpdump -n -A -s0 port http or port ftp or port smtp or port imap or port pop3 | grep -E -i 'pass=|pwd=|log=|login=|user=|username=|pw=|passw=|passwd=|password=|pass:|user:|username:|password:|login:|pass |user ' --color=auto --line-buffered -B20
Get throughput:
# tcpdump -w - | pv -bert > /dev/null
Filter out ipv6 traffic:
# tcpdump not ip6
Filter out ipv4 traffic:
# tcpdump ip6
Script to capture multiple interface tcpdumps to files rotating every hour:
#!/bin/bash
tcpdump -pni any -s65535 -G 3600 -w any-%Y-%m-%d_%H:%M:%S.pcap
Script to move multiple tcpdump files to alternate location:
#!/bin/bash
while true; do sleep 1; rsync -azv --progress <USER NAME>@<IP ADDRESS>:/<PCAP DIRECTORY>/ /<DESTINATION DIRECTORY>/; done
Look for suspicious and self-signed SSL certificates:
# tcpdump -s 1500 -A '(tcp[((tcp[12:1] & 0xf0) >> 2)+5:1] = 0x01) and (tcp[((tcp[12:1] & 0xf0) >> 2):1] = 0x16)'
Get SSL Certificate:
# openssl s_client -connect <HOST>:443
# openssl s_client -connect <HOST>:443 </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > <CERT>.pem
Examine and verify the certificate and check for Self-Signed (issuer equals subject):
# openssl x509 -text -in <CERT>.pem
# openssl x509 -in <CERT>.pem -noout -issuer -subject -startdate -enddate -fingerprint
# openssl verify <CERT>.pem
Extract Certificate Server Name:
# tshark -nr <FILE NAME>.pcap -Y "ssl.handshake.ciphersuites" -Vx | grep "Server Name:" | sort | uniq -c | sort -r
Extract Certificate info for analysis:
# ssldump -Nr <FILE NAME>.pcap | awk 'BEGIN {c=0;} { if ($0 ~ /^[ ]+Certificate$/) {c=1; print "=======================================";} if ($0 !~ /^ +/) {c=0;} if (c==1) print $0; }'
TSHARK
Get list of network interfaces:
> tshark -D
Listen on multiple network interfaces:
> tshark -i eth1 -i eth2 -i eth3
Save to pcap and disable name resolution:
> tshark -nn -w <FILE NAME>.pcap
Get absolute date and time stamp:
> tshark -t a
Get arp or icmp traffic:
> tshark arp or icmp
Capture traffic between two [hosts] and/or [nets]:
> tshark "host <HOST 1> && host <HOST 2>"
> tshark -n "net <NET 1> && net <NET 2>"
Filter just host and IPs (or not your IP):
> tshark -r <FILE NAME>.pcap -q -z hosts,ipv4
> tshark not host <YOUR IP>
Not ARP and not UDP port 53:
> tshark not arp and not udp port 53
Replay a pcap file:
> tshark -r <FILE NAME>.pcap
Replay a pcap and just grab hosts and IPs:
> tshark -r <FILE NAME>.pcap -q -z hosts
Setup a capture session (duration=60sec):
> tshark -n -a files:10 -a filesize:100 -a duration:60 -w <FILE NAME>.pcap
Grab src/dst IPs only:
> tshark -n -e ip.src -e ip.dst -T fields -E separator=, -R ip
Grab IP of src DNS and DNS query:
> tshark -n -e ip.src -e dns.qry.name -E separator=';' -T fields port 53
Grab HTTP URL host and request:
> tshark -R http.request -T fields -E separator=' ' -e http.host -e http.request.uri
Grab just HTTP host requests:
> tshark -n -R http.request -T fields -e http.host
Grab top talkers by IP dst:
> tshark -n -c 10 | awk '{print $4}' | sort -n | uniq -c | sort -r
Grab top stats of protocols:
> tshark -q -z io,phs -r <FILE NAME>.pcap
Rebuild requested URLs from a pcap and rank them:
> tshark -r <FILE NAME>.pcap -R http.request -T fields -e http.host -e http.request.uri | sed -e 's/?.*$//' | sed -e 's#^\(.*\)\t\(.*\)$#http://\1\2#' | sort | uniq -c | sort -rn | head
Grab source IPs of DNS responses:
> tshark -n -c 100 -e ip.src -R "dns.flags.response eq 1" -T fields port 53
Grab HTTP request URIs that reference an exe:
> tshark -n -e http.request.uri -R http.request -T fields | grep exe
Rank HTTP hosts requested over port 80:
> tshark -n -c 1000 -e http.host -R http.request -T fields port 80 | sort | uniq -c | sort -r
SNORT
Run test on snort config file:
# snort -T -c /etc/snort/snort.conf
Use snort (v=verbose, d=dump packet payload):
# snort -dv -r <FILE NAME>.log
Replay a log file and match icmp traffic:
# snort -dvr packet.log icmp
Logs in ASCII:
# snort -K ascii -l <LOG DIRECTORY>
Logs in binary:
# snort -l <LOG DIRECTORY>
Send events to console:
# snort -q -A console -i eth0 -c /etc/snort/snort.conf
# snort -c snort.conf -l /tmp/so_console -A console
Create a single snort rule and save it to a file (for example one.rule):
Test single rule:
# snort -T -c one.rule
Run single rule and output to console and logs dir:
# mkdir logs; snort -vd -c one.rule -r <FILE NAME>.pcap -A console -l logs
NETWORK CAPTURE (PCAP) TOOLS
EDITCAP
Use to edit a pcap file (split into 1000 packets):
> editcap -F pcap -c 1000 original.pcap out_split.pcap
Use to edit a pcap file (split into 1 hour each packets):
> editcap -F pcap -i 3600 original.pcap out_split.pcap
MERGECAP
Use to merge multiple pcap files:
> mergecap -w merged_cap.pcap cap1.pcap cap2.pcap cap3.pcap
HONEY TECHNIQUES
WINDOWS
Honey Ports Windows:
Ref. http://securityweekly.com/wp-content/uploads/2013/06/howtogetabetterpentest.pdf
Step 1: Create new TCP Firewall Block rule on anything connecting on port 3333:
C:\> echo @echo off > <FILE NAME>.bat
C:\> echo for /L %%i in (1,1,1) do @for /f "tokens=3" %%j in ('netstat -nao ^| find ":3333 "') do @for /f "t okens=1 delims=:" %%k in ("%%j") do netsh advfirewall firewall add rule name="HONEY TOKEN RULE" dir=in remoteip=%%k localport=any protocol=TCP action=block >> <FILE NAME>.bat
Step 2: Run Batch Script
C:\> <FILE NAME>.bat
Windows Honey Ports PowerShell Script:
Ref. https://github.com/Pwdrkeg/honeyport/blob/master/honeyport.ps1
Step 1: Download PowerShell Script
C:\> "%ProgramFiles%\Internet Explorer\iexplore.exe" https://github.com/Pwdrkeg/honeyport/blob/master/honeyport.ps1
Step 2: Run PowerShell Script
PS C:\> .\honeyport.ps1
Honey Hashes for Windows (Also for Detecting Mimikatz Use):
Ref. https://isc.sans.edu/forums/diary/Detecting+Mimikatz+Use+On+Your+Network/19311/
Step 1: Create Fake Honey Hash. Note: enter a fake password and keep the command prompt open to keep the password in memory.
C:\> runas /user:yourdomain.com\fakeadministratoraccount /netonly cmd.exe
Step 2: Query for Remote Access Attempts
C:\> wevtutil qe System /q:"*[System[(EventID=20274)]]" /f:text /rd:true /c:1 /r:remotecomputername
Step 3: Query for Failed Login Attempts
C:\> wevtutil qe Security /q:"*[System[(EventID=4624 or EventID=4625)]]" /f:text /rd:true /c:5 /r:remotecomputername
Step 4: (Optional) Run queries in infinite loop with 30s pause
C:\> for /L %i in (1,0,2) do (Insert Step 2) & (Insert Step 3) & timeout 30
LINUX
Honey Ports Linux:
Ref. http://securityweekly.com/wp-content/uploads/2013/06/howtogetabetterpentest.pdf
Step 1: Run a while loop to create TCP Firewall rules to block any hosts connecting on port 2222
# while [ 1 ]; echo "started"; do IP=`nc -v -l -p 2222 2>&1 1> /dev/null | grep from | cut -d[ -f 3 | cut -d] -f 1`; iptables -A INPUT -p tcp -s ${IP} -j DROP; done
Linux Honey Ports Python Script:
Ref. https://github.com/gchetrick/honeyports/blob/master/honeyports-0.5.py
Step 1: Download Python Script
# wget https://github.com/gchetrick/honeyports/blob/master/honeyports-0.5.py
Step 2: Run Python Script
# python honeyports-0.5.py -p <PORT>
Detect rogue scanning with Labrea Tarpit:
# apt-get install labrea
# labrea -z -s -o -b -v -i eth0 2>&1 | tee -a log.txt
NETCAT
Use netcat to listen for scanning threats:
> nc -v -k -l 80
> nc -v -k -l 443
> nc -v -k -l 3389
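The netcat and while-loop listeners above print or block whoever touches the port. The following Python listener is an added example and is not the honeyports script the page links to: it binds a port no legitimate client should use and records each connection attempt (timestamp, source IP, source port) so the operator can review the list before deciding to block anything, which avoids locking out a host that was merely scanned through or spoofed. The `probe()` client, the loopback address and binding to port 0 are constructed for the demonstration; in use, set `port=2222` (the page's example port) and `host="0.0.0.0"`.

```python
"""Logging honey port listener (added example, not the page's honeyports script)."""
import socket
import threading
import time
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class HoneyPort:
    host: str = "0.0.0.0"
    port: int = 2222                       # the page's Linux example uses port 2222
    hits: list = field(default_factory=list)
    _sock: socket.socket = field(default=None, repr=False)

    def start(self) -> int:
        """Bind, listen and serve in a background thread. Returns the bound port."""
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((self.host, self.port))
        self._sock.listen(16)
        self.port = self._sock.getsockname()[1]   # resolves port 0 to the port the OS chose
        threading.Thread(target=self._serve, daemon=True).start()
        return self.port

    def _serve(self):
        while True:
            try:
                conn, (src_ip, src_port) = self._sock.accept()
            except OSError:                # listening socket closed by stop()
                return
            ts = datetime.now(timezone.utc).isoformat()
            self.hits.append({"ts": ts, "src_ip": src_ip, "src_port": src_port})
            print(f"{ts} honeyport {self.port}: connection from {src_ip}:{src_port}")
            conn.close()                   # no banner, no data: nothing for a scanner to fingerprint

    def stop(self):
        if self._sock:
            self._sock.close()

    def sources(self) -> set:
        """Distinct source IPs that touched the port: the candidate list to review."""
        return {h["src_ip"] for h in self.hits}


def probe(port: int, count: int = 1, host: str = "127.0.0.1"):
    """Constructed test client: opens and closes `count` connections to the honey port."""
    for _ in range(count):
        with socket.create_connection((host, port)):
            pass


def demo(count: int = 3) -> HoneyPort:
    """Start a listener on a free loopback port, hit it `count` times, return the record."""
    hp = HoneyPort(host="127.0.0.1", port=0)   # constructed: port 0 lets the OS pick a free port
    hp.start()
    probe(hp.port, count=count)
    deadline = time.time() + 5
    while len(hp.hits) < count and time.time() < deadline:
        time.sleep(0.01)                   # wait for the accept loop to record the hits
    hp.stop()
    return hp


if __name__ == "__main__":
    hp = demo()
    print("sources seen:", sorted(hp.sources()))
```

Feed `hp.hits` into whatever you already use for alerting; the point of keeping the block step separate is that a connection to a honey port is evidence to review, not yet a verdict.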
PASSIVE DNS MONITORING
Use dnstop to monitor DNS requests at any sniffer location:
# apt-get update
# apt-get install dnstop
# dnstop -l 3 <INTERFACE>
Step 1: Hit the 2 key to show query names
Use dnstop to monitor DNS requests from a pcap file:
# dnstop -l 3 <PCAP FILE NAME> > <FILE NAME>.txt
LOG AUDITING
WINDOWS
Increase Log size to support increased auditing:
C:\> reg add HKLM\Software\Policies\Microsoft\Windows\Eventlog\Application /v MaxSize /t REG_DWORD /d 0x19000
C:\> reg add HKLM\Software\Policies\Microsoft\Windows\Eventlog\Security /v MaxSize /t REG_DWORD /d 0x64000
C:\> reg add HKLM\Software\Policies\Microsoft\Windows\Eventlog\System /v MaxSize /t REG_DWORD /d 0x19000
Check settings of Security log:
C:\> wevtutil gl Security
Check settings of audit policies:
C:\> auditpol /get /category:*
Set Log Auditing on for Success and/or Failure on All Categories:
C:\> auditpol /set /category:* /success:enable /failure:enable
Set Log Auditing on for Success and/or Failure on Subcategories:
C:\> auditpol /set /subcategory:"Detailed File Share" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"File System" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Security System Extension" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Security State Change" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Other System Events" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Logon" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Logoff" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Registry" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"SAM" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Application Generated" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Handle Manipulation" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"File Share" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Non Sensitive Privilege Use" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Other Privilege Use Events" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Process Termination" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"DPAPI Activity" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"RPC Events" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Authentication Policy Change" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Authorization Policy Change" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Filtering Platform Policy Change" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Other Policy Change Events" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Computer Account Management" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Distribution Group Management" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Application Group Management" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Other Account Management Events" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Directory Service Replication" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Detailed Directory Service Replication" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Other Account Logon Events" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable
C:\> auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
Check for list of available logs, size, retention limit:
PS C:\> Get-Eventlog -list
Partial list of Key Security Log Auditing events to monitor:
PS C:\> Get-Eventlog -newest 5 -logname application | Format-List
Show log from remote system:
PS C:\> Show-Eventlog -computername <COMPUTER NAME>
Get a specific list of events based on Event ID:
PS C:\> Get-Eventlog Security | ? { $_.EventID -eq 4800 }
PS C:\> Get-WinEvent -FilterHashtable @{LogName="Security"; ID=4774}
Account Logon - Audit Credential Validation Last 14 Days:
PS C:\> Get-Eventlog Security -InstanceId 4768,4771,4772,4769,4770,4649,4778,4779,4800,4801,4802,4803,5378,5632,5633 -after ((get-date).addDays(-14))
Account - Logon/Logoff:
PS C:\> Get-Eventlog Security -InstanceId 4625,4634,4647,4624,4648,4675,6272,6273,6274,6275,6276,6277,6278,6279,6280,4649,4778,4779,4800,4801,4802,4803,5378,5632,5633,4964 -after ((get-date).addDays(-1))
Account Management - Audit Application Group Management:
PS C:\> Get-Eventlog Security -InstanceId 4783,4784,4785,4786,4787,4788,4789,4790,4741,4742,4743,4744,4745,4746,4747,4748,4749,4750,4751,4752,4753,4759,4760,4761,4762,4782,4793,4727,4728,4729,4730,4731,4732,4733,4734,4735,4737,4754,4755,4756,4757,4758,4764,4720,4722,4723,4724,4725,4726,4738,4740,4765,4766,4767,4780,4781,4794,5376,5377 -after ((get-date).addDays(-1))
Detailed Tracking - Audit DPAPI Activity, Process Termination, RPC Events:
PS C:\> Get-EventLog Security -InstanceId 4692,4693,4694,4695,4689,5712 -after ((get-date).addDays(-1))
Domain Service Access - Audit Directory Service Access:
PS C:\> Get-EventLog Security -InstanceId 4662,5136,5137,5138,5139,5141 -after ((get-date).addDays(-1))
Object Access - Audit File Share, File System, SAM, Registry, Certifications:
PS C:\> Get-EventLog Security -InstanceId 4671,4691,4698,4699,4700,4701,4702,5148,5149,5888,5889,5890,4657,5039,4659,4660,4661,4663,4656,4658,4690,4874,4875,4880,4881,4882,4884,4885,4888,4890,4891,4892,4895,4896,4898,5145,5140,5142,5143,5144,5168,4664,4985,5152,5153,5031,5150,5151,5154,5155,5156,5157,5158,5159 -after ((get-date).addDays(-1))
Policy Change - Audit Policy Change, Microsoft Protection Service, Windows Filtering Platform:
PS C:\> Get-EventLog Security -InstanceId 4715,4719,4817,4902,4904,4905,4906,4907,4908,4912,4713,4716,4717,4718,4739,4864,4865,4866,4867,4704,4705,4706,4707,4714,4944,4945,4946,4947,4948,4949,4950,4951,4952,4953,4954,4956,4957,4958,5046,5047,5048,5449,5450,4670 -after ((get-date).addDays(-1))
Privilege Use - Audit Non-Sensitive/Sensitive Privilege Use:
PS C:\> Get-EventLog Security -InstanceId 4672,4673,4674 -after ((get-date).addDays(-1))
System - Audit Security State Change, Security System Extension, System Integrity, System Events:
PS C:\> Get-Eventlog Security -InstanceId 5024,5025,5027,5028,5029,5030,5032,5033,5034,5035,5037,5058,5059,6400,6401,6402,6403,6404,6405,6406,6407,4608,4609,4616,4621,4610,4611,4614,4622,4697,4612,4615,4618,4816,5038,5056,5057,5060,5061,5062,6281 -after ((get-date).addDays(-1))
Add Microsoft IIS cmdlet:
PS C:\> add-pssnapin WebAdministration
PS C:\> Import-Module WebAdministration
Get IIS Website info:
PS C:\> Get-IISSite
Get IIS Log Path Location:
PS C:\> (Get-WebConfigurationProperty '/system.applicationHost/sites/siteDefaults' -Name logfile.directory).Value
Set variable for IIS Log Path (default path):
PS C:\> $LogDirPath = "C:\inetpub\logs\LogFiles\W3SVC"
Get IIS HTTP log file list from Last 7 days:
PS C:\> Get-ChildItem -Path C:\inetpub\logs\LogFiles\w3svc -recurse | Where-Object {$_.lastwritetime -gt (get-date).addDays(-7)}
View IIS Logs (Using $LogDirPath variable set above):
PS C:\> Get-Content $LogDirPath\*.log | %{$_ -replace '#Fields: ', ''} | ?{$_ -notmatch '^#'} | ConvertFrom-Csv -Delimiter ' '
View IIS Logs:
PS C:\> Get-Content <FILE NAME>.log | %{$_ -replace '#Fields: ', ''} | ?{$_ -notmatch '^#'} | ConvertFrom-Csv -Delimiter ' '
Find in IIS logs IP address 192.168.*.* pattern:
PS C:\> Select-String -Path $LogDirPath\*.log -Pattern '192.168.*.*'
Find in IIS logs common SQL injection patterns:
PS C:\> Select-String -Path $LogDirPath\*.log -Pattern '(@@version)|(sqlmap)|(Connect\(\))|(cast\()|(char\()|(bchar\()|(sys databases)|(\(select)|(convert\()|(Connect\()|(count\()|(sys objects)'
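The `Select-String` search above matches the SQL injection patterns against whole log lines. The following Python is an added example (not from the page) of the same check done after parsing the IIS W3C format: the `#Fields:` directive names the columns, the query string is URL-decoded before matching (so `cast(` hidden as `cast%28` is still caught), and only the URI, query and User-Agent fields are inspected. The log content is constructed; the pattern list is the one the page uses.

```python
"""Parse IIS W3C extended logs and flag SQL-injection-like requests (added example)."""
import re
from urllib.parse import unquote

# Constructed sample log in IIS W3C format (space-delimited, '#' lines are directives).
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2017-01-02 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2017-01-02 00:00:01 10.0.0.10 GET /index.html - 80 - 192.168.1.20 Mozilla/5.0 200
2017-01-02 00:00:02 10.0.0.10 GET /search.aspx q=shoes 80 - 192.168.1.21 Mozilla/5.0 200
2017-01-02 00:00:03 10.0.0.10 GET /search.aspx q=1'+union+(select+@@version) 80 - 203.0.113.5 sqlmap/1.0 500
2017-01-02 00:00:04 10.0.0.10 GET /item.aspx id=1%20and%20cast(1%20as%20int)=1 80 - 203.0.113.5 Mozilla/5.0 200
2017-01-02 00:00:05 10.0.0.10 GET /about.html - 80 - 192.168.1.22 Mozilla/5.0 404
"""

# The page's Select-String pattern list, compiled once, case-insensitive.
SQLI_PATTERNS = re.compile(
    r"@@version|sqlmap|Connect\(\)|cast\(|char\(|bchar\(|sys databases|\(select|convert\(|Connect\(|count\(|sys objects",
    re.IGNORECASE,
)


def parse_iis_log(text: str):
    """Yield one dict per request line, keyed by the names in the #Fields: directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # drop the '#Fields:' token itself
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("request line seen before any #Fields: directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue                           # truncated or malformed line: skip, do not guess
        yield dict(zip(fields, values))


def suspicious_requests(text: str):
    """Return (c-ip, cs-uri-stem, decoded query, user agent) for rows matching SQLI_PATTERNS."""
    hits = []
    for row in parse_iis_log(text):
        # IIS writes '+' for spaces and percent-encodes the rest; decode before matching.
        query = unquote(row.get("cs-uri-query", "-").replace("+", " "))
        probe = f"{row.get('cs-uri-stem', '')} {query} {row.get('cs(User-Agent)', '')}"
        if SQLI_PATTERNS.search(probe):
            hits.append((row["c-ip"], row["cs-uri-stem"], query, row["cs(User-Agent)"]))
    return hits


if __name__ == "__main__":
    for ip, stem, query, ua in suspicious_requests(SAMPLE_IIS_LOG):
        print(f"{ip} {stem}?{query} [{ua}]")
```

Run it against a real file with `suspicious_requests(open(path, encoding="utf-8").read())`; because the column names come from the file's own `#Fields:` line, a server logging a different field set still parses correctly.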
LINUX
Authentication logs in Ubuntu:
# tail /var/log/auth.log
# grep -i "fail" /var/log/auth.log
User login logs in Ubuntu:
# lastlog
Look at samba activity:
# grep -i smb /var/log/syslog
Look at cron activity:
# grep -i cron /var/log/syslog
Look at sudo activity:
# grep -i sudo /var/log/auth.log
Look in Apache Logs for 404 errors:
# grep 404 <APACHE LOG FILE> | grep -v -E "favicon.ico|robots.txt"
Look at Apache Logs for files requested:
# head access_log | awk '{print $7}'
Monitor for new created files every 5 min:
# watch -n 300 -d "ls -lR /"
Look where traffic is coming from:
# cat <LOG FILE NAME> | awk -F\" '{print $4}' | sort | uniq -c | sort -nr
Monitor for TCP connections every 5 seconds:
# watch -n 5 -d "netstat -ant"
Install audit framework and review syscalls/events:
# apt-get install auditd
# auditctl -a exit,always -S execve
# ausearch -sc execve
Get audit report summary:
# aureport
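The `grep -i "fail" /var/log/auth.log` line above shows every failure but leaves the counting to the reader. The Python below is an added example (not from the page) that parses the sshd "Failed password" lines into per-source counts with the user names tried, which is the shape needed to tell one mistyped password from a credential-guessing run. The log lines are constructed in Ubuntu syslog format; the threshold of 3 is an assumption for the demonstration.

```python
"""Summarize failed SSH logins from an auth.log (added example, not from the page)."""
import re
from collections import defaultdict

# Constructed sample auth.log lines (Ubuntu syslog format).
SAMPLE_AUTH_LOG = """\
Jan  2 10:00:01 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Jan  2 10:00:02 host1 sshd[1203]: Failed password for invalid user oracle from 203.0.113.7 port 50123 ssh2
Jan  2 10:00:03 host1 sshd[1205]: Failed password for root from 203.0.113.7 port 50124 ssh2
Jan  2 10:00:04 host1 sshd[1207]: Accepted publickey for alice from 192.168.1.50 port 40001 ssh2: RSA SHA256:abc
Jan  2 10:00:05 host1 sshd[1209]: Failed password for alice from 192.168.1.50 port 40002 ssh2
Jan  2 10:00:06 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls
Jan  2 10:00:07 host1 sshd[1211]: Failed password for invalid user test from 203.0.113.7 port 50125 ssh2
"""

# "invalid user" is present only when the account does not exist; capture the name either way.
_FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def failed_logins(text: str):
    """Map source IP -> sorted list of user names that failed authentication from it."""
    by_ip = defaultdict(list)
    for line in text.splitlines():
        m = _FAILED_RE.search(line)
        if m:
            by_ip[m.group("ip")].append(m.group("user"))
    return {ip: sorted(users) for ip, users in by_ip.items()}


def brute_force_candidates(text: str, threshold: int = 3):
    """Source IPs with at least `threshold` failures, most failures first."""
    counts = {ip: len(users) for ip, users in failed_logins(text).items()}
    return sorted((ip for ip, n in counts.items() if n >= threshold),
                  key=lambda ip: -counts[ip])


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_AUTH_LOG
    for ip, users in failed_logins(data).items():
        print(f"{ip}: {len(users)} failures, users tried: {', '.join(users)}")
    print("candidates:", brute_force_candidates(data))
```

Usage: `python3 failed_ssh.py /var/log/auth.log`. Several distinct user names from one source within seconds is the signature worth alerting on; a single account failing a few times from an internal address is usually a user.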
4 RESPOND (ANALYSIS)
LIVE TRIAGE - WINDOWS
SYSTEM INFORMATION
C:\> echo %DATE% %TIME%
C:\> hostname
C:\> systeminfo
C:\> systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
C:\> wmic csproduct get name
C:\> wmic bios get serialnumber
C:\> wmic computersystem list full
Ref. https://technet.microsoft.com/en-us/sysinternals/psinfo.aspx
C:\> psinfo -accepteula -s -h -d
USER INFORMATION
C:\> whoami
C:\> net users
C:\> net localgroup administrators
C:\> net group administrators
C:\> wmic rdtoggle list
C:\> wmic useraccount list
C:\> wmic group list
C:\> wmic netlogin get name,lastlogon,badpasswordcount
C:\> wmic netclient list brief
C:\> doskey /history > history.txt
NETWORK INFORMATION
C:\> netstat -e
C:\> netstat -naob
C:\> netstat -nr
C:\> netstat -vb
C:\> nbtstat -s
C:\> route print
C:\> arp -a
C:\> ipconfig /displaydns
C:\> netsh winhttp show proxy
C:\> ipconfig /allcompartments /all
C:\> netsh wlan show interfaces
C:\> netsh wlan show all
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\WinHttpSettings"
C:\> type %SYSTEMROOT%\system32\drivers\etc\hosts
C:\> wmic nicconfig get description,IPaddress,MACaddress
C:\> wmic netuse get name,username,connectiontype,localname
SERVICE INFORMATION
C:\> at
C:\> tasklist
C:\> tasklist /SVC
C:\> tasklist /SVC /fi "imagename eq svchost.exe"
C:\> schtasks
C:\> net start
C:\> sc query
C:\> wmic service list brief | findstr "Running"
C:\> wmic service list config
C:\> wmic process list brief
C:\> wmic process list status
C:\> wmic process list memory
C:\> wmic job list brief
PS C:\> Get-Service | Where-Object { $_.Status -eq "running" }
List of all processes and then all loaded modules:
PS C:\> Get-Process | select modules | Foreach-Object {$_.modules}
POLICY, PATCH AND SETTINGS INFORMATION
C:\> set
C:\> gpresult /r
C:\> gpresult /z > <FILE NAME>.txt
C:\> gpresult /H report.html /F
C:\> wmic qfe
List GPO software installed:
C:\> reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\AppMgmt"
AUTORUN AND AUTOLOAD INFORMATION
Startup information:
C:\> wmic startup list full
C:\> wmic ntdomain list brief
View directory contents of startup folder:
C:\> dir "%SystemDrive%\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
C:\> dir "%SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Startup"
C:\> dir "%userprofile%\Start Menu\Programs\Startup"
C:\> dir "%ProgramFiles%\Startup\"
C:\> dir "C:\Windows\Start Menu\Programs\Startup"
C:\> dir "C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
C:\> dir "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
C:\> dir "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"
C:\> dir "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup"
C:\> dir "%ALLUSERSPROFILE%\Start Menu\Programs\Startup"
C:\> type C:\Windows\winstart.bat
C:\> type %windir%\wininit.ini
C:\> type %windir%\win.ini
View autoruns, hide Microsoft files:
Ref. https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx
C:\> autorunsc -accepteula -m
C:\> type C:\Autoexec.bat
Show all autorun files, export to csv and check with VirusTotal:
C:\> autorunsc.exe -accepteula -a -c -i -e -f -l -m -v
HKEY_CLASSES_ROOT:
C:\> reg query HKCR\Comfile\Shell\Open\Command
C:\> reg query HKCR\Batfile\Shell\Open\Command
C:\> reg query HKCR\htafile\Shell\Open\Command
C:\> reg query HKCR\Exefile\Shell\Open\Command
C:\> reg query HKCR\Exefiles\Shell\Open\Command
C:\> reg query HKCR\piffile\shell\open\command
HKEY_CURRENT_USER:
C:\> reg query "HKCU\Control Panel\Desktop"
C:\> reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
C:\> reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
C:\> reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
C:\> reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
C:\> reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
C:\> reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
C:\> reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Windows\Run
C:\> reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Windows\Load
C:\> reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Windows\Scripts
C:\> reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f run
C:\> reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f load
C:\> reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
C:\> reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
C:\> reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
C:\> reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
C:\> reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU /s
C:\> reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
C:\> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
C:\> reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
C:\> reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\RegEdit /v LastKey
C:\> reg query "HKCU\Software\Microsoft\Internet Explorer\TypedURLs"
C:\> reg query "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop"
HKEY_LOCAL_MACHINE:
C:\> reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /s
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
C:\> reg query HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /s
C:\> reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
C:\> reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
C:\> reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
C:\> reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
C:\> reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
C:\> reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
C:\> reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon\Userinit
C:\> reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks" /s
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /f AppInit_DLLs
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /f Shell
C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /f Userinit
C:\> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts
C:\> reg query HKLM\SOFTWARE\Classes\batfile\shell\open\command
C:\> reg query HKLM\SOFTWARE\Classes\comfile\shell\open\command
C:\> reg query HKLM\SOFTWARE\Classes\exefile\shell\open\command
C:\> reg query HKLM\SOFTWARE\Classes\htafile\Shell\Open\Command
C:\> reg query HKLM\SOFTWARE\Classes\piffile\shell\open\command
C:\> reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /s
C:\> reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"
C:\> reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs"
C:\> reg query "HKLM\SYSTEM\ControlSet001\Control\Session Manager\KnownDLLs"
LOGS
Copy event logs:
C:\> wevtutil epl Security C:\<BACK UP PATH>\mylogs.evtx
C:\> wevtutil epl System C:\<BACK UP PATH>\mylogs.evtx
C:\> wevtutil epl Application C:\<BACK UP PATH>\mylogs.evtx
Get list of logs remotely:
Ref. https://technet.microsoft.com/en-us/sysinternals/psloglist.aspx
C:\> psloglist -accepteula -h 12 -x
Clear all logs and start a baseline log to monitor:
PS C:\> wevtutil el | Foreach-Object {wevtutil cl "$_"}
List log filenames and path location:
C:\> wmic nteventlog get path,filename,writeable
Take pre breach log export:
PS C:\> wevtutil el | ForEach-Object {Get-EventLog -LogName "$_" | Export-Csv -Path C:\<PRE BREACH FILE NAME>.txt}
Take post breach log export:
PS C:\> wevtutil el | ForEach-Object {Get-EventLog -LogName "$_" | Export-Csv -Path C:\<POST BREACH FILE NAME>.txt}
Compare the two exports:
PS C:\> Compare-Object -ReferenceObject $(Get-Content C:\<PRE BREACH FILE NAME>.txt) -DifferenceObject $(Get-Content C:\<POST BREACH FILE NAME>.txt) > <FILE NAME>.txt
This deletes all logs:
PS C:\> wevtutil el | Foreach-Object {wevtutil cl "$_"}
FILES, DRIVES AND SHARES INFORMATION
C:\> net use \\<TARGET IP ADDRESS>
C:\> net share
C:\> net session
C:\> wmic volume list brief
C:\> wmic logicaldisk get description,filesystem,name,size
C:\> wmic share get name,path
Find multiple file types or a file:
C:\> dir /A /S /T:A *.exe *.dll *.bat *.ps1 *.zip
C:\> dir /A /S /T:A <FILE NAME>
C:\> forfiles /p C:\ /M *.exe /S /D +1/1/2017 /C "cmd /c echo @fdate @ftime @path"
Find multiple files types using loop:
C:\> for %G in (.exe .dll .bat .ps1) do forfiles -p "C:\" -m *%G -s -d +1/1/2017 -c "cmd /c echo @fdate @ftime @path"
Search for files newer than date:
C:\> forfiles /p C:\ /S /D +1/1/2017 /C "cmd /c echo @path @fdate"
Find large files: (example >20 MB)
C:\> forfiles /S /M * /C "cmd /c if @fsize GEQ 20971520 echo @path @fsize"
Find files with Alternate Data Streams:
Ref. https://technet.microsoft.com/en-us/sysinternals/streams.aspx
C:\> streams -s <FILE OR DIRECTORY>
Find files with bad signature into csv:
Ref. https://technet.microsoft.com/en-us/sysinternals/bb897441.aspx
C:\> sigcheck -c -h -s -u -nobanner <FILE NAME> > <OUTPUT FILE NAME>.csv
Find and show only unsigned files with bad signature in C:\
C:\> sigcheck -e -u -vr -s C:\
List loaded unsigned DLLs:
Ref. https://technet.microsoft.com/en-us/sysinternals/bb896656.aspx
C:\> listdlls.exe -u
C:\> listdlls.exe -u <PROCESS NAME OR PID>
Run Malware scan (Windows Defender) offline:
Ref. http://windows.microsoft.com/en-us/windows/what-is-windows-defender-offline
C:\> MpCmdRun.exe -SignatureUpdate
C:\> MpCmdRun.exe -Scan
LIVE TRIAGE - LINUX
SYSTEM INFORMATION
# uname -a
# uptime
# timedatectl
# mount
USER INFORMATION
View logged in users:
# w
Show if a user has ever logged in remotely:
# lastlog
# last
View failed logins:
# faillog -a
View local user accounts:
# cat /etc/passwd
# cat /etc/shadow
View local groups:
# cat /etc/group
View sudo access:
# cat /etc/sudoers
View accounts with UID 0:
# awk -F: '($3 == "0") {print}' /etc/passwd
# egrep ':0+' /etc/passwd
View root authorized SSH key authentications:
# cat /root/.ssh/authorized_keys
List of files opened by user:
# lsof -u <USER NAME>
View the root user bash history:
# cat /root/.bash_history
NETWORK INFORMATION
View network interfaces:
# ifconfig
View network connections:
# netstat -antup
# netstat -plantux
View listening ports:
# netstat -nap
View routes:
# route
View arp table:
# arp -a
List of processes listening on ports:
# lsof -i
SERVICE INFORMATION
View processes:
# ps -aux
List of loaded modules:
# lsmod
List of open files:
# lsof
List of open files, using the network:
# lsof -nPi | cut -f 1 -d " " | uniq | tail -n +2
List of open files on specific process:
# lsof -c <PROCESS NAME>
Get all open files of a specific process ID:
# lsof -p <PID>
List of unlinked processes running:
# lsof +L1
Get path of suspicious process PID:
# ls -al /proc/<PID>/exe
Save file for further malware binary analysis:
# cp /proc/<PID>/exe /<FILE NAME>.elf
Monitor logs in real-time:
# less +F /var/log/messages
List services:
# chkconfig --list
POLICY, PATCH AND SETTINGS INFORMATION
View pam.d files:
# cat /etc/pam.d/common*
AUTORUN AND AUTOLOAD INFORMATION:
List cron jobs:
# crontab -l
List cron jobs by root and other UID 0 accounts:
# crontab -u root -l
Review for unusual cron jobs:
# cat /etc/crontab
# ls /etc/cron.*
LOGS
View root user command history:
# cat /root/.*history
View last logins:
# last
FILES, DRIVES AND SHARES INFORMATION
View disk space:
# df -h
View directory listing for /etc/init.d:
# ls -la /etc/init.d
Get more info for a file:
# stat <FILE NAME>
Identify file type:
# file <FILE NAME>
Look for immutable files:
# lsattr -R / | grep "\-i-"
View directory listing for /root:
# ls -la /root
Look for files recently modified in current directory:
# ls -alt | head
Look for world writable files:
# find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
Look for recently created files, in this case newer than Jan 02, 2017:
# find / -newermt 2017-01-02
List all files and attributes:
# find / -printf "%m;%Ax;%AT;%Tx;%TT;%Cx;%CT;%U;%G;%s;%p\n"
Look at files in directory by most recent timestamp: (Could be tampered)
# ls -alt /<DIRECTORY> | head
Get full file information:
# stat /<FILE PATH>
# file /<FILE PATH>
Check for rootkits or signs of compromise:
Run unix-privesc-check tool:
# wget http://raw.githubusercontent.com/pentestmonkey/unix-privesc-check/1_x/unix-privesc-check
# ./unix-privesc-check > output.txt
Run chkrootkit:
# apt-get install chkrootkit
# chkrootkit
Run rkhunter:
# apt-get install rkhunter
# rkhunter --update
# rkhunter --check
Run tiger:
# apt-get install tiger
# tiger
# less /var/log/tiger/security.report.*
Run lynis:
# apt-get install lynis
# lynis audit system
# more /var/log/lynis.log
Run Linux Malware Detect (LMD):
# wget http://www.rfxn.com/downloads/maldetect-current.tar.gz
# tar xfz maldetect-current.tar.gz
# cd maldetect-*
# ./install.sh
Get LMD updates:
# maldet -u
Run LMD scan on directory:
# maldet -a /<DIRECTORY>
MALWARE ANALYSIS
STATIC ANALYSIS BASICS
Mount live Sysinternals tools drive:
\\live.sysinternals.com\tools
Signature check of dll, exe files:
Ref. http://technet.microsoft.com/en-us/sysinternals/bb897441.aspx
C:\> sigcheck.exe -u -e <SUSPICIOUS FILE NAME>
Send to VirusTotal:
C:\> sigcheck.exe -vt <SUSPICIOUS FILE NAME>
Windows PE Analysis:
View hex and ASCII of a PE (exe or any file), with optional -n to show only the first 500 bytes:
# hexdump -C -n 500 <SUSPICIOUS FILE NAME>
# od -x somefile.exe
# xxd somefile.exe
In Windows using the debug tool (works for .java files too; debug.exe exists only on 32-bit Windows):
C:\> debug <SUSPICIOUS FILE NAME>
> -d (dump; repeat -d to get the next page)
> -q (quit the debugger)
Windows PE analysis: PE file compile date/time per the script below (Windows PE only script):
Ref. http://www.perl.org/get.html
Ref. http://www.perlmonks.org/bare/?node_id=484287
C:\> perl.exe <SCRIPT NAME>.pl <SUSPICIOUS FILE NAME>

#! perl -slw
use strict;

# Read the first 64 KiB of the file in binary mode.
open EXE, '<:raw', $ARGV[0] or die "$ARGV[0] : $!";
my $dos = do { local $/ = \65536; <EXE> };

# A PE file starts with the DOS "MZ" signature.
die "$ARGV[0] is not a .exe or .dll (sig='${ \substr $dos, 0, 2 }')"
    unless substr( $dos, 0, 2 ) eq 'MZ';

# e_lfanew (offset 60) points at "PE\0\0"; the COFF TimeDateStamp sits 8 bytes after it.
my $coffoff = 8 + unpack 'x60 V', $dos;

# If the PE header lies beyond the first 64 KiB, read the rest up to the timestamp.
read( EXE, $dos, $coffoff - 65536 + 4, 65536 ) or die $!
    if $coffoff > 65536;

my $ts = unpack "x$coffoff V", $dos;

print "$ARGV[0] : ", defined $ts
    ? ( scalar( localtime $ts ) || "has unfathomable timestamp value $ts" )
    : 'has no timestamp';

__END__

(The compile timestamp is attacker-controlled data: it can be zeroed or forged, so treat an implausible value as a signal rather than a fact.)
View strings within a PE, with optional minimum string length (-n):
Using strings in Linux:
# strings -n <MIN LENGTH> <SUSPICIOUS FILE NAME>
Ref. https://technet.microsoft.com/en-us/sysinternals/strings.aspx
Using strings in Windows:
C:\> strings.exe <SUSPICIOUS FILE NAME>
Find malware in a memory dump using Volatility and the Win7SP1x64 profile (the profile must match the OS of the dump; use the imageinfo or kdbgscan plugins to identify it):
Ref. https://github.com/volatilityfoundation/volatility
# python vol.py -f <MEMORY DUMP FILE NAME>.raw --profile=Win7SP1x64 malfind -D /<OUTPUT DIRECTORY>
Find malware with PID in a memory dump using Volatility:
# python vol.py -f <MEMORY DUMP FILE NAME>.raw --profile=Win7SP1x64 malfind -p <PID> -D /<OUTPUT DIRECTORY>
Find suspicious processes using Volatility:
# python vol.py -f <MEMORY DUMP FILE NAME>.raw --profile=Win7SP1x64 pslist
# python vol.py -f <MEMORY DUMP FILE NAME>.raw --profile=Win7SP1x64 pstree
Find suspicious DLLs using Volatility:
# python vol.py -f <MEMORY DUMP FILE NAME>.raw --profile=Win7SP1x64 dlllist -p <PID>
# python vol.py -f <MEMORY DUMP FILE NAME>.raw --profile=Win7SP1x64 dlldump -D /<OUTPUT DIRECTORY>
Malware analysis parsing tool:
Ref. https://github.com/Defense-Cyber-Crime-Center/DC3-MWCP
Install dc3-mwcp tool:
# setup.py install
Use dc3-mwcp tool to parse a suspicious file:
# mwcp-tool.py -p <PARSER NAME> <SUSPICIOUS FILE NAME>
IDENTIFY MALWARE
PROCESS EXPLORER
Ref. https://youtu.be/80vfTA9LrBM
Step 1: Look at running processes in Process Explorer (GUI) and identify potential indicators of compromise:
• Items with no icon
• Items with no description or company name
• Unsigned Microsoft images (first add the Verified Signer column under View tab -> Select Columns, then go to the Options tab and choose Verify Image Signatures)
• Check all running process hashes in VirusTotal (go to the Options tab and select Check VirusTotal.com)
• Suspicious files located in Windows directories or the user profile
• Purple items, which are packed or compressed
• Items with open TCP/IP endpoints
Step 2: Signature file check (see Sigcheck)
Step 3: Strings check
• Right click a suspicious process in Process Explorer, choose the Strings tab in the pop-up window and review for suspicious URLs. Repeat for both the Image and Memory radio buttons.
• Look for strange URLs in the strings
Step 4: DLL view
• Open with Ctrl+D
• Look for suspicious DLLs or services
• Look for entries with no description or no company name
• Look at the VirusTotal Results column
Step 5: Stop and remove malware
• Right click and select Suspend for every identified suspicious process first (malware often runs in pairs where one process restarts the other; suspending all of them before terminating any defeats that watchdog)
• Right click and select Terminate on the previously suspended processes
Step 6: Clean up where malicious files auto start on reboot
• Launch Autoruns
• Under Options, check the boxes Verify Code Signatures and Hide Microsoft Entries
• Look for the suspicious process file from earlier steps on the Everything tab and uncheck it. Safer to uncheck than delete, in case of error.
• Press F5 to refresh Autoruns and confirm the malicious file has not recreated its entry in the previously unchecked auto start location.
Step 7: Process Monitor
Ref. https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx
• If malicious activity is still persistent, run Process Monitor.
• Look for newly started processes that start soon after the ones terminated in the previous steps.
Step 8: Repeat as needed to find all malicious files and processes, and/or combine with other tools and suites.
FILE HASH ANALYSIS
HASH QUERY
VirusTotal online API query:
Ref. https://www.virustotal.com/en/documentation/public-api/
(Prerequisite: a VT API key)
Send suspicious hash to VirusTotal using cURL:
# curl -v --request POST --url 'https://www.virustotal.com/vtapi/v2/file/report' -d apikey=<API KEY> -d 'resource=<HASH>'
Send suspicious file to VirusTotal using cURL:
# curl -v -F 'file=@/<SUSPICIOUS FILE NAME>' -F apikey=<API KEY> https://www.virustotal.com/vtapi/v2/file/scan
(Query by hash first. Uploading a file makes it available to every VirusTotal subscriber, which both tips off the attacker that the sample was found and may leak any sensitive data embedded in it.)
Team Cymru API:
Ref. https://hash.cymru.com, http://totalhash.com
Team Cymru malware hash lookup using whois:
(Note: Output is the timestamp of last seen and the detection rate)
# whois -h hash.cymru.com <HASH>
HARD DRIVE AND MEMORY ACQUISITION
WINDOWS
Create memory dump remotely:
Ref. http://kromer.pl/malware-analysis/memory-forensics-using-volatility-toolkit-to-extract-malware-samples-from-memory-dump/
Ref. http://sourceforge.net/projects/mdd/
Ref. https://technet.microsoft.com/en-us/sysinternals/psexec.aspx
C:\> psexec.exe \\<HOST NAME OR IP ADDRESS> -u <USER NAME> -p <PASSWORD> -c mdd_1.3.exe -o C:\memory.dmp
(The password given with -p ends up in the local command history; omit -p to be prompted instead.)
Ref. https://github.com/volatilityfoundation/volatility
Extract exe/dll from memory dump:
C:\> volatility dlldump -f memory.dmp -D dumps/
C:\> volatility procmemdump -f memory.dmp -D dumps/
(These are the Volatility 1.x plugin names from the reference above; in Volatility 2.x use procdump or memdump, and add --profile=<PROFILE>.)
Create hard drive image using dc3dd of C:\:
Ref. https://sourceforge.net/projects/dc3dd/files/dc3dd/7.2%20-%20Windows/
C:\> dc3dd.exe if=\\.\c: of=\\<ATTACHED STORAGE DRIVE>\<IMAGE NAME>.dd hash=md5 log=<MOUNTED LOCATION>\<LOG NAME>.log
LINUX
Create memory dump (requires the fmem kernel module, which exposes physical memory as /dev/fmem; on current kernels LiME, below, is the usual route):
# dd if=/dev/fmem of=/tmp/<MEMORY FILE NAME>.dd
Create memory dump using LiME:
Ref. https://github.com/504ensicslabs/lime
# wget https://github.com/504ensicsLabs/LiME/archive/master.zip
# unzip master.zip
# cd LiME-master/src
# make
# cp lime-*.ko /media/ExternalUSBDriveName
# insmod lime-3.13.0-79-generic.ko "path=/media/ExternalUSBDriveName/<MEMORY FILE NAME>.lime format=raw"
(The module name carries the kernel version it was built for; build on a system running the same kernel as the target and load the matching .ko.)
Make a copy of a suspicious process using its process ID:
# cp /proc/<PID>/exe /<DESTINATION FILE NAME>
Grab a memory core dump of a suspicious process:
# gcore <PID>
Strings on the gcore file:
# strings core.*
Create a hard drive/partition copy, with log and hash options:
# dd if=/dev/<DEVICE> of=/<DESTINATION PATH>/<IMAGE NAME>.dd
# dc3dd if=/dev/<DEVICE> of=/<DESTINATION PATH>/<IMAGE NAME>.img hash=md5 log=/<LOG PATH>/<LOG NAME>.log
Create a remote hard drive/partition copy over SSH:
# dd if=/dev/<DEVICE> | ssh <USER NAME>@<DESTINATION IP ADDRESS> "dd of=/<DESTINATION FILE NAME>"
Send hard drive image zipped over netcat:
Sending host:
# bzip2 -c /dev/<DEVICE> | nc <DESTINATION IP ADDRESS> <PORT>
Receiving host:
# nc -l -p <PORT> | bzip2 -d | dd of=/dev/sdb
Send hard drive image over netcat:
Sending host:
# dd if=/dev/<DEVICE> bs=16M | nc <DESTINATION IP ADDRESS> <PORT>
Receiving host, with Pipe Viewer meter:
# nc -l -p <PORT> -vv | pv -r | dd of=/dev/<DEVICE> bs=16M
(Start the receiver before the sender. The -l -p form is traditional/GNU netcat; OpenBSD netcat takes the port as nc -l <PORT>. Netcat is unencrypted and unauthenticated, so use it only on an isolated acquisition network, and hash the image on both ends to confirm it arrived intact.)
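The dd, dc3dd and netcat recipes above all rely on the same check to be forensically useful: the hash of the bytes read from the source must equal the hash of the image that was written. The script below is an added example, not from the original manual, that does the acquisition with dd while hashing the stream in flight and then re-hashes the written image, the equivalent of dc3dd's hash= and log= options. It assumes GNU coreutils (dd, sha256sum, tee, head) and uses a constructed 1 MiB file as a stand-in for a device; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original manual): image a source with dd, hash the
# stream as it is read, re-hash the written image and compare. Assumes GNU coreutils.

# image_and_verify SOURCE DEST LOG
# Exit status 0 only if the hash of the bytes read from SOURCE equals the hash of DEST.
# For a failing disk use dc3dd or dd conv=noerror,sync instead; this plain dd stops on
# the first read error.
image_and_verify() {
    src=$1; dst=$2; log=$3
    # tee writes the image while sha256sum consumes the same bytes from the pipe.
    stream_hash=$(dd if="$src" bs=1M 2>/dev/null | tee "$dst" | sha256sum | cut -d' ' -f1)
    # Independent second hash, read back from the written image.
    image_hash=$(sha256sum "$dst" | cut -d' ' -f1)
    {
        echo "acquired=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source=$src"
        echo "image=$dst"
        echo "sha256_stream=$stream_hash"
        echo "sha256_image=$image_hash"
    } >> "$log"
    [ "$stream_hash" = "$image_hash" ]
}

# image_to_remote SOURCE HOST PORT LOG
# Same idea over the netcat transport above. The receiver hashes its own dd output;
# the sender records the source hash so the two can be compared afterwards. The
# source is read twice here (send, then hash), which is fine for a healthy disk.
# Not exercised by the test below.
image_to_remote() {
    src=$1; host=$2; port=$3; log=$4
    dd if="$src" bs=16M 2>/dev/null | nc "$host" "$port"
    echo "sha256_source=$(sha256sum "$src" | cut -d' ' -f1)" >> "$log"
}

# Constructed fixture: a 1 MiB pseudo-device filled from /dev/urandom. Prints its path.
make_fake_device() {
    dev=$(mktemp)
    head -c 1048576 /dev/urandom > "$dev"
    echo "$dev"
}

# Usage:
#   dev=$(make_fake_device); image_and_verify "$dev" /tmp/evidence.dd /tmp/evidence.log && echo OK
#   image_and_verify /dev/sdb /mnt/usb/sdb.dd /mnt/usb/sdb.log   # on a real host, as root
```

Keep the log next to the image: the acquisition time, source identifier and both hashes are what you will be asked for later, and a mismatch between the two hashes means the image is not evidence.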
5 RECOVER (REMEDIATE)
PATCHING
WINDOWS
Single hotfix update for Windows 7 or higher:
C:\> wusa.exe C:\<PATH TO HOTFIX>\Windows6.0-KB934307-x86.msu
Set of single hotfix updates for pre-Windows 7 by running a batch script (/Z = no restart, /M = quiet mode):
@echo off
setlocal
set PATHTOFIXES=E:\hotfix
%PATHTOFIXES%\Q123456_w2k_sp4_x86.exe /Z /M
%PATHTOFIXES%\Q123321_w2k_sp4_x86.exe /Z /M
%PATHTOFIXES%\Q123789_w2k_sp4_x86.exe /Z /M
To check and update Windows 7 or higher:
C:\> wuauclt.exe /detectnow /updatenow
LINUX
Ubuntu:
Fetch list of available updates:
# apt-get update
Strictly upgrade the current packages:
# apt-get upgrade
Install updates (new ones):
# apt-get dist-upgrade
Red Hat Enterprise Linux 2.1, 3, 4:
# up2date
To update non-interactively:
# up2date-nox --update
To install a specific package:
# up2date <PACKAGE NAME>
To update a specific package:
# up2date -u <PACKAGE NAME>
Red Hat Enterprise Linux 5:
# pup
Red Hat Enterprise Linux 6:
# yum update
To list a specific installed package:
# yum list installed <PACKAGE NAME>
To update a specific package:
# yum update <PACKAGE NAME>
Kali:
# apt-get update && apt-get upgrade
BACKUP
WINDOWS
Backup GPO audit policy to backup file:
C:\> auditpol /backup /file:C:\auditpolicy.csv
Restore GPO audit policy from backup file:
C:\> auditpol /restore /file:C:\auditpolicy.csv
Backup all GPOs in domain and save to path:
PS C:\> Backup-Gpo -All -Path \\<SERVER>\<PATH>
Restore all GPOs in domain from path:
PS C:\> Restore-GPO -All -Domain <DOMAIN NAME> -Path \\<SERVER>\<PATH>
Start Volume Shadow Service:
C:\> net start VSS
List all shadow files and storage:
C:\> vssadmin List ShadowStorage
List all shadow files:
C:\> vssadmin List Shadows
Browse shadow copy for files/folders (the trailing backslash on the target is required):
C:\> mklink /d c:\<DIRECTORY> \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy<NUMBER>\
Revert back to a selected shadow file on Windows Server and Windows 8:
C:\> vssadmin revert shadow /shadow={<SHADOW COPY ID>} /ForceDismount
List a file's previous version history using volrest.exe:
Ref. https://www.microsoft.com/en-us/download/details.aspx?id=17657
C:\> "C:\Program Files (x86)\Windows Resource Kits\Tools\volrest.exe" "\\localhost\c$\<PATH>\<FILE NAME>"
Revert back to a selected previous file version, or to an @GMT file name for a specific previous version, using volrest.exe:
C:\> subst Z: \\localhost\c$\
C:\> "C:\Program Files (x86)\Windows Resource Kits\Tools\volrest.exe" "\\localhost\c$\<CURRENT FILE NAME OR @GMT FILE NAME FROM THE STEP ABOVE>" /R:Z:\
C:\> subst Z: /D
Revert back a directory and its subdirectory files' previous versions using volrest.exe:
C:\> "C:\Program Files (x86)\Windows Resource Kits\Tools\volrest.exe" "\\localhost\c$\<PATH>\*.*" /S /R:Z:\<PATH>\
Create a shadow copy of volume C on Windows 7 and 10 using WMIC:
C:\> wmic shadowcopy call create Volume='C:\'
Create a shadow copy of volume C on Windows 7 and 10 using PowerShell:
PS C:\> (Get-WmiObject -List Win32_ShadowCopy).Create('C:\', 'ClientAccessible')
Create a shadow copy of volume C on Windows Server 2003 and 2008:
C:\> vssadmin create shadow /for=c:
Create restore point on Windows (arguments are description, restore point type, event type):
C:\> wmic.exe /Namespace:\\root\default Path SystemRestore Call CreateRestorePoint "%DATE%", 100, 7
Stop system restore points on Windows XP:
C:\> sc config srservice start= disabled
C:\> reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
C:\> net stop srservice
Start system restore points on Windows XP:
C:\> sc config srservice start= Auto
C:\> net start srservice
C:\> reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR /t REG_DWORD /d 0 /f
List of restore points:
PS C:\> Get-ComputerRestorePoint
Restore from a specific restore point (the sequence number from the list above):
PS C:\> Restore-Computer -RestorePoint <SEQUENCE NUMBER> -Confirm
LINUX
Reset root password in single user mode:
Step 1: Reboot the system.
# reboot -f
Step 2: Press ESC at the GRUB screen.
Step 3: Select the default entry and then 'e' for edit.
Step 4: Scroll down until you see a line that starts with linux, linux16 or linuxefi.
Step 5: At the end of that line leave a space and add, without quotes, 'rw init=/bin/bash'
Step 6: Press Ctrl-X to boot the edited entry.
Step 7: After boot you have a root shell with the root filesystem mounted read-write; change the password.
# passwd
Step 8: Reboot the system.
(Anyone with console access can do the same if the GRUB menu is unprotected; on systems where that matters, set a GRUB password and use full-disk encryption.)
Reinstall a package:
# apt-get install --reinstall <PACKAGE NAME>
Reinstall all packages (dpkg prints "package<TAB>install" per line; cut keeps only the package name):
# apt-get install --reinstall $(dpkg --get-selections | grep -v deinstall | cut -f1)
KILL MALWARE PROCESS
WINDOWS
Malware removal:
Ref. http://www.gmer.net/
C:\> gmer.exe (GUI)
Kill running malicious file:
C:\> gmer.exe -killfile C:\WINDOWS\system32\drivers\<MALICIOUS FILE NAME>.exe
Kill a malicious process with PowerShell:
PS C:\> Stop-Process -Name <PROCESS NAME>
PS C:\> Stop-Process -ID <PID>
LINUX
Stop a malware process (copy /proc/<PID>/exe for analysis before killing it; once the process is gone a deleted-on-disk binary is unrecoverable):
# kill <MALICIOUS PID>
Remove the execute bit from the malware binary and move it to quarantine:
# chmod -x /usr/sbin/<SUSPICIOUS FILE NAME>
# mkdir /home/quarantine/
# mv /usr/sbin/<SUSPICIOUS FILE NAME> /home/quarantine/
6 TACTICS (TIPS & TRICKS)
OS CHEATS
WINDOWS
Pipe output to clipboard:
C:\> some_command.exe | clip
Output clipboard to file: (Requires PowerShell 5)
PS C:\> Get-Clipboard > clip.txt
Add time stamps into log file:
C:\> echo %DATE% %TIME% >> <TEXT FILE NAME>.txt
Add/Modify registry value remotely (add /v, /t and /d to set a value under the key):
C:\> reg add \\<IP ADDRESS>\HKLM\Software\<KEY>
Get registry value remotely:
C:\> reg query \\<IP ADDRESS>\HKLM\Software\<KEY>
Test to see if a registry path exists:
PS C:\> Test-Path "HKCU:\Software\<KEY>"
Copy files remotely:
C:\> robocopy C:\<SOURCE DIRECTORY> \\<DESTINATION COMPUTER>\<SHARE>\<DIRECTORY> /E
Check to see if files with a certain extension are in a directory:
PS C:\> Test-Path C:\Scripts\Archive\* -Include *.txt
Show contents of a file:
C:\> type <FILE NAME>
Combine contents of multiple files:
C:\> type <FILE NAME 1> <FILE NAME 2> > <OUTPUT FILE NAME>
Desktops, allows multiple desktop screens:
Ref. https://technet.microsoft.com/en-us/sysinternals/cc817881
Run live option:
C:\> "%ProgramFiles%\Internet Explorer\iexplore.exe" https://live.sysinternals.com/desktops.exe
Remote mounting, read and read/write (sharing a whole volume to Everyone is for short-lived response work only; remove the share when done):
C:\> net share MyShare_R=c:\ /GRANT:EVERYONE,READ
C:\> net share MyShare_RW=c:\ /GRANT:EVERYONE,FULL
Remote task execution using PsExec (-c copies the program to the target before running it):
Ref. https://technet.microsoft.com/en-us/sysinternals/psexec.aspx
C:\> psexec.exe \\<TARGET IP ADDRESS> -u <USER NAME> -p <PASSWORD> -c C:\<PROGRAM>.exe
C:\> psexec @C:\<TARGET FILE LIST>.txt -u <USER NAME> -p <PASSWORD> C:\<PROGRAM>.exe >> C:\<OUTPUT FILE NAME>.txt
C:\> psexec.exe @C:\<TARGET FILE LIST>.csv -u <DOMAIN>\<USER NAME> -p <PASSWORD> -c C:\<PROGRAM>.exe
Remote task execution and send output to share:
C:\> wmic /node:<COMPUTER NAME> process call create "cmd.exe /c netstat -an > \\<SHARE>\<OUTPUT FILE NAME>.txt"
Compare two files for changes:
PS C:\> Compare-Object (Get-Content <FILE NAME 1>.log) -DifferenceObject (Get-Content <FILE NAME 2>.log)
Remote task execution using PowerShell:
PS C:\> Invoke-Command -ComputerName <COMPUTER NAME> -ScriptBlock {<COMMAND>}
PowerShell command help:
PS C:\> Get-Help <COMMAND> -full
LINUX
Analyze traffic remotely over SSH (the pcap stream arrives on stdout; pipe it into a local file or analysis tool, and exclude port 22 so the SSH session itself is not captured):
# ssh root@<IP ADDRESS> tcpdump -i any -U -s 0 -w - 'not port 22'
Manually add a note/data to syslog:
# logger "Something important to note in Log"
Search the kernel ring buffer:
# dmesg | grep <KEYWORD>
Simple read only mounting:
# mount -o ro /dev/<DEVICE> /<MOUNT POINT>
Mounting remotely over SSH:
# apt-get install sshfs
# adduser <USER NAME> fuse
(Log out and log back in.)
# mkdir ~/<REMOTE DIRECTORY>
# sshfs <USER NAME>@<IP ADDRESS>:/<REMOTE DIRECTORY> ~/<REMOTE DIRECTORY>
Creating an SMB share in Linux (Samba installed and the share defined in smb.conf):
# useradd -m <USER NAME>
# smbpasswd -a <USER NAME>
Access it from Windows:
C:\> \\<IP ADDRESS OF LINUX SMB HOST>\<SHARE NAME>
Copy files to remote system:
# scp <FILE NAME> <USER NAME>@<DESTINATION IP ADDRESS>:<REMOTE FOLDER>
Mount a remote system's share:
# mount -t cifs -o username=<USER NAME>,password=<PASSWORD> //<SERVER IP ADDRESS>/<SHARE NAME> /mnt/<MOUNT POINT>
Monitor whether a website or file is still up/there (curl -f makes HTTP error codes count as failures, not just unreachable hosts):
# while :; do curl -sf http://<URL> > /dev/null 2>&1 || echo "$(date) DOWN"; sleep 60; done
DECODING
HEX CONVERSION
Convert from hex to decimal in Windows:
C:\> set /a 0xff
255
PS C:\> 0xff
255
Other basic math in Windows:
C:\> set /a 1+2
3
C:\> set /a 3*(9/4)
6
C:\> set /a (2+5)/2
3
C:\> set /a "32>>3"
4
Decode Base64 text in a file:
C:\> certutil -decode <ENCODED FILE NAME> <DECODED FILE NAME>
Decode XOR and search for http (-i = case insensitive, -s = save the decoded file):
Ref. https://blog.didierstevens.com/programs/xorsearch/
C:\> xorsearch.exe -i -s <INPUT FILE NAME> http
Convert from hex to decimal in Linux:
$ echo 0xff | wcalc -d
= 255
Convert from decimal to hex in Linux:
$ echo 255 | wcalc -h
= 0xff
Decode URL-encoded strings (Add-Type is only needed if you use [System.Web.HttpUtility]::UrlDecode instead; System.Uri is always available):
PS C:\> Add-Type -AssemblyName System.Web
PS C:\> [System.Uri]::UnescapeDataString("HTTP%3a%2f%2fHello%20World.com")
HTTP://Hello World.com
SNORT
SNORT RULES
Snort rules to detect Meterpreter traffic by Metasploit's default User-Agent strings (an operator can change the User-Agent, so these catch defaults, not a determined attacker):
Ref. https://blog.didierstevens.com/2015/06/16/metasploit-meterpreter-reverse-https-snort-rule/
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Metasploit User Agent String"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1)|0d 0a|"; http_header; classtype:trojan-activity; reference:url,blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/; sid:1618000; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Metasploit User Agent String"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible\; MSIE 6.1\; Windows NT)|0d 0a|"; http_header; classtype:trojan-activity; reference:url,blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/; sid:1618001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Metasploit User Agent String"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible\; MSIE 7.0\; Windows NT 6.0)|0d 0a|"; http_header; classtype:trojan-activity; reference:url,blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/; sid:1618002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Metasploit User Agent String"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible\; MSIE 7.0\; Windows NT 6.0\; Trident/4.0\; SIMBAR={7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}\; SLCC1\; .N|0d 0a|"; http_header; classtype:trojan-activity; reference:url,blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/; sid:1618003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Metasploit User Agent String"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible\; Metasploit RSPEC)|0d 0a|"; http_header; classtype:trojan-activity; reference:url,blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/; sid:1618004; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Metasploit User Agent String"; flow:to_server,established; content:"User-Agent|3a| Mozilla/5.0 (Windows\; U\; Windows NT 5.1\; en-US) AppleWebKit/525.13 (KHTML, like Gecko) Chrome/4.0.221.6 Safari/525.13|0d 0a|"; http_header; classtype:trojan-activity; reference:url,blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/; sid:1618005; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Metasploit User Agent String"; flow:to_server,established; content:"User-Agent|3a| Mozilla/5.0 (compatible\; Googlebot/2.1\; +http://www.google.com/bot.html)|0d 0a|"; http_header; classtype:trojan-activity; reference:url,blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/; sid:1618006; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Metasploit User Agent String"; flow:to_server,established; content:"User-Agent|3a| Mozilla/5.0 (compatible\; MSIE 10.0\; Windows NT 6.1\; Trident/6.0)|0d 0a|"; http_header; classtype:trojan-activity; reference:url,blog.didierstevens.com/2015/03/16/quickpost-metasploit-user-agent-strings/; sid:1618007; rev:1;)
Snort rules to detect PsExec traffic (the PSEXESVC service name in SMB; note these watch $HOME_NET to $HOME_NET on ports 139 and 445, i.e. lateral movement):
Ref. https://github.com/John-Lin/docker-snort/blob/master/snortrules-snapshot-2972/rules/policy-other.rules
alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"POLICY-OTHER use of psexec remote administration tool"; flow:to_server,established; content:"|FF|SMB|A2|"; depth:5; offset:4; content:"|5C 00|p|00|s|00|e|00|x|00|e|00|s|00|v|00|c|00|"; nocase; metadata:service netbios-ssn; reference:url,technet.microsoft.com/en-us/sysinternals/bb897553.aspx; classtype:policy-violation; sid:24008; rev:1;)
alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"POLICY-OTHER use of psexec remote administration tool SMBv2"; flow:to_server,established; content:"|FE|SMB"; depth:8; nocase; content:"|05 00|"; within:2; distance:8; content:"P|00|S|00|E|00|X|00|E|00|S|00|V|00|C|00|"; fast_pattern:only; metadata:service netbios-ssn; reference:url,technet.microsoft.com/en-us/sysinternals/bb897553.aspx; classtype:policy-violation; sid:30281;)
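The Metasploit User-Agent rules in this section are content matches on a fixed list of strings, which makes them just as usable outside Snort: the same list run over web proxy or access logs finds the beacons retrospectively. The script below is an added example, not from the original manual or the referenced blog; the pattern list is taken from the rules above, the log lines are constructed for the example, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original manual): the User-Agent strings matched by the
# Metasploit Snort rules, reused as a host-side check over web access-log lines.

MSF_UA_PATTERNS=$(mktemp)
# One fixed string per line, copied from the content: fields of the rules.
# The SIMBAR entry is shortened to its GUID, which is the distinctive part.
cat > "$MSF_UA_PATTERNS" <<'EOF'
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
SIMBAR={7DB0F6DE-8DE7-4841-9084-28FA914B0F2E}
Mozilla/4.0 (compatible; Metasploit RSPEC)
Chrome/4.0.221.6 Safari/525.13
Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
EOF

# match_msf_ua: reads log lines on stdin, prints those containing a listed User-Agent.
# -F matches fixed strings, so the parentheses, dots and plus signs are taken literally.
match_msf_ua() {
    grep -F -f "$MSF_UA_PATTERNS"
}

# msf_ua_sources: same input, prints the distinct client IPs (first field) that used one.
msf_ua_sources() {
    match_msf_ua | awk '{print $1}' | sort -u
}

# Constructed sample access-log lines in combined log format (not real traffic).
SAMPLE_LOG='10.0.0.12 - - [16/Mar/2015:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/52.0"
10.0.0.33 - - [16/Mar/2015:10:01:05 +0000] "POST /upload HTTP/1.1" 200 12 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.0.0.33 - - [16/Mar/2015:10:01:09 +0000] "GET /a.php HTTP/1.1" 200 12 "-" "Mozilla/4.0 (compatible; Metasploit RSPEC)"
10.0.0.45 - - [16/Mar/2015:10:02:00 +0000] "GET /robots.txt HTTP/1.1" 200 55 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"'

# Usage:
#   printf '%s\n' "$SAMPLE_LOG" | match_msf_ua
#   printf '%s\n' "$SAMPLE_LOG" | msf_ua_sources
#   cat /var/log/apache2/access.log | msf_ua_sources     # on a real host
```

The Googlebot string is also what the real crawler sends, so a hit on it from an internal client address is the signal; the same string from Google's address ranges is noise. Like the Snort rules, this only finds Metasploit defaults.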
DOS/DDOS
FINGERPRINT DOS/DDOS
Fingerprinting the type of DoS/DDoS:
Ref. https://www.trustwave.com/Resources/SpiderLabs-Blog/PCAP-Files-Are-Great-Arn-t-They--/
Volumetric: bandwidth consumption
Example: sustained sending of 1Gb of traffic to a 10Mb connection
Ref. http://freecode.com/projects/iftop
# iftop -n
Protocol: use of a specific protocol
Example: SYN flood, ICMP flood, UDP flood
# tshark -r <FILE NAME>.pcap -q -z io,phs
# tshark -c 10000 -q -z io,phs
# tcpdump -tnr <FILE NAME>.pcap | awk -F '.' '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -n | tail
(The awk split on '.' only yields the source address because -t removes the timestamp; with a timestamp present, or for IPv6, it prints garbage.)
# tcpdump -qnn "tcp[tcpflags] & (tcp-syn) != 0"
(This matches SYN-ACKs as well as SYNs; a flood shows many SYNs and few completed handshakes.)
# netstat -s
Example: isolate one protocol and/or remove other protocols
# tcpdump -nn not arp and not icmp and not udp
# tcpdump -nn tcp
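The top-talkers and SYN-flood one-liners above work only on tcpdump output without timestamps, and the SYN filter counts SYN-ACKs too. The script below is an added example, not from the original manual, that extracts the source address with a regex (timestamp or not), separates bare SYNs from handshake replies, and reports the SYN ratio. The sample lines are constructed to look like tcpdump -n output; the function names are this example's own. It assumes GNU or BSD sed with -E.

```shell
#!/bin/sh
# Added example (not from the original manual): top talkers and SYN-flood ratio from
# tcpdump -n text output, robust to the timestamp column and to IPv6 lines (skipped).

# Constructed sample: three SYNs from one host, one SYN and a data segment from another,
# and one SYN-ACK reply from the server.
SAMPLE_TCPDUMP='12:00:01.000123 IP 10.0.0.5.51234 > 192.168.1.10.80: Flags [S], seq 1000, win 64240, length 0
12:00:01.000456 IP 10.0.0.5.51235 > 192.168.1.10.80: Flags [S], seq 1001, win 64240, length 0
12:00:01.000789 IP 10.0.0.5.51236 > 192.168.1.10.80: Flags [S], seq 1002, win 64240, length 0
12:00:01.001000 IP 172.16.4.9.40000 > 192.168.1.10.80: Flags [S], seq 7, win 29200, length 0
12:00:01.001200 IP 192.168.1.10.80 > 10.0.0.5.51234: Flags [S.], seq 5, ack 1001, win 65535, length 0
12:00:01.002000 IP 172.16.4.9.40000 > 192.168.1.10.80: Flags [P.], seq 8:60, ack 1, win 229, length 52'

# top_talkers: stdin = tcpdump -n lines (with or without -t); stdout = "count src_ip",
# busiest first. The regex takes the IPv4 address before the port, so the port number
# is never mixed into the key.
top_talkers() {
    sed -nE 's/^([0-9:.]+ )?IP ([0-9]+(\.[0-9]+){3})\.[0-9]+ > .*/\2/p' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# syn_only: keep bare SYNs, i.e. "Flags [S]," without the ACK dot, which is what a
# flood is made of. SYN-ACKs ("[S.]") and data segments are dropped.
syn_only() {
    grep -F 'Flags [S],'
}

# syn_ratio: prints "bare_syns total_lines"; mostly SYNs with few [S.] replies or
# data segments points at a SYN flood rather than a busy service.
syn_ratio() {
    awk '/Flags \[S\],/ {s++} END {print s+0, NR}'
}

# Usage:
#   tcpdump -n -c 1000 | top_talkers | head
#   tcpdump -n -c 1000 | syn_only | top_talkers | head
#   printf '%s\n' "$SAMPLE_TCPDUMP" | syn_ratio
```

Feed `syn_only` into `top_talkers` to rank by connection attempts rather than by packets; a single address dominating both lists is a simple flood, many addresses each sending a handful of SYNs is a distributed one and needs a network-level block rather than a host rule.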
Resource: state and connection exhaustion
Example: a firewall can handle 10,000 simultaneous connections and the attacker sends 20,000
# netstat -n | awk '{print $6}' | sort | uniq -c | sort -nr | head
Application: layer 7 attacks
Example: HTTP GET flood for a large image file
# tshark -c 10000 -T fields -e http.host | sort | uniq -c | sort -r | head -n 10
# tshark -r capture6.pcap -T fields -e http.request.full_uri | sort | uniq -c | sort -r | head -n 10
# tcpdump -n 'tcp[32:4] = 0x47455420'
(0x47455420 is "GET ". The fixed offset 32 assumes a 20-byte TCP header plus 12 bytes of options; the data-offset-aware form tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420 works for any header length.)
Example: look for excessive file requests: GIF, ZIP, JPEG, PDF, PNG
# tshark -Y 'http contains "GIF89"'
# tshark -Y 'http contains "\x50\x4B\x03\x04"'
# tshark -Y 'http contains "\xff\xd8"'
# tshark -Y 'http contains "%PDF"'
# tshark -Y 'http contains "\x89\x50\x4E\x47"'
Example: look for web application user-agent patterns of abuse
# tcpdump -c 1000 -Ann | grep -Ei 'user-agent' | sort | uniq -c | sort -nr | head -10
Example: show HTTP headers of requested resources
# tcpdump -i eth0 -A -s 500 | grep -i referer
Sniff HTTP headers for signs of repeat abuse:
# tcpdump -s 1024 -l -A dst <EXAMPLE.COM>
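The "http contains" filters in this section key on file magic bytes (GIF89a, the ZIP local-file header PK 03 04, the JPEG FF D8 start-of-image marker, %PDF, and the PNG signature). The script below is an added example, not from the original manual, that turns those same signatures into a file classifier you can run over objects carved from a capture or over a web root, plus a per-type count for the "excessive requests for one file type" check. It uses od so it works without xxd or file(1); the fixture files are constructed for the example and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original manual): classify files by the magic bytes the
# tshark "http contains" filters look for, and count objects per type.

# magic_type FILE: print GIF|ZIP|JPEG|PDF|PNG|UNKNOWN from the first four bytes.
magic_type() {
    sig=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$sig" in
        47494638*) echo GIF ;;     # "GIF8" (GIF87a / GIF89a)
        504b0304)  echo ZIP ;;     # "PK\x03\x04" (also docx, xlsx, jar, apk)
        ffd8*)     echo JPEG ;;    # FF D8 start-of-image marker
        25504446)  echo PDF ;;     # "%PDF"
        89504e47)  echo PNG ;;     # 89 "PNG"
        *)         echo UNKNOWN ;;
    esac
}

# summarize_dir DIR: count regular files per type, most common first, as "count TYPE".
# Run it over what was actually served to see which type the flood is pulling.
summarize_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] && magic_type "$f"
    done | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Constructed fixture: one file per signature plus one JPEG with a lying .txt extension
# (extensions are attacker-controlled; magic bytes are what the filters test). Prints dir.
make_file_fixture() {
    d=$(mktemp -d)
    printf 'GIF89a\001\000\001\000' > "$d/a.gif"
    printf 'PK\003\004\024\000'     > "$d/b.zip"
    printf '\377\330\377\340JFIF'   > "$d/c.jpg"
    printf '%%PDF-1.4\n'            > "$d/d.pdf"
    printf '\211PNG\r\n\032\n'      > "$d/e.png"
    printf '\377\330\377\340JFIF'   > "$d/f.txt"
    echo "$d"
}

# Usage:
#   d=$(make_file_fixture); magic_type "$d/f.txt"; summarize_dir "$d"
#   summarize_dir /var/www/html/images      # on a real host
```

A tshark export of HTTP objects (`tshark -r capture.pcap --export-objects http,outdir`) produces exactly the kind of directory `summarize_dir` is meant for.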
Poison: layer 2 attacks
Example: ARP poison, race condition DNS, DHCP
# tcpdump 'arp'
# tcpdump -tnr <FILE NAME>.pcap arp | awk -F ',' '{print $1"."$2","$3","$4}' | sort | uniq -c | sort -n | tail
# tshark -r <FILE NAME>.pcap -Y "arp.duplicate-address-detected"
(arp.duplicate-address-detected is a display-filter field, so it must be used with -Y; the io,phs protocol hierarchy statistics never contain it.)
TOOL SUITES
PREBUILT ISO, VIRTUAL MACHINE AND DISTRIBUTIONS
KALI - Open Source Pentesting Distribution
Ref. https://www.kali.org
SIFT - SANS Investigative Forensics Toolkit
Ref. http://sift.readthedocs.org/
REMNUX - A Linux Toolkit for Reverse-Engineering and Analyzing Malware
Ref. https://remnux.org
OPENVAS - Open Source vulnerability scanner and manager
Ref. http://www.openvas.org
MOLOCH - Large scale IPv4 packet capturing (PCAP), indexing and database system
Ref. https://github.com/aol/moloch/wiki
SECURITY ONION - Linux distro for intrusion detection, network security monitoring, and log management
Ref. https://security-onion-solutions.github.io/security-onion/
NAGIOS - Network Monitoring, Alerting, Response, and Reporting Tool
Ref. https://www.nagios.org
OSSEC - Scalable, multi-platform, open source Host-based Intrusion Detection System
Ref. http://ossec.github.io
SAMURAI WTF - Pre-configured web pen-testing environment
Ref. http://samurai.inguardians.com
RTIR - Request Tracker for Incident Response
Ref. https://www.bestpractical.com/rtir/
HONEYDRIVE - Pre-configured honeypot software packages
Ref. http://sourceforge.net/projects/honeydrive/
THE ENHANCED MITIGATION EXPERIENCE TOOLKIT (EMET) - helps prevent vulnerabilities in software from being successfully exploited
Ref. https://support.microsoft.com/en-us/kb/2458544
ATTACK SURFACE ANALYZER BY MICROSOFT - Baseline Tool
Ref. https://www.microsoft.com/en-us/download/confirmation.aspx?id=24487
WINDOWS TO GO - USB Portable Windows 8
Ref. https://technet.microsoft.com/en-us/library/hh831833.aspx
WINFE - Windows Forensic Environment on CD/USB
Ref. http://winfe.wordpress.com/
DCEPT - Deploying and detecting use of Active Directory honeytokens
Ref. https://www.secureworks.com/blog/dcept
TAILS - The Amnesic Incognito Live System
Ref. https://tails.boum.org
7 INCIDENT MANAGEMENT (CHECKLIST)
INCIDENT RESPONSE CHECKLIST
Note: This section is intended to be an incident response guide. Some tasks may not be relevant, required or appropriate. Please consider your environment before implementing each step, or add other steps as needed.
IDENTIFICATION TASKS
Acquire a copy of the malicious file(s) for analysis?
  Priority: H/M/L | Effort: H/M/L | Open/Closed
Malicious effects on systems list: acquire an itemized list of all known changes on computer systems (files, settings, registry, services added/modified/deleted or stopped/started).
  Priority: H/M/L | Effort: H/M/L | Open/Closed
Which A/V or anti-malware tools can detect and remove the malicious threat?
  Priority: H/M/L | Effort: H/M/L | Open/Closed
Where did the malware/attacker exit the network?
  Priority: H/M/L | Effort: H/M/L | Open/Closed
Malicious internal activity/connections still active?
  Priority: H/M/L | Effort: H/M/L | Open/Closed
Malware listening on any port?
  Priority: H/M/L | Effort: H/M/L | Open/Closed
Malware method of original infection, and/or weakness exploited?
  Priority: H/M/L | Effort: H/M/L | Open/Closed
Packet capture of malware trying to infect others?
  Priority: H/M/L | Effort: H/M/L | Open/Closed
Any packet capture of malware trying to communicate out of the network, and identification of the method (ports, IPs, DNS, etc.)?
  Priority: H/M/L | Effort: H/M/L | Open/Closed
Malware poses a threat to any sensitive data (files, credentials, intellectual property, PII, etc.)?
  Priority: H/M/L | Effort: H/M/L | Open/Closed
What are the DNS entries on an infected system?
  Priority: H/M/L | Effort: H/M/L | Open/Closed
Is it possible to detect the first infected system(s)?
  Priority: H/M/L | Effort: H/M/L | Open/Closed
Has the first system's hard drive been preserved?
  Priority: H/M/L | Effort: H/M/L | Open/Closed
Do any scripts need to be run on live infected systems?
  Priority: H/M/L | Effort: H/M/L | Open/Closed
Does the client have a desktop management tool? If so, what reports are available to inventory all systems and their statuses?
  Priority: H/M/L | Effort: H/M/L | Open/Closed
List of all infected systems?
  Priority: H/M/L | Effort: H/M/L | Open/Closed
Identify any missing patching with the current and/or a previous vulnerability scan.
  Priority: H/M/L | Effort: H/M/L | Open/Closed
Look for systems that have stopped reporting into anti-malware management servers for updates, or which ones have stopped going to AV vendors for updates.
  Priority: H/M/L | Effort: H/M/L | Open/Closed
Look for systems that have stopped going to the update server or directly to Microsoft for updates.
  Priority: H/M/L | Effort: H/M/L | Open/Closed
CONTAINMENT TASKS
How many systems are still unknown, clear, suspicious, or infected?
  Priority: H/M/L | Effort: H/M/L | Open/Closed
Networking device(s) changes (switches, routers, firewalls, IPS, NAC, Wi-Fi, etc.).
  Priority: H/M/L | Effort: H/M/L | Open/Closed
Active Directory OU isolation of suspected systems.
  Priority: H/M/L | Effort: H/M/L | Open/Closed
User account restrictions and Active Directory user resets.
  Priority: H/M/L | Effort: H/M/L | Open/Closed
Active Directory policies to prohibit threats from running and/or gaining access.
  Priority: H/M/L | Effort: H/M/L | Open/Closed
Firewall blocks.
  Priority: H/M/L | Effort: H/M/L | Open/Closed
DNS blocks (null route malware site(s)).
  Priority: H/M/L | Effort: H/M/L | Open/Closed
Web filtering blocks.
  Priority: H/M/L | Effort: H/M/L | Open/Closed
REMEDIATION TASKS
Administrative AD password changes.
  Priority: H/M/L | Effort: H/M/L | Open/Closed
Local administrative password changes.
  Priority: H/M/L | Effort: H/M/L | Open/Closed
User AD password changes.
  Priority: H/M/L | Effort: H/M/L | Open/Closed
Local user password changes.
  Priority: H/M/L | Effort: H/M/L | Open/Closed
Service account password changes.
  Priority: H/M/L | Effort: H/M/L | Open/Closed
Push antivirus updates for detected malware.
  Priority: H/M/L | Effort: H/M/L | Open/Closed
Try multiple antivirus tools.
  Priority: H/M/L | Effort: H/M/L | Open/Closed
What Active Directory GPO policies are set (logs, restrictions, etc.)?
  Priority: H/M/L | Effort: H/M/L | Open/Closed
What is the network architecture and how would malware traverse it?
  Priority: H/M/L | Effort: H/M/L | Open/Closed
Are there additional IDS/IPS segments that need coverage to prevent/detect the outbreak?
  Priority: H/M/L | Effort: H/M/L | Open/Closed
3rd party applications missing patches (Adobe, Java, etc.)?
  Priority: H/M/L | Effort: H/M/L | Open/Closed
Monitor client email for vendor or other business continuity items of interest.
  Priority: H/M/L | Effort: H/M/L | Open/Closed
Monitor RDP sessions on externally accessible RDP client systems.
  Priority: H/M/L | Effort: H/M/L | Open/Closed
Are there any applications in use that are facilitating the attack? If so, are there alternatives?
  Priority: H/M/L | Effort: H/M/L | Open/Closed
Is there a baseline system to review for changes?
  Priority: H/M/L | Effort: H/M/L | Open/Closed
Monitor user name variations.
  Priority: H/M/L | Effort: H/M/L | Open/Closed
Managing and monitoring tasks.
  Priority: H/M/L | Effort: H/M/L | Open/Closed
Review border router logs.
  Priority: H/M/L | Effort: H/M/L | Open/Closed
Review VPN (remote access) logs.
  Priority: H/M/L | Effort: H/M/L | Open/Closed
Review AD server logs.
  Priority: H/M/L | Effort: H/M/L | Open/Closed
Review Citrix / VMware or similar logs.
  Priority: H/M/L | Effort: H/M/L | Open/Closed
Review accounting server(s) logs and trends of users.
  Priority: H/M/L | Effort: H/M/L | Open/Closed
Review Anti-Virus (Malicious Code Services) logs.
  Priority: H/M/L | Effort: H/M/L | Open/Closed
Review email abuse notifications and logs.
  Priority: H/M/L | Effort: H/M/L | Open/Closed
Review DNS logs.
  Priority: H/M/L | Effort: H/M/L | Open/Closed
Review account and policy abuse logs.
  Priority: H/M/L | Effort: H/M/L | Open/Closed
Review host firewall logs.
  Priority: H/M/L | Effort: H/M/L | Open/Closed
OTHER / LESSONS LEARNED TASKS
Rebuild all systems in the life cycle rebuild plan.
  Priority: H/M/L | Effort: H/M/L | Open/Closed
Synchronize time services across all systems.
  Priority: H/M/L | Effort: H/M/L | Open/Closed
Create an incident data repository.
  Priority: H/M/L | Effort: H/M/L | Open/Closed
Consider host-based IPS.
  Priority: H/M/L | Effort: H/M/L | Open/Closed
Consider Network Access Control (NAC).
  Priority: H/M/L | Effort: H/M/L | Open/Closed
3rd party internal/external security and perimeter security tools and assessment services.
  Priority: H/M/L | Effort: H/M/L | Open/Closed
MALWARE ATTRIBUTES CHECKLIST
Malware presence on the system (Yes/No/Unknown/N/A for each):
• Runs in memory only, runs out of the registry, or leaves artifacts on disk
• Disk file presence hidden, stored in unallocated or free/slack space, or encrypted
• Has no icon
• Has no description or company name
• Unsigned Microsoft images
• Packed and likely encrypted
• Suspicious DLLs or services
• Backs up and swaps itself in and out in place of the real file
• Stays alive by working in file pairs
• Found in embedded devices, industrial controls and IoT
Malware activities (Yes/No/Unknown/N/A for each):
• Downloads new code/functionality
• Leverages pivot system(s) and network path(s) to exit the victim network, including VPN/dial-up, HTTP/HTTPS, and other standard or non-standard services and ports
• Ability to leverage mobile devices and other removable media
• Ability to detect and utilize authenticated web proxies
• Morphs on the victim client system
• Contains red herring (misleading/distracting) features depending on the environment it detects
• Ability to traverse all known operating systems
• Ability to move into embedded devices
Malware capabilities (Yes/No/Unknown/N/A for each):
• Ability to conduct most Windows-based Active Directory commands
• Ability to upload and download files/payloads
• Can use built-in services or purpose-built malware for needed services
• Has several persistence features, making the malware highly resilient to A/V defenses
• Ability to brute force
• Ability to DoS/DDoS tools
• Ability to steal and/or pass the hash
• Ability to conduct credential harvesting
• Privilege escalation capability
• Ransomware or similar capability
• Self-destruct mode, including destructive methods
• Anti memory forensics
• Is sandbox aware and virtual machine aware
• Applies software patches to prevent other malware infection
• C2 techniques: DNS, HTTP, HTTPS, steganography, cloud, TOR, online code, etc.
• One-time install/detonation
• Communicates in no predictable pattern, including short and long-term sleep techniques
• Makes use of a compromised CA in order to hide communications
• Timezone and IP geo aware
• Makes use of well-established commercial (or compromised) web sites for C2, i.e. Dropbox, Gmail, etc.
8 SECURITY INCIDENT IDENTIFICATION (SCHEMA)
VOCABULARY FOR EVENTS RECORDING AND INCIDENT SHARING (VERIS)
GENERAL
Ref. http://veriscommunity.net/
Use this template to identify threats uniformly:
incident_id #
security_incident Confirmed, Suspected, False positive, Near miss, No
confidence High, Medium, Low, None
victim.employee_count #
timeline.unit Unknown, NA, Seconds, Minutes, Hours, Days, Weeks, Months, Years, Never
impact.overall_rating Unknown, Insignificant, Distracting, Painful, Damaging, Catastrophic
impact.loss.variety Asset and fraud, Brand damage, Business disruption, Operating costs, Legal and regulatory, Competitive advantage, Response and recovery
impact.loss.rating Unknown, Major, Moderate, Minor, None
discovery_method Unknown, Ext - actor disclosure, Ext - fraud detection, Ext - monitoring service, Ext - unrelated party, Ext - audit, Ext - customer, Ext - unknown, Ext - law enforcement, Int - antivirus, Int - incident response, Int - financial audit, Int - fraud detection, Int - HIDS, Int - IT audit, Int - log review, Int - NIDS, Int - security alarm, Int - reported by user, Int - unknown, Other
targeted Unknown, Opportunistic, Targeted, NA
cost_corrective_action Unknown, Simple and cheap, Difficult and expensive, Something in-between
country Unknown, Two Letter, Other
iso_currency_code AED, AFN, ALL, AMD, ANG, AOA, ARS, AUD, AWG, AZN, BAM, BBD, BDT, BGN, BHD, BIF, BMD, BND, BOB, BRL, BSD, BTN, BWP, BYR, BZD, CAD, CDF, CHF, CLP, CNY, COP, CRC, CUC, CUP, CVE, CZK, DJF, DKK, DOP, DZD, EGP, ERN, ETB, EUR, FJD, FKP, GBP, GEL, GGP, GHS, GIP, GMD, GNF, GTQ, GYD, HKD, HNL, HRK, HTG, HUF, IDR, ILS, IMP, INR, IQD, IRR, ISK, JEP, JMD, JOD, JPY, KES, KGS, KHR, KMF, KPW, KRW, KWD, KYD, KZT, LAK, LBP, LKR, LRD, LSL, LTL, LVL, LYD, MAD, MDL, MGA, MKD, MMK, MNT, MOP, MRO, MUR, MVR, MWK, MXN, MYR, MZN, NAD, NGN, NIO, NOK, NPR, NZD, OMR, PAB, PEN, PGK, PHP, PKR, PLN, PYG, QAR, RON, RSD, RUB, RWF, SAR, SBD, SCR, SDG, SEK, SGD, SHP, SLL, SOS, SPL, SRD, STD, SVC, SYP, SZL, THB, TJS, TMT, TND, TOP, TRY, TTD, TVD, TWD, TZS, UAH, UGX, USD, UYU, UZS, VEF, VND, VUV, WST, XAF, XCD, XDR, XOF, XPF, YER, ZAR, ZMK, ZWD
ACTOR
actor.x.motive Unknown, NA, Espionage, Fear, Financial, Fun, Grudge, Ideology, Convenience, Other
actor.external.variety Unknown, Activist, Auditor, Competitor, Customer, Force majeure, Former employee, Nation-state, Organized crime, Acquaintance, State-affiliated, Terrorist, Unaffiliated, Other
actor.internal.variety Unknown, Auditor, Call center, Cashier, End-user, Executive, Finance, Helpdesk, Human resources, Maintenance, Manager, Guard, Developer, System admin, Other
ACTION
action.malware.variety Unknown, Adware, Backdoor, Brute force, Capture app data, Capture stored data, Client-side attack, Click fraud, C2, Destroy data, Disable controls, DoS, Downloader, Exploit vuln, Export data, Packet sniffer, Password dumper, Ram scraper, Ransomware, Rootkit, Scan network, Spam, Spyware/Keylogger, SQL injection, Adminware, Worm, Other
action.malware.vector Unknown, Direct install, Download by malware, Email autoexecute, Email link, Email attachment, Instant messaging, Network propagation, Remote injection, Removable media, Web drive-by, Web download, Other
action.hacking.variety Unknown, Abuse of functionality, Brute force, Buffer overflow, Cache poisoning, Session prediction, CSRF, XSS, Cryptanalysis, DoS, Footprinting, Forced browsing, Format string attack, Fuzz testing, HTTP request smuggling, HTTP request splitting, HTTP response smuggling, HTTP response splitting, Integer overflows, LDAP injection, Mail command injection, MitM, Null byte injection, Offline cracking, OS commanding, Path traversal, RFI, Reverse engineering, Routing detour, Session fixation, Session replay, Soap array abuse, Special element injection, SQLi, SSI injection, URL redirector abuse, Use of backdoor or C2, Use of stolen creds, XML attribute blowup, XML entity expansion, XML external entities, XML injection, XPath injection, XQuery injection, Virtual machine escape, Other
action.hacking.vector Unknown, 3rd party desktop, Backdoor or C2, Desktop sharing, Physical access, Command shell, Partner, VPN, Web application, Other
action.social.variety Unknown, Baiting, Bribery, Elicitation, Extortion, Forgery, Influence, Scam, Phishing, Pretexting, Propaganda, Spam, Other
action.social.vector Unknown, Documents, Email, In-person, IM, Phone, Removable media, SMS, Social media, Software, Website, Other
action.social.target Unknown, Auditor, Call center, Cashier, Customer, End-user, Executive, Finance, Former employee, Helpdesk, Human resources, Maintenance, Manager, Partner, Guard, Developer, System admin, Other
action.misuse.variety Unknown, Knowledge abuse, Privilege abuse, Embezzlement, Data mishandling, Email misuse, Net misuse, Illicit content, Unapproved workaround, Unapproved hardware, Unapproved software, Other
action.misuse.vector Unknown, Physical access, LAN access, Remote access, Non-corporate, Other
action.physical.variety Unknown, Assault, Sabotage, Snooping, Surveillance, Tampering, Theft, Wiretapping, Connection, Other
action.physical.location Unknown, Partner facility, Partner vehicle, Personal residence, Personal vehicle, Public facility, Public vehicle, Victim secure area, Victim work area, Victim public area, Victim grounds, Other
action.physical.vector Unknown, Privileged access, Visitor privileges, Bypassed controls, Disabled controls, Uncontrolled location, Other
action.error.variety Unknown, Classification error, Data entry error, Disposal error, Gaffe, Loss, Maintenance error, Misconfiguration, Misdelivery, Misinformation, Omission, Physical accidents, Capacity shortage, Programming error, Publishing error, Malfunction, Other
action.error.vector Unknown, Random error, Carelessness, Inadequate personnel, Inadequate processes, Inadequate technology, Other
action.environmental.variety Unknown, Deterioration, Earthquake, EMI, ESD, Temperature, Fire, Flood, Hazmat, Humidity, Hurricane, Ice, Landslide, Lightning, Meteorite, Particulates, Pathogen, Power failure, Tornado, Tsunami, Vermin, Volcano, Leak, Wind, Other
ASSET
asset.variety Unknown,
S - Authentication, S - Backup, S - Database, S - DHCP, S - Directory, S - DCS, S - DNS, S - File, S - Log, S - Mail, S - Mainframe, S - POS controller, S - Print, S - Payment switch, S - Proxy, S - Remote access, S - SCADA, S - Web application, S - Code repository, S - VM host, S - Other,
N - Access reader, N - Camera, N - Firewall, N - HSM, N - IDS, N - Broadband, N - PBX, N - Private WAN, N - PLC, N - Public WAN, N - RTU, N - Router or switch, N - SAN, N - Telephone, N - VoIP adapter, N - LAN, N - WLAN, N - Other,
U - Auth token, U - Desktop, U - Laptop, U - Media, U - Mobile phone, U - Peripheral, U - POS terminal, U - Tablet, U - Telephone, U - VoIP phone, U - Other,
T - ATM, T - PED pad, T - Gas terminal, T - Kiosk,
M - Tapes, M - Disk drive, M - Smart card, M - Flash drive, M - Disk media, M - Documents, M - Payment card, M - Other,
P - System admin, P - Auditor, P - Call center, P - Cashier, P - Customer, P - Developer, P - End-user, P - Executive, P - Finance, P - Former employee, P - Guard, P - Helpdesk, P - Human resources, P - Maintenance, P - Manager, P - Partner, P - Other
asset.accessibility Unknown, External, Internal, Isolated, NA
asset.ownership Unknown, Victim, Employee, Partner, Customer, NA
asset.management Unknown, Internal, External, NA
asset.hosting Unknown, Internal, External shared, External dedicated, External, NA
asset.cloud Unknown, Hypervisor, Partner application, Hosting governance, Customer attack, Hosting
ATTRIBUTE
attribute.confidentiality.data_disclosure Unknown, Yes, Potentially, No
attribute.confidentiality.data.variety Unknown, Credentials, Bank, Classified, Copyrighted, Medical, Payment, Personal, Internal, System, Secrets, Other
attribute.confidentiality.state Unknown, Stored, Stored encrypted, Stored unencrypted, Transmitted, Transmitted encrypted, Transmitted unencrypted, Processed
attribute.integrity.variety Unknown, Created account, Hardware tampering, Alter behavior, Fraudulent transaction, Log tampering, Misappropriation, Misrepresentation, Modify configuration, Modify privileges, Modify data, Software installation, Other
attribute.availability.variety Unknown, Destruction, Loss, Interruption, Degradation, Acceleration, Obscuration, Other
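The template above is a set of dotted field paths with fixed enumerations, which is easy to get wrong by hand (a misspelled discovery_method value silently breaks any later aggregation). The following is an added example, not the manual's own code and not the official VERIS JSON Schema: it transcribes a subset of the enumerations listed in this chapter into Python, builds a constructed incident record in VERIS' nested layout, and rejects any value outside the permitted lists. The incident identifier and all incident details are made up for illustration.

```python
"""Build and validate a VERIS-style incident record against the template above.

Added example (not the BTFM's code, not the official VERIS JSON Schema): the
enumerations are a subset transcribed from this chapter, the record below is
constructed, and the nested-dict / dotted-path layout follows VERIS.
"""
import json

# Subset of the chapter's enumerations, keyed by dotted VERIS field path.
ENUMS = {
    "security_incident": {"Confirmed", "Suspected", "False positive", "Near miss", "No"},
    "confidence": {"High", "Medium", "Low", "None"},
    "timeline.unit": {"Unknown", "NA", "Seconds", "Minutes", "Hours", "Days", "Weeks",
                      "Months", "Years", "Never"},
    "impact.overall_rating": {"Unknown", "Insignificant", "Distracting", "Painful",
                              "Damaging", "Catastrophic"},
    "targeted": {"Unknown", "Opportunistic", "Targeted", "NA"},
    "discovery_method": {
        "Unknown", "Ext - actor disclosure", "Ext - fraud detection", "Ext - monitoring service",
        "Ext - unrelated party", "Ext - audit", "Ext - customer", "Ext - unknown",
        "Ext - law enforcement", "Int - antivirus", "Int - incident response",
        "Int - financial audit", "Int - fraud detection", "Int - HIDS", "Int - IT audit",
        "Int - log review", "Int - NIDS", "Int - security alarm", "Int - reported by user",
        "Int - unknown", "Other"},
    # actor.external.motive and actor.internal.motive share one enumeration (actor.x.motive).
    "actor.x.motive": {"Unknown", "NA", "Espionage", "Fear", "Financial", "Fun", "Grudge",
                       "Ideology", "Convenience", "Other"},
    "actor.external.variety": {"Unknown", "Activist", "Auditor", "Competitor", "Customer",
                               "Force majeure", "Former employee", "Nation-state",
                               "Organized crime", "Acquaintance", "State-affiliated",
                               "Terrorist", "Unaffiliated", "Other"},
    "action.social.variety": {"Unknown", "Baiting", "Bribery", "Elicitation", "Extortion",
                              "Forgery", "Influence", "Scam", "Phishing", "Pretexting",
                              "Propaganda", "Spam", "Other"},
    "action.malware.variety": {"Unknown", "Adware", "Backdoor", "Brute force", "C2",
                               "Downloader", "Exploit vuln", "Password dumper", "Ransomware",
                               "Rootkit", "Spyware/Keylogger", "Worm", "Other"},
    "action.malware.vector": {"Unknown", "Direct install", "Download by malware",
                              "Email autoexecute", "Email link", "Email attachment",
                              "Instant messaging", "Network propagation", "Remote injection",
                              "Removable media", "Web drive-by", "Web download", "Other"},
    "attribute.confidentiality.data_disclosure": {"Unknown", "Yes", "Potentially", "No"},
    "attribute.confidentiality.data.variety": {"Unknown", "Credentials", "Bank", "Classified",
                                               "Copyrighted", "Medical", "Payment", "Personal",
                                               "Internal", "System", "Secrets", "Other"},
}

REQUIRED = ("incident_id", "security_incident", "confidence", "discovery_method", "targeted")


def flatten(obj, prefix=""):
    """Collapse nested dicts into {'dotted.path': value}; lists stay as values."""
    flat = {}
    for key, value in obj.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten(value, path))
        else:
            flat[path] = value
    return flat


def enum_key(path):
    """Map actor.<external|internal|partner>.motive onto the shared actor.x.motive enum."""
    parts = path.split(".")
    if len(parts) == 3 and parts[0] == "actor" and parts[2] == "motive":
        return "actor.x.motive"
    return path


def validate(record):
    """Return a list of problems; an empty list means every known field conforms."""
    flat = flatten(record)
    errors = [f"missing required field {f}" for f in REQUIRED if f not in flat]
    for path, value in flat.items():
        allowed = ENUMS.get(enum_key(path))
        if allowed is None:
            continue  # free-text or numeric field (incident_id, victim.employee_count, ...)
        for v in value if isinstance(value, list) else [value]:
            if v not in allowed:
                errors.append(f"{path}: {v!r} is not a permitted value")
    return errors


# Constructed record: a phishing-delivered backdoor caught by the network IDS.
SAMPLE_INCIDENT = {
    "incident_id": "IR-2017-0042",  # hypothetical identifier
    "security_incident": "Confirmed",
    "confidence": "High",
    "discovery_method": "Int - NIDS",
    "targeted": "Targeted",
    "timeline": {"unit": "Days"},
    "victim": {"employee_count": 2500},
    "actor": {"external": {"variety": ["Organized crime"], "motive": ["Financial"]}},
    "action": {"social": {"variety": ["Phishing"]},
               "malware": {"variety": ["Backdoor", "C2"], "vector": ["Email attachment"]}},
    "attribute": {"confidentiality": {"data_disclosure": "Yes",
                                      "data": {"variety": ["Credentials"]}}},
    "impact": {"overall_rating": "Painful"},
}

if __name__ == "__main__":
    problems = validate(SAMPLE_INCIDENT)
    print(json.dumps(SAMPLE_INCIDENT, indent=2))
    print("valid" if not problems else "\n".join(problems))
```

Fields not present in ENUMS (incident_id, victim.employee_count, the full asset and COA vocabularies) pass through unchecked; extend the dictionary from the lists on this page as you adopt more of the schema. Keeping the record nested rather than flat means it serialises directly to the JSON shape VERIS tooling expects.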
COURSE OF ACTION
Structured Threat Information eXpression (STIX™) (Adapted)
Ref. https://stixproject.github.io/
coa.type Blocking, Redirecting, Hardening, Patching, Rebuilding, Monitoring, Other
coa.impact Insignificant, Distracting, Painful, Damaging, Catastrophic, Unknown
coa.efficacy Not Effective, Somewhat Effective, Mostly Effective, Completely Effective, NA
coa.stage Prepare, Remedy, Response, Recovered
coa.hosting Unknown, Internal, External shared, External dedicated, External, NA
coa.objective Detect, Deny, Disrupt, Degrade, Deceive, Destroy
KILL CHAIN MAPPING
GATHER DATA FOR MAPPING KILL CHAIN
Ref. http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf

Phase | Identified evidence artifact, info or intel | Course of action
Active Reconnaissance | | Detect, Deny, Disrupt, Degrade, Deceive, Destroy
Customization | | Detect, Deny, Disrupt, Degrade, Deceive, Destroy
Delivery | | Detect, Deny, Disrupt, Degrade, Deceive, Destroy
Exploitation | | Detect, Deny, Disrupt, Degrade, Deceive, Destroy
Installation | | Detect, Deny, Disrupt, Degrade, Deceive, Destroy
Command & Control (C2) | | Detect, Deny, Disrupt, Degrade, Deceive, Destroy
Action on Objectives | | Detect, Deny, Disrupt, Degrade, Deceive, Destroy
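The table above is filled in per intrusion: each artifact is pinned to a phase and paired with one or more courses of action, and the finished matrix shows where along the chain the defender can break it and which phases have no coverage at all. The following is an added example, not the manual's or Lockheed Martin's code: it uses the seven phases of the table, the six coa.objective values and the coa.type values from the STIX section earlier in this chapter, and a constructed set of artifacts (an example.com sender and a TEST-NET address, neither tied to any real incident) to build and render the matrix and to report coverage gaps.

```python
"""Map identified evidence artifacts onto kill chain phases and courses of action.

Added example, not the BTFM's or Lockheed Martin's code: phases and COA
objectives are those of the table above, COA types come from the STIX coa.type
list in this chapter, and the artifacts are constructed (example.com sender,
TEST-NET address 203.0.113.7).
"""

PHASES = ("Active Reconnaissance", "Customization", "Delivery", "Exploitation",
          "Installation", "Command & Control (C2)", "Action on Objectives")
OBJECTIVES = ("Detect", "Deny", "Disrupt", "Degrade", "Deceive", "Destroy")
COA_TYPES = ("Blocking", "Redirecting", "Hardening", "Patching", "Rebuilding",
             "Monitoring", "Other")

# (phase, artifact, [(coa.objective, coa.type, action), ...]) -- constructed sample.
SAMPLE_ARTIFACTS = [
    ("Delivery", "mail from billing@example.com with invoice.doc attachment",
     [("Detect", "Monitoring", "alert on sender domain at the mail gateway"),
      ("Deny", "Blocking", "drop attachments carrying VBA macros from that domain")]),
    ("Exploitation", "WINWORD.EXE spawning powershell.exe -enc ...",
     [("Detect", "Monitoring", "HIDS rule: Office parent, PowerShell child"),
      ("Deny", "Hardening", "disable Office macros via GPO")]),
    ("Installation", "Run key HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater",
     [("Detect", "Monitoring", "audit writes to Run keys")]),
    ("Command & Control (C2)", "HTTPS beacon to 203.0.113.7 every 60 s",
     [("Deny", "Blocking", "egress block of 203.0.113.7 at the firewall"),
      ("Deceive", "Redirecting", "sinkhole the C2 host name on internal DNS")]),
]


def build_matrix(artifacts):
    """Return {phase: {"artifacts": [...], "coa": {objective: [(type, action), ...]}}}.

    Raises ValueError for a phase, objective or COA type outside the page's
    lists, so a typo in the mapping is caught before it reaches a briefing.
    """
    matrix = {p: {"artifacts": [], "coa": {o: [] for o in OBJECTIVES}} for p in PHASES}
    for phase, artifact, coas in artifacts:
        if phase not in matrix:
            raise ValueError(f"unknown kill chain phase: {phase}")
        matrix[phase]["artifacts"].append(artifact)
        for objective, coa_type, action in coas:
            if objective not in OBJECTIVES:
                raise ValueError(f"unknown coa.objective: {objective}")
            if coa_type not in COA_TYPES:
                raise ValueError(f"unknown coa.type: {coa_type}")
            matrix[phase]["coa"][objective].append((coa_type, action))
    return matrix


def coverage_gaps(matrix):
    """Phases with no course of action at all: the blind spots in the chain."""
    return [p for p in PHASES if not any(matrix[p]["coa"].values())]


def earliest_denied_phase(matrix):
    """First phase where the intrusion can be stopped outright (Deny, Disrupt or Destroy)."""
    for p in PHASES:
        coa = matrix[p]["coa"]
        if coa["Deny"] or coa["Disrupt"] or coa["Destroy"]:
            return p
    return None


def render(matrix):
    """Plain-text form of the page's table: Phase | Artifact | Course of action."""
    lines = ["Phase | Identified evidence artifact | Course of action"]
    for p in PHASES:
        arts = "; ".join(matrix[p]["artifacts"]) or "(none identified)"
        coas = "; ".join(f"{o}: {t} - {a}" for o in OBJECTIVES
                         for t, a in matrix[p]["coa"][o]) or "(no COA)"
        lines.append(f"{p} | {arts} | {coas}")
    return "\n".join(lines)


if __name__ == "__main__":
    m = build_matrix(SAMPLE_ARTIFACTS)
    print(render(m))
    print("gaps:", ", ".join(coverage_gaps(m)))
    print("earliest phase where the chain can be broken:", earliest_denied_phase(m))
```

For the sample, the chain can first be broken at Delivery, and Active Reconnaissance, Customization and Action on Objectives have no course of action; those are the rows to work on next, since the white paper's point is that a defender who acts earlier in the chain than the adversary expects forces the adversary to re-tool.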
PRIORITIZED DEFENDED ASSET LIST (PDAL)
GATHER DATA AND PRIORITIZE ASSETS TO DEFEND

I
Asset:
Location:
Criticality:
Description:
Vulnerability:
Purpose:
Time Prioritized:
Recoverability Ranking:
Priority:

II
Asset:
Location:
Criticality:
Description:
Vulnerability:
Purpose:
Time Prioritized:
Recoverability Ranking:
Priority:

III
Asset:
Location:
Criticality:
Description:
Vulnerability:
Purpose:
Time Prioritized:
Recoverability Ranking:
Priority:
SCRATCH PAD
10 INDEX (A-Z)

A
Active Directory 17, 18, 19, 31
AdFind 19
Alternate Data Streams 77
Apache 63
AppLocker 26
auditd 64
Auditpol 32, 56, 57, 58, 59, 97

C
Certutil 107
Cron 63, 82
cURL 90

D
dc3dd 91, 92
dd 91
Decoding 107
DHCP 14, 20
DNS 14, 21, 25, 39
DNSCmd 15
dnstop 55
dsadd 32
dsmove 3
dsquery 17, 18

E
editcap 51

F
File Checksum Integrity Verifier (FCIV) 15
forfiles 77

G
GMER 101
gpresult 69
gpupdate 32
Group Policy Object 31

H
Hashing 15, 21
hexdump 85

I
iftop 112
initctl 36
IPSEC 30, 40
iptables 37, 38, 40
IPv6 33

L
labrea 54
ldifde 19
LiME 92
Linux Firewall 37
Linux Scripting 20, 21, 46, 53, 106
Linux Services 36
ListDLLs 78

M
Mergecap 51
Microsoft Baseline Security Analyzer (MBSA) 17
Microsoft IIS 62
Mimikatz 53
Mklink 97
mount 106

N
nbtscan 21
nbtstat 16
Nessus 11
net user 25
net view 14
NetBIOS 16
Netcat 54
netdom 18
Netsh 23, 24, 25, 30, 31, 68
Nmap 11

O
OpenSSL 47
OpenVAS 12

P
passwd 3
PowerShell 19, 28, 29, 59, 62, 76, 98, 105, 108
Proxy Auto Config (PAC) 26, 39
ps 36
PsExec 91, 104
PsInfo 67
PsLoggedOn 16
PsLoglist 75
pspasswd 25

R
Racoon 40
Remote Desktop Protocol (RDP) 32
Robocopy 103
runas 53

S
SC 23, 99
scp 106
Sigcheck 77, 85
smbclient 20
smbtree 20
Snort 50, 109, 110, 111
SSH 80, 105
ssldump 47
Sticky Keys 33

T
tcpdump 45, 46, 112, 113
Team Cymru 90
TShark 47, 48, 49, 112, 113

U
ufw 38
unix-privesc-check 83
upstart 36
User Access Control (UAC) 35

V
VirusTotal 90
Volatility 87, 91
Volrest 98
Vssadmin 97, 98

W
Wevtutil 53, 56, 75, 76
Wget 54
Windows Autorun 69, 70
Windows Defender 78
Windows Event Log 60, 61
Windows Firewall 23, 31, 35
Windows Registry 32, 33, 34, 56, 71, 72, 73, 74
Windows Scripting 14, 16, 52, 77
wmic 23, 67, 69
wusa 95

X
xorsearch 107
Made in the USA, San Bernardino, CA, 10 February 2017