Fundamentals
CIA triad
The CIA triad is a model for classifying the three main components of information security: confidentiality, integrity, and availability. These three components are often referred to as the "CIA triad" because they represent the core principles of information security.

Confidentiality
Confidentiality refers to the protection of information from unauthorized access or disclosure. It is important to ensure that only authorized individuals or systems can access sensitive information.
Confidentiality can be achieved through:
• Encryption
• Strong authentication systems
Integrity
Integrity refers to the accuracy and completeness of information, as well as the protection of information from unauthorized modification. It is important to ensure that information is not corrupted or altered in an unauthorized manner.
Integrity can be achieved through:
• Hashing
• Digital Signatures
• Encryption
• Digital certificates
Availability
Availability refers to the accessibility of information and systems. It is important to ensure that authorized users can access the information and systems they need when they need them.
Availability can be achieved through:
• Redundancy
• Backups
The CIA triad is a useful framework for understanding the key aspects of information security and for developing strategies to protect against various types of threats. By focusing on confidentiality, integrity, and availability, organizations can ensure that their sensitive information and systems are secure and available to authorized users.
Common Ports
Network ports are identified by a number, ranging from 0 to 65535. The most commonly used ports are assigned specific purposes by the Internet Assigned Numbers Authority (IANA). For example, port 80 is used for HTTP traffic, port 443 is used for HTTPS traffic, and port 25 is used for SMTP email traffic.
Cyber Kill Chain
The Cyber Kill Chain is a model that was developed by Lockheed Martin to describe the stages of a typical cyber attack. The model is designed to help organizations understand how an attack progresses, so that they can take steps to prevent or mitigate the attack at each stage.
The seven stages of the Cyber Kill Chain are as follows:
1. Reconnaissance: The attacker gathers information about the target organization and its systems, often through publicly available sources or through social engineering techniques.
2. Weaponization: The attacker prepares the payload (e.g., malware or an exploit) that will be used to attack the target.
3. Delivery: The attacker delivers the payload to the target, often through email attachments, infected websites, or other means of exploiting vulnerabilities.
4. Exploitation: The attacker takes advantage of a vulnerability in the target's systems to execute the payload.
5. Installation: The payload is installed on the target's systems, often in a way that is hidden from the user.
6. Command and control: The attacker establishes a means of communicating with and controlling the payload, often through a network connection.
7. Actions on objectives: The attacker carries out the objectives of the attack, such as stealing data or disrupting services.
Understanding the Cyber Kill Chain can help organizations identify and respond to attacks at each stage, and can help them develop strategies to prevent or mitigate the impact of future attacks.

DNS (Domain Name System)
The Domain Name System (DNS) is a hierarchical decentralized naming system for computers, services, or other resources connected to the internet or a private network. It is used to translate human-readable domain names, such as "google.com," into numerical IP addresses that computers can use to communicate with each other.
DNS consists of a hierarchy of servers that are responsible for mapping domain names to IP addresses. At the top of the hierarchy are the root servers, which direct queries to the correct top-level domain (TLD) servers. TLD servers direct queries to the correct authoritative name servers, which map specific domain names to IP addresses.
DNS is an important infrastructure component of the internet, and it plays a critical role in enabling communication between computers and devices on the internet. Without DNS, users would have to remember the numerical IP addresses of websites and other resources, which would be difficult and inconvenient.
To use DNS, a domain owner must register their domain name and configure it with the appropriate DNS records, which specify the IP addresses and other information about the domain. When a user types a domain name into their web browser or sends an email to an address at a particular domain, the DNS system is used to resolve the domain name to the correct IP address and route the traffic to the appropriate destination.


4 types of DNS servers
1. DNS recursor (a.k.a DNS resolver)
The DNS resolver might be operated by an Internet Service Provider (ISP) or another third party such as Google Public DNS (8.8.8.8). The resolver starts by looking in its local cache; if the hostname is found there, it is resolved immediately. If not, the resolver queries one of the root DNS servers for the IP address of the domain name.
2. Root nameserver
Root servers are DNS nameservers that operate in the root zone and they hold the locations of all the Top Level Domains (TLDs). These servers can directly answer queries for records stored or cached within the root zone, and they can also refer other requests to the appropriate Top Level Domain (TLD) server. The root name servers are a critical part of the Internet infrastructure because they are the first step in resolving human-readable host names into IP addresses that are used in communication between Internet hosts.
There are 13 logical root name servers specified, with logical names in the form of letter.root-servers.net, where letter ranges from a to m.

3. TLD nameserver
A TLD nameserver maintains information for all the domain names that share a common domain extension, such as .com, .net, or whatever comes after the last dot in a URL. For example, a .com TLD nameserver contains information for every website that ends in ‘.com’. If a user was searching for google.com, after receiving a response from a root nameserver, the recursive resolver would then send a query to a .com TLD nameserver, which would respond by pointing to the authoritative nameserver.
4. Authoritative nameserver
An authoritative name server provides the actual answer to a DNS query, such as a mail server's or a web site's IP address (A or AAAA address record). It provides original and definitive answers to DNS queries.
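The referral chain described in the four items above, as an added example that is not part of the original page: a recursor that answers from its cache when it can and otherwise walks root, TLD and authoritative servers. Every zone, server name and address in it is constructed (192.0.2.0/24 is TEST-NET-1).

```python
# Constructed delegation data, keyed by zone. A nameserver either answers with
# an address it is authoritative for or refers the resolver to a child zone.
# In real DNS the referrals are NS records plus glue A records.
ZONES = {
    ".": {
        "server": "a.root-servers.net",        # root: knows where the TLDs live
        "children": ["com."],
        "answers": {},
    },
    "com.": {
        "server": "a.gtld-servers.net",        # TLD: knows the domains under .com
        "children": ["example.com."],
        "answers": {},
    },
    "example.com.": {
        "server": "ns1.example.com.",          # authoritative: holds the A records
        "children": [],
        "answers": {"www.example.com.": "192.0.2.10", "example.com.": "192.0.2.1"},
    },
}


def query(zone, name):
    """Ask the nameserver for `zone` about `name`.
    Returns ("answer", ip), ("referral", child_zone) or ("nxdomain", None)."""
    z = ZONES[zone]
    if name in z["answers"]:
        return "answer", z["answers"][name]
    # Longest matching child zone wins, as in a real delegation.
    for child in sorted(z["children"], key=len, reverse=True):
        if name == child or name.endswith("." + child):
            return "referral", child
    return "nxdomain", None


class RecursiveResolver:
    """Models the DNS recursor: answer from cache if possible, otherwise walk
    root -> TLD -> authoritative and cache the result."""

    def __init__(self):
        self.cache = {}

    def resolve(self, name):
        """Returns (ip_or_None, list of servers consulted, in order)."""
        name = name if name.endswith(".") else name + "."
        if name in self.cache:
            return self.cache[name], ["cache"]
        path, zone = [], "."
        while True:
            path.append(ZONES[zone]["server"])
            kind, value = query(zone, name)
            if kind == "answer":
                self.cache[name] = value      # later lookups skip the hierarchy
                return value, path
            if kind == "referral":
                zone = value                  # follow the delegation one level down
            else:
                return None, path


if __name__ == "__main__":
    r = RecursiveResolver()
    print(r.resolve("www.example.com"))   # consults all three server types
    print(r.resolve("www.example.com"))   # second lookup is served from cache
```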
DNS record
A Domain Name System (DNS) record is a set of information that is stored in the DNS database and is used to map domain names to IP addresses and other resources. There are many different types of DNS records, each with a specific purpose. Some common types of DNS records include:

Record Type | Description |
---|---|
A | Maps domain names to IPv4 addresses |
AAAA | Maps domain names to IPv6 addresses |
NS (Name Server) | Provides a list of the authoritative name servers responsible for the domain |
CNAME (Canonical Name) | Maps an alias name to a true or canonical domain name |
MX (Mail Exchange) | Provides the domain names of mail servers that receive emails on behalf of a domain |
TXT (Text) | Provides any type of descriptive information in text format; e.g. a Sender Policy Framework (SPF) record is a type of DNS TXT record that lists all the servers authorized to send emails from a particular domain |
SRV (Service Record) | Specifies a host and port for specific services |
SOA (Start of Authority) | Provides important details about a DNS zone; required for every DNS zone |
PTR (Pointer Record) | Provides the domain name associated with an IP address |
CAA (Certification Authority Authorization) | Allows a DNS domain name holder to specify one or more Certification Authorities (CAs) authorized to issue certificates for that domain |
DNS records are an important part of the infrastructure of the internet, and they are used to enable communication between devices and systems on the internet. By configuring DNS records, domain owners can specify how traffic should be routed to their domain, and they can control how their domain is accessed and used.
Email Security
Domain-based Message Authentication Reporting and Conformance (DMARC)
Domain-based Message Authentication Reporting and Conformance (DMARC) is an email authentication protocol that is designed to detect and prevent email spoofing. DMARC works by allowing a domain owner to publish a policy in the Domain Name System (DNS) that specifies which mechanisms are used to authenticate email sent from their domain, and how receiving mail servers should handle email that fails authentication.
When an email is received, the receiving mail server can check the DMARC policy of the domain that the email claims to be from. If the email fails authentication using the mechanisms specified in the DMARC policy, the receiving server can take a number of actions, such as rejecting the email, quarantining the email, or flagging the email as potentially suspicious.
In addition to helping prevent email spoofing, DMARC can also help protect against spam and phishing attacks. By requiring email to be authenticated using mechanisms such as SPF (Sender Policy Framework) or DKIM (DomainKeys Identified Mail), DMARC can help ensure that only legitimate email is sent from a domain.
DMARC uses DKIM and SPF to verify the legitimacy of an email's From address and quarantines or rejects email based on what it finds. For SPF alignment, DMARC looks at the Return-Path of a message to make sure the domain there matches the domain in the From address; if the Return-Path domain doesn't match the From domain, the message fails DMARC's SPF alignment test. DMARC checks DKIM alignment by comparing the d= domain in the DKIM signature with the From domain; if the d= domain matches the From domain, the message passes DKIM alignment and DMARC validation.
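The DMARC decision just described, as an added example that is not from the original page: it parses a published DMARC record and applies the SPF and DKIM alignment rules (strict or relaxed via the aspf= and adkim= tags) to results a receiver has already computed. All domains are constructed, and org_domain() is a deliberate simplification that real implementations replace with the Public Suffix List.

```python
def parse_dmarc(record):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into a
    dict. Missing alignment tags default to relaxed ('r'), as the RFC does."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Organizational domain. Simplification: the last two labels. Real
    implementations consult the Public Suffix List (think example.co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s'): exact match. Relaxed ('r'): same organizational domain."""
    if mode == "s":
        return from_domain.lower().rstrip(".") == auth_domain.lower().rstrip(".")
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(record, policy_domain, from_domain,
                   spf_result, spf_domain, dkim_result, dkim_d):
    """Returns (dmarc_passed, disposition).

    spf_domain is the Return-Path (envelope) domain SPF was checked against,
    dkim_d the d= value of a signature that verified. DMARC passes when at
    least one of the two authenticated AND is aligned with the From domain;
    otherwise the published policy applies (sp= instead of p= for a subdomain
    of the domain that published the record)."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_d, tags["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"
    policy = tags["p"]
    if from_domain.lower() != policy_domain.lower() and "sp" in tags:
        policy = tags["sp"]
    return False, policy


if __name__ == "__main__":
    rec = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r"
    # SPF passed for bounce.example.com; relaxed alignment with example.com holds
    print(evaluate_dmarc(rec, "example.com", "example.com",
                         "pass", "bounce.example.com", "none", ""))
    # DKIM passed but d=mail.example.com is not strictly aligned, SPF failed
    print(evaluate_dmarc(rec, "example.com", "example.com",
                         "fail", "mailer.test", "pass", "mail.example.com"))
```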

Sender Policy Framework (SPF)
Sender Policy Framework (SPF) is an email authentication protocol that is designed to detect and prevent email spoofing. SPF works by allowing a domain owner to specify which mail servers are authorized to send email on behalf of their domain.
When an email is received, the receiving mail server can check the SPF record of the domain that the email claims to be from. If the server that sent the email is not listed in the SPF record, the email can be flagged as potentially suspicious or fraudulent.
To use SPF, a domain owner must publish an SPF record in the Domain Name System (DNS) for their domain. This record lists the servers that are authorized to send email for the domain, and it can be used by receiving mail servers to verify the authenticity of incoming email.
In addition to helping prevent email spoofing, SPF can also help protect against spam and phishing attacks. By limiting the servers that are authorized to send email for a domain, SPF can help ensure that only legitimate email is sent from that domain.

Specify SPF version at start of record
v=spf1
Mechanisms for specifying authorised senders
Mechanisms | Explanation |
---|---|
ALL | Matches always; used for a default result like -all for all IPs not matched by prior mechanisms. |
IP4 | If the sender is in a given IPv4 address range, match. |
IP6 | If the sender is in a given IPv6 address range, match. |
MX | If the domain name has an MX record resolving to the sender's address, it will match. |
A | If the domain name has an address record (A or AAAA) that can be resolved to the sender's address, it will match. |
PTR | If the domain name (PTR record) for the client's address is in the given domain and that domain name resolves to the client's address (forward-confirmed reverse DNS), match. This mechanism is discouraged and should be avoided, if possible. |
EXISTS | If the given domain name resolves to any address, match (no matter the address it resolves to). This is rarely used. Along with the SPF macro language it offers more complex matches like DNSBL-queries. |
INCLUDE | References the policy of another domain. If that domain's policy passes, this mechanism passes. However, if the included policy fails, processing continues. To fully delegate to another domain's policy, the redirect extension must be used. |
Qualifiers
Qualifiers | Explanation |
---|---|
+ | PASS regardless of match - accept anything from the domain. This can be omitted; e.g., +mx is the same as mx. |
- | FAIL, the mail should be rejected - don't deliver the email if anything does not match. |
? | NEUTRAL - accept it, result interpreted like NONE (no policy). |
~ | SOFTFAIL - accept them, but mark it as 'suspicious'. |
Modifiers
Modifiers | Explanation |
---|---|
exp=some.example.com | If an SMTP receiver rejects a message, it can include an explanation. An SPF publisher can specify the explanation string (ASCII) that senders see. This feature is rarely used. |
redirect=some.example.com | Tells the receiving server to check the SPF record of some.example.com instead of the originating domain. |
Examples:
Allow domain’s MXs to send mail for the domain, prohibit all others
v=spf1 mx ~all
The domain sends no mail at all
v=spf1 -all
The domain allows all IP addresses on the internet to send mail. Though ‘valid’, this is not recommended
v=spf1 +all
Allow any IP address between 192.168.0.1 and 192.168.255.255
v=spf1 ip4:192.168.0.1/16 ~all
The current domain is used
v=spf1 a ~all
Allow mail from specific domain
v=spf1 a:example.com ~all
Tells the receiving server to check the SPF record of _spf.google.com instead of the originating domain
v=spf1 redirect=_spf.google.com
Tells the receiving server to also consider the IP addresses listed in the SPF record of another domain (This is commonly set up with multi-domain organizations)
v=spf1 include:_spf.google.com ~all
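An SPF evaluator covering the mechanisms, qualifiers and the redirect= modifier tabulated above, added here as an example and not part of the original page. It runs against a constructed DNS table instead of live lookups; the record for lab.example.test is the page's ip4:192.168.0.1/16 example, and every other domain, address and record is made up.

```python
import ipaddress

# Constructed DNS data: TXT (SPF), A and MX records needed by the lookups.
DNS = {
    "example.com": {"txt": "v=spf1 mx a:mail.example.com include:_spf.partner.test ~all",
                    "a": ["192.0.2.1"], "mx": ["mx1.example.com"]},
    "mx1.example.com": {"a": ["192.0.2.25"]},
    "mail.example.com": {"a": ["192.0.2.26"]},
    "_spf.partner.test": {"txt": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all"},
    "nomail.example.com": {"txt": "v=spf1 -all"},
    "redirected.test": {"txt": "v=spf1 redirect=example.com"},
    "lab.example.test": {"txt": "v=spf1 ip4:192.168.0.1/16 ~all"},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 cap on DNS-querying terms; exceeding it is permerror


def in_range(ip, spec, default_prefix):
    """ip4:/ip6: argument ('192.168.0.1/16' or a bare address) -> membership."""
    if "/" not in spec:
        spec = f"{spec}/{default_prefix}"
    return ip in ipaddress.ip_network(spec, strict=False)


def host_addrs(name):
    rec = DNS.get(name, {})
    return [ipaddress.ip_address(a) for a in rec.get("a", []) + rec.get("aaaa", [])]


def check_spf(ip, domain, lookups=None):
    """Evaluate domain's SPF record for the sending address ip.
    Returns pass / fail / softfail / neutral / none / permerror."""
    ip = ipaddress.ip_address(ip)
    lookups = lookups if lookups is not None else [0]  # shared across include/redirect
    record = DNS.get(domain, {}).get("txt", "")
    if not record.startswith("v=spf1"):
        return "none"
    redirect = None
    for term in record.split()[1:]:
        if term.startswith("redirect="):
            redirect = term.split("=", 1)[1]   # only applies if nothing matches
            continue
        if term.startswith("exp="):
            continue                           # explanation text, no effect on the result
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip.version == 4 and in_range(ip, arg, 32)
        elif mech == "ip6":
            matched = ip.version == 6 and in_range(ip, arg, 128)
        elif mech in ("a", "mx", "include"):
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
            target = arg or domain
            if mech == "a":
                matched = ip in host_addrs(target)
            elif mech == "mx":
                matched = any(ip in host_addrs(mx) for mx in DNS.get(target, {}).get("mx", []))
            else:
                # include: matches only when the included policy returns pass;
                # any other result just moves on to the next term
                matched = check_spf(ip, target, lookups) == "pass"
        else:
            return "permerror"  # ptr, exists and unknown mechanisms are not modelled here
        if matched:
            return QUALIFIERS[qual]
    if redirect:
        lookups[0] += 1
        if lookups[0] > MAX_LOOKUPS:
            return "permerror"
        return check_spf(ip, redirect, lookups)
    return "neutral"  # no term matched and no redirect: the RFC default


if __name__ == "__main__":
    for sender, domain in (("192.0.2.25", "example.com"), ("198.51.100.7", "example.com"),
                           ("203.0.113.5", "example.com"), ("192.168.200.7", "lab.example.test")):
        print(sender, domain, check_spf(sender, domain))
```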
DomainKeys Identified Mail (DKIM)
DomainKeys Identified Mail (DKIM) is an email authentication protocol that is designed to detect and prevent email spoofing. DKIM works by allowing a domain owner to place a digital signature in the headers of their outbound email messages. The signature is used to verify the authenticity of the email, and it can be used to ensure that the email has not been modified in transit.
To use DKIM, a domain owner must generate a private key and a public key. The private key is used to sign the outbound email messages, and the public key is published in the Domain Name System (DNS) for the domain. When an email is received, the receiving mail server can use the public key to verify the authenticity of the email by checking the digital signature.
In addition to helping prevent email spoofing, DKIM can also help protect against spam and phishing attacks. By requiring email to be authenticated using a digital signature, DKIM can help ensure that only legitimate email is sent from a domain.
DKIM is an important tool for protecting against email fraud and abuse, and it is widely used by email service providers and other organizations to help ensure the security and integrity of email communication.
HTTP Status Codes
HTTP status codes are standardized numerical codes that are used to communicate the status of an HTTP request. HTTP (Hypertext Transfer Protocol) is a protocol for transferring data over the internet, and HTTP status codes are used to indicate the status of a request made using HTTP.
Some of the most commonly used HTTP status codes include:
• 200 OK: The request was successful and the requested information has been transmitted.
• 301 Moved Permanently: The requested resource has been moved to a new URL.
• 400 Bad Request: The request was invalid or could not be understood by the server.
• 401 Unauthorized: The request requires authentication in order to be processed.
• 404 Not Found: The requested resource could not be found.
Status code | Meaning |
---|---|
1xx | Informational |
100 | Continue |
101 | Switching protocols |
102 | Processing |
103 | Early Hints |
2xx | Successful |
200 | OK |
201 | Created |
202 | Accepted |
203 | Non-Authoritative Information |
204 | No Content |
205 | Reset Content |
206 | Partial Content |
207 | Multi-Status |
208 | Already Reported |
226 | IM Used |
3xx | Redirection |
300 | Multiple Choices |
301 | Moved Permanently |
302 | Found |
303 | See Other |
304 | Not Modified |
305 | Use Proxy |
306 | Switch Proxy |
307 | Temporary Redirect |
308 | Permanent Redirect |
4xx | Client Error |
400 | Bad Request |
401 | Unauthorized |
402 | Payment Required |
403 | Forbidden |
404 | Not Found |
405 | Method Not Allowed |
406 | Not Acceptable |
407 | Proxy Authentication Required |
408 | Request Timeout |
409 | Conflict |
410 | Gone |
411 | Length Required |
412 | Precondition Failed |
413 | Payload Too Large |
414 | URI Too Long |
415 | Unsupported Media Type |
416 | Range Not Satisfiable |
417 | Expectation Failed |
418 | I'm a Teapot |
421 | Misdirected Request |
422 | Unprocessable Entity |
423 | Locked |
424 | Failed Dependency |
425 | Too Early |
426 | Upgrade Required |
428 | Precondition Required |
429 | Too Many Requests |
431 | Request Header Fields Too Large |
451 | Unavailable For Legal Reasons |
5xx | Server Error |
500 | Internal Server Error |
501 | Not Implemented |
502 | Bad Gateway |
503 | Service Unavailable |
504 | Gateway Timeout |
505 | HTTP Version Not Supported |
506 | Variant Also Negotiates |
507 | Insufficient Storage |
508 | Loop Detected |
510 | Not Extended |
511 | Network Authentication Required |
598 | Network read timeout error |
599 | Network connect timeout error |
IPv4 Subnet
Subnetting is a way to divide a single network into smaller networks, or subnets, in order to increase security and efficiency.
An IPv4 subnet is identified by a network address and a subnet mask. The network address defines the range of IP addresses that are included in the subnet, and the subnet mask defines which portion of the IP address represents the network and which portion represents the host.
For example, consider the following IP address and subnet mask:
IP address: 192.168.1.100
Subnet mask: 255.255.255.0
The subnet mask of 255.255.255.0 indicates that the first three octets (192.168.1) represent the network portion of the IP address, and the fourth octet (100) represents the host portion. In this case, the subnet would include all IP addresses from 192.168.1.0 to 192.168.1.255.
Prefix size | Network mask | # of IP Addresses | # of Usable IP addresses |
---|---|---|---|
/1 | 128.0.0.0 | 2,147,483,648 | 2,147,483,646 |
/2 | 192.0.0.0 | 1,073,741,824 | 1,073,741,822 |
/3 | 224.0.0.0 | 536,870,912 | 536,870,910 |
/4 | 240.0.0.0 | 268,435,456 | 268,435,454 |
/5 | 248.0.0.0 | 134,217,728 | 134,217,726 |
/6 | 252.0.0.0 | 67,108,864 | 67,108,862 |
/7 | 254.0.0.0 | 33,554,432 | 33,554,430 |
Class A | | | |
/8 | 255.0.0.0 | 16,777,216 | 16,777,214 |
/9 | 255.128.0.0 | 8,388,608 | 8,388,606 |
/10 | 255.192.0.0 | 4,194,304 | 4,194,302 |
/11 | 255.224.0.0 | 2,097,152 | 2,097,150 |
/12 | 255.240.0.0 | 1,048,576 | 1,048,574 |
/13 | 255.248.0.0 | 524,288 | 524,286 |
/14 | 255.252.0.0 | 262,144 | 262,142 |
/15 | 255.254.0.0 | 131,072 | 131,070 |
Class B | | | |
/16 | 255.255.0.0 | 65,536 | 65,534 |
/17 | 255.255.128.0 | 32,768 | 32,766 |
/18 | 255.255.192.0 | 16,384 | 16,382 |
/19 | 255.255.224.0 | 8,192 | 8,190 |
/20 | 255.255.240.0 | 4,096 | 4,094 |
/21 | 255.255.248.0 | 2,048 | 2,046 |
/22 | 255.255.252.0 | 1,024 | 1,022 |
/23 | 255.255.254.0 | 512 | 510 |
Class C | | | |
/24 | 255.255.255.0 | 256 | 254 |
/25 | 255.255.255.128 | 128 | 126 |
/26 | 255.255.255.192 | 64 | 62 |
/27 | 255.255.255.224 | 32 | 30 |
/28 | 255.255.255.240 | 16 | 14 |
/29 | 255.255.255.248 | 8 | 6 |
/30 | 255.255.255.252 | 4 | 2 |
/31 | 255.255.255.254 | 2 | 0 |
/32 | 255.255.255.255 | 1 | 0 |
Private IP addresses
Private IP addresses are IP addresses that are used for communication within a private network, such as a home or corporate network. They are not routed on the Internet and are not reachable from the outside. Private IP addresses are used to identify devices within a private network and to route traffic between devices.
Private IP addresses are often used in conjunction with Network Address Translation (NAT), which allows devices within a private network to communicate with the Internet using a single, shared public IP address. This allows multiple devices to share a single Internet connection and helps to conserve the limited pool of publicly routable IP addresses.
Addresses | Description |
---|---|
10.0.0.0 - 10.255.255.255 | Private IPv4 Addresses |
172.16.0.0 - 172.31.255.255 | Private IPv4 Addresses |
192.168.0.0 - 192.168.255.255 | Private IPv4 Addresses |
127.0.0.0 - 127.255.255.255 | Local Host |
169.254.0.0 - 169.254.255.255 | APIPA |
0.0.0.0/8 | This network |
10.0.0.0/8 | Private IPv4 Address Block |
100.64.0.0/10 | Carrier-grade NAT |
127.0.0.0/8 | Loopback |
127.0.53.53 | Name collision occurrence |
169.254.0.0/16 | Link local |
172.16.0.0/12 | Private IPv4 Address Block |
192.0.0.0/24 | IETF protocol assignments |
192.0.2.0/24 | TEST-NET-1 |
192.168.0.0/16 | Private IPv4 Address Block |
198.18.0.0/15 | Network benchmark testing |
198.51.100.0/24 | TEST-NET-2 |
203.0.113.0/24 | TEST-NET-3 |
224.0.0.0/4 | Multicast |
240.0.0.0/4 | Reserved |
255.255.255.255/32 | Limited broadcast |
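An added example, not from the original page, that serves both the IPv4 Subnet section and the address table above: subnet_info() performs the mask arithmetic behind the 192.168.1.100 / 255.255.255.0 walkthrough (with the usable-host count for /31 and /32 mirroring the table's 0), and classify() checks an address against the special-purpose ranges in the table before a log reader treats it as external. The sample addresses in the usage lines are constructed.

```python
import ipaddress


def dotted_to_int(dotted):
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted}")
    return int.from_bytes(bytes(octets), "big")


def int_to_dotted(n):
    return ".".join(str(b) for b in n.to_bytes(4, "big"))


def subnet_info(ip_str, mask_str):
    """Network, broadcast and host counts from a dotted address and mask,
    using the bit operations a mask actually performs."""
    ip, mask = dotted_to_int(ip_str), dotted_to_int(mask_str)
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous mask: {mask_str}")
    network = ip & mask                          # host bits cleared
    broadcast = network | (~mask & 0xFFFFFFFF)   # host bits set
    total = 1 << (32 - prefix)
    # network and broadcast addresses are reserved; /31 and /32 listed as 0 usable, as in the table
    usable = total - 2 if prefix <= 30 else 0
    return {"prefix": prefix, "network": int_to_dotted(network),
            "broadcast": int_to_dotted(broadcast), "total": total, "usable": usable}


# Special-purpose ranges from the table above. Sorted longest prefix first so
# 127.0.53.53 reports the name-collision entry rather than plain loopback.
SPECIAL = [
    ("0.0.0.0/8", "This network"), ("10.0.0.0/8", "Private"),
    ("100.64.0.0/10", "Carrier-grade NAT"), ("127.0.0.0/8", "Loopback"),
    ("127.0.53.53/32", "Name collision occurrence"), ("169.254.0.0/16", "Link local"),
    ("172.16.0.0/12", "Private"), ("192.0.0.0/24", "IETF protocol assignments"),
    ("192.0.2.0/24", "TEST-NET-1"), ("192.168.0.0/16", "Private"),
    ("198.18.0.0/15", "Network benchmark testing"), ("198.51.100.0/24", "TEST-NET-2"),
    ("203.0.113.0/24", "TEST-NET-3"), ("224.0.0.0/4", "Multicast"),
    ("240.0.0.0/4", "Reserved"), ("255.255.255.255/32", "Limited broadcast"),
]
SPECIAL_NETS = sorted(((ipaddress.ip_network(cidr), desc) for cidr, desc in SPECIAL),
                      key=lambda pair: pair[0].prefixlen, reverse=True)


def classify(ip_str):
    """Description from the table for a special-purpose address, else 'Public'."""
    ip = ipaddress.ip_address(ip_str)
    for net, desc in SPECIAL_NETS:
        if ip in net:
            return desc
    return "Public"


if __name__ == "__main__":
    print(subnet_info("192.168.1.100", "255.255.255.0"))
    for addr in ("127.0.53.53", "100.100.1.1", "172.32.0.1", "8.8.8.8"):
        print(addr, classify(addr))
```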
Private Information
Private information is any data or personal details that are intended to be kept confidential and are not meant to be shared with others without the owner's consent. Private information can include things like a person's name, address, phone number, date of birth, financial information, medical history, and other sensitive data. It is important to protect private information because it can be used for identity theft or other nefarious purposes if it falls into the wrong hands. It is generally recommended to be cautious about sharing private information online or with anyone you do not know or trust.
Types of private information:
PII stands for "Personally Identifiable Information." It is any information that can be used to identify a specific individual, such as their name, address, phone number, date of birth, social security number, or other personal details. PII is considered to be sensitive information because it can be used to locate, contact, or obtain information about an individual. As a result, it is important to protect PII and handle it with care to prevent it from being accessed or used without the owner's consent. There are also legal requirements in place in many countries that regulate the collection, use, and storage of PII, such as the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act (CCPA) in the United States.
PPI stands for "Personally Protected Information". It is a term that is sometimes used to refer to personal data that is considered to be sensitive or confidential, and that requires special protection in order to ensure the privacy and security of individuals. PPI may include information such as a person's name, address, phone number, date of birth, financial information, medical history, and other details that are considered to be private and should not be shared without the owner's consent. It is important to handle PPI with care and to take appropriate measures to protect it from unauthorized access or use. This may include measures such as encrypting data, using secure servers, and implementing other security measures to prevent data breaches or unauthorized access to PPI.
PHI stands for "Protected Health Information." It is any information that relates to a person's health, medical history, or treatment that is collected, used, or disclosed by a healthcare provider, health plan, or other covered entity in the course of providing healthcare services. PHI is considered to be sensitive information because it can reveal intimate details about a person's health and medical history, and it is protected by laws such as the Health Insurance Portability and Accountability Act (HIPAA) in the United States. HIPAA sets strict rules for how PHI can be collected, used, and disclosed, and it requires covered entities to implement appropriate safeguards to protect the privacy and security of PHI. HIPAA also gives individuals certain rights with regard to their PHI, such as the right to access, correct, and request restrictions on the use of their PHI.
PCI stands for "Payment Card Industry." PCI refers to a set of security standards that were developed by the major credit card companies (Visa, Mastercard, American Express, Discover, and JCB) to ensure the secure handling of credit card transactions and protect sensitive financial information. The PCI Data Security Standard (PCI DSS) is a set of requirements that apply to all organizations that accept, process, store, or transmit credit card information. It sets out guidelines for the secure handling of credit card data, including requirements for physical security, network security, access controls, and data protection. The PCI DSS is intended to help reduce the risk of credit card fraud and protect the security of sensitive financial information. Compliance with the PCI DSS is mandatory for all merchants and service providers that accept credit cards as a form of payment.
OSI Model
The OSI (Open Systems Interconnection) model is a framework for understanding how communication occurs between different systems in a network. It is a seven-layer model that represents the different stages of communication, from the physical connection between devices to the application layer where the actual communication takes place.
The OSI model is a useful tool for understanding how communication occurs in a network, and it helps to define the roles and responsibilities of the different layers of a networked system.
Types of Cyber Attacks on Each Layer of the OSI Model:

Layer architecture (Wikipedia)
Layer | Name | Protocol data unit (PDU) | Function |
---|---|---|---|
Host layers | | | |
7 | Application | Data | High-level protocols such as for resource sharing or remote file access, e.g. HTTP. |
6 | Presentation | Data | Translation of data between a networking service and an application; including character encoding, data compression and encryption/decryption |
5 | Session | Data | Managing communication sessions, i.e., continuous exchange of information in the form of multiple back-and-forth transmissions between two nodes |
4 | Transport | Segment, Datagram | Reliable transmission of data segments between points on a network, including segmentation, acknowledgement and multiplexing |
Media layers | | | |
3 | Network | Packet | Structuring and managing a multi-node network, including addressing, routing and traffic control |
2 | Data link | Frame | Transmission of data frames between two nodes connected by a physical layer |
1 | Physical | Bit, Symbol | Transmission and reception of raw bit streams over a physical medium |
NTLM
NTLM (NT LAN Manager) is a Microsoft authentication protocol that is used to provide secure network communication and to authenticate users in a Windows network environment. It is a challenge-response protocol that allows a client to prove its identity to a server, and it is typically used to authenticate users on a Windows domain.
NTLM uses hashed passwords and encrypted challenge-response exchanges to authenticate users, and it can also provide authentication for other protocols such as HTTP, FTP, and SMTP. NTLM is generally considered to be less secure than more modern authentication protocols, such as Kerberos, and it is generally recommended to use these newer protocols whenever possible.
The following examples show how the NTLM flow works.

Kerberos
Kerberos is a network authentication protocol that is designed to provide secure communication over a non-secure network, such as the internet. It is named after the three-headed dog of Greek mythology that guarded the gates of the underworld.
In a Kerberos system, a client authenticates itself to a trusted third-party server known as the Key Distribution Center (KDC). The KDC issues a ticket-granting ticket (TGT) to the client, which the client can then use to request access to other resources on the network. These requests are made using service tickets, which are issued by the KDC and contain a cryptographic key that can be used to securely access the desired resource.
Kerberos is widely used in Windows and Linux operating systems, as well as in other networked systems such as Apache and OpenVPN. It is generally considered to be more secure than other authentication protocols, such as NTLM, because it uses strong encryption and does not transmit plaintext passwords over the network.

Kerberos Error Codes
Windows event log entries often contain Kerberos failure codes.
Result code | Kerberos RFC description | Notes on common failure codes |
---|---|---|
0x0 | No error | |
0x1 | Client's entry in database has expired | |
0x2 | Server's entry in database has expired | |
0x3 | Requested protocol version # not supported | |
0x4 | Client's key encrypted in old master key | |
0x5 | Server's key encrypted in old master key | |
0x6 | Client not found in Kerberos database | Bad user name, or new computer/user account has not replicated to DC yet |
0x7 | Server not found in Kerberos database | New computer account has not replicated yet or computer is pre-w2k |
0x8 | Multiple principal entries in database | |
0x9 | The client or server has a null key | administrator should reset the password on the account |
0xA | Ticket not eligible for postdating | |
0xB | Requested start time is later than end time | |
0xC | KDC policy rejects request | Workstation restriction |
0xD | KDC cannot accommodate requested option | |
0xE | KDC has no support for encryption type | |
0xF | KDC has no support for checksum type | |
0x10 | KDC has no support for padata type | |
0x11 | KDC has no support for transited type | |
0x12 | Clients credentials have been revoked | Account disabled, expired, locked out, logon hours. |
0x13 | Credentials for server have been revoked | |
0x14 | TGT has been revoked | |
0x15 | Client not yet valid - try again later | |
0x16 | Server not yet valid - try again later | |
0x17 | Password has expired | The user’s password has expired. |
0x18 | Pre-authentication information was invalid | Usually means bad password |
0x19 | Additional pre-authentication required* | |
0x1F | Integrity check on decrypted field failed | |
0x20 | Ticket expired | Frequently logged by computer accounts |
0x21 | Ticket not yet valid | |
0x22 | Request is a replay | |
0x23 | The ticket isn't for us | |
0x24 | Ticket and authenticator don't match | |
0x25 | Clock skew too great | Workstation’s clock too far out of sync with the DC’s |
0x26 | Incorrect net address | IP address change? |
0x27 | Protocol version mismatch | |
0x28 | Invalid msg type | |
0x29 | Message stream modified | |
0x2A | Message out of order | |
0x2C | Specified version of key is not available | |
0x2D | Service key not available | |
0x2E | Mutual authentication failed | may be a memory allocation failure |
0x2F | Incorrect message direction | |
0x30 | Alternative authentication method required* | |
0x31 | Incorrect sequence number in message | |
0x32 | Inappropriate type of checksum in message | |
0x3C | Generic error (description in e-text) | |
0x3D | Field is too long for this implementation | |
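An added example, not from the original page, of putting the table above to work in log triage: it maps failure codes onto their descriptions and notes, and it flags the one pattern that needs a human, a single client address failing pre-authentication (0x18) across many distinct accounts. The log layout is a constructed key=value form carrying the fields of a Kerberos failure event, not the exact Windows event text; accounts and addresses are made up.

```python
import re
from collections import Counter, defaultdict

# Subset of the table above: code -> (RFC description, triage note)
KRB_CODES = {
    "0x6":  ("Client not found in Kerberos database", "bad user name or account not yet replicated"),
    "0x12": ("Clients credentials have been revoked", "disabled, expired, locked out or logon hours"),
    "0x17": ("Password has expired", "user must change password"),
    "0x18": ("Pre-authentication information was invalid", "usually a bad password"),
    "0x20": ("Ticket expired", "frequently logged by computer accounts"),
    "0x25": ("Clock skew too great", "workstation clock too far from the DC's"),
}

# Constructed sample log (simplified layout, not the real Windows event text)
SAMPLE_LOG = """\
2024-05-01T08:00:01Z EventID=4771 Account=jsmith ClientAddress=10.0.0.5 FailureCode=0x18
2024-05-01T08:00:02Z EventID=4771 Account=kchan ClientAddress=10.0.0.5 FailureCode=0x18
2024-05-01T08:00:03Z EventID=4771 Account=admin ClientAddress=10.0.0.5 FailureCode=0x18
2024-05-01T08:00:04Z EventID=4771 Account=svc_backup ClientAddress=10.0.0.5 FailureCode=0x18
2024-05-01T08:00:05Z EventID=4771 Account=rlee ClientAddress=10.0.0.5 FailureCode=0x18
2024-05-01T08:00:06Z EventID=4771 Account=jsmith ClientAddress=10.0.0.9 FailureCode=0x18
2024-05-01T08:00:07Z EventID=4771 Account=jsmith ClientAddress=10.0.0.9 FailureCode=0x18
2024-05-01T08:01:00Z EventID=4768 Account=PC42$ ClientAddress=10.0.0.42 FailureCode=0x25
2024-05-01T08:02:00Z EventID=4768 Account=ghost ClientAddress=10.0.0.7 FailureCode=0x6
"""

LINE_RE = re.compile(
    r"EventID=(?P<eid>\d+) Account=(?P<account>\S+) "
    r"ClientAddress=(?P<client>\S+) FailureCode=(?P<code>0x[0-9A-Fa-f]+)")


def normalise_code(code):
    """'0x018' and '0x18' are the same entry; use the table's spelling."""
    return "0x" + (code[2:].upper().lstrip("0") or "0")


def parse_log(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            e = m.groupdict()
            e["code"] = normalise_code(e["code"])
            events.append(e)
    return events


def describe(code):
    desc, note = KRB_CODES.get(code, ("not in this table", "consult the full list"))
    return f"{code}: {desc} ({note})"


def count_by_code(events):
    return Counter(e["code"] for e in events)


def spray_candidates(events, min_accounts=3):
    """One client address collecting 0x18 (bad password) against many distinct
    accounts is the footprint of password spraying; a single user mistyping
    their own password repeatedly stays below the threshold."""
    accounts_by_client = defaultdict(set)
    for e in events:
        if e["code"] == "0x18":
            accounts_by_client[e["client"]].add(e["account"])
    return {c: sorted(a) for c, a in accounts_by_client.items() if len(a) >= min_accounts}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for code, n in count_by_code(evs).most_common():
        print(n, describe(code))
    print("review:", spray_candidates(evs))
```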
TCP vs UDP
Computer Networking Basics
The Internet is a network of connected devices. Each device, whether it's your smartphone or a server, communicates through the internet protocol suite. The internet protocol suite is a collection of different protocols, or methods, for devices to communicate with each other. Both TCP and UDP are major protocols within the internet protocol suite:

TCP: connection oriented, header file: 20 bytes, speed is less than UDP, used in high reliability services. TCP is heavy-weight. Require three packets to set up a socket connection (Three way handshake: SYN- Synchronize, SYN-ACK, ACK). TCP handles reliability and congestion control, have Acknowledgement segments.
UDP: connectionless oriented, header file: 8 bytes, more speed than TCP, used in real-time services, UDP is lightweight. There is no ordering message, no tracking connection, UDP does not have an option for flow control (Does not have three way handshake), No Acknowledge.
PARAMETER | TCP | UDP |
---|---|---|
Full Form | Transmission Control Protocol | User Datagram Protocol or Universal Datagram Protocol |
Connection | TCP is a connection-oriented protocol. | UDP is a connectionless protocol. |
Half-Closed connection | TCP allows half closed connections | Not applicable for UDP protocol |
Function | Tracks a message as it makes its way across the internet from one computer to another; this is connection based. | UDP is also a protocol used in message transport or transfer. It is not connection based, which means that one program can send a load of packets to another and that would be the end of the relationship. |
Usage | TCP is suited for applications that require high reliability, and transmission time is relatively less critical. | UDP is suitable for applications that need fast, efficient transmission, such as games. UDP's stateless nature is also useful for servers that answer small queries from huge numbers of clients. |
Use by other protocols | HTTP, HTTPs, FTP, SMTP, Telnet, SSH | DNS, DHCP, TFTP, SNMP, RIP, VOIP, IPTV |
Multiplexing & Demultiplexing | Using TCP port number | Using UDP port numbers |
Ordering of data packets | TCP rearranges data packets in the order specified. | UDP has no inherent order as all packets are independent of each other. If ordering is required, it has to be managed by the application layer. |
Speed of transfer | The speed for TCP is slower than UDP. | UDP is faster because error recovery is not attempted. It is a "best effort" protocol. |
Reliability | There is an absolute guarantee that the data transferred remains intact and arrives in the same order in which it was sent. | There is no guarantee that the messages or packets sent will arrive at all. |
Header Size | TCP header size is 20 bytes | UDP Header size is 8 bytes |
Common Header Fields | Source port, Destination port, Check Sum | Source port, Destination port, Check Sum |
Streaming of data | Data is read as a byte stream, no distinguishing indications are transmitted to signal message (segment) boundaries. | Packets are sent individually and are checked for integrity only if they arrive. Packets have definite boundaries which are honoured upon receipt, meaning a read operation at the receiver socket will yield an entire message as it was originally sent. |
Weight | TCP is heavy-weight. TCP requires three packets to set up a socket connection, before any user data can be sent. TCP handles reliability and congestion control. | UDP is lightweight. There is no ordering of messages, no tracking connections, etc. It is a small transport layer designed on top of IP. |
Data Flow Control | TCP does Flow Control. TCP requires three packets to set up a socket connection, before any user data can be sent. TCP handles reliability and congestion control. | UDP does not have an option for flow control |
Error Checking | TCP does error checking and error recovery. Erroneous packets are retransmitted from the source to the destination. | UDP does error checking but simply discards erroneous packets. Error recovery is not attempted. |
Fields | 1. Sequence Number 2. ACK number 3. Data offset 4. Reserved 5. Control bit 6. Window 7. Urgent Pointer 8. Options 9. Padding 10. Checksum 11. Source port 12. Destination port | 1. Length 2. Source port 3. Destination port 4. Checksum |
Acknowledgement | Acknowledgement segments | No Acknowledgment |
Handshake | SYN, SYN-ACK, ACK | No handshake (connectionless protocol) |
A three-way handshake
A three-way handshake is a method used in a TCP/IP network to create a connection between a local host/client and server.
A three-way handshake is also known as a TCP handshake or SYN-SYN-ACK, which requires both the client and server to exchange SYN (synchronization) and ACK (acknowledgment) packets before actual data communication begins.

Step 1: The client node sends a SYN packet to the server to request a connection
Step 2: The server receives the SYN packet from the client node and replies with a SYN/ACK packet
Step 3: The client node receives the SYN/ACK from the server and responds with an ACK packet
For UDP, no three-way handshake is necessary before transmitting data to the intended recipient. So, all or some of the data might arrive — and it may (or may not) arrive in the order as intended. As such, it’s often described as a “best effort.”
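The header fields from the table and the SYN / SYN-ACK / ACK sequence, as an added example that is not part of the original page: it decodes the 20-byte TCP and 8-byte UDP headers and checks that three constructed segments form a valid handshake (the port numbers, sequence numbers and sample packets are all constructed here).

```python
"""Added example: parse the fixed TCP (20-byte) and UDP (8-byte) headers and
recognise the SYN / SYN-ACK / ACK handshake. All packets are constructed inline;
nothing touches the network."""
import struct
from dataclasses import dataclass
from typing import List, Sequence

# TCP control bits (the "Control bit" field in the table)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = [("FIN", FIN), ("SYN", SYN), ("RST", RST), ("PSH", PSH), ("ACK", ACK), ("URG", URG)]

# src port, dst port, seq, ack, data offset/reserved, flags, window, checksum, urgent pointer
TCP_HDR = struct.Struct("!HHIIBBHHH")   # 20 bytes when Data offset == 5
UDP_HDR = struct.Struct("!HHHH")        # src port, dst port, length, checksum (8 bytes)


@dataclass
class TcpHeader:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    data_offset: int     # header length in 32-bit words (5 = 20 bytes, no options)
    flags: int
    window: int
    checksum: int
    urgent: int
    options: bytes


@dataclass
class UdpHeader:
    src_port: int
    dst_port: int
    length: int
    checksum: int


def parse_tcp(segment: bytes) -> TcpHeader:
    """Decode the 20-byte fixed header plus any options indicated by Data offset."""
    if len(segment) < TCP_HDR.size:
        raise ValueError("TCP header needs at least 20 bytes")
    src, dst, seq, ack, off_res, flags, win, csum, urg = TCP_HDR.unpack_from(segment)
    data_offset = off_res >> 4                     # high nibble; low nibble is Reserved
    if data_offset < 5 or data_offset * 4 > len(segment):
        raise ValueError("Data offset inconsistent with segment length")
    options = segment[TCP_HDR.size:data_offset * 4]
    # mask keeps the six classic control bits and drops the ECN bits (CWR/ECE)
    return TcpHeader(src, dst, seq, ack, data_offset, flags & 0x3F, win, csum, urg, options)


def parse_udp(datagram: bytes) -> UdpHeader:
    """Decode the 8-byte header; Length covers header plus payload."""
    if len(datagram) < UDP_HDR.size:
        raise ValueError("UDP header needs 8 bytes")
    src, dst, length, csum = UDP_HDR.unpack_from(datagram)
    if length != len(datagram):
        raise ValueError("UDP Length field does not match datagram size")
    return UdpHeader(src, dst, length, csum)


def flag_names(flags: int) -> List[str]:
    return [name for name, bit in FLAG_NAMES if flags & bit]


def is_three_way_handshake(segments: Sequence[bytes]) -> bool:
    """True for exactly SYN, SYN-ACK, ACK with the seq/ack numbers chained together."""
    if len(segments) != 3:
        return False
    syn, synack, ack = (parse_tcp(s) for s in segments)
    return (syn.flags == SYN
            and synack.flags == SYN | ACK and synack.ack == syn.seq + 1
            and ack.flags == ACK and ack.seq == syn.seq + 1 and ack.ack == synack.seq + 1
            and (syn.src_port, syn.dst_port) == (synack.dst_port, synack.src_port))


def make_tcp(src: int, dst: int, seq: int, ack: int, flags: int,
             window: int = 65535, options: bytes = b"") -> bytes:
    """Build a constructed segment; checksum stays 0 because no IP pseudo-header exists here."""
    if len(options) % 4:
        raise ValueError("options must be padded to a multiple of 4 bytes")
    data_offset = 5 + len(options) // 4
    return TCP_HDR.pack(src, dst, seq, ack, data_offset << 4, flags, window, 0, 0) + options


# Constructed handshake: client port 40000 -> server port 443
HANDSHAKE = [
    make_tcp(40000, 443, 1000, 0, SYN),
    make_tcp(443, 40000, 5000, 1001, SYN | ACK),
    make_tcp(40000, 443, 1001, 5001, ACK),
]
# Constructed UDP datagram to port 53 carrying a 12-byte placeholder payload
_payload = b"\x00" * 12
SAMPLE_UDP = UDP_HDR.pack(50000, 53, UDP_HDR.size + len(_payload), 0) + _payload

if __name__ == "__main__":
    for seg in HANDSHAKE:
        h = parse_tcp(seg)
        print(f"{h.src_port}->{h.dst_port} seq={h.seq} ack={h.ack} {'-'.join(flag_names(h.flags))}")
    print("valid three-way handshake:", is_three_way_handshake(HANDSHAKE))
    print("UDP:", parse_udp(SAMPLE_UDP))
```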
When does DNS use TCP?
DNS uses TCP port 53 for zone transfers (to keep zone data consistent across DNS servers) and UDP port 53 for name queries, both forward (regular) and reverse lookups. UDP is used to exchange small amounts of information, whereas TCP must be used when the information exchanged is larger than 512 bytes.
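The transport choice described above, as an added example (not code from the original page): a DNS query is built in wire format, ordinary lookups go over UDP when they fit in 512 bytes, zone transfers (AXFR) and oversized messages go over TCP with the 2-byte length prefix TCP DNS uses, and a response's TC (truncated) flag is read so a client knows to retry over TCP. The transaction ID, domain name and response header are constructed values.

```python
"""Added example: build DNS queries and pick UDP or TCP as the text describes.
Messages are constructed inline; nothing is sent on the network."""
import struct

DNS_UDP_MAX = 512                       # classic UDP payload limit (no EDNS)
QTYPE_A, QTYPE_PTR, QTYPE_AXFR = 1, 12, 252
FLAG_QR, FLAG_TC, FLAG_RD = 0x8000, 0x0200, 0x0100


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return bytes(out) + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0x1234) -> bytes:
    """12-byte header (one question, recursion desired) followed by the question."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)   # class IN


def reverse_name(ipv4: str) -> str:
    """Name used for a reverse (PTR) lookup of an IPv4 address."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa"


def choose_transport(msg: bytes, qtype: int) -> str:
    """Zone transfers always use TCP; everything else uses UDP while it fits in 512 bytes."""
    if qtype == QTYPE_AXFR:
        return "tcp"
    return "udp" if len(msg) <= DNS_UDP_MAX else "tcp"


def frame_for_tcp(msg: bytes) -> bytes:
    """Over TCP each DNS message is prefixed with its length as a 2-byte big-endian integer."""
    return struct.pack("!H", len(msg)) + msg


def unframe_from_tcp(stream: bytes) -> bytes:
    (length,) = struct.unpack_from("!H", stream, 0)
    if len(stream) < 2 + length:
        raise ValueError("short TCP DNS message")
    return stream[2:2 + length]


def is_truncated(response: bytes) -> bool:
    """TC bit set means the answer did not fit in the UDP message; the client should retry over TCP."""
    flags = struct.unpack_from("!H", response, 2)[0]
    return bool(flags & FLAG_TC)


# Constructed response header with QR and TC set (a truncated UDP answer)
TRUNCATED_RESPONSE = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_TC, 1, 0, 0, 0)

if __name__ == "__main__":
    q = build_query("example.com")
    print(len(q), "bytes ->", choose_transport(q, QTYPE_A))
    axfr = build_query("example.com", QTYPE_AXFR)
    print("AXFR ->", choose_transport(axfr, QTYPE_AXFR), "framed:", frame_for_tcp(axfr)[:2].hex())
    print("PTR name for 8.8.4.4:", reverse_name("8.8.4.4"))
    print("retry over TCP?", is_truncated(TRUNCATED_RESPONSE))
```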
Types of Malware
Malware is short for "malicious software," and it refers to any software that is designed to harm or exploit a computer system. Malware can take many forms, including viruses, worms, trojan horses, ransomware, spyware, and adware.
Malware can be spread through a variety of means, including email attachments, infected websites, malicious software downloads, and infected removable media such as USB drives. Once it is installed on a computer, malware can perform a variety of malicious actions, such as deleting files, stealing sensitive information, corrupting data, and using the infected computer to attack other systems.
Type | Description | Real-World Example |
---|---|---|
Ransomware | Disables victim's access to data until ransom is paid | RYUK |
Fileless Malware | Makes changes to files that are native to the OS | Astaroth |
Spyware | Collects user activity data without their knowledge | DarkHotel |
Adware | Serves unwanted advertisements | Fireball |
Trojans | Disguises itself as desirable code | Emotet |
Worms | Spreads through a network by replicating itself | Stuxnet |
Virus | Unlike worms, which are self-contained, viruses need to infect another program in order to operate. | ILOVEYOU |
Rootkits | Gives hackers remote control of a victim's device | Zacinlo |
Keyloggers | Monitors users' keystrokes | Olympic Vision |
Bots | Launches a broad flood of attacks | Echobot |
Mobile Malware | Infects mobile devices | Triada |
Exploits | An exploit is a piece of software or data that opportunistically uses a defect in an operating system or an app to provide access to unauthorized actors. | zero-day (0day) |
Scareware | Scareware tricks users into believing their computer is infected with a virus. Typically, a user will see scareware as a pop-up warning them that their system is infected. | spysheriff |
Malvertising | Injects malicious code within digital ads. Difficult to detect by both internet users and publishers, these infected ads are usually served to consumers through legitimate advertising networks. | Angler |
Polymorphic Virus | Type of malware that is programmed to repeatedly mutate its appearance or signature files through new decryption routines. | Storm Worm |
Utilities
Clear Network Cache
This will clear your DNS cache on Windows, release your IP address, and renew it.
ipconfig /flushdns
ipconfig /release
ipconfig /renew
Regex Cheat Sheet
Regex (short for "Regular Expression") is a special syntax or notation used to match patterns of characters in text. Regular expressions are often used in text processing and data manipulation tasks, such as search and replace operations, data validation, and data scraping.
A regular expression is a sequence of characters that defines a search pattern. It can be used to search for and match specific patterns in text, or to extract specific pieces of information from a larger body of text.
A quick reference guide for regular expressions (regex)
Expression | Description | Example |
---|---|---|
^ | Matches the beginning of a line | This is a string |
$ | Matches the end of a line | This is a string |
+ | Matches the preceding character one or more times | This is a string |
. | Wildcard, matches any single character | This is a string |
* | Matches the preceding character zero or more times (so .* matches everything) | This is a string |
\| | Matches either (OR) | This is a string |
? | Optional quantifier (matches the preceding character zero or one time) | http://owlify.xyz https://owlify.xyz |
\s | Matches any space, tab or newline character | This is a string |
\S+ | Matches anything other than whitespace | This is a string |
\d | Matches any digit 0-9 | This is 1 string |
\D+ | Matches anything other than digits | This is 1 string |
\w+ | Matches any alphanumeric or underscore character [a-zA-Z0-9_] | This is a string |
\W+ | Matches anything that is not alphanumeric or underscore | This is #1 string! |
\b | Word boundary (matches at the beginning or end of a word) | This is a string |
(...) | Capture group (matches everything enclosed and remembers it) | https://owlify.xyz/test |
(?:...) | Non-capture group (matches everything enclosed without remembering it) | https://owlify.xyz/test |
[x] | Character classes/sets (matches one character from a set or range) | This is 123 string |
{x} | Matches the preceding element exactly x times, where x is a number | T123456123456 654321 1234 d1a3acabd159ce5ec13af46a1cb30816 |
{x,y} | Matches the preceding element between x and y times | 1234512345abcdefg |
(?=) | Positive lookahead | This is a string |
(?<=) | Positive lookbehind | This is a string |
(?<=x).*(?=y) | Match all characters between two strings | This is a string |
(?!) | Negative lookahead | aa ab ac ad ae af ag |
(?<!) | Negative lookbehind | debt cab bar back bad |
Useful Linux Commands

Useful Linux command-line utilities


Useful Windows Commands

Useful Windows command-line utilities
FINDSTR
findstr is a built-in tool of the Windows operating system that you may run from the command line to find text in files or in command-line outputs.
Parameters | Description |
---|---|
/B | Matches pattern if at the beginning of a line |
/E | Matches pattern if at the end of a line |
/L | Uses search strings literally |
/R | Uses search strings as regular expressions |
/S | Searches for matching files in the current directory and all subdirectories |
/I | Specifies that the search is not to be case-sensitive |
/X | Prints lines that match exactly |
/V | Prints only lines that do not contain a match |
/N | Prints the line number before each line that matches |
/M | Prints only the filename if a file contains a match |
/O | Prints character offset before each matching line |
/P | Skip files with non-printable characters |
/F:file | Reads file list from the specified file |
/C:string | Uses specified string as a literal search string |
/G:file | Gets search strings from the specified file |
/D:dir | Search a semicolon delimited list of directories |
strings | Text to be searched for |
[drive:][path]filename | Specifies a file or files to search |
For example:
netstat | findstr "8.8.4.4"
findstr /c:"windows 10" file.txt -- Searches the document file.txt for the string "windows 10"
findstr "windows" c:\documents\*.* -- Searches any file under c:\documents for the string "windows"
findstr /s /i Windows *.* -- Searches every file in the current directory and all subdirectories for the word Windows ignoring letter case
findstr /g:criteria.txt /f:filelist.txt > results.out -- Uses the search strings in criteria.txt to search the files listed in filelist.txt and writes the matching lines to results.out
findstr /g:"test.txt" "test2.txt" -- Prints the lines of test2.txt that contain any of the strings listed in test.txt (a quick way to find what two files have in common)
Vim text editor

Threat Hunt
Default Windows Processes
Knowing what’s normal on a Windows host helps cut through the noise to quickly locate potential malware. Use the information below as a reference to know what’s normal in Windows and to focus your attention on the outliers.
When searching for malicious processes, look for any of these anomalous characteristics:
• Started with the wrong parent process
• Image executable is located in the wrong path
• Misspelled processes
• Processes that are running under the wrong account (incorrect SID)
• Processes with unusual start times (i.e., starts minutes or hours after boot when it should be within seconds of boot)
• Unusual command-line arguments
• Packed executables
Process view on a Windows 10 machine
Process | Process name | Description |
---|---|---|
Alg.exe | Application Layer Gateway Service | This process is used for Internet connection sharing (ICS) and firewall. If you end this program using the Task Manager, you will lose all Internet connectivity until your next system restart or login. |
Audiodg.exe | Windows Audio Device Graph Isolation | This process is the audio component for Windows Vista/7/8/10. Running it in its own process prevents other software applications from modifying or changing any audio content or plug-in enhancements. |
Csrss.exe | Client Server Runtime Process | The csrss.exe process is an important part of the Windows operating system. This file is responsible for console windows and the shutdown process, which are critical functions in Windows. Csrss is also responsible for creating and/or deleting threads and for implementing some portions of the 16-bit virtual MS-DOS environment. |
Ctfmon.exe | Alternative User Input Text Input Processor for Office | Ctfmon.exe controls Alternative User Input and the Office Language bar. It monitors active windows and provides text input service support for speech recognition, handwriting recognition, keyboard translation, and other alternate user input forms. In fact, this file is how you can control the computer via speech or a pen tablet, or using the on-screen keyboard inputs for Asian languages. |
Dllhost.exe | DCOM DLL host process | Dllhost.exe is a host for DLL files and binary executables. The COM+ hosting process controls processes in Internet Information Services (IIS) and is used by many programs. There can be multiple instances of the DLLhost.exe process running. Dllhost.exe is typically safe as long as the computer is up to date on all security patches and a reliable antivirus is installed. |
Dwm.exe | Microsoft Desktop Window Manager | Dwm.exe is a compositing window manager that renders all those pretty effects in Windows: transparent windows, live taskbar thumbnails, and even high resolution monitor support. In other words, dwm is responsible for the graphical effects such as live window previews and a glass-like frame around windows (Aero Glass or Windows Aero), without draining the CPU. |
Explorer.exe | Windows Explorer | This is the user shell, which we see as the familiar taskbar, desktop, file manager and other user interface features. Explorer.exe is a Windows process that is run automatically at startup and remains an active process. This Graphical Shell component is responsible for displaying a user-friendly interface that allows access, copy, delete, cut, and perform other actions with files located on the system, as well as connected networks. |
LogonUI.exe | Windows Logon User Interface | Logonui.exe is a legitimate file that is used for facilitating user login into a PC. LogonUI.exe implements the graphical user interface shown when a user is asked to log in to the local machine. |
Lsass.exe | Local security authentication server | Lsass.exe is the Local Security Authority Subsystem Service. It has the file description LSA shell. This file verifies the validity of user logons to your PC or server. Lsass generates the process responsible for authenticating users for the Winlogon service. So, Lsass.exe is a crucial component of Microsoft Windows security policies, domain authentication, and Active Directory management on the computer. |
Lsm.exe | Local Session Manager Service | LSM is the Local Session Manager Service in Microsoft Windows. The purpose of the genuine lsm.exe process is to manage all connections related to a server. Lsm.exe is considered a section of core Windows functionality. This key process is issued by default on Windows 7, Windows 8 and Windows 10. |
msdt.exe | Microsoft Diagnostic Troubleshooting Wizard | msdt.exe is the executable of the Diagnostics Troubleshooting Wizard, which ships with the Microsoft Windows operating system. The Microsoft Support Diagnostic Tool (MSDT) collects information to send to Microsoft Support, which then analyzes this information and uses it to determine the resolution to any problems that you may be experiencing on your computer. |
Rundll32.exe | Run a DLL as an App | This program is part of Windows, and is used to run program code in DLL files as if they were within the actual program. Since there’s no way to directly launch a DLL file, the rundll32.exe application is simply used to launch functionality stored in shared .dll files. This file is also commonly used by spyware to launch its own malicious code. |
RuntimeBroker.exe | Runtime Broker | Runtime Broker is a Windows process in Task Manager that helps manage permissions on your PC for apps from Microsoft Store. |
Services.exe | Services and Controller app | This is the Services Control Manager, which is responsible for running, ending, and interacting with system services. Use this program to start services, stop them, or change their default from automatic to manual startup. This process also deals with the automatic starting of services during the computer's boot-up and the stopping of services during shut-down. This program should not be terminated because it is a system process that is needed for your PC to work properly. |
Smss.exe | Session Manager Subsystem | This is the session manager subsystem, which is responsible for starting the user session. This process is initiated by the main system thread and is responsible for various activities, including launching the Winlogon and Win32 (Csrss.exe) processes, and setting system variables. After it has launched these processes, it waits for either Winlogon or Csrss to end. If this happens normally, the system shuts down; if it happens unexpectedly, Smss.exe causes the system to stop responding (hang). |
Spoolsv.exe | Print+Fax Spooler | The spooler service is responsible for managing spooled print/fax jobs. Spooling allows you to print in the background without your computer being tied up. Spoolsv.exe is an executable file that runs the Print Spooler Service, a process that caches printing jobs into system memory as images. When you print something, the print job is sent to the print spooler, which is responsible for handing it off to the printer. This process should normally not use many of your computer’s resources but this process sometimes takes a huge amount of system resources as processing different file formats into an image suitable for printing often takes time and a lot of memory. |
Svchost.exe | Service Host | This file is an integral part of the Windows OS. It cannot be stopped or restarted manually. Windows uses svchost.exe to launch the DLLs (dynamic-link libraries) that help Windows processes run efficiently. This process manages system services (like Automatic Updates, Windows Firewall, Plug and Play, Windows Themes and many more) that run from .dll files. At startup, Svchost.exe checks the services portion of the registry and constructs a list of services that it needs to load. Under normal conditions, multiple instances of Svchost.exe will be running simultaneously. If this process uses a lot of CPU, it is mostly because the "Automatic Updates" service is downloading a new Windows update. Of course, 99% or 100% CPU usage by this process could also be caused by downloads from hidden malware on your computer. |
System | System process | The "System" process hosts the NT kernel and kernel-mode drivers of all kinds (network, disk, USB) and is responsible for system memory and, on Windows 10, compressed memory; its threads run on every processor. Its code is loaded from the kernel image on disk into main memory (RAM) when the Windows OS starts. On Windows 10 it has the additional task of compressing old pages of memory so that more free memory is available. Processes that merely resemble the System process (for example a user-mode "[system process]" image) originate from software installed on the system. The separate "System Idle Process" accounts for processor time in which no other thread is running. |
taskhostw.exe | Task Host for Windows | Taskhostw.exe is a Windows operating system file. The main function of taskhostw.exe is to start the Windows Services based on DLLs whenever the computer boots up. It is a host for processes that are responsible for executing a DLL rather than an Exe or Executable file. |
Userinit.exe | Userinit Logon Application file | The userinit.exe is a program that is launched directly after a user logs into Windows. This program restores your profile, fonts, colors, etc for your username. This startup is a required and important system file for Windows. |
Winlogon.exe | Windows Logon Application | The winlogon.exe process is a critical part of the Windows operating system. This process runs in the background. Winlogon is a part of the Windows Login subsystem, and is necessary for user authorization and Windows activation checks. When you sign in, the winlogon.exe process is responsible for loading your user profile into the registry. This allows programs to use the keys under HKEY_CURRENT_USER, which are different for each Windows user account. The Windows Logon also is responsible for locking your PC and starting screen savers after a period of inactivity. |
wininit.exe | Windows Initialization | WinInit.exe is a Windows system process that is started during the system startup phase by another process, smss.exe. Wininit itself runs processes like services.exe to start services, lsass.exe, lsm.exe, winlogon.exe - in other words, other system processes that prepare the system for operation and login. |
Winmgmt.exe | Windows Management Instrumentation (WMI) | Winmgmt.exe is a core component of client management in Windows that provides management information and control in an enterprise environment. The WMI service automatically starts when the first management application or script requests connection to a WMI namespace. Winmgmt is the WMI service within the SVCHOST process running under the “LocalSystem” account. Administrators can employ WMI to query and set information on desktop systems, applications, networks and other enterprise components. |
Wmiprvse.exe | Windows Management Instrumentation | The wmiprvse.exe process is the WMI Provider host. It’s a part of what’s known as the Windows Management Instrumentation (WMI) component within Microsoft Windows that provides management information and control in an enterprise environment. In other words, the WMI Provider Host process allows other applications on your computer to request information about your system. The wmiprvse.exe process runs alongside the WMI core process, WinMgmt.exe. Multiple instances of Wmiprvse.exe can run at the same time under different accounts: LocalSystem, NetworkService or LocalService. The WMI core WinMgmt.exe is loaded into the shared Local Service host named Svchost.exe. |
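The anomaly checks listed above (wrong parent, wrong image path, wrong account, misspelled process name) applied to a process listing, as an added example that is not part of the original page. The baseline is a condensed, assumed subset of the table (parent/path/account for the core system processes), and the process list it runs over is constructed.

```python
"""Added example: flag processes that deviate from a baseline of default Windows
processes. Baseline and sample process list are assumed/constructed for illustration."""
import difflib
from dataclasses import dataclass
from typing import Dict, List, Optional

SYS32 = r"c:\windows\system32"
SYSTEM = "NT AUTHORITY\\SYSTEM"
SERVICE_ACCOUNTS = {SYSTEM, "NT AUTHORITY\\NETWORK SERVICE", "NT AUTHORITY\\LOCAL SERVICE"}

# name -> (allowed parents, expected directory, allowed accounts); None means "not checked"
BASELINE = {
    "smss.exe":     ({"system"}, SYS32, {SYSTEM}),
    "csrss.exe":    ({"smss.exe"}, SYS32, {SYSTEM}),
    "wininit.exe":  ({"smss.exe"}, SYS32, {SYSTEM}),
    "winlogon.exe": ({"smss.exe"}, SYS32, {SYSTEM}),
    "services.exe": ({"wininit.exe"}, SYS32, {SYSTEM}),
    "lsass.exe":    ({"wininit.exe"}, SYS32, {SYSTEM}),
    "svchost.exe":  ({"services.exe"}, SYS32, SERVICE_ACCOUNTS),
    "explorer.exe": (None, r"c:\windows", None),      # runs as the logged-on user
}


@dataclass
class Proc:
    pid: int
    name: str
    parent_name: Optional[str]
    path: str
    account: str


def lookalike(name: str) -> Optional[str]:
    """Baseline name this one closely resembles when it is not an exact match (e.g. svch0st.exe)."""
    if name in BASELINE:
        return None
    matches = difflib.get_close_matches(name, list(BASELINE), n=1, cutoff=0.8)
    return matches[0] if matches else None


def check(proc: Proc) -> List[str]:
    """Return a list of anomalies for one process; an empty list means it matches the baseline."""
    name = proc.name.lower()
    like = lookalike(name)
    if like:
        return [f"name resembles {like}: possible misspelled/masquerading process"]
    if name not in BASELINE:
        return []                                    # not a baselined system process
    parents, directory, accounts = BASELINE[name]
    findings: List[str] = []
    if parents is not None and (proc.parent_name or "").lower() not in parents:
        findings.append(f"unexpected parent {proc.parent_name!r}, expected one of {sorted(parents)}")
    actual_dir = proc.path.lower().rsplit("\\", 1)[0] if "\\" in proc.path else ""
    if actual_dir != directory:
        findings.append(f"image path {proc.path!r} is outside {directory}")
    if accounts is not None and proc.account.upper() not in {a.upper() for a in accounts}:
        findings.append(f"running as {proc.account!r}, expected a service account")
    return findings


def hunt(procs: List[Proc]) -> Dict[int, List[str]]:
    """Map pid -> findings for every process that shows at least one anomaly."""
    return {p.pid: f for p in procs if (f := check(p))}


# Constructed listing: six normal processes plus two planted anomalies
SAMPLE_PROCS = [
    Proc(320, "smss.exe", "System", r"C:\Windows\System32\smss.exe", SYSTEM),
    Proc(520, "csrss.exe", "smss.exe", r"C:\Windows\System32\csrss.exe", SYSTEM),
    Proc(600, "services.exe", "wininit.exe", r"C:\Windows\System32\services.exe", SYSTEM),
    Proc(640, "lsass.exe", "wininit.exe", r"C:\Windows\System32\lsass.exe", SYSTEM),
    Proc(900, "svchost.exe", "services.exe", r"C:\Windows\System32\svchost.exe",
         "NT AUTHORITY\\NETWORK SERVICE"),
    Proc(5000, "explorer.exe", None, r"C:\Windows\explorer.exe", "DESKTOP\\bob"),
    # wrong parent, wrong path and wrong account at once
    Proc(4120, "svchost.exe", "explorer.exe", r"C:\Users\bob\AppData\Local\Temp\svchost.exe",
         "DESKTOP\\bob"),
    # name one character off from a real system process
    Proc(4388, "svch0st.exe", "services.exe", r"C:\Windows\System32\svch0st.exe", SYSTEM),
]

if __name__ == "__main__":
    for pid, findings in hunt(SAMPLE_PROCS).items():
        print(pid)
        for line in findings:
            print("   ", line)
```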
Ransomware Encrypted File Extensions List
File extension | Description |
---|---|
micro | TeslaCrypt 3.0 ransomware encrypted data |
zepto | Locky ransomware affected data |
cerber | Cerber ransomware affected data |
locky | Locky ransomware affected data |
cerber3 | Cerber 3 ransomware affected data |
cryp1 | CryptXXX ransomware affected data |
mole | CryptoMix (variant) ransomware affected data |
onion | Dharma ransomware affected data |
axx | AxCrypt encrypted data |
osiris | Locky (variant) ransomware affected data |
crypz | CryptXXX ransomware affected data |
crypt | Scatter ransomware affected data |
locked | Various ransomware affected data |
odin | Locky ransomware affected file |
ccc | TeslaCrypt or Cryptowall encrypted data |
cerber2 | Cerber 2 ransomware affected file |
sage | Sage ransomware affected data |
globe | Globe ransomware affected file |
exx | Alpha Crypt encrypted file |
good | Scatter ransomware affected file |
wallet | Globe 3 (variant) ransomware affected file |
1txt | Enigma ransomware affected file |
decrypt2017 | Globe 3 ransomware affected file |
encrypt | Alpha ransomware affected file |
ezz | Alpha Crypt virus encrypted data |
zzzzz | Locky ransomware affected file |
MERRY | Merry X-Mas ransomware affected file |
enciphered | Malware (ransomware) encoded file |
r5a | 7ev3n ransomware affected file |
aesir | Locky ransomware affected file |
ecc | Cryptolocker or TeslaCrypt virus encrypted file |
enigma | Coverton ransomware affected file |
cryptowall | Encrypted file by Cryptowall ransomware |
encrypted | Various ransomware affected file |
loli | LOLI RanSomeWare ransomware affected file |
breaking_bad | Files1147[@]gmail[.]com ransomware affected data |
coded | Anubis ransomware affected file |
ha3 | El-Polocker affected file |
damage | Damage ransomware affected file |
wcry | WannaCry ransomware affected file |
lol! | GPCode ransomware affected file |
cryptolocker | CryptoLocker encrypted file |
dharma | CrySiS ransomware affected file |
MRCR1 | Merry X-Mas ransomware affected file |
sexy | PayDay ransomware affected files |
crjoker | CryptoJoker ransomware affected file |
fantom | Fantom ransomware affected file |
keybtc[@]inbox_com | KeyBTC ransomware affected file |
rrk | Radamant v2 ransomware affected file |
legion | Legion ransomware affected file |
kratos | KratosCrypt ransomware affected file |
LeChiffre | LeChiffre ransomware affected file |
kraken | Rakhni ransomware affected file |
zcrypt | ZCRYPT ransomware affected file |
maya | HiddenTear (variant) ransomware affected file |
enc | TorrentLocker ransomware affected file |
file0locked | Evil ransomware affected file |
crinf | DecryptorMax or CryptInfinite ransomware affected file |
serp | Serpent (variant) ransomware affected file |
potato | Potato ransomware affected file |
ytbl | Troldesh (variant) ransomware affected file |
surprise | Surprise ransomware affected file |
angelamerkel | Angela Merkel ransomware affected file |
windows10 | Shade ransomware affected file |
lesli | CryptoMix ransomware affected file |
serpent | Serpent ransomware affected file |
PEGS1 | Merry X-Mas ransomware affected file |
dale | Chip ransomware affected file |
pdcr | PadCrypt Ransomware script |
zzz | TeslaCrypt ransomware encrypted file |
xyz | TeslaCrypt ransomware encrypted file |
1cbu1 | Princess Locker ransomware affected file |
venusf | Venus Locker ransomware affected file |
coverton | Coverton ransomware affected file |
thor | Locky ransomware affected file |
rnsmwr | Gremit ransomware affected file |
evillock | Evil-JS (variant) ransomware affected file |
R16m01d05 | Ransomware affected data |
wflx | WildFire ransomware affected file |
nuclear55 | Nuke ransomware affected file |
darkness | Rakhni ransomware affected file |
encr | FileLocker ransomware affected file |
rekt | HiddenTear (variant) ransomware affected file |
kernel_time | KeRanger OS X ransomware |
zyklon | ZYKLON ransomware affected file |
Dexter | Troldesh (variant) ransomware affected file |
locklock | LockLock ransomware affected file |
cry | CryLocker ransomware affected file |
VforVendetta | Samsam (variant) ransomware affected file |
btc | Jigsaw Ransomware affected file |
raid10 | Globe [variant] ransomware affected file |
dCrypt | DummyLocker ransomware affected file |
zorro | Zorro ransomware affected file |
AngleWare | HiddenTear/MafiaWare (variant) ransomware affected file |
EnCiPhErEd | Xorist Ransomware affected file |
purge | Globe ransomware affected file |
realfs0ciety[@]sigaint[.]org[.]fs0ciety | Fsociety ransomware affected file |
shit | Locky ransomware affected file |
atlas | Atlas ransomware affected file |
exotic | Exotic ransomware affected file |
crypted | Nemucod ransomware affected file |
padcrypt | PadCrypt ransomware affected file |
xxx | TeslaCrypt 3.0 ransomware encrypted file |
hush | Jigsaw ransomware affected file |
bin | Alpha/Alfa ransomware affected file |
vbransom | VBRansom 7 ransomware affected file |
RMCM1 | Merry X-Mas ransomware affected file |
cryeye | DoubleLocker ransomware affected data |
unavailable | Al-Namrood ransomware affected file |
braincrypt | Braincrypt ransomware affected file |
fucked | Manifestus ransomware affected file |
crypte | Jigsaw (variant) ransomware affected file |
_AiraCropEncrypted | AiraCrop Ransomware affected file |
stn | Satan ransomware affected file |
paym | Jigsaw Ransomware affected file |
spora | Spora ransomware affected file |
dll | FSociety ransomware affected file |
RARE1 | Merry X-Mas ransomware affected file |
alcatraz | Alcatraz Locker ransomware affected file |
pzdc | Scatter ransomware affected file |
aaa | TeslaCrypt ransomware encrypted file |
encrypted | Donald Trump ransomware affected file |
ttt | TeslaCrypt 3.0 ransomware encrypted file |
odcodc | ODCODC ransomware affected file |
vvv | TeslaCrypt 3.0 ransomware encrypted file |
ruby | Ruby ransomware affected file |
pays | Jigsaw Ransomware affected file |
comrade | Comrade ransomware affected file |
enc | Cryptorium ransomware affected file |
abc | TeslaCrypt ransomware encrypted file |
xxx | help_dcfile ransomware affected file |
antihacker2017 | Xorist (variant) Ransomware affected file |
herbst | Herbst ransomware affected file |
szf | SZFLocker ransomware affected file |
rekt | RektLocker ransomware affected file |
bript | BadEncriptor ransomware affected file |
crptrgr | CryptoRoger ransomware affected file |
kkk | Jigsaw Ransomware affected file |
rdm | Radamant ransomware affected file |
BarRax | BarRax (HiddenTear variant) ransomware affected file |
vindows | Vindows Locker ransomware affected file |
helpmeencedfiles | Samas/SamSam ransomware affected file |
hnumkhotep | Globe 3 ransomware affected file |
CCCRRRPPP | Unlock92 ransomware affected file |
kyra | Globe ransomware affected file |
fun | Jigsaw Ransomware affected file |
rip | KillLocker ransomware affected file |
73i87A | Xorist Ransomware affected file |
bitstak | Bitstak ransomware affected file |
kernel_complete | KeRanger OS X ransomware file |
payrms | Jigsaw Ransomware affected file |
a5zfn | Alma Locker ransomware affected file |
perl | Bart ransomware affected file |
noproblemwedecfiles | Samas/SamSam ransomware affected file |
lcked | Jigsaw (variant) ransomware affected file |
p5tkjw | Xorist Ransomware affected file |
paymst | Jigsaw Ransomware affected file |
magic | Magic ransomware affected file |
payms | Jigsaw Ransomware affected file |
d4nk | PyL33T ransomware affected file |
SecureCrypted | Apocalypse ransomware affected file |
paymts | Jigsaw Ransomware affected file |
kostya | Kostya ransomware affected file |
lovewindows | Globe (variant) ransomware affected file |
madebyadam | Roga ransomware affected file |
powerfulldecrypt | Samas/SamSam ransomware affected file |
gefickt | Jigsaw (variant) ransomware affected file |
kernel_pid | KeRanger OS X ransomware file |
ifuckedyou | SerbRansom ransomware affected file |
grt | Karmen HiddenTear (variant) ransomware affected file |
conficker | Conficker ransomware affected file |
edgel | EdgeLocker ransomware affected file |
PoAr2w | Xorist Ransomware affected file |
oops | Marlboro ransomware affected file |
adk | Angry Duck ransomware affected file |
encrypted | KeRanger OS X ransomware affected file |
Whereisyourfiles | Samas/SamSam ransomware affected file |
czvxce | Coverton ransomware affected file |
theworldisyours | Samas/SamSam ransomware affected file |
info | PizzaCrypts Ransomware affected file |
razy | Razy ransomware affected file |
rmd | Zeta ransomware affected file |
fun | Jigsaw (variant) ransomware affected file |
kimcilware | KimcilWare ransomware affected file |
paymrss | Jigsaw Ransomware affected file |
dxxd | DXXD ransomware affected file |
pec | PEC 2017 ransomware affected file |
rokku | Rokku ransomware affected file |
lock93 | Lock93 ransomware affected file |
vxlock | vxLock ransomware affected file |
pubg | PUBG ransomware affected data |
crab | GandCrab ransomware affected data |
svchost
Svchost.exe (Service Host) is a generic host process name for services that run on Windows operating systems. It is responsible for running many of the background services that are necessary for the operating system and other programs to function properly.
There can be multiple instances of the Service Host process running at the same time, each one hosting one or more services.
Why are there so many Service Host processes running?
When you start a Windows computer, multiple instances of Svchost.exe are usually launched, each one hosting one or more services. This allows the operating system to manage the services more efficiently by running them in a separate process, rather than as individual programs.
It is normal for there to be multiple Service Host processes running on a Windows computer. These processes are responsible for running many of the background services that are necessary for the operating system and other programs to function properly. Some examples of services that might be hosted by a Service Host process include the Windows Update service, the Network Location Awareness service, and the Remote Procedure Call (RPC) service.
Since it is normal to see many svchost.exe processes in the background, some malicious programs exploit that familiarity and masquerade as a legitimate svchost.exe process. The genuine svchost.exe is located in the C:\Windows\System32 folder; any file named “svchost.exe” located in another folder can be considered malware. Determining the image path of a process and its invoking command line helps identify software masquerading in this way and locates the actual program file running under the assumed name “svchost.exe” (Windows allows multiple processes to display the same name). Some malware instead injects a .dll file into the authentic svchost process, for example the Win32/Conficker worm.

If we take a look at one of the running “svchost.exe” instances and check its command line, we’ll see something similar to the following:

This instance is hosting four services.
The "-k" flag
In this example, the “svchost.exe” process was started with the "-k UnistackSvcGroup" parameter. To resolve that group name, it consults the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
It locates the entry named "UnistackSvcGroup" under that key and reads it. This string lists the names of the services that will be loaded and run within the context of that svchost.exe instance.

The "-s" flag
The “svchost.exe” process can also be used with the “-s” flag.

When the “-s” flag is used with the "-k" flag, it will tell the “svchost.exe” process to only load a specific service from the specified group. In this example, only the "WpnUserService" will be loaded from the "UnistackSvcGroup".
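The two checks described above (image path and "-k"/"-s" arguments against the Svchost registry key) as one defender-side script. This is an added example, not code from the original page; it assumes Win32_Process is queryable and treats hits as leads to confirm, not as proof of malware.

```powershell
# Added example (not code from the original page): cross-check every running
# svchost.exe against the facts described above. The genuine image lives in
# %SystemRoot%\System32, the "-k <group>" argument must name a service group
# registered under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost,
# and with "-s" the single service named must belong to that group.
function Test-SvchostInstances {
    $svchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    $groups      = Get-ItemProperty -Path $svchostKey      # one REG_MULTI_SZ value per group
    $genuinePath = Join-Path $env:SystemRoot 'System32\svchost.exe'

    # Win32_Process exposes both the image path and the full command line of each process.
    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
        $findings = @()

        # Check 1: the file actually running under the name svchost.exe.
        if ($_.ExecutablePath -and $_.ExecutablePath -ine $genuinePath) {
            $findings += "image is $($_.ExecutablePath), not $genuinePath"
        }

        # Check 2: the -k group (and optional -s service) against the registry.
        $group = $null; $single = $null
        if ($_.CommandLine -match '(?i)\s-k\s+(\S+)') { $group  = $Matches[1] }
        if ($_.CommandLine -match '(?i)\s-s\s+(\S+)') { $single = $Matches[1] }
        $expected = if ($group) { @($groups.$group) } else { @() }

        if (-not $group) {
            $findings += 'no -k <group> argument on the command line'
        } elseif ($groups.PSObject.Properties.Name -notcontains $group) {
            $findings += "group '$group' is not registered under the Svchost key"
        } elseif ($single -and $expected -notcontains $single) {
            $findings += "service '$single' is not listed in group '$group'"
        }

        [pscustomobject]@{
            ProcessId  = $_.ProcessId
            Path       = $_.ExecutablePath
            Group      = $group
            Service    = $single
            Expected   = $expected -join ','
            Suspicious = $findings.Count -gt 0
            Findings   = $findings -join '; '
        }
    }
}

# Show only the instances that fail a check; an empty result means every
# svchost.exe has the expected path and a registered group. Confirm any hit
# with "tasklist /SVC" before acting on it.
Test-SvchostInstances | Where-Object Suspicious | Format-Table -AutoSize
```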
SIGMA Rule
Sigma is a tool that allows you to create rules to identify patterns in log events. It is named after the Greek letter Sigma (Σ), which is often used to represent the sum of a series of numbers or the standard deviation of a set of data in statistics. Sigma is designed to be used with a variety of different log sources, including system logs, network logs, and security logs.
Sigma rules are written in a specialized language that allows you to specify the patterns that you want to identify in log events. Once you have created your Sigma rules, you can use them to scan log files for specific patterns or to generate alerts when certain patterns are detected.
Sigma is often used in conjunction with other security tools, such as Snort, which is a network intrusion detection and prevention system. Snort can be used to analyze network traffic for signs of malicious activity and to trigger alerts when suspicious activity is detected. By combining Sigma and Snort, you can create a more comprehensive security system that can help protect against a wide range of cyber threats.

YARA Rule
Yara is a tool that allows you to create, analyze, and identify malware and other malicious software. A Yara rule is a set of criteria used to identify and classify malware. Yara rules are written in a specialized language that allows you to specify the characteristics of the malware you are looking for, such as specific strings of text, patterns of code, or other identifying features.
Yara rules are used by cybersecurity professionals to identify and classify malware, and to help protect against cyber threats. Yara rules can be used to scan files, network traffic, and other sources for signs of malware, and can be used in conjunction with other security tools and techniques to help defend against cyber attacks.
Yara rules are typically used to identify specific types of malware, such as viruses, worms, trojans, and other malicious software. They can be used to identify both known and unknown malware, and can be updated and modified as new threats emerge.

Windows Registry
The Windows Registry is a database that stores configuration settings and options for the Microsoft Windows operating system and for applications that run on Windows. It contains information about hardware and software configuration, user preferences, and other data that is used by the operating system and by applications.
The Windows Registry is an important source of information for forensic investigations because it can provide valuable evidence about the activities that have taken place on a computer. For example, the Registry can reveal information about:
• Installed software and hardware: The Registry can contain information about the software and hardware that has been installed on a computer, including the version numbers and installation dates. This can be useful for determining what programs and devices were in use on a computer at a particular time.
• User activity: The Registry can contain information about the user accounts that have been created on a computer and the actions that have been taken by those users. This can include information about file and folder access, network connections, and other activities.
• System configuration: The Registry can contain information about the configuration of the operating system and other software, including the settings and options that have been selected. This can be useful for understanding how a computer was set up and how it was being used.

Windows Registry Structure
The Registry is organized into a tree-like structure. The top-level keys in the Registry are called hives.

HKEY_CLASSES_ROOT (HKCR): This hive contains information about file associations and COM object classes. It is used to associate files with the applications that can open them and to register COM objects so that they can be used by other applications.
HKEY_CURRENT_USER (HKCU): This hive contains information about the current user's preferences and settings. It is used to store settings for the desktop, start menu, taskbar, and other elements of the user interface, as well as settings for applications that are specific to the current user.
HKEY_LOCAL_MACHINE (HKLM): This hive contains information about the hardware, software, and security settings of the computer. It also contains information about the user profiles and groups on the computer.
HKEY_USERS (HKU): This hive contains information about all the user profiles on the computer. It is used to store settings for the desktop, start menu, taskbar, and other elements of the user interface, as well as settings for applications that are specific to each user.
HKEY_CURRENT_CONFIG (HKCC): This hive contains information about the hardware configuration of the computer. It is used to store information about the devices that are installed on the computer, as well as the configuration settings for those devices.
Wireshark
Wireshark is a free and open-source packet analyzer. It is a tool that allows you to capture and analyze network traffic in order to troubleshoot network problems, examine security issues, and learn more about how networks work.
Wireshark captures packets and displays them in real time. It supports a wide range of protocols and can decode and display the contents of packets in a variety of formats. Wireshark also includes a wide range of capture and display filters and display options that allow you to focus on specific packets or types of traffic and to view the data in a variety of formats.

Enumeration
System Enumeration
Check system information
Displays a list of details about the operating system, computer hardware and software components.
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
Check installed updates
Displays all installed Windows and software updates applied to that computer.
wmic qfe
wmic qfe get Caption, Description, HotFixID, InstalledOn
List all drives in the machine
wmic logicaldisk get Caption
fsutil fsinfo drives
wmic logicaldisk get caption,description,providername
[Powershell] Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root
List all env variables
Displays the current environment variable settings.
set
[Powershell] Get-ChildItem Env: | ft Key,Value
List Architecture
ver
wmic os get osarchitecture
echo %PROCESSOR_ARCHITECTURE%
List installed apps
wmic product get name, version, vendor
List scheduled tasks
Schtasks /query /fo LIST /v
List running services
net start
List running processes
tasklist /SVC
List installed device drivers
driverquery
Query the registry for specific keys, values and/or data
Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
reg query [Root]
Root:
• HKLM = HKey_Local_machine (default)
• HKCU = HKey_current_user
• HKU = HKey_users
• HKCR = HKey_classes_root
Scanning registry hives for the value password
Internal recon, hunting for passwords in the Windows registry.
The Windows registry often stores clear-text or encoded passwords used by various applications.
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
List GPO settings (Group Policy Discovery)
gpresult /Z
User Enumeration
List current username
Displays a user name associated with the effective user ID.
whoami
hostname
set computername
echo %USERNAME%
[Powershell] $env:username
Check current user privileges/groups
whoami /priv
whoami /groups
List all users
net users
whoami /all
[Powershell] Get-LocalUser | ft Name,Enabled,LastLogon
[Powershell] Get-ChildItem C:\Users -Force | select Name
Check account policies and password policies
net accounts
View user information
Displays user account information.
net users %username%
List all groups
Displays the name of the server and the names of local groups on the computer.
net localgroup
net localgroup Administrators
net group "Domain Controllers" /domain
net group "Domain Admins" /domain
net group "Enterprise Admins" /domain
net user /domain <UserName>
[Powershell] Get-LocalGroup | ft Name
[Powershell] Get-LocalGroupMember Administrators | ft Name, PrincipalSource
View user domain
set userdomain
List information about the configuration of the Server or Workstation
net config server
net config workstation
Network Enumeration
List all network interfaces, IP, and DNS
Displays the full TCP/IP configuration for all adapters.
ipconfig /all
wmic nicconfig get description,IPAddress,MACaddress
[Powershell] Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
[Powershell] Get-DnsClientServerAddress -AddressFamily IPv4 | ft
List Routing Table
Displays the entire contents of the IP routing table.
route print
netstat -nr
[Powershell] Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex
List ARP table
Displays all ARP mapping entries.
arp -a
[Powershell] Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State
List Network status
Displays active TCP connections, ports on which the computer is listening.
netstat -ano
List network shares
Displays information about all of the resources that are shared on the local computer.
net share
List all shared resources
Displays detailed information about the currently mapped drives and devices.
net use
List Wi-Fi Credentials
List saved Wi-Fi profiles (SSIDs)
netsh wlan show profile
Show the clear-text key stored for a saved profile
netsh wlan show profile name="<SSID>" key=clear
Windows Firewall Enumeration
Displays Windows Firewall Rules
netsh advfirewall firewall show rule name=all
Displays Current Profile Status
netsh advfirewall show currentprofile
Displays programs that are allowed by the host
netsh firewall show allowedprogram
Displays status of firewall configurations
netsh firewall show config
Displays the location of the firewall logs
netsh firewall show logging
List firewall's blocked ports
[Powershell] $f=New-object -comObject HNetCfg.FwPolicy2;$f.rules | where {$_.action -eq "0"} | select name,applicationname,localports
Defense Evasion
Windows Firewall Defense Evasion
Disable Windows firewall
The Windows firewall can be enabled or disabled from the command line using the netsh command.
netsh firewall set opmode mode=DISABLE
netsh advfirewall set allprofiles state off
netsh advfirewall set currentprofile state off
Delete Firewall Rules
netsh advfirewall firewall delete rule name="<RuleName>"
netsh advfirewall firewall delete rule name="Block Ports"
Web Proxy Defense Evasion
Disable proxy for browsers
Overrides any proxy settings that are provided.
start chrome --no-proxy-server
start msedge --no-proxy-server
Obfuscation
Base64
Base64 encoding is traditionally used to convert binary data to printable text characters. Attackers often use the Base64 encoding scheme in the early stages of an attack to disguise plaintext elements that cannot yet be concealed under the veil of encryption.
Common Base64 Encodings

btoa() and atob() Method
The atob (ASCII to binary) and btoa (binary to ASCII) methods transform content to and from the base64 encoding.
The atob() function decodes a string of data which has been encoded using Base64 encoding.
The btoa() function creates a Base64-encoded ASCII string from a binary string.
atob('aHR0cHM6Ly9vd2xpZnkueHl6')
btoa('owlify.xyz')
HTML Entities
Adversaries take advantage of HTML entity encoding to obfuscate payloads for client-side attacks, hiding them from any server-side defences that are in place.
Example

Powershell encoded command
Adversaries commonly hide commands by encoding them using Base64.
powershell.exe -EncodedCommand %redacted base64%
cmd /c powershell.exe -nop -w hidden -encodedcommand %redacted base64%
Example UTF-16 encoding

Example Gunzip
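A triage helper for the encoded-command and gzip patterns above, written as an added example rather than taken from the original page. It assumes the captured command line uses -EncodedCommand (or one of its short forms) and that a compressed second stage is referenced through FromBase64String; the sample lines are constructed here, not real captures.

```powershell
# Added example (not code from the original page): decode the Base64/UTF-16LE
# payload carried by "-EncodedCommand" (or its short forms -e, -ec, -enc) in a
# captured command line and, when the decoded script embeds a gzip-compressed
# Base64 stage (the "Gunzip" pattern), expand that layer as well.
function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$CommandLine)

    # Any unambiguous prefix of -EncodedCommand is accepted by powershell.exe.
    if ($CommandLine -notmatch '(?i)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)') {
        return $null
    }
    $outer  = [Convert]::FromBase64String($Matches[1])
    $script = [Text.Encoding]::Unicode.GetString($outer)   # -EncodedCommand is UTF-16LE, not UTF-8
    $stage  = $null

    # Second layer: a Base64 literal whose decoded bytes start with the gzip magic 1F 8B.
    if ($script -match 'FromBase64String\([''"]([A-Za-z0-9+/=]+)[''"]\)') {
        $inner = [Convert]::FromBase64String($Matches[1])
        if ($inner.Length -ge 2 -and $inner[0] -eq 0x1F -and $inner[1] -eq 0x8B) {
            $ms = New-Object IO.MemoryStream(,$inner)
            $gz = New-Object IO.Compression.GZipStream($ms, [IO.Compression.CompressionMode]::Decompress)
            $sr = New-Object IO.StreamReader($gz)
            $stage = $sr.ReadToEnd()
            $sr.Dispose()
        }
    }
    [pscustomobject]@{ Script = $script; GunzippedStage = $stage }
}

# Constructed sample (not a real capture): the "-encodedcommand" line from above
# with a benign Get-Date in place of the redacted Base64.
$b64  = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('Get-Date'))
$line = "cmd /c powershell.exe -nop -w hidden -encodedcommand $b64"
(ConvertFrom-EncodedCommand $line).Script                   # Get-Date

# Constructed two-layer sample: a gzip-compressed stage referenced through
# FromBase64String inside the UTF-16LE script.
$ms  = New-Object IO.MemoryStream
$gz  = New-Object IO.Compression.GZipStream($ms, [IO.Compression.CompressionMode]::Compress)
$raw = [Text.Encoding]::UTF8.GetBytes('Write-Output "second stage"')
$gz.Write($raw, 0, $raw.Length); $gz.Dispose()
$innerB64 = [Convert]::ToBase64String($ms.ToArray())
$script2  = "`$stage = [Convert]::FromBase64String('$innerB64')"
$line2    = 'powershell.exe -enc ' + [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($script2))
(ConvertFrom-EncodedCommand $line2).GunzippedStage          # Write-Output "second stage"
```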

Commandline Obfuscation
Command obfuscation may render rule-based detection useless and can make both static and dynamic detection more difficult.
Environment variables:
Static detection could be bypassed.

set a=/c & set b=calc
cmd %a% %b%
Double quotes:
Static and dynamic detection could be bypassed.

c""m"d"
Carets:
Static detection could be bypassed.

n^e^t u^s^er
Comma/semicolon:
Static and dynamic detection could be bypassed.

cmd,/c;hostname
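The caret, double-quote and comma/semicolon tricks above can be undone before a command line is matched against detection rules. The normaliser below is an added example, not code from the original page; it is a matching aid, not a faithful cmd.exe parser, and the sample lines are the constructed cases from the text.

```powershell
# Added example (not code from the original page): normalise a cmd.exe command
# line before rule matching so that "n^e^t u^s^er" and "net user" compare equal.
# The environment-variable trick (set a=/c & set b=calc) is not handled here,
# because resolving it needs the variable state of the shell that ran it.
function ConvertFrom-CmdObfuscation {
    param([Parameter(Mandatory)][string]$CommandLine)

    $s = $CommandLine
    $s = $s -replace '\^', ''        # caret is cmd.exe's escape character and vanishes when parsed
    $s = $s -replace '"', ''         # quotes can be inserted between letters: c""m"d" -> cmd
    $s = $s -replace '[,;]+', ' '    # comma and semicolon are token separators in cmd.exe
    $s = $s -replace '\s+', ' '      # collapse the resulting runs of whitespace
    $s.Trim().ToLowerInvariant()
}

# Constructed samples taken from the patterns above; each should normalise to Expected.
$cases = @(
    @{ Obfuscated = 'c""m"d"';          Expected = 'cmd' }
    @{ Obfuscated = 'n^e^t u^s^er';     Expected = 'net user' }
    @{ Obfuscated = 'cmd,/c;hostname';  Expected = 'cmd /c hostname' }
    @{ Obfuscated = 'cmd /c whoami';    Expected = 'cmd /c whoami' }   # plain line is unchanged
)
foreach ($c in $cases) {
    $got = ConvertFrom-CmdObfuscation $c.Obfuscated
    $verdict = if ($got -eq $c.Expected) { 'OK' } else { 'MISMATCH' }
    '{0,-18} -> {1,-16} {2}' -f $c.Obfuscated, $got, $verdict
}
```

Run the normaliser over the same field your rule engine matches on (for example the process command line in Sysmon or 4688 events) so that a single rule for "net user" also covers the obfuscated spellings.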
Frameworks
NIST vs SANS

The difference between the NIST and SANS frameworks lies in how they approach the phases of containment, eradication, and recovery in incident response:
NIST Perspective:
NIST considers containment, eradication, and recovery as interconnected components within a single step. Unlike SANS, NIST doesn't insist on containment before eradication. This approach could be advantageous for organizations with a lower tolerance for threats, where the immediate removal of threats is prioritized over understanding and containing them beforehand.
SANS Perspective:
SANS treats containment, eradication, and recovery as distinct and independent steps. According to SANS, containment should come before eradication. This methodology allows for a more structured approach to isolating the threat and preventing its spread before focusing on eliminating it.
In summary, NIST's approach integrates containment, eradication, and recovery as interconnected actions, potentially suited for organizations prioritizing threat removal. SANS, on the other hand, treats these steps separately, advocating for containment before eradication to ensure controlled response to threats. The choice between these perspectives depends on an organization's risk tolerance and preferred incident response strategy.
Incident Response Guide
1. Preparation:
• Employee Training: Ensuring staff are trained in their incident response roles and responsibilities in the event of a data breach. Well-prepared employees are less likely to make critical errors during an incident.
• Tabletop Exercises: Developing incident response tabletop exercises and conducting mock data breaches periodically to assess the effectiveness of the response plan. These exercises help identify gaps and refine the plan.
• Thorough Documentation: Creating a comprehensive incident response plan that thoroughly outlines the roles and responsibilities of all involved parties. This documentation serves as a guide during real incidents.
• Testing and Training: Regularly testing the incident response plan through simulations to ensure that the team understands their roles and the necessary notifications to be made.
2. Identification:
• Incident Confirmation: Determine if a breach or incident has taken place, understanding that they can stem from diverse origins.
• Timing and Discovery: Establish the timing of the event and how it was detected. Identify who found it and through which means.
• Extent of Impact: Investigate whether other areas or systems have been affected and gauge the overall scope of the compromise.
• Operational Impact: Assess whether the incident is impacting regular operations.
• Source Identification: Strive to determine the source or point of entry through which the event occurred.
3. Containment:
• Preserving Evidence: Refrain from deleting data to maintain valuable evidence for understanding the breach origin and prevention planning.
• Preventing Spread: Isolate the breach to prevent further damage. Disconnect affected devices from the Internet if possible.
• Short-term and Long-term Strategies: Have both short-term and long-term containment strategies ready. A redundant system backup can aid in data restoration.
• Backup Strategies: Maintain redundant backups to facilitate data recovery and ensure compromised data isn't permanently lost.
• Enhanced Security Measures: Update and patch systems, review remote access protocols with mandatory multi-factor authentication, and strengthen all access credentials and passwords.
4. Eradication:
• Root Cause Elimination: Identify and eliminate the source of the breach, including securely removing all malware and traces of malicious activity.
• System Refortification: Harden the affected systems by implementing security measures, and apply necessary patches and updates to minimize vulnerabilities.
• Thoroughness: Whether conducted internally or by a third party, the eradication process must be meticulous. Leaving remnants of malware or vulnerabilities can lead to data loss and increased liability.
5. Recovery:
• System Restoration: Return affected systems and devices to production in a timely manner, prioritizing a secure and efficient restoration process.
• Security Measures: Ensure systems are patched, hardened, and thoroughly tested before they are brought back into the operational environment.
• Backup Restoration: Consider restoring systems from trusted backups to a known, clean state, reducing the risk of persistent malware.
• Monitoring and Safeguards: Define a monitoring period for affected systems, observing for any signs of anomalous activity or breaches. Implement tools like file integrity monitoring and intrusion detection/protection systems to prevent future occurrences.
6. Lessons Learned:
• After-Action Meeting: Convene an after-action meeting involving all Incident Response Team members to discuss insights gained from the data breach incident.
• Analysis and Documentation: Thoroughly analyze and document the incident details, identifying successes and areas needing improvement. These insights stem from both actual incidents and tabletop exercises.
• Plan Refinement: Identify strengths and weaknesses in the incident response plan and the organization's security posture. Utilize these findings to refine the response plan and address vulnerabilities.
• Enhanced Training and Security: Determine necessary changes to security measures and employee training based on lessons learned. Focus on rectifying weaknesses exploited by the breach.
• Prevention Strategies: Develop strategies to prevent a recurrence of a similar breach by implementing corrective actions and enhancing preventive measures.
Ransomware Incident Response Guide
1. Preparation:
• Develop an incident response plan that includes specific procedures for ransomware incidents.
• Implement security measures like regular patching, network segmentation, and user training.
• Establish a backup strategy to ensure critical data and systems are regularly backed up and stored offline.
2. Identification:
• Monitor network traffic, system logs, and endpoint behavior.
• Quickly assess incoming alerts and prioritize them based on severity.
• Detect signs of potential ransomware activity, such as unusual encryption patterns or file changes.
• Analyze the attack vector and vulnerabilities exploited by the ransomware.
• Determine the ransomware variant to understand its behavior and capabilities.
3. Containment:
• Isolate affected systems from the network to prevent further ransomware spread.
• Identify the extent of the infection and determine which systems have been compromised.
• Reset passwords for compromised accounts to prevent unauthorized access and hinder the attacker's movement.
4. Eradication:
• Eliminate the source of the ransomware.
• Patch and update systems to prevent future infections through known vulnerabilities.
5. Recovery:
• Restore data and systems from clean backups, ensuring backups are free from malware.
• Implement additional security measures to reinforce the resilience of recovered systems.
6. Lessons Learned:
• Conduct a post-incident review to identify strengths and weaknesses in the response process.
• Update the incident response plan based on lessons learned from the incident.