Fundamentals

CIA triad

The CIA triad is a model for classifying the three main components of information security: confidentiality, integrity, and availability. These three components are often referred to as the "CIA triad" because they represent the core principles of information security.

Confidentiality

Confidentiality refers to the protection of information from unauthorized access or disclosure. It is important to ensure that only authorized individuals or systems can access sensitive information.

Confidentiality can be achieved through:
    • Encryption
    • Strong authentication systems

Integrity

Integrity refers to the accuracy and completeness of information, as well as the protection of information from unauthorized modification. It is important to ensure that information is not corrupted or altered in an unauthorized manner.

Integrity can be achieved through:
    • Hashing
    • Digital Signatures
    • Encryption
    • Digital certificates

Availability

Availability refers to the accessibility of information and systems. It is important to ensure that authorized users can access the information and systems they need when they need them.

Availability can be achieved through:
    • Redundancy
    • Backups

The CIA triad is a useful framework for understanding the key aspects of information security and for developing strategies to protect against various types of threats. By focusing on confidentiality, integrity, and availability, organizations can ensure that their sensitive information and systems are secure and available to authorized users.

Common Ports

Network ports are identified by a number, ranging from 0 to 65535. The most commonly used ports are assigned specific purposes by the Internet Assigned Numbers Authority (IANA). For example, port 80 is used for HTTP traffic, port 443 is used for HTTPS traffic, and port 25 is used for SMTP email traffic.

Cyber Kill Chain

The Cyber Kill Chain is a model that was developed by Lockheed Martin to describe the stages of a typical cyber attack. The model is designed to help organizations understand how an attack progresses, so that they can take steps to prevent or mitigate the attack at each stage.

The seven stages of the Cyber Kill Chain are as follows:

1. Reconnaissance: The attacker gathers information about the target organization and its systems, often through publicly available sources or through social engineering techniques.

2. Weaponization: The attacker prepares the payload (e.g., a malware or exploit) that will be used to attack the target.

3. Delivery: The attacker delivers the payload to the target, often through email attachments, infected websites, or other means of exploiting vulnerabilities.

4. Exploitation: The attacker takes advantage of a vulnerability in the target's systems to execute the payload.

5. Installation: The payload is installed on the target's systems, often in a way that is hidden from the user.

6. Command and control: The attacker establishes a means of communicating with and controlling the payload, often through a network connection.

7. Actions on objectives: The attacker carries out the objectives of the attack, such as stealing data or disrupting services.

Understanding the Cyber Kill Chain can help organizations identify and respond to attacks at each stage, and can help them develop strategies to prevent or mitigate the impact of future attacks.

DNS (Domain Name System)

The Domain Name System (DNS) is a hierarchical decentralized naming system for computers, services, or other resources connected to the internet or a private network. It is used to translate human-readable domain names, such as "google.com," into numerical IP addresses that computers can use to communicate with each other.

DNS consists of a hierarchy of servers that are responsible for mapping domain names to IP addresses. At the top of the hierarchy are the root servers, which are responsible for directing traffic to the correct top-level domain (TLD) servers. TLD servers are responsible for directing traffic to the correct domain name servers (DNS), which are responsible for mapping specific domain names to IP addresses.

DNS is an important infrastructure component of the internet, and it plays a critical role in enabling communication between computers and devices on the internet. Without DNS, users would have to remember the numerical IP addresses of websites and other resources, which would be difficult and inconvenient.

To use DNS, a domain owner must register their domain name and configure it with the appropriate DNS records, which specify the IP addresses and other information about the domain. When a user types a domain name into their web browser or sends an email to an address at a particular domain, the DNS system is used to resolve the domain name to the correct IP address and route the traffic to the appropriate destination.

4 types of DNS servers

1. DNS recursor (a.k.a DNS resolver)

The DNS resolver might be operated by an Internet Service Provider (ISP), or other third party such as Google Public DNS (8.8.8.8). The resolver starts by looking in its local cache, if the hostname is found, it is resolved immediately. If not, the resolver starts by querying one of the root DNS servers for the IP of the domain name.

2. Root nameserver

Root servers are DNS nameservers that operate in the root zone and they hold the locations of all the Top Level Domains (TLDs). These servers can directly answer queries for records stored or cached within the root zone, and they can also refer other requests to the appropriate Top Level Domain (TLD) server. The root name servers are a critical part of the Internet infrastructure because they are the first step in resolving human-readable host names into IP addresses that are used in communication between Internet hosts.
There are 13 logical root name servers specified, with logical names in the form of letter.root-servers.net, where letter ranges from a to m.

3. TLD nameserver

A TLD nameserver maintains information for all the domain names that share a common domain extension, such as .com, .net, or whatever comes after the last dot in a url. For example, a .com TLD nameserver contains information for every website that ends in ‘.com’. If a user was searching for google.com, after receiving a response from a root nameserver, the recursive resolver would then send a query to a .com TLD nameserver, which would respond by pointing to the authoritative nameserver.

4. Authoritative nameserver

An authoritative name server provides actual answer to your DNS queries such as – mail server IP address or web site IP address (A or AAAA address record). It provides original and definitive answers to DNS queries.

DNS record

A Domain Name System (DNS) record is a set of information that is stored in the DNS database and is used to map domain names to IP addresses and other resources. There are many different types of DNS records, each with a specific purpose. Some common types of DNS records include:

DNS records are an important part of the infrastructure of the internet, and they are used to enable communication between devices and systems on the internet. By configuring DNS records, domain owners can specify how traffic should be routed to their domain, and they can control how their domain is accessed and used.

Email Security

Domain-based Message Authentication Reporting and Conformance (DMARC)

Domain-based Message Authentication Reporting and Conformance (DMARC) is an email authentication protocol that is designed to detect and prevent email spoofing. DMARC works by allowing a domain owner to publish a policy in the Domain Name System (DNS) that specifies which mechanisms are used to authenticate email sent from their domain, and how receiving mail servers should handle email that fails authentication.

When an email is received, the receiving mail server can check the DMARC policy of the domain that the email claims to be from. If the email fails authentication using the mechanisms specified in the DMARC policy, the receiving server can take a number of actions, such as rejecting the email, quarantining the email, or flagging the email as potentially suspicious.

In addition to helping prevent email spoofing, DMARC can also help protect against spam and phishing attacks. By requiring email to be authenticated using mechanisms such as SPF (Sender Policy Framework) or DKIM (DomainKeys Identified Mail), DMARC can help ensure that only legitimate email is sent from a domain.

DMARC uses DKIM and SPF to verify the legitimacy of an email's from address and quarantine or reject email based on what it finds. DMARC looks at the Return-Path of a message to make sure the domain there matches the domain in your from address. If the Return-Path path doesn't match your from address, those messages will fail DMARC's SPF alignment test. DMARC checks DKIM alignment by matching the d= domain in the DKIM signature and the from domain. If the d= domain matches the from domain, it pass the DKIM alignment and DMARC validation.

Sender Policy Framework (SPF)

Sender Policy Framework (SPF) is an email authentication protocol that is designed to detect and prevent email spoofing. SPF works by allowing a domain owner to specify which mail servers are authorized to send email on behalf of their domain.

When an email is received, the receiving mail server can check the SPF record of the domain that the email claims to be from. If the server that sent the email is not listed in the SPF record, the email can be flagged as potentially suspicious or fraudulent.

To use SPF, a domain owner must publish an SPF record in the Domain Name System (DNS) for their domain. This record lists the servers that are authorized to send email for the domain, and it can be used by receiving mail servers to verify the authenticity of incoming email.

In addition to helping prevent email spoofing, SPF can also help protect against spam and phishing attacks. By limiting the servers that are authorized to send email for a domain, SPF can help ensure that only legitimate email is sent from that domain.

Specify SPF version at start of record

              v=spf1
            

Mechanisms for specifying authorised senders

Qualifiers

Modifiers

Examples:

Allow domain’s MXs to send mail for the domain, prohibit all others

              v=spf1 mx ~all
            

The domain sends no mail at all

              v=spf1 -all
            

The domain allows all IP addresses on the internet to send mail. Though ‘valid’, this is not recommended

              v=spf1 +all
            

Allow any IP address between 192.168.0.1 and 192.168.255.255

              v=spf1 ip4:192.168.0.1/16 ~all
            

The current domain is used

              v=spf1 a ~all
            

Allow mail from specific domain

              v=spf1 a:example.com ~all
            

Tells the receiving server to check the SPF record of google.com instead of the originating domain

              v=spf1 redirect=_spf.google.com
            

Tells the receiving server to also consider the IP addresses listed in the SPF record of another domain (This is commonly set up with multi-domain organizations)

              v=spf1 include:_spf.google.com ~all 
            

Domain Keys Identified Mail (DKIM)

Domain Keys Identified Mail (DKIM) is an email authentication protocol that is designed to detect and prevent email spoofing. DKIM works by allowing a domain owner to place a digital signature in the headers of their outbound email messages. The signature is used to verify the authenticity of the email, and it can be used to ensure that the email has not been modified in transit.

To use DKIM, a domain owner must generate a private key and a public key. The private key is used to sign the outbound email messages, and the public key is published in the Domain Name System (DNS) for the domain. When an email is received, the receiving mail server can use the public key to verify the authenticity of the email by checking the digital signature.

In addition to helping prevent email spoofing, DKIM can also help protect against spam and phishing attacks. By requiring email to be authenticated using a digital signature, DKIM can help ensure that only legitimate email is sent from a domain.

DKIM is an important tool for protecting against email fraud and abuse, and it is widely used by email service providers and other organizations to help ensure the security and integrity of email communication.

HTTP Status Codes

HTTP status codes are standardized numerical codes that are used to communicate the status of a HTTP request. HTTP (Hypertext Transfer Protocol) is a protocol for transferring data over the internet, and HTTP status codes are used to indicate the status of a request made using HTTP.

Some of the most commonly used HTTP status codes include:

• 200 OK: The request was successful and the requested information has been transmitted.

• 301 Moved Permanently: The requested resource has been moved to a new URL.

• 400 Bad Request: The request was invalid or could not be understood by the server.

• 401 Unauthorized: The request requires authentication in order to be processed.

• 404 Not Found: The requested resource could not be found.

IPV4 Subnet

Subnetting is a way to divide a single network into smaller networks, or subnets, in order to increase security and efficiency.

An IPv4 subnet is identified by a network address and a subnet mask. The network address defines the range of IP addresses that are included in the subnet, and the subnet mask defines which portion of the IP address represents the network and which portion represents the host.

For example, consider the following IP address and subnet mask:

IP address: 192.168.1.100
Subnet mask: 255.255.255.0

The subnet mask of 255.255.255.0 indicates that the first three octets (192.168.1) represent the network portion of the IP address, and the fourth octet (100) represents the host portion. In this case, the subnet would include all IP addresses from 192.168.1.0 to 192.168.1.255.

Private IP addresses

Private IP addresses are IP addresses that are used for communication within a private network, such as a home or corporate network. They are not routed on the Internet and are not reachable from the outside. Private IP addresses are used to identify devices within a private network and to route traffic between devices.

Private IP addresses are often used in conjunction with Network Address Translation (NAT), which allows devices within a private network to communicate with the Internet using a single, shared public IP address. This allows multiple devices to share a single Internet connection and helps to conserve the limited pool of publicly routable IP addresses.

Private Information

Private information is any data or personal details that are intended to be kept confidential and are not meant to be shared with others without the owner's consent. Private information can include things like a person's name, address, phone number, date of birth, financial information, medical history, and other sensitive data. It is important to protect private information because it can be used for identity theft or other nefarious purposes if it falls into the wrong hands. It is generally recommended to be cautious about sharing private information online or with anyone you do not know or trust.

Types of private information:

PII stands for "Personally Identifiable Information." It is any information that can be used to identify a specific individual, such as their name, address, phone number, date of birth, social security number, or other personal details. PII is considered to be sensitive information because it can be used to locate, contact, or obtain information about an individual. As a result, it is important to protect PII and handle it with care to prevent it from being accessed or used without the owner's consent. There are also legal requirements in place in many countries that regulate the collection, use, and storage of PII, such as the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act (CCPA) in the United States.

PPI stands for "Personally Protected Information". It is a term that is sometimes used to refer to personal data that is considered to be sensitive or confidential, and that requires special protection in order to ensure the privacy and security of individuals. PPI may include information such as a person's name, address, phone number, date of birth, financial information, medical history, and other details that are considered to be private and should not be shared without the owner's consent. It is important to handle PPI with care and to take appropriate measures to protect it from unauthorized access or use. This may include measures such as encrypting data, using secure servers, and implementing other security measures to prevent data breaches or unauthorized access to PPI.

PHI stands for "Protected Health Information." It is any information that relates to a person's health, medical history, or treatment that is collected, used, or disclosed by a healthcare provider, health plan, or other covered entity in the course of providing healthcare services. PHI is considered to be sensitive information because it can reveal intimate details about a person's health and medical history, and it is protected by laws such as the Health Insurance Portability and Accountability Act (HIPAA) in the United States. HIPAA sets strict rules for how PHI can be collected, used, and disclosed, and it requires covered entities to implement appropriate safeguards to protect the privacy and security of PHI. HIPAA also gives individuals certain rights with regard to their PHI, such as the right to access, correct, and request restrictions on the use of their PHI.

PCI stands for "Payment Card Industry." PCI refers to a set of security standards that were developed by the major credit card companies (Visa, Mastercard, American Express, Discover, and JCB) to ensure the secure handling of credit card transactions and protect sensitive financial information. The PCI Data Security Standard (PCI DSS) is a set of requirements that apply to all organizations that accept, process, store, or transmit credit card information. It sets out guidelines for the secure handling of credit card data, including requirements for physical security, network security, access controls, and data protection. The PCI DSS is intended to help reduce the risk of credit card fraud and protect the security of sensitive financial information. Compliance with the PCI DSS is mandatory for all merchants and service providers that accept credit cards as a form of payment.

OSI Model

The OSI (Open Systems Interconnection) model is a framework for understanding how communication occurs between different systems in a network. It is a seven-layer model that represents the different stages of communication, from the physical connection between devices to the application layer where the actual communication takes place.

The OSI model is a useful tool for understanding how communication occurs in a network, and it helps to define the roles and responsibilities of the different layers of a networked system.

Types of Cyber Attacks on Each Layer of the OSI Model:

Layer architecture (wikipedia)

NTLM

NTLM (NT LAN Manager) is a Microsoft authentication protocol that is used to provide secure network communication and to authenticate users in a Windows network environment. It is a challenge-response protocol that allows a client to prove its identity to a server, and it is typically used to authenticate users on a Windows domain.

NTLM uses hashed passwords and encrypted challenge-response exchanges to authenticate users, and it can also provide authentication for other protocols such as HTTP, FTP, and SMTP. NTLM is generally considered to be less secure than more modern authentication protocols, such as Kerberos, and it is generally recommended to use these newer protocols whenever possible.

The following examples show how the NTLM flow works.

Kerberos

Kerberos is a network authentication protocol that is designed to provide secure communication over a non-secure network, such as the internet. It is named after the three-headed dog of Greek mythology that guarded the gates of the underworld.

In a Kerberos system, a client authenticates itself to a trusted third-party server known as the Key Distribution Center (KDC). The KDC issues a ticket-granting ticket (TGT) to the client, which the client can then use to request access to other resources on the network. These requests are made using service tickets, which are issued by the KDC and contain a cryptographic key that can be used to securely access the desired resource.

Kerberos is widely used in Windows and Linux operating systems, as well as in other networked systems such as Apache and OpenVPN. It is generally considered to be more secure than other authentication protocols, such as NTLM, because it uses strong encryption and does not transmit plaintext passwords over the network.

Kerberos Error Codes

Windows event log entries often contain Kerberos failure codes

TCP vs UDP

Computer Networking Basics

The Internet is a network of connecting devices. Each device, whether it's your smartphone or a server, communicate through the internet protocol suite. The internet protocol suite is a collection of different protocols, or methods, for devices to communicate with each other. Both TCP and UDP are major protocols within the internet protocol suite:

TCP: connection oriented, header file: 20 bytes, speed is less than UDP, used in high reliability services. TCP is heavy-weight. Require three packets to set up a socket connection (Three way handshake: SYN- Synchronize, SYN-ACK, ACK). TCP handles reliability and congestion control, have Acknowledgement segments.

UDP: connectionless oriented, header file: 8 bytes, more speed than TCP, used in real-time services, UDP is lightweight. There is no ordering message, no tracking connection, UDP does not have an option for flow control (Does not have three way handshake), No Acknowledge.

A three-way handshake

A three-way handshake is a method used in a TCP/IP network to create a connection between a local host/client and server.
A three-way handshake is also known as a TCP handshake or SYN-SYN-ACK, which requires both the client and server to exchange SYN (synchronization) and ACK (acknowledgment) packets before actual data communication begins.

Step 1: A connection between server and client is established
Step 2: The server receives the SYN packet from the client node
Step 3: Client node receives the SYN/ACK from the server and responds with an ACK packet

For UDP, no three-way handshake is necessary before transmitting data to the intended recipient. So, all or some of the data might arrive — and it may (or may not) arrive in the order as intended. As such, it’s often described as a “best effort.”

When does DNS use TCP?

DNS uses TCP port 53 for Zone transfer (ensure zone data is consistent across DNS servers) and UDP for name, and queries either regular (primary) or reverse. UDP can be used to exchange small information whereas TCP must be used to exchange information larger than 512 bytes.

Types of Malware

Malware is short for "malicious software," and it refers to any software that is designed to harm or exploit a computer system. Malware can take many forms, including viruses, worms, trojan horses, ransomware, spyware, and adware.

Malware can be spread through a variety of means, including email attachments, infected websites, malicious software downloads, and infected removable media such as USB drives. Once it is installed on a computer, malware can perform a variety of malicious actions, such as deleting files, stealing sensitive information, corrupting data, and using the infected computer to attack other systems.

Utilities

Clear Network Cache

This will clear your DNS cache on Windows, release your IP address, and renew it.

ipconfig/flushdns
ipconfig/release
ipconfig/renew

Regex Cheat Sheet

Regex (short for "Regular Expression") is a special syntax or notation used to match patterns of characters in text. Regular expressions are often used in text processing and data manipulation tasks, such as search and replace operations, data validation, and data scraping.

A regular expression is a sequence of characters that defines a search pattern. It can be used to search for and match specific patterns in text, or to extract specific pieces of information from a larger body of text.

A quick reference guide for regular expressions (regex)

^\w+

\w+$

\i+

...

.*

This|string

https?

https??

? - non lazy
?? - lazy

\bis\b

(https?|ftp):\/\/([^\/\r\n]+)(\/[^\r\n]*)?

Group 1: "https"
Group 2: "owlify.xyz"
Group 3: "/test"

(?:https?|ftp):\/\/([^\/\r\n]+)(\/[^\r\n]*)?

Group 1: "owlify.xyz"
Group 2: "/test"

[0-9]+

[a-zA-Z]+

[^a-zA-Z]+

\b\d{6}\b

[a-f0-9]{32}

[a-f0-9]{5,10}

.*(?=string)

(?<=This).*

(?<=This).*(?=string)

a(?!b)

Match all "a" that are not followed by a "b"

(?<!a)b

Match all "b" that are not preceded by an "a"

Useful Linux Commands

Useful Linux command-line utilities

Useful Windows Commands

Useful Windows command-line utilities

FINDSTR

findstr is a built-in tool of the Windows operating system that you may run from the command line to find text in files or in command-line outputs.

For example:

netstat | findstr "8.8.4.4"

findstr /c:"windows 10" file.txt -- Searches the document file.txt for the string "windows 10"

findstr "windows" c:\documents\*.* -- Searches any file under c:\documents for the string "windows"

findstr /s /i Windows *.* -- Searches every file in the current directory and all subdirectories for the word Windows ignoring letter case

findstr /g:criteria.txt /f:filelist.txt > results.out -- search criteria in criteria.txt to search the files listed in filelist.txt

findstr /g:"test.txt" "test2.txt" -- Compare contents of two files and print out their commonalities

Vim text editor

Threat Hunt

Default Windows Processes

Knowing what’s normal on a Windows host helps cut through the noise to quickly locate potential malware. Use the information below as a reference to know what’s normal in Windows and to focus your attention on the outliers.
When searching for malicious processes, look for any of these anomalous characteristics:
    • Started with the wrong parent process
    • Image executable is located in the wrong path
    • Misspelled processes
    • Processes that are running under the wrong account (incorrect SID)
    • Processes with unusual start times (i.e., starts minutes or hours after boot when it should be within seconds of boot)
    • Unusual command-line arguments
    • Packed executables

Process view on a Windows 10 machine

Ransomware Encrypted File Extensions List

svchost

Svchost.exe (Service Host) is a generic host process name for services that run on Windows operating systems. It is responsible for running many of the background services that are necessary for the operating system and other programs to function properly.

There can be multiple instances of the Service Host process running at the same time, each one hosting one or more services.

Why are there so many Service Host processes running?

When you start a Windows computer, multiple instances of Svchost.exe are usually launched, each one hosting one or more services. This allows the operating system to manage the services more efficiently by running them in a separate process, rather than as individual programs.

It is normal for there to be multiple Service Host processes running on a Windows computer. These processes are responsible for running many of the background services that are necessary for the operating system and other programs to function properly. Some examples of services that might be hosted by a Service Host process include the Windows Update service, the Network Location Awareness service, and the Remote Procedure Call (RPC) service.

Since it is normal to see many svchost.exe processes in the background, some malicious programs make use of the confusion and masquerade as a legitimate svchost.exe process. svchost.exe is located in C:\Windows\System32 folder. Any file named “svchost.exe” located in another folder can be considered malware. Determining the image path of a process, and its invoking command line, can help identify software masquerading in this way, and help locate the actual program file which is running under the assumed process name of “svchost.exe” (Windows allows multiple processes to all display the same name). Some malware injects a .dll file into the authentic svchost process, for example, Win32/Conficker worm.

If we take a look at one of the running “svchost.exe” instance and check its command line, we’ll see something similar to the following:

This instance is hosting four services.

The "-k" flag

In this example, the “svchost.exe” process used the "-k UnistackSvcGroup" parameter. This request will be made to the following registry location:

					 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
					 

It locates the key which matches the parameter entry "UnistackSvcGroup" and reads it. This string contains the names of the services it will load and run within the context of that svchost.exe instance.

The "-s" flag

The “svchost.exe” process can also be used with the “-s” flag.

When the “-s” flag is used with the "-k" flag, it will tell the “svchost.exe” process to only load a specific service from the specified group. In this example, only the "WpnUserService" will be loaded from the "UnistackSvcGroup".

SIGMA Rule

Sigma is a tool that allows you to create rules to identify patterns in log events. It is named after the Greek letter Sigma (Σ), which is often used to represent the sum of a series of numbers or the standard deviation of a set of data in statistics. Sigma is designed to be used with a variety of different log sources, including system logs, network logs, and security logs.

Sigma rules are written in a specialized language that allows you to specify the patterns that you want to identify in log events. Once you have created your Sigma rules, you can use them to scan log files for specific patterns or to generate alerts when certain patterns are detected.

Sigma is often used in conjunction with other security tools, such as Snort, which is a network intrusion detection and prevention system. Snort can be used to analyze network traffic for signs of malicious activity and to trigger alerts when suspicious activity is detected. By combining Sigma and Snort, you can create a more comprehensive security system that can help protect against a wide range of cyber threats.

YARA Rule

Yara is a tool that allows you to create, analyze, and identify malware and other malicious software. A Yara rule is a set of criteria used to identify and classify malware. Yara rules are written in a specialized language that allows you to specify the characteristics of the malware you are looking for, such as specific strings of text, patterns of code, or other identifying features.

Yara rules are used by cybersecurity professionals to identify and classify malware, and to help protect against cyber threats. Yara rules can be used to scan files, network traffic, and other sources for signs of malware, and can be used in conjunction with other security tools and techniques to help defend against cyber attacks.

Yara rules are typically used to identify specific types of malware, such as viruses, worms, trojans, and other malicious software. They can be used to identify both known and unknown malware, and can be updated and modified as new threats emerge.

Windows Registry

The Windows Registry is a database that stores configuration settings and options for the Microsoft Windows operating system and for applications that run on Windows. It contains information about hardware and software configuration, user preferences, and other data that is used by the operating system and by applications.

The Windows Registry is an important source of information for forensic investigations because it can provide valuable evidence about the activities that have taken place on a computer. For example, the Registry can reveal information about:

• Installed software and hardware: The Registry can contain information about the software and hardware that has been installed on a computer, including the version numbers and installation dates. This can be useful for determining what programs and devices were in use on a computer at a particular time.

• User activity: The Registry can contain information about the user accounts that have been created on a computer and the actions that have been taken by those users. This can include information about file and folder access, network connections, and other activities.

• System configuration: The Registry can contain information about the configuration of the operating system and other software, including the settings and options that have been selected. This can be useful for understanding how a computer was set up and how it was being used.

Windows Registry Structure

The Registry is organized into a tree-like structure. The top-level keys in the Registry are called hives.

HKEY_CLASSES_ROOT (HKCR): This hive contains information about file associations and COM object classes. It is used to associate files with the applications that can open them and to register COM objects so that they can be used by other applications.

HKEY_CURRENT_USER (HKCU): This hive contains information about the current user's preferences and settings. It is used to store settings for the desktop, start menu, taskbar, and other elements of the user interface, as well as settings for applications that are specific to the current user.

HKEY_LOCAL_MACHINE (HKLM): This hive contains information about the hardware, software, and security settings of the computer. It also contains information about the user profiles and groups on the computer.

HKEY_USERS (HKU): This hive contains information about all the user profiles on the computer. It is used to store settings for the desktop, start menu, taskbar, and other elements of the user interface, as well as settings for applications that are specific to each user.

HKEY_CURRENT_CONFIG (HKCC): This hive contains information about the hardware configuration of the computer. It is used to store information about the devices that are installed on the computer, as well as the configuration settings for those devices.

Wireshark

Wireshark is a free and open-source packet analyzer. It is a tool that allows you to capture and analyze network traffic in order to troubleshoot network problems, examine security issues, and learn more about how networks work.

Wireshark uses a network protocol analyzer to capture and display packets in real-time. It supports a wide range of protocols and can decode and display the contents of the packets in a variety of formats. Wireshark also includes a wide range of filters and display options that allow you to focus on specific packets or types of traffic, and to view the data in a variety of formats.

Enumeration

System Enumeration

Check system information

Displays a list of details about the operating system, computer hardware and software components.

					 systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
					 

Check installed updates

Displays all installed Windows and software updates applied to that computer.

					 wmic qfe
wmic qfe get Caption, Description, HotFixID, InstalledOn
					 

List all drives in the machine

					 wmic logicaldisk get Caption
fsutil fsinfo drives
wmic logicaldisk get caption,description,providername
[Powershell] Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root
					 

List all env variables

Displays the current environment variable settings.

					 set
[Powershell] Get-ChildItem Env: | ft Key,Value
					 

List Architecture

					 ver
wmic os get osarchitecture
echo %PROCESSOR_ARCHITECTURE%
					 

List installed apps

					 wmic product get name, version, vendor
					 

List scheduled tasks

					 Schtasks /query /fo LIST /v
					 

List running services

					 net start
					 

List running processes

					 tasklist /SVC
					 

List installed device drivers

					 driverquery
					 

Query the registry for specific keys, values and/or data

Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.

					 reg query [Root]
Root:
    • HKLM = HKey_Local_machine (default)
    • HKCU = HKey_current_user
    • HKU  = HKey_users
    • HKCR = HKey_classes_root

					 
Scanning registry hives for the value password.
Internal recon, hunting for passwords in Windows registry. 
The Windows registry often stores clear-text or encoded passwords used by various applications.
					 reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
					 

List GPO settings (Group Policy Discovery)

					 gpresult /Z
					 

User Enumeration

List current username

Displays a user name associated with the effective user ID.

					 whoami
hostname
set computername
echo %USERNAME%
[Powershell] $env:username
					 

Check current user privileges/groups

					 whoami /priv
whoami /groups
					 

List all users

					 net users
whoami /all
[Powershell] Get-LocalUser | ft Name,Enabled,LastLogon
[Powershell] Get-ChildItem C:\Users -Force | select Name
					 

Check account policies and password policies

					 net accounts
					 

View user information

Displays user account information.

					 net users %username%
					 

List all groups

Displays the name of the server and the names of local groups on the computer.

					 net localgroup
net localgroup Administrators
net group “Domain Controllers” /domain
net group “Domain Admins” /domain
net group “Enterprise Admins” /domain
net user /domain <UserName>
[Powershell] Get-LocalGroup | ft Name
[Powershell] Get-LocalGroupMember Administrators | ft Name, PrincipalSource
					 

View user domain

					 set userdomain
					 

List information about the configuration of the Server or Workstation

					 net config server
net config workstation
					 

Network Enumeration

List all network interfaces, IP, and DNS

Displays the full TCP/IP configuration for all adapters.

					 ipconfig /all
wmic nicconfig get description,IPAddress,MACaddress
[Powershell] Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
[Powershell] Get-DnsClientServerAddress -AddressFamily IPv4 | ft
					 

List Routing Table

Displays the entire contents of the IP routing table.

					 route print
netstat -nr
[Powershell] Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex
					 

List ARP table

Displays all ARP mapping entries.

					 arp -a
[Powershell] Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State
					 

List Network status

Displays active TCP connections, ports on which the computer is listening.

					 netstat -ano
					 

List network shares

Displays information about all of the resources that are shared on the local computer.

					 net share
					 

List all shared resources

Displays detailed information about the currently mapped drives and devices.

					net use
					

List Wi-Fi Credentials

					 
List available AP SSID
					 netsh wlan show profile
					 
Get the clear-text password use
					 netsh wlan show profile  key=clear
					 

Windows Firewall Enumeration

Displays Windows Firewall Rules

					netsh advfirewall firewall show rule name=all
					

Displays Current Profile Status

					netsh advfirewall show currentprofile
					

Displays programs that are allowed by the host

					netsh firewall show allowedprogram
				        

Displays status of firewall configurataions

					netsh firewall show config
					

Displays the location of the firewall logs

					netsh firewall show logging
					

List firewall's blocked ports

					[Powershell] $f=New-object -comObject HNetCfg.FwPolicy2;$f.rules |  where {$_.action -eq "0"} | select name,applicationname,localports
					

Defense Evasion

Windows Firewall Defense Evasion

Disable Windows firewall

Windows firewall can be enabled/disabled from command line using netsh command.

							 netsh firewall set opmode mode=DISABLE
netsh advfirewall set allprofiles state off
netsh advfirewall set currentprofile state off
							 

Delete Firewall Rules

							 netsh advfirewall firewall delete rule name=""
netsh advfirewall firewall delete rule name="Block Ports"
							 

Web Proxy Defense Evasion

Disable proxy for browsers

Overrides any proxy settings that are provided.

							 start chrome --no-proxy-server
start msedge --no-proxy-server
							 

Obfuscation

Base64

Base64 encoding is traditionally used to convert binary data to printable text characters. The Base64 encoding scheme is often used to hide the plaintext elements in the early stages of an attack that can't be concealed under the veil of encryption.

Common Base64 Encodings

btoa() and atob() Method

The atob (ASCII to binary) and btoa (binary to ASCII) methods transform content to and from the base64 encoding.
The atob() function decodes a string of data which has been encoded using Base64 encoding.
The btoa() function creates a Base64-encoded ASCII string from a binary string.

							 atob('aHR0cHM6Ly9vd2xpZnkueHl6')
btoa('owlify.xyz')
							 

HTML Entities

Adversary take advantage of HTML encoding to obfuscate payloads for client-side attacks, hiding them from any server-side defences that are in place.

Example

Powershell encoded command

Adversary commonly hide commands by encoding them using Base64.

							 powershell.exe -EncodedCommand %redacted base64%
cmd /c powershell.exe -nop -w hidden -encodedcommand %redacted base64%
							 

Example UTF-16 encoding

Example Gunzip

Commandline Obfuscation

Command obfuscation may render rule-based detection useless and can make both static and dynamic detection more difficult.

Environment variables:

Static detection could be bypassed.

							 set a=/c & set b=calc
cmd %a% %b%
							 

Double quotes:

Static and dynamic detection could be bypassed.

							 c""m"d"
							 

Carets:

Static detection could be bypassed.

							 n^e^t u^s^er
							 

Comma/semicolon:

Static and dynamic detection could be bypassed.

							 cmd,/c;hostname
							 

Frameworks

NIST vs SANS

The difference between the NIST and SANS frameworks lies in how they approach the phases of containment, eradication, and recovery in incident response:

NIST Perspective:

NIST considers containment, eradication, and recovery as interconnected components within a single step. Unlike SANS, NIST doesn't insist on containment before eradication. This approach could be advantageous for organizations with a lower tolerance for threats, where the immediate removal of threats is prioritized over understanding and containing them beforehand.

SANS Perspective:

SANS treats containment, eradication, and recovery as distinct and independent steps. According to SANS, containment should come before eradication. This methodology allows for a more structured approach to isolating the threat and preventing its spread before focusing on eliminating it.

In summary, NIST's approach integrates containment, eradication, and recovery as interconnected actions, potentially suited for organizations prioritizing threat removal. SANS, on the other hand, treats these steps separately, advocating for containment before eradication to ensure controlled response to threats. The choice between these perspectives depends on an organization's risk tolerance and preferred incident response strategy.

Incident Response Guide

1. Preparation:

• Employee Training: Ensuring staff are trained in their incident response roles and responsibilities in the event of a data breach. Well-prepared employees are less likely to make critical errors during an incident.

• Tabletop Exercises: Developing incident response tabletop exercises and conducting mock data breaches periodically to assess the effectiveness of the response plan. These exercises help identify gaps and refine the plan.

• Thorough Documentation: Creating a comprehensive incident response plan that thoroughly outlines the roles and responsibilities of all involved parties. This documentation serves as a guide during real incidents.

Testing and Training: Regularly testing the incident response plan through simulations to ensure that the team understands their roles and the necessary notifications to be made.

2. Identification:

• Incident Confirmation: Determine if a breach or incident has taken place, understanding that they can stem from diverse origins.

• Timing and Discovery: Establish the timing of the event and how it was detected. Identify who found it and through which means.

• Extent of Impact: Investigate whether other areas or systems have been affected and gauge the overall scope of the compromise.

• Operational Impact: Assess whether the incident is impacting regular operations.

• Source Identification: Strive to determine the source or point of entry through which the event occurred.

3. Containment:

• Preserving Evidence: Refrain from deleting data to maintain valuable evidence for understanding the breach origin and prevention planning.

• Preventing Spread: Isolate the breach to prevent further damage. Disconnect affected devices from the Internet if possible.

• Short-term and Long-term Strategies: Have both short-term and long-term containment strategies ready. A redundant system backup can aid in data restoration.

• Backup Strategies: Maintain redundant backups to facilitate data recovery and ensure compromised data isn't permanently lost.

• Enhanced Security Measures: Update and patch systems, review remote access protocols with mandatory multi-factor authentication, and strengthen all access credentials and passwords.

4. Eradication:

• Root Cause Elimination: Identify and eliminate the source of the breach, including securely removing all malware and traces of malicious activity.

• System Refortification: Harden the affected systems by implementing security measures, and apply necessary patches and updates to minimize vulnerabilities.

• Thoroughness: Whether conducted internally or by a third party, the eradication process must be meticulous. Leaving remnants of malware or vulnerabilities can lead to data loss and increased liability.

5. Recovery:

• System Restoration: Return affected systems and devices to production in a timely manner, prioritizing a secure and efficient restoration process.

• Security Measures: Ensure systems are patched, hardened, and thoroughly tested before they are brought back into the operational environment.

• Backup Restoration: Consider restoring systems from trusted backups to a known, clean state, reducing the risk of persistent malware.

• Monitoring and Safeguards: Define a monitoring period for affected systems, observing for any signs of anomalous activity or breaches. Implement tools like file integrity monitoring and intrusion detection/protection systems to prevent future occurrences.

6. Lessons Learned:

• After-Action Meeting: Convene an after-action meeting involving all Incident Response Team members to discuss insights gained from the data breach incident.

• Analysis and Documentation: Thoroughly analyze and document the incident details, identifying successes and areas needing improvement. These insights stem from both actual incidents and tabletop exercises.

• Plan Refinement: Identify strengths and weaknesses in the incident response plan and the organization's security posture. Utilize these findings to refine the response plan and address vulnerabilities.

• Enhanced Training and Security: Determine necessary changes to security measures and employee training based on lessons learned. Focus on rectifying weaknesses exploited by the breach.

• Prevention Strategies: Develop strategies to prevent a recurrence of a similar breach by implementing corrective actions and enhancing preventive measures.

Ransomware Incident Response Guide

1. Preparation:

• Develop an incident response plan that includes specific procedures for ransomware incidents.

• Implement security measures like regular patching, network segmentation, and user training.

• Establish a backup strategy to ensure critical data and systems are regularly backed up and stored offline.

2. Identification:

• Monitor network traffic, system logs, and endpoint behavior.

• Quickly assess incoming alerts and prioritize them based on severity.

• Detect signs of potential ransomware activity, such as unusual encryption patterns or file changes.

• Analyze the attack vector and vulnerabilities exploited by the ransomware.

• Determine the ransomware variant to understand its behavior and capabilities.

3. Containment:

• Isolate affected systems from the network to prevent further ransomware spread.

• Identify the extent of the infection and determine which systems have been compromised.

• Reset passwords for compromised accounts to prevent unauthorized access and hinder the attacker's movement.

4. Eradication:

• Eliminate the source of the ransomware.

• Patch and update systems to prevent future infections through known vulnerabilities.

5. Recovery:

• Restore data and systems from clean backups, ensuring backups are free from malware.

• Implement additional security measures to reinforce the resilience of recovered systems.

6. Lessons Learned:

• Conduct a post-incident review to identify strengths and weaknesses in the response process.

• Update the incident response plan based on lessons learned from the incident.