Fundamentals

CIA triad

The CIA triad is a model for classifying the three main components of information security: confidentiality, integrity, and availability. These three components are often referred to as the "CIA triad" because they represent the core principles of information security.

Confidentiality

Confidentiality refers to the protection of information from unauthorized access or disclosure. It is important to ensure that only authorized individuals or systems can access sensitive information.

Confidentiality can be achieved through:
    • Encryption
    • Strong authentication systems

Integrity

Integrity refers to the accuracy and completeness of information, as well as the protection of information from unauthorized modification. It is important to ensure that information is not corrupted or altered in an unauthorized manner.

Integrity can be achieved through:
    • Hashing
    • Digital Signatures
    • Encryption
    • Digital certificates

Availability

Availability refers to the accessibility of information and systems. It is important to ensure that authorized users can access the information and systems they need when they need them.

Availability can be achieved through:
    • Redundancy
    • Backups

The CIA triad is a useful framework for understanding the key aspects of information security and for developing strategies to protect against various types of threats. By focusing on confidentiality, integrity, and availability, organizations can ensure that their sensitive information and systems are secure and available to authorized users.


Common Ports

Network ports are identified by a number, ranging from 0 to 65535. The most commonly used ports are assigned specific purposes by the Internet Assigned Numbers Authority (IANA). For example, port 80 is used for HTTP traffic, port 443 is used for HTTPS traffic, and port 25 is used for SMTP email traffic.


Cyber Kill Chain

The Cyber Kill Chain is a model that was developed by Lockheed Martin to describe the stages of a typical cyber attack. The model is designed to help organizations understand how an attack progresses, so that they can take steps to prevent or mitigate the attack at each stage.

The seven stages of the Cyber Kill Chain are as follows:

1. Reconnaissance: The attacker gathers information about the target organization and its systems, often through publicly available sources or through social engineering techniques.

2. Weaponization: The attacker prepares the payload (e.g., a malware or exploit) that will be used to attack the target.

3. Delivery: The attacker delivers the payload to the target, often through email attachments, infected websites, or other means of exploiting vulnerabilities.

4. Exploitation: The attacker takes advantage of a vulnerability in the target's systems to execute the payload.

5. Installation: The payload is installed on the target's systems, often in a way that is hidden from the user.

6. Command and control: The attacker establishes a means of communicating with and controlling the payload, often through a network connection.

7. Actions on objectives: The attacker carries out the objectives of the attack, such as stealing data or disrupting services.

Understanding the Cyber Kill Chain can help organizations identify and respond to attacks at each stage, and can help them develop strategies to prevent or mitigate the impact of future attacks.


DNS (Domain Name System)

The Domain Name System (DNS) is a hierarchical decentralized naming system for computers, services, or other resources connected to the internet or a private network. It is used to translate human-readable domain names, such as "google.com," into numerical IP addresses that computers can use to communicate with each other.

DNS consists of a hierarchy of servers that are responsible for mapping domain names to IP addresses. At the top of the hierarchy are the root servers, which direct queries to the correct top-level domain (TLD) servers. TLD servers in turn direct queries to the domain's authoritative name servers, which are responsible for mapping specific domain names to IP addresses.

DNS is an important infrastructure component of the internet, and it plays a critical role in enabling communication between computers and devices on the internet. Without DNS, users would have to remember the numerical IP addresses of websites and other resources, which would be difficult and inconvenient.

To use DNS, a domain owner must register their domain name and configure it with the appropriate DNS records, which specify the IP addresses and other information about the domain. When a user types a domain name into their web browser or sends an email to an address at a particular domain, the DNS system is used to resolve the domain name to the correct IP address and route the traffic to the appropriate destination.

4 types of DNS servers

1. DNS recursor (a.k.a DNS resolver)

The DNS resolver might be operated by an Internet Service Provider (ISP) or another third party such as Google Public DNS (8.8.8.8). The resolver starts by looking in its local cache; if the hostname is found there, it is resolved immediately. If not, the resolver queries one of the root DNS servers for the IP of the domain name.

2. Root nameserver

Root servers are DNS nameservers that operate in the root zone and they hold the locations of all the Top Level Domains (TLDs). These servers can directly answer queries for records stored or cached within the root zone, and they can also refer other requests to the appropriate Top Level Domain (TLD) server. The root name servers are a critical part of the Internet infrastructure because they are the first step in resolving human-readable host names into IP addresses that are used in communication between Internet hosts.
There are 13 logical root name servers specified, with logical names in the form of letter.root-servers.net, where letter ranges from a to m.


3. TLD nameserver

A TLD nameserver maintains information for all the domain names that share a common domain extension, such as .com, .net, or whatever comes after the last dot in a URL. For example, a .com TLD nameserver contains information for every website that ends in ‘.com’. If a user was searching for google.com, after receiving a response from a root nameserver, the recursive resolver would then send a query to a .com TLD nameserver, which would respond by pointing to the authoritative nameserver.

4. Authoritative nameserver

An authoritative name server provides the actual answer to your DNS queries, such as a mail server IP address or a web site IP address (A or AAAA address record). It provides original and definitive answers to DNS queries.


DNS record

A Domain Name System (DNS) record is a set of information that is stored in the DNS database and is used to map domain names to IP addresses and other resources. There are many different types of DNS records, each with a specific purpose. Some common types of DNS records include:

| Record type | Description |
|---|---|
| A | Maps domain names to IPv4 addresses |
| AAAA | Maps domain names to IPv6 addresses |
| NS (Name Server) | Provides a list of the authoritative name servers responsible for the domain |
| CNAME (Canonical Name) | Maps an alias name to a true or canonical domain name |
| MX (Mail Exchange) | Provides the domain names of mail servers that receive emails on behalf of a domain |
| TXT (Text) | Provides any type of descriptive information in text format, e.g. a Sender Policy Framework (SPF) record is a type of DNS TXT record that lists all the servers authorized to send emails from a particular domain |
| SRV (Service Record) | Specifies a host and port for specific services |
| SOA (Start of Authority) | Provides important details about a DNS zone; required for every DNS zone |
| PTR (Pointer Record) | Provides the domain name associated with an IP address |
| CAA (Certification Authority Authorization) | Allows a DNS domain name holder to specify one or more Certification Authorities (CAs) authorized to issue certificates for that domain |

DNS records are an important part of the infrastructure of the internet, and they are used to enable communication between devices and systems on the internet. By configuring DNS records, domain owners can specify how traffic should be routed to their domain, and they can control how their domain is accessed and used.


Email Security

Domain-based Message Authentication Reporting and Conformance (DMARC)

Domain-based Message Authentication Reporting and Conformance (DMARC) is an email authentication protocol that is designed to detect and prevent email spoofing. DMARC works by allowing a domain owner to publish a policy in the Domain Name System (DNS) that specifies which mechanisms are used to authenticate email sent from their domain, and how receiving mail servers should handle email that fails authentication.

When an email is received, the receiving mail server can check the DMARC policy of the domain that the email claims to be from. If the email fails authentication using the mechanisms specified in the DMARC policy, the receiving server can take a number of actions, such as rejecting the email, quarantining the email, or flagging the email as potentially suspicious.

In addition to helping prevent email spoofing, DMARC can also help protect against spam and phishing attacks. By requiring email to be authenticated using mechanisms such as SPF (Sender Policy Framework) or DKIM (DomainKeys Identified Mail), DMARC can help ensure that only legitimate email is sent from a domain.

DMARC uses DKIM and SPF to verify the legitimacy of an email's From address and quarantines or rejects email based on what it finds. For SPF alignment, DMARC looks at the Return-Path of a message to make sure the domain there matches the domain in your From address. If the Return-Path domain doesn't match your From domain, those messages fail DMARC's SPF alignment test. DMARC checks DKIM alignment by matching the d= domain in the DKIM signature against the From domain. If the d= domain matches the From domain, the message passes DKIM alignment and DMARC validation.
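The alignment logic just described, as an added example that is not part of the original page: it parses a DMARC TXT record, checks SPF alignment (Return-Path domain vs From domain) and DKIM alignment (d= vs From domain), and returns the disposition the published policy asks for. The organizational-domain rule is a simplification (last two labels) since a real verifier consults the Public Suffix List; the record and message fields are constructed.

```python
from dataclasses import dataclass
from typing import Optional


def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; aspf=s' into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def organizational_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels (assumption; no Public Suffix List)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict alignment ('s') needs an exact match; relaxed ('r') accepts the same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


@dataclass
class AuthResult:
    from_domain: str             # domain of the RFC 5322 From: header
    return_path: Optional[str]   # domain of the Return-Path (envelope MAIL FROM), None if empty
    spf_pass: bool               # SPF result for the Return-Path domain
    dkim_d: Optional[str]        # d= tag of a DKIM signature that verified, if any
    dkim_pass: bool


def dmarc_evaluate(record: str, r: AuthResult) -> dict:
    """Combine SPF/DKIM results with alignment; DMARC passes if either identifier is aligned and passing."""
    tags = parse_dmarc_record(record)
    aspf = tags.get("aspf", "r")      # relaxed is the default for both alignment modes
    adkim = tags.get("adkim", "r")
    spf_aligned = bool(r.spf_pass and r.return_path and aligned(r.return_path, r.from_domain, aspf))
    dkim_aligned = bool(r.dkim_pass and r.dkim_d and aligned(r.dkim_d, r.from_domain, adkim))
    passed = spf_aligned or dkim_aligned
    policy = tags.get("p", "none")    # none / quarantine / reject, applied only on failure
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "result": "pass" if passed else "fail",
        "disposition": "none" if passed else policy,
    }
```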


Sender Policy Framework (SPF)

Sender Policy Framework (SPF) is an email authentication protocol that is designed to detect and prevent email spoofing. SPF works by allowing a domain owner to specify which mail servers are authorized to send email on behalf of their domain.

When an email is received, the receiving mail server can check the SPF record of the domain that the email claims to be from. If the server that sent the email is not listed in the SPF record, the email can be flagged as potentially suspicious or fraudulent.

To use SPF, a domain owner must publish an SPF record in the Domain Name System (DNS) for their domain. This record lists the servers that are authorized to send email for the domain, and it can be used by receiving mail servers to verify the authenticity of incoming email.

In addition to helping prevent email spoofing, SPF can also help protect against spam and phishing attacks. By limiting the servers that are authorized to send email for a domain, SPF can help ensure that only legitimate email is sent from that domain.


Specify the SPF version at the start of the record:
    v=spf1
Mechanisms for specifying authorised senders:

| Mechanism | Explanation |
|---|---|
| ALL | Matches always; used for a default result like -all for all IPs not matched by prior mechanisms. |
| IP4 | If the sender is in a given IPv4 address range, match. |
| IP6 | If the sender is in a given IPv6 address range, match. |
| MX | If the domain name has an MX record resolving to the sender's address, it will match. |
| A | If the domain name has an address record (A or AAAA) that can be resolved to the sender's address, it will match. |
| PTR | If the domain name (PTR record) for the client's address is in the given domain and that domain name resolves to the client's address (forward-confirmed reverse DNS), match. This mechanism is discouraged and should be avoided, if possible. |
| EXISTS | If the given domain name resolves to any address, match (no matter the address it resolves to). This is rarely used. Along with the SPF macro language it offers more complex matches like DNSBL queries. |
| INCLUDE | References the policy of another domain. If that domain's policy passes, this mechanism passes. However, if the included policy fails, processing continues. To fully delegate to another domain's policy, the redirect modifier must be used. |

Qualifiers (prefixed to a mechanism; they decide the result when that mechanism matches):

| Qualifier | Explanation |
|---|---|
| + | PASS - a match on the mechanism yields a pass; accept the mail. This is the default and can be omitted; e.g., +mx is the same as mx. |
| - | FAIL - a match yields a fail and the mail should be rejected; e.g., -all rejects anything not matched by an earlier mechanism. |
| ? | NEUTRAL - accept it; the result is interpreted like NONE (no policy). |
| ~ | SOFTFAIL - accept it, but mark it as 'suspicious'. |

Modifiers:

| Modifier | Explanation |
|---|---|
| exp=some.example.com | If an SMTP receiver rejects a message, it can include an explanation. An SPF publisher can specify the explanation string (ASCII) that senders see. This feature is rarely used. |
| redirect=some.example.com | Tells the receiving server to check the SPF record of some.example.com instead of the originating domain. |
Examples:

Allow the domain's MXs to send mail for the domain, prohibit all others (~all gives them a softfail):
    v=spf1 mx ~all

The domain sends no mail at all:
    v=spf1 -all

The domain allows all IP addresses on the internet to send mail. Though ‘valid’, this is not recommended:
    v=spf1 +all

Allow any IP address between 192.168.0.1 and 192.168.255.255:
    v=spf1 ip4:192.168.0.1/16 ~all

Allow the addresses in the current domain's own A/AAAA records:
    v=spf1 a ~all

Allow mail from the addresses in a specific domain's A/AAAA records:
    v=spf1 a:example.com ~all

Tells the receiving server to check the SPF record of _spf.google.com instead of the originating domain:
    v=spf1 redirect=_spf.google.com

Tells the receiving server to also consider the IP addresses listed in the SPF record of another domain (this is commonly set up in multi-domain organizations):
    v=spf1 include:_spf.google.com ~all
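An added example, not from the original page, that evaluates SPF records like the ones above the way a receiving server does: mechanisms are tried left to right, the qualifier of the first match decides the result, include only matches on an inner pass, redirect is followed only when nothing matched, and the RFC 7208 limit of 10 DNS-querying mechanisms is enforced. DNS is replaced by the constructed DNS table (example.com, _spf.partner.test and friends are made up); ptr and exists are deliberately left unsupported.

```python
import ipaddress
from typing import Optional

# Constructed stand-in for DNS: (name, record type) -> list of records.
DNS = {
    ("example.com", "TXT"): ["v=spf1 mx a:mail.example.com include:_spf.partner.test ~all"],
    ("example.com", "MX"): ["mx1.example.com"],
    ("mx1.example.com", "A"): ["203.0.113.10"],
    ("mail.example.com", "A"): ["203.0.113.20"],
    ("_spf.partner.test", "TXT"): ["v=spf1 ip4:198.51.100.0/24 -all"],
    ("redir.example.com", "TXT"): ["v=spf1 redirect=example.com"],
    ("nomail.example.com", "TXT"): ["v=spf1 -all"],
}
MAX_LOOKUPS = 10  # RFC 7208: more than 10 DNS-querying mechanisms/modifiers is a permerror
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name: str, rtype: str) -> list:
    return DNS.get((name.lower(), rtype), [])


def spf_record(domain: str) -> Optional[str]:
    """Exactly one v=spf1 TXT record is expected; zero (or several) means no usable policy."""
    recs = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None


def ip_in(ip, cidr: str) -> bool:
    # An IPv6 sender never matches an IPv4 network and vice versa.
    return ip in ipaddress.ip_network(cidr, strict=False)


def host_matches(ip, name: str, prefix: str) -> bool:
    """True if any A/AAAA record of `name` (optionally widened by /prefix) covers ip."""
    rtype = "A" if ip.version == 4 else "AAAA"
    return any(ip_in(ip, f"{addr}{prefix}") for addr in lookup(name, rtype))


def check_host(ip_str: str, domain: str, counter: Optional[list] = None) -> str:
    """Return pass/fail/softfail/neutral/none/permerror for sender ip_str claiming `domain`."""
    ip = ipaddress.ip_address(ip_str)
    counter = counter if counter is not None else [0]  # shared DNS-lookup budget
    record = spf_record(domain)
    if record is None:
        return "none"
    redirect = None
    for term in record.split()[1:]:
        term = term.lower()
        if term.startswith("redirect="):
            redirect = term.split("=", 1)[1]
            continue
        if term.startswith("exp="):
            continue  # explanation text does not affect the result
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        target, slash, plen = arg.partition("/")  # a:host/24 style CIDR widening
        prefix = f"/{plen}" if slash else ""
        if name in ("a", "mx", "include", "exists", "ptr"):
            counter[0] += 1
            if counter[0] > MAX_LOOKUPS:
                return "permerror"
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip_in(ip, arg)
        elif name == "a":
            matched = host_matches(ip, target or domain, prefix)
        elif name == "mx":
            matched = any(host_matches(ip, mx, prefix) for mx in lookup(target or domain, "MX"))
        elif name == "include":
            inner = check_host(ip_str, arg, counter)
            if inner == "permerror":
                return inner
            matched = inner == "pass"  # anything but pass means: keep evaluating here
        else:
            return "permerror"  # ptr/exists/unknown mechanism: not supported in this example
        if matched:
            return QUALIFIERS[qual]
    if redirect:  # only consulted when no mechanism (including all) matched
        counter[0] += 1
        return check_host(ip_str, redirect, counter)
    return "neutral"
```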

Domain Keys Identified Mail (DKIM)

Domain Keys Identified Mail (DKIM) is an email authentication protocol that is designed to detect and prevent email spoofing. DKIM works by allowing a domain owner to place a digital signature in the headers of their outbound email messages. The signature is used to verify the authenticity of the email, and it can be used to ensure that the email has not been modified in transit.

To use DKIM, a domain owner must generate a private key and a public key. The private key is used to sign the outbound email messages, and the public key is published in the Domain Name System (DNS) for the domain. When an email is received, the receiving mail server can use the public key to verify the authenticity of the email by checking the digital signature.

In addition to helping prevent email spoofing, DKIM can also help protect against spam and phishing attacks. By requiring email to be authenticated using a digital signature, DKIM can help ensure that only legitimate email is sent from a domain.

DKIM is an important tool for protecting against email fraud and abuse, and it is widely used by email service providers and other organizations to help ensure the security and integrity of email communication.


HTTP Status Codes

HTTP status codes are standardized numerical codes that are used to communicate the status of a HTTP request. HTTP (Hypertext Transfer Protocol) is a protocol for transferring data over the internet, and HTTP status codes are used to indicate the status of a request made using HTTP.

Some of the most commonly used HTTP status codes include:

200 OK: The request was successful and the requested information has been transmitted.

301 Moved Permanently: The requested resource has been moved to a new URL.

400 Bad Request: The request was invalid or could not be understood by the server.

401 Unauthorized: The request requires authentication in order to be processed.

404 Not Found: The requested resource could not be found.

Status code Meaning
#1xx Informational
100 Continue
101 Switching protocols
102 Processing
103 Early Hints
#2xx Successful
200 OK
201 Created
202 Accepted
203 Non-Authoritative Information
204 No Content
205 Reset Content
206 Partial Content
207 Multi-Status
208 Already Reported
226 IM Used
#3xx Redirection
300 Multiple Choices
301 Moved Permanently
302 Found
303 See Other
304 Not Modified
305 Use Proxy
306 Switch Proxy
307 Temporary Redirect
308 Permanent Redirect
#4xx Client Error
400 Bad Request
401 Unauthorized
402 Payment Required
403 Forbidden
404 Not Found
405 Method Not Allowed
406 Not Acceptable
407 Proxy Authentication Required
408 Request Timeout
409 Conflict
410 Gone
411 Length Required
412 Precondition Failed
413 Payload Too Large
414 URI Too Long
415 Unsupported Media Type
416 Range Not Satisfiable
417 Expectation Failed
418 I'm a Teapot
421 Misdirected Request
422 Unprocessable Entity
423 Locked
424 Failed Dependency
425 Too Early
426 Upgrade Required
428 Precondition Required
429 Too Many Requests
431 Request Header Fields Too Large
451 Unavailable For Legal Reasons
#5xx Server Error
500 Internal Server Error
501 Not Implemented
502 Bad Gateway
503 Service Unavailable
504 Gateway Timeout
505 HTTP Version Not Supported
506 Variant Also Negotiates
507 Insufficient Storage
508 Loop Detected
510 Not Extended
511 Network Authentication Required
598 Network read timeout error
599 Network connect timeout error

IPV4 Subnet

Subnetting is a way to divide a single network into smaller networks, or subnets, in order to increase security and efficiency.

An IPv4 subnet is identified by a network address and a subnet mask. The network address defines the range of IP addresses that are included in the subnet, and the subnet mask defines which portion of the IP address represents the network and which portion represents the host.

For example, consider the following IP address and subnet mask:

IP address: 192.168.1.100
Subnet mask: 255.255.255.0

The subnet mask of 255.255.255.0 indicates that the first three octets (192.168.1) represent the network portion of the IP address, and the fourth octet (100) represents the host portion. In this case, the subnet would include all IP addresses from 192.168.1.0 to 192.168.1.255.

| Prefix size | Network mask | # of IP addresses | # of usable IP addresses |
|---|---|---|---|
| /1 | 128.0.0.0 | 2,147,483,648 | 2,147,483,646 |
| /2 | 192.0.0.0 | 1,073,741,824 | 1,073,741,822 |
| /3 | 224.0.0.0 | 536,870,912 | 536,870,910 |
| /4 | 240.0.0.0 | 268,435,456 | 268,435,454 |
| /5 | 248.0.0.0 | 134,217,728 | 134,217,726 |
| /6 | 252.0.0.0 | 67,108,864 | 67,108,862 |
| /7 | 254.0.0.0 | 33,554,432 | 33,554,430 |
| Class A | | | |
| /8 | 255.0.0.0 | 16,777,216 | 16,777,214 |
| /9 | 255.128.0.0 | 8,388,608 | 8,388,606 |
| /10 | 255.192.0.0 | 4,194,304 | 4,194,302 |
| /11 | 255.224.0.0 | 2,097,152 | 2,097,150 |
| /12 | 255.240.0.0 | 1,048,576 | 1,048,574 |
| /13 | 255.248.0.0 | 524,288 | 524,286 |
| /14 | 255.252.0.0 | 262,144 | 262,142 |
| /15 | 255.254.0.0 | 131,072 | 131,070 |
| Class B | | | |
| /16 | 255.255.0.0 | 65,536 | 65,534 |
| /17 | 255.255.128.0 | 32,768 | 32,766 |
| /18 | 255.255.192.0 | 16,384 | 16,382 |
| /19 | 255.255.224.0 | 8,192 | 8,190 |
| /20 | 255.255.240.0 | 4,096 | 4,094 |
| /21 | 255.255.248.0 | 2,048 | 2,046 |
| /22 | 255.255.252.0 | 1,024 | 1,022 |
| /23 | 255.255.254.0 | 512 | 510 |
| Class C | | | |
| /24 | 255.255.255.0 | 256 | 254 |
| /25 | 255.255.255.128 | 128 | 126 |
| /26 | 255.255.255.192 | 64 | 62 |
| /27 | 255.255.255.224 | 32 | 30 |
| /28 | 255.255.255.240 | 16 | 14 |
| /29 | 255.255.255.248 | 8 | 6 |
| /30 | 255.255.255.252 | 4 | 2 |
| /31 | 255.255.255.254 | 2 | 0 |
| /32 | 255.255.255.255 | 1 | 0 |

Private IP addresses

Private IP addresses are IP addresses that are used for communication within a private network, such as a home or corporate network. They are not routed on the Internet and are not reachable from the outside. Private IP addresses are used to identify devices within a private network and to route traffic between devices.

Private IP addresses are often used in conjunction with Network Address Translation (NAT), which allows devices within a private network to communicate with the Internet using a single, shared public IP address. This allows multiple devices to share a single Internet connection and helps to conserve the limited pool of publicly routable IP addresses.

| Addresses | Description |
|---|---|
| 10.0.0.0 - 10.255.255.255 | Private IPv4 Addresses |
| 172.16.0.0 - 172.31.255.255 | Private IPv4 Addresses |
| 192.168.0.0 - 192.168.255.255 | Private IPv4 Addresses |
| 127.0.0.0 - 127.255.255.255 | Local Host |
| 169.254.0.0 - 169.254.255.255 | APIPA |

Special-purpose IPv4 address blocks in CIDR notation:

| Address block | Description |
|---|---|
| 0.0.0.0/8 | This network |
| 10.0.0.0/8 | Private IPv4 Address Block |
| 100.64.0.0/10 | Carrier-grade NAT |
| 127.0.0.0/8 | Loopback |
| 127.0.53.53 | Name collision occurrence |
| 169.254.0.0/16 | Link local |
| 172.16.0.0/12 | Private IPv4 Address Block |
| 192.0.0.0/24 | IETF protocol assignments |
| 192.0.2.0/24 | TEST-NET-1 |
| 192.168.0.0/16 | Private IPv4 Address Block |
| 198.18.0.0/15 | Network benchmark testing |
| 198.51.100.0/24 | TEST-NET-2 |
| 203.0.113.0/24 | TEST-NET-3 |
| 224.0.0.0/4 | Multicast |
| 240.0.0.0/4 | Reserved |
| 255.255.255.255/32 | Limited broadcast |
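An added example, not from the original page, covering both the subnet section and the special-purpose address table above: it does the mask arithmetic (network address, broadcast, address count and usable hosts, counting /31 and /32 as 0 like the table) with plain integer operations so the octet logic is visible, and classifies an address against the special-purpose blocks, with the most specific block winning. All addresses in the code are either from the table or constructed.

```python
def ip_to_int(ip: str) -> int:
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> int:
    """/24 -> 0xFFFFFF00, i.e. the leading `prefix` bits set."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def mask_to_prefix(mask: str) -> int:
    """Dotted mask -> prefix length; rejects masks whose 1-bits are not contiguous."""
    m = ip_to_int(mask)
    prefix = bin(m).count("1")
    if prefix_to_mask(prefix) != m:
        raise ValueError(f"non-contiguous mask: {mask}")
    return prefix


def subnet_info(ip: str, mask: str) -> dict:
    """Network/broadcast/usable-host figures for ip inside the subnet given by mask."""
    prefix = mask_to_prefix(mask)
    m = prefix_to_mask(prefix)
    net = ip_to_int(ip) & m                 # host bits cleared
    bcast = net | (~m & 0xFFFFFFFF)         # host bits set
    total = 1 << (32 - prefix)
    return {
        "prefix": prefix,
        "network": int_to_ip(net),
        "broadcast": int_to_ip(bcast),
        "addresses": total,
        "usable": max(total - 2, 0),        # network + broadcast removed; /31 and /32 -> 0 as in the table
        "host_part": ip_to_int(ip) & ~m & 0xFFFFFFFF,
    }


# Special-purpose IPv4 blocks taken from the table above.
SPECIAL_BLOCKS = [
    ("0.0.0.0/8", "This network"),
    ("10.0.0.0/8", "Private IPv4 Address Block"),
    ("100.64.0.0/10", "Carrier-grade NAT"),
    ("127.0.0.0/8", "Loopback"),
    ("169.254.0.0/16", "Link local"),
    ("172.16.0.0/12", "Private IPv4 Address Block"),
    ("192.0.0.0/24", "IETF protocol assignments"),
    ("192.0.2.0/24", "TEST-NET-1"),
    ("192.168.0.0/16", "Private IPv4 Address Block"),
    ("198.18.0.0/15", "Network benchmark testing"),
    ("198.51.100.0/24", "TEST-NET-2"),
    ("203.0.113.0/24", "TEST-NET-3"),
    ("224.0.0.0/4", "Multicast"),
    ("240.0.0.0/4", "Reserved"),
    ("255.255.255.255/32", "Limited broadcast"),
]


def in_cidr(ip: str, cidr: str) -> bool:
    base, plen = cidr.split("/")
    m = prefix_to_mask(int(plen))
    return ip_to_int(ip) & m == ip_to_int(base) & m


def classify(ip: str) -> str:
    """Longest-prefix match over SPECIAL_BLOCKS; anything unmatched is treated as public."""
    matches = [(int(c.split("/")[1]), d) for c, d in SPECIAL_BLOCKS if in_cidr(ip, c)]
    if not matches:
        return "Public (globally routable)"
    return max(matches)[1]


def is_private(ip: str) -> bool:
    return classify(ip) == "Private IPv4 Address Block"
```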

Private Information

Private information is any data or personal details that are intended to be kept confidential and are not meant to be shared with others without the owner's consent. Private information can include things like a person's name, address, phone number, date of birth, financial information, medical history, and other sensitive data. It is important to protect private information because it can be used for identity theft or other nefarious purposes if it falls into the wrong hands. It is generally recommended to be cautious about sharing private information online or with anyone you do not know or trust.

Types of private information:

PII stands for "Personally Identifiable Information." It is any information that can be used to identify a specific individual, such as their name, address, phone number, date of birth, social security number, or other personal details. PII is considered to be sensitive information because it can be used to locate, contact, or obtain information about an individual. As a result, it is important to protect PII and handle it with care to prevent it from being accessed or used without the owner's consent. There are also legal requirements in place in many countries that regulate the collection, use, and storage of PII, such as the General Data Protection Regulation (GDPR) in the European Union and the California Consumer Privacy Act (CCPA) in the United States.

PPI stands for "Personally Protected Information". It is a term that is sometimes used to refer to personal data that is considered to be sensitive or confidential, and that requires special protection in order to ensure the privacy and security of individuals. PPI may include information such as a person's name, address, phone number, date of birth, financial information, medical history, and other details that are considered to be private and should not be shared without the owner's consent. It is important to handle PPI with care and to take appropriate measures to protect it from unauthorized access or use. This may include measures such as encrypting data, using secure servers, and implementing other security measures to prevent data breaches or unauthorized access to PPI.

PHI stands for "Protected Health Information." It is any information that relates to a person's health, medical history, or treatment that is collected, used, or disclosed by a healthcare provider, health plan, or other covered entity in the course of providing healthcare services. PHI is considered to be sensitive information because it can reveal intimate details about a person's health and medical history, and it is protected by laws such as the Health Insurance Portability and Accountability Act (HIPAA) in the United States. HIPAA sets strict rules for how PHI can be collected, used, and disclosed, and it requires covered entities to implement appropriate safeguards to protect the privacy and security of PHI. HIPAA also gives individuals certain rights with regard to their PHI, such as the right to access, correct, and request restrictions on the use of their PHI.

PCI stands for "Payment Card Industry." PCI refers to a set of security standards that were developed by the major credit card companies (Visa, Mastercard, American Express, Discover, and JCB) to ensure the secure handling of credit card transactions and protect sensitive financial information. The PCI Data Security Standard (PCI DSS) is a set of requirements that apply to all organizations that accept, process, store, or transmit credit card information. It sets out guidelines for the secure handling of credit card data, including requirements for physical security, network security, access controls, and data protection. The PCI DSS is intended to help reduce the risk of credit card fraud and protect the security of sensitive financial information. Compliance with the PCI DSS is mandatory for all merchants and service providers that accept credit cards as a form of payment.


OSI Model

The OSI (Open Systems Interconnection) model is a framework for understanding how communication occurs between different systems in a network. It is a seven-layer model that represents the different stages of communication, from the physical connection between devices to the application layer where the actual communication takes place.

The OSI model is a useful tool for understanding how communication occurs in a network, and it helps to define the roles and responsibilities of the different layers of a networked system.

Types of Cyber Attacks on Each Layer of the OSI Model:

[image: types of cyber attacks on each layer of the OSI model]

Layer architecture (wikipedia)

| Group | Layer | Protocol data unit (PDU) | Function |
|---|---|---|---|
| Host layers | 7 Application | Data | High-level protocols such as for resource sharing or remote file access, e.g. HTTP. |
| Host layers | 6 Presentation | Data | Translation of data between a networking service and an application; including character encoding, data compression and encryption/decryption |
| Host layers | 5 Session | Data | Managing communication sessions, i.e., continuous exchange of information in the form of multiple back-and-forth transmissions between two nodes |
| Host layers | 4 Transport | Segment, Datagram | Reliable transmission of data segments between points on a network, including segmentation, acknowledgement and multiplexing |
| Media layers | 3 Network | Packet | Structuring and managing a multi-node network, including addressing, routing and traffic control |
| Media layers | 2 Data link | Frame | Transmission of data frames between two nodes connected by a physical layer |
| Media layers | 1 Physical | Bit, Symbol | Transmission and reception of raw bit streams over a physical medium |

NTLM

NTLM (NT LAN Manager) is a Microsoft authentication protocol that is used to provide secure network communication and to authenticate users in a Windows network environment. It is a challenge-response protocol that allows a client to prove its identity to a server, and it is typically used to authenticate users on a Windows domain.

NTLM uses hashed passwords and encrypted challenge-response exchanges to authenticate users, and it can also provide authentication for other protocols such as HTTP, FTP, and SMTP. NTLM is generally considered to be less secure than more modern authentication protocols, such as Kerberos, and it is generally recommended to use these newer protocols whenever possible.

The following diagram shows how the NTLM challenge-response flow works.

[image: NTLM authentication flow]


Kerberos

Kerberos is a network authentication protocol that is designed to provide secure communication over a non-secure network, such as the internet. It is named after the three-headed dog of Greek mythology that guarded the gates of the underworld.

In a Kerberos system, a client authenticates itself to a trusted third-party server known as the Key Distribution Center (KDC). The KDC issues a ticket-granting ticket (TGT) to the client, which the client can then use to request access to other resources on the network. These requests are made using service tickets, which are issued by the KDC and contain a cryptographic key that can be used to securely access the desired resource.

Kerberos is widely used in Windows and Linux operating systems, as well as in other networked systems such as Apache and OpenVPN. It is generally considered to be more secure than other authentication protocols, such as NTLM, because it uses strong encryption and does not transmit plaintext passwords over the network.


Kerberos Error Codes

Windows event log entries (for example the Kerberos authentication events on a domain controller) often contain the Kerberos failure codes listed below.

| Result code | Kerberos RFC description | Notes on common failure codes |
|---|---|---|
| 0x0 | No error | |
| 0x1 | Client's entry in database has expired | |
| 0x2 | Server's entry in database has expired | |
| 0x3 | Requested protocol version # not supported | |
| 0x4 | Client's key encrypted in old master key | |
| 0x5 | Server's key encrypted in old master key | |
| 0x6 | Client not found in Kerberos database | Bad user name, or new computer/user account has not replicated to DC yet |
| 0x7 | Server not found in Kerberos database | New computer account has not replicated yet or computer is pre-w2k |
| 0x8 | Multiple principal entries in database | |
| 0x9 | The client or server has a null key | Administrator should reset the password on the account |
| 0xA | Ticket not eligible for postdating | |
| 0xB | Requested start time is later than end time | |
| 0xC | KDC policy rejects request | Workstation restriction |
| 0xD | KDC cannot accommodate requested option | |
| 0xE | KDC has no support for encryption type | |
| 0xF | KDC has no support for checksum type | |
| 0x10 | KDC has no support for padata type | |
| 0x11 | KDC has no support for transited type | |
| 0x12 | Client's credentials have been revoked | Account disabled, expired, locked out, logon hours |
| 0x13 | Credentials for server have been revoked | |
| 0x14 | TGT has been revoked | |
| 0x15 | Client not yet valid - try again later | |
| 0x16 | Server not yet valid - try again later | |
| 0x17 | Password has expired | The user's password has expired |
| 0x18 | Pre-authentication information was invalid | Usually means bad password |
| 0x19 | Additional pre-authentication required* | |
| 0x1F | Integrity check on decrypted field failed | |
| 0x20 | Ticket expired | Frequently logged by computer accounts |
| 0x21 | Ticket not yet valid | |
| 0x22 | Request is a replay | |
| 0x23 | The ticket isn't for us | |
| 0x24 | Ticket and authenticator don't match | |
| 0x25 | Clock skew too great | Workstation's clock too far out of sync with the DC's |
| 0x26 | Incorrect net address | IP address change? |
| 0x27 | Protocol version mismatch | |
| 0x28 | Invalid msg type | |
| 0x29 | Message stream modified | |
| 0x2A | Message out of order | |
| 0x2C | Specified version of key is not available | |
| 0x2D | Service key not available | |
| 0x2E | Mutual authentication failed | May be a memory allocation failure |
| 0x2F | Incorrect message direction | |
| 0x30 | Alternative authentication method required* | |
| 0x31 | Incorrect sequence number in message | |
| 0x32 | Inappropriate type of checksum in message | |
| 0x3C | Generic error (description in e-text) | |
| 0x3D | Field is too long for this implementation | |
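An added example, not from the original page, showing how a defender would use the table above in detection: it parses Kerberos authentication events, maps each failure code to its meaning, and groups the results so that one source trying a bad password (0x18) against many distinct accounts, hosts with clock skew (0x25) and revoked accounts (0x12) stand out. The log lines are constructed in a simplified key=value form (not the exact Windows 4768/4771 event XML), and the account threshold is an assumption to tune per environment.

```python
import re
from collections import defaultdict

# Subset of the failure-code table above: code -> (RFC description, common meaning).
KRB_CODES = {
    0x06: ("Client not found in Kerberos database", "bad user name or account not yet replicated"),
    0x12: ("Client's credentials have been revoked", "account disabled, expired, locked out, logon hours"),
    0x17: ("Password has expired", "user's password has expired"),
    0x18: ("Pre-authentication information was invalid", "usually a bad password"),
    0x20: ("Ticket expired", "frequently logged by computer accounts"),
    0x25: ("Clock skew too great", "workstation clock out of sync with the DC"),
}

# 4771 (pre-auth failed) carries FailureCode, 4768 (TGT requested) carries ResultCode.
LINE_RE = re.compile(
    r"(?P<ts>\S+)\s+EventID=(?P<eid>\d+)\s+TargetUserName=(?P<user>\S+)\s+"
    r"IpAddress=(?P<ip>\S+)\s+(?:FailureCode|ResultCode)=(?P<code>0x[0-9A-Fa-f]+)"
)

# Constructed sample log (no real hosts or accounts).
SAMPLE_LOG = """\
2024-05-01T08:00:01Z EventID=4771 TargetUserName=alice IpAddress=10.0.0.5 FailureCode=0x18
2024-05-01T08:00:02Z EventID=4771 TargetUserName=bob IpAddress=10.0.0.5 FailureCode=0x18
2024-05-01T08:00:02Z EventID=4771 TargetUserName=carol IpAddress=10.0.0.5 FailureCode=0x18
2024-05-01T08:00:03Z EventID=4771 TargetUserName=dave IpAddress=10.0.0.5 FailureCode=0x18
2024-05-01T08:00:04Z EventID=4768 TargetUserName=ghost IpAddress=10.0.0.5 ResultCode=0x6
2024-05-01T08:01:00Z EventID=4771 TargetUserName=erin IpAddress=10.0.0.9 FailureCode=0x18
2024-05-01T08:02:00Z EventID=4768 TargetUserName=WS01$ IpAddress=10.0.0.31 ResultCode=0x25
2024-05-01T08:03:00Z EventID=4768 TargetUserName=frank IpAddress=10.0.0.12 ResultCode=0x12
2024-05-01T08:03:00Z EventID=4768 TargetUserName=ok IpAddress=10.0.0.12 ResultCode=0x0
"""


def parse_events(text: str) -> list:
    """Return one dict per recognised line, with the code converted to an int."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({**m.groupdict(), "code": int(m.group("code"), 16)})
    return events


def describe(code: int) -> str:
    desc, note = KRB_CODES.get(code, ("unknown/other code", ""))
    return f"0x{code:X} {desc}" + (f" ({note})" if note else "")


def triage(text: str, spray_min_accounts: int = 3) -> dict:
    """Count failures per code and flag sources with 0x18 against many distinct accounts."""
    events = parse_events(text)
    by_code = defaultdict(int)
    bad_pw_accounts = defaultdict(set)   # source IP -> accounts that got 0x18 from it
    skew_hosts, revoked = set(), set()
    for e in events:
        if e["code"] == 0x0:
            continue                     # successful request, nothing to triage
        by_code[e["code"]] += 1
        if e["code"] == 0x18:
            bad_pw_accounts[e["ip"]].add(e["user"])
        elif e["code"] == 0x25:
            skew_hosts.add(e["ip"])
        elif e["code"] == 0x12:
            revoked.add(e["user"])
    spray_sources = sorted(ip for ip, accts in bad_pw_accounts.items() if len(accts) >= spray_min_accounts)
    return {
        "summary": {describe(c): n for c, n in sorted(by_code.items())},
        "possible_password_spray": spray_sources,
        "clock_skew_hosts": sorted(skew_hosts),
        "revoked_accounts": sorted(revoked),
    }
```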

TCP vs UDP

Computer Networking Basics

The Internet is a network of connected devices. Each device, whether it's your smartphone or a server, communicates through the internet protocol suite. The internet protocol suite is a collection of different protocols, or methods, for devices to communicate with each other. Both TCP and UDP are major protocols within the internet protocol suite:


TCP: connection-oriented; header: 20 bytes; slower than UDP; used in high-reliability services. TCP is heavyweight: it requires three packets to set up a socket connection (three-way handshake: SYN - synchronize, SYN-ACK, ACK). TCP handles reliability and congestion control and uses acknowledgement segments.

UDP: connectionless; header: 8 bytes; faster than TCP; used in real-time services. UDP is lightweight: there is no message ordering, no connection tracking and no option for flow control (no three-way handshake), and no acknowledgements.

PARAMETER TCP UDP
Full Form Transmission Control Protocol User Datagram Protocol or Universal Datagram Protocol
Connection TCP is a connection-oriented protocol. UDP is a connectionless protocol.
Half-Closed connection TCP allows half closed connections Not applicable for UDP protocol
Function TCP carries a message across the internet from one computer to another over an established connection. UDP is also used for message transport, but it is not connection based: one program can send a batch of packets to another and that is the end of the relationship.
Usage TCP is suited for applications that require high reliability, and transmission time is relatively less critical. UDP is suitable for applications that need fast, efficient transmission, such as games. UDP's stateless nature is also useful for servers that answer small queries from huge numbers of clients.
Use by other protocols HTTP, HTTPs, FTP, SMTP, Telnet, SSH DNS, DHCP, TFTP, SNMP, RIP, VOIP, IPTV
Multiplexing & Demultiplexing Using TCP port number Using UDP port numbers
Ordering of data packets TCP rearranges data packets in the order specified. UDP has no inherent order as all packets are independent of each other. If ordering is required, it has to be managed by the application layer.
Speed of transfer The speed for TCP is slower than UDP. UDP is faster because error recovery is not attempted. It is a "best effort" protocol.
Reliability There is absolute guarantee that the data transferred remains intact and arrives in the same order in which it was sent. There is no guarantee that the messages or packets sent would reach at all.
Header Size TCP header size is 20 bytes UDP Header size is 8 bytes
Common Header Fields Source port, Destination port, Check Sum Source port, Destination port, Check Sum
Streaming of data Data is read as a byte stream, no distinguishing indications are transmitted to signal message (segment) boundaries. Packets are sent individually and are checked for integrity only if they arrive. Packets have definite boundaries which are honoured upon receipt, meaning a read operation at the receiver socket will yield an entire message as it was originally sent.
Weight TCP is heavy-weight. TCP requires three packets to set up a socket connection, before any user data can be sent. TCP handles reliability and congestion control. UDP is lightweight. There is no ordering of messages, no tracking connections, etc. It is a small transport layer designed on top of IP.
Data Flow Control TCP does Flow Control. TCP requires three packets to set up a socket connection, before any user data can be sent. TCP handles reliability and congestion control. UDP does not have an option for flow control
Error Checking TCP does error checking and error recovery. Erroneous packets are retransmitted from the source to the destination. UDP does error checking but simply discards erroneous packets. Error recovery is not attempted.
Fields TCP header fields:
1. Sequence number
2. ACK number
3. Data offset
4. Reserved
5. Control bits
6. Window
7. Urgent pointer
8. Options
9. Padding
10. Checksum
11. Source port
12. Destination port
UDP header fields:
1. Length
2. Source port
3. Destination port
4. Checksum
Acknowledgement Acknowledgement segments No Acknowledgment
Handshake SYN, SYN-ACK, ACK No handshake (connectionless protocol)
A three-way handshake

A three-way handshake is a method used in a TCP/IP network to create a connection between a local host/client and server.
A three-way handshake is also known as a TCP handshake or SYN-SYN-ACK, which requires both the client and server to exchange SYN (synchronization) and ACK (acknowledgment) packets before actual data communication begins.

image

Step 1: The client sends a SYN packet to the server to start establishing a connection
Step 2: The server receives the SYN packet from the client node and replies with a SYN/ACK
Step 3: Client node receives the SYN/ACK from the server and responds with an ACK packet


For UDP, no three-way handshake is necessary before transmitting data to the intended recipient. So, all or some of the data might arrive — and it may (or may not) arrive in the order as intended. As such, it’s often described as a “best effort.”

When does DNS use TCP?

DNS uses TCP port 53 for zone transfers (which keep zone data consistent across DNS servers) and UDP port 53 for name queries, both regular (forward) and reverse lookups. UDP is used to exchange small messages, whereas TCP must be used to exchange messages larger than 512 bytes.
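As an added example (not code from the original page), the framing difference in Python: the same query encoded once, the 2-byte length prefix that DNS over TCP requires, and the truncation (TC) bit that tells a resolver to retry a UDP query over TCP; the function names and the constructed responses are my own.

```python
"""DNS message framing over UDP and TCP (added example; not from the original page)."""
import struct
from typing import List, Optional

DNS_UDP_MAX = 512   # classic upper bound for a DNS message carried in one UDP datagram
QTYPE_A = 1
QTYPE_AXFR = 252    # full zone transfer; always carried over TCP
TC_FLAG = 0x0200    # "truncated" bit in the 16-bit header flags word


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0x1234) -> bytes:
    """Encode a minimal DNS query: 12-byte header, QNAME labels, QTYPE, QCLASS=IN."""
    flags = 0x0100  # RD (recursion desired), everything else clear
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def frame_for_tcp(msg: bytes) -> bytes:
    """Over TCP each DNS message is prefixed with a 2-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def unframe_from_tcp(stream: bytes) -> List[bytes]:
    """Split a TCP byte stream back into messages; TCP carries no datagram boundaries."""
    msgs = []
    pos = 0
    while pos + 2 <= len(stream):
        (length,) = struct.unpack("!H", stream[pos:pos + 2])
        if pos + 2 + length > len(stream):
            break  # incomplete trailing message; a real client would keep reading
        msgs.append(stream[pos + 2:pos + 2 + length])
        pos += 2 + length
    return msgs


def is_truncated(response: bytes) -> bool:
    """True when the server set TC: the UDP answer did not fit and must be refetched over TCP."""
    (flags,) = struct.unpack("!H", response[2:4])
    return bool(flags & TC_FLAG)


def choose_transport(query: bytes, qtype: int = QTYPE_A,
                     udp_response: Optional[bytes] = None) -> str:
    """Pick the transport the way a resolver does: TCP for zone transfers, for messages
    larger than 512 bytes, and after a truncated UDP reply; UDP otherwise."""
    if qtype == QTYPE_AXFR or len(query) > DNS_UDP_MAX:
        return "tcp"
    if udp_response is not None and is_truncated(udp_response):
        return "tcp"
    return "udp"


def sample_response(txid: int, truncated: bool) -> bytes:
    """Constructed response header (no records) used to exercise the TC check."""
    flags = 0x8180 | (TC_FLAG if truncated else 0)  # QR=1, RD=1, RA=1
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
```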


Types of Malware

Malware is short for "malicious software," and it refers to any software that is designed to harm or exploit a computer system. Malware can take many forms, including viruses, worms, trojan horses, ransomware, spyware, and adware.

Malware can be spread through a variety of means, including email attachments, infected websites, malicious software downloads, and infected removable media such as USB drives. Once it is installed on a computer, malware can perform a variety of malicious actions, such as deleting files, stealing sensitive information, corrupting data, and using the infected computer to attack other systems.

Type Description Real-World Example
Ransomware Disables victim's access to data until ransom is paid RYUK
Fileless Malware Makes changes to files that are native to the OS Astaroth
Spyware Collects user activity data without their knowledge DarkHotel
Adware Serves unwanted advertisements Fireball
Trojans Disguises itself as desirable code Emotet
Worms Spreads through a network by replicating itself Stuxnet
Virus Unlike worms, which are self-contained, viruses need to infect another program in order to operate. ILOVEYOU
Rootkits Gives hackers remote control of a victim's device Zacinlo
Keyloggers Monitors users' keystrokes Olympic Vision
Bots Launches a broad flood of attacks Echobot
Mobile Malware Infects mobile devices Triada
Exploits An exploit is a piece of software or data that opportunistically uses a defect in an operating system or an app to provide access to unauthorized actors. zero-day (0day)
Scareware Scareware tricks users into believing their computer is infected with a virus. Typically, a user will see scareware as a pop-up warning them that their system is infected. spysheriff
Malvertising Injects malicious code within digital ads. Difficult to detect by both internet users and publishers, these infected ads are usually served to consumers through legitimate advertising networks. Angler
Polymorphic Virus Type of malware that is programmed to repeatedly mutate its appearance or signature files through new decryption routines. Storm Worm

Utilities

Clear Network Cache

This will clear your DNS cache on Windows, release your IP address, and renew it.

ipconfig /flushdns
ipconfig /release
ipconfig /renew

Regex Cheat Sheet

Regex (short for "Regular Expression") is a special syntax or notation used to match patterns of characters in text. Regular expressions are often used in text processing and data manipulation tasks, such as search and replace operations, data validation, and data scraping.

A regular expression is a sequence of characters that defines a search pattern. It can be used to search for and match specific patterns in text, or to extract specific pieces of information from a larger body of text.

A quick reference guide for regular expressions (regex)

Expression Description Example
^ Matches the beginning of a line
^\w+
This is a string
$ Matches the end of a line
\w+$
This is a string
+ Matches the preceding character one or more times
i+
This is a string
. Wildcard represents any character
...
This is a string
* Matches the preceding character zero or more times (so .* matches everything)
.*
This is a string
| Matches either (OR)
This|string
This is a string
? Optional quantifier (matches the preceding character zero or one time)
https?
http://owlify.xyz
https://owlify.xyz
https??
http://owlify.xyz
https://owlify.xyz
? is greedy: https? matches "https" when the s is present
?? is lazy: https?? matches "http" and leaves the s unmatched
\s Matches any space, tab or newline character This is a string
\S+ Matches anything other than whitespaces This is a string
\d Matches any digits 0-9 This is 1 string
\D+ Matches anything other than digits This is 1 string
\w+ Matches any alphanumeric or underscore [a-zA-Z0-9_] This is a string
\W+ Matches anything that is not alphanumeric or underscore This is #1 string!
\b Marks the beginning or end of a word
\bis\b
This is a string
(...) Capture group (Matches everything enclosed)
(https?|ftp):\/\/([^\/\r\n]+)(\/[^\r\n]*)?
https://owlify.xyz/test
Group 1: "https"
Group 2: "owlify.xyz"
Group 3: "/test"
(?:...) Non-capture group (Matches everything enclosed)
(?:https?|ftp):\/\/([^\/\r\n]+)(\/[^\r\n]*)?
https://owlify.xyz/test
Group 1: "owlify.xyz"
Group 2: "/test"
[x] Character Classes/Sets (Matches a range of characters)
[0-9]+
This is 123 string
[a-zA-Z]+
This is 123 string
[^a-zA-Z]+
This is 123 string
{x} Matches exactly x number of times where x is a number
\b\d{6}\b
T123456
123456
654321
1234
[a-f0-9]{32}
d1a3acabd159ce5ec13af46a1cb30816
{x,y} Matches the preceding element between x and y times
[a-f0-9]{5,10}
12345
12345abcdefg
(?=) Positive lookahead
.*(?=string)
This is a string
(?<=) Positive Lookbehind
(?<=This).*
This is a string
(?<=x).*(?=y) Match all characters between 2 strings
(?<=This).*(?=string)
This is a string
(?!) Negative Lookahead
a(?!b)
aa ab ac ad ae af ag
Match all "a" that are not followed by a "b"
(?<!) Negative Lookbehind
(?<!a)b
debt cab bar back bad
Match all "b" that are not preceded by an "a"
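The cheat-sheet constructs applied to a constructed log in Python, as an added example that is not part of the original page: the page's capture-group URL pattern, the {x} and \b examples, lookbehind/lookahead, the greedy/lazy ? difference and a negative lookahead. The log lines, hosts and values are invented, and I add \s to the page's host and path classes so a match stops at the next log field.

```python
"""The regex cheat-sheet constructs applied to a constructed log (added example, not from the page)."""
import re
from typing import List, Tuple

# Constructed proxy-style log lines; users, hosts and values are invented for this example.
SAMPLE_LOG = """\
2024-01-05 10:02:11 alice GET https://owlify.xyz/test 200
2024-01-05 10:02:12 bob GET ftp://files.example.test/pub/readme.txt 200
2024-01-05 10:02:13 carol GET http://owlify.xyz 302
2024-01-05 10:02:14 dave POST hash=d1a3acabd159ce5ec13af46a1cb30816 ticket=T123456 ref=654321 400
"""

# The page's capture-group URL pattern, with \s added to the host and path classes so a match
# stops at the next log field instead of running to the end of the line (my adjustment).
URL_RE = re.compile(r"(https?|ftp)://([^/\s]+)(/[^\s]*)?")
HEX32_RE = re.compile(r"\b[a-f0-9]{32}\b")        # {x}: exactly 32 hex characters (MD5-length digest)
SIXDIGIT_RE = re.compile(r"\b\d{6}\b")            # \b keeps "T123456" from matching; "654321" does
TICKET_RE = re.compile(r"(?<=ticket=).*?(?=\s)")  # lookbehind + lazy .*? + lookahead


def extract_urls(text: str) -> List[Tuple[str, str, str]]:
    """Return (scheme, host, path) for every URL; group 3 is optional, so it may be None."""
    return [(m.group(1), m.group(2), m.group(3) or "") for m in URL_RE.finditer(text)]


def find_hashes(text: str) -> List[str]:
    return HEX32_RE.findall(text)


def find_six_digit_ids(text: str) -> List[str]:
    return SIXDIGIT_RE.findall(text)


def ticket_value(line: str) -> str:
    """Text between 'ticket=' and the next whitespace, without capturing either delimiter."""
    m = TICKET_RE.search(line)
    return m.group(0) if m else ""


def greedy_vs_lazy(url: str) -> Tuple[str, str]:
    """https? takes the optional 's' when present; https?? leaves it (lazy quantifier)."""
    return re.match(r"https?", url).group(0), re.match(r"https??", url).group(0)


def lines_not_ok(text: str) -> List[str]:
    """Negative lookahead: lines whose trailing status code is not 2xx (responses to triage)."""
    return [ln for ln in text.splitlines() if re.search(r" (?!2\d\d)\d{3}$", ln)]
```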

Useful Linux Commands

image

Useful Linux command-line utilities

image image

Useful Windows Commands

image

Useful Windows command-line utilities

FINDSTR

findstr is a built-in tool of the Windows operating system that you may run from the command line to find text in files or in command-line outputs.

Parameters Description
/B Matches pattern if at the beginning of a line
/E Matches pattern if at the end of a line
/L Uses search strings literally
/R Uses search strings as regular expressions
/S Searches for matching files in the current directory and all subdirectories
/I Specifies that the search is not to be case-sensitive
/X Prints lines that match exactly
/V Prints only lines that do not contain a match
/N Prints the line number before each line that matches
/M Prints only the filename if a file contains a match
/O Prints character offset before each matching line
/P Skips files with non-printable characters
/F:file Reads file list from the specified file
/C:string Uses specified string as a literal search string
/G:file Gets search strings from the specified file
/D:dir Searches a semicolon-delimited list of directories
strings Text to be searched for
[drive:][path]filename Specifies a file or files to search

For example:

netstat | findstr "8.8.4.4"

findstr /c:"windows 10" file.txt -- Searches the document file.txt for the string "windows 10"

findstr "windows" c:\documents\*.* -- Searches any file under c:\documents for the string "windows"

findstr /s /i Windows *.* -- Searches every file in the current directory and all subdirectories for the word Windows ignoring letter case

findstr /g:criteria.txt /f:filelist.txt > results.out -- Uses the search strings in criteria.txt to search the files listed in filelist.txt, writing the results to results.out

findstr /g:"test.txt" "test2.txt" -- Compares the contents of two files and prints the lines of test2.txt that contain a string from test.txt

Vim text editor

image

Threat Hunt

Default Windows Processes

Knowing what’s normal on a Windows host helps cut through the noise to quickly locate potential malware. Use the information below as a reference to know what’s normal in Windows and to focus your attention on the outliers.
When searching for malicious processes, look for any of these anomalous characteristics:
    • Started with the wrong parent process
    • Image executable is located in the wrong path
    • Misspelled processes
    • Processes that are running under the wrong account (incorrect SID)
    • Processes with unusual start times (i.e., starts minutes or hours after boot when it should be within seconds of boot)
    • Unusual command-line arguments
    • Packed executables

image

Process view on a Windows 10 machine



Process Process name Description
Alg.exe Application Layer Gateway Service This process is used for Internet connection sharing (ICS) and firewall. If you end this program using the Task Manager, you will lose all Internet connectivity until your next system restart or login.
Audiodg.exe Windows Audio Device Graph Isolation This process is the audio component for Windows Vista/7/8/10. It prevents other software applications from modifying or changing audio content or plug-in enhancements.
Csrss.exe Client Server Runtime Process The csrss.exe process is an important part of the Windows operating system. This file is responsible for console windows and the shutdown process, which are critical functions in Windows. Csrss is also responsible for creating and/or deleting threads and implementing some portions of the 16-bit virtual MS-DOS environment.
Ctfmon.exe Alternative User Input Text Input Processor for Office Ctfmon.exe controls Alternative User Input and the Office Language bar. It monitors active windows and provides text input service support for speech recognition, handwriting recognition, keyboard translation, and other alternate user input forms. In fact, this file is how you can control the computer via speech or a pen tablet, or using the onscreen keyboard inputs for Asian languages.
Dllhost.exe DCOM DLL host process Dllhost.exe is a host for DLL files and binary executables. The COM+ hosting process controls processes in Internet Information Services (IIS) and is used by many programs. There can be multiple instances of the DLLhost.exe process running. Dllhost.exe is typically safe as long as the computer is up to date on all security patches and a reliable antivirus is installed.
Dwm.exe Microsoft Desktop Window Manager Dwm.exe is a compositing window manager that renders all those pretty effects in Windows: transparent windows, live taskbar thumbnails, and even high resolution monitor support. In other words, dwm is responsible for the graphical effects such as live window previews and a glass-like frame around windows (Aero Glass or Windows Aero), without draining the CPU.
Explorer.exe Windows Explorer This is the user shell, which we see as the familiar taskbar, desktop, file manager and other user interface features. Explorer.exe is a Windows process that is run automatically at startup and remains an active process.
This Graphical Shell component is responsible for displaying a user-friendly interface that allows access, copy, delete, cut, and perform other actions with files located on the system, as well as connected networks.
LogonUI.exe Windows Logon User Interface Logonui.exe is a legitimate file that is used for facilitating user login into a PC. LogonUI.exe implements the graphical user interface shown when a user is asked to log in to the local machine.
Lsass.exe Local security authentication server Lsass.exe is the Local Security Authority Subsystem Service. It has the file description LSA shell. This file verifies the validity of user logons to your PC or server. Lsass generates the process responsible for authenticating users for the Winlogon service. So, Lsass.exe is a crucial component of Microsoft Windows security policies, domain authentication, and Active Directory management on the computer.
Lsm.exe Local Session Manager Service LSM is the Local Session Manager Service in Microsoft Windows. The purpose of the genuine lsm.exe process is to manage all connections related to a server. Lsm.exe is considered a section of core Windows functionality. This key process runs by default on Windows 7, Windows 8 and Windows 10.
msdt.exe Microsoft Diagnostic Troubleshooting Wizard msdt.exe is the executable of the Diagnostics Troubleshooting Wizard, which ships with the Microsoft Windows operating system.
The Microsoft Support Diagnostic Tool (MSDT) collects information to send to Microsoft Support. Microsoft Support will then analyze this information and use it to determine the resolution to any problems that you may be experiencing on your computer.
Rundll32.exe Run a DLL as an App This program is part of Windows, and is used to run program code in DLL files as if they were within the actual program. Since there’s no way to directly launch a DLL file, the rundll32.exe application is simply used to launch functionality stored in shared .dll files. This file is also commonly used by spyware to launch its own malicious code.
RuntimeBroker.exe Runtime Broker Runtime Broker is a Windows process in Task Manager that helps manage permissions on your PC for apps from Microsoft Store.
Services.exe Services and Controller app This is the Services Control Manager, which is responsible for running, ending, and interacting with system services. Use this program to start services, stop them, or change their default from automatic to manual startup. This process also deals with the automatic starting of services during the computer's boot-up and the stopping of services during shut-down. This program should not be terminated because it is a system process that is needed for your PC to work properly.
Smss.exe Session Manager Subsystem This is the session manager subsystem, which is responsible for starting the user session. This process is initiated by the main system thread and is responsible for various activities, including launching the Winlogon and Win32 (Csrss.exe) processes, and setting system variables. After it has launched these processes, it waits for either Winlogon or Csrss to end. If this happens normally, the system shuts down; if it happens unexpectedly, Smss.exe causes the system to stop responding (hang).
Spoolsv.exe Print+Fax Spooler The spooler service is responsible for managing spooled print/fax jobs. Spooling allows you to print in the background without your computer being tied up. Spoolsv.exe is an executable file that runs the Print Spooler Service, a process that caches printing jobs into system memory as images. When you print something, the print job is sent to the print spooler, which is responsible for handing it off to the printer.
This process should normally not use many of your computer’s resources but this process sometimes takes a huge amount of system resources as processing different file formats into an image suitable for printing often takes time and a lot of memory.
Svchost.exe Service Host This file is an integral part of Windows OS. It cannot be stopped or restarted manually. Windows uses svchost.exe files to launch the DLLs (dynamic-link libraries) that help Windows processes run efficiently. This process manages system services (like Automatic Updates, Windows Firewall, Plug and Play, Windows Themes and many more) that run from .dll files.
At startup, Svchost.exe checks the services portion of the registry and constructs a list of services that it needs to load. Under normal conditions, multiple instances of Svchost.exe will be running simultaneously.
If this process uses high CPU, it is usually because the "Automatic Updates" service is downloading a new Windows update. However, if the process sits at 99% or 100% CPU, the downloads could also be caused by hidden malware on your computer.
System System process The "system" process is an executable file on your computer's hard drive. This file contains machine code. The "system" process is responsible for the system memory and compressed memory in the NT kernel. This system process is a single thread running on each processor. It is the host of all kinds of drivers (network, disk, USB).
In Windows 10, this system process has an additional task: it compresses old pages of memory so that you have more free memory to use. Non-system processes like [system process] originate from software you installed on your system. Since most applications store data on your hard disk and in your system's registry, it is likely that your computer has suffered fragmentation and accumulated invalid entries, which can affect your PC's performance.
When the Windows OS starts on a PC, the commands contained in the "system" process are executed. For this purpose, the file is loaded into main memory (RAM) and runs there as a "System Idle Process" (also called a task).
taskhostw.exe Task Host for Windows Taskhostw.exe is a Windows operating system file. The main function of taskhostw.exe is to start the Windows Services based on DLLs whenever the computer boots up. It is a host for processes that are responsible for executing a DLL rather than an .exe (executable) file.
Userinit.exe Userinit Logon Application file The userinit.exe is a program that is launched directly after a user logs into Windows. This program restores your profile, fonts, colors, etc. for your username. This startup is a required and important system file for Windows.
Winlogon.exe Windows Logon Application The winlogon.exe process is a critical part of the Windows operating system. This process runs in the background. Winlogon is a part of the Windows Login subsystem, and is necessary for user authorization and Windows activation checks.
When you sign in, the winlogon.exe process is responsible for loading your user profile into the registry. This allows programs to use the keys under HKEY_CURRENT_USER, which are different for each Windows user account. The Windows Logon also is responsible for locking your PC and starting screen savers after a period of inactivity.
wininit.exe Windows Initialization WinInit.exe is a Windows system process that is started during the system startup phase by another process, smss.exe. Wininit itself runs processes like services.exe to start services, lsass.exe, lsm.exe, winlogon.exe - in other words, other system processes that prepare the system for operation and login.
Winmgmt.exe Windows Management Instrumentation (WMI) Winmgmt.exe is a core component of client management in Windows that provides management information and control in an enterprise environment. The WMI service automatically starts when the first management application or script requests connection to a WMI namespace. Winmgmt is the WMI service within the SVCHOST process running under the “LocalSystem” account. Administrators can employ WMI to query and set information on desktop systems, applications, networks and other enterprise components.
Wmiprvse.exe Windows Management Instrumentation The wmiprvse.exe process is the WMI Provider host. It’s a part of what’s known as the Windows Management Instrumentation (WMI) component within Microsoft Windows that provides management information and control in an enterprise environment. In other words, the WMI Provider Host process allows other applications on your computer to request information about your system. The wmiprvse.exe process runs alongside the WMI core process, WinMgmt.exe. Multiple instances of Wmiprvse.exe can run at the same time under different accounts: LocalSystem, NetworkService or LocalService. The WMI core WinMgmt.exe is loaded into the shared Local Service host named Svchost.exe.

Ransomware Encrypted File Extensions List

File extension Description
micro TeslaCrypt 3.0 ransomware encrypted data
zepto Locky ransomware affected data
cerber Cerber ransomware affected data
locky Locky ransomware affected data
cerber3 Cerber 3 ransomware affected data
cryp1 CryptXXX ransomware affected data
mole CryptoMix (variant) ransomware affected data
onion Dharma ransomware affected data
axx AxCrypt encrypted data
osiris Locky (variant) ransomware affected data
crypz CryptXXX ransomware affected data
crypt Scatter ransomware affected data
locked Various ransomware affected data
odin Locky ransomware affected file
ccc TeslaCrypt or Cryptowall encrypted data
cerber2 Cerber 2 ransomware affected file
sage Sage ransomware affected data
globe Globe ransomware affected file
exx Alpha Crypt encrypted file
good Scatter ransomware affected file
wallet Globe 3 (variant) ransomware affected file
1txt Enigma ransomware affected file
decrypt2017 Globe 3 ransomware affected file
encrypt Alpha ransomware affected file
ezz Alpha Crypt virus encrypted data
zzzzz Locky ransomware affected file
MERRY Merry X-Mas ransomware affected file
enciphered Malware (ransomware) encoded file
r5a 7ev3n ransomware affected file
aesir Locky ransomware affected file
ecc Cryptolocker or TeslaCrypt virus encrypted file
enigma Coverton ransomware affected file
cryptowall Encrypted file by Cryptowall ransomware
encrypted Various ransomware affected file
loli LOLI RanSomeWare ransomware affected file
breaking_bad Files1147[@]gmail[.]com ransomware affected data
coded Anubis ransomware affected file
ha3 El-Polocker affected file
damage Damage ransomware affected file
wcry WannaCry ransomware affected file
lol! GPCode ransomware affected file
cryptolocker CryptoLocker encrypted file
dharma CrySiS ransomware affected file
MRCR1 Merry X-Mas ransomware affected file
sexy PayDay ransomware affected files
crjoker CryptoJoker ransomware affected file
fantom Fantom ransomware affected file
keybtc[@]inbox_com KeyBTC ransomware affected file
rrk Radamant v2 ransomware affected file
legion Legion ransomware affected file
kratos KratosCrypt ransomware affected file
LeChiffre LeChiffre ransomware affected file
kraken Rakhni ransomware affected file
zcrypt ZCRYPT ransomware affected file
maya HiddenTear (variant) ransomware affected file
enc TorrentLocker ransomware affected file
file0locked Evil ransomware affected file
crinf DecryptorMax or CryptInfinite ransomware affected file
serp Serpent (variant) ransomware affected file
potato Potato ransomware affected file
ytbl Troldesh (variant) ransomware affected file
surprise Surprise ransomware affected file
angelamerkel Angela Merkel ransomware affected file
windows10 Shade ransomware affected file
lesli CryptoMix ransomware affected file
serpent Serpent ransomware affected file
PEGS1 Merry X-Mas ransomware affected file
dale Chip ransomware affected file
pdcr PadCrypt Ransomware script
zzz TeslaCrypt ransomware encrypted file
xyz TeslaCrypt ransomware encrypted file
1cbu1 Princess Locker ransomware affected file
venusf Venus Locker ransomware affected file
coverton Coverton ransomware affected file
thor Locky ransomware affected file
rnsmwr Gremit ransomware affected file
evillock Evil-JS (variant) ransomware affected file
R16m01d05 Ransomware affected data
wflx WildFire ransomware affected file
nuclear55 Nuke ransomware affected file
darkness Rakhni ransomware affected file
encr FileLocker ransomware affected file
rekt HiddenTear (variant) ransomware affected file
kernel_time KeRanger OS X ransomware
zyklon ZYKLON ransomware affected file
Dexter Troldesh (variant) ransomware affected file
locklock LockLock ransomware affected file
cry CryLocker ransomware affected file
VforVendetta Samsam (variant) ransomware affected file
btc Jigsaw Ransomware affected file
raid10 Globe [variant] ransomware affected file
dCrypt DummyLocker ransomware affected file
zorro Zorro ransomware affected file
AngleWare HiddenTear/MafiaWare (variant) ransomware affected file
EnCiPhErEd Xorist Ransomware affected file
purge Globe ransomware affected file
realfs0ciety[@]sigaint[.]org[.]fs0ciety Fsociety ransomware affected file
shit Locky ransomware affected file
atlas Atlas ransomware affected file
exotic Exotic ransomware affected file
crypted Nemucod ransomware affected file
padcrypt PadCrypt ransomware affected file
xxx TeslaCrypt 3.0 ransomware encrypted file
hush Jigsaw ransomware affected file
bin Alpha/Alfa ransomware affected file
vbransom VBRansom 7 ransomware affected file
RMCM1 Merry X-Mas ransomware affected file
cryeye DoubleLocker ransomware affected data
unavailable Al-Namrood ransomware affected file
braincrypt Braincrypt ransomware affected file
fucked Manifestus ransomware affected file
crypte Jigsaw (variant) ransomware affected file
_AiraCropEncrypted AiraCrop Ransomware affected file
stn Satan ransomware affected file
paym Jigsaw Ransomware affected file
spora Spora ransomware affected file
dll FSociety ransomware affected file
RARE1 Merry X-Mas ransomware affected file
alcatraz Alcatraz Locker ransomware affected file
pzdc Scatter ransomware affected file
aaa TeslaCrypt ransomware encrypted file
encrypted Donald Trump ransomware affected file
ttt TeslaCrypt 3.0 ransomware encrypted file
odcodc ODCODC ransomware affected file
vvv TeslaCrypt 3.0 ransomware encrypted file
ruby Ruby ransomware affected file
pays Jigsaw Ransomware affected file
comrade Comrade ransomware affected file
enc Cryptorium ransomware affected file
abc TeslaCrypt ransomware encrypted file
xxx help_dcfile ransomware affected file
antihacker2017 Xorist (variant) Ransomware affected file
herbst Herbst ransomware affected file
szf SZFLocker ransomware affected file
rekt RektLocker ransomware affected file
bript BadEncriptor ransomware affected file
crptrgr CryptoRoger ransomware affected file
kkk Jigsaw Ransomware affected file
rdm Radamant ransomware affected file
BarRax BarRax (HiddenTear variant) ransomware affected file
vindows Vindows Locker ransomware affected file
helpmeencedfiles Samas/SamSam ransomware affected file
hnumkhotep Globe 3 ransomware affected file
CCCRRRPPP Unlock92 ransomware affected file
kyra Globe ransomware affected file
fun Jigsaw Ransomware affected file
rip KillLocker ransomware affected file
73i87A Xorist Ransomware affected file
bitstak Bitstak ransomware affected file
kernel_complete KeRanger OS X ransomware file
payrms Jigsaw Ransomware affected file
a5zfn Alma Locker ransomware affected file
perl Bart ransomware affected file
noproblemwedecfiles Samas/SamSam ransomware affected file
lcked Jigsaw (variant) ransomware affected file
p5tkjw Xorist Ransomware affected file
paymst Jigsaw Ransomware affected file
magic Magic ransomware affected file
payms Jigsaw Ransomware affected file
d4nk PyL33T ransomware affected file
SecureCrypted Apocalypse ransomware affected file
paymts Jigsaw Ransomware affected file
kostya Kostya ransomware affected file
lovewindows Globe (variant) ransomware affected file
madebyadam Roga ransomware affected file
powerfulldecrypt Samas/SamSam ransomware affected file
gefickt Jigsaw (variant) ransomware affected file
kernel_pid KeRanger OS X ransomware file
ifuckedyou SerbRansom ransomware affected file
grt Karmen HiddenTear (variant) ransomware affected file
conficker Conficker ransomware affected file
edgel EdgeLocker ransomware affected file
PoAr2w Xorist Ransomware affected file
oops Marlboro ransomware affected file
adk Angry Duck ransomware affected file
encrypted KeRanger OS X ransomware affected file
Whereisyourfiles Samas/SamSam ransomware affected file
czvxce Coverton ransomware affected file
theworldisyours Samas/SamSam ransomware affected file
info PizzaCrypts Ransomware affected file
razy Razy ransomware affected file
rmd Zeta ransomware affected file
fun Jigsaw (variant) ransomware affected file
kimcilware KimcilWare ransomware affected file
paymrss Jigsaw Ransomware affected file
dxxd DXXD ransomware affected file
pec PEC 2017 ransomware affected file
rokku Rokku ransomware affected file
lock93 Lock93 ransomware affected file
vxlock vxLock ransomware affected file
pubg PUBG ransomware affected data
crab GandCrab ransomware affected data

svchost

Svchost.exe (Service Host) is a generic host process name for services that run on Windows operating systems. It is responsible for running many of the background services that are necessary for the operating system and other programs to function properly.

There can be multiple instances of the Service Host process running at the same time, each one hosting one or more services.

Why are there so many Service Host processes running?

When you start a Windows computer, multiple instances of Svchost.exe are usually launched, each one hosting one or more services. This allows the operating system to manage the services more efficiently by running them in a separate process, rather than as individual programs.

It is normal for there to be multiple Service Host processes running on a Windows computer. These processes are responsible for running many of the background services that are necessary for the operating system and other programs to function properly. Some examples of services that might be hosted by a Service Host process include the Windows Update service, the Network Location Awareness service, and the Remote Procedure Call (RPC) service.

Since it is normal to see many svchost.exe processes in the background, some malicious programs take advantage of the confusion and masquerade as a legitimate svchost.exe process. The genuine svchost.exe is located in the C:\Windows\System32 folder; any file named “svchost.exe” located in another folder can be considered malware. Determining the image path of a process and its invoking command line can help identify software masquerading in this way, and help locate the actual program file running under the assumed name “svchost.exe” (Windows allows multiple processes to display the same name). Other malware instead injects a .dll file into the authentic svchost process, for example the Win32/Conficker worm.

image

If we take a look at one of the running “svchost.exe” instances and check its command line, we’ll see something similar to the following:

image

This instance is hosting four services.

The "-k" flag

In this example, the “svchost.exe” process was started with the "-k UnistackSvcGroup" parameter. The process looks this group name up under the following registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost

It locates the value whose name matches the parameter entry "UnistackSvcGroup" and reads it. This value contains the names of the services that will be loaded and run within the context of that svchost.exe instance.

image

The "-s" flag

The “svchost.exe” process can also be used with the “-s” flag.

image

When the “-s” flag is used together with the "-k" flag, it tells the “svchost.exe” process to load only a single named service from the specified group. In this example, only "WpnUserService" is loaded from the "UnistackSvcGroup" group.


SIGMA Rule

Sigma is a tool that allows you to create rules to identify patterns in log events. It is named after the Greek letter Sigma (Σ), which is often used to represent the sum of a series of numbers or the standard deviation of a set of data in statistics. Sigma is designed to be used with a variety of different log sources, including system logs, network logs, and security logs.

Sigma rules are written in a specialized language that allows you to specify the patterns that you want to identify in log events. Once you have created your Sigma rules, you can use them to scan log files for specific patterns or to generate alerts when certain patterns are detected.

Sigma is often used in conjunction with other security tools, such as Snort, which is a network intrusion detection and prevention system. Snort can be used to analyze network traffic for signs of malicious activity and to trigger alerts when suspicious activity is detected. By combining Sigma and Snort, you can create a more comprehensive security system that can help protect against a wide range of cyber threats.

image
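As an added example (not a rule from the Sigma project or code from the original page), the two svchost checks described above, the image path and the "-k <group>" parameter, written as a Sigma-style rule with a small Python evaluator and run over constructed process-creation events. Field names follow the Sigma process_creation convention (Image, CommandLine); the rule, the events and the condition forms the evaluator supports are assumptions made here.

```python
# Mini Sigma-style rule evaluator (added example; rule and events are
# constructed for this page, not taken from the Sigma project). The rule
# flags a process named svchost.exe unless it runs from System32/SysWOW64
# AND was started with the "-k <group>" parameter.

SVCHOST_RULE = {
    "title": "Suspicious svchost.exe image path or command line (constructed)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {"Image|endswith": "\\svchost.exe"},
        "filter_legit": {
            "Image|startswith": ["C:\\Windows\\System32\\",
                                 "C:\\Windows\\SysWOW64\\"],
            "CommandLine|contains": " -k ",
        },
        "condition": "selection and not filter_legit",
    },
}

def _match_value(actual, modifier, expected):
    """Compare one field using a Sigma string modifier (matching is case-insensitive)."""
    a, e = str(actual).lower(), str(expected).lower()
    if modifier == "endswith":
        return a.endswith(e)
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "contains":
        return e in a
    return a == e  # no modifier: exact match

def _match_block(event, block):
    """A detection block maps field -> value(s). Every field must match;
    a list of values means any one of them is enough (Sigma's list OR)."""
    for key, expected in block.items():
        field, _, modifier = key.partition("|")
        values = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(event.get(field, ""), modifier, v) for v in values):
            return False
    return True

def evaluate(rule, event):
    """Evaluate the rule against one event. Supports the condition shapes
    'X' and 'X and not Y', which is all this rule needs."""
    det = rule["detection"]
    parts = det["condition"].split()
    hit = _match_block(event, det[parts[0]])
    if len(parts) == 4 and parts[1:3] == ["and", "not"]:
        hit = hit and not _match_block(event, det[parts[3]])
    return hit

# Constructed events: two legitimate hosts, one copy running from a
# user-writable folder, and one genuine binary launched without a group.
EVENTS = [
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "C:\\Windows\\System32\\svchost.exe -k UnistackSvcGroup -s WpnUserService"},
    {"Image": "C:\\Windows\\SysWOW64\\svchost.exe",
     "CommandLine": "C:\\Windows\\SysWOW64\\svchost.exe -k netsvcs -p"},
    {"Image": "C:\\Users\\Public\\svchost.exe",
     "CommandLine": "C:\\Users\\Public\\svchost.exe -k netsvcs"},
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "C:\\Windows\\System32\\svchost.exe"},
]

def suspicious_svchost(events=EVENTS):
    """Return the command lines of the events the rule flags."""
    return [e["CommandLine"] for e in events if evaluate(SVCHOST_RULE, e)]

if __name__ == "__main__":
    for cmdline in suspicious_svchost():
        print("ALERT:", cmdline)
```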

YARA Rule

Yara is a tool for identifying and classifying malware and other malicious software. A Yara rule is a set of criteria used to identify and classify malware. Yara rules are written in a specialized language that lets you specify the characteristics of the malware you are looking for, such as specific text strings, byte patterns in code, or other identifying features.

Yara rules are used by cybersecurity professionals to identify and classify malware, and to help protect against cyber threats. Yara rules can be used to scan files, network traffic, and other sources for signs of malware, and can be used in conjunction with other security tools and techniques to help defend against cyber attacks.

Yara rules are typically used to identify specific types of malware, such as viruses, worms, trojans, and other malicious software. They can be used to identify both known and unknown malware, and can be updated and modified as new threats emerge.

image
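To show what that specialized language looks like in practice, here is an added example (not code from the original page or from the YARA project): a constructed rule in the rule/meta/strings/condition layout, with a small Python matcher for just the subset it uses, run over constructed sample files.

```python
# Matcher for a small subset of the YARA rule language (added example; rule
# and sample files are constructed for this page). Supported: text strings
# ("..."), hex strings ({ 4D 5A }) without wildcards, and the conditions
# "all of them", "any of them" and "<N> of them".
import re

RANSOM_NOTE_RULE = r'''
rule Constructed_Ransom_Note
{
    meta:
        description = "Constructed example: wording typical of a ransom note"
    strings:
        $s1 = "Your files have been encrypted"
        $s2 = "decrypt"
        $s3 = "bitcoin"
        $h1 = { 50 4B 03 04 }
    condition:
        2 of them
}
'''

STRING_DEF = re.compile(r'(\$\w+)\s*=\s*("[^"]*"|\{[^}]*\})')
CONDITION = re.compile(r'condition:\s*(.+?)\s*}', re.S)

def parse_rule(text):
    """Extract the strings section (as byte patterns) and the condition text."""
    strings = {}
    for name, value in STRING_DEF.findall(text):
        if value.startswith('"'):
            strings[name] = value[1:-1].encode()                          # text string
        else:
            strings[name] = bytes.fromhex("".join(value[1:-1].split()))  # hex string
    return strings, CONDITION.search(text).group(1).strip()

def matches(rule_text, data):
    """Return the names of the strings present in data if the condition holds,
    otherwise an empty list (so the result doubles as a boolean)."""
    strings, condition = parse_rule(rule_text)
    found = [name for name, pattern in strings.items() if pattern in data]
    quantifier = condition.split()[0]
    needed = {"all": len(strings), "any": 1}.get(quantifier)
    if needed is None:
        needed = int(quantifier)  # "<N> of them"
    return found if len(found) >= needed else []

# Constructed sample files: a ransom note, an ordinary ZIP-based document
# (hits only the PK header), and a text file with one weak string.
SAMPLES = {
    "README_TO_RESTORE.txt": b"Your files have been encrypted! Send bitcoin to decrypt them.",
    "report.docx": b"PK\x03\x04 quarterly report, nothing unusual",
    "notes.txt": b"remember to decrypt the archive before the meeting",
}

def scan(samples=SAMPLES, rule_text=RANSOM_NOTE_RULE):
    """Return {filename: matched string names} for every sample the rule hits."""
    hits = {}
    for name, data in samples.items():
        matched = matches(rule_text, data)
        if matched:
            hits[name] = matched
    return hits

if __name__ == "__main__":
    for name, matched in scan().items():
        print(f"{name}: {', '.join(matched)}")
```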

Windows Registry

The Windows Registry is a database that stores configuration settings and options for the Microsoft Windows operating system and for applications that run on Windows. It contains information about hardware and software configuration, user preferences, and other data that is used by the operating system and by applications.

The Windows Registry is an important source of information for forensic investigations because it can provide valuable evidence about the activities that have taken place on a computer. For example, the Registry can reveal information about:

• Installed software and hardware: The Registry can contain information about the software and hardware that has been installed on a computer, including the version numbers and installation dates. This can be useful for determining what programs and devices were in use on a computer at a particular time.

• User activity: The Registry can contain information about the user accounts that have been created on a computer and the actions that have been taken by those users. This can include information about file and folder access, network connections, and other activities.

• System configuration: The Registry can contain information about the configuration of the operating system and other software, including the settings and options that have been selected. This can be useful for understanding how a computer was set up and how it was being used.

image

Windows Registry Structure

The Registry is organized into a tree-like structure. The top-level keys in the Registry are called hives.

image

HKEY_CLASSES_ROOT (HKCR): This hive contains information about file associations and COM object classes. It is used to associate files with the applications that can open them and to register COM objects so that they can be used by other applications.

HKEY_CURRENT_USER (HKCU): This hive contains information about the current user's preferences and settings. It is used to store settings for the desktop, start menu, taskbar, and other elements of the user interface, as well as settings for applications that are specific to the current user.

HKEY_LOCAL_MACHINE (HKLM): This hive contains information about the hardware, software, and security settings of the computer. It also contains information about the user profiles and groups on the computer.

HKEY_USERS (HKU): This hive contains information about all the user profiles on the computer. It is used to store settings for the desktop, start menu, taskbar, and other elements of the user interface, as well as settings for applications that are specific to each user.

HKEY_CURRENT_CONFIG (HKCC): This hive contains information about the hardware configuration of the computer. It is used to store information about the devices that are installed on the computer, as well as the configuration settings for those devices.


Wireshark

Wireshark is a free and open-source packet analyzer. It is a tool that allows you to capture and analyze network traffic in order to troubleshoot network problems, examine security issues, and learn more about how networks work.

Wireshark captures packets and displays them in real time. It supports a wide range of protocols and can decode the contents of packets and display them in a variety of formats. It also includes an extensive set of capture and display filters that let you focus on specific packets or types of traffic.

image

Enumeration

System Enumeration

Check system information

Displays a list of details about the operating system, computer hardware and software components.

    systeminfo
    systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"

Check installed updates

Displays all installed Windows and software updates applied to that computer.

    wmic qfe
    wmic qfe get Caption, Description, HotFixID, InstalledOn

List all drives in the machine

    wmic logicaldisk get Caption
    fsutil fsinfo drives
    wmic logicaldisk get caption,description,providername
    [Powershell] Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"} | ft Name,Root

List all env variables

Displays the current environment variable settings.

    set
    [Powershell] Get-ChildItem Env: | ft Key,Value

List Architecture

    ver
    wmic os get osarchitecture
    echo %PROCESSOR_ARCHITECTURE%

List installed apps

    wmic product get name, version, vendor

List scheduled tasks

    Schtasks /query /fo LIST /v

List running services

    net start

List running processes

    tasklist /SVC

List installed device drivers

    driverquery

Query the registry for specific keys, values and/or data

Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.

    reg query [Root]

Root:
    • HKLM = HKEY_LOCAL_MACHINE (default)
    • HKCU = HKEY_CURRENT_USER
    • HKU = HKEY_USERS
    • HKCR = HKEY_CLASSES_ROOT

Scanning registry hives for the value "password" (internal recon: the Windows registry often stores clear-text or encoded passwords used by various applications).

    reg query HKLM /f password /t REG_SZ /s
    reg query HKCU /f password /t REG_SZ /s

List GPO settings (Group Policy Discovery)

    gpresult /Z

User Enumeration

List current username

Displays a user name associated with the effective user ID.

    whoami
    hostname
    set computername
    echo %USERNAME%
    [Powershell] $env:username

Check current user privileges/groups

    whoami /priv
    whoami /groups

List all users

    net users
    whoami /all
    [Powershell] Get-LocalUser | ft Name,Enabled,LastLogon
    [Powershell] Get-ChildItem C:\Users -Force | select Name

Check account policies and password policies

    net accounts

View user information

Displays user account information.

    net users %username%

List all groups

Displays the name of the server and the names of local groups on the computer.

    net localgroup
    net localgroup Administrators
    net group "Domain Controllers" /domain
    net group "Domain Admins" /domain
    net group "Enterprise Admins" /domain
    net user /domain <UserName>
    [Powershell] Get-LocalGroup | ft Name
    [Powershell] Get-LocalGroupMember Administrators | ft Name, PrincipalSource

View user domain

    set userdomain

List information about the configuration of the Server or Workstation

    net config server
    net config workstation

Network Enumeration

List all network interfaces, IP, and DNS

Displays the full TCP/IP configuration for all adapters.

    ipconfig /all
    wmic nicconfig get description,IPAddress,MACaddress
    [Powershell] Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
    [Powershell] Get-DnsClientServerAddress -AddressFamily IPv4 | ft

List Routing Table

Displays the entire contents of the IP routing table.

    route print
    netstat -nr
    [Powershell] Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex

List ARP table

Displays all ARP mapping entries.

    arp -a
    [Powershell] Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State

List Network status

Displays active TCP connections and the ports on which the computer is listening.

    netstat -ano

List network shares

Displays information about all of the resources that are shared on the local computer.

    net share

List all shared resources

Displays detailed information about the currently mapped drives and devices.

    net use

List Wi-Fi Credentials

List available AP SSIDs:

    netsh wlan show profile

Get the clear-text password in use:

    netsh wlan show profile key=clear

Windows Firewall Enumeration

Displays Windows Firewall rules

    netsh advfirewall firewall show rule name=all

Displays current profile status

    netsh advfirewall show currentprofile

Displays programs that are allowed by the host

    netsh firewall show allowedprogram

Displays the status of firewall configurations

    netsh firewall show config

Displays the location of the firewall logs

    netsh firewall show logging

List firewall's blocked ports

    [Powershell] $f=New-Object -ComObject HNetCfg.FwPolicy2; $f.rules | where {$_.action -eq "0"} | select name,applicationname,localports

Defense Evasion

Windows Firewall Defense Evasion

Disable Windows firewall

Windows Firewall can be enabled or disabled from the command line using the netsh command.

    netsh firewall set opmode mode=DISABLE
    netsh advfirewall set allprofiles state off
    netsh advfirewall set currentprofile state off

Delete firewall rules

    netsh advfirewall firewall delete rule name="<RuleName>"
    netsh advfirewall firewall delete rule name="Block Ports"

Web Proxy Defense Evasion

Disable proxy for browsers

Overrides any proxy settings that are configured.

    start chrome --no-proxy-server
    start msedge --no-proxy-server




Obfuscation

Base64

Base64 encoding is traditionally used to convert binary data to printable text characters. Base64 is often used to hide plaintext elements in the early stages of an attack, when they cannot yet be concealed by encryption.

Common Base64 Encodings

image


btoa() and atob() Method

The atob (ASCII to binary) and btoa (binary to ASCII) methods transform content to and from Base64 encoding. The atob() function decodes a string of data which has been encoded using Base64 encoding. The btoa() function creates a Base64-encoded ASCII string from a binary string.

    atob('aHR0cHM6Ly9vd2xpZnkueHl6')
    btoa('owlify.xyz')

HTML Entities

Adversaries take advantage of HTML encoding to obfuscate payloads for client-side attacks, hiding them from any server-side defences that are in place.

Example

image


Powershell encoded command

Adversaries commonly hide commands by encoding them using Base64.

    powershell.exe -EncodedCommand %redacted base64%
    cmd /c powershell.exe -nop -w hidden -encodedcommand %redacted base64%

Example UTF-16 encoding

image

Example Gunzip

image
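An added Python example (not code from the original page) that reverses the encodings in this Base64 section: the page's own atob()/btoa() values, HTML entities, and a PowerShell -EncodedCommand whose UTF-16LE script wraps a gzip blob. The command line it decodes is constructed by build_sample_cmdline(); the patterns used to find the flag and the FromBase64String() blob are assumptions about the shapes shown above.

```python
# Decoders for the encodings covered above (added example, constructed data).
import base64
import gzip
import html
import re

def atob(text):
    """JavaScript atob(): Base64 text -> decoded string (latin-1, like a browser)."""
    return base64.b64decode(text).decode("latin-1")

def btoa(text):
    """JavaScript btoa(): binary string -> Base64 text."""
    return base64.b64encode(text.encode("latin-1")).decode("ascii")

def decode_html_entities(text):
    """Undo HTML entity encoding (&#104;, &#x68;, &lt; ...) used to hide payloads."""
    return html.unescape(text)

# Assumed shapes: "-e", "-enc" or "-encodedcommand" followed by the Base64 blob,
# and an inner [Convert]::FromBase64String('...') call inside the script.
ENCODED_FLAG = re.compile(r'-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)', re.I)
INNER_B64 = re.compile(r'FromBase64String\([\'"]([A-Za-z0-9+/=]+)[\'"]\)')

def decode_encoded_command(cmdline):
    """Recover the script behind `powershell -EncodedCommand <b64>`.

    PowerShell expects the Base64 to wrap UTF-16LE text, so the bytes must be
    decoded with that codec rather than UTF-8. If the script embeds a second
    Base64 blob that starts with the gzip magic bytes (the "Gunzip" pattern),
    it is inflated too. Returns (script, inner_or_None), or None if no flag.
    """
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    script = base64.b64decode(m.group(1)).decode("utf-16-le")
    inner = None
    blob = INNER_B64.search(script)
    if blob:
        raw = base64.b64decode(blob.group(1))
        if raw[:2] == b"\x1f\x8b":  # gzip magic
            inner = gzip.decompress(raw).decode("utf-8", "replace")
    return script, inner

INNER_PAYLOAD = b"Write-Host 'constructed inner payload'"

def build_sample_cmdline():
    """Build a constructed command line in the shape shown above: Base64 of
    UTF-16LE script text that itself carries a gzip-compressed Base64 blob."""
    gz_b64 = base64.b64encode(gzip.compress(INNER_PAYLOAD)).decode("ascii")
    script = f"$b=[Convert]::FromBase64String('{gz_b64}');Write-Host 'constructed'"
    encoded = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return "cmd /c powershell.exe -nop -w hidden -encodedcommand " + encoded

if __name__ == "__main__":
    print(atob("aHR0cHM6Ly9vd2xpZnkueHl6"), btoa("owlify.xyz"))
    print(decode_encoded_command(build_sample_cmdline()))
```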


Commandline Obfuscation

Command obfuscation may render rule-based detection useless and can make both static and dynamic detection more difficult.


Environment variables:

Static detection could be bypassed.

image

    set a=/c & set b=calc
    cmd %a% %b%

Double quotes:

Static and dynamic detection could be bypassed.

image

    c""m"d"

Carets:

Static detection could be bypassed.

image

    n^e^t u^s^er

Comma/semicolon:

Static and dynamic detection could be bypassed.

image

    cmd,/c;hostname

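A defender-side normaliser for the four tricks just listed, as an added Python example (not code from the original page): it expands %VAR% references from earlier set statements, drops carets and stray double quotes, and turns comma/semicolon separators back into spaces, so that a keyword rule sees the real command. The watchlist keywords and the handling of set statements are constructed assumptions.

```python
# Normaliser for the cmd.exe obfuscation tricks listed above (added example).
import re

SET_STMT = re.compile(r'^\s*set\s+(\w+)=(.*?)\s*$', re.I)
ENV_REF = re.compile(r'%(\w+)%')

def expand_env(cmd, env):
    """Replace %NAME% with its recorded value; unknown names stay as written,
    which is what cmd.exe does on the interactive command line."""
    return ENV_REF.sub(lambda m: env.get(m.group(1).lower(), m.group(0)), cmd)

def normalize(cmd, env=None):
    """Return the normalized form of one command statement."""
    cmd = expand_env(cmd, env or {})
    cmd = re.sub(r'\^(.)', r'\1', cmd)   # n^e^t -> net (^ escapes the next char)
    cmd = cmd.replace('"', '')           # c""m"d" -> cmd (quotes are not passed on)
    cmd = re.sub(r'[,;]+', ' ', cmd)     # cmd,/c;hostname -> cmd /c hostname
    return ' '.join(cmd.split())         # collapse whitespace

def normalize_session(lines):
    """Walk a sequence of command lines, recording `set NAME=value` statements
    so later %NAME% references expand as cmd.exe would. Statements are split
    on '&'; escaping or quoting of '&' itself is not modelled."""
    env, out = {}, []
    for line in lines:
        for stmt in line.split('&'):
            m = SET_STMT.match(stmt)
            if m:
                env[m.group(1).lower()] = m.group(2)
                continue
            norm = normalize(stmt, env)
            if norm:
                out.append(norm)
    return out

# The page's four examples, as one constructed session.
SAMPLE_SESSION = [
    'set a=/c & set b=calc',
    'cmd %a% %b%',
    'c""m"d"',
    'n^e^t u^s^er',
    'cmd,/c;hostname',
]

# Constructed keywords a naive string-matching rule might look for.
WATCHLIST = ('net user', 'cmd /c')

def detect(lines, watchlist=WATCHLIST):
    """Return (normalized command, keyword) pairs. None of these keywords
    match the raw obfuscated lines; all of them match after normalisation."""
    return [(n, k) for n in normalize_session(lines)
            for k in watchlist if k in n.lower()]

if __name__ == "__main__":
    for norm, keyword in detect(SAMPLE_SESSION):
        print(f"{keyword!r} found in {norm!r}")
```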
Frameworks

NIST vs SANS

image

The difference between the NIST and SANS frameworks lies in how they approach the phases of containment, eradication, and recovery in incident response:


NIST Perspective:

NIST considers containment, eradication, and recovery as interconnected components within a single step. Unlike SANS, NIST doesn't insist on containment before eradication. This approach could be advantageous for organizations with a lower tolerance for threats, where the immediate removal of threats is prioritized over understanding and containing them beforehand.


SANS Perspective:

SANS treats containment, eradication, and recovery as distinct and independent steps. According to SANS, containment should come before eradication. This methodology allows for a more structured approach to isolating the threat and preventing its spread before focusing on eliminating it.


In summary, NIST's approach integrates containment, eradication, and recovery as interconnected actions, potentially suited for organizations prioritizing threat removal. SANS, on the other hand, treats these steps separately, advocating for containment before eradication to ensure controlled response to threats. The choice between these perspectives depends on an organization's risk tolerance and preferred incident response strategy.



Incident Response Guide

1. Preparation:

Employee Training: Ensuring staff are trained in their incident response roles and responsibilities in the event of a data breach. Well-prepared employees are less likely to make critical errors during an incident.

Tabletop Exercises: Developing incident response tabletop exercises and conducting mock data breaches periodically to assess the effectiveness of the response plan. These exercises help identify gaps and refine the plan.

Thorough Documentation: Creating a comprehensive incident response plan that thoroughly outlines the roles and responsibilities of all involved parties. This documentation serves as a guide during real incidents.

Testing and Training: Regularly testing the incident response plan through simulations to ensure that the team understands their roles and the necessary notifications to be made.


2. Identification:

Incident Confirmation: Determine if a breach or incident has taken place, understanding that they can stem from diverse origins.

Timing and Discovery: Establish the timing of the event and how it was detected. Identify who found it and through which means.

Extent of Impact: Investigate whether other areas or systems have been affected and gauge the overall scope of the compromise.

Operational Impact: Assess whether the incident is impacting regular operations.

Source Identification: Strive to determine the source or point of entry through which the event occurred.


3. Containment:

Preserving Evidence: Refrain from deleting data to maintain valuable evidence for understanding the breach origin and prevention planning.

Preventing Spread: Isolate the breach to prevent further damage. Disconnect affected devices from the Internet if possible.

Short-term and Long-term Strategies: Have both short-term and long-term containment strategies ready. A redundant system backup can aid in data restoration.

Backup Strategies: Maintain redundant backups to facilitate data recovery and ensure compromised data isn't permanently lost.

Enhanced Security Measures: Update and patch systems, review remote access protocols with mandatory multi-factor authentication, and strengthen all access credentials and passwords.


4. Eradication:

Root Cause Elimination: Identify and eliminate the source of the breach, including securely removing all malware and traces of malicious activity.

System Refortification: Harden the affected systems by implementing security measures, and apply necessary patches and updates to minimize vulnerabilities.

Thoroughness: Whether conducted internally or by a third party, the eradication process must be meticulous. Leaving remnants of malware or vulnerabilities can lead to data loss and increased liability.


5. Recovery:

System Restoration: Return affected systems and devices to production in a timely manner, prioritizing a secure and efficient restoration process.

Security Measures: Ensure systems are patched, hardened, and thoroughly tested before they are brought back into the operational environment.

Backup Restoration: Consider restoring systems from trusted backups to a known, clean state, reducing the risk of persistent malware.

Monitoring and Safeguards: Define a monitoring period for affected systems, observing for any signs of anomalous activity or breaches. Implement tools like file integrity monitoring and intrusion detection/protection systems to prevent future occurrences.


6. Lessons Learned:

After-Action Meeting: Convene an after-action meeting involving all Incident Response Team members to discuss insights gained from the data breach incident.

Analysis and Documentation: Thoroughly analyze and document the incident details, identifying successes and areas needing improvement. These insights stem from both actual incidents and tabletop exercises.

Plan Refinement: Identify strengths and weaknesses in the incident response plan and the organization's security posture. Utilize these findings to refine the response plan and address vulnerabilities.

Enhanced Training and Security: Determine necessary changes to security measures and employee training based on lessons learned. Focus on rectifying weaknesses exploited by the breach.

Prevention Strategies: Develop strategies to prevent a recurrence of a similar breach by implementing corrective actions and enhancing preventive measures.


Ransomware Incident Response Guide

1. Preparation:

• Develop an incident response plan that includes specific procedures for ransomware incidents.

• Implement security measures like regular patching, network segmentation, and user training.

• Establish a backup strategy to ensure critical data and systems are regularly backed up and stored offline.


2. Identification:

• Monitor network traffic, system logs, and endpoint behavior.

• Quickly assess incoming alerts and prioritize them based on severity.

• Detect signs of potential ransomware activity, such as unusual encryption patterns or file changes.

• Analyze the attack vector and vulnerabilities exploited by the ransomware.

• Determine the ransomware variant to understand its behavior and capabilities.


3. Containment:

• Isolate affected systems from the network to prevent further ransomware spread.

• Identify the extent of the infection and determine which systems have been compromised.

• Reset passwords for compromised accounts to prevent unauthorized access and hinder the attacker's movement.


4. Eradication:

• Eliminate the source of the ransomware.

• Patch and update systems to prevent future infections through known vulnerabilities.


5. Recovery:

• Restore data and systems from clean backups, ensuring backups are free from malware.

• Implement additional security measures to reinforce the resilience of recovered systems.


6. Lessons Learned:

• Conduct a post-incident review to identify strengths and weaknesses in the response process.

• Update the incident response plan based on lessons learned from the incident.