2019 Unit Section / Chapter / Specific Topic/Tools

Index item | Notes | Book.Page | Column2 (each color in the original sheet marks a different book)

Incident Handling | | 1.01 | 1 - Book 1
Incident Handling definitions & Overview | | 1.05 | 1 - Incident Handling
IH Process - 6 Main Phases | | 1.17 | 1 - Incident Handling
Preparation | people, policy, data, software/hardware, supplies, comms, transport, space/storage, power controls | 1.19-47 | 1 - Incident Handling
Identification | handlers, control info, comms channels, where to look, detection, Windows cheat sheets | 1.49-79 | 1 - Incident Handling
Identification Occurs where? | Detection: Network, Host, System, Application | 1.54-60 | 1 - Identification
Intrusion Discovery - Windows | Windows: Intrusion Discovery (leaflet) | 1.65-78 | 1 - Identification
MITRE ATT&CK Matrix | Identification section blurb | 1.83 | 1 - Identification
Identification: Chain of Custody | Establish Chain of Custody | 1.85 | 1 - Identification
Containment | Sub-phases, deploy, characterize, notifying management, CyberCPR | 1.87-103 | 1 - Incident Handling
Containment - Characterize Incident | category/type of incident, criticality & severity | 1.90 | 1 - Containment
Containment - Inform Management | Notifying appropriate officials and tracking entry | 1.92 | 1 - Containment
CyberCPR | web app that tracks incidents & evidence | 1.93 | 1 - Containment
Containment - Initial Analysis | Avoid obvious methods when looking for the intruder | 1.94 | 1 - Containment
Containment - Short Term (1) & (2) | short-term containment | 1.95-96 | 1 - Containment
Containment - ISP Coordination | may assist in: identification, containment & recovery | 1.97 | 1 - Containment
Forensic Images | ASAP, memory & file system, create a hash | 1.98 | 1 - Containment
Risk of Continuing Ops | Acquire logs, how far did the TA get?, logs of neighboring systems, business decision | 1.100 | 1 - Containment
Containment - Long term | obtain backups then make changes; if the system can be kept offline move to the eradication phase, if not possible perform long-term containment actions | 1.101-102 | 1 - Containment
Eradication | restoring from backups, removing malicious software, improving defense, vulnerability analysis | 1.105-109 | 1 - Incident Handling
Recovery | get the impacted system back into production safely | 1.111-114 | 1 - Incident Handling
Recovery - Artifacts | look for return of the TA: wmic, Linux ps | 1.114 | 1 - Incident Handling
Lessons Learned | Report, Meeting, Apply Fixes | 1.115-118 | 1 - Incident Handling
Enterprise Wide - IR | Data: Ingress/Egress, DNS, Web Proxy, Connection | 1.121-124 | 1 - Incident Handling
WMIC | Artifacts Recovery; Enterprise Wide - IR: query just about everything | 1.114, 1.128 | 1 - Enterprise Wide - IR
SCCM - System Center Config Manager | Enterprise Wide - IR: reporting tool, informs you of installed software on a system, can even pull drivers, users, services | 1.129 | 1 - Enterprise Wide - IR
Powershell | Enterprise Wide - IR: Kansa Soup IR tool | 1.130 | 1 - Enterprise Wide - IR
Kansa Soup | uses PowerShell 3, IR tool | 1.131-134 | 1 - Enterprise Wide - IR
Applied Incident Handling | types of incidents | 1.135 | 1 - Book 1
Espionage | type of incident; many unauthorized access cases are espionage; oreo for target analysis, identification, maximize data collection, deceiving the TA | 1.136-140 | 1 - Applied Incident Handling
Unauthorized Use | Espionage; abusing normally granted access; common support areas: email problems & inappropriate web surfing | 1.141-148 | 1 - Applied Incident Handling
Insider Threat | definition, handling, identification, assessment checklist (153) | 1.150-155 | 1 - Applied Incident Handling
Intellectual Property | Patents, Copyrights, TM, Trade Secrets | 1.157-159 | 1 - Applied Incident Handling
Legal & Cybercrime Laws | Applied Incident Handling - country-specific | 1.161 | 1 - Applied Incident Handling
Appendix A: VMware & Linux | | 1.164 | 1 - Applied Incident Handling
Appendix B: Linux Cheatsheets | | 1.215 | 1 - Applied Incident Handling
Attack Trends | Motivations, type of attackers, kinetic impact, hacking for fun, hacktivism & underground | 2.09-15 | 2 - Hacker Exploits Part 1
Hacker Attack Steps | Reconnaissance, Scanning, Exploitation, Keeping Access, Covering Tracks | 2.17-5.122 | 2 - Attack Trends
Step 1: Reconnaissance | | 2.15-51 | 2 - Hacker Exploits Part 1
Whois | Domain name registration, research, IP blocks, sample, recon defense | 2.18-22 | 2 - Reconnaissance
DNS Interrogation | DNS, nslookup, zone transfer in Windows/UNIX | 2.24-27 | 2 - Reconnaissance
Website Searches | recon website, open source info recon, Pushpin, search defense | 2.29-33 | 2 - Reconnaissance
Search Engines | recon with: engines, Gmaps physical attacks, tips, cache & Wayback Machine, FOCA, vulnerable systems, automation | 2.35- | 2 - Reconnaissance
Search Engine - useful searches | Search Engines: useful search directives: site, link, intitle, inurl, related, info | 2.27 | 2 - Reconnaissance
Search Engines - FOCA | Search Engines: automated search for various file types, downloading them, extract metadata, additional features | 2.41 | 2 - Reconnaissance
Recon Vuln Systems | searching for vulnerable systems, RDP, default web pages (Apache, IIS, ColdFusion), indexable directories, video cameras | 2.42 | 2 - Reconnaissance
Search engine defense | Google Webmaster Tools; remove: robots.txt, meta tags, images from Google search, snippets, cached pages | 2.44 | 2 - Reconnaissance
Maltego | Gathers information, transforms (ex.), defenses against Maltego | 2.46-48 | 2 - Reconnaissance
Web-Based Recon & Attack Sites | various websites offer the ability to research or attack another site; Internet scanning web pages (traceroute, ping, port scan, DoS test), Shodan | 2.50 | 2 - Reconnaissance
Step 2: Scanning | war dialing, war driving, LAN discovery, Nmap network/port, evading IDS, vuln scanning, Nessus, SMB | 2.52-134 | 2 - Hacker Exploits Part 1
War Dialing | dial a sequence of phone numbers, attempting to locate modem carriers or secondary dial tones (remote access routers); demon dialers brute-force passwords on a single number; defense preparations | 2.53-58 | 2 - Scanning
WarVOX | War Dialing: wardialing tool, VoIP, IAX protocol support required, Caller ID spoofing, 8 hours of wardialing into 1 hour (1000 numbers) | 2.54-56 | 2 - Scanning
War Driving | wireless misconfigs, tools for wireless LAN discovery, inSSIDer GUI, Kismet, sniffing, crypto, "easy-creds", karma, karmetasploit, defense | 2.60-76 | 2 - Scanning
Network Mapping | Nmap mapping: understand the topology of the network, Internet connectivity (DMZ & perimeter networks), internal network, port scan, sweeping for online systems, Zenmap, traceroute, defense | 2.79-85 | 2 - Scanning
IP Header | Network Mapping: IP packet header | 2.80 | 2 - Scanning
Port Scanning | identify openings on a system & type of system, TCP/UDP, Nmap: scan types (92), OS fingerprinting, Masscan, EyeWitness, Remux | 2.87-103 | 2 - Scanning
Nmap | Port Scanning: types of scans, ACK scans, OS fingerprinting | 2.92-95 | 2 - Scanning
Masscan | Port Scanning: fast asynchronous scanner, sends SYNs and handles the returning SYN/ACKs separately | 2.96 | 2 - Scanning
EyeWitness | Port Scanning: screenshots of websites, VNC, RDP servers | 2.97 | 2 - Scanning
Remux | Port Scanning: POC tool to demo scanning via multiple open proxies online; reverse multiplexes connections; TA use this to bounce scanning through proxies to avoid getting caught | 2.98 | 2 - Scanning
Port Scanning - defense | defense, checking, and disabling for Windows & Linux | 2.99-103 | 2 - Scanning
Evading IDS/IPS | Invalid TCP checksum bypass, blending in, defense | 2.107-109 | 2 - Scanning
Vuln Scan - Nessus | Vulnerability scanning with Nessus, plug-ins, defense (117) | 2.111-117 | 2 - Scanning
Nessus | scan for vulnerabilities | 2.111-117 | 2 - Scanning
SMB Session | application layer protocol that implements file/printer sharing, domain auth, remote admin; port 445 (older systems: NetBIOS) | 2.121-132 | 2 - Scanning
Step 3: Exploitation | Book 3 - Gaining Access, ends at Endpoint Security; Books 3 & 4 | | 3 - Hacker Exploits Part 2
Gaining Access | | Book 3 - 4.74 | 3 - Exploitation - Gaining Access
Physical Access | Rubber Ducky - HID (Human Interface Devices), defense | 3.03 | 3 - Exploitation - Gaining Access
BGP Hijacking | Border Gateway Protocol (BGP) allows routers on the Internet to route traffic to the correct place; ASNs define which router is responsible for which IP range; defense | 3.07-09 | 3 - Exploitation - Gaining Access
Netcat Multipurpose | client/listen mode, commands (3.14), uses (15), data transfer, port/vuln scan, connecting, backdoors, reverse shells (21), relays | 3.10-26 | 3 - Exploitation - Gaining Access
Sniffing - passive/active | Wireshark, OSI protocol layering, ARP, MAC-to-IP, name resolution | 3.30-55 | 3 - Exploitation - Gaining Access
Bettercap | Ruby framework used to manipulate the ARP mapping on the target | 3.36, 38 | 3 - Sniffing - Passive/Active
Arpspoof | ARP Cache Poisoning: manipulate the IP-to-MAC mapping; feeds false ARP messages into the LAN so traffic is directed to the attacker for sniffing | 3.36 | 3 - Sniffing - Passive/Active
Man-in-the-Middle framework | MITMf: supports ARP cache poisoning and many other injection/TCP stream modification attacks | 3.36 | 3 - Sniffing - Passive/Active
ARP Cache Poisoning | Foiling switches; tools for it on (36) | 3.37 | 3 - Sniffing - Passive/Active
Snarfing Application Layer | once data is flowing through our proxy you can harvest data and invoke a keylogger; MITMf has a module called JSKeylogger and also takes screenshots | 3.39 | 3 - Sniffing - Passive/Active
Xplico | | 3.40 | 3 - Sniffing - Passive/Active
Foiling DNS | 1) run MITMf, which listens for DNS queries for the target domain; 2) victim runs a program that tries to resolve the target domain; 3) decide what option next; 4) tool sends a spoofed DNS response; 5) now you see what they do | 3.41-44 | 3 - Sniffing - Passive/Active
Sniffing SSL & SSH | Steps listed | 3.45, 48 | 3 - Sniffing - Passive/Active
Subterfuge | MITM tool | 3.49 | 3 - Sniffing - Passive/Active
SSL warnings | dodging, avoiding; sslstrip, Firesheep | 3.50-53 | 3 - Sniffing - Passive/Active
Hijacking Attacks | Responder, attacking WPAD, defense, identification, containment, eradication, recovery | 3.56 | 3 - Exploitation - Gaining Access
Identification - Hijacking | | 3.63 | 3 - Hijacking Attacks
Containment - Hijacking | | 3.64 | 3 - Hijacking Attacks
Buffer Overflow | allows the attacker to: take over the system, escalate privileges, execute arbitrary commands; moving data around in memory without checking size (more data than allocated for) | 3.67-82 | 3 - Exploitation - Gaining Access
Heap-and-integer-based overflows | similar core issue to buffer overflow: non-validated input | 3.68 | 3 - Buffer Overflow
Calling Subroutines | breaks the programmed routine and jumps to another part to run the attack | 3.71 | 3 - Buffer Overflow
Buffer Overflow | exploiting, creating, finding, cramming, exploit code, more characteristics, setting the return pointer | 3.74-82 | 3 - Buffer Overflow
Metasploit | BO: framework, packaging, arsenal, GUI, exploits in MSF, payloads, defense for buffer overflow, code checking tools | 3.83 | 3 - Buffer Overflow
Meterpreter | Metasploit payload: able to load and interact with DLLs in real time, create specialized CLI access within running programs | 3.89-90 | 3 - Buffer Overflow - Metasploit
Parser Problems | Buffer overflow problem area: protocol handlers that grab data from the network and parse it for an application, often run as root | 3.103-107 | 3 - Buffer Overflow
Endpoint Security Bypass | external access, creating malware, macros, unicorn, ghostwriting, editing assembly, app whitelisting, InstallUtil-ShellCode.cs, InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe | 3.108-121 | 3 - Exploitation - Gaining Access
InstallUtil-ShellCode.cs | adjust how the malware is executed | 3.118 | 3 - Endpoint Security Bypass
InstallUtil.exe /logfile= /LogToConsole=false | when the .exe is "uninstalled" (/U) it executes the malicious code | 3.119 | 3 - Endpoint Security Bypass
Step 3: Exploitation Cont. 1 | Continue Gaining Access; web apps, DoS; Book 4 | | 4 - Hacker Exploits Part 3
Gaining Access Cont. 1 | Password Cracking, Pass the Hash, Worms, Bots, BeEF | 4.01-77 | 4 - Exploitation - Gaining Access
Password Cracking | guessing, spraying, THC Hydra, cracking methods: dictionary, brute force, hybrid; for good reason? | 4.01-15 | 4 - Exploitation - Gaining Access
Cain | LANMAN, NT hashes, no salts - SAM, rainbow tables, Cain & Abel, wardriving, sniffer, hash calculator, network neighborhood explorer, ARP cache poisoning, etc (4.24); defense, disabling, tools | 4.16-33 | 4 - Password Cracking
John the Ripper | multi-platform, feed it hashed password files, UNIX passwd file format, shadow file format, JtR modes, input/outputs (39), Hashcat, defense, use PAM for complexity | 4.35-43 | 4 - Password Cracking
Pass-the-hash Attacks | architecture, tools, Kerberoasting, defense | 4.47-51 | 4 - Exploitation - Gaining Access
Worms & Bots | multi-exploit, multi-platform, zero-days, fast spreading, Warhol/Flash technique, polymorphic, payload, metamorphic, bot distribution, bot comms, fast flux, bot functionality, defense | 4.53-73 | 4 - Exploitation - Gaining Access
Open Web App Sec Project (OWASP) | offers useful items: frameworks, guides, checklists, WebGoat, ZAP | 4.77 | 4 - Exploitation - Gaining Access
Web App Attacks | Account Harvesting, Command Injection, SQL Injection, Cross-site Scripting | 4.79-126 | 4 - Exploitation - Web App Attacks
Account Harvesting | automate harvesting through a script, bad/good user ID responses, compromised accounts, defense | 4.79-84 | 4 - Exploitation - Web App Attacks
Command Inject | web apps that take input from users, process it and output; flaws in that allow command injection: ping, nslookup; defense | 4.86-89 | 4 - Exploitation - Web App Attacks
SQL Inject | looking for vulns, database manipulation; examples: finding errors, dropping data, grabbing more, getting DB structure; defense, identification/containment | 4.92-99 | 4 - Exploitation - Web App Attacks
Cross-site scripting | launching attacks, walkthrough, reflected XSS, access to internal systems (107), BeEF, admin apps, defense | 4.101-114 | 4 - Exploitation - Web App Attacks
Attacking State Maintenance w/ web app manipulation proxy | sessions tracked, specialized browsers, manipulation proxy architecture, proxies, ZAP, beyond session ID | 4.117-125 | 4 - Exploitation - Web App Attacks
Denial-of-service | types of DoS, EDNS, local DoS, DNS amplification attacks, bot DoS suites, DDoS, pulsing zombies (141), evolution of the flood, Low/High Orbit Ion Cannon (LOIC/HOIC), defense | 4.127 | 4 - Exploitation - DOS
Step 4: Keeping Access | Trojan backdoors, malware levels, apps, VNC, remote backdoors, wrappers, anti-reverse malware, packers | 5.05-61 | 5 - Hacker Exploits Part 4
Trojan Backdoors & Malware levels | Levels: application-level backdoor, user-mode rootkit, kernel-mode rootkit | 5.06-07 | 5 - Keeping Access
App-Level Trojans | client-server; suites (Poison Ivy, DameWare, Sub7, Gh0st RAT, Blackshades); trick the user to install, or self install; scareware (16) | 5.09-16 | 5 - Keeping Access
Virtual Network Computing (VNC) | remote-access suite, legit, often abused, platforms, active client and listening client, WinVNC | 5.10-13 | 5 - Keeping Access
Common Remote Backdoor Capabilities | system controls, keylogger, dialog boxes, lock up or reboot, access files, create VPNs, camera/audio, similar to Meterpreter; blending-in names (SCSI, UPS, server, client, svchost) | 5.15 | 5 - Keeping Access
Wrappers, Anti-reverse Engineering, and Packers | wrap the backdoor tool in another application, creates exe trojans (AKA binders), Veil toolkit to bypass AV, defense, reversing exes | 5.18-20 | 5 - Keeping Access
Memory Analysis Tool | used to determine the attacker's actions; needs a memory dump; Volatile Systems Volatility framework, Google Rekall | 5.22-28 | 5 - Keeping Access
Rekall | Google Rekall, memory analysis tool, modules, viewing network connections, viewing processes, filtering, DLLs and command line | 5.23-28 | 5 - Keeping Access
Rootkit Techniques | platforms, Linux components, hiding, Windows user-mode, DLL injection, API hooking, where and what, kernel-mode (41) | 5.33-49 | 5 - Keeping Access
Rootkit Examples | rooty, avatar, fontanini; defense: Windows, UNIX/Linux, additional detectors, network intel/forensics | 5.51-60 | 5 - Keeping Access
Step 5: Covering tracks | covering tracks on: Linux, UNIX, Windows, network; steganography | | 5 - Hacker Exploits Part 4
Covering Tracks in Linux/UNIX | hiding files (where, dir), log editing, shell history, accounting entry editing | 5.63-72 | 5 - Covering Tracks
Covering Tracks in Windows | hiding files in NTFS, alternate data streams, finding hidden streams, log editing, Meterpreter, defense, accounting entry editing, logon tracer | 5.76-89 | 5 - Covering Tracks
Covering Tracks on Network | reverse HTTP shells, ICMP tunnels, Covert_TCP & IP headers, ptunnel features (98), bounce mode, Gcat (106) | 5.93-107 | 5 - Covering Tracks
Covering Tracks - Steganography | tools (113): Jsteg, MP3Stego, S-Mail, Invisible Secrets, stash, Hydan; detecting (119); defending | 5.112-121 | 5 - Covering Tracks
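The Arpspoof and ARP Cache Poisoning rows (3.36-37) describe feeding false ARP replies into the LAN so the IP-to-MAC mapping on the victim points at the attacker. As an added example, not material from the course, the Python below builds such ARP reply frames, parses them, and implements the defensive side the notes only name: an arpwatch-style monitor that alerts when an IP's MAC binding changes or when one MAC starts claiming several IPs. All MAC and IP values are constructed and nothing is sent on the wire.

```python
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806
ARP_REPLY = 2


def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def _ip(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def _mac_str(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet frame carrying the ARP reply 'sender_ip is-at sender_mac' (the poison frame)."""
    eth = _mac(target_mac) + _mac(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
           + _mac(sender_mac) + _ip(sender_ip) + _mac(target_mac) + _ip(target_ip))
    return eth + arp


def parse_arp(frame: bytes):
    """Return the ARP fields of an Ethernet frame, or None if it is not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    _htype, _ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (hlen, plen) != (6, 4):
        return None
    body = frame[22:42]
    return {
        "op": op,
        "sender_mac": _mac_str(body[0:6]), "sender_ip": ".".join(map(str, body[6:10])),
        "target_mac": _mac_str(body[10:16]), "target_ip": ".".join(map(str, body[16:20])),
    }


class ArpWatch:
    """Track the IP->MAC bindings seen on the segment. A binding that changes is the
    symptom of cache poisoning; one MAC answering for several IPs is the attacker
    sitting between a victim and its gateway."""

    def __init__(self):
        self.bindings = {}                 # ip -> mac
        self.ips_by_mac = defaultdict(set)
        self.alerts = []

    def observe(self, frame: bytes):
        arp = parse_arp(frame)
        if arp is None or arp["op"] != ARP_REPLY:
            return None
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        alert = None
        previous = self.bindings.get(ip)
        if previous is not None and previous != mac:
            alert = "binding changed: %s was %s now %s" % (ip, previous, mac)
        elif self.ips_by_mac[mac] and ip not in self.ips_by_mac[mac]:
            alert = "%s now claims %s as well as %s" % (mac, ip, sorted(self.ips_by_mac[mac]))
        self.bindings[ip] = mac
        self.ips_by_mac[mac].add(ip)
        if alert:
            self.alerts.append(alert)
        return alert


if __name__ == "__main__":
    # Constructed scenario: gateway 10.0.0.1 and victim 10.0.0.5 answer normally,
    # then de:ad:be:ef:00:01 claims both of them.
    w = ArpWatch()
    w.observe(build_arp_reply("aa:aa:aa:aa:aa:01", "10.0.0.1", "bb:bb:bb:bb:bb:05", "10.0.0.5"))
    w.observe(build_arp_reply("bb:bb:bb:bb:bb:05", "10.0.0.5", "aa:aa:aa:aa:aa:01", "10.0.0.1"))
    w.observe(build_arp_reply("de:ad:be:ef:00:01", "10.0.0.1", "bb:bb:bb:bb:bb:05", "10.0.0.5"))
    w.observe(build_arp_reply("de:ad:be:ef:00:01", "10.0.0.5", "aa:aa:aa:aa:aa:01", "10.0.0.1"))
    print("\n".join(w.alerts))
```

In production the frames come from a raw socket or a pcap; the monitor logic is unchanged. Static ARP entries for the gateway and Dynamic ARP Inspection on the switch remove the attack surface entirely, which is the course's "foiling switches" defense.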
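The Foiling DNS row (3.41-44) lists the five steps of DNS spoofing with MITMf. As an added example, not code from the course or from MITMf, this Python carries the exchange itself: a query is built, the spoofed response is crafted by copying the victim's transaction ID and question and answering with the attacker's address, and two resolver-side checks are applied (does the response echo the query, and did two responses to one query carry different answers, which is the signature of a spoofing race). Names and addresses are constructed; 192.0.2.10 stands in for the genuine answer and 10.6.6.6 for the attacker.

```python
import socket
import struct


def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"


def decode_name(data: bytes, off: int):
    """Decode a possibly-compressed name; return (name, offset just after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode())
        off += length
    return ".".join(labels), (end if jumped else off)


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_query(pkt: bytes) -> dict:
    txid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    name, off = decode_name(pkt, 12)
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return {"txid": txid, "flags": flags, "name": name, "qtype": qtype,
            "qclass": qclass, "end": off + 4}


def build_spoofed_response(query: bytes, answer_ip: str, ttl: int = 300) -> bytes:
    """Step 4 of the attack: echo the victim's txid and question, set QR/RD/RA,
    and point the name at the address we choose."""
    q = parse_query(query)
    header = struct.pack("!HHHHHH", q["txid"], 0x8180, 1, 1, 0, 0)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(answer_ip)
    return header + query[12:q["end"]] + answer


def parse_answers(resp: bytes) -> list:
    """Return [(name, ipv4)] for the A records in a response."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(resp, off)
        off += 4
    out = []
    for _ in range(an):
        name, off = decode_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            out.append((name, socket.inet_ntoa(resp[off:off + 4])))
        off += rdlen
    return out


def response_matches(query: bytes, resp: bytes) -> bool:
    """Resolver-side check: the response must echo the query's txid and question."""
    q, r = parse_query(query), parse_query(resp)      # header+question layout is identical
    return (q["txid"] == r["txid"] and q["name"].lower() == r["name"].lower()
            and q["qtype"] == r["qtype"])


def conflicting_answers(query: bytes, responses: list) -> bool:
    """Spoofing is a race against the real resolver: two well-formed responses to one
    query with different A records means someone else answered."""
    seen = set()
    for r in responses:
        if response_matches(query, r):
            seen.update(ip for _, ip in parse_answers(r))
    return len(seen) > 1


if __name__ == "__main__":
    q = build_query(0x1234, "www.example.com")
    print(parse_answers(build_spoofed_response(q, "10.6.6.6")))
```

A spoofed answer that passes `response_matches` is indistinguishable to a plain stub resolver; that is why the defenses in the row are network-side (stop the ARP-level MITM) or cryptographic (DNSSEC, DoT/DoH to a trusted resolver) rather than something the client can check in the packet.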
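The Command Inject row (4.86-89) points at the classic ping/nslookup web form. This added Python example, not from the course, shows the vulnerable pattern (user input pasted into a shell command line), a tokenizer that makes visible how `8.8.8.8; cat /etc/passwd` turns into two commands, and the fix the row files under "defense": an allow-list for the host parameter plus an argv list so that no shell ever parses the input. `HOSTNAME_RE`, `safe_ping_argv` and the payloads are my own names and constructed inputs; `run_ping` is the only function that touches the network and it is not exercised here.

```python
import ipaddress
import re
import shlex
import subprocess

# RFC 1123 hostname: labels of 1-63 alphanumerics/hyphens, no leading/trailing hyphen.
HOSTNAME_RE = re.compile(
    r"(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?", re.IGNORECASE)


def vulnerable_ping_cmdline(host: str) -> str:
    """The bug: the request parameter is concatenated into a command line that the app
    then hands to os.system() or subprocess with shell=True."""
    return "ping -c 1 " + host


def shell_commands(cmdline: str) -> list:
    """Tokenise as a POSIX shell would and split on the command separators, so the
    reviewer can count how many separate programs the shell will run. Illustrative:
    it does not model $(...) or backticks, which is exactly why the fix below does not
    rely on parsing the input at all."""
    lex = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    commands, current = [], []
    for tok in lex:
        if tok in (";", "&&", "||", "|", "&"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def is_valid_host(host: str) -> bool:
    """Allow-list: a literal IP address or a well-formed hostname, nothing else."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return HOSTNAME_RE.fullmatch(host) is not None


def safe_ping_argv(host: str) -> list:
    """Validate first, then build an argv list: with no shell involved, metacharacters
    in the value are just bytes inside one argument."""
    if not is_valid_host(host):
        raise ValueError("rejected host parameter: %r" % host)
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> subprocess.CompletedProcess:
    """The hardened handler; raises ValueError on bad input instead of running anything."""
    return subprocess.run(safe_ping_argv(host), capture_output=True, text=True, timeout=10)


if __name__ == "__main__":
    payload = "8.8.8.8; cat /etc/passwd"                     # constructed attacker input
    print(shell_commands(vulnerable_ping_cmdline(payload)))  # two commands
    print(is_valid_host(payload), is_valid_host("8.8.8.8"))
```

The same two-step rule (allow-list the value, never let a shell see it) applies to the nslookup variant and to any other helper the web tier invokes.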
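The SQL Inject row (4.92-99) lists finding errors, grabbing more data and getting the DB structure. As an added example, not course material, the Python below runs payloads of those kinds against an in-memory SQLite users table built from constructed rows: the concatenated login query falls to a comment, a tautology and a UNION against `sqlite_master`, while the parameterized version returns nothing for the same inputs. Passwords sit in the table in clear only so the injection result is visible; a real application stores a slow salted hash.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data. INTEGER PRIMARY KEY is a rowid alias, so the schema
    lookup below returns exactly one sqlite_master row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
                 "password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, password, role) VALUES (?, ?, ?)",
                     [("admin", "s3cr3t-admin", "admin"), ("alice", "wonderland", "user")])
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str) -> list:
    """String concatenation: the user controls part of the SQL text the engine parses."""
    sql = ("SELECT username, role FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchall()


def login_safe(conn, username: str, password: str) -> list:
    """Parameterised query: the values are bound after parsing and can never become SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Constructed payloads, one per technique named in the index row.
BYPASS_COMMENT = "admin' --"                                  # comment out the password test
BYPASS_TAUTOLOGY = "' OR '1'='1"                              # "grabbing more": every row matches
SCHEMA_UNION = "' UNION SELECT name, sql FROM sqlite_master --"  # "getting DB structure"


def demo() -> dict:
    conn = make_db()
    return {
        "comment": login_vulnerable(conn, BYPASS_COMMENT, "anything"),
        "tautology": login_vulnerable(conn, BYPASS_TAUTOLOGY, BYPASS_TAUTOLOGY),
        "schema": login_vulnerable(conn, SCHEMA_UNION, "x"),
        "safe_comment": login_safe(conn, BYPASS_COMMENT, "anything"),
        "safe_tautology": login_safe(conn, BYPASS_TAUTOLOGY, BYPASS_TAUTOLOGY),
        "safe_schema": login_safe(conn, SCHEMA_UNION, "x"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The identification/containment half of the row maps onto the same code: a WAF or log search for `' OR '1'='1`, `UNION SELECT` and `--` in request parameters finds the attempts, and the parameterized query is the eradication.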
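The IP Header row (2.80) and the Covering Tracks on Network row (5.93-107, "Covert_TCP & IP headers") meet in one field: the 16-bit IP Identification. This added Python example, mine and not the course's or Covert_TCP's, packs and parses IPv4 headers with a verified checksum, hides one character per packet in the ID field the way that class of tool does, and gives the defender's heuristic: a stream whose IDs are all small printable values is not what any real stack emits. The addresses are constructed, and the "low byte carries the character" layout is an assumption for illustration; Covert_TCP's own encoding differs.

```python
import socket
import struct

SRC, DST = "10.0.0.10", "10.0.0.20"        # constructed; nothing is sent


def ip_checksum(header: bytes) -> int:
    """RFC 1071 Internet checksum over a header whose checksum field is zeroed."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold the carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, ident: int, proto: int = 6, ttl: int = 64,
               payload: bytes = b"") -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fixed header fields and recompute the checksum; a stale checksum
    is what you see when a header was edited in flight or crafted carelessly."""
    (ver_ihl, _tos, total_len, ident, _flags_frag, ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    header = pkt[:ihl]
    expected = ip_checksum(header[:10] + b"\x00\x00" + header[12:])
    return {"version": ver_ihl >> 4, "ihl": ihl, "total_len": total_len, "id": ident,
            "ttl": ttl, "proto": proto, "src": socket.inet_ntoa(src),
            "dst": socket.inet_ntoa(dst), "checksum_ok": csum == expected}


def encode_covert(message: str, src: str = SRC, dst: str = DST) -> list:
    """Sender: one packet per character, the byte riding in the Identification field."""
    return [build_ipv4(src, dst, ord(ch)) for ch in message]


def decode_covert(packets: list) -> str:
    """Receiver: read the low byte of each IP ID back out."""
    return "".join(chr(parse_ipv4(p)["id"] & 0xFF) for p in packets)


def looks_like_id_channel(packets: list, min_packets: int = 4) -> bool:
    """Defender heuristic. Real stacks use incrementing or random IDs spread over the
    whole 16-bit range; a run of IDs that are all printable ASCII is a covert channel."""
    ids = [parse_ipv4(p)["id"] for p in packets]
    if len(ids) < min_packets:
        return False
    printable = sum(1 for i in ids if 0x20 <= i <= 0x7E)
    return printable / len(ids) >= 0.9


if __name__ == "__main__":
    covert = encode_covert("exfil")
    print(decode_covert(covert), looks_like_id_channel(covert))
    normal = [build_ipv4(SRC, DST, 0x3A10 + i) for i in range(8)]
    print(looks_like_id_channel(normal), parse_ipv4(normal[0])["checksum_ok"])
```

The heuristic is deliberately narrow; a tool that spreads the payload across other fields or XORs it with a stream would defeat it, which is why the row's defense section leans on egress filtering and baselining per-host IP ID behaviour rather than on one signature.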