Specific Topic / Tools
| Index item | Notes | Book.Page | Book - Chapter |
|---|---|---|---|
| Account Harvesting | automate harvesting through script, bad/good user ID, compromised accounts, defense | 4.79-84 | 4 - Exploitation - Web App Attacks |
| Appendix A: VMware & Linux | | 1.164 | 1 - Applied Incident Handling |
| Appendix B: Linux Cheatsheets | | 1.215 | 1 - Applied Incident Handling |
| App-Level Trojans | client-server, suites (Poison Ivy, DameWare, Sub7, Gh0st RAT, Blackshades), trick user to install, or self install, scareware (16) | 5.09-16 | 5 - Keeping Access |
| Applied Incident Handling | types of incidents | 1.135 | 1 - Book 1 |
| ARP Cache Poisoning | Foiling switches, tools for it on (36) | 3.37 | 3 - Sniffing - Passive/Active |
| Arpspoof | ARP Cache Poisoning: manipulate IP-to-MAC address mapping, feeds false ARP messages into the LAN so traffic is directed to the attacker for sniffing | 3.36 | 3 - Sniffing - Passive/Active |
| Attack Trends | motivations, types of attackers, kinetic impact, hacking for fun, hacktivism & underground | 2.09-15 | 2 - Hacker Exploits Part 1 |
| Attacking State Maintenance W/ Web App Sessions | tracked, specialized browsers, manipulation proxy architecture, manipulation proxies, ZAP, beyond session ID | 4.117-125 | 4 - Exploitation - Web App Attacks |
| Bettercap | Ruby framework used to manipulate ARP mapping on target | 3.36, 38 | 3 - Sniffing - Passive/Active |
| BGP Hijacking | Border Gateway Protocol (BGP) allows routers on the internet to route traffic to the correct place; ASN defines which router is responsible for which IPs; defense | 3.07-09 | 3 - Exploitation - Gaining Access |
| Buffer Overflow | allows attacker to take over system, escalate privileges, execute arbitrary commands; moving data around in memory without checking size (more data than allocated for) | 3.67-82 | 3 - Exploitation - Gaining Access |
| Buffer Overflow | exploiting, creating, finding, cramming, exploit code, more characteristics, setting return pointer | 3.74-82 | 3 - Buffer Overflow |
| Cain | LANMAN, NT hashes, no salts (SAM), rainbow tables, Cain & Abel, wardriving, sniffer, hash calculator, network neighborhood explorer, ARP cache poisoning, etc. (4.24), defense, disabling, tools | 4.16-33 | 4 - Password Cracking |
| Calling Subroutines | breaks programmed routine and jumps to another part to run attack | 3.71 | 3 - Buffer Overflow |
| Command Inject | web apps that take input from users, process it and output it; flaws in that allow for command injection; ping, nslookup, defense | 4.86-89 | 4 - Exploitation - Web App Attacks |
| Common Remote Backdoor Capabilities | system controls, keylogger, dialog boxes, lock up or reboot, access files, create VPNs, camera/audio, similar to Meterpreter, blending-in names (SCSI, UPS, server, client, and svchost) | 5.15 | 5 - Keeping Access |
| Containment - Long term | obtain backups then make changes; if system can be kept offline move to eradication phase, if not possible, perform long-term containment actions | 1.101-102 | 1 - Containment |
| Containment | sub-phases, deploy, characterize, notifying mgmt, CyberCPR | 1.87-103 | 1 - Incident Handling |
| Containment - Characterize Incident | category/type of incident, criticality & severity | 1.90 | 1 - Containment |
| Containment - Hijacking | | 3.64 | 3 - Hijacking Attacks |
| Containment - Inform Management | notifying appropriate officials and tracking entry | 1.92 | 1 - Containment |
| Containment - Initial Analysis | avoid obvious methods when looking for the intruder | 1.94 | 1 - Containment |
| Containment - ISP Coordination | may assist in: identification, containment, & recovery | 1.97 | 1 - Containment |
| Containment - Short Term (1) & (2) | short-term containment | 1.95-96 | 1 - Containment |
| Covering Tracks - Steganography | tools (113) (Jsteg, MP3Stego, S-Mail, Invisible Secrets, Stash, Hydan), detecting (119), defending | 5.112-121 | 5 - Covering Tracks |
| Covering Tracks in Linux/UNIX | hiding files, where, dir, log editing, shell history, accounting entry editing | 5.63-72 | 5 - Covering Tracks |
| Covering Tracks in Windows | hiding files in NTFS, alternate data streams, finding hidden streams, log editing, Meterpreter, defense, accounting entry editing, logon tracer | 5.76-89 | 5 - Covering Tracks |
| Covering Tracks on Network | reverse HTTP shells, ICMP tunnels, Covert_TCP & IP headers, Ptunnel features (98), bounce mode, Gcat (106) | 5.93-107 | 5 - Covering Tracks |
| Cross-site scripting | launching attacks, walkthrough, reflected XSS, access to internal systems (107), BeEF, admin apps, defense | 4.101-114 | 4 - Exploitation - Web App Attacks |
| CyberCPR | web app that tracks incidents & evidence | 1.93 | 1 - Containment |
| Denial-of-service | types of DoS, EDNS, local DoS, DNS amplification attacks, bot DoS suites, DDoS, pulsing zombies (141), evolution of the flood, Low/High Orbit Ion Cannon (LOIC/HOIC), defense | 4.127 | 4 - Exploitation - DOS |
| DNS Interrogation | DNS, nslookup, zone transfer in Windows/UNIX | 2.24-27 | 2 - Reconnaissance |
| Endpoint Security Bypass | external access, creating malware, macros, unicorn, ghostwriting, editing assembly, app whitelisting, InstallUtil-ShellCode.cs, InstallUtil.exe /logfile= /LogToConsole=false /U exeshell.exe | 3.108-121 | 3 - Exploitation - Gaining Access |
| Enterprise Wide - IR | Enterprise Wide - IR data: ingress/egress, DNS, web proxy, connection | 1.121-124 | 1 - Incident Handling |
| Eradication | restoring from backups, removing malicious software, improving defense, vulnerability analysis | 1.105-109 | 1 - Incident Handling |
| Espionage | type of incident; many unauthorized access cases are espionage; oreo for target analysis, identification, maximize data collection, deceiving the TA | 1.136-140 | 1 - Applied Incident Handling |
| Evading IDS/IPS | invalid TCP checksum bypass, blending in, defense | 2.107-109 | 2 - Scanning |
| EyeWitness | Port Scanning: screenshots websites, VNC, RDP servers | 2.97 | 2 - Scanning |
| Foiling DNS | 1) run MiTMf, which listens for DNS queries for the target domain; 2) victim runs a program that tries to resolve the target domain; 3) decide what option next; 4) tool sends a spoofed DNS response; 5) now you see what they do | 3.41-44 | 3 - Sniffing - Passive/Active |
| Forensic Images | ASAP, memory & file system, create a hash | 1.98 | 1 - Containment |
| Gaining Access | Book 3 | through 4.74 | 3 - Exploitation - Gaining Access |
| Gaining Access Cont. 1 | Password Cracking, Pass the Hash, Worms, Bots, BeEF | 4.01-77 | 4 - Exploitation - Gaining Access |
| Hacker Attack Steps | Reconnaissance, Scanning, Exploitation, Keeping Access, Covering Tracks | 2.17-5.122 | 2 - Attack Trends |
| Heap-and-integer-based overflows | similar core issue to buffer overflow: non-validated input | 3.68 | 3 - Buffer Overflow |
| Hijacking Attacks | Responder, attacking WPAD, defense, identification, containment, eradication, recovery | 3.56 | 3 - Exploitation - Gaining Access |
| Identification | handlers, control info, commo channels, where to look, detection, Windows cheat sheets | 1.49-79 | 1 - Incident Handling |
| Identification - Hijacking | | 3.63 | 3 - Hijacking Attacks |
| Identification Occurs where? | detection: network, host, system, application | 1.54-60 | 1 - Identification |
| Identification: Chain of Custody | establish chain of custody | 1.85 | 1 - Identification |
| IH Process - 6 Main Phases | | 1.17 | 1 - Incident Handling |
| Incident Handling | | 1.01 | 1 - Book 1 |
| Incident Handling definitions & Overview | | 1.05 | 1 - Incident Handling |
| Insider Threat | definition, handling, identification, assessment checklist (153) | 1.150-155 | 1 - Applied Incident Handling |
| InstallUtil.exe /logfile= /LogToConsole=false | when the .exe is uninstalled it will execute malicious code | 3.119 | 3 - Endpoint Security Bypass |
| InstallUtil-ShellCode.cs | adjust how malware is executed | 3.118 | 3 - Endpoint Security Bypass |
| Intellectual Property | patents, copyrights, TM, trade secrets | 1.157-159 | 1 - Applied Incident Handling |
| Intrusion Discovery - Windows | Windows: Intrusion Discovery (leaflet) | 1.65-78 | 1 - Identification |
| IP Header | Network Mapping: IP packet header | 2.80 | 2 - Scanning |
| John the Ripper | multi-platform, feed it encrypted password files, UNIX passwd file format, shadow file format, JtR modes, input/outputs (39), Hashcat, defense, use PAM for complexity | 4.35-43 | 4 - Password Cracking |
| Kansa Soup | uses PowerShell 3, IR tool | 1.131-134 | 1 - Enterprise Wide - IR |
| Legal & Cybercrime Laws | Applied Incident Handling - country-specific | 1.161 | 1 - Applied Incident Handling |
| Lessons Learned | report, meeting, apply fixes | 1.115-118 | 1 - Incident Handling |
| Maltego | gathers information, transforms (examples), defenses against Maltego | 2.46-48 | 2 - Reconnaissance |
| Man-in-the-Middle framework | MiTMf: supports ARP cache poisoning and multiple other injection/TCP stream modification attacks | 3.36 | 3 - Sniffing - Passive/Active |
| Masscan | Port Scanning: scanner, slow, separate SYNs & SYN/ACKs | 2.96 | 2 - Scanning |
| Memory Analysis Tool | used to determine attacker's actions, needs memory dump, Volatile Systems Volatility framework, Google Rekall | 5.22-28 | 5 - Keeping Access |
| Metasploit | BO - framework, packaging, arsenal, GUI, exploits in MSF, payloads, defense for buffer overflow, code checking tools | 3.83 | 3 - Buffer Overflow |
| Meterpreter | part of Metasploit; able to load and interact with DLLs in real time, create specialized CLI access within running programs | 3.89-90 | 3 - Buffer Overflow - Metasploit |
| MITRE ATT&CK Matrix | Identification section - blurb | 1.83 | 1 - Identification |
| Nessus | scan for vulnerabilities | 2.111-117 | 2 - Scanning |
| Netcat Multipurpose | client/listen mode, commands (3.14), uses (15), data transfer, port/vuln scan, connecting, backdoors, reverse shells (21), relays | 3.10-26 | 3 - Exploitation - Gaining Access |
| Network Mapping | Nmap mapping: understand topology of network, internet connectivity (DMZ & perimeter networks), internal network, port scan, sweeping for online systems, Zenmap, traceroute, defense | 2.79-85 | 2 - Scanning |
| Nmap | port scanning: types of scans, ACK scans, OS fingerprinting | 2.92-95 | 2 - Scanning |
| Open Web App Sec Project (OWASP) | offers useful items, frameworks, guides, checklists, WebGoat, ZAP | 4.77 | 4 - Exploitation - Gaining Access |
| Parser Problems | buffer overflow problem area; protocol code that grabs data from the network and parses it for an application, often run as root | 3.103-107 | 3 - Buffer Overflow |
| Pass-the-hash Attacks | architecture, tools, Kerberoasting, defense | 4.47-51 | 4 - Exploitation - Gaining Access |
| Password Cracking | guessing, spraying, THC Hydra, cracking methods, dictionary, brute force, hybrid, for good reason? | 4.01-15 | 4 - Exploitation - Gaining Access |
| Physical Access | Rubber Ducky - HID (Human Interface Devices), defense | 3.03 | 3 - Exploitation - Gaining Access |
| Port Scanning | identify openings on a system & type of system, TCP/UDP, Nmap: scan types (92), OS fingerprinting, Masscan, EyeWitness, Remux | 2.87-103 | 2 - Scanning |
| Port Scanning - defense | defense, checking, and disabling for Windows & Linux | 2.99-103 | 2 - Scanning |
| PowerShell | Enterprise Wide - IR: Kansa Soup IR tool | 1.130 | 1 - Enterprise Wide - IR |
| Preparation | people, policy, data, soft/hardware, supplies, commos, transpo, space/storage, power controls | 1.19-47 | 1 - Incident Handling |
| Recon Vuln Systems | searching for vulnerable systems, RDP, default webpages (Apache, IIS, ColdFusion), indexable directories, video cameras | 2.42 | 2 - Reconnaissance |
| Recovery | get impacted system back into production safely | 1.111-114 | 1 - Incident Handling |
| Recovery - Artifacts | look for return of TA, wmic, Linux ps | 1.114 | 1 - Incident Handling |
| Rekall | Google Rekall, memory analysis tool, modules, viewing network connections, viewing processes, filtering, DLLs and command line | 5.23-28 | 5 - Keeping Access |
| Remux | Port Scanning: POC tool to demo scanning via multiple open proxies online, reverse multiplexes connections; TA use this to bounce scanning through proxies to avoid getting caught | 2.98 | 2 - Scanning |
| Risk of Continuing Ops | acquire logs, how far did TA get?, logs of neighboring systems, business decision | 1.100 | 1 - Containment |
| Rootkit Examples | rooty, avatar, fontanini, defense, Windows, UNIX/Linux, additional detectors, network intel/forensics | 5.51-60 | 5 - Keeping Access |
| Rootkit Techniques | platforms, Linux components, hiding, Windows user-mode, DLL injection, API hooking, where and what, kernel-mode (41) | 5.33-49 | 5 - Keeping Access |
| Snarfing Application Layer | once data is flowing through our proxy, you can harvest data, invoke keylogger; MiTMf has a module called JSKeylogger, also has screenshots | 3.39 | 3 - Sniffing - Passive/Active |
| Sniffing - passive/active | Wireshark, OSI protocol layering, ARP, MAC-to-IP, name resolution | 3.30-55 | 3 - Exploitation - Gaining Access |
| Sniffing SSL & SSH | steps listed | 3.45, 48 | 3 - Sniffing - Passive/Active |
| SQL Inject | looking for vulns, database manipulation, examples: finding errors, dropping data, grabbing more, getting DB structure; defense, identification/containment | 4.92-99 | 4 - Exploitation - Web App Attacks |
| SSL warnings | dodging, avoiding, sslstrip, Firesheep | 3.50-53 | 3 - Sniffing - Passive/Active |
| Step 1: Reconnaissance | | 2.15-51 | 2 - Hacker Exploits Part 1 |
| Step 2: Scanning | war dialing, war driving, LAN discovery, Nmap network/port, evading IDS, vuln scanning, Nessus, SMB | 2.52-134 | 2 - Hacker Exploits Part 1 |
| Step 3: Exploitation | Book 3 - Gaining Access, ends at Endpoint Security | Book 3 & 4 | 3 - Hacker Exploits Part 2 |
| Step 3: Exploitation Cont. 1 | continue Gaining Access, web apps, DoS | Book 4 | 4 - Hacker Exploits Part 3 |
| Step 4: Keeping Access | Trojan backdoors, malware levels, apps, VNC, remote backdoors, wrappers, anti-reverse malware, packers | 5.05-61 | 5 - Hacker Exploits Part 4 |
| Step 5: Covering Tracks | covering tracks on: Linux, UNIX, Windows, network, steganography | | 5 - Hacker Exploits Part 4 |
| Subterfuge | MiTM tool | 3.49 | 3 - Sniffing - Passive/Active |
| Trojan Backdoors & Malware levels | levels: application-level backdoor, user-mode rootkit, kernel-mode rootkit | 5.06-07 | 5 - Keeping Access |
| Unauthorized Use | Espionage; abusing normally granted access, common support areas: email problems & inappropriate web surfing | 1.141-148 | 1 - Applied Incident Handling |
| Virtual Network Computing (VNC) | remote-access suite, legit, often abused, platforms, active client and listening client, WinVNC | 5.10-13 | 5 - Keeping Access |
| Vuln Scan - Nessus | vulnerability scanning with Nessus, plug-ins, defense (117) | 2.111-117 | 2 - Scanning |
| War Dialing | dial a sequence of phone numbers, attempting to locate modem carriers or secondary dial tones (remote access routers); Demon Dialers: single number brute force passwords; defense preparations | 2.53-58 | 2 - Scanning |
| War Driving | wireless misconfigs, tools for wireless LAN discovery, inSSIDer GUI, Kismet, sniffing, crypto, "easy-creds", karma, karmetasploit, defense | 2.60-76 | 2 - Scanning |
| WarVOX | War Dialing: wardialing tool, VoIP, IAX protocol support required, Caller ID spoofing, 8 hours of wardialing into 1 hour (1000 numbers) | 2.54-56 | 2 - Scanning |
| Web App Attacks | Account Harvesting, Command Injection, SQL Injection, Cross-site Scripting | 4.79-126 | 4 - Exploitation - Web App Attacks |
| Web-Based Recon & Attack Sites | various websites offer the ability to research or attack another site; internet scanning web pages (traceroute, ping, port scan, DoS test), Shodan | 2.50 | 2 - Reconnaissance |
| Website Searches | recon website, open source info recon, Pushpin, search defense | 2.29-33 | 2 - Reconnaissance |
| Whois | domain name registration, research, IP blocks, sample, recon defense | 2.18-22 | 2 - Reconnaissance |
| WMIC | Artifacts Recovery; Enterprise Wide - IR; query just about everything | 1.114, 1.128 | 1 - Enterprise Wide - IR |
| Worms & Bots | multi-exploit, multi-platform, zero-days, fast spreading, Warhol/Flash technique, polymorphic, payload, metamorphic, bot distro, bot commo, Fast Flux, bot functionality, defense | 4.53-73 | 4 - Exploitation - Gaining Access |
| Wrappers, Anti-reverse Engineering, and Packers | wrap backdoor tool in another application, creates exe trojans, AKA binders, Veil toolkit bypass AV, defense, reversing exes | 5.18-20 | 5 - Keeping Access |
| Xplico | | 3.40 | 3 - Sniffing - Passive/Active |