These notes will come in handy in the exam.
List of common ports:
Port | Service | Description |
---|---|---|
20,21 | FTP | File Transfer Protocol, used to transfer files between systems. |
22 | SSH | Secure Shell Protocol allows users to securely connect to a remote host. |
23 | Telnet | Used before SSH, allows users to connect to a remote host, doesn't offer encryption. |
25 | SMTP | Simple Mail Transfer Protocol used to send emails between servers within the network, or over the internet. |
53 | DNS | Domain Name System converts human-readable domain names to machine-readable IP address. |
67,68 | DHCP | Dynamic Host Configuration Protocol automatically assigns IP address-related information to hosts on the network. |
80 | HTTP | Hypertext Transfer Protocol allows browsers (Chrome, Firefox, etc) to connect to web servers and request contents. |
443 | HTTPS | Hypertext Transfer Protocol Secure is a secure version of HTTP Protocol which allows browsers to securely connect to web servers and request contents. |
514 | Syslog | Syslog server listens for incoming Syslog notifications, transported by UDP packets. |
- Email Artifacts:
  - Sending Email Address
  - Subject Line
  - Recipient Email Addresses
  - Sending Server IP & Reverse DNS
  - Reply-To Address
  - Date & Time
- Web Artifacts:
  - Full URLs
  - Domain Names
- File Artifacts:
  - Attachment Name
  - MD5, SHA1, SHA256 Hash Value
- Visualization Tools - URL2PNG, URLScan, AbuseIPDB
- URL Reputation Tools - VirusTotal, URLScan, URLhaus, WannaBrowser
- File Reputation Tools - VirusTotal, Talos File Reputation
- Malware Sandboxing - Hybrid Analysis, Any.run, VirusTotal, Joe Sandbox
- Data Representation can be done in the following ways:
  - Base64
  - Hexadecimal
  - Octal
  - ASCII
  - Binary
- File Carving:
  scalpel -b -o <output> <disk image file>
- Hashes:
  - Windows - by default, the Get-FileHash cmdlet generates the SHA256 hash of a file,
    get-filehash <file>
    To generate the MD5 hash of a file,
    get-filehash -algorithm MD5 <file>
    To generate the SHA1 hash of a file,
    get-filehash -algorithm SHA1 <file>
  - Linux -
    md5sum <file>
    sha1sum <file>
    sha256sum <file>
- Find digital evidence with:
  - FTK Imager - import the .img file into FTK Imager.
  - KAPE - can be used for fast acquisition of data.
- Windows Investigations:
  - LNK Files - these files can be found at
    C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent
  - Prefetch Files - these files can be found at
    C:\Windows\Prefetch
    - PECmd - this tool can be used to view the prefetch files.
      PECmd.exe -f <path/to/file.pf>
  - Jumplist Files - these files can be found at
    C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
    C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations
  - Logon Events - these event logs can be found at
    C:\Windows\System32\winevt\Logs
    - ID 4624 - successful logons to the system.
    - ID 4672 - Special Logon events, where an account with administrative privileges logs in.
    - ID 4625 - failed logon events.
    - ID 4634 - logoffs from the current session.
  - Capture and view the browser history with
    - Browser History Viewer
    - Browser History Capturer
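The logon event IDs listed above are what a triage script keys on. As an added example (not part of the original notes), the Python below correlates constructed 4624/4625/4672 records to flag a burst of failed logons followed by a success from the same source, and lists accounts that were assigned special privileges at logon; the event records, account names and addresses are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Security events: (timestamp, event ID, account, source IP).
# Five 4625 failures from 10.0.0.5 are followed by a 4624 success and a 4672
# privileged logon for the same account, then a normal session for alice.
SAMPLE_EVENTS = [
    ("2023-01-10 09:00:01", 4625, "jsmith", "10.0.0.5"),
    ("2023-01-10 09:00:03", 4625, "jsmith", "10.0.0.5"),
    ("2023-01-10 09:00:05", 4625, "jsmith", "10.0.0.5"),
    ("2023-01-10 09:00:07", 4625, "jsmith", "10.0.0.5"),
    ("2023-01-10 09:00:09", 4625, "jsmith", "10.0.0.5"),
    ("2023-01-10 09:00:12", 4624, "jsmith", "10.0.0.5"),
    ("2023-01-10 09:01:00", 4672, "jsmith", "10.0.0.5"),
    ("2023-01-10 09:30:00", 4624, "alice", "10.0.0.9"),
    ("2023-01-10 09:45:00", 4634, "alice", "10.0.0.9"),
]

def parse(events):
    """Turn the timestamp strings into datetimes and sort chronologically."""
    return sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), eid, acct, src)
                  for ts, eid, acct, src in events)

def failed_then_success(events, threshold=5, window=timedelta(minutes=5)):
    """(account, source) pairs with >= threshold 4625s inside `window`
    followed by a 4624 from the same source: a brute-force indicator."""
    fails = defaultdict(list)
    hits = set()
    for ts, eid, acct, src in parse(events):
        key = (acct, src)
        if eid == 4625:
            # keep only the failures that are still inside the sliding window
            fails[key] = [t for t in fails[key] if ts - t <= window] + [ts]
        elif eid == 4624 and len(fails[key]) >= threshold:
            hits.add(key)
    return hits

def privileged_logons(events):
    """Accounts that produced a 4672 (special privileges assigned at logon)."""
    return {acct for _, eid, acct, _ in parse(events) if eid == 4672}

if __name__ == "__main__":
    print("failed-then-success:", failed_then_success(SAMPLE_EVENTS))
    print("privileged logons:", privileged_logons(SAMPLE_EVENTS))
```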
- Linux Investigations:
  - /etc/passwd - contains information about all users on the system.
  - /etc/shadow - contains the users' password hashes.
  - unshadow - used to combine the passwd and shadow files.
  - /var/lib/dpkg/status - this file lists all installed software packages.
  - .bash_history - contains all commands issued by the user.
  - Hidden Files - files whose name begins with a dot (.).
  - Clear Files - files that are accessible through standard means.
  - Steganography - the practice of concealing messages or information within other non-secret text or data.
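An added example (not from the original notes) that applies the passwd, shadow and unshadow points above: it parses constructed /etc/passwd and /etc/shadow content, rebuilds what unshadow prints, and flags the accounts an investigator should look at first (a second UID 0 account, an empty password field, a system account with an interactive shell). The file contents and the $6$ hash values are constructed placeholders.

```python
# Constructed sample files; the $6$ values are placeholders, not real hashes.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup2:x:0:0::/tmp:/bin/sh
svc:x:1001:1001::/var/svc:/bin/sh
"""
SHADOW = """\
root:$6$saltsalt$PLACEHOLDERHASH:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
alice:$6$saltsalt$PLACEHOLDERHASH:19700:0:99999:7:::
backup2:$6$saltsalt$PLACEHOLDERHASH:19700:0:99999:7:::
svc::19700:0:99999:7:::
"""

def parse_passwd(text):
    """Map user name -> uid, home and shell from /etc/passwd lines."""
    users = {}
    for line in (l for l in text.splitlines() if l.strip() and not l.startswith("#")):
        name, _, uid, _, _, home, shell = line.split(":")
        users[name] = {"uid": int(uid), "home": home, "shell": shell}
    return users

def parse_shadow(text):  # user name -> password field (hash, '*', '!' or empty)
    return {l.split(":")[0]: l.split(":")[1] for l in text.splitlines() if l.strip()}

def unshadow(passwd_text, shadow_text):
    """Rebuild `unshadow passwd shadow` output: the shadow hash replaces the 'x'."""
    hashes = parse_shadow(shadow_text)
    out = []
    for f in (l.split(":") for l in passwd_text.splitlines() if l.strip()):
        f[1] = hashes.get(f[0], f[1])
        out.append(":".join(f))
    return "\n".join(out)

def suspicious_accounts(passwd_text, shadow_text):
    """Map user name -> reasons an investigator should look at that account."""
    hashes, findings = parse_shadow(shadow_text), {}
    for name, u in parse_passwd(passwd_text).items():
        reasons = []
        if u["uid"] == 0 and name != "root":
            reasons.append("uid 0 but not root")
        if hashes.get(name) == "":
            reasons.append("empty password field in shadow")
        # system accounts (uid < 1000) normally carry a nologin/false shell
        if u["uid"] < 1000 and name != "root" and not u["shell"].endswith(("nologin", "false")):
            reasons.append("interactive shell on a system account")
        if reasons:
            findings[name] = reasons
    return findings
```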
- Volatility -
  Find the image info (suggested profile) of the memory file,
  volatility -f /path/to/file.mem imageinfo
  List the processes of a system,
  volatility -f /path/to/file.mem --profile=PROFILE pslist
  View the process listing in tree form,
  volatility -f /path/to/file.mem --profile=PROFILE pstree
  View the command line and loaded DLLs of the process with PID XXXX,
  volatility -f /path/to/file.mem --profile=PROFILE dlllist -p XXXX
  View network connections,
  volatility -f /path/to/file.mem --profile=PROFILE netscan
  Dump the process with a specific PID XXXX,
  volatility -f /path/to/file.mem --profile=PROFILE procdump -p XXXX -D /home/ubuntu/Desktop
  Scan for all process objects, including terminated and hidden ones,
  volatility -f memdump.mem --profile=PROFILE psscan
  Print expected and hidden processes (cross-view comparison),
  volatility -f memdump.mem --profile=PROFILE psxview
  Create a timeline of events from the memory image,
  volatility -f memdump.mem --profile=PROFILE timeliner
  Pull Internet Explorer browsing history,
  volatility -f memdump.mem --profile=PROFILE iehistory
  Identify files on the system from the memory image,
  volatility -f memdump.mem --profile=PROFILE filescan
- Metadata - data about data.
  - Exiftool
    exiftool <file>
- Splunk - queries must start by referencing the dataset (index),
  index="botsv1"
  To search for a source IP (src) address with a value of 127.0.0.1,
  index="botsv1" src="127.0.0.1"
  To search for the destination IP (dst) address X.X.X.X that this source IP address connected to,
  index="botsv1" src="127.0.0.1" dst="X.X.X.X"
- Network Analysis - use Wireshark to import .pcap and .pcapng files.
- CMD - the command prompt can be used to view valuable information,
  To view the network configuration of the system,
  ipconfig /all
  To check running processes and programs,
  tasklist
  Display running processes and the associated binary file that was executed to create the process,
  wmic process get description, executablepath
  To list all users on the system,
  net users
  List all users in the Administrators group,
  net localgroup administrators
  List all users in the Remote Desktop Users group,
  net localgroup "Remote Desktop Users"
  List all services and detailed information about each one,
  sc query | more
  List open ports on the system, which could reveal a listening backdoor,
  netstat -ab
- PowerShell - can also be used, and often retrieves much more information.
  These commands get network-related information from the system,
  Get-NetIPConfiguration
  Get-NetIPAddress
  List all local users on the system,
  Get-LocalUser
  Provide a specific user to the command to only get information about them,
  Get-LocalUser -Name BTLO | select *
  Quickly identify running services on the system in a separate grid window,
  Get-Service | Where Status -eq "Running" | Out-GridView
  Group running processes by their priority value,
  Get-Process | Format-Table -View priority
  Collect specific information about a process by passing its name (-Name 'namehere') or its Id,
  Get-Process -Id 'idhere' | Select *
  Scheduled tasks are often abused as a common persistence technique, so list them,
  Get-ScheduledTask
  Specify a task and retrieve all of its properties,
  Get-ScheduledTask -TaskName 'PutANameHere' | Select *
  Change the execution policy applied to our user,
  Set-ExecutionPolicy Bypass -Scope CurrentUser
- DeepBlueCLI - a PowerShell script created by SANS to aid with the investigation and triage of Windows event logs.
  To process log.evtx,
  ./DeepBlue.ps1 log.evtx
  DeepBlue can also point directly at the local system's Security or System event logs,
  # Start PowerShell as Administrator, navigate into the DeepBlueCLI tool directory, and run the script
  ./DeepBlue.ps1 -log security
  ./DeepBlue.ps1 -log system
  # If the script does not run, bypass the execution policy first
  Set-ExecutionPolicy Bypass -Scope CurrentUser