# OAS TRAINING

## Belgacom

https://theintercept.com/2014/12/13/belgacom-hack-gchq-inside-story/

## GandCrab

https://krebsonsecurity.com/2019/07/whos-behind-the-gandcrab-ransomware/

## Risk Management

CVE-2017-5638: Apache Struts 2 Vulnerability Leads to Remote Code Execution
https://blog.trendmicro.com/trendlabs-security-intelligence/cve-2017-5638-apache-struts-vulnerability-remote-code-execution/

### DEMO 1: Vulnerable Web Applications

Access https://oas-training.herokuapp.com/, create an account there, and follow the tutorial. The tutorial uses these snippets:

```js
res.end(require('fs').readdirSync('.').toString())
res.end(require('fs').readdirSync('..').toString())
res.end(require('fs').readFileSync(filename))
```

## HTTP Methods

```sh
# -I already issues a HEAD request; adding -X HEAD on top of it makes curl
# wait for a response body that a HEAD reply never carries.
curl -I https://oas-training.herokuapp.com
```

## Grok

http://grokdebug.herokuapp.com/

## Events

https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES

## Metadefender

https://metadefender.opswat.com/

## US CERT

https://www.us-cert.gov/ncas/alerts/TA17-164A

## Firehol

https://iplists.firehol.org/

## ISACs

https://www.nationalisacs.org/

## SANS DFIR

https://digital-forensics.sans.org/media/SANS_Poster_2018_Hunt_Evil_FINAL.pdf

## Supply Chain Attacks

- https://threatpost.com/wipro-confirms-hack/143826/
- https://krebsonsecurity.com/2019/04/experts-breach-at-it-outsourcing-giant-wipro/
- https://krebsonsecurity.com/2019/04/how-not-to-acknowledge-a-data-breach/

## GitLab Postmortem

https://about.gitlab.com/blog/2017/02/10/postmortem-of-database-outage-of-january-31

## CVSS

Specification: https://www.first.org/cvss/v3-1/cvss-v31-specification_r1.pdf

Documentation: https://nvd.nist.gov/vuln-metrics/cvss

Sample calculators:

- https://nvd.nist.gov/Vulnerability-Metrics/Calculator-Product-Integration
- https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator

Compute the CVSS of a known attack (pick one from this list of SQL injection CVEs):
https://www.cvedetails.com/vulnerability-list.php?vendor_id=0&product_id=0&version_id=0&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=1&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&cweid=0&order=1&trc=7853&sha=1b24fccb15090079e49c0131be821c96dc2f001c

Worked examples: https://www.first.org/cvss/v3-1/cvss-v31-examples_r1.pdf

## Kill Chain: Lateral Movement

Japan CSIRT (JPCERT/CC), Detecting Lateral Movement through Tracking Event Logs:
https://www.jpcert.or.jp/english/pub/sr/Detecting%20Lateral%20Movement%20through%20Tracking%20Event%20Logs_version2.pdf

## Use Cases

https://github.com/michaelhidalgo/usecases

## Report a Breach

https://ico.org.uk/for-organisations/report-a-breach/

## Base64

```sh
echo "This text is encoded " | base64
echo "a"
```

https://gist.github.com/michaelhidalgo/fcc7cce0a085cfd620ef1be39c931376

## Attack to ELK

https://github.com/michaelhidalgo/attack-to-elk

## Cabby Docker (TAXII client)

### Discovery

```sh
docker run --rm eclecticiq/cabby taxii-discovery --path https://test.taxiistand.com/read-only/services/discovery
```

### Get collections

```sh
sudo docker run --rm eclecticiq/cabby taxii-collections --path https://test.taxiistand.com/read-only/services/collection-management
```

### Poll a specific collection

```sh
sudo docker run --rm eclecticiq/cabby taxii-poll --path https://test.taxiistand.com/read-only/services/poll --collection single-binding-slow
```

## Hail a TAXII

### Discovery

```sh
sudo docker run --rm eclecticiq/cabby taxii-discovery --path http://hailataxii.com/taxii-discovery-service
```

### Get all the collections

```sh
sudo docker run --rm eclecticiq/cabby taxii-collections --path http://hailataxii.com/taxii-data
```

### Poll a specific collection

```sh
sudo docker run --rm eclecticiq/cabby taxii-poll --path http://hailataxii.com/taxii-data --collection guest.CyberCrime_Tracker
```

## AlienVault OTX

Create an account on OTX; the TAXII discovery service is at https://otx.alienvault.com/taxii/discovery

### Discovery

```sh
docker run --rm eclecticiq/cabby taxii-discovery --path https://otx.alienvault.com/taxii/discovery
```

### List all collections

```sh
sudo docker run --rm eclecticiq/cabby taxii-collections --path https://otx.alienvault.com/taxii/collections
```

### Poll the user_AlienVault collection

```sh
sudo docker run --rm eclecticiq/cabby taxii-poll --path https://otx.alienvault.com/taxii/poll --collection user_AlienVault
```