├── Soc-analyst
│   ├── Bean
│   │   └── Readme.md
│   ├── MEGO
│   │   └── Readme.md
│   ├── 55H-Access
│   │   └── Readme.md
│   ├── FourOFour
│   │   └── Readme.md
│   ├── Pass-Reset
│   │   └── Readme.md
│   ├── Phisher
│   │   └── Readme.md
│   ├── USB-Case
│   │   └── Readme.md
│   ├── Creepy-DNS
│   │   ├── repeated.py
│   │   └── README.md
│   ├── Competition
│   │   └── Readme.md
│   ├── Smart-Role
│   │   └── Readme.md
│   ├── SIEM-Port
│   │   └── Readme.md
│   ├── CVE-Number
│   │   └── Readme.md
│   ├── Bean-Detector
│   │   └── Readme.md
│   ├── Remote-Hacker
│   │   └── Readme.md
│   ├── Backdoor
│   │   └── Readme.md
│   └── WormSeen
│       └── README.md
├── AllInOne
│   ├── Missey.md
│   ├── Brut3Forc3.md
│   ├── activeattack.md
│   └── README.md
├── Threat-hunter
│   ├── YaraMagic.md
│   ├── WithIncode.md
│   └── README.md
└── README.md

--------------------------------------------------------------------------------
/Soc-analyst/Bean/Readme.md:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/Soc-analyst/MEGO/Readme.md:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/Soc-analyst/55H-Access/Readme.md:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/Soc-analyst/FourOFour/Readme.md:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/Soc-analyst/Pass-Reset/Readme.md:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/Soc-analyst/Phisher/Readme.md:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/Soc-analyst/USB-Case/Readme.md:
--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
/Soc-analyst/Creepy-DNS/repeated.py:
--------------------------------------------------------------------------------
# Collapse runs of identical adjacent characters: every character of the
# exfiltrated string showed up twice in the DNS output, so "ZZmm" -> "Zm".
with open('output2_single_line.txt', 'r') as file:
    content = file.read()

# Keep a character only if it differs from the one before it. The "i == 0"
# guard stops Python's negative indexing from comparing the first character
# with the last one.
unique_content = ''.join(
    char for i, char in enumerate(content) if i == 0 or char != content[i - 1]
)

with open('output2_single_line_cleaned.txt', 'w') as file:
    file.write(unique_content)

--------------------------------------------------------------------------------
/AllInOne/Missey.md:
--------------------------------------------------------------------------------
I see hex data, but separated; now I need to automate that.

└─# tshark -r Missey.pcap -Y "tcp.analysis.push_bytes_sent==6" -x > hexpush.txt

Found this:
70505176335852577a75324b5a4f556a4a563877344363486f72786836716b30397c464c41477b4d31355345445f494e425937247d
It's hex, and decoding it I found: pPQv3XRWzu2KZOUjJV8w4CcHorxh6qk09|FLAG{M15SED_INBY7$}

--------------------------------------------------------------------------------
/Soc-analyst/Competition/Readme.md:
--------------------------------------------------------------------------------
## Solution :
### Description : Special kind of cybersecurity competition designed to challenge its participants to solve computer security problems

To solve this challenge, I copied the description of the challenge and submitted it to Google.
It returned:

### A capture the flag (CTF) competition is a special kind of cybersecurity competition designed to challenge its participants to solve cyber security problems and/or capture and defend computer systems.

**Flag:** `CTF`

--------------------------------------------------------------------------------
/Soc-analyst/Smart-Role/Readme.md:
--------------------------------------------------------------------------------
## Description

Skills of collecting information out of cyberspace that has been previously analysed and shared between organisations about different attack scenarios and vectors. What is the role name of the above definition?

## Solution
In the lessons and introductions of SOC Analyst there is:
##### Cyber Threat Intelligence
### Cyber threat intelligence is the skill of collecting information out of cyberspace that has been previously analyzed and shared between organizations about different attack scenarios and vectors.

**Flag:** `flag{Threat Intelligence}`

--------------------------------------------------------------------------------
/Threat-hunter/YaraMagic.md:
--------------------------------------------------------------------------------
# Description
Help us! Here is a copy of a folder of ours;
we need to scan this folder with this YARA rule and check if we have any matches!
Scan this folder with the rule and provide us with the matched filename.
Flag format: FLAG(unknown)

# Solution
The challenge provides us a YARA rule; we only need to run it on this folder.
Here is the rule:
```
root@nenandjabhata:/home/files/Yara Magic# cat rule.yara
rule MySuperCoolRule
{
    strings:

        $my_hex_string = { 54 4f 4b 41 }

    condition:
        $my_hex_string
}

```
I just ran:
```terminal
root@nenandjabhata:/home/files/Yara Magic# yara -f rule.yara Folder/
MySuperCoolRule Folder//12776
```

`FLAG{12776}`

--------------------------------------------------------------------------------
/Soc-analyst/SIEM-Port/Readme.md:
--------------------------------------------------------------------------------
## Description
Your company is planning to use QRadar as its SIEM tool, and you are planning to receive logs from different devices like routers, switches and some other devices. What is the default TLS syslog port that QRadar listens on?

## Solution
This one is very easy to solve, because the only tool you need to know how to use is Google.
Just copy the description and paste it into Google or ChatGPT.
I found this question link: `https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwjjxc-surmAAxVaXvEDHeDUB6wQFnoECBIQAQ&url=https%3A%2F%2Fstackoverflow.com%2Fquestions%2F66268845%2Fqradar-no-listening-on-514-port&usg=AOvVaw2PckjPqaX_0gaSf7RKEx6g&opi=89978449`

**Flag:** `flag{514}`

--------------------------------------------------------------------------------
/Soc-analyst/CVE-Number/Readme.md:
--------------------------------------------------------------------------------
## Solution
### Description: What is the CVE ID that is related to EternalBlue
##### Flag Format: XXX-XXXX-XXXX

To solve this challenge, just Google it; I found this article: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-0144
```
The SMBv1 server in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607; and Windows Server 2016 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows SMB Remote Code Execution Vulnerability." This vulnerability is different from those described in CVE-2017-0143, CVE-2017-0145, CVE-2017-0146, and CVE-2017-0148.
```

**Flag:** `cve-2017-0144`

--------------------------------------------------------------------------------
/Threat-hunter/WithIncode.md:
--------------------------------------------------------------------------------
# Description
Flag rises within the code. Our developer thinks encoding is safe; try to find the location.
Flag format: Flag{location}

# Solution
In this challenge, we need some knowledge about writing YARA rules.
I will write a YARA rule for the word `Flag`, because the challenge description says: `Flag rises within the code.`
First I encode the word `Flag` into `base64`,
which gives `RmxhZw==`, and then I encode that into `hex`, which gives `526d78685a773d3d`.

Now writing the rule:
Here is the documentation: https://yara.readthedocs.io/en/stable/writingrules.html
```
rule unknown
{
    strings:
        $hex = {526d78685a773d3d}
    condition:
        $hex
}

```
When I execute it:
```terminal
root@nenandjabhata:/home/files# yara -f rule.yara Code/
unknown Code//6645
```
We got `Code//6645`, but that's not the location.
To get our location, we need to use the `-s` flag to print the matching strings.

```terminal
root@nenandjabhata:/home/files# yara -s -f rule3.yara Code/
unknown Code//6645
0x2460:$hex: 52 6D 78 68 5A 77 3D 3D
```
Now we just need to convert `0x2460` from hex to decimal to get our location.
Link: https://www.rapidtables.com/convert/number/hex-to-decimal.html
Flag{9312}

--------------------------------------------------------------------------------
/Soc-analyst/Creepy-DNS/README.md:
--------------------------------------------------------------------------------
Our NMS detected suspicious traffic; your task is to investigate the captured traffic and find the reason for the anomaly.

# solution

I used tshark to see what's in the DNS traffic:
`└─# tshark -Y 'dns' -r dns.pcapng`
In the DNS queries I see subdomains like:
```
m.cybertalents.com
Z.cybertalents.com
```
I think I need to fetch the first character of each of these DNS names; now I will ask GPT.
I saved the DNS output to a file, then I just used:
`└─# cat dns.output | grep -E '\b[a-zA-Z0-9_-]+\.cybertalents\.com\b' | awk '{print $12}' | tee -a output2.txt`
Now I will use Sublime Text to remove all the characters I don't want.
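The hand cleanup that follows (the editor pass, the blank-line removal, the doubled-character collapse and the base64 decode) can be done in one script. This is an added example, not the writeup's code: it takes tshark-style `dns` summary lines (constructed here, one query and one response line per exfiltrated character, which is where the doubling the writeup saw comes from), keeps the first label of every `*.cybertalents.com` query in capture order, and base64-decodes the result; the collapse route from `repeated.py` is kept alongside for comparison.

```python
import base64
import re

# Constructed sample in tshark "-Y dns" summary style. The payload is the
# string the writeup recovered; the hosts, frame numbers and IDs are made up.
_PAYLOAD = "ZmxhZ3t0c2hBcmtfSXNfQXdlczBtZV9OZXR3MHJraW5nX3RvMGx9"
SAMPLE_LINES = []
for _i, _c in enumerate(_PAYLOAD):
    _name = f"{_c}.cybertalents.com"
    SAMPLE_LINES.append(
        f"{2 * _i + 1:5} {0.01 * _i:.6f} 10.0.0.5 → 10.0.0.1 DNS 77 "
        f"Standard query 0x{_i:04x} A {_name}")
    SAMPLE_LINES.append(
        f"{2 * _i + 2:5} {0.01 * _i + 0.001:.6f} 10.0.0.1 → 10.0.0.5 DNS 93 "
        f"Standard query response 0x{_i:04x} A {_name} A 10.0.0.9")

# Same pattern as the writeup's grep: the label in front of .cybertalents.com
NAME_RE = re.compile(r"\b([A-Za-z0-9_-]+)\.cybertalents\.com\b")


def extract_labels(lines, queries_only=True):
    """Leading label of every *.cybertalents.com name, in capture order.
    With queries_only the response lines are skipped, so each exfiltrated
    character is taken exactly once; otherwise every name appears twice
    (query and response) and has to be collapsed afterwards."""
    labels = []
    for line in lines:
        if queries_only and "response" in line:
            continue
        m = NAME_RE.search(line)
        if m:
            labels.append(m.group(1))
    return labels


def collapse_adjacent(text):
    """The repeated.py approach: drop a character equal to its predecessor.
    Lossy if the real payload contains a genuinely doubled character ('AA')."""
    return "".join(c for i, c in enumerate(text) if i == 0 or c != text[i - 1])


def recover(lines):
    """Rebuild the base64 string from query lines only and decode it."""
    b64 = "".join(extract_labels(lines))
    return base64.b64decode(b64 + "=" * (-len(b64) % 4)).decode()


def recover_by_collapse(lines):
    """The writeup's route: take all lines, collapse the doubles, decode."""
    doubled = "".join(extract_labels(lines, queries_only=False))
    return base64.b64decode(collapse_adjacent(doubled)).decode()


if __name__ == "__main__":
    print(recover(SAMPLE_LINES))   # flag{tshArk_Is_Awes0me_Netw0rking_to0l}
```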

Remove the blank lines: `sed -i '/^[[:space:]]*$/d' output2.txt`

Now I have repeated characters, which I will remove.
It looks like this:
`ZZmmxxhhZZ33tt00cc22hhBBccmmttffSSXXNNffQQXXddllcczzBBttZZVV99OOZZXXRR33MMHHJJrraaWW55nnXX33RRvvMMGGxx99`
Now I make a small script:
```python
# Collapse runs of identical adjacent characters: every character of the
# exfiltrated string showed up twice in the DNS output, so "ZZmm" -> "Zm".
with open('output2_single_line.txt', 'r') as file:
    content = file.read()

# Keep a character only if it differs from the one before it. The "i == 0"
# guard stops Python's negative indexing from comparing the first character
# with the last one.
unique_content = ''.join(
    char for i, char in enumerate(content) if i == 0 or char != content[i - 1]
)

with open('output2_single_line_cleaned.txt', 'w') as file:
    file.write(unique_content)

```

Now when I open the output:
```
└─# cat output2_single_line_cleaned.txt
ZmxhZ3t0c2hBcmtfSXNfQXdlczBtZV9OZXR3MHJraW5nX3RvMGx9
```
Now I just decode it as base64:

```
└─# echo "ZmxhZ3t0c2hBcmtfSXNfQXdlczBtZV9OZXR3MHJraW5nX3RvMGx9" | base64 -d
flag{tshArk_Is_Awes0me_Netw0rking_to0l}
```

--------------------------------------------------------------------------------
/AllInOne/Brut3Forc3.md:
--------------------------------------------------------------------------------
We suspect that one of our servers at 192.168.250.70 was attacked by a web brute-forcing attack; we need to identify:

X: What is the attacker's IP address.
Y: The average password length (decimal number).

Credentials: cybertalents/cybertalents

In the lessons, hunting for HTTP brute-forcing attempts is done by counting the connections from an IP to our web server:
index=* sourcetype="stream:http" | stats count by src_ip
First I went to the search bar and typed
index=* sourcetype="stream:http"
then I added the dest_ip of our server
index=* sourcetype="stream:http" dest_ip="192.168.250.70"
now I set the HTTP method to POST for logins
index=* sourcetype="stream:http" dest_ip="192.168.250.70" http_method=POST
and count it by src_ip
index=* sourcetype="stream:http" dest_ip="192.168.250.70" http_method=POST
| stats count by src_ip
23.22.63.114 412
40.80.148.42 12844

We found these two IPs; now we will look at the data for these two IPs.
I begin with the second one, which has a lot of packets:
index=* sourcetype="stream:http" dest_ip="192.168.250.70" http_method=POST src_ip="40.80.148.42"
and in form_data I haven't found any brute force.
Now for the other one:
index=* sourcetype="stream:http" dest_ip="192.168.250.70" http_method=POST src_ip="23.22.63.114"
Here I found
username=admin&0960d493674eb04861bd64da9b662118=1&task=login&return=aW5kZXgucGhw&option=com_login&passwd=arthur
and that's the attacker IP: 23.22.63.114
password batman, length 6
flag{23.22.63.114_6}

--------------------------------------------------------------------------------
/AllInOne/activeattack.md:
--------------------------------------------------------------------------------
Can also use https://github.com/WithSecureLabs/chainsaw
I got a log file ../logs.evtx

Our network got compromised two days ago by an unknown attacker, and we need to get an answer for the following questions:

1. What is the domain's SID?
2. The attacker failed to log in to some accounts. What is the attacker's machine IP address?
3. What is the name of the workstation that the attacker was using to authenticate with the administrator account?

Flag format: Flag{ANS1_ANS2_ANS3}

I will use evtxtract to extract it to an .xml file:

└─# python3 /root/environment/myenv/bin/evtxtract logs.evtx > logs.xml

Now that it is extracted:
I know the attacker failed to log in, so I searched on Google:
Look for event ID 4625, which is triggered when a failed logon is registered. Open Event Viewer in Active Directory and navigate to Windows Logs > Security. The pane in the center lists all the events that have been set up for auditing. You will have to go through the registered events to look for failed logon attempts.

And I found:
`pbarker
marvel.local
192.168.80.128
44236
`
User pbarker, and the IP. Now I need the SID, and for fcastle also;
these SIDs share the same prefix:
`S-1-5-21-271597537-2992796785-3713134209-1105 pbarker
`
`S-1-5-21-271597537-2992796785-3713134209-1103 fcastle`
In this case the domain SID will be
S-1-5-21-271597537-2992796785-3713134209; the last number (1105 or 1103) is not part of it.
For the login as admin I searched for event ID 4776:
Event ID 4776 is logged whenever a domain controller (DC) attempts to validate the credentials of an account using NTLM over Kerberos.
Then I found:
`
fcastle
KALI
0x00000000
`
but that was logged as fcastle,
and then I found
`
administrator
THEPUNISHER
`
Flag{S-1-5-21-271597537-2992796785-3713134209_192.168.80.128_THEPUNISHER}

--------------------------------------------------------------------------------
/Soc-analyst/Bean-Detector/Readme.md:
--------------------------------------------------------------------------------
### Description
You have received an alert in your company WAF that a web attack happened recently. Please check and identify the details below:
X : Attacker IP
Y : Name of the vulnerability scanner used by the attacker
Z : Number of bytes in the sensitive file leaked
W : Date and time of the successful attack (xx/xx/xxxx:xx:xx:xx)
### Solution
To solve this challenge, you just need to know some command-line tool usage, like grep and cat:

```
$ cat beansdetectorlogs | grep -e "flag.txt" -e "200 "
172.17.0.1 - - [12/Jun/2022:11:04:11 +0000] "GET /files/skel/ HTTP/1.1" 200 184 "-" "Wfuzz/2.2" "-"
172.17.0.1 - - [12/Jun/2022:11:04:11 +0000] "GET /files/skel/.bashrc HTTP/1.1" 200 3526 "-" "Wfuzz/2.2" "-"
172.17.0.1 - - [12/Jun/2022:11:04:11 +0000] "GET /files/skel/.profile HTTP/1.1" 200 675 "-" "Wfuzz/2.2" "-"
172.17.0.1 - - [12/Jun/2022:11:04:11 +0000] "GET /files/skel/200 HTTP/1.1" 404 169 "-" "Wfuzz/2.2" "-"
172.17.0.1 - - [12/Jun/2022:11:04:15 +0000] "GET / HTTP/1.1" 200 404 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0" "-"
172.17.0.1 - - [12/Jun/2022:11:04:31 +0000] "GET /files../ HTTP/1.1" 200 2482 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0" "-"
172.17.0.1 - - [12/Jun/2022:11:04:38 +0000] "GET /files../home/ HTTP/1.1" 200 302 "http://localhost/files../" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0" "-"
172.17.0.1 - - [12/Jun/2022:11:05:12 +0000] "GET /files../home/flag.txt HTTP/1.1" 200 49 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0" "-"

```
I ran this command, and in the last line I got the sensitive file flag.txt, served successfully with a 200 response.
Now we need to answer the challenge questions:
We see that the attacker IP is 172.17.0.1, and the tool used by the attacker is Wfuzz.
The date and time of the successful attack is also in that last 200 response: 12/Jun/2022:11:05:12. We need to write June as a number, which gives 12/06/2022.
The number of bytes in that sensitive file is found right after the 200 status, and it's "49".

**Flag:** Bro, read all the writeup and solve the challenge; the flag format is `flag{X:Y:Z:W}`.
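The same triage as a small parser over the eight log lines above, as an added example that is not the writeup's code (the lines are copied from the excerpt). It checks the status field instead of grepping for `"200 "`, which is why the `/files/skel/200` request that returned 404 does not slip through, labels the scanner from the User-Agent, counts the `/files../` traversal requests, and reports the answers in the challenge's own formats.

```python
import re
from datetime import datetime

# The eight lines from the writeup's grep output.
LOG_LINES = """\
172.17.0.1 - - [12/Jun/2022:11:04:11 +0000] "GET /files/skel/ HTTP/1.1" 200 184 "-" "Wfuzz/2.2" "-"
172.17.0.1 - - [12/Jun/2022:11:04:11 +0000] "GET /files/skel/.bashrc HTTP/1.1" 200 3526 "-" "Wfuzz/2.2" "-"
172.17.0.1 - - [12/Jun/2022:11:04:11 +0000] "GET /files/skel/.profile HTTP/1.1" 200 675 "-" "Wfuzz/2.2" "-"
172.17.0.1 - - [12/Jun/2022:11:04:11 +0000] "GET /files/skel/200 HTTP/1.1" 404 169 "-" "Wfuzz/2.2" "-"
172.17.0.1 - - [12/Jun/2022:11:04:15 +0000] "GET / HTTP/1.1" 200 404 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0" "-"
172.17.0.1 - - [12/Jun/2022:11:04:31 +0000] "GET /files../ HTTP/1.1" 200 2482 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0" "-"
172.17.0.1 - - [12/Jun/2022:11:04:38 +0000] "GET /files../home/ HTTP/1.1" 200 302 "http://localhost/files../" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0" "-"
172.17.0.1 - - [12/Jun/2022:11:05:12 +0000] "GET /files../home/flag.txt HTTP/1.1" 200 49 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0" "-"
""".splitlines()

# Combined log format with one extra trailing quoted field, as in the excerpt.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
SCANNER_UAS = ("Wfuzz", "Nikto", "sqlmap", "gobuster", "dirb", "ffuf")
SENSITIVE = ("flag.txt", "/etc/passwd", "id_rsa", ".env")


def parse(line):
    """One log line -> dict with typed status, size and timestamp (None if no match)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def triage(lines):
    """Answer X/Y/Z/W of the challenge from the parsed records."""
    recs = [r for r in map(parse, lines) if r]
    scanner = next((r["ua"] for r in recs if r["ua"].startswith(SCANNER_UAS)), None)
    traversal = [r for r in recs if ".." in r["path"]]        # "/files../" style
    leak = next((r for r in recs
                 if r["status"] == 200 and r["path"].endswith(SENSITIVE)), None)
    return {
        "attacker_ip": leak["ip"] if leak else None,
        "scanner": scanner,
        "leaked_bytes": leak["bytes"] if leak else None,
        "when": leak["ts"].strftime("%d/%m/%Y:%H:%M:%S") if leak else None,
        "traversal_requests": len(traversal),
    }


if __name__ == "__main__":
    print(triage(LOG_LINES))
```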

--------------------------------------------------------------------------------
/Soc-analyst/Remote-Hacker/Readme.md:
--------------------------------------------------------------------------------
### Description
Our SOC L1 reported that she received an alert of a suspicious login detected for company user “Kvasir” on 13/06/2022.
Please check and return by your analysis:

X: Session duration spent by the attacker on the system (HH:MM:SS)

Y: The application used by the user after login (xxxx.exe)

Z: Identify the SHA256 of this application
W: Attacker IP address

A: Attacker machine host name

Flag format: flag{X:Y:Z:A}


### Solution
To solve this challenge, many people used Windows to analyze this file. I used Linux to solve it, and here is how I proceeded.

On GitHub, I found a tool named evtxtract that can help me transform the evtx into an xml file, so I installed it.
Now I proceed with the conversion of the evtx files.
```
$ evtxtract Microsoft-Windows-Sysmon_4Operational.evtx > Windows-Sysmon_4Operational.xml
INFO:root:recovered 20044 complete records
INFO:root:recovered 0 incomplete records
```
```
$ evtxtract Security.evtx > Security.xml
INFO:root:recovered 6178 complete records
INFO:root:recovered 0 incomplete records
```
Now, in the description I see that the suspicious login was detected on 13/06/2022. I press CTRL+F and try to find that date in the Security.xml file.
Then I found the computer name on the date 2022-06-13:
```
DESKTOP-9BBI1VE
```
For the session duration spent by the attacker on the system, you need to identify the logon, then also find the matching logoff and calculate the difference.
I also found the IP address in the XML, and this LogonType.
In Windows, LogonType codes are used to identify different types of logon events for security auditing purposes. The value "3" for "LogonType" typically indicates a network logon, which means a user has connected to a remote system (over the network) and logged in with their credentials.
```
3
NtLmSsp
NTLM
Nitro
-
-
0
0x0000000000000000
-
192.168.1.58
0

```
Find the IP address and workstation name there.
To find the application used by the attacker, we should look for a process created by that user.
In Sysmon (System Monitor), an event with ID "1" is the process creation event type. Sysmon is a Windows system service and device driver that monitors and logs various system activities to help detect and investigate potential security threats.
So now we need to go back, look at when the user logged into the system, and then read the events by date.
We will find sethc.exe and Win32calc.exe, and then identify which one of these applications is started by the ParentUser. You will find that application's SHA256 there.

**Flag:** Try harder, bro. If you don't understand all of these steps, ping me on Discord: blomann#3219 for some explanation. Thanks...
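Both this writeup and `activeattack.md` search the evtxtract XML by hand; the example below does the three lookups programmatically and is an added example, not the writeup's code. It derives the domain SID from an account SID by dropping the trailing RID, lists the failed-logon sources from 4625 `IpAddress`, and computes the session duration by pairing a LogonType-3 4624 with the 4634 that carries the same `TargetLogonId`. The records are constructed Windows event XML wrapped in a single root element (an assumption about how the extracted records are fed in); the SIDs, IPs, host and workstation names come from the writeups, the timestamps and logon ID are made up.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample records. Values that the writeups show are reused;
# timestamps and the TargetLogonId are invented for the demonstration.
SAMPLE_XML = """<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>4625</EventID><TimeCreated SystemTime="2022-06-13T18:01:40.000000Z"/><Computer>marvel.local</Computer></System>
<EventData><Data Name="TargetUserName">pbarker</Data><Data Name="TargetSid">S-1-5-21-271597537-2992796785-3713134209-1105</Data>
<Data Name="IpAddress">192.168.80.128</Data><Data Name="IpPort">44236</Data></EventData></Event>
<Event><System><EventID>4624</EventID><TimeCreated SystemTime="2022-06-13T18:02:11.000000Z"/><Computer>DESKTOP-9BBI1VE</Computer></System>
<EventData><Data Name="TargetUserName">Kvasir</Data><Data Name="TargetLogonId">0x3e7a1</Data><Data Name="LogonType">3</Data>
<Data Name="WorkstationName">Nitro</Data><Data Name="IpAddress">192.168.1.58</Data></EventData></Event>
<Event><System><EventID>4634</EventID><TimeCreated SystemTime="2022-06-13T18:47:36.000000Z"/><Computer>DESKTOP-9BBI1VE</Computer></System>
<EventData><Data Name="TargetUserName">Kvasir</Data><Data Name="TargetLogonId">0x3e7a1</Data><Data Name="LogonType">3</Data></EventData></Event>
</Events>"""


def load_events(xml_text):
    """Yield (event_id, time, computer, {data name: value}) per <Event>."""
    root = ET.fromstring(xml_text)
    for ev in root.findall("e:Event", NS):
        sysm = ev.find("e:System", NS)
        eid = int(sysm.find("e:EventID", NS).text)
        stamp = sysm.find("e:TimeCreated", NS).get("SystemTime")
        when = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        computer = sysm.find("e:Computer", NS).text
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        yield eid, when, computer, data


def domain_sid(account_sid):
    """S-1-5-21-<d1>-<d2>-<d3>-<RID> -> S-1-5-21-<d1>-<d2>-<d3>."""
    return account_sid.rsplit("-", 1)[0]


def failed_logon_sources(events):
    """Event 4625: (user, source IP) for every failed logon."""
    return [(d["TargetUserName"], d["IpAddress"]) for eid, _, _, d in events if eid == 4625]


def network_sessions(events):
    """Pair each LogonType-3 4624 with the 4634 that has the same TargetLogonId.
    Returns {logon_id: (user, workstation, ip, computer, 'HH:MM:SS' or None)}."""
    logons, logoffs = {}, {}
    for eid, when, computer, d in events:
        if eid == 4624 and d.get("LogonType") == "3":
            logons[d["TargetLogonId"]] = (when, computer, d)
        elif eid == 4634:
            logoffs[d["TargetLogonId"]] = when
    out = {}
    for lid, (start, computer, d) in logons.items():
        dur = None
        if lid in logoffs:                      # unmatched logons stay open
            s = int((logoffs[lid] - start).total_seconds())
            dur = f"{s // 3600:02d}:{s % 3600 // 60:02d}:{s % 60:02d}"
        out[lid] = (d["TargetUserName"], d.get("WorkstationName"),
                    d.get("IpAddress"), computer, dur)
    return out


def analyse(xml_text):
    """The three answers the writeups look for, from one pass over the records."""
    events = list(load_events(xml_text))
    first_failed = next(d["TargetSid"] for eid, _, _, d in events if eid == 4625)
    return {
        "domain_sid": domain_sid(first_failed),
        "failed": failed_logon_sources(events),
        "sessions": network_sessions(events),
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_XML))
```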

--------------------------------------------------------------------------------
/Threat-hunter/README.md:
--------------------------------------------------------------------------------
## Certified Threat Hunter

Here you will find all **Threat Hunter** unit writeups.

Follow me on my Hacking Journey blog here: https://blackcybersec.xyz


## Certified Threat Hunter

| Challenges | Difficulty | Tags | Completed |
|:---:|:---:|:---:|:---:|
| [APT](./Threat-hunter) | Easy | Hacking groups, OSINT | Completed |
| [Kill Chain](./Threat-hunter) | Basic | MITRE ATT&CK | Completed |
| [CTI Analyst](./Threat-hunter) | Easy | Malware hash | Completed |
| [Yara Magic](./Threat-hunter/YaraMagic.md) | Easy | yara, rules, Basic | Completed |
| [Within Code](./Threat-hunter/WithIncode.md) | Medium | yara, rules, conditions, strings | Completed |
| [Falcon Hunt](./Threat-hunter) | Medium | hunting | Completed |
| Enc0de | Easy | ARP, network analysis | Completed |
| Refresher | Medium | Wireshark hunting | Completed |
| Ex0dus | Medium | Forensic, Wireshark, ICMP | Completed |
| Missey | Easy | Wireshark | Completed |
| Baseline | Easy | PowerShell, Hunting | Completed |
| [Arson](./Threat-hunter) | Medium | PowerShell, Ps1, Wireshark | Completed |
| [Process](./Threat-hunter) | Basic | Windows, Process | Completed |
| [W4nna-Flag](./Threat-hunter) | Medium | Forensic, Volatility | Completed |
| Masqur4d3 | Medium | Memory | Completed |
| Scanner | Easy | Logs Analysis, Attacker | Completed |
| [New account](./Threat-hunter) | Easy | Completed | Completed |
| [Active Attacks](./Threat-hunter) | Medium | Completed | Completed |
| Brut3 Forc3 | Medium | Completed | Completed |

--------------------------------------------------------------------------------
/Soc-analyst/Backdoor/Readme.md:
--------------------------------------------------------------------------------
### Description
Our server was compromised due to a known vulnerability introduced many years ago. Kindly check and identify this flow:

X: Attack source → e.g. “Internal/External”
Y: The source IP → x.x.x.x
Z: CVE number of the attack → xxx
W: Destination MAC address
Flag format: flag{X:Y:Z:W}

### Solution
First I used capinfos to see information about the file:
```
$ capinfos backdoor.pcap
File name:           backdoor.pcap
File type:           Wireshark/tcpdump/... - pcap
File encapsulation:  Ethernet
File timestamp precision:  microseconds (6)
Packet size limit:   file hdr: 96 bytes
Packet size limit:   inferred: 96 bytes
Number of packets:   739
File size:           71 kB
Data size:           134 kB
Capture duration:    72.785513 seconds
First packet time:   2022-04-26 18:07:31.244931
Last packet time:    2022-04-26 18:08:44.030444
Data byte rate:      1,850 bytes/s
Data bit rate:       14 kbps
Average packet size: 182.21 bytes
Average packet rate: 10 packets/s
SHA256:              91a780295b31dac44d5357bf63bfe2cfddb990f447fd60a9048eb16ec5c7ec15
RIPEMD160:           01a55a5fe78f4db4ae13d90b031b6d5e5c8845fd
SHA1:                6a8a80c755676757b2a77b01f0282c46b4f87f9d
Strict time order:   True
Number of interfaces in file: 1
Interface #0 info:
                     Encapsulation = Ethernet (1 - ether)
                     Capture length = 96
                     Time precision = microseconds (6)
                     Time ticks per second = 1000000
                     Number of stat entries = 0
                     Number of packets = 739

```
I see the number of packets is 739. Now I proceed with tshark: I used it to check whether this pcap has any HTTP requests, but it has none. Then I tried searching for FTP.
```
$ tshark -r backdoor.pcap -Y ftp
Running as user "root" and group "root". This could be dangerous.
  165  10.000115 192.168.1.80 → 192.168.1.58 FTP 86 Response: 220 (vsFTPd 2.3.4)
  167  10.000865 192.168.1.58 → 192.168.1.80 FTP 78 Request: USER zH9:)
  169  10.000901 192.168.1.80 → 192.168.1.58 FTP 100 Response: 331 Please specify the passwor
  171  10.001580 192.168.1.58 → 192.168.1.80 FTP 77 Request: PASS utEt

```
I got only 4 FTP packets. In the first one I see vsFTPd 2.3.4, and that's the vulnerable version that allowed the attacker to compromise the machine.
I searched for it on Google and got CVE-2011-2523.
Also, in these FTP packets you can see the source IP, 192.168.1.58, and the destination IP, 192.168.1.80.
Now if you use Wireshark and filter on FTP, you will find the destination MAC address,
or use this tshark command:

```
$ tshark -r backdoor.pcap -Y ftp -V | less
Frame 165: 86 bytes on wire (688 bits), 86 bytes captured (688 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Apr 26, 2022 18:07:41.245046000 EDT
    [Time shift for this packet: 0.000000000 seconds]
    Epoch Time: 1651010861.245046000 seconds
    [Time delta from previous captured frame: 0.005825000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 10.000115000 seconds]
    Frame Number: 165
    Frame Length: 86 bytes (688 bits)
    Capture Length: 86 bytes (688 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ethertype:ip:tcp:ftp]
Ethernet II, Src: PcsCompu_66:e3:8b (08:00:27:66:e3:8b), Dst: IntelCor_c5:20:65 (4c:1d:96:c5:20:65)

```
You will find the destination MAC address: 08:00:27:66:e3:8b (frame 165 is the server's 220 banner going back to the attacker, so the server's MAC shows up as Src there; seen from the attacker's requests it is the destination).
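A detection pass over tshark `-Y ftp` summary lines like the ones above, as an added example that is not the writeup's code: the four lines are copied from the excerpt, plus one constructed benign login for contrast. It flags a vsFTPd 2.3.4 banner followed by a `USER` value carrying the `:)` trigger that CVE-2011-2523 describes, records source and target, and classifies the source as internal or external by RFC 1918 range, which covers the X, Y and Z parts of the flag.

```python
import ipaddress
import re

# Four lines from the writeup's tshark output plus a constructed benign login
# (frames 300-301) that must not be flagged.
FTP_LINES = [
    "165 10.000115 192.168.1.80 → 192.168.1.58 FTP 86 Response: 220 (vsFTPd 2.3.4)",
    "167 10.000865 192.168.1.58 → 192.168.1.80 FTP 78 Request: USER zH9:)",
    "169 10.000901 192.168.1.80 → 192.168.1.58 FTP 100 Response: 331 Please specify the passwor",
    "171 10.001580 192.168.1.58 → 192.168.1.80 FTP 77 Request: PASS utEt",
    "300 20.000000 192.168.1.77 → 192.168.1.80 FTP 75 Request: USER backup",
    "301 20.000400 192.168.1.77 → 192.168.1.80 FTP 80 Request: PASS [redacted]",
]

LINE_RE = re.compile(
    r"^\s*(?P<frame>\d+)\s+(?P<t>[\d.]+)\s+(?P<src>\S+)\s+→\s+(?P<dst>\S+)\s+FTP\s+\d+\s+"
    r"(?P<kind>Request|Response):\s+(?P<text>.*)$"
)
VULNERABLE_BANNER = "vsFTPd 2.3.4"   # version carrying the CVE-2011-2523 backdoor
TRIGGER = ":)"                        # USER value fragment that activates it


def parse(line):
    """One tshark summary line -> dict of fields, or None if it is not FTP."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def source_kind(ip):
    """'Internal' for RFC 1918 / loopback / link-local sources, else 'External'."""
    return "Internal" if ipaddress.ip_address(ip).is_private else "External"


def detect_vsftpd_backdoor(lines):
    """One finding per client that sent a triggering USER command to a server
    which had just announced the vulnerable banner to that same client."""
    banners = set()     # (server, client) pairs that saw the 2.3.4 banner
    findings = []
    for rec in filter(None, map(parse, lines)):
        if rec["kind"] == "Response" and VULNERABLE_BANNER in rec["text"]:
            banners.add((rec["src"], rec["dst"]))
        elif rec["kind"] == "Request" and rec["text"].startswith("USER "):
            user = rec["text"][5:]
            if TRIGGER in user and (rec["dst"], rec["src"]) in banners:
                findings.append({
                    "frame": int(rec["frame"]),
                    "source_ip": rec["src"],
                    "target_ip": rec["dst"],
                    "source_kind": source_kind(rec["src"]),
                    "cve": "CVE-2011-2523",
                })
    return findings


if __name__ == "__main__":
    for f in detect_vsftpd_backdoor(FTP_LINES):
        print(f)
```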
  • 85 | -------------------------------------------------------------------------------- /Soc-analyst/WormSeen/README.md: -------------------------------------------------------------------------------- 1 | OOur EDR has flagged suspicious traffic from production endpoint, after reviewing the respective process generating the traffic and another alert has been alerted “Worm Detected” in our SIEM 2 | 3 | You decided to escalate the case to IR team to further investigate and answer the below questions 4 | 5 | 6 | 7 | Questions: 8 | 9 | What is the range of worm spreading (x.x.x.x/xx) ? 10 | 11 | Destination target port of the attack (XX)? 12 | 13 | How many hosts might be affected by the worm (XX)? 14 | 15 | 16 | 17 | Flag format: flag{Answer1:Answer2:Answer3}. 18 | 19 | # Solution 20 | i will unzip it 21 | ``` 22 | └─# unzip worm.zip 23 | Archive: worm.zip 24 | skipping: worm.exe unsupported compression method 99 25 | ``` 26 | 27 | Not work i will use 7z 28 | ``` 29 | Enter password (will not be echoed): 30 | 31 | ``` 32 | it's asking me password, i will crack it 33 | cracked 34 | 35 | ``` 36 | ┌──(root㉿kali)-[/home/…/Desktop/Learning/Bluteam/Repeat] 37 | └─# zip2john worm.zip > worm.hash 38 | 39 | ┌──(root㉿kali)-[/home/…/Desktop/Learning/Bluteam/Repeat] 40 | └─# john worm.hash 41 | Using default input encoding: UTF-8 42 | Loaded 1 password hash (ZIP, WinZip [PBKDF2-SHA1 128/128 AVX 4x]) 43 | Cost 1 (HMAC size) is 9191957 for all loaded hashes 44 | Will run 4 OpenMP threads 45 | Proceeding with single, rules:Single 46 | Press 'q' or Ctrl-C to abort, almost any other key for status 47 | Almost done: Processing the remaining buffered candidate passwords, if any. 48 | Proceeding with wordlist:/usr/share/wordlists/rockyou.txt 49 | infected (worm.zip/worm.exe) 50 | 1g 0:00:00:04 DONE 2/3 (2023-09-26 15:13) 0.2252g/s 11516p/s 11516c/s 11516C/s 280690..spongebob9 51 | Use the "--show" option to display all of the cracked passwords reliably 52 | Session completed. 
53 | 54 | ``` 55 | Password : infected 56 | 57 | I got an .exe file, i will analyze it 58 | 59 | i will try to decompile it into a `pyc` file then i will into a `.py` using `pycdc` 60 | To do That i will use this 61 | Link :https://github.com/extremecoders-re/pyinstxtractor 62 | Done: 63 | ``` 64 | └─# python3 pyinstxtractor.py /home/kali/Desktop/Learning/Bluteam/Repeat/worm.exe 65 | [+] Processing /home/kali/Desktop/Learning/Bluteam/Repeat/worm.exe 66 | [+] Pyinstaller version: 2.1+ 67 | [+] Python version: 3.10 68 | [+] Length of package: 9051050 bytes 69 | [+] Found 39 files in CArchive 70 | [+] Beginning extraction...please standby 71 | [+] Possible entry point: pyiboot01_bootstrap.pyc 72 | [+] Possible entry point: pyi_rth_inspect.pyc 73 | [+] Possible entry point: worm.pyc 74 | [!] Warning: This script is running in a different Python version than the one used to build the executable. 75 | [!] Please run this script in Python 3.10 to prevent extraction errors during unmarshalling 76 | [!] Skipping pyz extraction 77 | [+] Successfully extracted pyinstaller archive: /home/kali/Desktop/Learning/Bluteam/Repeat/worm.exe 78 | 79 | ``` 80 | Now i will just use the `pycdc` 81 | `└─# ./pycdc worm.exe_extracted/worm.pyc > worm.py 82 | Unsupported opcode: GEN_START 83 | Unsupported opcode: JUMP_IF_NOT_EXC_MATCH 84 | ` 85 | 86 | Now just open the worm.py 87 | ``` 88 | └─# cat worm.py 89 | # Source Generated with Decompyle++ 90 | # File: worm.pyc (Python 3.10) 91 | 92 | ''' Implementation of simple worm that spreads via SSH connection. 93 | ''' 94 | import logging 95 | import paramiko 96 | import scp 97 | import sys 98 | 99 | class Worm: 100 | ''' This class represents implementation of worm that spreads via SSH 101 | connections. 102 | ''' 103 | 104 | def __init__(self, network_address): 105 | self._network = network_address 106 | 107 | 108 | def network(self): 109 | ''' Network, on which the worm spreads. 
''' 110 | return self._network 111 | 112 | network = property(network) 113 | 114 | def network(self, new_network): 115 | self._network = new_network 116 | 117 | network = network.setter(network) 118 | 119 | def credentials(self): 120 | ''' Possible SSH credentials of the victim. ''' 121 | return (('root', 'root'), ('msfadmin', 'msfadmin')) 122 | 123 | credentials = property(credentials) 124 | 125 | def generate_addresses_on_network(self): 126 | ''' Generate addresses of hosts on the given network. 127 | For simplicity is expected the following mask: 128 | 255.255.255.0 129 | ''' 130 | pass 131 | # WARNING: Decompyle incomplete 132 | 133 | 134 | def spread_via_ssh(self): 135 | ''' Spread the worm on the network via SSH connections. 136 | To establish SSH connection try selected user-password 137 | combinations. When the connection is established, copy 138 | the worm to the remote host. 139 | ''' 140 | ssh = paramiko.SSHClient() 141 | ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy()) 142 | # WARNING: Decompyle incomplete 143 | 144 | 145 | if __name__ == '__main__': 146 | worm = Worm('192.168.1.0') 147 | worm.spread_via_ssh() 148 | return None 149 | ``` 150 | 151 | 152 | 153 | flag : flag{192.168.1.0/24:22:85} 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | 169 | 170 | 171 | 172 | 173 | 174 | 175 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # CyberTalents Blue Team Scholarship Writeups 2 | 3 | Hey there! During my three-month learning journey, I'll be diving into the exciting world of cybersecurity with CyberTalents. I'll be taking two advanced courses on their platform, where I'll gain hands-on experience and learn from some of the best instructors in the field. 
The first course is called "CyberTalents Certified SOC Analyst," where I'll be honing my skills in handling security incidents and managing a Security Operations Center (SOC). It's all about detecting and responding to cyber threats effectively.

The second course, "CyberTalents Certified Threat Hunter," sounds even more thrilling! I'll be learning the art of proactively hunting for cyber threats, seeking out those sneaky adversaries before they can cause any harm.

I can't wait to explore these courses, take on challenges, and share my progress with you all. Join me on this cybersecurity adventure, and together, we'll become skilled defenders of the digital world! Let's go! 🚀💻🔒

Follow me on my Hacking Journey blog here: https://blackcybersec.xyz


## Certified SOC Analyst

| Challenges | Difficulty | Tags | Completed |
|:-------------:|:----------:|:------------------------------------------:|:---------:|
| [CVE-Number](./Soc-analyst/CVE-Number/Readme.md) | Basic | EternalBlue, Searchsploit | Completed |
| [Backdoor](./Soc-analyst/Backdoor/Readme.md) | Medium | Tshark, Wireshark, vsFTPD | Completed |
| [Bean Detector](./Soc-analyst/Bean-Detector/Readme.md) | Medium | Log analysis, Forensic, Web | Completed |
| Bean | Easy | LFI, Web | Completed |
| 55H-Access | Easy | Splunk, Forensic, SSH | Completed |
| [Competition](./Soc-analyst/Competition/Readme.md) | Basic | CTF, Hacking, Google | Completed |
| [Creepy-DNS](./Soc-analyst/Creepy-DNS/README.md) | Easy | DNS, DNS Zone Transfer, Google | Completed |
| FourOFour | Easy | Splunk, Logs, IIS Server, Microsoft | Completed |
| MEGO | Medium | Forensic, Volatility, Disc | Completed |
| Pass-Reset | Easy | File Misconfiguration, Web | Completed |
| Phisher | Medium | Forensic, Disc, Volatility | Completed |
| [Remote Hacker](./Soc-analyst/Remote-Hacker/Readme.md) | Medium | Forensic, Log Analysis, Windows logs | Completed |
| [SIEM Port](./Soc-analyst/SIEM-Port/Readme.md) | Basic | SIEM, TLS | Completed |
| [Smart-Role](./Soc-analyst/Smart-Role/Readme.md) | Basic | SOC, CTI, Analyst | Completed |
| USB-Case | Easy | Splunk, USB Device | Completed |
| [WormSeen](./Soc-analyst/WormSeen/README.md) | Medium | Exe Analysis, Forensic, Python | Completed |


## Certified Threat Hunter

| Challenges | Difficulty | Tags | Completed |
|:-------------:|:----------:|:------------------------------------------:|:---------:|
| [APT](./Threat-hunter) | Easy | Hacking groups, OSINT | Completed |
| [Kill Chain](./Threat-hunter) | Basic | MITRE ATT&CK | Completed |
| [CTI Analyst](./Threat-hunter) | Easy | Malware hash | Completed |
| [Yara Magic](./Threat-hunter/YaraMagic.md) | Easy | YARA, rules, Basic | Completed |
| [Within Code](./Threat-hunter/WithIncode.md) | Medium | YARA, rules, conditions, strings | Completed |
| [Falcon Hunt](./Threat-hunter) | Medium | Hunting | Completed |
| Enc0de | Easy | ARP, network analysis | Completed |
| Refresher | Medium | Wireshark hunting | Completed |
| Ex0dus | Medium | Forensic, Wireshark, ICMP | Completed |
| Missey | Easy | Wireshark | Completed |
| Baseline | Easy | PowerShell, Hunting | Completed |
| [Arson](./Threat-hunter) | Medium | PowerShell, Ps1, Wireshark | Completed |
| [Process](./Threat-hunter) | Basic | Windows, Process | Completed |
| [W4nna-Flag](./Threat-hunter) | Medium | Forensic, Volatility | Completed |
| Masqur4d3 | Medium | Memory | Completed |
| Scanner | Easy | Log Analysis, Attacker | Completed |
| [New account](./Threat-hunter) | Easy | Windows logs, Event ID 4720 | Completed |
| [Active Attacks](./Threat-hunter) | Medium | | Completed |
| Brut3 Forc3 | Medium | | Completed |
-------------------------------------------------------------------------------- /AllInOne/README.md: --------------------------------------------------------------------------------
- Enc0de challenge:
First I ran `capinfos ARP+Storm.pcap`:
Number of packets: 68
I used tshark:
```
tshark -r chall.pcap -Y arp
```
and also
```
tshark -r ARP+Storm.pcap -Y "arp.dst.proto_ipv4 == 11.0.0.100"
```
Then I added field extraction of the ARP opcode:
```
tshark -r ARP+Storm.pcap -Y "arp.dst.proto_ipv4 == 11.0.0.100" -T fields -e arp.opcode -E separator=, > encode.txt
```
Put it all on one line, separated by spaces:
```
sed ':a;N;$!ba;s/\n/ /g' encode.txt > enc0de.txt
```

I got these numbers and put them on one line:
90 109 120 104 90 51 116 110 99 107 66 48 100 87 108 48 77 72 86 122 88 122 66 119 89 48 57 107 90 86 56 120 99 49 57 66 98 72 100 65 101 88 78 102 81 84 90 49 85 50 86 107 88 51 81 119 88 51 65 119 77 88 77 119 98 110 48 61
Decoding them from decimal (each number is an ASCII character) I got:
ZmxhZ3tnckB0dWl0MHVzXzBwY09kZV8xc19BbHdAeXNfQTZ1U2VkX3QwX3AwMXMwbn0=
Base64-decoding that in the terminal gave the flag.
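As an added example (not part of the writeup), the whole decode chain above in one script, plus the check a defender would actually alert on: ARP opcodes outside the IANA-assigned range. The opcode list is the one extracted above; nothing else is assumed.

```python
import base64
from collections import Counter

# Opcode values produced by the page's tshark command (-T fields -e arp.opcode)
# after sed joined them onto one line. Copied from the page, not constructed.
OPCODE_FIELD_OUTPUT = (
    "90 109 120 104 90 51 116 110 99 107 66 48 100 87 108 48 77 72 86 122 88 122 "
    "66 119 89 48 57 107 90 86 56 120 99 49 57 66 98 72 100 65 101 88 78 102 81 84 "
    "90 49 85 50 86 107 88 51 81 119 88 51 65 119 77 88 77 119 98 110 48 61"
)

# IANA-assigned ARP operation codes (1 request, 2 reply, 3/4 RARP, 5-7 DRARP,
# 8/9 InARP, 10 ARP-NAK). Any other value in arp.opcode is not a real ARP
# operation and is the tell-tale of the field being abused as a covert channel.
VALID_ARP_OPCODES = set(range(1, 11))


def parse_opcodes(field_output: str) -> list:
    """Parse tshark -T fields output; one value per line or space separated."""
    return [int(tok) for tok in field_output.split()]


def anomalous_opcodes(opcodes) -> Counter:
    """Count each opcode value that is not a legitimate ARP operation.

    A non-empty result is the detection signal; the counts show how many
    frames carried each bogus value.
    """
    return Counter(op for op in opcodes if op not in VALID_ARP_OPCODES)


def decode_opcode_channel(opcodes) -> str:
    """Reverse the encoding the writeup found: each opcode is one ASCII byte
    of a base64 string, and the base64 string holds the message."""
    carrier = bytes(opcodes)            # raises ValueError if a value is > 255
    if not all(32 <= b < 127 for b in carrier):
        raise ValueError("opcode stream is not printable text")
    return base64.b64decode(carrier, validate=True).decode("utf-8")


if __name__ == "__main__":
    ops = parse_opcodes(OPCODE_FIELD_OUTPUT)
    bogus = anomalous_opcodes(ops)
    print(f"{len(ops)} ARP frames, {sum(bogus.values())} with non-ARP opcodes")
    print("decoded channel:", decode_opcode_channel(ops))
```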

- Refresher challenge:
I found many images, then extracted them using Wireshark.
I took the first character of every image returned with HTTP 200 by writing a script named seded.py, and got:
iamsupersecretpasswordgood4uthefinding

Now look at the FTP traffic in Wireshark: there is a zip file; export it as raw bytes,
then extract it using `7z x`.
flag : flag{y0u_c0m3_f0r_fl1g_1nd_h3r3_1t_1s_2000}

- Worm challenge:
Crack the zip and find the .exe.
I used pyinstxtractor to extract the worm file and found worm.pyc, an interesting file.
I think I need to convert that .pyc to .py.
Found: https://acrosby.bitbucket.io/2018/06/28/pycdc/
Decompile it:
```
└─# ./pycdc /home/kali/Desktop/Learning/Bluteam/worm.exe_extracted/worm.pyc
```

flag : flag{192.168.1.0/24:22:85}

- Splunk:
Learning Splunk.
Splunk can be used as a single instance or as a distributed deployment. The latter would be a typical scenario for security usage in organizations, where data needs to be collected from multiple assets and sent to a centralized solution.
SOC analysts need to make correlations and search the data, typically at different times and from different physical locations.

Search Processing Language (SPL) is a language designed by Splunk for use with Splunk software. It encompasses all the search commands and their functions, arguments, and clauses.
Resources: https://tryhackme.com/room/splunkexploringspl
Introduction to SIEM: https://tryhackme.com/room/introtosiem

SIEM stands for Security Information and Event Management system. It is a tool that collects data from various endpoints/network devices across the network, stores it in a centralized place, and performs correlation on it. This room covers the basic concepts required to understand SIEM and how it works.
1) Host-Centric Log Sources

These are log sources that capture events that occurred within or related to the host. Some log sources that generate host-centric logs are Windows Event logs, Sysmon, Osquery, etc. Some examples of host-centric logs are:

- A user accessing a file
- A user attempting to authenticate
- A process execution activity
- A process adding/editing/deleting a registry key or value
- PowerShell execution

SOC Analyst Responsibilities

SOC analysts utilize SIEM solutions in order to have better visibility of what is happening within the network. Some of their responsibilities include:

- Monitoring and investigating
- Identifying false positives
- Tuning rules which are causing noise or false positives
- Reporting and compliance
- Identifying blind spots in network visibility and covering them


- 55H-Access:
We observed huge traffic towards our SSH server.
X: How many source IPs are attempting to connect → Number
Y: The source IP with the most connections → x.x.x.x
Z: The country of the source IP with the most connections → xxxxxxx
W: The firewall action taken by the security control → xxxxxxx
Flag format: flag{X:Y:Z:W}

Search for the ssh service in the search filter, over all time.
Then the answer is:
X = src_ip = 19
Y = src_ip, top 10: 91.224.160.108
Z = Finland, by googling the IP: https://iplocation.co.uk/ip-address/91.224.160.108
W = blocked: found in the action field

flag{19:91.224.160.108:finland:blocked}

- FourOFour:
Massive web brute-force attack observed on our IIS server. Your lead has informed you to initiate an investigation to identify the following:
X: The highest number of non-existent URL requests sent by the attacker → Number
Y: The Source IP → x.x.x.x
Z: The attacker source country → xxx

First: IIS server, all time:
```
c_ip="40.80.148.42" sc_status="404"
```
X: 2009
Y = 40.80.148.42
Z = usa

flag{1315:40.80.148.42:usa} did not work; I think it is not correct.


- USB Case:
First I checked the provided link: https://lantern.splunk.com/Security/Use_Cases
I searched for usb and found: "Removable devices connected to a machine".

Search query (all time): sourcetype=winregistry friendlyname

Expand the result and look at the registry_value_data field.
X: Date and time when the USB was plugged into the device (YYYY-MM-DD:HH:MM:SS)
Y: The machine name
Z: Name of the USB device
flag{2016-08-24:10:42:17:we8105desk:MIRANDA_PRI}


- Challenge: Remote Hacker
Description:

Our SOC L1 reported that she received an alert of a suspicious login detected for company user "Kvasir" on 13/06/2022.
Please check and return in your analysis:

X: Session duration spent by the attacker on the system (HH:MM:SS)

Y: The application used by the user after login (xxxx.exe)

Z: The SHA256 of this application
W: Attacker IP address
A: Attacker machine host name

Convert the logs to XML:
```
evtxtract Microsoft-Windows-Sysmon_4Operational.evtx > Microsoft-Windows-Sysmon_4Operational.xml
INFO:root:recovered 20044 complete records
INFO:root:recovered 0 incomplete records

evtxtract Security.evtx > Security.xml
INFO:root:recovered 6178 complete records
INFO:root:recovered 0 incomplete records
```

CTRL+F and find 2022-06-13. Notes from the records:
```
DESKTOP-9BBI1VE
04:51:36s and 4:51:28. for kvasir
SearchIndexer.exe
autochk.exe
smss.exe
00:02:40
3

192.168.1.58
```

The Sysmon process-creation record (Event ID 1) for the application the user ran:
```
technique_id=T1204,technique_name=User Execution
2022-06-13 05:03:21.855
{9beb5cef-c519-62a6-1301-000000000b00}
5172
C:\Windows\System32\win32calc.exe
10.0.17763.1 (WinBuild.160101.0800)
Windows Calculator
Microsoft® Windows® Operating System
Microsoft Corporation
WIN32CALC.EXE
"C:\Windows\system32\win32calc.exe"
C:\Windows\system32\
DESKTOP-9BBI1VE\kvasir
{9beb5cef-c2f9-62a6-0c6e-040000000000}
0x0000000000046e0c
1
High
SHA1=EC73FCAB989C8D525FE3BBCC3736BC3E6192A112,MD5=46CDCA3D2EB9B837EC3C4CDA60D0D0D9,SHA256=3E2300394C15B59A964EAB45D9EB96D317650E2F7448FD1B4AE825A134402B7A,IMPHASH=BDE48881DABC2774907583E3DE072A63
{9beb5cef-c2fb-62a6-3b00-000000000b00}
```

Candidate flags:
flag{05:03:21:win32calc.exe:3E2300394C15B59A964EAB45D9EB96D317650E2F7448FD1B4AE825A134402B7A:192.168.1.58:Nitro}
flag{00:02:40:win32calc.exe:3E2300394C15B59A964EAB45D9EB96D317650E2F7448FD1B4AE825A134402B7A:192.168.1.58:Nitro}


- Yara Magic and Within Code challenges:
YARA is the name of a tool primarily used in malware research and detection. It provides a rule-based approach to creating descriptions of malware families based on textual or binary patterns.
YARA use cases:

1. Identify malware samples.

2. Detect malware infections.

3. Perform incident response and threat hunting activities.

- For the first YARA challenge:
https://support.knowbe4.com/hc/en-us/articles/360013116053-How-to-Write-YARA-Rules
I ran ls:
```
root@nenandjabhata:/home/files/Yara Magic# ls
Folder rule2.yara rule.yara
```
I found a YARA rule.
Now I execute it:
```
root@nenandjabhata:/home/files/Yara Magic# yara -f rule.yara Folder/
MySuperCoolRule Folder//12776
```

- Within Code challenge:
I wrote a rule. "Flag" in base64 is RmxhZw==, and that base64 string in hex is 526d78685a773d3d.
```
root@nenandjabhata:/home/files# cat rule.yara
rule Finder
{
    strings:

        $encode = "RmxhZw=="
        $hex = "526d78685a773d3d"

    condition:
        $encode or $hex
}
root@nenandjabhata:/home/files#
```
When I execute it I find:
```
root@nenandjabhata:/home/files# yara -f rule.yara Code
Finder Code/6645
```
We're going to use the -s option, which gives the offset of the matched string in the file (for more explanation of the YARA options use `yara --help`):
```
root@nenandjabhata:/home/files# yara -s -f rule.yara Code
Finder Code/6645
0x2460:$encode: RmxhZw==
```
We now need to convert the offset 0x2460 to decimal, which gives 9312 as the flag.

- PowerShell Hunting:
1. What is PowerShell?
2. PowerShell hunting commands
3. Baselines
4. Hunting web shells
5. PowerShell hunting tools
6. Hunting Windows processes

Compare: comparing baselines
```
$baseline = Get-Content .\baseline-services.txt
$current = Get-Content .\current-services.txt
Compare-Object $baseline $current
```

- Arson:
A pcap file. I opened it in Wireshark and followed the TCP stream of an HTTP request.
I found a PowerShell script in hots.ps1 and saved it. It contains:
```
$key = "llm0xB8WOfv9Ssq9+f0sIMFK6OyQHOzhdenMzRInqXA="
$ip = "192.168.1.11"
$port = "7788"
$implant_name = "razer"
$sleep_time = 5
```
I think it is an AES cipher, and I found its key.
I continued in the response to that request and found this:
result=irbYP4XxfwuTlCbMxv4CE9KdquYNczFCMziT5VTG6aS%2B%2BMDZiChw3YJbtbrvt4FKO2WmdKwVBqjdX4xDguV7slrxsNNLqVbSOCceAURzkhNDvaMOIg8a0tPx3G7U%2BPUH
This is URL-encoded; decoding it gives: irbYP4XxfwuTlCbMxv4CE9KdquYNczFCMziT5VTG6aS++MDZiChw3YJbtbrvt4FKO2WmdKwVBqjdX4xDguV7slrxsNNLqVbSOCceAURzkhNDvaMOIg8a0tPx3G7U+PUH
That did not work with our PowerShell script.
I removed all the functions from the script; I only need the decryption function.
I found this last request, which has razer in its POST body: IN3DZMA9y5D0q5y4Pe3Uv%2FVE3mA4EZY55XHJJIdLc29WAK73bE2DzB7ae%2Fmpy4CW
URL-decoded: IN3DZMA9y5D0q5y4Pe3Uv/VE3mA4EZY55XHJJIdLc29WAK73bE2DzB7ae/mpy4CW
When I executed the PowerShell script I found:
flag{2C_p0w3r_Chi11}

- Wireshark: Ex0dus challenge
Using the http filter I get the key: GET /?KEY=STAR
Now I filter icmp and get the data values;
from hex, I XOR these values using CyberChef with the key STAR,
and then base64-decode the result and find a zip file.

What will you learn?
1- What is Security Onion
2- Security Onion Use Cases
3- Security Onion Platform
4- Security Onion Workflows
5- Deploying Security Onion
6- Security Onion Console
7- Security Onion Network Visibility
8- Security Onion Host Visibility
What is Security Onion?

Security Onion is a free and open platform for threat hunting, enterprise security monitoring, and log management. It includes our own tools for Alerts, Dashboards, Hunt, PCAP, and Cases as well as other tools such as Playbook, FleetDM, osquery, CyberChef, Elasticsearch, Logstash, Kibana, Suricata, Zeek, and Wazuh.
Security Onion Platform
Analysis Tools

- SOC
- Kibana
- CyberChef

Network and Host Tools
- Wazuh
- Suricata
- Zeek

Infrastructure
- Docker
- Redis
- Salt

Operating System
- Ubuntu
- CentOS

Filebeat – Used to collect log files and send them to Logstash.
Logstash – Used to aggregate logs.
Redis – In-memory storage used as the queue for Logstash, for fast retrieval.
Elasticsearch – Indexing and storage of logs.
Curator – For managing Elasticsearch indexing.
Security Onion Host Visibility

Host logs can be sent to Security Onion through:

- Wazuh EDR
- Syslog
- Osquery
- Beats
- Sysmon

What will you learn?
1. Windows processes
2. Famous Windows processes
3. Hunting tips

Windows is the operating system most targeted by attackers, and many kinds of processes run on it, both operating system processes and application processes; as a threat hunter you need to know the Windows processes to be able to spot abnormal behavior.
smss.exe

Responsible for starting user sessions. This process is started by the main system thread and is responsible for various activities such as starting the Winlogon and Win32 (csrss.exe) processes and setting system variables.

Image Path: %SystemRoot%\System32\smss.exe
Parent Process: System
Session 0 starts csrss.exe and wininit.exe, and session 1 starts csrss.exe for the user and winlogon.exe.
Mandiant Redline

Mandiant Redline is a free tool that provides host investigative capabilities to users and uncovers signs of malicious activity through memory and file analysis to develop a threat assessment profile.

Hunting Tips:

The process most targeted by malware authors is svchost.exe, because it has multiple instances, so malware running as svchost.exe can easily go undetected.
Malware authors tend to use names similar to Windows processes, misspelled, such as:

- 1sass.exe

- svchot.exe

- cssrss.exe

Always check the image path of a process that you suspect.
Some malware authors use process injection techniques to inject their code into legitimate processes; you can detect process injection by checking the memory of the processes for any READ_WRITE_EXECUTE sections.
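An added example, not from the course notes: the hunting tips above (look-alike names, image path, expected parent) applied to a constructed process snapshot. The expected paths and parents are the ones the notes state for smss/csrss/wininit/winlogon plus the standard services/lsass/svchost chain; the sample processes, PIDs and the Proc class are invented.

```python
from dataclasses import dataclass

# Expected image path and allowed parent(s) for core Windows boot processes,
# %SystemRoot% resolved to C:\Windows and compared case-insensitively.
EXPECTED = {
    "smss.exe":     (r"c:\windows\system32\smss.exe",     {"system"}),
    "csrss.exe":    (r"c:\windows\system32\csrss.exe",    {"smss.exe"}),
    "wininit.exe":  (r"c:\windows\system32\wininit.exe",  {"smss.exe"}),
    "winlogon.exe": (r"c:\windows\system32\winlogon.exe", {"smss.exe"}),
    "services.exe": (r"c:\windows\system32\services.exe", {"wininit.exe"}),
    "lsass.exe":    (r"c:\windows\system32\lsass.exe",    {"wininit.exe"}),
    "svchost.exe":  (r"c:\windows\system32\svchost.exe",  {"services.exe"}),
}


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    path: str


# Constructed sample snapshot in the shape of a pslist / Get-Process export.
SAMPLE = [
    Proc(4, 0, "System", ""),
    Proc(368, 4, "smss.exe", r"C:\Windows\System32\smss.exe"),
    Proc(480, 368, "csrss.exe", r"C:\Windows\System32\csrss.exe"),
    Proc(552, 368, "wininit.exe", r"C:\Windows\System32\wininit.exe"),
    Proc(640, 552, "services.exe", r"C:\Windows\System32\services.exe"),
    Proc(648, 552, "lsass.exe", r"C:\Windows\System32\lsass.exe"),
    Proc(812, 640, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    Proc(2210, 640, "svchost.exe", r"C:\Users\Public\svchost.exe"),  # wrong image path
    Proc(2300, 2210, "1sass.exe", r"C:\Users\Public\1sass.exe"),     # digit-for-letter look-alike
    Proc(2400, 812, "svchot.exe", r"C:\Windows\Temp\svchot.exe"),    # one letter dropped
    Proc(2500, 2300, "cssrss.exe", r"C:\Windows\Temp\cssrss.exe"),   # one letter doubled
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a single insert/delete/substitute is the typical typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def imitated_process(name: str):
    """Return the legitimate process name that `name` imitates, or None."""
    n = name.lower()
    if n in EXPECTED:
        return None
    normalised = n.replace("1", "l").replace("0", "o")   # 1sass -> lsass, svch0st -> svchost
    for legit in EXPECTED:
        if normalised == legit or edit_distance(normalised, legit) == 1:
            return legit
    return None


def hunt(procs):
    """Apply the three checks from the notes: look-alike name, image path, parent."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        legit = imitated_process(p.name)
        if legit:
            findings.append((p.pid, f"{p.name} imitates {legit}"))
            continue
        if p.name.lower() in EXPECTED:
            path, parents = EXPECTED[p.name.lower()]
            if p.path.lower() != path:
                findings.append((p.pid, f"{p.name} runs from {p.path}"))
            parent = by_pid.get(p.ppid)
            parent_name = parent.name.lower() if parent else "<none>"
            if parent_name not in parents:
                findings.append((p.pid, f"{p.name} has unexpected parent {parent_name}"))
    return findings
```

Running `hunt(SAMPLE)` flags PIDs 2210, 2300, 2400 and 2500 and nothing from the legitimate boot chain.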

- W4nna Fl4g challenge:
I used Volatility.
Scan: pslist


Hunting Windows Events
Hunting Windows Event IDs
Hunting Accounts:

- 4720: Account created
- 4722: Account enabled
- 4724: Password reset
- 4728: User added to global group
- 4756: User added to universal group

Logon Types

| Type | Meaning |
|:----:|:--------|
| 2 | Physical login to the computer |
| 3 | A login from the network |
| 4 | Used by batch servers |
| 5 | A service started by the SCM |
| 7 | The workstation was unlocked |
| 8 | Network credentials were sent in cleartext |
| 9 | A caller specified new credentials |
| 10 | A user logged in using Terminal Services or RDP |
| 11 | A user logged in using stored network credentials |


Hunting Password Attacks

- 4625: Failed login.
- Logon Type 3: Network login.

Hunting Scheduled Tasks and Services

- 4698: A scheduled task was created.
- 200, 201: Task monitoring and control.
- 4697: A service was installed in the system.

Hunting RDP Sessions:

- 4624: An account was successfully logged on.
- 4778: A session was reconnected to a Window Station.

- Scanner challenge:
Our web server at 192.168.250.20 is being scanned by a famous vulnerability scanner; can you investigate the logs and tell us:

X: The vulnerability scanner name
Y: The Source IP → x.x.x.x

Flag format: flag{X:Y}

Credentials: cybertalents/cybertalents

I used this in Splunk:
```
192.168.250.20
| stats count by http_user_agent
```
Found: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0) 961, and Nessus 36; I know Nessus is a vulnerability scanner.
I looked at the src_ip field and found 192.168.2.50 and 192.168.250.20.
flag{Nessus:192.168.2.50} and it's correct.

- New account:
An attacker, after compromising the machine, added a new account as admin. Can you find the name of the new account?
Flag format: flag{md5 of string}

Using evtxtract to extract it to XML:
```
└─# python3 /root/environment/myenv/bin/evtxtract Security436509324654726509.evtx > security.xml
```

Now for hunting accounts we need the account event IDs:

- 4720: Account created
- 4722: Account enabled
- 4724: Password reset
- 4728: User added to global group
- 4756: User added to universal group

So we found a 4720 event, and the name Sam.
We need the MD5 of this name; I used an md5 hash generator.
flag{ba0e0cde1bf72c28d435c89a66afc61a}
--------------------------------------------------------------------------------
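An added example, not from the writeups, covering both the Remote Hacker and New account hunts: parse the XML that evtxtract produced, pull the Sysmon process-creation record for the user together with its SHA256, and list Event ID 4720 account creations. The sample XML is constructed in the standard Windows Event schema; the Sysmon values are the ones noted in Remote Hacker, and the 4720 record is invented apart from the account name Sam.

```python
import hashlib
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample in the Windows Event XML schema. The Sysmon record reuses
# values from the Remote Hacker notes; the 4720 record is invented (the page
# only says the created account was named Sam).
SAMPLE_XML = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID>
    <TimeCreated SystemTime="2022-06-13T05:03:21.855Z"/>
    <Computer>DESKTOP-9BBI1VE</Computer></System>
  <EventData>
    <Data Name="UtcTime">2022-06-13 05:03:21.855</Data>
    <Data Name="Image">C:\Windows\System32\win32calc.exe</Data>
    <Data Name="User">DESKTOP-9BBI1VE\kvasir</Data>
    <Data Name="Hashes">SHA1=EC73FCAB989C8D525FE3BBCC3736BC3E6192A112,MD5=46CDCA3D2EB9B837EC3C4CDA60D0D0D9,SHA256=3E2300394C15B59A964EAB45D9EB96D317650E2F7448FD1B4AE825A134402B7A,IMPHASH=BDE48881DABC2774907583E3DE072A63</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4720</EventID>
    <TimeCreated SystemTime="2022-06-13T05:10:02.000Z"/>
    <Computer>DESKTOP-9BBI1VE</Computer></System>
  <EventData>
    <Data Name="TargetUserName">Sam</Data>
    <Data Name="SubjectUserName">kvasir</Data>
  </EventData>
</Event>
</Events>"""


def iter_events(xml_text):
    """Yield (event_id, provider, fields) for every <Event> in the document."""
    for ev in ET.fromstring(xml_text).iter("{%s}Event" % NS["e"]):
        system = ev.find("e:System", NS)
        fields = {d.get("Name"): (d.text or "").strip()
                  for d in ev.findall("e:EventData/e:Data", NS)}
        fields["Computer"] = system.findtext("e:Computer", namespaces=NS)
        fields["SystemTime"] = system.find("e:TimeCreated", NS).get("SystemTime")
        provider = system.find("e:Provider", NS).get("Name")
        yield int(system.findtext("e:EventID", namespaces=NS)), provider, fields


def parse_hashes(hashes_field):
    """Sysmon's Hashes field is 'ALG=hex,ALG=hex,...'; return it as a dict."""
    return dict(part.split("=", 1) for part in hashes_field.split(",") if "=" in part)


def process_creations(xml_text, user):
    """Sysmon Event ID 1 records whose User field names the given account."""
    hits = []
    for eid, provider, f in iter_events(xml_text):
        if eid != 1 or provider != "Microsoft-Windows-Sysmon":
            continue
        if not f.get("User", "").lower().endswith("\\" + user.lower()):
            continue
        hits.append({"time": f["UtcTime"],
                     "image": f["Image"].rsplit("\\", 1)[-1],
                     "sha256": parse_hashes(f.get("Hashes", "")).get("SHA256")})
    return hits


def new_accounts(xml_text):
    """Security Event ID 4720: (creator, new account, host) for each creation."""
    return [(f["SubjectUserName"], f["TargetUserName"], f["Computer"])
            for eid, provider, f in iter_events(xml_text)
            if eid == 4720 and provider == "Microsoft-Windows-Security-Auditing"]


def flag_hash(account_name):
    """The New account challenge wants flag{md5 of the account name}."""
    return hashlib.md5(account_name.encode()).hexdigest()
```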