├── CyberChef
├── README.md
├── Misc_keyboard_shortcuts.md
├── Linux.md
├── SecurityOnion.md
├── DetectionLab.md
├── Malware_analysis.md
└── PowerShell.md

/CyberChef:
--------------------------------------------------------------------------------
Magic - Recipe is quite interesting
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# Cheat Sheet / Quick reference
These are some of the commands which I use frequently during Malware Analysis and DFIR.

[PowerShell Cheat Sheet for Blue Team](./PowerShell.md)
--------------------------------------------------------------------------------

/Misc_keyboard_shortcuts.md:
--------------------------------------------------------------------------------
To view the strings of a file, pipe the output of strings into less:

strings filename | less
Press spacebar to go forward one page and b to go backward.

Works fine in Mac/Linux
Ctrl + a - Move to start of a line
Ctrl + e - Move to end of line
Ctrl + l - Clear screen
Ctrl + u - Clear current line

### Youtube shortcut:
https://support.google.com/youtube/answer/7631406?hl=en

">" Speed up the video playback rate.
"<" Slow down the video playback rate.
f Activate full screen
--------------------------------------------------------------------------------

/Linux.md:
--------------------------------------------------------------------------------
To find files with locate, run updatedb first, then locate.

To check whether VMware kernel modules are loaded (i.e. VMware is installed) on Ubuntu
`lsmod | grep vmw`

Check OS name & version
```
hostnamectl
cat /etc/os-release
```

How to Configure BIND9 DNS Server on Ubuntu 20.04
https://serverspace.io/support/help/configure-bind9-dns-server-on-ubuntu/

Extract a tar.gz file
`tar -xvf archive.tar.gz`

## Networking

For wireless interfaces `iwconfig`
For active connections `netstat -ano`

For IP addresses
`ip a`

For the ARP table
`ip n`

For routes
`ip r`

To strip the ":" characters from the output of `cat abcd`, pipe it through:
`tr -d ":"`
--------------------------------------------------------------------------------

/SecurityOnion.md:
--------------------------------------------------------------------------------
Setup

sudo so-status - to view whether all services are running or not

Check which IPs are allowed to access SO
sudo so-allow-view

To change IP

To view the IP for the different interfaces and apps. Found this cmd in this discussion https://github.com/Security-Onion-Solutions/securityonion/discussions/2382
sudo salt-call pillar.get global
sudo salt-call grains.get ip_interfaces

First reconfigure the required NIC using "change network settings"
sudo SecurityOnion/setup/so-setup iso

Then use the below to update the IP address of the management interface.
https://docs.securityonion.net/en/2.3/ip.html
so-ip-update

Sysmon

https://github.com/Security-Onion-Solutions/securityonion/discussions/3742
--------------------------------------------------------------------------------

/DetectionLab.md:
--------------------------------------------------------------------------------
Rough notes:

Install Suricata
https://suricata.readthedocs.io/en/latest/quickstart.html
Replace eth0 with your interface; I did it in around 3 places.

sudo systemctl restart suricata
sudo systemctl enable suricata

To test a signature
wget http://testmynids.org/uid/index.html

To work as a gateway, net.ipv4.ip_forward = 1 needs to be enabled so that packets are forwarded
https://www.systutorials.com/setting-up-gateway-using-iptables-and-route-on-linux/

### Configure Ubuntu Machine to capture traffic from other machines on the network
This [guide](https://monoinfinito.wordpress.com/series/setting-up-a-linux-gatewayrouter-a-guide-for-non-network-admins/) is quite good and gives a good overview of the steps.

ens33 - WAN interface
ens38 - LAN interface

1. In order to have the forwarding rules persist after a reboot, we first need to change /etc/sysctl.conf to allow IP forwarding. It's just a matter of uncommenting this line:
`net.ipv4.ip_forward = 1`

2. Set up iptables, more [info](https://help.ubuntu.com/community/IptablesHowTo)
- `sudo iptables --table nat --append POSTROUTING --out-interface ens33 -j MASQUERADE`
- `sudo iptables --append FORWARD --in-interface ens38 -j ACCEPT`
- Save the iptables rules using `iptables-save`
- Persist the iptables rules using any method mentioned [here](https://www.thomas-krenn.com/en/wiki/Saving_Iptables_Firewall_Rules_Permanently), e.g. iptables-persistent

3. Configure [bind](https://serverspace.io/support/help/configure-bind9-dns-server-on-ubuntu/) server on the Linux gateway
--------------------------------------------------------------------------------

/Malware_analysis.md:
--------------------------------------------------------------------------------
### How to?

### How to check if the file is truncated or not?
Using CFF Explorer, check the File Size and PE Size values. If the file size is less than the PE size then the file is possibly truncated.
Check this Flare-On 7 challenge 2 solution for more details: [challenge 2](https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/flareon7-challenge2-solution.pdf)

### Extract domain names from a pcap using tshark
- HTTPS `tshark -r traffic_example.pcapng -Y "ssl.handshake.type == 1" -T fields -e tls.handshake.extensions_server_name | sort | uniq`
- HTTP `tshark -r traffic_example.pcapng -Y "http.request and !(ssdp)" -T fields -e http.host | sort | uniq`
- Both `tshark -r traffic_example.pcapng -Y "(ssl.handshake.type == 1 or http.request) and !(ssdp)" -T fields -e tls.handshake.extensions_server_name -e http.host | sort | uniq -c`

### Use hashdb to identify the algorithm

Can use the plugin too
https://github.com/OALabs/hashdb-ghidra

Src:
https://research.openanalysis.net/emulation/dumpulator/cobaltstrike/config/2022/06/09/cobaltstrike.html

```python
import requests

HASHDB_HUNT_URL = 'https://hashdb.openanalysis.net/hunt'
HASHDB_HASH_URL = 'https://hashdb.openanalysis.net/hash'

api_hash = 572265531
hunt_request = {"hashes": [api_hash]}

# Ask hashdb which of its known algorithms produce this hash value
r = requests.post(HASHDB_HUNT_URL, json=hunt_request)
print(r.json())
```

{'hits': [{'algorithm': 'add1501_shl5', 'count': 1, 'hitrate': 1.0}]}

```python
# Resolve the hash to a string using the algorithm reported by the hunt
r = requests.get(HASHDB_HASH_URL + '/add1501_shl5/' + str(api_hash))
print(r.json())
```
{'hashes': [{'hash': 572265531, 'string': {'string': 'ZwAllocateVirtualMemory', 'is_api': True, 'permutation': 'api', 'api': 'ZwAllocateVirtualMemory', 'modules': ['ntdll']}}]}

### Plugin for x64dbg hide
Can use the basic profile if needed
https://github.com/x64dbg/ScyllaHide

## .NET file analysis tips
- https://github.com/Fody/Costura Used for embedding dependencies in .NET
- https://www.linqpad.net/ Use this for running/debugging .NET code, lightweight

### Confuser Obfuscation
- Use de4dot
- To remove type scramble protection use this https://github.com/ElectroHeavenVN/ConfuserEx-UnTypeScrambler

### dnSpy Tips

From dr4k0nia
- AsmResolver is a good project similar to dnlib
- Edit the IL instruction if the string is too long for the UI
- Enable "show hidden compiler-generated types and methods"
- Edit the IL instruction and press n for nop
--------------------------------------------------------------------------------

/PowerShell.md:
--------------------------------------------------------------------------------
# PowerShell Cheat Sheet for Blue Team

I would recommend reading this [PowerShell Commands for Incident Response](https://www.securityinbits.com/incident-response/powershell-commands-for-incident-response/) article to get a better understanding of the commands discussed below.

- [Basics](#basics)
- [Commands](#commands)
  - [Process](#process)
  - [Registry](#registry)
  - [File](#file)
    - [Gather file hashes](#gather-file-hashes)
- [Useful Functions](#useful-functions)
- [References](#references)


## Basics
### To check PS version
```powershell
$PSVersionTable
```

### Calculated properties using Hashtable
Calculated properties, which require a hashtable with a Name/label key and an Expression key, can be used with **Select-Object**. The Name key is the property name and the Expression key is a script block that is executed as **Select-Object** receives input.
```powershell
@{ Name = ''; Expression = {}}
```
Using E (short for Expression) we calculate the MD5 & SHA256 of each file returned by Get-ChildItem, as shown below in the [gather file hashes](#gather-file-hashes) section.

## Commands
**Make sure you are running PowerShell with admin privileges, otherwise some of the cmdlets will not work properly**

### Process
Get all processes with the standard columns
```powershell
Get-Process
```

Get Id, ProcessName, Path, Company, StartTime with the **Select-Object** cmdlet
```powershell
Get-Process ProcName | Select-Object Id, ProcessName, Path, Company, StartTime | Format-Table
```

The **Get-Process** cmdlet doesn't expose the process command line, so use the **Get-WmiObject** command in Windows PowerShell 5.1
```powershell
Get-WmiObject -Class Win32_Process -Filter "name='process.exe'" | Select-Object ProcessId, ProcessName, CommandLine
```
But **Get-WmiObject** is deprecated, so use **Get-CimInstance** in PowerShell 7
```powershell
Get-CimInstance -Class Win32_Process | Format-Table -Property ProcessId, ProcessName, CommandLine -AutoSize
```
Update:
This cmd works fine in PowerShell 7
```powershell
Get-Process ProcName | Select-Object Id, ProcessName, CommandLine, Path
```

Terminate a process
```powershell
Get-Process ProcName | Stop-Process
```

### Registry
The **Get-ItemProperty** cmdlet can be used for listing registry entries
```powershell
Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'IMAP Service'
```
**Remove-ItemProperty** can be used for removing persistence registry entries created by malware. This example is from NanoCore RAT.
```powershell
Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' | Remove-ItemProperty -Name 'IMAP Service'
```
### File
We can use the **Get-ChildItem** cmdlet to list a directory; it's like the dir cmd. This cmdlet can be used on a file system directory, a registry hive, or a certificate store.
- `-Recurse` – Used to recursively list all the sub-directories
- `-Filter` – You can use this parameter to filter the path; it supports the * and ? wildcards, e.g. *.dat, *.exe
```powershell
Get-ChildItem -Path $Env:APPDATA -Force -Recurse -Filter run.dat
```
**-Force – It is used to list hidden or system files. Some malware use the hidden attribute for their files, so always use this parameter**

Instead of **Get-ChildItem**, we can use Test-Path to check whether the dir or file exists or not
```powershell
Test-Path -Path $Env:APPDATA\*\run.dat
```
Create a new directory
```powershell
New-Item -ItemType Directory -Path C:\Users\admin\IoCs
```

Copy a directory recursively
```powershell
Copy-Item C:\Users\admin\AppData\Roaming\0319B08F-2B65-4192-B2D2-1E2F62087064\ -Destination C:\Users\admin\IoCs\ -Recurse
```

Delete the complete dir recursively
```powershell
Remove-Item -Path $env:APPDATA\0319B08F-2B65-4192-B2D2-1E2F62087064\ -Recurse -Force
```

Remove the copy of the NanoCore malware
```powershell
Remove-Item -Path $env:TEMP\RAVBg64.exe -Force
```

#### Gather file hashes
The **Get-FileHash** cmdlet can be used to get the hash using different algorithms, e.g. MD5, SHA1, SHA256 etc. By default, the Get-FileHash cmdlet uses the SHA256 algorithm, although any hash algorithm that is supported by the target operating system can be used.

**SHA256**
```powershell
Get-FileHash -Path 'C:\Users\admin\AppData\Roaming\0319B08F-2B65-4192-B2D2-1E2F62087064\IMAP Service\imapsv.exe'
```

**MD5**
```powershell
Get-FileHash -Algorithm MD5 -Path 'C:\Users\admin\AppData\Roaming\0319B08F-2B65-4192-B2D2-1E2F62087064\IMAP Service\imapsv.exe'
```

Command for collecting the file hashes in a directory with MD5, SHA256, Name & FullName and exporting the result to a file using **Export-Csv**.
Using E (short for Expression) we calculate the MD5 & SHA256 of each file returned by **Get-ChildItem**

```powershell
Get-ChildItem -Path C:\Users\admin\AppData\Roaming\0319B08F-2B65-4192-B2D2-1E2F62087064\ -Force -Recurse -File |
Select-Object @{Name='MD5';E={(Get-FileHash -Algorithm MD5 $_).Hash}},
@{N='SHA256';E={(Get-FileHash -Algorithm SHA256 $_).Hash}},Name, FullName |
Export-Csv -NoTypeInformation -Path FileHashes.csv
```
-NoTypeInformation is used to remove this line from the csv: "#TYPE Selected.System.IO.FileInfo"

## Useful Functions
These functions can be added to the PowerShell profile file, e.g. [Profile.ps1](https://github.com/Securityinbits/config/blob/main/Profile.ps1)
### Calculate hash of files
```powershell
# Get MD5, SHA256 and file name; the input supports multiple strings with wildcards
function hashes {
    Get-ChildItem -Path $args -Force -Recurse -File |
    Select-Object @{Name='MD5';E={(Get-FileHash -Algorithm MD5 $_).Hash}},
    @{N='SHA256';E={(Get-FileHash -Algorithm SHA256 $_).Hash}},Name
}
function md5 {
    Get-ChildItem -Path $args -Force -Recurse -File |
    Select-Object @{Name='MD5';E={(Get-FileHash -Algorithm MD5 $_).Hash}}, Name
}
function sha256 {
    Get-ChildItem -Path $args -Force -Recurse -File |
    Select-Object @{Name='SHA256';E={(Get-FileHash -Algorithm SHA256 $_).Hash}}, Name
}
```

## References
### Other good PowerShell Cheat Sheets
* [PowerShell Basic Cheat Sheet](http://ramblingcookiemonster.github.io/images/Cheat-Sheets/powershell-basic-cheat-sheet2.pdf) & [PowerShell Cheat Sheet](http://ramblingcookiemonster.github.io/images/Cheat-Sheets/powershell-cheat-sheet.pdf) by @ramblingcookiemonster
* [Cheat Sheet](https://gist.github.com/pcgeek86/336e08d1a09e3dd1a8f0a30a9fe61c8a) by @pcgeek86
--------------------------------------------------------------------------------
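For the hashdb lookup in Malware_analysis.md above, an added example (not code from the original notes or from hashdb) that reproduces the reported hash locally and resolves a batch of API hashes offline against a constructed wordlist, which is the lookup hashdb performs server-side. The `API_WORDLIST` and the 0xDEADBEEF sample hash are constructed for the demo; 572265531 is the value queried above.

```python
# Added example, not from the original notes or from hashdb itself: reproduce
# the hash that hashdb resolved above (572265531 -> ZwAllocateVirtualMemory)
# and resolve a batch of API hashes offline against a constructed wordlist,
# the same lookup hashdb performs server-side against its own string tables.
# The reported algorithm is the classic djb2 loop kept to 32 bits:
#   h = (h << 5) + h + byte, seeded with 5381.

def djb2_shl5(name: str, seed: int = 5381) -> int:
    """32-bit djb2: h = h*33 + c for each ASCII byte of the name."""
    h = seed
    for b in name.encode("ascii"):
        h = ((h << 5) + h + b) & 0xFFFFFFFF
    return h


# Constructed stand-in for hashdb's API string tables; real analysis would
# use the export names of ntdll, kernel32, etc.
API_WORDLIST = {
    "ntdll": ["ZwAllocateVirtualMemory", "NtProtectVirtualMemory", "RtlGetVersion"],
    "kernel32": ["VirtualAlloc", "CreateThread", "GetProcAddress", "LoadLibraryA"],
}


def build_table(wordlist=API_WORDLIST):
    """Precompute hash -> (api, module) for every name in the wordlist."""
    return {djb2_shl5(api): (api, module)
            for module, names in wordlist.items() for api in names}


def resolve_hashes(hashes, wordlist=API_WORDLIST):
    """Map each hash to (api, module), or None when it is not in the wordlist."""
    table = build_table(wordlist)
    return {h: table.get(h) for h in hashes}


if __name__ == "__main__":
    # 572265531 is the value queried on hashdb above; the others are
    # computed here from constructed names so the run needs no network.
    sample = [572265531, djb2_shl5("VirtualAlloc"), 0xDEADBEEF]
    for h, hit in resolve_hashes(sample).items():
        print(f"{h:#010x} -> {hit}")
```

A hash that resolves to None simply is not in the wordlist; extend the wordlist with the exports of the DLLs the sample imports before concluding it is a different algorithm.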
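For the "is the file truncated" check in Malware_analysis.md above, an added example (not code from the original notes or from CFF Explorer) that derives the PE size from the section table and compares it with the real file size; it assumes that the PE size CFF Explorer reports is the end of the last section's raw data. The sample image is constructed inline.

```python
# Added example, not from the original notes or from CFF Explorer: derive the
# "PE size" from the section table (end of the last section's raw data, assumed
# here to be what CFF Explorer shows) and compare it with the real file size,
# i.e. the File Size < PE Size check described above.
import struct


def pe_size_from_headers(data: bytes) -> int:
    """Largest PointerToRawData + SizeOfRawData over all section headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    sect = coff + 20 + opt_size               # first IMAGE_SECTION_HEADER
    end = sect + 40 * num_sections
    if len(data) < end:
        raise ValueError("section table itself is cut off")
    for i in range(num_sections):             # SizeOfRawData, PointerToRawData
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def check_truncated(data: bytes):
    """Return (file_size, pe_size, truncated). A file larger than pe_size
    is not truncated; the extra bytes are an overlay, which is common."""
    pe_size = pe_size_from_headers(data)
    return len(data), pe_size, len(data) < pe_size


def build_sample_pe() -> bytes:
    """Constructed minimal image: DOS header, PE signature, COFF header with
    no optional header, two sections whose raw data ends at 0x600."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)
    sections = b""
    for name, ptr in ((b".text", 0x200), (b".data", 0x400)):
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, rest zero
        sections += name.ljust(8, b"\0") + struct.pack("<IIII", 0x200, ptr, 0x200, ptr) + b"\0" * 16
    return (dos + b"PE\0\0" + coff + sections).ljust(0x600, b"\0")


if __name__ == "__main__":
    sample = build_sample_pe()
    print(check_truncated(sample))          # (1536, 1536, False)
    print(check_truncated(sample[:1000]))   # (1000, 1536, True)
```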