├── Section1
├── ⠀⠀
├── Module1
│ └── Intro to Threat Hunting.md
├── Module4
│ └── Threat Hunting Hypothesis.md
├── Module3
│ └── Threat Intelligence.md
└── Module2
│ └── Threat Hunting Professional.md
├── Section2
├── ⠀⠀
├── Module1
│ └── Intro To Network Hunting.md
├── Module3
│ └── Hunting Web shell.md
└── Module2
│ └── suspicious Traffic Hunting.md
├── Section3
├── ⠀
├── Module3
│ └── Hunting Malware.md
├── Module4
│ └── Event IDs, Logging, & SIEMs.md
├── Module2
│ └── Malware Overview.md
└── Module1
│ └── Introduction To Endpoint Hunting.md
├── README.md
└── Labs
├── Splunk & ELK.md
└── Volatility.md
/Section1/⠀⠀:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/Section2/⠀⠀:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/Section3/⠀:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 |
2 | 
3 |
4 |
5 |
6 |
7 | "I would like to clarify that these are merely notes for my certification study, and I have not violated any intellectual property rights for INE, engaged in plagiarism, or unlawfully transferred content."
8 |
9 | By Talal Alqahtani
10 |
11 |
12 |
Connect with me:
13 |
14 |
15 |
16 |
17 |
18 |
19 |
20 |
21 |
--------------------------------------------------------------------------------
/Labs/Splunk & ELK.md:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | **Splunk** is a tool for collecting, searching, and analyzing machine data in real-time. It’s essential for IT operations, security, and business analytics.
5 |
6 | ### **Splunk Usage Workflow:**
7 |
8 | 1. **Data Input**: Collect data from various sources (e.g., servers, apps).
9 | 2. **Indexing**: Organize data for fast searching.
10 | 3. **Search and Analyze**: Query data using SPL to find insights.
11 | 4. **Reporting and Visualization**: Create dashboards, reports, and set alerts based on the analyzed data.
12 |
13 | Splunk is widely used for monitoring systems, detecting security threats, and making informed decisions.
14 |
15 | https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/ListOfSearchCommands
16 |
17 | I found valuable resources to understand Splunk and ELK through the "Boss of the SOC" (BOTS) series by CyberDefenders. Versions V1, V2, and V3 of this series were particularly helpful in providing real-world scenarios and in-depth analysis on using these tools in a Security Operations Center (SOC).
18 |
19 | &&
20 |
21 | https://academy.hackthebox.com/course/preview/understanding-log-sources--investigating-with-splunk
22 |
23 | --------------------------------------------------------------------
24 |
25 |
26 | **ELK Stack** (Elasticsearch, Logstash, Kibana) is a popular open-source toolset for log and data analysis, similar to Splunk, used for real-time data search, analysis, and visualization.
27 |
28 | ### **ELK Usage Workflow:**
29 |
30 | 1. **Logstash (Data Collection)**: Ingests and processes data from various sources.
31 | 2. **Elasticsearch (Indexing and Storage)**: Stores and indexes data for quick search and retrieval.
32 | 3. **Kibana (Visualization)**: Creates visualizations, dashboards, and reports based on the indexed data.
33 |
34 | ELK is widely used for monitoring, troubleshooting, and gaining insights from log data in real-time.
35 |
36 | 
37 |
--------------------------------------------------------------------------------
/Section1/Module1/Intro to Threat Hunting.md:
--------------------------------------------------------------------------------
1 |
2 |
3 | What is Threat Hunting?
4 |
5 | Threat hunting is the human-centric process of proactively searching data and discovering cyber threats.
6 |
7 | The Hunter?
8 |
9 | Attempts to locate and confirm abnormal activity.
10 |
11 | Threat Intelligence?
12 |
13 | Involves the collection, analysis, and dissemination of information about current and potential threats to an organization's digital security. It is used to inform proactive measures, improve defensive strategies, and support real-time decision-making to protect systems and data from cyber threats and compromises.
14 |
15 | ### Reactive vs. proactive
16 |
17 | Reactive: real-time monitoring, such as a SOC.
18 |
19 | Proactive: goes beyond real-time monitoring, such as threat hunting.
20 |
21 | # Incident Response
22 |
23 | Incident Response: anything that violates company policy and leads to a threat.
24 |
25 | 
26 |
27 | Preparation: This phase involves setting up the necessary tools, documentation, and responsibilities to handle incidents effectively. It also includes measures to reduce the likelihood of incidents.
28 |
29 | Detection and Analysis: During this phase, the IR team verifies if a security breach has occurred by analyzing reported symptoms and classifying the situation as an incident if necessary.
30 |
31 | Containment, Eradication, and Recovery: In this phase, the team gathers intelligence and creates signatures to identify compromised systems.
32 | They then implement countermeasures to neutralize the threat and work to restore systems and data to normal operation.
33 |
34 | Post-Incident Activity: This phase involves learning from the incident to enhance the organization’s security posture and prevent future occurrences.
35 |
36 | # Risk Assessments
37 |
38 | What is a risk assessment ?
39 |
40 | Risk assessments provide hunters with insights into the systems or processes most likely to be targeted by intruders. Hunters need to think like attackers to identify critical targets within a network.
41 |
42 | "We must prioritize Focus Determination and Role Distribution"
43 |
44 | # Types of Threat Hunting
45 |
46 | 1-Ad-hoc Hunter:
47 | Multi-role, infrequent hunts.
48 | Found in organizations without formal security teams.
49 |
50 | 2-Analyst and Hunter:
51 | SOC analysts who also hunt.
52 | Common in small organizations.
53 |
54 | 3-Dedicated Hunting Team:
55 | Specialized team focused on hunting.
56 | Typical in large or governmental organizations.
57 |
--------------------------------------------------------------------------------
/Section3/Module3/Hunting Malware.md:
--------------------------------------------------------------------------------
1 |
2 | #### Introduction
3 |
4 | - **Malware Persistence:** Malware employs various techniques to evade detection.
5 | - **Proactive Hunting:** It is essential to use multiple tools and techniques to actively hunt for malware, which may hide in plain sight, inject into other processes, reside in files, email attachments, or exist as fileless malware in memory.
6 |
7 | #### Detection Tools
8 |
9 | - **Tool Variety:** A wide range of tools is necessary to detect different types of malware signatures, including Meterpreter sessions and DLL injections.
10 | - **PE Capture Tool:** An example tool, NoVirusThanks' PE Capture, captures PE files, executables, DLLs, and drivers loaded into the OS for analysis.
11 | - **ProcScan.rb:** Scans process memory for code injections, working for 32-bit systems/applications.
12 | - **Meterpreter Payload Detection:** Scans running processes to detect Meterpreter.
13 | - **Reflective Injection Detection:** Detects reflective DLL injections by looking for PE headers.
14 |
15 | #### Detection Techniques
16 |
17 | - **Static and Dynamic Analysis:** Techniques for both static and dynamic analysis are crucial to detect malware. Static analysis involves examining the malware file without executing it, while dynamic analysis involves executing the malware in a controlled environment to observe its behavior.
18 |
19 | #### Memory Analysis
20 |
21 | - **Importance:** Traditional file-system detection techniques are often unreliable for memory-resident malware, making memory analysis vital.
22 | - **Memory Forensics:** Provides visibility into the runtime state of a system, revealing running processes, open network connections, and recently executed commands.
23 | - **Acquisition Methods:** Memory can be acquired via hardware (more resilient to rootkit modification) or software (requires kernel mode access and may overwrite evidence).
24 | - **Memory Analysis Tools:**
25 | - **Mandiant’s (FireEye) Redline:** Provides host investigative capabilities for finding signs of malicious activity through memory and file analysis.
26 | - **Volatility:** Memory forensics tool for analyzing memory dumps.
27 | - **Get-InjectedThreat.ps1:** PowerShell script for memory analysis.
28 | - **Memdump:** Utility for creating memory dumps for analysis.
29 |
30 | #### Malware Analysis
31 |
32 | - **Skill Necessity:** Basic malware analysis skills are essential for threat hunters, even if they are not dedicated malware analysts.
33 | - **Binary Analysis:** To understand malware further, analysis of binaries in clear-text in memory is needed.
34 |
--------------------------------------------------------------------------------
/Section1/Module4/Threat Hunting Hypothesis.md:
--------------------------------------------------------------------------------
1 | #### MITRE ATT&CK
2 | #### Overview
3 |
4 | MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a detailed framework that models cyber adversary behavior, covering different attack phases and targeted platforms. It's widely used for understanding, detecting, and mitigating cyber threats.
5 |
6 | - **Tactics**: High-level adversary goals.
7 | - **Techniques**: Methods used to achieve tactics.
8 | - **Procedures**: Detailed steps for executing techniques.
9 |
10 | The framework is structured as a matrix, with columns representing tactics and cells representing techniques. Each technique includes:
11 |
12 | - Detailed explanations
13 | - Real-world examples
14 | - Mitigation strategies
15 | - Detection suggestions
16 | - Metadata
17 |
18 | #### Data Collection
19 |
20 | 1. **Purpose-Driven Collection**:
21 |
22 | - Collect data with a clear objective based on a hypothesis.
23 | - Focus on relevant host and network data.
24 | 2. **Exporting Data**:
25 |
26 | - **Push**: Automatic forwarding by host agents.
27 | - **Pull**: Remote collection during connections.
28 | - **Combination**: Using both methods.
29 | 3. **Assessment of Data Collection**:
30 |
31 | - Ensure availability of needed data, environmental coverage, historical data search capabilities, and data quality.
32 |
33 | #### Data Governance
34 |
35 | 1. **Definition**:
36 |
37 | - Management of data availability, usability, integrity, and security for consistency and trustworthiness.
38 | 2. **Data Quality Aspects**:
39 |
40 | - Completeness, consistency, and timeliness of data.
41 | 3. **Identifying Anomalies**:
42 |
43 | - Baseline normal activities to detect anomalies.
44 |
45 | #### Data Analysis
46 |
47 | 1. **Tools**:
48 |
49 | - SIEM systems like ELK/HELK, Splunk, and Graylog.
50 | 2. **Analysis Techniques**:
51 |
52 | - **Searching**: Finding answers and identifying anomalies.
53 | - **Aggregation**: Grouping data to identify patterns.
54 | 3. **Utilizing Multiple Data Sources**:
55 |
56 | - Switch data sources when initial results are incomplete.
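
The aggregation and baselining steps above, as an added example that is not part of the course notes: the script groups constructed process-creation records by (parent, child) image pair, treats pairs seen on many hosts as the environment's baseline, and reports the rare pairs as candidates for a closer look. Host names, image names and the `min_hosts` threshold are constructed for illustration.

```python
"""Frequency analysis ("stacking") of process parent/child pairs across hosts.
Added example, not part of the notes; all records below are constructed."""
from collections import Counter, defaultdict

# Constructed process-creation records: (host, parent image, child image)
SAMPLE_RECORDS = [
    ("ws01", "explorer.exe", "chrome.exe"),
    ("ws02", "explorer.exe", "chrome.exe"),
    ("ws03", "explorer.exe", "chrome.exe"),
    ("ws04", "Explorer.EXE", "chrome.exe"),      # case differs, same pair
    ("ws01", "services.exe", "svchost.exe"),
    ("ws02", "services.exe", "svchost.exe"),
    ("ws03", "services.exe", "svchost.exe"),
    ("ws04", "services.exe", "svchost.exe"),
    ("ws02", "services.exe", "svchost.exe"),
    ("ws01", "winword.exe", "cmd.exe"),          # seen on one host only
    ("ws03", "svchost.exe", "powershell.exe"),   # seen on one host only
]


def stack(records):
    """Aggregate by (parent, child): which hosts showed the pair and how often."""
    hosts = defaultdict(set)
    events = Counter()
    for host, parent, child in records:
        pair = (parent.lower(), child.lower())   # normalize case before grouping
        hosts[pair].add(host)
        events[pair] += 1
    return {pair: {"hosts": sorted(h), "events": events[pair]} for pair, h in hosts.items()}


def baseline(records, min_hosts):
    """Pairs seen on at least min_hosts distinct hosts count as normal here."""
    return {pair for pair, s in stack(records).items() if len(s["hosts"]) >= min_hosts}


def anomalies(records, min_hosts):
    """Pairs below the baseline, rarest first: (pair, hosts where seen, event count)."""
    normal = baseline(records, min_hosts)
    rare = [(pair, s["hosts"], s["events"])
            for pair, s in stack(records).items() if pair not in normal]
    return sorted(rare, key=lambda r: (len(r[1]), r[2], r[0]))


if __name__ == "__main__":
    for pair, hosts, count in anomalies(SAMPLE_RECORDS, min_hosts=2):
        print(f"rare pair {pair[0]} -> {pair[1]}: {count} event(s) on {hosts}")
```

The threshold is the tunable part: a pair seen on two hosts out of four is ordinary, while the same pair on two hosts out of two thousand is worth a look, so `min_hosts` should scale with the size of the data set being stacked.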
57 |
58 | ### Hunting Hypothesis and Methodology
59 |
60 | #### 5-Step Process for Hunting
61 |
62 | 1. **Pick a Tactic and Technique**:
63 |
64 | - Use MITRE ATT&CK to select an attack technique.
65 | 2. **Identify Associated Procedure(s)**:
66 |
67 | - Research procedures, prerequisites, and outcomes.
68 | 3. **Perform an Attack Simulation**:
69 |
70 | - Simulate the attack in a controlled environment to understand generated data.
71 | 4. **Identify Evidence to Collect**:
72 |
73 | - Look for artifacts and deviations from baselines.
74 | 5. **Set Scope**:
75 |
76 | - Define hunt duration and data sources, considering limitations.
77 |
78 | ### Hunting Metrics
79 |
80 | #### Considerations for Defining Metrics
81 |
82 | 1. **Activity Detection**:
83 |
84 | - Success isn’t only finding malicious activity but ensuring thorough coverage.
85 | 2. **Simulated Activity**:
86 |
87 | - Avoid simulations in production; coordinate with penetration testing.
88 | 3. **Control Factors**:
89 |
90 | - Frequency of hunts, technique and procedure coverage, network coverage, and historic logging capability.
91 | ---
92 |
93 |
--------------------------------------------------------------------------------
/Section3/Module4/Event IDs, Logging, & SIEMs.md:
--------------------------------------------------------------------------------
1 |
2 | 1. **Introduction**
3 |
4 | - Event logs, initially used for troubleshooting, have become vital for incident response and threat hunting.
5 | 2. **Windows Event Logs**
6 |
7 | - Core event logs in Windows include Application, System, and Security logs.
8 | - Logs capture various events such as application errors, system processes, and security-related actions.
9 | - Modern Windows versions use the EVTX format for logs.
10 | - Additional logs include Setup, Forwarded Events, and Applications and Services logs.
11 | 3. **Windows Event IDs**
12 |
13 | - Specific event IDs are crucial for monitoring account logon events, account management, and logon types.
14 | - Examples of important event IDs include:
15 |
16 | - 4624: Successful logon
17 | - 4625: Failed logon
18 | - 4634: Successful logoff
19 | - 4647: User-initiated logoff
20 | - 4648: Logon using explicit credentials
21 | - 4672: Special privileges assigned
22 | - 4720: Account created
23 | - 4768: Kerberos ticket (TGT) requested
24 | - 4769: Kerberos service ticket requested
25 | - 4771: Kerberos pre-authentication failed
26 | - 4776: Attempted to validate credentials
27 | - 4778: Session reconnected
28 | - 4779: Session disconnected
29 | - 4724: An attempt was made to reset an account's password
30 | - 4738: A user account was changed
31 | - 4740: A user account was locked out
32 | - 4765: SID History was added to an account
33 | - 4766: An attempt to add SID History to an account failed
34 | - Logon types provide context on how an account logged in, such as interactive, network, or service logons.
35 |
36 | |Logon Type|Logon Title|Description|
37 | |---|---|---|
38 | |2|Interactive|Physically logged on.|
39 | |3|Network|Logged on from the network.|
40 | |4|Batch|For batch servers/scheduled tasks.|
41 | |5|Service|Service started by Service Control Manager.|
42 | |7|Unlock|Workstation unlocked.|
43 | |8|NetworkCleartext|Network credentials sent in cleartext.|
44 | |9|NewCredentials|Cloned token with new credentials.|
45 | |10|RemoteInteractive|Logged on via Terminal Services or RDP.|
46 | |11|CachedInteractive|Logged on with locally stored credentials.|
47 |
48 | Logon IDs help track session information across different events.
49 | 4. **Windows Event Forwarding**
50 |
51 | - Discusses centralizing logs from multiple machines for better monitoring and analysis.
52 | 5. **Windows Log Rotation & Clearing**
53 |
54 | - Methods and best practices for managing log sizes and retention.
55 | 6. **Tools**
56 |
57 | - Lists and explains various tools used for log analysis and event monitoring.
58 | 7. **Advanced Hunting**
59 |
60 | - Techniques for developing custom hunting dashboards and detecting both generic and advanced attacks.
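
The event IDs and logon types listed in the summary above, applied in code as an added example (not part of the course notes): the script walks a handful of constructed Security-log records in time order, flags an account whose successful logon (4624) follows a run of failures (4625) from the same source, lists logon type 8 (credentials sent in cleartext) logons, and aggregates successful logons by type. The records, account names and addresses are constructed, not real logs.

```python
"""Hunt over Windows Security-log records using the event IDs and logon
types from the notes. Added example; the records below are constructed."""
from collections import defaultdict

# Logon types from the table in the notes
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive",
}

# Constructed sample records, in time order: (event_id, account, source_ip, logon_type)
SAMPLE_EVENTS = [
    (4625, "jdoe", "10.0.0.55", 3),
    (4625, "jdoe", "10.0.0.55", 3),
    (4625, "jdoe", "10.0.0.55", 3),
    (4625, "jdoe", "10.0.0.55", 3),
    (4625, "jdoe", "10.0.0.55", 3),
    (4624, "jdoe", "10.0.0.55", 3),        # success after five failures
    (4624, "svc_backup", "10.0.0.7", 5),   # service logon, expected
    (4624, "asmith", "10.0.0.23", 8),      # credentials sent in cleartext
    (4625, "admin", "10.0.0.99", 10),      # single failed RDP attempt
    (4634, "jdoe", "10.0.0.55", 3),        # logoff
]


def logon_type_name(logon_type):
    return LOGON_TYPES.get(logon_type, f"Unknown({logon_type})")


def find_failures_then_success(events, threshold=5):
    """Accounts that logged on (4624) right after at least `threshold`
    consecutive failures (4625) from the same source IP: a run of failures
    ending in success is the classic password-guessing pattern to review."""
    failures = defaultdict(int)  # (source_ip, account) -> consecutive 4625s
    hits = []
    for event_id, account, source_ip, logon_type in events:
        key = (source_ip, account)
        if event_id == 4625:
            failures[key] += 1
        elif event_id == 4624:
            if failures[key] >= threshold:
                hits.append({
                    "account": account,
                    "source": source_ip,
                    "failures_before_success": failures[key],
                    "logon_type": logon_type_name(logon_type),
                })
            failures[key] = 0  # a success ends the run
    return hits


def find_cleartext_logons(events):
    """Logon type 8 means the network credentials were sent in cleartext."""
    return [(account, source_ip)
            for event_id, account, source_ip, logon_type in events
            if event_id == 4624 and logon_type == 8]


def logon_type_counts(events):
    """Aggregate successful logons by logon type, a quick baseline view."""
    counts = defaultdict(int)
    for event_id, _account, _source_ip, logon_type in events:
        if event_id == 4624:
            counts[logon_type_name(logon_type)] += 1
    return dict(counts)


if __name__ == "__main__":
    for hit in find_failures_then_success(SAMPLE_EVENTS):
        print("failures followed by success:", hit)
    print("cleartext logons:", find_cleartext_logons(SAMPLE_EVENTS))
    print("successful logons by type:", logon_type_counts(SAMPLE_EVENTS))
```

In a SIEM the same logic is a search over event codes 4624 and 4625 grouped by source and account; keying the failure counter on the (source, account) pair rather than the account alone keeps one user mistyping their password from masking a separate source that is guessing it.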
61 |
62 | ### Tools Mentioned
63 |
64 | 1. **Event Viewer**
65 |
66 | - Tool to access and view event logs on Windows.
67 | 2. **Microsoft’s Documentation**
68 |
69 | - Provides detailed information about specific event IDs.
70 | 3. **Log Parsing and Analysis Tools**
71 |
72 | - Various tools to parse and analyze log data, such as:
73 | - **LogParser**: Used for querying Windows event logs.
74 | - **Sysmon**: Extends logging capabilities of Windows.
75 | 4. **SIEM Systems**
76 |
77 | - SIEM systems like Splunk and ELK (Elasticsearch, Logstash, Kibana) are essential for centralizing and analyzing logs from multiple sources.
78 | 5. **PowerShell**
79 |
80 | - Useful for scripting and automating log analysis tasks.
81 | 6. **Third-Party Tools**
82 |
83 | - Examples include PE Sieve and API Monitor for specific attack detection tasks.
84 |
85 |
--------------------------------------------------------------------------------
/Section1/Module3/Threat Intelligence.md:
--------------------------------------------------------------------------------
1 |
2 | Threat Intelligence Reports:
3 |
4 | - Published by trusted sources, offering insights into cyber threats and associated actors.
5 |
6 | Entities Issuing Reports:
7 |
8 | - FireEye, Verizon, TrustWave, CrowdStrike, Palo Alto Networks, Cylance, and F-Secure.
9 |
10 | FireEye's Role:
11 |
12 | - Regularly releases detailed reports and an annual M-Trends report, focusing on specific threat actors and global trends.
13 |
14 | M-Trends Report:
15 |
16 | - Provides a comprehensive analysis of cyber attack trends, helping organizations understand emerging threats and defensive strategies. [M-Trends 2023 Executive Summary | Mandiant](https://www.mandiant.com/resources/reports/m-trends-2023-executive-summary)
17 |
18 | Industry-specific Reports:
19 |
20 | - Tailored insights for sectors like education, finance, and healthcare to address industry-specific risks. [The CyberThreat Report: November 2023 (trellix.com)](https://www.trellix.com/solutions/gated-form/?docID=20ac2103-1f39-4c86-a2b8-995059730c01/)
21 |
22 |
23 | Threat Intelligence Research:
24 |
25 | - Ongoing efforts by entities like Palo Alto Networks' Unit42 to uncover new vulnerabilities and exploits. [Threat Brief: Operation MidnightEclipse, Post-Exploitation Activity Related to CVE-2024-3400 (Updated May 20) (paloaltonetworks.com)](https://unit42.paloaltonetworks.com/cve-2024-3400/)
26 |
27 | Key Questions When Reading Reports:
28 |
29 | - Focus on objectives, detection methods, and alignment with known threats.
30 | - How was the goal accomplished?
31 | - What measures can we take to identify this behavior?
32 | - Does this resemble any past occurrences?
33 |
34 | Data Collection Tip:
35 |
36 | - Automate data gathering into a centralized dashboard for efficient monitoring of multiple sources.
37 |
38 | ### Threat Sharing and Exchanges
39 |
40 | ISACs: Collaborative organizations sharing threat information across critical sectors via the National Council of ISACs for a unified response to emerging threats. https://www.nationalisacs.org/about-isacs
41 |
42 | US-CERT: Leading authority in responding to cyber incidents, providing crucial threat intel and mitigation strategies. [Home Page | CISA](https://www.cisa.gov/)
43 |
44 |
45 | OTX: AlienVault's community-driven platform shares actionable threat data for collective defense, enhancing cybersecurity resilience. [AT&T Alien Labs Open Threat Exchange (att.com)](https://cybersecurity.att.com/open-threat-exchange)
46 |
47 | ThreatConnect: Like OTX, offers threat intel feeds and collaborative defense tools to strengthen cybersecurity defenses.
48 |
49 | MISP: Open-source platform for sharing cybersecurity indicators and threats, enabling information exchange and integration with security tools. [MISP features and functionalities (misp-project.org)](https://www.misp-project.org/features/)
50 |
51 | ### Indicators of Compromise
52 |
53 | 1. **Role of IOCs**:
54 |
55 | - Indicators of Compromise (IOCs) are pivotal in identifying data breaches, malware infections, and other malicious activities.
56 | - Monitoring IOCs allows organizations to promptly detect and respond to cyber threats.
57 | 2. **Acquiring IOCs**:
58 |
59 | - When obtaining IOCs from sources like ISACs or threat sharing platforms, compatibility with existing tools is crucial.
60 | - Typical IOCs encompass malware signatures, MD5 hashes, IP addresses, and URLs linked to malicious activities.
61 | 3. **Standardized Formats and Tools**:
62 |
63 | - OpenIOC, developed by FireEye, provides a standardized format for describing artifacts encountered during investigations.
64 | - Tools such as IOC Editor facilitate efficient management and manipulation of IOCs, enhancing threat analysis capabilities. [OpenIOC 1.1 Editor | FireEye Market](https://fireeye.market/apps/211404)
65 |
66 | 4. **Automated Analysis**:
67 |
68 | - Redline, another tool by FireEye, automates IOC analysis, expediting the identification of potential threats. [Redline | FireEye Market](https://fireeye.market/apps/211364)
69 |
70 | 5. **Malware Classification**:
71 |
72 | - YARA assists in the identification and classification of malware samples, aiding in IOC detection on systems. [GitHub - VirusTotal/yara: The pattern matching swiss knife](https://github.com/virustotal/yara)
73 |
74 |
75 | This structured approach highlights the importance of IOCs, their acquisition, standardized formats, tools for management and analysis, and assistance in malware classification.
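
The acquisition and matching of IOCs described above, as an added example that is not part of the course notes: a small loader validates and normalizes indicators of the typical kinds listed (MD5 hashes, IP addresses, domains, URLs), and a matcher runs them over constructed records from several log sources. The indicators are placeholders built from documentation ranges and example.net names, and the log records are constructed; none of them are real IOCs.

```python
"""Match a constructed IOC list against constructed log records.
Added example, not part of the notes; indicators are placeholders."""
import ipaddress
from urllib.parse import urlparse


def normalize_domain(name):
    """Lower-case and strip the trailing dot so 'CDN.Example.NET.' and
    'cdn.example.net' compare equal."""
    return name.strip().rstrip(".").lower()


def load_iocs(raw):
    """Validate and normalize raw indicators so matching is consistent:
    hashes lower-cased, IPs parsed (malformed ones rejected), domains normalized."""
    iocs = {"md5": set(), "ip": set(), "domain": set(), "url": set()}
    for kind, value in raw:
        if kind == "md5":
            if len(value) != 32 or any(c not in "0123456789abcdefABCDEF" for c in value):
                raise ValueError(f"not an MD5: {value}")
            iocs["md5"].add(value.lower())
        elif kind == "ip":
            iocs["ip"].add(str(ipaddress.ip_address(value)))  # raises on junk
        elif kind == "domain":
            iocs["domain"].add(normalize_domain(value))
        elif kind == "url":
            iocs["url"].add(value)
            host = urlparse(value).hostname      # a URL IOC implies its host too
            if host:
                iocs["domain"].add(normalize_domain(host))
        else:
            raise ValueError(f"unknown IOC type: {kind}")
    return iocs


# Constructed placeholder indicators
RAW_IOCS = [
    ("md5", "0123456789abcdef0123456789abcdef"),
    ("ip", "203.0.113.45"),
    ("domain", "bad.example.net"),
    ("url", "http://bad.example.net/update.bin"),
]

# Constructed sample records from different log sources
SAMPLE_LOGS = [
    {"host": "ws01", "src": "proxy", "url": "http://bad.example.net/update.bin"},
    {"host": "ws02", "src": "dns", "query": "mail.example.com"},
    {"host": "ws03", "src": "dns", "query": "cdn.BAD.example.net."},   # subdomain, mixed case
    {"host": "ws04", "src": "fw", "dst_ip": "203.0.113.45"},
    {"host": "ws05", "src": "edr", "md5": "0123456789ABCDEF0123456789ABCDEF"},
    {"host": "ws06", "src": "fw", "dst_ip": "198.51.100.9"},
]


def domain_matches(name, ioc_domains):
    """Exact match or a subdomain of an indicator domain (label boundary
    respected, so 'notbad.example.net' does not match 'bad.example.net')."""
    name = normalize_domain(name)
    return any(name == d or name.endswith("." + d) for d in ioc_domains)


def match_record(record, iocs):
    hits = []
    if "md5" in record and record["md5"].lower() in iocs["md5"]:
        hits.append(("md5", record["md5"].lower()))
    if "dst_ip" in record and record["dst_ip"] in iocs["ip"]:
        hits.append(("ip", record["dst_ip"]))
    if "query" in record and domain_matches(record["query"], iocs["domain"]):
        hits.append(("domain", normalize_domain(record["query"])))
    if "url" in record:
        host = urlparse(record["url"]).hostname or ""
        if record["url"] in iocs["url"]:
            hits.append(("url", record["url"]))
        elif domain_matches(host, iocs["domain"]):
            hits.append(("domain", normalize_domain(host)))
    return hits


def scan(records, iocs):
    """Return (host, log source, (ioc_type, value)) for every match."""
    return [(r["host"], r["src"], hit) for r in records for hit in match_record(r, iocs)]


if __name__ == "__main__":
    for host, source, hit in scan(SAMPLE_LOGS, load_iocs(RAW_IOCS)):
        print(f"{host} ({source}): {hit[0]} match on {hit[1]}")
```

The normalization step is what makes a feed usable with existing tools: the same hash arrives upper- and lower-cased from different vendors, DNS logs carry trailing dots, and an IP indicator that fails to parse should be rejected at load time rather than silently never matching.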
76 |
--------------------------------------------------------------------------------
/Section1/Module2/Threat Hunting Professional.md:
--------------------------------------------------------------------------------
1 |
2 | What is an APT?
3 |
4 | Skilled attackers gain access to a system and exfiltrate data in small amounts over a long period, all to stay hidden.
5 |
6 |
7 | What is a TTP?
8 |
9 | ### Tactics or Tools
10 |
11 | Tactics explain the "why" behind actions, involving the strategic arrangement of forces to achieve a goal.
12 |
13 | ### Techniques
14 |
15 | Techniques describe "how" actions are performed, using specific methods to accomplish tactical objectives.
16 |
17 | ### Procedures
18 |
19 | Procedures are the detailed steps that implement each technique, outlining the exact process for tasks.
20 |
21 |
22 | *Understanding TTPs helps in identifying the adversary in future attacks by creating Indicators of Compromise (IOCs).*
23 |
24 | What are IOCs?
25 |
26 | IOCs (Indicators of Compromise) are artifacts collected from active or previous intrusions used to identify a specific adversary. These artifacts include MD5 hashes, IP addresses, executable names, and more.
27 |
28 | APT 1 uses two custom utilities to steal emails from their victims:
29 |
30 | - **GETMAIL**: Malware that extracts email messages and attachments from Outlook PST files.
31 | - **MAPIGET**: Malware that extracts email messages and attachments from an Exchange server.
32 |
33 |
34 | #### The Pyramid of Pain classifies indicators of compromise (IOCs) and adversary tactics based on their effectiveness and difficulty of detection:
35 |
36 | - **Hash Values:** Used to verify the authenticity of files but easily changed, hence less reliable.
37 | - **IP Addresses:** Easily masked through anonymity channels, but blacklisting can disrupt adversaries.
38 | - **Domain Names:** Dynamic and easily changed; adversaries use various techniques for evasion, such as:
39 |   - IDN homograph attacks
40 |   - Punycode
41 |
42 |
43 |
44 | - **Network/Host Artifacts:** Clues left by adversaries; detecting specific tools forces them to adapt, increasing their workload.
45 | - **TTPs (Tactics, Techniques, and Procedures):** Represent adversaries' methods; retraining adversaries is costly and challenging, but effective in increasing their operational costs.
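
The domain-name rung of the pyramid, worked through as an added example that is not part of the course notes: the script decodes Punycode (`xn--`) labels into the Unicode a user actually sees, flags a label that mixes scripts (for example Latin and Cyrillic letters), and compares a confusable-folded "skeleton" of the name against a watch list of protected domains. The confusable table is a small constructed subset of Unicode's list, and the sample domains and watch list are constructed for illustration.

```python
"""Spot look-alike domains built with IDN homographs and Punycode.
Added example, not part of the notes; the confusable table and the sample
domains are constructed for illustration."""
import unicodedata

# Small constructed table of Cyrillic letters that render like Latin ones.
# Unicode's full confusables list is far longer; this is enough to show the idea.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
}


def to_unicode(domain):
    """Decode Punycode labels (xn--...) into the Unicode the user sees.
    Domains that already contain non-ASCII are returned unchanged."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeEncodeError:
        return domain


def to_ascii(domain):
    """Encode a Unicode domain to the Punycode form found in DNS logs."""
    return domain.encode("idna").decode("ascii")


def scripts_in(label):
    """Set of Unicode scripts used by the letters of one DNS label, taken
    from the first word of each character's Unicode name (LATIN, CYRILLIC...)."""
    scripts = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue
        scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def is_mixed_script(domain):
    """A single label mixing scripts is a strong homograph signal; genuine
    internationalized names normally stay within one script per label."""
    return any(len(scripts_in(label)) > 1 for label in to_unicode(domain).split("."))


def skeleton(domain):
    """Replace confusable letters by their Latin look-alikes."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in to_unicode(domain))


def find_lookalikes(domain, watchlist):
    """Watch-listed names that this domain visually impersonates."""
    seen = to_unicode(domain)
    return [w for w in watchlist if skeleton(seen) == w and seen != w]


if __name__ == "__main__":
    watch = ["apple.com", "example.com"]
    # constructed sample: Cyrillic 'a' (U+0430) in place of Latin 'a'
    for d in ["\u0430pple.com", to_ascii("\u0430pple.com"), "apple.com"]:
        print(d, "->", to_unicode(d), "| mixed script:", is_mixed_script(d),
              "| look-alike of:", find_lookalikes(d, watch))
```

Run against DNS or proxy logs, the `xn--` prefix alone is the cheapest first filter; the mixed-script and skeleton checks then separate legitimate internationalized names from ones crafted to resemble a name on the watch list.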
46 |
47 | 
48 |
49 |
50 | #### The Cyber Kill Chain outlines the stages of a cyber attack. In both the military and cyber realms, it denotes the step-by-step progression of an offensive operation.
51 |
52 | 1- Recon: Gathering information on the target.
53 | 2- Weaponize: Developing and preparing the attack.
54 | 3- Deliver: Transporting the malicious payload to the target.
55 | 4- Exploit: Taking advantage of vulnerabilities to infiltrate.
56 | 5- Install: Implanting the malware on the target system.
57 | 6- C&C (Command & Control): Establishing control over the compromised system.
58 | 7- Action: Executing the intended malicious activities on the target.
59 |
60 |
61 | #### Threat intelligence can be categorized into three types:
62 | - Strategic intelligence: This type assists senior management in making informed decisions about security budget and strategies by addressing questions about ==who== the adversary is, ==why== they are targeting you, and ==where== they have attacked previously.
63 |
64 | - Tactical intelligence: It deals with the adversary's Tactics, Techniques, and Procedures (TTPs), aiming to identify their patterns of attack using models like the Cyber Kill Chain and the Diamond Model. ==(What and When)==
65 |
66 | - Operational intelligence: This focuses on the actual indicators, known as IOCs, addressing ==how== the adversary conducts their attacks.
67 |
68 | #### Threat Hunting Mindset: Digital Forensics
69 | This type of threat hunter focuses on host, network, and memory forensics when hunting for unknown threats. Data sources may include:
70 |
71 | - Network, VPN, and Firewall logs
72 | - Disk/Share Access
73 | - Disk Forensic artifacts and advanced system logging
74 | - Memory Forensic artifacts
75 | - Reputation-based intelligence
76 | - Passive DNS
77 |
78 | While they still use threat intelligence, they go beyond it by analyzing digital artifacts proactively to detect threats. This is human-based detection and doesn't wait for automated alerts.
79 |
80 | **Key Components of a Good Hunter:**
81 |
82 | - Knowledge of available data sources/logs
83 | - Understanding a broad variety of attacks
84 | - Knowing what attacks can be detected in different data sources/logs
85 | - Ability to find reliable sources about new attack techniques
86 |
87 | A good hunter should identify variations of attacks, not just known examples.
88 |
89 | **Hunting Methods:**
90 |
91 | 1. **Attack-Based Hunting:** Searches for specific attacks in the environment by asking questions like, "Did pass-the-hash happen in my network?"
92 |
93 | 2. **Analytics-Based Hunting:** Examines data for anomalies, asking, "Does anything in this data look malicious?" Examples include unexpected encryption or a receptionist accessing HR data.
94 |
95 |
96 | **Hunting Periods:**
97 |
98 | 1. **Point in Time:** Detects what's happening at a specific moment but may miss short-lived data.
99 | 2. **Real Time:** Detects ongoing activity with data sent to SIEM.
100 | 3. **Historic:** Uses logs to identify past activities, requiring pre-configured logging.
101 |
--------------------------------------------------------------------------------
/Section2/Module1/Intro To Network Hunting.md:
--------------------------------------------------------------------------------
1 | To begin with, you need to know the details of the layering structure of the protocols in use, such as TCP/IP and OSI.
2 |
3 | 
4 | 
5 | 
6 | 
7 | 
8 | 
9 |
10 |
11 | ### Encapsulation Process
12 |
13 | - During encapsulation, each protocol adds a header to the packet, treating it as a payload.
14 | - This process is reversed at the destination host.
15 |
16 | ### Internet Protocol (IP)
17 |
18 | - IP operates at the Internet layer of the TCP/IP suite.
19 | - It delivers datagrams (IP packets) using IP addresses to identify hosts.
20 |
21 | ### Routing
22 |
23 | - Routers connect different networks and forward IP datagrams based on routing protocols.
24 | - They inspect destination addresses and use routing tables to map IP addresses to interfaces.
25 | - The routing table includes a default address (0.0.0.0) for unknown destinations.
26 | - Routing protocols assign metrics to links for path selection, considering bandwidth and congestion.
27 |
28 | ### Switching
29 |
30 | - Switches use MAC addresses and maintain a forwarding table (Content Addressable Memory or CAM table).
31 | - They forward packets based on MAC addresses.
32 |
33 | ### Protocol Familiarity
34 |
35 | - Understanding ARP, TCP, UDP, DNS, and other protocols is essential for packet analysis.
36 | - Knowing how these protocols communicate and their differences is crucial.
37 |
38 | ### ARP (Address Resolution Protocol)
39 |
40 | - When host A wants to communicate with host B but only knows B's IP address:
41 | 1. A sends an ARP request with B's IP and FF:FF:FF:FF:FF:FF (the broadcast address) as the destination MAC address.
42 |
43 |
44 | 2. All hosts on the network receive the request.
45 | 3. B responds with an ARP reply, providing its MAC address to A.
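
The encapsulation process and the ARP exchange described above, as an added example that is not part of the course notes: the script packs an ARP request into an Ethernet frame (the Ethernet header is prepended and the ARP packet becomes its payload), builds B's unicast reply, parses both frames back out, and then runs a hunting check over a set of frames for an IP address claimed by more than one MAC in ARP replies, which is the trace that ARP spoofing leaves on the wire. MAC and IP values are constructed.

```python
"""Build and parse Ethernet frames carrying ARP, to show encapsulation and
the ARP request/reply exchange, plus a check for conflicting replies.
Added example, not part of the notes; MAC and IP values are constructed."""
import struct

ETHERTYPE_ARP = 0x0806
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ARP_REQUEST, ARP_REPLY = 1, 2
ETH_HDR = "!6s6sH"            # dst MAC, src MAC, EtherType (14 bytes)
ARP_PKT = "!HHBBH6s4s6s4s"    # htype, ptype, hlen, plen, op, sha, spa, tha, tpa (28 bytes)


def mac_bytes(s): return bytes(int(p, 16) for p in s.split(":"))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_bytes(s): return bytes(int(p) for p in s.split("."))
def ip_str(b): return ".".join(str(x) for x in b)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """ARP payload for Ethernet (htype 1) over IPv4 (ptype 0x0800)."""
    return struct.pack(ARP_PKT, 1, 0x0800, 6, 4, op,
                       mac_bytes(sender_mac), ip_bytes(sender_ip),
                       mac_bytes(target_mac), ip_bytes(target_ip))


def encapsulate(dst_mac, src_mac, ethertype, payload):
    """Encapsulation: prepend the Ethernet header; the ARP packet is its payload."""
    return struct.pack(ETH_HDR, mac_bytes(dst_mac), mac_bytes(src_mac), ethertype) + payload


def parse_frame(frame):
    """Reverse the encapsulation: strip the Ethernet header, then decode ARP."""
    dst, src, ethertype = struct.unpack(ETH_HDR, frame[:14])
    parsed = {"dst_mac": mac_str(dst), "src_mac": mac_str(src), "ethertype": ethertype}
    if ethertype == ETHERTYPE_ARP and len(frame) >= 42:
        _, _, _, _, op, sha, spa, tha, tpa = struct.unpack(ARP_PKT, frame[14:42])
        parsed["arp"] = {"op": {1: "request", 2: "reply"}.get(op, op),
                         "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
                         "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}
    return parsed


def arp_exchange(a_mac, a_ip, b_mac, b_ip):
    """The exchange from the notes: A broadcasts a request for B's IP,
    every host receives it, and B answers A directly with its MAC."""
    request = encapsulate(BROADCAST_MAC, a_mac, ETHERTYPE_ARP,
                          build_arp(ARP_REQUEST, a_mac, a_ip, "00:00:00:00:00:00", b_ip))
    reply = encapsulate(a_mac, b_mac, ETHERTYPE_ARP,
                        build_arp(ARP_REPLY, b_mac, b_ip, a_mac, a_ip))
    return request, reply


def find_ip_mac_conflicts(frames):
    """Hunting check: an IP claimed by more than one MAC in ARP replies is a
    sign of ARP spoofing (or a misconfiguration) worth investigating."""
    claims = {}
    for frame in frames:
        arp = parse_frame(frame).get("arp")
        if arp and arp["op"] == "reply":
            claims.setdefault(arp["sender_ip"], set()).add(arp["sender_mac"])
    return {ip: macs for ip, macs in claims.items() if len(macs) > 1}


if __name__ == "__main__":
    req, rep = arp_exchange("00:11:22:33:44:aa", "192.168.1.10",
                            "00:11:22:33:44:bb", "192.168.1.20")
    print("request:", parse_frame(req))
    print("reply:  ", parse_frame(rep))
```

The same parser applied to frames read from a PCAP gives a quick ARP-table audit: the request is 42 bytes of Ethernet header plus ARP, and every reply that names an IP already claimed by a different MAC stands out.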
46 |
47 | #### TCP uses a 3-way handshake to establish communication between two hosts because the protocol is connection-oriented
48 | 
49 |
50 | #### TCP header
51 | 
52 |
53 | #### UDP does not use a 3-way handshake because the protocol is connectionless
54 |
55 | #### UDP header
56 | 
57 |
58 | Some important services, and the ports they typically communicate on:
59 | [Common Ports Cheat Sheet: The Ultimate List (stationx.net)](https://www.stationx.net/common-ports-cheat-sheet/)
60 |
61 | #### Packet Capture and Analysis
62 |
63 | - **PCAP Format**: Standard format for packet captures; tools export and import PCAP files.
64 | - **Scenario**: Common situations for network analysis include detecting unusual traffic, alerted by the Network Team.
65 |
66 | #### Role of a Threat Hunter
67 |
68 | - **Responsibilities**: Analyzing PCAP files provided by Network Team or conducting live captures.
69 | - **Limitations**: Not expected to manually monitor or analyze terabytes of traffic daily.
70 |
71 | #### Defense-in-Depth and Monitoring
72 |
73 | - **Security Appliances**: Appliances and configured rulesets alert for suspicious activities; Continuous Threat Intelligence (CTI) updates rulesets.
74 |
75 | #### Occasional Deep Dives
76 |
77 | - **Need for Analysis**: Instances like IDS/IPS downtime may require reviewing packet captures for missed malicious activities.
78 |
79 | #### Network Understanding
80 |
81 | - **Network Familiarity**: Essential for effective threat hunting; knowledge of infrastructure, IP schemes, network rules, and egress points.
82 |
83 | #### Platform and Tool Familiarity
84 |
85 | - **Operating Systems**: IT Security uses Windows; Red Teamers use Linux; Threat Hunters (Purple Teamers) should be proficient in both.
86 |
87 | #### Network Traffic Capture Considerations
88 |
89 | - **Live Capture**: Key considerations include ensuring correct traffic capture, sufficient computing power, and disk space.
90 | - **Switch Considerations**: Use of mirrored ports (SPAN ports) for capturing traffic; alternatives include network taps, MAC flooding, or ARP spoofing if SPAN ports are unavailable.
91 |
92 | #### Tools for Packet Analysis
93 |
94 | - **libpcap**: Unix C library for packet sniffing and analysis; basis for tools like Wireshark and tcpdump.
95 | - **WinPcap**: Equivalent library for Windows systems, supporting tools like Wireshark.
96 |
97 | ### Wireshark
98 |
99 | - **Wireshark**: Network sniffer and protocol analyzer; supports packet analysis across different operating systems.
100 | - **Features**: Capable of dissecting and examining packets, traffic streams, and connections.
101 |
102 | ### Dumpcap
103 | is a command-line packet capture tool bundled with Wireshark, designed for capturing network traffic on Unix-based systems. It lacks a GUI but offers robust capabilities for automated packet capture and filtering, saving data in the pcap format.
104 |
105 | ### Tcpdump
106 | is another command-line packet sniffer for Unix-based systems like Linux, FreeBSD, and macOS. It intercepts and displays TCP/IP packets in real-time, supports extensive filtering, and saves captured data for analysis. It's essential for network monitoring, troubleshooting, and security analysis tasks.
107 |
108 | ### Berkeley Packet Filter (BPF)
109 | is a filtering mechanism used by tools like Tcpdump and Wireshark to capture specific network traffic based on defined criteria. BPF filters allow users to specify precisely which packets should be captured or analyzed, enhancing efficiency and focusing on relevant data.
110 |
111 |
--------------------------------------------------------------------------------
/Labs/Volatility.md:
--------------------------------------------------------------------------------
1 | I found resources like [MemLabs on GitHub](https://github.com/stuxnet999/MemLabs) and [CyberDefenders DumpMe](https://cyberdefenders.org/blueteam-ctf-challenges/dumpme/) incredibly helpful for studying and applying **Volatility**. These sources provided practical challenges and hands-on experience that enhanced my understanding of memory forensics and how to effectively use Volatility for analyzing memory dumps.
2 |
3 |
4 | 1. Install Python 2
5 | Download and install Python 2.7 from the [official Python website](https://www.python.org/downloads/release/python-2718/) and follow the installation instructions for your operating system. Python 2.7 is end-of-life, and so is Volatility 2 itself; the maintained successor, Volatility 3, runs on Python 3 and replaces `--profile` with automatic symbol lookup. The plugin names and options below are Volatility 2's, which is still what most older labs and write-ups use.
6 |
7 | 2. Get Volatility 2
8 | Option 1: Clone from GitHub
9 | `git clone https://github.com/volatilityfoundation/volatility.git`
10 |
11 | Option 2: Zip Download
12 | Alternatively, download the zip file from the [Volatility 2 GitHub releases page](https://github.com/volatilityfoundation/volatility/releases)
13 |
14 | 3. Set Up
15 | After retrieving the files, navigate to the Volatility 2 directory:
16 | `cd volatility`
17 |
18 | 4. Execute Volatility 2
19 | Run the tool with:
20 | `python2 vol.py -h`
21 | This command displays the help details, showcasing available commands and options. A working install also needs the `distorm3`, `yara-python` and `pycrypto` modules, which the disassembly, YARA and hash-dumping plugins used below depend on.
22 |
23 | ### **Popular Plugins**
24 |
25 | Volatility 2 offers a variety of plugins to explore memory dumps. Every command needs a `--profile` that matches the OS build of the dump; run `python2 vol.py -f memory.dmp imageinfo` (or `kdbgscan`) first to identify it. The examples below assume `Win7SP1x64`, and `python2 vol.py --info` lists the plugins and profiles your installation actually has. Here are some frequently used ones:
26 |
27 |
28 |
29 |
30 | #### **pslist**
31 |
32 | - **Purpose**: List running processes by walking the kernel's active-process linked list, with PID, PPID, thread and handle counts, session, and start/exit times. A rootkit that unlinks its process from this list will not appear here (see `psscan`).
33 | - **Use**:
34 |
35 |
36 | `python2 vol.py -f memory.dmp --profile=Win7SP1x64 pslist`
37 |
38 |
39 | #### **pstree**
40 |
41 | - **Purpose**: Show the same processes as a parent/child tree, so unexpected parents stand out: a `cmd.exe` under an Office application, or an `svchost.exe` whose parent is not `services.exe`.
42 | - **Use**:
43 |
44 |
45 | `python2 vol.py -f memory.dmp --profile=Win7SP1x64 pstree`
46 |
47 |
48 | #### **psscan**
49 |
50 | - **Purpose**: Scan physical memory for `_EPROCESS` structures by pool tag instead of walking the list, so it also returns terminated processes and processes that have been unlinked (DKOM). A process present in `psscan` but absent from `pslist` and with no exit time is the classic hidden-process indicator; `psxview` automates this cross-view comparison across several sources.
51 | - **Use**:
52 |
53 |
54 | `python2 vol.py -f memory.dmp --profile=Win7SP1x64 psscan`
55 |
56 |
57 | #### **dlllist**
58 |
59 | - **Purpose**: List the DLLs loaded by each process, read from the process's PEB load-order list; `-p <pid>` restricts it to one process. DLLs that were injected and unlinked from the PEB lists do not show here (`ldrmodules` cross-checks the three PEB lists against the VAD tree).
60 | - **Use**:
61 |
62 |
63 | `python2 vol.py -f memory.dmp --profile=Win7SP1x64 dlllist`
64 |
65 |
66 | #### **handles**
67 |
68 | - **Purpose**: List the open handles of each process: files, registry keys, mutexes, events, and other object types. `-t Mutant` filters to one type, which is a quick way to find the mutex a malware family uses to avoid running twice.
69 | - **Use**:
70 |
71 |
72 | `python2 vol.py -f memory.dmp --profile=Win7SP1x64 handles`
73 |
74 |
75 | #### **cmdline**
76 |
77 | - **Purpose**: Show the full command line each process was started with, which exposes encoded PowerShell, unusual working directories, and binaries started from paths that do not match their names.
78 | - **Use**:
79 |
80 |
81 | `python2 vol.py -f memory.dmp --profile=Win7SP1x64 cmdline`
82 |
83 |
84 | #### **filescan**
85 |
86 | - **Purpose**: Scan for `_FILE_OBJECT` structures, listing files that were open or recently used, including ones since deleted from disk; the physical offset it prints can be passed to `dumpfiles -Q <offset>` to extract the cached contents.
87 | - **Use**:
88 |
89 |
90 | `python2 vol.py -f memory.dmp --profile=Win7SP1x64 filescan`
91 |
92 |
93 |
94 | #### **sockscan**
95 |
96 | - **Purpose**: Scan for socket objects in memory. `sockscan` and `sockets` only work with Windows XP and 2003 profiles; on Vista and later, including the `Win7SP1x64` profile used throughout these notes, `netscan` is the plugin that lists TCP/UDP endpoints and connections with their owning process, so the example uses that.
97 | - **Use**:
98 |
99 | `python2 vol.py -f memory.dmp --profile=Win7SP1x64 netscan`
100 |
101 |
102 | #### **hivelist**
103 |
104 | - **Purpose**: List the registry hives held in memory with their virtual and physical offsets; those offsets are the input for `printkey`, `hivedump`, and, when automatic lookup fails, `hashdump`.
105 | - **Use**:
106 |
107 | `python2 vol.py -f memory.dmp --profile=Win7SP1x64 hivelist`
108 |
109 |
110 | #### **hashdump**
111 |
112 | - **Purpose**: Extract the local account LM/NTLM password hashes from the SAM hive, decrypting them with the boot key from the SYSTEM hive. Recent Volatility 2 releases locate both hives automatically; otherwise supply the virtual offsets from `hivelist` with `-y` (SYSTEM) and `-s` (SAM).
113 | - **Use**:
114 |
115 |
116 | `python2 vol.py -f memory.dmp --profile=Win7SP1x64 hashdump`
117 |
118 |
119 | #### **shellbags**
120 |
121 | - **Purpose**: Parse ShellBag registry data, which records the folders a user has browsed in Explorer, including on removable media and network shares, along with timestamps.
122 | - **Use**:
123 |
124 |
125 | `python2 vol.py -f memory.dmp --profile=Win7SP1x64 shellbags`
126 |
127 |
128 | #### **mftparser**
129 |
130 | - **Purpose**: Scan for and parse Master File Table (MFT) entries cached in memory, giving file names, paths, and MACB timestamps, including for recently deleted files; its `--output=body` format feeds straight into a timeline.
131 | - **Use**:
132 |
133 |
134 | `python2 vol.py -f memory.dmp --profile=Win7SP1x64 mftparser`
135 |
136 |
137 | #### **vaddump**
138 |
139 | - **Purpose**: Dump every memory region (VAD node) of a process to separate files on disk for further analysis.
140 | - **Use**:
141 |
142 | `python2 vol.py -f memory.dmp --profile=Win7SP1x64 vaddump -p <pid> -D <output-dir>`
143 |
144 |
145 | #### **procdump**
146 |
147 | - **Purpose**: Reconstruct a process's executable image from memory and write it to disk. If the process unpacked itself in memory, the dump is the unpacked code, so its hash will differ from the file on disk.
148 | - **Use**:
149 |
150 |
151 | `python2 vol.py -f memory.dmp --profile=Win7SP1x64 procdump -p <pid> -D <output-dir>`
152 |
153 |
154 | #### **iehistory**
155 |
156 | - **Purpose**: Recover Internet Explorer history records (index.dat fragments) from memory.
157 | - **Use**:
158 |
159 |
160 | `python2 vol.py -f memory.dmp --profile=Win7SP1x64 iehistory`
161 |
162 |
163 | #### **chromehistory**
164 |
165 | - **Purpose**: Recover Chrome browsing history from memory. This is a community plugin rather than part of core Volatility 2, so it has to be loaded with `--plugins=<plugin-dir>`.
166 | - **Use**:
167 |
168 |
169 | `python2 vol.py --plugins=<plugin-dir> -f memory.dmp --profile=Win7SP1x64 chromehistory`
170 |
171 |
172 | #### **malwarecmd**
173 |
174 | - **Purpose**: The notes list this as a check for common malware C&C servers, but no plugin of that name ships with core Volatility 2, so confirm it exists in your installation with `python2 vol.py --info` before relying on it. For network indicators use `netscan`; for known-bad strings or code use `yarascan`.
175 | - **Use**:
176 |
177 | `python2 vol.py -f memory.dmp --profile=Win7SP1x64 malwarecmd`
178 |
179 |
180 | #### **yarascan**
181 |
182 | - **Purpose**: Scan process and kernel memory with YARA rules to locate specific code or strings: `-y` takes a rules file, `-Y` an inline rule string, and `-p` limits the scan to one PID.
183 | - **Use**:
184 |
185 |
186 | `python2 vol.py -f memory.dmp --profile=Win7SP1x64 yarascan -y <rules.yar>`
187 |
188 |
189 | #### **clipboard**
190 |
191 | - **Purpose**: Extract the contents of the Windows clipboard from memory.
192 | - **Use**:
193 |
194 |
195 | `python2 vol.py -f memory.dmp --profile=Win7SP1x64 clipboard`
196 |
197 |
198 | #### **timeliner**
199 |
200 | - **Purpose**: Build a single chronological record from many memory sources (process start/exit, threads, network objects, registry keys, event logs, and more); combine it with `mftparser` and `shellbags` output for a fuller timeline.
201 | - **Use**:
202 |
203 |
204 | `python2 vol.py -f memory.dmp --profile=Win7SP1x64 timeliner`
205 |
206 |
207 | #### **autoruns**
208 |
209 | - **Purpose**: List auto-start entries (Run keys, services, scheduled tasks, Winlogon entries, and similar) by reading the registry hives in memory. This is a community plugin, not a core one, so load it with `--plugins=<plugin-dir>`.
210 | - **Use**:
211 |
212 |
213 | `python2 vol.py --plugins=<plugin-dir> -f memory.dmp --profile=Win7SP1x64 autoruns`
214 |
215 |
216 | #### **ssdt**
217 |
218 | - **Purpose**: List the System Service Descriptor Table entries and the module each one resolves to; an entry pointing anywhere other than `ntoskrnl.exe` or `win32k.sys` indicates an SSDT hook.
219 | - **Use**:
220 |
221 |
222 | `python2 vol.py -f memory.dmp --profile=Win7SP1x64 ssdt`
223 |
224 |
225 | #### **devicetree**
226 |
227 | - **Purpose**: Show the drivers in memory and the device objects they own, including devices attached on top of them, which exposes filter drivers a rootkit has inserted into a device stack.
228 | - **Use**:
229 |
230 |
231 | `python2 vol.py -f memory.dmp --profile=Win7SP1x64 devicetree`
232 |
233 |
234 | #### **modscan**
235 |
236 | - **Purpose**: Scan for kernel module structures, including modules that have been unloaded or unlinked from the loaded-module list; compare with `modules`, which walks that list, to spot hidden drivers.
237 | - **Use**:
238 |
239 |
240 | `python2 vol.py -f memory.dmp --profile=Win7SP1x64 modscan`
241 |
242 |
243 | #### **malfind**
244 |
245 | - **Purpose**: Find private, executable memory regions that are not backed by a file on disk, the usual footprint of injected code or shellcode. It prints a hex dump and disassembly of the first bytes of each hit, so you can separate an `MZ` header or recognisable shellcode from harmless JIT or .NET pages.
246 | - **Use**:
247 |
248 |
249 | `python2 vol.py -f memory.dmp --profile=Win7SP1x64 malfind`
250 |
251 | - **-D**: Dumps each detected region to the given directory.
252 |
253 |
254 | `python2 vol.py -f memory.dmp --profile=Win7SP1x64 malfind -D <output-dir>`
255 |
256 | - **-p**: Restricts the scan to one process, selected by PID.
257 |
258 |
259 | `python2 vol.py -f memory.dmp --profile=Win7SP1x64 malfind -p 1234`
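The cross-view checks that `pslist`, `psscan` and `pstree` support by hand, as an added example that is not part of the original notes or of Volatility itself: a Python 3 script that parses the text output of `pslist` and `psscan` (the two outputs embedded below are constructed samples, not from a real image), reports processes that `psscan` found but `pslist` did not and that carry no exit time (unlinked, hidden processes), flags names one edit away from a core Windows process name (`svch0st.exe`, `scvhost.exe`), and checks parents that never vary on a healthy system (`svchost.exe` must come from `services.exe`). The core-name list and the expected-parent table are assumptions for the demonstration; confirm any hit with `psxview`, `cmdline` and `dlllist` before acting on it.

```python
"""Cross-view checks over Volatility 2 pslist/psscan text output.
The two outputs below are constructed samples in Volatility 2's format, not from a real image."""
import re
from dataclasses import dataclass

PSLIST = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8000c8b040 System                    4      0     84      511 ------      0 2023-01-01 09:58:12 UTC+0000
0xfffffa8001a3c5e0 smss.exe                252      4      2       29 ------      0 2023-01-01 09:58:12 UTC+0000
0xfffffa8001f5eb30 wininit.exe             380    332      3       75      0      0 2023-01-01 09:58:14 UTC+0000
0xfffffa8002040b30 services.exe            476    380      9      212      0      0 2023-01-01 09:58:15 UTC+0000
0xfffffa80020a3060 svchost.exe             620    476     12      362      0      0 2023-01-01 09:58:16 UTC+0000
0xfffffa8002230a30 explorer.exe           1484   1460     31      811      1      0 2023-01-01 09:59:02 UTC+0000
0xfffffa8002411b30 svch0st.exe            1744   1484      3       88      1      0 2023-01-01 10:04:41 UTC+0000
0xfffffa8002480b30 svchost.exe            1900   1484      2       61      1      0 2023-01-01 10:05:13 UTC+0000
"""

PSSCAN = """\
Offset(P)          Name                PID   PPID PDB                Time created                   Time exited
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
0x000000003e08b040 System                4      0 0x0000000000187000 2023-01-01 09:58:12 UTC+0000
0x000000003e93c5e0 smss.exe            252      4 0x000000003e7a5000 2023-01-01 09:58:12 UTC+0000
0x000000003ef5eb30 wininit.exe         380    332 0x000000003ed07000 2023-01-01 09:58:14 UTC+0000
0x000000003f040b30 services.exe        476    380 0x000000003ee9f000 2023-01-01 09:58:15 UTC+0000
0x000000003f0a3060 svchost.exe         620    476 0x000000003ef1c000 2023-01-01 09:58:16 UTC+0000
0x000000003f230a30 explorer.exe       1484   1460 0x000000003f3a9000 2023-01-01 09:59:02 UTC+0000
0x000000003f11a2c0 notepad.exe        1960   1484 0x000000003f3a2000 2023-01-01 10:02:10 UTC+0000 2023-01-01 10:03:55 UTC+0000
0x000000003f411b30 svch0st.exe        1744   1484 0x000000003f512000 2023-01-01 10:04:41 UTC+0000
0x000000003f480b30 svchost.exe        1900   1484 0x000000003f5c4000 2023-01-01 10:05:13 UTC+0000
0x000000003f2c0b30 updater.exe        2212   1484 0x000000003f5f1000 2023-01-01 10:06:02 UTC+0000
"""

ROW = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)")   # offset, name, pid, ppid
TIMESTAMP = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")

# Assumptions for the demonstration: names that never legitimately carry a typo,
# and parent relationships that are fixed on a healthy Windows 7 system.
CORE_NAMES = {"system", "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
              "services.exe", "lsass.exe", "svchost.exe", "explorer.exe"}
EXPECTED_PARENT = {"smss.exe": "system", "services.exe": "wininit.exe",
                   "lsass.exe": "wininit.exe", "svchost.exe": "services.exe"}


@dataclass
class Proc:
    name: str
    pid: int
    ppid: int
    exited: bool   # True when the row carries an exit timestamp as well as a start time


def parse(output: str) -> dict:
    """Parse pslist or psscan text output into {pid: Proc}; header and separator rows are skipped."""
    procs = {}
    for line in output.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        exited = len(TIMESTAMP.findall(line)) >= 2
        p = Proc(m.group(1), int(m.group(2)), int(m.group(3)), exited)
        procs[p.pid] = p
    return procs


def hidden_processes(pslist: dict, psscan: dict) -> list:
    """Processes psscan found that pslist did not, ignoring ones that simply exited."""
    return [p for pid, p in sorted(psscan.items()) if pid not in pslist and not p.exited]


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus adjacent transposition."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalikes(procs: dict) -> list:
    """(pid, name, core name) for names exactly one edit away from a core process name."""
    hits = []
    for p in sorted(procs.values(), key=lambda x: x.pid):
        name = p.name.lower()
        if name in CORE_NAMES:
            continue
        for core in sorted(CORE_NAMES):
            if osa_distance(name, core) == 1:
                hits.append((p.pid, p.name, core))
    return hits


def unexpected_parents(procs: dict) -> list:
    """(pid, name, actual parent name) for core processes whose parent is not the expected one."""
    out = []
    for p in sorted(procs.values(), key=lambda x: x.pid):
        want = EXPECTED_PARENT.get(p.name.lower())
        if want is None:
            continue
        parent = procs.get(p.ppid)
        if (parent.name.lower() if parent else None) != want:
            out.append((p.pid, p.name, parent.name if parent else None))
    return out


if __name__ == "__main__":
    pslist, psscan = parse(PSLIST), parse(PSSCAN)
    for p in hidden_processes(pslist, psscan):
        print(f"hidden:     {p.name} pid={p.pid} ppid={p.ppid}")
    for pid, name, core in lookalikes(pslist):
        print(f"lookalike:  {name} pid={pid} resembles {core}")
    for pid, name, parent in unexpected_parents(pslist):
        print(f"bad parent: {name} pid={pid} parent={parent}")
```

On the sample data the script reports `updater.exe` (PID 2212) as hidden, `svch0st.exe` as a lookalike of `svchost.exe`, and the `svchost.exe` started by `explorer.exe` as having the wrong parent. The exited `notepad.exe` is not reported, because a process that is in `psscan` only because it terminated is normal. Note that `wininit.exe`'s parent (PID 332) is absent from both listings: that is the per-session `smss.exe` child that exits after starting the session, so an absent parent alone is not an indicator.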
260 |
--------------------------------------------------------------------------------
/Section3/Module2/Malware Overview.md:
--------------------------------------------------------------------------------
1 |
2 | #### What is Malware?
3 |
4 | Malware refers to any software intentionally designed to cause harm to a computer, server, network, or user.
5 |
6 | #### What is a Virus?
7 |
8 | A computer virus is a self-replicating program that spreads without the owner's permission or knowledge. Unlike worms, which exploit vulnerabilities to spread on their own, a virus attaches itself to a host file and depends on that host being executed or copied in order to propagate. If a file carrying a virus is moved to another system, the virus has an opportunity to spread and survive.
9 |
10 | **Sub-Types of Viruses:**
11 |
12 | 1. **Resident:** Executes and becomes memory resident, infecting other programs when triggered by specific events.
13 | 2. **Non-Resident:** Searches for files to infect upon execution, quits afterward, and continues to find new targets when the infected program runs again.
14 | 3. **Boot Sector:** Spreads via boot sectors, for example, when an infected CD-ROM is left in the drive during system shutdown, activating and spreading upon the next boot.
15 | 4. **Multi-Partite:** Exhibits various infection mechanisms, combining features like Boot-Sector and Resident viruses for versatile spreading.
16 |
17 | #### What is a Worm?
18 |
19 | Worms are a type of software that exploits network or system vulnerabilities to autonomously spread from one system to another.
20 |
21 | #### What is a Rootkit?
22 |
23 | A rootkit is a type of stealthy malware designed to conceal or compromise a computer system at a deep level. Functioning as a complement to other malicious software, rootkits can hide processes, add files to the file system, implement backdoors, and create vulnerabilities.
24 |
25 | **Types of Rootkits:**
26 |
27 | - **Application Level:** Replaces programs with copies of others.
28 | - **Library Level:** Controls shared libraries, affecting multiple applications.
29 | - **Kernel Level:** Common and resistant to removal; runs in kernel mode (ring 0), the same privilege level as the antivirus driver, so it can subvert the defenses that are supposed to detect it.
30 | - **Hypervisor Level:** Utilizes virtualization technologies, such as Blue Pill and SubVirt.
31 | - **Firmware Level:** Targets firmware like BIOS, ACPI tables, and device ROMs, with a high chance of survival due to limited scanning tools.
32 |
33 | #### What is a Bootkit?
34 |
35 | Bootkits differ from rootkits by infiltrating the operating system before it fully starts, compromising security from the outset. This unique approach grants bootkits the ability to exert complete control over the target operating system.
36 |
37 | #### What is a Trojan?
38 |
39 | A Trojan masquerades as legitimate software while secretly enabling unauthorized access to the user's system. An example is downloading a game from the internet, which may contain hidden malicious code. While the user enjoys the game, the concealed code executes malicious activities in the background.
40 |
41 | #### What is a Backdoor?
42 |
43 | A backdoor is software enabling unauthorized access by bypassing authentication. It allows remote entry while remaining hidden, similar to Remote Access Trojans (RATs).
44 |
45 | #### What is Spyware?
46 |
47 | Spyware gathers user information, monitoring online activities without consent. The collected data is sent to the spyware's author.
48 |
49 | #### What is a Botnet?
50 |
51 | Botnets are networks of compromised computers controlled by a central server. Created through malware installation, they can be used for DDoS attacks and spam distribution by the bot master, who issues commands to the bots.
52 |
53 | #### What is Ransomware?
54 |
55 | Ransomware encrypts files and demands payment in Bitcoin for the decryption key. It holds files hostage, requiring victims to pay a ransom to restore their data, earning the name extortive malware.
56 |
57 | #### What is an Information Stealer?
58 |
59 | Information stealers illicitly acquire sensitive data like encryption keys, login credentials, credit card information, and proprietary data. The stolen data may be exploited for various malicious purposes.
60 |
61 | #### What is a Keylogger?
62 |
63 | Keyloggers capture keystrokes as the victim types.
64 |
65 | #### What is a Screen Recorder?
66 |
67 | Screen recorders are malicious software designed to capture and record screenshots of the active window on a victim's computer.
68 |
69 | #### What is a RAM Scraper?
70 |
71 | RAM scrapers are malware designed to extract sensitive data, including login credentials, from a computer's random access memory (RAM).
72 |
73 | #### Other Types of Malware:
74 |
75 | - **Adware:** Displays unwanted ads.
76 | - **Greyware:** Causes undesired effects.
77 | - **Scareware:** Tricks users with false threats.
78 | - **Fakeware:** Deceives as legitimate software.
79 | - **PUPs (Potentially Unwanted Programs):** Bundled with downloads.
80 |
81 | ### Malware Delivery
82 |
83 | These are common vectors for malware distribution:
84 |
85 | 1. **Physical Media:** Malware spread through CDs, USB drives, etc.
86 | 2. **Email (Attachments):** Malicious software attached to emails.
87 | 3. **URL Links:** Malicious links leading to malware downloads.
88 | 4. **Drive-by Downloads:** Malware automatically downloaded from websites.
89 | 5. **Web Advertising:** Malicious ads containing malware.
90 | 6. **Social Media:** Malware spread through social platforms.
91 | 7. **File Shares:** Malware distributed through shared files.
92 | 8. **Software Vulnerabilities:** Exploiting weaknesses in software for malware delivery.
93 |
94 | **Exploitation Techniques:**
95 |
96 | 1. **Stack Overflows:** Exploited by overflowing stack buffers to control the flow of execution and execute malicious code.
97 | 2. **Heap Overflows:** Exploited by overwriting heap pointers to direct the execution to malicious code instead of its original location.
98 |
99 | **Additional Vectors:**
100 |
101 | 1. **Peer-to-Peer (P2P) File Sharing**
102 | 2. **Instant Messaging**
103 |
104 | ### Malware Evasion Techniques
105 |
106 | Malware employs various techniques to run, evade detection, and achieve its objectives, including privilege escalation, credential theft, data exfiltration, and persistence. Researchers and adversaries continuously discover new evasion methods. Staying informed about the latest techniques is essential for cybersecurity professionals.
107 |
108 | **MITRE ATT&CK Resources:**
109 |
110 | - [Exfiltration](https://attack.mitre.org/wiki/Exfiltration)
111 | - [Persistence](https://attack.mitre.org/wiki/Persistence)
112 | - [Technique Matrix](https://attack.mitre.org/wiki/Technique_Matrix)
113 |
114 | One technique involves leveraging Alternate Data Streams (ADS), a feature of the NTFS file system. ADS can store metadata and other data streams, providing a covert method for concealing information within files. Understanding such evasion techniques is vital for effective threat hunting and cybersecurity.
115 |
116 | **Injection Techniques:**
117 |
118 | 1. **DLL Injection:**
119 |
120 | - **Locate Process:** Malware finds a target process using the Windows API (for example `CreateToolhelp32Snapshot` and `Process32Next`).
121 | - **Open Process:** `OpenProcess` returns a handle with at least `PROCESS_VM_OPERATION`, `PROCESS_VM_WRITE` and `PROCESS_CREATE_THREAD` rights.
122 | - **Allocate Memory:** `VirtualAllocEx` reserves space inside the target for the path of the malicious DLL.
123 | - **Copy:** `WriteProcessMemory` writes the DLL path into the allocated memory.
124 | - **Execute:** `CreateRemoteThread` starts a thread in the target whose start address is `LoadLibraryA` and whose argument is the written path, so the target loads the DLL itself. The DLL therefore has to exist on disk, which is the weakness the next technique removes.
125 | 2. **Reflective DLL Injection:** A stealthier technique that loads the DLL from memory without going through the Windows loader. The injector writes the raw DLL into the target and starts an exported loader function inside it; that loader maps the sections itself, resolves import addresses, applies relocations, and calls `DllMain`, never touching `LoadLibrary`, so the DLL appears in no module list.
126 |
127 | 3. **Thread Hijacking:**
128 |
129 | - **Locate Thread:** Malware picks an existing thread in the target process (`CreateToolhelp32Snapshot` with `Thread32Next`).
130 | - **Open Thread:** `OpenThread` returns a handle with suspend and context rights.
131 | - **Suspend Thread:** `SuspendThread` stops it so its registers can be changed safely.
132 | - **Allocate Memory:** `VirtualAllocEx` reserves space in the target for the shellcode or the path of the malicious DLL.
133 | - **Copy:** `WriteProcessMemory` writes the shellcode or DLL path into the allocated memory.
134 | - **Set Context and Resume Thread:** `GetThreadContext` reads the thread's registers, `SetThreadContext` points the instruction pointer (EIP/RIP) at the injected code, and `ResumeThread` lets the thread run it. No new thread is created, so detections keyed on `CreateRemoteThread` miss this technique.
135 | 4. **PE (Portable Executable) Injection:** Similar to DLL Injection, but the malicious code does not have to reside on disk. The injector copies a whole PE image into the target with `WriteProcessMemory`, fixes up its relocations for the new base address, and starts it with a remote thread, without using `LoadLibrary`.
136 |
137 |
138 | **Hooking Events:**
139 |
140 | - **Interception:** Malware intercepts events with SetWindowsHookEx().
141 | - **Monitoring:** Monitors keyboard and mouse inputs, among others.
142 | - **DLL Loading:** Loads malicious DLLs based on specific events.
143 | - **Significance:** Enables covert actions like keylogging and executing additional payloads.
144 |
145 | **Kernel-Mode Rootkits: SSDT Hooks Overview:**
146 |
147 | 1. **SSDT Basics:**
148 | - The SSDT (System Service Descriptor Table) is the kernel's dispatch table for system calls: when user mode issues a system call number, the kernel looks up that index in the table.
149 | - Entries point to the kernel-mode functions that implement the services (`NtCreateFile`, `NtQueryDirectoryFile`, and so on).
150 | 2. **Kernel Mode Operations:**
151 | - Each kernel service function corresponds to one SSDT entry.
152 | - On 32-bit Windows the table is exported by `ntoskrnl.exe` as the data symbol `KeServiceDescriptorTable` (a structure, not a function). 64-bit Windows does not export it, and Kernel Patch Protection (PatchGuard) bugchecks the machine when the table is modified, which is why SSDT hooking is mostly a 32-bit technique.
153 | 3. **SSDT Hooking:**
154 | - Globally modify SSDT pointers.
155 | - Redirect system functions to a rootkit-controlled location.
156 | 4. **Implementation:**
157 | - **Hook SSDT Entry:** Redirect a specific function (e.g., `NtQueryDirectoryFile`).
158 | - **Call Function:** The rootkit's routine now runs whenever any process calls that system service.
159 | - **Pass Control:** It invokes the original function to obtain the real results.
160 | - **Alter & Return Results:** It modifies those results (e.g., removes its own file from a directory listing) before returning them to the caller.
161 |
162 | **Kernel Mode IRP Hooks:**
163 |
164 | - **IRPs Essential:** The Windows kernel uses I/O Request Packets (IRPs) to pass read, write and control requests down a driver stack.
165 | - **Universal Application:** IRPs are used by every driver class, from network interfaces to file systems and disks. Each `DRIVER_OBJECT` holds a `MajorFunction` table of function pointers, one per IRP type, and an IRP hook overwrites an entry (for example `IRP_MJ_READ` of the TCP/IP or disk driver) so the rootkit's routine sees or alters every request before the real handler does.
166 | - **DKOM Technique:** Direct Kernel Object Manipulation (DKOM) is the related technique of editing kernel objects directly instead of hooking code: unlinking an `EPROCESS` from the active-process list, or a driver from the loaded-module list, so that APIs which walk those lists no longer report it.
167 | - **Systemwide Impact:** Both are global: a hooked `MajorFunction` pointer affects every caller of that driver, and a DKOM change alters what every list-walking API on the system reports.
168 |
169 | **Userland Rootkits:**
170 |
171 | - **IAT Hooks:** Import Address Table (IAT) resolves runtime dependencies. IAT Hooking modifies the table, redirecting functions.
172 | - **EAT Hooks:** Export Address Table (EAT) in DLLs, housing support functions for executables. EAT Hooking primarily targets DLLs and complements IAT Hooking.
173 | - **Inline Hooking:** Directly modifies the API function by altering the initial bytes of the target function code, inserting malicious code, and redirecting the instruction pointer (EIP) to execute code from a different memory location.
174 |
175 | **Process Hiding:**
176 |
177 | - Two approaches: hooking the SSDT entry of the API that enumerates processes (`NtQuerySystemInformation`, which Task Manager and `tasklist` rely on) to filter the rootkit's process out of the results, or using DKOM to unlink the process's `EPROCESS` structure from the active-process list (and, for a driver, from `PsLoadedModuleList`). The process keeps running because the scheduler works from thread structures, not from that list. Memory-forensics cross-views such as Volatility's `psscan` and `psxview` catch the DKOM variant because they find the `EPROCESS` by scanning rather than by walking the list.
178 |
179 | **Masquerading:**
180 |
181 | - Uses names such as svch0st or resides in common directories like C:\Windows, to blend in and avoid detection.
182 |
183 | **Hiding Locations:**
184 |
185 | - Malware may hide in temporary folders, temporary internet files, or program files.
186 |
187 | **Packing / Compression:**
188 |
189 | - Uses tools like UPX or custom ones to compress executables, reducing pattern visibility and aiding in evading detection by antivirus products.
190 |
191 | **Recompiling:**
192 |
193 | - Uses different compilers to alter the executable's signature, such as an MD5 hash, to evade detection by security measures relying on specific signatures.
194 |
195 | **Obfuscation:**
196 |
197 | - Alters code to impede analysis and reverse engineering, used by malware and legitimate software to protect functionality.
198 |
199 | **Anti-Reversing Techniques:**
200 |
201 | - Aim to detect analysis and mislead analysts, including identifying virtual machine environments, detecting attached debuggers, and inserting junk code for misdirection, prolonging analysis time.
202 |
203 | **Autostart Locations:**
204 |
205 | - Common registry locations for malware to ensure execution at startup include:
206 | - HKLM\Software\Microsoft\Windows\CurrentVersion\Run
207 | - HKCU\Software\Microsoft\Windows\CurrentVersion\Run
208 |
209 | Tools like Sysinternals' AutoRuns can help identify these entries.
210 |
211 | **Scheduled Tasks:**
212 |
213 | - Malware uses `schtasks.exe` (and, on older systems, `at.exe`, deprecated since Windows 8) to schedule execution, maintaining persistence by running at logon, at boot, or at fixed times. `schtasks /query /v /fo LIST` enumerates existing tasks with their actions, which is the starting point for hunting them.
214 | - Example command: `schtasks /create /tn "mysc" /tr C:\Users\Public\test.exe /sc ONLOGON /ru "System"` creates a task that runs a binary from the user-writable `C:\Users\Public` directory as SYSTEM at every logon; both the location and the account are what to look for.
215 |
216 | **COM Hijacking:**
217 |
218 | - Adversaries insert malicious code into COM references, causing malware to execute instead of legitimate software.
219 |
220 | **DLL Hijacking:**
221 |
222 | - **Search Order Hijacking:** When a program loads a DLL by name without a full path, Windows searches a fixed order of directories, starting with the application's own. Placing a malicious DLL with the expected name in a directory searched before the legitimate one gets it loaded instead.
223 | - **Phantom DLL Hijacking:** Supplying a DLL with the name of one that a program tries to load but that does not exist on the system, so the attacker's copy is the only one found.
224 | - **Side Loading:** Dropping a malicious DLL next to a legitimate, often signed, executable that loads that DLL by name, so the trusted binary executes the attacker's code; redirecting the lookup through a WinSxS manifest is one variant.
225 |
226 | **Windows Services:**
227 |
228 | - **Service Creation:** Creating a service to run malware at boot.
229 | - **Service Replacement:** Replacing existing services with malware.
230 | - **Service Recovery:** Configuring services to run malware upon failure.
231 |
232 | These techniques help malware evade detection and maintain persistence on infected systems.
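A hunt over the autostart locations listed above, as an added Python 3 example that is not part of the original notes. It parses a `reg export`-style dump of the `Run` keys (the dump below is constructed, including the user name `alice`), pulls the launched executable out of each value, and flags entries that run from user-writable or temporary directories (the `C:\Users\Public` pattern from the `schtasks` example) or that carry a core system binary's name outside `System32`/`SysWOW64`, which is the masquerading pattern described above. The environment-variable table and the list of suspicious directories are assumptions for the demonstration; Sysinternals Autoruns covers many more locations than the two Run keys shown here.

```python
"""Hunt Run-key autostart entries in a `reg export` dump for suspicious launch paths."""
import re

# Constructed sample (not a real export); the account name alice is invented.
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"VMware User Process"="\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\Public\\test.exe"
"svchost"="C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe -k netsvcs"
'''

SECTION = re.compile(r"^\[(.+)\]$")
VALUE = re.compile(r'^"((?:[^"\\]|\\.)+)"="((?:[^"\\]|\\.)*)"$')   # "name"="data" with .reg escapes
EXE = re.compile(r'^"?(.*?\.(?:exe|dll|scr|bat|cmd|vbs|js|ps1))(?:"|\s|$)', re.IGNORECASE)

# Assumptions for the demonstration.
ENV = {"%windir%": r"C:\Windows", "%systemroot%": r"C:\Windows", "%programdata%": r"C:\ProgramData"}
USER_WRITABLE = ("\\users\\public\\", "\\temp\\", "\\temporary internet files\\")
CORE_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
                 "services.exe", "wininit.exe", "winlogon.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def unescape(reg_string: str) -> str:
    # Undo .reg escaping: backslash-quote becomes a quote, a doubled backslash becomes one.
    return reg_string.replace('\\"', '"').replace("\\\\", "\\")


def expand_env(path: str) -> str:
    for var, value in ENV.items():
        path = re.sub(re.escape(var), lambda _m, v=value: v, path, flags=re.IGNORECASE)
    return path


def extract_exe(command: str):
    """Return the launched executable from a Run value, whether or not it is quoted."""
    m = EXE.match(command.strip())
    return expand_env(m.group(1)) if m else None


def parse_run_keys(text: str) -> list:
    """(key, value name, command) for every value under a Run/RunOnce key."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        s = SECTION.match(line)
        if s:
            key = s.group(1)
            continue
        v = VALUE.match(line)
        if v and key and key.lower().endswith(("\\run", "\\runonce")):
            entries.append((key, v.group(1), unescape(v.group(2))))
    return entries


def assess(exe: str) -> list:
    """Reasons an autostart executable deserves a look; empty list means nothing stood out."""
    low = exe.lower()
    reasons = []
    if any(d in low for d in USER_WRITABLE):
        reasons.append("launches from a user-writable or temporary directory")
    name = low.rsplit("\\", 1)[-1]
    if name in CORE_BINARIES and not low.startswith(SYSTEM_DIRS):
        reasons.append(f"{name} outside System32/SysWOW64 (masquerading)")
    return reasons


def hunt_autoruns(text: str) -> list:
    findings = []
    for key, value, command in parse_run_keys(text):
        exe = extract_exe(command)
        reasons = assess(exe) if exe else ["no executable path recognised"]
        if reasons:
            findings.append({"key": key, "value": value, "exe": exe, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt_autoruns(REG_EXPORT):
        print(f"{f['key']}\\{f['value']} -> {f['exe']}")
        for r in f["reasons"]:
            print("   -", r)
```

On the sample the two legitimate `HKLM` entries and OneDrive pass, `Updater` is flagged for running from `C:\Users\Public`, and the `svchost` value is flagged twice: it runs from a Temp directory and it borrows a core binary's name outside `System32`. Run `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` (and the `HKCU` key) to produce real input; `reg export` writes UTF-16, so open the file with `encoding="utf-16"`.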
233 |
--------------------------------------------------------------------------------
/Section2/Module3/Hunting Web shell.md:
--------------------------------------------------------------------------------
1 | ##### Intro
2 |
3 | - **Definition and Purpose**: A web shell is a script that allows remote execution of commands on a victim's machine. Attackers use it to control the victim's system after a successful exploit, which is the post-exploitation stage.
4 |
5 | - **Deployment**: Attackers upload the web shell to the victim's web server. They often target servers within internal networks to enable pivoting, moving laterally to other systems in the network.
6 |
7 | - **Programming Language**: The web shell must be written in a language the victim's web server executes, such as PHP on Apache or ASP/ASPX on IIS. Attackers determine the server's language through information gathering.
8 |
9 | - **Execution Methods**: Common ways to plant a web shell include unrestricted file upload, RFI (Remote File Inclusion), LFI (Local File Inclusion) combined with log or session poisoning, and SQL injection that can write to disk (for example MySQL `INTO OUTFILE`). Misconfigurations in the web server, such as writable web roots or exposed admin consoles, can also be exploited. XSS, sometimes listed alongside these, executes in a visitor's browser rather than on the server, so on its own it does not plant a shell.
10 |
11 | - **Examples**: Notable web shells used in past attacks include C99
12 |
13 |
14 |
15 | To download https://github.com/phpwebshell/c99shell
16 |
17 | - b374k
18 | To download https://github.com/b374k/b374k
19 |
20 | - R57
21 |
22 |
23 |
24 | To download https://github.com/tennc/webshell/blob/master/php/PHPshell/%E3%80%90r57%E3%80%91/r57.php
25 |
26 | - Each varies based on the server's supported services and configurations
27 |
28 | - **Bypassing Security**: Advanced attackers bypass Web Application Firewalls (WAF) and antivirus software by obfuscating the web shell's code or disguising it within other files to avoid detection
29 | 
30 |
31 |
32 | - **Detection**: WAF and antivirus programs use signature databases to detect malware. Skilled attackers modify web shell signatures to evade detection
33 | ---
34 |
35 | #### Hunting Tools
36 |
37 | The first tool we will mention here is LOKI (Simple IOC Scanner). It identifies IOCs, Indicators of Compromise, that is, signs that malware is present on a host. Pointed at the web server's files or a folder, it highlights any indicators suggesting the presence of a web shell.
38 | https://github.com/Neo23x0/Loki
39 |
40 | 
41 |
42 |
43 | LOKI works by searching for IOCs on the system and raising alerts. It computes MD5, SHA1, and SHA256 hashes of files and compares them with known-bad hash lists, matches file names and paths against regular-expression indicators, applies the YARA rules bundled in its signature-base repository to file contents and process memory, and checks the remote endpoints of running processes' connections against C2 indicators. It is a host scanner: it does not inspect network traffic in transit.
44 |
45 | MD5, SHA1, and SHA256
46 | 
47 | Generated log file
48 | 
49 |
50 |
51 |
52 | Moreover, the tool can perform hard and soft filename indicator checks using regular expressions, meaning it examines all the files on your system to detect anything suspicious.
53 |
54 | 
55 |
56 | Loki detected suspicious objects here
57 |
58 | 
59 |
60 | ##### NeoPI
61 |
62 | This is a Python script designed to uncover obfuscated content, that is, hidden malicious code. Rather than matching signatures, it ranks files by statistical tests (entropy, longest word, index of coincidence, and a small built-in signature check), so it can flag encoded or encrypted payloads that pattern-based scanners miss. NeoPI inspects script files such as .php, .py, and whatever other extensions you pass it, looking for ones that may contain hidden web shells.
63 |
64 | [GitHub - CiscoCXSecurity/NeoPI](https://github.com/CiscoCXSecurity/NeoPI)
65 |
66 |
67 | 
68 |
69 |
70 | Here’s how NeoPI works:
71 |
72 | - NeoPI operates through a command-line interface.
73 | - It scans a specified folder on the web server
74 | - The tool generates a report listing suspicious files. As a threat hunter, you can then perform a detailed investigation on these flagged files. The report prints a top-10 list for each test (the "IC" list, for example, is the Index of Coincidence test), alongside the files that look clean.
75 | 
76 | Detailed steps and features:
77 |
78 | - NeoPI's "longest word" test reports the ten files containing the longest unbroken strings. A PHP file carrying a very long token is likely to hold an encoded payload, which is a prompt for you to investigate it further.
79 | - It also ranks files by entropy and by the other tests, indicating how likely each is to contain something malicious, such as a web shell. Each list is ordered by score, helping you prioritize your investigation; a file near the top of several lists deserves attention first. If a file is confirmed to be malicious, remove it and establish how it got there.
80 |
81 | #### BackdoorMan
82 |
85 | - **Description:** A toolkit written in Python to detect suspicious, hidden, and malicious PHP scripts, especially web shells.
86 | - **Features:**
87 | - Detects through file names.
88 | - Uses a signature database to identify known web shells and backdoors.
89 | - Detects suspicious PHP activities and functions that could indicate a web shell.
90 | - Queries VirusTotal (and similar online services) for file hashes and verdicts, so complete results depend on an API key and network access.
91 | - **Usage:** Operates via command-line interface, scans web server directories, flags suspicious files, and prioritizes them for investigation.
92 | [GitHub - cys3c/BackdoorMan: BackdoorMan is a toolkit that helps you find malicious, hidden and suspicious PHP scripts and shells in a chosen destination.](https://github.com/cys3c/BackdoorMan)
93 |
94 | #### PHP Malware Finder
95 |
96 | - **Description:** A script used to detect obfuscated code, particularly in PHP functions used in web shells.
97 | - **Features:**
98 | - Identifies obfuscated PHP code that could be hiding malicious activities.
99 | - Ships as a set of YARA rules (it needs the `yara` binary to run), so the rules can be reused in any YARA-capable scanner and extended with your own.
100 |
101 | This tool helps in identifying hidden malicious code within PHP scripts, providing a crucial step in ensuring web server security
102 |
103 | [GitHub - nbs-system/php-malware-finder](https://github.com/nbs-system/php-malware-finder)
104 |
105 |
106 | #### UnPHP
107 | - **Description:** An online service designed to de-obfuscate PHP code (note that uploading a suspected shell shares it with a third party; keep that in mind during an active incident).
108 | - **Features:**
109 | - Converts obfuscated PHP code back into a readable format, making it easier to analyze and understand.
110 |
111 | This tool is useful for reversing obfuscation in PHP scripts, allowing security professionals to inspect the original code and identify any hidden malicious activities
112 |
113 | [UnPHP - The Online PHP Decoder](https://www.unphp.net/)
114 |
115 | #### Web Shell Detector
116 |
117 | - **Description:** The Web Shell Detector tool is commonly used by Blue Teams in Security Operations Centers (SOCs). Its primary function is to detect various types of web shells, such as those written in PHP, Perl, ASP, or ASPX.
118 | - **Features:**
119 | - **Multi-Type Support:** It supports detection for a wide range of web shell types, enhancing its versatility and applicability across different environments.
120 | - **Signature Database:** The tool includes a comprehensive database of known and discovered signatures for web shells. This allows it to match patterns and characteristics against these signatures to identify potential web shell instances.
121 | - **Advanced Capabilities:** Due to its ability to handle multiple types of shells and its extensive signature database, it is considered an advanced tool in the field of web shell detection. However, accurately determining whether a detected file is indeed a web shell can still be challenging in some cases, requiring further investigation by security analysts.
122 |
123 | This tool plays a crucial role in proactive threat detection and incident response strategies within SOC environments, aiding in the identification and mitigation of web shell-based threats
124 |
125 | #### Linux Malware Detect
126 |
127 | Linux Malware Detect (LMD, the `maldet` command) is a signature-based scanner for Linux systems: it scans for and identifies malicious software targeting Linux hosts, including web shells dropped into web and shared-hosting directories, and can quarantine what it finds. It enhances security by detecting viruses, trojans, and other malware types, contributing to proactive defense against potential security breaches in Linux environments.
128 |
129 | #### Invoke-ExchangeWebShellHunter
130 |
131 | also known as Web Shell Hunter, is a PowerShell script for hunting web shells on Microsoft Exchange Server, a critical component of Microsoft's email infrastructure and a frequent web shell target. If there is suspicion of a web shell on an Exchange server, this tool can be employed to detect it so that it can be removed.
132 | [GitHub - FixTheExchange/Invoke-ExchangeWebShellHunter: PowerShell script for hunting webshells on Microsoft Exchange Servers.](https://github.com/FixTheExchange/Invoke-ExchangeWebShellHunter)
133 |
134 | #### NPROCWATCH
135 |
136 | is a proactive security tool designed to detect and respond to web shell activities on servers, particularly focusing on identifying and neutralizing newly created processes associated with such malicious entities
137 |
138 | ---
139 |
140 | ### Hunting Web Shells
141 |
142 | ### Log Files Analysis
143 |
144 | 1. **Initial Step**: Always check log files first when hunting for web shells. These files often record when new files are created or added to the server, and log the IP address of the entity that made the changes.
145 | 2. **Log Parser Tool**: Instead of manually checking log files on each server, use a tool like Log Parser Studio. This tool can automate the analysis, scanning for newly added files within a specified time frame.
146 |
147 | ### Commands for Windows and Linux Servers
148 |
149 | 1. **Environment**:
150 |
151 | - Windows servers typically run on IIS.
152 | - Linux servers typically run on Apache.
153 | - Courses like Linux+ and MCSA provide detailed information on these servers.
154 | 2. **Example Scenario**:
155 |
156 | - Assume we have four files (two are clear web shells, two are suspicious).
157 | - Web shell files:
158 | - `locus7s.php` located at `/var/www/html/v1/locus7s.php`.
159 | - `ss8.txt` located at `/var/html/v1/imags/ss8.txt`.
160 | - Suspicious files:
161 | - `unknown.txt` located at `/var/www/html/v1/js/unknown.txt`.
162 | - `unknown2.php` located at `/var/www/html/v1/css/unknown2.PHP`.
163 | 3. **Using Commands for Detection**:
164 |
165 | - **Linux Commands**:
166 |
167 | - To find PHP or text files modified in the last 24 hours:
168 |
169 | `find . -type f -name '*.php' -mtime -1` or
170 | `find . -type f -name '*.txt' -mtime -1`
171 |
172 | `ls -la` also shows hidden (dot-prefixed) entries that a plain `ls` skips.
173 | - Explanation: This command searches for regular files (`-type f`) under the current directory (`.`) with the given extension modified in the last day (`-mtime -1`). Attackers often timestomp the modification time (`touch -r` against a neighbouring file) so the shell blends in, so repeat the search with `-ctime -1`: the inode change time cannot be set from user space and is updated by the timestomp itself. Use `-newermt '2024-06-01'` for an explicit date window.
174 | - **Analyzing Files**:
175 |
176 | - Look inside PHP files for suspicious functions like `eval`, which are often used maliciously:
177 |
178 | `find . -type f -name '*.php' | xargs grep -I "eval *("`
179 |
180 | - Similarly, search for `base64_decode`, another function commonly misused in web shells:
181 |
182 | `find . -type f -name '*.php' | xargs grep -I "base64_decode("`
183 | **xargs : build and execute command lines from standard input** (use `find ... -print0 | xargs -0` when file names may contain spaces)
184 | **grep : prints lines matching a pattern** (`-I` skips binary files; add `-l` to print only the matching file names)
185 |
186 | 4. **Additional Functions to Look For**:
187 |
188 | - `mail()`: Often used for sending spam.
189 | - `fsockopen()`, `pfsockopen()`: Used to open network connections (reverse shells, C2 check-ins).
190 | - `exec()`, `system()`, `passthru()` (and `shell_exec()`, `popen()`, `proc_open()`): Used to execute operating-system commands.
191 | - Combine the search into one command (`egrep` is the older spelling of `grep -E`):
192 |
193 | `find . -type f -name "*.php" | xargs egrep -l "(mail|fsockopen|pfsockopen|exec|system|passthru|eval|base64_decode) *\("`
194 |
195 |
196 | ### Windows Server Commands
197 |
198 | 1. **PowerShell Commands**:
199 | - To find PHP files recursively:
200 |
201 | `Get-ChildItem -Recurse -Include *.php | Select-String -Pattern "eval|base64_decode|mail|fsockopen|pfsockopen|exec|system|passthru" | Out-GridView`
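The same hunt as a portable script, added here as an example (it is not part of the original notes or the INE course): it mirrors the Linux `find`/`xargs`/`grep` and the PowerShell `Get-ChildItem`/`Select-String` commands above, reporting files changed in the last 24 hours and files that call one of the listed functions. The web root it scans is built in a temp directory from constructed files whose names only echo the scenario; the 24-hour window and the `.php`/`.txt` extensions are assumptions taken from the commands above.

```python
"""Added example (not part of the original notes or the INE course): a portable
version of the Linux find/xargs/grep and PowerShell Get-ChildItem/Select-String
hunts above. It lists files changed within the last day and files whose content
calls one of the functions the notes associate with web shells. The web root is
built in a temp directory from constructed files whose names echo the scenario."""
import os
import re
import shutil
import tempfile
import time
from pathlib import Path

# Same alternation as the notes' egrep, anchored on the call paren (and a word
# boundary) so that e.g. "evaluate(" or "$mailbox" do not match.
SUSPECT_CALL = re.compile(
    r"\b(mail|fsockopen|pfsockopen|exec|system|passthru|eval|base64_decode) *\(")
EXTENSIONS = {".php", ".txt"}   # .txt too: web shells are sometimes dropped as text (ss8.txt)

def candidate_files(root):
    """Yield regular files under root with an extension of interest; the check is
    case-insensitive so unknown2.PHP is included."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            if Path(name).suffix.lower() in EXTENSIONS:
                yield Path(dirpath) / name

def recently_modified(root, max_age_seconds=24 * 3600, now=None):
    """Equivalent of `find . -mtime -1`: candidate files changed within the last day."""
    now = time.time() if now is None else now
    return sorted(str(p) for p in candidate_files(root)
                  if now - p.stat().st_mtime < max_age_seconds)

def suspicious_calls(root):
    """Map file path -> [(line number, function name), ...] for every suspect call."""
    hits = {}
    for p in candidate_files(root):
        try:
            text = p.read_text(errors="replace")
        except OSError:
            continue
        found = [(i, m.group(1)) for i, line in enumerate(text.splitlines(), 1)
                 for m in SUSPECT_CALL.finditer(line)]
        if found:
            hits[str(p)] = found
    return hits

def build_sample_webroot():
    """Create a constructed web root mirroring the scenario's layout; the
    matching content is inert (the base64 string decodes to: echo "hi";)."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    files = {
        "v1/index.php": '<?php echo "hello"; ?>\n',
        "v1/helper.php": "<?php function evaluate($x) { return $x; } ?>\n",   # not a hit
        "v1/css/unknown2.PHP": '<?php eval(base64_decode("ZWNobyAiaGkiOw==")); ?>\n',
        "v1/imags/ss8.txt": '<?php passthru("date"); ?>\n',
        "v1/old.php": "<?php // untouched config ?>\n",
    }
    for rel, content in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
    old = time.time() - 3 * 24 * 3600
    os.utime(root / "v1/old.php", (old, old))   # push it outside the -mtime -1 window
    return root

if __name__ == "__main__":
    root = build_sample_webroot()
    print("modified in the last 24h:", recently_modified(root))
    for path, found in suspicious_calls(root).items():
        print(path, found)
    shutil.rmtree(root)
```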
202 |
203 |
204 | ### Tools for Web Shell Detection
205 |
206 | 1. **LOKI**:
207 |
208 | - Use LOKI to scan for known signatures of web shells. Provide it with the web server directory (e.g., `/var/www/html/`).
209 | - LOKI uses YARA rules for detection and relies on a signature database to identify malicious files.
210 | - Example directory for YARA rules in LOKI: `/loki/signature-base/yara`.
211 | 2. **NeoPI**:
212 |
213 | - NeoPI is a Python script used to detect malicious files by calculating file entropy and comparing against known signatures.
214 | - Provide it with the web server directory to scan (e.g., `/var/www/html/`).
215 | - NeoPI can detect more files compared to LOKI by looking into the file content for suspicious functions.
216 |
--------------------------------------------------------------------------------
/Section3/Module1/Introduction To Endpoint Hunting.md:
--------------------------------------------------------------------------------
1 |
2 | When analyzing Windows core processes for legitimacy, it's important to verify several key attributes. These attributes help in determining whether the processes are genuine or potentially malicious imitations. Let's break down each factor and its relevance:
3 | • Name • Purpose • Executable path • Parent process • SID
4 |
5 | 
6 |
7 |
8 |
9 |
10 | ### Analysis of `smss.exe` (Session Manager Subsystem)
11 |
12 | `smss.exe` is a critical Windows core process responsible for managing sessions on a Windows system. Understanding its characteristics is essential for ensuring system integrity and detecting potential security issues.
13 |
14 | 
15 |
16 | #### **Attributes of `smss.exe`**
17 |
18 | **Description:**
19 |
20 | This process manages the start of user sessions and various other activities, including launching winlogon.exe and csrss.exe, setting system variables, and more. If the two processes end normally after launch, smss.exe shuts down the system; if they end unexpectedly, smss.exe causes the system to hang.
21 |
22 | **Image Path**:
23 |
24 | %SystemRoot%\System32\smss.exe
25 |
26 | **Parent Process**:
27 |
28 | System
29 |
30 | **Threat hunting tips:**
31 |
32 | An “smss.exe” that starts csrss.exe and wininit.exe, or csrss.exe and winlogon.exe, is normal. Additional sessions may be created by RDP and Fast User Switching on shared computers. Remember, only one instance of smss.exe should be running.
33 |
34 |
35 | - **Expected Base Priority**: 11
36 | - **Expected Timing**: For Session 0, within seconds of boot time
37 | - Remember only 1 instance of smss.exe should be running
38 |
39 | ### Analysis of `csrss.exe` (Client/Server Runtime Subsystem)
40 |
41 | `csrss.exe` is an essential Windows core process that plays a crucial role in the management of processes and threads, as well as providing the Windows API to other processes.
42 |
43 | #### **Attributes of `csrss.exe`**
44 |
45 | 
46 |
47 | **Description:**
48 |
49 | This process is an essential subsystem that must be running at all times. It is responsible for console windows, process/thread creation, and thread deletion.
50 |
51 | **Image Path:**
52 |
53 | %SystemRoot%\System32\csrss.exe
54 |
55 | **Parent Process:**
56 |
57 | Created by an instance of smss.exe that exits, so analysis tools usually do not provide the parent process name.
58 |
59 | **Threat Hunting Tips**:
60 |
61 | Malware authors can disguise their malware to appear as this process by hiding in plain sight. They can change the malware name from ‘csrss.exe’ to something similar but with a misspelling; for instance, cssrss, crss, cssrs, csrsss.
62 |
63 |
64 | - **Expected Base Priority**: 13
65 | - **Expected Timing**: For Sessions 0 & 1, within seconds of boot time.
66 | - Remember, typically you will see 2 instances of csrss.exe
67 |
68 | ### Analysis of `Winlogon.exe` (Windows Logon Process)
69 | `winlogon.exe` is a crucial system process responsible for handling secure user interactions during the login process. It manages user authentication, loading user profiles, and several other critical tasks. Ensuring the legitimacy of `winlogon.exe` is vital for system security.
70 |
71 | 
72 |
73 | #### **Attributes of `Winlogon.exe`**
74 |
75 | Winlogon handles interactive user logons and logoffs. It launches LogonUI.exe, which accepts the username and password at the logon screen and passes the credentials to lsass.exe to validate the credentials. Once the user is authenticated, Winlogon loads the user’s NTUSER.DAT into HKEY_CURRENT_USER Registry Hive and starts the user’s shell (explorer.exe) via Userinit.exe.
76 |
77 | **Image Path:**
78 |
79 | %SystemRoot%\System32\winlogon.exe
80 |
81 | **Parent Process:**
82 |
83 | Created by an instance of smss.exe that exits, so analysis tools usually do not provide the parent process name.
84 |
85 | **Threat Hunting Tips**:
86 |
87 | Abuse of this process usually targets the individual components of the logon process. Malware sometimes modifies the Shell registry value; this value should be explorer.exe.
88 |
89 |
90 | - **Expected Base Priority**: 13
91 | - **Expected Timing**: During the early stages of the boot process
92 |
93 |
94 | ### Analysis of `wininit.exe` (Windows Initialization Process)
95 | `wininit.exe` is a core Windows system process responsible for initializing the user-mode side of the Win32 subsystem. This includes starting services and initializing system drivers. Ensuring the legitimacy of `wininit.exe` is essential for maintaining system integrity.
96 |
97 | 
98 |
99 | #### **Attributes of `wininit.exe`**
100 |
101 | **Description:**
102 |
103 | This process is an essential part of the Windows OS and it runs in the background. “wininit.exe” is responsible for launching the Windows Initialization process. Wininit starts key background processes within Session 0. It starts with the Service Control Manager (services.exe), the Local Security Authority process (lsass.exe), and the Local Session Manager (lsm.exe).
104 |
105 | **Image Path:**
106 |
107 | %SystemRoot%\System32\wininit.exe
108 |
109 | **Parent Process:**
110 |
111 | Created by an instance of smss.exe that exits, so tools usually do not provide the parent process name.
112 |
113 | **Number of Instances:**
114 |
115 | One
116 |
117 | **User Account:**
118 |
119 | Local System
120 |
121 | **Threat hunting tips:**
122 |
123 | There must be only one instance of wininit.exe. You should check the parent process to see what is spawning wininit.exe. You should also check whether this process is located somewhere other than its usual path, and check the spelling.
124 |
125 |
126 |
127 | ### Analysis of `lsm.exe` (Local Session Manager)
128 |
129 |
130 |
131 | #### **Attributes of `lsm.exe`**
132 |
133 | **Description:**
134 |
135 | `lsm.exe` is a critical system process that runs in the background on Windows OS. It is responsible for managing user sessions and is especially important in multi-user environments such as Terminal Services. It helps in managing and maintaining sessions on the system.
136 |
137 | **Image Path:**
138 |
139 | %SystemRoot%\System32\lsm.exe
140 |
141 | **Parent Process:**
142 |
143 | Created by `wininit.exe`.
144 |
145 | **Number of Instances:**
146 |
147 | One
148 |
149 | **User Account:**
150 |
151 | Local System
152 |
153 | **Threat hunting tips:**
154 |
155 | Ensure only one instance of `lsm.exe` is running. Verify `lsm.exe` is started by `wininit.exe`. Confirm `lsm.exe` runs from `%SystemRoot%\System32\lsm.exe`. Watch for misspelled variants or suspiciously similar processes.
156 |
157 | ### Analysis of `lsass.exe` (Local Security Authority Subsystem Service)
158 |
159 | 
160 |
161 | #### **Attributes of `lsass.exe`**
162 |
163 | **Description:**
164 |
165 | `lsass.exe` is a critical system process responsible for enforcing security policies, handling user logins, password changes, and creating access tokens. It also manages the Local Security Authority (LSA) process, which is crucial for authenticating users and ensuring system security.
166 |
167 | **Image Path:**
168 |
169 | %SystemRoot%\System32\lsass.exe
170 |
171 | **Parent Process:**
172 |
173 | Created by `wininit.exe`.
174 |
175 | **Number of Instances:**
176 |
177 | One
178 |
179 | **User Account:**
180 |
181 | Local System
182 |
183 | **Threat hunting tips:**
184 |
185 | Ensure only one instance of `lsass.exe` is running. Validate `lsass.exe` is spawned by `wininit.exe`. Confirm `lsass.exe` runs from `%SystemRoot%\System32\lsass.exe`. Watch out for misspelled variants.
186 |
187 |
188 |
189 | ### lsm.exe vs lsass.exe
190 |
191 | #### Key Differences
192 |
193 | - **Function:** `lsm.exe` manages user sessions, while `lsass.exe` focuses on security enforcement and authentication.
194 | - **Responsibilities:** `lsm.exe` ensures smooth session transitions and management, whereas `lsass.exe` handles authentication processes and security policy enforcement.
195 | - **Criticality:** Both are critical system processes, but `lsass.exe` directly impacts system security and user authentication, making it more security-sensitive.
196 | - **Execution:** `lsm.exe` is crucial for session initialization and management from the early stages of system boot, whereas `lsass.exe` plays a continuous role in user authentication and security operations throughout system uptime.
197 |
198 |
199 |
200 | ## **Services.exe**
201 |
202 | 
203 |
204 | **Description:**
205 |
206 | services.exe launches the Service Control Manager, which is primarily responsible for handling system services: starting and stopping services and interacting with them. Services are defined in HKLM\SYSTEM\CurrentControlSet\Services. “services.exe” is the parent process of svchost.exe, dllhost.exe, taskhost.exe, spoolsv.exe, etc.
207 |
208 | **Image Path:**
209 |
210 | %SystemRoot%\System32\services.exe
211 |
212 | **Parent Process:**
213 |
214 | wininit.exe
215 |
216 | **Number of Instances:**
217 |
218 | One
219 |
220 | **User Account:**
221 |
222 | Local System
223 |
224 | **Threat hunting tips:**
225 |
226 | There must only be one instance of “services.exe”. This is a protected process, which makes it difficult to tamper with. Also track Event ID 4697 (Security log) and Event ID 7045 (System log).
227 |
228 |
229 |
230 | ## **Svchost.exe(service host)**
231 |
232 | **Description:**
233 |
234 | The generic host process for Windows Services. It is used for running service DLLs. Windows will run multiple instances of svchost.exe, each using a unique “-k” parameter for grouping similar services. Typical “-k” parameters include BTsvcs, DcomLaunch, RPCSS, LocalServiceNetworkRestricted, netsvcs, LocalService, NetworkService, LocalServiceNoNetwork, secsvcs, and LocalServiceAndNoImpersonation.
235 |
236 | 
238 |
239 | 
240 |
241 | **Image Path:**
242 |
243 | %SystemRoot%\System32\svchost.exe
244 |
245 | **Parent Process:**
246 |
247 | services.exe
248 |
249 | **Number of Instances:**
250 |
251 | Five or more
252 |
253 | **User Account:**
254 |
255 | Varies depending on svchost instance, though it typically will be Local System, Network Service, or Local Service accounts. Instances running under any other account should be investigated.
256 |
257 | **Legitimate svchost runs on**
258 |
259 | %SystemRoot%\System32\svchost.exe, and it should be a child of services.exe.
260 |
261 | **Threat Hunting Tips:**
262 |
263 | This process can be used to launch malicious services (malware installed as a service). Once the malicious service is launched, **“-k”** will not be present. This process also hides in plain sight through misspellings of its name. Another method of abusing this process is to place a copy in a different directory or path; however, note that in such a case services.exe would not be the parent process.
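The checks listed for the core processes above (image path, parent, instance count, user account, the svchost `-k` group, and look-alike names), applied to a process snapshot as an added example that is not part of the original notes. The snapshot is constructed by hand and keeps the `%SystemRoot%` path form the notes use; the process IDs, the user name and the two anomalies are invented for the demo.

```python
"""Added example (not part of the original notes): check a process snapshot
against the expected attributes listed above for the Windows core processes
(image path, parent, instance count, user account, svchost "-k" group) and
flag look-alike names. The snapshot is constructed for the demo and uses the
%SystemRoot% path form of the notes; live rows would come from Get-Process."""
SYSTEM32 = r"%SystemRoot%\System32"

# From the notes. parent=None: created by an smss.exe that already exited, so no
# parent check is possible. instances=(min, max), max None = no upper bound.
EXPECTED = {
    "smss.exe":     dict(parent="System",       instances=(1, 1),    users=None),
    "csrss.exe":    dict(parent=None,           instances=(1, 2),    users=None),
    "wininit.exe":  dict(parent=None,           instances=(1, 1),    users={"Local System"}),
    "winlogon.exe": dict(parent=None,           instances=(1, None), users=None),
    "lsm.exe":      dict(parent="wininit.exe",  instances=(1, 1),    users={"Local System"}),
    "lsass.exe":    dict(parent="wininit.exe",  instances=(1, 1),    users={"Local System"}),
    "services.exe": dict(parent="wininit.exe",  instances=(1, 1),    users={"Local System"}),
    "svchost.exe":  dict(parent="services.exe", instances=(5, None),
                         users={"Local System", "Network Service", "Local Service"}),
}

def edit_distance(a, b):
    """Levenshtein distance, used to catch look-alikes such as cssrss.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_snapshot(procs):
    """Return (pid, name, finding) for every deviation from EXPECTED. Each row
    of procs has pid, ppid, name, path, user and cmdline."""
    by_pid = {p["pid"]: p for p in procs}
    counts = {}
    for p in procs:
        counts[p["name"].lower()] = counts.get(p["name"].lower(), 0) + 1
    findings = []
    for name, exp in EXPECTED.items():
        lo, hi = exp["instances"]
        n = counts.get(name, 0)
        if n < lo or (hi is not None and n > hi):
            findings.append((None, name, f"expected {lo}..{hi or 'n'} instances, saw {n}"))
    for p in procs:
        name = p["name"].lower()
        exp = EXPECTED.get(name)
        if exp is None:
            # Not a core name but within two edits of one: a likely misspelling.
            for core in EXPECTED:
                if edit_distance(name, core) <= 2:
                    findings.append((p["pid"], p["name"], f"look-alike of {core}"))
            continue
        if p["path"].lower() != (SYSTEM32 + "\\" + name).lower():
            findings.append((p["pid"], p["name"], f"unexpected image path {p['path']}"))
        if exp["parent"] is not None:
            parent = by_pid.get(p["ppid"])
            parent_name = parent["name"] if parent else "<none>"
            if parent_name.lower() != exp["parent"].lower():
                findings.append((p["pid"], p["name"], f"unexpected parent {parent_name}"))
        if exp["users"] is not None and p["user"] not in exp["users"]:
            findings.append((p["pid"], p["name"], f"unexpected user account {p['user']}"))
        if name == "svchost.exe" and " -k " not in p["cmdline"]:
            findings.append((p["pid"], p["name"], "svchost.exe started without a -k service group"))
    return findings

def proc(pid, ppid, name, path=None, user="Local System", cmdline=None):
    """One snapshot row; the defaults describe a well-behaved System32 process."""
    return dict(pid=pid, ppid=ppid, name=name, user=user,
                path=SYSTEM32 + "\\" + name if path is None else path,
                cmdline=name if cmdline is None else cmdline)

# Constructed snapshot. ppid 301/302 are smss.exe copies that exited after
# spawning csrss/wininit/winlogon, so they have no row (as the notes describe).
SNAPSHOT = [
    proc(4, 0, "System", path=""),
    proc(300, 4, "smss.exe"),
    proc(400, 301, "csrss.exe"), proc(450, 301, "wininit.exe"),
    proc(480, 302, "csrss.exe"), proc(500, 302, "winlogon.exe"),
    proc(520, 450, "services.exe"), proc(540, 450, "lsass.exe"), proc(560, 450, "lsm.exe"),
    proc(600, 520, "svchost.exe", cmdline="svchost.exe -k DcomLaunch"),
    proc(601, 520, "svchost.exe", cmdline="svchost.exe -k RPCSS", user="Network Service"),
    proc(602, 520, "svchost.exe", cmdline="svchost.exe -k netsvcs"),
    proc(603, 520, "svchost.exe", cmdline="svchost.exe -k LocalService", user="Local Service"),
    proc(604, 520, "svchost.exe", cmdline="svchost.exe -k NetworkService", user="Network Service"),
    proc(1200, 500, "explorer.exe", path=r"%SystemRoot%\explorer.exe", user="alice"),
    # Two constructed anomalies: a svchost.exe copy in a user-writable folder,
    # started by explorer.exe without "-k", and a misspelled csrss.exe.
    proc(900, 1200, "svchost.exe", path=r"C:\Users\Public\svchost.exe", user="alice"),
    proc(950, 560, "cssrss.exe"),
]

if __name__ == "__main__":
    for pid, name, finding in check_snapshot(SNAPSHOT):
        print(f"pid={pid} {name}: {finding}")
```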
264 |
265 |
266 |
267 |
268 |
269 |
270 | ### Analysis of `taskhost.exe`
271 |
272 | 
273 |
274 | **Description:**
275 |
276 | `taskhost.exe` is a legitimate Windows process responsible for launching tasks based on triggers such as user actions or system events. It helps manage background processes and services efficiently.
277 |
278 | **Executable Path:**
279 |
280 | %SystemRoot%\System32\taskhost.exe
281 |
282 | **Parent Process:**
283 |
284 | Typically spawned by `svchost.exe` or `explorer.exe`, depending on the context of the task.
285 |
286 | **Number of Instances:**
287 |
288 | Multiple instances can run simultaneously depending on the tasks triggered.
289 |
290 | **User Account:**
291 |
292 | Varies based on the context in which it is executed, often under the context of the logged-in user or as a system service.
293 |
294 | ### Analysis of `explorer.exe`
295 |
296 | 
297 |
298 | **Description:**
299 |
300 | `explorer.exe` is a fundamental Windows process responsible for managing the graphical user interface (GUI) and providing the desktop environment. It allows users to interact with files, folders, and applications through the Windows Explorer interface.
301 |
302 | **Executable Path:**
303 |
304 | %SystemRoot%\explorer.exe (typically `C:\Windows\explorer.exe`)
305 |
306 | **Parent Process:**
307 |
308 | Usually initiated by the Windows Shell (`explorer.exe`) itself upon user login.
309 |
310 | **Number of Instances:**
311 |
312 | Typically, only one instance per user session, but multiple instances can occur in specific scenarios.
313 |
314 | **User Account:**
315 |
316 | Runs under the context of the logged-in user.
317 |
318 | ---
319 |
320 | #### Endpoint Baselines
321 |
322 | To create and use baselines for monitoring running services and processes on a Windows machine, you can use PowerShell. Here's a summary of how to establish and utilize these baselines:
323 |
324 | ### **Creating a Services Baseline**
325 |
326 | 1. **Get a list of running services:**
327 |
328 | `Get-Service * | Where-Object {$_.Status -eq "Running"} | Export-Clixml -Path "Baseline-Services.xml"`
329 |
330 | - `Get-Service *` retrieves all services.
331 | - `Where {$_.Status -eq "Running"}` filters to show only running services.
332 | - The information is exported to an XML file named `Baseline-Services.xml`.
333 | 2. **Compare the current services to the baseline:**
334 |
335 | `Compare-Object (Import-Clixml Baseline-Services.xml) (Get-Service | Where {$_.status -eq "Running"}) -Property DisplayName | Where-Object {$_.sideindicator -eq "<="}`
336 |
337 | - `Import-Clixml Baseline-Services.xml`: This command imports the baseline list of services from an XML file.
338 | - `Get-Service | Where {$_.status -eq "Running"}`: This retrieves the current list of running services.
339 | - `Compare-Object`: This cmdlet compares the two sets of objects (baseline services and current services).
340 | - `-Property DisplayName`: This parameter specifies that the comparison should be based on the `DisplayName` property of the services.
341 | - `Where-Object {$_.sideindicator -eq "<="}`: This keeps only the services that appear in the baseline (the reference set) but are not running now; use `"=>"` instead to list services running now that were not in the baseline.
342 |
343 | ### **Creating a Processes Baseline**
344 |
345 | 1. **Get a list of running processes:**
346 |
347 |
348 | `Get-Process | Export-Clixml -Path "Baseline-Processes.xml"`
349 |
350 | - `Get-Process` retrieves all processes.
351 | - The information is exported to an XML file named `Baseline-Processes.xml`.
352 | 2. **Compare the current processes to the baseline:**
353 |
354 |
355 | `Compare-Object (Import-Clixml Baseline-Processes.xml) (Get-Process) -Property Name | Where-Object {$_.sideindicator -eq "<="}`
356 |
357 | ### Explanation
358 |
359 | - `Import-Clixml Baseline-Processes.xml`: This command imports the baseline list of processes from an XML file.
360 | - `Get-Process`: This retrieves the current list of running processes.
361 | - `Compare-Object`: This cmdlet compares the two sets of objects (baseline processes and current processes).
362 | - `-Property Name`: This parameter specifies that the comparison should be based on the `Name` property of the processes.
363 | - `Where-Object {$_.sideindicator -eq "<="}`: This keeps only the processes that appear in the baseline but are not running now; use `"=>"` instead to list processes running now that were not in the baseline.
364 |
365 | ### **Additional Baselines to Consider**
366 |
367 | - **Accounts on a system (user or service)**
368 | - **Local administrators on a system**
369 | - **Folder permissions**
370 | - **Folder contents**
371 | - **Tasks folder (scheduled tasks)**
372 | - **Network folders containing internal installation executables & files**
373 |
374 | ---
375 |
--------------------------------------------------------------------------------
/Section2/Module2/suspicious Traffic Hunting.md:
--------------------------------------------------------------------------------
1 | #### ARP (Address Resolution Protocol) Traffic
2 |
3 | ARP is fundamental in network communications, operating at Layer 2 of the OSI model. It resolves IP addresses to MAC addresses through ARP Request and Reply messages, crucial for proper data transmission.
4 |
5 | **Differentiating Normal and Suspicious Traffic**:
6 |
7 | - **Normal ARP Traffic**: In a typical network environment, ARP broadcasts occur at a reasonable rate from both clients and servers. These transmissions involve ARP Requests and corresponding Replies (Opcode 1 and 2 respectively) to resolve IP addresses to MAC addresses.
8 |
9 | 
10 |
11 | - **Suspicious ARP Traffic**: Suspicious behavior includes excessive ARP broadcasts within a short timeframe, often indicative of scanning activities like those conducted by tools such as Nmap. Additionally, instances where the same MAC address is associated with different IP addresses suggest ARP spoofing, a potential security threat.
12 |
13 | for more [(PDF) ARP Spoofing- Analysis using Wireshark on 2 different OS LINUX and WINDOWS | Debojyoti Sengupta - Academia.edu](https://www.academia.edu/5648727/ARP_Spoofing_Analysis_using_Wireshark_on_2_different_OS_LINUX_and_WINDOWS)
14 |
15 | #### Here are the images that were referenced in the TryHackMe Wireshark Traffic Analysis challenge:
16 | #### Normal
17 | 
18 |
19 | Proper ARP Request followed by a single ARP Reply with correct MAC address mapping
20 | #### Suspicious
21 | 
22 |
23 | Multiple ARP Requests with incrementing IP addresses and minimal time intervals, suggesting systematic scanning or reconnaissance by malicious actors.
24 | Alternatively, an ARP spoofing attack can be spotted by looking for a single MAC address being used by two different IP addresses.
25 |
26 |
27 | Identifying Suspicious Patterns:
28 | In suspicious ARP traffic, anomalies such as frequent and rapid ARP broadcasts without corresponding Replies, or ARP Replies sent gratuitously (without prior Request), can indicate attempts to manipulate ARP cache entries (ARP poisoning) or unauthorized network scans.
29 |
30 | Gratuitous ARP Replies:
31 | Attackers may use gratuitous ARP replies to introduce false MAC address mappings into ARP caches, attempting to intercept network traffic or disrupt communications. They often send these replies periodically to maintain the false entries.
32 |
33 | This proactive approach helps safeguard network integrity and data confidentiality against various ARP-related vulnerabilities.👍
34 |
35 | --------------------------------------------------------------------------
36 |
37 | #### ICMP (The Internet Control Message Protocol) Traffic
38 |
39 | **(ICMP)** is primarily used for error reporting and diagnostics in network communications. It operates at the Network Layer (Layer 3) of the OSI model, which is the same layer as the Internet Protocol (IP). Unlike other protocols, ICMP does not have specific ports.
40 |
41 | **Uses of ICMP:**
42 |
43 | 1. **Troubleshooting Network Issues:**
44 |
45 | - ICMP is commonly used for network diagnostics and troubleshooting. For example, if your device is experiencing connectivity issues, ICMP can help determine if there is a problem with the internet connection.
46 | 2. **Ping:**
47 |
48 | - The `ping` command utilizes ICMP to check the availability of a destination device on a network. When you `ping` a device, ICMP sends an echo request and waits for an echo reply. If a reply is received, the device is active and reachable.
49 | 
50 |
51 | 3. **Traceroute:**
52 |
53 | - `Traceroute` uses ICMP to trace the path packets take to reach a destination IP address. It helps identify the various gateways (routers) the packets pass through on their journey to the target.
54 | 
55 |
56 |
57 | **ICMP Packet Types:**
58 |
59 | - **Echo Request and Reply:**
60 | - An echo request (Type 8, Code 0) is sent to test connectivity, and an echo reply (Type 0, Code 0) is returned to confirm the connection.
61 |
62 | **Detecting Suspicious ICMP Traffic:**
63 |
64 | 1. **Abnormal Packet Frequency:**
65 |
66 | - If ICMP packets are being sent excessively, it could indicate data exfiltration, where sensitive data is being transmitted covertly.
67 | 2. **Unusual Packet Sizes:**
68 |
69 | - Typically, ICMP packets have a standard length. If you notice packets with unusually large sizes (e.g., 1000 bytes instead of the usual 100 bytes), it might be a sign of an attack, such as data exfiltration disguised as ICMP traffic.
70 | 
71 | 3. **Unusual ICMP Types/Codes:**
72 |
73 | - Be aware of uncommon ICMP types and codes. For example, a timestamp request (Type 13) should only occur between servers. If a normal PC sends such requests, it could indicate a reconnaissance attempt by an attacker.
74 |
75 | **Common ICMP Attacks:**
76 |
77 | 1. **Smurf Attack:**
78 |
79 | - This is a type of DDoS attack where the attacker spoofs the victim's IP address and sends ICMP echo requests to a network's broadcast address. All devices in the network respond to the victim, overwhelming it with traffic.
80 |
81 |
82 |
83 | 2. **ICMP Tunneling:**
84 |
85 | - Attackers may encapsulate other types of traffic (e.g., HTTP) within ICMP packets to bypass firewalls and IDS/IPS systems. Tools like `ptunnel` can be used for this purpose. Indicators of ICMP tunneling include varying packet sizes and specific data sequences within the packets.
86 | 
87 |
88 |
89 | 3. **ICMP Redirect Abuse:**
90 |
91 | - An attacker can send a fake ICMP redirect message to a device, causing it to route its traffic through a malicious gateway controlled by the attacker. This can be used for man-in-the-middle attacks.
92 |
93 |
94 | **Detection and Mitigation:**
95 |
96 | - **Packet Analysis with Wireshark:**
97 |
98 | - Use Wireshark to capture and analyze ICMP packets. Look for anomalies such as unusual types, codes, packet sizes, and frequencies.
99 | - **Monitoring Network Traffic:**
100 |
101 | - Regularly monitor your network traffic for spikes in ICMP traffic and other irregular patterns that might indicate malicious activity.
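The ICMP indicators above (abnormal frequency, unusual sizes, unusual types/codes, and varying payload sizes as a tunneling indicator) applied to constructed packet summaries, as an added example that is not part of the original notes. The addresses, payload sizes and thresholds are assumptions chosen for the demo, not values from a real capture.

```python
"""Added example (not part of the original notes): apply the ICMP heuristics
above (abnormal frequency, unusual sizes, unusual types/codes, and varying
payload sizes as a tunneling indicator) to constructed packet summaries of the
kind read off a Wireshark capture. Addresses, sizes and thresholds are
assumptions chosen for the demo."""
from collections import defaultdict
from statistics import pstdev

# Type/code pairs treated as routine for an end-user device (echo request and
# reply, as in the notes). Extend this with what is normal in your environment.
EXPECTED_TYPES = {(8, 0), (0, 0)}

def icmp(ts, src, dst, itype, code, payload_len):
    """One packet summary: timestamp, endpoints, ICMP type/code, payload bytes."""
    return dict(ts=ts, src=src, dst=dst, type=itype, code=code, len=payload_len)

def unusual_types(pkts, expected=EXPECTED_TYPES):
    """Packets whose type/code is outside the expected set, e.g. a timestamp
    request (type 13) coming from an ordinary workstation."""
    return [p for p in pkts if (p["type"], p["code"]) not in expected]

def oversized_echo(pkts, max_len=100):
    """Echo packets carrying more payload than a normal ping (the notes contrast
    about 100 bytes with about 1000)."""
    return [p for p in pkts if p["type"] in (8, 0) and p["len"] > max_len]

def requests_per_second(pkts):
    """Echo-request count per (src, dst, whole second); high values point to
    floods or chatty tunnels rather than a person running ping."""
    counts = defaultdict(int)
    for p in pkts:
        if p["type"] == 8:
            counts[(p["src"], p["dst"], int(p["ts"]))] += 1
    return dict(counts)

def tunneling_candidates(pkts, min_packets=5, min_stdev=50.0):
    """(src, dst) pairs whose echo-request payload sizes vary widely. ping uses
    a fixed payload, so a large spread is the size-variation indicator above."""
    sizes = defaultdict(list)
    for p in pkts:
        if p["type"] == 8:
            sizes[(p["src"], p["dst"])].append(p["len"])
    return {pair: round(pstdev(s), 1) for pair, s in sizes.items()
            if len(s) >= min_packets and pstdev(s) >= min_stdev}

# Constructed capture: a normal 4-packet ping (56-byte payload, one request per
# second with a reply), then a host sending a burst of variable-size echo
# requests followed by a timestamp request.
CAPTURE = [
    p for i in range(4) for p in (icmp(i, "10.0.0.5", "192.0.2.1", 8, 0, 56),
                                   icmp(i + 0.02, "192.0.2.1", "10.0.0.5", 0, 0, 56))
] + [
    icmp(10.0 + i * 0.1, "10.0.0.66", "203.0.113.9", 8, 0, size)
    for i, size in enumerate((312, 1020, 77, 640, 980, 1400))
] + [icmp(12.0, "10.0.0.66", "203.0.113.9", 13, 0, 12)]

if __name__ == "__main__":
    print("unusual types:", [(p["src"], p["type"]) for p in unusual_types(CAPTURE)])
    print("oversized echo packets:", len(oversized_echo(CAPTURE)))
    print("busiest second:", max(requests_per_second(CAPTURE).items(), key=lambda kv: kv[1]))
    print("tunneling candidates:", tunneling_candidates(CAPTURE))
```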
102 |
103 | --------------------------------------------------------------------------
104 | ### TCP (Transmission Control Protocol) Traffic
105 |
106 | - **Definition:**
107 | - TCP is a protocol responsible for controlling the transmission of data between the source and the destination.
108 | - It ensures that packets (data units) are delivered correctly and handles any errors that occur during transmission.
109 | - If an error occurs while sending a packet, TCP will send an alert to inform you that the data did not reach the destination or was lost along the way.
110 |
111 | ### How TCP Works
112 |
113 | - **Handshake Process:**
114 | - Before sending any data, TCP performs a process called the handshake to ensure the connection is successfully established.
115 | - This process involves sending a SYN from the source, receiving a SYN-ACK from the destination, and then confirming the connection with an ACK from the source.
116 | 
117 |
118 | ### Normal TCP vs. Suspicious TCP
119 |
120 | - **Normal TCP:**
121 | - The connection process starts with sending a SYN, followed by a SYN-ACK response, and finally an ACK to establish the connection.
122 | 
123 |
124 | - **Suspicious TCP:**
125 | - Multiple SYN requests are sent without receiving an ACK response.
126 | 
127 | 
128 |
129 |
130 | - This behavior is typical of tools like Nmap, which perform port scanning to detect open ports.
131 | - Requests are sent from a single port to multiple different ports on the destination device.
132 | - Requests may come from a single IP to multiple IPs, indicating network scanning behavior.
133 | ### Scenarios of Suspicious Behavior
134 |
135 | - **Scanning:**
136 | - Observing repeated SYN requests without receiving ACKs indicates a scanning operation.
137 | - Requests sent from one port to multiple ports or from one IP to several IPs suggest network scanning.
138 | - **SYN Flooding:**
139 | - Sending numerous SYN requests in a short period is known as a SYN flooding attack, a type of DDoS (Distributed Denial of Service) attack.
140 | - **Connection Refusal:**
141 | - In some cases, after a SYN and SYN-ACK, an RST (Reset) is sent instead of an ACK, indicating a refusal or termination of the connection. This is typical behavior of scanning tools.
142 | 
143 |
144 | 
145 |
146 | ### Handling Suspicious Behaviors
147 |
148 | - **Detecting and Preventing Attacks:**
149 | - Monitor the network to detect suspicious behaviors such as scanning or flooding.
150 | - Take appropriate actions like dropping, resetting, or blocking suspicious connections.
151 | - Stay one step ahead of attackers by identifying these behaviors early.
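The ARP and TCP patterns described above (one MAC answering for several IPs, a burst of ARP requests from one sender, and SYNs to many ports that never complete the handshake) checked against a constructed list of packet summaries, as an added example that is not part of the original notes. The addresses, timestamps, window and thresholds are assumptions made for the demo.

```python
"""Added example (not part of the original notes): apply the ARP and TCP
heuristics above to a constructed list of packet summaries (the fields one
reads off a Wireshark capture): a MAC address answering for more than one IP
(ARP spoofing), a burst of ARP requests from one sender (sweep), and SYNs to
many ports that never complete the handshake (SYN scan). Addresses, timestamps
and thresholds are made up for the demo."""
from collections import defaultdict

def arp(ts, op, mac, ip):
    """ARP summary: opcode 1 = request, 2 = reply; sender MAC and sender IP."""
    return dict(ts=ts, proto="arp", op=op, sender_mac=mac, sender_ip=ip)

def tcp(ts, src, sport, dst, dport, flags):
    """TCP summary; flags as Wireshark abbreviates them: S, SA, A, R."""
    return dict(ts=ts, proto="tcp", src=src, sport=sport, dst=dst, dport=dport, flags=flags)

def arp_spoof_candidates(pkts):
    """MACs that claim more than one IP address in ARP replies."""
    ips_by_mac = defaultdict(set)
    for p in pkts:
        if p["proto"] == "arp" and p["op"] == 2:
            ips_by_mac[p["sender_mac"]].add(p["sender_ip"])
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}

def arp_scan_sources(pkts, window=1.0, threshold=10):
    """Senders with at least `threshold` ARP requests inside any `window`
    seconds (sliding window per sender); the value is the largest burst seen."""
    times = defaultdict(list)
    for p in pkts:
        if p["proto"] == "arp" and p["op"] == 1:
            times[p["sender_mac"]].append(p["ts"])
    bursts = {}
    for mac, ts in times.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts[mac] = max(bursts.get(mac, 0), end - start + 1)
    return bursts

def syn_scan_sources(pkts, threshold=5):
    """Sources whose SYNs to distinct (host, port) targets are never followed by
    an ACK from that source: the half-open pattern of a port or network scan.
    A RST instead of the final ACK (also described above) counts as not completed."""
    syn_targets = defaultdict(set)
    completed = set()
    for p in pkts:
        if p["proto"] != "tcp":
            continue
        if p["flags"] == "S":
            syn_targets[p["src"]].add((p["dst"], p["dport"]))
        elif p["flags"] == "A":
            completed.add((p["src"], p["dst"], p["dport"]))
    result = {}
    for src, targets in syn_targets.items():
        half_open = [t for t in targets if (src,) + t not in completed]
        if len(half_open) >= threshold:
            result[src] = len(half_open)
    return result

GATEWAY_MAC, ATTACKER_MAC = "02:00:00:00:00:01", "02:00:00:00:00:66"
CAPTURE = (
    # Normal ARP: one request, one reply from the real gateway.
    [arp(0.0, 1, "02:00:00:00:00:05", "10.0.0.5"), arp(0.01, 2, GATEWAY_MAC, "10.0.0.1")]
    # Normal TCP handshake 10.0.0.5 -> 10.0.0.20:443 (SYN, SYN-ACK, ACK).
    + [tcp(0.1, "10.0.0.5", 51000, "10.0.0.20", 443, "S"),
       tcp(0.11, "10.0.0.20", 443, "10.0.0.5", 51000, "SA"),
       tcp(0.12, "10.0.0.5", 51000, "10.0.0.20", 443, "A")]
    # ARP sweep: 12 requests in under half a second from one MAC.
    + [arp(1.0 + i * 0.04, 1, ATTACKER_MAC, "10.0.0.66") for i in range(12)]
    # ARP spoofing: the same MAC later replies as itself and as the gateway.
    + [arp(2.0, 2, ATTACKER_MAC, "10.0.0.66"), arp(2.5, 2, ATTACKER_MAC, "10.0.0.1")]
    # SYN scan of six ports; the two that answer SYN-ACK get a RST, not an ACK.
    + [tcp(3.0 + i * 0.01, "10.0.0.66", 40000, "10.0.0.20", port, "S")
       for i, port in enumerate((21, 22, 23, 25, 80, 443))]
    + [tcp(3.1, "10.0.0.20", 22, "10.0.0.66", 40000, "SA"),
       tcp(3.11, "10.0.0.66", 40000, "10.0.0.20", 22, "R"),
       tcp(3.12, "10.0.0.20", 80, "10.0.0.66", 40000, "SA"),
       tcp(3.13, "10.0.0.66", 40000, "10.0.0.20", 80, "R")]
)

if __name__ == "__main__":
    print("ARP spoofing candidates:", arp_spoof_candidates(CAPTURE))
    print("ARP sweep sources:", arp_scan_sources(CAPTURE))
    print("SYN scan sources:", syn_scan_sources(CAPTURE))
```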
152 |
153 |
154 | --------------------------------------------------------------------------
155 | #### Dynamic Host Configuration Protocol (DHCP) Traffic
156 |
157 | - **Definition:**
158 | - DHCP is a protocol responsible for dynamically assigning IP addresses to devices (hosts) on a network.
159 | - It operates within a LAN (Local Area Network).
160 |
161 | **Methods for Obtaining an IP Address:**
162 |
163 | - **Manual Assignment:**
164 | - A user can manually assign an IP address based on the subnet mask and the instructions provided by the network administrator.
165 | - **Automatic Assignment (DHCP):**
166 | - More commonly, users obtain an IP address automatically through DHCP.
167 | - A DHCP server must be present on the network to distribute IP addresses. This server can be located on a firewall, router, or a dedicated DHCP server.
168 |
169 | **DHCP Server:**
170 |
171 | - **Functionality:**
172 | - The DHCP server automatically assigns IP addresses to devices on the network.
173 | - It operates on ports 67 and 68 and uses the UDP protocol from the transport layer.
174 |
175 | **DHCP Process (DORA):**
176 |
177 | - **DORA Process:**
178 | - **Discover:** The client sends a DHCP Discover message to find available DHCP servers.
179 | - **Offer:** A DHCP server responds with a DHCP Offer message, offering an IP address to the client.
180 | - **Request:** The client sends a DHCP Request message to the server, indicating it wants to use the offered IP address.
181 | - **Acknowledgement:** The server sends a DHCP Acknowledgement message to confirm the IP address assignment.
182 |
183 | ### Detailed DHCP Process:
184 |
185 | 
186 |
187 |
188 | 1. **DHCP Discover:**
189 |
190 | - The client broadcasts a Discover message to find DHCP servers on the network.
191 | - This message is sent to the destination IP address 255.255.255.255 (broadcast address) and destination port 67 (DHCP server port).
192 | 2. **DHCP Offer:**
193 |
194 | - The DHCP server responds with an Offer message, containing an available IP address and other configuration information.
195 | - This message is sent to the client’s MAC address and uses source port 67 and destination port 68 (DHCP client port).
196 | 3. **DHCP Request:**
197 |
198 | - The client responds with a Request message, indicating it accepts the offered IP address.
199 | - This message also includes any other network configuration information requested by the client.
200 | 4. **DHCP Acknowledgement:**
201 |
202 | - The DHCP server sends an Acknowledgement message, confirming the IP address assignment and completing the configuration process.
203 |
204 | #### Normal process
205 |
206 | 
207 | Looking at packet number 1, we see that the device didn't have an IP address and sent a broadcast message to the entire network. The IP 1.1 responded with a DHCP offer, continuing through the DORA process we explained above. This is the correct and expected behavior.
208 | #### 1- **DHCP Discover**
209 | 
210 | This is the first frame; it is sent by the client as a broadcast to all available servers.
211 | #### 2-**DHCP Offer**
212 | 
213 | This frame is sent by the server(s) to the client with many details, such as the subnet mask. If the client receives multiple DHCP Offers, it can choose which IP address to take.
214 |
215 | #### 3-**DHCP Request**
216 | 
217 | This frame is sent by the client to the particular server, confirming the IP address. It can also request some more details from the server.
218 |
219 | #### 4-**DHCP Acknowledgement**
220 | 
221 | This is the last frame of the DORA process. It is sent by the server as an acknowledgement
222 |
223 | After the DHCP lease time expires, the client needs to send a DHCP renewal frame to extend its IP address lease. The renewal process involves two key exchanges:
224 |
225 | 1. **DHCP Request:**
226 |
227 | - During renewal, the DHCP request frame includes the client’s current IP address in the client IP address field, as the client is attempting to renew its existing IP address.
228 | - This request is sent as a unicast frame directly to the DHCP server.
229 | 2. **DHCP ACK:**
230 |
231 | - The DHCP ACK frame is the server’s acknowledgment of the renewal request.
232 | - This ACK is sent as a broadcast frame, confirming the renewal of the client’s IP address.
233 | 
234 |
235 | #### Suspicious process
236 |
237 | Everything we've seen so far was the normal DHCP process. Let's see how things look in a suspicious DHCP scenario:
238 |
239 | - An attacker might impersonate the DHCP server and set up a rogue DHCP server, convincing you it's the real DHCP server. If the attacker succeeds, they perform a man-in-the-middle attack, intercepting all your communications by posing as the legitimate DHCP server. This allows them to monitor everything you do.
240 |
242 | 
243 |
244 | 
245 |
246 |
247 | 
248 |
249 | In a Wireshark capture of the rogue DHCP server scenario, you will see that when the attacker received a Discover message, they sent back an Offer before the original server did, initiating a man-in-the-middle attack.
250 |
251 | --------------------------------------------------------------------------
252 | #### DNS (Domain Name System) Traffic
253 |
254 | - DNS operates at the application layer (Layer 4) on port 53, using the UDP protocol from the transport layer. It resolves domain names to IP addresses. For example, when you want to visit Google, you type "google.com" in your browser. This request is sent to the DNS server, which holds the IP address of every website you want to visit; the DNS protocol retrieves that IP address and directs you to it. Nothing on the internet is addressed by the name "google.com" as such: the DNS server understands only IP addresses, but it knows the IP corresponding to "google.com" and has it recorded.
255 |
256 | - Any new domain that appears on the internet is automatically registered in the DNS server. To visit a site, your device first sends a DNS query via the DNS protocol, and the server responds, directing you to the site you entered in the browser.
257 |
258 | ### Normal vs. Suspicious DNS Traffic:
259 |
- **Normal DNS Traffic:**
    - DNS queries are sent from a client to a server to resolve the address of a specific website.
    - Normal traffic operates on port 53 using UDP.
    - Each DNS query has a corresponding DNS response.
    - DNS traffic should typically flow from client to server, not from client to client.
- **Suspicious DNS Traffic:**
    - Suspicious activity might use the same port (53) but with TCP instead of UDP.
    - While normal DNS traffic can sometimes use TCP, if you see unexpected use of TCP, it's a cause for investigation.
    - Suspicious traffic might not reach the DNS server, indicating potential malicious activity from another device.
    - You might see numerous DNS queries without corresponding responses, or the reverse, which is abnormal and indicates suspicious behavior.
272 |
273 | 
274 |
| **Feature** | **Normal DNS Traffic** | **Suspicious DNS Traffic** |
| --- | --- | --- |
| **Protocol** | UDP | TCP |
| **Port** | 53 | 53 |
| **Traffic Flow** | Client to DNS Server | Client to Client or unexpected flows |
| **Transaction ID** | Matches in both query and response | Mismatch or no response to queries |
| **Volume of Traffic** | Low, typically small queries and responses | High volume, especially large data transfers |
| **Behavior** | Client queries server for domain resolution | Unusual patterns, such as zone transfers from clients |
| **Query/Response Ratio** | Each query has a corresponding response | Multiple queries without responses or vice versa |
| **Use Case** | Resolving domain names to IP addresses | Potential data exfiltration or unauthorized access |
| **Zone Transfers** | Typically server to server | Client attempting zone transfers |
286 |
287 | I will explain some differences between them in Wireshark.
288 |
289 | #### DNS Transaction ID
290 | A 16-bit field used to uniquely identify a specific DNS transaction. It is generated by the originator of the message and is included in both the request and response messages. This ID allows the DNS client to match responses with the corresponding requests.
291 |
292 |
293 |
294 |
295 |
296 | #### Normal DNS
297 |
298 |
299 |
Here you can see that the connection was established normally: the client device reached the server on port 53 using the UDP protocol, so the connection is valid.

Here you will find the response to the query you sent, and you will see the answer the server returned for that query.



Look here as well: you will find that the DNS traffic is normal, and each DNS query has a corresponding DNS response.
##### Everything is clear and simple in normal traffic
307 |
308 |
309 | #### Suspicious DNS
310 |
*A common attack is a DNS zone transfer*
In normal traffic: a zone transfer is the process of replicating the DNS records from one DNS server to another. This is commonly done to ensure consistency and redundancy across DNS servers.

In suspicious traffic: you will find a zone transfer occurring between a server and a client rather than between servers.
Attackers do this in order to pull the addresses present in the DNS servers so that they can modify or manipulate them.
316 |
317 | There are two primary types of DNS zone transfers:
318 |
319 | Full Zone Transfer (AXFR): This type of transfer replicates the entire zone file from the master DNS server to the secondary DNS server. It is typically used when a secondary server is being set up or when there have been significant changes to the DNS records.
320 |
321 | Incremental Zone Transfer (IXFR): This type of transfer only replicates the changes (deltas) since the last transfer, rather than the entire zone. It is more efficient and reduces the amount of data transferred over the network.
322 |
323 |
324 |
We will find TCP being actively used. This is because a zone transfer request aims to gather all of the zone's IP addresses, resulting in a large traffic volume; therefore TCP is used rather than UDP.
326 |
327 | 
328 |
In contrast, here you'll find that when the client sends traffic, the size is small relative to the connection, because it is asking for just one host's IP. Everything looks normal, unlike the TCP case, which often carries large volumes and raises suspicion.
330 |
331 | As a threat hunter, you'd scrutinize any TCP traffic. If it's between servers, that's usual. But if it's from a client to a server, that's where the concern lies.
332 |
### *DNS Tunneling*
DNS tunneling is used for exfiltrating data. After carrying out the initial attack and exploiting vulnerabilities, the attacker performs data exfiltration. This process is similar to what frequently occurs on the Dark Web, where the attacker possesses data that cannot simply be copied or pasted out due to firewall restrictions. To circumvent this, the attacker creates tunnels or channels within DNS traffic, concealing the data inside DNS queries and responses and extracting it covertly.
335 |
336 | 
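The checks from the normal-vs-suspicious DNS table and from the zone-transfer and tunneling sections above, applied to a record list, as an added example that is not part of the original notes. The records are constructed in the shape of a Wireshark DNS export, the resolver address and the label-length threshold are assumptions, and queries are paired with responses on the transaction ID described earlier:

```python
# Assumption for this example: the site's authorized DNS resolvers.
KNOWN_DNS_SERVERS = {"10.0.0.53"}
MAX_LABEL_LEN = 30  # labels longer than this are rare in ordinary lookups (tunable)

# Constructed sample records in the shape of a Wireshark DNS export:
# (frame, src_ip, dst_ip, transport, is_response, transaction_id, qtype, qname)
LONG_LABEL = "3d2a9f0c7b1e4d8a5f6c2b9e0a1d3f4c5b6a7e8d.t.example.org"  # 40-char first label
SAMPLE_DNS = [
    (1,  "10.0.0.15", "10.0.0.53", "UDP", False, 0x1A2B, "A",    "google.com"),
    (2,  "10.0.0.53", "10.0.0.15", "UDP", True,  0x1A2B, "A",    "google.com"),
    (3,  "10.0.0.15", "10.0.0.53", "UDP", False, 0x1A2C, "A",    "example.com"),
    (4,  "10.0.0.53", "10.0.0.15", "UDP", True,  0x1A2C, "A",    "example.com"),
    (5,  "10.0.0.15", "10.0.0.53", "UDP", False, 0x1A2D, "A",    "cdn.example.net"),  # never answered
    (6,  "10.0.0.53", "10.0.0.15", "UDP", True,  0x7777, "A",    "example.com"),      # no matching query
    (7,  "10.0.0.77", "10.0.0.53", "TCP", False, 0x9F01, "AXFR", "corp.example"),     # client asks for a zone
    (8,  "10.0.0.53", "10.0.0.77", "TCP", True,  0x9F01, "AXFR", "corp.example"),
    (9,  "10.0.0.77", "10.0.0.53", "UDP", False, 0x0001, "TXT",  LONG_LABEL),
    (10, "10.0.0.53", "10.0.0.77", "UDP", True,  0x0001, "TXT",  LONG_LABEL),
]

def dns_findings(records, servers):
    """Apply the normal-vs-suspicious DNS checks to a record list, returning (frame, reason).

    Checks: TCP/53 queries from a client, AXFR/IXFR requested by a client, unusually long
    labels (a tunneling indicator), queries with no response and responses with no query.
    Queries and responses are paired on (client IP, transaction ID), as a resolver client does.
    """
    findings = []
    queries, responses = {}, {}
    for frame, src, dst, transport, is_response, txid, qtype, qname in records:
        if is_response:
            responses[(dst, txid)] = frame
            continue
        queries[(src, txid)] = (frame, qname)
        if transport == "TCP" and src not in servers:
            findings.append((frame, f"TCP/53 query from client {src}"))
        if qtype in ("AXFR", "IXFR") and src not in servers:
            findings.append((frame, f"{qtype} zone transfer requested by client {src}"))
        longest = max(len(label) for label in qname.split("."))
        if longest > MAX_LABEL_LEN:
            findings.append((frame, f"{longest}-char label in {qname}: possible tunneling"))
    for key, (frame, qname) in queries.items():
        if key not in responses:
            findings.append((frame, f"query {key[1]:#06x} for {qname} never answered"))
    for key, frame in responses.items():
        if key not in queries:
            findings.append((frame, f"response {key[1]:#06x} with no matching query"))
    return findings

if __name__ == "__main__":
    for frame, reason in dns_findings(SAMPLE_DNS, KNOWN_DNS_SERVERS):
        print(f"frame {frame}: {reason}")
```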
337 |
338 | --------------------------------------------------------------------------
339 |
340 | #### HTTP Traffic
341 |
342 | HTTP (Hypertext Transfer Protocol) operates on the application layer (layer 4) and is used for browsing the web. HTTP transmits data as clear text, making it vulnerable to attacks. HTTPS (Hypertext Transfer Protocol Secure) encrypts data using an SSL certificate, ensuring secure data transmission between parties.
343 |
344 | HTTP uses a request and reply system:
345 |
346 | - **GET Request**: To read data from another computer.
347 | - **POST Request**: To send data to another computer.
348 | - **DELETE Request**: To delete data on another computer.
349 |
Each request and reply has a status code that indicates the server's response:

You will find that some of the codes sent by the destination indicate its status. For example, if you open your browser, type in google.com and the Google page appears, it means you sent a GET request to Google. The server received it and replied with status code 200, meaning it approved your request to browse Google and opened the page for you. Similarly, every request has a specific reply with a status code describing a particular state. If you are adding a post or writing a comment on X, you will receive status code 201 from the server.
353 |
| **Aspect** | **Normal HTTP Traffic** | **Suspicious HTTP Traffic** |
| --- | --- | --- |
| **Request Frequency** | Regular patterns | Unusually high or burst requests |
| **Source IP Address** | Known, trusted IPs | Unknown, blacklisted, spoofed IPs |
| **Destination URL** | Legitimate URLs | Unusual domains, typos, obfuscation |
| **Ports** | Port 80, TCP; port 8080, TCP (used as alternate) | Excessive or unusual methods |
| **Payload Content** | Plaintext traffic | Malicious content, even if the traffic is encrypted (e.g., SQL injection) |
| **FQDN** | Typically a web server FQDN | The server is referenced by an IP address instead of an FQDN |
| **Response Status Codes** | Standard codes (200, 301, 404) | High rate of error codes (401, 403, 500) |
| **Traffic Volume** | Normal volume | Sudden traffic spikes |
364 |
In HTTP, when you send an HTTP request from your device to a server, it goes to port 80 on the server by default. If you're running an HTTP server (like a web server), it listens for requests directly on port 80. However, if you're running an HTTP proxy server, it acts as an intermediary between your device and the internet: it receives HTTP requests from your device and forwards them to other servers on the internet. In this case, the proxy server might use ports like 8080 or 8088 instead of the standard port 80, for purposes such as access control or filtering.

##### FQDN
367 |
368 | The term "Fully Qualified Domain Name" (FQDN) refers to a site that has a complete domain name, like google.com. However, if you come across a site referenced only by an IP address such as 192.168.1.1, I would advise caution. It lacks a proper FQDN, which could indicate a suspicious site. While it's possible for a site to be legitimate using just an IP address, as a threat hunter, encountering this should raise concern and prompt further investigation to ensure the safety of the traffic.
369 |
370 |
371 | #### Normal HTTP
372 |
1. **TCP Three-Way Handshake**:
    - **SYN**: The client sends a SYN (synchronize) packet to the server to initiate a connection.
    - **SYN-ACK**: The server responds with a SYN-ACK (synchronize-acknowledge) packet to acknowledge the client's request and synchronize the connection.
    - **ACK**: The client sends an ACK (acknowledge) packet back to the server, completing the handshake.
2. **Initiating HTTP Traffic**:
    - Once the TCP connection is established via the three-way handshake, HTTP traffic can begin. This is typically seen in packet analysis, such as with Wireshark, where the sequence of packets can be examined.
381 |
The second indication you'll find is that the source device is connecting to destination port 80.

**I can't share the images from the INE slides, but I explain it below.**

Remember the tips regarding normal HTTP traffic:
- Typically port 80
- Cleartext web-based traffic
- Hosts are accessed using FQDNs instead of IP addresses
##### Example

```http
GET /index.html HTTP/1.1
Host: www.example.com
```

- The server then responds with an HTTP 200 OK status code, indicating that the request has been successfully processed and the requested page will be sent.
396 |
Here is a detailed step-by-step process:

1. **Establishing TCP Connection**:
    - Client: Sends SYN to Server.
    - Server: Sends SYN-ACK to Client.
    - Client: Sends ACK to Server.
2. **Starting HTTP Communication**:
    - Client: Sends an HTTP GET request.
    - Server: Responds with HTTP 200 OK, along with the requested resource.
408 |
### Packets display like this in Wireshark, for example:
410 |
411 | - **Packet 1**: Client to Server – SYN
412 | - **Packet 2**: Server to Client – SYN-ACK
413 | - **Packet 3**: Client to Server – ACK
414 | - **Packet 7**: Client to Server – HTTP GET /index.html
415 | - **Packet 8**: Server to Client – HTTP 200 OK
416 |
417 | #### Suspicious HTTP
418 |
419 |
1. **Unusual Traffic Patterns**:
    - Sudden spikes in HTTP requests.
    - Repetitive requests to the same resource.
2. **Unusual Request Characteristics**:
    - Uncommon or suspicious User-Agent strings.
    - URLs with unusual parameters or encoded characters.
    - Misuse of HTTP methods (e.g., unexpected DELETE or PUT requests).
3. **Abnormal Response Codes**:
    - High rates of 4xx/5xx errors.
    - Unexpected successful responses (2xx codes).
4. **Header Anomalies**:
    - Missing or extra headers.
    - Inconsistent header values.
5. **Suspicious Payloads**:
    - Binary data in text-based requests.
    - Obfuscated or excessively encoded data.
6. **Unusual Source IPs**:
    - Requests from unexpected geographical locations.
    - Traffic from known malicious IPs.
445 |
446 | ### Example of Suspicious HTTP Activity
447 |
SQL Injection Attempt

```http
GET /index.php?id=1' OR '1'='1 HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)
```

- **Indicator**: Unusual URL parameter with SQL injection payload.
453 | 
454 | 
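A small triage script that applies the indicators from the HTTP table and the suspicious-HTTP list to one raw request, as an added example that is not part of the original notes. It checks the page's own SQL injection request together with two constructed requests; the expected methods and ports and the injection regex are assumptions chosen for the example.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

EXPECTED_METHODS = {"GET", "POST", "HEAD"}
EXPECTED_PORTS = {80, 8080}  # from the table: 80, with 8080 as the usual alternate
# Quote followed by OR/AND, UNION SELECT, or a trailing comment: classic injection shapes.
SQLI_PATTERN = re.compile(r"'\s*(or|and)\b|union\s+select|--\s*$", re.IGNORECASE)

# Constructed sample requests (the second is the page's own SQL injection example).
NORMAL_REQUEST = "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
SQLI_REQUEST = ("GET /index.php?id=1' OR '1'='1 HTTP/1.1\r\nHost: example.com\r\n"
                "User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)\r\n\r\n")
BARE_IP_REQUEST = "DELETE /uploads/report.pdf HTTP/1.1\r\nHost: 192.168.1.1:8088\r\n\r\n"

def parse_request(raw):
    """Split a raw request into (method, target, headers). Injection tooling often leaves
    spaces in the target unencoded, so everything between method and version is the target."""
    lines = raw.strip().splitlines()
    parts = lines[0].split()
    method, target = parts[0], " ".join(parts[1:-1])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # end of headers
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

def http_request_indicators(raw):
    """Return the suspicious-HTTP indicators from the table that apply to one request."""
    method, target, headers = parse_request(raw)
    indicators = []
    if method not in EXPECTED_METHODS:
        indicators.append(f"unexpected method {method}")
    hostname, _, port = headers.get("host", "").partition(":")
    try:
        ipaddress.ip_address(hostname)
        indicators.append(f"Host is a bare IP address ({hostname}), not an FQDN")
    except ValueError:
        pass  # a hostname, which is what we expect
    if port and int(port) not in EXPECTED_PORTS:
        indicators.append(f"non-standard port {port}")
    if "user-agent" not in headers:
        indicators.append("missing User-Agent header")
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if SQLI_PATTERN.search(value):
            indicators.append(f"SQL injection pattern in parameter {name!r}: {value!r}")
    return indicators

if __name__ == "__main__":
    for raw in (NORMAL_REQUEST, SQLI_REQUEST, BARE_IP_REQUEST):
        print(raw.splitlines()[0], "->", http_request_indicators(raw) or "no indicators")
```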
455 |
456 | #### HTTPS Traffic
457 |
458 | - **HTTPS** operates at Layer 7 (Application Layer) and is the secure version of HTTP.
459 | - HTTPS is considered secure because it uses the SSL (Secure Socket Layer) protocol.
460 | - HTTPS establishes a connection using a handshake process, similar to TCP, but more complex. SSL is responsible for this process.
461 | - The client and server must agree on the same SSL version before the connection can be established.
462 | - They must also agree on the cryptographic algorithm before the connection.
463 | - SSL ensures secure sessions by managing encryption keys between the client and the server.
464 | - Authentication between the client and the server must occur before the connection.
465 | - Both parties must agree on a public encryption key to establish the connection.
466 |
| **Aspect** | **Normal HTTPS Traffic** | **Suspicious HTTPS Traffic** |
| --- | --- | --- |
| **Request Frequency** | Regular, consistent patterns | Unusually high volume or burst requests |
| **Source IP Address** | Known, trusted IPs | Unknown, blacklisted, or spoofed IPs |
| **Destination URL** | Legitimate, expected URLs | Unusual domains, typosquatting, or obfuscated URLs |
| **Ports** | Standard ports (443 for HTTPS, also 8443) | Use of non-standard or unexpected ports |
| **Payload Content** | Encrypted, expected content | Malicious content, even if encrypted (e.g., backdoors, malware payloads) |
| **FQDN** | Resolves to legitimate Fully Qualified Domain Names | May resolve directly to IP addresses instead of domain names |
| **Response Status Codes** | Standard codes (200, 301, 404) | High frequency of error codes (401, 403, 500) |
| **Traffic Volume** | Consistent with normal usage patterns | Sudden, unexpected spikes in traffic volume |

#### Normal HTTPS
478 |
479 | #### Secure Form Submission on a Website
480 |
```http
POST /submit-form HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Content-Length: 89
Connection: keep-alive

name=John+Doe&email=johndoe%40example.com&message=Hello%2C+this+is+a+test+message

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 512
```
482 |
483 | - **Request Frequency**: Normal submission frequency for form submissions.
484 | - **Source IP Address**: Known IP addresses from a user's ISP.
485 | - **Destination URL**: Legitimate form submission URL on the website.
486 | - **Ports**: Standard HTTPS port 443.
487 | - **Payload Content**: Encrypted form data.
488 | - **FQDN**: Resolves to [www.example.com](http://www.example.com).
489 | - **Response Status Codes**: Standard code 200 OK.
490 | - **Traffic Volume**: Consistent with normal form submission activity.
491 |
492 |
493 | #### Suspicious HTTPS
494 |
495 | #### DDoS Attack with Burst Requests
496 |
497 |
```http
GET / HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.5
Connection: keep-alive

HTTP/1.1 403 Forbidden
Content-Type: text/html; charset=UTF-8
Content-Length: 512
```
499 |
500 | - **Request Frequency**: Extremely high volume of requests in a short period.
501 | - **Source IP Address**: Spoofed or unknown IP addresses, often geographically dispersed.
502 | - **Destination URL**: Legitimate homepage URL.
503 | - **Ports**: Standard HTTPS port 443.
504 | - **Payload Content**: Encrypted, but excessive volume.
505 | - **FQDN**: Resolves to [www.example.com](http://www.example.com).
506 | - **Response Status Codes**: High frequency of 403 Forbidden errors.
507 | - **Traffic Volume**: Massive spikes in traffic volume indicative of a DDoS attack.
508 |
509 |
510 | #### Unknown Traffic
511 |
1. **Traffic Filtering**: Focus on port 443, which is expected to be encrypted. However, the observed traffic was not encrypted, indicating it was not SSL traffic.
2. **Protocol Identification**: The traffic involved the AOL Instant Messenger (AIM) protocol, specifically using OFT2 for file transfer.
3. **Wireshark Usage**:
    - **Before Decoding**: Traffic appeared normal without specific protocol dissection.
    - **Decode As Feature**: Right-click the packet in Wireshark and use "Decode As" to specify the AIM protocol.
    - **After Decoding**: Detailed information about the OSCAR (OFT2) protocol was revealed.
4. **Key Tools**: Wireshark and its protocol dissectors are essential for decoding and analyzing unknown traffic.
522 |
523 | ---
524 |
--------------------------------------------------------------------------------