├── 511
│   ├── 511_A13_index.md
│   ├── 511_concordance.txt
│   ├── 511_index_A01.docx
│   ├── 511_index_A05.docx
│   ├── 511_index_A09.docx
│   └── 511_index_A13_02.docx
└── README.md

/511/511_A13_index.md:
--------------------------------------------------------------------------------
SEC511 Index
=====

Index
-----

#### **[Word (.docx) version of the index](/Resources/511_index.docx)**

> **Note:** Please let us know if you find any errors in the index. Also, reach out if you have suggestions to improve the index (e.g. keywords that should be added, removed, or have page references added or removed). The easiest way to submit these improvements is through the bug/suggestion form here: **[http://cyber.gd/511_updates](http://cyber.gd/511_updates)**; also feel free to email **<511@contextsecurity.com>**.

**Version A13\_01**

Please let us know if you find any errors in the index. Also, reach out if you have suggestions to improve the index (e.g. keywords that should be added, removed, or have page references added or removed). The easiest way to submit these improvements is to email <511@contextsecurity.com>.

Seth Misenar and Eric Conrad

| Keyword | Book:Page |
|---------|-----------|
| \$HOME\_NET | 2:79, 3:86, 3:130 |
| \$TRUSTED | 2:77-78 |
| .dll | 4:56, 4:145, 5:82 |
| .evt | 5:43-44, 5:128, 5:131 |
| .evtx | 5:43-44, 5:128, 5:131 |
| .exe | 3:121, 4:56, 4:64, 5:104-105 |
| .jar | 2:118, 3:49, 5:40 |
| Abnormal | 1:144, 1:164, 2:34, 2:36, 2:41, 3:53, 3:154 |
| Access token | 1:116, 2:24, 2:139, 3:175, 4:132, 4:152, 4:154-155, 4:157, 4:161 |
| ACT, Application Compatibility Toolkit | 4:129-130 |
| ActiveX | 1:94, 1:97 |
| Administrative accounts | 2:139, 4:3, 4:95, 4:97-99, 4:101, 4:103, 4:125, 4:137, 5:28, 5:133, 5:143, 5:155, 5:157, 5:159, 5:184 |
| Adobe Reader | 1:94, 1:100, 4:28 |
| ADS, Alternate Data Stream | 4:69-70 |
| Adversary Deception | 2:3, 2:134-135 |
| Adversary success | 1:42, 3:20 |
| Alert data | 1:9, 3:64, 3:82, 3:93 |
| Alexa | 2:38, 3:173, 3:175, 5:88 |
| Analysis Methodology | 3:3, 3:57, 3:60 |
| Anomaly | 2:43, 3:38, 3:43, 3:50-53, 3:81, 3:122, 3:127-130, 3:145, 5:87 |
| Anomaly Detection | 2:34, 2:112, 3:50, 3:52-53, 3:128, 3:130, 3:145, 4:49, 5:28 |
| Antimalware | 1:55, 1:146, 2:110, 2:157, 4:4, 4:18, 4:171-172 |
| Antivirus | 2:157, 3:21, 3:46-48, 3:55, 3:63, 3:73, 3:115, 3:125, 4:171-172, 5:102 |
| Anubis | 2:160 |
| APK | 2:160 |
| AppArmor | 4:86 |
| Application Inspection | 2:95-96, 2:98-99 |
| Application Monitoring | 4:48 |
| Application Whitelisting | 4:48, 4:62-63, 4:71, 4:77, 4:85, 4:87-88, 4:92, 4:94, 4:182, 5:50 |
| Application Whitelisting, Bypass | 4:83 |
| Application Whitelisting, Phase 0: Whitelist Building | 4:57, 4:72-76 |
| Application Whitelisting, Phase 1: Targeted Detection | 4:77-79 |
| Application Whitelisting, Phase 2: Strict Enforcement | 4:80-81 |
| Applocker | 4:87-91, 5:132, 5:161-162 |
| APT | 2:39, 3:169, 4:164, 5:78, 5:104 |
| argus | 3:77, 3:93 |
| ASD Top 35 | 5:25, 5:38 |
| ASD Top 4 | 5:26-28, 5:38 |
| ASEPs | 4:114 |
| ASEPs, Auto-Start Extensibility Points | 1:137, 4:3, 4:114-115, 4:117 |
| ASEPs, Registry | 4:114, 5:177-182 |
| Asset Inventory | 5:52, 5:54, 5:58-59, 5:108 |
| Authentication | 4:4, 4:132-133, 4:143-145, 4:152-154, 4:159, 4:162, 4:168-169, 5:36, 5:84, 5:96, 5:154 |
| Authentication Policy Silos | 4:168 |
| Autoruns | 1:137, 4:3, 4:115, 4:117 |
| awk | 3:40, 3:157 |
| Backdoor | 1:50-51, 1:111 |
| Base64 | 3:147, 4:145 |
| Baseline Configuration | 4:3, 4:31-34, 4:37-39, 4:41, 4:75, 4:94, 5:75 |
| Baselining | 4:42, 4:115, 4:183, 5:51 |
| Behavior | 2:10, 2:107-109, 3:49-50, 3:136, 5:104 |
| Bejtlich | 1:9, 1:58, 3:9, 3:11, 3:16, 3:20, 5:5, 5:9, 5:12 |
| BITS, Background Intelligent Transfer Service | 4:27, 4:29 |
| Blacklist | 1:101, 2:44, 2:53-54, 2:56-57, 2:117, 3:44, 3:46, 3:155, 4:167, 4:188, 5:102 |
| Blue Team | 3:29 |
| Bogon | 2:53-54 |
| Botnet | 1:52, 3:5, 3:137, 5:89, 5:106, 5:109 |
| Bro | 3:30, 3:38-40, 3:43, 3:69, 3:74, 3:89, 3:93, 3:152, 3:155-156, 3:172-173, 3:175-176 |
| Browser | 1:86, 1:94-98, 2:18, 2:114-115, 3:151-153, 3:172 |
| Browser attacks | 1:96-97 |
| C2 | 1:50-51, 1:111, 1:134-135, 1:140, 2:23, 2:26, 2:44-45, 3:3, 3:107, 3:134, 3:141, 5:88-89, 5:176 |
| C2, HTTP | 3:148-149 |
| C2, HTTPS | 1:123, 1:145, 2:97, 3:3, 3:141, 3:159-160, 3:162, 3:166, 3:175 |
| C2, HTTPS and X.509 | 3:55, 3:131-132, 3:162, 3:165, 3:169-175 |
| C2, ICMP | 3:143-144 |
| C2, non-HTTPS SSL | 3:162, 3:164-165 |
| C2, Persistent Connections | 3:138-139 |
| C2, Tor | 3:167 |
| Cached Credentials | 4:152-153 |
| CAPEX | 1:61, 1:157 |
| Carving | 3:3, 3:69-70, 3:74, 3:89 |
| CDM, Continuous Diagnostics and Mitigation | 5:6, 5:10-13, 5:23 |
| Centralized Logging, Windows | 4:175-176, 5:114 |
| Change Detection | 4:41-42, 5:96-98 |
| Change Monitoring | 4:41-42, 4:183 |
| Ciphertext | 3:131 |
| CIS, Center for Internet Security | 4:34-35, 4:37, 4:39, 5:124 |
| Cleartext | 1:145, 4:102, 4:132, 4:145-146, 4:150, 4:162 |
| Client-Side | 1:3, 1:10, 1:63, 1:74-78, 1:80, 1:94, 1:100, 2:17-18, 2:22, 2:26, 2:76, 2:82, 2:90, 3:108 |
| Content Filter | 1:57, 2:116-118, 2:120, 2:122, 2:156, 3:140 |
| Content-Type | 2:118-119 |
| Correlated Data | 1:9, 3:64, 3:87 |
| Cost per record | 1:34 |
| Critical Controls, 1 | 3:123, 3:135, 4:18, 4:61, 4:96, 5:47, 5:52, 5:74, 5:87, 5:101, 5:108, 5:148 |
| Critical Controls, 10 | 4:18 |
| Critical Controls, 13 | 3:135 |
| Critical Controls, 14 | 5:108 |
| Critical Controls, 19 | 3:123 |
| Critical Controls, 2 | 3:123, 3:135, 4:16, 4:61, 5:52, 5:74, 5:101, 5:108, 5:148 |
| Critical Controls, 20 | 4:7-8 |
| Critical Controls, 3 | 3:135, 5:47, 5:52, 5:148 |
| Critical Controls, 5 | 4:8, 4:16, 4:96 |
| Critical Controls, 8 | 4:61 |
| Critical Controls, 9 | 3:135 |
| Critical Controls, First Five Quick Wins | 4:7-8, 4:16, 4:61, 4:96, 4:194, 5:50-51 |
| Critical Security Controls | 1:19, 1:126, 3:162, 4:7-8, 4:16, 4:89, 4:94, 5:23-24, 5:148, 5:184 |
| Cuckoo | 2:108-109, 2:140 |
| CyberScope | 5:18 |
| Daemonlogger | 3:68 |
| Data Breach | 1:32-34, 3:19, 4:180 |
| Data Classification | 5:32, 5:34 |
| Data compromise | 1:72, 1:167, 2:36, 5:34 |
| Daylight Savings Time | 2:58-59, 3:85 |
| DBIR | 1:32-33, 1:35-37, 1:81, 2:125, 3:19 |
| DDoS | 1:51-52, 1:70, 1:104 |
| Debug Programs | 4:100, 4:105, 4:112, 4:193 |
| Deception Devices | 2:3, 2:134-137 |
| Deduction | 3:58 |
| Default Deny | 1:146, 2:51, 2:55, 2:57, 2:60, 5:107 |
| Defensible Network | 1:2, 1:8, 2:163, 3:16, 3:123-125, 3:127-128, 3:138, 3:160, 5:20, 5:30-31, 5:39-40 |
| Detection-Oriented | 1:120-121, 2:74, 4:182 |
| DIACAP | 3:8, 5:7-8, 5:18 |
| diff | 4:42, 4:115, 5:59, 5:96 |
| Dirty Word List | 2:152, 2:154-155, 3:61 |
| Display filters | 3:111, 3:119-122, 3:132, 3:167 |
| DITSCAP | 3:8, 5:7-8 |
| DLL | 2:160, 3:52, 3:87, 3:130, 4:50, 4:56, 4:84, 4:92, 4:145, 4:185, 5:82, 5:161-162 |
| DNS, failed-dns-query | 5:93 |
| DNS, Logging | 5:86-87, 5:90-93, 5:184 |
| DNS, long-dns-query | 5:93, 5:184 |
| DNS, NXDOMAIN | 5:93 |
| DOCX | 1:83, 1:101, 2:118, 2:160, 3:44, 3:86, 3:130, 3:163 |
| DoS, Denial of Service | 1:49, 1:51, 2:102, 3:33, 3:117-118 |
| dumpcap | 3:68 |
| Dynamic Analysis | 2:108-109, 2:118, 2:160 |
| Egress | 1:4, 1:146-147, 1:170, 2:39, 2:42, 2:44, 2:47, 2:49, 2:55, 2:57, 2:60, 2:97, 2:113, 2:122, 2:162, 4:174-176, 4:182 |
| ELSA | 1:4, 1:170, 3:30, 3:41 |
| Emerging Threats | 3:44, 3:83, 3:86-87, 3:130, 3:136 |
| EMET, Enhanced Mitigation Experience Toolkit | 4:3, 4:44-46 |
| Enable-PSRemoting | 5:173 |
| Entropy | 3:34, 3:52, 3:124, 3:127, 3:131-132, 3:163, 3:167, 4:103, 5:88, 5:104-105, 5:135, 5:138, 5:156, 5:181 |
| Event ID 1056, RDP Self-Signed Cert | 5:147, 5:162 |
| Event ID 1102, Event Log Cleared | 5:145, 5:162 |
| Event ID 2003, Firewall Disabled | 5:151, 5:162 |
| Event ID 2005, Firewall Rule | 5:103, 5:152 |
| Event ID 4624, Logon | 5:153, 5:155 |
| Event ID 4720, User Creation | 5:44, 5:142, 5:162 |
| Event ID 4722, User Enabled | 5:44, 5:142, 5:162 |
| Event ID 4724, Password Reset | 5:142, 5:162 |
| Event ID 4732, User Added to Group | 5:44, 5:144, 5:162 |
| Event ID 4738, Account Changed | 5:142, 5:162 |
| Event ID 7030, Interactive Service Error | 5:21, 5:139-140, 5:162, 6:16, 6:20 |
| Event ID 7045, Service Creation | 5:21, 5:135, 5:138, 5:140, 5:149, 5:162 |
| Event IDs, Applocker | 4:90-91, 5:161-162 |
| Event IDs, Removable Media | 5:149 |
| Event Logs, Critical Windows Events | 5:3, 5:127, 5:134, 5:140-141, 5:143, 5:145-146, 5:148-150, 5:153, 5:161, 5:184, 6:16 |
| Event Logs, Damaged | 5:129 |
| Event Logs, Windows | 5:19, 5:123, 5:129, 5:131, 5:133, 5:164 |
| Event Query, Windows | 5:121 |
| Event Viewer | 5:120, 5:128-131, 5:142, 5:144, 5:147, 5:149, 5:151 |
| eventvwr | 5:120, 5:128, 5:130 |
| EXE | 2:160, 3:3, 3:33, 3:52, 3:61, 3:63, 3:73, 3:87, 3:107, 3:116-117, 3:121-122, 3:130, 3:178, 4:56, 5:105, 5:162 |
| EXE, MZ | 3:33, 3:72, 3:118-120, 3:130 |
| EXE, PE | 3:73, 3:87, 3:118, 3:120, 3:130 |
| EXE, This program cannot be run in DOS mode | 3:33, 3:117-119 |
| EXE, This program must be run under Win32 | 3:118, 3:120 |
| EXE, This program must be run under Win64 | 3:118 |
| EXE, Transfer | 3:3, 3:125, 3:127, 3:130, 3:178 |
| Executable | 1:83, 3:116, 3:125, 3:127, 4:66-69, 4:72, 4:75-76, 4:78, 4:84, 5:102 |
| Exfiltration | 1:105, 1:135, 1:145, 1:147, 2:15, 2:25, 2:36, 2:42-45, 2:58-61, 2:68-69, 2:81, 2:83, 2:89-90, 2:94, 2:100-102, 2:110, 2:122 |
| Exploitation | 1:47-48, 1:73, 1:78, 1:97, 1:103, 1:111, 1:122, 1:131, 1:135, 2:15, 2:22, 2:90, 2:137, 4:94, 4:113, 4:132 |
| Extracted data | 3:64, 3:69 |
| False Negative | 3:125 |
| False Positive | 2:66, 2:81, 2:86, 2:102, 2:140, 3:24, 3:52, 3:129-130, 4:77-79, 4:186, 5:40 |
| File Analysis | 2:157, 2:160 |
| File Carving | 3:70, 3:74 |
| File Integrity Monitoring | 4:42, 4:63, 4:179, 4:183 |
| File-format | 1:94, 1:100-101, 3:65, 3:115, 4:187 |
| FIPS 199 | 5:33 |
| Firewalls | 1:57, 2:64, 2:74, 2:87, 2:92-95, 2:97-102, 2:116, 2:146, 2:156, 2:162 |
| Flash | 1:94, 1:97-98, 4:26, 5:26 |
| Flow Data | 1:8, 2:30-33, 2:41, 2:143, 2:162, 3:77 |
| Forensics | 1:159, 2:107, 2:125, 2:154, 3:34, 3:61, 4:42, 4:49, 4:73, 4:84, 4:185-186, 5:129 |
| Forward Proxy | 2:116, 2:122-123 |
| Framework | 1:98, 1:115, 1:126, 2:96, 2:152, 3:39, 4:188, 5:8, 5:174 |
| GeoIP | 2:33, 2:40, 2:53-54, 2:56 |
| Get-WinEvent | 5:21, 5:43-44, 5:140, 5:142, 5:144-145, 5:147, 5:149, 5:151, 5:162 |
| grep | 3:5, 3:30, 3:37, 3:75-76, 3:152, 3:154, 3:156-157, 3:176, 5:68-69, 5:92 |
| Group Policy | 4:24, 4:38, 4:87-88, 4:110, 4:126, 4:139, 4:175, 5:114-115, 5:123 |
| Hanlon's Razor | 3:49, 5:40 |
| HIDS, Host Intrusion Detection System | 1:32, 4:172, 4:179-184 |
| HIPS, Host Intrusion Prevention System | 4:172, 4:179-182, 4:184, 5:36 |
| HKLM\\Security\\Policies\\Secrets | 4:105 |
| HoneyAdmins | 2:139 |
| Honeyclients | 2:140 |
| Honeynets | 2:135, 2:137 |
| Honeypots | 2:3, 2:134-139 |
| HoneyRobots.txt | 2:139 |
| HoneySAT | 2:139 |
| HoneyTable | 2:139 |
| HoneyTokens | 2:4, 2:165 |
| HoneyUsers | 2:139 |
| HTTP GET | 3:36, 3:109, 5:105 |
| HTTP POST | 1:139-140, 3:147-148 |
| Hunt team | 1:13, 1:121, 1:167, 2:8-10, 2:126-127, 2:130-131, 3:7, 3:11-13, 3:178, 4:188, 6:12 |
| Hunt Teams | 1:13, 1:88, 1:121, 1:167, 2:8-10, 2:39, 2:126-127, 2:130-131, 3:7, 3:11-13, 3:178, 4:188, 6:12 |
| Hypothesis Management | 3:60 |
| ICMP | 1:145, 2:32, 2:48-50, 3:52, 3:110, 3:138, 3:141-145 |
| ICMP 0:0, Echo Reply | 3:144 |
| ICMP 8:0, Echo Request | 3:52, 3:142, 3:145, 6:4 |
| IDS Frontends | 1:63, 1:65-67, 3:3, 3:30-34, 3:66, 3:83, 3:113 |
| Impersonation Level | 4:154-157, 4:161 |
| Inbound Filtering | 2:29, 2:53 |
| Incident Response | 1:31-32, 1:159, 1:161, 3:13, 3:103, 3:138, 3:140, 4:42, 4:186 |
| Indicator Identification | 2:152 |
| Indicators | 1:133-134, 2:151-155 |
| Indicators of Compromise | 2:155, 4:186 |
| Interactive Logon | 4:153, 4:159, 4:169, 5:155 |
| Internal SI Firewalls | 2:146, 2:162 |
| Inventory, Active Scanning | 5:52, 5:54-58, 5:64, 5:108 |
| Inventory, Passive Discovery | 3:30, 3:93, 5:54, 5:63-64, 5:66-69 |
| Invisibility | 2:78 |
| IPFIX | 2:30-32, 2:41, 2:143, 2:162, 3:77 |
| IRC | 1:106, 1:132, 2:48, 2:52, 2:70, 2:77, 2:97, 2:101, 3:39, 3:53, 3:67, 3:73, 3:141, 4:83, 4:87 |
| IRC C2 | 2:97, 2:101, 3:141 |
| ISCM, Information Security Continuous Monitoring | 5:6, 5:8, 5:14-16 |
| JAR | 2:106, 2:118, 2:160, 3:49, 5:40 |
| Java | 1:94, 1:97-99, 2:114, 2:118, 2:160, 4:22, 4:26, 4:28, 4:46, 5:26, 5:78 |
| JavaScript | 1:97, 2:114, 2:160 |
| Joe Sandbox | 2:160 |
| Kansa | 4:188-189 |
| Kill Chain | 1:133-134, 2:151-152, 2:154 |
| LanMan Hash | 4:139-140 |
| Layer 3 | 1:59, 1:125, 2:30, 2:33, 2:53, 2:55-57, 2:93, 2:95, 2:97-98, 2:144, 3:108, 3:127 |
| Layer 4 | 1:59, 2:30, 2:33, 2:55, 2:57, 2:93, 2:95, 2:97, 3:108 |
| Layer 7 | 1:18, 1:59, 1:125, 2:33, 2:43-45, 2:50, 2:93, 2:95, 2:98-99, 2:101, 3:65, 3:79, 3:108, 5:100 |
| LiveSSP | 4:147, 4:150, 4:162, 4:168 |
| Log data | 1:9, 2:43, 3:64, 5:19, 5:129 |
| Log files | 3:8, 5:5, 5:129 |
| Log Monitoring | 4:39, 4:183, 5:112, 5:127, 5:132 |
| Log Review | 1:32, 4:179 |
| Log Settings, Windows | 5:122, 5:124 |
| Logon Types, Type 10 | 4:153, 5:155 |
| Logon Types, Type 11 | 4:152-153 |
| Logon Types, Type 2 | 4:153, 4:157, 4:159, 4:169, 5:155 |
| Logon Types, Type 3 | 2:50, 4:111, 4:153, 5:156, 5:159-160 |
| Logon Types, Type 4 | 4:153 |
| Logon Types, Type 7 | 4:147, 4:153, 6:8, 6:14 |
| Long Tail Analysis | 4:188-189, 5:41-44, 5:167, 5:181, 5:184 |
| LSA Secrets | 4:105 |
| lsass.exe | 4:64 |
| LUA Buglight | 4:130 |
| M-Trends | 1:31, 1:36-37, 1:88, 1:130, 1:139, 1:142, 2:125, 4:163 |
| Malvertising | 1:80, 1:87 |
| Malware Detonation Devices | 1:8, 1:57, 2:3, 2:64, 2:106-107, 2:140, 3:125 |
| MBSA, Microsoft Baseline Security Analyzer | 5:79-82 |
| Memory Analysis | 4:185-186, 4:188 |
| Metadata | 1:9, 3:64, 3:79, 3:87, 4:57, 5:129 |
| Metasploit | 1:115, 1:142-143, 3:47, 3:132, 3:165, 4:163, 5:136, 5:138-139, 5:146, 5:157-158 |
| Meterpreter | 1:115-116, 3:117, 3:164-165, 4:161, 5:133, 5:141, 5:145-146, 5:157 |
| Microsoft Account | 4:144, 4:147-150 |
| Microsoft Office | 1:94, 1:100-101, 4:34-35, 5:26 |
| Mimikatz | 4:48, 4:56, 4:92, 4:150, 4:160-168 |
| Minnow | 1:91-92 |
| Mobile application | 2:95 |
| Mobile device | 1:47, 1:90-92, 2:10, 2:114, 3:110, 4:6, 4:13, 4:21 |
| ModSecurity | 2:3, 2:72 |
| MSSP | 1:32, 1:152, 1:157-159, 1:163 |
| NAT | 2:33-34 |
| Nation-State | 1:71 |
| ndiff | 5:59 |
| NetFlow | 1:8, 2:30-33, 2:41, 2:143, 2:162, 3:77 |
| netsniff-ng | 3:30, 3:66, 3:68 |
| Network Logon | 4:111, 4:153, 5:156, 5:159-160 |
| NGFW | 1:8, 1:57, 2:3, 2:64, 2:74, 2:87, 2:92-95, 2:97-102, 2:116, 2:156, 3:108, 5:89, 5:107 |
| ngrep | 3:30, 3:37, 3:75-76 |
| NIDS | 2:3, 2:74-77, 2:80-84, 2:86-87, 3:15, 3:17, 3:30-31, 3:38, 3:43, 3:51, 3:93, 4:179 |
| NIPS | 2:3, 2:74, 2:86-90, 4:179 |
| nmap | 2:38, 3:30, 3:145, 5:56, 5:58-59 |
| Non-Encrypted HTTPS | 3:160-161 |
| NSRL RDS | 4:57, 4:72-76 |
| NT Hash | 4:136, 4:138, 4:140-141, 4:143-144, 4:159, 5:156 |
| NTFS Permissions | 4:99-100, 4:108-110 |
| Obfuscation | 2:160, 3:147 |
| Offense informs defense | 2:149, 5:24 |
| OpenAppId | 2:3, 2:96-97, 2:104, 6:10 |
| OpenVAS | 5:76 |
| OPEX | 1:61, 1:157 |
| OSSEC | 3:93, 4:183 |
| Outbound connections | 2:35-36, 2:38, 2:41, 5:106 |
| Outbound Filtering | 2:29, 2:55-57 |
| Outsource | 1:152, 1:156-159, 1:163, 2:67 |
| p0f | 5:3, 5:64-65, 5:71 |
| PAC | 2:114-115 |
| Packet capture, Full | 1:65-66, 2:30, 3:32, 3:66-68, 3:93 |
| Packet Data | 1:65-66, 1:116, 2:30, 2:130-132, 3:32, 3:66-68, 3:93 |
| PADS, Passive Asset Database | 3:93, 5:64 |
| Pass the pass | 4:162 |
| Pass-the-Hash | 4:136, 4:139, 4:159, 4:161, 5:155-160 |
| Password Hashes | 4:132, 4:135-136, 4:141, 4:157, 4:161, 5:96 |
| Password Hashes, Ntds.dit | 4:141 |
| Password Hashes, SAM | 4:139, 4:141 |
| Patching | 1:78, 2:64, 2:66, 2:68, 4:15-17, 4:21-23, 4:26, 4:31, 4:66, 4:94, 5:31, 5:51, 5:78, 5:184 |
| PDF | 1:75, 1:77, 1:83, 1:101, 2:119, 2:160, 3:108, 5:26 |
| Perfect Solution Fallacy | 3:55, 3:155 |
| Perimeter SI Firewall | 2:3, 2:47, 2:58 |
| Persistence | 1:112, 1:114, 1:116, 1:120, 1:135, 1:137, 2:121, 4:4, 4:113-114, 4:184-185, 4:191, 5:176 |
| Persistence, registry | 5:176 |
| Persistence, service | 4:114 |
| persistent.pl | 3:139-140, 5:106 |
| Phish | 1:75-77, 1:81, 1:84-85, 1:91, 2:152 |
| Phishing | 1:75-77, 1:81, 1:84-85, 1:91, 2:152 |
| Pivoting | 1:106, 1:131, 1:141, 5:153, 5:155, 5:160 |
| Plugin | 1:97-98, 4:161 |
| Ponemon | 1:34 |
| Port Scan | 5:58 |
| Post-Exploitation | 1:103, 1:111, 1:122, 1:131, 1:135, 2:15, 2:23, 2:137, 4:132, 4:184 |
| PowerShell Remoting | 4:188, 5:173-174 |
| PPT | 1:89, 1:101, 2:160, 4:140 |
| PPTX | 1:89, 1:101, 2:160 |
| PRADS | 3:30, 5:64, 5:66-69 |
| PRADS, Passive Real-Time Asset Database | 3:30, 5:64, 5:66-69 |
| Prevention-Oriented | 1:57, 2:74 |
| Privilege escalation | 1:116, 3:13, 3:93, 4:109, 5:46 |
| Process Monitor | 4:127-128 |
| Protected Users | 4:168, 5:160 |
| Protocol Behavior | 3:43, 3:49 |
| Proxies | 2:57, 2:112-114, 2:116, 2:121-123, 2:140, 3:139, 3:147, 5:100-106 |
| PSExec | 1:142-143, 3:132, 4:160, 5:133-139, 5:157-159, 6:16 |
| Rainbow Tables | 4:136 |
| Red Team | 3:29 |
| Redline | 4:186-187 |
| Registry keys | 3:8, 4:127, 5:5, 5:41, 5:167, 5:176, 5:179, 5:181 |
| Remote Interactive | 4:153, 5:155 |
| Reputation | 2:41, 2:45, 2:56, 2:98, 2:120-122, 3:50-51, 4:163 |
| Response-Driven | 1:124 |
| Restricted Admin Mode RDP | 4:168 |
| Reverse HTTP | 1:116, 3:139, 5:106 |
| Reverse HTTPS | 1:116, 5:106 |
| RFC 1918 | 2:53-54 |
| Risk Informed | 1:126 |
| Risk Management | 1:126, 5:8, 5:12, 5:14, 5:18 |
| RMF, Risk Management Framework | 5:9 |
| Router | 2:29-30, 2:34, 2:41-45, 2:47, 2:143, 5:97-98 |
| RTF | 1:83, 1:101 |
| Salts | 4:102, 4:136-138, 4:140, 4:159, 5:156-157 |
| SANCP | 3:93 |
| Sandbox | 1:8, 2:108-109, 2:118, 2:140 |
| SCAP, Security Content Automation Protocol | 4:39, 5:18, 5:74-76 |
| SCCM, System Center Configuration Manager | 4:27-29, 4:68 |
| Scheduled Tasks | 4:114 |
| SCM, Security Compliance Manager | 4:38 |
| SCUP, System Center Updates Publisher | 4:28-29 |
| Security Onion | 1:63-64, 3:28-30, 3:93, 3:99, 3:178, 5:66 |
| SeDebugPrivilege | 4:100, 4:105, 4:112, 4:165, 4:193 |
| Sensor Placement | 3:100-102 |
| Sensor, Design | 3:91, 3:93 |
| Sensor, DMZ | 2:75, 3:102 |
| Sensor, External | 3:102 |
| Sensor, NSM | 3:92, 3:99-100 |
| Sensor, Security Onion | 3:30, 3:93, 3:99, 3:178 |
| Sensor, Umbrella | 3:101-102 |
| Service Accounts | 4:104-105, 5:155 |
| Service Logon | 4:153 |
| Service-side | 1:47-48, 1:73, 1:78, 3:110 |
| Set-ExecutionPolicy | 5:170-171 |
| sFlow | 2:30 |
| Sguil | 1:63, 1:65-67, 3:3, 3:30-34, 3:66, 3:83, 3:113 |
| Shell | 1:51, 1:67, 1:111, 1:115, 5:84, 5:101, 5:118-119, 5:133, 5:141 |
| Shellcode | 1:139, 3:32, 3:34, 4:44 |
| SI Firewall | 2:3, 2:47-48, 2:58-61, 2:92-95, 2:97-99, 2:146-147, 2:162 |
| SID | 4:154 |
| SIEM | 1:8, 1:57, 1:151, 2:3, 2:125-128, 2:132, 3:30, 3:41, 3:63, 4:49-50, 4:57, 4:183, 5:109 |
| Signature Evasion | 3:47 |
| Signature Matching | 3:43-44, 3:46, 3:131 |
| SiLK | 3:77 |
| Situational Awareness | 1:11, 5:46 |
| Sniffing | 1:70, 3:92-94, 3:97, 3:99, 5:56, 5:64 |
| Sniffing, Hubs | 3:95 |
| Sniffing, Port Mirror/SPAN Port | 3:94-96, 3:98, 3:101, 3:128, 3:178 |
| Sniffing, Port Overload | 3:97-98 |
| Sniffing, Taps | 3:94-95, 3:97-98 |
| Sniffing, Virtual | 3:94, 3:99 |
| Snorby | 3:30-31 |
| Snort | 2:3, 2:78-79, 2:96, 2:104, 3:30, 3:38, 3:40, 3:43, 3:68, 3:80, 3:84-85, 3:145 |
| Snort Frontends | 1:63, 1:65-67, 3:3, 3:30-34, 3:66, 3:83, 3:113 |
| SOC | 1:149-165, 4:10, 4:92 |
| Social Engineering | 1:74, 1:80-81, 2:17, 4:113 |
| SP 800-117 | 5:75 |
| SP 800-137 | 5:8, 5:14-17, 5:23 |
| SP 800-37 | 5:8 |
| Spam | 1:49, 1:70, 2:67, 3:86, 5:103, 5:109-110 |
| Splash Proxy | 2:121 |
| Splunk | 3:30, 3:41 |
| Spoofed | 2:41 |
| SQL Injection | 2:10, 2:14-16 |
| SRP, Software Restriction Policies | 4:87-88 |
| SSH | 1:145, 2:95, 2:101, 3:39, 3:139-140, 3:144, 5:84 |
| SSL | 1:116, 2:39, 3:39, 3:159-167, 3:173, 3:175, 4:54-55, 4:68, 5:147 |
| SSO, Single Sign-On | 4:135, 4:143-145, 4:147, 5:156 |
| SSP, Security Service Provider | 1:152, 4:4, 4:143-145, 4:147, 4:162 |
| Stage 2 | 1:137, 3:3, 3:13, 3:107, 3:115-118, 3:128-129, 5:27 |
| Statistical Data | 3:64, 3:81 |
| STIGs, Security Technical Implementation Guides | 4:39-40 |
| Strategic Web Compromise | 1:88 |
| String data | 3:64, 3:75-76, 3:89 |
| strings, command | 3:5, 3:61, 3:75-76, 3:89, 3:117, 3:152, 3:154, 3:157 |
| Suricata | 3:30, 3:38, 3:40, 3:43, 3:145 |
| Sysmon | 4:3, 4:49-57, 4:59 |
| Sysmon, syntax and configuration | 4:3, 4:49, 4:51-53 |
| Tagged data | 3:84-86 |
| Target Breach | 1:35, 2:26, 3:21-25, 3:142, 4:180 |
| TCP/21, FTP | 2:93, 2:95, 3:22-23, 3:39, 3:79, 4:68, 5:101 |
| TCP/22, SSH | 1:145, 2:95, 2:101, 3:39, 3:139-140, 3:144, 5:84 |
| TCP/3389, RDP | 4:152, 4:157, 4:168, 5:110, 5:132-133, 5:146-147, 5:152, 5:162 |
| TCP/443, HTTPS | 1:116, 2:39, 3:39, 3:159-167, 3:173, 3:175, 4:54-55, 4:68, 5:147 |
| TCP/6667, IRC | 2:97, 2:101, 3:39, 3:53, 3:141 |
| TCP/80, HTTP | 1:48, 1:116, 1:125, 1:139-140, 2:39, 2:42, 2:95, 3:39, 3:44, 3:79, 3:138, 3:141, 3:147-148, 3:154, 3:159-167, 3:175, 4:68, 4:145 |
| tcpflow | 3:77 |
| Teensy | 1:89 |
| Threat Intelligence | 1:132, 2:4, 2:98, 2:106, 2:120, 2:149-150, 2:153, 2:157, 4:185 |
| ThreatExpert | 2:160 |
| ThreatTrack | 2:160 |
| Time synchronization | 2:57, 3:91, 3:103-104 |
| Time Zone | 3:104 |
| TLS | 1:116, 3:13, 3:117, 3:160, 3:162-165, 3:167, 3:169 |
| True Positive | 3:24, 3:130, 4:77-78 |
| tshark | 3:35, 3:37, 3:77-78, 3:80, 3:152, 3:175 |
| tspkg | 4:162 |
| TTPs | 1:132, 2:150 |
| Tunnel | 1:145, 2:53, 3:139-141, 3:143-144, 3:162, 3:166, 5:40, 5:102, 5:106 |
| Two-Factor Authentication | 4:133, 4:169 |
| UAC, User Account Control | 4:120-121, 4:123-127, 5:182 |
| UDP/123, NTP | 2:57, 3:91, 3:103 |
| UDP/53, DNS | 2:13, 2:39, 2:51, 2:115, 3:52, 3:141, 4:68, 5:86-90, 5:93, 5:184 |
| UDP/69, TFTP | 4:68 |
| URL Analysis | 2:156, 2:159-160 |
| USB | 1:80, 1:89, 1:145, 3:110, 4:68, 5:43, 5:129, 5:148-149, 5:162, 5:172, 5:180, 6:17 |
| User Rights, Windows | 4:99-100, 4:108, 4:111, 4:154, 4:193 |
| User Visibility | 2:98 |
| User-Agent | 3:3, 3:40, 3:107, 3:151-155, 3:157, 3:178 |
| UTC | 1:32, 1:133, 3:103-104 |
| Virtual Patching | 2:64, 2:66, 2:68 |
| VirusTotal | 2:157-159, 4:50, 4:57, 4:115, 4:166 |
| Visibility | 1:125, 1:136-137, 1:164, 2:44-45, 2:78, 2:90, 2:98, 2:101, 2:142, 3:178, 4:180, 5:15 |
| VLAN ACLs | 2:142, 2:144-146, 4:180 |
| VNC | 1:116, 4:157, 5:139 |
| VPN | 1:19, 1:27, 1:68, 1:145, 1:171, 2:35, 2:166, 3:135, 3:138-139, 3:162, 3:180, 4:195, 5:40, 5:47, 5:61, 5:102, 5:108, 5:185-186 |
| Vulnerability assessment | 3:8, 5:82 |
| Vulnerability Scanning | 2:16, 4:20, 5:3, 5:47, 5:58, 5:73-74, 5:76 |
| Watering Hole | 1:80, 1:88, 2:17-22, 4:121 |
| WDigest | 4:145-147, 4:150, 4:162, 4:165, 4:168 |
| Web Application Firewall | 1:8, 2:3, 2:63-64, 2:66-70 |
| wecutil | 5:119 |
| Wepawet | 2:160 |
| wevtutil | 5:128 |
| WFAS, Windows Firewall with Advanced Security | 4:175-177, 5:132, 5:150-151, 5:162 |
| Whitelist Integrity | 4:65 |
| Windows Event Collector | 5:119 |
| Windows Remoting | 5:118, 5:173 |
| winrm | 5:118, 5:173 |
| Wireshark | 1:63, 1:66-67, 3:32, 3:35-36, 3:65, 3:68, 3:70, 3:81, 3:119-122, 3:132, 3:143, 3:161, 3:164, 3:167 |
| WMF | 1:83, 1:101 |
| WPAD | 2:114-115 |
| WSUS, Windows Server Update Services | 3:124, 4:23-29 |
| X.509 | 3:55, 3:131-132, 3:162, 3:165, 3:169-175 |
| XLS | 1:101, 2:160, 4:70 |
| XLSX | 1:101, 2:160, 4:70 |
| XOR | 1:139, 3:147 |
| Zero-copy | 3:68 |
| Zero-day | 5:78 |
| Zone.Identifier | 4:69-70 |

--------------------------------------------------------------------------------
/511/511_concordance.txt:
--------------------------------------------------------------------------------
Persistence;"persistence" in page
$HOME_NET
$TRUSTED
.dll
.evt
.evtx
.exe;".exe" in page and ("EXE" in cswordlist or "executable" in page)
.jar
Abnormal
Access token;"security access token" in page or "sat" in wordlist or "access token" in page
ACT, Application Compatibility Toolkit;"application compatibility toolkit" in page
ActiveX
Administrative accounts;"built-in administrator" in wordlist or "local administrator" in page or "administrative accounts" in page
Adobe Reader
ADS, Alternate Data Stream;"ADS" in cswordlist
Adversary Deception
Adversary success
Alert data
Alexa
Analysis Methodology
Anomaly
Anomaly Detection;"specific anomalies" in page or "anomalous" in wordlist or "anomaly-based" in wordlist or "targeted anomaly" in page or "anomaly detection" in page
Antimalware
Antivirus;page.count("antivirus") > 1
Anubis
APK
AppArmor
Application Inspection
Application Monitoring
Application Whitelisting;page.count("application whitelisting") > 1
Application Whitelisting, Bypass;("whitlisting" in wordlist and "trusted binaries" in page) or ("whitlisting" in wordlist and "bypass" in wordlist) or "adversary uses trusted filename" in page
Application Whitelisting, Phase 0: Whitelist Building;"nsrl" in wordlist or "fielded-system executables" in wordlist or "pre-fielded system" in wordlist or "whitelisting and phase 0" in page
Application Whitelisting, Phase 1: Targeted Detection;("whitelist" in wordlist and "targeted detection" in page) or ("whitelisting" in wordlist and "detect-only" in wordlist) or ("whitelisting" in wordlist and "phase 1" in page)
Application Whitelisting, Phase 2: Strict Enforcement;"strict enforcement" in page or "unknown binary attempted execution" in page
Applocker
APT
APT;"advanced persistent threat" in page
argus
ASD Top 35;"australian signals directorate" in page or "top 35 mitigations" in page
ASD Top 35;"top 35" in page
ASD Top 4;"top 4" in page
ASEPs, Auto-Start Extensibility Points;"aseps" in wordlist or "autoruns" in wordlist or "reg run" in page or "registry run" in page
ASEPs, Registry;"currentversion" in wordlist
ASEPs;"asep" in wordlist or "autostart extensibility point" in page
Asset Inventory;"asset inventory" in page
Authentication;page.count("authentication") > 1
Authentication Policy Silos
Autoruns
awk; "awk" in wordlist
Backdoor
Base64;"base 64" in page or "base64" in page
Baseline Configuration;"security baseline" in page or "baseline config" in page or "security config" in page
Baselining;"baseline monitoring" in page or "baselining" in wordlist
Behavior;page.count("behavior") > 1
Bejtlich
BITS, Background Intelligents Transfer Service;"BITS" in cswordlist
Blacklist
Blue Team
Bogon
Botnet;"bots" in wordlist or "botnet" in wordlist
Bro; "bro" in wordlist
Browser;page.count("browser") > 1
Browser attacks
C2, HTTP;"http post c2" in page or "c2 post" in page or ("HTTP" in cswordlist and "c2" in wordlist)
C2, HTTPS and X.509;"509" in page or ("organization" in wordlist and "country" in wordlist and "certificates" in wordlist)
C2, HTTPS;("ssl" in wordlist and "c2" in page) or ("tls" in wordlist and "c2" in page) or ("HTTPS" in cswordlist and "c2" in page)
C2, ICMP;"wireshark icmp example" in page or "ssh tunneled" in page
C2, non-HTTPS SSL;"tls without https" in page or "https and non-http ssl" in page or "https meterpreter bind_tcp" in page
C2, Persistent Connections;"persistent external" in page or "c2, persistent connections" in wordlist
#C2, Proxy;("c2" in wordlist and "proxies" in wordlist) or ("c2" in wordlist and "proxy" in wordlist)
C2, Tor;"tor" in wordlist and "c2" in wordlist or "tor https" in page
C2;"command and control" in page or "cnc" in wordlist or "c&c" in wordlist or "c2" in wordlist
C2;"command and control" in page or "command & control" in page
Cached Credentials;"domain cached" in page or "cached credentials" in page
CAPEX
Carving
CDM, Continuous Diagnostics and Miticgation;"CDM" in cswordlist or "cdm, continuous diagnostics and miticgation" in wordlist
Change Detection;"change detection" in page or "change control" in page or "change notification" in page
Change Monitoring;"change control board" in page or "change monitoring" in page
Ciphertext
CIS, Center for Internet Security;"CIS" in cswordlist
Cleartext
Client-Side;page.count("client-side") >1 and page.count("exploit") > 1
Content Filter
Content-Type;"mime type" in page or "content-type" in wordlist
Correlated Data
Cost per record
Critical Controls, 10;"CSC" in cswordlist and " 10 " in page
Critical Controls, 11;"CSC" in cswordlist and " 11 " in page
Critical Controls, 12;"CSC" in cswordlist and " 12 " in page
Critical Controls, 13;"CSC" in cswordlist and " 13 " in page
Critical Controls, 14;"CSC" in cswordlist and " 14 " in page
Critical Controls, 15;"CSC" in cswordlist and " 15 " in page
Critical Controls, 16;"CSC" in cswordlist and " 16 " in page
Critical Controls, 17;"CSC" in cswordlist and " 17 " in page
Critical Controls, 18;"CSC" in cswordlist and " 18 " in page
Critical Controls, 19;"CSC" in cswordlist and " 19 " in page
Critical Controls, 1;"CSC" in cswordlist and " 1 " in page
Critical Controls, 20;"CSC" in cswordlist and " 20 " in page
Critical Controls, 2;"CSC" in cswordlist and " 2 " in page
Critical Controls, 3;"CSC" in cswordlist and " 3 " in page
Critical Controls, 4;"CSC" in cswordlist and " 4 " in page
Critical Controls, 5;"CSC" in cswordlist and " 5 " in page
Critical Controls, 6;"CSC" in cswordlist and " 6 " in page
Critical Controls, 7;"CSC" in cswordlist and " 7 " in page
Critical Controls, 8;"CSC" in cswordlist and " 8 " in page
Critical Controls, 9;"CSC" in cswordlist and " 9 " in page
Critical Controls, First Five Quick Wins;"first five" in page or "critical controls, first five quick wins" in wordlist
Critical Security Controls;"critical controls" in page or "critical security controls" in page
Cuckoo
CyberScope
Daemonlogger
Data Breach
Data Classification
Data compromise
Daylight Savings Time;"dst" in wordlist or "daylight savings time" in page
DBIR;"data breach investigation report" in page or "dbir" in wordlist
DDoS;"distributed denial of service" in page or "ddos" in wordlist
Debug Programs
Deception Devices
Deduction
Default Deny
Defensible Network
Detection-Oriented
DIACAP
diff;"diff" in wordlist
Dirty Word List;"dirty wordlist" in page or "dirty word list" in page
Display filters;("tshark" in wordlist and "-r" in wordlist) or ("wireshark" in wordlist and "filter" in wordlist)
DITSCAP
DLL
#DNS;page.count("dns") > 1
DNS, failed-dns-query;page.count("long-dns-query") > 1
DNS, Logging;("dns" in wordlist and "log" in wordlist) or ("logging" in wordlist and "bind" in wordlist)
DNS, long-dns-query;"long-dns-query" in page or "dns, long-dns-query" in page
DNS, NXDOMAIN;"nxdomain" in wordlist or "failed dns query" in page
DOCX;"doc" in wordlist or "docx" in wordlist
DoS, Denial of Service;page.count("denial of service") >1 or wordlist.count("dos") > 1
dumpcap
Dynamic Analysis
Egress
ELSA
Emerging Threats;"ET" in cswordlist
EMET, Enhanced Mitigation Experience Toolkit;"EMET" in cswordlist or "emet, enhanced mitigation experience toolkit" in wordlist
Enable-PSRemoting
Entropy
Entropy;"random" in wordlist or "entropy" in wordlist
Event ID 1056, RDP Self-Signed Cert;"1056" in page or "event id 1056, rdp self-signed cert" in page
Event ID 1102, Event Log Cleared;"1102" in page or "event id 1102, event log cleared" in page
Event ID 2003, Firewall Disabled;"event 2003" in page or "ID" in cswordlist and "2003" in page
Event ID 2005, Firewall Rule;"2005" in page or "event id 2005, firewall rule" in page
Event ID 4624, Logon;"4624" in page or "event id 4624, logon" in page
Event ID 4720, User Creation;"4720" in page or "event id 4720, user creation" in page
Event ID 4722, User Enabled;"4722" in page or "event id 4722, user enabled" in page
Event ID 4724, Password Reset;"4724" in page or "event id 4724, password reset" in page
Event ID 4732, User Added to Group;"4732" in page or "event id 4732, user added to group" in page
Event ID 4738, Account Changed;"4738" in page or "event id 4738, account changed" in page
Event ID 7030, Interactive Service Error;"7030" in page or "event id 7030, interactive service error" in page
Event ID 7045, Service Creation;"7045" in page or "event id 7045, service creation" in page
Event IDs, Applocker;"8003" in
page or "8006" in page or "8004" in page or "8007" in page 160 | Event IDs, Removable Media;("system log" in page and "usb" in wordlist) 161 | Event Logs, Critical Windows Events;"critical windows events" in page or "malice and windows events" in page or "critical event" in page or "7045" in wordlist or "7030" in wordlist 162 | Event Logs, Damaged;("event logs" in page and "damaged" in wordlist) 163 | Event Logs, Windows;page.count("event logs") > 2 and "windows" in page or ("windows" in wordlist and "centralized" in wordlist and "logging" in wordlist) or "collectors and sources" in page or "collector and windows" in page or "windows event collector" in page or "event viewer" in page or "log and event query" in page or "log settings and windows" in page or "auditpol" in wordlist 164 | Event Viewer;"event viewer" in page or "eventvwr" in wordlist 165 | eventvwr 166 | EXE, MZ;"MZ" in cswordlist 167 | EXE, PE;"PE" in cswordlist 168 | EXE, This program cannot be run in DOS mode;"this program cannot be run in dos mode" in page or "exe, this program cannot be run in dos mode" in page 169 | EXE, This program must be run under Win32;"this program must be run under win32" in page or "exe, this program must be run under win32" in page 170 | EXE, This program must be run under Win64;"this program must be run under win64" in page or "exe, this program must be run under win64" in page 171 | EXE, Transfer;(("exe" in wordlist or "executable" in wordlist) and ("transfer" in wordlist or "transfers" in wordlist)) or "executable flow" in page 172 | EXE;"EXE" in cswordlist 173 | Executable;page.count("executable") > 2 174 | Exfiltration;page.count("exfiltration") > 1 175 | Exploitation;page.count("exploitation") > 2 176 | Extracted data 177 | False Negative 178 | False Positive 179 | File Analysis 180 | File Carving;"carving files" in page 181 | File Integrity Monitoring 182 | File-format;"file format" in page or "file-format" in page 183 | FIPS 199;"fips 199" in page 184 | 
Firewalls;"internal firewalls" in page or "internal si firewalls" in page or "ngfw" in wordlist 185 | Flash 186 | Flow Data;"netflow" in wordlist or "ipfix" in wordlist 187 | Forensics 188 | Forward Proxy 189 | Framework 190 | GeoIP 191 | Get-WinEvent 192 | grep 193 | Group Policy;"gpo" in wordlist or "group policy" in page 194 | Hanlon's Razor;"hanlon" in page 195 | HIDS, Host Intrusion Detection System;"hids" in wordlist or "hids, host intrusion detection system" in wordlist 196 | HIPS, Host Intrusion Prevention System;"hips" in wordlist or "hips, host intrusion prevention system" in wordlist 197 | HKLM\Security\Policies\Secrets 198 | HoneyAdmins 199 | Honeyclients 200 | Honeynets 201 | Honeypots;"internal listening" in page or "deception" in wordlist 202 | HoneyRobots.txt 203 | HoneySAT 204 | HoneyTable 205 | HoneyTokens 206 | HoneyUsers 207 | HTTP GET;"GET" in cswordlist and "HTTP" in cswordlist 208 | HTTP POST;"POST" in cswordlist and "HTTP" in cswordlist 209 | Hunt team 210 | Hunt Teams;"hunt team" in page or "hunting" in wordlist 211 | Hypothesis Management;"hypotheses" in wordlist or "hypothesis management" in page 212 | ICMP 213 | ICMP 0:0, Echo Reply;"icmp type 0" in page or "echo reply" in page 214 | ICMP 8:0, Echo Request;"icmp type 8" in page or "ping" in wordlist or "echo request" in page 215 | IDS Frontends;"sguil" in wordlist or "snorby" in wordlist or "squert" in wordlist 216 | Impersonation Level;"delegate tokens" in page or "impersonation level" in page 217 | Inbound Filtering 218 | Incident Response 219 | Indicator Identification 220 | Indicators 221 | Indicators of Compromise;"ioc" in wordlist or "iocs" in wordlist 222 | Interactive Logon 223 | Internal SI Firewalls 224 | Inventory, Active Scanning;"active scanning" in page or ("scan" in wordlist and "inventory" in wordlist) 225 | Inventory, Passive Discovery;"passive scanning" in page or "passive discovery" in page or "passive host discovery" in page or "pads" in wordlist or "prads" in 
wordlist or "p0f" in wordlist 226 | Invisibility 227 | IPFIX 228 | IRC 229 | IRC C2;("irc" in wordlist and "c2" in page) 230 | ISCM, Information Security Continuous Monitoring;"iscm" in wordlist or "iscm, information security continuous monitoring" in wordlist 231 | JAR 232 | Java 233 | JavaScript 234 | Joe Sandbox;"joe security" in page or "joe sandbox" in page 235 | Kansa 236 | Kill Chain 237 | LanMan Hash;"lm hash" in page or "lanman hash" in page 238 | Layer 3 239 | Layer 4 240 | Layer 7 241 | LiveSSP 242 | Log data 243 | Log files 244 | Log Monitoring 245 | Log Review 246 | Logon Types, Type 10;"type 10" in page or "remote interactive" in page 247 | Logon Types, Type 11;"type 11" in page or "cached credentials" in page 248 | Logon Types, Type 2;"type 2" in page or "interactive logon" in page 249 | Logon Types, Type 3;"type 3" in page or "network logon" in page 250 | Logon Types, Type 4;"type 4" in page or "service logon" in page 251 | Logon Types, Type 7;"type 7" in page or "unlock" in page 252 | Long Tail Analysis;"stacking analytics" in page or "stakrank" in wordlist or "stack ranking" in page or "long tail" in page 253 | LSA Secrets 254 | lsass.exe 255 | LUA Buglight 256 | M-Trends 257 | Malvertising 258 | Malware Detonation Devices 259 | MBSA, Microsoft Baseline Security Analyzer;"mbsa" in wordlist or "mbsa, microsoft baseline security analyzer" in wordlist 260 | Memory Analysis 261 | Metadata 262 | Metasploit;page.count("metasploit") > 1 263 | Meterpreter 264 | Microsoft Account 265 | Microsoft Office 266 | Mimikatz 267 | Minnow;"minnows" in wordlist or "minnow" in wordlist 268 | Mobile application 269 | Mobile device 270 | ModSecurity 271 | MSSP 272 | NAT;"NAT" in cswordlist 273 | Nation-State 274 | ndiff 275 | NetFlow;"netflow" in wordlist or "netflow" in wordlist 276 | netsniff-ng;"netsniff" in wordlist or "netsniff-ng" in wordlist 277 | Network Logon 278 | NGFW;"next generation firewall" in page or "NGFW" in cswordlist 279 | ngrep 280 | NIDS;"network 
intrusion detection system" in page or page.count("nids") > 1 281 | NIPS;"network intrusion prevention system" in page or "nips" in wordlist 282 | nmap 283 | Non-Encrypted HTTPS 284 | NSRL RDS;"nsrl" in wordlist or "nsrl rds, national software reference library reference dataset" in wordlist 285 | NT Hash 286 | NTFS Permissions 287 | Obfuscation;"obfuscated" in wordlist or "obfuscation" in wordlist 288 | Offense informs defense 289 | OpenAppId 290 | OpenVAS 291 | OPEX 292 | OSSEC 293 | Outbound connections;"persistent outbound connections" in page or "high volume outbound" in page or "unexpected destinations" in page 294 | Outbound Filtering 295 | Outsource;"outsourcing" in wordlist or "outsource" in wordlist 296 | p0f 297 | PAC;"proxy auto-configuration" in wordlist or "PAC" in cswordlist 298 | Packet capture, Full;page.count("full packet capture") > 1 or page.count("full pcap") > 1 299 | Packet Data;page.count("packet capture") > 1 or page.count("PCAP") > 1 300 | PADS, Passive Asset Database;"pads" in wordlist or "pads, passive asset database" in wordlist 301 | Pass the pass 302 | Pass-the-Hash;"pth" in wordlist or "pass the hash" in page 303 | Password Hashes 304 | Passwords Hashes, Ntds.dit;"ntds.dit" in page 305 | Passwords Hashes, SAM;"SAM" in cswordlist or "passwords hashes, sam" in wordlist 306 | Patching;page.count("patching") > 1 307 | PDF;"PDF" in cswordlist 308 | Perfect Solution Fallacy 309 | Perimeter SI Firewall;"perimeter" in wordlist and "firewall" in wordlist and ("SI" in cswordlist or "stateful inspection" in page) 310 | Persistence, registry;("persistence" in page and "registry" in wordlist) 311 | Persistence, service;("persistence" in wordlist and "services" in wordlist) 312 | persistent.pl 313 | Phish;"phishing" in wordlist or "phish" in wordlist 314 | Phishing 315 | Pivoting;page.count("lateral movement" or "pivoting") > 1 316 | Plugin 317 | Ponemon 318 | Port Scan 319 | Post-Exploitation;page.count("post-exploitation") > 1 320 | PowerShell 
Remoting;"psremoting" in wordlist or "powershell remoting" in page 321 | PPT 322 | PPTX 323 | PRADS 324 | PRADS, Passive Real-Time Asset Database;"prads" in wordlist or "prads, passive real-time asset database" in wordlist 325 | Prevention-Oriented 326 | Privilege escalation;"escalation" in wordlist or "privilege escalation" in page 327 | Process Monitor 328 | Protected Users 329 | Protocol Behavior 330 | Proxies;wordlist.count("proxy") > 1 331 | PSExec 332 | Rainbow Tables 333 | Red Team 334 | Redline 335 | Registry keys;"or registry startup keys" in page or "registry keys" in page 336 | Remote Interactive 337 | Reputation 338 | Response-Driven 339 | Restricted Admin Mode RDP 340 | Reverse HTTP 341 | Reverse HTTPS 342 | RFC 1918;"rfc1918" in page or "rfc 1918" in page 343 | Risk Informed 344 | Risk Management 345 | RMF, Risk Management Framework;"rmf" in wordlist or "rmf, risk management framework" in wordlist 346 | Router;page.count("router") > 1 347 | RTF 348 | Salts 349 | SANCP 350 | Sandbox 351 | SCAP, Security Content Automation Protocol;"scap" in wordlist or "scap, security content automation protocol" in wordlist 352 | SCCM, System Center Configuration Manager;"sccm" in wordlist or "sccm, system center configuration manager" in wordlist 353 | Scheduled Tasks 354 | SCM, Security Compliance Manager;"scm" in wordlist or "scm, security compliance manager" in wordlist 355 | SCUP, System Center Updates Publisher;"scup" in wordlist 356 | Security Onion 357 | SeDebugPrivilge;"debug programs" in page or ("debug" in wordlist and "privilege" in wordlist) 358 | Sensor Placement;"nids placement" in page or "sensor placement" in page 359 | Sensor Placement;"umbrella sensor" in page or "sensor placement" in page 360 | Sensor, Security Onion;"sensor" in page and "security onion" in page 361 | Sensor, Design;"sensor design" in page 362 | Sensor, NSM;"nsm sensor" in page 363 | Sensor, Umbrella;"umbrella sensor" in page 364 | Sensor, External;"external sensor" in page 365 | 
Sensor, DMZ;"dmz sensor" in page 366 | Service Accounts 367 | Service Logon 368 | Service-side;(page.count("server-side") > 1 or page.count("service-side") > 1) and page.count("exploit") > 1 369 | Set-ExecutionPolicy 370 | sFlow 371 | Sguil 372 | Shell;"shell" in wordlist 373 | Shellcode 374 | SI Firewall;"stateful inspection" in page or "si firewall" in page 375 | SID;"SID" in cswordlist 376 | SIEM;"SIM" in cswordlist or "SIEM" in cswordlist 377 | Signature Evasion 378 | Signature Matching 379 | SiLK 380 | Situational Awareness 381 | Sniffing 382 | Sniffing, Hubs;"hub" in wordlist and "sniff" in wordlist 383 | Sniffing, Port Mirror/SPAN Port;"mirror port" in page or "span port" in page 384 | Sniffing, Port Overload;"tap buffer" in page or "sniffing, port overload" in page 385 | Sniffing, Taps;"taps" in wordlist or "network tap" in page 386 | Sniffing, Virtual;"sniffing virtual" in page or "sniffing, virtual" in wordlist 387 | Snorby 388 | Snort 389 | Snort Frontends;"sguil" in wordlist or "snorby" in wordlist or "acid" in wordlist or "BASE" in cswordlist or "squert" in wordlist 390 | SOC;"SOC" in cswordlist 391 | Social Engineering 392 | SP 800-117;"800-117" in page 393 | SP 800-137;"800-137" in page 394 | SP 800-37;"800-37" in page 395 | Spam 396 | Splash Proxy 397 | Splunk 398 | Spoofed;"forged" in wordlist or "spoofed" in wordlist 399 | SQL Injection 400 | SRP, Software Restiction Policies;"srp" in wordlist or "srp, software restiction policies" in wordlist 401 | SSH 402 | SSL;"port 443" in page or cswordlist.count("HTTPS") > 1 or cswordlist.count("SSL") > 1 403 | SSO, Single Sign-On;"SSO" in cswordlist or "sso, single sign-on" in wordlist 404 | SSP, Security Service Provider;"ssp" in wordlist or "sspi" in wordlist or "security service provider" in page 405 | Stage 2;"tracking exe" in page or "stage 2" in page 406 | Statistical Data 407 | STIGs, Security Technical Implementation Guides;"stig" in wordlist or "stigs" in wordlist 408 | Strategic Web Compromise 409 
| String data;"pcap strings" in page or "string data" in page 410 | strings, command;"strings" in page and "pcap" in page 411 | Suricata 412 | Sysmon 413 | Sysmon, syntax and configuration;("sysmon" in wordlist and "syntax" in wordlist) or ("sysmon" in wordlist and "configuration" in wordlist) 414 | Tagged data;"tagging" in wordlist or "tagged rule" in page 415 | Target Breach;("target" in wordlist and "breach" in wordlist) 416 | TCP/21, FTP;"port 21" in page or "ftp" in wordlist 417 | TCP/22, SSH;"port 22" in page or "ssh" in wordlist 418 | TCP/3389, RDP;"port 3389" in page or "3389" in wordlist or "rdp" in wordlist 419 | TCP/443, HTTPS;"port 443" in page or cswordlist.count("HTTPS") > 1 or cswordlist.count("SSL") > 1 420 | TCP/6667, IRC;"port 6667" in page or "6667" in wordlist or "IRC" in cswordlist 421 | TCP/80, HTTP;"port 80 " in page or cspage.count("HTTP") > 1 422 | tcpflow 423 | Teensy 424 | Threat Intelligence 425 | Threat Intelligence;"threat intel" in page 426 | ThreatExpert 427 | ThreatTrack 428 | Time synchronization;"ntp" in wordlist or "utc" in wordlist or "time zone" in page or "daylight savings time" in page 429 | Time Zone 430 | TLS 431 | True Positive 432 | tshark 433 | tspkg 434 | TTPs 435 | TTPs;"TTP" in cswordlist or "tactics, techniques, and procedures" in wordlist 436 | Tunnel 437 | Two-Factor Authentication;"two factor" in page or "two-factor" in page 438 | UAC, User Account Control;"uac" in wordlist or "uac, user account control" in wordlist 439 | UDP/123, NTP;"ntp" in wordlist or "port 123" in page 440 | UDP/53, DNS;"port 53" in page or page.count("dns") > 1 441 | UDP/69, TFTP;"port 69" in page or "tftp" in wordlist 442 | URL Analysis 443 | USB 444 | User Rights, Windows;("windows" in wordlist and "user rights" in page) 445 | User Visibility 446 | User-Agent;"user agent" in page or "user-agent" in wordlist 447 | UTC 448 | Virtual Patching;"virtual patch" in page or "virtual patching" in page 449 | VirusTotal 450 | 
Visibility;page.count("visibility") > 1 451 | VLAN ACLs 452 | VNC 453 | VPN 454 | Vulnerability assessment 455 | Vulnerability Scanning;"vulnerability scan" in page or "vulnerability scanning" in page 456 | Watering Hole 457 | WDigest 458 | Web Application Firewall;"waf" in wordlist or "web application firewall" in page 459 | wecutil 460 | Wepawet 461 | wevutil 462 | WFAS, Windows Firewall with Advanced Security;"wfas" in wordlist or "windows firewall" in page 463 | Whitelist Integrity 464 | Windows Remoting;"winrm" in wordlist 465 | winrm 466 | Wireshark;page.count("wireshark") > 1 467 | WMF 468 | WPAD;"web proxy autodiscovery protocol" in page or "wpad" in wordlist 469 | WSUS, Window Server Update Services;"wsus" in wordlist or "wsus, window server update services" in wordlist 470 | X.509 471 | XLS 472 | XLSX 473 | XLSX;"xls" in wordlist or "xlsx" in wordlist 474 | XOR 475 | Zero-copy 476 | Zero-day;"zero day" in page or "0day" in wordlist or "0-day" in wordlist 477 | Zone.Identifier 478 | Event Logs, Windows;page.count("event logs") > 2 and "windows" in page 479 | Windows Event Collector;"windows event collector" in page 480 | Log Settings, Windows;"log settings" in page and "windows" in page 481 | Event Query, Windows;"log" in page and "event query" in page 482 | Centralized Logging, Windows;"windows" in wordlist and "centralized" in wordlist and "logging" in wordlist 483 | -------------------------------------------------------------------------------- /511/511_index_A01.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sans-blue-team/course_indices/c12e888da2227d718afcf650c748e6fef6665afe/511/511_index_A01.docx -------------------------------------------------------------------------------- /511/511_index_A05.docx: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/sans-blue-team/course_indices/c12e888da2227d718afcf650c748e6fef6665afe/511/511_index_A05.docx -------------------------------------------------------------------------------- /511/511_index_A09.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sans-blue-team/course_indices/c12e888da2227d718afcf650c748e6fef6665afe/511/511_index_A09.docx -------------------------------------------------------------------------------- /511/511_index_A13_02.docx: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/sans-blue-team/course_indices/c12e888da2227d718afcf650c748e6fef6665afe/511/511_index_A13_02.docx -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # course_indices 2 | Indices for courses in SANS' Network Security Operations curriculum 3 | --------------------------------------------------------------------------------
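The concordance rules in 511_concordance.txt above are `Keyword;expression` lines (or a bare `Keyword`, or a `#`-disabled line) whose expressions are evaluated against each book page to produce the `Keyword | Book:Page` table in the index. The following is an added example, not the generator the repository's authors use: a small evaluator that parses rules in that format and builds the keyword-to-page map. Everything it assumes about the evaluation environment is inferred from the rules themselves and is an assumption, not documented behaviour: `page` is the lowercased page text, `wordlist` its lowercased tokens, `cswordlist` the same tokens case-sensitive, `cspage` the raw text, and a bare keyword matches when it appears in the page case-insensitively. The rule set and page texts are constructed for the example.

```python
"""Evaluate SEC511-style concordance rules and build a Keyword -> Book:Page map.

Added example; not the course authors' generator. The meaning of the names
page / wordlist / cswordlist / cspage is inferred from the rule file and is an
assumption, as is the handling of bare keywords.
"""
import re

# Constructed rule set in the same Keyword;expression format as the concordance.
SAMPLE_RULES = """\
Pass-the-Hash;"pth" in wordlist or "pass the hash" in page
Event ID 4624, Logon;"4624" in page or "event id 4624, logon" in page
HTTP GET;"GET" in cswordlist and "HTTP" in cswordlist
Pivoting;page.count("lateral movement") > 1 or page.count("pivoting") > 1
#C2, Proxy;("c2" in wordlist and "proxy" in wordlist)
Mimikatz
"""

# Constructed page texts keyed by the Book:Page label used in the index tables.
SAMPLE_PAGES = {
    "4:152": (
        "Event ID 4624 records a successful logon. Attackers reuse NTLM "
        "hashes via Pass the Hash (PtH) for lateral movement, and lateral "
        "movement through PsExec is one form of pivoting."
    ),
    "4:157": "Mimikatz dumps credentials from lsass.exe; an HTTP GET then exfiltrates them.",
    "2:95": "An HTTP GET request and the HTTP response are inspected by the proxy.",
}

# Token pattern (assumption): keeps word characters plus - . / & so that
# tokens such as lsass.exe, 0-day and c&c survive as single words.
TOKEN = re.compile(r"[\w\-./&]+")


def parse_rules(text):
    """Return (keyword, expression-or-None) pairs; '#' lines are disabled rules."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, sep, expr = line.partition(";")
        rules.append((keyword, expr if sep else None))
    return rules


def page_context(page_text):
    """Build the names the rule expressions refer to (assumed semantics)."""
    cswordlist = TOKEN.findall(page_text)
    return {
        "cspage": page_text,
        "page": page_text.lower(),
        "cswordlist": cswordlist,
        "wordlist": [w.lower() for w in cswordlist],
    }


def rule_matches(keyword, expr, ctx):
    """Evaluate one rule against a page context.

    The rule file is trusted input: eval() executes whatever the expression
    says, and stripping builtins only limits accidents, so never evaluate
    rules that come from an untrusted source.
    """
    if expr is None:
        return keyword.lower() in ctx["page"]
    return bool(eval(expr, {"__builtins__": {}}, ctx))


def build_index(rules, pages):
    """Map each keyword to the Book:Page labels whose text matches it, in book order."""
    index = {}
    for label, text in pages.items():
        ctx = page_context(text)
        for keyword, expr in rules:
            if rule_matches(keyword, expr, ctx):
                index.setdefault(keyword, []).append(label)
    for labels in index.values():
        labels.sort(key=lambda lab: tuple(int(n) for n in lab.split(":")))
    return index


if __name__ == "__main__":
    for keyword, labels in build_index(parse_rules(SAMPLE_RULES), SAMPLE_PAGES).items():
        print(f"{keyword:<22} {', '.join(labels)}")
```

Running it lists `HTTP GET` against both 2:95 and 4:157 and `Pass-the-Hash`, `Event ID 4624, Logon` and `Pivoting` against 4:152, while the `#`-disabled `C2, Proxy` rule never fires. The `Pivoting` rule is written with two separate `count()` calls on purpose: `page.count("lateral movement" or "pivoting")` evaluates the `or` first, reduces to `page.count("lateral movement")`, and silently never looks for "pivoting", which is the kind of mistake the evaluator can be used to catch by testing a rule against a page known to contain only the second term.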