BTL1 Notes

Common Ports

Port   | Service | Description
20,21  | FTP     | File Transfer Protocol, used to transfer files between systems.
22     | SSH     | Secure Shell Protocol, allows users to securely connect to a remote host.
23     | Telnet  | Used before SSH; allows users to connect to a remote host but offers no encryption.
25     | SMTP    | Simple Mail Transfer Protocol, used to send emails between servers within the network or over the internet.
53     | DNS     | Domain Name System, converts human-readable domain names to machine-readable IP addresses.
67,68  | DHCP    | Dynamic Host Configuration Protocol, automatically assigns IP address-related information to hosts on the network.
80     | HTTP    | Hypertext Transfer Protocol, allows browsers (Chrome, Firefox, etc.) to connect to web servers and request content.
443    | HTTPS   | Hypertext Transfer Protocol Secure, a secure version of HTTP which allows browsers to securely connect to web servers and request content.
514    | Syslog  | A Syslog server listens for incoming Syslog notifications, transported in UDP packets.

***

Phishing Analysis


Gathering Artifacts (IOCs)

Email Artifacts -

  • Sender Address

  • Reply-To Address

  • Sending Server IP

  • Reverse DNS

  • Recipient Address

  • Subject Line

  • Date & Time

Web-based Artifacts -

  • Full-URLs (sanitized)

  • Domain Names

File-based Artifacts -

  • Filename & Extension

  • MD5/SHA1/SHA256 Hash Values

Artifacts Analysis

  1. Visualization Tools - URL2PNG, URLScan

  2. URL Reputation Tools - VirusTotal, URLScan, URLhaus, WannaBrowser

  3. File Reputation Tools - VirusTotal, Talos File Reputation

  4. Malware Sandboxing - Hybrid Analysis

Defanging URL & IP Address
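The following is an added example, not part of the original notes: a small Python defang/refang helper of the kind an analyst keeps beside a phishing report. The sample URL and IP address are constructed for the demo. It rewrites the scheme to hxxp/hxxps and brackets the dots in the host name and in IPv4 addresses, and it reverses the change so the indicator can be handed to a reputation or sandbox service again.

```python
import re

# Constructed sample indicators used only for demonstration; they are not
# from the original notes.
SAMPLE_URL = "https://login.example.com/verify/index.php?session=1"
SAMPLE_IP = "192.0.2.25"

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
URL_PARTS_RE = re.compile(r"^([a-z]+://)?([^/?#]+)(.*)$", re.IGNORECASE)


def defang_ip(ip: str) -> str:
    """Replace each dot in an IPv4 address with [.] so it cannot be clicked
    or auto-linked when pasted into a ticket, report or chat."""
    return ip.replace(".", "[.]")


def defang_url(url: str) -> str:
    """Neutralise a URL: rewrite the scheme to hxxp/hxxps and bracket the
    dots in the host name. Dots in the path and query are left alone so the
    URL still reads naturally."""
    url = re.sub(r"^http", "hxxp", url, flags=re.IGNORECASE)
    match = URL_PARTS_RE.match(url)
    if not match:
        # Not a URL shape we recognise; bracket every dot as a fallback.
        return url.replace(".", "[.]")
    scheme, host, rest = match.groups()
    return (scheme or "") + host.replace(".", "[.]") + rest


def defang(indicator: str) -> str:
    """Dispatch on the indicator type: bare IPv4 address, or URL/domain."""
    if IPV4_RE.match(indicator):
        return defang_ip(indicator)
    return defang_url(indicator)


def refang(text: str) -> str:
    """Reverse the defanging so an indicator can be fed to a reputation or
    sandbox service that expects a live URL or address."""
    text = text.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", text, flags=re.IGNORECASE)


if __name__ == "__main__":
    for indicator in (SAMPLE_URL, SAMPLE_IP, "example.com"):
        safe = defang(indicator)
        print(f"{indicator} -> {safe} -> {refang(safe)}")
```

Only the host part is bracketed on purpose: a bracketed scheme and host is enough to stop mail clients and chat tools from turning the indicator into a link, while the path stays readable for the reader of the report.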

Digital Forensics


Data can be represented in the following ways:

  • Base64

  • Hexadecimal

  • Octal

  • ASCII

  • Binary

Metadata

File Carving

Hashing

  1. Windows

  2. Linux
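As an added example (not from the original notes, and independent of the Windows or Linux command line tools), this Python snippet computes the MD5, SHA1 and SHA256 values listed under File-based Artifacts in one pass over a file, and checks the SHA256 against a set of known hashes such as those returned by a file reputation service. The sample file content is constructed for the demo.

```python
import hashlib
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # read 1 MiB at a time so large disk images do not load into memory


def hash_bytes(data: bytes) -> dict:
    """Return MD5, SHA1 and SHA256 hex digests of an in-memory buffer."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def file_hashes(path: str) -> dict:
    """Compute all three digests of a file in a single read pass."""
    digests = {
        "md5": hashlib.md5(),
        "sha1": hashlib.sha1(),
        "sha256": hashlib.sha256(),
    }
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(CHUNK_SIZE), b""):
            for digest in digests.values():
                digest.update(chunk)
    return {name: digest.hexdigest() for name, digest in digests.items()}


def matches_known_hash(path: str, known_sha256: set) -> bool:
    """True if the file's SHA256 appears in a set of known hashes, e.g. an
    IOC list from a reputation service. Comparison is case-insensitive."""
    return file_hashes(path)["sha256"].lower() in {h.lower() for h in known_sha256}


def demo() -> dict:
    """Write a constructed sample attachment to a temporary file, hash it,
    and return the digests. The content is made up for the demo."""
    sample_content = b"hello"
    fd, path = tempfile.mkstemp(suffix=".bin")
    try:
        with os.fdopen(fd, "wb") as handle:
            handle.write(sample_content)
        result = file_hashes(path)
        # Hashing from disk must agree with hashing the same bytes in memory.
        assert result == hash_bytes(sample_content)
        return result
    finally:
        os.remove(path)


if __name__ == "__main__":
    for algo, value in demo().items():
        print(f"{algo}: {value}")
```

Record all three digests in the case notes: older reputation databases and vendor reports still key on MD5 or SHA1, while SHA256 is what current services expect.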

Data Acquisition

  • FTK Imager - import an .img file into FTK Imager.

  • KAPE - used for fast acquisition of data.

Windows Investigation

LNK Files -

  • These files can be found at

Prefetch Files -

  • These files can be found at

Jump List -

  • These files can be found at

Browsers Artifacts -

Event Logs -

  • Event ID 4624 - Successful Logon

  • Event ID 4625 - Failed Logon

  • Event ID 4672 - Special Logon (an account with administrative privileges logs in)

  • Event ID 4634 - Logoff from the current session

  • Event ID 4720 - User account was created

  • Event ID 4726 - User account was deleted

  • Event ID 4732 - A member was added to a security-enabled local group

These event logs could be found at

Linux Investigation

  • /etc/passwd — contains a list of user accounts on the system, and their permissions.

  • /etc/shadow — contains encrypted passwords of existing users on the system.

  • unshadow /etc/passwd /etc/shadow > <new-file> to combine the passwd and shadow together.

  • /var/lib/dpkg/status — includes a list of all installed software packages on Debian-based systems.

  • .bash_history — contains a list of commands that have been run by the specific user.

  • Hidden Files and Directories — usually prefixed with a dot (.)

  • Clear Files — files that are accessible by standard means, e.g. a browser or terminal.

  • Steganography — a practice of concealing messages or files within other non-secret text or data.
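As an added example that is not part of the original notes, the following Python script performs the account review an investigator does over the /etc/passwd and /etc/shadow files described above: it parses both, flags any account other than root that carries UID 0, lists accounts with an interactive login shell, and finds shadow entries whose password field is empty (no password required). The file contents, user names and hash strings are constructed for the demo.

```python
from dataclasses import dataclass

# Constructed sample contents of /etc/passwd and /etc/shadow; the accounts,
# UIDs and hash strings are made up for the demo.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc-backup:x:0:0::/var/backups:/bin/sh
"""

SAMPLE_SHADOW = """\
root:$6$constructedsalt$constructedhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$constructedsalt$anotherhash:19000:0:99999:7:::
svc-backup::19000:0:99999:7:::
"""


@dataclass
class PasswdEntry:
    name: str
    uid: int
    gid: int
    home: str
    shell: str


def parse_passwd(text: str) -> list:
    """Parse the seven colon-separated fields of each /etc/passwd line."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":", 6)
        entries.append(PasswdEntry(name, int(uid), int(gid), home, shell))
    return entries


def parse_shadow(text: str) -> dict:
    """Map user name to the password field (second column) of /etc/shadow."""
    result = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        result[fields[0]] = fields[1]
    return result


def extra_uid0_accounts(entries: list) -> list:
    """Any account other than root with UID 0 has full root rights."""
    return [e.name for e in entries if e.uid == 0 and e.name != "root"]


def interactive_accounts(entries: list) -> list:
    """Accounts whose shell allows an interactive login."""
    blocked = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
    return [e.name for e in entries if e.shell not in blocked]


def passwordless_accounts(shadow: dict) -> list:
    """An empty password field means no password is required; '*' or '!'
    means the account is locked."""
    return [name for name, pw in shadow.items() if pw == ""]


def review(passwd_text: str, shadow_text: str) -> dict:
    """Run every check and return the findings keyed by check name."""
    entries = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)
    return {
        "extra_uid0": extra_uid0_accounts(entries),
        "interactive": interactive_accounts(entries),
        "passwordless": passwordless_accounts(shadow),
        "missing_from_shadow": [e.name for e in entries if e.name not in shadow],
    }


if __name__ == "__main__":
    for check, names in review(SAMPLE_PASSWD, SAMPLE_SHADOW).items():
        print(f"{check}: {names}")
```

On a real image, point the two parse functions at the copies of passwd and shadow taken from the mounted evidence rather than the analysis host's own files, and compare the findings against what the system owner says the accounts should be.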

Volatility — Memory Analysis -

Security Information and Event Management

All queries must start by referencing the dataset.

To search for a source IP address

To search for a destination IP address that a connection was made to, e.g. localhost (127.0.0.1)

Incident Response


Network Traffic Analysis

Use Wireshark to analyze network traffic capture files, including .pcap, .cap and .pcapng.

Command Prompt to assist with incident response

  • List network configuration information on the local system

  • Print a list of running processes and programs

  • Display running processes and the associated binary file that was executed to create each process

  • Print a list of all local system users

  • Print a list of all users that are members of the Administrators group

  • List all services and detailed information about each one

  • List all open ports on the system

PowerShell to help extract valuable information

  • Get network-related information from the system

  • List all local users on the system

  • Identify running services on the system and show the results in a separate window

  • List the running processes and group them by their priority value

  • Get specific information about a service

  • List tasks that are scheduled to run after certain conditions are met

  • Dig deeper by specifying the task we're interested in and piping it to show all properties

  • Change the Execution Policy applied to a specific user

DeepBlueCLI - a tool created by SANS to aid the investigation and triage of Windows Event Logs

  • Run the command against a specific local log file

  • Run the command to analyze the system we are currently on

Appendix A — Logs Information Details


Logon Type (Event ID: 4624)

Type | Description
2    | Interactive (interactively logged on, meaning a physical logon to the device)
3    | Network (accessed system via network)
4    | Batch (started as an automated batch job)
5    | Service (a Windows service started by service controller)
6    | Proxy (proxy logon; not used in Windows NT or Windows 2000)
7    | Unlock (unlock workstation - think Interactive logon, but unlocking to resume a previous session)
8    | NetworkCleartext (network logon with cleartext credentials)
9    | NewCredentials (used by RunAs when the /netonly option is used)

NETLOGON LOG ERROR CODE (Event ID: 4625)

NETLOGON log error code | Description
0xC0000064              | The specified user does not exist
0xC000006A              | The value provided as the current password is not correct
0xC000006C              | Password policy not met
0xC000006D              | The attempted logon is invalid due to a bad username
0xC000006E              | User account restriction has prevented successful login
0xC000006F              | The user account has time restrictions and may not be logged onto at this time
0xC0000070              | The user is restricted and may not log on from the source workstation
0xC0000071              | The user account's password has expired
0xC0000072              | The user account is currently disabled
0xC000009A              | Insufficient system resources
0xC0000193              | The user's account has expired
0xC0000224              | User must change his password before he logs on the first time
0xC0000234              | The user account has been automatically locked
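The Event Logs section under Windows Investigation and the two Appendix A tables above are most useful together, so here is an added Python example (not part of the original notes) that applies them to a batch of logon events: it renders each record with the event ID, logon type and status code meanings from the notes, then runs the checks a triage analyst would want first, namely many failed logons from one source, network logons that sent the password in clear (type 8), privileged logons (4672) and failures that ended in a lockout. The event records are constructed for the demo and are shaped like the EventData fields of 4624/4625 records; the field names are assumptions, not a Windows API.

```python
from collections import Counter

# Lookup tables taken from the Event Logs section and Appendix A of these notes.
EVENT_IDS = {
    4624: "Successful Logon",
    4625: "Failed Logon",
    4672: "Special Logon",
    4634: "Logoff",
    4720: "User account created",
    4726: "User account deleted",
    4732: "Member added to security-enabled local group",
}

LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 6: "Proxy",
    7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
}

STATUS_CODES = {
    "0xC0000064": "The specified user does not exist",
    "0xC000006A": "The value provided as the current password is not correct",
    "0xC000006D": "The attempted logon is invalid due to a bad username",
    "0xC0000072": "The user account is currently disabled",
    "0xC0000234": "The user account has been automatically locked",
}

# Constructed sample events; names, addresses and times are made up.
SAMPLE_EVENTS = [
    {"time": "2024-01-01T08:00:01", "id": 4625, "user": "alice", "ip": "203.0.113.10", "logon_type": 3, "status": "0xC000006A"},
    {"time": "2024-01-01T08:00:02", "id": 4625, "user": "bob", "ip": "203.0.113.10", "logon_type": 3, "status": "0xC0000064"},
    {"time": "2024-01-01T08:00:03", "id": 4625, "user": "carol", "ip": "203.0.113.10", "logon_type": 3, "status": "0xC0000064"},
    {"time": "2024-01-01T08:00:04", "id": 4625, "user": "admin", "ip": "203.0.113.10", "logon_type": 3, "status": "0xC000006A"},
    {"time": "2024-01-01T08:00:05", "id": 4625, "user": "admin", "ip": "203.0.113.10", "logon_type": 3, "status": "0xC0000234"},
    {"time": "2024-01-01T08:01:00", "id": 4624, "user": "dave", "ip": "10.0.0.5", "logon_type": 8, "status": "0x0"},
    {"time": "2024-01-01T09:00:00", "id": 4624, "user": "alice", "ip": "10.0.0.7", "logon_type": 2, "status": "0x0"},
    {"time": "2024-01-01T09:00:00", "id": 4672, "user": "alice", "ip": "-", "logon_type": 2, "status": "0x0"},
]


def describe(event: dict) -> str:
    """Render one record as a readable line using the notes' tables."""
    name = EVENT_IDS.get(event["id"], f"Event {event['id']}")
    logon = LOGON_TYPES.get(event["logon_type"], "Unknown")
    line = f"{event['time']} {event['id']} {name}: {event['user']} from {event['ip']} ({logon})"
    if event["id"] == 4625:
        line += " - " + STATUS_CODES.get(event["status"], event["status"])
    return line


def failed_logon_sources(events: list, threshold: int) -> dict:
    """Count 4625 events per source address and return those at or above
    the threshold; many failures from one source across several user names
    is the classic password-guessing pattern."""
    counts = Counter(e["ip"] for e in events if e["id"] == 4625)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def cleartext_logons(events: list) -> list:
    """4624 with logon type 8 means the password crossed the network in clear."""
    return [e["user"] for e in events if e["id"] == 4624 and e["logon_type"] == 8]


def privileged_logons(events: list) -> list:
    """4672 marks a logon that was granted administrative privileges."""
    return [e["user"] for e in events if e["id"] == 4672]


def lockouts(events: list) -> list:
    """Accounts whose failed logon carried the 'automatically locked' status."""
    return [e["user"] for e in events if e["id"] == 4625 and e["status"] == "0xC0000234"]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(describe(event))
    print("failed-logon sources:", failed_logon_sources(SAMPLE_EVENTS, 5))
    print("cleartext logons:", cleartext_logons(SAMPLE_EVENTS))
    print("privileged logons:", privileged_logons(SAMPLE_EVENTS))
    print("lockouts:", lockouts(SAMPLE_EVENTS))
```

The threshold is deliberately a parameter: on a busy domain controller five failures an hour is noise, while on a single workstation it is worth a look, so tune it per log source rather than hard-coding one value.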

Linux Logs

  • /var/log/auth.log — contains system authorization information. i.e. user logins.

  • /var/log/dpkg.log — contains information that is logged when a package is installed or removed using dpkg.

  • /var/log/btmp — contains information about failed login attempts.

  • /var/log/cron — logs information about cron jobs.

  • /var/log/secure — contains information related to authentication and authorization.

  • /var/log/faillog — contains user failed login attempts.
