introlabs's People

Contributors: 2smithereens, her3ticavi, mastrong, strandjs

introlabs's Issues

Typos in DeepBlueCLI.md

file:///C:/Users/adhd/IntroLabs/IntroClassFiles/index.html#!Tools/IntroClass/deepbluecli/DeepBlueCLI.md

DeepBlueCLI is a free tool by Eric Conrand

-> Conrad

Typos in Wireshark.md

file:///C:/Users/adhd/IntroLabs/IntroClassFiles/index.html#!Tools/IntroClass/Wireshark/Wireshark.md

tcpdump, lets take

-> let's

having some visulizations is very

-> visualizations

Wireshark. Basicly, it is key

-> Basically

Lets get started.

-> Let's

The second windows shows a

-> window

If it is.... You must

-> you

highlights the corasponding

-> corresponding

This means wirreshark can decode

-> wireshark

fly and automaticly highlight

-> automatically

the relevent data

-> relevant

Ok, now, lets play with some statistics.

-> let's

Please select Staticstics >

-> Statistics

If you looks closely, there is a lot

-> look

Now, lets look at Statisctics >

-> let's
-> Statistics

This gives us a breakdown of who was chatting with what systems the most.

-> system

the opisite direction

-> opposite

Now, lets play with some basic

-> let's

with possible compleation options

-> completion

quickly drill in on any spcific protocls you

-> specific
-> protocols

for that spcific string:

-> specific

Typo in Menu Button

file:///C:/Users/adhd/IntroLabs/IntroClassFiles/index.html#!index.md

-> Cyber Deception

say "Comming Soon!!!"

should be "Coming soon!"

Use Login Hours Restrictions in Honey User Lab

It is possible to use login hour restrictions in the honey users lab.

Add net user Frank /time: to the user creation script which will set Frank's login hours to None

You may also want to modify Frank's password to be an otherwise-successful hit (Winter2020)

Now the event log that is generated if you password spray Frank's password is Account logon time restriction violation.

Class Lab Hierarchy

Sort LAB page link order to reflect 'Intro to SOC' first and 'intro to Sec' second

Simple typo

WINADHD VM > Desktop Labs link > Cyber Deception > "Comming Soon!!!"

Typos in TCPDump.md

file:///C:/Users/adhd/IntroLabs/IntroClassFiles/index.html#!Tools/IntroClass/TCPDump/TCPDump.md

and security analyest

-> analyst

Well, it is showing each packets Timestamp:

-> packet's
-> timestamp

can create filters for litteraly every

-> literally

Lets add port number.

-> Let's

either sent or recived to port

-> received
-> by

Lets dig into the packet

-> Let's

We can also see the raw Hex, if that is your sort of thing with the -X flag:

-> thing, with

This is very usefull when

-> useful

Here is a great resoruce to try

-> resource

Typos in WebLogReview.md

file:///C:/Users/adhd/IntroLabs/IntroClassFiles/index.html#!Tools/IntroClass/WebLogReview/WebLogReview.md

Now, lets instert your IP address

-> let's
-> insert

Typos in LinuxCLI.md

file:///C:/Users/adhd/IntroLabs/IntroClassFiles/index.html#!Tools/IntroClass/LinuxCLI/LinuxCLI.md

The fist will be where we run the backdoor.

-> first

On your Linux terminal

-> you switch between capitalizing Linux (as in Linux terminal here, Linux backdoor later) and lowercase (linux system later)

We will next need to create a fifo backpipe:
/#mknod backpipe p

-> Repetition

Next, lets start the backdoor:

-> let's

back into the netcat listiner.

-> listener

Basicly, this will create a backdoor listnening

-> listening

Now, lets connect:

-> let's

Now, lets type some

-> let's

Also notice there was not message saying

-> no

It just drops our curser back to the left side of the screen.

-> cursor

Now, lets open

-> let's

We want to be root becasue doing looking at network

-> "because"
-> remove the "doing"

Basicly, it is very had to do your job as a SOC

-> Basically
-> hard

Lets start by

-> Let's

ports that are being used.just

-> used. Just

Now lets

-> let's

Lets look at the full processes

-> Let's

This is a for all processes. U for sorted by user and x to indlude the processes using a teletype terminal.

-> I know it's cause it's the start of the sentence, but a capital U is actually a different switch
-> include

It allows us to see data associated with the various proccess directly.

-> processes

This is very, very usefull as

-> useful

what, exacly a program is doing.

-> remove the comma

Labs not ordered in Intro to SOC class web dropdown

The dropdown for the Intro to SOC class lists each of the labs, but the order does not match the sequence they are used in the class.

(class is still ongoing for me, but so far we've done, in order, Windows CLI, DeepBlueCLI, Linux CLI, TCPDump, Wireshark)

AdvancedC2 Typo

One of the interesting things about many malware specimens we review these days is how they “wait” for the attacker to communicate with them. For example, in the sample malware traffic we are reviewing, the backdoor “beacons” out every 30 seconds. This is for two reasons. One is because the attacker might not be at a system waiting for a command shell on a ### compromised target and. Secondly, because long-term established sessions tend to attract attention. This is because with protocols such as HTTP, the sessions are generally short burst sessions for multiple objects. When this backdoor was created, we wanted it to act like real HTTP. So, it had to have an asynchronous component to it.

Steps to disable Windows Updates for lab-vm

Dear John,

I've set up and tested the steps below to disable Windows updates on the Lab-VM, with working results.

Disable the Windows service directly under services:

  • Win + R ==> services.msc ==> Select Windows Update service ==> General Tab ==> Startup Type ==> Disabled
  • While you are there, stop the running service by right clicking Windows Update service and clicking stop.
    [screenshot: update_service]

Edit the registry to first disable the Windows Medic service by changing the config value to (4)

  • Win + R ==> regedit ==> Navigate to HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services>WaaSMedicSvc ==> Modify the Start key and set its value to (4).
  • Update the registry permissions for the WaaS service to allow the (adhd) user to disable the service by enabling "Full Control" for "All users on the system"
    [screenshot: WaaSReg_Disable]
    [screenshot: WaaS_set_perms]

Update the System Windows Update Group Policy. (This is the real winner)

  • Win + R ==> gpedit.msc ==> Computer Configuration ==> Administrative Templates ==> Windows Components ==> Windows Update ==> Configure Automatic Updates ==> Select Disable ==> OK
    [screenshot: windows_update_gpc]

At this stage you can reboot the VM and test the updates by bringing up the Windows Updates menu.

  • End result can be seen in screenshots.
    [screenshot: tested_windows_updates]

Typos in RITA.md

file:///C:/Users/adhd/IntroLabs/IntroClassFiles/index.html#!Tools/IntroClass/RITA/RITA.md

For VSAgent we will be focusing on Beacons

-> focussing

Typos in MemoryAnalysis.md

file:///C:/Users/adhd/IntroLabs/IntroClassFiles/index.html#!Tools/IntroClass/Memory/MemoryAnalysis.md

Sprcificly in the area of network

-> Specificly

applied to any comercial tools

-> commercial

navigate to the the memory

-> remove one the

Lets open a command

-> Let's

look at it with Volaitlity!

-> Volatility

Now, we will need to navigate to the cd \tools\volatility_2.6_win64_standalone directory

-> "cd to the \tools" or "navigate to the c:\tools", you mixed both

established and have SYS_Sent and closed:

-> SYN_SENT

we are seeing the CLsoe and

-> CLOSED

The above screenshot is... Concerning.

-> concerning

look further into this becasue

-> because

it is compromised (becasue it

-> because

anytime a "suspect" computer has another open connection to an internal system is, without question, a cause for concern.

-> any time

Now, lets look

-> let's

Generaly, users and day to day usage of a system does not

-> Generally
-> do

We may see it brefily as part

-> briefly

was invoked by the user on the system as Explorer.exe is the GUI

-> on the system, as

Lets now dive

-> Let's

Simple Typo

IntroLabs/IntroClassFiles/index.html#!Tools/IntroClass/LinuxCLI/LinuxCLI.md

4th line: "The fist will be where we run the backdoor."

The first...

Typos in DomainLogReview.md

file:///C:/Users/adhd/IntroLabs/IntroClassFiles/index.html#!Tools/IntroClass/DomainLogReview/DomainLogReview.md

We will start by using DeepBlueCLI, then moving into looking directly at the event logs themselves.

-> move

We have 240 logon failures. That... Is a lot for this small org.

-> is

event IDs of 4476:

-> 4776

FirewallLog.md Typo

Issue: Typo
Location: First line from the top of FirewallLog.md

-> "In this lab, we will be looing at a log from an ASA firewall from Cisco."

LinuxCLI.md typos

Line 2: "lense" should be "lens"
Line 18: "basicly" should be "basically"
Line 38: "curser" should be "cursor"
Line 38: "succesfully" should be "successfully"
Line 40: "Basicly" should be "Basically"
Line 54: "usesfull" should be "useful"
Line 62: "direcly" should be "directly"

Canarytokens.md Typo

File: Canarytokens.md
"Then, select Coned Website from the dropdown: " <- Cloned

Typos in DomainLogReview

file:///C:/IntroLabs/IntroClassFiles/index.html#!Tools/IntroClass/DomainLogReview/DomainLogReview.md

Now, please click on the header column called Event ID. This will sort the logs by ID number we are doing this because we want to quickly get to the event IDs of 4476:

should be event 4776

Applocker navlink broken

In navigation.md, line 22, the Applocker link does not go to the correct resource.

Expected: http://localhost:8888/#!Tools/IntroClass/AppLocker/AppLocker.md

Current: https://github.com/strandjs/IntroLabs/blob/master/IntroClassFiles/Tools/IntroClass/AppLocker/AppLocker.md

Typos in WindowsCLI.md

file:///C:/Users/adhd/IntroLabs/IntroClassFiles/index.html#!Tools/IntroClass/WindowsCLI/WindowsCLI.md

ways to learn, well... Anything,

-> anything

is to actualy

-> actually

Lets get started.

-> "Let's" - but you could also just scratch the sentence since the next one is "let's get started" again.

Please note that my adaptor

-> adapter

msf5 exploit(multi/handler) > set LHOST 172.26.19.133
Remember, your IP will be different!
msf5 exploit(multi/handler) > exploit

-> I think this is missing the set LPORT 4444 step. The default seems to be 8443

open an edge browser

-> Edge

Now, lets look

-> Let's

Please, remember, your IP addresses will

-> address

Now, lets open another

-> let's

Once we are in, lets start

-> let's

connections yet. Lets try

-> Let's

Now, lets drill down

-> let's

Now, lets dive in!

-> let's

Lets keep digging with wmic:

-> Let's

see above, it was launced by

-> launched
