Common Ports
| Port | Service | Description | |
| 20,21 | FTP | File Transfer Protocol used to transfer files b/w systems. | |
| 22 | SSH | Secure Shell Protocol allows users to securely connect to a remote host. | |
| 23 | Telnet | Used before SSH, allows users to connect to a remote host, doesn’t offer encryption. | |
| 25 | SMTP | Simple Mail Transfer Protocol used to send emails between servers within the network, or over the internet. | |
| 53 | DNS | Domain Name System converts human-readable domain names to machine-readable IP address. | |
| 67,68 | DHCP | Dynamic Host Configuration Protocol assign IP address-related information to any hosts on the network automatically. | |
| 80 | HTTP | Hypertext Transfer Protocol allows browsers (Chrome, Firefox, etc) to connect to web servers and request contents. | |
| 443 | HTTPS | Hypertext Transfer Protocol Secure is a secure version of HTTP Protocol which allows browsers to securely connect to web servers and request contents. | |
| 514 | Syslog | Syslog server listens for incoming Syslog notifications, transported by UDP packets. | *** |
Phishing Analysis
Gathering Artifacts (IOCs)
Email Artifacts -
Sender Address
Reply-To Address
Sending Server IP
Reverse DNS
Recipient Address
Subject Line
Date & Time
Web-based Artifacts -
Full-URLs (sanitized)
Domain Names
File-based Artifacts -
Filename & Extension
MD5/SHA1/SHA256 Hash Values
Artifacts Analysis
URL Reputation Tools - VirusTotal, URLScan, URLhaus, WannaBrowser
File Reputation Tools - VirusTotal, Talos File Reputation
Malware Sandboxing - Hybrid Analysis
Defanging URL & IP Address
Digital Forensics
Data representation can be done in the following ways,
Base64
Hexadecimal
Octal
ASCII
Binary
Metadata
|
File Carving
|
Hashing
Windows
1
Get-FileHash -Algorithm [algorithm-to-use] [file]Linux
md5sum <file> sha1sum <file> sha256sum <file>
Data Acquisition
FTK Imager - import
.imgfile in FTK Imager. DownloadKAPE - uses for fast acquisition of data. Download
Windows Investigation
LNK Files -
These files can be found at
1
%userprofile%\Appdata\Roaming\Microsoft\Windows\RecentWindows File Analyzer can be used to view these files in form of human-readable format.
Prefetch Files -
These files can be found at
1
C:\Windows\PrefetchPrefetch Explorer Command Line can be used to view these files in form of human-readable format a.k.a.
PEbatch.exe.# Using PEbatch requires administrator privilege PEbatch.exe -f [path-to-file].pf PEbatch.exe -k "string-to-match" -d [path-to-prefetch-folder]
Jump List -
These files can be found at
C:\Users\% USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinationsJumpList Explorer could be used to analyze these files.
Browsers Artifacts -
Event Logs -
Event ID 4624 - Successful Logon
Event ID 4625 - Failed Logon
Event ID 4672 - Special Logon (with administrative privileges logs in)
Event ID 4634 - Logoff from the current session
Event ID 4720 - User account was created
Event ID 4726 - User account was deleted
Event ID 4732 - A member was added to a security-enabled local group
These event logs could be found at
|
Linux Investigation
/etc/passwd— contains a list of user accounts on the system, and their permissions./etc/shadow— contains encrypted passwords of existing users on the system.unshadow /etc/passwd /etc/shadow > <new-file>to combine the passwd and shadow together./var/lib/dpkg/status— includes list of all installed software packages on debian-based systems..bash_history— contains a list of commands that have been run by the specific user.Hidden Files and Directories — usually prefix with
.Clear Files — the file that is accessible by standard means. i.e. browser, terminal
Steganography — a practice of concealing messages or files within other non-secret text or data.
Volatility — Memory Analysis -
|
Security Information and Event Management
Splunk
Make sure you turn searching query time to All Times to see all the events
To quickly identify sourcetype (don’t look through every single log) make sure to turn Event Sampling to
1:100 or 1:1000 or etc.
All queries must start by referencing the dataset
|
To search for a source ip address
|
To search for a destination ip address that made a connection with, i.e. locahost (127.0.0.1)
|
Incident Response
Network Traffic Analysis
Using Wireshark to analyze network traffic capture files including, .pcap, .cap, .pcapng, etc.
Command Prompt to assist with incident response
List network configuration information in local system
1
ipconfig /allPrint a list of running processes and programs
1
tasklistDisplay running processes and associated binary file that was executed to create the process
1
wmic process get description, executablepathPrint a list of all local system users
1
net userPrint a list of all users that are resided in an administrators user group
1
net localgroup administratorsPrint all users reside in a RDP group
1
net localgroup "Remote Desktop Users"List all services and detailed information about each one
1
sc query | moreList all open ports on a system
1
netstat -ab
Powershell to help extracted valuable information
To get network-related information from the system
Get-NetIPConfiguration Get-NetIPAddressList all local users on the system
Get-LocalUser # To get more information about a specific user Get-LocalUser -Name BTLO | select *To identify running services on the system and show the results in a nice windows
1
Get-Service | where Status -eq "Running" | Out-GridViewList the running processes and group it by their priority value
1
Get-Process | Format-Table -View priorityGet specific information from a service
# specific information by including their name Get-Process -Name 'namehere' # specific information by including their id and piping for collected all properties Get-Process -Id 'idhere' | Select *List tasks that are set to run after certain conditions are met
1
Get-ScheduledTaskDig more deeper by specifying the task we’re interested in and piping for all properties
1
Get-ScheduledTask -TaskName 'PutANameHere' | Select *Change the Execution Policy applied to specific user
1
Set-ExecutionPolicy Bypass -Scope CurrentUser
- DeepBlueCLI is a tool that was created by SANS to aid the investigation and triage of Windows Event Logs
Run the command to a specific local log file
1
./DeepBlue.ps1 ../Log1.evtxRun the command to analyze the system we are currently on
# to analyze a live security log ./DeepBlue.ps1 -log security # to analyze a live system log ./DeepBlue.ps1 -log system
Appendix A — Logs Information Details
Logon Type (Event ID: 4624)
| Type | Description |
| 2 | Interactive (interactively logged on, meaning a physical logon to the device) |
| 3 | Network (accessed system via network) |
| 4 | Batch (started as an automated batch job) |
| 5 | Service (a Windows service started by service controller) |
| 6 | Proxy (proxy logon; not used in Windows NT or Windows 2000) |
| 7 | Unlock (unlock workstation - think Interactive logon, but unlocking to resume a previous session) |
| 8 | NetworkCleartext (network logon with cleartext credentials) |
| 9 | NewCredentials (used by RunAs when the /netonly option is used) |
NETLOGON LOG ERROR CODE (Event ID: 4625)
| NETLOGON log error code | Description |
| 0xC0000064 | The specified user does not exist |
| 0xC000006A | The value provided as the current password is not correct |
| 0xC000006C | Password policy not met |
| 0xC000006D | The attempted logon is invalid due to a bad username |
| 0xC000006E | User account restriction has prevented successful login |
| 0xC000006F | The user account has time restrictions and may not be logged onto at this time |
| 0xC0000070 | The user is restricted and may not log on from the source workstation |
| 0xC0000071 | The user account’s password has expired |
| 0xC0000072 | The user account is currently disabled |
| 0xC000009A | Insufficient system resources |
| 0xC0000193 | The user’s account has expired |
| 0xC0000224 | User must change his password before he logs on the first time |
| 0xC0000234 | The user account has been automatically locked |
Linux Logs
/var/log/auth.log— contains system authorization information. i.e. user logins./var/log/dpkg.log— contains information that is logged when a package is installed or remove using dpkg./var/log/btmp— contains information about failed login attempts./var/log/cron— logs information about cron job./var/log/secure— contains information related to authentication and authorization./var/log/faillog— contains user failed login attempts.