Shiva108

SOC Core Skills w/ John Strand (16 Hours)

Dec 16th, 2020
SOC Core Skills w/ John Strand (16 Hours)
Mon, Dec 14, 2020 4-9PM UCT

Comments & feedback:
webcasts@wildwesthackinfest.com
training@wildwesthackinfest.com
theinnkeeper@wildwesthackinfest.com

Dedicated SOC Core Skills Discord Server:
https://discord.gg/MmRKwEpWwu

Preparation instructions and hands-on labs installation guide:
https://wildwesthackinfest.com/training/soc-core-skills-instructions/

Slides:
https://handouts-live.s3.amazonaws.com/b0b53ddc19754bb7b2e376b85646a1ae?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20201214T160824Z&X-Amz-SignedHeaders=host&X-Amz-Expires=86400&X-Amz-Credential=AKIAJICNIQWVMWBRIUMQ%2F20201214%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=a0c42d706063156eaf7aa6e368dd7e333d1d7fa32ac23852b4785f474d33d207

ADHD Win VM:
https://introclassjs.s3.us-east-1.amazonaws.com/WINADHD.7z
Checksums:
Algorithm: SHA256
Hash: 54C461A0BFC6E9599B0A9BC92D3BD16CB21E5020100D4C2532FE7C43B1807129
https://www.activecountermeasures.com/free-tools/adhd/
GitHub Labs:
https://github.com/strandjs/IntroLabs
https://github.com/strandjs/IntroLabs/blob/master/IntroClassFiles/navigation.md

Security Onion:
https://github.com/Security-Onion-Solutions/security-onion
https://securityonionsolutions.com/software/

SOC Core Skills w/ John Strand (16 Hours - Pay What You Can)
Tue-Fri 2-5 Feb 2021 11AM-3PM CST
https://register.gotowebinar.com/register/5912460362618462478

Getting Started in Security with BHIS and MITRE ATT&CK w/ John Strand (16-Hours - Pay What You Can)
Tue-Fri 23-26 Feb 2021 11AM-3PM CST
https://register.gotowebinar.com/register/3559987064714262542

Active Defense & Cyber Deception w/ John Strand (16 Hours - Pay What You Can)
Tue-Fri 16-19 Mar 2021 11AM-3PM CDT
https://register.gotowebinar.com/register/3272325136631560973

LINKS (BHIS):

https://www.blackhillsinfosec.com/
https://wildwesthackinfest.com/online-training/
https://www.activecountermeasures.com/

Your 5 Year Path: Success in Infosec:
https://youtu.be/Uv-AfK7PkxU
https://www.blackhillsinfosec.com/wp-content/uploads/2020/09/SLIDES_Your5YearPlanIntoInfoSec.pdf

Contacts:
https://www.twitch.tv/banjocrashland
https://www.twitch.tv/banjocrashland/schedule
https://twitter.com/BanjoCrashland
https://www.linkedin.com/in/jasonsblanchard/
https://twitter.com/debthedeb
https://www.linkedin.com/in/deborahwigley/
https://twitter.com/BHinfoSecurity

Training:
https://wildwesthackinfest.com/training-schedule/
https://www.blackhillsinfosec.com/webcast-the-soc-age-or-a-young-soc-analysts-illustrated-primer/
https://www.youtube.com/channel/UCJ2U9Dq9NckqHMbcUupgF0A

How to Hunt for Jobs like a Hacker w/ Jason Blanchard
https://youtu.be/Air1c697tjw

Cyber Range:
https://www.blackhillsinfosec.com/services/cyber-range/

4 hours of free intro Threat Hunting training from Chris Brenton:
https://youtu.be/FzYPT1xTVHY

How to build your own home lab to gain experience:
https://youtu.be/t7bhnK47Ygo

Pillage the Village:
https://www.youtube.com/watch?v=n2nptntIsn4

Backdoors and Breaches:
https://www.blackhillsinfosec.com/projects/backdoorsandbreaches/

RITA:
https://www.activecountermeasures.com/free-tools/rita/

Videos:
https://www.youtube.com/c/BlackHillsInformationSecurity/videos
News:
https://youtu.be/QZOW0itnyLU

The SOC Age Or, A Young SOC Analyst's Illustrated Primer | John Strand | 1 Hour
https://www.youtube.com/watch?v=Lhol4rZo_ts

How to update the VM labs:
•Delete: C:\IntroLabs\
•Double-click: C:\labupdate.bat
•Note: don't run it as an Administrator, or the files will not be placed in the correct directory (the clone lands in whatever directory the batch file is run from)
If this fails somehow, or the labupdate.bat file is not present:
•Open Notepad, paste the following in, save it as C:\labupdate.bat, and run it again:
@ECHO OFF
REM clones the labs into the current directory, which is C:\ when double-clicked from C:\
git clone https://github.com/strandjs/IntroLabs
exit
If the LABS shortcut on the Desktop is missing/broken:
•Update the labs again
•or manually open: C:\IntroLabs\IntroClassFiles\index.html

Stop Windows 10 updates:
•In the Run dialog (Win+R), type "services.msc" and hit Enter
•Select the Windows Update service from the Services list
•On the "General" tab, change the "Startup Type" to "Disabled"
•Restart your machine

VMware Workstation does not support nested virtualization on this host.
Module 'MonitorMode' power on failed.
Failed to start the virtual machine.
Fix (from an elevated command prompt, then reboot): bcdedit /set hypervisorlaunchtype off
Note: this turns off the Windows hypervisor, so Hyper-V and WSL 2 stop working until you set hypervisorlaunchtype back to auto.

Enable WSL (from an elevated command prompt):
dism.exe /online /enable-feature /featurename:Microsoft-Windows-Subsystem-Linux /all /norestart

netstat:
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/netstat
tasklist:
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/tasklist
DeepBlueCLI:
https://github.com/sans-blue-team/DeepBlueCLI
DeepWhiteCLI:
https://github.com/darkoperator/Posh-VirusTotal
VirusTotal:
https://www.virustotal.com/gui/
VirusTotal API Key:
https://www.virustotal.com/en/documentation/public-api/

https://www.opendns.com/
https://github.com/davehull/Kansa
https://adblockplus.org/
https://pi-hole.net/
https://portswigger.net/daily-swig/sad-dns-researchers-pull-source-code-as-dns-cache-poisoning-technique-deemed-too-dangerous
https://www.windows-commandline.com/get-computer-model/
https://requestpolicycontinued.github.io/
https://www.velocidex.com/
https://github.com/ComodoSecurity/openedr
https://www.activecountermeasures.com/free-tools/passer/
https://github.com/activecm/passer
LINKS (Students):

https://www.timeanddate.com/time/map/

https://jensoroger.wordpress.com/2020/07/22/if-you-are-attending-getting-started-in-security-with-bhis-and-mitre-attck-with-strandjs-next-week-and-running-linux-and-virtualbox-how-to-import-the-machine-bhinfosecurity-wwhackinfest/

I was able to run the SOC VM in Hyper-V. Just follow "Converting a VMDK virtual disk copied from ESXi" and "The entry 1 is not a supported disk database entry for the descriptor" in this guide:
https://www.nakivo.com/blog/how-to-convert-vmware-vm-to-hyper-v/#:~:text=The%20entry%201%20is%20not,of%20the%20disk%20database%20entries
In the entry 1 error guide section, you don't need to run boot repair, just uncomment the dbtools line and run dsfi to save back. I converted it to VHDX and created a Gen 2 VM in Hyper-V. It booted up just fine, but FYI they don't support you running it like this. This is also handy if you want to run VMware images from VulnHub on Hyper-V. Just note that depending on errors you may need to uncomment other lines in descriptor.txt. On some of them on VulnHub, especially old Linux ones, I have had to make the VM Gen 1. Also convert the VMDK to VHD, and use a legacy network adapter in Hyper-V. Sometimes this doesn't work, so you're just stuck only running it in VMware or VirtualBox.

https://www.cisa.gov/news/2020/12/13/cisa-issues-emergency-directive-mitigate-compromise-solarwinds-orion-network
https://cyber.dhs.gov/ed/21-01/
SANS Webcast tonight about it:
https://www.sans.org/webcasts/emergency-webcast-about-solarwinds-supply-chain-attack-118015
Details initial access, execution, and C2 with extra details:
https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
FireEye:
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
ISC DShield:
https://isc.sans.edu/diary/rss/26884
SwiftOnSecurity:
https://twitter.com/SwiftOnSecurity/status/1338279792727257088?s=20
Reminder of why just throwing hashes into VT isn't good enough for hunting: https://twitter.com/MalwareJake/status/1338332539379998730?s=20
Countermeasures:
https://github.com/fireeye/sunburst_countermeasures
Orion Hashes:
https://pastebin.com/N0bfywTB
MalwareJake about NMS/Solarwinds:
https://twitter.com/MalwareJake/status/1338278185692246016?s=20
SAML tokens were forged, learn more about SAML here:
https://twitter.com/SwiftOnSecurity/status/1217942428243632128?s=20
https://techcrunch.com/2020/12/14/gmail-youtube-google-docs-and-other-services-go-down-simultaneously-in-multiple-countries/
https://www.washingtonpost.com/national-security/russian-government-spies-are-behind-a-broad-hacking-campaign-that-has-breached-us-agencies-and-a-top-cyber-firm/2020/12/13/d5a53b88-3d7d-11eb-9453-fc36ba051781_story.html
https://content.govdelivery.com/attachments/USDHSCISA/2020/12/14/file_attachments/1625402/UNCLASSIFIED_TLPWHITE_20201214_Sector_Alert_SolarWinds.pdf

https://www.professormesser.com/
https://www.youtube.com/channel/UCkefXKtInZ9PLsoGRtml2FQ

https://linuxjourney.com/
https://www.youtube.com/watch?v=HbgzrKJvDRw

https://pentesterlab.com/

https://support.microsoft.com/en-gb/help/2977003/the-latest-supported-visual-c-downloads

https://www.cyberseek.org/pathway.html

https://www.youtube.com/watch?v=8armE3Wz0jk

https://docs.microsoft.com/en-us/archive/blogs/johnla/defenders-think-in-lists-attackers-think-in-graphs-as-long-as-this-is-true-attackers-win

https://github.com/ComodoSecurity/openedr

https://medium.com/tenable-techblog/psexec-local-privilege-escalation-2e8069adc9c8

https://nostarch.com/rootkits
https://attack.mitre.org/techniques/T1014/

https://www.saddns.net/
https://ublockorigin.com/

https://ss64.com/nt/wmic.html

https://keexybox.org/

https://www.amazon.com/Standing-Sitting-Perching-Ergonomic-Computer/dp/B00HCLJDSK

https://www.forensicnotes.com/

https://www.sophos.com/en-us/products/free-tools/sophos-xg-firewall-home-edition.aspx

https://support.opendns.com/hc/en-us/articles/227986647-Can-I-Block-Advertisers-and-Ad-Servers-

https://social.technet.microsoft.com/Forums/ie/en-US/cba40481-7400-4c25-aaf6-4f378dcca5b7/service-vs-process?forum=operationsmanagergeneral

https://www.2600.com/

https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer
https://processhacker.sourceforge.io/

https://github.com/Tripwire/tripwire-open-source

https://otx.alienvault.com/browse/global?include_inactive=0&sort=-modified&page=1&indicatorsSearch=modified:%22%22

https://www.crowdstrike.com/resources/reports/netwalker-ransomware-technical-analysis/
https://www.crowdstrike.com/resources/reports/2020-crowdstrike-global-threat-report/

https://cyware.com/news/ransomware-makes-up-half-of-all-major-incidents-79f3704e

https://www.darkreading.com/application-security/ransomware-makes-up-half-of-all-major-incidents/d/d-id/1339667

https://mitre-engenuity.org/attackevaluations/

https://github.com/iamadamdev/bypass-paywalls-chrome

https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/dynamic-link-library

https://lolbas-project.github.io/

https://docs.microsoft.com/en-us/windows/wsl/install-win10

https://gchq.github.io/CyberChef/

https://wadcoms.github.io/

https://docs.microsoft.com/en-us/sysinternals/downloads/

https://strontic.github.io/xcyclopedia/intro

https://blog.didierstevens.com/my-software/

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/get-filehash?view=powershell-7.1

https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#overview-of-sysmon-capabilities
https://github.com/SwiftOnSecurity/sysmon-config
https://github.com/olafhartong/sysmon-modular

https://www.hybrid-analysis.com/

https://www.tenforums.com/tutorials/46769-enable-disable-windows-subsystem-linux-wsl-windows-10-a.html

Disable WSL again (from an elevated PowerShell prompt):
Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux

https://thehackernews.com/2020/12/zero-click-wormable-rce-vulnerability.html

https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2

https://osquery.io/

https://www.elastic.co/endpoint-security/

https://www.eff.org/pages/tools

https://github.com/Cyb3rWard0g/HELK

https://github.com/google/grr

https://nmap.org/book/man-os-detection.html
https://nmap.org/book/man-version-detection.html

https://nsacyber.github.io/unfetter/

https://github.com/JPCERTCC/LogonTracer

https://www.rumble.run/

https://www.prelude.org/

https://github.com/fireeye/iocs
https://github.com/fireeye/red_team_tool_countermeasures/
https://github.com/fireeye/red_team_tool_countermeasures/blob/master/all-snort.rules

https://www.picussecurity.com/resource/blog/techniques-tactics-procedures-utilized-by-fireeye-red-team-tools

https://github.com/kitabisa/teler

https://www.youtube.com/watch?v=iB_xCLsgQZI
https://www.youtube.com/watch?v=Uv-AfK7PkxU

https://www.iocbucket.com/

https://www.cyberseek.org/index.html#

https://pauljerimy.com/security-certification-roadmap/

https://www.youtube.com/watch?v=17UUS3fY2Nw&feature=youtu.be
