- SOC Core Skills w/ John Strand (16 Hours)
- Mon, Dec 14, 2020 4-9PM UTC
- Comments & feedback:
- webcasts@wildwesthackinfest.com
- training@wildwesthackinfest.com
- theinnkeeper@wildwesthackinfest.com
- Dedicated SOC Core Skills Discord Server:
- https://discord.gg/MmRKwEpWwu
- Preparation instructions and hands-on labs installation guide:
- https://wildwesthackinfest.com/training/soc-core-skills-instructions/
- Slides:
- https://handouts-live.s3.amazonaws.com/b0b53ddc19754bb7b2e376b85646a1ae?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20201214T160824Z&X-Amz-SignedHeaders=host&X-Amz-Expires=86400&X-Amz-Credential=AKIAJICNIQWVMWBRIUMQ%2F20201214%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=a0c42d706063156eaf7aa6e368dd7e333d1d7fa32ac23852b4785f474d33d207
- ADHD Win VM:
- https://introclassjs.s3.us-east-1.amazonaws.com/WINADHD.7z
- Checksums:
- Algorithm: SHA256
- Hash: 54C461A0BFC6E9599B0A9BC92D3BD16CB21E5020100D4C2532FE7C43B1807129
- https://www.activecountermeasures.com/free-tools/adhd/
- GitHub Labs:
- https://github.com/strandjs/IntroLabs
- https://github.com/strandjs/IntroLabs/blob/master/IntroClassFiles/navigation.md
- Security Onion:
- https://github.com/Security-Onion-Solutions/security-onion
- https://securityonionsolutions.com/software/
- SOC Core Skills w/ John Strand (16 Hours - Pay What You Can)
- Tue-Fri 2-5 Feb 2021 11AM-3PM CST
- https://register.gotowebinar.com/register/5912460362618462478
- Getting Started in Security with BHIS and MITRE ATT&CK w/ John Strand (16-Hours - Pay What You Can)
- Tue-Fri 23-26 Feb 2021 11AM-3PM CST
- https://register.gotowebinar.com/register/3559987064714262542
- Active Defense & Cyber Deception w/ John Strand (16 Hours - Pay What You Can)
- Tue-Fri 16-19 Mar 2021 11AM-3PM CDT
- https://register.gotowebinar.com/register/3272325136631560973
- LINKS (BHIS):
- https://www.blackhillsinfosec.com/
- https://wildwesthackinfest.com/online-training/
- https://www.activecountermeasures.com/
- Your 5 Year Path: Success in Infosec:
- https://youtu.be/Uv-AfK7PkxU
- https://www.blackhillsinfosec.com/wp-content/uploads/2020/09/SLIDES_Your5YearPlanIntoInfoSec.pdf
- Contacts:
- https://www.twitch.tv/banjocrashland
- https://www.twitch.tv/banjocrashland/schedule
- https://twitter.com/BanjoCrashland
- https://www.linkedin.com/in/jasonsblanchard/
- https://twitter.com/debthedeb
- https://www.linkedin.com/in/deborahwigley/
- https://twitter.com/BHinfoSecurity
- Training:
- https://wildwesthackinfest.com/training-schedule/
- https://www.blackhillsinfosec.com/webcast-the-soc-age-or-a-young-soc-analysts-illustrated-primer/
- https://www.youtube.com/channel/UCJ2U9Dq9NckqHMbcUupgF0A
- How to Hunt for Jobs like a Hacker w/ Jason Blanchard
- https://youtu.be/Air1c697tjw
- Cyber Range:
- https://www.blackhillsinfosec.com/services/cyber-range/
- 4-hours of free intro Threat Hunting Training from Chris Brenton:
- https://youtu.be/FzYPT1xTVHY
- How to build your own home lab to use to get experience:
- https://youtu.be/t7bhnK47Ygo
- Pillage the Village:
- https://www.youtube.com/watch?v=n2nptntIsn4
- Backdoors and Breaches:
- https://www.blackhillsinfosec.com/projects/backdoorsandbreaches/
- RITA:
- https://www.activecountermeasures.com/free-tools/rita/
- Videos:
- https://www.youtube.com/c/BlackHillsInformationSecurity/videos
- News:
- https://youtu.be/QZOW0itnyLU
- The SOC Age Or, A Young SOC Analyst's Illustrated Primer | John Strand | 1 Hour
- https://www.youtube.com/watch?v=Lhol4rZo_ts
- How to update the VM labs:
- •Delete: C:\IntroLabs\
- •Double-click: C:\labupdate.bat
- •Note: don't run it as Administrator; the files will not be placed in the correct directory
- If this fails somehow, or the labupdate.bat file is not present:
- •Open Notepad and paste the following in, then save as C:\labupdate.bat and run it again:
- @ECHO OFF
- git clone https://github.com/strandjs/IntroLabs
- exit
- LABS shortcut on the Desktop is missing/broken:
- •Update the labs again
- •or manually open: C:\IntroLabs\IntroClassFiles\index.html
- Stop Windows 10 updates:
- •In the Run command (Win+R), type in "services.msc" and hit Enter
- •Select the Windows Update service from the Services list
- •Click on the "General" tab and change the "Startup Type" to "Disabled"
- •Restart your machine
- VMware Workstation does not support nested virtualization on this host.
- Module 'MonitorMode' power on failed.
- Failed to start the virtual machine.
- Fixed: bcdedit /set hypervisorlaunchtype off
- Enable WSL: dism.exe /online /enable-feature /featurename:Microsoft-Windows-Subsystem-Linux /all /norestart
- netstat:
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/netstat
- tasklist:
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/tasklist
- DeepBlueCLI:
- https://github.com/sans-blue-team/DeepBlueCLI
- DeepWhiteCLI:
- https://github.com/darkoperator/Posh-VirusTotal
- VirusTotal:
- https://www.virustotal.com/gui/
- VirusTotal API Key:
- https://www.virustotal.com/en/documentation/public-api/
- https://www.opendns.com/
- https://github.com/davehull/Kansa
- https://adblockplus.org/
- https://pi-hole.net/
- https://portswigger.net/daily-swig/sad-dns-researchers-pull-source-code-as-dns-cache-poisoning-technique-deemed-too-dangerous
- https://www.windows-commandline.com/get-computer-model/
- https://requestpolicycontinued.github.io/
- https://www.virustotal.com/gui/
- https://www.velocidex.com/
- https://github.com/ComodoSecurity/openedr
- https://www.activecountermeasures.com/free-tools/passer/
- https://github.com/activecm/passer
- https://github.com/sans-blue-team/DeepBlueCLI
- LINKS (Students):
- https://www.timeanddate.com/time/map/
- https://jensoroger.wordpress.com/2020/07/22/if-you-are-attending-getting-started-in-security-with-bhis-and-mitre-attck-with-strandjs-next-week-and-running-linux-and-virtualbox-how-to-import-the-machine-bhinfosecurity-wwhackinfest/
- I was able to run the Soc VM in Hyper-V. Just follow "Converting a VMDK virtual disk copied from ESXi" and "The entry 1 is not a supported disk database entry for the descriptor" in this guide:
- https://www.nakivo.com/blog/how-to-convert-vmware-vm-to-hyper-v/#:~:text=The%20entry%201%20is%20not,of%20the%20disk%20database%20entries
- In the entry 1 error guide section, you don't need to run boot repair, just uncomment the dbtools line and run dsfi to save back. I converted it to vhdx and created a gen 2 vm in hyper-v. It booted up just fine, but FYI they don't support you running it like this. This is also handy if you want to run vmware images from vulnhub on hyper-v. Just note that depending on errors you may need to uncomment other lines in descriptor.txt. On some of them on vulnhub, especially old linux ones, I have had to make the vm gen 1. Also convert vmdk to vhd, and use a legacy network adapter in hyper-v. Sometimes this doesn't work, so you're just stuck only running it in vmware or virtualbox.
- https://www.cisa.gov/news/2020/12/13/cisa-issues-emergency-directive-mitigate-compromise-solarwinds-orion-network
- https://cyber.dhs.gov/ed/21-01/
- SANS Webcast tonight about it:
- https://www.sans.org/webcasts/emergency-webcast-about-solarwinds-supply-chain-attack-118015
- Details initial access, execution, and C2 with extra details:
- https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
- FireEye:
- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
- ISC DShield:
- https://isc.sans.edu/diary/rss/26884
- SwiftOnSecurity:
- https://twitter.com/SwiftOnSecurity/status/1338279792727257088?s=20
- Reminder of why just throwing hashes into VT isn't good enough for hunting: https://twitter.com/MalwareJake/status/1338332539379998730?s=20
- Countermeasures:
- https://github.com/fireeye/sunburst_countermeasures
- Orion Hashes:
- https://pastebin.com/N0bfywTB
- MalwareJake about NMS/Solarwinds:
- https://twitter.com/MalwareJake/status/1338278185692246016?s=20
- SAML tokens were forged, learn more about SAML here:
- https://twitter.com/SwiftOnSecurity/status/1217942428243632128?s=20
- https://techcrunch.com/2020/12/14/gmail-youtube-google-docs-and-other-services-go-down-simultaneously-in-multiple-countries/
- https://www.washingtonpost.com/national-security/russian-government-spies-are-behind-a-broad-hacking-campaign-that-has-breached-us-agencies-and-a-top-cyber-firm/2020/12/13/d5a53b88-3d7d-11eb-9453-fc36ba051781_story.html
- https://content.govdelivery.com/attachments/USDHSCISA/2020/12/14/file_attachments/1625402/UNCLASSIFIED_TLPWHITE_20201214_Sector_Alert_SolarWinds.pdf
- https://www.professormesser.com/
- https://www.youtube.com/channel/UCkefXKtInZ9PLsoGRtml2FQ
- https://linuxjourney.com/
- https://www.youtube.com/watch?v=HbgzrKJvDRw
- https://pentesterlab.com/
- https://support.microsoft.com/en-gb/help/2977003/the-latest-supported-visual-c-downloads
- https://www.cyberseek.org/pathway.html
- https://www.youtube.com/watch?v=8armE3Wz0jk
- https://docs.microsoft.com/en-us/archive/blogs/johnla/defenders-think-in-lists-attackers-think-in-graphs-as-long-as-this-is-true-attackers-win
- https://github.com/ComodoSecurity/openedr
- https://medium.com/tenable-techblog/psexec-local-privilege-escalation-2e8069adc9c8
- https://nostarch.com/rootkits
- https://attack.mitre.org/techniques/T1014/
- https://www.saddns.net/
- https://ublockorigin.com/
- https://ss64.com/nt/wmic.html
- https://keexybox.org/
- https://www.amazon.com/Standing-Sitting-Perching-Ergonomic-Computer/dp/B00HCLJDSK
- https://www.forensicnotes.com/
- https://www.sophos.com/en-us/products/free-tools/sophos-xg-firewall-home-edition.aspx
- https://support.opendns.com/hc/en-us/articles/227986647-Can-I-Block-Advertisers-and-Ad-Servers-
- https://social.technet.microsoft.com/Forums/ie/en-US/cba40481-7400-4c25-aaf6-4f378dcca5b7/service-vs-process?forum=operationsmanagergeneral
- https://www.2600.com/
- https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer
- https://processhacker.sourceforge.io/
- https://github.com/Tripwire/tripwire-open-source
- https://otx.alienvault.com/browse/global?include_inactive=0&sort=-modified&page=1&indicatorsSearch=modified:%22%22
- https://www.crowdstrike.com/resources/reports/netwalker-ransomware-technical-analysis/
- https://www.crowdstrike.com/resources/reports/2020-crowdstrike-global-threat-report/
- https://cyware.com/news/ransomware-makes-up-half-of-all-major-incidents-79f3704e
- https://www.darkreading.com/application-security/ransomware-makes-up-half-of-all-major-incidents/d/d-id/1339667
- https://mitre-engenuity.org/attackevaluations/
- https://github.com/iamadamdev/bypass-paywalls-chrome
- https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/dynamic-link-library
- https://lolbas-project.github.io/
- https://docs.microsoft.com/en-us/windows/wsl/install-win10
- https://gchq.github.io/CyberChef/
- https://wadcoms.github.io/
- https://docs.microsoft.com/en-us/sysinternals/downloads/
- https://strontic.github.io/xcyclopedia/intro
- https://blog.didierstevens.com/my-software/
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/get-filehash?view=powershell-7.1
- https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#overview-of-sysmon-capabilities
- https://github.com/SwiftOnSecurity/sysmon-config
- https://github.com/olafhartong/sysmon-modular
- https://www.hybrid-analysis.com/
- https://www.tenforums.com/tutorials/46769-enable-disable-windows-subsystem-linux-wsl-windows-10-a.html
- Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux
- https://thehackernews.com/2020/12/zero-click-wormable-rce-vulnerability.html
- https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2
- https://osquery.io/
- https://www.elastic.co/endpoint-security/
- https://www.eff.org/pages/tools
- https://github.com/Cyb3rWard0g/HELK
- https://github.com/google/grr
- https://nmap.org/book/man-os-detection.html
- https://nmap.org/book/man-version-detection.html
- https://nsacyber.github.io/unfetter/
- https://github.com/JPCERTCC/LogonTracer
- https://www.rumble.run/
- https://www.prelude.org/
- https://github.com/fireeye/iocs
- https://github.com/fireeye/red_team_tool_countermeasures/
- https://github.com/fireeye/red_team_tool_countermeasures/blob/master/all-snort.rules
- https://www.picussecurity.com/resource/blog/techniques-tactics-procedures-utilized-by-fireeye-red-team-tools
- https://github.com/kitabisa/teler
- https://www.youtube.com/watch?v=iB_xCLsgQZI
- https://www.youtube.com/watch?v=Uv-AfK7PkxU
- https://www.iocbucket.com/
- https://www.cyberseek.org/index.html#
- https://pauljerimy.com/security-certification-roadmap/
- https://www.youtube.com/watch?v=17UUS3fY2Nw&feature=youtu.be