SOC Core Skills w/ John Strand (16 Hours)

1. SOC Core Skills w/ John Strand (16 Hours)
2. Mon, Dec 14, 2020 4-9PM UCT
3.  
4. Comments & feedback:
5. [email protected]
6. [email protected]
7. [email protected]
8.  
9. Dedicated SOC Core Skills Discord Server:
10. https://discord.gg/MmRKwEpWwu
11.  
12. Preparation instructions and hands-on labs installation guide:
13. https://wildwesthackinfest.com/training/soc-core-skills-instructions/
14.  
15. Slides:
16. https://handouts-live.s3.amazonaws.com/b0b53ddc19754bb7b2e376b85646a1ae?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20201214T160824Z&X-Amz-SignedHeaders=host&X-Amz-Expires=86400&X-Amz-Credential=AKIAJICNIQWVMWBRIUMQ%2F20201214%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=a0c42d706063156eaf7aa6e368dd7e333d1d7fa32ac23852b4785f474d33d207
17.  
18. ADHD Win VM:
19. https://introclassjs.s3.us-east-1.amazonaws.com/WINADHD.7z
20. Checksums:
21. Algorithm: SHA256
22. Hash: 54C461A0BFC6E9599B0A9BC92D3BD16CB21E5020100D4C2532FE7C43B1807129
23. https://www.activecountermeasures.com/free-tools/adhd/
24. GitHub Labs:
25. https://github.com/strandjs/IntroLabs
26. https://github.com/strandjs/IntroLabs/blob/master/IntroClassFiles/navigation.md
27.  
28. Security Onion:
29. https://github.com/Security-Onion-Solutions/security-onion
30. https://securityonionsolutions.com/software/
31.  
32. SOC Core Skills w/ John Strand (16 Hours - Pay What You Can)
33. Tue-Fri 2-5 Feb 2021 11AM-3PM CST
34. https://register.gotowebinar.com/register/5912460362618462478
35.  
36. Getting Started in Security with BHIS and MITRE ATT&CK w/ John Strand (16-Hours - Pay What You Can)
37. Tue-Fri 23-26 Feb 2021 11AM-3PM CST
38. https://register.gotowebinar.com/register/3559987064714262542
39.  
40. Active Defense & Cyber Deception w/ John Strand (16 Hours - Pay What You Can)
41. Tue-Fri 16-19 Mar 2021 11AM-3PM CDT
42. https://register.gotowebinar.com/register/3272325136631560973
43.  
44. LINKS (BHIS):
45.  
46. https://www.blackhillsinfosec.com/
47. https://wildwesthackinfest.com/online-training/
48. https://www.activecountermeasures.com/
49.  
50. Your 5 Year Path: Success in Infosec:
51. https://youtu.be/Uv-AfK7PkxU
52. https://www.blackhillsinfosec.com/wp-content/uploads/2020/09/SLIDES_Your5YearPlanIntoInfoSec.pdf
53.  
54. Contacts:
55. https://www.twitch.tv/banjocrashland
56. https://www.twitch.tv/banjocrashland/schedule
57. https://twitter.com/BanjoCrashland
58. https://www.linkedin.com/in/jasonsblanchard/
59. https://twitter.com/debthedeb
60. https://www.linkedin.com/in/deborahwigley/
61. https://twitter.com/BHinfoSecurity
62.  
63. Training:
64. https://wildwesthackinfest.com/training-schedule/
65. https://www.blackhillsinfosec.com/webcast-the-soc-age-or-a-young-soc-analysts-illustrated-primer/
66. https://www.youtube.com/channel/UCJ2U9Dq9NckqHMbcUupgF0A
67.  
68. How to Hunt for Jobs like a Hacker w/ Jason Blanchard
69. https://youtu.be/Air1c697tjw
70.  
71. Cyber Range:
72. https://www.blackhillsinfosec.com/services/cyber-range/
73.  
74. 4-hours of free intro Threat Hunting Training from Chris Brenton:
75. https://youtu.be/FzYPT1xTVHY
76.  
77. How to build your own home lab to use to get experience:
78. https://youtu.be/t7bhnK47Ygo
79.  
80. Pillage the Village:
81. https://www.youtube.com/watch?v=n2nptntIsn4
82.  
83. Backdoors and Breaches:
84. https://www.blackhillsinfosec.com/projects/backdoorsandbreaches/
85.  
86. RITA:
87. https://www.activecountermeasures.com/free-tools/rita/
88.  
89. Videos:
90. https://www.youtube.com/c/BlackHillsInformationSecurity/videos
91. News:
92. https://youtu.be/QZOW0itnyLU
93.  
94. The SOC Age Or, A Young SOC Analyst's Illustrated Primer | John Strand | 1 Hour
95. https://www.youtube.com/watch?v=Lhol4rZo_ts
96.  
97. How to update the VM labs:
98. •Delete: C:\IntroLabs\
99. •Double-click: C:\labupdate.bat
100. •Note: don't run as an Administrator, the files will not be placed in the correct directory
101. If this fails somehow, or the labupdate.bat file is not present:
102. •Open Notepad and paste the following in, then save as C:\labupdate.bat and run it again:
103. @ECHO OFF
104. git clone https://github.com/strandjs/IntroLabs
105. exit
106. LABS shortcut on the Desktop is missing/broken:
107. •Update the labs again
108. •or manually open: C:\IntroLabs\IntroClassFiles\index.html
109.  
110. Stop Windows 10 updates:
111. •In the Run command (Win+R), type in "services. msc" and hit Enter
112. •Select the Windows Update service from the Services list
113. •Click on the "General" tab and change the "Startup Type" to "Disabled"
114. •Restart your machine
115.  
116. VMware Workstation does not support nested virtualization on this host.
117. Module 'MonitorMode' power on failed.
118. Failed to start the vitual machine.
119. Fixed: bcdedit /set hypervisorlaunchtype off
120.  
121. dism.exe /online /enable-feature /featurename:Microsoft-Windows-Subsystem-Linux /all /norestart
122.  
123. netstat:
124. https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/netstat
125. tasklist:
126. https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/tasklist
127. DeepBlueCLI:
128. https://github.com/sans-blue-team/DeepBlueCLI
129. DeepWhiteCLI:
130. https://github.com/darkoperator/Posh-VirusTotal
131. VirusTotal:
132. https://www.virustotal.com/gui/
133. VirusTotal API Key:
134. https://www.virustotal.com/en/documentation/public-api/
135.  
136. https://www.opendns.com/
137. https://github.com/davehull/Kansa
138. https://adblockplus.org/
139. https://pi-hole.net/
140. https://portswigger.net/daily-swig/sad-dns-researchers-pull-source-code-as-dns-cache-poisoning-technique-deemed-too-dangerous
141. https://www.windows-commandline.com/get-computer-model/
142. https://requestpolicycontinued.github.io/
143. https://www.virustotal.com/gui/
144. https://www.velocidex.com/
145. https://github.com/ComodoSecurity/openedr
146. https://www.activecountermeasures.com/free-tools/passer/
147. https://github.com/activecm/passer
148. https://github.com/sans-blue-team/DeepBlueCLI
149.  
150.  
151. LINKS (Students):
152.  
153. https://www.timeanddate.com/time/map/
154.  
155. https://jensoroger.wordpress.com/2020/07/22/if-you-are-attending-getting-started-in-security-with-bhis-and-mitre-attck-with-strandjs-next-week-and-running-linux-and-virtualbox-how-to-import-the-machine-bhinfosecurity-wwhackinfest/
156.  
157. I was able to run the Soc VM in Hyper-v. Just follow Converting a VMDK virtual disk copied from ESXi and The entry 1 is not a supported disk database entry for the descriptor in this guide:
158. https://www.nakivo.com/blog/how-to-convert-vmware-vm-to-hyper-v/#:~:text=The%20entry%201%20is%20not,of%20the%20disk%20database%20entries
159. In the entry 1 error guide section, you don't need to run boot repair, just uncomment the dbtools lline and run dsfi to save back. I converted it to vhdx and created a gen 2 vm in hyper-v. It booted up just fine, but FYI they don't support you running it like this. This is also handy if you want to run vmware images from vulnhub on hyper-v. Just note that depending on errors you may need to uncomment other lines in descriptor.txt. On some of them on vulnhub, especially old linux ones, I have had to make vm gen 1. Also convert vmdk to vhd, and use a legacy network adapter in hyper-v. Sometimes this doesn't work so your just stuck only running it in vmware or virtualbox.
160.  
161. https://www.cisa.gov/news/2020/12/13/cisa-issues-emergency-directive-mitigate-compromise-solarwinds-orion-network
162. https://cyber.dhs.gov/ed/21-01/
163. SANS Webcast tonight about it:
164. https://www.sans.org/webcasts/emergency-webcast-about-solarwinds-supply-chain-attack-118015
165. Details initial access, execution, and C2 with extra details:
166. https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
167. FireEye:
168. https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
169. ISC DShield:
170. https://isc.sans.edu/diary/rss/26884
171. SwiftOnSecurity:
172. https://twitter.com/SwiftOnSecurity/status/1338279792727257088?s=20
173. Reminder of why just throwing hashes into VT isn't good enough for hunting: https://twitter.com/MalwareJake/status/1338332539379998730?s=20
174. Countermeasures:
175. https://github.com/fireeye/sunburst_countermeasures
176. Orion Hashes:
177. https://pastebin.com/N0bfywTB
178. MalwareJake about NMS/Solarwinds:
179. https://twitter.com/MalwareJake/status/1338278185692246016?s=20
180. SAML tokens were forged, learn more about SAML here:
181. https://twitter.com/SwiftOnSecurity/status/1217942428243632128?s=20
182. https://techcrunch.com/2020/12/14/gmail-youtube-google-docs-and-other-services-go-down-simultaneously-in-multiple-countries/
183. https://www.washingtonpost.com/national-security/russian-government-spies-are-behind-a-broad-hacking-campaign-that-has-breached-us-agencies-and-a-top-cyber-firm/2020/12/13/d5a53b88-3d7d-11eb-9453-fc36ba051781_story.html
184. https://content.govdelivery.com/attachments/USDHSCISA/2020/12/14/file_attachments/1625402/UNCLASSIFIED_TLPWHITE_20201214_Sector_Alert_SolarWinds.pdf
185.  
186. https://www.professormesser.com/
187. https://www.youtube.com/channel/UCkefXKtInZ9PLsoGRtml2FQ
188.  
189. https://linuxjourney.com/
190. https://www.youtube.com/watch?v=HbgzrKJvDRw
191.  
192. https://pentesterlab.com/
193.  
194. https://support.microsoft.com/en-gb/help/2977003/the-latest-supported-visual-c-downloads
195.  
196. https://www.cyberseek.org/pathway.html
197.  
198. https://www.youtube.com/watch?v=8armE3Wz0jk
199.  
200. https://docs.microsoft.com/en-us/archive/blogs/johnla/defenders-think-in-lists-attackers-think-in-graphs-as-long-as-this-is-true-attackers-win
201.  
202. https://github.com/ComodoSecurity/openedr
203.  
204. https://medium.com/tenable-techblog/psexec-local-privilege-escalation-2e8069adc9c8
205.  
206. https://nostarch.com/rootkits
207. https://attack.mitre.org/techniques/T1014/
208.  
209. https://www.saddns.net/
210. https://ublockorigin.com/
211.  
212. https://ss64.com/nt/wmic.html
213.  
214. https://keexybox.org/
215.  
216. https://www.amazon.com/Standing-Sitting-Perching-Ergonomic-Computer/dp/B00HCLJDSK
217.  
218. https://www.forensicnotes.com/
219.  
220. https://www.sophos.com/en-us/products/free-tools/sophos-xg-firewall-home-edition.aspx
221.  
222. https://support.opendns.com/hc/en-us/articles/227986647-Can-I-Block-Advertisers-and-Ad-Servers-
223.  
224. https://social.technet.microsoft.com/Forums/ie/en-US/cba40481-7400-4c25-aaf6-4f378dcca5b7/service-vs-process?forum=operationsmanagergeneral
225.  
226. https://www.2600.com/
227.  
228. https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer
229. https://processhacker.sourceforge.io/
230.  
231. https://github.com/Tripwire/tripwire-open-source
232.  
233. https://otx.alienvault.com/browse/global?include_inactive=0&sort=-modified&page=1&indicatorsSearch=modified:%22%22
234.  
235. https://www.crowdstrike.com/resources/reports/netwalker-ransomware-technical-analysis/
236. https://www.crowdstrike.com/resources/reports/2020-crowdstrike-global-threat-report/
237.  
238. https://cyware.com/news/ransomware-makes-up-half-of-all-major-incidents-79f3704e
239.  
240. https://www.darkreading.com/application-security/ransomware-makes-up-half-of-all-major-incidents/d/d-id/1339667
241.  
242. https://mitre-engenuity.org/attackevaluations/
243.  
244. https://github.com/iamadamdev/bypass-paywalls-chrome
245.  
246. https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/dynamic-link-library
247.  
248. https://lolbas-project.github.io/
249.  
250. https://docs.microsoft.com/en-us/windows/wsl/install-win10
251.  
252. https://gchq.github.io/CyberChef/
253.  
254. https://wadcoms.github.io/
255.  
256. https://docs.microsoft.com/en-us/sysinternals/downloads/
257.  
258. https://strontic.github.io/xcyclopedia/intro
259.  
260. https://blog.didierstevens.com/my-software/
261.  
262. https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/get-filehash?view=powershell-7.1
263.  
264. https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#overview-of-sysmon-capabilities
265. https://github.com/SwiftOnSecurity/sysmon-config
266. https://github.com/olafhartong/sysmon-modular
267.  
268. https://www.hybrid-analysis.com/
269.  
270. https://www.tenforums.com/tutorials/46769-enable-disable-windows-subsystem-linux-wsl-windows-10-a.html
271.  
272. Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux
273.  
274. https://thehackernews.com/2020/12/zero-click-wormable-rce-vulnerability.html
275.  
276. https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2
277.  
278. https://osquery.io/
279.  
280. https://www.elastic.co/endpoint-security/
281.  
282. https://www.eff.org/pages/tools
283.  
284. https://github.com/Cyb3rWard0g/HELK
285.  
286. https://github.com/google/grr
287.  
288. https://nmap.org/book/man-os-detection.html
289. https://nmap.org/book/man-version-detection.html
290.  
291. https://nsacyber.github.io/unfetter/
292.  
293. https://github.com/JPCERTCC/LogonTracer
294.  
295. https://www.rumble.run/
296.  
297. https://www.prelude.org/
298.  
299. https://github.com/fireeye/iocs
300. https://github.com/fireeye/red_team_tool_countermeasures/
301. https://github.com/fireeye/red_team_tool_countermeasures/blob/master/all-snort.rules
302.  
303. https://www.picussecurity.com/resource/blog/techniques-tactics-procedures-utilized-by-fireeye-red-team-tools
304.  
305. https://github.com/kitabisa/teler
306.  
307. https://www.youtube.com/watch?v=iB_xCLsgQZI
308. https://www.youtube.com/watch?v=Uv-AfK7PkxU
309.  
310. https://www.iocbucket.com/
311.  
312. https://www.cyberseek.org/index.html#
313.  
314. https://pauljerimy.com/security-certification-roadmap/
315.  
316. https://www.youtube.com/watch?v=17UUS3fY2Nw&feature=youtu.be
317.