1 | SOC Core Skills w/ John Strand (16 Hours) | |
2 | - | Day 1 - Mon, Dec 14, 2020 4-9PM UCT |
2 | + | Mon, Dec 14, 2020 4-9PM UCT |
3 | - | Day 2 - Tue, Dec 15, 2020 5-9PM UCT |
3 | + | |
4 | - | Day 3 - Wed, Dec 16, 2020 5-9PM UCT |
4 | + | |
5 | - | Day 4 - Thu, Dec 17, 2020 5-9PM UCT |
5 | + | |
6 | training@wildwesthackinfest.com | |
7 | - | Bonus Job Hunting talk w/ Jason Blanchard: |
7 | + | |
8 | - | Tue, Dec 15, 2020 9-10PM UCT |
8 | + | |
9 | Dedicated SOC Core Skills Discord Server: | |
10 | - | Extra bonus links from (at the end of this document): |
10 | + | |
11 | - | The SOC Age Or, A Young SOC Analyst's Illustrated Primer | John Strand | 1 Hour (26 Oct 2020) |
11 | + | |
12 | Preparation instructions and hands-on labs installation guide: | |
13 | https://wildwesthackinfest.com/training/soc-core-skills-instructions/ | |
14 | ||
15 | Slides: | |
16 | https://handouts-live.s3.amazonaws.com/b0b53ddc19754bb7b2e376b85646a1ae?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20201214T160824Z&X-Amz-SignedHeaders=host&X-Amz-Expires=86400&X-Amz-Credential=AKIAJICNIQWVMWBRIUMQ%2F20201214%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Signature=a0c42d706063156eaf7aa6e368dd7e333d1d7fa32ac23852b4785f474d33d207 | |
17 | ||
18 | ADHD Win VM: | |
19 | https://introclassjs.s3.us-east-1.amazonaws.com/WINADHD.7z | |
20 | Checksums: | |
21 | Algorithm: SHA256 | |
22 | Hash: 54C461A0BFC6E9599B0A9BC92D3BD16CB21E5020100D4C2532FE7C43B1807129 | |
23 | https://www.activecountermeasures.com/free-tools/adhd/ | |
24 | GitHub Labs: | |
25 | https://github.com/strandjs/IntroLabs | |
26 | https://github.com/strandjs/IntroLabs/blob/master/IntroClassFiles/navigation.md | |
27 | ||
28 | Security Onion: | |
29 | https://github.com/Security-Onion-Solutions/security-onion | |
30 | https://securityonionsolutions.com/software/ | |
31 | ||
32 | SOC Core Skills w/ John Strand (16 Hours - Pay What You Can) | |
33 | Tue-Fri 2-5 Feb 2021 11AM-3PM CST | |
34 | https://register.gotowebinar.com/register/5912460362618462478 | |
35 | ||
36 | Getting Started in Security with BHIS and MITRE ATT&CK w/ John Strand (16-Hours - Pay What You Can) | |
37 | Tue-Fri 23-26 Feb 2021 11AM-3PM CST | |
38 | - | https://www.linkedin.com/in/john-strand-a1b4b62/ |
38 | + | |
39 | ||
40 | Active Defense & Cyber Deception w/ John Strand (16 Hours - Pay What You Can) | |
41 | Tue-Fri 16-19 Mar 2021 11AM-3PM CDT | |
42 | https://register.gotowebinar.com/register/3272325136631560973 | |
43 | ||
44 | LINKS (BHIS): | |
45 | ||
46 | https://www.blackhillsinfosec.com/ | |
47 | https://wildwesthackinfest.com/online-training/ | |
48 | https://www.activecountermeasures.com/ | |
49 | ||
50 | Your 5 Year Path: Success in Infosec: | |
51 | https://youtu.be/Uv-AfK7PkxU | |
52 | https://www.blackhillsinfosec.com/wp-content/uploads/2020/09/SLIDES_Your5YearPlanIntoInfoSec.pdf | |
53 | ||
54 | Contacts: | |
55 | https://www.twitch.tv/banjocrashland | |
56 | https://www.twitch.tv/banjocrashland/schedule | |
57 | https://twitter.com/BanjoCrashland | |
58 | https://www.linkedin.com/in/jasonsblanchard/ | |
59 | https://twitter.com/debthedeb | |
60 | https://www.linkedin.com/in/deborahwigley/ | |
61 | https://twitter.com/BHinfoSecurity | |
62 | ||
63 | Training: | |
64 | - | ==================== |
64 | + | |
65 | https://www.blackhillsinfosec.com/webcast-the-soc-age-or-a-young-soc-analysts-illustrated-primer/ | |
66 | https://www.youtube.com/channel/UCJ2U9Dq9NckqHMbcUupgF0A | |
67 | - | *****DAY 1***** |
67 | + | |
68 | How to Hunt for Jobs like a Hacker w/ Jason Blanchard | |
69 | https://youtu.be/Air1c697tjw | |
70 | ||
71 | Cyber Range: | |
72 | https://www.blackhillsinfosec.com/services/cyber-range/ | |
73 | ||
74 | 4-hours of free intro Threat Hunting Training from Chris Brenton: | |
75 | https://youtu.be/FzYPT1xTVHY | |
76 | ||
77 | How to build your own home lab to use to get experience: | |
78 | https://youtu.be/t7bhnK47Ygo | |
79 | ||
80 | Pillage the Village: | |
81 | https://www.youtube.com/watch?v=n2nptntIsn4 | |
82 | ||
83 | Backdoors and Breaches: | |
84 | https://www.blackhillsinfosec.com/projects/backdoorsandbreaches/ | |
85 | ||
86 | RITA: | |
87 | https://www.activecountermeasures.com/free-tools/rita/ | |
88 | ||
89 | Videos: | |
90 | https://www.youtube.com/c/BlackHillsInformationSecurity/videos | |
91 | News: | |
92 | https://youtu.be/QZOW0itnyLU | |
93 | ||
94 | The SOC Age Or, A Young SOC Analyst's Illustrated Primer | John Strand | 1 Hour | |
95 | https://www.youtube.com/watch?v=Lhol4rZo_ts | |
96 | ||
97 | How to update the VM labs: | |
98 | •Delete: C:\IntroLabs\ | |
99 | •Double-click: C:\labupdate.bat | |
100 | •Note: don't run as an Administrator, the files will not be placed in the correct directory | |
101 | If this fails somehow, or the labupdate.bat file is not present: | |
102 | •Open Notepad and paste the following in, then save as C:\labupdate.bat and run it again: | |
103 | @ECHO OFF | |
104 | git clone https://github.com/strandjs/IntroLabs | |
105 | - | News 20201214: |
105 | + | |
106 | LABS shortcut on the Desktop is missing/broken: | |
107 | •Update the labs again | |
108 | •or manually open: C:\IntroLabs\IntroClassFiles\index.html | |
109 | ||
110 | Stop Windows 10 updates: | |
111 | •In the Run command (Win+R), type in "services.msc" and hit Enter | |
112 | •Select the Windows Update service from the Services list | |
113 | •Click on the "General" tab and change the "Startup Type" to "Disabled" | |
114 | •Restart your machine | |
115 | ||
116 | VMware Workstation does not support nested virtualization on this host. | |
117 | Module 'MonitorMode' power on failed. | |
118 | Failed to start the virtual machine. | |
119 | Fixed: bcdedit /set hypervisorlaunchtype off | |
120 | ||
121 | dism.exe /online /enable-feature /featurename:Microsoft-Windows-Subsystem-Linux /all /norestart | |
122 | ||
123 | netstat: | |
124 | https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/netstat | |
125 | tasklist: | |
126 | https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/tasklist | |
127 | DeepBlueCLI: | |
128 | https://github.com/sans-blue-team/DeepBlueCLI | |
129 | DeepWhiteCLI: | |
130 | https://github.com/darkoperator/Posh-VirusTotal | |
131 | VirusTotal: | |
132 | https://www.virustotal.com/gui/ | |
133 | VirusTotal API Key: | |
134 | https://www.virustotal.com/en/documentation/public-api/ | |
135 | ||
136 | https://www.opendns.com/ | |
137 | https://github.com/davehull/Kansa | |
138 | https://adblockplus.org/ | |
139 | https://pi-hole.net/ | |
140 | https://portswigger.net/daily-swig/sad-dns-researchers-pull-source-code-as-dns-cache-poisoning-technique-deemed-too-dangerous | |
141 | https://www.windows-commandline.com/get-computer-model/ | |
142 | https://requestpolicycontinued.github.io/ | |
143 | https://www.virustotal.com/gui/ | |
144 | https://www.velocidex.com/ | |
145 | https://github.com/ComodoSecurity/openedr | |
146 | https://www.activecountermeasures.com/free-tools/passer/ | |
147 | https://github.com/activecm/passer | |
148 | https://github.com/sans-blue-team/DeepBlueCLI | |
149 | ||
150 | ||
151 | LINKS (Students): | |
152 | ||
153 | https://www.timeanddate.com/time/map/ | |
154 | ||
155 | https://jensoroger.wordpress.com/2020/07/22/if-you-are-attending-getting-started-in-security-with-bhis-and-mitre-attck-with-strandjs-next-week-and-running-linux-and-virtualbox-how-to-import-the-machine-bhinfosecurity-wwhackinfest/ | |
156 | ||
157 | I was able to run the Soc VM in Hyper-v. Just follow Converting a VMDK virtual disk copied from ESXi and The entry 1 is not a supported disk database entry for the descriptor in this guide: | |
158 | https://www.nakivo.com/blog/how-to-convert-vmware-vm-to-hyper-v/#:~:text=The%20entry%201%20is%20not,of%20the%20disk%20database%20entries | |
159 | In the entry 1 error guide section, you don't need to run boot repair, just uncomment the dbtools line and run dsfi to save back. I converted it to vhdx and created a gen 2 vm in hyper-v. It booted up just fine, but FYI they don't support you running it like this. This is also handy if you want to run vmware images from vulnhub on hyper-v. Just note that depending on errors you may need to uncomment other lines in descriptor.txt. On some of them on vulnhub, especially old Linux ones, I have had to make vm gen 1. Also convert vmdk to vhd, and use a legacy network adapter in hyper-v. Sometimes this doesn't work so you're just stuck only running it in vmware or virtualbox. | |
160 | ||
161 | https://www.cisa.gov/news/2020/12/13/cisa-issues-emergency-directive-mitigate-compromise-solarwinds-orion-network | |
162 | - | *****DAY 2***** |
162 | + | |
163 | SANS Webcast tonight about it: | |
164 | - | 2020-12-14 – RECORDING – SOC Core Skills – Day 1 – John Strand |
164 | + | |
165 | - | https://attendee.gotowebinar.com/register/3061585041642106382 |
165 | + | |
166 | - | FOR FREE ACCESS USE CODE: |
166 | + | |
167 | - | JOHNSMISSINGSOCS0187 |
167 | + | |
168 | https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html | |
169 | - | Now That’s What I Call ADHD! 4: |
169 | + | |
170 | - | https://www.blackhillsinfosec.com/now-thats-what-i-call-adhd-4/ |
170 | + | |
171 | SwiftOnSecurity: | |
172 | - | Anagram Solver: |
172 | + | |
173 | - | https://word.tips/anagram-solver/ |
173 | + | |
174 | Countermeasures: | |
175 | - | Discord CLI: |
175 | + | |
176 | - | https://github.com/RickvanLoo/discord-cli |
176 | + | |
177 | https://pastebin.com/N0bfywTB | |
178 | - | 12 Days of Cyber Defense: |
178 | + | |
179 | - | https://www.youtube.com/playlist?list=PLUze0rzlzxgJ2Ys5lpm3HCCa2xC6oNMuK |
179 | + | |
180 | SAML tokens were forged, learn more about SAML here: | |
181 | - | CIS Benchmarks: |
181 | + | |
182 | - | https://cisecurity.org/cis-benchmarks/ |
182 | + | |
183 | - | https://www.cisecurity.org/controls/cis-controls-list/ |
183 | + | |
184 | - | https://www.cisecurity.org/white-papers/cis-controls-sme-guide/ |
184 | + | |
185 | - | https://public.cyber.mil/stigs/ |
185 | + | |
186 | https://www.professormesser.com/ | |
187 | - | How to Build a Home Lab – Bill Stearns: |
187 | + | |
188 | - | https://www.youtube.com/watch?v=t7bhnK47Ygo |
188 | + | |
189 | https://linuxjourney.com/ | |
190 | - | Code Combat: |
190 | + | |
191 | - | https://codecombat.com/ |
191 | + | |
192 | https://pentesterlab.com/ | |
193 | - | Infosec Mentoring | How to Find and Be a Mentor & Mentee | John Strand & Jason Blanchard | 1 Hour: |
193 | + | |
194 | - | https://youtu.be/j3_xXgNOmQM |
194 | + | |
195 | ||
196 | - | Holiday Hack Challenge 2020: |
196 | + | |
197 | - | https://holidayhackchallenge.com/2020/ |
197 | + | |
198 | https://www.youtube.com/watch?v=8armE3Wz0jk | |
199 | - | How SPF, DKIM, and DMARC Authentication Works to Increase Inbox Pen... (Testing) Rates: |
199 | + | |
200 | - | https://tinyurl.com/y92s4o8d |
200 | + | |
201 | - | https://www.blackhillsinfosec.com/how-spf-dkim-and-dmarc-authentication-works-to-increase-inbox-pen...-testing-rates/ |
201 | + | |
202 | - | ^^^use the tinyurl or spell out the word with "..." in the link (pastebin was flagging as potentially offensive) |
202 | + | |
203 | ||
204 | - | ActiveCountermeasures: |
204 | + | |
205 | - | https://www.activecountermeasures.com/blog/ |
205 | + | |
206 | https://nostarch.com/rootkits | |
207 | - | Alert (AA20-302A) |
207 | + | |
208 | - | Ransomware Activity Targeting the Healthcare and Public Health Sector: |
208 | + | |
209 | - | https://us-cert.cisa.gov/ncas/alerts/aa20-302a |
209 | + | |
210 | https://ublockorigin.com/ | |
211 | - | Atomic Red Team: |
211 | + | |
212 | - | https://github.com/redcanaryco/atomic-red-team |
212 | + | |
213 | ||
214 | - | Hacking a Security Career - Deviant Ollam: |
214 | + | |
215 | - | https://www.youtube.com/watch?v=jZFuCYyQB6c |
215 | + | |
216 | https://www.amazon.com/Standing-Sitting-Perching-Ergonomic-Computer/dp/B00HCLJDSK | |
217 | - | Exploit-DB |
217 | + | |
218 | - | https://www.exploit-db.com/ |
218 | + | |
219 | ||
220 | - | 115 How to Social Engineer your way into your dream job Jason Blanchard: |
220 | + | |
221 | - | https://youtu.be/__lvS2pjuSg |
221 | + | |
222 | https://support.opendns.com/hc/en-us/articles/227986647-Can-I-Block-Advertisers-and-Ad-Servers- | |
223 | ||
224 | - | https://www.youtube.com/watch?v=Air1c697tjw&feature=youtu.be |
224 | + | |
225 | ||
226 | - | Kroll: |
226 | + | |
227 | - | https://www.kroll.com/en/insights/publications/cyber/kroll-artifact-parser-extractor-kape |
227 | + | |
228 | - | https://ericzimmerman.github.io/#!index.md |
228 | + | |
229 | https://processhacker.sourceforge.io/ | |
230 | - | *****DAY 3***** |
230 | + | |
231 | https://github.com/Tripwire/tripwire-open-source | |
232 | - | 2020-12-15 – RECORDING – SOC Core Skills – Day 2 – John Strand |
232 | + | |
233 | - | https://attendee.gotowebinar.com/register/1681441762585925903 |
233 | + | |
234 | - | FOR FREE ACCESS USE CODE: |
234 | + | |
235 | - | JOHNSMISSINGSOCS0187 |
235 | + | |
236 | https://www.crowdstrike.com/resources/reports/2020-crowdstrike-global-threat-report/ | |
237 | - | Shodan: |
237 | + | |
238 | - | https://shodan.io/ |
238 | + | |
239 | ||
240 | - | Active Countermeasures: |
240 | + | |
241 | - | https://www.activecountermeasures.com/blog/ |
241 | + | |
242 | - | https://www.activecountermeasures.com/category/video-blog/ |
242 | + | |
243 | - | https://www.activecountermeasures.com/malware-of-the-day-backoff/ |
243 | + | |
244 | - | https://www.youtube.com/activecountermeasures |
244 | + | |
245 | ||
246 | - | tcpdump: |
246 | + | |
247 | - | https://www.tcpdump.org/ |
247 | + | |
248 | https://lolbas-project.github.io/ | |
249 | - | Wireshark: |
249 | + | |
250 | - | https://www.wireshark.org/ |
250 | + | |
251 | ||
252 | - | Getting Started With TCPDump: |
252 | + | |
253 | - | https://www.blackhillsinfosec.com/getting-started-with-tcpdump/ |
253 | + | |
254 | https://wadcoms.github.io/ | |
255 | - | Volatility: |
255 | + | |
256 | - | https://www.volatilityfoundation.org/26 |
256 | + | |
257 | - | https://www.volatilityfoundation.org/releases |
257 | + | |
258 | - | https://github.com/fireeye/win10_volatility |
258 | + | |
259 | - | https://downloads.volatilityfoundation.org/releases/2.4/CheatSheet_v2.4.pdf |
259 | + | |
260 | https://blog.didierstevens.com/my-software/ | |
261 | - | FTK Imager: |
261 | + | |
262 | - | https://accessdata.com/product-download/ftk-imager-version-4-5 |
262 | + | |
263 | - | https://accessdata.com/products-services/forensic-toolkit-ftk/ftkimager |
263 | + | |
264 | https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon#overview-of-sysmon-capabilities | |
265 | - | Rekall: |
265 | + | |
266 | - | http://www.rekall-forensic.com/ |
266 | + | |
267 | - | https://github.com/google/rekall |
267 | + | |
268 | - | https://github.com/fireeye/win10_rekall |
268 | + | |
269 | ||
270 | - | Winpmem: |
270 | + | |
271 | - | https://winpmem.velocidex.com/ |
271 | + | |
272 | - | https://github.com/google/rekall/tree/master/tools/windows/winpmem |
272 | + | |
273 | ||
274 | - | Velociraptor: |
274 | + | |
275 | ||
276 | - | https://github.com/Velocidex/velociraptor |
276 | + | |
277 | - | https://www.velocidex.com/discord |
277 | + | |
278 | https://osquery.io/ | |
279 | - | NetFlow (IPFIX): |
279 | + | |
280 | - | https://en.wikipedia.org/wiki/NetFlow |
280 | + | |
281 | - | https://www.cisco.com/c/en/us/products/ios-nx-os-software/ios-netflow/index.html |
281 | + | |
282 | - | https://en.wikipedia.org/wiki/IP_Flow_Information_Export |
282 | + | |
283 | - | https://tools.ietf.org/html/rfc7011 |
283 | + | |
284 | https://github.com/Cyb3rWard0g/HELK | |
285 | - | Zeek (Corelight): |
285 | + | |
286 | - | https://zeek.org/ |
286 | + | |
287 | - | https://github.com/zeek/zeek |
287 | + | |
288 | - | https://corelight.com/about-zeek/how-zeek-works/ |
288 | + | |
289 | - | https://www3.corelight.com/nsm@home |
289 | + | |
290 | ||
291 | https://nsacyber.github.io/unfetter/ | |
292 | - | https://github.com/activecm/rita |
292 | + | |
293 | - | https://www.blackhillsinfosec.com/projects/rita/ |
293 | + | |
294 | ||
295 | - | https://www.blackhillsinfosec.com/webcast-rita/ |
295 | + | |
296 | - | Real Intelligence Threat Analytics (RITA) Overview & AI-Hunter Demo: |
296 | + | |
297 | - | https://youtu.be/h8KNyhSMoig |
297 | + | |
298 | ||
299 | - | Gigamon: |
299 | + | |
300 | - | https://www.gigamon.com/ |
300 | + | |
301 | https://github.com/fireeye/red_team_tool_countermeasures/blob/master/all-snort.rules | |
302 | - | JA3: |
302 | + | |
303 | - | https://github.com/salesforce/ja3 |
303 | + | |
304 | ||
305 | https://github.com/kitabisa/teler | |
306 | ||
307 | https://www.youtube.com/watch?v=iB_xCLsgQZI | |
308 | https://www.youtube.com/watch?v=Uv-AfK7PkxU | |
309 | - | Suricata: |
309 | + | |
310 | - | https://suricata-ids.org/ |
310 | + | |
311 | - | https://github.com/OISF/suricata |
311 | + | |
312 | https://www.cyberseek.org/index.html# | |
313 | - | Webcast: Attack Tactics 7 – The Logs You Are Looking For: |
313 | + | |
314 | - | https://www.blackhillsinfosec.com/webcast-attack-tactics-7-the-logs-you-are-looking-for/ |
314 | + | |
315 | ||
316 | - | Cyber Threat Hunting | Chris Brenton | October 2020 | 4 Hours: |
316 | + | |
317 | - | https://www.youtube.com/watch?v=FzYPT1xTVHY |
317 | + |