Tag Archive: forensic


https://www.sans.org/reading-room/whitepapers/forensics/disrupting-empire-identifying-powershell-empire-command-control-activity-38315


The main question is: how do I know if I have been hacked?

Hacking mind map: https://www.marcolancini.it/2018/blog-hacker-playbook-mindmap/

Detecting lateral movement using event logs: http://blog.jpcert.or.jp/.s/2017/12/research-report-released-detecting-lateral-movement-through-tracking-event-logs-version-2.html

Sysmon 6: https://technet.microsoft.com/en-us/sysinternals/sysmon and how to use it: https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow

http://blog.crowdstrike.com/sysmon-2/

http://joshuadlewis.blogspot.fr/2014/10/advanced-threat-detection-with-sysmon_74.html

Additional resources on this blog: http://wp.me/p15Zft-od

Some other links: http://www.computerforensicsworld.com/, http://www.forensics.nl/links

The first step is to scan your computer with a rootkit detector. Our download section has numerous rootkit scanners available, some of which are listed below:

Toolkit to help you:

– Volatility: http://www.volatilityfoundation.org/

– Crowdstrike: http://www.crowdstrike.com/community-tools/index.html

– McAfee foundstone free tools: http://www.mcafee.com/us/downloads/free-tools/index.aspx

– Powershell windows forensics: https://github.com/WiredPulse/PoSh-R2

– Powershell windows forensics: https://github.com/Invoke-IR/PowerForensics

– Powershell windows forensics: https://github.com/gfoss/PSRecon

– Powershell windows forensics: https://github.com/davehull/Kansa

http://www.powershellmagazine.com/2014/07/18/kansa-a-powershell-based-incident-response-framework/

– forensic toolkits: http://www.sleuthkit.org/, http://sourceforge.net/projects/autopsy/

– online scanning: http://www.virustotal.com

– Windows event logs

– Windows safe mode (use Autoruns from Sysinternals to spot unfamiliar applications/services)

– autoruns, procexp, procmon, tcpview, handle, psloggedon (http://www.microsoft.com/sysinternals)

– treesize pro (http://www.jam-software.com/treesize/)

– closethedoor (http://sourceforge.net/projects/closethedoor/)

– Wireshark (https://www.wireshark.org/download.html) or Microsoft Message Analyzer (http://www.microsoft.com/en-us/download/details.aspx?id=40308)

– nmap: http://nmap.org/download.html#windows

– traceroute: http://www.net.princeton.edu/traceroute.html

Based on my 25 years' experience as a sysadmin, I recommend the free tools below for forensic analysis and systems assessment:

Repair tools:

http://trinityhome.org/Home

Windows privilege escalation:

https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/

Blog hacker playbook mindmap (poster):

https://www.marcolancini.it/2018/blog-hacker-playbook-mindmap/

SANS DFIR hunting evil Windows map (poster):

Windows systems: https://digital-forensics.sans.org/media/DFPS_FOR508_v4.3_12-18.pdf

Linux privilege escalation:

https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

Blogs and web sites:

Online malware analysis: https://app.sndbox.com/login

https://cloudblogs.microsoft.com/microsoftsecure/

https://www.microsoft.com/en-us/security

http://adsecurity.org

https://www.absolomb.com

https://cqure.pl/

http://www.thehackernews.com

https://packetstormsecurity.com/

Online attack map: https://www.csoonline.com/article/3217944/security/8-top-cyber-attack-maps-and-how-to-use-them.html

https://cybermap.kaspersky.com/

https://threatmap.checkpoint.com/ThreatPortal/livemap.html

http://map.norsecorp.com/

https://www.fireeye.com/cyber-map/threat-map.html

https://www.netscout.com/ddos-attack-map

PowerShell:

Powershell windows forensics: https://github.com/WiredPulse/PoSh-R2

Powershell windows forensics: https://github.com/Invoke-IR/PowerForensics

Powershell windows forensics: https://github.com/gfoss/PSRecon

Powershell windows forensics: https://github.com/davehull/Kansa

http://www.powershellmagazine.com/2014/07/18/kansa-a-powershell-based-incident-response-framework/

Vulnerability scanners:

Nessus

openvas

autoscan network

Find exploits and vulnerabilities:

exploit-db

securityfocus

packet storm security

cve.mitre.org

nvd.nist.gov

https://www.cert.ssi.gouv.fr/

Tools:

Timeline Tools

RegRipper

FTK Imager

Volatility (memory tool): http://www.volatilityfoundation.org/

http://www.crowdstrike.com/community-tools/index.html

http://www.truesec.com

http://www.joeware.net

http://helgeklein.com/setacl/

http://www.microsoft.com/sysinternals

http://www.systemtools.com

http://www.netikus.net

http://www.insecure.org and http://sectools.org

Nirsoft (https://www.nirsoft.net/)

Netcat (https://github.com/rsanchez-wsu/jfiles/wiki/Windows-10-Telnet-&-NetCat)

Social engineering / fingerprinting tools:

google hacks

facebook

linkedin

viadeo

whois

mxtoolbox

http://www.shodanhq.com

http://www.lullar.com

http://www.checkusernames.com

http://www.pipl.com

maltego (www.paterva.com)

foca free

dig

dnsenum

dnsdic

dnsmap

dnsrecon

dnswalk

subdomainer

fierce

netcat

nmap

hping (https://github.com/antirez/hping)

amap (https://github.com/vanhauser-thc/THC-Archive)


Web site / web server toolkit:

dmitry (https://github.com/jaygreig86/dmitry)

httprint

Hi,

Here is a list of web resources about penetration testing (pentest) and forensics techniques, etc.:

Definitions: http://en.wikipedia.org/wiki/Penetration_test ; http://en.wikipedia.org/wiki/Computer_forensics

Tools and techniques:

Penetration toolkit for Windows: http://pentestlab.wordpress.com/2013/01/07/windows-tools-for-penetration-testing/

Penetration toolkit from Erdal Ozkaya: http://www.erdalozkaya.com/index.php/security/83-penetration-testing-framework-0-58

http://pentestlab.wordpress.com/

http://www.coresecurity.com

http://www.backtrack-linux.org/ ; http://fr.wikipedia.org/wiki/BackTrack ; http://backtrack-fr.net/

http://www.ampliasecurity.com (with the famous wce), http://oss.coresecurity.com/projects/pshtoolkit.html

http://sectools.org/

http://www.truesec.com

– Guides:

http://www.bleepingcomputer.com/tutorials/have-i-been-hacked/

http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf

http://www.us-cert.gov/reading_room/forensics.pdf

– Library: http://ed-diamond.com/