This document discusses the results of long-term scanning and analysis of the Winnti 4.0 and ShadowPad malware command and control (C2) protocols. It finds that Winnti 4.0 C2s primarily use TLS, HTTPS, and HTTP, while ShadowPad variants primarily use raw TCP, HTTPS, and HTTP. Analysis of the protocols reveals encryption methods, packet structures, and server-side functionality. Over time, the number and distribution of active C2s changed, likely in response to research publications and incident response actions. The document also weighs anonymization techniques and the merits and risks of future research publications.
Digital Forensics & Incident Response is a multidisciplinary profession that focuses on identifying, investigating, and remediating computer network exploitation. This can take varied forms and involves a wide variety of skills, kinds of attackers, and kinds of targets. This presentation explains how we can use Docker in DFIR practice.
VAPT (Vulnerability Assessment and Penetration Testing) involves evaluating systems and networks to identify vulnerabilities, configuration issues, and potential routes of unauthorized access. It is recommended for SMEs due to common security issues like phishing and ransomware attacks targeting them. The document outlines the types of VAPT testing, why SMEs need it, example data breaches, and estimated costs of common cyber attacks and security services.
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by Jason Luttgens, Matthew Pepe, and Kevin Mandia. Ch 1: Real-World Incidents. Teacher: Sam Bowne. Website: https://samsclass.info/121/121_F16.shtml
This document summarizes Andrea Minigozzi's presentation on cyber threats landscape and defense. It discusses the evolution of threats from early computer viruses to modern advanced persistent threats. Various threat vectors are examined, including malware, social engineering, and zero-day exploits. Common attack methods like watering hole attacks and the Heartbleed bug are explained. Defensive strategies are proposed, such as previewing shortened URLs and avoiding malicious QR codes. The presentation aims to increase understanding of modern cybersecurity challenges and threats.
The document provides biographies and background information for two cyber threat hunters, Teymur Kheirkhabarov and Sergey Soldatov. It then discusses the process of cyber threat hunting, including collecting log and system event data from endpoints, analyzing that data using tools like Yara and Cuckoo Sandbox, and manually investigating anomalies through iterative hypothesis testing to detect advanced threats. Examples are given of how threat hunters traced back the steps of an attacker who compromised a system by injecting code into the LSASS process and establishing persistence via a scheduled task. The document emphasizes that threat hunting requires both machine analysis of large datasets as well as human reasoning to uncover sophisticated threats that evade other security solutions.
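The hunt described above (code injected into LSASS, then persistence through a scheduled task) is the kind of chain that is easy to express as a correlation over endpoint telemetry. The following is an added example, not code from the presentation or its authors: it runs over constructed, Sysmon-style events (Event ID 8 CreateRemoteThread and Event ID 1 ProcessCreate field names; the host names, paths and timestamps are invented) and pairs a non-system process opening a thread in lsass.exe with a `schtasks /create` on the same host shortly afterwards. The allowlist of benign LSASS injectors is an assumption to tune per environment.

```python
"""Hunt for LSASS code injection followed by scheduled-task persistence.

Added example, not from the page. The events below are constructed,
Sysmon-style records (Event ID 8 = CreateRemoteThread, Event ID 1 =
ProcessCreate); the host names, paths and timestamps are invented.
"""
import json
from datetime import datetime, timedelta

SAMPLE_LOG = r"""
{"EventID": 8, "UtcTime": "2019-03-04 09:12:01", "Computer": "WS01", "SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe"}
{"EventID": 8, "UtcTime": "2019-03-04 09:15:30", "Computer": "WS01", "SourceImage": "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe"}
{"EventID": 1, "UtcTime": "2019-03-04 09:15:32", "Computer": "WS01", "Image": "C:\\Windows\\System32\\schtasks.exe", "ParentImage": "C:\\Windows\\System32\\lsass.exe", "CommandLine": "schtasks /create /tn Updater /tr C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe /sc onlogon"}
{"EventID": 1, "UtcTime": "2019-03-04 11:40:00", "Computer": "WS02", "Image": "C:\\Windows\\System32\\schtasks.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "schtasks /query /tn Backup"}
"""

# Processes that legitimately open threads in lsass.exe on a stock Windows
# host (assumed allowlist; tune per environment for EDR/AV agents).
BENIGN_LSASS_INJECTORS = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["_time"] = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
        events.append(ev)
    return events


def lsass_injections(events):
    """Event ID 8 where the target is lsass.exe and the source is not known-good."""
    return [e for e in events
            if e["EventID"] == 8
            and basename(e["TargetImage"]) == "lsass.exe"
            and basename(e["SourceImage"]) not in BENIGN_LSASS_INJECTORS]


def task_creations(events):
    """Event ID 1 for schtasks.exe invoked with /create (persistence, not a query)."""
    return [e for e in events
            if e["EventID"] == 1
            and basename(e["Image"]) == "schtasks.exe"
            and "/create" in e["CommandLine"].lower()]


def correlate(events, window=timedelta(minutes=15)):
    """Pair each suspicious injection with task creations on the same host
    within `window` afterwards. Two extra flags record the strongest signals:
    the task was spawned by lsass.exe itself (the injected code acting), and
    the task's action runs the injecting binary."""
    findings = []
    for inj in lsass_injections(events):
        for task in task_creations(events):
            if task["Computer"] != inj["Computer"]:
                continue
            delta = task["_time"] - inj["_time"]
            if not (timedelta(0) <= delta <= window):
                continue
            injector = basename(inj["SourceImage"])
            findings.append({
                "host": inj["Computer"],
                "injector": inj["SourceImage"],
                "task_cmd": task["CommandLine"],
                "seconds_apart": int(delta.total_seconds()),
                "parent_is_lsass": basename(task["ParentImage"]) == "lsass.exe",
                "task_runs_injector": injector in task["CommandLine"].lower(),
            })
    return findings


if __name__ == "__main__":
    for finding in correlate(parse_events(SAMPLE_LOG)):
        print(json.dumps(finding, indent=2))
```

The two rules alone are noisy on a busy fleet; the correlation (same host, short window, lsass.exe as the parent of schtasks.exe, task action pointing at the injector) is what turns a pile of events into one hypothesis worth a manual look, which is the iterative loop the presentation describes.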
This document discusses Nationwide's experience using threat intelligence to focus their MITRE ATT&CK activities. Their initial broad approach analyzing 240+ techniques at once was unsuccessful. They then prioritized techniques based on threats to the financial sector. This focused their efforts on the 27 most relevant threat actors and the 100+ techniques associated with them. They mapped techniques to the ATT&CK matrix and conducted intelligence research. This intelligence-led approach improved their security posture understanding and enabled prioritized, actionable recommendations. The process is ongoing to constantly evolve their defenses based on the latest intelligence.
Given at BSides Nashville 2017. The modern Windows Operating System carries with it an incredible amount of legacy code. The Component Object Model (COM) has left a lasting impact on Windows. This technology is far from dead as it continues to be the foundation for many aspects of the Windows Operating System. You can find hundreds of COM Classes defined by CLSID (COM Class Identifiers). Do you know what they do? This talk seeks to expose tactics long forgotten by the modern defender. We seek to bring to light artifacts in the Windows OS that can be used for persistence. We will present novel tactics for persistence using only the registry and COM objects.
This document provides an overview of privilege escalation techniques. It begins with an introduction to the speaker and defines vertical privilege escalation as moving from a lower-privileged user to a higher-privileged user. It then covers common privilege escalation vectors for both Linux and Windows systems, such as exploiting kernel vulnerabilities, weak passwords, sudo misconfigurations, vulnerable services, and file permission issues. Specific techniques discussed include Dirty COW, password cracking, escaping restricted shells, and abusing cron jobs and SUID files. The document emphasizes that credentials are often found in insecure configurations, backup files, logs and other unprotected locations.
- Malware analysis involves both static and dynamic analysis techniques to understand malware behavior and assess potential damage. Static analysis involves disassembling and reviewing malware code and structure without executing it. Dynamic analysis observes malware behavior when executed in an isolated virtual environment.
- Tools for static analysis include file hashing, string extraction, and PE header examination. Dynamic analysis tools monitor the registry, file system, processes, and network traffic created by the malware at runtime; these include Process Monitor, Wireshark, Process Explorer, and network sniffers.
- To safely conduct malware analysis, one should create an isolated virtual lab separated from production networks, and install behavioral monitoring and code analysis tools like OllyDbg, Process Monitor, and Wiresh
TheFatRat is an easy tool to generate backdoors with msfvenom (part of the Metasploit Framework) and to perform easy post-exploitation attacks. The tool compiles malware with a popular payload, and the compiled malware can then be executed on Android, Windows, or Linux. Malware created with this tool can also bypass most AV software protection. Bypassing the antivirus or security software allows a Metasploit session between the attacker and the target without the antivirus detecting the malicious payload and flagging a warning to the user.
From ATT&CKcon 3.0. By Matt Snyder, VMware. Insider threats are some of the most treacherous and every organization is susceptible: it's estimated that theft of intellectual property alone exceeds $600 billion a year. Armed with intimate knowledge of your organization and masked as legitimate business, these attacks often go unnoticed until it's too late and the damage is done. To make matters worse, threat actors are now trying to lure employees with the promise of large paydays to help carry out attacks. These advanced attacks require advanced solutions, and we are going to demonstrate how we are using the MITRE ATT&CK framework to proactively combat these threats. Armed with these tactics and techniques, we show you how to build intelligent detections to help secure even the toughest of environments.
The document provides an overview of incident response including: 1) It defines the difference between an event and an incident, noting that all incidents are events but not all events are incidents. 2) It outlines the typical steps in an incident response framework including pre-incident preparation, detection, initial response, formulating a response strategy, investigation, reporting, and resolution. 3) It describes each step in more detail, explaining activities like assembling an incident response team, collecting data, analyzing forensic evidence, documenting findings, restoring systems, and implementing countermeasures to prevent future incidents.
This document provides an overview of basic static malware analysis techniques. It discusses using antivirus scanners, hashing files, and finding strings to identify malware without executing it. It also covers analyzing the Portable Executable (PE) file format used in Windows executables, including examining the PE header, imported and exported functions, linked libraries, and sections like .text and .rsrc. The document demonstrates various tools for these static analysis tasks like HashCalc, strings, PEview, Dependency Walker, and Resource Hacker.
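The three static tasks above (hashing, string extraction, PE header and section inspection) are what the listed tools do under the hood. The following is an added example, not code from the document or from any of the tools it names. It constructs a tiny, non-loadable PE32+ image in memory (`build_sample_pe`, with invented strings and a deliberately writable-and-executable `.text` section so the checks have something to find) and then parses it: DOS header, `e_lfanew`, COFF header, section table, per-section entropy and flag checks, plus ASCII and UTF-16LE string extraction.

```python
"""Basic static triage: hashes, strings and PE header/section parsing.

Added example, not from the page. build_sample_pe() constructs a tiny,
non-functional PE32+ image in memory so the script runs offline; the
strings and section flags inside it are chosen to exercise the checks.
"""
import hashlib
import math
import re
import struct
from datetime import datetime, timezone

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
COFF_FMT = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def file_hashes(data):
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def extract_strings(data, min_len=5):
    """ASCII and UTF-16LE printable runs, like `strings -a` and `strings -el`."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return found


def entropy(buf):
    """Shannon entropy in bits per byte; packed or encrypted sections sit near 8."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data):
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, characteristics = struct.unpack_from(COFF_FMT, data, coff_off)
    magic = struct.unpack_from("<H", data, coff_off + 20)[0]   # first field of the optional header
    sections = []
    sec_off = coff_off + 20 + opt_size
    for i in range(nsections):
        name, vsize, vaddr, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from(SECTION_FMT, data, sec_off + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": raw_size, "raw_ptr": raw_ptr, "characteristics": flags,
            # Writable + executable is a classic packer / self-modifying code tell.
            "rwx": bool(flags & IMAGE_SCN_MEM_EXECUTE) and bool(flags & IMAGE_SCN_MEM_WRITE),
            # Virtual size far above raw size: code is unpacked into it at runtime.
            "inflates_in_memory": vsize > 2 * max(raw_size, 1),
            "entropy": round(entropy(raw), 2),
        })
    return {"machine": machine, "pe32plus": magic == 0x20B,
            "compile_time": datetime.fromtimestamp(timestamp, timezone.utc).isoformat(),
            "characteristics": characteristics, "sections": sections}


def build_sample_pe():
    """Constructed minimal PE32+: DOS stub, COFF header, zeroed optional header,
    two sections. Not loadable, just enough structure to parse."""
    e_lfanew, opt_size, raw_base = 0x80, 240, 0x400
    text = (b"\x55\x48\x89\xe5"
            + b"kernel32.dll\0VirtualAlloc\0WriteProcessMemory\0CreateRemoteThread\0").ljust(0x200, b"\0")
    rsrc = "Example Resource".encode("utf-16-le").ljust(0x200, b"\0")
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack(COFF_FMT, 0x8664, 2, 1551683521, 0, 0, opt_size, 0x0022)
    opt = struct.pack("<H", 0x20B).ljust(opt_size, b"\0")
    # .text deliberately flagged CODE|EXECUTE|READ|WRITE (0xE0000020) to trip the rwx check.
    text_hdr = struct.pack(SECTION_FMT, b".text", len(text), 0x1000, len(text), raw_base, 0, 0, 0, 0, 0xE0000020)
    rsrc_hdr = struct.pack(SECTION_FMT, b".rsrc", len(rsrc), 0x2000, len(rsrc), raw_base + 0x200, 0, 0, 0, 0, 0x40000040)
    headers = (dos + b"PE\0\0" + coff + opt + text_hdr + rsrc_hdr).ljust(raw_base, b"\0")
    return headers + text + rsrc


if __name__ == "__main__":
    sample = build_sample_pe()
    print(file_hashes(sample))
    print(parse_pe(sample))
    print(extract_strings(sample))
```

Run against a real file by replacing `build_sample_pe()` with `open(path, "rb").read()`; the import names surfaced by `extract_strings` (here `CreateRemoteThread`, `WriteProcessMemory`) are what you would then chase in Dependency Walker or PEview, and a section flagged `rwx` or with entropy near 8 is the cue to expect a packer before spending time in a disassembler.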
The document provides an overview of penetration testing basics from a presentation by The Internet Storm Center, SANS Institute, and GIAC Certification Program. It discusses the Internet Storm Center, SANS/GIAC training and certifications, common cyber threats, the methodology for penetration testing, tools used for various stages like reconnaissance, scanning, exploitation, and analysis, and the importance of reporting and mitigation strategies.
The document discusses purple teaming, which involves red and blue teams working together to improve security. It provides two examples using PowerShell to simulate insider threats and client-side attacks. The first story involves escalating privileges from a normal user to domain admin and creating a golden ticket. The second starts as a non-admin user using a client-side attack like an HTA when PowerShell is blocked. Detection methods like logs, Applocker, and network monitoring are also outlined. The document concludes purple teaming aims to maximize threat simulation benefits by bringing red and blue teams together.
Presented at the DEFCON27 Red Team Offensive Village on 8/10/19. From the dawn of technology, adversaries have been present. They have ranged from criminal actors and curious children to - more modernly - nation states and organized crime. As an industry, we started to see value in emulating bad actors and thus the penetration test was born. As time passes, these engagements become less about assessing the true security of the target organization and more about emulating other penetration testers. Furthermore, these tests have evolved into a compliance staple that results in little improvement and increasingly worse emulation of bad actors. In this presentation, we will provide a framework complementary to the Penetration Testing Execution Standard (PTES). This complementary work, the Red Team Framework (RTF), focuses on the objectives and scoping of adversarial emulation with increased focus on the perspective of the business, their threat models, and business models. The RTF borrows part of the PTES, adding emphasis on detection capabilities as well as purple team engagements. We believe this approach will better assist organizations and their defensive assets in understanding threats and building relevant detections.
Threat intelligence is information that informs enterprise defenders about adversarial elements so they can stop them. It is information that is relevant to the organization, has business value, and is actionable. Even if you have all the data and feeds, data alone is not intelligence. #Threat #Intelligence #Forensics #ELK #VAPT #SOC #SIEM #Incident #D3pak
The document discusses IP addressing and networking concepts. It explains that IP addresses are assigned to interfaces, not hosts, and describes how interfaces connect hosts to routers and physical links. It also discusses IP address structure, private IP address ranges, network address translation, and the differences between classful and classless addressing using CIDR notation. It provides examples of IP addresses and network masks.
This document provides an overview of implementing IPv4, including: - Lessons on TCP/IP protocols, IPv4 addressing, subnetting, and configuration/troubleshooting of IPv4 - Formatting IPv4 addresses using dotted decimal notation and relating this to binary numbers - Classifying IPv4 addresses as private or public and examples of simple/complex IPv4 implementations - Benefits of subnetting like segmenting traffic and techniques for calculating subnet/host addresses - Tools for configuring and troubleshooting IPv4 like Windows PowerShell, Ping, Tracert, and Message Analyzer
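The two IPv4 summaries above cover the same ground: an address belongs to an interface, a mask can be read the classful way or the CIDR way, RFC 1918 ranges are private, and subnetting borrows host bits. The following is an added example, not code from either document, using Python's standard `ipaddress` module; the addresses in it are chosen for illustration. It reports, for an interface address written as `address/prefix`, both the legacy class and the CIDR network facts, flags whether the prefix is a subnet or supernet of the classful boundary, and carves a block into the smallest power-of-two number of subnets that satisfies a request.

```python
"""IPv4 addressing helpers: classful vs. CIDR view of an interface address,
RFC 1918 private ranges, and carving a block into subnets.

Added example, not from the page; the addresses below are illustrative.
"""
import ipaddress

PRIVATE_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classful(addr):
    """Legacy class from the first octet, with the prefix length it implied."""
    first = int(addr) >> 24
    if first < 128:
        return "A", 8
    if first < 192:
        return "B", 16
    if first < 224:
        return "C", 24
    if first < 240:
        return "D", None    # multicast: no network/host split
    return "E", None        # reserved


def describe_interface(text):
    """Take 'address/prefix' as configured on an interface (the address is the
    interface's, not the host's) and derive the CIDR facts an operator needs."""
    iface = ipaddress.ip_interface(text)
    net = iface.network
    cls, classful_prefix = classful(iface.ip)
    return {
        "address": str(iface.ip),
        "class": cls,
        "classful_prefix": classful_prefix,
        "cidr_prefix": net.prefixlen,
        "netmask": str(net.netmask),
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": max(net.num_addresses - 2, 0),
        "private": any(iface.ip in p for p in PRIVATE_RANGES),
        # CIDR borrows host bits (subnetting) or network bits (supernetting)
        # relative to the classful boundary; both are invisible to a classful reader.
        "subnetted": classful_prefix is not None and net.prefixlen > classful_prefix,
        "supernetted": classful_prefix is not None and net.prefixlen < classful_prefix,
    }


def split_into_subnets(block, wanted):
    """Smallest power-of-two split of `block` that yields at least `wanted` subnets."""
    net = ipaddress.ip_network(block)
    extra_bits = (wanted - 1).bit_length()
    return [str(s) for s in net.subnets(prefixlen_diff=extra_bits)]


if __name__ == "__main__":
    for a in ("192.168.10.130/26", "172.31.5.9/12", "8.8.8.8/32"):
        print(describe_interface(a))
    print(split_into_subnets("10.0.0.0/24", 5))
```

The second sample address is the one worth pausing on: 172.31.5.9/12 is class B by its first octet, so a classful reading would put it in 172.31.0.0/16, while the configured /12 makes it part of the 172.16.0.0/12 private block. Mismatches of exactly this kind are where misrouted traffic and overly broad firewall rules come from.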
Our job might be to build web applications, but we can't build apps that rely on networking if we don't know how these networks and the big network that connects them all (this thing called the Internet) actually work. I'll walk through the basics of networking, then dive a lot deeper (from TCP/UDP to IPv4/6, source/destination ports, sockets, DNS and even BGP). Prepare for an eye-opener when you realize how much a typical app relies on all of these (and many more) working flawlessly... and how you can prepare your app for failure in the chain.
Learning Linux I2C driver development with the Raspberry Pi. http://www.ittraining.com.tw/ittraining/course/embedded/devicedriver
The document discusses IP multicasting and its use in OpenTalk groups and grids. It describes how IP multicasting works, how to send and receive multicasted messages, and how OpenTalk groups use multicasting to broadcast messages to brokers and receivers in a group. It then discusses how grids can use multicasting and a distributed framework to break tasks like password cracking into ranges and farm them out to drones for parallel processing.
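The grid half of the summary above, splitting a password-cracking job into ranges and farming them out to drones, comes down to two pieces of arithmetic: numbering every candidate in the keyspace and cutting that index space into balanced contiguous ranges. The following is an added example, not code from the document or from OpenTalk; the charset, word length and target hash are constructed. `work_orders` produces the per-drone message a broker would multicast (here a plain dict rather than an actual multicast datagram), and `crack_range` is the drone side walking its assigned range.

```python
"""Farming a brute-force keyspace out to drones as contiguous index ranges.

Added example, not from the page. The broker splits candidate indices
[0, len(charset) ** length) into per-drone ranges and hands each drone a
work order; the drone maps indices back to candidate strings. The charset,
length and target below are constructed for the demonstration.
"""
import hashlib


def keyspace_size(charset, length):
    return len(charset) ** length


def index_to_candidate(index, charset, length):
    """Fixed-width mixed-radix decode: index -> candidate of `length` symbols."""
    base = len(charset)
    out = []
    for _ in range(length):
        index, digit = divmod(index, base)
        out.append(charset[digit])
    return "".join(reversed(out))


def candidate_to_index(word, charset):
    index = 0
    for ch in word:
        index = index * len(charset) + charset.index(ch)
    return index


def partition(total, drones):
    """Split [0, total) into `drones` half-open ranges whose sizes differ by at most one."""
    size, extra = divmod(total, drones)
    ranges, start = [], 0
    for i in range(drones):
        end = start + size + (1 if i < extra else 0)
        ranges.append((start, end))
        start = end
    return ranges


def work_orders(charset, length, drones, target_hex):
    """Broker side: one message per drone. Empty ranges (more drones than
    candidates) are dropped rather than sent."""
    total = keyspace_size(charset, length)
    return [
        {"drone": i, "start": s, "end": e, "charset": charset, "length": length,
         "first": index_to_candidate(s, charset, length),
         "last": index_to_candidate(e - 1, charset, length),
         "target_sha256": target_hex}
        for i, (s, e) in enumerate(partition(total, drones)) if e > s
    ]


def sha256_hex(word):
    return hashlib.sha256(word.encode()).hexdigest()


def crack_range(order):
    """Drone side: walk the assigned range, return the preimage or None."""
    for idx in range(order["start"], order["end"]):
        cand = index_to_candidate(idx, order["charset"], order["length"])
        if sha256_hex(cand) == order["target_sha256"]:
            return cand
    return None


if __name__ == "__main__":
    orders = work_orders("abc", 3, 4, sha256_hex("bca"))
    for order, result in zip(orders, (crack_range(o) for o in orders)):
        print(order["drone"], order["first"], order["last"], "->", result)
```

Because the ranges are half-open and contiguous, their union is exactly the keyspace with no overlap, which is the property that lets the broker hand out work by index alone instead of shipping candidate lists over the wire.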
The document discusses security issues related to connected devices in homes and organizations. It provides results from scanning various devices on home and work networks, including details on open ports and services. It finds issues like outdated protocols, self-signed certificates, and lack of encryption on some devices. It notes that many administrators and users are unaware of vulnerabilities in connected devices. It recommends steps administrators and developers can take to improve device security, such as applying patches, network segmentation, monitoring traffic, using encryption, and penetration testing.
The Nessus scan report summarizes the results of a vulnerability scan performed on a Windows Vista system. The scan found 20 open ports, with 46 low, 8 medium and no high severity issues. Common services like MySQL, HTTP, and SMB were identified. The operating system was determined to be Windows Vista Home and the host name was tareq-laptop. Detailed information is provided about issues found on specific ports including unknown services, web servers, and NetBIOS information retrieved from the host.
The document discusses exploiting vulnerabilities in wireless routers that have USB ports for sharing storage and printers. It describes conducting attacks against a D-Link wireless router to steal data, delete data, and implant backdoors by accessing the shared USB flash drive and printer through the router's vulnerable SharePort technology. The attacker scans the wireless network, identifies the router and connected USB devices, and then explores ways to hack into the shared resources and conduct unauthorized activities.
4.1.1.10 Packet Tracer - Configuring Extended ACLs Scenario 1 Instructor (1).pdf
The document describes the key steps in a router's start-up process: 1. When power is applied, the router performs a power-on self-test and loads the bootstrap code from ROM to initialize hardware and locate the IOS image. 2. The IOS image is then loaded from flash memory or another source such as a TFTP server into RAM, where it is decompressed and executed. 3. The startup configuration is loaded, typically from NVRAM. If no configuration is present, the router enters setup mode to configure initial settings.
The report considers practical aspects of the reliability of existing systems for authenticating the originality of photographic evidence. The author examines a vulnerability in the Canon Original Data Security system for image authenticity verification, which was designed to authenticate the originality of images captured by Canon digital SLR cameras.
This document describes a C program to implement a date-time server using TCP. The server program gets the system time, binds to a port, and sends the time string to any connected client. The client program connects to the server, receives the time string from the server, and prints it out. The programs successfully demonstrate a simple client-server model where the server provides the current date and time to multiple clients on request.
This slide describes IMS authentication with AKAv1 and AKAv2 protocol in detail based on the Verizon White paper. The white paper is available on SlideShare: https://lnkd.in/gkujTRV
The document summarizes six network packets captured between different IP addresses. The packets used various protocols including HTTP, TLS, NBNS, SSDP, DHCPv6, and LLMNR. The most common protocols observed were HTTP, TLS (which establishes encrypted connections), and DHCPv6 (which requests network configuration settings).
The document summarizes six network packets captured between different IP addresses. The packets use various protocols including HTTP, TLS, NBNS, SSDP, DHCPv6, and LLMNR. The most common protocols observed are HTTP, TLS (which establishes encrypted connections), and DHCPv6 (which dynamically configures hosts on the network).
This document describes configuring and testing extended access control lists (ACLs) on a router to filter traffic between two PCs and a server. It outlines configuring a numbered ACL to permit FTP and ICMP from PC1 to the server, and a named ACL to permit HTTP and ICMP from PC2 to the server. The ACLs are applied to router interfaces and testing verifies only allowed traffic succeeds while denied traffic fails.
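What the lab verifies by hand (allowed traffic passes, everything else fails) follows from two rules of extended ACL processing: entries are evaluated top to bottom and the first match wins, and anything that reaches the end hits an implicit deny. The following is an added example, not code from the lab or from Cisco, that implements that evaluation over a small subset of IOS ACL syntax. The two ACLs mirror the lab's intent (PC1 gets FTP and ICMP to the server, PC2 gets HTTP and ICMP) with assumed addresses: PC1 10.1.1.10, PC2 10.2.2.10, server 10.3.3.100. The parser understands permit/deny, a protocol, `host A` / `any` / `A WILDCARD` for source and destination, and an optional destination `eq <port>`; source-port matching is not implemented.

```python
"""Extended ACL first-match evaluation with implicit deny.

Added example, not from the page. Assumed addresses: PC1 10.1.1.10,
PC2 10.2.2.10, server 10.3.3.100. Supported syntax is a subset of Cisco
IOS: <permit|deny> <proto> <src> <dst> [eq <dport>], where an address is
'host A', 'any' or 'A WILDCARD'. Source ports are not supported.
"""
import ipaddress

PORT_NAMES = {"ftp": 21, "ftp-data": 20, "www": 80, "telnet": 23, "domain": 53, "smtp": 25}

ACL_100 = """
remark PC1 -> server: FTP control channel and ping only
permit tcp host 10.1.1.10 host 10.3.3.100 eq ftp
permit icmp host 10.1.1.10 host 10.3.3.100
"""

ACL_HTTP_ONLY = """
remark PC2 -> server: HTTP and ping only
permit tcp host 10.2.2.10 host 10.3.3.100 eq www
permit icmp host 10.2.2.10 host 10.3.3.100
"""


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens):
    """Return ((network, wildcard), remaining tokens). Wildcard bits set mean 'don't care'."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]


def _addr_match(spec, addr):
    net, wild = spec
    return (_ip(addr) ^ net) & (~wild & 0xFFFFFFFF) == 0


def parse_acl(text):
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] == "remark":
            continue
        action, proto = tok[0], tok[1]
        src, rest = _parse_addr(tok[2:])
        dst, rest = _parse_addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        entries.append({"action": action, "proto": proto, "src": src, "dst": dst,
                        "dport": dport, "text": line.strip()})
    return entries


def evaluate(acl, pkt):
    """pkt: {'proto', 'src', 'dst', optional 'dport'}. The first matching entry
    wins; falling off the end is the implicit 'deny ip any any'."""
    for e in acl:
        if e["proto"] not in ("ip", pkt["proto"]):
            continue
        if not (_addr_match(e["src"], pkt["src"]) and _addr_match(e["dst"], pkt["dst"])):
            continue
        if e["dport"] is not None and pkt.get("dport") != e["dport"]:
            continue
        return e["action"], e["text"]
    return "deny", "implicit deny"


if __name__ == "__main__":
    acl = parse_acl(ACL_100)
    for pkt in ({"proto": "tcp", "src": "10.1.1.10", "dst": "10.3.3.100", "dport": 21},
                {"proto": "tcp", "src": "10.1.1.10", "dst": "10.3.3.100", "dport": 80},
                {"proto": "icmp", "src": "10.1.1.10", "dst": "10.3.3.100"}):
        print(pkt, "->", evaluate(acl, pkt))
```

Two things the evaluator makes visible that a passing ping does not: a `permit ip any any` placed above the specific lines shadows them completely (order is the policy), and `eq ftp` admits only the port 21 control channel, so a passive-mode FTP data connection to a high server port falls through to the implicit deny even though "FTP is permitted". An ACL also only filters the direction it is applied in, so the return traffic for these flows is governed by whatever is applied on the other interface and direction.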
This document discusses various issues in client/server programming and network server design. It covers topics like identifying servers, UDP and TCP client design, specifying local addresses, partial socket closes, concurrent vs iterative servers, and design alternatives like one process per client, preforked servers, and prethreaded servers. The best design depends on factors like expected client load, transaction sizes, and available system resources. Understanding these issues and testing alternatives is important for choosing an optimal server architecture.
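The date-time server summarized earlier and the server-design discussion above fit together: the same trivial protocol (connect, receive the time, server closes) exposes the difference between an iterative accept loop and a concurrent one. The following is an added example, not code from either document; the original date-time program is in C and this is a Python rendering of the same client-server model with both designs selectable. `RecordingConn` is an in-memory stand-in for a socket so the handler can be exercised without opening a port; the CRLF-terminated format is an assumption in the style of the classic daytime service.

```python
"""TCP date-time server in two server designs: iterative and thread-pooled.

Added example, not from the page; the original is a C program, this is a
Python rendering of the same client-server model. RecordingConn is an
in-memory stand-in for a socket so handle() can be exercised offline.
"""
import socket
import threading
import time
from concurrent.futures import ThreadPoolExecutor


def daytime_string(epoch=None):
    """Human-readable UTC time with a CRLF terminator (assumed format)."""
    t = time.gmtime(time.time() if epoch is None else epoch)
    return time.strftime("%a %b %d %H:%M:%S UTC %Y", t) + "\r\n"


def handle(conn, now=None):
    """Serve one client: write the time and close. The server never reads
    from the peer, so a slow or hostile client cannot stall this handler."""
    try:
        conn.sendall(daytime_string(now).encode("ascii"))
    finally:
        conn.close()


def serve(listener, stop_event, concurrent=True, max_workers=8):
    """Accept loop. Iterative mode (concurrent=False) serves one client at a
    time, so one stalled connection delays everyone behind it. Concurrent
    mode hands each connection to a bounded pool of pre-started threads
    (the 'prethreaded' design), which caps resource use under load."""
    listener.settimeout(0.5)  # wake periodically to check stop_event
    pool = ThreadPoolExecutor(max_workers=max_workers) if concurrent else None
    try:
        while not stop_event.is_set():
            try:
                conn, _ = listener.accept()
            except socket.timeout:
                continue
            conn.settimeout(5.0)  # never block forever on a single peer
            if pool:
                pool.submit(handle, conn)
            else:
                handle(conn)
    finally:
        if pool:
            pool.shutdown(wait=True)


def fetch(addr, timeout=3.0):
    """Client side: connect, read until the server closes, return the text."""
    with socket.create_connection(addr, timeout=timeout) as s:
        chunks = []
        while True:
            data = s.recv(1024)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("ascii")


class RecordingConn:
    """Minimal socket stand-in for tests: records what handle() sends."""
    def __init__(self):
        self.sent = b""
        self.closed = False

    def sendall(self, data):
        self.sent += data

    def close(self):
        self.closed = True


if __name__ == "__main__":
    listener = socket.create_server(("127.0.0.1", 0))  # ephemeral loopback port
    stop = threading.Event()
    worker = threading.Thread(target=serve, args=(listener, stop), daemon=True)
    worker.start()
    try:
        for _ in range(3):
            print(fetch(listener.getsockname()), end="")
    finally:
        stop.set()
        worker.join()
        listener.close()
```

Switching `concurrent` to `False` turns this into the iterative server: correct, and fine for a transaction this small, but a single client that connects and never reads will hold the accept loop for the full five-second timeout while every other client queues. The bounded pool is the compromise the text describes: it tolerates stragglers without letting connection count translate directly into thread count.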
It started with computer hacking and Japanese linguistics as a kid. Zach Mathis has been based in Kobe, Japan, and has performed both red team services and blue team incident response and defense consultation for major Japanese global corporations since 2006. He is the founder of Yamato Security, one of the largest and most popular hands-on security communities in Japan, and has been providing free training since 2012 to help improve the local security community. Since 2016, he has been teaching security for the SANS Institute and holds numerous GIAC certifications. Currently, he is working with other Yamato Security members to provide free and open-source security tools to help security analysts with their work.
Printers have become one of the essential devices in the corporate intranet over the past few years, and their functionality has also increased significantly. Beyond printing and faxing, cloud printing services such as AirPrint are also supported to make them easier to use. Direct printing from mobile devices is now a basic requirement in the IoT era. We also use printers for internal business documents, which makes keeping them safe even more important. Nowadays, most printers on the market no longer need to be connected by USB or a traditional cable: as long as the printer is plugged into the intranet with a LAN cable, a computer can discover and use it immediately. Most of this discovery is based on protocols such as SLP and LLMNR. But is it really safe when vendors adopt those protocols? Furthermore, many printers do not run a traditional Linux system but an RTOS (Real-Time Operating System) instead; how does this affect the attacker? In this talk, we use the Canon ImageCLASS MF644Cdw and HP Color LaserJet Pro MFP M283fdw as case studies, showing how to analyze the devices and gain control of the printer. We will also demonstrate how to use the vulnerabilities to achieve unauthenticated RCE on the RTOS.
While hackers have known the importance of sharing research to improve security for years, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principles of disclosure and protecting security researchers are common across borders, but different countries have some key differences. This panel will present a global perspective that may in turn inform key public policy and company behavior. ENISA published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022. This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces the operation of vulnerability disclosure in China, Japan and the USA. Based on these findings, the desirable and good-practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues. This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions. The panelists are involved in the practice of early warning partnership notified bodies in Japan, the authors of the above report in Europe and the contributors to the above report in the US. In Japan, the issues of system awareness, incentives, the increase in the number of outstanding cases in handling and so-called triage in handling vulnerabilities will be introduced. From the United States, the Vulnerabilities Equities Process for national security and the publication of a non-prosecution policy for vulnerability research will be introduced, as well as the historical background of the issue.
The aim is that the panel discussion will enable the audience to understand the international situation surrounding CVD, as well as future trends, in particular the important role of vulnerabilities in cybersecurity and the challenges society faces around them.
Hackers have known for years the importance of sharing research to improve security. Meanwhile, the importance of coordinated vulnerability disclosure has increasingly been recognized by governments around the world. Although the principles of disclosure and of protecting security researchers are common across borders, there are key differences between countries. This panel presents a global perspective that may influence important public policy and corporate behavior. ENISA published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022. The report not only gives an objective account of the current state of coordinated vulnerability disclosure policies in the EU Member States, but also introduces how vulnerability disclosure operates in China, Japan and the USA. Based on these findings, it examines the desirable elements and good practices of a coordinated vulnerability disclosure process and then discusses the challenges and issues. The session aims to share the contents of this report and, in a panel discussion with representatives from each jurisdiction, to clarify the challenges and future direction of operations in Japan and the national security and vulnerability handling issues in the US. The panelists are practitioners from the early warning partnership notified bodies in Japan, the authors of the above report in Europe, and contributors to the above report in the US. From Japan, issues in vulnerability handling such as awareness of the system, incentives, the growing backlog of unprocessed cases and so-called triage will be introduced. From the US, the Vulnerabilities Equities Process (the disclosure policy for vulnerability information relating to national security) and the publication of a non-prosecution policy for vulnerability research will be introduced, together with the historical background of the issue. Through the panel discussion, the aim is for participants to understand the international situation and future trends surrounding vulnerability disclosure policy, in particular the important role of vulnerabilities in cybersecurity and the challenges society faces around them.