# References

The following is the collection of references at the end of each chapter.

## Chapter 1

1. 2008 Carnegie Mellon University memo by Linda Pesante titled Introduction to Information Security: https://us-cert.cisa.gov/sites/default/files/publications/infosecuritybasics.pdf
2. Game Theory – Best Response: https://en.wikipedia.org/wiki/Best_response
3. Non-cooperative games, Game Theory through Examples: https://www.maa.org/sites/default/files/pdf/ebooks/GTE_sample.pdf
4. Nash Equilibria in Game Theory, A Brief Introduction to Non-Cooperative Game Theory: https://web.archive.org/web/20100610071152/http://www.ewp.rpi.edu/hartford/~stoddj/BE/IntroGameT.htm
5. Using Bloodhound to map domain trust: https://www.scip.ch/en/?labs.20171102
6. Bloodhound detection techniques, Teaching An Old Dog New Tricks: http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html
7. Triaging different attacks with Microsoft ATA: https://docs.microsoft.com/en-us/advanced-threat-analytics/suspicious-activity-guide
8. What is Defense in Depth?: https://www.forcepoint.com/cyber-edu/defense-depth
9. Using an Expanded Cyber Kill Chain Model to Increase Attack Resiliency: https://www.youtube.com/watch?v=1Dz12M7u-S8
10. Attack tree: https://en.wikipedia.org/wiki/Attack_tree
11. A. Duncan, S. Creese and M. Goldsmith, A Combined Attack-Tree and Kill-Chain Approach to Designing Attack-Detection Strategies for Malicious Insiders in Cloud Computing, 2019 International Conference on Cyber Security and Protection of Digital Services (Cyber Security), pages 1-9: https://ieeexplore.ieee.org/document/8885401
12. (Network) Reconnaissance: https://attack.mitre.org/tactics/TA0043/
13. Command and Control: https://attack.mitre.org/tactics/TA0011/
14. The Python Tutorial: https://docs.python.org/3/tutorial/
15. Go tutorial: https://tour.golang.org/welcome/1
16. MITRE ATT&CK Enterprise Matrix: https://attack.mitre.org/matrices/enterprise/
17. Raphael Mudge's Dirty Red Team Tricks: https://www.youtube.com/watch?v=oclbbqvawQg
18. The Collegiate Cyber Defense Competition: https://www.nationalccdc.org/index.php/competition/about-ccdc
19. Raphael Mudge on the Security Weekly Podcast: https://www.youtube.com/watch?v=bjKpVwmKDKE
20. What is Pros V Joes CTF?: http://prosversusjoes.net/#:~:text=What%20is%20Pros%20V%20Joes,to%20learn%20and%20better%20themselves
21. Art of War quote on deception, Sun Tzu, The Art of War
22. Barton Whaley, The Prevalence of Guile: Deception through Time and across Cultures and Disciplines: https://cryptome.org/2014/08/prevalence-of-guile.pdf, page 6
23. Robert Clark and William Mitchell define deception, Robert M. Clark and Dr. William L. Mitchell, Deception: Counterdeception and Counterintelligence, page 9
24. Robert Clark and William Mitchell on when to use deception, Robert M. Clark and Dr. William L. Mitchell, Deception: Counterdeception and Counterintelligence, page 6
25. Robert Clark and William Mitchell on cyber deception, Robert M. Clark and Dr. William L. Mitchell, Deception: Counterdeception and Counterintelligence, page 138
26. Social engineering in hacking, Kevin Mitnick and William L. Simon, The Art of Deception
27. Working with the AWS Management Console: https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/getting-started.html
28. VMware ESXi: https://en.wikipedia.org/wiki/VMware_ESXi
29. Live forensics versus dead forensics: https://www.slideshare.net/swisscow/digital-forensics-13608661, slide 22
30. Matthew Monte on the principle of humanity, Matthew Monte, Network Attacks and Exploitation: A Framework, page 17
31. Matthew Monte on the principle of access, Matthew Monte, Network Attacks and Exploitation: A Framework, page 27
32. Chris Nickerson on Red Teaming and Threat Emulation: https://www.slideshare.net/indigosax1/increasing-value, slide 69
33. Frederick P. Brooks, Jr., The Mythical Man-Month: Essays on Software
34. US Army Field Manual on simplicity and planning: https://en.wikipedia.org/wiki/List_of_United_States_Army_Field_Manuals#FM_3-0
35. The Canadian Forces Operational Planning Process (OPP): http://publications.gc.ca/collections/collection_2010/forces/D2-252-500-2008-eng.pdf
36. The Checklist Manifesto on planning to counter complexity, Atul Gawande, Henry Holt and Company, 2009, The Checklist Manifesto
37. Zero-day (computing): https://en.wikipedia.org/wiki/Zero-day_(computing)
38. To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence: https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
39. Hunting for Application Shim Databases: https://blog.f-secure.com/hunting-for-application-shim-databases/
40. University of Virginia's defensive tool BLUESPAWN: https://github.com/ION28/BLUESPAWN
41. Miyamoto Musashi quote on timing in strategy, Miyamoto Musashi, The Book of Five Rings, page 7
42. Lecture 3 - Computational Security: https://www.cs.princeton.edu/courses/archive/fall07/cos433/lec3.pdf
43. FireEye analysis of APT 28, APT28: A Window into Russia's Cyber Espionage Operations?: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf, page 27
44. CrowdStrike CTO Explains "Breakout Time" — A Critical Metric in Stopping Breaches: https://www.crowdstrike.com/blog/crowdstrike-cto-explains-breakout-time-a-critical-metric-in-stopping-breaches/
45. CrowdStrike's 2019 Global Threat Report: Adversary Tradecraft and the Importance of Speed: https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2019GlobalThreatReport.pdf, page 14

## Chapter 2 - Preparing for Battle

1. Etherpad-lite – A real-time and collaborative note-taking application that can be privately hosted: https://github.com/ether/etherpad-lite
2. Dokuwiki – A simple open-source wiki solution that includes templates, plugins, and integrated authentication: https://github.com/splitbrain/dokuwiki
3. EKM – Enterprise Key Management, a feature of Slack that lets organizations use their own cryptographic keys to secure communications and logs: https://slack.com/enterprise-key-management
4. A chat application that includes strong cryptographic user verification – Melissa Chase, Trevor Perrin, and Greg Zaverucha, 2019, The Signal Private Group System and Anonymous Credentials Supporting Efficient Verifiable Encryption: https://signal.org/blog/pdfs/signal_private_group_system.pdf
5. Professional fighter Georges St-Pierre on the importance of innovation: https://www.theglobeandmail.com/report-on-business/careers/careers-leadership/professional-fighter-georges-st-pierre-on-the-importance-of-innovation/article11891399/
6. SANS paid-for Online Cybersecurity Training: https://www.sans.org/online-security-training/
7. Open Security Training – Free, high-quality information security courses, with college-level production: https://opensecuritytraining.info/Training.html
8. Cybrary – Free information security courses, including a skill path, with an impressive production value: https://app.cybrary.it/browse/refined?view=careerPath
9. CrowdStrike CTO Explains "Breakout Time" — A Critical Metric in Stopping Breaches: https://www.crowdstrike.com/blog/crowdstrike-cto-explains-breakout-time-a-critical-metric-in-stopping-breaches/
10. OSQuery: https://github.com/osquery/osquery
11. GRR – Open-source EDR framework for Windows, Linux, and macOS: https://github.com/google/grr
12. Wazuh – Open-source EDR framework that is an evolution of the OSSEC project. Supports Windows, Linux, and macOS: https://github.com/wazuh/wazuh
13. Velociraptor – Open-source EDR framework, inspired by GRR and OSQuery. Supports Windows, Linux, and macOS: https://github.com/Velocidex/velociraptor
14. Snort User Manual – Open-source network intrusion detection system for Windows and Linux: http://manual-snort-org.s3-website-us-east-1.amazonaws.com/
15. What is Suricata? – Open-source network intrusion detection and prevention system. Multi-threaded engine designed for Linux systems: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/What_is_Suricata
16. Zeek Documentation – An evolution of Bro IDS, a network IDS that collects logs and metrics on various protocol data: https://docs.zeek.org/en/master/
17. Port Mirroring for Network Monitoring Explained: https://blog.niagaranetworks.com/blog/port-mirroring-for-network-monitoring-explained
18. Tcpdump: A simple cheatsheet – a command-line tool for acquiring network captures: https://www.andreafortuna.org/2018/07/18/tcpdump-a-simple-cheatsheet/
19. What is Wireshark?: https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs
20. Adding a basic dissector – Wireshark includes a framework to write custom modules that can parse new protocols in Wireshark: https://www.wireshark.org/docs/wsdg_html_chunked/ChDissectAdd.html
21. tshark Examples – Theory & Implementation: https://www.activecountermeasures.com/tshark-examples-theory-implementation/
22. Josh Johnson, Implementing Active Defense Systems on Private Networks: https://www.sans.org/reading-room/whitepapers/detection/implementing-active-defense-systems-private-networks-34312
23. Filebeat – A lightweight logging application: https://www.elastic.co/beats/filebeat
24. Configure Computers to Forward and Collect Events: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc748890(v=ws.11)
25. Splunk: User Behavior Analytics – A feature that allows for anomaly detection in user activities by baselining users over time: https://www.splunk.com/en_us/software/user-behavior-analytics.html
26. HELK, The Threat Hunter's Elastic Stack: https://github.com/Cyb3rWard0g/HELK
27. The Elastic Stack: https://www.elastic.co/elastic-stack
28. VAST, a SIEM for network data: https://github.com/tenzir/vast
29. Cortex, a SOAR application to go with TheHive: https://github.com/TheHive-Project/Cortex
30. TALR – Threat Alert Logic Repository: https://github.com/SecurityRiskAdvisors/TALR
31. OpenIOC, an open-source alerting format with combinatory logic: https://github.com/mandiant/OpenIOC_1.1
32. COPS – Collaborative Open Playbook Standard: https://github.com/demisto/COPS
33. ElastAlert - Easy & Flexible Alerting With Elasticsearch: https://elastalert.readthedocs.io/en/latest/elastalert.html
34. TheHive, an alert management system: https://github.com/TheHive-Project/TheHive
35. MISP – Threat Intelligence Sharing Platform: https://github.com/MISP/MISP
36. CRITS – an open-source project that uses Python to manage threat intelligence: https://github.com/crits/crits/wiki
37. Windows Sysinternals – Advanced Windows system utilities; includes many functions and useful tools for incident responders: https://docs.microsoft.com/en-us/sysinternals/
38. YARA in a nutshell: https://virustotal.github.io/yara/
39. Binwalk, automated artifact extraction: https://github.com/ReFirmLabs/binwalk
40. Scalpel, targeted artifact extraction: https://github.com/sleuthkit/scalpel
41. MITRE ATT&CK Compromise Application Executable: https://attack.mitre.org/techniques/T1577/
42. Redline – A free FireEye product that allows for memory capture and analysis on Windows systems: https://www.fireeye.com/services/freeware/redline.html
43. The Sleuth Kit, an open-source framework for forensic analysis of disk images: https://www.sleuthkit.org/
44. Volatility Framework - Volatile memory extraction utility framework: https://github.com/volatilityfoundation/volatility
45. BLUESPAWN, a defender's multitool for hardening, hunting, and monitoring: https://github.com/ION28/BLUESPAWN
46. BLUESPAWN: An open-source active defense and EDR solution: https://github.com/ION28/BLUESPAWN/blob/master/docs/media/Defcon28-BlueTeamVillage-BLUESPAWN-Presentation.pdf
47. PE-Sieve, an in-memory scanner for process injection artifacts: https://github.com/hasherezade/pe-sieve
48. Viper, a Python platform for artifact storage and automated analysis: https://github.com/viper-framework/viper
49. Cuckoo Sandbox, a dynamic sandbox for teasing out executable functionality: https://github.com/cuckoosandbox/cuckoo
50. BoomBox, an automated deployment of Cuckoo Sandbox: https://github.com/nbeede/BoomBox
51. INetSim, a fake network simulator for dynamic sandbox solutions: https://github.com/catmin/inetsim
52. VirusTotal – An online application that offers basic static analysis, anti-virus analysis, and threat intel analysis on a particular file: https://www.virustotal.com/gui/
53. JoeSecurity – A commercial online dynamic sandbox application that offers rich executable information: https://www.joesecurity.org/
54. ANY.RUN – A free dynamic sandboxing application for Windows executables: https://any.run/
55. Hybrid Analysis – A dynamic sandboxing solution with both free and paid offerings; supports CrowdStrike intelligence: https://www.hybrid-analysis.com/
56. CyberChef, an open-source data sharing and transformation application: https://github.com/gchq/CyberChef
57. Pure Funky Magic – An open-source data transformation application written in Python: https://github.com/mari0d/PFM
58. What is Maltego?: https://docs.maltego.com/support/solutions/articles/15000019166-what-is-maltego
59. Security Onion 2 – An evolution of Security Onion, designed to support signal generation, log aggregation, and full SIEM-like capabilities: https://www.youtube.com/watch?v=M-ty0o8dQU8
60. 14 Cybersecurity Metrics + KPIs to Track: https://www.upguard.com/blog/cybersecurity-metrics
61. Carlos Perez, Are we measuring Blue and Red Right?: https://www.darkoperator.com/blog/2015/11/2/are-we-measuring-blue-and-red-right
62. John Lambert – Twitter quote on offensive research: https://twitter.com/johnlatwc/status/442760491111178240
63. AutoRecon, automated scanning tools: https://github.com/Tib3rius/AutoRecon
64. Scantron, a distributed scanning solution with a web interface: https://github.com/rackerlabs/scantron
65. nmap vulners, an advanced vulnerability scanning module for nmap: https://github.com/vulnersCom/nmap-vulners
66. OpenVAS, an open-source vulnerability scanning solution: https://github.com/greenbone/openvas
67. Metasploit, a modular, open-source scanning, exploitation, and post-exploitation framework: https://github.com/rapid7/metasploit-framework
68. Metasploit Resource Scripts – A type of scripting for automating the Metasploit framework, including post-exploitation functionality: https://docs.rapid7.com/metasploit/resource-scripts/
69. PowerView: https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
70. BloodHound – A tool for querying Windows domains and mapping their trust relationships in a Neo4j graph database: https://github.com/BloodHoundAD/BloodHound
71. CobaltStrike – A popular commercial command and control framework that includes a GUI and a scripting language called Aggressor Script: https://www.cobaltstrike.com/
72. Empire – A popular open-source command and control framework; supports both Windows and macOS and includes many post-exploitation features: https://github.com/BC-SECURITY/Empire
73. Burp Suite – The de facto web proxy for web application hacking; includes a free version and a commercial version with advanced features: https://portswigger.net/burp
74. Taipan – Web application vulnerability scanner; includes both a community version and a commercial version: https://taipansec.com/index
75. Sqlmap – Automated vulnerability scanner focused on SQL injection: https://github.com/sqlmapproject/sqlmap
76. Jeff McJunkin's blog post on measuring Nmap's performance and improving it with Masscan: https://jeffmcjunkin.wordpress.com/2018/11/05/masscan/
77. EternalBlue: https://en.wikipedia.org/wiki/EternalBlue
78. Gscript, a cross-platform dropper in Go: https://github.com/gen0cide/gscript
79. Garble, a Go-based obfuscation engine: https://github.com/burrowers/garble
80. Operations security: https://en.wikipedia.org/wiki/Operations_security
81. Fat Rodzianko's blog post on domain fronting in Azure: https://fatrodzianko.com/2020/05/11/covenant-c2-infrastructure-with-azure-domain-fronting/
82. The C2 Matrix – An open-source collection of various command and control frameworks comparing their features: https://www.thec2matrix.com/matrix
83. Sliver, an open-source C2 framework written in Go: https://github.com/BishopFox/sliver
84. Cracklord, an application for managing hash cracking jobs, written in Go: https://github.com/jmmcatee/cracklord
85. CeWL – Custom Word List generator: https://github.com/digininja/CeWL
86. Kali Linux – A collection of offensive security tools in a bootable Linux distro: https://www.kali.org/
87. Red Team Metrics Quick Reference Sheet: https://casa.sandia.gov/_assets/documents/2017-09-13_Metrics_QRS-Paper-Size.pdf

## Chapter 3 - Invisible is Best (Operating in Memory)

1. How to Use the dd Command in Forensics – Using dd to create a forensic image: https://linuxhint.com/dd_command_forensics/
2. Sleuth Kit Autopsy in-depth tutorial – Forensic analysis with The Sleuth Kit Framework: https://linuxhint.com/sleuth_kit_autopsy/
3. Plaso, Forensic Timeline Tool: https://plaso.readthedocs.io/en/latest/sources/user/Users-Guide.html
4. Autopsy Digital Forensics, Law Enforcement Bundle: https://www.autopsy.com/use-case/law-enforcement/
5. Advanced Persistent Threats – APTs are well-resourced offensive groups: https://en.wikipedia.org/wiki/Advanced_persistent_threat
6. ATT&CK Deep Dive: Process Injection: https://www.youtube.com/watch?v=CwglaQRejio
7. MITRE ATT&CK's Process Injection Page: https://attack.mitre.org/techniques/T1055/
8. Hexacorn's Blog Listing Various Process Injection Techniques: https://www.hexacorn.com/blog/2019/05/26/plata-o-plomo-code-injections-execution-tricks/
9. Ten process injection techniques: A technical survey of common and trending process injection techniques: https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
10. CreateRemoteThread Process Injection Technique: https://www.ired.team/offensive-security/code-injection-process-injection/process-injection
11. Windows Privilege Abuse: Auditing, Detection, and Defense: https://blog.palantir.com/windows-privilege-abuse-auditing-detection-and-defense-3078a403d74e
12. Shellcode Obfuscation Framework, Obfuscator: https://github.com/3xpl01tc0d3r/Obfuscator
13. Using MSBuild to Execute Shellcode in C#: https://www.ired.team/offensive-security/code-execution/using-msbuild-to-execute-shellcode-in-c
14. NSA-leaking Shadow Brokers just dumped its most damaging release yet: https://arstechnica.com/information-technology/2017/04/nsa-leaking-shadow-brokers-just-dumped-its-most-damaging-release-yet/
15. EternalBlue exploit: https://github.com/3ndG4me/AutoBlue-MS17-010/blob/master/eternalblue_exploit7.py
16. Meterpreter + Donut = Reflectively and Interactively Executing Arbitrary Executables via Shellcode Injection: https://iwantmore.pizza/posts/meterpreter-shellcode-inject.html
17. The Sliver Command and Control Framework: https://github.com/BishopFox/sliver
18. Sliver's generic, native OS function handlers: https://github.com/BishopFox/sliver/blob/master/implant/sliver/handlers/handlers.go
19. Gobfuscate – A Go obfuscation framework: https://github.com/unixpickle/gobfuscate
20. Garble's Implementation in the Sliver Framework: https://github.com/BishopFox/sliver/blob/9beb445a3dbdd6d06a285d3833b5f9ce2dca731c/server/gogo/go.go#L131
21. The Garble Obfuscation Framework: https://github.com/burrowers/garble
22. Seatbelt – A .NET project for performing on-host operational security checks: https://github.com/GhostPack/Seatbelt
23. How Red Teams Bypass AMSI and WLDP for .NET Dynamic Code: https://modexp.wordpress.com/2019/06/03/disable-amsi-wldp-dotnet/
24. Detect and react to a Shellshock attack – Using Wazuh to detect malicious processes: https://documentation.wazuh.com/current/learning-wazuh/shellshock.html
25. Masking Malicious Memory Artifacts – Part I: Phantom DLL Hollowing: https://www.forrest-orr.net/post/malicious-memory-artifacts-part-i-dll-hollowing
26. Understanding and Evading Get-InjectedThread – _xpn_ shows how to evade Get-InjectedThread by tweaking the CreateRemoteThread technique: https://blog.xpnsec.com/undersanding-and-evading-get-injectedthread/
27. The NtAllocateVirtualMemory function (ntifs.h): https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-ntallocatevirtualmemory
28. The NtProtectVirtualMemory function, used to change memory permissions: http://www.codewarrior.cn/ntdoc/winnt/mm/NtProtectVirtualMemory.htm
29. Agent Tesla: Evading EDR by Removing API Hooks: https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/
30. Automating Detection of Known Malware through Memory Forensics: https://volatility-labs.blogspot.com/2016/08/automating-detection-of-known-malware.html
31. Finding DLL Name from the Process Environment Block (PEB): https://vdalabs.com/2018/09/19/finding-dll-name-from-the-process-environment-block-peb/
32. Hasherezade's libPeConv, a library for investigating PE files: https://github.com/hasherezade/libpeconv
33. Hasherezade's PE-sieve, a tool for detecting malicious memory artifacts: https://github.com/hasherezade/pe-sieve
34. Using PE-sieve: an open-source scanner for hunting and unpacking malware: https://www.youtube.com/watch?v=fwo4XE2xgis
35. PE-sieve – import recovery and unpacking UPX (part 1): https://www.youtube.com/watch?v=eTt3QU0F7V0
36. Hasherezade's hollows_hunter, a tool that automates PE-sieve scanning: https://github.com/hasherezade/hollows_hunter
37. BLUESPAWN, a defensive Swiss Army knife: https://github.com/ION28/BLUESPAWN
38. BlackHillsInfosec Demonstrating Bypassing EDR Sensors: https://www.blackhillsinfosec.com/tag/sacred-cash-cow-tipping/
39. Microsoft's Sysmon Security Sensor: https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
40. SwiftOnSecurity's Base Sysmon Config: https://github.com/SwiftOnSecurity/sysmon-config
41. A Sysmon Rule for Some Process Injection Techniques: https://github.com/olafhartong/sysmon-modular/blob/master/10_process_access/include_process_suspend_resume.xml
42. Olaf Hartong's combined Sysmon config: https://github.com/olafhartong/sysmon-modular/blob/master/sysmonconfig.xml
43. ILSpy, An Open-Source .NET Assembly Browser and Decompiler: https://github.com/icsharpcode/ILSpy
44. JetBrains C# Decompiler, dotPeek: https://www.jetbrains.com/decompiler/
45. dnSpy, An Open-Source .NET Debugger, Decompiler, and Assembly Editor: https://github.com/dnSpy/dnSpy
46. Emerging Threats, Network Security Signatures for Snort: https://rules.emergingthreats.net/open/snort-2.9.0/emerging-all.rules

## Chapter 4 - Blending In

1. SANS: Know Normal...Find Evil: https://www.sans.org/security-resources/posters/dfir-find-evil/35/download
2. Eric Zimmerman's Forensic Tools: https://ericzimmerman.github.io/
3. SANS: Results in Seconds at the Command-line: https://web.archive.org/web/20210324161646/https://digital-forensics.sans.org/media/DFIR-Command-Line.pdf
4. Technical Analysis – MSBuild App Whitelisting Bypass: https://community.carbonblack.com/t5/Threat-Advisories-Documents/Technical-Analysis-MSBuild-App-Whitelisting-Bypass/ta-p/62308
5. Offensive Lateral Movement with MSBuild and Others: https://posts.specterops.io/offensive-lateral-movement-1744ae62b14f
6. CertUtil.exe Could Allow Attackers To Download Malware While Bypassing AV – Using certutil to download tools: https://www.bleepingcomputer.com/news/security/certutilexe-could-allow-attackers-to-download-malware-while-bypassing-av/
7. AppInstaller.exe LOLbin technique: https://twitter.com/notwhickey/status/1333900137232523264
8. Windows Dynamic-Link Library (DLL) Search Order: https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order
9. Find-PathDLLHijack – PowerSploit PrivEsc function for DLL search order hijacking: https://powersploit.readthedocs.io/en/latest/Privesc/Find-PathDLLHijack/
10. Binjection – The Go successor to the Backdoor Factory: https://github.com/Binject/binjection
11. The Backdoor Factory – A Python Tool For Backdooring Executable Files: https://github.com/secretsquirrel/the-backdoor-factory
12. Prism Backdoor – This uses ICMP as a covert channel: https://github.com/andreafabrizi/prism
13. icmpdoor - ICMP Reverse Shell: https://github.com/krabelize/icmpdoor
14. Scapy Wiki – A library for manipulating different networking packet layers: https://scapy.readthedocs.io/en/latest/introduction.html
15. icmpdoor - ICMP Reverse Shell in Python 3 – A deep dive on icmpdoor: https://cryptsus.com/blog/icmp-reverse-shell.html
16. Sliver Wiki – Instructions to Compile From Source: https://github.com/BishopFox/sliver/wiki/Compile-From-Source
17. Sliver Wiki – Instructions To Set Up DNS C2: https://github.com/BishopFox/sliver/wiki/DNS-C2#setup
18. Securing our approach to domain fronting within Azure: https://www.microsoft.com/security/blog/2021/03/26/securing-our-approach-to-domain-fronting-within-azure/
19. Domain Fronting with Metasploit and Meterpreter: https://beyondbinary.io/articles/domain-fronting-with-metasploit-and-meterpreter/
20. LMNTRIX Labs: Hiding In Plain Sight with Reflective Injection and Domain Fronting: https://lmntrix.com/lab/lmntrix-labs-hiding-in-plain-sight-with-reflective-injection-and-domain-fronting/
21. Detecting ICMP Covert Channels through Payload Analysis: https://www.trisul.org/blog/detecting-icmp-covert-channels-through-payload-analysis/
22. Detecting Covert Channels with Snort: https://resources.infosecinstitute.com/topic/snort-covert-channels/
23. dnstap – A Series of Libraries and Log Formats For DNS: http://dnstap.info/
24. How To Set Up And Configure DNS On Windows Server 2016: https://www.businessnewsdaily.com/11019-set-up-configure-dns-on-windows-server-2016.html
25. PowerShell DNS Debug Log: https://p0wershell.com/wp-content/uploads/2017/06/Reading-DNS-Debug-logs.ps1_.txt
26. Get-SysMonLogs – A Wrapper for Parsing Sysmon Logs from the event log: https://github.com/0daysimpson/Get-SysmonLogs
27. Greg Farnham, Detecting DNS Tunneling: https://www.sans.org/reading-room/whitepapers/dns/detecting-dns-tunneling-34152
28. Detecting Random – Finding Algorithmically chosen DNS names (DGA): https://isc.sans.edu/forums/diary/Detecting+Random+Finding+Algorithmically+chosen+DNS+names+DGA/19893/
29. Freq – A tool and library for performing frequency analysis: https://github.com/markbaggett/freq
30. Autoruns for Windows v13.98, Part of the Sysinternals Suite: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
31. MITRE ATT&CK: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder: https://attack.mitre.org/techniques/T1547/001/
32. Hexacorn's Persistence Blog Entries (over 133 at the time of writing): https://www.hexacorn.com/blog/category/autostart-persistence/
33. Robber – A Tool to Detect DLL Search Order Hijacking: https://github.com/MojtabaTajik/Robber
34. Code Signing Certificate Cloning Attacks and Defenses: https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
35. PowerShell Script Demoing a Certificate Cloning Attack – Cert-Clone.ps1: https://gist.github.com/ahhh/4467b73425601a46bd0fdfaa4fc84ccd
36. PowerShell Script to Deploy Honey Tokens in AD - Deploy-Deception: https://github.com/samratashok/Deploy-Deception
37. Responder – An offensive local network tool: https://github.com/lgandx/Responder
38. Respounder – An anti-Responder deception tool: https://github.com/codeexpress/respounder
39. T-Pot – A multi-honeypot Tool: https://github.com/telekom-security/tpotce
40. T-Pot – Community Data Submission: https://github.com/telekom-security/tpotce#community-data-submission
41. Artillery – A Python project that uses honeypots to detect malicious actors on the network: https://github.com/BinaryDefense/artillery

## Chapter 5 - Active Manipulation

1. Simple userland rootkit – A case study: https://blog.malwarebytes.com/threat-analysis/2016/12/simple-userland-rootkit-a-case-study/
2. Eventlogedit-evtx--Evolution – A project devoted to different event log clearing techniques: https://github.com/3gstudent/Eventlogedit-evtx--Evolution
3. Windows XML event log Editing: https://3gstudent.github.io/Windows-XML-Event-Log-(EVTX)%E5%8D%95%E6%9D%A1%E6%97%A5%E5%BF%97%E6%B8%85%E9%99%A4-%E4%B8%89-%E9%80%9A%E8%BF%87%E8%A7%A3%E9%99%A4%E6%96%87%E4%BB%B6%E5%8D%A0%E7%94%A8%E5%88%A0%E9%99%A4%E5%BD%93%E5%89%8D%E7%B3%BB%E7%BB%9F%E5%8D%95%E6%9D%A1%E6%97%A5%E5%BF%97%E8%AE%B0%E5%BD%95
4. danderspritz-evtx – The event log cleaning code from the leaked NSA toolkit: https://github.com/fox-it/danderspritz-evtx
5. EventCleaner – A project for removing Windows event logs: https://github.com/QAX-A-Team/EventCleaner
6. How to crash the Windows event logging service: https://limbenjamin.com/articles/crash-windows-event-logging-service.html
7. apache2_BackdoorMod: https://github.com/VladRico/apache2_BackdoorMod
8. dragon – An older Windows service and WinPcap backdoor: https://github.com/Shellntel/backdoors
9. Windows-Rootkits – An assorted collection of Windows rootkits: https://github.com/LycorisGuard/Windows-Rootkits
10. Reptile – Linux loadable kernel module rootkit: https://github.com/f0rb1dd3n/Reptile
11. khook – A simplified Linux kernel hooking engine: https://github.com/milabs/khook
12. khook – Deep-dive on the Linux kernel hooking framework: https://dk72njlsmbogubz637bkapyxvm--www-cnblogs-com.translate.goog/likaiming/p/10970543.html
13. kmatryoshka – A framework for loading objects into an LKM: https://github.com/milabs/kmatryoshka
14. The rootkit Reptile's local CLI usage: https://github.com/f0rb1dd3n/Reptile/wiki/Local-Usage
15. Reptile hiding its kernel module: https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L145
16. The Five D's of Defense: https://alamom.com/5defense/
17. Converting PCAP Web Traffic to Apache Log – Xavier Mertens' Lua Script: https://isc.sans.edu/forums/diary/Converting+PCAP+Web+Traffic+to+Apache+Log/23739/
18. Haka Security, a framework for alerting on pcap data: http://www.haka-security.org/
19. The LD_PRELOAD trick: www.goldsborough.me/c/low-level/kernel/2016/08/29/16-48-53-the_-ld_preload-_trick/
20. rkhunter – Linux rootkit detection tool: https://en.wikipedia.org/wiki/Rkhunter
21. processdecloak: https://github.com/sandflysecurity/sandfly-processdecloak
22. unhide – Linux rootkit detection tool: https://linux.die.net/man/8/unhide
23. Linux Memory Forensics Part 2 – Detection Of Malicious Artifacts: https://www.otorio.com/resources/linux-memory-forensics-part-2-detection-of-malicious-artifacts/
24. SANS: Discovery of a Rootkit: https://web.archive.org/web/20210216065908/https://digital-forensics.sans.org/community/papers/gcfa/discovery-rootkit-simple-scan-leads-complex-solution_244
25. Portspoof – A unique approach to countering network scanning: https://drk1wi.github.io/portspoof
26. LaBrea – Old-school network tarpit utility: https://github.com/Hirato/LaBrea
27. Description of Windows TCP features: https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/description-tcp-features
28. Tarpit functionality added to iptables with Xtables-addons: https://inai.de/projects/xtables-addons/
29. Mathias Jessen - Attack Surface Reductions for Adventurous Admins: https://youtube.com/watch?v=KVYtPpxj_S0&t=2167
30. RansomTraps – Ransomware early detection project: https://github.com/DrMint/Anti-Ransomware
31. Zip bomb basics: https://en.wikipedia.org/wiki/Zip_bomb
32. The classic 42.zip zip bomb: https://www.unforgettable.dk/
33. A better zip bomb: https://www.bamsoftware.com/hacks/zipbomb/

## Chapter 6 - Real-Time Conflict

1. Known Good, Statically Compiled \*nix tools: https://github.com/andrew-d/static-binaries
2. Seatbelt – C# tool that performs host-based security reconnaissance: https://github.com/GhostPack/Seatbelt
3. pspy – Unprivileged Linux process snooping: https://github.com/DominicBreuker/pspy
4. Ain't No Party Like A Unix Party – by Adam Boileau: https://www.youtube.com/watch?v=o5cASgBEXWY
5. DEEPCE – Docker Enumeration, Escalation of Privileges and Container Escapes: https://github.com/stealthcopter/deepce
6. sKeylogger – Simple Linux keylogger: https://github.com/gsingh93/simple-key-logger
7. xspy – X11-based keylogger: https://github.com/mnp/xspy
8. John Simpson's Recording SSH sessions: https://jms1.net/ssh-record.shtml
9. Rootsh – Go shell wrapper and keylogger: https://github.com/dsaveliev/rootsh
10. Python-based pty – Pseudo-terminal utilities: https://docs.python.org/3/library/pty.html
11. VIM runtime – VIM reference manual: https://github.com/vim/vim/blob/master/runtime/doc/terminal.txt
12. WireTap: https://github.com/djhohnstein/WireTap
13. GoRedSpy – A Go cross-platform screenshot spying tool: https://github.com/ahhh/GoRedSpy
14. EyeWitness – A utility for taking screen captures of web UIs: https://github.com/FortyNorthSecurity/EyeWitness
15. Mimikatz – Legendary Windows Password Dumping Multitool: https://github.com/gentilkiwi/mimikatz/wiki
16. Windows Mimikatz – Writeup on using Mimikatz in operations: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Mimikatz.md
17. Linikatz – Linux memory-based password dumping tool: https://github.com/CiscoCXSecurity/linikatz
18. MimiPenguin – Another Linux memory-based password dumping tool: https://github.com/huntergregal/mimipenguin
19. 3snake – Dump SSHD and SUDO credential-related strings: https://github.com/blendin/3snake
20. GoRedLoot – A Go cross-platform tool to search for secrets and keys: https://github.com/ahhh/goredloot
21. SharpCollection – A group of C# offensive security utilities: https://github.com/Flangvik/SharpCollection
22. Sudo Alias Trick – Steal Ubuntu & macOS Sudo Passwords Without Any Cracking: https://null-byte.wonderhowto.com/how-to/steal-ubuntu-macos-sudo-passwords-without-any-cracking-0194190/
23. pambd – PAM backdoor that uses a universal password: https://github.com/eurialo/pambd
24. Exfiltrating credentials via PAM backdoors & DNS requests: https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
25. Linux PAM Backdoor with Patch File: https://github.com/zephrax/linux-pam-backdoor
26. Using ssh-agent with SSH:
http://mah.everybody.org/docs/ssh 27. SSH Agent Hijacking:
https://www.clockwork.com/news/2012/09/28/602/ssh_agent_hijacking/ 28. SSH ControlMaster: The Good, The Bad, The Ugly:
https://www.anchor.com.au/blog/2010/02/ssh-controlmaster-the-good-the-bad-the-ugly/ 29. Hijacking SSH to Inject Port Forwards:
https://0xicf.wordpress.com/2015/03/13/hijacking-ssh-to-inject-port-forwards/ 30. RDP hijacking—how to hijack RDS and RemoteApp sessions transparently to move through an organization:
https://doublepulsar.com/rdp-hijacking-how-tohijack-rds-and-remoteapp-sessions-transparently-to-move-through-anda2a1e73a5f6?gi=c7b52d944b52 31. RDP Hijacking – All Windows TS Session Hijacking (2012 R2 Demo):
https://www.youtube.com/watch?v=OgsoIoWmhWw 32. Active Directory & Kerberos Abuse:
https://www.ired.team/offensivesecurity-experiments/active-directory-kerberos-abuse 33. Linux iptables: Block All Incoming Traffic But Allow SSH:
https://www.cyberciti.biz/tips/linux-iptables-4-block-all-incoming-traffic-butallow-ssh.html 34. Answer to iptables allow just internet connection question:
https://askubuntu.com/questions/634788/iptables-allow-just-internet-connection 35. How to Build a Read-Only File System on Linux:
https://www.onlogic.com/company/io-hub/how-to-build-a-read-only-linux-system/ 36. chw00t: chroot Escape Tool:
https://github.com/earthquake/chw00t 37. A Guide for Apache in a chroot jail:
https://tldp.org/LDP/solrhe/SecuringOptimizing-Linux-RH-Edition-v1.3/chap29sec254.html 38. FTP: chroot Local User:
https://beginlinux.com/server_training/ftpserver/1275-ftp-chroot-local-user 39. NsJail – An Improved Jailing System Using Namespaces:
https://github.com/google/nsjail 40. protobuf – A platform neutral library for creating serialized data structures:
https://github.com/protocolbuffers/protobuf 41. Hack-back in the Real World:
https://www.scriptjunkie.us/2017/08/hackback-in-the-real-world/ 42. Nmap Exploit – Using Portspoof to Exploit http-domino-enum-passwords.nse:
https://www.youtube.com/watch?v=iyTmxRUaQ8M ## Chapter 7 - The Research Advantage 1. GreeseMonkey – A browser automator:
https://en.wikipedia.org/wiki/Greasemonkey 2. Jon Erickson, Hacking: The Art of Exploitation:
https://www.amazon.com/Hacking-Art-Exploitation-Jon-Erickson/dp/1593271441 3. Open Security Training Exploits1 Course:
https://opensecuritytraining.info/Exploits1.html 4. RET2 Cyber Wargames:
https://wargames.ret2.systems/ 5. RET2 Wargames Review:
https://blog.ret2.io/2018/09/11/scalablesecurity-education/ 6. Modern Binary Exploitation (MBE):
https://github.com/RPISEC/MBE 7. Corelan free exploit tutorial:
https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/ 8. How2heap – Educational Heap Exploitation:
https://github.com/shellphish/how2heap 9. Zerodium Vulnerability Purchase Program:
https://www.zerodium.com/program.html 10. Winning a Tesla Model S at Pwn2Own 2019:
https://www.securityweek.com/pwn2own-2019-researchers-win-tesla-after-hacking-its-browser 11. Pwn2Own 2021 Results:
https://www.zerodayinitiative.com/blog/2021/4/2/pwn2own-2021-schedule-and-live-results 12. DEF CON 25, 20 years of DEF CON CTF Organizers:
https://www.youtube.com/watch?v=MbIDrs-mB20 13. DEFCON 2015 CTF FINALS – Blog from DEF CON CTF 2015:
https://research.kudelskisecurity.com/2015/08/25/defcon-2015-ctf-finals/ 14. Welcome to the New Order: A DEF CON 2018 Retrospective:
https://dttw.tech/posts/Hka91N-IQ 15. Kernel Panic: A DEF CON 2020 Retrospective:
https://dttw.tech/posts/Skww4fzGP 16. Have I Been Pwned, password exposure database:
https://haveibeenpwned.com/FAQs 17. Attacking SSH Over the Wire - Go Red Team! – Using Hydra to password spray:
https://isc.sans.edu/forums/diary/Attacking+SSH+Over+the+Wire+Go+Red+Team/23000/ 18. go-netscan – a multiprotocol credential spraying tool:
https://github.com/emperorcow/go-netscan 19. Kim Zetter, Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon:
https://www.amazon.com/Countdown-Zero-Day-StuxnetDigital/dp/0770436196/ 20. A RocketChat 0-Day Vulnerability Discovered as part of CPTC 2020:
https://securifyinc.com/disclosures/rocketchat-unauthenticated-access-tomessages 21. RocketChat – Open-source chat solution:
https://github.com/RocketChat/Rocket.Chat 22. Patch diff of RocketChat adding authentication to loadHistory:
https://github.com/RocketChat/Rocket.Chat/commit/ac9d7612a8fd6eae8074bd06e5449da843065be6#diff-61e120f3236b5f0bc942992a3cf0abfd107838aa5bff8cd0a1d9fc5320a43269 23. Network Finger Printer – Go tool:
https://github.com/awgh/nfp 24. Dependency Hijacking Software Supply Chain Attack Hits More Than 35 Organizations: Alex Birsan's software supply chain attack:
https://blog.sonatype.com/dependency-hijacking-software-supply-chain-attack-hitsmore-than-35-organizations 25. Operation Aurora – Watering hole attack on Google and Apple:
https://en.wikipedia.org/wiki/Operation_Aurora 26. What is a Drive by Download:
https://www.kaspersky.com/resource-center/definitions/drive-by-download 27. Samy Kamkar:
https://en.wikipedia.org/wiki/Samy_Kamkar 28. NAT Slipstreaming v2.0:
https://samy.pl/slipstream/ 29. Phish-in-the-Middle:
https://twitter.com/Lares_/status/1258075069714235392 30. Intelligence Concepts – F3EAD:
https://sroberts.io/blog/2015-03-24-intelligence-concepts-f3ead/ 31. Threat Hunting for Swear Words:
https://twitter.com/stvemillertime/status/1100399116876533760 32. Adam Shostack, Threat Modeling: Designing for Security:
https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998 33. Inversecos' tweet about Cobalt Strike:
https://twitter.com/inversecos/status/1377415476892987395 34. BeaconHunter – Cobalt Strike detection tool:
https://github.com/3lp4tr0n/beaconhunter 35. The Ultimate Guide to Procmon:
https://adamtheautomator.com/procmon/ 36. AmCache and ShimCache in forensic analysis:
https://www.andreafortuna.org/2017/10/16/amcache-and-shimcache-in-forensic-analysis/ 37. Digital Forensics – ShimCache Artifacts:
https://countuponsecurity.com/2016/05/18/digital-forensics-shimcache-artifacts/ 38. Blanche Lagny, 2019, Analysis of the AmCache v2:
https://www.ssi.gouv.fr/uploads/2019/01/anssi-coriin_2019-analysis_amcache.pdf 39. David Cowen's Daily Blog #579: The meaning of Syscache.hve:
https://www.hecfblog.com/2018/12/daily-blog-579-meaning-of-syscachehve.html 40. Ubisoft's Advanced Anti-cheat in Rainbow Six Siege:
https://www.ubisoft.com/en-us/game/rainbow-six/siege/news-updates/4CpkSOfyxgYhc5a4SbBTx/devblog-update-on-anticheat-in-rainbow-six-siege ## Chapter 8 - Clearing the Field 1. MITRE ATT&CK: Exfil Over C2 Channel:
https://attack.mitre.org/techniques/T1041/ 2. Steganography – LSB Introduction with Python – Part 1:
https://itnext.io/steganography-101-lsb-introduction-with-python4c4803e08041?gi=9e7917a5ff8c 3. Whitespace Steganography Conceals Web Shell in PHP Malware:
https://securityboulevard.com/2021/02/whitespace-steganography-conceals-webshell-in-php-malware/ 4. Snow – a whitespace-based steganography tool:
http://www.darkside.com.au/snow/ 5. PacketWhisper:
https://github.com/TryCatchHCF/PacketWhisper 6. Cloakify kit – a substitution-based steganographic toolkit:
https://github.com/TryCatchHCF/Cloakify 7. Man-on-the-side attack:
https://en.wikipedia.org/wiki/Man-on-the-side_attack 8. Tor exit node list:
https://check.torproject.org/torbulkexitlist 9. pystemon – Monitoring tool for Pastebin-like sites:
https://github.com/cvandeplas/pystemon 10. Private network – RFC 1918 private network addresses:
https://en.wikipedia.org/wiki/Private_network 11. An example of kill date gscript:
https://github.com/ahhh/gscripts/blob/d66c791dc01d17a088144d902695e8b1508f03e4/anti-re/kill_date.gs 12. Active Directory (AD) – Krbtgt account password:
https://itworldjd.wordpress.com/2015/04/07/krbtgt-account-password-reset-scripts/ 13. How to generate and use a golden ticket:
https://blog.gentilkiwi.com/securite/mimikatz/golden-ticket-kerberos 14. FireEye Shares Details of Recent Cyber Attack, Actions to Protect Community – FireEye breached through the SolarWinds software supply chain attack:
https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-sharesdetails-of-recent-cyber-attack-actions-to-protect-community.html