# References
The following is the collection of references at the end of each chapter.
## Chapter 1
1. 2008 Carnegie Mellon University memo by Linda Pesante titled Introduction to Information Security:
https://us-cert.cisa.gov/sites/default/files/publications/infosecuritybasics.pdf
2. Game Theory – Best Response:
https://en.wikipedia.org/wiki/Best_response
3. Non-cooperative games, Game Theory through Examples:
https://www.maa.org/sites/default/files/pdf/ebooks/GTE_sample.pdf
4. Nash Equilibria in Game Theory, A Brief Introduction to Non-Cooperative Game Theory:
https://web.archive.org/web/20100610071152/http://www.ewp.rpi.edu/hartford/~stoddj/BE/IntroGameT.htm
5. Using Bloodhound to map domain trust:
https://www.scip.ch/en/?labs.20171102
6. Bloodhound detection techniques, Teaching An Old Dog New Tricks:
http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html
7. Triaging different attacks with Microsoft ATA:
https://docs.microsoft.com/en-us/advanced-threat-analytics/suspicious-activity-guide
8. What is Defense in Depth?:
https://www.forcepoint.com/cyber-edu/defensedepth
9. Using an Expanded Cyber Kill Chain Model to Increase Attack Resiliency:
https://www.youtube.com/watch?v=1Dz12M7u-S8
10. Attack tree:
https://en.wikipedia.org/wiki/Attack_tree
11. A. Duncan, S. Creese and M. Goldsmith, A Combined Attack-Tree and Kill-Chain Approach to Designing Attack-Detection Strategies for Malicious Insiders in Cloud Computing, 2019 International Conference on Cyber Security and Protection of Digital Services (Cyber Security), pages 1-9:
https://ieeexplore.ieee.org/document/8885401
12. (Network) Reconnaissance:
https://attack.mitre.org/tactics/TA0043/
13. Command and Control:
https://attack.mitre.org/tactics/TA0011/
14. The Python Tutorial:
https://docs.python.org/3/tutorial/
15. Go tutorial:
https://tour.golang.org/welcome/1
16. Mitre ATT&CK Enterprise Matrix:
https://attack.mitre.org/matrices/enterprise/
17. Raphael Mudge's Dirty Red Team Tricks:
https://www.youtube.com/watch?v=oclbbqvawQg
18. The Collegiate Cyber Defense Competition:
https://www.nationalccdc.org/index.php/competition/about-ccdc
19. Raphael Mudge on the Security Weekly Podcast:
https://www.youtube.com/watch?v=bjKpVwmKDKE
20. What is Pros V Joes CTF?:
http://prosversusjoes.net/#:~:text=What%20is%20Pros%20V%20Joes,to%20learn%20and%20better%20themselves
21. Art of War quote on deception, Sun Tzu, The Art of War
22. Barton Whaley, The Prevalence of Guile: Deception through Time and across Cultures and Disciplines:
https://cryptome.org/2014/08/prevalence-ofguile.pdf page 6
23. Robert Clark and William Mitchell define deception, Robert M. Clark and Dr. William L. Mitchell, Deception: Counterdeception and Counterintelligence, page 9
24. Robert Clark and William Mitchell on when to use deception, Robert M. Clark and Dr. William L. Mitchell, Deception: Counterdeception and Counterintelligence, page 6
25. Robert Clark and William Mitchell on cyber deception, Robert M. Clark and Dr. William L. Mitchell, Deception: Counterdeception and Counterintelligence, page 138
26. Social engineering in hacking, Kevin Mitnick and William L. Simon, The Art of Deception
27. Working with the AWS Management Console:
https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/getting-started.html
28. VMware ESXi:
https://en.wikipedia.org/wiki/VMware_ESXi
29. Live forensics versus dead forensics:
https://www.slideshare.net/swisscow/digital-forensics-13608661, slide 22
30. Matthew Monte on the principle of humanity, Matthew Monte, Network Attacks and Exploitation: A Framework, page 17
31. Matthew Monte on the principle of access, Matthew Monte, Network Attacks and Exploitation: A Framework, page 27
32. Chris Nickerson on Red Teaming and Threat Emulation:
https://www.slideshare.net/indigosax1/increasing-value slide 69
33. Frederick P. Brooks, Jr., The Mythical Man-Month: Essays on Software
34. US Army Field Manual on simplicity and planning:
https://en.wikipedia.org/wiki/List_of_United_States_Army_Field_Manuals#FM_3-0
35. The Canadian Forces Operational Planning Process (OPP):
http://publications.gc.ca/collections/collection_2010/forces/D2-252-500-2008-eng.pdf
36. The Checklist Manifesto on planning to counter complexity, Atul Gawande, Henry Holt and Company, 2009, The Checklist Manifesto
37. Zero-day (computing):
https://en.wikipedia.org/wiki/Zero-day_(computing)
38. To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence:
https://www.fireeye.com/blog/threat-research/2017/05/fin7-shimdatabases-persistence.html
39. Hunting for Application Shim Databases:
https://blog.f-secure.com/huntingfor-application-shim-databases/
40. University of Virginia's defensive tool BLUESPAWN:
https://github.com/ION28/BLUESPAWN
41. Miyamoto Musashi quote on timing in strategy, Miyamoto Musashi, The Book of Five Rings, page 7
42. Lecture 3 - Computational Security:
https://www.cs.princeton.edu/courses/archive/fall07/cos433/lec3.pdf
43. FireEye analysis of APT 28, APT28: A Window into Russia's Cyber Espionage Operations?:
https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf page 27
44. CrowdStrike CTO Explains "Breakout Time" — A Critical Metric in Stopping Breaches:
https://www.crowdstrike.com/blog/crowdstrike-cto-explainsbreakout-time-a-critical-metric-in-stopping-breaches/
45. CrowdStrike's 2019 Global Threat Report: Adversary Tradecraft and the Importance of Speed:
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2019GlobalThreatReport.pdf page 14
## Chapter 2 - Preparing for Battle
1. Etherpad-lite – A real-time and collaborative note-taking application that can be privately hosted:
https://github.com/ether/etherpad-lite
2. Dokuwiki – A simple open-source wiki solution that includes templates, plugins, and integrated authentication:
https://github.com/splitbrain/dokuwiki
3. EKM – Enterprise Key Management, a feature of Slack that lets organizations use their own cryptographic keys to secure communications and logs:
https://slack.com/enterprise-key-management
4. A chat application that includes strong cryptographic user verification – Melissa Chase, Trevor Perrin, and Greg Zaverucha, 2019, The Signal Private Group System and Anonymous Credentials Supporting Efficient Verifiable Encryption:
https://signal.org/blog/pdfs/signal_private_group_system.pdf
5. Professional fighter Georges St-Pierre on the importance of innovation:
https://www.theglobeandmail.com/report-on-business/careers/careersleadership/professional-fighter-georges-st-pierre-on-the-importanceof-innovation/article11891399/#
6. SANS paid for Online Cybersecurity Training:
https://www.sans.org/onlinesecurity-training/
7. Open Security Training – Free, high-quality information security courses, with college level production:
https://opensecuritytraining.info/Training.html
8. Cybrary – Free information security courses, including a skill path, with an impressive production value:
https://app.cybrary.it/browse/refined?view=careerPath
9. CrowdStrike CTO Explains "Breakout Time" — A Critical Metric in Stopping Breaches:
https://www.crowdstrike.com/blog/crowdstrike-cto-explainsbreakout-time-a-critical-metric-in-stopping-breaches/
10. OSQuery:
https://github.com/osquery/osquery
11. GRR – Open-source EDR framework for Windows, Linux, and macOS:
https://github.com/google/grr
12. Wazuh – Open-source EDR framework that is an evolution of the OSSEC project. Supports Windows, Linux, and macOS:
https://github.com/wazuh/wazuh
13. Velociraptor – Open-source EDR framework, inspired by GRR and OSQuery. Supports Windows, Linux, and macOS:
https://github.com/Velocidex/velociraptor
14. Snort User Manual – Open-source network intrusion detection system for Windows and Linux:
http://manual-snort-org.s3-website-us-east-1.amazonaws.com/
15. What is Suricata? – Open-source network intrusion and prevention system. Multi-threaded engine designed for Linux systems:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/What_is_Suricata
16. Zeek Documentation – An evolution of Bro IDS, a network IDS that collects logs and metrics on various protocol data:
https://docs.zeek.org/en/master/
17. Port Mirroring for Network Monitoring Explained:
https://blog.niagaranetworks.com/blog/port-mirroring-for-network-monitoringexplained
18. Tcpdump: A simple cheatsheet – a command-line tool for acquiring network captures:
https://www.andreafortuna.org/2018/07/18/tcpdump-a-simplecheatsheet/
19. What is Wireshark?:
https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntroduction.html#ChIntroWhatIs
20. Adding a basic dissector – Wireshark includes a framework to write custom modules that can parse new protocols in Wireshark:
https://www.wireshark.org/docs/wsdg_html_chunked/ChDissectAdd.html
21. tshark Examples – Theory & Implementation:
https://www.activecountermeasures.com/tshark-examples-theory-implementation/
22. Josh Johnson, Implementing Active Defense Systems on Private Networks:
https://www.sans.org/reading-room/whitepapers/detection/implementing-activedefense-systems-private-networks-34312
23. Filebeat – A lightweight logging application:
https://www.elastic.co/beats/filebeat
24. Configure Computers to Forward and Collect Events:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc748890(v=ws.11)
25. Splunk: User Behavior Analytics – A feature that allows for anomaly detection in user activities by baselining users over time:
https://www.splunk.com/en_us/software/user-behavior-analytics.html
26. HELK, The Threat Hunter's Elastic Stack:
https://github.com/Cyb3rWard0g/HELK
27. The Elastic Stack:
https://www.elastic.co/elastic-stack
28. VAST, a SIEM for network data:
https://github.com/tenzir/vast
29. Cortex, a SOAR application to go with TheHive:
https://github.com/TheHiveProject/Cortex
30. TALR – Threat Alert Logic Repository:
https://github.com/SecurityRiskAdvisors/TALR
31. OpenIOC, an open-source alerting format with combinatory logic:
https://github.com/mandiant/OpenIOC_1.1
32. COPS – Collaborative Open Playbook Standard:
https://github.com/demisto/COPS
33. ElastAlert - Easy & Flexible Alerting With Elasticsearch:
https://elastalert.readthedocs.io/en/latest/elastalert.html
34. TheHive, an alert management system:
https://github.com/TheHive-Project/TheHive
35. MISP – Threat Intelligence Sharing Platform:
https://github.com/MISP/MISP
36. CRITS – an open-source project that uses Python to manage threat intelligence:
https://github.com/crits/crits/wiki
37. Windows Sysinternals – Advanced Windows system utilities, includes many functions and useful tools for incident responders:
https://docs.microsoft.com/en-us/sysinternals/
38. YARA in a nutshell:
https://virustotal.github.io/yara/
39. Binwalk, automated artifact extraction:
https://github.com/ReFirmLabs/binwalk
40. Scalpel, targeted artifact extraction:
https://github.com/sleuthkit/scalpel
41. MITRE ATT&CK Compromise Application Executable:
https://attack.mitre.org/techniques/T1577/
42. Redline – A free FireEye product that allows for memory capture and analysis on Windows systems:
https://www.fireeye.com/services/freeware/redline.html
43. The Sleuth Kit, an open-source framework for forensic analysis of disk images:
https://www.sleuthkit.org/
44. Volatility Framework - Volatile memory extraction utility framework:
https://github.com/volatilityfoundation/volatility
45. BLUESPAWN, a defender's multitool for hardening, hunting, and monitoring:
https://github.com/ION28/BLUESPAWN
46. BLUESPAWN: An open-source active defense and EDR solution:
https://github.com/ION28/BLUESPAWN/blob/master/docs/media/Defcon28-BlueTeamVillageBLUESPAWN-Presentation.pdf
47. PE-Sieve, an in-memory scanner for process injection artifacts:
https://github.com/hasherezade/pe-sieve
48. Viper, a Python platform for artifact storage and automated analysis:
https://github.com/viper-framework/viper
49. Cuckoo Sandbox, a dynamic sandbox for teasing out executable functionality:
https://github.com/cuckoosandbox/cuckoo
50. BoomBox, an automated deployment of Cuckoo Sandbox:
https://github.com/nbeede/BoomBox
51. INetSim, a fake network simulator for dynamic sandbox solutions:
https://github.com/catmin/inetsim
52. VirusTotal – An online application that offers basic static analysis, anti-virus analysis, and threat intel analysis on a particular file:
https://www.virustotal.com/gui/
53. JoeSecurity – A commercial online dynamic sandbox application that offers rich executable information:
https://www.joesecurity.org/
54. ANY.RUN – A free dynamic sandboxing application for Windows executables:
https://any.run/
55. Hybrid Analysis – A dynamic sandboxing solution with both free and paid offerings, supports CrowdStrike intelligence:
https://www.hybrid-analysis.com/
56. CyberChef, an open-source, data sharing and transformation application:
https://github.com/gchq/CyberChef
57. Pure Funky Magic – An open-source data transformation application written in Python:
https://github.com/mari0d/PFM
58. What is Maltego?:
https://docs.maltego.com/support/solutions/articles/15000019166-what-is-maltego
59. Security Onion 2 – An evolution of Security Onion, designed to support signal generation, log aggregation, and full SIEM-like capabilities:
https://www.youtube.com/watch?v=M-ty0o8dQU8
60. 14 Cybersecurity Metrics + KPIs to Track:
https://www.upguard.com/blog/cybersecurity-metrics
61. Carlos Perez, Are we measuring Blue and Red Right?:
https://www.darkoperator.com/blog/2015/11/2/are-we-measuring-blue-and-red-right
62. John Lambert – Twitter quote on offensive research:
https://twitter.com/johnlatwc/status/442760491111178240
63. AutoRecon, automated scanning tools:
https://github.com/Tib3rius/AutoRecon
64. Scantron, a distributed scanning solution with a web interface:
https://github.com/rackerlabs/scantron
65. nmap vulners, an advanced vulnerability scanning module for nmap:
https://github.com/vulnersCom/nmap-vulners
66. OpenVAS, an open-source vulnerability scanning solution:
https://github.com/greenbone/openvas
67. Metasploit, a modular, open-source scanning, exploitation, and post-exploitation framework:
https://github.com/rapid7/metasploit-framework
68. Metasploit Resource Scripts – A type of scripting for automating the Metasploit framework, including post-exploitation functionality:
https://docs.rapid7.com/metasploit/resource-scripts/
69. PowerView:
https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
70. BloodHound – A tool for querying Windows domains and mapping their trust relationships in a Neo4j graph database:
https://github.com/BloodHoundAD/BloodHound
71. CobaltStrike – A popular commercial command and control framework that includes a GUI and a scripting language called Aggressor Script:
https://www.cobaltstrike.com/
72. Empire – A popular open-source command and control framework, supports both Windows and macOS, includes many post-exploitation features:
https://github.com/BC-SECURITY/Empire
73. Burp Suite – The de facto web proxy for web application hacking, includes a free version and a commercial version with advanced features:
https://portswigger.net/burp
74. Taipan – Web application vulnerability scanner, includes both a community version and a commercial version:
https://taipansec.com/index
75. Sqlmap – Automated vulnerability scanner focused on SQL Injection:
https://github.com/sqlmapproject/sqlmap
76. Jeff McJunkin's blog post on measuring Nmap's performance and improving it with Masscan:
https://jeffmcjunkin.wordpress.com/2018/11/05/masscan/
77. EternalBlue:
https://en.wikipedia.org/wiki/EternalBlue
78. Gscript, a cross-platform dropper in Go:
https://github.com/gen0cide/gscript
79. Garble, a Go-based obfuscation engine:
https://github.com/burrowers/garble
80. Operations security:
https://en.wikipedia.org/wiki/Operations_security
81. Fat Rodzianko's blog post on domain fronting in Azure:
https://fatrodzianko.com/2020/05/11/covenant-c2-infrastructure-with-azure-domain-fronting/
82. The C2 Matrix – An open-source collection of various command and control frameworks comparing their features:
https://www.thec2matrix.com/matrix
83. Sliver, an open-source C2 framework written in Go:
https://github.com/BishopFox/sliver
84. Cracklord, an application for managing hash cracking jobs, written in Go:
https://github.com/jmmcatee/cracklord
85. CeWL – Custom Word List generator:
https://github.com/digininja/CeWL
86. Kali Linux – A collection of offensive security tools in a bootable Linux distro:
https://www.kali.org/
87. Red Team Metrics Quick Reference Sheet:
https://casa.sandia.gov/_assets/documents/2017-09-13_Metrics_QRS-Paper-Size.pdf
## Chapter 3 - Invisible is Best (Operating in Memory)
1. How to Use the dd Command in Forensics – Using dd to create a forensic image:
https://linuxhint.com/dd%C2%AC_command_forensics/
2. Sleuth Kit Autopsy in-depth tutorial – Forensic analysis with The Sleuth Kit Framework:
https://linuxhint.com/sleuth_kit_autopsy/
3. Plaso, Forensic Timeline Tool:
https://plaso.readthedocs.io/en/latest/sources/user/Users-Guide.html
4. Autopsy Digital Forensics, Law Enforcement Bundle:
https://www.autopsy.com/use-case/law-enforcement/
5. Advanced Persistent Threats – APTs are well-resourced offensive groups:
https://en.wikipedia.org/wiki/Advanced_persistent_threat
6. ATT&CK Deep Dive: Process Injection:
https://www.youtube.com/watch?v=CwglaQRejio
7. MITRE ATT&CK's Process Injection Page:
https://attack.mitre.org/techniques/T1055/
8. Hexacorn's Blog Listing Various Processes Injection Techniques:
https://www.hexacorn.com/blog/2019/05/26/plata-o-plomo-code-injections-executiontricks/
9. Ten process injection techniques: A technical survey of common and trending process injection techniques:
https://www.elastic.co/blog/ten-process-injectiontechniques-technical-survey-common-and-trending-process
10. CreateRemoteThread Process Injection Technique:
https://www.ired.team/offensive-security/code-injection-process-injection/process-injection
11. Windows Privilege Abuse: Auditing, Detection, and Defense:
https://blog.palantir.com/windows-privilege-abuse-auditing-detection-and-defense3078a403d74e
12. Shellcode Obfuscation Framework, Obfuscator:
https://github.com/3xpl01tc0d3r/Obfuscator
13. Using MSBuild to Execute Shellcode in C#:
https://www.ired.team/offensivesecurity/code-execution/using-msbuild-to-execute-shellcode-in-c
14. NSA-leaking Shadow Brokers just dumped its most damaging release yet:
https://arstechnica.com/information-technology/2017/04/nsa-leaking-shadowbrokers-just-dumped-its-most-damaging-release-yet/
15. EternalBlue exploit:
https://github.com/3ndG4me/AutoBlue-MS17-010/blob/master/eternalblue_exploit7.py
16. Meterpreter + Donut = Reflectively and Interactively Executing Arbitrary Executables via Shellcode Injection:
https://iwantmore.pizza/posts/meterpreter-shellcode-inject.html
17. The Sliver Command and Control Framework:
https://github.com/BishopFox/sliver
18. Sliver's generic, native OS function handlers:
https://github.com/BishopFox/sliver/blob/master/implant/sliver/handlers/handlers.go
19. Gobfuscate – A Go obfuscation framework:
https://github.com/unixpickle/gobfuscate
20. Garble's Implementation in the Sliver Framework:
https://github.com/BishopFox/sliver/blob/9beb445a3dbdd6d06a285d3833b5f9ce2dca731c/server/gogo/go.go#L131
21. The Garble Obfuscation Framework:
https://github.com/burrowers/garble
22. Seatbelt – A .NET project for performing on-host operational security checks:
https://github.com/GhostPack/Seatbelt
23. How Red Teams Bypass AMSI and WLDP for .NET Dynamic Code:
https://modexp.wordpress.com/2019/06/03/disable-amsi-wldp-dotnet/
24. Detect and react to a Shellshock attack – Using Wazuh to detect malicious processes:
https://documentation.wazuh.com/current/learning-wazuh/shellshock.html
25. Masking Malicious Memory Artifacts – Part I: Phantom DLL Hollowing:
https://www.forrest-orr.net/post/malicious-memory-artifacts-part-i-dllhollowing
26. Understanding and Evading Get-InjectedThread – _xpn_ shows how to evade Get-InjectedThread by tweaking the CreateRemoteThread technique:
https://blog.xpnsec.com/undersanding-and-evading-get-injectedthread/
27. The NtAllocateVirtualMemory function (ntifs.h):
https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifsntallocatevirtualmemory
28. The NtProtectVirtualMemory function, used to change memory permissions:
http://www.codewarrior.cn/ntdoc/winnt/mm/NtProtectVirtualMemory.htm
29. Agent Tesla: Evading EDR by Removing API Hooks:
https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removingapi-hooks/
30. Automating Detection of Known Malware through Memory Forensics:
https://volatility-labs.blogspot.com/2016/08/automating-detection-of-knownmalware.html
31. Finding DLL Name from the Process Environment Block (PEB):
https://vdalabs.com/2018/09/19/finding-dll-name-from-the-process-environment-blockpeb/
32. Hasherezade's libPeConv, a library for investigating PE files:
https://github.com/hasherezade/libpeconv
33. Hasherezade's PE-sieve, a tool for detecting malicious memory artifacts:
https://github.com/hasherezade/pe-sieve
34. Using PE-sieve: an open-source scanner for hunting and unpacking malware:
https://www.youtube.com/watch?v=fwo4XE2xgis
35. PE-sieve – import recovery and unpacking UPX (part 1):
https://www.youtube.com/watch?v=eTt3QU0F7V0
36. Hasherezade's hollows_hunter, a tool that automates PE-sieve scanning:
https://github.com/hasherezade/hollows_hunter
37. BLUESPAWN, a defensive Swiss Army knife:
https://github.com/ION28/BLUESPAWN
38. BlackHillsInfosec Demonstrating Bypassing EDR Sensors:
https://www.blackhillsinfosec.com/tag/sacred-cash-cow-tipping/
39. Microsoft's Sysmon Security Sensor:
https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
40. SwiftOnSecurity's Base Sysmon Config:
https://github.com/SwiftOnSecurity/sysmon-config
41. A Sysmon Rule for Some Process Injection Techniques:
https://github.com/olafhartong/sysmon-modular/blob/master/10_process_access/include_process_suspend_resume.xml
42. Olaf Hartong's combined Sysmon config:
https://github.com/olafhartong/sysmon-modular/blob/master/sysmonconfig.xml
43. ILSpy, An Open-Source .NET Assembly Browser and Decompiler:
https://github.com/icsharpcode/ILSpy
44. Jetbrains C# Decompiler, dotPeek:
https://www.jetbrains.com/decompiler/
45. dnSpy, An Open-Source .NET Debugger, Decompiler, and Assembly Editor:
https://github.com/dnSpy/dnSpy
46. Emerging Threats, Network Security Signatures for Snort:
https://rules.emergingthreats.net/open/snort-2.9.0/emerging-all.rules
## Chapter 4 - Blending In
1. SANS: Know Normal...Find Evil:
https://www.sans.org/security-resources/posters/dfir-find-evil/35/download
2. Eric Zimmerman's Forensic Tools:
https://ericzimmerman.github.io/
3. SANS: Results in Seconds at the Command-line:
https://web.archive.org/web/20210324161646/https://digital-forensics.sans.org/media/DFIRCommand-Line.pdf
4. Technical Analysis – MSBuild App Whitelisting Bypass:
https://community.carbonblack.com/t5/Threat-Advisories-Documents/Technical-AnalysisMSBuild-App-Whitelisting-Bypass/ta-p/62308
5. Offensive Lateral Movement with MSBuild and Others:
https://posts.specterops.io/offensive-lateral-movement-1744ae62b14f
6. CertUtil.exe Could Allow Attackers To Download Malware While Bypassing AV – Using certutil to download tools:
https://www.bleepingcomputer.com/news/security/certutilexe-could-allow-attackers-to-download-malwarewhile-bypassing-av/
7. AppInstaller.exe LOLbin technique:
https://twitter.com/notwhickey/status/1333900137232523264
8. Windows Dynamic-Link Library (DLL) Search Order:
https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order
9. Find-PathDLLHijack – PowerSploit PrivEsc function for DLL search order hijacking:
https://powersploit.readthedocs.io/en/latest/Privesc/FindPathDLLHijack/
10. Binjection – The Go successor to the Backdoor Factory:
https://github.com/Binject/binjection
11. The Backdoor Factory – A Python Tool For Backdooring Executable Files:
https://github.com/secretsquirrel/the-backdoor-factory
12. Prism Backdoor – This uses ICMP as a covert channel:
https://github.com/andreafabrizi/prism
13. icmpdoor - ICMP Reverse Shell:
https://github.com/krabelize/icmpdoor
14. Scapy Wiki – A library for manipulating different networking packet layers:
https://scapy.readthedocs.io/en/latest/introduction.html
15. icmpdoor - ICMP Reverse Shell in Python 3 – A deep dive on icmpdoor:
https://cryptsus.com/blog/icmp-reverse-shell.html
16. Sliver Wiki – Instructions to Compile From Source:
https://github.com/BishopFox/sliver/wiki/Compile-From-Source
17. Sliver Wiki – Instructions To Set Up DNS C2:
https://github.com/BishopFox/sliver/wiki/DNS-C2#setup
18. Securing our approach to domain fronting within Azure:
https://www.microsoft.com/security/blog/2021/03/26/securing-our-approach-to-domainfronting-within-azure/
19. Domain Fronting with Metasploit and Meterpreter:
https://beyondbinary.io/articles/domain-fronting-with-metasploit-and-meterpreter/
20. LMNTRIX Labs: Hiding In Plain Sight with Reflective Injection and Domain Fronting:
https://lmntrix.com/lab/lmntrix-labs-hiding-in-plain-sightwith-reflective-injection-and-domain-fronting/
21. Detecting ICMP Covert Channels through Payload Analysis:
https://www.trisul.org/blog/detecting-icmp-covert-channels-through-payloadanalysis/
22. Detecting Covert Channels with Snort:
https://resources.infosecinstitute.com/topic/snort-covert-channels/
23. dnstap – A Series of Libraries and Log Formats For DNS:
http://dnstap.info/
24. How To Set Up And Configure DNS On Windows Server 2016:
https://www.businessnewsdaily.com/11019-set-up-configure-dns-on-windowsserver-2016.html
25. PowerShell DNS Debug Log:
https://p0wershell.com/wp-content/uploads/2017/06/Reading-DNS-Debug-logs.ps1_.txt
26. Get-SysmonLogs – A wrapper for parsing Sysmon logs from the event log:
https://github.com/0daysimpson/Get-SysmonLogs
27. Greg Farnham, Detecting DNS Tunneling:
https://www.sans.org/readingroom/whitepapers/dns/detecting-dns-tunneling-34152
28. Detecting Random – Finding Algorithmically chosen DNS names (DGA):
https://isc.sans.edu/forums/diary/Detecting+Random+Finding+Algorithmically+chosen+DNS+names+DGA/19893/
29. Freq – A tool and library for performing frequency analysis:
https://github.com/markbaggett/freq
30. Autoruns for Windows v13.98, Part of the Sysinternals Suite:
https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
31. MITRE ATT&CK: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder:
https://attack.mitre.org/techniques/T1547/001/
32. Hexacorn's Persistence Blog Entries (over 133 at time of writing):
https://www.hexacorn.com/blog/category/autostart-persistence/
33. Robber – A Tool to Detect DLL Search Order Hijacking:
https://github.com/MojtabaTajik/Robber
34. Code Signing Certificate Cloning Attacks and Defenses:
https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses6f98657fc6ec
35. PowerShell Script Demoing a Certificate Cloning Attack – Cert-Clone.ps1:
https://gist.github.com/ahhh/4467b73425601a46bd0fdfaa4fc84ccd
36. PowerShell Script to Deploy Honey Tokens in AD - Deploy-Deception:
https://github.com/samratashok/Deploy-Deception
37. Responder – An offensive local network tool:
https://github.com/lgandx/Responder
38. Respounder – An anti-Responder deception tool:
https://github.com/codeexpress/respounder
39. T-Pot – A multi-honeypot Tool:
https://github.com/telekom-security/tpotce
40. T-Pot – Community Data Submission:
https://github.com/telekom-security/tpotce#community-data-submission
41. Artillery – A Python project that uses honeypots to detect malicious actors on the network:
https://github.com/BinaryDefense/artillery
## Chapter 5 - Active Manipulation
1. Simple userland rootkit – A case study:
https://blog.malwarebytes.com/threat-analysis/2016/12/simple-userland-rootkit-a-case-study/#:~:text=
2. Eventlogedit-evtx--Evolution – A project devoted to different event log clearing techniques:
https://github.com/3gstudent/Eventlogedit-evtx--Evolution
3. Windows XML event log Editing:
https://3gstudent.github.io/Windows-XML-Event-Log-(EVTX)%E5%8D%95%E6%9D%A1%E6%97%A5%E5%BF%97%E6%B8%85%E9%99%A4-%E4%B8%89-%E9%80%9A%E8%BF%87%E8%A7%A3%E9%99%A4%E6%96%87%E4%BB%B6%E5%8D%A0%E7%94%A8%E5%88%A0%E9%99%A4%E5%BD%93%E5%89%8D%E7%B3%BB%E7%BB%9F%E5%8D%95%E6%9D%A1%E6%97%A5%E5%BF%97%E8%AE%B0%E5%BD%95
4. danderspritz-evtx – The event log cleaning code from the leaked NSA toolkit:
https://github.com/fox-it/danderspritz-evtx
5. EventCleaner – A project for removing Windows event logs:
https://github.com/QAX-A-Team/EventCleaner
6. How to crash the Windows event logging service:
https://limbenjamin.com/articles/crash-windows-event-logging-service.html
7. apache2_BackdoorMod:
https://github.com/VladRico/apache2_BackdoorMod
8. dragon – An older Windows service and WinPcap backdoor:
https://github.com/Shellntel/backdoors
9. Windows-Rootkits – An assorted collection of Windows rootkits:
https://github.com/LycorisGuard/Windows-Rootkits
10. Reptile – Linux loadable kernel module rootkit:
https://github.com/f0rb1dd3n/Reptile
11. khook – A simplified Linux kernel hooking engine:
https://github.com/milabs/khook
12. khook – Deep-dive on the Linux kernel hooking framework:
https://dk72njlsmbogubz637bkapyxvm--www-cnblogs-com.translate.goog/likaiming/p/10970543.html
13. kmatryoshka – A framework for loading objects into an LKM:
https://github.com/milabs/kmatryoshka
14. The rootkit Reptile's local cli usage:
https://github.com/f0rb1dd3n/Reptile/wiki/Local-Usage
15. Reptile hiding its kernel module:
https://github.com/linux-rootkits/Reptile/blob/master/rep_mod.c#L145
16. The Five D's of Defense:
https://alamom.com/5defense/
17. Converting PCAP Web Traffic to Apache Log – Xavier Mertens' Lua Script:
https://isc.sans.edu/forums/diary/Converting+PCAP+Web+Traffic+to+Apache+Log/23739/
18. Haka Security, a framework for alerting on pcap data:
http://www.haka-security.org/
19. The LD_PRELOAD trick:
www.goldsborough.me/c/low-level/kernel/2016/08/29/16-48-53-the_-ld_preload-_trick/
20. rkhunter – Linux rootkit detection tool:
https://en.wikipedia.org/wiki/Rkhunter
21. processdecloak:
https://github.com/sandflysecurity/sandflyprocessdecloak
22. unhide – Linux rootkit detection tool:
https://linux.die.net/man/8/unhide
23. Linux Memory Forensics Part 2 – Detection Of Malicious Artifacts:
https://www.otorio.com/resources/linux-memory-forensics-part-2-detection-ofmalicious-artifacts/
24. SANS: Discovery of a Rootkit:
https://web.archive.org/web/20210216065908/https://digital-forensics.sans.org/community/papers/gcfa/discoveryrootkit-simple-scan-leads-complex-solution_244
25. Portspoof – A unique approach to countering network scanning:
https://drk1wi.github.io/portspoof
26. LaBrea – Old-school network tarpit utility:
https://github.com/Hirato/LaBrea
27. Description of Windows TCP features:
https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/description-tcp-features
28. Tarpit functionality added to iptables with Xtables-addons:
https://inai.de/projects/xtables-addons/
29. Mathias Jessen - Attack Surface Reductions for Adventurous Admins:
https://youtube.com/watch?v=KVYtPpxj_S0&t=2167
30. RansomTraps – Ransomware early detection project:
https://github.com/DrMint/Anti-Ransomware
31. Zip bomb basics:
https://en.wikipedia.org/wiki/Zip_bomb
32. The classic 42.zip zip bomb:
https://www.unforgettable.dk/
33. A better zip bomb:
https://www.bamsoftware.com/hacks/zipbomb/
## Chapter 6 - Real-Time Conflict
1. Known Good, Statically Compiled \*nix tools:
https://github.com/andrew-d/static-binaries
2. Seatbelt – C# tool that performs host-based security reconnaissance:
https://github.com/GhostPack/Seatbelt
3. pspy – Unprivileged Linux process snooping:
https://github.com/DominicBreuker/pspy
4. Ain't No Party Like A Unix Party – by Adam Boileau:
https://www.youtube.com/watch?v=o5cASgBEXWY
5. DEEPCE – Docker Enumeration, Escalation of Privileges and Container Escapes:
https://github.com/stealthcopter/deepce
6. sKeylogger – Simple Linux keylogger:
https://github.com/gsingh93/simplekey-logger
7. xspy – X11-based keylogger:
https://github.com/mnp/xspy
8. John Simpson's Recording SSH sessions:
https://jms1.net/ssh-record.shtml
9. Rootsh – Go shell wrapper and keylogger:
https://github.com/dsaveliev/rootsh
10. Python-based pty – Pseudo-terminal utilities:
https://docs.python.org/3/library/pty.html
11. VIM runtime – VIM reference manual:
https://github.com/vim/vim/blob/master/runtime/doc/terminal.txt
12. WireTap:
https://github.com/djhohnstein/WireTap
13. GoRedSpy – A Go cross-platform screenshot spying tool:
https://github.com/ahhh/GoRedSpy
14. EyeWitness – A utility for taking screen captures of web UIs:
https://github.com/FortyNorthSecurity/EyeWitness
15. Mimikatz – Legendary Windows Password Dumping Multitool:
https://github.com/gentilkiwi/mimikatz/wiki
16. Windows Mimikatz – Writeup on using Mimikatz in operations:
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Mimikatz.md
17. Linikatz – Linux memory-based password dumping tool:
https://github.com/CiscoCXSecurity/linikatz
18. MimiPenguin – Another Linux memory-based password dumping tool:
https://github.com/huntergregal/mimipenguin
19. 3snake – Dump SSHD and SUDO credential-related strings:
https://github.com/blendin/3snake
20. GoRedLoot – A Go cross-platform tool to search for secrets and keys:
https://github.com/ahhh/goredloot
21. SharpCollection – A group of C# offensive security utilities:
https://github.com/Flangvik/SharpCollection
22. Sudo Alias Trick – Steal Ubuntu & MacOS Sudo Passwords Without Any Cracking:
https://null-byte.wonderhowto.com/how-to/steal-ubuntu-macossudo-passwords-without-any-cracking-0194190/
23. pambd – PAM backdoor that uses a universal password:
https://github.com/eurialo/pambd
24. Exfiltrating credentials via PAM backdoors & DNS requests:
https://x-c3ll.github.io/posts/PAM-backdoor-DNS/
25. Linux PAM Backdoor with Patch File:
https://github.com/zephrax/linux-pambackdoor
26. Using ssh-agent with SSH:
http://mah.everybody.org/docs/ssh
27. SSH Agent Hijacking:
https://www.clockwork.com/news/2012/09/28/602/ssh_agent_hijacking/
28. SSH ControlMaster: The Good, The Bad, The Ugly:
https://www.anchor.com.au/blog/2010/02/ssh-controlmaster-the-good-the-bad-the-ugly/
29. Hijacking SSH to Inject Port Forwards:
https://0xicf.wordpress.com/2015/03/13/hijacking-ssh-to-inject-port-forwards/
30. RDP hijacking – how to hijack RDS and RemoteApp sessions transparently to move through an organization:
https://doublepulsar.com/rdp-hijacking-how-tohijack-rds-and-remoteapp-sessions-transparently-to-move-through-anda2a1e73a5f6?gi=c7b52d944b52
31. RDP Hijacking – All Windows TS Session Hijacking (2012 R2 Demo):
https://www.youtube.com/watch?v=OgsoIoWmhWw
32. Active Directory & Kerberos Abuse:
https://www.ired.team/offensivesecurity-experiments/active-directory-kerberos-abuse
33. Linux iptables: Block All Incoming Traffic But Allow SSH:
https://www.cyberciti.biz/tips/linux-iptables-4-block-all-incoming-traffic-butallow-ssh.html
34. Answer to iptables allow just internet connection question:
https://askubuntu.com/questions/634788/iptables-allow-just-internet-connection
35. How to Build a Read-Only File System on Linux:
https://www.onlogic.com/company/io-hub/how-to-build-a-read-only-linux-system/
36. chw00t: chroot Escape Tool:
https://github.com/earthquake/chw00t
37. A Guide for Apache in a chroot jail:
https://tldp.org/LDP/solrhe/SecuringOptimizing-Linux-RH-Edition-v1.3/chap29sec254.html
38. FTP: chroot Local User:
https://beginlinux.com/server_training/ftpserver/1275-ftp-chroot-local-user
39. NsJail – An Improved Jailing System Using Namespaces:
https://github.com/google/nsjail
40. protobuf – A platform-neutral library for creating serialized data structures:
https://github.com/protocolbuffers/protobuf
41. Hack-back in the Real World:
https://www.scriptjunkie.us/2017/08/hackback-in-the-real-world/
42. Nmap Exploit – Using Portspoof to Exploit http-domino-enum-passwords.nse:
https://www.youtube.com/watch?v=iyTmxRUaQ8M
## Chapter 7 - The Research Advantage
1. Greasemonkey – A browser automator:
https://en.wikipedia.org/wiki/Greasemonkey
2. Jon Erickson, Hacking: The Art of Exploitation:
https://www.amazon.com/Hacking-Art-Exploitation-Jon-Erickson/dp/1593271441
3. Open Security Training Exploits1 Course:
https://opensecuritytraining.info/Exploits1.html
4. RET2 Cyber Wargames:
https://wargames.ret2.systems/
5. RET2 Wargames Review:
https://blog.ret2.io/2018/09/11/scalablesecurity-education/
6. Modern Binary Exploitation (MBE):
https://github.com/RPISEC/MBE
7. Corelan free exploit tutorial:
https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/
8. How2heap – Educational Heap Exploitation:
https://github.com/shellphish/how2heap
9. Zerodium Vulnerability Purchase Program:
https://www.zerodium.com/program.html
10. Winning a Tesla Model S at Pwn2Own 2019:
https://www.securityweek.com/pwn2own-2019-researchers-win-tesla-after-hacking-its-browser
11. Pwn2Own 2021 Results:
https://www.zerodayinitiative.com/blog/2021/4/2/pwn2own-2021-schedule-and-live-results
12. DEF CON 25, 20 years of DEF CON CTF Organizers:
https://www.youtube.com/watch?v=MbIDrs-mB20
13. DEFCON 2015 CTF FINALS – Blog from DEF CON CTF 2015:
https://research.kudelskisecurity.com/2015/08/25/defcon-2015-ctf-finals/
14. Welcome to the New Order: A DEF CON 2018 Retrospective:
https://dttw.tech/posts/Hka91N-IQ
15. Kernel Panic: A DEF CON 2020 Retrospective:
https://dttw.tech/posts/Skww4fzGP
16. Have I Been Pwned, password exposure database:
https://haveibeenpwned.com/FAQs
17. Attacking SSH Over the Wire - Go Red Team! – Using Hydra to password spray:
https://isc.sans.edu/forums/diary/Attacking+SSH+Over+the+Wire+Go+Red+Team/23000/
18. go-netscan – a multiprotocol credential spraying tool:
https://github.com/emperorcow/go-netscan
19. Kim Zetter, Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon:
https://www.amazon.com/Countdown-Zero-Day-StuxnetDigital/dp/0770436196/
20. A RocketChat 0-Day Vulnerability Discovered as part of CPTC 2020:
https://securifyinc.com/disclosures/rocketchat-unauthenticated-access-tomessages
21. RocketChat – Open-source chat solution:
https://github.com/RocketChat/Rocket.Chat
22. Patch diff of RocketChat adding authentication to loadHistory:
https://github.com/RocketChat/Rocket.Chat/commit/ac9d7612a8fd6eae8074bd06e5449da843065be6#diff-61e120f3236b5f0bc942992a3cf0abfd107838aa5bff8cd0a1d9fc5320a43269
23. Network Finger Printer – Go tool:
https://github.com/awgh/nfp
24. Dependency Hijacking Software Supply Chain Attack Hits More Than 35 Organizations – Alex Birsan's software supply chain attack:
https://blog.sonatype.com/dependency-hijacking-software-supply-chain-attack-hitsmore-than-35-organizations
25. Operation Aurora – Watering hole attack on Google and Apple:
https://en.wikipedia.org/wiki/Operation_Aurora
26. What is a Drive by Download:
https://www.kaspersky.com/resource-center/definitions/drive-by-download
27. Samy Kamkar:
https://en.wikipedia.org/wiki/Samy_Kamkar
28. NAT Slipstreaming v2.0:
https://samy.pl/slipstream/
29. Phish-in-the-Middle:
https://twitter.com/Lares_/status/1258075069714235392
30. Intelligence Concepts – F3EAD:
https://sroberts.io/blog/2015-03-24-intelligence-concepts-f3ead/
31. Threat Hunting for Swear Words:
https://twitter.com/stvemillertime/status/1100399116876533760
32. Adam Shostack, Threat Modeling: Designing for Security:
https://www.amazon.com/Threat-Modeling-Designing-Adam-Shostack/dp/1118809998
33. Inversecos' tweet about Cobalt Strike:
https://twitter.com/inversecos/status/1377415476892987395
34. BeaconHunter – Cobalt Strike detection tool:
https://github.com/3lp4tr0n/beaconhunter
35. The Ultimate Guide to Procmon:
https://adamtheautomator.com/procmon/
36. AmCache and ShimCache in forensic analysis:
https://www.andreafortuna.org/2017/10/16/amcache-and-shimcache-in-forensic-analysis/
37. Digital Forensics – ShimCache Artifacts:
https://countuponsecurity.com/2016/05/18/digital-forensics-shimcache-artifacts/
38. Blanche Lagny, 2019, Analysis of the AmCache v2:
https://www.ssi.gouv.fr/uploads/2019/01/anssi-coriin_2019-analysis_amcache.pdf
39. David Cowen's Daily Blog #579: The meaning of Syscache.hve:
https://www.hecfblog.com/2018/12/daily-blog-579-meaning-of-syscachehve.html
40. Ubisoft's Advanced Anti-cheat in Rainbow Six Siege:
https://www.ubisoft.com/en-us/game/rainbow-six/siege/news-updates/4CpkSOfyxgYhc5a4SbBTx/devblog-update-on-anticheat-in-rainbow-six-siege
## Chapter 8 - Clearing the Field
1. MITRE ATT&CK: Exfil Over C2 Channel:
https://attack.mitre.org/techniques/T1041/
2. Steganography – LSB Introduction with Python – Part 1:
https://itnext.io/steganography-101-lsb-introduction-with-python4c4803e08041?gi=9e7917a5ff8c
3. Whitespace Steganography Conceals Web Shell in PHP Malware:
https://securityboulevard.com/2021/02/whitespace-steganography-conceals-webshell-in-php-malware/
4. Snow – a whitespace-based steganography tool:
http://www.darkside.com.au/snow/
5. PacketWhisper:
https://github.com/TryCatchHCF/PacketWhisper
6. Cloakify kit – a substitution-based steganographic toolkit:
https://github.com/TryCatchHCF/Cloakify
7. Man-on-the-side attack:
https://en.wikipedia.org/wiki/Man-on-the-side_attack
8. Tor exit node list:
https://check.torproject.org/torbulkexitlist
9. pystemon – Monitoring tool for Pastebin-like sites:
https://github.com/cvandeplas/pystemon
10. Private network – RFC 1918 private network addresses:
https://en.wikipedia.org/wiki/Private_network
11. An example of kill date gscript:
https://github.com/ahhh/gscripts/blob/d66c791dc01d17a088144d902695e8b1508f03e4/anti-re/kill_date.gs
12. Active Directory (AD) – Krbtgt account password:
https://itworldjd.wordpress.com/2015/04/07/krbtgt-account-password-reset-scripts/
13. How to generate and use a golden ticket:
https://blog.gentilkiwi.com/securite/mimikatz/golden-ticket-kerberos
14. FireEye Shares Details of Recent Cyber Attack, Actions to Protect Community – FireEye breached through the SolarWinds software supply chain attack:
https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-sharesdetails-of-recent-cyber-attack-actions-to-protect-community.html