Clean working directory

This commit is contained in:
pe3zx 2018-02-19 21:20:59 +07:00
parent 4a703e2e6d
commit c5ff83153a
3 changed files with 9 additions and 81 deletions

View File

@ -45,7 +45,6 @@ My curated list of awesome links, resources and tools
### Anti Forensics
- [Removing Your PDF Metadata & Protecting PDF Files](https://blog.joshlemon.com.au/protecting-your-pdf-files-and-metadata/)
- Mirror copy of the script in this article is available at [files/anti-forensics/cleaning-pdf.sh](files/anti-forensics/cleaning-pdf.sh)
### Certifications
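Review bot: the line "Mirror copy of the script in this article is available at files/anti-forensics/cleaning-pdf.sh" is dropped from the Anti Forensics section, which matches the deletion of that script later in this same commit, but the commit message "Clean working directory" does not say that locally mirrored files are being removed from the repository; suggest a commit message (or a short README note) stating that the mirrors were dropped and readers should follow the original article links, so the change is not read as an accidental deletion.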
@ -58,27 +57,8 @@ My curated list of awesome links, resources and tools
### Digital Forensics and Incident Response
- [A Newbies Guide to ESXi and VM Log Files](https://www.altaro.com/vmware/introduction-esxi-vm-log-files/)
- [Booting up evidence E01 image using free tools (FTK Imager & Virtualbox)](http://www.securityisfun.net/2014/06/booting-up-evidence-e01-image-using.html?m=1&utm_content=bufferb865d&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer)
- [Certificate Chain Cloning and Cloned Root Trust Attacks](https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec)
- Mirror copy (TLDR version) of the article is available at [files/dfir/rouge-certificate-dfir.md](files/dfir/rouge-certificate-dfir.md)
- [Malicious USB Devices](http://blog.4n6ir.com/2017/10/malicious-usb-devices.html)
- :pencil: [A Newbies Guide to ESXi and VM Log Files](https://www.altaro.com/vmware/introduction-esxi-vm-log-files/)
- [certsocietegenerale/IRM - Incident Response Methodologies](https://github.com/certsocietegenerale/IRM)
- [0x4D31/deception-as-detection - Deception based detection techniques mapped to the MITREs ATT&CK framework](https://github.com/0x4D31/deception-as-detection)
- Detecting [APT28](http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html), according to [Hacker Huricane](http://hackerhurricane.blogspot.com/2017/10/looking-at-apt28-latest-talos-security.html)
- Mirror copy (TLDR version) of the article is available at [files/dfir/detecting-apt28.md](files/dfir/detecting-apt28.md)
- Detecting [malicious dynamic data exchange (DDE) to execute code in Microsoft Office documents](https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/)
- [Detecting DDE in MS Office documents with YARA rules](https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/)
- Mirror copy (TLDR version) of the article is available at [files/dfir/detecting-dde.md](files/dfir/detecting-dde.md]
- [[DFIR] DFIR on VDI deployments](https://lists.sans.org/mailman/private/dfir/2017-August/022817.html)
- [Finding and Decoding Malicious PowerShell Scripts](http://az4n6.blogspot.com/2017/10/finding-and-decoding-malicious.html)
- [Hidden Treasure: Intrusion Detection with ETW (Part 1)](https://blogs.technet.microsoft.com/office365security/hidden-treasure-intrusion-detection-with-etw-part-1/)
- [Logging Keystrokes with Event Tracing for Windows (ETW)](https://www.cyberpointllc.com/srt/posts/srt-logging-keystrokes-with-event-tracing-for-windows-etw.html)
- [Monitoring what matters Windows Event Forwarding for everyone (even if you already have a SIEM.)](https://blogs.technet.microsoft.com/jepayne/2015/11/23/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem/)
- [nccgroup/Cyber-Defence](https://github.com/nccgroup/Cyber-Defence)
- [Tales of a Threat Hunter 1](https://www.eideon.com/2017-09-09-THL01-Mimikatz/)
- [Use Windows Event Forwarding to help with intrusion detection](https://docs.microsoft.com/en-us/windows/threat-protection/use-windows-event-forwarding-to-assist-in-instrusion-detection)
- [Windows Event Forwarding for Network Defense](https://medium.com/@palantir/windows-event-forwarding-for-network-defense-cb208d5ff86f)
#### Unix/Linux
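Review bot: the `:pencil:` prefix introduced on entries such as `:pencil: [A Newbies Guide to ESXi and VM Log Files]` is not explained anywhere in the visible README text; suggest adding a one-line legend near the top of the list saying what the marker means. "A Newbies Guide to ESXi and VM Log Files" also appears twice in this section (once plain, once with the marker); if both survive the change, keep only one. Separately, the NVISO entry's mirror link is malformed, `(files/dfir/detecting-dde.md]`, closing with `]` instead of `)`, so it does not render as a link; that mirror file is not among the three files this commit touches, so either fix the bracket or remove the mirror line together with the others.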
@ -109,23 +89,30 @@ My curated list of awesome links, resources and tools
- [Amcache and Shimcache in forensic analysis](https://andreafortuna.org/amcache-and-shimcache-in-forensic-analysis-8e55aa675d2f)
- [Automating large-scale memory forensics](https://medium.com/@henrikjohansen/automating-large-scale-memory-forensics-fdc302dc3383)
- [Carving EVTX](https://rawsec.lu/blog/posts/2017/Jun/23/carving-evtx/)
- :pencil: [Certificate Chain Cloning and Cloned Root Trust Attacks](https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec)
- :pencil: [Detecting DDE in MS Office documents with YARA rules](https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/)
- [Forensic Analysis of Systems that have Windows Subsystem for Linux Installed](http://blog.1234n6.com/2017/10/forensic-analysis-of-systems-with.html)
- [Hidden Treasure: Intrusion Detection with ETW (Part 1)](https://blogs.technet.microsoft.com/office365security/hidden-treasure-intrusion-detection-with-etw-part-1/)
- [How to Crack Passwords for Password Protected MS Office Documents](https://www.blackhillsinfosec.com/crack-passwords-password-protected-ms-office-documents/)
- [HUNTING EVENT LOGGING COVERUP](http://malwarenailed.blogspot.com/2017/10/update-to-hunting-mimikatz-using-sysmon.html)
- [Logging Keystrokes with Event Tracing for Windows (ETW)](https://www.cyberpointllc.com/srt/posts/srt-logging-keystrokes-with-event-tracing-for-windows-etw.html)
- :pencil: [Looking at APT28 latest Talos Security write up and how YOU could catch this type of behavior](https://hackerhurricane.blogspot.com/2017/10/looking-at-apt28-latest-talos-security.html)
- [MAC(b) times in Windows forensic analysis](https://andreafortuna.org/mac-b-times-in-windows-forensics-analysis-c821d801a810)
- [Memory Acquisition and Virtual Secure Mode](https://df-stream.com/2017/08/memory-acquisition-and-virtual-secure/)
- [pwndizzle/CodeExecutionOnWindows - A list of ways to execute code on Windows using legitimate Windows tools](https://github.com/pwndizzle/CodeExecutionOnWindows)
- [RecentApps Registry Key](https://df-stream.com/2017/10/recentapps/)
- [Some reminders about Windows file times](https://medium.com/@4n68r/some-reminders-about-windows-file-times-2debe1edb978)
- :pencil: [Tales of a Threat Hunter 1](https://www.eideon.com/2017-09-09-THL01-Mimikatz/)
- [Volume Shadow Copies in forensic analysis](https://andreafortuna.org/volume-shadow-copies-in-forensics-analysis-7708adefe61c)
- [Use Windows Event Forwarding to help with intrusion detection](https://docs.microsoft.com/en-us/windows/threat-protection/use-windows-event-forwarding-to-assist-in-instrusion-detection)
- [Windows, Now with built in anti forensics!](http://www.hecfblog.com/2017/04/windows-now-built-in-anti-forensics.html)
- [Windows Drive Acquisition](https://articles.forensicfocus.com/2017/10/19/windows-drive-acquisition/)
- [Windows event logs in forensic analysis](https://andreafortuna.org/windows-event-logs-in-forensic-analysis-d80e2a134fdd)
- [Windows Privileged Access Reference](https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#ATLT_BM)
- Mirror copy of the table is available at [files/dfir/windows-privileged-access-reference.md](files/dfir/windows-privileged-access-reference.md)
- [Windows registry in forensic analysis](https://andreafortuna.org/windows-registry-in-forensic-analysis-7bf060d2da)
- [Windows Security Identifiers (SIDs)](https://andreafortuna.org/windows-security-identifiers-sids-2196a5be2f4d)
- [Windows Subsystem for Linux and Forensic Analysi](http://blog.1234n6.com/2017/10/windows-subsystem-for-linux-and.html)
- [Windows Event Forwarding for Network Defense](https://medium.com/@palantir/windows-event-forwarding-for-network-defense-cb208d5ff86f)
### Exploitation
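Review bot: the link title "Windows Subsystem for Linux and Forensic Analysi" is missing its trailing "s"; suggest "Forensic Analysis". The list is otherwise alphabetical, but "Use Windows Event Forwarding to help with intrusion detection" sits after "Volume Shadow Copies in forensic analysis", and "Windows Event Forwarding for Network Defense" is appended after "Windows Subsystem for Linux ..." at the very end; move both to their alphabetical positions. The `:pencil:`-marked entries here (Certificate Chain Cloning, Detecting DDE, Looking at APT28, Tales of a Threat Hunter 1) duplicate links that also appear in the parent Digital Forensics and Incident Response section in the previous hunk; if the intent is to relocate them into the Windows subsection, confirm that the copies in the parent section are the removed lines rather than surviving duplicates.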

View File

@ -1,26 +0,0 @@
strip_pdf() {
echo "Original Metadata for $1"
exiftool $1
echo "Removing Metadata...."
echo ""
qpdf --linearize $1 striped1-$1
exiftool -all:all= striped1-$1
qpdf --linearize striped1-$1 striped2-$1
rm striped1-$1
rm striped1-$1_original
echo "New Metadata for striped2-$1"
exiftool striped2-$1
echo ""
echo "Securing striped2-$1...."
password=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 40 | head -n 1)
echo "Password will be: $password"
echo ""
qpdf --linearize --encrypt "" $password 128 --print=full --modify=none --extract=n --use-aes=y -- striped2-$1 striped-$1
rm striped2-$1
echo "Final status of striped-$1"
pdfinfo striped-$1
}
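Review bot: this removes the only copy of the PDF-stripping script that the README's Anti Forensics section pointed to, so anyone following the old README link gets a dead path; acceptable if intentional, but the commit message should say so. If the script is kept anywhere else, three defects are worth fixing before reuse: `$1` is unquoted throughout (`exiftool $1`, `qpdf --linearize $1 striped1-$1`), so a filename containing spaces breaks every step; an argument with a directory component such as `dir/a.pdf` yields an output name `striped1-dir/a.pdf`, which qpdf cannot write, so derive the output names from `$(basename "$1")`; and the generated password is only echoed (`echo "Password will be: $password"`) and never written anywhere, so the encrypted `striped-$1` becomes unrecoverable once the terminal scrollback is gone.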

View File

@ -1,33 +0,0 @@
# Rouge Ceritifcation DFIR
Original article from: [Code Signing Certificate Cloning Attacks and Defenses](https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec) by SpecterOps
## Attacks
- Export all certificates in legitimate certificate chain, via Certificate Wizard, to disk. [Video](https://www.youtube.com/watch?time_continue=11&v=5rjJnxl50Dg).
- Signing target binary file with `New-SelfSignedCertificate` cmdlet in PowerShell. [Video](https://www.youtube.com/watch?v=qF6h2he5B7g)
- Example of uses: [CertificateCloning.ps1](https://gist.github.com/mattifestation/b2e5c5b529e770c464f149e6020e280b#file-certificatecloning-ps1)
- Remote trusting with WMI: [RemoteCertTrust.ps1](https://gist.github.com/mattifestation/429008d961bb719d5bd5ce262557bdbf#file-remotecerttrust-ps1)
## Detection
- Use Sysmon to monitor registry activity relates to certificate installation. Example config below.
- Focus on *SetValue events where the TargetObject property ends with `<THUMBPRINT_VALUE>\Blob` as this indicates the direct installation or modification of a root certificate binary blob.*
<script src="https://gist.github.com/mattifestation/75d6117707bcf8c26845b3cbb6ad2b6b.js"></script>
- Investigate the content of certificate with powershell:
```powershell
Get-ChildItem -Path Cert:\ -Recurse | Where-Object { $_.Thumbprint -eq '1F3D38F280635F275BE92B87CF83E40E40458400' } | Format-List *
```
- Investigate and compare [authroot.stl](https://gist.github.com/mattifestation/c712e525109f786fbaf6ed576b8d2832) using [GetSTLCertHashes.ps1](https://gist.github.com/mattifestation/c712e525109f786fbaf6ed576b8d2832)
## Protection
- *While there may not be strong preventative mitigations for certificate installation as an admin, it is possible to prevent root certificate installation in the current user context by setting the following registry value:*
```
HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots - Flags (REG_DWORD) - 1
```
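Review bot: the two links in "Investigate and compare authroot.stl using GetSTLCertHashes.ps1" point to the same gist URL (`.../c712e525109f786fbaf6ed576b8d2832`), so one of them is wrong; the `<script src="https://gist.github.com/...js"></script>` embed is raw HTML that a repository markdown renderer will not execute, so the Sysmon configuration it was meant to show never appears in this file and should be a plain link to the gist instead; and the heading "Rouge Ceritifcation DFIR" (and the file name `rouge-certificate-dfir.md`) misspells "Rogue Certificate". Since the file is being deleted none of this needs fixing now, but these are the defects to correct if the summary is ever restored, and the commit message should state that mirrored summaries are being removed along with the scripts.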