Tools of The Trade

CompTIA Security+ (SY0-601) Notes

Uploaded by neyoxaw624

4. Tools of the Trade:

Obj. 4.1: Given a scenario, use the appropriate tool to assess organizational security:

* Command-Line Interface (CLI):

> Windows offers both the standard Command shell as well as the more robust PowerShell.
> macOS uses Terminal as the command-line interface (CLI).
> Linux CLIs are often referred to as the terminal, shell, console, bash or prompt.
> ping queries other systems on a TCP/IP network to test connectivity.
> ipconfig (Windows) and ifconfig (macOS/Linux) show the current status of the network settings for a host system.

* Shells:

> Windows Command Line
> Microsoft PowerShell
> Linux Shells
> Python
> Benefits: Automation via scripts

* Reverse Shells:

> Reverse shells involve victim stations contacting attacker stations that are listening for a connection.
> Attackers often try to get a reverse shell (backdoor).
> Advanced persistent threat (APT): the attacker has a way into the system repeatedly through a reverse shell.
> Tools: netcat (nc), Metasploit framework, Cobalt Strike

* Windows Command Line:

> cmd.exe
> May need to run with elevated privileges
> Batch file scripts (.bat)

* Microsoft PowerShell:

> Can run in Windows, Linux, macOS
> powershell.exe
> Object-oriented
> May need to run with elevated privileges
> PowerShell scripts (.ps1)
> PowerShell cmdlets take the form of verb-noun (Get-Service)

* Linux Shells:

> Syntax is case-sensitive
> Various types of shells: C shell, Korn shell, Bourne again shell (bash)
> Shell scripts (.sh): Must be flagged as executable
> For security reasons, don't sign in with the root account; instead use the "sudo" command prefix, which runs commands with elevated privileges. To use "sudo", the user must be listed in the sudoers file.
> Remotely accessible via Secure Shell (SSH) over TCP port 22

* Python:

> Multi-platform: Python interpreter installation required
> Supports more complex needs than shell scripts
> Syntax is case-sensitive
> Python scripts (.py)

* Windows Command-Line Tools:

> arp: Address Resolution Protocol (ARP). Maps IP addresses to NIC MAC addresses; shows the ARP table held in memory.
> netstat: Shows established connections, whether for listening local services or connections to remote services.
> route: Shows and modifies the host's network routing table.
> tracert: Provides the IP address of each router along the path to the destination.
> pathping: Provides information about network nodes along the path that have latency or packet loss. This is a ping + tracert combination.
> nslookup: Name server lookup. Tests and troubleshoots DNS name resolution. Can be used for reconnaissance.
> icacls: Manages NTFS file system permissions.

* Linux Command-Line Tools:

> Linux commands are case-sensitive.
> Text manipulation commands include cat, grep, head, and tail.
> logger writes to the system log.
> chmod manages file system permissions.
> Network commands include ifconfig, ip a, traceroute and dig.

* Network Scanners:

> Attackers use these for reconnaissance.
> Very loud on the network (easily detected).
> Scan network nodes and show: IP addresses, MAC addresses, operating system, open ports.
> Periodic scans: Identify differences (rogue systems, new listening ports). Periodic scans allow comparing to previous scans to identify changes.
> Nmap is a network scanner that identifies nodes' IP addresses, MAC addresses, operating system, and open ports.
> Zenmap is a frontend GUI for Nmap. Nmap scans can be saved as .XML files.

Obj. 4.3: Given an incident, utilize appropriate data sources to support an investigation:

* Network Protocol Analyzers:

> Capture network traffic: Network placement is crucial. Hardware device or software. A network switch port analyzer (SPAN) port copies all VLAN traffic to one switch port.
> Wired and wireless capturing.
> Captures can be saved.
> Be aware that packets are easily forged with free tools such as hping3.
> Filter and analyze captured traffic: Capture and display filters. View packet headers (addressing). View packet payload data. Analyze TCP streams.
> tcpdump in Linux.
> Cisco NetFlow: Captures IP traffic on routers. Similar to the sFlow standard. Superseded by the IPFIX standard.

* Wireshark:

> Wireshark is a free GUI tool for network packet analysis.
> Packet headers are used for addressing.
> Packet payload contains data.
> Captures can be filtered by many attributes.

* tcpdump:

> tcpdump is a command-line utility built into Linux.
> You can specify which interface to capture traffic from.
> Captured files can be saved and analyzed at a later date.

* Log Files:

> Network, host, and device monitoring.
> Potential indicators of compromise (IoC).
> Must ensure log files are secure: Forward log entries to a centralized logging host.
> Windows log tools: Event Viewer, PowerShell --> Get-EventLog.
> Linux logs: /var/log. The logger command is used to manually write log entries. The journalctl command views log files.
> Device logs: Router, switch, network printer, wireless AP, etc.

* Centralized Logging:

> Simple Network Management Protocol (SNMP): Bandwidth monitoring. Software agent or built into firmware --> Management Information Base (MIB). SNMP traps notify SNMP management stations.
> NXLog: Open-source log collection tool.

* Linux Centralized Logging:

> Syslog/rsyslog protocol
> Normally uses UDP port 514
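Added example, not from these notes, covering both the "forward log entries to a centralized logging host" item and the syslog/UDP 514 item above: it builds and parses the BSD syslog line format that rsyslog forwards, recovering facility and severity from the PRI field. The facility and severity tables are a constructed subset of the standard codes, and the collector address is a placeholder supplied by the caller.

```python
import re
import socket
import time

# Constructed subset of the syslog facility/severity codes (RFC 3164/5424).
FACILITIES = {"kern": 0, "user": 1, "auth": 4, "authpriv": 10, "local0": 16}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}
SYSLOG_UDP_PORT = 514  # rsyslog default transport; cleartext and unauthenticated

def build_syslog(facility, severity, host, tag, msg, timestamp=None):
    """Build a BSD-style syslog line; PRI = facility * 8 + severity."""
    pri = FACILITIES[facility] * 8 + SEVERITIES[severity]
    timestamp = timestamp or time.strftime("%b %d %H:%M:%S")
    return f"<{pri}>{timestamp} {host} {tag}: {msg}"

_LINE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) "
                   r"([^:\[\s]+)(?:\[(\d+)\])?: (.*)$")

def parse_syslog(line):
    """Split a received line into fields, recovering facility/severity from PRI.
    Returns None for lines that do not match; a collector should count those
    rather than silently drop them."""
    m = _LINE.match(line)
    if not m:
        return None
    fac_num, sev_num = divmod(int(m.group(1)), 8)
    fac = next((k for k, v in FACILITIES.items() if v == fac_num), str(fac_num))
    sev = next((k for k, v in SEVERITIES.items() if v == sev_num), str(sev_num))
    return {"facility": fac, "severity": sev, "timestamp": m.group(2),
            "host": m.group(3), "tag": m.group(4), "pid": m.group(5),
            "msg": m.group(6)}

def forward(line, collector_ip, port=SYSLOG_UDP_PORT):
    """Send one line to the central log host over UDP (rsyslog's @host style).
    collector_ip is a placeholder the caller fills in."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(line.encode("utf-8"), (collector_ip, port))
```

Because UDP 514 carries the lines in cleartext with no sender authentication, the collector should only accept them from the expected source addresses and retain the parsed fields rather than trusting the host field alone.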

* Windows Centralized Logging:

> Event Viewer subscriptions: Send local log data to a collector server over the WinRM (Windows Remote Management) protocol.
> Windows clients need to run wecutil qc to allow WinRM traffic. We can configure a subscription on the Windows log server and add computers so that device logs are sent to the server.

* Security Information and Event Management (SIEM):

> Sensors/collectors: Logs, intrusion detection/prevention system (IDS/IPS), packet captures, antivirus.
> Enterprise-level centralized log ingestion service.
> Dashboard visualizations: Alerts, packet captures, malware alerts, etc. Identify trends and correlation.
> SIEM Process:

# Data inputs
# Log aggregation
# Analysis
# Review reports
