# Intrusion Investigation - Is this computer compromised? | |
Divide and Conquer Process - Breaking big questions into smaller | |
Artifacts Categories: | |
1. User | |
- Accounts | |
- Logins | |
- User Activities
a. Launching programs | |
b. Accessing data | |
c. Searching for data | |
2. Malware | |
- How did it get on the system | |
- Persistence / Startup Mechanisms | |
a. Triggered programs and trickery
b. Dynamic Analysis | |
c. Static Analysis | |
d. Insider threat
e. Hiding techniques | |
- Running Processes | |
- Remnants Left Behind | |
3. OS configuration | |
- Remote Access | |
- Detection Prevention | |
- Response Challenges | |
- Malware Enablement | |
Prioritize and Brute Force approach | |
# windows_hardening.cmd - https://gist.github.com/ricardojba/ecdfe30dadbdab6c514a530bc5d51ef6 | |
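:: Change file associations to protect against common ransomware attacks
:: Note that if you legitimately use these extensions, like .bat, you will now need to execute them manually from cmd or powershell
:: Alternatively, you can right-click on them and hit 'Run as Administrator' but ensure it's a script you want to run :)
:: ---------------------
:: Changing back example (x64):
:: ftype htafile=C:\Windows\SysWOW64\mshta.exe "%1" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}%U{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} %*
:: ---------------------
:: Run this from an elevated prompt: ftype writes HKEY_CLASSES_ROOT, so the new
:: association applies to every user on the machine and the command fails
:: without admin rights.
:: Inside a .cmd/.bat file cmd.exe expands "%1" to the script's own first
:: argument (normally nothing) before ftype ever sees the line, which would
:: register notepad.exe with an empty argument and never open the clicked file.
:: "%%1" is the batch escape that stores a literal %1 in the association; when
:: typing these lines at an interactive prompt use a single %1 instead.
:: Record the current values first (ftype batfile, ftype chmfile, ...) so the
:: change can be reverted without guessing the original command lines.
ftype batfile="%systemroot%\system32\notepad.exe" "%%1"
ftype chmfile="%systemroot%\system32\notepad.exe" "%%1"
ftype cmdfile="%systemroot%\system32\notepad.exe" "%%1"
ftype htafile="%systemroot%\system32\notepad.exe" "%%1"
ftype jsefile="%systemroot%\system32\notepad.exe" "%%1"
ftype jsfile="%systemroot%\system32\notepad.exe" "%%1"
ftype vbefile="%systemroot%\system32\notepad.exe" "%%1"
ftype vbsfile="%systemroot%\system32\notepad.exe" "%%1"
ftype wscfile="%systemroot%\system32\notepad.exe" "%%1"
ftype wsffile="%systemroot%\system32\notepad.exe" "%%1"
ftype wsfile="%systemroot%\system32\notepad.exe" "%%1"
ftype wshfile="%systemroot%\system32\notepad.exe" "%%1"
ftype sctfile="%systemroot%\system32\notepad.exe" "%%1"
ftype urlfile="%systemroot%\system32\notepad.exe" "%%1"
:: https://seclists.org/fulldisclosure/2019/Mar/27
ftype regfile="%systemroot%\system32\notepad.exe" "%%1"
:: https://www.trustwave.com/Resources/SpiderLabs-Blog/Firework--Leveraging-Microsoft-Workspaces-in-a-Penetration-Test/
ftype wcxfile="%systemroot%\system32\notepad.exe" "%%1"
:: https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
ftype mscfile="%systemroot%\system32\notepad.exe" "%%1"
:: https://rinseandrepeatanalysis.blogspot.com/2018/09/dde-downloaders-excel-abuse-and.html
:: The four Excel-handled types below (slk/iqy/prn/dif) only stop the
:: double-click path; Excel still opens them from File > Open.
ftype slkfile="%systemroot%\system32\notepad.exe" "%%1"
ftype iqyfile="%systemroot%\system32\notepad.exe" "%%1"
ftype prnfile="%systemroot%\system32\notepad.exe" "%%1"
ftype diffile="%systemroot%\system32\notepad.exe" "%%1"
:: CVE-2020-0765 impacting Remote Desktop Connection Manager (RDCMan) configuration files - MS won't fix
ftype rdgfile="%systemroot%\system32\notepad.exe" "%%1"
:: https://blog.redxorblue.com/2020/07/one-click-to-compromise-fun-with.html
ftype applicationfile="%systemroot%\system32\notepad.exe" "%%1"
ftype deployfile="%systemroot%\system32\notepad.exe" "%%1"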
:: Enable Windows Firewall and configure some advanced options
:: Block Win32/64 binaries (LOLBins) from making net connections when they shouldn't
:: ---------------------
:: Needs an elevated prompt. Every rule below is outbound and TCP only: UDP
:: (DNS, for instance) and ICMP from the same binaries stay allowed, inbound
:: traffic is untouched, and the 32-bit SysWOW64 copies get their own rules
:: because the firewall matches on the full program path.
:: Rule names are not unique: regasm, odbcconf and appvlp (and every
:: system32/SysWOW64 pair) reuse a name, so
:: "netsh advfirewall firewall delete rule name=..." removes all of them at once.
:: Blocked attempts are only recorded if dropped-packet logging is turned on
:: (netsh advfirewall set allprofiles logging droppedconnections enable); that
:: is what turns these rules into a detection signal instead of a silent block.
netsh Advfirewall set allprofiles state on
:: Office's AppVLP lives under Program Files (x86) here and under Program Files
:: further down; both rules share the same name.
netsh advfirewall firewall add rule name="Block appvlp.exe netconns" program="C:\Program Files (x86)\Microsoft Office\root\client\AppVLP.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block calc.exe netconns" program="%systemroot%\system32\calc.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block certutil.exe netconns" program="%systemroot%\system32\certutil.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block cmstp.exe netconns" program="%systemroot%\system32\cmstp.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block cscript.exe netconns" program="%systemroot%\system32\cscript.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block esentutl.exe netconns" program="%systemroot%\system32\esentutl.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block expand.exe netconns" program="%systemroot%\system32\expand.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block extrac32.exe netconns" program="%systemroot%\system32\extrac32.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block findstr.exe netconns" program="%systemroot%\system32\findstr.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block hh.exe netconns" program="%systemroot%\system32\hh.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block makecab.exe netconns" program="%systemroot%\system32\makecab.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block mshta.exe netconns" program="%systemroot%\system32\mshta.exe" protocol=tcp dir=out enable=yes action=block profile=any
:: msiexec is also used by legitimate installers that fetch packages over the
:: network; expect breakage and whitelist per package rather than removing the rule.
netsh advfirewall firewall add rule name="Block msiexec.exe netconns" program="%systemroot%\system32\msiexec.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block nltest.exe netconns" program="%systemroot%\system32\nltest.exe" protocol=tcp dir=out enable=yes action=block profile=any
:: notepad.exe is the ftype target used above, so a script that somehow still
:: reaches notepad cannot use it to call out either.
netsh advfirewall firewall add rule name="Block Notepad.exe netconns" program="%systemroot%\system32\notepad.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block pcalua.exe netconns" program="%systemroot%\system32\pcalua.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block print.exe netconns" program="%systemroot%\system32\print.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block regsvr32.exe netconns" program="%systemroot%\system32\regsvr32.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block replace.exe netconns" program="%systemroot%\system32\replace.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block rundll32.exe netconns" program="%systemroot%\system32\rundll32.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block runscripthelper.exe netconns" program="%systemroot%\system32\runscripthelper.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block scriptrunner.exe netconns" program="%systemroot%\system32\scriptrunner.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block SyncAppvPublishingServer.exe netconns" program="%systemroot%\system32\SyncAppvPublishingServer.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block wmic.exe netconns" program="%systemroot%\system32\wbem\wmic.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block wscript.exe netconns" program="%systemroot%\system32\wscript.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block regasm.exe netconns" program="%systemroot%\system32\regasm.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block odbcconf.exe netconns" program="%systemroot%\system32\odbcconf.exe" protocol=tcp dir=out enable=yes action=block profile=any
:: SysWOW64 (32-bit) twins of the rules above; rpcping only appears in this set.
netsh advfirewall firewall add rule name="Block regasm.exe netconns" program="%systemroot%\SysWOW64\regasm.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block odbcconf.exe netconns" program="%systemroot%\SysWOW64\odbcconf.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block appvlp.exe netconns" program="C:\Program Files\Microsoft Office\root\client\AppVLP.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block calc.exe netconns" program="%systemroot%\SysWOW64\calc.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block certutil.exe netconns" program="%systemroot%\SysWOW64\certutil.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block cmstp.exe netconns" program="%systemroot%\SysWOW64\cmstp.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block cscript.exe netconns" program="%systemroot%\SysWOW64\cscript.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block esentutl.exe netconns" program="%systemroot%\SysWOW64\esentutl.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block expand.exe netconns" program="%systemroot%\SysWOW64\expand.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block extrac32.exe netconns" program="%systemroot%\SysWOW64\extrac32.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block findstr.exe netconns" program="%systemroot%\SysWOW64\findstr.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block hh.exe netconns" program="%systemroot%\SysWOW64\hh.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block makecab.exe netconns" program="%systemroot%\SysWOW64\makecab.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block mshta.exe netconns" program="%systemroot%\SysWOW64\mshta.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block msiexec.exe netconns" program="%systemroot%\SysWOW64\msiexec.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block nltest.exe netconns" program="%systemroot%\SysWOW64\nltest.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block Notepad.exe netconns" program="%systemroot%\SysWOW64\notepad.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block pcalua.exe netconns" program="%systemroot%\SysWOW64\pcalua.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block print.exe netconns" program="%systemroot%\SysWOW64\print.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block regsvr32.exe netconns" program="%systemroot%\SysWOW64\regsvr32.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block replace.exe netconns" program="%systemroot%\SysWOW64\replace.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block rpcping.exe netconns" program="%systemroot%\SysWOW64\rpcping.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block rundll32.exe netconns" program="%systemroot%\SysWOW64\rundll32.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block runscripthelper.exe netconns" program="%systemroot%\SysWOW64\runscripthelper.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block scriptrunner.exe netconns" program="%systemroot%\SysWOW64\scriptrunner.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block SyncAppvPublishingServer.exe netconns" program="%systemroot%\SysWOW64\SyncAppvPublishingServer.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block wmic.exe netconns" program="%systemroot%\SysWOW64\wbem\wmic.exe" protocol=tcp dir=out enable=yes action=block profile=any
netsh advfirewall firewall add rule name="Block wscript.exe netconns" program="%systemroot%\SysWOW64\wscript.exe" protocol=tcp dir=out enable=yes action=block profile=any
:: Lists every rule on the host, not only the ones added above; pass
:: name="Block <binary>.exe netconns" instead of name=all to check a single entry.
netsh advfirewall firewall show rule name=all
Wazuh - security platform | |
configuration assessment | |
incident response | |
intrusion detection | |
file integrity monitoring | |
log analysis | |
security analysis | |
regulatory compliance | |
vulnerability detection - software inventory monitoring | |
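# Install docker (Docker CE on Debian, following https://docs.docker.com/engine/install/debian/)
# Remove the distro-packaged engines first so they do not conflict with docker-ce.
sudo apt-get remove docker docker-engine docker.io containerd runc
sudo apt-get update
sudo apt-get install \
  ca-certificates \
  curl \
  gnupg \
  lsb-release
sudo mkdir -p /etc/apt/keyrings
# Fetch Docker's repository signing key. Nothing below checks what was
# downloaded: compare the fingerprint printed by
# `gpg --show-keys /etc/apt/keyrings/docker.gpg` with the one published in
# Docker's install docs before running apt-get install.
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
# apt reads the keyring as the unprivileged _apt user; with a restrictive umask
# the file is created 0600 and `apt-get update` fails with NO_PUBKEY, so make
# it world-readable (same step as in Docker's own instructions).
sudo chmod a+r /etc/apt/keyrings/docker.gpg
# The signed-by= option pins this repository to the key above, so a compromised
# mirror cannot serve packages signed with some other key apt already trusts.
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \
  $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-compose-plugin
# Smoke test. Keep using sudo rather than adding users to the docker group:
# membership in that group is equivalent to root on the host.
sudo docker run hello-world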
Workflow: | |
>Remove SG ECS | |
>Backup data on dynamoDB | |
>Enable Maintenance Page on stylegou.com | |
>backup docker container on US ECS | |
>Create a new ECS on new AWS account | |
>Upload the docker container to new ECS | |
>Boot up MySQL and Apache | |
>Obtain public IP and attach to new ECS | |
>Update DNS record on cloudflare | |
>Add IAM account on new AWS account | |
>Update security policy | |
>Update AWS account on vercel | |
Redeploy on vercel
Remove IAM account on old AWS account | |
Remove credit card on old AWS account | |
Remove old AWS account | |
Command records: | |
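# Transcript of the migration, in the order the commands were run. It is a
# record, not a script: the "[email protected]" entries are a redacted user@host
# and the container ids are the ones seen on that day.
# convert ppk to pem
brew update
brew install putty
puttygen sec.ppk -O private-openssh -o sec.pem
chmod 600 sec.pem   # ssh refuses a private key that other users can read
ssh -i sec.pem [email protected]
# on the old host: find the running container and open a shell in it
sudo docker ps -a
sudo docker exec -it 409e3c17461c /bin/bash
# setup maintenance page (inside the container)
vim /var/www/html/index.html
vim /etc/apache2/sites-enabled/vhost.conf
# service(8) takes the script name first and the action second;
# "service restart apache2" is rejected and the config is never reloaded.
service apache2 restart
# Container Migration
# NOTE(review): du has no -f option; `du -sh` (size of the cwd) or `df -h`
# (free space) was probably intended — confirm before relying on the output.
du -fs
tail -50 /var/log/apache2/error.log
tail -50 /var/log/apache2/access.log
# Truncating the logs discards the only record of requests made while the site
# was exposed; copy them off the host (or ship them to Wazuh) before clearing.
# Relative paths: presumably run from /var/log/apache2 — verify the cwd first.
echo '' > error.log
echo '' > access.log
exit   # leave the container shell
# -p pauses the container while its filesystem is snapshotted into the image
sudo docker commit -p 409e3c17461c migrate
sudo docker save --output migrate.tar migrate
sudo chown admin:admin migrate.tar
scp -i admin.pem [email protected]:~/migrate.tar .
# Create a new image from a container’s changes
docker commit 2b98b5a38e53 migrate2
# Save one or more images to a tar archive (streamed to STDOUT by default)
docker save migrate2 > migrate2.tar
# Load an image from a tar archive or STDIN (fedora.tar appears to be the
# docker docs example, not part of this migration)
docker load --input fedora.tar
# bash is PID 1 here, so apache2/mysql started by hand below do not come back
# after a container restart; an entrypoint or restart policy would be needed.
sudo docker run --name stylegou -dit -p 80:80 -p 443:443 -v ~/dockerlink:/var/www/dockerlink migrate2 /bin/bash
sudo docker exec -it stylegou /bin/bash
service apache2 start
service mysql start
# upload container
chmod 600 admin.pem
scp -i admin.pem ./migrate.tar [email protected]:~/migrate_04May2024.tar
scp -i admin.pem migrate_04May2024.tar [email protected]:/home/admin/migrate_04May2024.tar
ssh -i admin.pem [email protected]
# install docker
# Refer to https://docs.docker.com/engine/install/debian/
# start docker container
sudo docker load --input migrate_04May2024.tar
mkdir dockerlink
# A -v source without a slash names a Docker volume, so the original
# "-v dockerlink:..." created an empty named volume instead of bind-mounting
# the directory made just above; "~/dockerlink" matches the old host's run line.
# Ports are published on all interfaces and Docker's iptables rules sit ahead
# of host-level firewalls, so exposure is governed by the AWS security group.
sudo docker run -dit -v ~/dockerlink:/var/www/dockerlink -p 80:80 -p 443:443 migrate2 /bin/bash
sudo docker exec -it e70099b3f1eb /bin/bash
vim /etc/apache2/sites-enabled/vhost.conf
service apache2 start
service mysql start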