tracert/traceroute
Displays the path packets take to a destination by sending probes with an increasing TTL and noting which router returns each ICMP Time Exceeded message; every reply identifies one hop. tracert (Windows) uses ICMP Echo probes, traceroute (Linux) defaults to UDP probes, so a firewall can make the two show different results.
nslookup/dig
Commands that query DNS servers for records (A/AAAA addresses, CNAME canonical names, MX, NS, TTL values, etc.); dig gives the fuller, script-friendly output and is the usual choice on Linux.
ipconfig/ifconfig
-display the TCP/IP configuration of each interface (ipconfig on Windows, ifconfig on Linux/macOS; modern Linux uses ip addr)
-IP addresses and subnet masks
-MAC addresses
-host name, DNS servers and DHCP lease (ipconfig /all)
nmap
A free, open-source network scanner that discovers live hosts and maps their open ports, services, versions and operating systems; with its NSE scripts it can also run basic vulnerability checks, though a dedicated vulnerability scanner such as Nessus does that job more thoroughly.
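Scan output is only useful once it is turned into a list you can act on. The script below, added here as an example and not part of the original set, parses nmap's "grepable" (-oG) format into one line per open port and answers the question an analyst asks first: which hosts expose a given port? The scan text is constructed sample data, not output from a real scan, and the addresses are reserved documentation/private ranges.

```shell
#!/bin/sh
# Added example: parse nmap "grepable" (-oG) output into one line per open port.
# The scan text below is CONSTRUCTED sample data, not output from a real scan.
NMAP_GREPABLE=$(
  printf '%s\n' '# Nmap 7.94 scan initiated (constructed sample)'
  printf 'Host: 10.0.0.5 ()\tStatus: Up\n'
  printf 'Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx 1.18/, 3306/filtered/tcp//mysql///\tIgnored State: closed (997)\n'
  printf 'Host: 10.0.0.7 ()\tStatus: Up\n'
  printf 'Host: 10.0.0.7 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (998)\n'
)

# Emit "ip port proto service" for every port nmap reported as open.
# -oG fields are tab separated; each port entry is port/state/proto/owner/service/rpc/version/
open_ports() {
  printf '%s\n' "$NMAP_GREPABLE" | awk -F'\t' '
    /^Host:/ && /Ports:/ {
      split($1, h, " "); ip = h[2]        # first field looks like "Host: 10.0.0.5 ()"
      for (i = 2; i <= NF; i++) if ($i ~ /^Ports:/) {
        sub(/^Ports: /, "", $i)
        n = split($i, p, ", ")
        for (j = 1; j <= n; j++) {
          split(p[j], f, "/")
          if (f[2] == "open") print ip, f[1], f[3], f[5]
        }
      }
    }'
}

# Number of open ports across the whole scan.
open_port_count() { open_ports | awk 'END { print NR }'; }

# Hosts exposing a given port, e.g. hosts_with_port 445 to find SMB exposure.
hosts_with_port() { open_ports | awk -v port="$1" '$2 == port { print $1 }'; }

open_ports
printf 'hosts with 445/tcp open: %s\n' "$(hosts_with_port 445)"
```

Filtered ports (3306 above) are deliberately left out: a filtered result means a firewall dropped the probe, not that a service is reachable. Run the same parser over a real `nmap -oG - <targets>` capture by replacing the constructed variable.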
ping/pathping
ping uses ICMP Echo Request/Reply to test whether a host is reachable and to measure round-trip time; pathping (Windows) combines ping and tracert to report latency and packet loss for every hop along the path.
hping
A packet-crafting tool that builds custom TCP, UDP, ICMP and raw IP packets with arbitrary flags, so you can port-scan, test firewall rules and run traceroute-style probes over protocols that plain ping cannot use.
netstat
A TCP/IP utility that lists active connections and listening sockets (netstat -an shows them all with numeric addresses); the first place to look for an unexpected listener on a host.
netcat
The "TCP/IP Swiss army knife": reads from and writes to raw TCP or UDP connections, acts as a client or a listener (-l), transfers files and can bind a shell to a port, which is why attackers use it as a quick backdoor.
IP scanners
Tools that sweep a network for live IP addresses and report the status of each (up/down, hostname, sometimes open ports); many are free, others are third-party commercial products.
arp
Views the local ARP cache (IP-to-MAC mappings); administrators can also add or delete entries. A changed or duplicated MAC address for the default gateway is a classic sign of ARP spoofing.
route
Displays the routing table and adds, changes or deletes static routes on Windows or Linux (ip route on modern Linux).
curl
A command-line tool that transfers data to or from a server without user interaction; it supports HTTP(S), FTP and many other protocols, so it is the usual way to probe web endpoints and APIs from scripts (curl -I for headers only, -k to skip TLS verification when testing).
theHarvester
A Python-based OSINT tool that gathers email addresses, subdomains, hosts and employee names from public sources (search engines, certificate transparency logs, etc.) during the reconnaissance phase of a penetration test.
sn1per
A Linux-based framework that chains many recon and scanning tools into a single automated workflow; the tester chooses the scan mode, and with it how intrusive the probing of the target is.
scanless
A command-line utility that runs port scans through third-party websites, so the target sees the scanning site rather than your own IP as the source; useful for a quick, low-noise external check, though you are trusting the third party with the results.
dnsenum
A Perl script that enumerates DNS information for a domain: name servers, MX records, host addresses, subdomains found by brute force, and zone transfers where misconfigured servers still allow them.
Nessus
A network vulnerability scanner from Tenable, one of the leading commercial scanners; given credentials it authenticates to hosts for deeper, more accurate results than an unauthenticated scan.
Cuckoo
An open-source, free malware-analysis sandbox: it detonates a suspect file in an isolated Windows or Linux virtual machine and records its behaviour (files written, registry changes, network traffic, API calls).
head
Prints the first lines of a file (10 by default; head -n N for N lines).
tail
Prints the last lines of a file (10 by default); tail -f follows a growing log in real time.
cat
Concatenates files and prints them to standard output; commonly used to view small files or to create one from redirected input.
grep
Searches files for lines matching a pattern (fixed string or regular expression) across many files at once; -i ignores case, -r recurses into directories, -v inverts the match, -c counts matches.
chmod
A Linux command that changes the access permissions of a file or directory (read, write, execute for owner, group and others), in symbolic form (chmod u=rw,go= key.pem) or octal (chmod 600 key.pem).
logger
A Linux command that writes a message into the system log (syslog or the journal) from the shell or a script, e.g. logger -t backup "job finished", so scripted actions leave an audit trail.
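The commands above are rarely used one at a time; a first-pass log triage chains them. The script below is an added example (not from the original set) that works through a constructed sshd log: grep pulls the failed logins, awk/sort/uniq count them per source IP, head and tail pick the top offender and the newest event, and chmod locks down the extract that goes into the incident record. The log lines are made up and use documentation address ranges; the file path is an assumption.

```shell
#!/bin/sh
# Added example: triage an sshd auth log with grep/awk/sort/uniq/head/tail,
# then lock down the saved extract with chmod. All log lines are CONSTRUCTED.
AUTH_LOG='Mar  3 10:01:02 srv sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:05 srv sshd[1201]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar  3 10:01:09 srv sshd[1203]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  3 10:02:11 srv sshd[1210]: Accepted publickey for alice from 198.51.100.4 port 40210 ssh2
Mar  3 10:03:40 srv sshd[1220]: Failed password for bob from 198.51.100.9 port 40500 ssh2
Mar  3 10:05:00 srv CRON[1300]: pam_unix(cron:session): session opened for user root'

# Failed SSH logins per source IP, busiest first, as "count ip".
failed_by_ip() {
  printf '%s\n' "$AUTH_LOG" \
    | grep 'sshd.*Failed password' \
    | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1) }' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# The single IP with the most failures.
top_offender() { failed_by_ip | head -n 1 | cut -d' ' -f2; }

# Usernames tried from one IP (valid or "invalid user"), de-duplicated, space separated.
users_tried_from() {
  printf '%s\n' "$AUTH_LOG" \
    | grep "Failed password for .* from $1 " \
    | sed -E 's/.*Failed password for (invalid user )?([^ ]+) from.*/\2/' \
    | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Newest event in the log; on a live file, tail -f would follow new lines.
last_event() { printf '%s\n' "$AUTH_LOG" | tail -n 1; }

# Save the failures for the incident record, readable by the owner only,
# and note the action in syslog. Prints the resulting permission string.
save_extract() {
  out=$1
  printf '%s\n' "$AUTH_LOG" | grep 'Failed password' > "$out"
  chmod 600 "$out"                           # same as: chmod u=rw,go= "$out"
  if command -v logger >/dev/null 2>&1; then
    logger -t triage "saved ssh failures to $out" 2>/dev/null || :
  fi
  ls -l "$out" | cut -c1-10                  # expected: -rw-------
}

failed_by_ip
printf 'top offender: %s (tried: %s)\n' "$(top_offender)" "$(users_tried_from "$(top_offender)")"
printf 'last event:   %s\n' "$(last_event)"
printf 'extract perms: %s\n' "$(save_extract "${TMPDIR:-/tmp}/ssh-failures.$$")"
```

Three failures from one address trying both "admin" and "root" is the pattern to look for; a single failure from a known user (bob) usually is not. Swap `printf '%s\n' "$AUTH_LOG"` for `cat /var/log/auth.log` (or `journalctl -u ssh`) to run it on a real host.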
SSH
An encrypted remote-console protocol on TCP/22 used to manage systems across untrusted networks; it replaced Telnet, which sent credentials in the clear.
Powershell
Microsoft's object-oriented command line and scripting language for system administrators; scripts use the .ps1 file extension.
Python
A programming language commonly used for scripting and data-analysis tasks by system administrators and security personnel; scripts use the .py file extension.
OpenSSL
A toolkit and cryptographic library for SSL/TLS; its command line generates keys, creates and inspects X.509 certificates and CSRs, tests TLS servers (openssl s_client) and much more.
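As an added example (not part of the original set), the script below issues a self-signed X.509 certificate with OpenSSL and then runs the checks a practitioner does before trusting it: read back the subject and SAN, confirm the private key actually belongs to the certificate, and show that `openssl verify` only succeeds when the certificate is in the trust store you hand it. The host names are made up, and it assumes an OpenSSL that understands `-addext` (1.1.1 or later).

```shell
#!/bin/sh
# Added example: create a self-signed X.509 certificate and check it.
# Host names are invented; requires OpenSSL 1.1.1+ for the -addext option.
set -u
WORK=$(mktemp -d)
OTHER=$(mktemp -d)

# 2048-bit RSA key plus a 30-day self-signed cert for $2 in directory $1.
# -nodes leaves the key unencrypted (fine for a lab, not for production).
# -addext puts the name in a SAN, which is what clients match against; CN alone is ignored.
make_selfsigned() {
  dir=$1; cn=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" \
    -subj "/CN=$cn" -addext "subjectAltName=DNS:$cn" 2>/dev/null
  chmod 600 "$dir/key.pem"                 # private key: owner-only
}

# Common Name from the subject; the sed works for both 1.x and 3.x output styles.
cert_cn() { openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *//p'; }

# Subject Alternative Name line, e.g. "DNS:test.example".
cert_san() {
  openssl x509 -noout -text -in "$1" \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Does the private key belong to the certificate? Compare the derived public keys.
key_matches_cert() {                       # $1 = cert, $2 = key
  a=$(openssl x509 -noout -pubkey -in "$1")
  b=$(openssl pkey -pubout -in "$2")
  if [ "$a" = "$b" ]; then echo match; else echo MISMATCH; fi
}

# Chain validation: OK only if the cert chains to something in the CAfile.
verify_status() {                          # $1 = cert, $2 = trust-anchor file
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

make_selfsigned "$WORK"  test.example
make_selfsigned "$OTHER" other.example     # unrelated cert, used as a wrong trust anchor
printf 'CN:                 %s\n' "$(cert_cn "$WORK/cert.pem")"
printf 'SAN:                %s\n' "$(cert_san "$WORK/cert.pem")"
printf 'key belongs to cert: %s\n' "$(key_matches_cert "$WORK/cert.pem" "$WORK/key.pem")"
printf 'verify vs itself:   %s\n' "$(verify_status "$WORK/cert.pem" "$WORK/cert.pem")"
printf 'verify vs other CA: %s\n' "$(verify_status "$WORK/cert.pem" "$OTHER/cert.pem")"
# openssl x509 -noout -text -in "$WORK/cert.pem"   # full dump when reviewing a cert by hand
```

The FAIL case is the important one: a self-signed certificate is rejected by every client that has not been told to trust it, which is why these belong in labs and internal tooling, not on public endpoints.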
Tcpreplay
A free, open-source utility for editing and replaying previously captured network traffic; it replays PCAP files onto a network, for example to test an IDS against a known attack capture.
tcpdump
Command-line packet capture and analysis using libpcap, from a live interface or a saved capture (-w writes a pcap file, -r reads one back, and BPF filters such as "port 53" limit what is captured).
Wireshark
A graphical application that captures and analyzes network packets: decodes individual packets, follows conversations, carves transferred files out of streams and more.
dd
A Linux command that converts and copies raw blocks of data; in forensics it makes bit-for-bit images of disks and partitions (dd if=/dev/sdb of=evidence.dd).
Memdump
A program that dumps physical memory to standard output, skipping holes in the memory map; the captured RAM image is then examined with separate memory-analysis tools for running processes, network connections and injected code that never touched the disk.
WinHex
A universal hexadecimal editor for Windows: edits disks and files, clones disks, securely wipes media and more.
FTK imager
A free-to-use program from a commercial vendor that captures forensic images of drives (and memory) and verifies them with hashes.
autopsy
An open-source digital forensics platform (built on The Sleuth Kit) that runs on Windows, Linux and macOS; it analyzes hard-drive images, smartphones and more and can extract many different data types.
Exploitation frameworks
Pre-built toolkits that bundle exploits, payloads and post-exploitation modules for known vulnerabilities; penetration testers (and attackers) use them to prove a vulnerability is actually exploitable rather than merely reported by a scanner.
Password crackers
Software that recovers unknown or forgotten passwords, usually from captured hashes, by dictionary, brute-force or rainbow-table attacks; a weak password falls to any of them.
Data sanitization
Methods used to make data on a device unrecoverable, such as repeatedly overwriting it, degaussing magnetic media or physically destroying the device; unlike a simple delete it is a one-way trip.
incident response plans
A plan that describes the steps an organization performs in response to any situation determined to be abnormal in the operation of a computer system or network.
incident response process
Preparation
Identification
Containment
Eradication
Recovery
Lessons Learned
Incident response tabletop
A discussion-based IR exercise in which the key players gather around a table, step through a scenario and go through their checklist of duties; it is the cheapest and least disruptive exercise, and less realistic than a walkthrough or a full simulation.
Incident Response Exercises
tabletop, walkthroughs, simulations
Attack Frameworks
MITRE ATT&CK
The Diamond Model of Intrusion Analysis
Cyber Kill Chain
IR Stakeholder Management
The team responsible for keeping a good relationship with IT's customers, internal or external, who are the reason IT exists; during an incident they keep those stakeholders informed.
MITRE ATT&CK
A publicly available knowledge base from the not-for-profit MITRE that catalogues adversary tactics, techniques and procedures observed in real intrusions; defenders use it to understand attacker methods, map detections to techniques and find coverage gaps.
The Diamond Model of Intrusion Analysis
An analysis model that describes every intrusion event in terms of four core features (adversary, capability, infrastructure, victim) and the relationships between them; it looks simple but supports detailed pivoting from one event to related ones.
Cyber Kill Chain
A systematic outline of the stages of a cyberattack, introduced by Lockheed Martin in 2011 and based on a military concept: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. Breaking any link in the chain stops the attack.
IR Communication Plan
Part of the IR plan, developed during the preparation phase, that defines who communicates what to whom (internal teams, management, customers, regulators, law enforcement) and ensures an up-to-date contact list exists before an incident hits.
Disaster Recovery Plan
This plan defines the data and resources necessary and the steps required to restore critical organizational processes.
Business Continuity Plan
Guidelines and arrangements for responding to a disruption of critical business functions so the organization can restore and MAINTAIN operations and keep the business running.
COOP (Continuity of operations planning)
This plan determines which subset of normal operations need to be continued during the periods of disruption.
Incident response team
The people designated and trained to respond to an incident, drawn from security, IT, legal, HR and management as needed.
IR Retention Policies
This policy determines which data and logs are retained, for how long and how securely, so the records needed to investigate an incident or resume operations after a disaster still exist.
Vulnerability Scan Output
Lists the systems that responded, the services each one has listening on the network, and the known vulnerabilities matched against those services, usually with a severity score; results need validation because scanners produce false positives.
SIEM dashboards
Sensors, Sensitivity, Alerts, Correlations, and Trends
SIEM Sensitivity
In a SIEM, how readily the system raises an alert on small changes or signals; tuning sensitivity (thresholds, time windows, rule scope) trades missed detections against the false positives that flood analysts.
SIEM Alerts
The SIEM's primary output: notifications raised when rules match the raw data and log information, turning individual log entries into identified security events.
SIEM Correlation
The process of linking related events from different sources and time periods, for example failed logins from one IP in the firewall log followed by a successful login from that IP in the authentication log, into one higher-confidence alert; it surfaces malicious activity that no single log makes obvious.
SIEM Sensors
In a SIEM, the agents, collectors and log forwarders on hosts and network devices that feed security data into the datastore.
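The correlation and sensitivity entries above are abstract; the script below, added here as an example and not from the original set, makes them concrete. It runs one correlation rule over a constructed, already-normalized event stream from two sensors: "N or more failed SSH logins from one IP within a time window, followed by a successful login from the same IP". The threshold and window are the sensitivity knobs, and the second run shows how loosening them produces an extra, much weaker alert. All events are invented.

```shell
#!/bin/sh
# Added example: a SIEM-style correlation rule over normalized events from two
# sensors (a firewall and an SSH server). Every event below is CONSTRUCTED.
# Normalized format: time source event src_ip user  (already sorted by time)
EVENTS='10:01:02 fw     allow  203.0.113.7  -
10:01:03 sshd   fail   203.0.113.7  admin
10:01:06 sshd   fail   203.0.113.7  root
10:01:10 sshd   fail   203.0.113.7  root
10:01:14 sshd   fail   203.0.113.7  root
10:02:30 sshd   ok     198.51.100.4 alice
10:03:40 sshd   fail   198.51.100.9 bob
10:03:50 sshd   fail   198.51.100.9 bob
10:04:20 sshd   ok     203.0.113.7  root
10:30:00 sshd   fail   198.51.100.9 bob
10:35:00 sshd   ok     198.51.100.9 bob'

# Rule: >= THRESHOLD failures from one IP inside WINDOW seconds, then a success
# from that IP -> "brute force that probably worked". Events from the fw sensor
# pass through untouched; the rule only consumes sshd events.
correlate() {
  threshold=${1:-3}; window=${2:-300}
  printf '%s\n' "$EVENTS" | awk -v T="$threshold" -v W="$window" '
    function secs(t,  a) { split(t, a, ":"); return a[1]*3600 + a[2]*60 + a[3] }
    $2 == "sshd" && $3 == "fail" {
      ip = $4; n[ip]++
      if (first[ip] == "") first[ip] = secs($1)
      # failures older than W seconds fall out: restart the window at this one
      if (secs($1) - first[ip] > W) { n[ip] = 1; first[ip] = secs($1) }
      last[ip] = secs($1)
    }
    $2 == "sshd" && $3 == "ok" {
      ip = $4
      if (n[ip] >= T && secs($1) - last[ip] <= W)
        printf "ALERT %s failures=%d success_user=%s at %s\n", ip, n[ip], $5, $1
      n[ip] = 0; first[ip] = ""
    }'
}

alert_count() { correlate "$@" | awk 'END { print NR }'; }

echo "threshold 3 / window 300s:"
correlate 3 300       # one alert: 203.0.113.7 (4 failures, then root logs in)
echo "threshold 2 / window 3600s:"
correlate 2 3600      # two alerts: bob's three typos over half an hour now fire too
```

The second alert is the false positive that over-sensitive tuning buys you: three failures spread over 30 minutes followed by a normal login is what a user mistyping a password looks like. A real SIEM also adds the firewall context (first seen, geolocation) to the alert rather than dropping it.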
Network Log Files
Logs kept by switches, routers, access points, VPN concentrators and other infrastructure devices; routing updates, interface changes and authentication failures are recorded here.
Application Log Files
Files specific to individual applications:
Windows - Event Viewer / Application log
Linux and macOS - /var/log
Security Log Files
Logs that hold detailed security information: events from security devices, detected malicious activity, policy violations, etc.
Web Log Files
Logs of web server access and errors; they show who requested which URL with what result and reveal scanning, injection attempts and other malicious activity against the server.
DNS Log Files
Logs of lookup requests: which clients queried which names and what addresses were returned; used to spot queries to known-bad domains and unusual volumes of lookups.
Authentication Log Files
Logs that record who logged in, from where, and who failed to; correlated with other devices' logs they expose lateral movement and credential abuse.
Dump Files
Files that store the contents of memory (a process or the whole system) at a point in time for diagnostics; some applications write their own dump format.
VoIP and call messages
Logs showing inbound and outbound call details, security information such as audit trails and authentication results, and SIP signalling traffic.
Session Initiation Protocol (SIP) traffic
A text-based signalling protocol that sets up voice, video and messaging sessions over IP; its logs are worth alerting on for calls to unusual numbers or country codes (toll fraud).
Syslog
The standard protocol for sending log messages from devices to a central log server (classically UDP/514, also TCP and TLS), where they are written into log files.
Rsyslog
An open-source syslog implementation that follows the specification but adds features such as content-based filtering, TCP/TLS transport and output to databases.
Syslog-ng
An open-source syslog implementation that follows the specification but adds content-based filtering and can tag, classify and correlate messages in real time, which reduces the load on the SIEM.
journalctl
A Linux command that reads the systemd journal (binary logs) and prints it in plain text, with filtering by unit, time range and priority (journalctl -u sshd --since today).
NXLog
A multi-platform log management tool (Windows included) that collects, parses and forwards log data for investigations; it helps surface security issues, policy violations and operational problems.
Bandwidth monitors
A utility that measures network bandwidth usage over time; a sudden rise points to heavy resource use (or exfiltration), and sustained saturation is why systems feel slow.
Metadata
data that describes other data:
Email - header details, sending servers, dest. address
Mobile - type of phone, GPS
Web - OS, browser type, IP address
Files - author name, creation/modification timestamps, application used, camera and GPS data in photos
Netflow
A Cisco protocol and the de facto standard for collecting flow records (who talked to whom, on which ports, how many packets and bytes); routers and switches export the records to a collector, which makes them very useful in intrusion investigations even though no payload is kept.
IPFIX
The IETF standard derived from NetFlow v9, with flexible, template-defined fields so vendors can export additional data.
Protocol Analyzer Output
Software that captures and decodes network traffic through packet sniffing; it identifies unknown traffic, verifies packet filtering and other security controls, and shows a plain-language description of the application data.
sFlow
A sampling-based flow protocol: only one packet in N is examined, so byte and packet counts are estimates; it is usually embedded in infrastructure (switches, routers) where full NetFlow export would be too costly.
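Whatever the export protocol, flow data lands at the collector as tuples (time, source, destination, protocol, ports, packets, bytes), and that is what an investigator works with. The script below, added here as an example and not from the original set, runs three common questions over a constructed batch of flow records: who sent the most data, is anyone sweeping ports on a host, and is any client calling the same endpoint on a fixed timer (beaconing). The records and addresses are invented.

```shell
#!/bin/sh
# Added example: analyst questions over exported flow records. NetFlow, IPFIX and
# sFlow all reduce to tuples like these once collected. Records are CONSTRUCTED.
# fields: start,src,dst,proto,sport,dport,packets,bytes
FLOWS='10:00:01,10.0.0.23,203.0.113.50,tcp,51000,443,40,6200
10:00:05,10.0.0.23,203.0.113.50,tcp,51001,443,38,5900
10:00:07,10.0.0.41,10.0.0.5,tcp,40001,22,1,60
10:00:07,10.0.0.41,10.0.0.5,tcp,40002,23,1,60
10:00:07,10.0.0.41,10.0.0.5,tcp,40003,80,1,60
10:00:07,10.0.0.41,10.0.0.5,tcp,40004,135,1,60
10:00:07,10.0.0.41,10.0.0.5,tcp,40005,139,1,60
10:00:07,10.0.0.41,10.0.0.5,tcp,40006,445,1,60
10:00:07,10.0.0.41,10.0.0.5,tcp,40007,3389,1,60
10:00:09,10.0.0.23,203.0.113.50,tcp,51002,443,41,6400
10:01:00,10.0.0.77,198.51.100.20,tcp,50111,443,900,1400000
10:01:30,10.0.0.77,198.51.100.20,tcp,50112,443,950,1450000'

# Top talkers: bytes sent per source IP, largest first, as "bytes ip".
top_talkers() {
  printf '%s\n' "$FLOWS" \
    | awk -F, '{ b[$2] += $8 } END { for (ip in b) print b[ip], ip }' \
    | sort -rn | head -n "${1:-3}"
}

# Port-scan heuristic: one source touching >= N distinct ports on one host,
# each as a tiny one- or two-packet flow (SYN with no real session behind it).
scan_candidates() {
  printf '%s\n' "$FLOWS" | awk -F, -v N="${1:-5}" '
    $7 <= 2 && !seen[$2 FS $3 FS $6]++ { ports[$2 FS $3]++ }
    END {
      for (k in ports) if (ports[k] >= N) {
        split(k, p, FS); print p[1], "->", p[2], ports[k] " ports"
      }
    }'
}

# Beaconing heuristic: same src -> dst:dport at least 3 times with near-constant
# spacing (max interval - min interval <= 1 s). Malware check-ins look like this.
beacon_candidates() {
  printf '%s\n' "$FLOWS" | awk -F, '
    function secs(t,  a) { split(t, a, ":"); return a[1]*3600 + a[2]*60 + a[3] }
    {
      k = $2 "->" $3 ":" $6; n[k]++
      if (n[k] > 1) {
        d = secs($1) - last[k]
        if (lo[k] == "" || d < lo[k]) lo[k] = d
        if (d > hi[k]) hi[k] = d
      }
      last[k] = secs($1)
    }
    END { for (k in n) if (n[k] >= 3 && hi[k] - lo[k] <= 1) print k, n[k] " flows every " lo[k] "s" }'
}

echo "top talkers:";   top_talkers 3
echo "scan candidates:"; scan_candidates 5
echo "beacon candidates:"; beacon_candidates
```

With sFlow input the byte counts are sampled estimates, so the top-talker ranking is still meaningful but the absolute numbers are not; the scan and beacon heuristics need the individual small flows and work best on unsampled NetFlow/IPFIX.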
Legal Hold
A legal notice requiring relevant information to be preserved in anticipation of litigation; the data is kept even past its normal retention period in case it is needed later.
Digital Forensics Documentation
legal reasons, video, admissibility, chain of custody, time stamps, time offset, tags, reports, event logs, interviews
Admissibility
Determines which evidence can be used in court and which cannot; collection and handling must be documented and defensible.
Chain of Custody
The documented record of everyone who possessed an item of evidence, when, and why; label and hash everything so it is clear who had contact with the evidence and that it was not altered along the way.
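The dd entry earlier and the chain-of-custody entry above meet in practice: an image is only evidence if you can show it is identical to the source and who has handled it since. The script below, added here as an example and not from the original set, images a source with dd, hashes source and image, writes each custody step with its hash to a log, and then shows a one-byte change to a working copy being caught. The "device" is a constructed 32 KiB file standing in for something like /dev/sdb; operator name and paths are assumptions.

```shell
#!/bin/sh
# Added example: dd imaging plus the hash bookkeeping behind a chain-of-custody
# record. The "evidence" is a CONSTRUCTED 32 KiB file standing in for a block device.
set -u
WORK=$(mktemp -d)

hash_file() {                          # SHA-256 hex digest, GNU or BSD userland
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{ print $1 }'
  else shasum -a 256 "$1" | awk '{ print $1 }'; fi
}

# Bit-for-bit copy. conv=noerror,sync keeps going past unreadable blocks and
# zero-pads them so the image stays aligned with the source; note that on a
# regular file whose size is not a multiple of bs this padding changes the hash,
# so compare against a device (always block-aligned) or drop "sync" for files.
# The finished image is made read-only, the software equivalent of a write blocker.
image_device() {                       # $1 = source, $2 = image path
  dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
  chmod 0444 "$2"
}

# Append a custody entry: when (UTC), who, which item, what was done, its hash.
record_custody() {                     # $1 = log, $2 = item, $3 = action
  printf '%s\t%s\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "${USER:-unknown}" \
    "$2" "$3" "$(hash_file "$2")" >> "$1"
}

# MATCH if the image hashes the same as the original, else MISMATCH.
verify_image() { if [ "$(hash_file "$1")" = "$(hash_file "$2")" ]; then echo MATCH; else echo MISMATCH; fi; }

# --- walk-through -------------------------------------------------------------
SRC="$WORK/evidence.bin"; IMG="$WORK/evidence.dd"; LOG="$WORK/custody.tsv"
dd if=/dev/urandom of="$SRC" bs=512 count=64 2>/dev/null    # constructed "device", block aligned
record_custody "$LOG" "$SRC" "seized; hashed before imaging"
image_device "$SRC" "$IMG"
record_custody "$LOG" "$IMG" "dd image created"
printf 'image vs source:        %s\n' "$(verify_image "$SRC" "$IMG")"

# Analysts work on a copy; any change to it (one appended byte here) breaks the hash.
cp "$IMG" "$WORK/working-copy.dd"; chmod u+w "$WORK/working-copy.dd"
printf 'x' >> "$WORK/working-copy.dd"
printf 'working copy vs source: %s\n' "$(verify_image "$SRC" "$WORK/working-copy.dd")"
echo "custody log:"; cat "$LOG"
```

Hash before imaging, hash the image, and hash again every time the item changes hands; the custody log then shows an unbroken sequence of identical digests, which is what admissibility ultimately rests on.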
Time offset
The difference between a device's clock and true time (time zone, drift, daylight saving), recorded so that events from different sources can be ordered correctly; a CCTV recorder's timestamp, for example, may not match the actual time.
Acquisition Types
Snapshot, Disk, RAM, Swap/pagefile, OS, Devices, Firmware, Cache, Network, or Artifacts.
Artifacts
Something digital that a human activity left behind as evidence: flash memory contents, recycle bin entries, log information, browser history, etc.
Swap/Pagefile
Disk space where the OS stores pages of RAM that are not currently needed when physical memory runs low; it can also hold fragments of applications and their data, so it is acquired alongside RAM.
cloud forensics
Adds complexity: the hardware is not fully under your control, access may be limited (maintenance windows, provider policy), and the applicable laws depend on where in the world the data is stored.
Right to Audit Clauses
A contract clause giving the customer the right to perform (or commission) a security audit of the provider at any time, so security can be verified before a breach occurs rather than after.
E-discovery
The process of identifying, collecting and producing relevant electronic information to support litigation; it covers retrieval and preservation, not analysis.