SQLi
structured query language injection
XSS
cross-site scripting
CSRF
cross-site request forgery
IDOR
insecure direct object references
SET
social engineering toolkit
PKI
public key infrastructure
CA
certificate authorities
C2
command-and-control
websites
largest attack surfaces that cybersecurity experts have to defend.
SQLi
Manipulating database queries through unsanitized user input. Attackers can extract, modify, or delete database contents
XSS
Injecting malicious scripts into web pages viewed by other users, allowing attackers to steal session cookies, redirect users, or perform actions on their behalf
CSRF
Tricks an authenticated user's browser into sending an unwanted request to a web application, exploiting the trust a site has in the user's session
Broken Authentication
Weak session management, poor password handling, and exposed tokens that allow attackers to assume other users' identities
IDOR
Changing a user ID or filename in a URL to access data belonging to another user without authorization.
SET
create phishing pages, distribute malware, and host C2 panels
attack delivery mechanisms
SET, Burp Suite, OWASP ZAP
encryption
using algorithms to turn plaintext into ciphertext so only authorized parties can read it
symmetric encryption
uses the same key to encrypt and decrypt (e.g., AES). Fast, but key distribution is a challenge
asymmetric encryption
uses a public key to encrypt and a private key to decrypt (e.g., RSA). Solves the key distribution problem
digital signatures
prove authenticity and integrity of a message using asymmetric keys. The sender signs with their private key; the receiver verifies with the sender's public key
PKI
the system of certificates and CAs that validates the ownership of public keys. Used in HTTPS, email signing, and VPNs
cryptography tools
openssl, certutil, GPG
blue team tasks
read org charts, network diagrams, incident response plans, rules of engagement, and legal authority docs before touching anything
blue team collect
Network diagrams, data flow diagrams, asset lists, IR plan, business continuity plan, RoE, and threat intel summaries.
network scanning
finds every live host, open port, and running service. Build a complete picture before defenders or attackers can act
network scanning tools
nmap, Nessus, OpenVAS
asset inventory
List all users, computers, servers, and AD objects. You have to understand what you're defending. Hashing files creates a baseline to detect tampering
asset inventory tools
dsquery, netdom, FCIV / certutil, MBSA
service reduction
Stop and disable anything you don't need. Every running service is an attack surface. Fewer services = fewer entry points
service reduction tools
sc / service, wmic
host firewalls
Block inbound traffic by default. Only allow what's explicitly needed. Log everything dropped. Works at the individual host level
firewall tools
netsh advfirewall, iptables, ufw
application whitelisting
only allow approved programs to run. Prevents malware execution even if it lands on disk. Strong control, high maintenance
application whitelisting tools
AppLocker, GPO
registry hardening
Disables legacy auth (NTLM/LM), admin shares, sticky keys, RDP caching, and blocks common attacker techniques at the registry level
registry hardening tools
reg add, PowerShell
packet capture
Records raw network traffic for analysis. Capturing is the primary goal pre-investigation. Rotate files so you don't fill the disk. Filter to reduce noise
packet capture tools
tcpdump, tshark, Wireshark
log auditing
Windows Event Logs and Linux syslog/auth.log record user actions, logins, policy changes, and service starts. Enable auditing first — it is off by default
log auditing tools
auditpol, wevtutil, Get-EventLog, auditd
honeypots and deception
Set traps that only an attacker would trigger. Honey ports, honey hashes, and fake accounts. Any connection is a high-confidence alert
honeypots and deception tools
netcat, HoneyDrive, DCEPT, labrea
live triage
On a running system, quickly gather who is logged in, what processes are running, what ports are listening, and what auto-starts on reboot. Do this before rebooting — volatile data is lost on shutdown
live triage tools
netstat, tasklist / ps, wmic, lsof, autoruns
malware static analysis
Examine a suspicious file without running it. Check the compile timestamp, look for embedded strings (URLs, commands, IPs), verify the file hash against threat intel databases, and check digital signatures
malware static analysis tools
strings, hexdump, sigcheck, VirusTotal, Team Cymru
memory forensics
Malware can run entirely in RAM with no disk artifacts. Memory dumps capture running processes, injected code, and credentials that disappear on reboot. Always dump memory before powering off a suspected system
memory forensics tools
Volatility, dd / LiME, Process Explorer
disk imaging
A bit-for-bit copy of a drive preserves deleted files, timestamps, and unallocated space for forensic analysis. Always image a drive before making any changes to preserve chain of custody
disk imaging tools
dc3dd, dd, FTK / Autopsy
incident indicators to look for
Processes with no icon or company name, unsigned executables, open network connections to unknown IPs, unexpected scheduled tasks or startup entries, and recently modified system files
patching
Apply OS and 3rd-party patches to close the vulnerabilities that were exploited. Patch known-bad before restoring to production
patching tools
wusa / wuauclt, apt-get / yum
kill malware process
Suspend before killing. If malware has a watchdog process, terminating directly respawns it. Suspend first, confirm it is not restarting, then kill and remove startup entries
kill malware process tools
GMER, Stop-Process (PS), kill (Linux), Autoruns
rootkit detection
they hide themselves from the OS. Run dedicated scanners from clean media. Comparing file hashes against a known-good baseline is the most reliable detection method
rootkit tools
chkrootkit, rkhunter, lynis, Linux Malware Detect (LMD)
Recon (Lockheed Martin Kill Chain Model)
Research the target — gather information about systems, personnel, and vulnerabilities
Weaponize (Lockheed Martin Kill Chain Model)
Build the payload — pair an exploit with a backdoor into a deliverable package
Deliver (Lockheed Martin Kill Chain Model)
Transmit the payload — email attachment, USB drop, watering hole website
Exploit (Lockheed Martin Kill Chain Model)
Trigger the vulnerability on the target system to execute the payload.
Install (Lockheed Martin Kill Chain Model)
Malware establishes persistence — registry keys, startup entries, scheduled tasks
C2 (Lockheed Martin Kill Chain Model)
Malware beacons out to an attacker-controlled server to receive instructions
Act on Objectives (Lockheed Martin Kill Chain Model)
Exfiltrate data, cause damage, move laterally, or deploy ransomware
blue team goal
detect and disrupt as early in the chain as possible. Stopping at phase 1-3 is far better than catching at phase 6-7. Each phase is an opportunity to: Detect, Deny, Disrupt, Degrade, Deceive, or Destroy