|
Question |
Answer |
|
start learning
|
|
|
|
|
|
start learning
|
|
|
|
|
|
start learning
|
|
|
|
|
Netstat all executable files running running processes start learning
|
|
|
|
|
basic info about processes start learning
|
|
|
|
|
|
start learning
|
|
|
|
|
chcek service for any malicious programm installed start learning
|
|
|
|
|
|
start learning
|
|
net sessions; logonsessions
|
|
|
|
start learning
|
|
|
|
|
|
start learning
|
|
|
|
|
netstat TCP and UDP including ports start learning
|
|
|
|
|
|
start learning
|
|
|
|
|
|
start learning
|
|
icmp. type==8; icmp. type==0; tcp. dstport==7; udp. dstport==7
|
|
|
|
start learning
|
|
|
|
|
|
start learning
|
|
|
|
|
|
start learning
|
|
|
|
|
|
start learning
|
|
C\users\user_name\AppData\local\Mozilla\Firefox\Profiles\XXXdefault\cache: cookies. sqllite, fomhistory. sqllite
|
|
|
|
start learning
|
|
C\users\user_name\AppData\local\google\chrome\user data\default\cache: Profile 1(cookies): Default(history)
|
|
|
|
start learning
|
|
C\users\Admin\AppData\local\microsoft\windows\INetCache:\AC\MsEdge(cookies): History
|
|
|
|
start learning
|
|
c: programfiles\MSsqlServer\MSsql12...\MSSQL\LOG\EROR LOG: log_n. trc (open with notepad)
|
|
|
function that allows retrival of the active portion of the transaction log file start learning
|
|
|
|
|
|
start learning
|
|
SENDMAIL - log - /var/log/maillog - most linux. /var/adm/maillog Solaris. /var/log/mail. log Debian/Ubuntu
|
|
|
Microsoft Exchange Email Server Log start learning
|
|
Microsoft Exchange Email Server Log -. edb database files,. stm, checkpoint files, temp files
|
|
|
|
start learning
|
|
access locate times - dir command, ls command
|
|
|
Collecting volatile info: open files start learning
|
|
Collecting volatile info: open files - "net file", psFile utility, OpenFiles command
|
|
|
Collecting volatile info: clopboard start learning
|
|
Collecting volatile info: clopboard - Free Clopboard Viewer
|
|
|
Collecting volatile info: Service/Driver info start learning
|
|
Collecting volatile info: Service/Driver info - tasklist, wmic
|
|
|
Collecting volatile info: logged on users start learning
|
|
Collecting volatile info: logged on users - PsLoggedOn, netsessions, LogonSessions
|
|
|
Logged on users PsLoggedOn start learning
|
|
Logged on users PsLoggedOn - "-l"-only local logons, "-x"-doesnt display times
|
|
|
Logged on users LogonSessions start learning
|
|
Logged on users LogonSessions: "-c"-CSV, "-ct"-prints as tab, "-p"-processes list
|
|
|
Collecting volatile info: DLL and shared libraries start learning
|
|
Collecting volatile info: DLL and shared libraries: ListDLL(win) "-r"-relocated "-u"-unsigned DLL, "-r"-DLL version. Ldd/ls(linux)
|
|
|
|
start learning
|
|
Nbstat: "-c"-NetBIOS name-to-IP mapping, "-n"-names registered locally, "-r"-names resolved by broadcast and querying, "-s"-current NetBIOS sessions and statuses
|
|
|
netstat listening connections start learning
|
|
|
|
|
netstat ethernet statistics - number of bytes, packets start learning
|
|
|
|
|
|
start learning
|
|
Malware is the most common threat
|
|
|
port monitoring command and tool start learning
|
|
port monitoring command and tool - netstat, TCPView
|
|
|
|
start learning
|
|
registry monitoring tool - jv16 Power tools 2017
|
|
|
windows service monitoring start learning
|
|
windows service monitoring - windows server manager (SrvMan)
|
|
|
startup programs monitoring start learning
|
|
startup programs monitoring - Autoruns for Windows
|
|
|
Perform string search tool start learning
|
|
Perform string search tool - BinText
|
|
|
identyfing packing/obfuscation methotds tool start learning
|
|
identifying packing/obfuscation methotds tool - PEiD
|
|
|
intrusion analysis: covert communication tools: start learning
|
|
intrusion analysis: covert communication tools: SSDT View, ReKall, RougeKiller
|
|
|
Detect packet sniffing: MAC flooding start learning
|
|
Detect packet sniffing: MAC flooding - from various IP to single with same TTL (malformed packets)
|
|
|
Detect packet sniffing: ARP poisoning start learning
|
|
Detect packet sniffing: ARP poisoning - filter: arp. duplicate-address-detected, Xarp tool
|
|
|
Machine generating ... will be most likely running a sniffer start learning
|
|
Machine generating REVERSE DNS LOOKUP TRAFFIC will be most likely running a sniffer
|
|
|
check if host has its network card in promiscuos mode start learning
|
|
check if host has its network card in promiscuous mode - nmap -script = sniffer-detect [IP]
|
|
|
Detects potentially malicious elements within HTML: start learning
|
|
Detects potentially malicious elements within HTML: tags like <FK>, , <BR>, <DIV> and background-image, <script>, <object>, <applet>, <enabled>
|
|
|
|
start learning
|
|
Apache web server logs: /var/log/'apache2/access. log - useful with Local File Injection LFI detection
|
|
|
command line tool to locate connected devices start learning
|
|
command line tool to locate connected devices: DevCon(windows)
|
|
|
|
start learning
|
|
Behavioral analysis: 1) extract behavioral patterns 2) compare to other users 3) generated clusters based on behav simmilarity 4) build profiles of each group 5) discover outliners of each group
|
|
|
