CTRL + ALT + SEC

Author: ByteMe

TryHackMe – TheHive Project Walkthrough

Task 1 & 2 are easy “I read this” ones, so let’s skip to…

Task 3

Question 1: Which open-source platform supports the analysis of observables within TheHive?

In the reading under “Observable Enrichment with Cortex” bullet it explains that

One of the main feature integrations TheHive supports is Cortex

Answer: Cortex
(more…)

November 9, 2023
Weekly Cybersecurity Wrap-up 10/30/23
Happy Halloween! It’s already the end of the year! Time files when you are learning cybersecurity!

Videos

What Hiring Mangers Really Think

Insider Threat

Articles
- British Library knocked offline by weekend cyberattack – The British Library has been hit by a major IT outage affecting its website and many of its services following a “cyber incident” that impacted its systems on Saturday, October 28.
- Massive cybercrime URL shortening service uncovered via DNS data – An actor that security researchers call Prolific Puma has been providing link shortening services to cybercriminals for at least four years while keeping a sufficiently low profile to operate undetected.
- Canada bans WeChat and Kaspersky products on govt devices – Canada has banned the use of Kaspersky security products and Tencent’s WeChat app on mobile devices used by government employees, citing network and national security concerns.
- LastPass breach linked to theft of $4.4 million in crypto – Hackers have stolen $4.4 million in cryptocurrency on October 25th using private keys and passphrases stored in stolen LastPass databases, according to research by crypto fraud researchers who have been researching similar incidents.
- Hackers Accessed 632,000 Email Addresses at US Justice, Defense Departments – A Russian-speaking hacking group obtained access to the email addresses of about 632,000 US federal employees at the departments of Defense and Justice as part of the sprawling MOVEit hack last summer, according to a report on the wide-ranging attack obtained through a Freedom of Information Act request.
- ServiceNow Data Exposure: A Wake-Up Call for Companies – Earlier this week, ServiceNow announced on its support site that misconfigurations within the platform could result in “unintended access” to sensitive data.
- Okta hit by third-party data breach exposing employee information – Okta is warning nearly 5,000 current and former employees that their personal information was exposed after a third-party vendor was breached.
- Boeing Confirms Cyberattack, System Compromise – The aerospace giant said it’s alerting customers that its parts and distribution systems have been impacted by cyberattack.
- ISC2 Study: Economic Conditions Continue to Sandbag Cyber Hiring – Nearly 1.5 million people work in cybersecurity in North America, but even with a growing gap in skilled specialists, they bear a higher chance of hiring freezes and layoffs. Read the whole paper from ISC2.
Podcasts

Cyberwire Daily – Ep 1940 | 11.2.23 – The beginning of an international consensus on AI governance may be emerging from Bletchley Park.

Projects

LinkedIn Learning – CompTIA Security+ Module 8: Network Security Design and Implementation | This is a long one, I’m still working on it.

TryHackMe – SOC Level 1(90 % Complete): Velociraptor – Complete

UDemy – Python for Cybersecurity – Gitlab
November 3, 2023
TryHackMe Velociraptor Walk-Through
First task that has any questions is…

Task 2

Question 1: Using the documentation, how would you launch an Instant Velociraptor on Windows?

It’s in the documentation. Scroll to “Instant Velociraptor” and you will find…

Answer: Velociraptor.exe gui

Task 3

Question 1: What is the hostname for the client?

Open the Ubuntu terminal and run:
```
./velociraptor-v0.5.8-linux-amd64 --config velociraptor.config.yaml frontend -v
```
Let that run for a while….

Then launch Chrome and click on the short cut under the search bar called Velociraptor

If you get the warning about your connection not being private, click the advanced button, then proceed to 127.0.0.1

Enter the sign-in information given in task 3 instructions.

Once it comes up click on the magnifying glass next to the search bar:

Then this loads…

Boom! Hostname.

Answer:
```
thm-velociraptor.eu-west-1.compute.internal
```
Question 2: What is listed as the agent version?

From our last step go ahead and click on that Client ID link. It opens up a page with Agent Version on it.

Answer:
```
2021-04-11T22:11:10Z
```
Question 3: In the Collected tab, what was the VQL command to query the client user accounts?

Click the collected button at the top of the page. Then click on the requests tab in the bottom frame. The VQL statement we are looking for is the fourth one down:

Answer:
```
LET Generic_Client_Info_Users_0_0=SELECT Name, Description, Mtime AS LastLogin FROM Artifact.Windows.Sys.Users()
```
Question 4: In the Collected tab, check the results for the PowerShell whoami command you executed previously. What is the column header that shows the output of the command?

If you didn’t run the whoami command while running through the instructions, do that now. Click on magnifying glass then the Client ID and then on the right upper of the screen you will see the “>_ Shell” button click that run whoami. Then you will see this in the results tab here:

In the screenshot above you can see the column header name is Stdout.

Answer: Stdout

Question 5: In the Shell, run the following PowerShell command Get-Date. What was the PowerShell command executed with VQL to retrieve the result?

This is not the same as pulling the VQL from the previous answer. For this one we have to go to the Log tab after we run the command. There we find the VQL command that was run in the second line. Copy that out starting at the [powershell…

Answer:
```
[powershell -ExecutionPolicy Unrestricted -encodedCommand RwBlAHQALQBEAGEAdABlAA==]
```
Task 4

Question 1: Earlier you created a new artifact collection for Windows.KapeFiles.Targets. You configured the parameters to include Ubuntu artifacts. Review the parameter description for this setting. What is this parameter specifically looking for?

The answer for this is in the screenshots for the instructions:

Answer: Ubuntu on Windows Subsystem for Linux

Question 2: Review the output. How many files were uploaded?

I hope you did the exercise otherwise, you won’t find the answer. Take the time go back and do the exercise, then you can find the answer after the process completes:

I’m pretty sure I didn’t do anything wrong here. I see 19 files uploaded and saw other walk-through’s getting the same answer. But the answer TryHackMe wants is 20.

Answer: 20

Task 5

Question 1: Which accessor can access hidden NTFS files and Alternate Data Streams? (format: xyz accessor)

The answer to this is in the documentation. Read the paragraph under VFS accessors.

Answer: ntfs accessor

Question 2: Which accessor provides file-like access to the registry? (format: xyz accessor)

This answer is also in the documentation same section.

Answer: registry accessor

Question 3: What is the name of the file in $Recycle.Bin?

Ok, time to get real. Dive back into Velociraptor and click the little file folder on the left navigation, it’s called virtual file system in the nav. Click File > C: > $Recycle.Bin ? S-1….. file folder under recyclebin. There is your file.

Answer: desktop.ini

Question 4: There is hidden text in a file located in the Admin’s Documents folder. What is the flag?

Alright, Click C: again followed by Users > Administrator > Documents.

The file we want is called flag.txt and we will need to collect it from the host, in order to get the Textview tab to be clickable.

Answer: THM{VkVMT0NJUkFQVE9S}

Task 6

Question 1: What is followed after the SELECT keyword in a standard VQL query?

The answer to this question is found in the documentation. Read the Whitespace section.

Answer: Column Selectors

Question 2: What goes after the FROM keyword?

Keep reading same sentence to get the next anwser.

Answer: VQL Plugin

Question 3: What is followed by the WHERE keyword?

Just keep reading.. Just keep reading… next sentence has the next answer.

Answer: filter expression

Question marked by a “?”. This is also in the documentation, but you will need to navigate to notebooks. Look in number 5 for…

After clicking the Edit Cell button, you can type VQL directory into the cell. As you type, the GUI offers context sensitive suggestions about what possible completions can appear at the cursor. Typing “?” will show all suggestions possible.

Answer: ?

Question: What plugin would you use to run PowerShell code from Velociraptor?

Back to the documentation. Read the section about “Extending Artifacts – PowerShell” to find…

Answer: execve()

Task 7

Question 1: What are the arguments for parse_mft()?

It’s in the documentation. Look under time analysis for…

Answer: parse_mft(filename=”C:/$MFT”, accessor=”ntfs”)

Question 2: What filter expression will ensure that no directories are returned in the results?

Once again answer in the documentation. Filesystem doc under Glob Results.

Answer: IsDir

Task 8

Start the new machine.

Question 1: What is the name in the Artifact Exchange to detect Printnightmare?

Start up Velociraptor by opening a DOS shell and typing…
```
cd desktop
Velociraptor.exe gui
```
Let’s check the documentation. Using search I found. https://docs.velociraptor.app/exchange/artifacts/pages/printnightmare/

Answer is in the documentation! Again!

Answer: Windows.Detection.PrintNightmare

Question 2: Per the above instructions, what is your Select clause? (no spaces after commas)

Replace the **** per the instructions.

Answer:
```
SELECT “C:/” + FullPath AS Full_Path,FileName AS File_Name,parse_pe(file=”C:/” + FullPath) AS PE
```
Question 3: What is the name of the DLL that was placed by the attacker?

We have to create a notebook and plugin some VQL that we build using the previous answer as a template:
```
SELECT "C:/" + FullPath AS Full_Path,FileName AS File_Name,parse_pe(file="C:/" + FullPath) AS PE
FROM parse_mft(filename="C:/$MFT", accessor="ntfs")
WHERE NOT IsDir AND FullPath =~ "Windows/System32/spool/drivers" AND PE
```
29 rows later, we see a oddly named DLL as the last row…

Answer: nightmare.dll

Question 4: What is the PDB entry?

Once you have the above, just look at the PDB line.

Answer: C:\Users\caleb\source\repos\nightmare\x64\Release\nightmare.pdb
November 1, 2023
Weekly Cybersecurity Wrap-up 10/23/23
Webinars

Articles
- D.C. Board of Elections: Hackers may have breached entire voter roll – The District of Columbia Board of Elections (DCBOE) says that a threat actor who breached a web server operated by the DataNet Systems hosting provider in early October may have obtained access to the personal information of all registered voters.
- City of Philadelphia discloses data breach after five months – The City of Philadelphia is investigating a data breach after attackers “may have gained access” to City email accounts containing personal and protected health information five months ago, in May.
- Microsoft announces Security Copilot early access program – Security Copilot, Redmond’s AI-driven security analysis tool, makes it faster for security teams to counter threats using Microsoft’s global threat intelligence expertise and the latest large language models.
- Former NSA Employee Faces Life in Prison After Espionage Attempt – The ex-employee claimed that he believed the shared information would benefit Russia and harm the US.
- Microsoft Warns as Scattered Spider Expands from SIM Swaps to Ransomware – The prolific threat actor known as Scattered Spider has been observed impersonating newly hired employees in targeted firms as a ploy to blend into normal on-hire processes and takeover accounts and breach organizations across the world.
- Hackers can force iOS and macOS browsers to divulge passwords and much more – iLeakage is practical and requires minimal resources. A patch isn’t (yet) available.
Podcasts
- Cyberwire – Ep 1935 | 10.26.23 – Some intelligence services understand the value of being underestimated.
- Smashing Security – 345: Cyber sloppiness, and why does Google really want to hide your IP address?
Projects
- LinkedIn Learning – CompTIA Security+ Module 8: Network Security Design and Implementation | This is a long one, I’m still working on it.
- TryHackMe – SOC Level 1(87 % Complete): Volatility – Complete
- UDemy – Python for Cybersecurity – Gitlab
October 30, 2023
Book Review: Confident Cyber Security
Confident Cyber Security: How to Get Started in Cyber Security and Futureproof Your Career by Jessica Barker

The Book in 3 Sentences
1. Jessica Barker is the co-CEO of Cygenta and a leader in cybersecurity awareness who is very active on social media.
2. The book acts as a primer for those interested in cyber security but don’t have a foundation in it.
3. I think the sub-title is misleading as the book spends 95% of its content teaching the basics of cyber security, which isn’t bad in itself, but it doesn’t go deep on ‘how to get started in cyber security and futureproof your career’.
Impressions

As I said in point 3 above, the book spent all its content educating on the basics of cyber and did not dive deep into getting into the field or futureproofing your career in cyber. This is all contained in 1 chapter second to last in the book. This is not a bad book, but it doesn’t accomplish the goal on the cover. I was looking for something deeper about securing a future in a cyber career.

Who Should Read It?

Anyone interested in cybersecurity that does not already have a foundation in it. Those with a basic understanding will find, like me, 90% of the book covers the basics they already know.

How the Book Changed Me

I wouldn’t say this book had a huge impact on me. I got a couple of book and website recommendations and further solidified my cyber security understanding. Other than that, I learned maybe to abandon a book a little earlier in the future.
October 26, 2023
TryHackMe – Volatility Walk-Through
This will only cover Task 10 – Practical Investigations

Question 1: What is the build version of the host machine in Case 001?

In the above screenshot look at NTBuildLab.

Answer: 2600.xpsp.080413-2111

Question 2: At what time was the memory file acquired in Case 001?

Also, in the previous screenshot look at SystemTime.

Answer: 2012-07-22 02:45:08

Question 3: What process can be considered suspicious in Case 001?

Find the last line PID 1640.

Answer: reader_sl.exe

Question 4: What is the parent process of the suspicious process in Case 001?

See previous screenshot. It is the executable just above reader_sl.exe

Answer: explorer.exe

Question 5: What is the PID of the suspicious process in Case 001?

Also in the last screenshot, look under the PID column.

Answer: 1640

Question 6: What is the parent process PID in Case 001?

Again, same screenshot, look at the PID for explorer.exe

Answer: 1484

Question 7: What user-agent was employed by the adversary in Case 001?

We are going to use memmap to figure this out:
```
./vol.py -f /Scenarios/Investigations/Investigation-1.vmem -o /tmp windows.memmap --pid 1640 --dump
```
This will load pid.1640.dmp in tmp

Now we use string to dig deeper

Answer: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US

Question 8: Was Chase Bank one of the suspicious bank domains found in Case 001? (Y/N)

Strings to the recue again…
```
strings /tmp/pid.1640.dmp | grep "chase"
```
Answer: Y

Question 9: What suspicious process is running at PID 740 in Case 002?

Okay, case 2.
```
./vol.py -f /Scenarios/Investigations/Investigation-2.raw windows.pstree
```
Look at PID 740

Answer: @WanaDecryptor@

Question 10: What is the full path of the suspicious binary in PID 740 in Case 002?

Time to break out dlllist and our friend grep
```
./vol.py -f /Scenarios/Investigations/Investigation-2.raw windows.dlllist | grep 740
```
The directory is in the second line.

Answer: C:\Intel\ivecuqmanpnirkt615\@WanaDecryptor@.exe

Question 11: What is the parent process of PID 740 in Case 002?

See screenshot above with PIDs listed. You can see that the executable before PID 740 is…

Answer: tasksche.exe

Question 12: What is the suspicious parent process PID connected to the decryptor in Case 002?

This is in the same screenshot. Basically this is asking what the PID for tasksche.exe is…

Answer: 1940

Question 13: From our current information, what malware is present on the system in Case 002?

This is kinda self-explanatory, so let’s take a wild guess..

Answer: WannaCry

Question 14: What DLL is loaded by the decryptor used for socket creation in Case 002?

PID 740 has a lot of DLLs listed. We could try each one in the answer box, but it did say socket in the question. WS stands for WinSock as in Winsock DLLs.

Answer: WS2_32.dll

Question 15: What mutex can be found that is a known indicator of the malware in question in Case 002?

We are going to use handles on this one and look for PID 1940
```
./vol.py -f /Scenarios/Investigations/Investigation-2.raw windows.handles | grep 1940
```
I could have searched for this one, but it popped out of the screen when looking for mutex…

Answer: MsWinZonesCacheCounterMutexA

Question 16: What plugin could be used to identify all files loaded from the malware working directory in Case 002?

Again, we look at the reference and find filescan

Answer: windows.filescan
October 24, 2023
Weekly Cybersecurity Wrap-up 10/16/23
Webinars

Articles
- Russia and China-backed hackers are exploiting WinRAR zero-day bug – Google security researchers say they have found evidence that government-backed hackers linked to Russia and China are exploiting a since-patched vulnerability in WinRAR, the popular shareware archiving tool for Windows.
- US Government Releases Anti-Phishing Guidance – CISA, NSA, FBI, and MS-ISAC have released guidance and prevention recommendations on common phishing techniques.
- Fake Corsair job offers on LinkedIn push DarkGate malware – A threat actor is using fake LinkedIn posts and direct messages about a Facebook Ads specialist position at hardware maker Corsair to lure people into downloading info-stealing malware like DarkGate and RedLine.
- Ragnar Locker ransomware gang taken down by international police swoop — Europol – This week, law enforcement and judicial authorities from eleven countries delivered a major blow to one of the most dangerous ransomware operations of recent years.
- Police employee arrested for computer trespassing and violation of official secrecy – An employee of the Amsterdam police unit was arrested this week on suspicion of computer trespassing and violation of official secrecy.
- D-Link confirms data breach after employee phishing attack – Taiwanese networking equipment manufacturer D-Link confirmed a data breach linked to information stolen from its network and put up for sale on BreachForums earlier this month.
- 23AndMe Hacker Leaks New Tranche of Stolen Data – Two weeks after the first data leak from the DNA ancestry service, the threat actor produces an additional 4 million user records they purportedly stole.
- The Most Popular IT Admin Password Is Totally Depressing – Top 10:
  1. admin
  2. 123456
  3. 12345678
  4. 1234
  5. Password
  6. 123
  7. 12345
  8. admin123
  9. 123456789
  10. adminisp
Podcasts
- Darknet Diaries EP 138: THE MIMICS OF PUNJAB
- Cyberwire Ep 1930 | 10.19.23 – Vigilance isn’t purely receptive. Without criticism, it will become blind with detail.
Projects

LinkedIn Learning – CompTIA Security+ Module 8: Network Security Design and Implementation

TryHackMe – SOC Level 1(85 % Complete): KAPE – Complete

Python for Cybersecurity (Section 5 out of 10)
October 21, 2023
Weekly Cybersecurity Wrap-up 10/9/23
Webinars

Articles
- MGM Resorts confirms hackers stole customers’ personal data during cyberattack – MGM Resorts has confirmed hackers stole an unspecified amount of customers’ personal information during a September cyberattack that will cost the hotel and casino giant an estimated $100 million.
- Cybersecurity Talent in America: Bridging the Gap – It’s past time to reimagine how to best nurture talent and expand recruiting and training to alleviate the shortage of trained cybersecurity staff. We need a diverse talent pool trained for tomorrow’s challenges.
- NSA and CISA reveal top 10 cybersecurity misconfigurations – The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) revealed today the top ten most common cybersecurity misconfigurations discovered by their red and blue teams in the networks of large organizations.
- Microsoft to kill off VBScript in Windows to block malware delivery – Microsoft is planning to phase out VBScript in future Windows releases after 30 years of use, making it an on-demand feature until it is removed.
Podcasts
- Cyberwire – Ep 1925 | 10.12.23 – Hacktivism, auxiliaries, and the cyber phases of two hybrid wars. Challenges of content moderation. Cyberespionage in the supply chain. Don’t buy all the hype, but do fix your Linux libraries.
Projects

TryHackMe – SOC Level 1(82 % Complete): Autopsy, Redline – Complete
October 16, 2023
Weekly Cybersecurity Wrap-up 10/2/23
Webinars

I tried this and found Chat GPT to be helpful writing about myself and using “resume speak”.

Articles
- Microsoft Defender no longer flags Tor Browser as malware – Recent versions of the TorBrowser, specifically because of the updated tor.exe file it contained, were being incorrectly flagged as potential threats by Windows Defender.
- FBI warns of surge in ‘phantom hacker’ scams impacting elderly – The FBI issued a public service announcement warning of a significant increase in ‘phantom hacker’ scams targeting senior citizens across the United States.
- Sony confirms data breach impacting thousands in the U.S. – Sony Interactive Entertainment (Sony) has notified current and former employees and their family members about a cybersecurity breach that exposed personal information.
- The US Is Openly Stockpiling Dirt on All Its Citizens – A new report reveals that government agencies have been stockpiling data on US citizens through data broker pipelines. Privacy advocates have been arguing that government agencies use too broad a definition of “publicly available data” to include any data that can be purchased.
- 2023 State of API Security Report: Global Findings – This study gathered insights from 1,629 respondents across over 100 countries and six major industries. One of the highlights is that 74% of organizations have had at least three API-related data breaches in the past two years.
- Your Online Account May Have Been Breached? Don’t Just Sit There. Do Something. – How do consumers respond when their online accounts are exposed to hackers? Many of them simply don’t.
Podcasts
- Cyberwire Daily – Ep 1918 | 10.2.23 – Adventures of ransomware, and other developments in cybercrime. Cyberespionage and hybrid warfare. A government shutdown averted. Cybersecurity Awareness Month is underway.
- Cyberwire Daily – Ep 1919 | 10.3.23 – Where ICS touches the Internet. BunnyLoader traded in C2C markets. Phantom Hacker scams. API risks. Cybersecurity attitudes and behavior. DHS IG reports on two cyber issues. Updates on the hybrid war.
- Cyberwire Daily Ep 1921 | 10.5.23 – Security risks in the hardware and software supply chains. Patches and proofs-of-concept. A look at recent incidents hitting major corporations. Online surveillance and social credit in Russia.
- Smashing Security 342: Royal family attacked, keyless car theft, and a deepfake Tom Hanks
Projects
- TryHackMe – SOC Level 1 (77 % Complete): Windows Forensics 2, Linux Forensics – Complete
- LinkedIn Learning – Security + Training Domain 6: Cloud Security Design and Implementation – Complete
- Python Learning – https://gitlab.com/learn_cybersecurity/cs_learning/-/tree/main/python
October 7, 2023
Weekly Cybersecurity Wrap-up 9/25/23
Webinars

I’m studying for the Security+ right now. This was a good overview, but I think anyone with any technical background can skip directly to the Security+.

I’ll watch anything with Rachel Tobac in it. She is a master of social engineering!

This certificate looks like it would be worth while to do after the Security+ as it covers CISSP a lot and I’ll need lots of time to review the topics for that more difficult certificate.

Articles
- Cisco to acquire Splunk in $28B mega deal – Cisco has a reputation of building the company through acquisitions, but it has tended to stay away from the really huge ones.
- BORN Ontario child registry data breach affects 3.4 million people – The Better Outcomes Registry & Network (BORN), a healthcare organization funded by the government of Ontario, has announced that it is among the victims of Clop ransomware’s MOVEit hacking spree.
- National Student Clearinghouse data breach impacts 890 schools – The personally identifiable information (PII) contained in the stolen documents includes names, dates of birth, contact information, Social Security numbers, student ID numbers, and some school-related records (e.g., enrollment records, degree records, and course-level data).
- MOVEit Flaw Leads to 900 University Data Breaches – National Student Clearinghouse, a nonprofit serving thousands of universities with enrollment services, exposes more than 900 schools within its MOVEit environment.
- Nigerian man pleads guilty to attempted $6 million BEC email heist – Kosi Goodness Simon-Ebo, a 29-year-old Nigerian national extradited from Canada to the United States last April, pleaded guilty to wire fraud and money laundering through business email compromise (BEC).
- T-Mobile denies new data breach rumors, points to authorized retailer – T-Mobile has denied suffering another data breach following Thursday night reports that a threat actor leaked a large database allegedly containing T-Mobile employees’ data.
Podcasts
- CyberWire Daily – Ep 1914 | 9.26.23 – Crooks phish for guests; spies phish for drone operators. ZenRAT is used in an info-stealing campaign. More MOVEit-related incidents (some involving Cl0p). DeFi platforms hit. The UK hunts forward.
- CyberWire Daily – Ep 1916 | 9.28.23 -Buckworm APT’s specialized tools. Cyberattack against Johnson Controls. Oversight panel reports on Section 702. Cyber in election security, and in the US industrial base. Hacktivism versus Russia.
- CyberWire Daily – Ep 1917 | 9.29.23 – Malicious ads in a chatbot. A vulnerability gets some clarification. Cl0p switches from Tor to torrents. Influence operations as an adjunct to WMD. And NSA’s new AI Security Center.
- Smashing Security 341: Another T-Mobile breach, ThemeBleed, and farewell Naked Security
Projects

TryHackMe – SOC Level 1(75 % Complete): Windows Forensics 2 – In Progress
September 29, 2023