Home Blue Team Level 1 Notes
Post
Cancel

Blue Team Level 1 Notes

Introduction

Six months ago, I successfully passed the BTL1 Certification Exam on my first attempt and was awarded a shiny gold coin. It was a moment of immense pride and accomplishment for me. To achieve this feat, I made sure to prepare thoroughly and used a note to recap myself and guide me during the exam. This note played a crucial role in helping me recall the important concepts and key points, which guided me in the exam. As I believe that sharing knowledge is the best way to grow, I am sharing this experience with all of you. So, I hope this note would help you all who are currently BTL1s’ students or who are planning to take this certification.

Common Ports

Port Service Description  
20,21 FTP File Transfer Protocol used to transfer files b/w systems.  
22 SSH Secure Shell Protocol allows users to securely connect to a remote host.  
23 Telnet Used before SSH, allows users to connect to a remote host, doesn’t offer encryption.  
25 SMTP Simple Mail Transfer Protocol used to send emails between servers within the network, or over the internet.  
53 DNS Domain Name System converts human-readable domain names to machine-readable IP address.  
67,68 DHCP Dynamic Host Configuration Protocol assign IP address-related information to any hosts on the network automatically.  
80 HTTP Hypertext Transfer Protocol allows browsers (Chrome, Firefox, etc) to connect to web servers and request contents.  
443 HTTPS Hypertext Transfer Protocol Secure is a secure version of HTTP Protocol which allows browsers to securely connect to web servers and request contents.  
514 Syslog Syslog server listens for incoming Syslog notifications, transported by UDP packets. ***

Phishing Analysis


Gathering Artifacts (IOCs)

Email Artifacts -

  • Sender Address
  • Reply-To Address
  • Sending Server IP
  • Reverse DNS
  • Recipient Address
  • Subject Line
  • Date & Time

Web-based Artifacts -

  • Full-URLs (sanitized)
  • Domain Names

File-based Artifacts -

  • Filename & Extension
  • MD5/SHA1/SHA256 Hash Values

Artifacts Analysis

  1. Visualization Tools - URL2PNG, URLScan
  2. URL Reputation Tools - VirusTotal, URLScan, URLhaus, WannaBrowser
  3. File Reputation Tools - VirusTotal, Talos File Reputation
  4. Malware Sandboxing - Hybrid Analysis

Defanging URL & IP Address

  1. Defang URL, Defang IP Addresses - CyberChef (gchq.github.io)

Digital Forensics


Data representation can be done in the following ways,

  • Base64
  • Hexadecimal
  • Octal
  • ASCII
  • Binary

Metadata

1
2
3
4
5
6
7
# Provided with information such as the read/write permissions, the file name and size, and the times for when the file was last accessed and modified.
ls -lisap <file>
stat <file>

# Received metadata from files
# sudo apt-get install exiftool
exiftool <file>

File Carving

1
2
3
# To choose which file type you want to retrieve you can edit in /etc/scalpel/scalpel.conf
# To start retrieving a file using command below
scalpel -b -o <output-dir> <disk-image-file>   

Hashing

  1. Windows
    1
    
    Get-FileHash -Algorithm [algorithm-to-use] [file]
    
  2. Linux
    1
    2
    3
    
    md5sum <file>
    sha1sum <file>
    sha256sum <file>
    

Data Acquisition

  • FTK Imager - import .img file in FTK Imager. Download
  • KAPE - uses for fast acquisition of data. Download

Windows Investigation

LNK Files -

  • These files can be found at
    1
    
    %userprofile%\Appdata\Roaming\Microsoft\Windows\Recent
    
  • Windows File Analyzer can be used to view these files in form of human-readable format.

Prefetch Files -

  • These files can be found at
    1
    
    C:\Windows\Prefetch
    
  • Prefetch Explorer Command Line can be used to view these files in form of human-readable format a.k.a. PEbatch.exe.
    1
    2
    3
    
    # Using PEbatch requires administrator privilege
    PEbatch.exe -f [path-to-file].pf
    PEbatch.exe -k "string-to-match" -d [path-to-prefetch-folder]
    

Jump List -

  • These files can be found at
    1
    2
    
    C:\Users\% USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
    C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations
    
  • JumpList Explorer could be used to analyze these files.

Browsers Artifacts -

Event Logs -

  • Event ID 4624 - Successful Logon
  • Event ID 4625 - Failed Logon
  • Event ID 4672 - Special Logon (with administrative privileges logs in)
  • Event ID 4634 - Logoff from the current session
  • Event ID 4720 - User account was created
  • Event ID 4726 - User account was deleted
  • Event ID 4732 - A member was added to a security-enabled local group

These event logs could be found at

1
C:\Windows\System32\winevt\Logs

Linux Investigation

  • /etc/passwd — contains a list of user accounts on the system, and their permissions.
  • /etc/shadow — contains encrypted passwords of existing users on the system.
  • unshadow /etc/passwd /etc/shadow > <new-file> to combine the passwd and shadow together.
  • /var/lib/dpkg/status — includes list of all installed software packages on debian-based systems.
  • .bash_history — contains a list of commands that have been run by the specific user.
  • Hidden Files and Directories — usually prefix with .
  • Clear Files — the file that is accessible by standard means. i.e. browser, terminal
  • Steganography — a practice of concealing messages or files within other non-secret text or data.

Volatility — Memory Analysis -

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
# Determine the suggested profile for analysis
volatility -f memdump.mem imageinfo
# Print a list of processes to the terminal
volatility -f memdump.mem --profile=<PROFILE> pslist
# Print a process tree to the terminal
volatility -f memdump.mem --profile=<PROFILE> pstree
# View command line of the specific process with PID XXXX
volatility -f /path/to/file.mem --profile=PROFILE dlllist -p XXXX
# Print all available processes, including hidden ones often used by malware
volatility -f memdump.mem --profile=<PROFILE> psscan
# Dumping the process with a specific PID XXXX
volatility -f /path/to/file.mem --profile=PROFILE procdump -p XXXX -D /home/ubuntu/Desktop
# Print expected and hidden processes
volatility -f memdump.mem --profile=<PROFILE> psxview
# View any active or closed network connections
volatility -f memdump.mem --profile=<PROFILE> netscan
# Create a timeline of events from the memory image
volatility -f memdump.mem --profile=<PROFILE> timeliner
# Pull internet browsing history
volatility -f memdump.mem --profile=<PROFILE> iehistory
# Identify any files on the system from the memory image
volatility -f memdump.mem --profile=<PROFILE> filescan
# Retrieve files from the memory image
volatility -f memdump.mem --profile=<PROFILE> dumpfiles -n --dump-dir=<path-to-dump>

Security Information and Event Management


Splunk

  • Make sure you turn searching query time to All Times to see all the events
  • To quickly identify sourcetype (don’t look through every single log) make sure to turn Event Sampling to 1:100 or 1:1000 or etc.

All queries must start by referencing the dataset

1
index=<dataset>

To search for a source ip address

1
index=<dataset> src="x.x.x.x"

To search for a destination ip address that made a connection with, i.e. locahost (127.0.0.1)

1
index=<dataset> src="127.0.0.1" dst="x.x.x.x"

Incident Response


Network Traffic Analysis

Using Wireshark to analyze network traffic capture files including, .pcap, .cap, .pcapng, etc.

Command Prompt to assist with incident response

  • List network configuration information in local system
    1
    
    ipconfig /all
    
  • Print a list of running processes and programs
    1
    
    tasklist
    
  • Display running processes and associated binary file that was executed to create the process
    1
    
    wmic process get description, executablepath
    
  • Print a list of all local system users
    1
    
    net user
    
  • Print a list of all users that are resided in an administrators user group
    1
    
    net localgroup administrators
    
  • Print all users reside in a RDP group
    1
    
    net localgroup "Remote Desktop Users"
    
  • List all services and detailed information about each one
    1
    
     sc query | more
    
  • List all open ports on a system
    1
    
    netstat -ab
    

Powershell to help extracted valuable information

  • To get network-related information from the system
    1
    2
    
    Get-NetIPConfiguration
    Get-NetIPAddress
    
  • List all local users on the system
    1
    2
    3
    
    Get-LocalUser
    # To get more information about a specific user
    Get-LocalUser -Name BTLO | select *
    
  • To identify running services on the system and show the results in a nice windows
    1
    
    Get-Service | where Status -eq "Running" | Out-GridView
    
  • List the running processes and group it by their priority value
    1
    
    Get-Process | Format-Table -View priority
    
  • Get specific information from a service
    1
    2
    3
    4
    
    # specific information by including their name
    Get-Process -Name 'namehere'
    # specific information by including their id and piping for collected all properties
    Get-Process -Id 'idhere' | Select *
    
  • List tasks that are set to run after certain conditions are met
    1
    
    Get-ScheduledTask
    
  • Dig more deeper by specifying the task we’re interested in and piping for all properties
    1
    
    Get-ScheduledTask -TaskName 'PutANameHere' | Select *
    
  • Change the Execution Policy applied to specific user
    1
    
    Set-ExecutionPolicy Bypass -Scope CurrentUser
    
  1. DeepBlueCLI is a tool that was created by SANS to aid the investigation and triage of Windows Event Logs
  • Run the command to a specific local log file
    1
    
    ./DeepBlue.ps1 ../Log1.evtx
    
  • Run the command to analyze the system we are currently on
    1
    2
    3
    4
    
    # to analyze a live security log
    ./DeepBlue.ps1 -log security
    # to analyze a live system log
    ./DeepBlue.ps1 -log system
    

Appendix A — Logs Information Details


Logon Type (Event ID: 4624)

Type Description
2 Interactive (interactively logged on, meaning a physical logon to the device)
3 Network (accessed system via network)
4 Batch (started as an automated batch job)
5 Service (a Windows service started by service controller)
6 Proxy (proxy logon; not used in Windows NT or Windows 2000)
7 Unlock (unlock workstation - think Interactive logon, but unlocking to resume a previous session)
8 NetworkCleartext (network logon with cleartext credentials)
9 NewCredentials (used by RunAs when the /netonly option is used)

NETLOGON LOG ERROR CODE (Event ID: 4625)

NETLOGON log error code Description
0xC0000064 The specified user does not exist
0xC000006A The value provided as the current password is not correct
0xC000006C Password policy not met
0xC000006D The attempted logon is invalid due to a bad username
0xC000006E User account restriction has prevented successful login
0xC000006F The user account has time restrictions and may not be logged onto at this time
0xC0000070 The user is restricted and may not log on from the source workstation
0xC0000071 The user account’s password has expired
0xC0000072 The user account is currently disabled
0xC000009A Insufficient system resources
0xC0000193 The user’s account has expired
0xC0000224 User must change his password before he logs on the first time
0xC0000234 The user account has been automatically locked

Linux Logs

  • /var/log/auth.log — contains system authorization information. i.e. user logins.
  • /var/log/dpkg.log — contains information that is logged when a package is installed or remove using dpkg.
  • /var/log/btmp — contains information about failed login attempts.
  • /var/log/cron — logs information about cron job.
  • /var/log/secure — contains information related to authentication and authorization.
  • /var/log/faillog — contains user failed login attempts.
This post is licensed under CC BY 4.0 by the author.