For my own personal use; seen as my living document of information gathered to help me.
USB SSD (1 TB+) for RAM dumps and a disk triage script/tool
Save both live and dead-system artefacts; afterwards hash everything (MD5 + SHA-1 printed to a file) and check that the memory image parses in vol3 (windows.info.Info)
- live: DumpIt
- dead: hibernation file (hiberfil.sys), pagefile (pagefile.sys) and crash dumps
Create a Linux script to capture memory dumps with LiME or AVML, and CyLR for a triage image
Run EDD (Encrypted Disk Detector) to check for disk encryption; if encrypted, take the triage image while the volume is still unlocked, then stamp it with MD5 + SHA-1
Run KAPE for a basic capture, then FTK Imager to get the full image
dd or dcfldd for Linux image capture (dcfldd hashes while it copies)
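The hash-stamp step of the plan above, as an added example (my own code for these notes, not part of DumpIt, AVML, LiME, dd/dcfldd, KAPE or FTK Imager): chunked MD5/SHA-1/SHA-256 of an image in one read pass, a manifest file, and a verify pass that re-hashes a copy and checks its size. The manifest name and line format are my own choice, and the demo "image" is a constructed 3-byte file, not a real dump.

```python
"""Hash-stamp acquired images and verify copies later (md5 + sha1 as in the plan,
plus sha256). Added example for these notes, not code from any acquisition tool;
the manifest format below is my own choice."""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

CHUNK = 1024 * 1024                      # 1 MiB reads: a 64 GB dump never sits in RAM
ALGORITHMS = ("md5", "sha1", "sha256")   # md5+sha1 per the plan; sha256 because md5 is collision-prone


def hash_file(path: str, algorithms=ALGORITHMS) -> Dict[str, str]:
    """Return {algorithm: hexdigest} for one file, all digests from a single read pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def write_manifest(paths: List[str], manifest: str) -> str:
    """Write one 'algorithm  hexdigest  size  filename' line per digest; returns the manifest path."""
    with open(manifest, "w") as out:
        for path in paths:
            digests, size = hash_file(path), os.path.getsize(path)
            for algo in ALGORITHMS:
                out.write(f"{algo}  {digests[algo]}  {size}  {os.path.basename(path)}\n")
    return manifest


def verify_manifest(manifest: str, directory: str) -> List[Tuple[str, str, bool]]:
    """Re-hash each file named in the manifest; returns (filename, algorithm, ok).
    A False means the copy is altered or truncated and must not be used as evidence."""
    cache: Dict[str, Dict[str, str]] = {}
    results = []
    with open(manifest) as fh:
        for line in fh:
            algo, expected, size, name = line.rstrip("\n").split("  ", 3)
            path = os.path.join(directory, name)
            if name not in cache and os.path.isfile(path):
                cache[name] = hash_file(path)
            ok = (name in cache
                  and os.path.getsize(path) == int(size)
                  and cache[name][algo] == expected)
            results.append((name, algo, ok))
    return results


def demo() -> Dict[str, object]:
    """Constructed run: stamp a fake 3-byte 'image', verify it, tamper with it, verify again."""
    work = tempfile.mkdtemp(prefix="triage_")
    image = os.path.join(work, "memdump.raw")
    with open(image, "wb") as fh:
        fh.write(b"abc")                      # constructed stand-in for a memory dump
    digests = hash_file(image)
    manifest = write_manifest([image], os.path.join(work, "hashes.txt"))
    before = verify_manifest(manifest, work)
    with open(image, "r+b") as fh:
        fh.write(b"X")                        # alter one byte: same size, different content
    after = verify_manifest(manifest, work)
    return {"sha256": digests["sha256"], "md5": digests["md5"],
            "all_ok_before": all(ok for _, _, ok in before),
            "any_ok_after": any(ok for _, _, ok in after)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The size check matters as much as the digest: a copy that was cut short by a full USB disk fails fast without re-hashing, and a same-size copy with one flipped byte (the demo's tamper step) fails on every algorithm.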
https://www.shodan.io/
Shodan; alternatives such as BinaryEdge and ZoomEye
BIN (card issuer) lookup: bincheck.io, freebinchecker.com, bintable.com
IBAN / SWIFT-BIC lookup: wise.com, bank.codes, theswiftcodes.com
Certificate transparency and internet-wide scan data: Censys and crt.sh
Event codes: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/
Registry hives and the data they store: https://learn.microsoft.com/en-us/windows/win32/sysinfo/registry-hives
<ul>
<li><strong>SAM</strong> (Security Account Manager): local user accounts and groups: NT password hashes, creation date, last login, group membership, etc.</li>
<li><strong>SECURITY</strong>: LSA policy and secrets: audit policy, LSA secrets (e.g. service account passwords) and cached domain logon credentials.</li>
<li><strong>SOFTWARE</strong>: installed software, both Windows components and third-party tools, plus OS version, ProfileList and Run keys.</li>
<li><strong>SYSTEM</strong>: system-wide configuration: control sets, services and drivers, event log configuration, mounted devices and USB device history (USBSTOR), time zone, computer name, etc.</li>
<li><strong>DEFAULT</strong>: the user hive loaded as HKEY_USERS\.DEFAULT, i.e. the profile of the LocalSystem account (the most privileged built-in account). Activity by SYSTEM-level services and tooling leaves traces here rather than in a user's NTUSER.DAT.</li>
</ul>
Subdomain enumeration: Sublist3r
Aquatone (takes screenshots of the discovered hosts for visual triage)
assetfinder: queries subdomains from many sources (certificate logs, passive DNS, etc.)
Find deleted files on a disk image
PhotoRec (carves files by signature, no filesystem metadata needed)
List active processes with PID, PPID and memory offsets (pslist walks the EPROCESS list, pstree shows parent/child relationships, psscan carves pool memory and can find hidden or terminated processes)
vol3 -f <memory_dump> windows.pslist.PsList
vol3 -f <memory_dump> windows.pstree.PsTree
vol3 -f <memory_dump> windows.psscan.PsScan
More specific memory regions of a process (VAD tree: address ranges, protection, mapped file of each region)
vol3 -f <memory_dump> windows.vadinfo.VadInfo --pid <PID>
vol3 -f <memory_dump> windows.dlllist.DllList --pid <PID>
Shows each module against the three PEB lists (InLoad, InInit, InMem) and the VAD-mapped path; a DLL that is False in a list or has no MappedPath may be unlinked or injected (the process EXE itself is normally False in InInit)
vol3 -f <memory_dump> windows.ldrmodules.LdrModules --pid <PID>
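Added example (my own code, not part of Volatility) for triaging ldrmodules output: parse the tab-separated text and flag entries that are missing from a PEB list or have no file-backed mapping, while not flagging the process image for its normal InInit = False. It assumes the column order Pid, Process, Base, InLoad, InInit, InMem, MappedPath from the default vol3 renderer; the sample rows are constructed, not from a real dump.

```python
"""Flag suspicious modules in Volatility 3 windows.ldrmodules.LdrModules output.
Added example for these notes, not part of Volatility. Assumes the tab-separated
text of the default vol3 renderer with the columns
Pid, Process, Base, InLoad, InInit, InMem, MappedPath; sample rows are constructed."""
import sys
from typing import Dict, List

COLUMNS = ("Pid", "Process", "Base", "InLoad", "InInit", "InMem", "MappedPath")
PEB_LISTS = ("InLoad", "InInit", "InMem")

# Constructed sample (not a real dump): a normal EXE, two normal DLLs, a region that
# is only in the InMem list with no file mapping, and a DLL unlinked from all lists.
SAMPLE = "\n".join("\t".join(cols) for cols in [
    COLUMNS,
    ("1234", "explorer.exe", "0x7ff6a0e40000", "True", "False", "True", r"\Windows\explorer.exe"),
    ("1234", "explorer.exe", "0x7ffb12340000", "True", "True", "True", r"\Windows\System32\ntdll.dll"),
    ("1234", "explorer.exe", "0x7ffb0a000000", "True", "True", "True", r"\Windows\System32\kernel32.dll"),
    ("1234", "explorer.exe", "0x1a2b0000", "False", "False", "True", ""),
    ("1234", "explorer.exe", "0x7ffb09000000", "False", "False", "False",
     r"\Users\bob\AppData\Local\Temp\evil.dll"),
])


def parse(text: str) -> List[Dict[str, str]]:
    """Turn the renderer output into dicts; skips banner/progress lines before the header."""
    lines = text.splitlines()
    start = next(i for i, l in enumerate(lines) if l.startswith("Pid\t"))
    header = lines[start].split("\t")
    rows = []
    for line in lines[start + 1:]:
        if not line.strip():
            continue
        cols = line.split("\t")
        cols += [""] * (len(header) - len(cols))     # an empty MappedPath drops the last cell
        rows.append(dict(zip(header, cols)))
    return rows


def find_suspicious(rows: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Entries absent from any PEB list, or mapped with no backing file.
    The process image itself is never in the InInit list, so that alone is not flagged."""
    hits = []
    for r in rows:
        path = r["MappedPath"]
        is_exe = path.lower().endswith("\\" + r["Process"].lower())
        missing = [l for l in PEB_LISTS if r[l] != "True"]
        if is_exe and missing == ["InInit"]:
            missing = []
        reasons = []
        if missing:
            reasons.append("absent from " + ", ".join(missing))
        if not path:
            reasons.append("no file-backed mapping (possible injected/unbacked code)")
        if reasons:
            hits.append({"pid": r["Pid"], "process": r["Process"], "base": r["Base"],
                         "path": path or "<none>", "reasons": reasons})
    return hits


if __name__ == "__main__":
    # pipe real output in: vol3 -f dump.raw windows.ldrmodules.LdrModules --pid 1234 | python3 this.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for h in find_suspicious(parse(text)):
        print(f"PID {h['pid']} {h['process']} {h['base']} {h['path']}: {'; '.join(h['reasons'])}")
```

Run with no stdin to see the constructed sample flagged; the unbacked region and the DLL missing from all three lists are the two hits, while explorer.exe with only InInit = False is left alone. Anything it flags still needs a look at the matching vadinfo / malfind output before calling it injection.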
Full command line used to start the process, including the executable path and arguments
vol3 -f <memory_dump> windows.cmdline.CmdLine --pid <PID>
UserAssist: GUI program execution history per user (run count, focus time, last executed). Output columns: Hive Offset, Hive Name, Path, Last Write Time, Type, Name, ID, Count, Focus Count, Time Focused, Last Updated, Raw Data
vol3 -f <memory_dump> windows.registry.userassist.UserAssist | grep -i <name>
List the environment variables of a process (SystemRoot, USERPROFILE, sometimes PWD / the current working directory)
vol3 -f <memory_dump> windows.envars.Envars --pid <PID>
Find the network connections (remote IPs and ports) of a process by its PID (netscan lists the owning PID per connection)
vol3 -f <memory_dump> windows.netscan.NetScan
vol3 -f <memory_dump> windows.netscan.NetScan | grep <PID>
Scans the dump for FILE_OBJECTs: every file that was open or mapped, with its virtual offset (filescan does not show PIDs; use handles for the per-process view)
vol3 -f <memory_dump> windows.filescan.FileScan
Extract one of those files by its virtual address
vol3 -f <memory_dump> windows.dumpfiles.DumpFiles --virtaddr <Virtual_Address_Here>
Handles held by a process (files, registry keys, mutexes, processes, threads); shows which files it has open
vol3 -f <memory_dump> windows.handles.Handles --pid <PID>
List the registry hives present in memory (virtual offset and on-disk path, e.g. each user's NTUSER.DAT)
vol3 -f <memory_dump> windows.registry.hivelist.HiveList
Which user (SIDs) a process runs as
vol3 -f <memory_dump> windows.getsids.GetSIDs --pid <PID>
Dump to file (-o sets the output directory)
## Dumps the file objects (executable, DLLs, opened files) of the PID into ./dump
vol3 -f <memory_dump> -o dump windows.dumpfiles.DumpFiles --pid <PID>
## Dumps just the process executable of the selected PID
vol3 -f <memory_dump> -o dump windows.pslist.PsList --pid <PID> --dump
List network connections (IPs, ports, state, owning PID); netscan carves and also finds closed/terminated entries, netstat walks the live tables
vol3 -f <memory_dump> windows.netstat.NetStat
There is no windows.sockets plugin in Volatility 3 (the old sockets plugin was Volatility 2, XP/2003 only); filter the netscan/netstat output by PID instead
Find text with strings (Windows memory holds many UTF-16LE strings, so also run strings -el <file.mem>)
strings <file.mem> | grep "127.0.0.1"
strings <file.mem> | grep -Ei "tcp|udp|http|dns|ip"
Find possible code injection (VADs with PAGE_EXECUTE_READWRITE protection and no mapped file)
vol3 -f <memory_dump> windows.malfind.Malfind
Hex dump starting at an offset; bound it with -l <bytes> rather than Ctrl-C'ing it after half a second
xxd -s <0xoffset> -l <bytes> <memory_dump> > output.txt
Where to start, step by step (Windows dump: mount it, then establish domain context and shares)
# Mount dump
memprocfs.exe -device memory.dmp -forensic 2 -license-accept-elastic-license-2-0
#quick overview of the system
python vol.py -f memory.dmp windows.info.Info
# To find the SYSTEM hive virtual offset if needed (replace 0x<offset> with actual offset from hivelist if printkey fails to find it automatically)
# python vol.py -f memory.dmp windows.registry.hivelist.HiveList
# Query Tcpip Parameters for Domain
python vol.py -f memory.dmp windows.registry.printkey.PrintKey --key "SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
# Query Winlogon for DefaultDomainName
python vol.py -f memory.dmp windows.registry.printkey.PrintKey --key "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Environment variables, especially for system-level or user-specific processes, can reveal domain context.
python vol.py -f memory.dmp windows.envars.Envars
#Look for sections detailing domain information, domain SIDs, or cached credentials that include a domain name (e.g., DOMAIN\username).
python vol.py -f memory.dmp windows.lsadump.Lsadump
# this can show active or recent connections to domain controllers (e.g., for DNS, Kerberos, LDAP, SMB).
python vol.py -f memory.dmp windows.netscan.NetScan
python vol.py -f memory.dmp windows.netstat.NetStat
# This key holds one value per configured share (the value name is the share name); each value is a multi-string with the share's Path=, Permissions=, Remark= and Type= fields
python .\vol.py -f memory.dmp windows.registry.printkey.PrintKey --key "SYSTEM\CurrentControlSet\Services\LanmanServer\Shares"
# This plugin lists open handles for processes. The System process (PID 4) is often responsible for SMB file sharing operations.
python .\vol.py -f memory.dmp windows.handles.Handles --pid 4
Wireshark display filters (XSS payloads in HTTP, traffic between two hosts)
http.request.method == "GET"
http contains "<script>"
http.request.uri contains "<script>"
http.request.method == "POST" && http contains "<script>"
http.request.method == "GET" && http.request.uri contains "/reviews.php"
(ip.src == 192.168.1.10 && ip.dst == 192.168.1.20) || (ip.src == 192.168.1.20 && ip.dst == 192.168.1.10)
same as: ip.addr == 192.168.1.10 && ip.addr == 192.168.1.20
Calculate SHA256 of a file's content in Splunk (sha256() eval function)
index=your_index "file_content_field"
| eval file_sha256=sha256(file_content_field)
| table _time file_path_field file_sha256
Suricata eve.json alerts in Splunk: top signatures, then alerts towards one destination
event_type=alert | stats count by alert.signature | sort -r count
event_type=alert dest_ip=<IP>
Get started with RITA: from pcap to RITA import
## make new dir for the zeek conversion
mkdir <import-dir>
cd <import-dir>
## Convert .pcap with zeek into new folder
zeek -r ../<xxxx.pcap> local
cd ..
## Import into RITA
sudo rita import <import-dir> <DATABASE>
Show beacons (SRC -> DST pairs scored on connection regularity; -H for human-readable output)
sudo rita show-beacons <DATABASE> -H
Show DNS requests
sudo rita show-exploded-dns <DATABASE> -H
Create HTML report
sudo rita html-report <DATABASE>
Mount a .dmp file on Windows (MemProcFS presents it as a virtual drive, M: by default; -forensic starts the forensic analysis)
.\memprocfs.exe -device '..\..\..\xxxx.dmp' -forensic 3
Ransomware Group Sites - http://ransomwr3tsydeii4q43vazm7wofla5ujdajquitomtd47cxjtfgwyyd.onion/
Web technology fingerprinting: Wappalyzer browser extension (https://chrome.google.com/webstore/detail/wappalyzer-technology-pro/gppongmhjkpfnbhagpmjfkannfbllamg)
WhatRuns, BuiltWith and WhatCMS can be used as alternatives to Wappalyzer.
Employee / contact lookup (OSINT): SalesQL, RocketReach, Apollo and ContactOut.
Malware analysis VM: https://github.com/mandiant/flare-vm
AWS CloudTrail triage with jq. Example log record so we have something to reference
If everything is in .gz files, extract them first (the extracted/ directory must already exist)
find <FOLDER PATH> -type f -name '*.gz' -exec bash -c 'gunzip -c "$1" > "extracted/$(basename "$1" .gz)"' _ {} \;
{
  "Records": [
    {
      "eventVersion": "1.08",
      "userIdentity": {
        "type": "IAMUser",
        "principalId": "AIDASB5TRRVA2IJTZIHFX",
        "arn": "arn:aws:iam::141573590337:user/business_analyst_peter",
        "accountId": "141573590337",
        "accessKeyId": "AKIASB5TRRVA7X2BMWT2",
        "userName": "business_analyst_peter"
      },
      "eventTime": "2023-08-18T03:44:58Z",
      "eventSource": "ec2.amazonaws.com",
      "eventName": "DescribeInstances",
      "awsRegion": "us-west-2",
      "sourceIPAddress": "73.152.61.248",
      "userAgent": "aws-cli/1.22.34 Python/3.10.6 Linux/5.15.0-60-generic botocore/1.23.34",
      "errorCode": "Client.UnauthorizedOperation",
      "errorMessage": "You are not authorized to perform this operation.",
      "requestParameters": {
        "instancesSet": {},
        "filterSet": {}
      }
    }
  ]
}
jq -r '...' extracted/*.json: processes all JSON files
.Records[]?: iterates through the records (the ? swallows files without a Records array)
select(.sourceIPAddress != null and .userIdentity.accessKeyId != null): keeps only records with both fields (drops some internal service events)
[.sourceIPAddress, .userIdentity.accessKeyId] | @tsv: builds a two-element array of IP and key ID and formats it as tab-separated values
| sort | uniq: keeps the unique pairs across all files
> ip_key_pairs.tsv: saves the result to a file named ip_key_pairs.tsv
jq -r '.Records[]? | select(.sourceIPAddress != null and .userIdentity.accessKeyId != null) | [.sourceIPAddress, .userIdentity.accessKeyId] | @tsv' extracted/*.json | sort | uniq > ip_key_pairs.tsv
Look for unique IPs that do not match the organisation's usual ranges and narrow it down from there
select(.sourceIPAddress == "185.5.248.11"): filters the records, keeping only those whose sourceIPAddress exactly matches the IP of interest
.eventTime: extracts the timestamp from the filtered records
-r: outputs the timestamps as raw text strings
| sort: sorts the timestamps chronologically (ISO 8601 format sorts correctly as text)
| head -n 1: takes only the first line of the sorted output, i.e. the earliest eventTime
Find the first entry for an IP: sort chronologically and keep only the earliest value
jq -r '.Records[]? | select(.sourceIPAddress == "<IP ADDRESS>") | .eventTime' extracted/*.json | sort | head -n 1
Find all CreateAccessKey events and show the whole event (a new key created from an attacker's IP is a persistence indicator)
jq '.Records[]? | select(.eventName == "CreateAccessKey")' extracted/*.json
Export every event from the IP as one JSON object per line (time, key or ARN, service, API call, parameters) to a new file
jq -c '.Records[]? | select(.sourceIPAddress == "<IP ADDRESS>") | {eventTime, sourceIPAddress, accessKeyId: (.userIdentity.accessKeyId // .userIdentity.arn // "Unknown"), eventSource, eventName, requestParameters}' extracted/*.json > attacker_activity_details.jsonl
Then look through eventName / requestParameters for anything worth digging into further (bucket names, user names, instance IDs)
Find who disabled CloudTrail logging (StopLogging / DeleteTrail): prints the distinct identity types (IAMUser, AssumedRole, ...) that ran those calls. Note this does not filter by IP; use .userIdentity.arn instead of .type to see the actual user or role
jq -r '.Records[]? | select(.eventName == "StopLogging" or .eventName == "DeleteTrail") | .userIdentity.type' extracted/*.json | sort | uniq
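The same questions the jq one-liners above answer (IP/key pairs, first-seen time, activity of one IP, who stopped logging), as an added Python example that is my own code, not from AWS or any tool. The records are constructed to mirror the sample record format earlier in these notes; 185.5.248.11 is taken as the attacker IP and the key AKIAEXAMPLENEWKEY001 is made up. It goes slightly beyond the jq lines by also treating UpdateTrail and PutEventSelectors as logging tampering and by reading .gz files directly.

```python
"""The jq CloudTrail questions, answered in Python over the same JSON.
Added example (not from AWS or any tool). Records are constructed to mirror
the sample record format; 185.5.248.11 is an assumed attacker IP and
AKIAEXAMPLENEWKEY001 is a made-up key."""
import glob
import gzip
import json
from typing import List, Optional, Set, Tuple

# StopLogging/DeleteTrail from the notes, plus two calls that also weaken a trail
LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}


def load_records(pattern: str) -> List[dict]:
    """Read every CloudTrail file matching the glob, plain .json or still gzipped."""
    records: List[dict] = []
    for path in sorted(glob.glob(pattern)):
        opener = gzip.open if path.endswith(".gz") else open
        with opener(path, "rt") as fh:
            records.extend(json.load(fh).get("Records") or [])
    return records


def ip_key_pairs(records: List[dict]) -> Set[Tuple[str, str]]:
    """Unique (sourceIPAddress, accessKeyId) pairs; a known key from a new IP stands out."""
    return {(r["sourceIPAddress"], r["userIdentity"]["accessKeyId"])
            for r in records
            if r.get("sourceIPAddress") and (r.get("userIdentity") or {}).get("accessKeyId")}


def first_seen(records: List[dict], ip: str) -> Optional[str]:
    """Earliest eventTime for an IP (ISO 8601 strings compare chronologically)."""
    times = [r["eventTime"] for r in records if r.get("sourceIPAddress") == ip]
    return min(times) if times else None


def activity(records: List[dict], ip: str) -> List[dict]:
    """Chronological, trimmed view of every event from one IP (same fields as the jq JSONL export)."""
    out = []
    for r in sorted(records, key=lambda r: r.get("eventTime", "")):
        if r.get("sourceIPAddress") != ip:
            continue
        ident = r.get("userIdentity") or {}
        out.append({"eventTime": r.get("eventTime"), "sourceIPAddress": ip,
                    "accessKeyId": ident.get("accessKeyId") or ident.get("arn") or "Unknown",
                    "eventSource": r.get("eventSource"), "eventName": r.get("eventName"),
                    "errorCode": r.get("errorCode"), "requestParameters": r.get("requestParameters")})
    return out


def logging_tampering(records: List[dict], ip: Optional[str] = None) -> List[Tuple[str, str, str, str]]:
    """(eventTime, eventName, identity type, ARN) for calls that stop or weaken a trail;
    restricted to one source IP when given, unlike the jq line."""
    return [(r["eventTime"], r["eventName"],
             (r.get("userIdentity") or {}).get("type", "?"), (r.get("userIdentity") or {}).get("arn", "?"))
            for r in records
            if r.get("eventName") in LOGGING_TAMPER and (ip is None or r.get("sourceIPAddress") == ip)]


PETER = {"type": "IAMUser", "arn": "arn:aws:iam::141573590337:user/business_analyst_peter",
         "accessKeyId": "AKIASB5TRRVA7X2BMWT2"}
SAMPLE_RECORDS = [  # constructed, modelled on the sample record in these notes
    {"eventTime": "2023-08-18T03:44:58Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "sourceIPAddress": "73.152.61.248", "userIdentity": PETER, "errorCode": "Client.UnauthorizedOperation",
     "requestParameters": {"instancesSet": {}, "filterSet": {}}},
    {"eventTime": "2023-08-18T03:50:02Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "sourceIPAddress": "185.5.248.11", "userIdentity": PETER, "requestParameters": None},
    {"eventTime": "2023-08-18T04:02:11Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "sourceIPAddress": "185.5.248.11", "userIdentity": PETER,
     "requestParameters": {"userName": "business_analyst_peter"}},
    {"eventTime": "2023-08-18T04:05:40Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "sourceIPAddress": "185.5.248.11", "userIdentity": dict(PETER, accessKeyId="AKIAEXAMPLENEWKEY001"),
     "requestParameters": {"name": "management-trail"}},
    {"eventTime": "2023-08-18T05:00:00Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "sourceIPAddress": "ec2.amazonaws.com", "userIdentity": {"type": "AWSService", "invokedBy": "ec2.amazonaws.com"}},
]

if __name__ == "__main__":
    records = SAMPLE_RECORDS          # real run: load_records("extracted/*.json*")
    attacker = "185.5.248.11"
    print("ip/key pairs:", sorted(ip_key_pairs(records)))
    print("first seen:", first_seen(records, attacker))
    for e in activity(records, attacker):
        print(e["eventTime"], e["eventSource"], e["eventName"], e["errorCode"] or "")
    print("logging tampering:", logging_tampering(records, attacker))
```

On the constructed data the story reads off directly: Peter's key appears from two IPs, the foreign IP's first event is a ListBuckets before the key was created, and the StopLogging call was made with the new key. Service-originated events (sourceIPAddress like ec2.amazonaws.com, no accessKeyId) fall out of the pair list just as the jq select did.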