Index

Symbols

0xsp Mongoose RED

reference link 314

0xsp Mongoose RED for Windows

using 314

0xsp Mongoose v1.7

using 313

/etc/passwd file

using 309

A

accessibility features

exploiting 292, 293

access token manipulation 291, 292

Actions on Objectives stage 74

data exfiltration 75

Active Directory (AD) 269

active reconnaissance

versus passive reconnaissance 150

active sensors 369

detection capabilities 369-371

Acunetix 504

Address Resolution Protocol (ARP) 267

admin shares 271

Advanced Persistent Threats (APTs) 68, 150

Aircrack-ng 92, 93

Airgeddon 93, 94

Airgraph-ng 138

URL 139

alerts

avoiding 286, 287

AlienVault Unified Security Management (USM) Anywhere

reference link 394

alternate data streams (ADSs) 252

Amazon Web Services (AWS) logs 514-516

accessing, from Microsoft Sentinel 516-518

Androguard 213

download link 213

Android

rooting 309

apache-scalp tool

download link 514

applications 12

application shimming 293-298

AppLocker documentation

reference link 331

ArcSight Enterprise Security Manager (ESM)

reference link 485

Armitage

using 191

ARP spoofing attack 268

Ashley Madison incident 158

asset inventory tools 480

Foundstone’s Enterprise (McAfee) 481

LANDesk Management Suite 481

Peregrine tools 480

attacks, and end user

correlation 4

attacks, current trends

analyzing 156

Automated Indicator Sharing 399

reference link 399

AWS CloudTrail events

reference link 518

Azure Active Directory (Azure AD) 20, 360

Azure Activity logs 518

accessing, from Microsoft Sentinel 520, 521

Azure Threat and Vulnerability Management 492, 493

B

Backdoor.Oldrea 302

backdoors 164, 165

securing against 165, 166

Beacon, Command & Control (C&C) 251

behavior analytics, in hybrid cloud 382

for PaaS workloads 385, 386

Microsoft Defender for Cloud 382-385

behavior analytics on-premises

device placement 382

UEBA 379-382

BlackEnergy 302

Blue Team 25, 26

breached host analysis 268

bring your own device (BYOD) methodology 3, 238, 323

with corporate app approval isolation 13

broken authentication 203

Bro Network Security Monitor

reference link 394

Bucket 173

buffer overflows 187

business continuity plan (BCP) 455, 456

developing 456, 457

effective business continuity plan, creating 457, 458

business impact analysis (BIA) 443, 449

disruption impacts, identifying 449

key IT resources, identifying 449

recovery priorities, developing 450

C

Cain and Abel tool 144, 145

Calculator 252

canary token links 149

CATT 148, 149

URL 149

central administrator consoles 268

Central Intelligence Agency (CIA) server 166

CERT Coordination Center 483

Checkmarx

URL 185

Check Point firewall log 512

Chief Executive Officer (CEO) 3

Chief Information Security Officer (CISO) 3

Chrome zero-day vulnerability (CVE-2019-5786) 183

management ports, closing

recommendations 9

cloud

hacking 166-168

usage challenges 176

cloud disaster recovery

best practices 460

cloud hacking tools

Bucket lists 173

CloudTracker 172

FDNSv2 173

flAWS 170, 172

Knock Subdomain Scan 174

LolrusLove 169, 170

Nimbusland 168, 169

OWASP DevSlop tool 173

Prowler 2.1 170

cloud network visibility 362-367

cloud security

customer responsibilities 176

provider responsibilities 175

recommendations 175

responsibility 175

Cloud Security Alliance (CSA) 13

Cloud Security Posture Management (CSPM) platform 21, 22, 337

CloudTracker 172

download link 173

Cobalt Strike DNS Beaconing

query 436

Command and Control (C&C) server 207

Command and Control tactics 101, 102

Common Configuration Enumeration (CCE)

reference link 333

Common Vulnerabilities and Exposures (CVE)

reference link 333

Comodo

reference link 182

Comodo Advanced Endpoint Protection’s Dragon Platform 97, 98, 483, 491

Active Breach phase 101, 102

intrusion phase 99-101

preparation phase 99

Comodo Cybersecurity 483

Component Object Model (COM) 258

compromised system

investigating, in hybrid cloud 423-430

compromised system on-premises

investigating 420-423

computer security incident response (CSIR) 31

conditions, for evaluating app

file hash 330

path 330

publisher 330

Container 301

contingency planning 447

Cozy Bear 16

credential exploitation 282, 283

Credential Manager (CredMan) store 274

credentials 11

credential theft scenarios

enterprise users 220

example 221, 222

home users 220

Critical Stack Intel Feed

reference link 394

cross-site scripting (XSS) 202, 203

crypto 16

current threat landscape 2-5

apps 12, 13

credentials 11, 12

data 14

ransomware 7

supply chain attacks 5, 6

cyber attack

anatomy 156

cyber-attack strategies 57

blind testing strategy 58

external testing strategies 57

internal testing strategies 57, 58

targeted testing strategy 58

cybercriminal 390

cyber defense strategies

defense-in-breadth 59, 60

defense-in-depth 58, 59

cyber espionage 390

Cybersecurity and Infrastructure Security Agency (CISA) 2

cybersecurity, challenges 15

old techniques 15, 16

shift, in threat landscape 16, 17

Cybersecurity Kill Chain 68

Actions on Objectives 74

command and control 74

delivery 70

evolution 84

exploitation 70

installation 73

limitations 84

Lockheed Martin Cyber Kill Chain 68

obfuscation 75, 76

reconnaissance 68

security awareness 79-81

security controls, using 77, 78

tools, using 85

UEBA, using 78, 79

weaponization 70

cyber-security strategies, for businesses 61

access limitations, for employees 63

backup copies, using 63

computers, protecting from infiltration tactics 62

firewall security, for internet connections 62

information, protecting from infiltration tactics 62

networks, protecting from infiltration tactics 62

passwords, changing 63

physical restrictions, implementing 63

security principles training, for employees 62

software updates, using 62

unique user accounts, using 63

Wi-Fi networks, securing 63

cyber strategy 53

building 53

business, defining 54

documentation 55

need for 56

threats and risks, defining 54

Cyber Threat Intelligence (CTI) 390

Cycript 214

download link 215

D

Data Centers (DCs) 252

data correlation 370, 507, 508

example, to review logs 508

data exfiltration 75

data manipulation attacks 160, 161

data manipulation attacks, countering

data encryption, using 162

endpoint visibility 162

file integrity monitoring (FIM) 162

input validation 162

integrity checking 161

logging activity 162

Data Protection Application Programming Interface (DPAPI) 274

data states

countermeasures 14

threats 14

Deauther board 94

defense-in-breadth approach 59

defense-in-depth approaches 58, 59

delivery 70

Democratic National Committee (DNC) 16

Department of Homeland Security (DHS) 399

devices

everyday devices, hacking 166

disaster recovery, best practices 459

cloud 459, 460

hybrid 460

on-premises 459

disaster recovery plan (DRP) 441

benefits 442

creating 444

testing 444

disaster recovery planning process 442

approval, obtaining 445

challenges 445

data, collecting 444

disaster recovery team, forming 442

plan, maintaining 445

processes and operations, prioritizing 443

recovery strategies, determining 444

risk assessment, performing 443

discretionary access control list (DACL) 184

distributed denial of service (DDoS) attacks 2, 162, 203, 204

DLL injection 301

DLL search order hijacking 302, 303

DNSDumpster 133, 134

URL 133

DNSRecon tool 132, 133

documents in transit 345-348

Domain Active Directory Database (NTDS.DIT) 274

Domain Controller (DC) 382

Duqu 302

Dylib hijacking 303

E

elements, of vulnerability strategy

people 474

process 475

technology 475

email pillaging 269

Endpoint Detection and Response (EDR) 348

endpoints 348

enumeration 69

Erdal’s Cybersecurity Blog 117

EternalBlue exploit 391

European Union Agency for Cybersecurity (ENISA) 5

Event Tracing for Windows (ETW) traces 383

EvilOSX 96

URL 97

Exodus 206, 207

exploitation 70

examples 72, 73

privilege escalation 71

Exploit-DB 117

exploits 284

exploration of vulnerabilities 304, 305

external reconnaissance 105

dumpster diving 108

social engineering 109, 110

social engineering attacks 110

social media, scanning 106, 107

external reconnaissance tools

FOCA 126

Keepnet Labs 137

open-source intelligence (OSINT) 129

PhoneInfoga 127

SAINT 117

Seatbelt 118

theHarvester 128

Webshag 125

extortion attacks 156-160

Extra Window Memory (EWM) injection 310

F

Fancy Bear 16

FDNSv1 Dataset

reference link 173

FDNSv2 Dataset

reference link 173

Federal Emergency Management Agency (FEMA) 458

Federal Information Security Management Act (FISMA) 34

file integrity monitoring (FIM) 162

firewall logs 512, 513

flAWS 170, 172

flAWS v2

reference link 171

FOCA 126

URL 127

using 126

footprinting 69

examples 69

Foundstone’s Enterprise (McAfee) 481

Frida 213

download link 214

fuzzing 184

G

GCP IAM logs 521

reference link 523

Google Cloud Platform Logs 522, 523

Group Policy Object (GPO) 325

H

hacktivist 390

Hak5 Plunder Bug 147, 148

URL 148

Hiren’s BootCD

download link 192

operating systems, compromising 191, 192

HoboCopy 95

URL 95

Homeland Security Exercise and Evaluation Program (HSEEP) 24

hooking 310

horizontal privilege escalation 72, 280

versus vertical privilege escalation 71

host-based intrusion detection systems (HIDS) 244

Hot Potato 314

download link 315

hybrid cloud

compromised system, investigating in 423-430

hybrid cloud network security 360-362

hybrid disaster recovery approach

best practices 460

Hydra 91

URL 92

workings 92

I

IDA PRO 186

identity

multi-layer protection 12

Identity and Access Management (IAM) 172

incident handling 37-40

checklist 40, 41

incident life cycle

containment phase 37

detection phase 37

post-incident activity phase 37

preparation phase 37

incident response, in cloud

considerations 48, 49

toolset 49

updating 49

incident response process 31, 32

creating 34-36

definition 35

from CSP perspective 50

guidelines 33

objective, establishing 35

priority and severity level, determining 35

roles and responsibilities 35

scope 35

security considerations 32, 33

significance 32

terminology 35

incident response team 36

on-call process 36

shifts 36

team allocation 36

indicators of attack (IoAs) 34, 435

indicators of compromise (IoCs) 25, 34, 371-373, 391, 435

infiltration 241, 279

information management tools 482-485

Infrastructure as a Service (IaaS) 4, 48, 175, 345

Initial Access phase, MITRE ATT&CK

recommendations 8

InsightVM 491

Instant Online Crash Analysis

URL 510

internal reconnaissance 116

internal reconnaissance tools 137

Airgraph-ng 138, 139

Cain and Abel tool 144, 145

Canary token links 149

CATT 148

Hak5 Plunder Bug 147, 148

Masscan 144

Nessus 145

Nmap 141, 142

Prismdump 139

scanning tools 139

Scanrand 144

sniffing tools 139

tcpdump 140

wardriving 146

Wireshark 143

Internal Revenue Service (IRS) 167

International Mobile Equipment Identity (IMEI) code 207

Internet of Things (IoT) 2, 81, 162

inter-process communications (IPCs) 100, 268

Intruder 488

URL 487

intrusion detection systems (IDSs) 16, 244, 375, 376

intrusion prevention system (IPS) 378

anomaly-based detection 379

rule-based detection 378

iOS Implant Teardown 210

IoT device attacks 163

IoT devices

securing 163, 164

iPhone hack by Cellebrite 208

issue

key artifacts 414-419

scoping 413, 414

IT and Cyber Risk Management software 454

IT contingency planning process 448

business impact analysis (BIA), conducting 449

contingency planning policy development 448

plan maintenance 453

preventive controls, identifying 450

recovery strategies, developing 450

J

jailbreaking 281

John the Ripper 90, 91

URL 91

K

Keepnet Labs 137

URL 137

key distribution center (KDC) 271

Key Performance Indicator (KPI) 338

Kismet 88, 89

URL 89

Knock Subdomain Scan 173

download link 174

Kon-Boot

operating systems, compromising 191, 192

Kusto Query Language (KQL) 429, 518

L

LANDesk Management Suite 481

lateral movement

Active Directory 269-271

admin shares 271

alerts, avoiding 252

AppleScript 268

application deployment 266

ARP spoofing 267

Beacon, Command & Control (C&C) 251

breached host analysis 268

central administrator consoles 268

email pillaging 269

file shares 256-258

graph, navigating 252

IPC (OS X) 268

lsass.exe process 273

malware installs 250

network sniffing 267

Pass-the-Hash (PtH) 271, 272

Pass the Ticket 271

performing 250

port scans 253, 254

PowerShell 260, 261

PowerSploit 261, 262

Remote Desktop 259

Remote Registry 265

removable media 265

scheduled tasks 264

stolen credentials 264

Sysinternals 254-256

tainted shared content 265

TeamViewer 266

thinking like hacker 251

token stealing 264

user = admin 251

user compromised stage 250

vulnerability = admin 251

Windows DCOM 258

Windows Management Instrumentation (WMI) 262, 264

Winlogon 273

workstation admin access 251

launch daemon 306

Linux Live CD

operating systems, compromising 192

Linux logs 511, 512

live CD 446

live recovery 446, 447

Log Parser

download link 513

LolrusLove 169

download link 170

lsass.exe process 273

M

malware 286

managed services provider (MSP) 444

man-in-the-disk 208

Masscan 144

Maximum Tolerable Downtime (MTD) 443, 446

Mean time to compromise (MTTC) 25

Mean time to privilege escalation (MTTP) 25

MetaDefender Cloud TI feeds

reference link 393

Metasploit 85, 86, 196

URL 87

using 189, 190

Meterpreter 306

methods, to gain privileged access

credential exploitation 282, 283

exploits 284

malware 286

misconfigurations 283, 284

privileged vulnerabilities 284, 285

social engineering 285

Microsoft Defender for Cloud 382-385, 423

integrating, with SIEM for investigation 430-434

Microsoft Graph Security API Add-On for Splunk

reference link 430

Microsoft Security Development Lifecycle (SDL)

reference link 13

Microsoft Sentinel 407-410

AWS logs, accessing from 516-518

Azure Activity logs, accessing from 520, 521

Hunting page 435

Microsoft threat intelligence 407

reference link 407

MineMeld

reference link 394

MiniStumbler 146

misconfigurations 283, 284

MITRE

reference link 182

MITRE ATT&CK

documentation, references 7

reference link 402

URL 44, 403

using 401-406

mobile device management (MDM) 4

mobile phone (iOS / Android) attacks 205

Exodus 206, 207

iOS Implant Teardown 210

iPhone hack by Cellebrite 208

man-in-the-disk 208

SensorID 207, 208

Spearphone 209

Tap ‘n Ghost 209, 210

MS14-068 vulnerability 304

multi-cloud 22, 23

Multi-Factor Authentication (MFA) 11, 355

N

National Cybersecurity and Communications Integration Center (NCCIC) 399

National Security Agency (NSA) 164

Nessus 145, 493

URL 494

vulnerability management, implementing 493-500

Nessus vulnerability scanner 196

installing 188

using 188

NetScreen firewall log 512

NetStumbler 146

net utility 257

network

discovering, with network mapping tool 351-353

network access control (NAC) system 354

network intrusion detection systems (NIDS) 244

Network Management System (NMS) 6

network mapping 242-244

blocking 247

clever tricks, using 249

close/block 245-247

fixing 245, 246

scanning 245, 246

scans, detecting 248

slowing down 247

network microsegmentation 348

Network Operations Center (NOC) 389

network scanning 69

network security

defense-in-depth approach 343, 345

infrastructure 345

services 345

network sniffing 267

Network Topology Mapper 351

New Technology LAN Manager (NTLM) 225

Nikto 87

URL 88

Nimbostratus tool

reference link 238

Nimbusland 168, 169

download link 168

Nishang 261

NIST

reference link 182

Nmap 141

advantages 142

functionalities 142

scans, detecting 248

scripting engine 249

URL 141

O

obfuscation 75

examples 76, 77

techniques 75

Office of Intelligence and Analysis (I&A) 390

OneDrive logs 509

on-premises disaster recovery

best practices 459

on-premises security 4

open-source intelligence (OSINT) 129

mini labs 131-133

URL 130

Open Threat Exchange (OTX) 395

reference link 397

OpenVAS 501

Open Web Application Security Project (OWASP) methodologies 59

operating system logs 508

Linux logs 511, 512

Windows logs 509-511

operating systems, compromising 191

with Hiren’s BootCD 191, 192

with Kon-Boot 191, 192

with Linux Live CD 192

with Ophcrack 194

with preinstalled applications 193, 194

Ophcrack

operating systems, compromising 194

organizational units (OUs) 325

OSINT mini labs 131

DNSDumpster 133, 134

Shodan 134

SpiderFoot 135

OWASP DevSlop tool 173

reference link 173

OWASP Top 10 Project

URL 197

P

Packet Storm Security 117

passive reconnaissance

versus active reconnaissance 150

Pass-the-Hash (PtH) 251, 271, 272, 422

credentials 272

mitigation recommendations 275, 276

password hashes 272

Patch Manager Plus 489, 490

payloads

deploying 188

PDF Examiner

reference link 235

Pegasus spyware 182

penetration testing 151

Peregrine tools 480

Persistence tactics 100, 101

personally identifiable information (PII) 35

Petya 158

phishing 177

example 177-180

phishing campaign 3

PhoneInfoga 127

URL 128

physical network segmentation 349-351

Platform as a Service (PaaS) 175, 385

port scanning 69, 253, 254

post-incident activity 41

real-world scenarios 42-47

PowerMemory

reference link 239

PowerShell 260, 261

PowerShell Empire’s credentials module

reference link 238

PowerShell scripts, from PyroTek3

reference link 270

PowerShell utility 258

PowerSploit 261

download link 262

preinstalled applications

operating systems, compromising 193, 194

Prismdump 139

Privilege Attribute Certificate (PAC) 271

privileged vulnerabilities 284, 285

privilege escalation 71, 279

accessibility features, exploiting 292, 293

access token manipulation 291, 292

Android, rooting 309

application shimming 293-298

Container Escape Vulnerability (CVE-2022-0492) 301

DLL injection 301, 302

DLL search order hijacking 302, 303

Dylib hijacking 303

/etc/passwd file, using 309

exploration of vulnerabilities 304, 305

extra window memory injection 310

hands-on example, on Windows target 306-308

hooking 310

horizontal privilege escalation 71, 280

launch daemon 306

new services 311

performing 287, 289

SAM file, dumping 308

scheduled tasks 311

startup items 312

sudo caching 312

unpatched operating systems, exploiting 290

User Account Control (UAC), bypassing 298-300

vertical privilege escalation 71, 281, 282

working 282

privilege escalation, tools

0xsp Mongoose RED for Windows 314

0xsp Mongoose v1.7 313, 314

Hot Potato 314

proactive cyber-security strategy

benefits 60, 61

ProcDump tool 422

Project Sonar 173

Prowler 2.1 170

download link 170

PsExec 255, 422

Q

Qualys 502

URL 487

R

ransomware 3, 7, 16, 158

Ransomware-as-a-Service (RaaS) 7

ransomware attacks

mitigation controls 10

Ransomware Tracker Indicators 398

reference link 398

reconnaissance 68, 105

combating 150

enumeration 69

external reconnaissance 105

footprinting 69

internal reconnaissance 116

passive, versus active reconnaissance 150

preventing 151

scanning 69, 70

tools, using 117

Recovery Point Objective (RPO) 443

recovery strategies

alternative sites 451

backups 451

classroom exercises 453

equipment replacement 452

functional exercises 453

plan testing 452

theoretical training 453

Recovery Time Objective (RTO) 444, 445

Red and Blue Team tools, for mobile devices

Androguard 213

Cycript 214

Frida 213, 214

Snoopdroid 212

Red/Blue Team 24

assume breach 26, 27

Red Team 24, 26, 223

workflow 25

reflective DLL injection 301, 302

Reg utility

reference link 427

remote access

securing, to network 353-355

Remote Access Tools (RATs) 309

Remote Code Execution (RCE) generator 182

Remote Desktop 259

advantage 259

disadvantage 259

programs 254

protocol 196

protocol connections 385

vulnerability 260

Remote Registry 265

remote system

compromising 195, 196

removable media 265

reporting and remediation tracking tools 487

resources

aggregating 349

response planning tools 487

risk assessment stage, vulnerability management strategy 467, 468

acceptable risks analysis 470, 471

data collection 469

policies and procedures analysis 469

scope 468

threat analysis 470

vulnerability analysis 469

risk assessment tools 485

risk management tools 453

IT and Cyber Risk Management software 454

RiskNAV 453

S

SAINT (Security Administrator’s Integrated Network Tool) 117

URL 118

SAM file

dumping 308

scanning 69

network scanning 69

port scanning 69

vulnerability scanning 70

Scanrand 144

scheduled tasks 264, 311

Seatbelt 118

active TCP connections 121, 122

example 119

launching 120, 121

URL 118

using, remotely 124

Security Accounts Manager (SAM) database 274

security awareness 79

benefits 80, 81

security awareness training

examples 324

security controls, for stopping Cyber Kill Chain

implementing 77

implementing, with security tools 78

SecurityFocus 483

security hygiene

need for 1, 2

Security Information and Event Management (SIEM) 78

Security Operations Center (SOC) 389

security policy

application whitelisting 329-333

automations 337

end user’s education 322

enforcement 325, 327

hardening 333, 334

in cloud 328, 329

monitoring, for compliance 335, 337

reviewing 319-321

security awareness training 324

security posture enhancement, driving via 337-339

shift left approach 321

social media security guidelines 323, 324

security posture

enhancing 18, 19

security posture enhancement

driving, via security policy 337-339

Seebug 117

SensorID 207, 208

Server Message Block (SMB) 391

service-level agreement (SLA) 36

service principal name (SPN) 270

shift left approach, security policy 321, 322

Shodan 134, 135

site-to-site VPN 355, 356

Snoopdroid 212

download link 212

Snort 378

download link 378

social engineering 285

social engineering attacks, for external reconnaissance

baiting 112

diversion theft 111

phishing 113

phone phishing (vishing) 114, 115

pretexting 110

quid pro quo 112

spear phishing 114

tailgating 112

water holing 111

social media security guidelines

for users 323, 324

Software as a Service (SaaS) 4, 48, 175

source code analysis 185, 186

Sparta 89, 90

Spearphone 209

SpiderFoot 135

URL 136

SQL injection 197, 198

SQL Injection Scanner 199

mini lab 199-201

SQLi Scanner 202

download link 202

startup items 312

stolen credentials 265

stored XSS 202

strategies, for compromising user identity 223, 224

access, gaining to network 225

adversary profiles, creating 223-225

brute force 227, 228

credentials, harvesting 225, 226

hash passing 236-238

methods, for hacking identity 238

social engineering 229-236

theft identification, through mobile devices 238

user identity, hacking 227

structured exception handling (SEH) 187, 188

sudo caching 312

supply chain attacks 5

countermeasure controls 6, 7

example 6

techniques 5

working 6

Sysinternals 254-256

system

compromising, steps 188

T

TA0002 Execution tactics 100

tainted shared content 265

Talos Intelligence 400

reference link 400

Tap ‘n Ghost 209, 210

targeted attack 15

tcpdump 140

URL 141

TeamViewer 266

techniques, used for obfuscation

drives, wiping 76

encryption 75

logs, modifying 76

onion routing 76

steganography 75

tunneling 76

theHarvester (email harvester) 128, 400

The Shadow Brokers (TSB) 392

threat actor escalation

scenarios and mitigations, to prevent 10

threat hunting 435, 437

threat intelligence 389-393

free threat intelligence feeds 398, 399

MITRE ATT&CK, using 401-406

open-source tools 393-398

threat life cycle management 81

discovery phase 82

forensic data collection phase 82

investigation phase 83

investment 81

neutralization phase 83

qualification phase 83

recovery phase 83

threats 2

token stealing 264

tools, Cybersecurity Kill chain

Aircrack-ng 92

Airgeddon 93

Deauther board 94

EvilOSX 96

HoboCopy 95

Hydra 91

John the Ripper 90

Kismet 88, 89

Metasploit 85, 86

Nikto 87

Sparta 89, 90

Twint 87

tools, for reconnaissance 117

Erdal’s Cybersecurity Blog 117

Exploit-DB 117

external reconnaissance tools 117

internal reconnaissance tools 137

Packet Storm Security 117

Seebug 117

Twint 87

URL 87

U

Universal Naming Convention (UNC) 100

unpatched operating systems

exploiting 290

UPnP Internet Gateway Device (IGD) Protocol Detection vulnerability 499

User Account Control (UAC)

bypassing 298-300

user and entity behavior analytics (UEBA) 78, 379

across different entities 379

using 78, 79

User Datagram Protocol (UDP) 247

user’s identity 219

automation 222

credentials 222

issues 220

strategies for compromising 223

V

vertical privilege escalation 72, 281, 282

versus horizontal privilege escalation 71

virtual local area network (VLAN) 349

virtual network segmentation 356-358

virtual switch

capabilities, enabling 358

VirusTotal 399

reference link 399

VPNFilter malware 3

vulnerability

exploiting 180

vulnerability assessment tools 486

vulnerability management

best practices 476, 477

strategies for improving 478-480

versus vulnerability assessment 476

vulnerability management strategy

asset inventory stage 464

creating 463

elements 474

information management 465-467

reporting and remediation tracking 472, 473

response planning 473, 474

risk assessment 467, 468

stages 464

versus vulnerability assessment 476

vulnerability assessment 471, 472

vulnerability management tools 480

Acunetix 504

asset inventory tools 480

Azure Threat and Vulnerability Management 492, 493

Comodo Dragon Platform 491

implementing, with Nessus 493-500

information management tools 482-485

InsightVM 491

Intruder 488

OpenVAS 501

Patch Manager Plus 489

Qualys 502

reporting and remediation tracking tools 487

response planning tools 487

risk assessment tools 485, 486

vulnerability assessment tools 486

Windows Server Update Services (WSUS) 490

vulnerability scanning 70

W

WannaCry 16, 156, 157

wardriving 146

weaponization 70

Web Application Firewalls (WAFs) 59

web-based systems

compromising 197

web server logs 513, 514

Webshag 125

using 126

WhatsApp vulnerability (CVE-2019-3568) 182

WinDbg

URL 510

Windows 10 privilege escalation 183

Windows Distributed Component Object Model (DCOM) 258

Windows Event Viewer 421

Windows logs 509-511

Windows Management Instrumentation (WMI) 100, 262, 264

Windows NT File System (NTFS) 252

Windows privilege escalation vulnerability (CVE-2019-1132) 184

Windows Server Update Services (WSUS) 490

Winlogon 273

Wireshark 143

URL 144

WordPress 165

Z

zero-day exploits 187

buffer overflows 187

structured exception handling (SEH) 187

zero-day vulnerabilities 180-182

Chrome zero-day vulnerability (CVE-2019-5786) 183

fuzzing 184

source code analysis 185, 186

WhatsApp vulnerability (CVE-2019-3568) 182

Windows 10 privilege escalation 183

Windows privilege escalation vulnerability (CVE-2019-1132) 184

Zero Trust Architecture (ZTA) 19

components 20

requisites 20

zero trust network

adoption, planning 360

building 358, 359

implementation 360
