DEV Community: Mihika

Linux Log Analysis | Hammered Lab | CyberDefenders

Mihika — Thu, 05 Dec 2024 17:10:19 +0000

Go to the CyberDefenders website, Open the lab & Download the challenge file Hammered Lab

Types of Logs given in the Challenge

kern.log: Logs related to the Linux kernel, including hardware, driver messages, and kernel errors.
auth.log: Authentication-related logs like login attempts, sudo use, and SSH access.
daemon.log: Logs from system daemons like cron, cupsd, and other services.
dmesg: Kernel ring buffer logs (boot info, hardware, drivers).
apache2: Apache web server logs (access and error logs for HTTP requests).

I am Analyzing these logs with powershell.

1. Which service did the attackers use to gain access to the system?
powershell command: Select-String -Path "auth.log" -Pattern "failed"
or
Select-String -Path "auth.log" -Pattern "accepted"

answer: SSH

2. What is the operating system version of the targeted system?
check dmesg or messages file, Look for entries mentioning the OS version or kernel version, typically near boot logs.
Linux version 2.6.24-26-server (buildd@crested) (gcc version 4.2.4 (Ubuntu 4.2.4-1ubuntu3))
answer: 4.2.4-1ubuntu3

3. What is the name of the compromised account?
filter: Select-String -Path "auth.log" -Pattern "Accepted" or
Select-String -Path "auth.log" -Pattern "failed"
users in log:
user1, user2, user3, root, dhg, fido
filter: Select-String -Path "auth.log" -Pattern "failed password for root"
the entries for failed password for root user is higher than other users.
answer: root

4. How many attackers, represented by unique IP addresses, were able to successfully access the system after initial failed attempts?
filter to extract accespted password enteries for root user:

Select-String -Path "auth.log" -Pattern "Accepted password for root" > AcceptedPass.txt

filter to extract IP addresses from AccesptedPass.txt :

Select-String -Path "AcceptedPass.txt" -Pattern "from" | ForEach-Object { ($_ -match "from (\d{1,3}(\.\d{1,3}){3})") ; $matches[1] } | Sort-Object | Select-Object -Unique > IPAddress.txt

Total 18 IP address , 1 IP is private removing it, now total is 17. answer should be 17, but it is showing wrong, there is something wrong in the challenge question . the correct answer according to challenge is 6 because there are 6 users in the logs.

5. Which attacker's IP address successfully logged into the system the most number of times?

answer: 219.150.161.20

6. How many requests were sent to the Apache Server?
navigate to folder apache2, open the terminal
filter: (Get-Content "www-access.log").Count
It will count enteries in log file uniquely
answer: 365

7. How many rules have been added to the firewall?
you have to find which firewall used in log file, it could be firewalld, ufw or iptables
navigate to the challenge directory, open the terminal
filter: Get-ChildItem -Path . -Recurse | Select-String -Pattern "iptables"
We found some references of iptables in auth.log file. No enteries related to firewalld, and there are some enteries related to ufw blocking incoming traffic.

You will see some entries for creating firewall rules using iptables

answer: 6

8. One of the downloaded files to the target system is a scanning tool. Provide the tool name.
navigate to challenge directory filter: Select-String -Path "dpkg.log" -Pattern "install"
Inspect the installed tools, you will find nmap, a scanning tool.
answer: nmap

9. When was the last login from the attacker with IP 219.150.161.20? Format: MM/DD/YYYY HH:MM:SS AM
filter: Select-String -Path "auth.log" -Pattern "accepted" | Select-String -Pattern "219.150.161.20"
answer: 04/19/2010 05:56:05 AM

10. The database displayed two warning messages, provide the most important and dangerous one.
Navigate to the directory where all the log files of this challenge is stored. filter: Get-ChildItem -Path . -Recurse | Select-String -Pattern "warning"
answer: mysql.user contains 2 root accounts without password!

11. Multiple accounts were created on the target system. Which one was created on Apr 26 04:43:15?
Navigate to challenge directory, and use filter, which will search for all occurances of "useradd" in the directory.
filter: Get-ChildItem -Path . -Recurse | Select-String -Pattern "useradd"
answer: wind3str0y

12. Few attackers were using a proxy to run their scans. What is the corresponding user-agent used by this proxy?
useragent info is present in www-access.log file, in 12th column, use filter to extract the column:
Get-Content access.log | ForEach-Object { ($_ -split "\s+")[11] } | Sort-Object | Get-Unique | Out-File useragents.txt

check the useragent, the one which is similiar to the proxy name.
answer: pxyscand/2.1

Log Analysis | Compromised wordpress | Privilege Escalation | Blue team labs online

Mihika — Tue, 03 Dec 2024 19:55:56 +0000

We are going to solve two labs in this blog. Go to Blue teams Labs online website, open our first lab & Download the file: Log Analysis - Compromised Wordpress
Let me tell you I am using Splunk here.

1. Identify the URI of the admin login panel that the attacker gained access to (include the token)
Use filter: source="access.log" | stats count by uri

answer: /wp-login.php/?itsec-hb-token=adminlogin

2. Can you find two tools the attacker used?
Use filter: source="access.log" | stats count by useragent

answer: sqlmap WPScan

3. The attacker tried to exploit a vulnerability in ‘Contact Form 7’. What CVE was the plugin vulnerable to? (Do some research!)
You can search this online

answer: CVE-2020-35489

4. What plugin was exploited to get access?
If you see requests to plugin directories that seem out of place, it could indicate an attempt to exploit a vulnerability in that plugin.
syntax: /wp-content/plugins/plugin_name/...
you can checkout this website and search specific plugin to find if it's associated with any vulnerability.
Exploit-DB www.exploit-db.com/

filter: source="access.log" method=POST | stats count by uri

ee-file-engine.php and ee-upload-engine.php, these files are part of the Simple File List plugin. Typically, the upload functionality within plugins can be targeted by attackers who want to upload malicious files.

The fr34k.php file located in the /uploads directory is highly suspicious. Typically, files in the uploads directory should contain user-generated media (like images, PDFs, etc.), not PHP scripts.

answer: simple file list 4.2.2

5. What is the name of the PHP web shell file?
answer: fr34k.php

6. What was the HTTP response code provided when the web shell was accessed for the final time?
filter: source="access.log" "fr34k.php" | stats count by _time method uri status

answer : 404

2nd Lab, Open & Download the file Log Analysis - Priviledge Escalation You can open the file in any Text Editor

1. What user (other than ‘root’) is present on the server?
you can see the command used, "cd /home/daniel/" in the given file
answer: daniel

2. What script did the attacker try to download to the server?
everything is pretty straight forward mentioned in the file
answer: linux-exploit-suggester.sh

3. What packet analyzer tool did the attacker try to use?
answer: tcpdump

4. What file extension did the attacker use to bypass the file upload filter implemented by the developer?
there is a mention of the removal of a file with .phtml extension. .phtml files are often treated as PHP scripts by web servers configured to recognize them as executable.
If the file upload filter was set to block common PHP file extensions like .php, .php3, .php5, or .phps, the attacker might have used .phtml as an alternate extension to evade these filters. After uploading the .phtml file, the attacker could access it through the server, and the server would execute it as PHP code. This allows the attacker to run arbitrary commands or use it as a web shell. The attacker deleted the uploaded .phtml file at the end to clean up traces of their activities and reduce the risk of detection.
answer: .phtml

5. Based on the commands run by the attacker before removing the php shell, what misconfiguration was exploited in the ‘python’ binary to gain root-level access? 1- Reverse Shell ; 2- File Upload ; 3- File Write ; 4- SUID ; 5- Library load

Commands like sudo -l and using Python to spawn a shell (./usr/bin/python -c ...) point toward attempts to elevate privileges.
answer: 4

Log Analysis | Sysmon | Blue Team Labs Online

Mihika — Tue, 03 Dec 2024 17:09:29 +0000

Go to Blue team Labs online website and open the lab : Log Analysis - Sysmon
Download the file. We have to investigate the sysmon logs & answer some of the questions related to it.

1. What is the file that gave access to the attacker?
Inspect logs, see if you find any suspicious event, weird commands for this use the filter

source="sysmon-events.json" | stats count by Event.EventData.CommandLine

You will find alot of suspicious commands, some of them trying to establish connection to C2 server, some downloading malcious file from internet, some executing malicious code using powershell in hidden window. you will see powershell.exe, supply.exe , but we have to find who started this process, for this use the filter.

source="sysmon-events.json"| stats count by Event.EventData.CommandLine Event.EventData.ProcessId Event.EventData.ParentProcessId

the very first command we found suspicious is powershell.exe which running a code in hidden window, the Parent process ID is 2848, which is associated to updater.hta, HTA files are essentially HTML files that are executed using the Microsoft HTML Application Host (mshta.exe). we can assume that updater.hta may have some malicious embedded hidden code in it which execute malicious command in powershell.
answer : updater.hta

2. What is the powershell cmdlet used to download the malware file and what is the port?
Use the same filter to find the command, you will see the powershell command the the cmdlet used.

answer: INvoke-WebRequest 6969

3. What is the name of the environment variable set by the attacker?
filter:

source="sysmon-events.json"| stats count by Event.EventData.CommandLine

answer: comspec=C:\windows\temp\supply.exe

4.What is the process used as a LOLBIN to execute malicious commands?
A LOLBIN (Living Off The Land Binary) refers to a legitimate, trusted executable or tool that is already present on the system. Attackers abuse these binaries to execute malicious commands or payloads, reducing the likelihood of detection by security software.
Common examples of LOLBINs include PowerShell, cmd.exe, ftp.exe, and wscript.exe, which are integral to the operating system.
In this case it could be powershell.exe or ftp.exe, because all malicious activity was started with powershell command it also downloads malicious file from internet like supply.exe, but in some instances of supply.exe the parent process is ftp.exe.
the correct answer according to the lab is ftp.exe

5. Malware executed multiple same commands at a time, what is the first command executed?

answer: ipconfig

6. Looking at the dependency events around the malware, can you able to figure out the language, the malware is written.
filter:

`source="sysmon-events.json" | stats count by Event.EventData.TargetFilename Event.EventData.Image`

supply.exe targets 2 dynamic-linked libraries: Python27.dll & msvcr90.dll. Python27.dll indicating that the malware likely includes or relies on Python code. msvcr90.dll is microsoft visual C++ Runtime 9.0 library, It suggests that the Python interpreter or the malware itself was compiled or linked with Visual C++.
answer: python

7. Malware then downloads a new file, find out the full url of the file download.
filter: source="sysmon-events.json" | stats count by Event.EventData.CommandLine

answer:

https://github.com/ohpe/juicypotato/releases/download/v0.1/JuicyPotato.exe

8. What is the port the attacker attempts to get reverse shell?
Reverse shell mean when attacker establishes a backdoor connection from the infected system to the attacker's Command and Control (C2) server, enabling the attacker to execute commands on the infected machine and potentially exfiltrate sensitive information.

supply.exe execute the command juicy.exe is likely a tool that exploits privilege escalation vulnerabilities, sets a local listner on port 9999. establish a connection to the attacker's machine at IP 192.168.1.11, port 9898. question is asking for the destination port (attacker's system port).
answer: 9898

(Trickbot) Malware Analysis Report

Mihika — Sat, 16 Nov 2024 19:45:15 +0000

This report provides a detailed analysis of malware.exe, Identified as the TrickBot Trojan.
TrickBot is a banking Trojan known for stealing payment credentials by redirecting victims to phishing websites. The malware is typically distributed via spearphishing emails. Those are typically attached in the form of malicious Microsoft Word or Excel files. One way of its spreading is by exploiting vulnerabilities in SMB, a protocol that allows Windows computers to easily share and access files and folders on other systems on the same network. Trickbot can be distributed through other malware.

Trickbot Infection Chain

The Target System for this Analysis is Windows 10 Virtual Machine.

File : malware.exe , PE32 windows executable 32 bit GUI
original filename : MfcTTT.EXE
File size: 550 kb
sha256 Hash : 9FDEA40A9872A77335AE3B733A50F4D1E9F8EFF193AE84E36FB7E5802C481F72

Tagged as : Trickbot, banker, emotet, dropper

Tools used during Analysis	HitmanPro, Process monitor, Wireshark, sysmon, Unpackme, Virustotal & other malware lookup and sandbox platform

VirusTotal result for malware.exe file. When this malware.exe was run, It created multiple copies of itself on different location, also detected by malware detector HitmanPro as seen in the figure below.

files were dropped at different location:
C:\ProgramData\аНаоすは래별.exe
C:\Users\Mihika\AppData\Roaming\NuiGet\аНаоすは래별.exe
C:\Users\Mihika\AppData\Roaming\NuiGet\oanwate.exe

As they are copies of same file malware.exe, hashes of these dropped files are exactly same.

Indicator of peristency:
Executable scheduled a task for command "C:\Users\Mihika\AppData\Roaming\NuiGet\аНаоすは래별.exe" to be triggered by boot & by time, one of the tactics by malware to stay persistent on the system or to conduct remote Execution as part of Lateral Movement, to gain system privileges.

Although no changes in registry was found. The main executable, malware.exe queried many registry keys to gather information about the system, configuration, and installed software, some of regKey gives info related to:

It checks supported languages of target system.
checks user profiles, computer name, and session states.
checks regional and language configurations on the system.
Reads security settings of Internet Explore.
checks computer location settings.

the malware is using these registry queries to assess the system security configurations, language settings, compatibility modes, and file system behaviors to ensure it can run effectively, evade detection, and operate without interference from security features.

Process:

Dropped Files:

PID	Process	Filename
8648	malware.exe	C:\ProgramData\аНаоすは래별.exe
6400	svchost.exe	C:\Users\Mihika\AppData\Roaming\NuiGet\settings.ini
1928	svchost.exe	C:\Users\Mihika\AppData\Roaming\NuiGet\аНаоすは래별.exe
2508	аНаоすは래별.exe	C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\c12d0fde896f3644257b320067f915f0_305fb52e-58c2-4e89-9603-23058808ae91

Connections:
Several reconnection attempts by svchost.exe (PID: 6400) to

static-200-116-199-10.une.net.co:449
185.222.202.76:https

IP address 185.222.202.76 is indicated as malicious on virustotal, and other online platforms, associated with trickbot.
Another connection attempts to static-200-116-199-10.une.net.co at port 449, also raise suspicion. The domain une.net.co is associated with a Colombian telecommunications company, UNE EPM Telecomunicaciones.
The IP 200.116.199.10 appears to belong to this network. Unusual connections to a non-standard port could indicate, Malicious activity like botnet communication or malware.

IOC (Indicator of Compromise)
File:
C:\ProgramData\аНаоすは래별.exe
C:\Users\OqXZRaykm\AppData\Roaming\NuiGet\аНаоすは래별.exe

malware.exe
IP:
200.116.199.10 : port 449
185.222.202.76

Mitigation Strategies
Block the IP 200.116.199.10 and port 449 in your firewall.
Block the IP 185.222.202.76

References:
Trickbot Infection in Network Traffic
How Malware can detect your Virtualisation environment

Understanding Email Analysis: A Simple Guide

Mihika — Tue, 08 Oct 2024 04:47:12 +0000

Well, I assume everyone knows what email analysis or email forensics is. As the name suggests, it's exactly that—analyzing emails. But why should we learn this? Because it's important and, honestly, quite easy.

Understanding email analysis is crucial to avoid mistakenly downloading malware that could completely destroy your system, install a keylogger, or give an attacker access to your computer. They could use your system in many ways, such as a C2 server. Even if you don't regularly check or read emails, consider working in an organization where everyone shares resources. What if one of the employees is an attacker—a friend during office hours but a black hat hacker at night? It's a real possibility, and that's why email analysis matters.

Starting Out: Essential Gmail Security Features

There are some important security features you should know about in Gmail. First, let's clarify what an email client is. It's the software or application you use to send and receive emails, examples include Microsoft Outlook, Gmail, and Apple Mail. Throughout this article, we'll focus on Gmail, but the general steps might vary slightly for other email clients.

Checking Recent Activity:

Open your Gmail web app > Go to the Social tab at the top > there's a "detail" option at the bottom of the page > click on it, it will show you all last access of the account, last 24 hours duration, IP address, device, location(country).

Go to Gmail setting > see all setting > forwarding tab > see if any forwarding rule is set. These rules automatically send your emails to another address specified in the rule.
Go to Gmail setting > see all setting > filter and block addresses tab, at the top > see any filter(rule) is set, Here you can see any filters (rules) that have been set. You can use filters to block specific email addresses or create custom rules for managing your inbox.

Understanding Email Logs

Email logs record every action taken on your email client, such as sending, receiving, deleting, moving, or blocking emails. It's important to note that accessing detailed email logs is typically only available for organizational email software like Google Workspace, where admin access is required. Unfortunately, Gmail does not currently offer this functionality for individual users.

Log in to your Gmail account > Click on your profile picture > Select "Manage your Google Account" > Go to the "Security" tab > Scroll down to "Your devices" and "Recent security events" .

Before analyzing email headers, let's examine the incident response steps taken when encountering a suspicious email:

I. Preparation: Roles are determined, with the IT team, incident response team, and SOC team collaborating.
II. Detection: SIEM is configured by creating phishing alerts, utilizing threat intelligence, and implementing detection rules. The SOC team conducts initial triage, assigning priority levels to tasks and individuals. Incidents are escalated or forwarded to the IR team as needed.
III. Investigation and Analysis: Email headers are examined using the email gateway and log data. The email body, links, and attachments are investigated in a sandbox environment. The attack type, access method, distribution method, timeline, and indicators of compromise (IOCs) are identified. Findings are documented and reported to the IR team.
IV. Containment and Eradication: The email is deleted, the endpoint is isolated, IOCs are blocked, and password resets are performed.
V. Recovery: System restoration and network monitoring are implemented.
VI. Lessons Learned: Incident debriefings, reporting, and training are conducted.

Understanding Email Fields:

Go to Gmail > open any email > can you see those 3 dots, at top-right, click it and select option " show original" this will take you to the email header and content info.

lets understand each field:

Return-Path: email@gmail.com undeliverables messages will be sent to this address.
Delivered-To: email@gmail.com where you want to send the email.
Authentication-Results: mail.enemywatch.net; dkim=none; dmarc=none; spf=fail (mail.enemywatch.net: domain of karen.marshall@olympus.co.uk does not designate 37.0.10.22 as permitted sender) smtp.mailfrom=karen.marshall@olympus.co.uk
-What it is: gives you Details on how the email passed or failed authentication checks.
-In this example: The email failed the SPF check, you can see "fail" value assigned to spf field, meaning the server sending the email (37.0.10.22) was not authorized by the domain’s settings. DKIM and DMARC checks were not performed.
Received: from olympus.co.uk (unknown [37.0.10.22]) by mail.enemywatch.net (Postfix) with ESMTP id 4HZl1q6rCqz9sVx for macrus.cobb@enemywatch.net; Thu, 21 Oct 2021 11:02:34 +0000 (UTC)
- What it is: Shows the path the email took from the sender to the recipient.
- Simple Explanation: The email came from the IP address 37.0.10.22 at olympus.co.uk and was processed by the mail server at enemywatch.net.
From: KAREN MARSHALL - sender name
To: macrus.cobb@enemywatch.net - receiver email address.
Date: 21 Oct 2021 04:02:30 -0700 : date and time when send, with 0700 time zone(Pacific Time).
Message-ID: 20211021040230.7ED68DD78D4A19F2@olympus.co.uk - a unique code to identify this specific email. created by email client
MIME-Version: 1.0 - This email uses MIME version 1.0, which is a standard for formatting emails.
Content-Type: multipart/mixed; boundary="----=_NextPart_000_0012_D6D683E4.D392FCEB" The email contains multiple parts (text and attachment), separated by the boundary "----=_NextPart_000_0012_D6D683E4.D392FCEB".
Content-Type: text/html; charset="iso-8859-1" -The main body of the email is HTML text encoded in ISO-8859-1.
Content-Transfer-Encoding: quoted-printable - The email content is encoded in a way that makes it safe for transmission.
X-Mailer - is the email client that used to create email ex: Microsoft outlook 14.0

In nutshell:

Header Field Description
Return-Path Where undeliverables messages are sent back.
Delivered-To The email address where the email was delivered.
Authentication-Results Email authentication results (SPF failed, DKIM and DMARC not checked).
Received The servers involved in delivering the email.
From The sender’s name.
To The recipient’s email address.
Subject The topic of the email.
Date When the email was sent.
Message-ID A unique identifier for the email.
MIME-Version Version of the MIME protocol used.
Content-TypeThe format of the email’s content(text & attachments).
Content The actual message and attachment in the email.

Email Header Important Fields:

1. SPF : sender policy framework, A security measure to verify if an email is coming from an authorized server. It tells the mail server which IP addresses are allowed to send emails for a domain. If the IP address of the server sending the email is not on the list, the email is flagged as suspicious. If you get an email claiming to be from your bank, SPF helps check if it’s really from the bank’s email server or from a fake one. Use an SPF checker tool like MXToolbox SPF Checker. If the IP address of the sender’s mail server is not listed in the SPF record, SPF fails, which might indicate the email is fake.

you can also check spf record of a domain from your terminal : dig @8.8.8.8 twitter.com txt +short

SPF records are DNS (Domain Name System) records specifically set by domain owners(hosting provider). They are published in the DNS records of the domain. These records specify which mail servers are allowed to send email on behalf of that domain. SPF is more relevant when emails are sent from domains where the domain owner has control over the SPF records, such as in the case of business email IDs using custom domains. When an organization or individual registers a domain name (e.g., twitter.com), they gain the ability to create custom email addresses using that domain.
For example, if Twitter registers the domain twitter.com, they can create email addresses like support@twitter.com, info@twitter.com, etc., for their own use, for that the domain owner needs email hosting services.

this is what failed spf looks like: Authentication-Results: mail.example.com; spf=fail (mail.example.com: domain of sender@example.com does not designate 203.0.113.1 as permitted sender) smtp.mailfrom=sender@example.com

If SPF fails, it doesn’t always mean the email is fake, but it raises a red flag. You should consider other checks (like DKIM and DMARC).

2. DKIM (DomainKeys Identified Mail) : DKIM is an email authentication method designed to verify that an email message has been sent and authorized by the domain it claims to be from and that the content of the email has not been tampered with during transit.
A DKIM signature is created by the sender’s mail server using a private key and is included in the email’s headers.

Hashing in DKIM: DKIM uses hashing to create a digest of the email headers and, optionally, the email body. This digest is essentially a hashed version of the email content.
Signing: The hash value (digest) is then encrypted using the sender's private key to create the DKIM signature.
Verification: Upon receiving the email, the recipient's server retrieves the public key from the sender’s DNS records and uses it to decrypt the DKIM signature. This reveals the original hash value. The recipient’s server then hashes the email headers and body again and compares this newly generated hash with the decrypted hash. If they match, it confirms that the email has not been altered and is from the legitimate sender.

How They Work Together
Hashing:Used to create a fixed-size representation of the email’s headers and body. This process is part of the signature creation in DKIM.

DKIM Signature:Involves hashing the email content, then encrypting this hash with the private key to produce the DKIM signature. The recipient uses the public key to decrypt and verify this signature against a newly computed hash of the email content.

Public Key
Publication in DNS: The public key is published in the DNS (Domain Name System) records of the sender's domain. It is stored as a TXT record under a specific subdomain, which is determined by the DKIM selector. For example, if the selector is selector1 and the domain is example.com, the public key would be found in a DNS record at selector1._domainkey.example.com.
If you want to verify DKIM-signature, use site MxToolbox DKIM verification from email header copy domain name of sender and selector value under DKIM-signature field, it may look something like this : s=20230601

Verification of Signatures:
When an email is received, the recipient's email server retrieves the public key from the DNS record associated with the sender’s domain. The server uses this public key to verify the DKIM signature in the email header. This process involves checking if the signature, which was created using the sender's private key, matches the content of the email and the public key.

Private Key
Creation of Signatures: The private key is kept securely by the sender’s mail server. It is used to generate DKIM signatures for outgoing emails. When an email is sent, the sender’s mail server creates a DKIM signature by hashing the email's headers and body, then encrypting this hash with the private key. This signature is included in the email header.

Security and Confidentiality:
The private key must be kept confidential and secure, as its exposure could allow malicious actors to forge signatures or impersonate the domain. The strength and security of the DKIM system rely on the private key being protected and only used by the legitimate mail server of the sender’s domain.

other sub-fields under DKIM-signature:
v= version of DKIM specification.
a= algorithm used to create DKIM signature.
c= Indicates the canonicalization algorithms that were used for the header and the body. c=relaxed/relaxed, makes the email's headers and body less sensitive to minor variations that are often introduced by mail servers or client software. This helps ensure that the DKIM signature remains valid even if there are slight, non-malicious changes to the email content.

bh= This is the hash of the body of the message after it was canonicalized, in Base64 form. "canonicalize" means to convert something into a standard or normal form.
h= This tells us which header fields were included in the signature.
b= The signature data in Base64 form.
t= timestamp in epoch format
s=selector: Selector to locate the public key in DNS record.
d= domain name

3. MIME (Multipurpose Internet Mail Extensions) : A standard for formatting emails so they can include text, images, attachments, etc. It tells email programs how to mix and present different types of content (like text, images, and attachments) in one message. MIME allows you to send an email that has both a message and a photo attached. current version is 1.0

4. ISO-8859-1 : A character encoding standard for Western languages. ISO-8859-1 is like a dictionary for how letters and symbols are stored in emails and web pages. It helps display characters correctly, especially for English and some other European languages. ISO-8859-1 helps make sure that the letters you see in your email look correct. it is just like ASCII, but only difference is ISO-8859-1 has more character in it.

5. SMTP (Simple Mail Transfer Protocol): A protocol for sending emails between servers. SMTP is like the mail carrier for the internet. It’s the set of rules that email servers use to send emails from one server to another until they reach the recipient. SMTP is what your email app uses to send your message to the email server, which then forwards it to the recipient’s email server.

6. ESMTP (Extended Simple Mail Transfer Protocol) : ESMTP is like a more advanced version of SMTP. It has additional features for handling things like attachments and larger messages. ESMTP is used to handle more complex email tasks that SMTP alone couldn’t handle.

7. ESMTP id: A unique identifier for each email transaction in the ESMTP protocol. The ESMTP id is like a tracking number for the email’s journey from sender to receiver. It helps email servers manage and trace the email as it moves through the system. If there’s a problem with delivering an email, the ESMTP id helps tech support figure out what went wrong.

9. CC (Carbon Copy): When you send an email and want others to receive a copy for their information, you use the CC field. Everyone who receives the email can see who else received it.

BCC (Blind Carbon Copy): Similar to CC, but recipients added in the BCC field receive a copy of the email without other recipients knowing. It's a way to send the email discreetly to multiple people.

10. MUA : mail user agent, those client application running on a computer that receives and send email. example Apple mail, microsoft outlook, mozilla thunderbird, google Gmail

11. MTA : accepts mail from the source and route them along to the destination. example sendmail, Microsoft exchange, postfix.

12. MDA : mail delivery agent, The primary function of an MDA is to receive incoming emails from an MTA (Mail Transfer Agent) and then deliver them to the appropriate recipient's mailbox or mail storage location. MDAs are typically located on the recipient's mail server or within their email service provider's infrastructure. example: Dovecot, Courier Mail Server, and Cyrus IMAP. These are software programs or components that handle the final step of email delivery within the recipient's mail system.

**You will also notice, many "Received" fields, the number of received fields depend on number of MTAs the email has crossed. the Received field at the top of the email header is the most recent one and closed to the destination or receiver. the Received field at the last of email header is closest to the source or sender.*

**If the "from" field and "reply-to" field are different, it may be suspicious, but other things should also considered.*

**The domain's SPF, DKIM, DMARC, and MX records can be obtained using tools such as Mxtoolbox Comparing this information will tell you if the email is spoofed or not. you can check whether the SMTP address belongs to that institution or not by looking at the Whois records of the SMTP IP address.*

POP3 (Post Office Protocol version 3):
Operation: When an email client connects to a POP3 server, it typically downloads all emails from the server to the client's local storage. By default, emails are usually deleted from the server once downloaded, although most POP3 clients have an option to leave a copy on the server.
Port: POP3 operates over port 110 (without encryption) or 995 (with SSL/TLS encryption)

IMAP (Internet Message Access Protocol):
Operation: When an email client connects to an IMAP server, it syncs with the server, allowing users to view, organize, and manage their emails without needing to download them. Changes made (like marking emails as read, moving them between folders) are reflected on the server.
Port: IMAP operates over port 143 (without encryption) or 993 (with SSL/TLS encryption).

Storage: POP3 downloads emails to the client's device, while IMAP keeps them stored on the server.
Offline Access: POP3 requires a constant connection to the server to manage emails, whereas IMAP allows offline access to previously synced emails.
Syncing: IMAP syncs actions across all devices accessing the same account, whereas POP3 actions are typically local to the device.
Usage: POP3 is suitable for users who want to store emails locally and manage them from one device. IMAP is ideal for users who access their emails from multiple devices and need consistent email management across all devices

SMTP (Simple Mail Transfer Protocol): Used for sending and receiving emails.

POP3 (Post Office Protocol 3): Used for retrieving and downloading emails from a server.

Labs you can Try:

Lab 1 Phishing Analysis: https://blueteamlabs.online/home/challenge/phishing-analysis-f92ef500ce
Lab 2 Phishing Analysis 2: https://blueteamlabs.online/home/challenge/phishing-analysis-2-a1091574b8
Lab 3 The Planet's Prestige: https://blueteamlabs.online/home/challenge/the-planets-prestige-e5beb8e545

Tools for Email Forensics:

PhishTool Community Analyzes suspicious emails for phishing attempts.
MxToolbox Troubleshoots email, domain, and network issues.
Cisco Talos Intelligence Provides information about cyber threats and vulnerabilities.
Browserling Tests websites across different browsers and devices (online tool).
Virtual Machine (VM) Creates a virtual computer system for safe software testing.
Hex Editor Views and edits files in hexadecimal format (for data analysis).
Sandbox Environment (AnyRun) Safely executes suspicious code or opens risky files.
Mozilla Thunderbird Free and open-source email client.
Gary Kessler File Signature Resource Identifies file types based on their signatures.
ExifTool Reads, writes, and edits metadata in various file formats.
CyberChef Decodes, encodes, and manipulates various data formats (online tool).
TheHarvester Gathers email addresses, phone numbers, and social media profiles (Kali Linux tool).
dig Tool Gets information about domain names and their associated records (command-line tool).
Metasploit articles Resources for email forensics (website).
Email Headers website which shows you all the Email Header Fields and their reference.
SquareX file viewer and other useful extension

Investigating email links:
Hover your cursor over the link without clicking on it. Check if the URL matches the context of the email, check if it looks suspicious or have slight misspellings.
Ensure the URL uses HTTPS, has a valid domain name and is not a shortened or obfuscated link. check for long strings of characters, unexpected domain names, or extra subdomains.
Use URL scanner and Domain Lookup, VirusTotal, PhishTank, browerling.
Check for URL redirections that lead to unexpected sites
You can use URL Expander tool
Sometimes, links are hidden behind text (e.g., “Click here”). Ensure that the text link and the actual URL match.
Test in a virtual Environment make sure to make snapshot of that virtual machine before testing.

What if you clicked on those links and nothing much happened? How can you ensure it's not harming your device?

Disconnect your device from internet.
Run Antivirus and Anti-Malware Scans.
Look for unusual slowdowns, unexpected pop-ups, check task manager, sudden spike in memory.
Monitor your system activity and network activity, (memory, process analysis, packet capture).
See if any new program installed, control panel > programs or press window button and search "all apps".
Use a file integrity monitoring tool to see any changes made to system’s directories or critical system files.
Look for any unauthorized changes in the system registry, use tool like Autoruns.
Check your browser extensions for any new or unfamiliar ones.
Update your operating system, browser, and all software.
Restore from Backup.
changing online account passwords.

How to Investigate Email Attachments?

First thing that you can do is to verify with the sender.
Use File Extension Verification Tools ex: TrID
Monitor system and network activity when analyzing
Test attachment in virtual environment.
Review file properties and metadata and use file analysis tool like virustotal.
Scan attachment with AntiVirus.

Basic File Integrity Monitoring System

Mihika — Tue, 08 Oct 2024 03:36:24 +0000

Git Repo : Git repo of File integrity monitoring system

This Python-based system monitors assigned files and directories, notifying you of any changes. To run it, use: python3 ./FIMS.py

If no changes are detected, you're notified:

If changes occur, you decide whether they're authorized:

If authorized, the baseline (which stores details like filename, permissions, and hashes) updates accordingly.

If unauthorized, a report.txt is generated, logging the modifications for investigation.

this is what report.txt looks like:

To get started, clone the repo, modify the paths in create_baseline.py file.

run it to set up a baseline for monitoring:
python3 ./create_baseline.py

This will create baseline.csv file and snapshot directory.

also modify the paths in FIMS.py file.

we mention some files to monitor in create_baseline.py separately and also mentioned a directory to monitor in FIMS.py
all done, run the script : python3 ./FIMS.py

Memory Dump Analysis | Kali Linux

Mihika — Tue, 17 Sep 2024 15:51:08 +0000

Memory Dump Analysis or RAM forensics, What is it?

A memory dump is a snapshot of a computer's RAM (random access memory) at a specific point in time, capturing the state of the system, including running processes, loaded drivers, open files, and other data in memory. Memory dumps are often used for debugging, forensic analysis, and diagnosing system crashes or security incidents.

Tools used to take memory dump:

For windows:

Dumpit
FTK imager, It is used for drive forensics, but can also allow you to take memory dump.

For linux:

LiME( linux memory extractor)
AVML

Tools will be useful in memory analysis:

Volatility
MimiKatz tool
Intezer Analyze
Git repo for memory dump samples

Taking Memory dump in Kali Linux:

AVML is straightforward and efficient for capturing memory in forensic investigations on Linux systems. First, open your terminal in Kali Linux and enter the command.

To download avml:
> wget https://github.com/microsoft/avml/releases/latest/download/avml

After downloading, the binary file needs to be made executable. You can do this with the chmod command:
> chmod +x avml

To ensure that the file has been downloaded and is executable, you can list the file details:
> ls -lh avml

You should see the avml file with the appropriate permissions (e.g., -rwxr-xr-x).

Take the Memory Dump:
> sudo ./avml /path/to/memory_dump.raw

Replace '/path/to/memory_dump.raw' with the location where you want to save the memory dump.
Verify the Memory Dump : > ls -lh /home/kali/memory_dump.raw

*Guide : *

Root Privileges: Memory dumping requires root access, so make sure to use sudo when running the command.
Storage Consideration: The memory dump file size will be approximately equal to the size of your system's RAM. For example, if your system has 8GB of RAM, the dump file will likely be close to 8GB. Ensure you have enough storage space available at the target location.
Safe Analysis Practices: Always analyze the memory dump on a different device, ideally within a sandboxed environment, to avoid contaminating the original system. Encrypt the dump file when transferring it to maintain its integrity and security.
Familiarity with the OS: When analyzing the memory dump, having a good understanding of common processes for that specific operating system is beneficial. This knowledge helps you quickly identify any suspicious processes that might be running on the system.

How to Encrypt the Memory dump:

Step 1: Generate a GPG Key (if you don’t have one)



> gpg --full-generate-key

Run the command, and follow the prompts to generate your key.

Step 2: To Encrypt the memory dump using GPG Passphrase:



> gpg --encrypt --recipient YourEmail@example.com /path/to/memory_dump.raw

Enter your email ID used in GPG passphrase, and location where the memory dump is stored. This can only encrypt the files, not directories. this will create a encrypted memory dump file, you can delete the original one, if you wants to.

Step 3: Decrypt the Memory Dump (When Needed):



> gpg --decrypt /path/to/memory_dump.raw.gpg > /path/to/decrypted_memory_dump.raw

Replace '/path/to/memory_dump.raw.gpg' with the location where the encrypted memory dump file is. and Replace '/path/to/decrypted_memory_dump.raw' with the file where you want the output of encrypted file to be written. Enter the passphrase or private key as prompted.

Keep the passphrase or private key secure and do not share it with unauthorized users.
Store a copy of the encrypted file in a secure location to ensure data integrity.

Memory Dump Analysis:

Volatility is a command line tool, a popular open-source framework used for analyzing memory dumps. It also has a GUI version, Its called Volatility workbench. The command line tool is more comprehensive, so we gonna learn that. we are using Volatility version 3 here:

Installing Volatility:

Update the system:
> sudo apt update

Install dependencies:
> sudo apt install python3 python3-pip git

Clone the Volatility 3 repository:
> git clone https://github.com/volatilityfoundation/volatility3.git

Navigate to the Volatility 3 directory:
> cd volatility3

Install Python dependencies:
> pip3 install -r requirements.txt

Run Volatility 3:
> python3 vol.py -h

Volatility Tool provides different commands (or "plugins") to analyze memory dumps from various operating systems (OS). The choice of command depends on the OS of the memory dump and the specific analysis you want to perform. You can see that from the output of the last command : > python3 vol.py -h

Syntax :
> python3 vol.py -f <memory_dump_file> <plugin_name>

Volatility Commands:

To get the list of all processes, for that there are two commands or plugins: linux.pslist.PsList and linux.psscan.PsScan

here's the difference:

linux.pslist.PsList : is faster and more accurate for identifying active, linked processes but can miss hidden or terminated processes.
linux.psscan.PsScan : is more thorough and can detect hidden or terminated processes, but it may include false positives and is slower. well, both commands can be used together to ensure comprehensive process enumeration in a memory dump.

Make sure you are in volatility3 dir:> cd /path/to/volatility3

> python3 vol.py -f /home/kalikali/memory_dump.raw linux.pslist

If you're Encountering the same problem like me..

That actually due to the absence of symbol file for your Linux kernel version.

A symbol file in memory forensics is like a map or guide that helps tools like Volatility understand the structure of the operating system's memory. It contains information about functions, variables, and data structures used by the operating system. When analyzing a memory dump, the symbol file helps the tool accurately interpret the raw data, making it possible to identify processes, network connections, and other key details. Without the correct symbol file, the analysis might fail or give incorrect results.

I spent a lot of the time looking for the solution, but I couldn't resolved it. well but I noticed that the windows plugins works perfectly, if you want to analyze windows memory dump. For now, In the article, we will learn how to analyze Windows memory dumps. Then, I will also cover what to do with Linux memory dumps"

Analyzing Windows Memory dump:

If you need memory dump sample, download from here: Memory Dump Sample (Windows)

windows.info
> python3 vol.py -f /path/to/memory_dump.raw windows.info

This plugin (info) extracts basic information about the Windows operating system in the memory dump, such as the version of Windows, the architecture (32-bit or 64-bit), the Service Pack version, and other OS-related details.

Run the command to get the list of all processes:
> python3 vol.py -f /path/to/memory_dump.raw windows.pslist
or
> python3 vol.py -f /path/to/memory_dump.raw windows.psscan

Redirect the output of a plugin to a file for further analysis:
> python3 vol.py -f /path/to/memory_dump.raw windows.pslist > processes.txt

windows.pslist shows active processes in the official list, while windows.psscan is more thorough and can detect both active and hidden/terminated processes.

windows.filescan
To get the list of all open files:
> python3 vol.py -f /path/to/memory_dump.raw windows.filescan

To get the list of files with specific extension or word in it:
> python3 vol.py -f /path/to/memory_dump.raw windows.filescan | grep .kdbs
It will search for files in memory dump with extension .kdbs
A .kdbs file is a database file format associated with the KeePass password manager. It contains passwords, usernames, URLs, and other sensitive information. Users can organize this information into groups and subgroups. To access the contents of a .kdbx file, you need to provide a master password, key file, or both. This adds an extra layer of security. you can open a .kdbx file on different operating systems using compatible KeePass versions or other compatible password managers.

> python3 vol.py -f /path/to/memory_dump.raw windows.filescan | grep -i password
search for any file-related structures in a memory dump that might contain the word "password" in their names or paths.

windows.filescan plugin, scans the specified memory dump for file-related structures, helping to identify open files, file handles, or even files that might have been hidden or unlinked by malware.

windows.dumpfiles
Extracting any file from Memory Image.
> python3 vol.py -f /path/to/memory_dump.raw -o /output/directory windows.dumpfiles --physaddr 0xADDRESS
Replace '/output/directory' with the location where you want to save the file. And replace '0xADDRESS' with the physical memory address of the file.

windows.malfind
To detect hidden or injected processes that could be malicious:
> python3 vol.py -f /path/to/memory_dump.raw windows.malfind

windows.dlllist
lists all the Dynamic Link Libraries (DLLs) loaded into the address space of each process in the Windows memory dump.
> python3 vol.py -f /path/to/memory_dump.raw windows.dlllist

windows.pstree
displays the running processes in a hierarchical tree format, illustrating parent-child relationships between processes.
> python3 vol.py -f /path/to/memory_dump.raw windows.pstree

windows.cmdline
retrieves the command-line arguments used to start each process.
> python3 vol.py -f /path/to/memory_dump.raw windows.cmdline

windows.netstat
lists active network connections and listening ports found in the memory dump.
> python3 vol.py -f /path/to/memory_dump.raw windows.netstat

windows.memmap
Dumps entire processes from memory. This includes everything associated with the process: executable code, loaded dynamic link libraries (DLLs), stack, heap, and other memory-mapped files.
> python3 vol.py -f "/path/to/file" -o "/path/to/dir" windows.memmap --dump --pid <PID>
dumps the memory pages of a process.

Difference:

windows.memmap: Dumps entire process memory, used for extracting the full memory space of running processes.
windows.dumpfiles: Extracts specific files from memory (e.g., files loaded in the page cache or mapped into memory).

That were some basic commands, I have a lot more to discuss with you.

I use volatility2 more often then volatility3

I use both volatility 2 and volatility 3 and I think volatility2 is better than volatility 3, it has more plugins, and gives more organized output.
Some useful commands in volatility 2:
> python2 vol.py -f /path/to/MemoryDump.raw --profile=<profile> psscan
to get the list of all processes, even hidden or terminated once.

> python2 vol.py -f /path/to/MemoryDump.raw --profile=<profile> cmdscan
> python2 vol.py -f /path/to/MemoryDump.raw --profile=<profile> consoles
> python2 vol.py -f /path/to/MemoryDump.raw --profile=<profile> cmdline
The cmdscan plugin extracts and displays command-line entries from the Windows registry, the cmdline plugin retrieves command-line arguments from running processes, and the console plugin captures and analyzes console (command prompt) history and output from memory.

clipboard
> python2 vol.py -f /path/to/MemoryDump.raw --profile=<profile> clipboard
The clipboard plugin extracts and displays the contents of the clipboard from memory, including any text or data stored there during the system's runtime. the clipboard is where copy and paste information is temporarily stored. In Windows, clipboard data is managed by the operating system and is typically stored in memory.

screenshot
> python2 vol.py -f /path/to/MemoryDump.raw --profile=<profile> screenshot -D <location_to save_screenshots>
To capture all the screenshots from memory dump. look at the screenshots carefully, look which application is opened, any string shown, any hash value. if you find any string, search it in memory dump, using string command:
> strings <memory dump> | grep -i "string_or_word"

Environment variables
> python2 vol.py -f /path/to/MemoryDump.raw --profile=<profile> envars
To view environmental variables.

Browser History
> python2 vol.py -f /path/to/MemoryDump.raw --profile=<profile> filescan | grep -i history
To view browser History file. download history file using dumpfiles plugin.

filescan with specific extensions
> python2 vol.py -f /path/to/MemoryDump.raw --profile=<profile> filescan | grep -E "\.(rar|png|jpeg|txt)$"
search files of specific extensions at onces.

hashdump
> python2 vol.py -f /path/to/MemoryDump.raw --profile=<profile> hashdump
get the NTLM hash value of all user's password

Practice Labs will help you better understand.

Resources & Labs:

volatility cheatsheet both vol2 & vol3
Linux Memory Dump Sample
Windows Memory Dump Sample

Labs:

Solutions of these labs are available online.

Linux Memory Dump:

I downloaded both volatility 2 and volatility 3 on Kali linux. For analyzing Windows memory dump, it works smoothly, following a simple process. For analyzing windows memory dump, you don't need to install any symbol table( In volatility 3) or no need to create profile (In volatility 2), It already has all necessary files for windows. But for analyzing Linux memory dump, I couldn't found the solution. Looking for different memory analysis tools, shifting to different VM . It didn't work out. I was trying my last attempt to solve this problem , I was using ubuntu VM its Ubuntu 2023.10.1 and I watched a video for how to setup volatility 2, the video link: Memory Forensics
I followed exactly as it mentioned in the video, but when I run the command to look for imageinfo it stucks, I waited for more than 1 hour and still no response.



determining profile based on KDBG searc......

On the Internet, user saying that sometimes it takes time, about 30 mins to 2 hours. I'll say if you want to practice linux memory dump analysis, solve labs related to linux.

Update | Backup | Recover | Kali Linux | Simple Guide

Mihika — Sun, 01 Sep 2024 08:31:33 +0000

Maintaining up-to-date systems alongside regular backups is crucial for ensuring both the security and recover-ability of your Kali Linux environment.
Without wasting time, read the below article.

To update the Linux OS:

open the terminal, and type the below commands one by one.

> sudo apt update
> sudo apt upgrade
> sudo apt autoremove
> cat /etc/os-release

sudo apt update           #update the package list
sudo apt upgrade          #update the packages to the latest version
sudo apt full-upgrade     #complete system update
sudo apt autoremove       #clean up unnecessary packages 
cat /etc/os-release       #check version of OS

To update the Browser:

> sudo apt update
> sudo apt upgrade firefex-esr
verify the update : Open firefox > help > about firefox > check version

In IT, a backup refers to storing a copy of valuable assets—such as your critical data and system configurations—in a secure location. This allows you to restore the original data or system if they become corrupted, damaged, or otherwise inaccessible. Recovery is the process of retrieving data from a backup after such an event.

If files are accidentally deleted and no backup is available, the process of attempting to recover the lost data is known as data recovery. This involves using specialized software or services to recover deleted files from storage media like hard drives, SSDs, USB drives, or memory cards. When files are deleted, the data isn’t immediately erased; instead, the space it occupied is marked as available for new data. Data recovery tools can sometimes retrieve these files before they are overwritten, although success is not guaranteed, and the chances decrease as new data is written to the storage medium.

Understanding and implementing backup and recovery processes is fundamental for anyone working in IT.

Types of Backup:

1. Full Backup : A comprehensive backup that includes your entire system, all important data, production data, databases, and everything else. It creates a complete snapshot of your system at a specific point in time.
2. Incremental Backup : This type of backup only saves the data that has changed since the last backup, whether it was a full backup or another incremental backup. It’s faster and requires less storage space.
3. Differential Backup : A backup that saves all the changes made since the last full backup. Each differential backup grows in size over time as it accumulates all changes since the last full backup, making recovery faster than with incremental backups.

Summary :Full = you back up all your data.
Incremental = Only new changes since the last backup.
Differential = All changes since the last full backup.

Backup Tools in Kali Linux:

command-line tools like rsync, tar, and dd.
Third-party tools like Deja Dup, Timeshift, and Clonezilla.

Creating a Backup Plan:

Deciding what to back up (critical files, entire system, configurations).
Choosing the right backup schedule and frequency.
Where to store backups (local, external, cloud).

Step-by-Step Backup Process:

You take Backup of your complete Filesystem and all data and keep it at safe place like external drive. when your system infected when a malware or got corrupted somehow, disconnect yourself from internet, use antivirus software to scan and remove the malware, reset your system and restore the Backup.

Before taking backup, Run the below command in terminal to estimate the size of your backup by checking the disk usage of the directories. And excluding the directories that need not to be back up.

> sudo du -shc / --exclude=/proc --exclude=/sys --exclude=/dev --exclude=/run --exclude=/tmp --exclude=/mnt --exclude=/media --exclude=/lost+found

Step 1 : Using rsync for complete backup of the Filesystem.

rsync is the most simplest and efficient way to take backup.
following the command to take backup.

> sudo apt-get install rsync
> sudo rsync -aAXv / /path/to/backup/folder --exclude={"/dev/*","/proc/*","/sys/*","/tmp/*","/run/*","/mnt/*","/media/*","/lost+found"}

The first command is to install the rsync tool and second command to take backup. Write the commands as mentioned, replace '/path/to/backup/folder' with the actual location where you want to save the backup.
Here’s a breakdown of the options:
-a: Archive mode; preserves permissions, timestamps, and symbolic links.
-A: Preserves ACLs (Access Control Lists).
-X: Preserves extended attributes.
-v: Verbose; shows progress.
--exclude=: Uses a file to specify which files and directories to exclude.
Verify the Backup: After the rsync command completes, check the backup directory to ensure all files have been copied correctly.

Step 2 : Using tar for compressing and archiving.

Follow the below command to compress the backup folder.

> tar -czvf backup_folder.tar.gz -C /path/to/backup backup_folder

Replace '/path/to/backup backup_folder' with the path where you stored the backup. Example, If the location of backup is '/home/user1/backup_folder'. then the command will be like this:

> tar -czvf backup_folder.tar.gz -C /home/user1 backup_folder

Here's what each option does:
-c: Creates a new archive.
-z: Compresses the archive with gzip.
-v: Shows the progress in the terminal.
-f: Specifies the filename of the archive.
-C /home/user1: Changes to the directory where backup_folder is located before creating the archive.

This will create a compressed backup_folder.tar.gz in your /home/user1 directory. Store the backup in an external drive.

Now, how to restore that backup:
If the Backup is in the external drive, connect the drive to your system or if it is somewhere in cloud storage platform, download it and run this command.
> sudo rsync -aAXv /path/to/backup/folder/ /

Replace '/path/to/backup/folder/' with the location where the backup is located.

How to use rsync for backing up a folder:

To take backup of Important data:
> sudo rsync -aAXv /home/ /path/to/backup/location/home_backup/

Here, I am Taking backup of complete /home directory. Replace '/path/to/backup/location/home_backup/' with the location where you want to store it for now. After that store it in external drive or use any cloud storage platform.

To Retore the folder, in case it got deleted or something happened use the below command:
> sudo rsync -aAXv /path/to/backup/location/home_backup/ /home/

Automating Backups:

To schedule backups using rsync, you can use cron to automate the process. Open the terminal, follow the command:

Open the Crontab Editor:

crontab -e

Add a Cron Job: Add a line to schedule your backup:

0 2 * * * /usr/bin/rsync -aAXv / /path/to/external/drive --exclude={"/dev/*","/proc/*","/sys/*","/tmp/*","/run/*","/mnt/*","/media/*","/lost+found"}

This line will run a backup every day at 2 AM.
To Exit the crontab editor:
Save: Press Ctrl + O (write out).
Confirm: Press Enter to confirm the filename.
Quit: Press Ctrl + X to exit.

0 2 * * *: Schedule to run at 2:00 AM every day.
/usr/bin/rsync: Path to the rsync command.
-aAXv: Options to preserve file attributes, permissions, and show progress.
/: Source directory (root filesystem).
/path/to/external/drive: Destination for the backup, path where you want the backup to be stored.
--exclude={...}: Exclude directories that don’t need to be backed up.
Save and Exit: Save the crontab file and exit the editor. The cron job will now automatically run according to the schedule.

Keep this chart for setting time and date, according to you:

+-------+-------+-------+-------+-------+
| Min   | Hour  | Day   | Month | Week  |
+-------+-------+-------+-------+-------+
| 0-59  | 0-23  | 1-31  | 1-12  | 0-7   |
+-------+-------+-------+-------+-------+

In above cron job 0 2 * * * means no minutes are set, hour is 2 which is in AM , * (asterisk) mean every time, so every day, every month, and every week.

HANCITOR - TRAFFIC ANALYSIS - SOL-LIGHTNET

Mihika — Thu, 13 Jun 2024 16:37:18 +0000

let's start:

Downloading the Capture File and Understanding the Assignment

Download the .pcap file from PCAP
Familiarize yourself with the assignment instructions.

LAN segment data:

LAN segment range: 10.20.30[.]0/24 (10.20.30[.]0 through 10.20.30[.]255)
Domain: sol-lightnet[.]com
Domain controller: 10.20.30[.]2 - Sol-Lightnet-DC
LAN segment gateway: 10.20.30[.]1
LAN segment broadcast address: 10.20.30[.]255

OUR TASK:

Write an incident report based on the pcap and the alerts.
The incident report should contain the following:
Executive Summary
Details (of the infected Windows host)
Indicators of Compromise (IOCs).

Analyzing Network Traffic with Basic Filters:

Filter: `(http.request || tls.handshake.type eq 1) && !(ssdp)`

49.51.133.162 port 80 - gengrasjeepram.com - GET /sv.exe
This appears to be a request to download an executable file (sv.exe) from the domain gengrasjeepram.com. Analysing packet content, it's an executable file and the context, it's potentially malicious. Upon Research, associated to Hancitor Malware.

port 80 - api.ipify.org - GET /
This seems to be a request to api.ipify.org, which is a legitimate service to check the public IP address of a device. exposing the the public IP address of the compromised host.

81.177.6.156 port 80 - twereptale.com - POST /4/forum.php
81.177.6.156 port 80 - twereptale.com - POST /mlu/forum.php
81.177.6.156 port 80 - twereptale.com - POST /d2/about.php
These are POST requests to various endpoints on the domain twereptale.com. The repetitive nature suggests potential malicious activity, possibly sending system information or other data to the server.

148.66.137.40 port 80 - xolightfinance.com - GET /bhola/images/1
148.66.137.40 port 80 - xolightfinance.com - GET /bhola/images/2
These are requests to retrieve image files from the domain xolightfinance.com. While the files themselves may not be malicious, the fact that they are requested from a potentially malicious domain raises suspicion.

No other indicators of malicious activity were found.

For a deeper understanding of Hancitor malware and its infection traffic, consider reading Brad Duncan's insightful article on Unit 42: Examining Traffic from Hancitor Infections

Final report:

Executive Summary
On Thursday 2020-01-30 at 00:55 UTC, a Windows 10 client used by Alejandrina Hogue was infected with Hancitor malware.

Details
Host name: DESKTOP-4C02EMG
Host MAC address: 58:94:6b:77:9b:3c (IntelCor_77:9b:3c)
Host IP address: 10.20.30.227
User account name: alejandrina.hogue

Indicators of Compromise (IOCs)
49.51.133.162 port 80 - gengrasjeepram.com - GET /sv.exe
SHA256 hash: 995cbbb422634d497d65e12454cd5832cf1b4422189d9ec06efa88ed56891cda

port 80 - api.ipify.org - GET /
81.177.6.156 port 80 - twereptale.com - POST /4/forum.php
81.177.6.156 port 80 - twereptale.com - POST /mlu/forum.php
81.177.6.156 port 80 - twereptale.com - POST /d2/about.php
148.66.137.40 port 80 - xolightfinance.com - GET /bhola/images/1
148.66.137.40 port 80 - xolightfinance.com - GET /bhola/images/2

DRIDEX - Traffic Analysis - DUALRUNNING

Mihika — Tue, 11 Jun 2024 12:48:36 +0000

let's start:

Downloading the Capture File and Understanding the Assignment

Download the .pcap file from PCAP
Familiarize yourself with the assignment instructions.

LAN segment data:

LAN segment range: 172.16.1[.]0/24 (172.16.1[.]0 through 172.16.1[.]255)
Domain: dualrunning[.]net
Domain controller: 172.16.1[.]2 - Dualrunning-DC
LAN segment gateway: 172.16.1[.]1
LAN segment broadcast address: 172.16.1[.]255

OUR TASK:

Write an incident report based on the pcap and the alerts.
The incident report should contain the following:
Executive Summary
Details (of the infected Windows host)
Indicators of Compromise (IOCs).

Analyzing Network Traffic with Basic Filters:

Basic Filter: (http.request || tls.handshake.type eq 1) && !(ssdp)

Upon inspection, a GET request to 185.21.216.153 on port 8088 was detected, It's an Excel file, and the URL from which this file was requested is linked to the Dridex malware.

185.21.216.153 port 8088 - insiderushings.com:8088 - GET /wp-content/Receipt 9650354.xls?evagk=2MyeEdhGPszYX

and just below we can see URL for initial Dridex DLL

185.21.216.153 port 8088 - buyer-remindment.com:8088 - GET/templates/file6.bin

Dridex infection traffic consists of two parts:
Initial infection activity.
Post-infection C2 traffic.

You can Identify the C2 traffic, by identifying this pattern. This C2 traffic communicates directly with an IP address, so there are no server name or host name associated with it. It also has unusual certificate issuer data.

And we Found the following traffic directly to IP addresses instead of domain names. This is most likely Dridex HTTPS C2 traffic::
• 202.29.60.34 port 443 - HTTPS traffic
• 72.11.131.199 port 443 - HTTPS traffic
• 207.244.250.103 port 443 - HTTPS traffic
• 45.145.55.170 port 453 - HTTPS traffic
• 84.232.252.62 port 443 - HTTPS traffic

Apply this Filter to review certificate issuer for those suspected IP addresses.

Filter: tls.handshake.type eq 11

Select the packet and go to the frame details section and expand the information.

TLS > TLSv1: Certificate > handshake protocol:certificate > certificates(__ bytes) > Certificates[truncated] > SignedCertificate > Issuer > rdnSequence

We also detected suspicious activity from the malicious source IP 81.17.23.125 to our compromised host 172.16.1.239. Despite the Host line in the HTTP request headers indicating 81.17.23.125:2318, there was no corresponding traffic over TCP port 2318 in the pcap.

To investigate further, use the Wireshark filter ip.addr eq 81.17.23.125 && tcp.flags eq 0x0002 to find TCP SYN segments for the start of all TCP streams to 81.17.23.125. Follow TCP streams from each TCP SYN segment to analyze the directory listing for the infected user's Documents directory.

For a deeper understanding of Dridex malware and its infection traffic, consider reading Brad Duncan's insightful article on Unit 42: Wireshark Tutorial: Dridex Infection Traffic.

Final report:

Executive Summary
On 2021-07-14 at approximately 20:31 UTC, a Windows host used by Samantha Reed was infected with Dridex malware.

Details
MAC address: 00:13:d4:10:05:25
IP address: 172.16.1.239
Host name: DEKSTOP-F3P7XLU
Windows user account: samantha.reed

Indicators of Compromise (IOCs)
Dridex C2 traffic:

202.29.60.34 port 443 - HTTPS traffic
72.11.131.199 port 443 - HTTPS traffic
207.244.250.103 port 443 - HTTPS traffic
45.145.55.170 port 453 - HTTPS traffic
84.232.252.62 port 443 - HTTPS traffic
81.17.23.125 port 443 - HTTPS traffic

TRICKBOT - Traffic Analysis - FUNKYLIZARDS

Mihika — Mon, 10 Jun 2024 12:15:20 +0000

let's start:

Downloading the Capture File and Understanding the Assignment

Download the .pcap file from pcap
Familiarize yourself with the assignment instructions.

LAN segment data:

LAN segment range: 10.8.19.0/24 (10.8.19.0 through 10.8.19.255)
Domain: funkylizards.com
Domain Controller: 10.8.19.8 Funkylizard-DC
LAN segment gateway: 10.8.19.1
LAN segment broadcast address: 10.8.19.255

OUR TASK:

Write an incident report based on the pcap and the alerts.
The incident report should contain the following:
Executive Summary
Details (of the infected Windows host)
Indicators of Compromise (IOCs).

Investigating the PCAP

Analyzing Network Traffic with Basic Filters:

(http.request || tls.handshake.type eq 1) && !(ssdp)

Upon inspection, a GET request to 185.244.41.29 on port 80 was detected, fetching a malicious Dynamic Link Library (DLL) file associated with Trickbot malware.

85.244.41.29 port 80 - 185.244.41.29 - GET /ooiwy.pdf

Post infection traffic initially consists of HTTPS/SSL/TLS traffic over TCP port 443, 447, or 449 and an IP address check by the infected Windows host. After infection, the compromised Windows host performs an IP address check. which we can see in this pcap: port 443 - api.ipify.org - GET /

(http.request || tls.handshake.type eq 1 || tcp.flags eq 1) && !ssdp

Shortly after the HTTP request for the Trickbot executable, several attempted TCP connections over port 443 to different IP addresses are observed, before a successful TCP connection to 46.99.175.149 and 182.253.210.130.

The HTTPS/SSL/TLS traffic to various IP addresses over TCP ports 447 and 449 has unusual certificate data. We can review the certificate issuer associated with these two hosts by filtering on:

tls.handshake.type == 11 && ip.addr==46.99.175.149 && ip.addr==182.253.210.130

Select the packet and go to the frame details section and expand the information.
TLS > TLSv1: Certificate > handshake protocol:certificate > certificates(__ bytes) > Certificates[truncated] > SignedCertificate > Issuer > rdnSequence

The state or province name (Some-State) and the organization name (Internet Widgits Pty Ltd) are not used for legitimate HTTPS/SSL/TLS traffic. This is an indicator of malicious traffic, and its not limited to Trickbot.

The Trickbot-infected Windows host will check its IP address using a number of different IP address checking sites. it needs to ascertain its geographical location or to determine if it's running in a virtual environment or a sandbox. This tactic allows the malware to blend in with normal network traffic, making it harder to detect and mitigate its activities. Various legitimate IP address checking services used by Trickbot include:

api.ip[.]sb
checkip.amazonaws[.]com
icanhazip[.]com
ident[.]me
ip.anysrc[.]net
ipecho[.]net
ipinfo[.]io
myexternalip[.]com
wtfismyip[.]com

Again, an IP address check by itself is not malicious. However, this type of activity combined with other network traffic can provide indicators of an infection. you may see above host in the packet.

A Trickbot infection can generates HTTP traffic. this traffic sends information from the infected host like system information and passwords from the browser cache and email clients. This information is sent from the infected host to C2 server used by Trickbot. apply the basic filter :

(http.request || tls.handshake.type eq 1) && !(ssdp)

you see a post request to host 103.148.41.195. view packet content and you see infomation like processes running on the infected host system, system information.

For a comprehensive understanding of Trickbot Malware, I recommend reading Brad Duncan's article on it: Trickbot Malware

Final report:

Executive Summary
On 2021-08-19 at approximately 19:40 UTC, a Windows host used by Monica Steele was infected with Trickbot malware.

Details
MAC address: 00:08:02:1c:47:ae
IP address: 10.8.19.101
Host name: DEKSTOP-M1TFHB6
Windows user account: monica.steele

Indicators of Compromise (IOCs)
Trickbot DLL:
185.244.41.29 port 80 - 185.244.41.29 - GET /ooiwy.pdf

SHA256 hash: f25a780095730701efac67e9d5b84bc289afea56d96d8aff8a44af69ae606404
File size: 323,584 bytes
File description: Trickbot DLL
File name: ooiwy.pdf

Trickbot C2 traffic:

port 443 - api.ipify.org - GET / [IP address check by infected host]
46.99.175.149 on port 443 - HTTPS traffic
182.253.210.130 on port 443 - HTTPS traffic
103.148.41.195 port 443 - POST /rob124/DESKTOP-M1TFHB6_W10019043.0CB9C3AE3FA9B1267DFC20141CDE9D8 4/90/

BazarLoader - Traffic Analysis - ANGRYPOUTINE

Mihika — Mon, 10 Jun 2024 10:52:58 +0000

let's start:

Downloading the Capture File and Understanding the Assignment

Download the .pcap file from pcap.
Familiarize yourself with the assignment instructions.

LAN segment data:

LAN segment range: 10.9.10[.]0/24 (10.9.10[.]0 through 10.9.10[.]255)
Domain: angrypoutine[.]com
Domain controller: 10.9.10[.]9 - ANGRYPOUTINE-DC
LAN segment gateway: 10.9.10[.]1
LAN segment broadcast address: 10.9.10[.]255

OUR TASK:

Write an incident report based on the pcap and the alerts.
The incident report should contain the following:
Executive Summary
Details (of the infected Windows host)
Indicators of Compromise (IOCs).

Identifying the Infected Host

This is my method for finding the infected host in a PCAP file, though it may not always guarantee accurate results.

In Wireshark, go to Statistics > Endpoint > IPv4.
Identify the IP associated with the most transferred packets within your LAN. This is likely the compromised host.

Investigating the PCAP

Analyzing Network Traffic with Basic Filters:

(http.request || tls.handshake.type eq 1) && !(ssdp)

Upon inspection, a GET request to 194.62.42.206 port 80 was detected, fetching a malicious Dynamic Link Library (DLL) file for BazarLoader from the following URL:
/bmdff/BhoHsCtZ/MLdmpfjaX/5uFG3Dz7yt/date1?BNLv65=pAAS

This URL, containing '/bmdff/', consistently yields a 64-bit DLL for BazarLoader. Notably, this pattern has persisted over the past several weeks, indicating association with the TA551 (Shathak) campaign.
Further analysis reveals BazarLoader's command and control (C2) activity. Initially, BazarLoader retrieves BazarBackdoor via HTTPS traffic from 167.172.37.9 over TCP port 443. Subsequently, BazarBackdoor itself generates C2 activity, utilizing HTTPS traffic to communicate with 94.158.245.52 over TCP port 443.

It's important to note that Bazar C2 activity often directs traffic to legitimate domains. While this behavior isn't inherently malicious, it's reminiscent of various malware families conducting connectivity checks or ensuring uninterrupted internet access on infected Windows hosts.

For a comprehensive understanding of BazarLoader's network reconnaissance tactics, I recommend reading Brad Duncan's article on the case study:
Case Study: From BazarLoader to Network Reconnaissance

Final report:

Executive Summary
On 2021-09-10 at approximately 23:17 UTC, a Windows host used by Hobart Gunnarsson was infected with BazarLoader through the TA551 (Shathak) campaign.

Details
MAC address: 00:4f:49:b1:e8:c3
IP address: 10.9.10.102
Host name: DESKTOP-KKITB6Q
Windows user account: hobart.gunnarsson

Indicators of Compromise (IOCs)
BazarLoader DLL:
194.62.42.206 port 80 - simpsonsavingss.com - GET /bmdff/BhoHsCtZ/MLdmpfjaX/5uFG3Dz7y /date1?BNLv65=pAAS

SHA256 hash: eed363fc4af7a9070d69340592dcab7c78db4f90710357de29e3b624aa957cf8
File size: 284,816 bytes
File description: BazarLoader DLL
File name: date6.dll

BazarLoader C2 traffic:

167.172.37.9 port 443 - HTTPS traffic
94.158.245.52 port 443 - HTTPS traffic

DEV Community: Mihika

Linux Log Analysis | Hammered Lab | CyberDefenders

Log Analysis | Compromised wordpress | Privilege Escalation | Blue team labs online

Log Analysis | Sysmon | Blue Team Labs Online

(Trickbot) Malware Analysis Report

Trickbot Infection Chain

Understanding Email Analysis: A Simple Guide

Starting Out: Essential Gmail Security Features

Before analyzing email headers, let's examine the incident response steps taken when encountering a suspicious email:

Understanding Email Fields:

lets understand each field:

In nutshell:

Email Header Important Fields:

Labs you can Try:

Tools for Email Forensics:

Investigating email links:

What if you clicked on those links and nothing much happened? How can you ensure it's not harming your device?

How to Investigate Email Attachments?

Basic File Integrity Monitoring System

Memory Dump Analysis | Kali Linux

Tools used to take memory dump:

Tools will be useful in memory analysis:

Taking Memory dump in Kali Linux:

How to Encrypt the Memory dump:

Memory Dump Analysis:

Volatility Commands:

Analyzing Windows Memory dump:

I use volatility2 more often then volatility3

Resources & Labs:

Linux Memory Dump:

Update | Backup | Recover | Kali Linux | Simple Guide

To update the Linux OS:

To update the Browser:

Types of Backup:

Backup Tools in Kali Linux:

Creating a Backup Plan:

Step-by-Step Backup Process:

Automating Backups:

HANCITOR - TRAFFIC ANALYSIS - SOL-LIGHTNET

let's start:

Downloading the Capture File and Understanding the Assignment

LAN segment data:

OUR TASK:

Analyzing Network Traffic with Basic Filters:

Final report:

DRIDEX - Traffic Analysis - DUALRUNNING

let's start:

Downloading the Capture File and Understanding the Assignment

LAN segment data:

OUR TASK:

Analyzing Network Traffic with Basic Filters:

Final report:

TRICKBOT - Traffic Analysis - FUNKYLIZARDS

let's start:

Downloading the Capture File and Understanding the Assignment

LAN segment data:

OUR TASK:

Investigating the PCAP

Final report:

BazarLoader - Traffic Analysis - ANGRYPOUTINE

let's start:

Downloading the Capture File and Understanding the Assignment

LAN segment data:

OUR TASK:

Identifying the Infected Host

Investigating the PCAP

Final report: