Blue Team
Module 1 - Incident Response and Security Operations Fundamentals
Module 4 - Getting started using Microsoft Azure Sentinel (Cloud-Native SIEM and SOAR)
Module 5 - Hands-on Wazuh Host-based Intrusion Detection System (HIDS) Deployment
Module 7 - How to Install and use The Hive Project in Incident Management
Module 8 - Incident Response and Threat hunting with OSQuery and Kolide Fleet
Module 24 - Azure Sentinel - Using Custom Logs and DNSTwist to Monitor Malicious Similar Domains
If you want me to modify/correct something please don't hesitate to contact me via: chiheb-chebbi [at]
Incident Response and Security Operations
In this module, we are going to discover the terminology and fundamentals required to acquire a fair understanding of "Incident Response", the steps it involves and the teams that perform it.
Before exploring what incident response is, let's go through some important terminology:
Attack vector analysis
Attack vectors are the paths used by attackers to reach a vulnerability. In other words, the method used to attack an asset is called a threat vector or attack vector. Attack vectors can be analyzed by studying the attack surfaces: the entry points of an application, APIs, files, databases, user interfaces and so on. When you face a huge number of entry points, you can divide the modeling into different categories (APIs, business workflows, etc.).
IP addresses
Domain names
System calls
File hashes
1. Preparation: during this phase, the teams deploy the tools and resources required to handle incidents successfully, including developing awareness training.
2. Detection and analysis: this is the most difficult phase and a challenging step for every incident response team. It includes profiling networks and systems, defining a log retention policy, recognizing the signs of an incident and prioritizing security incidents.
3. Containment, eradication and recovery: during this phase, the pieces of evidence are collected and the containment and recovery strategies are carried out.
4. Post-incident activity: discussions are held during this phase to evaluate the team's performance, determine what actually happened, check compliance with policies and so on.
Establishing incident response teams
There are different kinds of incident response teams:
* Computer Security Incident Response Teams
* Product Security Incident Response Teams
* National CSIRTs and Computer Emergency Response Teams
* ISO 27035: ISO/IEC 27035 Security incident management
* SANS Incident Handler Handbook: Incident Handler's Handbook
* CREST Cyber Security Incident Response Guide: Cyber Security Incident Response Guide - CREST
Security Operations Centers are not only a collection of technical tools. SOCs are people, process and technology.
To help you prepare your mission, I highly recommend reading this guide by Sampson Chandler: Incident Response Guide
It is essential to evaluate your SOC maturity because you can't improve what you cannot measure. There are many maturity models in the wild, based on different metrics depending on your business needs and use cases. Some of the metrics are:
* Time to Detect (TTD)
* Time to Respond (TTR)
Your maturity level can be identified using this graph from LogRhythm:
By now, I assume that we have covered many important terms and steps to perform incident response. The major goal of writing this article is to deliver a collaborative guide that helps our readers learn the fundamental skills needed in the daily job of an incident handler. Your comments play a huge role in this article: if you want to add or correct something, please don't hesitate to comment so that together we can create a one-stop resource for readers who are looking for a guide to learn about incident response. All your comments are welcome!
In this module we are going to explore the TOP 20 open source tools that every blue teamer
should have:
The Hive
TheHive is a scalable 4-in-1 open source and free security incident response platform designed
to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing
with security incidents that need to be investigated and acted upon swiftly. Thanks to Cortex,
our powerful free and open-source analysis engine, you can analyze (and triage) observables at
scale using more than 100 analyzers.
OSSIM is an open-source security information and event management system (SIEM). It was
developed in 2003. The project was acquired later by AT&T.
If you are into threat hunting, then you have probably heard of the HELK project. HELK was developed by Roberto Rodriguez (Cyb3rWard0g) under the GPL v3 license. The project was built on the ELK stack in addition to other helpful tools like Spark, Kafka and so on.
Its official website: Cyb3rWard0g/HELK: The Hunting ELK - GitHub
Scanning is one of the required steps in every attacking operation. After gathering information about a target you need to move on to another step, which is scanning. If you are into information security you should have Nmap in your arsenal. Nmap (the abbreviation of Network Mapper) is the most powerful network scanner. It is free and open-source. It gives you the ability to perform different types of network scans in addition to other capabilities thanks to the scripts it ships with. Also, you can write your own NSE scripts.
Memory malware analysis is widely used in digital investigation and malware analysis. It refers to analyzing a memory image dumped from a targeted machine after the malware was executed, in order to obtain many artifacts including network information, running processes, API hooks, loaded kernel modules, Bash history, etc. Volatility is the most suitable tool to do that. It is an open-source project developed by the Volatility Foundation. It runs on Windows, Linux and MacOS. Volatility supports different memory dump formats including raw (dd), LiME, EWF and many other files.
Security Orchestration, Automation and Response, or simply SOAR, platforms and tools are very effective at avoiding analyst fatigue by automating many repetitive security tasks. One of the best-known platforms is Demisto. The platform also provides many free playbooks.
Communication and networking are vital for every modern organization. Making sure that all
the networks of the organization are secure is a key mission. The most suitable tool that will
help you monitor your network is definitely Wireshark. Wireshark is a free and open-source tool
to help you analyse network protocols with deep inspection capabilities. It gives you the ability
to perform live packet capturing or offline analysis. It supports many operating systems
including Windows, Linux, MacOS, FreeBSD and many more systems.
Atomic Red Team allows every security team to test their controls by executing simple "atomic tests" that exercise the same techniques used by adversaries (all mapped to Mitre's
Another threat simulation tool is Caldera.
Intrusion detection systems are a set of devices or pieces of software that play a huge role in modern organizations to defend against intrusions and malicious activities. The role of network-based intrusion detection systems is to detect network anomalies by monitoring the inbound and outbound traffic. One of the most-used IDSs is Suricata. Suricata is an open-source IDS/IPS developed by the Open Information Security Foundation (OISF).
Zeek is one of the most popular and powerful NIDS. Zeek was formerly known as Bro. This network analysis platform is supported by a large community of experts; thus, its documentation is very detailed and good.
Its official website:
Forensic imaging is a very important task in digital forensics. Imaging is copying the data carefully, ensuring its integrity and without leaving out a file, because it is critical to protect the evidence and make sure that it is properly handled. That is why there is a difference between normal file copying and imaging. Imaging captures the entire drive: when imaging the drive, the analyst images the entire physical volume, including the master boot record. One of the tools used is "AccessData FTK Imager".
Malware analysis is the art of determining the functionality, origin and potential impact of a given malware sample, such as a virus, worm, trojan horse, rootkit, or backdoor. As a malware analyst, our main role is to collect all the information about malicious software and have a good understanding of what happened to the infected machines. The best-known malware sandbox is Cuckoo.
Another great reverse engineering tool is Ghidra. This project is open-source and it is maintained by the National Security Agency Research Directorate. Ghidra gives you the ability to analyze different file formats. It supports Windows, Linux and MacOS. You need to install Java in order to run it. The project comes with detailed training material, documentation and cheat-sheets. Also, it gives you the ability to develop your own plugins using Java or
Another powerful network-based intrusion detection system is Snort. The project is very powerful and it has been downloaded more than 5 million times. Thus, it is well documented and it is supported by a large community of network security experts.
Security Onion
If you are looking for a ready-to-use OS that contains many of the previously discussed tools, you can simply download Security Onion. It is a free and open-source Linux distribution for intrusion detection, enterprise security monitoring, and log management.
Security information and event management systems (SIEM) are very important tools in incident response missions. Every security operations centre is equipped with a SIEM. In this article, we are going to learn how to deploy a fully working SIEM using the amazing Elastic Stack (ELK) suite.
ELK Stack is the abbreviated form of the "Elasticsearch Logstash Kibana" Stack. They are three open source projects. This stack is one of the world's most popular log management platforms, with 500,000 downloads every month. The ELK stack is widely used in information technology businesses because it provides business intelligence, security and compliance, and web
To build the SIEM, you need to install the required libraries and programs:
For the demonstration, I used an Ubuntu 18.04 server hosted on Microsoft Azure.
java -version
sudo vi /etc/elasticsearch/elasticsearch.yml
Uncomment the host setting and http.port and assign values to them. Don't use "" on your production servers; I am using it just for a demonstration.
sudo vi /etc/kibana/kibana.yml
server.port: 5601
server.host: "YOUR-IP-HERE"
elasticsearch.url: "http://YOUR-IP-HERE:9200"
Now go to https://YOUR-IP-HERE:5601
Voila, you can start exploring the dashboard of some pre-installed Sample Log data:
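The walkthrough warns against keeping the demonstration bind values on a production server. As an added example that is not part of the original article, this Python script (the function names, the checks and both pairs of sample configuration files are my own constructions) reads the flat key: value settings of elasticsearch.yml and kibana.yml and reports the demo-style exposure next to a hardened pair.

```python
from typing import Dict, List, Tuple

# Values that make Elasticsearch or Kibana listen on every interface.
WILDCARD_BINDS = {"0.0.0.0", "::", "_global_", "_site_", ""}


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Read the 'key: value' lines of elasticsearch.yml / kibana.yml.
    Only flat dotted keys are handled (that is how both files are written by
    default); comments and blank lines are skipped, quotes and [] are stripped."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        value = value.split(" #", 1)[0].strip()        # drop trailing comments
        value = value.strip("[]").strip().strip("\"'")
        settings[key.strip()] = value
    return settings


def audit_elk(es_yaml: str, kibana_yaml: str) -> List[Tuple[str, str]]:
    """Return (file, problem) pairs for the settings the article tells you to edit."""
    es = parse_flat_yaml(es_yaml)
    kb = parse_flat_yaml(kibana_yaml)
    findings: List[Tuple[str, str]] = []

    host = es.get("network.host")          # absent means loopback only
    if host in WILDCARD_BINDS:
        findings.append(("elasticsearch.yml",
                         "network.host=%r exposes the node on every interface; bind the private IP" % host))
    if es.get("xpack.security.enabled", "false").lower() != "true":
        findings.append(("elasticsearch.yml",
                         "xpack.security.enabled is not true: port %s answers unauthenticated requests"
                         % es.get("http.port", "9200")))

    kb_host = kb.get("server.host")
    if kb_host in WILDCARD_BINDS:
        findings.append(("kibana.yml", "server.host=%r publishes Kibana on every interface" % kb_host))
    # Kibana 6.x uses elasticsearch.url, 7.x uses elasticsearch.hosts; accept either.
    es_url = kb.get("elasticsearch.url") or kb.get("elasticsearch.hosts", "")
    if es_url.startswith("http://") and not es_url.startswith(("http://localhost", "http://127.0.0.1")):
        findings.append(("kibana.yml",
                         "Kibana talks to Elasticsearch over plaintext HTTP across the network: " + es_url))
    return findings


# Constructed demo configuration in the spirit of the walkthrough (not the article's files).
DEMO_ES = """\
cluster.name: siem-demo
network.host: 0.0.0.0
http.port: 9200
"""
DEMO_KIBANA = """\
server.port: 5601
server.host: "0.0.0.0"
elasticsearch.url: "http://10.0.0.5:9200"
"""
# The same deployment with the settings corrected for a production server (constructed).
HARDENED_ES = """\
cluster.name: siem-prod
network.host: 10.0.0.5          # private interface only
http.port: 9200
xpack.security.enabled: true    # require authentication on 9200
"""
HARDENED_KIBANA = """\
server.port: 5601
server.host: "10.0.0.5"
elasticsearch.hosts: ["https://10.0.0.5:9200"]
"""

if __name__ == "__main__":
    for label, pair in (("demo", (DEMO_ES, DEMO_KIBANA)),
                        ("hardened", (HARDENED_ES, HARDENED_KIBANA))):
        print(label, audit_elk(*pair) or "no findings")
```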
It is a good question: we can receive data from a host using what we call "Beats". You can find the full list here:
sudo vi /etc/metricbeat/metricbeat.yml
Then, you can visualize any data you want from that beat.
By now we have deployed the most important parts. Let's learn how to deploy the ELK SIEM:
Configure it by:
sudo vi /etc/auditbeat/auditbeat.yml
If you did everything correctly you will see this on the SIEM dashboard:
A system overview:
Voila, you learned how to build an ELK SIEM.
Getting started using Microsoft Azure Sentinel (Cloud-Native SIEM and SOAR)
In this module, we are going to explore Microsoft Azure Sentinel (Cloud-Native SIEM and SOAR). We are going to learn how to deploy the SIEM from scratch and we are going to see how to start detecting threats with it.
Before learning how to use Azure Sentinel, we need to define it first. According to one of their
official blog posts:
Azure Sentinel provides intelligent security analytics at cloud scale for your entire enterprise.
Azure Sentinel makes it easy to collect security data across your entire hybrid organization
from devices, to users, to apps, to servers on any cloud. It uses the power of artificial
intelligence to ensure you are identifying real threats quickly and unleashes you from the
burden of traditional SIEMs by eliminating the need to spend time on setting up, maintaining,
and scaling infrastructure.
Most of the first steps were already discussed in detail in the previous resource, so I am going to go through them rapidly:
Go to the Azure search bar, look for Azure Sentinel (preview) and add a new workspace.
Create a new Workspace and press "OK".
Now you need to select a connector to receive logs:
If you want to receive logs from a Windows machine: go to "Advanced Settings" -> Connected Sources and select "Windows Servers". Then download the Windows agent installation binary.
Open your Windows machine (in my case Windows 7 x32) and install the agent. Click Next.
Add your ID and Key (you will find them in the Windows Servers dashboard).
Click Next and you are done.
Now it is hunting time! Go to your Sentinel page and select Hunting, and you will be able to type your own hunting queries using KQL (the Kusto Query Language).
You can also use and create your own Notebooks.
You can use some pre-made hunting notebooks delivered by Azure. Click Import and you will upload them directly from the official Sentinel GitHub account:
The Sentinel dashboards are highly customizable. In other words, you can add any visualisation you want. In this example I added a CPU visualization.
You can even add your own alert/detection rules. If you want to do so, click "New alert rule".
I tried an arbitrary condition for educational purposes: CPU > 1.4%
You can also select the action taken when the condition is met. In my case, I tried the email notification option.
You will receive a confirmation email to check that everything is ok:
Hi Peerlysters,
In this article we are going to learn how to deploy a powerful HIDS called "Wazuh".
Host-based Intrusion Detection Systems (HIDS): they run on the enterprise hosts to detect attacks against the host.
Network-based Intrusion Detection Systems (NIDS): their role is to detect network anomalies by monitoring inbound and outbound traffic.
Wazuh is a free, open source and enterprise-ready security monitoring solution for threat
detection, integrity monitoring, incident response and compliance.
Wazuh is used to collect, aggregate, index and analyze security data, helping organizations detect intrusions, threats and behavioral anomalies.
Wazuh server
Elastic Stack
Wazuh agent
Now let's explore how to deploy it. For the demonstration I am using an Ubuntu 18.04 VM.
Installing Filebeat
sudo vi /etc/elasticsearch/elasticsearch.yml
node.name: node-1
network.host: [""]
http.port: 9200
discovery.seed_hosts: []
cluster.initial_master_nodes: ["node-1"]
Installing Kibana
Kibana is a web interface for searching and visualizing logs: a log data dashboard with pie charts, bars, heat maps, bubble charts and scatter plots. It is an amazing solution to visualize your data and detect any unusual patterns.
sudo vi /etc/kibana/kibana.yml
server.port: 5601
elasticsearch.hosts: ["http://localhost:9200"]
sudo vi /etc/filebeat/filebeat.yml
Configure the Filebeat instance: change the event destination from the Elasticsearch instance to the Logstash instance.
output.logstash.hosts: ["localhost:5000"]
Open a web browser and go to the Elastic Stack server's IP address on port 5601 (default
Kibana port). Then, from the left menu, go to the Wazuh App.
Click on "Add new API" and fill in the API fields. If everything goes fine, you will get the main Wazuh dashboard.
To add a new agent, just select the OS, curl the package and install it:
Threat Intelligence Fundamentals
What is a threat?
By definition, a threat is a potential danger to the enterprise assets that could harm these systems. In many cases, there is confusion between the three terms Threat, Vulnerability and Risk: the first term, as I explained before, is a potential danger, while a Vulnerability is a known weakness or gap in an asset. A Risk is the result of a threat exploiting a vulnerability; in other words, you can see it as the intersection of the two previous terms. The method used to attack an asset is called a Threat Vector.
"An advanced persistent threat is a stealthy computer network threat actor, typically a nation-state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period"
To explore some APTs, check this great resource by FireEye:
"Cyber threat intelligence is information about threats and threat actors that helps mitigate harmful events in cyberspace. Cyber threat intelligence sources include open source intelligence, social media intelligence, human intelligence, technical intelligence or intelligence from the deep and dark web" [Source: Wikipedia]
In other words, intelligence differs from data and information in that it completes the full picture. These pieces can be shared across different organizations thanks to bodies like:
* Information Sharing and Analysis Centers (ISACs)
* Computer Emergency Response Teams (CERTs)
* Malware Information Sharing Platform (MISP)
To facilitate the sharing, collecting and analyzing processes, these IOCs usually follow certain formats and protocols such as:
To help you create and edit your indicators of compromise you can use, for example, IOC Editor by FireEye. You can find it here: This is its user guide:
You can simply create your indicators of compromise using a graphical interface:
It also gives you the ability to compare IOCs.
How to Install and use The Hive Project in Incident Management
In this module, we are going to explore a great incident management platform called "TheHive".
"TheHive is a scalable 4-in-1 open source and free security incident response platform designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly. Thanks to Cortex, our powerful free and open-source analysis engine, you can analyze (and triage) observables at scale using more than 100 analyzers."
8 GB of RAM
60 GB of disk
Install Elasticsearch
apt update
# Secret key
# ~~~~~
If you want to try it before installing it on your server, you can download the training VM. You can find it here:
Login: admin
Password: thehive1234
To add your team members you need to create users. To create a user, go to Admin -> Users:
Create a new password for the user by clicking "New password", type a password and press Enter to save it.
Tags and so on.
The case file also contains the tasks and the observables:
To take a task, just click on it under Tasks and it will be added to your "My tasks" section.
Once you finish the case, click on "Close" and it will be closed.
To visualize your case statistics you need to use TheHive dashboards. To open or create a new dashboard, go to "Dashboards".
"Thanks to Cortex, observables such as IP and email addresses, URLs, domain names, files or hashes can be analyzed using a Web interface. Analysts can also automate these operations and submit large sets of observables from TheHive or through the Cortex REST API from alternative SIRP platforms, custom scripts or MISP. When used in conjunction with TheHive, Cortex largely facilitates the containment phase thanks to its Active Response
Login: admin
Password: thehive1234
This is the main dashboard of "Cortex"
In this guide, we discovered a great incident management platform called "TheHive": we saw how to install it and use it to manage your team's cases.
In this guide, we are going to explore some powerful tools to help you enhance your incident
response and threat hunting assessments. These tools are OSQuery and Kolide Fleet.
OSQuery Overview
According to its official Github repository:
export OSQUERY_KEY=1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B
osqueryd: daemon
To explore the schema of a specific table, type:
.schema <TABLE_HERE>
The official website contains the list of all the available tables and their schemas. For example, this is the schema of the kernel_info table:
For example, to select the version of the kernel, type:
Let's suppose that you want to automate a specific query (selecting users) every 300 seconds. Edit the /etc/osquery/osquery.conf file and add your rules:
"schedule": {
  "Users": {
    "query": "SELECT * FROM users;",
    "interval": 300
  }
}
A collection of queries is called a Pack. OSQuery provides many helpful packs that you can use in your assessments here:
Note: Kolide is no longer maintaining Fleet. The new name is Fleet and it can be found here:
Fleet is the most widely used open source osquery manager. Deploying osquery with Fleet
enables programmable live queries, streaming logs, and effective management of osquery
across 50,000+ servers, containers, and laptops. It's especially useful for talking to multiple
devices at the same time.
sudo cp * /usr/bin/
Install this required program:
flush privileges;
Install Redis:
Prepare fleet:
--server_cert=/etc/ssl/certs/kolide.cert \
--server_key=/etc/ssl/private/kolide.key \
--logging_json --auth_jwt_key=9yKI2MeThUSLtsYiCS7etUSJZD1lgHLr
Start fleet:
Go to https://<SERVER_IP>:8080
Add your organization name, the organization domain name/IP and submit:
Voila! Kolide Fleet is deployed successfully.
Now let's add our host. To do so, click on "ADD NEW HOST" and you will get this window. It provides a key called "OSQuery enroll secret" that we are going to use later.
To add the host, we need to install the Fleet launcher. In our case we are using the same host.
Unzip the file:
cd linux
Congratulations! If you refresh the Kolide Fleet dashboard you will see the newly added host.
To run and add queries go to QUERY -> New Query
How to use the MITRE PRE-ATT&CK framework to enhance your reconnaissance assessments
In this module we are going to explore how to enrich reconnaissance assessments using the MITRE PRE-ATT&CK framework.
Nowadays the frameworks provide different matrices: Enterprise, Mobile, and PRE-ATT&CK.
Each matrix contains different tactics and each tactic has many techniques.
Building on ATT&CK, PRE-ATT&CK provides the ability to prevent an attack before the
adversary has a chance to get in. The 15 tactic categories for PRE-ATT&CK were derived
from the first two stages (recon and weaponize) of a seven-stage Cyber Attack Lifecycle
(first articulated by Lockheed Martin as the Cyber Kill Chain)
The Cyber Kill Chain is a military-inspired model that describes the steps and stages required to perform an attack. The Cyber Kill Chain framework was created by Lockheed Martin as part of the Intelligence Driven Defense model for the identification and prevention of cyber intrusion activity.
3. Target Selection
Techniques are used to execute an attack successfully. The PRE-ATT&CK framework presents 174
You can find the full matrix (Techniques and tactics) here:
Now let's explore some techniques:
Social engineering is the art of hacking humans. In other words, it is a set of techniques (technical and nontechnical) used to get useful and sensitive information from others using psychological manipulation. These are some reasons why people and organizations are vulnerable to social engineering attacks:
Wanting to help others
Lack of knowledge
Other causes were discussed and named "Cialdini's 6 Principles of Influence".
Cialdini's 6 principles of influence were developed by Dr Robert Cialdini. These principles can be exploited while performing a social engineering engagement. The principles are:
3. Social Proof: We tend to have more trust in things that are popular or endorsed by people that we trust
4. Liking: We are more likely to comply with requests made by people we like
5. Authority: We follow people who look like they know what they're doing
6. Scarcity: We are always drawn to things that are exclusive and hard to come by
The Social-Engineer Toolkit is an amazing open source project developed by TrustedSec to help penetration testers and ethical hackers perform social engineering attacks. To check the project's official GitHub repository, you can visit this link:
Active reconnaissance involves interaction with the target, for example, calling technical support to gain some sensitive information. Reconnaissance is not only technical. It is also an important weapon of competitive intelligence. Knowing some financial aspects of the target could mean that the attack succeeds. An example of active reconnaissance is network scanning. The aim of network scanning is identifying the live hosts, including the network services of an organization.
“Nmap ("Network Mapper") is a free and open source (license) utility for network discovery
and security auditing. Many systems and network administrators also find it useful for tasks
such as network inventory, managing service upgrade schedules, and monitoring host or
service uptime.
T1253 Conduct passive scanning
Passive reconnaissance involves acquiring information about the target without directly
interacting with it, for example, searching public information.
By definition:
Open source intelligence, like any methodological process, goes through a defined number of steps. In order to perform open source intelligence you can follow these phases:
Direction and planning: in this phase you need to identify the sources, in other words where you can find information
Collection: in this phase you will collect and harvest information from the selected sources
Processing and collation: during this phase you need to process information to get useful
Analysis and integration: in this phase you need to join all the information and analyse
Production, dissemination and feedback: finally, when you finish the analysis you need to present the findings and report them.
During many OSINT missions, you will be dealing with terrorism threats. Thus, it is essential to
collect many pieces of information about terrorism online. One of the most used services is the
"Global Terrorism Database". The project is managed by the National Consortium for the Study
of Terrorism and Responses to Terrorism (START) and it contains information about more than
190,000 terrorist attacks.
Firmware is the software that takes control of a device's hardware. You can use a lot of tools and utilities to analyze it. One of them is binwalk, a great tool also developed by Craig Heffner that helps pentesters analyze the firmware of an IoT device. You can simply grab it from this GitHub link:
T1261 Enumerate externally facing software applications, languages and
When performing reconnaissance, it is essential to identify the technologies in use. For example, to identify the web technologies in use you can use:
Job announcements could be a valuable source of information. Job postings can give an idea about the systems, technologies and products in use. To do so, you can check many job boards
A web application firewall (WAF) is a security solution that filters out bad HTTP traffic between a client and a web application. It is a common security control that helps you protect your web application. Most web application firewalls help you defend against many of the previously discussed web application vulnerabilities (XSS, SQLi and so on). For example, to detect WAFs you can use
To map network topology you can use many online tools including:
By searching online blogs and technical forums you can collect many useful pieces of
information about the targeted organization
The Whois database is a publicly accessible database containing the contact details of the
owner and contact person of each domain name as well as the data of the name server. It is
usually possible to find out the address, phone number, and e-mail address of the person who
owned or at least registered the website. In most cases, this person is the system administrator
of the website. You can use this online service:
Generally, it is hard to attack the target directly. Instead, the attackers target employees who have access to the systems, and in particular those with elevated privileges on the target systems. For example, a system administrator would be a great target. To find personnel with authority you can use the LinkedIn search option.
When performing open-source intelligence (OSINT), you usually try to find information about people from different publicly available social media platforms including Facebook, LinkedIn, Instagram and so on. To do so, you can use these powerful tools and websites:
This technique consists of finding known vulnerabilities in the targeted systems and applications. Vulnerabilities can be classified using a ranking system, for example the Common Vulnerability Scoring System (CVSS) for Common Vulnerabilities and Exposures (CVE) entries. To find vulnerabilities in a service you can use Shodan or any vulnerability scanner.
Shodan is a search engine that lets the user find specific types of computers (webcams,
routers, servers, etc.) connected to the internet using a variety of filters. Some have also
described it as a search engine of service banners, which are metadata that the server sends
back to the client. This can be information about the server software, what options the service
supports, a welcome message or anything else that the client can find out before interacting
with the server.
In this module we explored the MITRE PRE-ATT&CK framework and discovered some techniques used when performing reconnaissance against an organization.
How to Perform Open Source Intelligence (OSINT) with SpiderFoot
In this module we are going to explore a powerful OSINT tool called "SpiderFoot". OSINT, or "open source intelligence", is collecting publicly available information about a specific target.
The fuel of intelligence gathering is publicly available information from different sources. Intelligence gathering is not only important in information security and penetration testing, but it is vital for national security; and as many concepts are inspired by military strategies, intelligence gathering in the cyber security field is also inspired by the battlefield.
Intelligence gathering not only helps improve the security posture of the organization, but it gives managers an eagle eye on the competition, and it results in better business decisions.
Basically, every intelligence gathering operation is done following a structured
There are many intelligence gathering categories: human intelligence, signal intelligence, open
source intelligence, imagery intelligence, and geospatial intelligence.
Directed Gathering: This is a specific targeting operation. Usually, all the resources are meant to gather information about a unique target.
Active Intelligence Gathering: This process is more specific and requires less investment, and it targets a specific environment.
Passive Intelligence Gathering: This is the foundation of human intelligence. The information is collected in opportunistic ways such as through walk-ins or referrals, so there is no specific target except collecting information and trying to find something.
Signal intelligence
Signal intelligence (SIGINT) is the operation of gathering information by intercepting electronic signals and communications. It can be divided into two subcategories: communications intelligence (COMINT) and electronic intelligence (ELINT).
Open source intelligence (OSINT), as its name suggests, involves finding information about a defined target using available sources online. It can be done using many techniques:
* Conducting search queries in many search engines
* Gaining information from social media networks
* Searching in deep web directories and the hidden wiki
* Using forum and discussion
Direction and planning: in this phase you need to identify the sources, in other words where
you can find information
Collection: in this phase you will collect and harvest information from the selected sources
Processing and collation: during this phase you need to process information to get useful
Analysis and integration: in this phase you need to join all the information and analyse
Production, dissemination and feedback: finally when you finish the analysis you need to
present the findings and report them.
There are many helpful tools that you can use to perform OSINT, you can find some of them in
this post:
SpiderFoot has an embedded web-server for providing a clean and intuitive web-based
interface but can also be used completely via the command-line. It's written in Python 3 and
GPL-licensed.
IP address
Domain/sub-domain name
E-mail address
Phone number
Person's name
Clone the project from its Github repository using git clone:
cd spiderfoot
Voila! Now you can use it freely to perform your OSINT operation.
There is another option which is using a ready-to-go Spiderfoot instance. To do it check this
A module is a specific entity that performs a specific task. Spiderfoot comes with a long list of
modules including:
Accounts: Looks for possible associated accounts on nearly 200 websites like Ebay,
Slashdot, reddit, etc.
AlienVault OTX: Obtains information from AlienVault Open Threat Exchange (OTX)
In this module, we explored Open source intelligence and how to perform it using a powerful
tool called "SpiderFoot"
How to perform OSINT with Shodan
Open source intelligence, like any methodological process, goes through a defined number of
steps. In order to perform open source intelligence you can follow the following phases:
1. Direction and planning: in this phase you need to identify the sources, in other words where
you can find information
2. Collection: in this phase you will collect and harvest information from the selected sources
3. Processing and collation: during this phase you need to process information to get useful
4. Analysis and integration: in this phase you need to join all the information and analyse
5. Production, dissemination and feedback: finally when you finish the analysis you need to
present the findings and report them.
What is Shodan?
Shodan is a search engine that lets the user find specific types of computers (webcams,
routers, servers, etc.) connected to the internet using a variety of filters. Some have also
described it as a search engine of service banners, which are metadata that the server sends
back to the client. This can be information about the server software, what options the service
supports, a welcome message or anything else that the client can find out before interacting
with the server.
As a start, Shodan gives you the ability to start exploring some pre-selected search queries.
Some of the findings are:
Passwords and so on
For example, in the Industrial control systems section, you can search for
Furthermore, you can use shodan map for more geo-centric searches
Now let's explore how to perform some shodan queries.
To perform search, you will simply use the search bar in the main page
The simplest search form is typing the "term" you are looking for, like a website name, service or
something else, and Shodan will give pages of results that you can filter later.
Queries can be more specific. Shodan provides a list of advanced queries that you can use in
order to get more accurate information. Some of them are the following:
port: <Ports_HERE>
For example:
To search for a specific operating system (OS) type:
os: <OS_HERE>
Using MITRE ATT&CK to defend against Advanced Persistent Threats
Nowadays, new techniques are invented on a daily basis to bypass security layers and avoid
detection. Thus it is time to figure out new techniques too and defend against cyber threats.
Before diving into how to use MITRE ATT&CK framework to defend against advanced persistent
threats and protect critical assets, let's explore some important terminologies
By definition, a threat is a potential danger for the enterprise assets that could harm these
systems. In many cases, there is confusion between the three terms Threat, Vulnerability and
Risk; the first term, as I explained before, is a potential danger while a Vulnerability is a known
weakness or a gap in an asset. A risk is a result of a threat exploiting a vulnerability. In other
words, you can see it as an intersection between the two previous terms. The method used to
attack an asset is called a Threat Vector.
To discover some of the well-known APT groups you can check this great resource from
FireEye: Advanced Persistent Threat Groups
Security operation analysts should be proactive when it comes to gathering information and
intelligence about the external threats and adversaries to achieve faster detection.
Nowadays the framework provides different matrices: Enterprise, Mobile, and PRE-ATT&CK.
Each matrix contains different tactics and each tactic has many techniques.
To understand tactics and techniques we need to understand the pyramid of pain first. The
pyramid of pain shows the relationship between the types of indicators found when dealing
with adversaries. By indicators, I mean Hash values, IP addresses, Domain names,
Network/host artefacts, tools and Tactics, techniques and procedures (TTPs).
Tactics, Techniques and Procedures (TTPs) are how the attackers are going to achieve their
mission. A tactic is the highest level of attack behaviour. The MITRE framework presents the
tactics as the following:
1. Initial Access
2. Execution
3. Persistence
4. Privilege Escalation
5. Defense Evasion
6. Credential Access
7. Discovery
8. Lateral Movement
9. Collection
10. Exfiltration
Techniques are used to execute an attack successfully. For example, this is information about
the "AppCertDLLs" technique
Let's suppose that security analysts receive a report about a new APT group that threatens the
Middle East and Africa. We can take "Muddy Water APT" as an example.
Go to
And highlight all the techniques used by Muddy Water APT Group
Now you know your adversaries. It is time to prepare the mitigations (tools and techniques) and
discover the gaps in our defenses.
Create a roadmap to improve the defense gaps and update the map accordingly
Mitigations for every technique can be found on
In this module, we learned many important terminologies and how to use MITRE ATT&CK
framework to detect advanced persistent threats.
Module 13 - Hands-on Malicious Traffic Analysis with Wireshark
Before diving deep into traffic analysis, I believe that we need to explore some networking
fundamentals first. It is essential to learn how a network works. Networking is the process of
exchanging information between different devices. The transmission is usually done using a
transmission mode. In communications we generally have 3 transmission modes:
Simplex Mode: in this mode the data is transferred in one direction like the transmission
used in TV broadcasting
Half-duplex Mode: in this mode the data flows in two directions but using a single means of
Full-duplex Mode: in this mode the data flow is bidirectional and simultaneous.
When it comes to communication networks we have many types. Some of them are the following:
Local Area Network (LAN): this network is used in small surfaces and areas
Metropolitan area network (MAN): this network is larger than the Local Area Network. We
can use it, for example, to connect two offices.
Wide area network (WAN): We use this type of networks to connect large distances
Personal area network (PAN): this network is used in short distances and small areas like
a single room.
Network Topologies
A topology is a schematic representation of a network. You can see it as the layout of the
network and how the connected devices are arranged in the network. In networking we have
many topologies some of the them are:
Star Topology: all the devices are connected to a single node (Hub)
"Network traffic refers to the amount of data moving across a network at a given point of time.
Network data is mostly encapsulated in network packets, which provide the load in
the network. Network traffic is the main component for network traffic measurement,
network traffic control and simulation."
Traffic Analysis with Wireshark
The most suitable tool that will help you analyze your network traffic is definitely Wireshark.
Wireshark is a free and open-source tool to help you analyse network protocols with deep
inspection capabilities. It gives you the ability to perform live packet capturing or offline
analysis. It supports many operating systems including Windows, Linux, MacOS, FreeBSD and
many more systems.
Wireshark will help capture and analyze traffic as pcap files. The analysis follows the OSCAR
Collect Evidence
Let's start by analyzing a sample pcap file so we can understand Wireshark's capabilities. But
before that we need to know an important model called the OSI networking model:
By Definition: "The Open Systems Interconnection model (OSI model) is a conceptual model
that characterizes and standardizes the communication functions of a telecommunication or
computing system without regard to its underlying internal structure and technology. Its goal is
the interoperability of diverse communication systems with standard protocols. The model
partitions a communication system into abstraction layers. The original version of the model
defined seven layers."
In other words data is moving in the network respecting a specific order. The following are the
seven Layers of the OSI Model:
7- Application layer
6- Presentation layer
5- Session layer
4- Transport layer
3- Network layer
2- Data link layer
1- Physical layer
Once you open it with Wireshark you will get this main window:
Let's start collecting some helpful information like the Host, destination, source etc...
Dynamic Host Configuration Protocol (DHCP) is a network layer protocol based on RFC 2131
that enables assigning IP addresses dynamically to hosts. It goes through 4 steps:
Discovery
To learn more about Filters check this great resource: Using Wireshark – Display Filter
Now select DHCP Request and you will get many helpful pieces of information including the
client MAC address. In switching, the flow of traffic is determined by Media Access Control
(MAC) addresses. A MAC address is a unique 48-bit serial number. It is composed equally of
the Organizational Unique Identifier (OUI) and the vendor-assigned address. MAC addresses are
stored in a fixed size table called the Content Addressable Memory (CAM).
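As an added example (not code from the original module), here is a small Python parser that pulls the same fields Wireshark shows for a DHCP Request: message type, transaction id, the client MAC from chaddr with its OUI split off, the hostname option and the requested address. The sample message is constructed inside the code; the MAC is the one quoted in this walkthrough and the hostname is made up. It also checks that option 61 (client identifier) agrees with chaddr, a mismatch worth a second look in a suspicious capture.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP options (RFC 2131)
MESSAGE_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
                 5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM"}


@dataclass
class DhcpSummary:
    message_type: str
    xid: int
    client_mac: str               # from the fixed chaddr field
    oui: str                      # first 24 bits: the Organizational Unique Identifier
    hostname: Optional[str]       # option 12
    requested_ip: Optional[str]   # option 50
    client_id_mac: Optional[str]  # option 61, when it carries a hardware address
    client_id_matches: bool       # chaddr and option 61 agree on a normal client


def format_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_options(blob: bytes) -> Dict[int, bytes]:
    """Walk the TLV option list: code, length, value; 0 is padding, 255 ends the list."""
    options: Dict[int, bytes] = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        length = blob[i + 1]
        options[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return options


def parse_dhcp(payload: bytes) -> DhcpSummary:
    """Parse the 236-byte BOOTP header followed by the magic cookie and DHCP options."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid = struct.unpack("!BBBBI", payload[:8])
    if htype != 1 or hlen != 6:
        raise ValueError("only Ethernet hardware addresses are handled here")
    mac = format_mac(payload[28:28 + hlen])          # chaddr starts at offset 28
    opts = parse_options(payload[240:])
    msg_type = MESSAGE_TYPES.get(opts[53][0], "UNKNOWN") if 53 in opts else "UNKNOWN"
    hostname = opts[12].decode("ascii", "replace") if 12 in opts else None
    requested_ip = ".".join(str(b) for b in opts[50]) if len(opts.get(50, b"")) == 4 else None
    cid = opts.get(61)
    cid_mac = format_mac(cid[1:]) if cid and cid[0] == 1 and len(cid) == 7 else None
    return DhcpSummary(msg_type, xid, mac, mac[:8], hostname, requested_ip,
                       cid_mac, cid_mac is None or cid_mac == mac)


def build_sample_request(mac: bytes, hostname: str) -> bytes:
    """Constructed DHCPREQUEST for the demo (not taken from any capture)."""
    header = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x3903F326, 0, 0)  # op=BOOTREQUEST, Ethernet
    header += b"\x00" * 16                      # ciaddr, yiaddr, siaddr, giaddr
    header += mac + b"\x00" * 10                # chaddr is 16 bytes, padded
    header += b"\x00" * 64 + b"\x00" * 128      # sname, file
    host = hostname.encode("ascii")
    options = (b"\x35\x01\x03"                  # 53: DHCPREQUEST
               + b"\x3d\x07\x01" + mac          # 61: client identifier = htype 1 + MAC
               + b"\x32\x04" + bytes([192, 168, 1, 105])   # 50: requested IP
               + b"\x0c" + bytes([len(host)]) + host        # 12: hostname
               + b"\xff")
    return header + MAGIC_COOKIE + options


# The MAC is the one from the walkthrough above; the hostname is a constructed value.
SAMPLE_REQUEST = build_sample_request(bytes.fromhex("000124569bcf"), "DESKTOP-EXAMPLE")

if __name__ == "__main__":
    print(parse_dhcp(SAMPLE_REQUEST))
```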
The IP address, MAC address, and host name of the infected Windows host
By highlighting "Internet Protocol Version 4" we can get the IP address which is:
The MAC address is: 00:01:24:56:9b:cf
Like what we did previously to detect the hostname we can see that the hostname is: JUANITA-
To get the Windows user account, analyze the Kerberos traffic using this filter:
kerberos.CNameString
Based on the alerts we can tell that the malware was a variant of "Ursnif".
Ursnif steals system information and attempts to steal banking and online account
credentials. (from: F-Secure Labs: )
The malware appears to come from a mail because if you notice closely you will find that the
victim visited
In this article, we explored Wireshark and how to use it to perform malicious traffic analysis.
To learn more about traffic analysis you can download this doc that contains many useful
resources: Malicious Traffic Analysis Resources
Hands-on Guide to Digital Forensics
Digital forensics is one of the most interesting fields in information security. In this post, we will
explore what digital forensics is and we will learn how to perform some digital forensics tasks
using some powerful tools and utilities.
Forensics Imaging
Practical Lab: Autopsy Forensics Browser
Like any methodological operation, Computer forensic analysis goes through well-defined
steps: Identification , Preservation , Collection , Examination , Analysis and Presentation.
According to worldsecuresystems:
"A chain of custody is a document that is borrowed from law enforcement that tracks
evidence from the time the Computer Forensics Examiner gains possession of the item until
it is released back to the owner. "
During investigations, digital forensics experts deal with many hardware pieces and
devices including RAM and storage media devices. Thus, it is important to acquire suitable
hardware equipment to perform the task in good conditions. Some of the required hardware
pieces are the following:
As I said previously, a digital forensics computer needs to be equipped with many DF tools.
Some of the most used tools and operating systems are the following:
Volatility
X-Ways Forensics
Autopsy: the Sleuth Kit
Bulk Extractor
"Tcpdump is a powerful command-line packet analyzer; and libpcap, a portable C/C++ library
for network traffic capture." (Source:
"Wireshark is the world's foremost and widely-used network protocol analyzer. It lets you
see what's happening on your network at a microscopic level and is the de facto (and often de
jure) standard across many commercial and non-profit enterprises, government
agencies, and educational institutions. Wireshark development thrives thanks to the
volunteer contributions of networking experts around the globe and is a continuation
of a project started by Gerald Combs in 1998". (Source: wireshark.org)
As a demonstration let's explore how to analyse a small pcap file with Wireshark.
Open Wireshark
For example, we are going to extract the files from the captured packet:
Hard drive
USB drive
The removable storage media pieces need to be formatted with a specific filesystem. Some of
the most used filesystems are:
To collect host-based evidence, you need to know the difference between volatile data and non-
volatile data. Volatile data is data that is lost after a shutdown or some system changes. CPU
data and ARP cache are some forms of volatile data. Data stored in hard drives and Master File
Table (MFT) entries are non-volatile data. The host-based evidence acquisition can be done
locally or remotely. Also, it can be done online or offline. Evidence collection is performed with
what we call "Forensics Imaging"
Forensics Imaging
Forensics imaging is a very important task in digital forensics. Imaging is copying the data
carefully while ensuring its integrity and without leaving out a file, because it is very critical to
protect the evidence and make sure that it is properly handled. That is why there is a difference
between normal file copying and imaging. Imaging is capturing the entire drive. When imaging
the drive, the analyst images the entire physical volume including the master boot record. There
are two imaging techniques:
Raw images
Smart and so on
"FTK Imager is a data preview and imaging tool used to acquire data (evidence) in a
forensically sound manner by creating copies of data without making changes to the original
If you are using Kali Linux, you can find it directly there without the need to install it:
Add a host
Check the configuration and click Add Image
For the demo, we are going to use a memory dump sample (NTFS Undelete) from (Digital Forensics Tool Testing Images)
System Calls
Kernel hooks
To analyse memory you can simply use the Volatility framework, which is an open-source memory
forensics tool written in Python. It is available under the GPL. Volatility comes with various plugins
and a number of profiles to ease obtaining basic forensic information about memory image
files. To download it you can visit this website: The Volatility Foundation - Open Source Memory
Forensics or GitHub - volatilityfoundation/volatility
As a hands-on practice, we are going to analyse a memory dump from an infected computer
with Volatility. You can find many samples here:
For the demonstration, we are going to analyse a memory dump called " cridex.vmem"
Get Processes
Processes as Parent/Child
Get SIDs:
python vol.py --profile=<PROFILE_HERE> -f cridex.vmem getsids
Networking information:
Kernel modules:
For more information about the most used Volatility commands check these two helpful
resources:
SANS Volatility-memory-forensics-cheat-sheet.pdf
Digital Forensics and Incident Response
In this module, we discovered what digital forensics is, what are the different steps to perform
it, including evidence acquisition and analysis. Later, we explored some well-known digital
forensics tools by analyzing some memory dumps using Autopsy and Volatility framework.
How to Perform Static Malware Analysis with Radare2
In this article, we are going to explore how to perform static malware analysis with Radare2.
Before diving into technical details let's explore first what is malware analysis and what are the
different approaches to perform it.
Malware analysis is the art of determining the functionality, origin and potential impact of a
given malware sample, such as a virus, worm, trojan horse, rootkit, or backdoor. As a malware
analyst, our main role is to collect all the information about malicious software and have a
good understanding of what happened to the infected machines. Like any process, to perform a
malware analysis we typically need to follow a certain methodology and a number of steps. To
perform Malware Analysis we can go through three phases:
the work of malware analysts harder so they are always using packers and cryptors to evade
detection. That is why, during static analysis, it is necessary to detect them using tools like
To perform malware analysis you need to build a malware lab. To learn how to do it, I highly
recommend you to read my article:
Github account:
It is more than a reverse engineering tool. R2 is able to perform many other tasks. Usually, you
will find it hard to learn Radare2 but after a while, you will acquire a good understanding of
most of its features.
Let's get started by exploring this great tool. As a demonstration, we are going to learn how to
perform some static malware analysis with it. Usually, in the static analysis, we need to perform
these tasks and to collect many pieces of information including:
Decoding obfuscation
Determining Packers and Cryptors
Header information
Radare2 installation:
cd radare2
$ sys/
Radare2 contains many tools such as rabin2 , radiff2 , rax2 , rasm2 etc...
If you are using Kali Linux you can use it directly by typing:
For the demonstration, I downloaded "Multi-Platform Linux Router DDoS ELF".
rabin2 -I halfnint
rabin2 -z halfnint
Load the binary
radare2 halfnint
To get information use the " i " option. Check all the available gathered information by typing:
To calculate the hashes type:
But it is a bit outdated; thus, there is Yara support in r2 and PEiD signatures are available in
Yara format.
install libyara
r2pm init
r2pm -i yara3-lib
In this module, we explored the different techniques to perform malware analysis. Later we
learned how to install an amazing tool called "Radare2" and how to use it to perform some static
malware analysis tasks.
Malware Analysis: How to use Yara rules to detect malware
When performing malware analysis, the analyst needs to collect every piece of information that
can be used to identify malicious software. One of the techniques is Yara rules. In this article,
we are going to explore Yara rules and how to use them in order to detect malware.
After reading this article you can download this small document that includes other helpful
resources: Yara Rules Resources
Malware Analysis
Malware is a complex and malicious piece of software. Its behavior ranges from basic actions
like simple modifications of computer systems to advanced behavior patterns.
By definition, malware is a malicious piece of software with the aim of damaging computer
systems, such as data and identity stealing, espionage, infecting legitimate users and giving full or
limited control to its developer. To have a clear understanding of malware analysis, a malware
categorization based on its behavior is a must. Even though sometimes we cannot classify a malware
because it uses many different functionalities, in general malware can be divided into many
categories, some of which are described below:
Virus: this type of malware copies itself and infects computer machines
Malware analysis is the art of determining the functionality, origin and potential impact of a
given malware sample, such as a virus, worm, trojan horse, rootkit, or backdoor. As a malware
analyst, our main role is to collect all the information about malicious software and have a
good understanding of what happened to the infected machines. Like any process, to perform a
malware analysis we typically need to follow a certain methodology and a number of steps. To
perform Malware Analysis we can go through three phases:
Static malware analysis refers to the examination of the malware sample without executing it.
It consists of providing all the information about the malicious binary. The first steps in static
analysis are knowing the malware size and file type to have a clear vision about the targeted
machines, in addition to determining the hashing values, because cryptographic hashes like
MD5 or SHA1 can serve as a unique identifier for the sample file. To dive deeper, finding strings,
dissecting the binary and reverse engineering the code of malware using a disassembler like
IDA could be a great step to explore how the malware works by studying the program
instructions. Malware authors often are trying to make the work of malware analysts harder so
they are always using packers and cryptors to evade detection. That is why, during static
analysis, it is necessary to detect them using tools like PEiD.
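The first static-analysis steps described here and in the Radare2 module (size, file type, hashes, strings, packer detection) as one added Python example, not code from the original articles. The samples are constructed byte buffers rather than real binaries, and the packer check is an entropy heuristic standing in for the signature matching that PEiD does.

```python
import hashlib
import math
import random
import re
from typing import Dict, List

# Magic bytes checked during the first triage step (file size and type).
MAGICS = [
    (b"MZ", "PE/DOS executable"),
    (b"\x7fELF", "ELF executable"),
    (b"%PDF", "PDF document"),
    (b"PK\x03\x04", "ZIP container (also Office/JAR)"),
]


def file_type(data: bytes) -> str:
    """Identify the sample by its leading magic bytes, as the 'file' utility would."""
    for magic, name in MAGICS:
        if data.startswith(magic):
            return name
    return "unknown"


def hashes(data: bytes) -> Dict[str, str]:
    """MD5/SHA-1/SHA-256 of the whole sample: the identifiers used to look a sample up."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256")}


def extract_strings(data: bytes, min_len: int = 6) -> List[str]:
    """Printable ASCII runs plus UTF-16LE ('wide') runs, the two encodings Windows
    malware keeps URLs and registry keys in. A plain 'strings' run misses the wide ones."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_run.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_run.finditer(data)]
    return found


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, from 0.0 to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Packer/cryptor heuristic: compressed or encrypted payloads have a near-uniform
    byte distribution, so high entropy is the cue to look for a packer (a signature
    tool such as PEiD then names it). Plain code and data usually sit well below 7 bits."""
    return shannon_entropy(data) >= threshold


def triage(data: bytes) -> Dict[str, object]:
    """Collect the static-analysis facts the text lists: size, type, hashes, strings, packing."""
    return {
        "size": len(data),
        "type": file_type(data),
        "hashes": hashes(data),
        "strings": extract_strings(data),
        "packed": looks_packed(data),
    }


# Constructed stand-in for an unpacked Windows sample: a PE magic, an ASCII URL
# and a UTF-16LE registry key. Not a real binary.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"http://example.invalid/update.php\x00" + b"\x00" * 16
    + "Software\\Example\\Run".encode("utf-16-le") + b"\x00\x00"
    + b"\x00" * 200
)

# Constructed stand-in for a packed sample: 4 KiB of seeded pseudo-random bytes.
_rng = random.Random(7)
PACKED_SAMPLE = b"MZ" + bytes(_rng.getrandbits(8) for _ in range(4096))


if __name__ == "__main__":
    for name, blob in (("unpacked", SAMPLE), ("packed", PACKED_SAMPLE)):
        report = triage(blob)
        print(name, report["type"], report["size"], "bytes, packed:", report["packed"])
        print("  sha256:", report["hashes"]["sha256"])
        for s in report["strings"]:
            print("  string:", s)
```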
In this article, we are going to explore how to use YARA Rules. When performing static malware
analysis there are many techniques to classify malware and identify it such as hashes. Another
technique is using YARA rules. According to Wikipedia:
"YARA is the name of a tool primarily used in malware research and detection. It provides a
rule-based approach to create descriptions of malware families based on textual or binary
patterns. A description is essentially a Yara rule name, where these rules
Install Yara:
The first step, of course, is installing YARA. If you are using Ubuntu for example, you can simply
Or you can download the tar file and install it from Github
cd yara-3.7.1
make install
Yara needs the following libraries: automake, libtool, make and gcc, so ensure that you have
already installed them.
We already learned that we use Yara rules to detect malware. Let's discover how to do that in a
real-world example. For testing purposes, I am going to use malware from a dataset called
"theZoo": The project owners define the repository as follows:
theZoo is a project created to make the possibility of malware analysis open and available to the
public. Since we have found out that almost all versions of malware are very hard to come by in a
way which will allow analysis, we have decided to gather all of them for you in an accessible and
safe way. theZoo was born by Yuval tisf Nativ and is now maintained by Shahak Shalev.
Please remember that these are live and dangerous malware! They come encrypted and
locked for a reason! Do NOT run them unless you are absolutely sure of what you are doing!
To identify malware we are going to use publicly available rules as a demonstration. One of
the greatest resources is
Clone them
This project covers the need of a group of IT __Security Researchers__ to have a single repository
where different Yara __signatures__ are compiled, classified and kept as up to date as possible,
and began as an open source __community__ for collecting Yara rules. Our Yara ruleset is under
the GNU-GPLv2 license and open to any user or organization, as long as you use it under this
yara /home/azureuser/rules/malware/RAT_Njrat.yar <TARGET_FILE_HERE>
Yara detects the malicious file
Now let's explore the structure of a Yara rule. Yara rules usually contain:
Metadata: Information about the rule (Author, development date and so on)
Strings identification: You need to add the strings that YARA needs to look for in order to
detect malware.
Condition: this is a logical rule to detect the identified strings and indicators.
rule Malware_Detection
{
    strings:
        $a = "String1"
        $b = "String2"
    condition:
        ($a or $b)
}
all, and, any, ascii, at, condition, contains, entrypoint, false, filesize, fullword, for, global, in, import,
include, int8, int16, int32, int8be, int16be, int32be, matches, meta, nocase, not, or, of, private, rule,
strings, them, true, uint8, uint16, uint32, uint8be, uint16be, uint32be, wide
Let's suppose that we are going to create a rule that detects Ardamax Keylogger. First we need
to extract the strings using strings command
strings ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18
rule FirstRule {
    meta:
        author = "Chiheb"
        last_updated = "2019"
        category = "Test"
        confidence = "medium"
    strings:
        $a = "<STRING_1_HERE>" wide
        $b = "<STRING_2_HERE>" wide
        $c = "<STRING_3_HERE>" wide
    condition:
        ($a or $b or $c)
}
wide was added to search for strings encoded with two bytes per character
As you can see Yara detected the malicious file based on our rules:
Yara supports regular expressions thus you can use one of the following expressions
? Match 0 or 1 time
Yara Python
It is possible to add Yara capabilities to your python API thanks to a library called "Yara-Python".
With this library you can use YARA from your Python programs. It covers all YARA's features, from
compiling, saving and loading rules to __scanning__ files, strings and processes.
To install it:
cd yara-python
This is an example that shows how to include Yara-python in your python application:
>>> import yara
>>> rules = yara.compile(filepath="<RULE_FILE_HERE>")
>>> matches = rules.match("<TARGET_FILE_HERE>")
>>> print(matches)
>>> print(matches[0].rule)
>>> print(matches[0].tags)
>>> print(matches[0].strings)
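As an added illustration (not the Yara-Python library itself, and not code from the original article), the following Python shows what a rule like FirstRule above asks YARA to do: each string is turned into the byte patterns implied by its modifiers (wide gives the UTF-16LE form, nocase ignores case), the sample is scanned, and the condition is evaluated with a small parser instead of eval(). The strings, the registry key and the sample buffer are constructed for the demo.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class RuleString:
    ident: str              # e.g. "$a"
    text: str
    ascii: bool = False     # YARA implies ascii unless only 'wide' is given
    wide: bool = False      # also match the UTF-16LE form (two bytes per character)
    nocase: bool = False    # case-insensitive match

    def patterns(self) -> List[bytes]:
        out = []
        if self.ascii or not self.wide:
            out.append(self.text.encode("ascii"))
        if self.wide:
            out.append(self.text.encode("utf-16-le"))
        return out


def find_matches(data: bytes, strings: List[RuleString]) -> Dict[str, List[Tuple[int, bytes]]]:
    """Offsets and matched bytes per identifier, like match.strings in yara-python."""
    hits: Dict[str, List[Tuple[int, bytes]]] = {s.ident: [] for s in strings}
    for s in strings:
        flags = re.IGNORECASE if s.nocase else 0
        for pattern in s.patterns():
            for m in re.finditer(re.escape(pattern), data, flags):
                hits[s.ident].append((m.start(), m.group()))
    return hits


def evaluate(condition: str, matched: Set[str], total: int) -> bool:
    """Evaluate the condition forms used above: identifiers joined with and/or/not,
    parentheses, and 'any/all/N of them'. A tiny recursive-descent parser, not eval()."""
    tokens = re.findall(r"\$\w+|\(|\)|\w+", condition)
    pos = 0
    def take() -> str:
        nonlocal pos
        pos += 1
        return tokens[pos - 1]
    def peek():
        return tokens[pos] if pos < len(tokens) else None
    def atom() -> bool:
        tok = take()
        if tok == "(":
            value = expr_or()
            if take() != ")":
                raise ValueError("missing ')'")
            return value
        if tok == "not":
            return not atom()
        if tok.startswith("$"):
            return tok in matched
        if tok in ("any", "all") or tok.isdigit():
            if take() != "of" or take() != "them":
                raise ValueError("expected 'of them'")
            need = {"any": 1, "all": total}.get(tok, int(tok) if tok.isdigit() else 0)
            return len(matched) >= need
        raise ValueError(f"unexpected token {tok!r}")
    def expr_and() -> bool:
        value = atom()
        while peek() == "and":
            take()
            value = atom() and value   # atom() always runs, so the parser keeps advancing
        return value
    def expr_or() -> bool:
        value = expr_and()
        while peek() == "or":
            take()
            value = expr_and() or value
        return value
    result = expr_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in condition")
    return result


# Same shape as FirstRule above: three strings, the registry key marked 'wide'.
RULE_STRINGS = [
    RuleString("$a", "keylog.dat"),                              # ascii only (the default)
    RuleString("$b", "SOFTWARE\\Example\\Logger", wide=True),    # UTF-16LE only
    RuleString("$c", "sendmail", nocase=True),                   # ascii, any case
]

# Constructed sample buffer: the key is stored as UTF-16LE, as Windows binaries do.
SAMPLE = (b"\x00" * 8 + "SOFTWARE\\Example\\Logger".encode("utf-16-le")
          + b"\x00" * 8 + b"SendMail" + b"\x00" * 8)


def scan(data: bytes = SAMPLE, condition: str = "($a or $b or $c)"):
    """Return (rule matched?, per-string hits) for RULE_STRINGS against data."""
    hits = find_matches(data, RULE_STRINGS)
    matched = {ident for ident, found in hits.items() if found}
    return evaluate(condition, matched, len(RULE_STRINGS)), hits
```

Dropping the wide modifier from $b makes the rule miss this sample entirely, which is the point of the note about two bytes per character above.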
Evasion techniques
Black hat hackers are highly intelligent people. That is why they look every day for
methods to escape antiviruses and avoid detection. Antiviruses are not total protection
solutions. All the AV vendors are failing to detect advanced persistent attacks no matter how
sophisticated their solutions are. Attackers use many means and tactics to bypass
antivirus protection. Below are some methods used to fool antiviruses:
Obfuscation is a technique used to make the textual structure of a malware binary as hard to
read as possible. In the malware development world it is vital to hide what we call the
strings. Strings are significant words, usually URLs, registry keys etc. To do this,
cryptographic standards are used in many cases to achieve this task.
Binding is the operation of binding the malware into another legitimate application.
Crypters and packers are tools and techniques used to encrypt a malware and keep the
antivirus away from peeking inside. Packers, sometimes called executable compression
methods, are used to make reverse engineering more difficult.
By now, we have explored the different malware analysis approaches after a small overview
of some types of malicious software. Later we started exploring Yara rules, their
structure, how to detect malware with them and how to create your own first Yara rule. Then
we discovered the Python interface of Yara. Finally, we learned some AV evasion techniques.
Getting started with IDA Pro
To install IDA Pro on Windows you just simply need to go to: https://www.hex-
Once you start it, you will have the choice to work on a new project and load an old disassembly
As a demonstration, we are going to disassemble a simple malicious PE file from Paloalto
Networks. You can download it from here:
Portable Executable (PE) files are file formats for executables, DLLs, and object code used in
32-bit and 64-bit versions of Windows. They contain many useful pieces of information for
malware analysts, including imports, exports, time-date stamps, subsystems, sections, and
resources. The following is the basic structure of a PE file:
DOS Header : This starts with the first 64 bytes of every PE file, so DOS can validate the
executable and can run it in the DOS stub mode.
PE Header : This contains information, including the location and size of the code.
If you load a file, IDA will create a database "idb". The database contains:
This bar called "the navigation band" illustrates the memory space used by the binary
Functions Window:
It shows the imported libraries by the loaded binary
You can find a lot of other available views: View -> Open Subviews
To facilitate the navigation you can simply use the IDA shortcuts including:
You can find the full list here: Datarescue Interactive Disassembler (IDA) Pro Quick Reference
Based on its great capabilities IDA Pro is very helpful when it comes to Malware Analysis since
it gives you the ability to extract many pieces of information including Strings (F21), imports,
exports, graph flows and so on:
If you want to explore another great tool, I highly recommend you to take a look at my article:"
How to Perform Static Malware Analysis with Radare2"
In this article, we did a high-level overview of IDA PRO
Getting Started with Reverse Engineering using Ghidra
In this article, we are going to explore how to download Ghidra, install it and use it to perform
many important tasks such as reverse engineering, binary analysis and malware analysis.
"Ghidra is a software reverse engineering (SRE) framework created and maintained by the
National Security Agency Research Directorate. This framework includes a suite of full-featured,
high-end software analysis tools that enable users to analyze compiled code on a variety of
platforms including Windows, macOS, and Linux. Capabilities include disassembly, assembly,
decompilation, graphing, and scripting, along with hundreds of other features. Ghidra supports
a wide variety of processor instruction sets and executable formats and can be run in both
user-interactive and automated modes. Users may also develop their own Ghidra plug-in
components and/or scripts using Java or Python.
In support of NSA's Cyber Security mission, Ghidra was built to solve scaling and teaming
problems on complex SRE efforts, and to provide a customizable and extensible SRE research
platform. NSA has applied Ghidra SRE capabilities to a variety of problems that involve
analyzing malicious code and generating deep insights for SRE analysts who seek a better
understanding of potential vulnerabilities in networks and systems.
As you can notice from the official description, this tool was developed and is maintained by
the US NSA (National Security Agency), which leads us to wonder whether this tool is secure.
Check this post if you don't know what I am talking about:
Before diving into the fundamentals of reverse engineering with this powerful tool (Ghidra),
let's explore the compiling phases in order to get an executable and some important terminologies.
"Reverse engineering, also called back engineering, is the process by which a human-made
object is deconstructed to reveal its designs, architecture, or to extract knowledge from the
object; similar to scientific research, the only difference being that scientific research is about a
natural phenomenon."
As a demonstration, let's compile a simple C program. The most well-known easy program is simply
a "hello world!" program:
#include <stdio.h>

int main(void)
{
    printf("hello world!\n");
    return 0;
}
To use Ghidra we need to install it of course. As technical requirements, you need the following
1 GB storage (for installed Ghidra binaries)
We learned the compilation phases in order to generate a fully working binary. Now it is time to
continue our learning experience with acquiring some fundamentals about reverse engineering.
That is why we are going to download a small and easy CrackMe challenge and we will try to
understand what is doing and how it works in order to find the correct password to solve the
The challenge that we are going to solve is part of this free and publicly available training
Download the GitHub repository, go to /IOLI-crackme/bin-win32 and you will find the challenge
Enter a random password. In my case I entered "root" but I got an "Invalid Password!" error
Open Ghidra
Start a new project:
To solve the challenge, let's first start by extracting the binary's strings.
As you can notice, we get all the strings of the file. One of them is "Password OK :)"
Ghidra is powerful: it gives you the ability to decompile the file. As you can see from the
screenshot, it gives us readable code.
If you check the code carefully you will notice this line of code
if (local_8 == 0x149a)
    printf("Password OK :)\n");
On the other side of the window you will see the CMP instruction. With a small Google search
you will find that
"CMP is generally used in conditional execution. This instruction basically subtracts one
operand from the other to compare whether the operands are equal or not. It does not disturb
the destination or source operands. It is used along with the conditional jump instruction
for decision making."
Then, if our analysis is correct, the valid password will be the decimal conversion of "0x149a".
To check its value, double click on it and you will get this.
Go back to your terminal, run the binary and this time type 5274:
Congratulations, you solved your first crackme challenge.
This article will be updated with more interesting sections in the next few hours, like Malware
Analysis with Ghidra.
Further resources
This article was a good opportunity to learn the fundamentals of reverse engineering with an
amazing tool called "Ghidra"
How to Perform Memory Analysis
Malware threats are a very serious problem in information security nowadays. Dangerous
hackers invent new techniques on a daily basis to bypass security layers and avoid
detection. Thus it is time to figure out how to analyse memory dumps.
But this time I want to take this opportunity to elaborate more on memory analysis, because it is a
required skill for every forensics expert and malware analyst.
Dissecting Memory
Memory Management
Memory Analysis
Volatility Framework
Malware analysis is the art of determining the functionality, origin and potential impact of a
given malware sample, such as a virus, worm, trojan horse, rootkit, or backdoor. As a malware
analyst, your main role is to collect all the information about the malicious software and have a
good understanding of what happened to the infected machines. Like any process, to perform a
malware analysis you typically need to follow a certain methodology and a number of steps.
Memory malware analysis is widely used for digital investigation and malware analysis. It
refers to the act of analysing a dumped memory image from a targeted machine after
executing the malware, to obtain many artefacts including network information,
running processes, API hooks, kernel loaded modules, Bash history, etc. This phase is very
important because it is always a good idea to have a clearer understanding of the malware
• Networking information and interfaces (TCP/UDP)
• Kernel modules including the hidden
• Opened files in the kernel
Dissecting Memory
If we are going to learn how to analyse memory dumps, we first need to explore what memory
is and how it works.
Memory is a vital component in the computer architecture. Computers are composed of:
"RAM (pronounced ramm) is an acronym for random access memory, a type of computer
memory that can be accessed randomly; that is, any byte of memory can be accessed without
touching the preceding bytes. RAM is found in servers, PCs, tablets, smartphones and other
devices, such as printers. RAM is volatile."
The memory is divided into 4,096-byte chunks named pages, to facilitate internal
handling. The 12 least significant bits of an address are the offset within the page; the rest is the
page number. On the x86 architecture, for example, the Linux kernel divides the virtual address space
(usually 4 GB) into 3 GB dedicated to user land and 1 GB for kernel land. This split is named
segmentation. The kernel uses a page table for the correspondence between physical and virtual
addresses. To manage the different regions of memory, it uses virtual memory areas (VMAs).
The stack is a special memory space. In programming, it is an abstract data type used to
collect elements using two operations: push and pop. This section grows automatically, but
when it gets close to another memory section it will cause a problem and confuse
the system. That is why attackers use this technique to confuse the system with other
memory areas.
The heap is used for dynamic memory allocation. It resides in RAM like the stack, but it is
slower. The kernel heap uses the following three types of allocators:
Simple list of blocks (SLOB): this is an allocator used in small systems. It uses a first-fit
You can explore the detailed sections of memory in this great cheat sheet:
Memory Management
3. Bus addresses
"The most common goal of performing forensics is to gain a better understanding of an event of
interest by finding and analyzing the facts related to that event... Forensics may be needed in
many different situations, such as evidence collection for legal proceedings and internal
disciplinary actions, and handling of malware incidents and unusual operational problems."
Like any methodological operation, computer forensic analysis goes through well-defined
steps: collection, examination, analysis and reporting. Let's explore these steps one by one:
2. Examination: assessing and extracting the relevant pieces of information from the
collected data
3. Analysis
4. Reporting
The steps are based on the NIST Guide to Integrating Forensic Techniques into Incident
Response. I highly recommend exploring the process in detail (Performing the Forensic
Routing tables, process tables, memory
Hard drive
Memory Acquisition
The first step of memory analysis is memory acquisition: dumping the memory of a machine
using one of a number of utilities. One of these tools is fmem, a kernel module that creates a
new device called /dev/fmem to allow direct access to the whole memory. After downloading it
from the official repository and compiling it, you can acquire the machine memory using this
Another tool is the Linux Memory Extractor (LiME), a Loadable Kernel Module (LKM) that allows
volatile memory acquisition from Linux and Linux-based devices, such as Android.
Mdd (Memory DD) (is no longer under active development.)
A full list of useful tools can be found here: Tools: Memory Imaging
To identify malicious network activities, many experts recommend following these steps. First,
identify the process IDs (PIDs) of the network connections.
Then map those PIDs to process names, and document every step and process
by collecting the artefacts: taking notes, screenshots and of course timestamps.
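The PID-to-process mapping described above, as an added example in Python (not part of the original article and not Volatility's own code). The two text blocks are constructed samples shaped like a process list and a network scan from a memory analysis tool; the column layout, PIDs and addresses are assumptions for illustration only. A connection whose PID has no owner in the process list is kept and flagged rather than dropped, since a missing owner is itself an artefact worth noting:

```python
"""Correlate network connections with process names by PID.

Added example: the samples below are CONSTRUCTED and only imitate the shape
of process-list / network-scan output. Nothing here is real tool output.
"""

# Constructed sample: one process per line, "PID  PPID  Name".
PSLIST_SAMPLE = """\
PID   PPID  Name
4     0     System
512   4     smss.exe
1234  900   explorer.exe
2048  1234  svchost.exe
3100  1234  notepad.exe
"""

# Constructed sample: "Proto  LocalAddr  ForeignAddr  State  PID".
# PID 9999 deliberately has no entry in PSLIST_SAMPLE.
NETSCAN_SAMPLE = """\
Proto  LocalAddr          ForeignAddr         State        PID
TCPv4  10.0.0.5:49152     203.0.113.10:443    ESTABLISHED  2048
TCPv4  10.0.0.5:49153     203.0.113.10:8080   ESTABLISHED  2048
TCPv4  10.0.0.5:49160     198.51.100.7:443    ESTABLISHED  3100
TCPv4  10.0.0.5:49170     192.0.2.9:80        ESTABLISHED  9999
UDPv4  0.0.0.0:137        *:*                 -            4
"""


def parse_pslist(text):
    """Return {pid: name} from the process-list sample (header skipped)."""
    procs = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 3 and fields[0].isdigit():
            procs[int(fields[0])] = fields[2]
    return procs


def parse_netscan(text):
    """Return one dict per connection from the network-scan sample."""
    conns = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) == 5 and fields[4].isdigit():
            conns.append({"proto": fields[0], "local": fields[1],
                          "foreign": fields[2], "state": fields[3],
                          "pid": int(fields[4])})
    return conns


def map_connections_to_processes(pslist_text, netscan_text):
    """Join connections to process names by PID.

    Unknown PIDs are labelled "<unknown>" so the analyst sees them
    (a hidden or already-exited process would show up this way).
    """
    procs = parse_pslist(pslist_text)
    rows = []
    for c in parse_netscan(netscan_text):
        rows.append((c["pid"], procs.get(c["pid"], "<unknown>"),
                     c["proto"], c["local"], c["foreign"], c["state"]))
    return rows


def processes_with_established_connections(pslist_text, netscan_text):
    """Return {process name: sorted foreign endpoints} for ESTABLISHED connections."""
    result = {}
    for _pid, name, _proto, _local, foreign, state in map_connections_to_processes(
            pslist_text, netscan_text):
        if state == "ESTABLISHED":
            result.setdefault(name, []).append(foreign)
    return {name: sorted(endpoints) for name, endpoints in result.items()}


if __name__ == "__main__":
    for row in map_connections_to_processes(PSLIST_SAMPLE, NETSCAN_SAMPLE):
        print("PID %-5d %-12s %s %s -> %s (%s)" % row)
```

The same two parsers can be pointed at the real text output of a process-list and a network-scan plugin once the column positions are adjusted; the join logic does not change.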
Note: this section is not completed yet. The processes will be described in a detailed way. Stay
Useful PhD thesis: Advances in Modern Malware and Memory Analysis - contains 4 new
Post Updates
2. Advanced Infrastructure Penetration Testing Chiheb Chebbi
Modern organizations face cyber threats on a daily basis. Black hat hackers do not show any
indication that they are going to stop. New hacking techniques appear regularly. According to
multiple information security reports, the number of APT attacks is increasing in a notable way,
targeting national defenses, manufacturing, and the financial industry. Thus, classic protection
techniques are, in many cases, useless. Deploying suitable platforms and solutions can help
organizations and companies defend against cyber attacks, especially APTs. Some of these
platforms are attack simulation tools. In this article we are going to learn how to deploy a red
teaming simulation platform called Atomic Red Team.
“Red teaming is the practice of rigorously challenging plans, policies, systems and
assumptions by adopting an adversarial approach. A red team may be a contracted external
party or an internal group that uses strategies to encourage an outsider perspective.”
Initial compromise
Establish persistence
Escalate privileges
Internal Recon
Lateral movement
Data analysis
1. Initial Access
2. Execution
3. Persistence
4. Privilege Escalation
5. Defense Evasion
6. Credential Access
7. Discovery
8. Lateral Movement
9. Collection
10. Exfiltration
Import-Module ./Invoke-AtomicRedTeam.psm1
Now you can run any test you want by simply running the following command:
Invoke-AtomicTest $TXXXX
How to build a Machine Learning Intrusion
Detection system
Machine learning techniques are changing our view of the world and they are impacting all
aspects of our daily life. Thus machine learning is playing a huge role in information security. In
this module you will not only explore the fundamentals behind machine learning techniques but
you will dive into a hands-on experience to learn how to build real world Intrusion detection
systems from scratch using cutting edge techniques, programming libraries and publicly
available datasets.
Artificial intelligence
Artificial intelligence is the art of making computer programs behave like a human, and by
behave I mean perceiving, learning, understanding and knowing. AI involves many areas
such as computer science, neuroscience, psychology and so on.
Machine Learning models
Machine learning is the study and the creation of algorithms that learn from given data and
examples. It is a particular approach to artificial intelligence. Tom M. Mitchell (an American
computer scientist) defines machine learning as "A computer program is said to learn from
experience E with respect to some class of tasks T and performance measure P if its
performance at tasks in T, as measured by P, improves with experience E". In machine learning
we have four major models: supervised, semi-supervised, unsupervised and reinforcement.
I. Supervised learning: if we have both the input and the output variables then it is supervised
learning. In this case we only need to map the function between the inputs and the outputs.
Supervised learning can be divided into two sub-categories: classification and regression.
- Classification: when the output is a categorical variable
- Regression: when the output variables are continuous values.
Naive Bayes: this classification algorithm is based on Bayes' theorem.
Decision Trees: machine learning algorithms that predict the possible outputs thanks
to a tree-like graph; the entire data is represented as a root node and the final leaves are
called terminal nodes. Dividable nodes are known as decision nodes.
Support Vector Machines: binary classifiers used to identify a separating hyper-plane
for data represented in a multi-dimensional space. Thus, that hyper-plane is not
necessarily a simple line.
II. Semi-supervised: this model is not fully supervised since it contains both labeled and
unlabeled data. This model is generally used to improve the learning accuracy.
III. Unsupervised: if we don't have information about the output variables then it is
unsupervised learning. The model is trained entirely with unlabeled data. Clustering is one of
the best known unsupervised techniques.
IV. Reinforcement: in this model the agent is optimized based on the feedback from the
environment (the reward).
tp = True Positive
fp = False Positive
tn = True Negative
fn = False Negative
Precision, or Positive Predictive Value, is the ratio of the positive samples that are correctly
classified to the total number of samples classified as positive. Simply, it is the number of the
Recall, or True Positive Rate, is the ratio of true positive classifications to the total number of
positive samples in the dataset. It represents how many of the true positives were found.
F-Score, or F-Measure, is a measure that combines precision and recall in one harmonic
Accuracy is the ratio of the total correctly classified samples to the total number of samples.
This measure is not sufficient by itself, because it is used when we have an equal number of
Confusion Matrix
A confusion matrix is a table that is often used to describe the performance of a classification
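The metrics above, implemented from scratch as an added example (not code from the original article). The ground-truth and predicted labels are constructed, with 1 meaning "attack" (the positive class) and 0 meaning "normal". A second, deliberately skewed sample shows why accuracy alone is misleading on imbalanced data: a detector that flags nothing scores 90% accuracy with zero recall.

```python
"""Confusion matrix, precision, recall, F-score and accuracy from scratch.

Added example: the label lists are CONSTRUCTED, 10 connections each.
"""

# Constructed sample: ground truth and what a detector predicted.
Y_TRUE = [1, 1, 1, 1, 0, 0, 0, 0, 0, 0]
Y_PRED = [1, 1, 1, 0, 1, 0, 0, 0, 0, 0]

# Constructed skewed sample: one attack among ten, and a detector that never fires.
Y_TRUE_SKEWED = [1, 0, 0, 0, 0, 0, 0, 0, 0, 0]
Y_PRED_SILENT = [0] * 10


def confusion_matrix(y_true, y_pred, positive=1):
    """Return (tp, fp, tn, fn) counts, treating `positive` as the attack label."""
    if len(y_true) != len(y_pred):
        raise ValueError("label lists must have the same length")
    tp = fp = tn = fn = 0
    for truth, pred in zip(y_true, y_pred):
        if pred == positive:
            if truth == positive:
                tp += 1          # attack correctly flagged
            else:
                fp += 1          # normal traffic flagged: false alarm
        else:
            if truth == positive:
                fn += 1          # attack missed
            else:
                tn += 1          # normal traffic correctly ignored
    return tp, fp, tn, fn


def precision(tp, fp):
    """tp / (tp + fp); 0.0 when nothing was flagged at all."""
    return tp / (tp + fp) if tp + fp else 0.0


def recall(tp, fn):
    """tp / (tp + fn); 0.0 when the dataset holds no positives."""
    return tp / (tp + fn) if tp + fn else 0.0


def f_score(tp, fp, fn):
    """Harmonic mean of precision and recall."""
    p, r = precision(tp, fp), recall(tp, fn)
    return 2 * p * r / (p + r) if p + r else 0.0


def accuracy(tp, fp, tn, fn):
    """Share of all samples classified correctly."""
    total = tp + fp + tn + fn
    return (tp + tn) / total if total else 0.0


def evaluate(y_true, y_pred):
    """Return every metric in one dict keyed by name."""
    tp, fp, tn, fn = confusion_matrix(y_true, y_pred)
    return {"tp": tp, "fp": fp, "tn": tn, "fn": fn,
            "precision": precision(tp, fp),
            "recall": recall(tp, fn),
            "f_score": f_score(tp, fp, fn),
            "accuracy": accuracy(tp, fp, tn, fn)}


if __name__ == "__main__":
    for label, (t, p) in {"balanced": (Y_TRUE, Y_PRED),
                          "skewed": (Y_TRUE_SKEWED, Y_PRED_SILENT)}.items():
        print(label, {k: round(v, 3) for k, v in evaluate(t, p).items()})
```

On the balanced sample the detector reaches precision, recall and F-score of 0.75 with accuracy 0.8; on the skewed sample the silent detector still gets accuracy 0.9 while recall is 0, which is the point the paragraph on accuracy makes.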
As a programming language we use Python for many reasons. First, compared to other
languages it is more productive and flexible than Java and C++. According to
78% of developers use Python in their artificial intelligence projects, which means better
documentation and support from the development community. Python comes with external,
easy and advanced machine learning packages in terms of run-time and complexity. The
following are some of the most used Python libraries in machine learning:
• Theano: an open source neural network library written in Python running on top of
TensorFlow to ease the experimentation and evaluation of neural network models.
To install any Python library this command will do the job : pip install Package-Here
The following graph illustrates a comparison between some machine learning frameworks
made by Favio Vázquez especially Deep learning frameworks
The main goal of artificial neural networks is to mimic how the brain works. To have a better
understanding, let's explore how a human brain actually works. The human brain is a fascinating,
complex entity with many different regions performing various tasks like listening, seeing,
tasting and so on. If the human brain uses many regions to perform multiple tasks, then
logically every region acts using a specific algorithm, for example an algorithm for seeing, an
algorithm for hearing, etc. Right? Wrong! The brain works using ONE algorithm. This
hypothesis is called the "one learning algorithm" hypothesis. There is some evidence that the
human brain uses essentially the same algorithm to understand many different input
modalities. For more information check the ferret experiments, in which the "input" for vision was
plugged into the auditory part of the brain, and the auditory cortex learned to "see." The cell that
composes the nervous system is called a neuron. Information transmission happens
using electrochemical signalling, and propagation is done thanks to the neuron's dendrites.
The analogy of the human brain neuron in machine learning is called a perceptron. All the input
data is summed and the output applies an activation function. We can see activation functions
as information gates.
PS: "The analogy between a perceptron and a human neuron is not totally correct. It is
used just to give a glimpse of how a perceptron works. The human mind is far more
complicated than artificial neural networks. There are a few similarities, but a comparison
between the mind and neural networks is not really correct."
ReLU function: it is also called a rectified linear unit. It gives an output x if x is positive and
0 otherwise.
Many connected perceptrons build a simple neural network that consists of three parts: an input
layer, a hidden layer and an output layer. The hidden layer plays the inter-communication role
in the neural network, which is sometimes called a multi-layer perceptron network. If we
have more than 3 hidden layers then we are talking about deep learning, and deep learning
According to data scientists and deep learning experts like the machine learning practitioner
Dr. Jason Brownlee, every deep learning model must go through five steps:
• Network Definition: in this phase we need to define the layers. Thanks to Keras this step is
easy, because it defines neural networks as sequences, and to define layers we just need to
create a sequence instance mentioning the number of outputs.
• Network Compiling: now we need to compile the network, including choosing the optimization
technique, like Stochastic Gradient Descent (sgd), and a loss function (the loss function is used to
measure the degree of fit); to evaluate the model we can use Mean Squared Error (mse).
• Network Fitting: a back-propagation algorithm is used during this step, based on the
parameters specified in the compiling step.
• Network Evaluation: after fitting the network, an evaluation operation is needed to evaluate
the performance of the model.
• Prediction: finally, after training the deep learning model, we can use it to predict a new
malware sample using a testing dataset.
Host Based Intrusion Detection Systems (HIDS): they run on the enterprise hosts to
Network Based Intrusion Detection Systems (NIDS): their role is to detect network
anomalies by monitoring the inbound and outbound traffic.
Anomaly-based intrusion technique: inspects the traffic based on the behavior of activities.
Modern organizations are facing thousands of threats on a daily basis. That is why the classic
techniques cannot be a wise solution to defend against them. Many researchers and
information security professionals are coming up with new concepts, prototypes or models to try
to solve these serious security issues. For example, this graph shows the different intrusion
detection techniques, including the discussed machine learning algorithms:
By now, after reading the previous sections, we are able to build a machine learning detection
system. As discussed before, the first step is data processing. There are many publicly available
datasets in the wild used by data scientists to train machine learning models. You can download
some of them from here:
The NSL-KDD is one of the most used datasets in anomaly-based intrusion detection models. It
contains different attack categories: DoS, Probe, U2R and R2L.
After choosing the features that you are going to work on and splitting the dataset into two sub-
datasets, one for training and one for testing (they should not be the same), you can choose one
of the machine learning algorithms represented in the graph of intrusion detection techniques
and train your model. Finally, when you finish the training phase, it is time to put your model to
the test and check its accuracy based on the machine learning evaluation metrics. To explore
some of the tested models I recommend taking a look at the "Shallow and Deep Networks
Intrusion Detection System: A Taxonomy and Survey" research paper.
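The procedure just described (pick features, keep training and test records separate, train a model, then evaluate it) as one complete added example in pure Python. This is not code from the original article and not the NSL-KDD data itself: the records are constructed to resemble three of the NSL-KDD categorical columns (protocol_type, service, flag) with the label collapsed to normal/attack, and the classifier is a categorical Naive Bayes with add-one (Laplace) smoothing, one of the algorithms listed earlier. Smoothing is what keeps a service value never seen during training (such as "telnet" below) from zeroing out a class at prediction time.

```python
"""Categorical Naive Bayes intrusion classifier on NSL-KDD-style records.

Added example: TRAIN and TEST are CONSTRUCTED records, not NSL-KDD rows.
Each record is (protocol_type, service, flag, label).
"""
import math
from collections import Counter, defaultdict

FEATURES = ("protocol_type", "service", "flag")

# Constructed training set: six normal connections, six attack connections
# (the attack rows mimic SYN-flood-like and ICMP-echo-flood-like records).
TRAIN = [
    ("tcp", "http", "SF", "normal"),
    ("tcp", "http", "SF", "normal"),
    ("tcp", "smtp", "SF", "normal"),
    ("udp", "domain_u", "SF", "normal"),
    ("tcp", "ftp_data", "SF", "normal"),
    ("udp", "ntp_u", "SF", "normal"),
    ("tcp", "private", "S0", "attack"),
    ("tcp", "private", "S0", "attack"),
    ("tcp", "private", "S0", "attack"),
    ("tcp", "private", "REJ", "attack"),
    ("icmp", "ecr_i", "SF", "attack"),
    ("icmp", "ecr_i", "SF", "attack"),
]

# Constructed held-out test set; deliberately disjoint from TRAIN as a list.
TEST = [
    ("tcp", "private", "S0", "attack"),
    ("tcp", "http", "SF", "normal"),
    ("icmp", "ecr_i", "SF", "attack"),
    ("udp", "domain_u", "SF", "normal"),
]


class CategoricalNaiveBayes:
    """Naive Bayes for categorical features with add-one smoothing."""

    def __init__(self):
        self.class_counts = Counter()               # label -> number of records
        self.feature_counts = defaultdict(Counter)  # (label, feature index) -> value counts
        self.vocab = defaultdict(set)               # feature index -> all values seen

    def fit(self, records):
        for *values, label in records:
            self.class_counts[label] += 1
            for i, v in enumerate(values):
                self.feature_counts[(label, i)][v] += 1
                self.vocab[i].add(v)
        return self

    def log_prob(self, values, label):
        """log P(label) + sum_i log P(value_i | label), with Laplace smoothing."""
        total = sum(self.class_counts.values())
        lp = math.log(self.class_counts[label] / total)
        for i, v in enumerate(values):
            counts = self.feature_counts[(label, i)]
            lp += math.log((counts[v] + 1) /
                           (self.class_counts[label] + len(self.vocab[i])))
        return lp

    def predict(self, values):
        """Return the label with the highest posterior for one feature tuple."""
        return max(self.class_counts, key=lambda c: self.log_prob(values, c))


def train_and_evaluate(train=TRAIN, test=TEST):
    """Fit on `train`, predict `test`; return (model, predictions, accuracy)."""
    model = CategoricalNaiveBayes().fit(train)
    predictions = [model.predict(rec[:-1]) for rec in test]
    correct = sum(p == rec[-1] for p, rec in zip(predictions, test))
    return model, predictions, correct / len(test)


if __name__ == "__main__":
    model, preds, acc = train_and_evaluate()
    for rec, p in zip(TEST, preds):
        print(rec[:-1], "->", p, "(truth: %s)" % rec[-1])
    print("accuracy:", acc)
```

On a real NSL-KDD file you would read the CSV rows, keep the columns you chose as features, and feed the tuples to the same `fit` and `predict` methods; the accuracy returned here should then be complemented with the precision and recall metrics from the evaluation section, since NSL-KDD classes are not balanced.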
There is a lot of talk about the promise of machine learning or AI in information security, but
on the other side there is a debate and some concerns about it. To discover more about
machine learning promises in cyber security, it is highly recommended to watch Thomas Dullien's
talk "Machine Learning, offense, and the future of automation" from here:
You can also download the presentation slides from this link: Presentation Slides
This article is a fair overview of machine learning in information security. We discussed the
required fundamentals of every machine learning project, starting from the fundamentals to
gaining the skills to build machine learning projects. We took intrusion detection systems as a
real-world case study.
Azure Sentinel: Process Hollowing (T1055.012)
Before jumping into the detection part, it is essential to explore some important terminologies.
According to MITRE:
To learn more about process hollowing, I highly recommend you check this piece from
For the detection we are going to use Azure Sentinel and sysmon. Sysmon can be downloaded
from here:
To explore sysmon events, use Windows Event Viewer: Applications and Services Logs ->
Microsoft -> Windows -> Sysmon -> Operational
To send sysmon events to Azure sentinel, deploy a new connector (Security Events) to start
with Windows Event logs
To check the events go to Azure Sentinel Logs section and run the following query:
As you will notice the EventData fields are not parsed and filtered. Thus, it is recommended to
use one of Azure Sentinel sysmon parsers:
To use the parser, copy the file content in log analytics and save it as a function (e.g
Sysmon_Parser). Now the events are well parsed:
To correlate APIs with Events, a mapping phase is needed for a better visibility. Thankfully, you
can use these sheets:
More details about mapping can be found here: Uncovering The Unknowns
Module 23 - Azure Sentinel - Send Events with
Filebeat and Logstash
In this new post we are going to explore how to send events/logs to Azure Sentinel using
Filebeat and Logstash.
Filebeat comes with a number of ready-made log modules, such as the following:
sudo vi /etc/filebeat/filebeat.yml
Start Filebeat
Enter /etc/logstash/conf.d/
cd /etc/logstash/conf.d/
sudo vi Azure-Sentinel.conf
input { beats { port => 5044 } }   # listen for Filebeat on TCP 5044
filter { }                          # no transformation in this example
output {
  microsoft-logstash-output-azure-loganalytics {
    workspace_id => "<WORKSPACE_ID>"    # placeholder: Log Analytics workspace ID
    workspace_key => "<WORKSPACE_KEY>"  # placeholder: workspace primary key
    custom_log_table_name => "filebeat" # shows up in Sentinel as filebeat_CL
  }
}
Start logstash
In this article, we are going to explore how to monitor similar domains to yours, in order to
protect your users from being victims of social engineering attacks.
When performing computer-based social engineering attacks such as phishing, attackers buy
similar domains to yours in order to trick your users. This is why keeping an eye on similar
domains is essential to avoid such attacks.
First we need to find these domains. One of the tools that helps you generate similar
domains is "DNS Twist". You can find it here:
You can even try to generate some domains online here:
In this demonstration, we are going to use python on Windows to generate similar domains:
For example these are some similar domains to "" after parsing only the domain
You can also use this API:
To store the similar domains you can build a small script. For example, the
following snippet stores similar domains in a file called "Similar-Domains.txt":
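Such a script, as an added example in Python (not the author's snippet and not dnstwist's own code): a few DNSTwist-style permutation strategies (character omission, repetition, adjacent transposition, homoglyph substitution and TLD swap) applied to the constructed seed domain "example.com", with a constructed homoglyph table and TLD list, plus a helper that writes the result one domain per line to "Similar-Domains.txt" so each line becomes one record when the file is collected as a custom log:

```python
"""Generate look-alike domains and store them one per line.

Added example: the seed domain, HOMOGLYPHS table and ALT_TLDS are CONSTRUCTED
for illustration; the strategies are a small subset of what dnstwist does.
"""

# Constructed homoglyph table: characters commonly confused with each other.
HOMOGLYPHS = {
    "o": ["0"], "l": ["1", "i"], "i": ["l", "1"], "e": ["3"],
    "a": ["4"], "s": ["5"], "m": ["rn"], "w": ["vv"],
}
# Constructed list of alternative TLDs to watch.
ALT_TLDS = ["net", "org", "co", "info"]


def split_domain(domain):
    """Split "label.tld" into (label, tld); only the label is permuted."""
    label, _, tld = domain.lower().rpartition(".")
    if not label or not tld:
        raise ValueError("expected a domain like example.com")
    return label, tld


def permutations(domain):
    """Return a sorted list of look-alike domains, excluding the original."""
    label, tld = split_domain(domain)
    labels = set()
    for i, ch in enumerate(label):
        labels.add(label[:i] + label[i + 1:])                       # omission
        labels.add(label[:i] + ch + label[i:])                      # repetition
        if i + 1 < len(label):
            labels.add(label[:i] + label[i + 1] + ch + label[i + 2:])  # transposition
        for sub in HOMOGLYPHS.get(ch, []):
            labels.add(label[:i] + sub + label[i + 1:])             # homoglyph
    candidates = {lab + "." + tld for lab in labels if lab}
    candidates.update(label + "." + t for t in ALT_TLDS if t != tld)  # TLD swap
    candidates.discard(domain.lower())
    return sorted(candidates)


def save_similar_domains(domains, path="Similar-Domains.txt"):
    """Write one domain per line; return the number of lines written."""
    with open(path, "w", encoding="utf-8") as fh:
        for d in domains:
            fh.write(d + "\n")
    return len(domains)


def load_similar_domains(path="Similar-Domains.txt"):
    """Read the stored list back, skipping blank lines."""
    with open(path, encoding="utf-8") as fh:
        return [line.strip() for line in fh if line.strip()]


if __name__ == "__main__":
    found = permutations("example.com")
    print("generated", save_similar_domains(found), "similar domains")
    for d in found[:10]:
        print(d)
```

The output file is plain text with a newline-delimited record per domain, which is the layout the custom log upload in the next steps expects; the real dnstwist tool adds many more strategies (bit flips, vowel swaps, dictionary words) and can also resolve each candidate to see which ones are already registered.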
Once we have a file that contains the similar domains, we need to send them to Sentinel
so that later we can create rules based on them.
Go to "Custom logs" sections and upload a log sample (a snippet from your similar domains
Add the file path. In my case "C:\Users\Computer\Similar-Domains.txt". If you have many log
files you can use a wildcard pattern such as *, e.g.: C:\Users\Computer\*.txt
Go to Sentinel log section and you will find it under Custom Logs
“Great things are done by a series of small things brought together.“ - Vincent Van Gogh
Modern organizations face cyber threats on a daily basis. Black hat hackers do not show any
indication that they are going to stop. Thus, it is essential for every organization to protect its
assets and its clients against these threats. Information security is a journey and cannot be
achieved overnight. Furthermore, organizations do not need the next {AI-ML-Nextgen-
blockchain-put any buzzword here} security product to be secure, but if you
need to protect your organization and users, it is essential to take the first steps. Small actions
can take you a long way in your cybersecurity journey.
Do you have an idea how many data breaches and cyber-attacks could be avoided by taking
small actions like simply enabling MFA or by updating and patching a system?
That is why “Security Hygiene” is very important. Security hygiene is simply a set of small
actions and best practices that can be performed to protect the organization and enhance its
security posture. There are many security hygiene principles that you can follow immediately.
Some of them are the following:
Enabling MFA
Now let’s explore how Azure Security Center can help you in your cyber hygiene journey.
Microsoft documentation describes Azure Security Center as follows:
Secure Score
You can’t enhance what you can’t measure. That is why one of the most helpful metrics
provided by the Security Center is the “Secure Score”. Secure Score is an aggregation of many
values and assessment results that gives you a clear idea about your current security situation and
consequently helps you track it. The score is represented as a percentage and
it is calculated as follows:
To raise the “secure score”, you need to take actions based on the provided recommendations.
For example, if you enable MFA, 10 points will be added to your score. More details about the
secure score calculation can be found here:
Recommendations can be found simply by selecting the “Recommendations” link in the side
menu. The recommendations page gives you helpful insights about your resource health.
Resource health is identified based on a pre-defined list of security controls. You need to
remediate the provided security controls to increase the “Secure score”. Thus your security
posture will improve accordingly.
Some insights about the recommendations are shown on the main page of the security center
Visibility is very important when it comes to information security and especially in security
hygiene. Azure Security Center gives you clear visibility for your assets and resources on the
“Inventory” page.
Furthermore, it is possible to check the coverage by exploring the “coverage” page, where you
can identify the covered Azure subscriptions.
Regulatory Compliance
Many organizations need to be aligned and compliant with industry and regulatory standards,
and benchmarks. Azure Security Center saves your precious time and provides you with a
regulatory compliance section where you can ensure how your organization is aligned with
industry standards or internal policies.
To explore it, simply select the “Regulatory compliance” page. For example, as a start, you are
provided with “Azure Security Benchmark v2”.
“The Azure Security Benchmark (ASB) provides prescriptive best practices and
recommendations to help improve the security of workloads, data, and services on Azure.”
You can enable and disable the standards
Furthermore, you can add regulatory compliance standards from a list provided by the security
center to help you start right away.
Azure Defender
Azure Defender is integrated with the Security Center and helps you protect your hybrid
resources and workloads. According to Microsoft documentation:
“Azure Defender provides security alerts and advanced threat protection for virtual machines,
SQL databases, containers, web applications, your network, and more.”
Alerts are shown on the “Security Alerts” page where you can see the triggered alerts with
different severities and the affected resources.
If you select a specific alert you will get more details about it
Alerts are mapped to the MITRE ATT&CK framework. MITRE ATT&CK is a framework
developed by the MITRE Corporation. The comprehensive document classifies adversary
attacks, in other words their techniques and tactics, after observing millions of real-world
attacks against many different organizations. This is why ATT&CK stands for "Adversarial
Tactics, Techniques & Common Knowledge".
Nowadays the framework provides different matrices: Enterprise, Mobile, and PRE-ATT&CK.
Each matrix contains different tactics and each tactic has many techniques.
Tactics, Techniques, and Procedures (TTPs) are how the attackers are going to achieve their
mission. A tactic is the highest level of attack behaviour. The PRE-ATT&CK MITRE framework
presents the 15 tactics as follows:
3. Target Selection
Azure Security Center gives you the ability to integrate workloads from other cloud providers
such as AWS and Google GCP. To connect your cloud accounts select the “Cloud Connectors”
- Take Actions Now
"What would life be if we had no courage to attempt anything?" - Vincent Van Gogh
It is time to take some actions and try Azure Security Center by yourself. Go to your Azure
Portal and search for "Security Center"