Links collected from the SOC Core Skills class, December 14 to 17, 2020.
SOC Core Skills w/ John Strand
- strandjs/IntroLabs: These are the labs for my Intro class. Yes, this is public. Yes, this is intentional.
- Home - PingCastle
- sans-blue-team/DeepBlueCLI
- davehull/Kansa: A Powershell incident response framework
- Velociraptor / Dig deeper
- ComodoSecurity/openedr: Open EDR public repository
- OS Detection | Nmap Network Scanning
- Service and Version Detection | Nmap Network Scanning
- Unfetter Project
- Neo23x0/sigma: Generic Signature Format for SIEM Systems
- mvelazc0/PurpleSharp: PurpleSharp is a C# adversary simulation tool that executes adversary techniques with the purpose of generating attack telemetry in monitored Windows environments
- Home | CyberDefenders ® | Blue Team CTF Challenges
- Online translator for SIEM saved searches, filters, queries and Sigma rules - Uncoder.IO
- Endpoint security delivers anti-malware, high-fidelity alerting, and faster hunting & response | Elastic
- Training - Cyber Threat Hunting w/ Chris Brenton - Active Countermeasures
- Cybersecurity Supply And Demand Heat Map
- Cyber Security Resources | SANS Institute
- Welcome to Zentral - Zentral
- Joplin - an open source note taking and to-do application with synchronisation capabilities
- Objective-See
- cherrytree – giuspen
- fireeye/red_team_tool_countermeasures
- Tactics, Techniques and Procedures (TTPs) Utilized by FireEye’s Red Team Tools
- IOC Bucket - Most Recent IOCs Uploaded
- Cyberseek
- The Ultimate List of SANS Cheat Sheets | SANS Institute
- Boundary by HashiCorp
- OverTheWire: Bandit
- Terminus
- SS64 Command line reference
- The Bash Guide
- Linux Survival | Where learning Linux is easy
- explainshell.com - match command-line arguments to their help text
- aristocratos/bpytop: Linux/OSX/FreeBSD resource monitor
- trashhalo/readcli: Tool that lets you read website content on the command line
- steveshogren/10-minute-vim-exercises: The exercise files from 10 Minute Vim, for convenience of readers
- Learn SQL | Codecademy
- Smart Searching with GoogleDorking
- Bpytop - An Efficient Resource Monitor in Linux
- 12 Days of Cyber Defense - YouTube
- Checklists & Step-by-Step Guides | SCORE | SANS Institute
- IncidentResponse.com | Incident Response Playbooks Gallery
- Rumble Network Discovery
- IT & Software - Tutorial Bar
- CIS Controls SME Companion Guide
- Microsoft Word - SEC503HANDOUT_TCPIP_RG_E01_01
- SANS Blue Team Operations
- Protocol Header Cheatsheets — Pingfu
- Default TTL (Time To Live) Values of Different OS - Subin's Blog
- Learn Azure in a Month of Lunches | Microsoft Azure
- Welcome to SecurityTube.net
- Chappell University | Laura's Lab Blog
- Wireshark Tutorial: Changing Your Column Display
- Cheat Sheet - Common Ports
- Cheat Sheets - PacketLife.net
- 5 Fun & Geeky Things You Can Do With the Telnet Client | Digital Citizen
- Shodan Cheat Sheet: Keep IoT In Your Pocket | The Dark Source
- Shodan Pentesting Guide – TurgenSec Community
- ICS Village
- 15 Vulnerable Sites To (Legally) Practice Your Hacking Skills
- 124 legal hacking websites to practice and learn – blackMORE Ops
- Enterprise Attacker Emulation and C2 Implant Development w/ Joff Thyer – Wild West Hackin' Fest
- Hacking VoIP | No Starch Press
- Cyber Security Training : HTB Academy
- OverTheWire: Wargames
- TryHackMe | 25 Days of Cyber
- Offensive Countermeasures: 9781974671694: Computer Science Books @ Amazon.com
- Applied Incident Response: 9781119560265: Computer Science Books @ Amazon.com
- Electronic library Download books free. Finding books
- google/timesketch: Collaborative forensic timeline analysis
- How SPF, DKIM, and DMARC Authentication Works to Increase Inbox Penetration (Testing) Rates - Black Hills Information Security
- Cyber Range - Black Hills Information Security
- Wappalyzer - Chrome Web Store
- Complete Python Developer in 2021: Zero to Mastery | Udemy
- Recorded Future - Chrome Web Store
- Blog - Active Countermeasures
- How to Think Like a Computer Scientist — How to Think Like a Computer Scientist: Learning with Python 3
- Ransomware Activity Targeting the Healthcare and Public Health Sector | CISA
- Certified Reverse Engineering Analyst (CREA)
- Department of Computer Science and Technology – Course pages 2019–20: Software and Security Engineering – Course materials
- Homepage | CISA
- redcanaryco/atomic-red-team: Small and highly portable detection tests based on MITRE's ATT&CK.
- Hacking a Security Career - Deviant Ollam - YouTube
- palantir/alerting-detection-strategy-framework: A framework for developing alerting and detection strategies for incident response.
- Library Genesis
- Exploit Pack
- VECTR | Overview
- Autonomous Red Teaming for Everyone | Prelude Operator
- SANS Emergency Webcast: What you need to know about the SolarWinds Supply-Chain Attack - YouTube
- Summary of SolarWinds breach for InfoSec noobs – Michele's Blog
- Kroll Artifact Parser and Extractor - KAPE
- Eric Zimmerman's tools
- Active Defense & Cyber Deception w/ John Strand – (16 Hours) – Wild West Hackin' Fest
- But what is a Neural Network? | Deep learning, chapter 1 - YouTube
- Blue Team News (@blueteamsec1) / Twitter
- CybatiWorks - CybatiWorks for Applied Research and Development
- Free Firewall for Home Edition | Sophos Home Firewall
- 13Cubed Episode Guide
- SRUM forensics
- Another Forensics Blog: Triage Collection and Timeline Generation with KAPE
- Introduction to DFIR. One of my favorite things is talking to… | by Scott J Roberts | Medium
- Autopsy and Cyber Triage DFIR Training
- The DFIR Report - Real Intrusions by Real Attackers, The Truth Behind the Intrusion
- Firewalla | Firewalla: Cybersecurity Firewall For Your Family and Business
- Cyber Triage - Online Incident Response Training with Brian Carrier
- Protectli: Trusted Firewall Appliances with Firmware Protection
- Download VMware vSphere Hypervisor for Free
- LabGopher :: Great server deals on eBay
- Sophos Free Demos: Next Generation Security Solutions
- Hackers used SolarWinds' dominance against it in sprawling spy campaign | Reuters
- How the SolarWinds Hackers Bypassed Duo’s Multi-Factor Authentication - Schneier on Security
Networking
- tcpdump-cheat-sheet.jpg (2500×1803)
- Getting Started With TCPDump - Black Hills Information Security
- Visio-tcpdump.vsd
- ASCII - Wikipedia
- Why use a named pipe instead of a file? - Ask Ubuntu
- Using ping to exfiltrate data
- Malware-Traffic-Analysis.net
- Practical Packet Analysis, 3rd Edition | No Starch Press
- tcpdump101.com - Build PCap Syntax Online
- Getting Started With Wireshark - Black Hills Information Security
- A tcpdump Tutorial with Examples — 50 Ways to Isolate Traffic | Daniel Miessler
- tcpdump.pdf
- Wireshark Tutorial: Identifying Hosts and Users
- Malware-Traffic-Analysis.net - Traffic Analysis Exercises
- wizardzines
- Brim
- Wireshark Tutorial: Decrypting HTTPS Traffic (Includes SSL and TLS)
- Scapy
- Packet Analysis | Chris Sanders
- GDPR Summary - An overview of the General Data Protection Act
- The Zeek Network Security Monitor
- how to make IP geolocation map using WireShark - kalitut
- Malware of the Day Archives - Active Countermeasures
- Decrypting and analyzing HTTPS traffic without MITM – Silent Signal Techblog
- Getting started with TCPDump - John Strand - YouTube
- Chappell University | Certification
- Notable Privacy and Security Books 2020 - TeachPrivacy
- ntopng – ntop
- Cisco Certified CyberOps Associate - Cisco
Memory Forensics
- editcap - The Wireshark Network Analyzer 3.4.1
- Security for Professionals
- Understanding IP Addressing and CIDR Charts — RIPE Network Coordination Centre
- robcowart/elastiflow: Network flow analytics (Netflow, sFlow and IPFIX) with the Elastic Stack
- SampleCaptures - The Wireshark Wiki
- CyberChef
- Powershell: Encode and decode Base64 strings
- TLS Fingerprinting with JA3 and JA3S | by John Althouse | Salesforce Engineering
- clong/DetectionLab: Automate the creation of a lab environment complete with security tooling and logging best practices
- Packet Diagrams in Wireshark - YouTube
- brimsec/zq: Search and analysis tooling for structured logs
- Office 95 Excel 4 Macros
- RITA - Black Hills Information Security
- SIEMonster | Affordable Security Monitoring Software Solution
- PacketTotal - A free, online PCAP analysis engine
- Link-Local Multicast Name Resolution - Wikipedia
- Releases | volatilityfoundation
- Product Downloads | AccessData
- fireeye/win10_volatility: An advanced memory forensics framework
- 2020 Agenda - OSDFCon
- Belkasoft RAM Capturer: Volatile Memory Acquisition Tool
- CheatSheet_v2.4
- Mimikatz – Active Directory Security
- Memory Forensics Cheat Sheet
- Six Facts about Address Space Layout Randomization on Windows | FireEye Inc
- gcla/termshark: A terminal UI for tshark, inspired by Wireshark
- AMF | memoryanalysis
Egress Traffic Analysis
- LOLBAS
- WADComs
- Webcast: Attack Tactics 7 - The Logs You Are Looking For - Black Hills Information Security
- Cyber Threat Hunting | Chris Brenton | October 2020 | 4 Hours - YouTube
- Pi-hole – Network-wide protection
- BPF: A New Type of Software
- salesforce/ja3: JA3 is a standard for creating SSL client fingerprints in an easy to produce and shareable way.
- Raspberry Pi sensors for home networks - YouTube
- Corelight@Home
- How to use a Raspberry Pi as a Network Sensor - Bill Stearns - YouTube
- The Practice of Network Security Monitoring | No Starch Press
- Real Intelligence Threat Analytics (RITA) Overview & AI-Hunter Demo - YouTube
- cyber.dhs.gov - Emergency Directive 21-01
- SANS Emergency Webcast: What you need to know about the SolarWinds Supply-Chain Attack - SANS Institute
- ET Pro Telemetry edition — OPNsense documentation
- Tool Analysis Result Sheet
- Advanced Persistent Threat Actors Targeting U.S. Think Tanks | CISA
- JPCERTCC/LogonTracer: Investigate malicious Windows logon by visualizing and analyzing Windows event log
- Neo4j Graph Platform – The Leader in Graph Databases
- Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win. | Microsoft Docs
- Security Researcher Reveals Solarwinds' Update Server Was 'Secured' With The Password 'solarwinds123' | Techdirt
- You Should Probably Change Your Password! | Michael McIntyre Netflix Special - YouTube
- Sysmon - Windows Sysinternals | Microsoft Docs
- splunk/botsv1
- splunk/botsv2: Splunk Boss of the SOC version 2 dataset.
- splunk/botsv3: Splunk Boss of the SOC version 3 dataset.
- Enterprise Cybersecurity - Recon InfoSec
- OpenSOC - Network Defense Simulation
- Demystifying the Windows Firewall – Learn how to irritate attackers without crippling your network | New Zealand 2016 | Channel 9
- research/uniq-hostnames.txt at main · bambenek/research
- Windows Security Log Encyclopedia
- Detecting Kerberoasting Activity – Active Directory Security
- Kerberos & Attacks 101 - SANS Institute
- Basic Kerberos Authentication - YouTube
- PowerPoint Presentation
- SANS Webcast: Kerberos & Attacks 101 - YouTube
- Kerberos and Attacks 101 - Tim Medin - YouTube
- How To Disable LLMNR & Why You Want To - Black Hills Information Security
- Kerberos & Attacks 101 - YouTube
- Proof-of-Concept Exploit Code for Kerberos Bronze Bit Attack Published - Binary Defense
- Kerberoasting How To with Tim Medin - YouTube
- Unofficial Guide to Mimikatz & Command Reference – Active Directory Security
- Mimikatz - Metasploit Unleashed
- Prevent Windows from storing an LM hash of the password in AD and local SAM databases - Windows Server | Microsoft Docs
- Collecting Process Start Events (4688) Without the Noise
- Set up PowerShell script block logging for added security
- Use Windows Event Forwarding to help with intrusion detection (Windows 10) - Windows security | Microsoft Docs
- olafhartong/sysmon-modular: A repository of sysmon configuration modules
- activecm/BeaKer: Beacon Kibana Executable Report. Aggregates Sysmon Network Events With Elasticsearch and Kibana
- palantir/windows-event-forwarding: A repository for using windows event forwarding for incident detection and response
- Applied Purple Teaming w/ Kent Ickler and Jordan Drysdale – (16 Hours) – Wild West Hackin' Fest
- How to Write Sigma Rules - Nextron Systems
- How to Build an Active Directory Hacking Lab - YouTube
- Setting up Active Directory in Windows Server 2019 (Step By Step Guide) - YouTube
- Sigma Rules Repository Mirror | TDM by SOC Prime
- Accessing Event Data and Fields in the Configuration | Logstash Reference [7.10] | Elastic
- Filter plugins | Logstash Reference [7.10] | Elastic
- AWS Penetration Testing
- sbousseaden/EVTX-ATTACK-SAMPLES: Windows Events Attack Samples
- Windows Security Log Event ID 4776 - The domain controller attempted to validate the credentials for an account
- Jump start with Docker · JPCERTCC/LogonTracer Wiki
- Attack Tactics 6: Return of the Blue Team - YouTube
- 4724(S, F): An attempt was made to reset an account's password. (Windows 10) - Windows security | Microsoft Docs
- Attack Tactics 7: The logs you are looking for - YouTube
- Attack Tactics - YouTube
- nathanmcnulty/Disable-NetBIOS.ps1 at master - nathanmcnulty/nathanmcnulty
- Beyond LLMNR/NBNS Spoofing – Exploiting Active Directory-Integrated DNS
- Memory Samples · volatilityfoundation/volatility Wiki
- ATT&CK® EVALUATIONS
Endpoint Protection Analysis
Vulnerability Management