Copyright © Blue Team Handbook. All rights reserved.
A condensed guide for the Cyber Security Incident Responder.
Below is the Table of Contents for Version 3.0.
Introduction to V3.0. 11
GitHub Code here.
Chapter One: Practical Incident Response Defined. 15
The NIST Incident Response Life Cycle. 16
The SANS Incident Response Life Cycle. 17
Dynamic Incident Response and Intelligence Lifecycles. 17
Time Based Security by Winn Schwartau. 19
Leveraging MITRE ATT&CK® for Incident Response. 21
Prioritizing Data Collection Using ATT&CK. 23
Threat Informed Defense. 25
Need a Place to Start? 26
Adapting IR Lifecycles to Your Organization. 27
The Changing Adversary Landscape. 27
Further Reading. 29
Chapter Two: The Six Steps of Modern Incident Response. 30
Preparation: Know Thy Network and Identities That Use It. 31
Preparation: Tools and Techniques Survey and Checklist. 39
Australia’s Strategies to Mitigate Cybersecurity Incidents. 40
Physical and Data Link Layer Practices. 41
Network and Routing Layer. 43
Application Layer. 44
Visibility Tools and Techniques. 45
Preparation: Command Line Auditing. 46
Preparation: Learn Data Breach Rules of the Road. 48
Preparation: Policy and Procedure. 49
Preparation: Enable Early Warning Indicators. 50
Identification: How Serious Is It? 51
Containment: Stopping the Adversary. 55
Eradication: Revert Adversary Actions. 60
Recovery: Back Up and Running. 61
Lessons Learned: Reporting and Follow Up. 62
Incident Driven Countermeasures. 63
Chapter Three: Incident Response Skills and Practices. 65
Finding Metrics That Matter. 65
Golden Rules of IR Metrics. 65
Incident Response Metrics. 66
Improving Investigations. 68
Understand the Alexiou Principle. 70
Externalization. 70
Be Aware of Confirmation Bias. 71
Follow Scene Safe. 72
The Incident Command Role. 72
Indicator of Attack vs. Indicator of Compromise. 73
Examples of Indications of Attack. 74
Examples of Indications of Compromise. 78
Using The OODA Loop. 80
Assessing the Impact of a Cyber Attack. 82
Avoid Analysis Paralysis. 83
Essential IR Business Process and Paperwork. 84
Regulatory Considerations. 84
Chain of Custody and Evidence Topics. 86
Suggestions for Organizing Evidence Data. 86
The Traffic Light Protocol. 87
Computer Security Incident Response Plan and Success Criteria. 88
CSIRP Sample Table of Contents. 88
CSIRP Development Success Criteria. 90
Incident Response Templates. 91
PICERL Six Step Incident Response Template. 92
Commercial Incident Response Template. 94
PenTest Authorization Letter by Ed Skoudis. 96
Develop a Trap and Trace Authorization Letter. 98
End User Focused Data Collection Form(s). 98
Countermeasures and the SBAR Format. 99
Secure IR Communications. 101
Using GnuPG for Free Encrypted Email. 101
Incident Response and Forensics Are Partners. 102
Understand the Order of Volatility. 102
Triage: 5% of the Data Tells Most of the Story. 103
System Forensics: Dig Deep and Dissect at a Cost. 103
Derailing IR and DFIR: Mistakes to Avoid. 104
Packaged Cyber Threat Intelligence for IR. 108
Using Bootable Linux Distributions. 108
Using Linux with VMware Workstation. 109
Chapter Four: Understanding Adversary Tools and Tactics. 113
The Attack Process, IR Tools, and IR Points. 113
Adversary Campaign Patterns. 114
Reconnaissance: Tools and Techniques. 118
Google Searching. 120
Web Based Recon Sites. 121
Weaponization: Building the Adversary Toolset. 122
Scanning: Tools and Techniques. 123
Nmap Scanning. 123
Using Nmap Scripting Engine Scripts. 125
Ping Sweep Scans. 126
IPv6 Networks. 126
Masscan for IPv4 Networks. 126
Windows Counter Loops. 127
Exploitation: Tools and Techniques. 128
Maintain Access: Tools and Techniques. 129
Over the Wire. 129
Rootkits. 131
LOLBins. 131
User Accounts. 132
ASEPs and Registry Based Persistence. 133
File System Persistence. 134
Scheduled Tasks. 134
Logon Script. 134
Data Relay and Backdoor: Netcat and Cryptcat on Linux. 135
Netcat Data Transfer. 135
Netcat Backdoor Techniques. 136
Linux netcat backdoor without the -e Option. 137
Setup a Netcat Relay on Linux. 137
Cryptcat. 138
Password Guessing. 138
Chapter Five: Windows Volatile Data Investigation. 141
Normal Windows 11 Processes. 141
Step One: Prepare IR Collection Environment. 142
Option One: Collect Data to Local USB. 143
Option Two: Collect Data to Network Share. 144
Option Three: Upload to a Web Server. 144
Step Two: Collecting Physical Memory. 145
VMware ESX Memory Dump. 146
Step Three: Memory Analysis with Volatility. 147
Volatility 2.6.1. 147
Volatility V3. 148
Step Four: Process Indicator Analysis Questions. 151
Windows Suspicious Processes: Process Explorer. 152
Step Five: Collect Live System State Data. 154
Step Six: Windows Server-Side Collection and Open File Support. 159
Step Seven: Collect Disk Details and Image. 160
Using FTK Imager to create a Triage Image. 162
Using FTK Imager to create a Logical Volume Image. 164
Step Eight: Collect Supplemental System Information. 165
Windows Firewall. 166
Common Windows Directories Used for Startup. 168
Windows Scheduled Tasks. 168
Common Windows 32bit/64bit Registry AutoStart Locations. 169
Other Windows Artifact Investigation. 172
Windows Log Files and Locations. 172
Automated Collection With KAPE. 173
KAPE Quick Start. 174
KAPE and Missing Binaries. 175
DeepBlueCLI for Windows. 176
RDBMS Incident Response. 176
Microsoft SQL Server Notes. 177
Chapter Six: Windows Host Analysis with PowerShell. 179
Investigating a Stand-Alone Remote System with WinRM. 179
Investigating Local vs. Remote Systems. 182
Use PSSession for 1:1 Remoting. 182
Using Invoke-Command to Script Remote System Interrogation. 183
Directory Sharing. 184
Creating System and Date Stamped Files. 185
Determine PowerShell Version. 185
Document TimeZone, ENV, System Date, and Time. 185
Machine and OS Information. 187
User Accounts, Groups, and Current Logins. 188
Network Configuration for IPv4 and IPv6. 190
AutoStart Extensibility Points (ASEPs). 191
Running Processes. 193
Installed and Running Services. 197
Installed Certificates. 197
Drivers Installed and Running. 198
Files and Directories. 198
Shares and Currently Open Server-Side Files. 201
WMI Indicators. 205
Physical Drives. 207
Mapped Drives. 207
Registry Export. 209
Scheduled Tasks. 210
Active Network Connections. 212
Currently Installed Hotfixes. 214
Installed Applications. 214
Windows AppLocker. 215
Files Changed Since. 216
Search for Alternate Data Streams. 217
Search for Specific files by Extension. 218
Search for Files by Size. 218
Search for Hidden Files and Retrieving File Times. 218
Collecting USB Related Information. 219
Shadow Copy State. 220
DNS Cache. 220
Analyzing Windows Event Logs. 222
Investigating Specific Event IDs in the Security Log. 226
Using the Positional Method for Logins (Event ID 4624). 226
Using the XML Overlay Method For Logins (Event ID 4624). 228
Event 4688 and Command Line Auditing. 228
Examining Sysmon Event Logs. 229
Chapter Seven: Active Directory Analysis. 235
Adversary Actions Start with Reconnaissance. 235
Kerberoasting. 236
Authentication Server Response (AS-REP) Roasting. 237
Password Spray Attack. 238
Unconstrained Delegation Account Abuse. 239
Certificate Services (AD CS) Compromise. 239
DCSync and its Cousin, DCShadow. 239
Golden Ticket. 240
FOSS Active Directory Assessment. 241
Chapter Eight: Linux Volatile Data System Investigation. 243
Linux and IR. 243
Linux Command Background. 243
Grep Quick Start. 245
Step One: Preparing Storage for Data Collection. 247
Step Two: Dump and Analyze Physical Memory. 248
Dump/Capture Memory to a Remote System using NetCat. 249
Volatility 3 and Linux Command Set. 249
Step Three: Collect Live System State Data. 251
Capture System State. 252
User Accounts. 252
Secure Shell Service and Details. 254
Network Activity. 256
Sudo Configuration and Activity. 257
Process Details. 257
System Services and Cron. 259
Step Four: Linux Investigation Using lsof. 261
Step Five: Linux Additional Artifact Investigation. 263
Filesystem Information. 263
File Sharing with NFS and SAMBA. 264
Log Collection. 265
Linux Package Management and Investigation. 267
Other Topics. 270
Containment with Linux Iptables Essentials: An Example. 270
Using The iptables Command. 270
Using nft. 272
Recovery: Firewall Assurance/Testing with HPing. 273
Recovery: Vulnerability Testing with OpenVAS. 273
Chapter Nine: Network Based Analysis. 275
Capturing Packet Data. 275
Local Capture. 276
Mirror / SPAN Enterprise Switch Configurations. 276
Deploying a Network Tap. 277
Hypervisors. 277
Cloud Service Providers and Packet Capture. 278
NGFWs and TLS Decrypted Packet Export. 278
Network Device Collection and Analysis Process. 278
Website Investigation Techniques. 282
Reputation Risk. 283
Network Traffic Analysis Techniques. 284
Berkeley Packet Filter (BPF) and Capturing Data. 284
View Interfaces. 285
Profiling a PCAP With tshark and capinfos. 286
Connections: Find the SYN and SYN/ACK Packets. 288
Extract Port/Pair Combinations. 289
Application Specific Analysis Techniques. 290
Top Talkers. 293
Suspicious Traffic Patterns. 293
Unusual Internal Address Activity. 294
Certificates. 294
Uncommon apps and port numbers. 295
Snort Rules: DarkNet Example. 302
Chapter Ten: Enterprise Detection and Response Capabilities. 303
Sample Attack Flow. 303
Entry Points. 303
Attack Visualization with the StoryLine™ Report. 307
Mitigation Actions. 310
Response Actions. 311
Hyperautomation. 313
Other Capabilities. 314
Appendix: IP Protocol Headers. 315
Appendix: Common TCP and UDP Port Table. 323
Index. 327