Resources

This page contains a collection of links which I found valuable for different reasons. It is basically an extended bookmarking section for myself, but maybe they are also useful for you.

Red Team

OS, Distros, Tools

SANS “Slingshot” – Penetration testing distribution based on Ubuntu Linux

FireEye “Commando VM” – Penetration testing VM based on Windows

Burp Suite – Hacking proxy & toolset, available in a free community edition

Invoke-Obfuscation – PowerShell code obfuscation

LDAPFragger – C&C channel over LDAP

shodan.io – Discover hosts & vulnerabilities and much more in one interface

impacket – Extensive Python library for scripting networking & recon tasks

Tutorials, Research

Bypass Execution Policy – 15 ways to bypass it

exploit-db.com – Footprinting with Google

Kerberosity – How Kerberos works and how to attack it

Preparation Guide for OSCP – The same blog has many other relevant articles

Windows Script Host Documentation – Allows scripts such as JavaScript to be executed outside the browser, which is used for OS exploits

Blue Team

OS / Distros

SANS “SIFT” – Incident response & forensics distribution based on Ubuntu

Security Onion – Threat hunting, defense and log management distribution

Tools

Hardening & Preparation

Policy Analyzer – Compare GPOs on different systems; useful for hardening

Windows Hardening Script – Together with the Policy Analyzer (see above), you might want to consider running this script to get a sensibly hardened security baseline.

MITRE ATT&CK Navigator – Neat tool for working on your security posture

Programming

CyberChef – Decrypt and convert to and from many encodings (Base64 etc.)

uncoder.io – Translate SIEM rules for different platforms.

NSACyber – The GitHub account of the NSA with very useful code, for example to detect and mitigate web shell attacks.

Regex101 – Regular expression tester for different languages

cURL Converter – Convert cURL syntax into Python and other languages

Detection & Forensics

Volatility – Digital forensics toolkit written in Python (also included in SIFT)

Sigma – Generic signature format for SIEM systems; here is also a good tutorial on how to write your own detection rules

NetworkMiner – Instead of starting your pcap analysis in Wireshark and getting lost in the bits and bytes, it’s a good idea to use this neat tool first to get a higher-level overview of what’s happening (which hosts are involved, which connections were observed, which files were accessed, etc.). The website also offers video tutorials.

Suricata – This well-known alternative to the even better known Snort is a good addition to your analysis with NetworkMiner (see above), because it can run detection rules against recorded traffic (pcap files) and retrospectively recognize suspicious behavior that might have gone unnoticed before.

urlscan.io – See a website’s contents & security rating without opening it

VirusTotal – Check a URL or file with more than 70 virus scanners

X-Force Exchange – Threat Intelligence

Tutorials, Research

Technology Basics

TLS Handshake Explained – Detailed yet comprehensible explanation of one of the cornerstones of secure internet communication

VPNs (IPsec) Explained – The graphics make this learning material one of the better choices

Hardening & Preparation

cyber.gov.au – Very good publications on hardening, 2FA, WEF, policies, etc.

Cyber Incident Handling Program – Slightly dated but still very relevant information by the US Department of Defense

ISECOM security research community – Publications on security testing methodologies, an attack surface calculator, security certifications

Center for Internet Security (CIS) Benchmarks – Nonprofit organization that offers best-practice recommendations on securing infrastructure

ENISA Trainings – European Union Agency for Cybersecurity

Windows-specific

Microsoft Auditing Recommendations – Tips for many different events, both in general terms and for specific event IDs, for example cryptographic key operations (5059, 5061), service installations (4697), unregistering of security event sources (4905), or changes to security-enabled groups (4735).

Event Log Analysis – Based on the event logs described on the Microsoft KB pages (see above for the different event IDs), you can write monitoring and alerting rules. This page shows which events are created when running various tools that attackers commonly use.

Detecting PowerShell attacks with SIEM – Research by SANS

Malware

YARA Rules – Getting started with this versatile malware detection standard

Eideon.com – Tales of a Threat Hunter. Slightly dated, but very useful research

On the wire

Wireshark capture files – From the Wireshark Wiki, NetReSec Forensics and Malware-Traffic-Analysis.net; the latter also has tutorials on how to find IoCs.

Network Profiling Using Flows – Network flows are used less often than log events, but are very helpful for various network security monitoring tasks