Відео

Have not dig much to Blue Team Labs but thanks for sharing will take a look at it and maybe create videos for it too :)

@@cybersecurityfreeresource278 thanks then i Go dort Cyber Defender

Yep it is I used Remnux Virtual machine for the lab. The other evidence/logs are already stored in LetsDefendIO platform as well.

@@cybersecurityfreeresource278 i am quite new to all this and would like to know when doing any exercise in Letsdefend, or alert exercise i should do majority in lab ??? Since some of it include attachment Thank You

​@@cybersecurityfreeresource278 i am still new to this so should i do majority of exercise in lab ? because some include attachment Thank you ​

Hello @MichaelAngeloValenzuela nothing really special to setting it up I mainly used images that already have built in forensic and malware analysis tools. You just need to have invest in either any VM software (there are free ones as well) like VMWare/VirtualBox (free) etc. Download the image and mount it that's it. They make life much more easier rather than building from blank VM and installing tools one by one. Here are my top recommendations or all time favorites so far. Hope this helps. :) -www.sans.org/tools/sift-workstation/ -remnux.org/#distro -github.com/mandiant/flare-vm

Yeah definitely they are really good back then most of them are free and as you can see much of my content is from them. CCD is one of the cheapest Blue team cert out there and I have heard the instructor who made them are really good they have undergone SANS trainings too. If you have not heard of SANS trainings I suggest you research about it and compare the cost of CCD against SANS training.

@@cybersecurityfreeresource278 Ohh ok i will check SANs, I got another question is it okay to use the NAT option in VM while downloading and activating those laboratory file practice from cyberdefenders in my VM? or should i use the host-only option?

I have really no one size fits all reference for you, but one thing I can give you is go to Cyberdefenders.org and try to take on the malware analysis challenges from there and read walkthrus about it. Then build yourself a document containing all what you learned, there's an element of retention and retaining the knowledge in your memory thru that method. Also try to read one article about malware analysis every day. That will compound over time. Hope that helps.

Thanks for watching! Please like and subscribe :)

Glad it helped! Please subscribe and share :)

Hello @user-wb8kw4lr9v maybe these writeup version could help you. It will walk you through how to setup Volatility memory analysis tool. Please have a read and let me know - cybersecurityfreeresource.wordpress.com/2022/05/24/volatility3-memory-analysis-tool-setup-guide/

Hello @user-wb8kw4lr9v oh for the Volatility you have to set it up and install on your linux machine like Ubuntu or other flavors. Windows have subsystem linux as well you can follow my guides below how to set it up. ua-cam.com/video/4WwX6EHurvU/v-deo.html ua-cam.com/video/vn5RliRFtWo/v-deo.html

Thanks @@cybersecurityfreeresource278

Oh sure thing is it also from CYberDefenders website if you can share some threat hunting labs it will be appreciated :)

@detdouche2382 Oh yeah thank you for that feedback you are right I think I assumed viewer are familiar with volatility commands. Will try to be more verbose on my explanations on my succeeding videos. Cheers! :)

Hi @zhalgaskamzabekov2151 good question, PECmd.exe is a windows prefetch parser developed by Eric Zimmerman. You cannot view the contents of a prefetch file as it is encrypted hence we need some tool that will parse it for us. Hope this helps.

Not that I know of, as per its normal behavior it is written in memory at first and then written to registry upon shutdown/reboot. It also has limited entries around 1024 for Win10 last I checked and it rolls over meaning oldest entry are being replaced by new ones. Hope this helps.

Sure thing what about the video do you need more explanation? Please let me know.

what do you mean by sm? sorry did not get it :D

Haha yeah fun days :D

Can you clarify please what instruction are you looking for specifically?

You are welcome. :)

It is good to double check your account membership as C:\Windows\Prefetch is only accessible by user with admin rights.

Glad it was helpful!

Thanks for the kind feedback :)

Welcome please like and subscribe thanks😊

Yeah you can, you can also throw it to any online sandbox like Anyrun it also works.

Thank you, I will

Yeah just between you and me :D

Sorry about that will try to use noise cancelling headset on my future recording thanks for the kind feedbacks :D Cheers!

I have not got it sadly when I am trying this challenge pls share if you manage to solve it Kyle :)

Hey buddy oh the dfir is the username on my machine. Basically you just need to change that with correct directory where you Downloaded the file if it is in your Downloads folder so that path will be something like this C:\Users\youruser\Downloads so let's say if your username is say Matthew for example. The path will be C:\Users\Matthew\Downloads so in command prompt you could type cd C:\Users\Matthew\Downloads. Hope this makes sense and help. :)

@@cybersecurityfreeresource278 wow ha nice thanks!

Hi @Matucha yes definitely if you have a malware analysis machine with reversing tools like procmon or regshot or others you could detonate the malware and watch the written files in the temp using those tools. Hope this helps :)

Thanks buddy! Your comment means a lot will improve more :)

Thanks for the kind words glad you liked it :)

Here is a good article for that hope this helps blueteamops.medium.com/shimcache-flush-89daff28d15e hope I can make a video for this soon but quite busy with CTF these days :D

Thanks Warde yup thanks for reminding me that already submitted to CyberDefenders Cheers :D

Thanks happy to help. :D Please like and subscribe!

Sure mate glad you liked it and hope it was helpful in some way will sure do please subscribe and share :)

Try running it using administrator user and pointing to a path that is not used by the Operating System such as C:\Windows try using another path like your drive D or drive E of course it has to have enough free space as well more than the size of physical RAM of the machine being captured. Let me know if this helps or not. Thanks. :)

Hello Abid sure I have a parallel blog writeup for all my videos you can find here please like and subscribe cheers :D cybersecurityfreeresource.wordpress.com/2022/05/24/volatility3-memory-analysis-tool-setup-guide/

@@cybersecurityfreeresource278 I have been for a long time follow your UA-cam Channel and seeing your videos.

@@abidhossainmanu7827 appreciate it that means a lot to me thanks Abid :D

Oh that's good to hear brother congratulations on your new job and I'm glad to be of some help to you in any way. Wish you all the best in your new job God bless! :)

Thanks glad it helped. Prefer to stay anonymous and just contribute back to community :)

@@cybersecurityfreeresource278 I like that .. good video and message

Glad you liked it please share and subscribe :)

Hi Bao Ngoc, here is the best Sandbox result I can share with you for the weaponized doc file. Of course you could analyze it manually on your own malware lab but as SOC specialist time is of the essence in Incident Response and manual reverse engineering should be our last resort if all available sandbox is not giving us any credible results so I can advise you to maximize online tools out there. :) app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/

@@cybersecurityfreeresource278 hey is there any chance to make refud the follina or can we put somthing else like ps1 or shellcode or command prompt script or anything else

Hi @Pa Paa can you elaborate further on your question? What do you mean by refud?

@@cybersecurityfreeresource278 i mean can we lover the detection rate or can we put somthing else instead of html like command script or any other script to run payload

Hi @PaPaa it doesn't work that way its not something that can be simulated by just a script. First and foremost, for exploits to run the machine where it is being run must have that vulnerability present. So for the case of Follina 0 day you have to know if your test machine is vulnerable to CVE-2022-30190. To ensure exploit will run successfully uninstall security patches related to that CVE. Disable windows defender or any endpoint protection on your test machine. Hope this helps.

Hello Mike, yeah sorry for late reply was busy with work these past days. I think what I can share with you is you are correct the related user is makman but take into consideration that this is SQLi attack so from attacker perspective, the attacker is iterating or enumerating user salt hashes without real knowledge of actual DB users which can be used for brute forcing or decrypting further later on to compromise credentials. Hope that helps.

@@cybersecurityfreeresource278 my man I realised what is going on eventually it became way more obvious when you were looking for the password of butn as you used a different query that went through all the requests and became way more clear. In the moment of the comment timestamp it was just salts have a nice one

@@Voskos good to know your breakthrough have fun as well :)