Cybersecurity Labs - Module 3

🎯 Goal: Generate SHA256 hash for malware identification

📝 Why This Matters:
File hashes are unique fingerprints. Before analyzing malware, calculate its hash to check against threat intelligence databases (VirusTotal, MISP). This quickly identifies known malware without risking execution.

💻 Command:
sha256sum /samples/suspicious.exe

🔍 What This Does:
• Generates unique 256-bit hash of file
• Hash changes if even 1 byte is modified
• Used to search threat intel databases

🎯 Goal: Find readable text in the binary

📝 Why This Matters:
Strings reveal malware capabilities without execution: C2 server URLs, registry keys modified, files created, error messages, and attacker comments. This is safe static analysis that exposes intent.

💻 Command:
strings /samples/suspicious.exe | grep -E "(http|\.exe|reg|cmd|password)"

🔍 What to Look For:
• URLs - C2 communication
• Registry paths - Persistence mechanisms
• File paths - Payload drops
• Commands - System manipulation
• Encoded strings - Obfuscation attempts

🎯 Goal: Verify actual file format vs extension

📝 Why This Matters:
Attackers disguise malware with fake extensions (invoice.pdf.exe, image.jpg.scr). The file command reads magic bytes to determine actual type, exposing extension spoofing attacks.

💻 Command:
file /samples/suspicious.exe

🔍 Common Disguises:
• .pdf.exe - Exploits hidden extensions
• .jpg.scr - Screensaver masquerading as image
• .doc.js - JavaScript in Office disguise
• Double extensions trick users

🎯 Goal: Submit sample to automated sandbox for dynamic analysis

📝 Why This Matters:
Cuckoo Sandbox is a real open-source malware analysis system. It runs malware in isolated VMs, monitors all behavior, and generates detailed reports. Used by security teams worldwide.

💻 Command:
cuckoo submit /samples/suspicious.exe

🔍 Cuckoo Features:
• Automated VM execution
• API hooking and syscall monitoring
• Network traffic capture (InetSim)
• Memory dumps for forensics
• Behavioral signatures database

🎯 Goal: Examine automated analysis results

📝 Why This Matters:
Cuckoo's analysis reveals runtime behavior: process trees, file drops, registry changes, network connections. The severity score and triggered signatures help prioritize response.

💻 Command:
cuckoo analyze 1547

🔍 Analysis Report Sections:
• Severity score (0-10)
• Behavioral signatures triggered
• Network activity (DNS, HTTP, TCP)
• File system changes
• Registry modifications
• Process tree

🎯 Goal: Examine C2 communication from PCAP

📝 Why This Matters:
Cuckoo captures all network traffic during execution. Using tcpdump to read this PCAP reveals exact C2 communications, data exfiltration, and payload downloads.

💻 Command:
cat /opt/cuckoo/storage/analyses/1547/network.pcap | tcpdump -r - -nn

🔍 Network IOCs:
• C2 server IPs and ports
• Beacon intervals
• Data exfiltration volume
• Protocol patterns

🎯 Goal: Analyze memory dump for injected code

📝 Why This Matters:
Volatility Framework is the industry-standard memory forensics tool. It extracts process trees, detects code injection, finds hidden processes, and recovers encryption keys from RAM.

💻 Command:
volatility -f /opt/cuckoo/storage/analyses/1547/memory.dmp --profile=Win10x64 pstree

🔍 Volatility Capabilities:
• Process tree analysis (pstree)
• Injected code detection (malfind)
• Network connections (netscan)
• Registry extraction (hivelist)
• Password hashes (hashdump)

🎯 Goal: Parse Cuckoo JSON report to extract IOCs

📝 Why This Matters:
Cuckoo generates JSON reports with all findings. Using jq (command-line JSON processor) extracts specific IOCs for import into SIEM, EDR, and threat intel platforms.

💻 Command:
cat /opt/cuckoo/storage/analyses/1547/reports/report.json | jq '.signatures,.network.hosts' > /reports/iocs.json && echo "IOC report generated"

🔍 Extracted IOCs:
• File hashes (MD5, SHA1, SHA256)
• Network indicators (IPs, domains, URLs)
• YARA rule matches
• Behavioral signatures

🎯 Goal: Capture live network traffic

📝 Why This Matters:
Packet capture is the foundation of network forensics. Every network communication leaves traces - even encrypted traffic reveals metadata like timing, volume, and destinations useful for investigation.

💻 Command:
sudo tcpdump -i eth0 -w /captures/traffic.pcap -c 1000

🔍 Parameters:
• -i eth0 - Interface to capture
• -w - Write to file
• -c 1000 - Capture 1000 packets

🎯 Goal: Isolate outbound data transfers

📝 Why This Matters:
Raw captures contain millions of packets. Filtering isolates relevant traffic - large outbound transfers to unknown IPs are classic exfiltration indicators.

💻 Command:
tcpdump -r /captures/traffic.pcap 'src net 192.168.0.0/16 and dst port 443 and greater 1000'

🔍 Filter Logic:
• src net 192.168.0.0/16 - From internal network
• dst port 443 - HTTPS (common exfil channel)
• greater 1000 - Large packets only

🎯 Goal: Extract detailed protocol information

📝 Why This Matters:
tshark (command-line Wireshark) parses protocols deeply. It extracts HTTP headers, DNS queries, TLS certificates - revealing what applications transmitted and to whom.

💻 Command:
tshark -r /captures/traffic.pcap -Y "http.request" -T fields -e ip.src -e ip.dst -e http.host -e http.request.uri

🔍 Output Fields:
• Source/destination IPs
• HTTP host header (domain)
• Request URI (path accessed)
• Reveals web traffic patterns

🎯 Goal: Identify domains contacted

📝 Why This Matters:
DNS reveals intent - malware queries C2 domains, exfiltration contacts file sharing sites. DNS tunneling hides data in queries. Every domain lookup leaves a trace even with encrypted traffic.

💻 Command:
tshark -r /captures/traffic.pcap -Y "dns.qry.name" -T fields -e dns.qry.name | sort | uniq -c | sort -rn

🔍 DNS Analysis:
• High query count = suspicious
• Long random subdomains = DGA/tunneling
• Newly registered domains = risky
• Country TLDs (.ru, .cn) = depends on business

🎯 Goal: Find high-volume data flows

📝 Why This Matters:
Data exfiltration requires moving data out - large outbound transfers to unusual destinations are red flags. Statistical analysis of flow data quickly identifies anomalies.

💻 Command:
tshark -r /captures/traffic.pcap -q -z conv,tcp | sort -k 10 -rn | head -20

🔍 Conversation Stats:
• Bytes transferred per flow
• Duration of connections
• Top talkers by volume
• Unusual destinations

🎯 Goal: Recover exfiltrated data

📝 Why This Matters:
Knowing that data left isn't enough - you need to know WHAT data. File carving from packet captures recovers transmitted files for impact assessment and breach notification requirements.

💻 Command:
tshark -r /captures/traffic.pcap --export-objects http,/extracted/

🔍 What Gets Extracted:
• Documents (PDF, DOC, XLS)
• Images
• Archives (ZIP, RAR)
• Any HTTP-transferred file

🎯 Goal: Analyze encrypted connection destinations

📝 Why This Matters:
HTTPS encrypts content but TLS certificates reveal the server identity. Self-signed certs, suspicious issuers, or mismatched names indicate malicious infrastructure or MitM attacks.

💻 Command:
tshark -r /captures/traffic.pcap -Y "tls.handshake.certificate" -T fields -e x509sat.uTF8String -e x509ce.dNSName

🔍 Certificate Red Flags:
• Self-signed certificates
• Recently issued (< 30 days)
• Free CA (Let's Encrypt abuse)
• Name mismatches

🎯 Goal: Document findings for incident response

📝 Why This Matters:
Network analysis findings feed incident response: IPs to block, domains to sinkhole, compromised systems to isolate. Documentation supports legal action and compliance reporting.

💻 Command:
tshark -r /captures/traffic.pcap -q -z endpoints,ip > /reports/network-analysis.txt

🔍 Report Contents:
• Timeline of suspicious connections
• Source systems involved
• Destination IPs/domains
• Volume of data transferred
• Extracted file inventory

🎯 Goal: Triage incoming security alerts

📝 Why This Matters:
EDR generates hundreds of alerts daily. Effective triage separates critical threats from noise. Dashboard review identifies patterns - multiple similar alerts suggest coordinated attack.

💻 Actions:
1. Click "View Alerts" button
2. Filter by Severity: Critical & High
3. Note the PowerShell alerts across workstations
4. Identify affected endpoints

🔍 Alert Triage:
• Critical - Active exploitation, immediate action
• High - Confirmed malicious, investigate quickly
• Medium - Suspicious, needs analysis
• Low - Anomaly, review when time permits

🎯 Goal: Deep dive into compromised system

📝 Why This Matters:
Alert context determines response. Full endpoint investigation reveals: Was the attack successful? What processes spawned? What files were accessed? This guides containment decisions.

💻 Actions:
1. Click "Investigate Endpoint" button
2. Select: WKS-FIN-042
3. Review process tree and timeline
4. Note suspicious parent-child relationships

🔍 Investigation Focus:
• Process tree - What spawned what?
• Network connections - Where did it connect?
• File modifications - What was changed?
• Registry changes - Persistence mechanisms?

🎯 Goal: Search all endpoints for indicators

📝 Why This Matters:
One compromised endpoint often means more are affected. IOC hunting searches your entire fleet for matching artifacts - file hashes, registry keys, network connections - revealing full scope of compromise.

💻 Actions:
1. Click "Threat Hunt" button
2. IOC Type: File Hash
3. Enter hash: a1b2c3d4e5f6... (from investigation)
4. Scope: All Endpoints
5. Click "Search"

🔍 Hunt Queries:
• File hash - Find same malware elsewhere
• Process name - Suspicious executables
• Network destination - C2 connections
• Registry key - Persistence locations

🎯 Goal: Contain threat by network isolation

📝 Why This Matters:
Isolation prevents lateral movement and data exfiltration. EDR can quarantine endpoints while maintaining management access - the system can't attack others but analysts can still investigate and remediate.

💻 Actions:
1. Click "Isolate Endpoint" button
2. Select endpoints: WKS-FIN-042, WKS-FIN-017
3. Isolation Type: Network Quarantine
4. Click "Confirm Isolation"

🔍 Isolation Options:
• Full isolation - No network except EDR
• Partial - Allow specific IPs/services
• Warning mode - Alert but don't block

🎯 Goal: Preserve evidence for analysis

📝 Why This Matters:
Remote forensic collection captures volatile data before it's lost: running processes, network connections, memory artifacts. This evidence supports incident investigation and potential legal action.

💻 Actions:
1. Click "Collect Forensics" button
2. Select: WKS-FIN-042
3. Collection Type: Full Triage Package
4. Include: Memory dump, event logs, browser history
5. Click "Start Collection"

🔍 Triage Package Includes:
• Memory dump - Running processes, encryption keys
• Event logs - User activity, process execution
• File timeline - Recent changes
• Network connections - Active sessions

🎯 Goal: Remove malware and attacker access

📝 Why This Matters:
Remediation eliminates the threat from affected systems: kill malicious processes, delete dropped files, remove persistence mechanisms. Incomplete remediation allows attackers to return.

💻 Actions:
1. Click "Remediate" button
2. Actions:
• Kill Process - Terminate malware
• Delete File - Remove malicious files
• Remove Registry Key - Clear persistence
3. Apply to affected endpoints
4. Click "Execute Remediation"

🔍 Remediation Checklist:
• Terminate malicious processes
• Delete malware files
• Remove scheduled tasks
• Clean registry persistence
• Reset compromised credentials

🎯 Goal: Prevent recurrence with custom detection

📝 Why This Matters:
Every incident teaches what to detect. Creating custom rules based on observed TTPs catches the same attack if it recurs. This turns reactive response into proactive defense.

💻 Actions:
1. Click "Create Rule" button
2. Rule Name: Suspicious PowerShell Download
3. Detection Logic:
• Process: powershell.exe
• Command contains: DownloadString
4. Action: Alert + Block
5. Click "Save Rule"

🔍 Rule Types:
• Behavioral - Suspicious activity patterns
• Signature - Known malware indicators
• Anomaly - Deviation from baseline