Please enable JavaScript.

Coggle requires JavaScript to display documents.

COMPUTERS - Coggle Diagram

- - - - virtual function tables :question:
      - how to export functions
    - - debugging
        
        http://pythontutor.com/visualize.html#mode=edit
  - - - difference with NFC :question:
  - - - www.youtube.com/watch?v=CuonyS3xdwg
    - - get an idea for sth interesting to write a driver about
- - - - NTFS
        
        file attributes
        
        encryption
      - What is an Inode exactly
    - - Windows
        
        COM : wow, such mysterious
        
        www.youtube.com/watch?v=Ut5zYcDKGwk
        
        WinRM ? WS-man? how is it different from COM :question:
        
        DCOM
        
        randomimzed ports used (not firewall friendly)
        
        authentication
        
        Kerberos
        
        NTLM
        
        Enterprise managment systems
        
        WMI
        
        Checkout Tarik's and Terkia's slides :question:
        
        PSEXEC
        
        does PSEXEC create a new service every time it is executed?
        
        ActiveDirectory
        
        What is the windows sdk?
        
        wtf is hotpatching, (cf mov edi, edi instruction, page 189 of sans 610) ? How does this work with write xor execute:question:
        
        desktop.ini :question:
        
        file ownership
        
        a domain can be the owner of a file? (right-click, file ownership, work/personnal) :question:
        
        why is there no difference when I go into properties :question:
        
        Processes
        
        difference between a service, a process and a task :question:
        
        what happens to orphaned processes ? :check:
        
        Nothing : Windows does not maintain a process tree. The parent process ID is set when a process is created, but not updated when the parent exits. (windows does maintain a groupping of processes though)
        
        Process Genealony : www.youtube.com/watch?v=s98_p3bheL0
        
        god mode :question:
        
        CSRSS.exe :question:
      - Unix
        
        what is the Global Offset Table :question:
        
        Orphaned processes
        
        The init process automatically becomes the parent of any orphaned process. This is done on purpose in the case of a daemon.
        
        modules (executed as "drivers" in kernel mode? there is a video by LiveOverflow :question:
        
        :link: https://elixir.bootlin.com/linux/latest/source a website to explore the linux source code #
    - - How programs get run
        
        What is a Shim/Stub? (Shim application?)
        
        Dynamic Linking
        
        Is the mechanism for not loading a library twice the COW (Copy On Write) ? That is, a child program inherits the loaded library from its parent?
        Is a common library loaded at the very start of the OS? does the init process load printf for example? what about rare libraries, surely not all of them are loaded ?
        If not, then what is the mechanism for not loading a library twice?
        
        the loaded libraries must be relocatable right? (in case the code already uses an address needed in the library)
        Does that mean that a library may need to be loaded twice to satisfy the constraints posed by two processes?
        
        www.youtube.com/watch?v=UdMRcJwvWIY
        
        how does the linker know where to get the librairies?
        
        they are in a set path, determined either inside the executable, either determined on the fly
        
        PLT (procedure linkage table)
        
        the first time a function is accessed, the PLT is modified
        Could you elaborate pls?
        
        How does Write Xor Execute allow the modification of the PLT
        
        is this OS-specific :question:
        
        relocating
        
        www.youtube.com/watch?v=dOfucXtyEsU @ about 20:00
        
        location independance, windows vs linux
        
        https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=3d2a3ec7-0747-4add-a56d-809c3e54ff97&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments
        
        https://community.broadcom.com/symantecenterprise/viewdocument/dynamic-linking-in-linux-and-window-1?CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments
        
        (stored localy under formations
        
        ASLR
        
        Debuggers
        
        how do debuggers work :question:
        
        can a debugger inspect kernel level code (what happens inside syscalls) :question:
        
        what does it mean to "attatch" to a process :question:
        
        File descriptors
        
        is there a standard out and standard in per process? else, when I have several command prompts running, how does the right output arrive in the right prompt :question:
        Similar question with all file descriptors. Where is the info for what file descriptors correspond to what stored? in the process-specific data (same place where ........ is stored) :question:
      - compiling
        
        compiler explorer : https://godbolt.org/
        
        ODA disassembler : https://onlinedisassembler.com/odaweb/
    - - when the boot process is over, is the bios still running or is it only active to set things up and then exits?
        
        Depends : in older OSes, the BIOS was still active. In newer OSes (windows for ex), the OS can interface more directly with hardware.
        cf www.youtube.com/watch?v=ZplB2v2eMas
      - Tetris with no OS (quite educationnal): www.youtube.com/watch?v=FaILnmUYS_U
        https://github.com/jdah/tetris-os
    - - the kernel is mapped inside every process's memory map, in a region accessibleonly in kernel mode. The point is to not change the adress table (exact name, acronym:question:) at every syscall, since its an overhead.
        
        meltdown (or spectre:question:) attacks make use of the kernel memory being mapped in the process's adress table :question: . Therefore, it has become necessary to map the kernel memory separately (acronym for this :question:) except for the least dangerous and most frequently called syscalls.
        
        www.youtube.com/watch?v=DdUeTN0qfuE
        www.youtube.com/watch?v=g9HTAK0WwkY
        www.youtube.com/watch?v=AKGtJAi4wGo
    - - containers
    - - Are drivers standalone processes? Are they like services hosted in a bigger process (I know the System process on windows "has" drivers) :question:
- - - - Burp Suite for reverse
      - Set up ProcDOT
      - miasm ?
      - VMs
        
        REMnux
      - questions
        
        what order are the bytes addressed in?
        
        linux equivaletn of COM?
        
        Where to look when I want ot know the interface of a function (where are the arguments and return in _strlen of libc for example?)
        
        self-modifying code VS write XOR execute :question:
      - formation
        
        understand dynamic loading of libraries better, vs IAT, vs whatever else there is
        
        IAT is par of PE header
        
        deep dive into PE
      - debugger
        
        how to make GDB nice
        https://stackoverflow.com/questions/209534/how-to-highlight-and-color-gdb-output-during-interactive-debugging
        
        is there a debugger that can go inside a syscall and show kernel level instructions? Windbg?
      - shellcode
        
        Guide to writing shellcode : https://idafchev.github.io/exploit/2017/09/26/writing_windows_shellcode.html
      - object-oriented reversing (vtables, etc)
    - - Email Analysis
        
        SPF
        
        DKIM
        
        DMARC
      - VMs
        
        SIFT
        
        Tsurugi
      - memory forensics
        
        Volatility
      - tools
        
        DFIR ORC :question:
        
        Velociraptor
      - Windows
        
        SIDs
      - tools to detect persistence on dead disk images (autoruns-like :question:
      - tool to detect executables / DLLs out of place (from mft :question:
    - - Tools
        
        Antivirus
        
        How does an antivirus work?
        
        why can only one run at a time :question:
        
        what does it mean to quarantine a file :question:
        
        Network Access Control
        
        IPS/IDS
        
        HIPS/HIDS
        
        Oveliane:OSE
        
        Trendmicro:Tippingpint
        
        Firewalls
        
        Checkpoint
        
        Forninet
        
        Stormshield
        
        proxies
        
        dynatrace :question:
        
        F5 :question:
        
        AppLocker :question:
        
        windows integritiy levels :question:
      - Techniques
        
        networks
        
        TLS inspection/decryption :question:
        
        alternatively, an explicit proxy can be used, and it plays the same role as a man in the middle : the browser trusts its certificates, which allows it to pretend like it's the server for all websites the user visits :question:
        
        needs user browser to be configured to save TLS encryption keys :question:
        
        web
        
        what is a CSRF token :question:
        
        why does using domain names rather than direct IP access help defend against MITM :question:
        
        URL encoding as a way to sanitize input :question:
        
        Encryption
        
        How come when my disk is encrypted my computer doesn't run much slower? isn't it an overhead to every disk operation :question:
        
        How to set up encryption on windows :question:
        
        when the disk is encrypted, where is the key stored? is it the session password?
        
        Password storage and transmission
        
        How come on many web sites (google for example), the credential are passed in clear-text (encrypted by HTTPS) ? wouldn't it be more secure to have a hash (with some salt) sent so that the actual password never circulates, and so that the server may never know what the original password was
        
        how do NTLM, KERBEROS ,and Linux do this?
      - frameworks
        
        NIST
      - Risk Analysis
        
        Find a resource on how to do risk analysis :question:
    - - TTPs
        
        Mitre
    - - Windows
        
        sysinternals
        
        procdump
        
        sysmon
        
        event IDs
        
        what is the windows logging called?
        
        how are windows logs sent to a SIEM?
        
        WMI
        
        eventIDs?
        
        Windows defender sandboxing capabilities :question: CF FCSC2021 reverse chall
      - SIEMs
        
        RSA
        
        Qradar
        
        Splunk
        
        Graylog
      - Linux
      - network
      - EDR
  - - - burp suite
        
        web-pentest capabilities?
      - mimikatz
      - cobaltstrike
      - Red Canary
      - Atomic Red Team
      - VMs
        
        Kali
      - caldera
      - metasploit
        
        meterpreter
        
        MSFVenom #
      - scanning
        
        shodan
        
        vulnerability scanning
        
        nessus
    - - Named Pipes
      - processes
        
        Payloads dropped to memory only (not to disk)
        
        process hollowing?
        
        any other techniques?
        
        meterpreter works that way?
        
        Procdump :question:
        
        dump LSASS :question:
        
        crack keys
        
        process injection/ DLL injection
        
        www.youtube.com/watch?v=44-TOfLGBzk (watch the enfire channel)
        
        mavinject.exe
        
        Hooking :question:
        
        https://nee.lv/2021/02/28/How-I-cut-GTA-Online-loading-times-by-70/
        
        https://github.com/TsudaKageyu/minhook
      - Web
        
        Webshells : how do they work :question:
        
        XSS
        
        :+1:: https://webhook.site : a website that you can use as a listener, for cookie stealing purposes for example.
        Usage example : www.youtube.com/watch?v=UXtxfka2TuY
        
        SSRF
      - Windows
        
        Active Directory
        
        authentication
        
        Kerberos
        
        kerberos golden ticket :question:
        
        Kerberoast :question:
        
        NTLM
        
        WMI
        
        Windows APIs for attack
        
        hooking
        
        what are the permissions needed to attack other processes via windows APIs? # #
        
        injection
        
        dump LSASS
      - malware
        
        self-modifying code
        
        how is this possible with write xor execute policies?
        
        because write xor execute is often not enfored ! this allows hotpatching ant other techniques used by windows legitimate processes
        
        viruses
        
        How to write a vrus : www.youtube.com/watch?v=2Ra1CCG8Guo :check:
        
        polymorphic viruses (chameleon family for example)
        
        rootkits
        
        kernel-level rootkits
        
        user-level rootkits
      - Network
        
        DNS
        
        DNS fast-flux :question:
        
        DNS rebinding
        
        WRITE A REPORT
        
        slow lorris attack :question:
        
        DNS tunneling
      - hardware
        
        voltage fault attacks (~glitching) :question:
        
        www.youtube.com/watch?v=_E0PWQvW-14 :check:
        
        using a j-link as a hardware debugger :question:
      - phishing
        
        MSFvenom : generator of phishing payloads?
      - exploits
        
        overflows
        
        www.youtube.com/watch?v=Do1Ri8TCF0Q
      - reverse_TCP
      - herpaderping
  - - - known plain text attack
  - - - mandiant #
    - - unit42 #
  - - - COR&RIN
  - - - www.youtube.com/c/13cubed
    - - www.youtube.com/watch?v=FZtprMfP9d0
      - https://securekm.com/blog/zh-hans/2017/10/cybersecurity-mind-map/
      - http://rafeeqrehman.com/2020/06/12/ciso-mindmap-2020-what-do-infosec-professionals-really-do/
      - https://cacm.acm.org/magazines/2020/4/243625-why-is-cybersecurity-not-a-human-scale-problem-anymore/fulltext
      - mindmaps
        
        https://github.com/hackerscrolls/SecurityTips/tree/master/MindMaps (Good ressource in general)
        
        Web pentest
        https://github.com/iamthefrogy/Web-Application-Pentest-Checklist
      - https://www.youtube.com/c/PwnFunction/videos
      - https://www.youtube.com/c/DaedalusCommunity/playlists
    - - https://azad.eu.org/blog/fcsc2020.html
    - - attack detect defend for CVEs :question:
        
        https://www.youtube.com/channel/UChbH7B5YhXANmlMYJRHpw0g/videos :question:
      - HackNDo:link:
    - - CrowdStrike report (telechargements/Report2021GTR)
      - Mandiant cyber report
    - - Matt Graeber
      - Lenny Zeltser
    - - grant collins : https://www.youtube.com/channel/UCTLUi3oc1-a7dS-2-YgEKmA (tool usage, installation, enterprise environments)
    - - pentester explains techniques : https://www.youtube.com/c/InfiniteLogins/videos
      - https://threatexpress.com/redteaming/resources/
        
        https://github.com/mantvydasb/RedTeam-Tactics-and-Techniques
        
        https://github.com/infosecn1nja/Red-Teaming-Toolkit
        
        https://github.com/BankSecurity/Red_Team
        
        https://github.com/an4kein/awesome-red-teaming
        
        https://github.com/tobor88/PowerShell-Red-Team
        
        https://github.com/winterwolf32/Red-teaming
        
        https://github.com/Sorsnce/red-team
        
        https://github.com/ihebski/A-Red-Teamer-diaries
        
        https://github.com/blackarrowsec/redteam-research
    - - Urgent11
      - Vault 7 (CIA hacktools revealed by wikileaks)
    - - https://andreafortuna.org
- - - - Attacks
        
        Kerberoast
        
        Golden ticket
        
        the secret used for the TGT (NTLM hash of the KRBTGT account in Windows :question:) is stolen : any TGT can be created
        
        Silver ticket
        
        The secret of a service is stolen : any TGS can be created for this service
      - Amazing tutorial :link: https://www.kerberos.org/software/tutorial.html
      - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc772815(v=ws.10)
    - - Attacks
        
        Pass-theHash