Full-Stack Incident Response
With @sambowne, @djhardb, @KaitlynGuru, and @infosecirvin.
Archived Videos: Black Hat Trainings 2021 (First section)
Archived Scores: Black Hat Trainings, 2021, Section 1
Splunk Boss of the SOC
  BOTSv1: Threat Hunting with Splunk - 325 pts

ATT&CK Matrix v9
  Reference: ATT&CK Matrix v9 for Enterprise
  ATT 1: ATT&CK Tactics - 10 pts
  ATT 2: ATT&CK Techniques for Tactics 43, 42, & 1-3 - 10 pts
  ATT 3: ATT&CK v9 Techniques for Tactics 4-6 - 10 pts
  ATT 4: ATT&CK v9 Techniques for Tactics 7-9 - 10 pts
  ATT 5: ATT&CK v9 Techniques for Tactics 11, 10, and 40 - 10 pts
  ATT 6: ATT&CK v9 Groups - 10 pts
  ATT 7: ATT&CK v9 Navigator - 10 pts

Windows and Linux Machines
  IR 100: Windows and Linux Machines - 20 pts

Defending Windows
  IR 371: Velociraptor Server on Linux (recommended) - 25 pts
  IR 372: Investigating a PUP with Velociraptor - 40 pts
  IR 373: Investigating a Bot with Velociraptor - 50 pts
  IR 370: Installing Velociraptor on Windows (not recommended) - 30 pts
  IR 301: Installing Splunk on a Windows Server - 15 pts
  IR 330: Detecting Ransomware with Splunk and Sysmon - 20 pts
  IR 303: Capturing RAM from a Process - 15 pts
  IR 304: VirusTotal & Wireshark - 35 pts
  IR 305: PacketTotal - 45 pts
  IR 306: Yara - 40 pts
  IR 307: Prefetch Forensics - 15 pts
  IR 350: Zeek Interactive Tutorial - 59 pts
  IR 351: Installing and Using Zeek - 25 pts

PE Files and DLLs
  PMA 105: Process Explorer - 10 pts
  PMA 102: Unpacking - 25 pts
  PMA 121: Unpacking with OllyDbg and pestudio - 50 pts
  PMA 122: PE Headers - 50 pts
  PMA 123: Importing DLLs - 45 pts
  PMA 124: DLL Hijacking - 15 pts
  PMA 125: Installing Visual Studio 2019 (skip for our cloud machines) - 10 pts
  PMA 126: DLL Proxying - 20 pts
  PMA 403: API Monitor - 15 pts

Debugging
  PMA 301: x86 Assembler with Jasmin - 30 pts
  PMA 401: Simple EXE Hacking with Ollydbg - 120 pts
  PMA 402: Hacking Minesweeper with Ollydbg - 45 pts

Kernel Debugging
  PMA 410c: Kernel Debugging with LiveKD - 15 pts
  PMA 430: WinDbg Preview - 15 pts
  PMA 431: WinDbg Preview: Source-Level Debugging - 10 pts
  PMA 432: WinDbg Preview: Kernel Debugging - 35 pts
  PMA 433: Kernel Debugging with Breakpoints - 30 pts
  PMA 434: Debugging a Driver - 30 pts
  ATT 100: Caldera - 25+ pts
  ATT 101: Caldera Operation - 15 pts

Defending Linux Servers
  ED 200: Google Cloud Linux Server - 15 pts
  IR 201: Splunk & Suricata - 45 pts
  IR 202: Metasploit & Drupalgeddon - 85 pts
  IR 308: osquery - 15 pts

Exploit Development
  ED 308: Exploiting "Vulnerable Server" (Local VM · Cloud) - 25 pts
  ED 309: Defeating DEP with ROP - 20 pts
  ED 318: Exploiting Easy RM to MP3 Converter - 30 pts
  ED 319: SEH-Based Stack Overflow Exploit (Win 2016 · Win 10) - 65 pts

Bootkits
  PMA 420: Bootkit Analysis with Bochs - 15 pts
  PMA 421: Understanding the MBR - 70 pts
  TPM 1: Trusted Platform Modules on Windows - 15 pts

DOT NET
  PMA 132: Reversing a .NET Executable - 40 pts
  ED 330: Using C# DOT NET - 20 pts
  ED 331: Dot Net Reflector - 45 pts

PowerShell
  U-Cen and U-Cyb: PowerShell - 75 pts

Rust
  R 10: Rust Basics, Overflows, & Injection - 35 pts
  R 20: Dangling Pointers & Memory Leaks in Rust - 35 pts

Disassembly
  PMA 303: IDA Pro - 40 pts
  PMA 304: C Constructs in Assembly - 15 pts
  PMA 510: Starting with Ghidra - 10 pts
  PMA 511: Ghidra Data Displays - 40 pts

Windows Memory Protections
  ED 301: Windows Stack Protection I: Assembly Code - 15 pts
  ED 302: Windows Stack Protection II: Exploit Without ASLR - 15 pts
  ED 303: Windows Stack Protection III: Limitations of ASLR - 15 pts
  ED 310: Windows Mitigations - 10 pts

Malware Analysis
  PMA 101: Basic Static Techniques - 50 pts
  PMA 110: capa - 15 pts
  PMA 131: Custom UPX - 25 pts
  PMA 221: Basic Dynamic Analysis - 60 pts
  PMA 222: Making a Windows Keylogger - 10 pts

Assembly Language
  Prepare a Linux VM:
    ED 30: Linux Virtual Machine - 15 pts
    H 201: Google Cloud Linux Server - 10 pts
  ASM 100: Basics - 69 pts
  ASM 104: Bases & Printing - 40 pts
  ASM 105: ASCII - 20 pts
  ASM 110: Gdb - 30 pts
  ASM 120: Files - 55 pts
  ASM 200: Caesar Cipher - 35 pts
  ASM 210: XOR - 20 pts

Basics
  H 101 - 104: Binary Games - 20 pts
  LJ: Linux Journey - 83 pts
  B: Bandit Challenges - 69 pts
  U-Cen and U-Cyb: PowerShell - 75 pts
  Linux Unhatched: Free Course
  ICSI | Certified Penetration Tester: Free Course

Networking
  H 410: Nmap - 40 pts
  H 420: Wireshark - 110 pts
  H 430: Scapy - 20 pts

Making Your Own Windows VM (Optional)
  Recommended: PMA 41: Windows 10 with Analysis Tools - 20 pts
  Not Recommended: PMA 40: FLARE-VM - 20 pts
  Alternative Local System: H 2: Windows 2016 Server Virtual Machine - 15 pts
  Best Cloud System: PMA 60: Windows 10 on Azure Cloud - 15 pts
  Alternate Cloud System: PMA 30: Windows 2016 Server on Google Cloud - 15 pts

Virtual Machine Resources
  Practical Malware Analysis Samples
  Hypervisors:
    VMware Player (for Windows hosts, free)
    VMware Fusion (for Mac hosts, 30-day trial)
    VirtualBox (free for all platforms)

Posted 6-12-2020
IR 340 added 6-19-2020
IR 350 added 6-21-2020
IR 351 added 6-26-2020
Updated for GRAYHAT, IR 340 removed 10-27-20
Scores archived and cleared 3-18-21
IR 370 added 5-7-2021
Updating ATT&CK to v9 started 7-7-2021