This week’s DFIR link
So this past weekend I started the Offensive Security Training course, Penetration Testing with Kali Linux, and so far so good. The course material was downloaded without any issues, but the VM took a little bit. I was able to get everything that first night though, and tested my connection to the lab environment, which worked without a single issue. Yeah!
The material is well done. Easy to follow, and understand. I have gone through the first third so far at least once, a good chunk of it twice, and some sections many more times. I have been taking notes as I go through the material, so I can have steps and testing ideas handy when I hit the lab. This leads me to go back and repeat things, once or twice.
You might be able to tell that I have not been able to tackle anything in the lab just yet, other than testing my connection. I wanted to go through a good portion of the material first, and “sharpen my axe” so to speak. I did spend a large chunk of time with the external OSINT. I wanted to gather as much as I could externally, before getting started internally. This gave me some possible information I might be able to use in the lab environment. Maybe giving me some ideas of where I should first swing at the tree.
There was a good portion of this weekend spent playing puzzles, or cars, or something with my daughter as well. Plus, chores, like laundry, shopping, and what not. I have the week off from work to really dig into the materials starting this morning, so we will see if I can pick up the pace a little. (Already this morning I do not see much success with this, as my chat client is already exploding. Honestly, I had forgotten to turn it off. Crap.) Anyway,
Let me tackle that, and get started on my course again!
When you see an AV alert you need to triage the system, because it has been compromised and there may still be some undetected malware present on it.
So I played with a vulnerable VM this weekend. This particular one is called Kioptrix 1. You can check out the write-up of it under that section of the site.
After mulling it over for a while, though, I realized that the entire process really boiled down to a set of questions that the analyst needs to have answers for.
- Was this an actual attack?
- Was the attack successful?
- What other assets were also compromised?
- What activities did the attacker carry out?
- How should my organization respond to this attack?
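The triage point above (an AV alert means the host is compromised, and the AV may not have caught everything) and the analyst questions that follow are easier to act on when the raw alerts are turned into a per-host worklist. The script below is an added example, not code from the original post or from any AV product: it parses a constructed, key=value style alert feed (the `host=`, `file=`, `threat=`, `action=` fields and the `quarantined` / `detected` / `clean_failed` action vocabulary are assumptions), groups alerts by host, flags hosts where the AV reported a threat it did not remove, and lists other hosts that saw the same threat name, which is a first cut at "was the attack successful?" and "what other assets were also compromised?".

```python
"""Turn a batch of AV alerts into a per-host triage worklist.

Added example, not code from the original post. The alert format below is a
constructed key=value style; real products log differently, so parse_alert()
is the part to adapt.
"""
import re
from collections import defaultdict

# Constructed sample alerts (not from any real environment). The paths contain
# no spaces, which is what keeps the simple \S+ token parser below sufficient.
SAMPLE_ALERTS = """\
2024-03-04T08:12:01Z host=WS-017 user=jdoe file=C:\\Users\\jdoe\\Downloads\\invoice.exe threat=Trojan.Generic action=quarantined
2024-03-04T08:12:45Z host=WS-017 user=jdoe file=C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd.dll threat=Trojan.Dropper action=clean_failed
2024-03-04T09:03:10Z host=WS-022 user=asmith file=C:\\Users\\asmith\\Downloads\\setup.exe threat=PUA.Toolbar action=quarantined
2024-03-04T09:40:33Z host=SRV-FILE01 user=SYSTEM file=D:\\Shares\\public\\tools.exe threat=Trojan.Generic action=detected
2024-03-04T10:15:02Z host=WS-017 user=jdoe file=C:\\Windows\\Temp\\svc.exe threat=Backdoor.Agent action=quarantined
"""

LINE_RE = re.compile(r'^(?P<ts>\S+)\s+(?P<kv>.*)$')
KV_RE = re.compile(r'(\w+)=(\S+)')
REQUIRED_FIELDS = {'host', 'user', 'file', 'threat', 'action'}

# Actions meaning the AV saw something but did not remove it (assumed vocabulary).
UNRESOLVED = {'detected', 'clean_failed'}
# Threat-name prefixes treated as more than adware/PUA (assumed naming convention).
HIGH_SEVERITY_PREFIXES = ('Trojan', 'Backdoor')


def parse_alert(line):
    """Return a dict of the alert's fields, or None for lines that do not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = dict(KV_RE.findall(m.group('kv')))
    if not REQUIRED_FIELDS <= set(rec):
        return None
    rec['ts'] = m.group('ts')
    return rec


def triage(alert_text):
    """Group alerts by host and decide which hosts need hands-on triage first."""
    hosts = defaultdict(lambda: {'alerts': 0, 'unresolved': [], 'threats': set(),
                                 'users': set(), 'first_seen': None})
    threat_hosts = defaultdict(set)   # threat name -> hosts that reported it
    for line in alert_text.splitlines():
        rec = parse_alert(line)
        if rec is None:
            continue
        h = hosts[rec['host']]
        h['alerts'] += 1
        h['first_seen'] = h['first_seen'] or rec['ts']   # input is assumed time-ordered
        h['threats'].add(rec['threat'])
        h['users'].add(rec['user'])
        if rec['action'] in UNRESOLVED:
            h['unresolved'].append(rec['file'])
        threat_hosts[rec['threat']].add(rec['host'])

    worklist = {}
    for host, h in hosts.items():
        # Other hosts that reported the same threat name: candidates for the
        # "what other assets were also compromised?" question.
        related = set()
        for t in h['threats']:
            related |= threat_hosts[t] - {host}
        reasons = []
        if h['unresolved']:
            reasons.append('unresolved detection')       # AV saw it, did not remove it
        if h['alerts'] >= 2:
            reasons.append('repeated alerts')            # something keeps coming back
        if any(t.startswith(HIGH_SEVERITY_PREFIXES) for t in h['threats']):
            reasons.append('high-severity threat class')
        worklist[host] = {
            'priority': 'high' if reasons else 'low',
            'reasons': reasons,
            'alerts': h['alerts'],
            'first_seen': h['first_seen'],
            'unresolved': h['unresolved'],
            'threats': sorted(h['threats']),
            'users': sorted(h['users']),
            'related_hosts': sorted(related),
        }
    return worklist


if __name__ == '__main__':
    items = sorted(triage(SAMPLE_ALERTS).items(),
                   key=lambda kv: kv[1]['priority'] != 'high')   # high priority first
    for host, item in items:
        print(f"{item['priority'].upper():5} {host}: {item['alerts']} alert(s) since "
              f"{item['first_seen']}; unresolved={item['unresolved']}; "
              f"related={item['related_hosts']}; reasons={item['reasons']}")
```

With the constructed feed, WS-017 comes out high because one of its detections was never cleaned and it has three alerts spanning three threat names, SRV-FILE01 comes out high because the AV only "detected" the file, and WS-022 stays low with a single quarantined PUA. The `related_hosts` field is deliberately loose (same threat name, not proof of lateral movement); it tells the analyst where to look next, not what happened.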