Full-Stack Incident Response

With @sambowne, @djhardb, @KaitlynGuru, and @infosecirvin.


Splunk Boss of the SOC

BOTSv1: Threat Hunting with Splunk  325

ATT&CK Matrix v9

Reference: ATT&CK Matrix v9 for Enterprise
ATT 1: ATT&CK Tactics  10
ATT 2: ATT&CK Techniques for Tactics 43, 42, & 1‑3  10
ATT 3: ATT&CK v9 Techniques for Tactics 4-6  10
ATT 4: ATT&CK v9 Techniques for Tactics 7-9  10
ATT 5: ATT&CK v9 Techniques for Tactics 11, 10, and 40  10
ATT 6: ATT&CK v9 Groups  10
ATT 7: ATT&CK v9 Navigator  10

Windows and Linux Machines

IR 100: Windows and Linux Machines  20

Defending Windows

IR 371: Velociraptor Server on Linux (recommended)  25
IR 372: Investigating a PUP with Velociraptor  40
IR 373: Investigating a Bot with Velociraptor  50
IR 370: Installing Velociraptor on Windows (not recommended)  30
IR 301: Installing Splunk on a Windows Server  15
IR 330: Detecting Ransomware with Splunk and Sysmon  20
IR 303: Capturing RAM from a Process  15
IR 304: VirusTotal & Wireshark  35
IR 305: PacketTotal  45
IR 306: Yara  40
IR 307: Prefetch Forensics  15
IR 350: Zeek Interactive Tutorial  59
IR 351: Installing and Using Zeek  25

PE Files and DLLs

PMA 105: Process Explorer  10
PMA 102: Unpacking  25
PMA 121: Unpacking with OllyDbg and pestudio  50
PMA 122: PE Headers  50
PMA 123: Importing DLLs  45
PMA 124: DLL Hijacking  15
PMA 125: Installing Visual Studio 2019 (skip for our cloud machines)  10
PMA 126: DLL Proxying  20
PMA 403: API Monitor  15

Debugging

PMA 301: x86 Assembler with Jasmin  30
PMA 401: Simple EXE Hacking with Ollydbg  120
PMA 402: Hacking Minesweeper with Ollydbg  45

Kernel Debugging

PMA 410c: Kernel Debugging with LiveKD  15
PMA 430: WinDbg Preview  15
PMA 431: WinDbg Preview: Source-Level Debugging  10
PMA 432: WinDbg Preview: Kernel Debugging  35
PMA 433: Kernel Debugging with Breakpoints  30
PMA 434: Debugging a Driver  30

ATT 100: Caldera  25+
ATT 101: Caldera Operation  15

Defending Linux Servers

ED 200: Google Cloud Linux Server  15
IR 201: Splunk & Suricata  45
IR 202: Metasploit & Drupalgeddon  85
IR 308: osquery  15

Exploit Development

ED 308: Exploiting "Vulnerable Server" (Local VM) · (Cloud)  25
ED 309: Defeating DEP with ROP  20
ED 318: Exploiting Easy RM to MP3 Converter  30
ED 319: SEH-Based Stack Overflow Exploit (Win 2016) · (Win 10)  65

Bootkits

PMA 420: Bootkit Analysis with Bochs  15
PMA 421: Understanding the MBR  70
TPM 1: Trusted Platform Modules on Windows  15

DOT NET

PMA 132: Reversing a .NET Executable  40
ED 330: Using C# DOT NET  20
ED 331: Dot Net Reflector  45

PowerShell

U-Cen and U-Cyb: PowerShell  75

Rust

R 10: Rust Basics, Overflows, & Injection  35
R 20: Dangling Pointers & Memory Leaks in Rust  35

Disassembly

PMA 303: IDA Pro  40
PMA 304: C Constructs in Assembly  15
PMA 510: Starting with Ghidra  10
PMA 511: Ghidra Data Displays  40

Windows Memory Protections

ED 301: Windows Stack Protection I: Assembly Code  15
ED 302: Windows Stack Protection II: Exploit Without ASLR  15
ED 303: Windows Stack Protection III: Limitations of ASLR  15
ED 310: Windows Mitigations  10

Malware Analysis

PMA 101: Basic Static Techniques  50
PMA 110: capa  15
PMA 131: Custom UPX  25
PMA 221: Basic Dynamic Analysis  60
PMA 222: Making a Windows Keylogger  10

Assembly Language

Prepare a Linux VM

ED 30: Linux Virtual Machine  15
H 201: Google Cloud Linux Server  10
ASM 100: Basics  69
ASM 104: Bases & Printing  40
ASM 105: ASCII  20
ASM 110: Gdb  30
ASM 120: Files  55
ASM 200: Caesar Cipher  35
ASM 210: XOR  20

Basics

H 101 - 104: Binary Games  20
LJ: Linux Journey  83
B: Bandit Challenges  69
U-Cen and U-Cyb: PowerShell  75
Linux Unhatched: Free Course  
ICSI | Certified Penetration Tester: Free Course  

Networking

H 410: Nmap  40
H 420: Wireshark  110
H 430: Scapy  20

Making Your Own Windows VM (optional)

Recommended
    PMA 41: Windows 10 with Analysis Tools  20
Not Recommended
    PMA 40: FLARE-VM  20
Alternative Local System
    H 2: Windows 2016 Server Virtual Machine  15
Best Cloud System
    PMA 60: Windows 10 on Azure Cloud  15
Alternate Cloud System
    PMA 30: Windows 2016 Server on Google Cloud  15

Virtual Machine Resources

Practical Malware Analysis Samples

Hypervisors

VMware Player (for Windows hosts, free)
VMware Fusion (for Mac hosts, 30-day trial)
VirtualBox (free for all platforms)

Posted 6-12-2020
IR 340 added 6-19-2020
IR 350 added 6-21-2020
IR 351 added 6-26-2020
Updated for GRAYHAT, IR 340 removed 10-27-20
Scores archived and cleared 3-18-21
IR 370 added 5-7-2021
Updating ATT&CK to v9 started 7-7-2021