• Configured a Host-Only Network in VirtualBox with:
  • HDCP Server
  • Ubuntu Server (SOC Tools)
  • Debian (Web Server)
• Configured the following security tools on an Ubuntu Server VM:
  • Wazuh (SIEM/XDR)
  • Suricata (IDS/IPS)
  • TheHive (CMS)
  • Admyral (SOAR)
  • MISP (TI)
• Configured the following vulnerable web servers on a Debian VM:
  • DVWA
  • bWAPP

Source: https://github.com/robsann/JAHWebServerMonitoring

• Configured in VirtualBox an Internal Network with:
  • DHCP Server
  • Ubuntu Server (Elastic Host)
  • Windows 10 (Victim)
• Configured Elastic Stack 8 on Ubuntu Server:
  • Elastic Stack: Elasticsearch, Kibana (UI), and Elastic Agent + Integrations.
  • Integrations: Fleet Server, System, Windows, and Elastic Defend.
• Simulated two malicious tests on the Victim machine:
  • EICAR Malware Test.
  • MITRE ATT&CK Test with Red Team Automation (RTA).

Source: https://github.com/robsann/ElasticStackLab

• Configured in VirtualBox a NAT Network with:
  • DHCP Server and Host Gateway access.
  • Windows 11 (Target) with Windows Defender disabled, Sysmon and LimaCharlie sensor installed.
  • Ubuntu Server (Attack) with Sliver installed, a Command & Control (C2) framework by BishopFox.
• Generated in Sliver a C2 payload and executed the payload on the Target machine to start a Sliver C2 session on the Attack machine.
• Used the Sliver C2 session to perform two attacks on the Target machine:
  • LSASS access (credential-stealing attack).
  • Volume shadow copies deletion using vssadmin Windows utility (used in ransomware attacks).
• Detection and response rules were created in the LimaCharlie platform to detect the two previous attacks and take action. The rules were tested by repeating the attacks.

Source: https://github.com/robsann/LimaCharlieEDRTelemetry

• Snort network IDS mode configuration in Ubuntu Server.
• NMAP scan detection using Snort (NIDS):
  • NMAP Ping Scan, various TCP scans including SYN, Connect, NULL, FIN, and XMAS, as well as UDP Scans.
• Attack detection using Snort (NIDS):
  • SQL injection attacks using tools like WPSCan & WordPress and Burp Suite & SQLmap.
  • Backdoor attacks using Empire post-exploitation framework and Katana penetration test framework.
  • Rogue DHCP & Rogue Routing attacks.
  • ICMP Redirect attack.

Source: https://github.com/robsann/NetworkSecurityWithSnort

• Microsoft Sentinel was used to monitor failed RDP login attempts from global attackers on an exposed Windows 10 virtual machine configured in Microsoft Azure.
• A custom log file (failed_rdp.log) was generated using a PowerShell script that extracts failed login events from Security Log on Event Viewer and forwards them to a third-party API to get geolocation data.
• A custom table (FAILED_RDP_WITH_GEO_CL) was created in Log Analytics Workspace on Microsoft Azure using the generated log file (failed_rdp.log). Custom fields were extracted from the table using a Kusto Query Language (KQL) query.
• A workbook was created in Microsoft Sentinel using KQL to query data from the FAILED_RDP_WITH_GEO_CL table to display global attackers (RDP login failure) on the world map according to physical location and magnitude (attack count).

Source: https://github.com/robsann/AzureSentinelSIEMAttackMap

The CompTIA A+ Core 2 certification objectives cover advanced troubleshooting, operating systems, security, and software troubleshooting. It includes topics like hardware, networking, mobile devices, virtualization, and cloud computing. Candidates are tested on their ability to secure and manage various devices and technologies, ensuring comprehensive IT skills and knowledge. CompTIA A+ Core 2 demonstrates proficiency in essential IT areas.

1.0 Operating Systems

2.0 Security

3.0 Software Troubleshooting

4.0 Operational Procedures

Professor Messer CompTIA A+ Core 2 (220-1102) course - YouTube Link

The CompTIA Linux+ certification validates essential skills in Linux system administration and operation. Covering topics such as system architecture, Linux installation, package management, command line usage, file permissions, and security, this certification ensures proficiency in managing Linux-based systems. Candidates learn troubleshooting, scripting, and networking in a Linux environment, making them well-equipped for various IT roles requiring Linux expertise. Achieving CompTIA Linux+ certification demonstrates a thorough understanding of Linux systems.

1.0 System Management

2.0 Security

3.0 Scripting, Containers, and Automation

4.0 Troubleshooting

Shawn Powers' CompTIA Linux+ (XK0-005) prep (in progress) - YouTube Link

The CompTIA Network+ certification validates essential skills in networking, covering topics such as network architecture, security, troubleshooting, and cloud technologies. Candidates learn to design and implement functional networks, configure network devices, and manage network security protocols. The certification also emphasizes practical skills in areas like network installation, configuration, and diagnostics, ensuring proficiency in both wired and wireless networks. Overall, CompTIA Network+ certification demonstrates expertise in network administration.

1.0 Networking Fundamentals

2.0 Network Implementations

3.0 Network Operations

4.0 Network Security

5.0 Network Troubleshooting

Professor Messer CompTIA Network+ (N10-008) course - YouTube Link

The CompTIA Security+ certification objectives cover essential topics in cyber security, including network security, threats and vulnerabilities, access control, identity management, cryptography, and risk management. It also emphasizes security compliance, incident response, and security architecture. Successfully mastering these objectives demonstrates proficiency in securing IT systems.

1.0 Threats, Attacks and Vulnerabilities

2.0 Technologies and Tools

3.0 Architecture and Design

4.0 Identity and Access Management

5.0 Risk Management

6.0 Cryptography and PKI

Professor Messer's CompTIA Security+ (SY0-501) course - YouTube Link

The CompTIA Cybersecurity Analyst (CySA+) certification focuses on identifying and responding to security threats and vulnerabilities in a cyber security context. CySA+ certified professionals demonstrate skills in threat detection, analysis, and response using various tools and techniques. They are proficient in analysing data to identify vulnerabilities, threats, and risks to an organization's information systems. CySA+ certification validates expertise in cyber security operations, enhancing an individual's ability to protect and secure organizational assets against cyber threats.

1.0 Security Operations

2.0 Vulnerability Management

3.0 Incident Response and Management

4.0 Reporting and Communication

Mind map from 2021 that provides a comprehensive overview of the various domains within cyber security.

• LetsDefend: Hands-on security operations training with alert addressing on simulated SOC environment.
• CyberDefenders: A blue team training platform.
• TryHackMe: Hands-on cyber security training with offensive and defensive paths.
• HackTheBox: Hands-on cyber security training with offensive and defensive paths.

The Linux File System is a hierarchical structure that organizes and stores files on a Linux system. It uses a tree-like directory structure, starting with the root directory ("/"), with directories and files arranged systematically to facilitate efficient file management and access.

Linux File Permissions dictate the access level of users (owner, group, and others) to files and directories. They are represented by read, write, and execute permissions, providing control over file security and user interactions.

Linux commands help users navigate the file system, interact with the files, and administer the entire system using the command line interface.

Note: Use the man command to display the manual page for other commands (e.g., man ls), providing detailed documentation and usage instructions, or use the --help option (e.g., ls --help) for a quick overview of the command options.

• Configuration files (/etc/) store system-wide settings, preferences, and configurations for various applications, facilitating centralized management.
• System Info files (/proc/) provide a virtual file system exposing kernel and process information, allowing dynamic access to real-time system details and parameters.
• Log files (/var/log/) store system and application logs, aiding in troubleshooting by capturing events, errors, and diagnostic information for analysis and monitoring.

The Open Systems Interconnection (OSI) model is a conceptual framework used to describe how network communications work. The OSI model characterizes computing functions into a universal set of rules and requirements in order to support interoperability between different products and software.

TCP (Transmission Control Protocol) is a connection-oriented and reliable transport layer protocol, that ensures data integrity and ordered delivery. UDP (User Datagram Protocol) is a connectionless and lightweight transport layer protocol that sacrifices reliability for reduced latency, making it suitable for real-time applications where occasional data loss is acceptable.

The Dynamic Host Configuration Protocol (DHCP) is a network management protocol used on IP networks that, in 4 steps, automatically assigns IP addresses and other communication parameters to devices connected to the network using a client-server architecture.

The Domain Name System (DNS) is a naming database that translates human-readable domain names (e.g., www.example.com) to machine-readable IP addresses (e.g., 93.184.216.34) used for device communication. If the website is not cached, the DNS resolver will query Root Servers, Top-Level Domain (TLD) Servers, and Authoritative Nameservers to retrieve the IP address.

The CIA Triad is a fundamental concept in information security, representing the core principles of Confidentiality (ensuring data privacy), Integrity (maintaining data accuracy and trustworthiness), and Availability (ensuring data accessibility). These principles guide security measures and strategies to protect information assets in various computing environments.

The Cyber Kill Chain is a framework outlining the stages of a cyber attack, from initial reconnaissance to achieving the attacker's objectives, providing a structured approach for understanding, analysing, and defending against advanced cyber threats.

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a knowledge base that catalogues and describes the tactics, techniques, and procedures used by cyber adversaries. It provides a comprehensive framework for understanding and analysing the full spectrum of cyber threats, aiding organizations in improving their detection, defence, and response capabilities.

The Pyramid of Pain is a conceptual framework in cyber security that categorizes indicators of compromise (IOCs) in six levels based on the difficulty for adversaries to change or evade detection. The pyramid is structured in ascending order of difficulty, as illustrated below:

Security Operations Center (SOC) technologies encompass a range of tools designed to monitor, analyse, and respond to cyber security threats. These include SIEM for log analysis, EDR for endpoint protection, SOAR for orchestration, and other solutions that collectively fortify an organization's cyber security posture.

The NIST Incident Response Framework provides a systematic approach for organizations to prepare for, detect, respond to, and recover from cyber security incidents. It guides the development of robust incident response capabilities through a four-phase process: preparation, detection and analysis, containment, eradication, recovery, and post-incident activity.

The SANS Incident Response Framework provides a structured approach for organizations to effectively respond to cyber security incidents, comprising six key phases: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. It guides the development of robust incident response capabilities to detect, mitigate, and recover from security incidents.

This script utilizes the ps command to display the top n processes based on CPU and Memory usage. You can access the script by clicking here.

This script utilizes the ss and ps commands to show the listening ports along with the corresponding process and usernames, as well as the PID number. You can access the script by clicking here.

This script utilizes Nmap to retrieve the IP addresses and MAC addresses of devices connected to the network, then compiles them into a table. You can access the script by clicking here.

Zabbix is an open-source monitoring software tool used for monitoring the performance and availability of servers, network devices, and other IT infrastructure components. It provides real-time monitoring, alerting, and visualization features to help IT teams identify and resolve issues quickly. Zabbix can monitor a wide range of devices and applications, making it a versatile tool for managing and maintaining IT systems.

The procedure for the Zabbix installation can be found here.

Screenshots

• Docker containers

• Dashboards

• Hosts monitoring

• Problems monitoring

• Host dashboard

I wrote a suggestion to address the issue related to bytes and str types when running the AutoBlue MS17-010 exploit on Python 3, which was originally developed for Python 2. You can access the suggestions by clicking here.