5. **Applications**: The software users interact with (Browsers, Office, Malware).
1. **ASLR (Address Space Layout Randomisation)**: OS defence that randomises base addresses of stack, heap, and libraries on each execution. Makes it harder for attackers to know where to jump in memory.
- *Bypass techniques*: Information disclosure leaks that reveal addresses, or brute force (practical only on 32-bit address spaces).
- **4625**: Failed Logon (Brute Force / Credential Stuffing indicator)
- **4740**: Account Locked Out (Correlate with brute force attempts)
# $1$=MD5(broken) $5$=SHA-256 $6$=SHA-512
wmic process list brief: Process list via WMI (harder to hook)
- **255.255.255.255** = limited broadcast.
2. **Broadcast address** (all host bits = 1)
1. **DISCOVER**: Client broadcasts on \`0.0.0.0\` → \`255.255.255.255\`, UDP port 67.
2. **OFFER**: DHCP server broadcasts or unicasts an IP address offer.
3. **REQUEST**: Client broadcasts acceptance.
- Broadcast so other DHCP servers know their offer was not selected.
1. **Local Cache**: Browser and OS check local DNS cache first.
Brute force target. Use VPN/MFA. |
Broadcasts frames |
One break kills all |
One break kills ring |
Hybrid |
- **WEP (Wired Equivalent Privacy)**: **COMPLETELY BROKEN**. RC4-based, crackable in minutes. Never use. Finding WEP on a network is a critical vulnerability.
1. Open a browser and navigate to \`http://example.com\` (note: http, NOT https — we need cleartext). Or in terminal: \`curl http://example.com\`.
3. You will see: \`GET / HTTP/1.1\`, Host: \`example.com\`, User-Agent (browser identification), Accept headers.
• One-way functions. MD5 (Broken), SHA-1 (Deprecated), **SHA-256** (Secure).
explanation: 'Snapshots are essential for reverting to a clean state if a lab exercise breaks the VM.'
options: ['Bridged Adapter', 'NAT', 'Host-Only Adapter', 'Internal Network'],
explanation: 'SHA-256 is a modern, secure hashing algorithm. MD5 and SHA-1 are considered broken or deprecated.'
- **4625**: Failed Logon (Multiple failures suggest brute force).
- **Integrations**: Browse the integration catalog to see what data sources are supported (e.g., AWS, Azure, Cisco, Windows).
Detection rules are the "brain" of the SIEM. They analyze incoming data and trigger alerts when specific patterns are matched.
• **Brute Force Detection**:
2. **Triage**: In Kibana, go to **Security -> Alerts**. You should see a "Brute Force" alert.
- **Root Cause**: How did the ransomware get in? (e.g., RDP brute force, phishing).
• **Directory Brute-forcing**: \`gobuster\`, \`ffuf\`.
description: 'Attacking users through their browsers.',
• **Framework**: **BeEF** (Browser Exploitation Framework).`
description: 'Cracking and brute-forcing credentials.',
- **Breaking Silos**: Ensuring that different departments (IT, Legal, HR) work together on security.
1. **GOVERN**: Establish and monitor the organization's cybersecurity risk management strategy. This is the "brain" of the framework.
1. **Policy**: The "What" (Mandatory). High-level, broad scope (e.g., Acceptable Use Policy).