Blue Sheet

Cheat sheet for the Blue Team 🧢

Hopefully, this is not Bull S***!!!

Disclaimer

I prioritize the simplest commands. Most of the time, you don't need all the options.

While this is a cheat sheet, this is not exhaustive at all. TO BE CONTINUED indefinitely...

Nmap

These are my favorite Nmap commands:

# Simple way to enumerate open ports
nmap --open {IP}

# Simple scan for services
nmap -sV {IP}

# Simple UDP + TCP scan (the UDP scan needs root privileges)
nmap -Pn -sU -sT {IP}

However, it's best to save the output to a text file, or to use the -o output options (-oN, -oX, -oG, or -oA for all three formats) to choose the output format. For example, -oG followed by the path to your output file saves all results in grepable format, which is easy to process with other tools.

Run executables

Linux exec

chmod +x myexec.sh
./myexec.sh
sh myexec.sh
bash myexec.sh

Windows exec

script.bat
binary.exe
script.ps1

Just type the path to your executable on the console and press enter. In PowerShell, a script in the current directory must be prefixed with .\ (for example .\script.ps1), and .ps1 scripts only run if the execution policy allows it.

Inspect the Network

Linux network

ifconfig
ip addr
lsof -i
arp -a
netstat -na | egrep 'LISTEN|ESTABLISH'

Windows network

ipconfig
ipconfig /all
net view /all
arp -a

Best filters for Wireshark

Detecting Nmap or Masscan

The following filter can spot half-open (SYN-only) TCP probes with a small window size, which scanners use to bypass basic detection and logging systems:

tcp.flags.syn==1 and tcp.flags.ack==0 and tcp.window_size <= 1024
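The same heuristic applied offline, as an added example that is not part of the Blue Sheet repo: it takes packet records exported with tshark (assumed field order ip.src, ip.dst, tcp.dstport, tcp.flags.syn, tcp.flags.ack, tcp.window_size), applies the filter above, and goes one step further by grouping the matching probes per source so that a host hitting many ports stands out. The sample records are constructed.

```python
# Added example (not from the Blue Sheet repo). Assumed input: lines produced by
#   tshark -r capture.pcap -T fields -E separator=, \
#     -e ip.src -e ip.dst -e tcp.dstport -e tcp.flags.syn -e tcp.flags.ack -e tcp.window_size
# Booleans print as 1/0 or True/False depending on the tshark version; both are accepted.
from collections import defaultdict

# Constructed sample: 10.0.0.5 probes four ports with small-window SYNs,
# 10.0.0.10 answers one of them (SYN+ACK), and 10.0.0.7 opens a normal connection.
SAMPLE = """\
10.0.0.5,10.0.0.10,22,1,0,1024
10.0.0.5,10.0.0.10,80,1,0,1024
10.0.0.5,10.0.0.10,443,True,False,1024
10.0.0.5,10.0.0.10,8080,1,0,1024
10.0.0.10,10.0.0.5,22,1,1,65535
10.0.0.7,10.0.0.10,443,1,0,64240
10.0.0.7,10.0.0.10,443,0,1,502
"""

def as_flag(value):
    """Normalise a tshark boolean field ("1", "0", "True", "False") to bool."""
    return value.strip().lower() in ("1", "true")

def is_scan_probe(syn, ack, window):
    """Same predicate as the Wireshark filter:
    tcp.flags.syn==1 and tcp.flags.ack==0 and tcp.window_size <= 1024"""
    return syn and not ack and window <= 1024

def parse_line(line):
    src, dst, dport, syn, ack, win = line.strip().split(",")
    return src, dst, int(dport), as_flag(syn), as_flag(ack), int(win)

def find_scanners(text, min_ports=3):
    """Return {source: sorted probed ports} for every source whose small-window
    SYN probes reached at least min_ports distinct destination ports."""
    probed = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue  # skip blank lines in the export
        src, _dst, dport, syn, ack, win = parse_line(line)
        if is_scan_probe(syn, ack, win):
            probed[src].add(dport)
    return {s: sorted(p) for s, p in probed.items() if len(p) >= min_ports}

if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE).items():
        print(f"possible SYN scan from {src}: ports {ports}")
```

The per-source threshold (min_ports) is the assumed knob that separates a scan from a single retransmitted SYN.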

Review the hardware

Linux system

hostnamectl

Windows info

Get-ComputerInfo

Inspect files

Linux files

# files that have been recently modified (-t sorts by modification time, newest first)
ls -lat / | less
lsof -u {USER}

# list dotfiles in sensitive directories
find / -name ".*" -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2> /dev/null

Windows forfiles

# list text files (recursively) with their path, name and modification date/time
forfiles /S /M *.txt /C "cmd /c echo @path @file @fdate @ftime"

Source: Stackoverflow

# view unsigned files in system32
sigcheck -u -e c:\windows\system32

Change passwords

Linux passwords

# only modify the password for user
passwd {USER}

# unlock password for user
passwd -u {USER}

# delete password for user
passwd -d {USER}

Windows passwords

# prompt for a new password for a local account
net user {USER} *

# if it's a domain account
net user {USER} * /domain

Stop processes

Linux processes

ps aux
# processes running as root
ps aux | grep ^root
kill -9 {PID}

Windows processes

tasklist /NH | sort
wmic process where name="{PROCESS}" delete
Stop-Process -Name {PROCESS}

Disable services

Linux services

systemctl list-units --type service
systemctl disable {SERVICE}

Windows services

sc query
sc stop {SERVICE}

Analyze malware

Linux malware - inspection

strings {FILE} | head -7
strings {FILE} | less
file -i {FILE}

Windows malware - inspection

debug {FILE}

# view the first 250 bytes of the file (hexdump is not built into Windows; use it from Git Bash or WSL)
hexdump -C -n 250 {FILE}

# check file with Virus Total
sigcheck.exe -vt {FILE}

Analyze Memory

Linux memory

# dump (needs root; many kernels restrict direct access to /dev/mem)
head /dev/mem | hexdump -C

# analysis
gcore -o {file} {PID}
cat /proc/{PID}/smaps > results.txt

Use Volatility for analysis.

Windows memory

Use Volatility for analysis.

Other useful resources

  • Volshell: direct introspection and access to all features of the volatility library from within a command line environment
  • Valgrind: the memcheck tool can analyze memory errors (overflows, leaks)

Shutdown

Linux off

poweroff

Windows off

shutdown /s /t 0

Powershell Commands

Personal cheat sheet

Monitoring

Linux packages

  • whowatch (very handy)
  • htop (instead of the pre-packaged top on some distros)