Blue Team Field Manual (BTFM) is a Cyber Security Incident Response Guide that aligns with the NIST Cybersecurity Framework, consisting of the five core functions Identify, Protect, Detect, Respond, and Recover, by providing the tactical steps to follow and commands to use when preparing for, working through and recovering from a Cyber Security Incident.

Preparation (Documentation Review)

  • Organization Chart
  • Network Diagrams
  • Data Flow Diagrams
  • Critical Asset, Data and Services List
  • Rules of Engagement (ROE) Limitations and Boundaries
  • Incident Response Plan
  • Business Continuity Plans
  • Disaster Recovery Plan
  • Required Notification Guidance
  • Action to Date
  • Physical Access Requirements
  • On call/contracted resources
  • Communication Plan
  • Authority and Legal Condition
  • Threat Intelligence Summary
  • Meetings and Deliverable Reporting Requirements
  • Physical Security Plan
  • Risk Assessment Decision Matrix
  • Data and Info Disclosure Procedures
  • Consent to Monitor, Collect and Assess Data
  • MOA/MOU/NDA Documents and Requirements

Identify (Scope)

NMAP

Ping sweep for network:
# nmap -sn -PE <IP ADDRESS OR RANGE>
Scan and show open ports:
# nmap --open <IP ADDRESS OR RANGE>
Determine open services:
# nmap -sV <IP ADDRESS>
Scan two common TCP ports, HTTP and HTTPS:
# nmap -p 80,443 <IP ADDRESS OR RANGE>
Scan UDP and TCP together, verbose, on a single host, skipping host discovery (-Pn):
# nmap -v -Pn -sU -sT -p U:53,111,137,T:21-25,80,139,8080 <IP ADDRESS>

NESSUS

Basic Nessus scan:
# nessus -q -x -T html <NESSUS SERVER IP ADDRESS> <NESSUS SERVER PORT 1234> <ADMIN ACCOUNT> <ADMIN PASSWORD> <FILE WITH TARGETS>.txt <RESULTS FILE NAME>.html
# nessus [-vnh] [-c .rcfile] [-V] [-T <format>]
Batch-mode scan:
# nessus -q [-pPS] <HOST> <PORT> <USER NAME> <PASSWORD> <targets-file> <result-file>
Report conversion:
# nessus -i in.[nsr|nbe] -o out.[xml|nsr|nbe|html|txt]

OPENVAS

Step 1: Install the server, client and plugin packages:
# apt-get install openvas-server openvas-client openvas-plugins-base openvas-plugins-dfsg
Step 2: Update the vulnerability database:
# openvas-nvt-sync
Step 3: Add a user to run the client:
# openvas-adduser
Step 4: Login: sysadm
Step 5: Authentication (pass/cert) [pass]: [HIT ENTER]
Step 6: Login password: <PASSWORD>
You will then be asked to add "User rules".
Step 7: Allow this user to scan only the authorized network by typing (one rule per line):
accept <YOUR IP ADDRESS OR RANGE>
default deny
Step 8: Type Ctrl-D to exit, and then accept.
Step 9: Start the server:
# service openvas-server start
Step 10: Set targets to scan:
Create a text file with a list of hosts/networks to scan.
# vi scanme.txt
Step 11: Add one host or network per line: <IP ADDRESS OR RANGE>
Step 12: Run the scan (text report):
# openvas-client -q 127.0.0.1 9390 sysadm <PASSWORD> scanme.txt openvas-output.txt -T txt -V -x
Step 13: (Optional) Run the scan with HTML report format:
# openvas-client -q 127.0.0.1 9390 sysadm <PASSWORD> scanme.txt openvas-output.html -T html -V -x

Windows

Network Discovery

Basic network discovery
C:\> net view /all
C:\> net view \\<HOST NAME>
Basic ping scan and write output to file:
C:\> for /L %I in (1,1,254) do ping -w 30 -n 1 192.168.1.%I | find "Reply" >> <OUTPUT FILE NAME>.txt

DHCP

Enable DHCP server logging:
C:\> reg add HKLM\System\CurrentControlSet\Services\DhcpServer\Parameters /v ActivityLogFlag /t REG_DWORD /d 1
Default Location Windows 2003/2008/2012:
C:\> %windir%\System32\Dhcp

DNS

Default location Windows 2003:
C:\> %SystemRoot%\System32\Dns
Default location Windows 2008:
C:\> %SystemRoot%\System32\Winevt\Logs\DNSServer.evtx
Default location of enhanced DNS Windows 2012 R2:
C:\> %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-DNSServer%4Analytical.etl
Enable DNS Logging:
C:\> DNSCmd <DNS SERVER NAME> /config /logLevel 0x8100F331
Set log location:
C:\> DNSCmd <DNS SERVER NAME> /config /LogFilePath <PATH TO LOG FILE>
Set size of log file:
C:\> DNSCmd <DNS SERVER NAME> /config /logfilemaxsize 0xffffffff

HASHING

File Checksum Integrity Verifier (FCIV):
Ref. http://support2.microsoft.com/kb/841290
Hash a file:
C:\> fciv.exe <FILE TO HASH>
Hash all files on C:\ into a database file:
C:\> fciv.exe C:\ -r -md5 -xml <FILE NAME>.xml
List all hashed files:
C:\> fciv.exe -list -sha1 -xml <FILE NAME>.xml
Verify previous hashes in the database against the file system:
C:\> fciv.exe -v -sha1 -xml <FILE NAME>.xml
Note: It may be possible to create a master database and compare it to all systems from the command line, for a fast baseline and difference.
Ref. https://technet.microsoft.com/en-us/library/dn520872.aspx
PS C:\> Get-FileHash <FILE TO HASH> | Format-List
PS C:\> Get-FileHash -Algorithm MD5 <FILE TO HASH>
C:\> certutil -hashfile <FILE TO HASH> SHA1
C:\> certutil -hashfile <FILE TO HASH> MD5

NETBIOS

Basic nbtstat scan:
C:\> nbtstat -A <IP ADDRESS>
Cached NetBIOS info on localhost:
C:\> nbtstat -C
Script loop scan:
C:\> for /L %I in (1,1,254) do nbtstat -A 192.168.1.%I

USER ACTIVITY

Ref. https://technet.microsoft.com/en-us/sysinternals/psloggedon.aspx
Get users logged on:
C:\> psloggedon \\computername
Script loop scan:
C:\> for /L %i in (1,1,254) do psloggedon \\192.168.1.%i >> C:\users_output.txt

PASSWORDS

Password guessing or checks:
C:\> for /f %i in (<PASSWORD FILE NAME>.txt) do @echo %i & net use \\<TARGET IP ADDRESS> %i /u:<USER NAME> 2>nul && pause
C:\> for /f %i in (<USER NAME FILE>.txt) do @(for /f %j in (<PASSWORD FILE NAME>.txt) do @echo %i:%j & @net use \\<TARGET IP ADDRESS> %j /u:%i 2>nul && echo %i:%j >> success.txt && net use \\<TARGET IP ADDRESS> /del)

MICROSOFT BASELINE SECURITY ANALYZER (MBSA)

Basic scan of a target IP address:
C:\> mbsacli.exe /target <TARGET IP ADDRESS> /n os+iis+sql+password
Basic scan of a target IP range:
C:\> mbsacli.exe /r <IP ADDRESS RANGE> /n os+iis+sql+password
Basic scan of a target domain:
C:\> mbsacli.exe /d <TARGET DOMAIN> /n os+iis+sql+password
Basic scan of target computer names listed in a text file:
C:\> mbsacli.exe /listfile <LISTNAME OF COMPUTER NAMES>.txt /n os+iis+sql+password

ACTIVE DIRECTORY INVENTORY

List all OUs:
C:\> dsquery ou DC=<DOMAIN>,DC=<DOMAIN EXTENSION>
List of servers in the domain:
C:\> netdom query SERVER
List of domain controllers:
C:\> netdom query DC
List of organizational units under which the specified user can create a machine object:
C:\> netdom query OU
List of primary domain controller:
C:\> netdom query PDC
List the domain trusts
C:\> netdom query TRUST
Query the domain for the current list of FSMO owners
C:\> netdom query FSMO
List all computers from Active Directory:
C:\> dsquery COMPUTER "OU=servers,DC=<DOMAIN NAME>,DC=<DOMAIN EXTENSION>" -o rdn -limit 0 > C:\machines.txt
List user accounts inactive for longer than 3 weeks:
C:\> dsquery user domainroot -inactive 3
Find any object (or only users) created on or after a date in UTC, using the timestamp format YYYYMMDDHHMMSS.0Z:
C:\> dsquery * -filter "(whenCreated>=20101022083730.0Z)"
C:\> dsquery * -filter "(&(whenCreated>=20101022083730.0Z)(objectClass=user))"
Alt option:
C:\> ldifde -d ou=<OU NAME>,dc=<DOMAIN NAME>,dc=<DOMAIN EXTENSION> -l whencreated,whenchanged -p onelevel -r "(ObjectCategory=user)" -f <OUTPUT FILENAME>
The last login timestamp format in UTC: YYYYMMDDHHMMSS
Alt option:
C:\> dsquery * dc=<DOMAIN NAME>,dc=<DOMAIN EXTENSION> -filter "(&(objectCategory=Person)(objectClass=User)(whenCreated>=20151001000000.0Z))"
C:\> adfind -csv -b dc=<DOMAIN NAME>,dc=<DOMAIN EXTENSION> -f "(&(objectCategory=Person)(objectClass=User)(whenCreated>=20151001000000.0Z))"
Using PowerShell, dump Active Directory accounts created in the last 90 days:
PS C:\> Import-Module ActiveDirectory
PS C:\> Get-QADUser -CreatedAfter (Get-Date).AddDays(-90)   (requires the Quest ActiveRoles cmdlets)
PS C:\> Get-ADUser -Filter * -Properties whenCreated | Where-Object {$_.whenCreated -ge ((Get-Date).AddDays(-90)).Date}

LINUX

NETWORK DISCOVERY

Net view scan:
# smbtree -b
# smbtree -D
# smbtree -S
View open SMB shares:
# smbclient -L <HOST NAME>
# smbstatus
Basic ping scan:
# for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip >/dev/null 2>&1 && echo "192.168.1.$ip UP"; done

DHCP

View DHCP lease logs:
Red Hat 3:
# cat /var/lib/dhcpd/dhcpd.leases
Ubuntu:
# grep -Ei 'dhcp' /var/log/syslog.1
Ubuntu DHCP logs:
# tail -f dhcpd.log
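The lease file read above is ISC dhcpd's plain-text lease database, in which updated leases are appended rather than rewritten, so the last block for an IP is the current one. As an added example (not part of the BTFM), the POSIX shell/awk functions below turn that file into one "ip mac state hostname" line per lease, keeping only the latest block per IP, so a responder can quickly map an IP seen in an alert to a MAC and hostname. SAMPLE_LEASES is a constructed excerpt; parse_leases and active_leases are names chosen here.

```shell
#!/bin/sh
# Constructed sample of an ISC dhcpd.leases file (not from a real server).
# The second block for 192.168.1.50 supersedes the first, as dhcpd appends.
SAMPLE_LEASES='lease 192.168.1.50 {
  starts 4 2023/03/02 08:00:00;
  ends 4 2023/03/02 20:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "laptop-alice";
}
lease 192.168.1.51 {
  starts 4 2023/03/02 08:05:00;
  ends 4 2023/03/02 20:05:00;
  binding state free;
  hardware ethernet aa:bb:cc:dd:ee:ff;
}
lease 192.168.1.50 {
  starts 4 2023/03/02 21:00:00;
  ends 5 2023/03/03 09:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "laptop-alice";
}'

# Read a leases file on stdin; print "ip mac state hostname" per lease,
# keeping the last block seen for each IP (first-seen order preserved).
parse_leases() {
    awk '
    /^lease /           { ip = $2; mac = "-"; state = "-"; host = "-" }
    /hardware ethernet/ { mac = $3; sub(/;$/, "", mac) }
    /binding state/     { state = $3; sub(/;$/, "", state) }
    /client-hostname/   { host = $2; gsub(/[";]/, "", host) }
    /^}/ {
        rec[ip] = ip " " mac " " state " " host
        if (!(ip in seen)) { seen[ip] = 1; order[++n] = ip }
    }
    END { for (i = 1; i <= n; i++) print rec[order[i]] }
    '
}

# Only leases whose current binding state is "active"
active_leases() {
    parse_leases | awk '$3 == "active"'
}

# Demo on the constructed sample; on a real server use:
#   parse_leases < /var/lib/dhcpd/dhcpd.leases
printf '%s\n' "$SAMPLE_LEASES" | parse_leases
```

Hostnames are client-supplied, so treat the hostname column as a hint and the MAC/IP pair as the record of value.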

DNS

Start DNS query logging:
# rndc querylog
View DNS logs:
# tail -f /var/log/messages | grep named
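Once rndc querylog is on, every lookup lands in syslog as a named line, and the useful questions for triage are "which client is asking the most" and "which names are being asked repeatedly". As an added example (not from the BTFM), the shell/awk functions below answer both over a constructed set of syslog lines (SAMPLE_LOG) in the classic BIND 9 querylog format "client IP#port: query: NAME IN TYPE ..."; newer BIND releases insert extra fields after "client", so the split would need adjusting there. The function names are chosen here; ".badsite.com" is the page's own placeholder domain.

```shell
#!/bin/sh
# Constructed syslog lines (classic BIND querylog format); one unrelated
# sshd line is included to show that non-named lines are ignored.
SAMPLE_LOG='Mar  2 10:15:01 ns1 named[1234]: client 192.168.1.50#53211: query: www.example.com IN A + (192.168.1.1)
Mar  2 10:15:02 ns1 named[1234]: client 192.168.1.50#53212: query: mail.example.com IN MX + (192.168.1.1)
Mar  2 10:15:03 ns1 named[1234]: client 192.168.1.77#41000: query: updates.badsite.com IN A + (192.168.1.1)
Mar  2 10:15:04 ns1 named[1234]: client 192.168.1.77#41001: query: updates.badsite.com IN A + (192.168.1.1)
Mar  2 10:15:05 ns1 named[1234]: client 192.168.1.77#41002: query: updates.badsite.com IN TXT + (192.168.1.1)
Mar  2 10:15:06 ns1 sshd[999]: Accepted publickey for alice from 192.168.1.50'

# Queries per client IP, "count ip", highest first (stdin = log lines)
queries_per_client() {
    grep 'named\[' | awk '
    /query:/ { split($0, a, "client "); split(a[2], b, "#"); c[b[1]]++ }
    END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Lookups per queried name, "count name", highest first
queries_per_name() {
    grep 'named\[' | awk '
    /query:/ { for (i = 1; i <= NF; i++) if ($i == "query:") { n[$(i+1)]++; break } }
    END { for (name in n) print n[name], name }' | sort -rn
}

# Client/name pairs queried more than $1 times: repeated lookups of one
# name by one host are worth a look (beaconing, tunnelling, misconfig).
noisy_names() {
    grep 'named\[' | awk -v t="$1" '
    /query:/ {
        split($0, a, "client "); split(a[2], b, "#"); ip = b[1]
        for (i = 1; i <= NF; i++) if ($i == "query:") { name = $(i+1); break }
        k[ip " " name]++
    }
    END { for (key in k) if (k[key] > t) print k[key], key }' | sort -rn
}

# Demo on the constructed lines; on a live server pipe in
#   grep named /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | queries_per_client
printf '%s\n' "$SAMPLE_LOG" | noisy_names 2
```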

HASHING

Hash all files (e.g. executables) under the specified locations:
# find /<PATHNAME TO ENUMERATE> -type f -exec md5sum {} \; >> md5sums.txt
# md5deep -rs / > md5sums.txt
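The hash lists above, and the FCIV note in the Windows HASHING section about a master database for "fast baseline and difference", only pay off when a baseline taken before an incident is compared against a later scan. As an added example (not from the BTFM), the shell functions below build a baseline of a directory tree and then report files that are new, removed or modified since it was taken. It uses sha256sum rather than the md5sum of the commands above (same mechanism, stronger hash) and assumes paths without spaces, since it splits sha256sum output on whitespace; demo builds a constructed temporary tree so it runs without touching real system files. Function names are chosen here.

```shell
#!/bin/sh
# Write "hash  path" lines for every regular file under $1 into $2,
# sorted by path so two baselines can also be diffed directly.
make_baseline() {
    dir="$1"; out="$2"
    find "$dir" -type f -exec sha256sum {} \; | sort -k2 > "$out"
}

# Compare baseline file $1 against a fresh scan of directory $2 and print
# "MODIFIED path", "NEW path" or "REMOVED path" lines, sorted.
compare_baseline() {
    base="$1"; dir="$2"
    tmp=$(mktemp)
    find "$dir" -type f -exec sha256sum {} \; | sort -k2 > "$tmp"
    # awk reads the baseline first (NR == FNR), then the new scan
    awk '
    NR == FNR { old[$2] = $1; next }
    {
        if (!($2 in old))        print "NEW", $2
        else if (old[$2] != $1)  print "MODIFIED", $2
        seen[$2] = 1
    }
    END { for (p in old) if (!(p in seen)) print "REMOVED", p }
    ' "$base" "$tmp" | sort
    rm -f "$tmp"
}

# Self-contained demo on a constructed temp tree (not real system files):
# baseline, then tamper with one file, add one, delete one, and compare.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/bin"
    printf 'orig\n' > "$root/bin/tool"
    printf 'keep\n' > "$root/bin/stable"
    printf 'gone\n' > "$root/bin/old"
    make_baseline "$root" "$root.baseline"      # stored outside the tree
    printf 'tampered\n' > "$root/bin/tool"      # modified
    printf 'new\n' > "$root/bin/dropper"        # new
    rm "$root/bin/old"                          # removed
    compare_baseline "$root.baseline" "$root" | sed "s|$root||"
    rm -rf "$root" "$root.baseline"
}

demo
```

Keep the baseline file off the host it describes (or at least outside the scanned tree), otherwise the same intrusion that changes the binaries can change the baseline.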

NETBIOS

Basic nbtscan scan:
# nbtscan <IP ADDRESS OR RANGE>

PASSWORDS

Password and username guessing or checks:
# while read user; do while read pass; do smbclient -L <TARGET IP ADDRESS> -U "$user%$pass" -g -d 0; echo "$user:$pass"; done < <PASSWORD FILE NAME>.txt; done < <USER NAME FILE>.txt

PROTECT (DEFEND)

WINDOWS

DISABLE/STOP SERVICES

Get a list of services and disable or stop:
C:\> sc query
C:\> sc config "<SERVICE NAME>" start= disabled
C:\> sc stop "<SERVICE NAME>"
C:\> wmic service where name='<SERVICE NAME>' call ChangeStartmode Disabled

HOST SYSTEM FIREWALLS

Show all rules:
C:\> netsh advfirewall firewall show rule name=all
Set firewall on/off:
C:\> netsh advfirewall set currentprofile state on
C:\> netsh advfirewall set currentprofile firewallpolicy blockinboundalways,allowoutbound
C:\> netsh advfirewall set publicprofile state on
C:\> netsh advfirewall set privateprofile state on
C:\> netsh advfirewall set domainprofile state on
C:\> netsh advfirewall set allprofiles state on
C:\> netsh advfirewall set publicprofile state off
Set firewall rules examples:
C:\> netsh advfirewall firewall add rule name="Open Port 80" dir=in action=allow protocol=TCP localport=80
C:\> netsh advfirewall firewall add rule name="My Application" dir=in action=allow program="C:\MyApp\MyApp.exe" enable=yes
C:\> netsh advfirewall firewall add rule name="My Application" dir=in action=allow program="C:\MyApp\MyApp.exe" enable=yes remoteip=157.60.0.1,172.16.0.0/16,LocalSubnet profile=domain
C:\> netsh advfirewall firewall add rule name="My Application" dir=in action=allow program="C:\MyApp\MyApp.exe" enable=yes remoteip=157.60.0.1,172.16.0.0/16,LocalSubnet profile=private
C:\> netsh advfirewall firewall delete rule name="<RULE NAME>" program="C:\MyApp\MyApp.exe"
C:\> netsh advfirewall firewall delete rule name="<RULE NAME>" protocol=udp localport=500
C:\> netsh advfirewall firewall set rule group="remote desktop" new enable=Yes profile=domain
C:\> netsh advfirewall firewall set rule group="remote desktop" new enable=No profile=public
Set up the logging location:
C:\> netsh advfirewall set currentprofile logging filename C:\<LOCATION>\<FILE NAME>
Windows firewall log location and settings:
C:\> more %systemroot%\system32\LogFiles\Firewall\pfirewall.log
C:\> netsh advfirewall set allprofiles logging maxfilesize 4096
C:\> netsh advfirewall set allprofiles logging droppedconnections enable
C:\> netsh advfirewall set allprofiles logging allowedconnections enable
Display firewall logs:
PS C:\> Get-Content $env:systemroot\system32\LogFiles\Firewall\pfirewall.log
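With dropped-connection logging enabled, pfirewall.log becomes a cheap record of who is probing a host and on which ports. As an added example (not from the BTFM), the shell/awk functions below summarise a copy of that log on a Linux analysis box (or WSL): inbound DROP events per source IP and per protocol/port. They assume the W3C-style field order the Windows Firewall writes in its "#Fields:" header (date time action protocol src-ip dst-ip src-port dst-port ... path), which is the layout of the constructed SAMPLE_FWLOG below; function names are chosen here.

```shell
#!/bin/sh
# Constructed excerpt of a Windows Firewall pfirewall.log. Field order
# follows the "#Fields:" header; "RECEIVE" in the last column marks
# inbound traffic. Source addresses are made-up RFC 1918 hosts.
SAMPLE_FWLOG='#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2023-03-02 10:15:01 DROP TCP 192.168.1.77 192.168.1.10 41000 445 52 S 1 0 8192 - - - RECEIVE
2023-03-02 10:15:01 DROP TCP 192.168.1.77 192.168.1.10 41001 3389 52 S 1 0 8192 - - - RECEIVE
2023-03-02 10:15:02 DROP TCP 192.168.1.77 192.168.1.10 41002 445 52 S 1 0 8192 - - - RECEIVE
2023-03-02 10:15:03 ALLOW TCP 192.168.1.50 192.168.1.10 50000 445 0 - 0 0 0 - - - RECEIVE
2023-03-02 10:15:04 DROP UDP 192.168.1.60 192.168.1.255 137 137 78 - - - - - - - RECEIVE'

# Inbound DROP events per source IP: "count ip", highest first.
# Header lines start with "#" and are skipped.
dropped_by_source() {
    awk '!/^#/ && $3 == "DROP" && $NF == "RECEIVE" { c[$5]++ }
         END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Inbound DROP events per protocol/destination port: "count PROTO/port".
dropped_by_port() {
    awk '!/^#/ && $3 == "DROP" && $NF == "RECEIVE" { c[$4 "/" $8]++ }
         END { for (k in c) print c[k], k }' | sort -rn
}

# Demo on the constructed log; for a real copy of the file use e.g.
#   dropped_by_source < pfirewall.log
printf '%s\n' "$SAMPLE_FWLOG" | dropped_by_source
printf '%s\n' "$SAMPLE_FWLOG" | dropped_by_port
```

A single source hitting several ports in quick succession, as 192.168.1.77 does in the sample, is the pattern to chase first; broadcast noise such as UDP/137 is usually benign background.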

PASSWORDS

Change password:
C:\> net user <USER NAME> * /domain
C:\> net user <USER NAME> <NEW PASSWORD>
Change password remotely (authenticating to the remote computer as an administrator):
C:\> pspasswd.exe \\<IP ADDRESS or NAME OF REMOTE COMPUTER> -u <ADMIN USER NAME> -p <ADMIN PASSWORD> <USER NAME> <NEW PASSWORD>
Change password remotely, prompting for the new password:
PS C:\> pspasswd.exe \\<IP ADDRESS or NAME OF REMOTE COMPUTER> <USER NAME>

HOST FILE

Flush the DNS cache (drops cached entries for a malicious domain/IP):
C:\> ipconfig /flushdns
Flush the NetBIOS name cache:
C:\> nbtstat -R
Add a malicious domain to the hosts file, routing it to localhost:
C:\> echo 127.0.0.1 <MALICIOUS DOMAIN> >> C:\Windows\System32\drivers\etc\hosts
Check that the hosts entry is working: the ping should go to 127.0.0.1:
C:\> ping <MALICIOUS DOMAIN> -n 1

WHITELIST

Use a Proxy Auto-Config (PAC) file to create a bad URL or IP list (IE, Firefox, Chrome); matching traffic is sent to a local sinkhole proxy and everything else goes direct:

function FindProxyForURL(url, host) {
    // Send bad DNS names to the proxy
    if (dnsDomainIs(host, ".badsite.com"))
        return "PROXY 127.0.0.1:8080";
    // Send bad IPs to the proxy (isInNet resolves the host name, then masks it)
    if (isInNet(host, "222.222.222.222", "255.255.255.0"))
        return "PROXY 127.0.0.1:8080";
    // All other traffic bypasses the proxy
    return "DIRECT";
}

APPLICATION RESTRICTIONS

AppLocker - Server 2008 R2 or Windows 7 or higher:
Using the GUI wizard, configure:

  • Executable Rules (.exe, .com)
  • DLL Rules (.dll, .ocx)
  • Script Rules (.ps1, .bat, .cmd, .vbs, .js)
  • Windows Installer Rules (.msi, .msp, .mst)

Steps to employ AppLocker (the GUI is needed for digitally signed app restrictions):

  1. Create a new GPO.
  2. Right-click on it to edit, and then navigate through Computer Configuration, Policies, Windows Settings, Security Settings, Application Control Policies and AppLocker.
    Click Configure Rule Enforcement.
  3. Under Executable Rules, check the Configured box and then make sure Enforce Rules is selected from the drop-down box. Click OK.
  4. In the left pane, click Executable Rules.
  5. Right-click in the right pane and select Create New Rule.
  6. On the Before You Begin screen, click Next.
  7. On the Permissions screen, click Next.
  8. On the Conditions screen, select the Publisher condition and click Next.
  9. Click the Browse button and browse to any executable file on your system. It doesn't matter which.
  10. Drag the slider up to Any Publisher and then click Next.
  11. Click Next on the Exceptions screen.
  12. Name the policy, for example "Only run executables that are signed", and click Create.
  13. If this is your first time creating an AppLocker policy, Windows will prompt you to create the default rules; click Yes.
  14. Ensure the Application Identity Service is running.
    C:\> net start AppIDSvc
    C:\> REG add "HKLM\SYSTEM\CurrentControlSet\services\AppIDSvc" /v Start /t REG_DWORD /d 2 /f
  15. The change requires a reboot.
    C:\> shutdown.exe /r
    C:\> shutdown.exe /r /m \\<IP ADDRESS OR COMPUTERNAME> /f

Add the AppLocker cmdlets into PowerShell:
PS C:\> Import-Module AppLocker
Get the file information for all of the files and scripts in a directory:
PS C:\> Get-AppLockerFileInformation -Directory C:\Windows\System32 -Recurse -FileType Exe, Script
Create an AppLocker policy with allow rules for all of the executable files in C:\Windows\System32:
PS C:\> Get-ChildItem C:\Windows\System32\*.exe | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -RuleNamePrefix System32
Set the local AppLocker policy to the policy specified in C:\Policy.xml:
PS C:\> Set-AppLockerPolicy -XMLPolicy C:\Policy.xml
Use the AppLocker policy in C:\Policy.xml to test whether calc.exe and notepad.exe are allowed to run for members of the Everyone group (if you do not specify a group, Everyone is used by default):
PS C:\> Test-AppLockerPolicy -XMLPolicy C:\Policy.xml -Path C:\Windows\System32\calc.exe, C:\Windows\System32\notepad.exe -User Everyone
Review how many times a file would have been blocked from running if rules were enforced:
PS C:\> Get-AppLockerFileInformation -EventLog -LogPath "Microsoft-Windows-AppLocker/EXE and DLL" -EventType Audited -Statistics
Create a new AppLocker policy from the audited events in the local Microsoft-Windows-AppLocker/EXE and DLL event log and apply it to the GPO; the current AppLocker policy will be overwritten:
PS C:\> Get-AppLockerFileInformation -EventLog -LogPath "Microsoft-Windows-AppLocker/EXE and DLL" -EventType Audited | New-AppLockerPolicy -RuleType Publisher,Hash -User domain\<GROUP> -IgnoreMissingFileInformation | Set-AppLockerPolicy -LDAP "LDAP://<DC>.<DOMAIN>.com/CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=<DOMAIN>,DC=com"
Export the local AppLocker policy and list the executables the user is explicitly denied from running, to a text file:
PS C:\> Get-AppLockerPolicy -Local | Test-AppLockerPolicy -Path C:\Windows\System32\*.exe -User domain\<USER NAME> -Filter Denied | Format-List -Property Path > C:\DeniedFiles.txt
Export the results of the test to a file for analysis:
PS C:\> Get-ChildItem <DIRECTORY PATH TO REVIEW> -Filter <FILE EXTENSION FILTER> -Recurse | Convert-Path | Test-AppLockerPolicy -XMLPolicy <PATH TO EXPORTED POLICY FILE> -User <domain\username> -Filter <TYPE OF RULE TO FILTER FOR> | Export-Csv <PATH TO EXPORT RESULTS>.csv
GridView list of any local rules applicable:
PS C:\> Get-AppLockerPolicy -Local -Xml | Out-GridView