socAnalystRoomTwo


- C2 information: https://www.varonis.com/blog/what-is-c2
- TShark
- Malicious macro documents (maldocs), spearphishing
- MalwareBazaar and Malshare
- Detection rules: https://tdm.socprime.com/signup
- ssdeep is a program for computing context triggered piecewise hashes (CTPH), also
called fuzzy hashes. It is used to check the similarity between two files: for
example, a malware sample that attackers have slightly changed and disguised can
still be detected with fuzzy hashing.
- TTPs stands for Tactics, Techniques & Procedures.
- A framework is a set of voluntary guidelines designed to help organizations
assess and improve their ability to prevent, detect and respond to cybersecurity
risks (such as MITRE ATT&CK).
- An advanced persistent threat (APT) is a prolonged and targeted cyber attack in
which an intruder gains access to a network and remains undetected for an extended
period; APT groups are threat actors.

CyberKillChain: "The term kill chain is a military concept related to the
structure of an attack. It consists of target identification, decision and order to
attack the target, and finally the target destruction.

Thanks to Lockheed Martin, a global security and aerospace company, that
established the Cyber Kill Chain® framework for the cybersecurity industry in 2011
based on the military concept. The framework defines the steps used by adversaries
or malicious actors in cyberspace"

*So, why is it important to understand how Cyber Kill Chain works?*

The Cyber Kill Chain will help you understand and protect against ransomware
attacks, security breaches as well as Advanced Persistent Threats (APTs). You can
use the Cyber Kill Chain to assess your network and system security by identifying
missing security controls and closing certain security gaps based on your company's
infrastructure.

The steps of the cyber kill chain are:

- Reconnaissance
- Weaponization
- Delivery
- Exploitation
- Installation
- Command & Control
- Actions on Objectives

speaking of reconnaissance ...

**Reconnaissance (Recon)**: Reconnaissance is the broader process of gathering
information about a target. A target can be an organization, network, or
individual. This information (both technical and non-technical) is collected from
publicly available sources, such as websites, social media, job postings, press
releases, and more. The goal of reconnaissance is to build a general understanding
of the target’s environment, like identifying key personnel, technology used, and
potential vulnerabilities. Reconnaissance doesn’t involve directly interacting with
the target; it’s about passive information gathering.
**Footprinting**: Footprinting is a specific phase within reconnaissance. It
focuses on collecting detailed and specific information (technical information)
about a target’s network infrastructure, system architecture, and IP addresses.
This phase typically involves more active techniques, such as network scanning, DNS
queries, and traceroutes, to map out the target’s digital footprint. The aim of
footprinting is to create a detailed profile of the target’s network structure,
which can be useful for planning further stages of an ethical hacking engagement.

Email harvesting is the process of obtaining email addresses from public, paid, or
free services.

- theHarvester: other than gathering emails, this tool is also capable of gathering
names, subdomains, IPs, and URLs using multiple public data sources
- Hunter.io: this is an email hunting tool that will let you obtain contact
information associated with the domain
- OSINT Framework: OSINT Framework provides the collection of OSINT tools based on
various categories

speaking of Weaponization ...

The Weaponization phase uses a "weaponizer" that, according to Lockheed Martin,
combines malware and exploit into a deliverable payload.

Malware: This refers to the harmful software that performs malicious actions once
it is successfully deployed on the target system (e.g., stealing data, encrypting
files, etc.).
Exploit: This refers to the method or code that takes advantage of vulnerabilities
in software or systems to gain unauthorized access or perform unintended actions.
Combination: The weaponizer integrates these two components. The exploit is used to
gain access to the target system, and once access is achieved, the malware is
delivered and executed to achieve the attacker's goals (such as data theft or
system disruption).
For learning about VBA and macros:
https://www.trustedsec.com/blog/intro-to-macros-and-vba-for-script-kiddies

In the Weaponization phase, the attacker would:

- Create an infected Microsoft Office document containing a malicious macro or VBA
(Visual Basic for Applications) scripts. If you want to learn about macro and VBA,
please refer to the article "Intro to Macros and VBA For Script Kiddies" by
TrustedSec.
- An attacker can create a malicious payload or a very sophisticated worm, implant it
on the USB drives, and then distribute them in public. An example of the virus.
- An attacker would choose Command and Control (C2) techniques for executing the
commands on the victim's machine or deliver more payloads. You can read more about
the C2 techniques on MITRE ATT&CK.
- An attacker would select a backdoor implant (the way to access the computer system,
which includes bypassing the security mechanisms).

In the Delivery phase, the attacker would use:

- Phishing email
- USB Drop Attack
- Watering hole attack
- Drive-by download

In the Exploitation phase, the attacker would:

After gaining access to the system, the malicious actor could exploit software,
system, or server-based vulnerabilities to escalate the privileges or move
laterally through the network. According to CrowdStrike, lateral movement refers to
the techniques that a malicious actor uses after gaining initial access to the
victim's machine to move deeper into a network to obtain sensitive data.

A zero-day exploit is an unknown exploit in the wild that exposes a vulnerability in
software or hardware and can create complicated problems well before anyone realizes
something is wrong. A zero-day exploit leaves NO opportunity for detection at the
beginning.
A zero-day vulnerability is a vulnerability in a system or device that has been
disclosed but is not yet patched. An exploit that attacks a zero-day vulnerability
is called a zero-day exploit.

In the Installation phase, the attacker would:

Once the attacker gets access to the system, he would want to reaccess the system
if he loses the connection to it or if he got detected and got the initial access
removed, or if the system is later patched. He will no longer have access to it.
That is when the attacker needs to install a persistent backdoor. A persistent
backdoor will let the attacker access the system he compromised in the past.

Meterpreter is a Metasploit attack payload that provides an interactive shell from
which an attacker can explore the target machine and execute code. It is typically
deployed using in-memory DLL injection to reside entirely in memory.

The persistence can be achieved through:

- Installing a web shell on the webserver. A web shell is a malicious script written
in web development programming languages such as ASP, PHP, or JSP used by an
attacker to maintain access to the compromised system. Because of their simplicity
and file format (.php, .asp, .aspx, .jsp, etc.), web shells can be difficult to
detect and might be classified as benign. You may check out this great article
released by Microsoft on various web shell attacks.
- Installing a backdoor on the victim's machine. For example, the attacker can use
Meterpreter to install a backdoor on the victim's machine. Meterpreter is a
Metasploit Framework payload that gives an interactive shell from which an attacker
can interact with the victim's machine remotely and execute the malicious code.
- Creating or modifying Windows services. This technique is known as T1543.003 on
MITRE ATT&CK (MITRE ATT&CK® is a knowledge base of adversary tactics and techniques
based on real-world scenarios). An attacker can create or modify the Windows
services to execute the malicious scripts or payloads regularly as a part of the
persistence. An attacker can use tools like sc.exe (sc.exe lets you Create,
Start, Stop, Query, or Delete any Windows Service) and Reg to modify service
configurations. The attacker can also masquerade the malicious payload by using a
service name that is known to be related to the Operating System or legitimate
software.
- Adding the entry to the "run keys" for the malicious payload in the Registry or the
Startup Folder. By doing that, the payload will execute each time the user logs in
on the computer. According to MITRE ATT&CK, there is a startup folder location for
individual user accounts and a system-wide startup folder that will be checked no
matter what user account logs in.
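As a defender-side illustration of the run-key and service persistence described above (an added example, not code from the room or these notes), the Python below scans registry-write records and flags autostart entries whose binary sits outside the normal install directories, which also catches the OS-like service names mentioned in the text. The registry key paths are the real locations; the sample records, host names and paths are constructed.

```python
"""Flag registry writes matching the persistence techniques in the notes:
Run-key autostart entries and service ImagePath changes whose binary lives
outside the usual install locations (a cheap check against masquerading)."""
import re

# Constructed registry-modification records (hypothetical, not real telemetry):
# (key path, value name, data written)
SAMPLE_REGISTRY_WRITES = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r"C:\Users\alice\AppData\Roaming\upd\svchost.exe"),  # OS-like name, user dir
    (r"HKLM\SYSTEM\CurrentControlSet\Services\WinDefendSvc", "ImagePath",
     r"C:\Users\Public\wdsvc.exe -k netsvcs"),  # security-product-like name
    (r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler", "ImagePath",
     r"C:\Windows\System32\spoolsv.exe"),
    (r"HKCU\Software\Mozilla\Firefox", "LastVersion", "118.0"),
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
SERVICE_KEY = re.compile(r"\\CurrentControlSet\\Services\\[^\\]+$", re.IGNORECASE)
# Directories where legitimately installed autostart binaries normally live.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def image_path(data):
    """Extract the executable from a command line: a quoted path, or text up to .exe."""
    m = re.match(r'\s*(?:"([^"]+)"|(.+?\.exe))', data, re.IGNORECASE)
    return (m.group(1) or m.group(2)).lower() if m else data.lower()

def flag_persistence(writes):
    """Return (technique, value name, binary) for autostart writes pointing
    at binaries outside TRUSTED_DIRS."""
    findings = []
    for key, name, data in writes:
        if RUN_KEY.search(key):
            technique = "run key"
        elif SERVICE_KEY.search(key) and name.lower() == "imagepath":
            technique = "service ImagePath"
        else:
            continue  # not an autostart location the notes describe
        binary = image_path(data)
        if not binary.startswith(TRUSTED_DIRS):
            findings.append((technique, name, binary))
    return findings

if __name__ == "__main__":
    for technique, name, binary in flag_persistence(SAMPLE_REGISTRY_WRITES):
        print(f"suspicious {technique} entry {name!r} -> {binary}")
```

On a real host the same records come from Sysmon registry events or a registry export; the trusted-directory list is a starting allowlist and will need tuning per environment.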

Adversaries may modify file time attributes to hide new files or changes to existing
files. Timestomping is a technique that modifies the timestamps of a file (the
modify, access, create, and change times), often to mimic files that are in the
same folder.

In the C&C phase, the attacker would:

The most common C2 channels used by adversaries nowadays:

- HTTP on port 80 and HTTPS on port 443: this type of beaconing blends the
malicious traffic with the legitimate traffic and can help the attacker evade
firewalls.
- DNS (Domain Name System): the infected machine makes constant DNS requests to the
DNS server that belongs to an attacker. This type of C2 communication is also known
as DNS Tunneling.

Key aspects of C2 Beaconing:

Periodic Communication: The infected machine "beacons" or sends signals to the C2
server at predefined intervals to report its status or ask for new commands. This
can include instructions for data exfiltration, executing malicious code, or
downloading additional malware.

Stealthy Behavior: Beaconing is often designed to mimic legitimate network traffic
or to blend in with normal activity, making it harder for network monitoring tools
to detect.

Indicators of C2 Beaconing:

- Repeated connections to the same external IP or domain at regular intervals.
- Small data packets being sent frequently to external servers.
- Communication to uncommon or suspicious ports.

Purpose: The goal of beaconing is to maintain control over compromised systems
while minimizing the risk of discovery. Attackers may use beaconing to establish a
persistent foothold in a network for later stages of an attack.
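An added example (not from the room or these notes) that turns the first two beaconing indicators above into a check: it groups connection records by source and destination and flags pairs whose inter-arrival times are near-constant and whose payloads are small. The connection records, host names and thresholds are constructed assumptions.

```python
"""Flag (source, destination) pairs whose outbound connections recur at
near-constant intervals with small payloads: the periodic, low-volume
check-in pattern the notes list as indicators of C2 beaconing."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed connection records (hypothetical, not real telemetry):
# (epoch seconds, source host, destination, bytes sent by the source)
SAMPLE_CONNECTIONS = [
    # workstation-7 -> 203.0.113.10: every ~60 s, ~300 bytes (beacon-like)
    (1000, "workstation-7", "203.0.113.10", 312),
    (1061, "workstation-7", "203.0.113.10", 298),
    (1119, "workstation-7", "203.0.113.10", 305),
    (1180, "workstation-7", "203.0.113.10", 301),
    (1240, "workstation-7", "203.0.113.10", 310),
    # workstation-7 -> cdn.example.net: bursty browsing with large transfers
    (1005, "workstation-7", "cdn.example.net", 48211),
    (1007, "workstation-7", "cdn.example.net", 120934),
    (1090, "workstation-7", "cdn.example.net", 7732),
    (1400, "workstation-7", "cdn.example.net", 55120),
    (1402, "workstation-7", "cdn.example.net", 9912),
]

def find_beacons(connections, min_events=4, max_cv=0.15, max_bytes=1024):
    """Return {(src, dst): mean_interval_seconds} for beacon-like pairs.
    max_cv caps the coefficient of variation (stdev / mean) of the
    inter-arrival times; a fixed timer with a little jitter scores near 0,
    while normal browsing is bursty and scores far higher. max_bytes caps
    the mean bytes per connection, since check-ins carry little data.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in connections:
        by_pair[(src, dst)].append((ts, nbytes))
    suspects = {}
    for pair, events in by_pair.items():
        if len(events) < min_events:
            continue
        events.sort()
        times = [ts for ts, _ in events]
        intervals = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(intervals)
        if avg > 0 and pstdev(intervals) / avg <= max_cv \
                and mean(n for _, n in events) <= max_bytes:
            suspects[pair] = round(avg, 1)
    return suspects

if __name__ == "__main__":
    for (src, dst), secs in find_beacons(SAMPLE_CONNECTIONS).items():
        print(f"possible beacon: {src} -> {dst} every ~{secs}s")
```

Real implants often add randomised sleep, so in practice max_cv is raised and the window lengthened; the same function applies to DNS query logs when the destination is the queried domain.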

In Actions on Objectives (Exfiltration), the attacker would:

After going through six phases of the attack, "Megatron" can finally achieve his
goals, which means taking action on the original objectives. With hands-on keyboard
access, the attacker can achieve the following:

- Collect the credentials from users.
- Perform privilege escalation (gaining elevated access like domain administrator
access from a workstation by exploiting the misconfiguration).
- Internal reconnaissance (for example, an attacker gets to interact with internal
software to find its vulnerabilities).
- Lateral movement through the company's environment.
- Collect and exfiltrate sensitive data.
- Deleting the backups and shadow copies. Shadow Copy is a Microsoft technology that
can create backup copies, snapshots of computer files, or volumes.
- Overwrite or corrupt data.
- Fallback channels: adversaries may use fallback or alternate communication
channels if the primary channel is compromised or inaccessible, in order to maintain
reliable command and control and to avoid data transfer thresholds.

The Insider Threat is the potential for an insider to use their authorized access
or understanding of an organization to harm that organization.
