🔵 Blue Team & SOC

Defensive Cybersecurity Training

Complete track: SOC Analyst, Blue Team, Incident Response, DFIR and Threat Intelligence.

7 modules | 50+ tools covered | Level: Intermediate
Tags: Cyber SOC, Blue Team, DFIR, Threat Intel, Incident Response

Defensive Cybersecurity Training Track

Complete training: SOC Analyst | Blue Team | Incident Response | Digital Forensics


Table of Contents

  1. Essential Fundamentals
  2. SOC Analyst
  3. Blue Team
  4. Incident Response
  5. Digital Forensics
  6. Threat Intelligence
  7. Essential Open Source Tools
  8. Labs and Practice Environments
  9. Recommended Certifications
  10. Learning Roadmap

1. Essential Fundamentals

1.1 Networks and Protocols

Concepts to Master

Tools to Master

# Network analysis
- Wireshark          # Packet capture and analysis
- tcpdump            # Command-line capture
- tshark             # Wireshark CLI
- Zeek (Bro)         # Network security monitoring
- nmap               # Network scanning
- netcat (nc)        # Network connections
- socat              # Advanced network relays and tunnels

Vocabulary


1.2 Operating Systems

Linux (Essential)

Distributions to know:
- Ubuntu/Debian (SOC environment)
- CentOS/RHEL (enterprise)
- Security Onion (SIEM)
- SIFT Workstation (forensics)
- Kali Linux (offensive tooling, to understand the attacks you defend against)

Linux skills:
- [ ] Advanced command line (bash, zsh)
- [ ] Process management (ps, top, htop, kill)
- [ ] File system (permissions, ownership)
- [ ] System logs (/var/log/)
- [ ] Services and daemons (systemd, systemctl)
- [ ] Networking (ifconfig, ip, netstat, ss)
- [ ] Bash scripting
- [ ] Cron jobs and automation

# Essential commands for the SOC
tail -f /var/log/syslog              # Follow logs in real time
journalctl -xe                        # systemd logs
grep -r "pattern" /var/log/          # Search within logs
find / -name "*.log" -mtime -1       # Log files modified in the last 24h
ps aux | grep suspicious             # Suspicious processes
netstat -tulpn                       # Listening sockets and owning processes
ss -tunap                            # Active sockets
lsof -i :80                          # Open files on a port
last -a                              # Recent logins
who                                  # Logged-in users

Windows

Windows skills:
- [ ] PowerShell (essential for IR)
- [ ] Event Viewer (critical Event IDs)
- [ ] Registry (structure and analysis)
- [ ] Active Directory
- [ ] Group Policy
- [ ] Windows Services
- [ ] Task Scheduler
- [ ] Windows Defender and antivirus

Critical Event IDs to know:

4624 - Successful logon
4625 - Failed logon
4672 - Special privileges assigned
4720 - User account created
4732 - User added to security group
4688 - New process created
4697 - Service installed
7045 - Service installed (System log)
1102 - Audit log cleared
4104 - PowerShell script block logging
4103 - PowerShell module logging

PowerShell for IR:

# Windows security analysis
Get-EventLog -LogName Security -Newest 100
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624}
Get-Process | Select-Object Name, ID, Path
Get-Service | Where-Object {$_.Status -eq "Running"}
Get-ScheduledTask | Where-Object {$_.State -eq "Ready"}
Get-NetTCPConnection -State Established
Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Run
Get-WmiObject Win32_StartupCommand
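
The Event IDs listed above are most useful when correlated rather than counted one by one. The following is an added example (not part of the original course material) that correlates 4625 and 4624 events: a successful logon from a source IP that produced at least five failures within the preceding two minutes is reported as a likely brute-force success. The events are constructed inline as dicts with the fields a SIEM would expose (`EventID`, `Time`, `Account`, `IpAddress`); the field names and the 5-in-2-minutes threshold are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Security events (not real logs): failed logons (4625) from
# 10.0.0.5 followed by a success (4624), plus benign activity from other hosts.
SAMPLE_EVENTS = [
    {"EventID": 4625, "Time": "2024-01-01T10:00:01", "Account": "admin", "IpAddress": "10.0.0.5"},
    {"EventID": 4625, "Time": "2024-01-01T10:00:05", "Account": "admin", "IpAddress": "10.0.0.5"},
    {"EventID": 4625, "Time": "2024-01-01T10:00:09", "Account": "admin", "IpAddress": "10.0.0.5"},
    {"EventID": 4625, "Time": "2024-01-01T10:00:13", "Account": "admin", "IpAddress": "10.0.0.5"},
    {"EventID": 4625, "Time": "2024-01-01T10:00:17", "Account": "admin", "IpAddress": "10.0.0.5"},
    {"EventID": 4624, "Time": "2024-01-01T10:00:20", "Account": "admin", "IpAddress": "10.0.0.5"},
    {"EventID": 4625, "Time": "2024-01-01T10:05:00", "Account": "bob",   "IpAddress": "10.0.0.9"},
    {"EventID": 4624, "Time": "2024-01-01T10:05:03", "Account": "bob",   "IpAddress": "10.0.0.9"},
    {"EventID": 4624, "Time": "2024-01-01T11:00:00", "Account": "alice", "IpAddress": "10.0.0.7"},
    {"EventID": 4625, "Time": "2024-01-01T12:00:00", "Account": "admin", "IpAddress": "10.0.0.5"},
    {"EventID": 4624, "Time": "2024-01-01T12:00:02", "Account": "admin", "IpAddress": "10.0.0.5"},
]

def _when(event):
    return datetime.fromisoformat(event["Time"])

def failed_logons_by_ip(events):
    """Count 4625 events per source IP (the 'stats count by src_ip' view)."""
    counts = defaultdict(int)
    for ev in events:
        if ev["EventID"] == 4625:
            counts[ev["IpAddress"]] += 1
    return dict(counts)

def find_bruteforce_success(events, threshold=5, window=timedelta(minutes=2)):
    """Return one finding per 4624 that was preceded, within `window`, by at least
    `threshold` 4625 events from the same source IP.  Only failures inside the
    window count, so the single 12:00 failure does not re-trigger on 10.0.0.5."""
    failures = defaultdict(list)   # source IP -> timestamps of its 4625 events
    findings = []
    for ev in sorted(events, key=_when):
        ip, t = ev["IpAddress"], _when(ev)
        if ev["EventID"] == 4625:
            failures[ip].append(t)
        elif ev["EventID"] == 4624:
            recent = [f for f in failures[ip] if t - f <= window]
            if len(recent) >= threshold:
                findings.append({"ip": ip, "account": ev["Account"],
                                 "success_at": ev["Time"], "failures": len(recent)})
    return findings

if __name__ == "__main__":
    print(failed_logons_by_ip(SAMPLE_EVENTS))
    for f in find_bruteforce_success(SAMPLE_EVENTS):
        print(f"ALERT: {f['failures']} failures then logon as {f['account']} "
              f"from {f['ip']} at {f['success_at']}")
```

The same sequence logic maps directly onto a SIEM correlation rule; the per-IP count alone would also flag 10.0.0.5 at 12:00, which is why the window matters.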

1.3 Security Fundamentals

Cybersecurity Concepts

Basic Cryptography


2. SOC Analyst

2.1 Role and Responsibilities

SOC tiers:
- Tier 1: Initial triage, first-level alerts
- Tier 2: In-depth analysis, investigation
- Tier 3: Threat hunting, advanced analysis, complex response

Main duties:
- Continuous monitoring (24/7)
- Security alert analysis
- Incident triage and escalation
- SIEM operation
- Incident documentation
- Proactive threat hunting
- Continuous improvement of detections


2.2 SIEM (Security Information and Event Management)

SIEM Concepts

Open Source SIEMs

2.2.1 ELK Stack (Elasticsearch, Logstash, Kibana)

Installation and Configuration:

# Install ELK on Ubuntu
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-8.x.list
sudo apt update

# Elasticsearch
sudo apt install elasticsearch
sudo systemctl enable elasticsearch
sudo systemctl start elasticsearch

# Kibana
sudo apt install kibana
sudo systemctl enable kibana
sudo systemctl start kibana

# Logstash
sudo apt install logstash

Logstash Configuration Example:

# /etc/logstash/conf.d/syslog.conf
input {
  syslog {
    port => 514
    type => "syslog"
  }
  beats {
    port => 5044
  }
}

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGLINE}" }
    }
    date {
      match => [ "timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "syslog-%{+YYYY.MM.dd}"
  }
}

Beats for collection:
- Filebeat: File logs
- Metricbeat: System metrics
- Packetbeat: Network analysis
- Winlogbeat: Windows event logs
- Auditbeat: Audit framework

2.2.2 Wazuh

Wazuh: a full SIEM with EDR capabilities

# Install the Wazuh manager
curl -sO https://packages.wazuh.com/4.x/wazuh-install.sh
sudo bash ./wazuh-install.sh -a

# Main features
- Host-based IDS (HIDS)
- Log analysis
- File integrity monitoring
- Vulnerability detection
- Configuration assessment
- Incident response
- Regulatory compliance (PCI DSS, GDPR, etc.)

Wazuh Rule Example:

<!-- Custom rule to detect SSH brute force: 5 matches of rule 5551 from the same source IP within 120 seconds. -->
<!-- frequency and timeframe are attributes of <rule>, not child elements; custom rules go in
     /var/ossec/etc/rules/local_rules.xml and must sit inside a <group>. -->
<group name="local,syslog,sshd,">
  <rule id="100001" level="10" frequency="5" timeframe="120">
    <if_matched_sid>5551</if_matched_sid>
    <same_source_ip />
    <description>Multiple SSH authentication failures from the same source</description>
  </rule>
</group>

2.2.3 Graylog

Graylog installation:

# Graylog: an alternative to ELK
sudo apt install graylog-server

# Configuration /etc/graylog/server/server.conf
password_secret = <generated>
root_password_sha2 = <SHA-256 hash>
http_bind_address = 0.0.0.0:9000

2.2.4 Splunk (free version, 500 MB/day)

Splunk Free:

# Install Splunk
wget -O splunk-9.x.tgz 'https://download.splunk.com/...'
tar xvzf splunk-9.x.tgz -C /opt
/opt/splunk/bin/splunk start --accept-license

SPL (Search Processing Language):

# Essential Splunk searches
index=main sourcetype=linux_secure "Failed password"
| stats count by src_ip
| where count > 5

index=windows EventCode=4625
| timechart count by Account_Name

index=firewall action=blocked
| top 20 dest_port

2.3 Log Analysis

Essential Log Types

1. System logs:
   - /var/log/syslog (Linux)
   - /var/log/auth.log (authentication)
   - /var/log/secure (RHEL/CentOS)
   - Windows Event Logs (Security, System, Application)

2. Network logs:
   - Firewall logs
   - Proxy logs (Squid, nginx)
   - DNS logs
   - VPN logs
   - IDS/IPS logs

3. Application logs:
   - Web server logs (Apache, nginx)
   - Database logs (MySQL, PostgreSQL)
   - Email server logs
   - Application-specific logs

Log Analysis Tools

# Advanced grep for logs
grep -E "Failed|Error|Critical" /var/log/syslog
grep -C 5 "pattern" file.log                    # 5 lines of context

# awk for parsing
awk '{print $1, $4, $5}' /var/log/apache2/access.log
# Source IP of each failed SSH login, counted. The IP is always the 4th field from the
# end ("... from <ip> port <n> ssh2"), so $(NF-3) works whether or not "invalid user" is present.
awk '/Failed password/ {print $(NF-3)}' /var/log/auth.log | sort | uniq -c | sort -rn

# sed for manipulation
sed -n '/ERROR/p' application.log

# Log analysis tools
- GoAccess             # Web log analyzer (real time)
- Logwatch             # Automatic system log analysis
- OSSEC                # HIDS with log analysis
- Lnav                 # Log navigator with colours

Chainsaw: a forensic tool for Windows Event Logs:

# https://github.com/WithSecureLabs/chainsaw
chainsaw hunt evtx_files/ -s sigma_rules/ --mapping mappings/sigma-event-logs-all.yml
# search filters with tau expressions passed via -t (here: logon events with logon type 3)
chainsaw search -t 'Event.System.EventID: =4624' -t 'Event.EventData.LogonType: =3' evtx_files/
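
The grep/awk one-liners above are enough for a quick look, but a parser that understands the line structure is more reliable once the log grows. The following is an added example (not part of the original course material) that parses sshd authentication lines from a constructed auth.log excerpt and counts failures per source IP, the same result as the awk pipeline. It also handles the two syslog timestamp layouts the Logstash date filter earlier on this page lists ("MMM  d" and "MMM dd"); since syslog timestamps carry no year, the caller supplies one, which is an assumption of the example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed auth.log excerpt (not a real log). Note the two timestamp layouts:
# "Jan  5" (day padded with a space) and "Jan 15".
SAMPLE_AUTH_LOG = """\
Jan  5 10:00:01 srv sshd[1001]: Failed password for root from 203.0.113.4 port 51234 ssh2
Jan  5 10:00:03 srv sshd[1002]: Failed password for invalid user admin from 203.0.113.4 port 51236 ssh2
Jan 15 10:00:05 srv sshd[1003]: Failed password for bob from 198.51.100.7 port 4000 ssh2
Jan  5 10:00:07 srv sshd[1004]: Accepted password for bob from 198.51.100.7 port 4001 ssh2
Jan  5 10:00:09 srv sshd[1005]: Failed password for root from 203.0.113.4 port 51238 ssh2
Jan  5 10:01:00 srv CRON[1006]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

SSHD_AUTH_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: (?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)

def parse_sshd_line(line, year=2024):
    """Parse one sshd password-auth line into a dict, or return None for other lines.
    syslog timestamps have no year, so the caller supplies it (assumed here)."""
    m = SSHD_AUTH_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["timestamp"] = datetime.strptime(
        f"{rec['mon']} {int(rec['day'])} {rec['time']} {year}", "%b %d %H:%M:%S %Y")
    rec["port"] = int(rec["port"])
    return rec

def failed_by_ip(log_text):
    """Count failed password attempts per source IP (same result as the awk one-liner)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_sshd_line(line)
        if rec and rec["result"] == "Failed":
            counts[rec["ip"]] += 1
    return dict(counts)

def sources_over_threshold(log_text, threshold=3):
    """Source IPs with at least `threshold` failures, most active first."""
    counts = failed_by_ip(log_text)
    return sorted((ip for ip, n in counts.items() if n >= threshold), key=lambda ip: -counts[ip])

if __name__ == "__main__":
    for ip, n in sorted(failed_by_ip(SAMPLE_AUTH_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{n:6d} {ip}")
    print("over threshold:", sources_over_threshold(SAMPLE_AUTH_LOG))
```

The "invalid user" variant is the case that trips naive field-position parsing: the regex makes it optional so both forms yield the same fields.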

2.4 Network Security Monitoring (NSM)

Zeek (formerly Bro)

Installation and Configuration:

# Install Zeek
sudo apt install zeek

# Configuration /opt/zeek/etc/node.cfg
[zeek]
type=standalone
host=localhost
interface=eth0

# Start Zeek
sudo zeekctl deploy
sudo zeekctl status

Zeek Scripts and Logs:

# Important Zeek logs
/opt/zeek/logs/current/
├── conn.log          # All connections
├── dns.log           # DNS queries
├── http.log          # HTTP traffic
├── ssl.log           # SSL/TLS connections
├── files.log         # Transferred files
├── notice.log        # Zeek alerts
└── weird.log         # Protocol anomalies

# Analyze Zeek logs
zeek-cut id.orig_h id.resp_h id.resp_p < conn.log | sort | uniq -c
zeek-cut query answers < dns.log | grep -v "^-"

Custom Zeek Scripts:

# detect-beaconing.zeek
# Raises a notice for long-lived connections that upload a large volume of data.
@load base/frameworks/notice

module LongConn;

export {
    # A custom Notice type must be declared before NOTICE() can use it
    redef enum Notice::Type += {
        Possible_C2_Beacon
    };
}

event connection_state_remove(c: connection)
{
    # c$duration is an interval (compare against 1hr, not a bare number);
    # bytes sent by the originator are in c$orig$size
    if ( c$duration > 1hr && c$orig$size > 1000000 )
        NOTICE([$note=Possible_C2_Beacon,
                $msg=fmt("Long duration connection detected: %s -> %s", c$id$orig_h, c$id$resp_h),
                $conn=c]);
}
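
The Zeek script above keys on a single long connection. Beaconing is more often a series of short connections at a regular interval, which is visible in conn.log after the fact. The following is an added example (not part of the original course material) that reads the output of `zeek-cut ts id.orig_h id.resp_h id.resp_p < conn.log`, groups connections by (source, destination, port) and flags tuples whose inter-connection gaps are nearly constant. The sample records are constructed, and the thresholds (at least 6 connections, coefficient of variation below 0.1) are assumptions for the example.

```python
import statistics
from collections import defaultdict

# Constructed conn.log excerpt in the column order produced by
#   zeek-cut ts id.orig_h id.resp_h id.resp_p < conn.log
# (not real traffic): 10.0.0.5 checks in to 198.51.100.20:443 roughly every 60 s,
# browses 192.0.2.10:80 at irregular intervals, and 10.0.0.6 has too few connections.
SAMPLE_CONN = """\
1700000000.000000\t10.0.0.5\t198.51.100.20\t443
1700000010.000000\t10.0.0.5\t192.0.2.10\t80
1700000015.000000\t10.0.0.5\t192.0.2.10\t80
1700000060.000000\t10.0.0.5\t198.51.100.20\t443
1700000119.000000\t10.0.0.5\t198.51.100.20\t443
1700000180.000000\t10.0.0.5\t198.51.100.20\t443
1700000240.000000\t10.0.0.5\t198.51.100.20\t443
1700000300.000000\t10.0.0.5\t198.51.100.20\t443
1700000315.000000\t10.0.0.5\t192.0.2.10\t80
1700000327.000000\t10.0.0.5\t192.0.2.10\t80
1700000361.000000\t10.0.0.5\t198.51.100.20\t443
1700000420.000000\t10.0.0.5\t198.51.100.20\t443
1700001227.000000\t10.0.0.5\t192.0.2.10\t80
1700000500.000000\t10.0.0.6\t192.0.2.99\t8080
1700000560.000000\t10.0.0.6\t192.0.2.99\t8080
"""

def parse_zeek_cut(text):
    """Yield (ts, orig, resp, port) tuples from zeek-cut output (tab-separated)."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig, resp, port = line.split("\t")
        yield float(ts), orig, resp, int(port)

def find_beacons(text, min_conns=6, max_cv=0.1):
    """Flag (orig, resp, port) tuples whose inter-connection gaps are regular:
    at least `min_conns` connections and a coefficient of variation
    (stdev / mean of the gaps) below `max_cv`.  Human-driven traffic has
    irregular gaps (high cv); scheduled check-ins have nearly constant gaps."""
    by_tuple = defaultdict(list)
    for ts, orig, resp, port in parse_zeek_cut(text):
        by_tuple[(orig, resp, port)].append(ts)
    findings = []
    for (orig, resp, port), times in by_tuple.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv < max_cv:
            findings.append({"orig": orig, "resp": resp, "port": port, "count": len(times),
                             "mean_interval": mean, "cv": round(cv, 4)})
    return findings

if __name__ == "__main__":
    for b in find_beacons(SAMPLE_CONN):
        print(f"possible beacon: {b['orig']} -> {b['resp']}:{b['port']} "
              f"every ~{b['mean_interval']:.0f}s ({b['count']} connections, cv={b['cv']})")
```

Real implants add jitter, so tune `max_cv` against your own baseline rather than treating 0.1 as a constant; the minimum connection count keeps one-off retries out of the results.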

Suricata (IDS/IPS)

Installation:

sudo apt install suricata

# Configuration /etc/suricata/suricata.yaml
# Set HOME_NET and EXTERNAL_NET
# Enable the rule files

# Update the rules
sudo suricata-update
sudo suricata-update list-sources
sudo suricata-update enable-source et/open

# Start Suricata
sudo systemctl start suricata

Custom Suricata Rules:

# /etc/suricata/rules/local.rules
alert http any any -> $HOME_NET any (msg:"Potential webshell access"; \
  flow:established,to_server; content:"POST"; http_method; \
  content:".php"; http_uri; content:"cmd="; http_client_body; \
  sid:1000001; rev:1;)

# Unusually long query names are a common tunneling indicator. The dns_query buffer
# holds the decoded name (it never contains a null byte), so test its length with isdataat.
alert dns any any -> any any (msg:"DNS tunneling attempt (query name longer than 100 bytes)"; \
  dns_query; isdataat:100; \
  sid:1000002; rev:1;)

Eve.json output (JSON logs):

# Parse eve.json with jq
# Alerts for a given signature (the alert object only exists on event_type "alert")
jq 'select(.event_type == "alert" and .alert.signature_id == 2100498)' /var/log/suricata/eve.json
# Flow records to port 443 (dest_port is a top-level field, not inside .flow)
jq 'select(.event_type == "flow" and .dest_port == 443)' /var/log/suricata/eve.json

Security Onion

Complete NSM distribution:

# Security Onion includes:
- Suricata/Snort (IDS)
- Zeek (NSM)
- Wazuh (HIDS)
- Elasticsearch + Kibana
- Stenographer (full PCAP capture)
- CyberChef (data analysis)
- NetworkMiner (network forensics)
- Playbook (case management)

# Installation
https://github.com/Security-Onion-Solutions/securityonion

2.5 Endpoint Detection and Response (EDR)

EDR Concepts

Open Source EDR

Wazuh Agent

# Install the Linux agent
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | apt-key add -
echo "deb https://packages.wazuh.com/4.x/apt/ stable main" > /etc/apt/sources.list.d/wazuh.list
apt update && apt install wazuh-agent

# Configuration /var/ossec/etc/ossec.conf
<client>
  <server>
    <address>MANAGER_IP</address>
  </server>
</client>

# Windows agent
# Download the MSI installer and configure it

Osquery

# Install Osquery
export OSQUERY_KEY=1484120AC4E9F8A1A577AEEE97A80C63C9D8B80B
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys $OSQUERY_KEY
sudo add-apt-repository 'deb [arch=amd64] https://pkg.osquery.io/deb deb main'
sudo apt install osquery

# Osquery queries for security
osqueryi

SELECT * FROM listening_ports WHERE port != 0;
SELECT * FROM processes WHERE name LIKE '%python%';
SELECT * FROM users WHERE username != '' AND directory LIKE '/home/%';
SELECT * FROM startup_items;
SELECT * FROM kernel_modules WHERE name LIKE '%rootkit%';

Osquery Packs:

{
  "queries": {
    "kernel_modules": {
      "query": "SELECT * FROM kernel_modules;",
      "interval": 3600,
      "description": "Monitor kernel modules"
    },
    "suspicious_processes": {
      "query": "SELECT * FROM processes WHERE name IN ('nc', 'ncat', 'netcat');",
      "interval": 60
    }
  }
}

Velociraptor

# Modern EDR/DFIR tool
# https://github.com/Velocidex/velociraptor

# Server deployment
./velociraptor-v0.x-linux-amd64 --config server.config.yaml frontend -v

# Features:
- Live forensics
- Hunting queries (VQL)
- Artifact collection
- Timeline analysis
- Remote shell

VQL (Velociraptor Query Language):

-- Search for suspicious files
SELECT * FROM glob(globs='C:\\Users\\**\\*.exe')
WHERE Mtime > timestamp(epoch=now() - 86400)

-- Processes with network connections
SELECT * FROM pslist()
WHERE Pid IN (SELECT Pid FROM netstat())

OSSEC

# OSSEC HIDS
wget -U "Mozilla" https://github.com/ossec/ossec-hids/archive/3.7.0.tar.gz
tar -zxvf 3.7.0.tar.gz
cd ossec-hids-3.7.0
sudo ./install.sh

# Capabilities:
- File integrity monitoring (FIM)
- Rootkit detection
- Active response
- Log analysis

2.6 Indicators of Compromise (IOCs)

IOC Types

IOC Formats

IOC Management Tools

# MISP - Malware Information Sharing Platform
# Installation via Docker
git clone https://github.com/MISP/misp-docker
cd misp-docker
docker-compose up -d

# MISP features:
- Threat intel sharing
- IOC management
- Event correlation
- API integration
- Feed integration

YARA Rules:

rule Suspicious_PowerShell_Script
{
    meta:
        description = "Detects suspicious PowerShell"
        author = "SOC Team"
        date = "2024-01-01"

    strings:
        $s1 = "Invoke-Expression" nocase
        $s2 = "DownloadString" nocase
        $s3 = "WebClient" nocase
        $s4 = "-enc" nocase
        $s5 = "bypass" nocase

    condition:
        3 of ($s*)
}

# Using YARA
yara rules.yar /path/to/scan
yara -r rules.yar /path/to/directory

# YARA on a running process (Linux)
yara rules.yar $(pidof suspicious_process)

Sigma Rules:

title: Suspicious PowerShell Execution
id: 12345678-1234-1234-1234-123456789abc
status: experimental
description: Detects suspicious PowerShell with encoded commands
logsource:
    product: windows
    service: powershell
detection:
    selection:
        EventID: 4104
        ScriptBlockText|contains:
            - '-enc'
            - '-encodedcommand'
            - 'FromBase64String'
    condition: selection
falsepositives:
    - Legitimate admin scripts
level: high

Converting Sigma rules to SIEM queries:

# sigmac - the legacy converter (the newer sigma-cli replaces it)
pip install sigmatools

# Convert to different SIEM formats
sigmac -t elastalert rule.yml
sigmac -t splunk rule.yml
sigmac -t qradar rule.yml
sigmac -t arcsight rule.yml
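
Before converting a Sigma rule for a SIEM it helps to understand exactly what the rule matches: within a selection, every field must match (AND), a list of values is an OR, and string matching is case-insensitive, with `|contains` turning exact comparison into a substring test. The following is an added example (not part of the original course material or of the Sigma project) that implements those semantics for the rule shown above, expressed as a Python dict to avoid a YAML dependency, and runs it against constructed PowerShell events. Only single-selection conditions are supported; that simplification is the example's own.

```python
# The Sigma rule from the page, expressed as a dict (the real rule is YAML; a dict
# avoids a YAML dependency and keeps the example self-contained).
RULE = {
    "title": "Suspicious PowerShell Execution",
    "logsource": {"product": "windows", "service": "powershell"},
    "detection": {
        "selection": {
            "EventID": 4104,
            "ScriptBlockText|contains": ["-enc", "-encodedcommand", "FromBase64String"],
        },
        "condition": "selection",
    },
    "level": "high",
}

# Constructed events (not real logs): only the first should match.
SAMPLE_EVENTS = [
    {"EventID": 4104, "ScriptBlockText": "powershell.exe -NoP -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"EventID": 4104, "ScriptBlockText": "Get-Process | Sort-Object CPU -Descending"},
    {"EventID": 4103, "ScriptBlockText": "powershell -enc AAAA"},   # wrong EventID
    {"EventID": 4104, "CommandLine": "powershell -enc AAAA"},       # field absent
]

def _match_value(modifier, expected, actual):
    """Apply one Sigma value modifier.  Sigma string matching is case-insensitive."""
    a, e = str(actual).lower(), str(expected).lower()
    if modifier is None:
        return a == e
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    raise ValueError(f"unsupported modifier: {modifier}")

def selection_matches(selection, event):
    """A selection is a map: every field must match (AND); a list of values is an OR."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        values = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(modifier or None, v, event[field]) for v in values):
            return False
    return True

def rule_matches(rule, event):
    """Evaluate a rule whose condition names a single selection."""
    detection = rule["detection"]
    name = detection["condition"].strip()
    if name not in detection:
        raise ValueError(f"unsupported condition: {detection['condition']}")
    return selection_matches(detection[name], event)

def evaluate(rule, events):
    return [rule_matches(rule, ev) for ev in events]

if __name__ == "__main__":
    for ev, hit in zip(SAMPLE_EVENTS, evaluate(RULE, SAMPLE_EVENTS)):
        print("MATCH " if hit else "      ", ev)
```

A converter such as sigmac does the same translation into the target query language; seeing the AND/OR structure explicitly makes the generated Splunk or Elastic query easier to review.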

2.7 Threat Hunting

Threat Hunting Methodology

Hypothesis-driven hunting:
1. Build a hypothesis based on threat intel
2. Collect the relevant data
3. Analyze and correlate
4. Document the findings
5. Create automated detections

IOC-driven hunting:
- Proactive search for known IOCs
- Sweep of the environment
- Validation and investigation

Hunting techniques:

# 1. Search for suspicious processes
# Linux
ps aux | grep -E '(nc|ncat|/dev/tcp|base64)'
lsof -i -P -n | grep LISTEN

# Windows PowerShell
Get-Process | Where-Object {$_.ProcessName -match "powershell|cmd"}
Get-NetTCPConnection | Where-Object {$_.State -eq "Established"}

# 2. Persistence analysis
# Linux
cat /etc/crontab
ls -la /etc/cron.*
systemctl list-units --type=service --state=running

# Windows
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Get-ScheduledTask | Where-Object {$_.State -eq "Ready"}
Get-WmiObject Win32_StartupCommand

# 3. Suspicious network connections
netstat -antp | grep ESTABLISHED
ss -tnp | grep -v "127.0.0.1"
lsof -i -n -P | grep -E "ESTABLISHED|LISTEN"

# 4. Recently modified files
find / -type f -mtime -1 -ls 2>/dev/null
find /tmp -type f -executable
Get-ChildItem -Recurse | Where-Object {$_.LastWriteTime -gt (Get-Date).AddDays(-1)}

Hunting Frameworks

TaHiTI (Targeted Hunting integrating Threat Intelligence):
1. Direction (hypothesis)
2. Collection (data)
3. Processing (analysis)
4. Analysis (findings)
5. Dissemination (reporting)

PEAK Framework:
- Prepare
- Execute
- Act
- Knowledge sharing

Threat Hunting Tools

# Bloodhound - Active Directory analysis
sudo apt install bloodhound neo4j

# SharpHound collector (Windows)
.\SharpHound.exe -c All

# DeepBlueCLI - PowerShell threat hunting
git clone https://github.com/sans-blue-team/DeepBlueCLI.git
.\DeepBlue.ps1 .\evtx\security.evtx

# Hayabusa - Windows event log analysis
hayabusa-2.x-win-x64.exe csv-timeline -d C:\Windows\System32\winevt\Logs

# Zircolite - Sigma rules against EVTX files
python3 zircolite.py --evtx Security.evtx --ruleset rules/ --outfile results.json

3. Blue Team

3.1 Defensive Security Operations

Blue Team Missions


3.2 Hardening and Configuration

Linux Hardening

# 1. System updates
sudo apt update && sudo apt upgrade -y
sudo apt autoremove

# 2. Secure SSH configuration
# /etc/ssh/sshd_config
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Port 2222  # Change the default port
AllowUsers username
MaxAuthTries 3

# 3. Firewall (UFW)
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 2222/tcp
sudo ufw enable

# 4. Fail2ban (brute force protection)
sudo apt install fail2ban
sudo systemctl enable fail2ban

# /etc/fail2ban/jail.local
[sshd]
enabled = true
port = 2222
maxretry = 3
bantime = 3600

# 5. Audit and logging
sudo apt install auditd
sudo systemctl enable auditd

# 6. File integrity monitoring
sudo apt install aide
sudo aideinit
sudo aide --check

# 7. Disable unneeded services
sudo systemctl list-unit-files --state=enabled
sudo systemctl disable <service>

# 8. Kernel hardening (sysctl)
# /etc/sysctl.conf
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.log_martians = 1
kernel.dmesg_restrict = 1

CIS Benchmarks Implementation:

# CIS-CAT scanner
# https://www.cisecurity.org/cybersecurity-tools/cis-cat-pro

# Lynis - Security auditing tool
sudo apt install lynis
sudo lynis audit system

# OpenSCAP
sudo apt install libopenscap8
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_standard \
  /usr/share/xml/scap/ssg/content/ssg-ubuntu2004-ds.xml
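
Tools like Lynis and OpenSCAP check hundreds of settings; the logic behind any one check is simple enough to write by hand, which is useful for a setting-specific pre-deployment gate. The following is an added example (not part of the original course material, and not how Lynis or OpenSCAP are implemented) that audits an sshd_config against the SSH settings from hardening step 2 above. It is given a constructed weak configuration and the page's hardened one. It honours sshd's first-occurrence-wins rule for duplicate keywords and fills in the OpenSSH 7.0+ defaults for absent keywords; those defaults and the assumed OpenSSH version are the example's assumptions, and `Match` blocks are not handled.

```python
# Settings expected by hardening step 2, with the OpenSSH defaults that apply when the
# keyword is absent (defaults as of OpenSSH 7.0+; the target version is an assumption).
EXPECTED = {
    "permitrootlogin":        {"want": "no",  "default": "prohibit-password"},
    "passwordauthentication": {"want": "no",  "default": "yes"},
    "pubkeyauthentication":   {"want": "yes", "default": "yes"},
}
MAX_AUTH_TRIES = 3          # value used on the page; the OpenSSH default is 6

# Constructed configs (not taken from any real host)
WEAK_CONFIG = """\
# default-ish sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
MaxAuthTries 6
"""

HARDENED_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Port 2222
AllowUsers username
MaxAuthTries 3
"""

def parse_sshd_config(text):
    """Return {keyword_lower: value}.  sshd keeps the FIRST value it sees for a keyword,
    so a later duplicate does not override an earlier one; comments and blank lines are
    skipped.  Match blocks are not handled here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ") if " " in line else line.partition("=")
        key = key.strip().lower()
        if key and key not in settings:
            settings[key] = value.strip()
    return settings

def audit_sshd_config(text):
    """List findings as (keyword, current, expected); an empty list means compliant."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, spec in EXPECTED.items():
        current = cfg.get(key, spec["default"])
        if current.lower() != spec["want"]:
            findings.append((key, current, spec["want"]))
    tries = int(cfg.get("maxauthtries", "6"))
    if tries > MAX_AUTH_TRIES:
        findings.append(("maxauthtries", str(tries), f"<= {MAX_AUTH_TRIES}"))
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append(("allowusers", "(unset)", "restrict to named users or groups"))
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit_sshd_config(text) or "compliant")
```

Run `sshd -T` on the host instead of reading the file when you want the effective configuration, since it resolves defaults and Match blocks for you; the parser above is for checking a file before it is deployed.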

Windows Hardening

PowerShell Hardening Script:

# 1. Enable Windows Defender real-time protection
Set-MpPreference -DisableRealtimeMonitoring $false

# 2. Enable Firewall
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True

# 3. Disable SMBv1
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

# 4. Enable LSASS protection
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" `
  -Name "RunAsPPL" -Value 1 -PropertyType DWORD -Force

# 5. PowerShell logging
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" `
  -Name "EnableScriptBlockLogging" -Value 1 -PropertyType DWORD

# 6. AppLocker configuration
# Define the rules through GPO

# 7. Disable LLMNR
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" `
  -Name "EnableMulticast" -Value 0 -PropertyType DWORD

# 8. Audit policy
auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable
auditpol /set /category:"Account Logon" /success:enable /failure:enable

GPO hardening:
- Password policies (complexity, length, expiration)
- Account lockout policies
- User rights assignment
- Security options
- Advanced Audit Policy
- Windows Firewall with Advanced Security
- AppLocker / Software Restriction Policies


3.3 Vulnerability Management

VM Process

  1. Asset Discovery - Inventory
  2. Vulnerability Scanning - Regular scans
  3. Prioritization - CVSS, exploitability
  4. Remediation - Patching, mitigation
  5. Verification - Rescan
  6. Reporting - Metrics, KPIs

Open Source Vulnerability Scanners

OpenVAS (Greenbone)

# Install OpenVAS
sudo apt install openvas
sudo gvm-setup
sudo gvm-start

# Web access: https://localhost:9392
# Full scanner with the NVT feed (50k+ tests)

Nessus Essentials (free, 16 IPs)

# Download from Tenable
# Installation
sudo dpkg -i Nessus-x.x.x-debian10_amd64.deb
sudo systemctl start nessusd

# Access: https://localhost:8834

Nuclei

# Modern template-based vulnerability scanner
go install -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest

# Community templates
nuclei -u https://example.com -t exposures/ -t cves/

# Network scan
nuclei -l targets.txt -t technologies/ -o results.txt

Trivy (containers & dependencies)

# Scan Docker images
trivy image nginx:latest
trivy image --severity HIGH,CRITICAL myapp:1.0

# Scan a filesystem
trivy fs /path/to/project

# Scan the dependencies of a repository
trivy repo https://github.com/user/repo
Patch Management

# Linux - unattended upgrades
sudo apt install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades

# Ansible playbook for patch management
---
- name: Update all systems
  hosts: all
  tasks:
    - name: Update apt cache
      apt:
        update_cache: yes
      when: ansible_os_family == "Debian"

    - name: Upgrade all packages
      apt:
        upgrade: dist
      when: ansible_os_family == "Debian"

# Windows - WSUS / SCCM
# Or the PSWindowsUpdate PowerShell module
Install-Module PSWindowsUpdate
Get-WindowsUpdate
Install-WindowsUpdate -AcceptAll -AutoReboot

3.4 Email Security

Email Security Concepts

Email Analysis Tools

# Email header analysis
# https://mxtoolbox.com/EmailHeaders.aspx

# PhishTool - Email analysis
# https://www.phishtool.com/

# emlAnalyzer
pip3 install eml-analyzer
emlAnalyzer -i suspicious.eml --header --html -u

# VirusTotal API
curl --request POST \
  --url https://www.virustotal.com/vtapi/v2/file/scan \
  --form apikey=YOUR_API_KEY \
  --form file=@suspicious.eml

SpamAssassin:

sudo apt install spamassassin
spamassassin -t < email.eml

Rspamd:

# Modern spam filtering
sudo apt install rspamd
rspamc < message.eml
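
The tools above do the heavy lifting, but the first checks of a phishing triage (Authentication-Results for SPF/DKIM/DMARC, whether Return-Path and Reply-To agree with the From domain, and where the links in the body actually point) are easy to reproduce with the standard library. The following is an added example (not part of the original course material or of any of the tools listed) that performs those checks on a constructed message; all domains in it are reserved example names, and the finding wording is the example's own.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed phishing-style message (not a real email; all domains are reserved examples)
SAMPLE_EML = """\
Return-Path: <bounce@mail-relay.invalid>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=mail-relay.invalid; dkim=none; dmarc=fail header.from=bank.example
From: "Bank Support" <support@bank.example>
Reply-To: helpdesk@mail-relay.invalid
To: victim@example.net
Subject: Urgent: verify your account
Content-Type: text/html; charset="utf-8"

<html><body><p>Please <a href="http://login.bank-example.invalid/verify">verify here</a>
or visit <a href="https://bank.example/help">our help page</a>.</p></body></html>
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)

def _domain(addr):
    """Domain part of an address header value, lower-cased ('' if absent)."""
    return parseaddr(str(addr or ""))[1].rpartition("@")[2].lower()

def triage_email(raw):
    """Return the header checks a phishing triage starts with: authentication
    results, sender-domain consistency and the links found in the body."""
    msg = message_from_string(raw, policy=policy.default)
    auth = {k.lower(): v.lower()
            for k, v in AUTH_RE.findall(msg.get("Authentication-Results", ""))}
    from_dom = _domain(msg.get("From"))
    body = msg.get_body(preferencelist=("html", "plain"))
    links = HREF_RE.findall(body.get_content()) if body else []
    findings = []
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech) != "pass":
            findings.append(f"{mech} result: {auth.get(mech, 'missing')}")
    for header in ("Return-Path", "Reply-To"):
        dom = _domain(msg.get(header))
        if dom and dom != from_dom:
            findings.append(f"{header} domain {dom} differs from From domain {from_dom}")
    for url in links:
        host = re.sub(r"^https?://", "", url).split("/")[0].lower()
        if not (host == from_dom or host.endswith("." + from_dom)):
            findings.append(f"link host {host} is outside the From domain")
    return {"from_domain": from_dom, "auth": auth, "links": links, "findings": findings}

if __name__ == "__main__":
    for finding in triage_email(SAMPLE_EML)["findings"]:
        print("-", finding)
```

Authentication-Results is only trustworthy when it was added by your own receiving MTA, so in production strip or ignore copies of that header that arrive from outside before evaluating it.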

3.5 Web Application Security

Web Security Concepts

Web Application Firewall (WAF)

ModSecurity:

# Install with Apache
sudo apt install libapache2-mod-security2

# OWASP Core Rule Set
git clone https://github.com/coreruleset/coreruleset.git /etc/modsecurity/crs
cp /etc/modsecurity/crs/crs-setup.conf.example /etc/modsecurity/crs/crs-setup.conf

# Configuration Apache
<IfModule security2_module>
    SecRuleEngine On
    Include /etc/modsecurity/crs/crs-setup.conf
    Include /etc/modsecurity/crs/rules/*.conf
</IfModule>

Nginx + ModSecurity:

# Build Nginx with ModSecurity
git clone --depth 1 https://github.com/SpiderLabs/ModSecurity
git clone --depth 1 https://github.com/SpiderLabs/ModSecurity-nginx

# Configuration nginx
load_module modules/ngx_http_modsecurity_module.so;

http {
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf;
}

Web Security Testing Tools

# OWASP ZAP
sudo apt install zaproxy
zaproxy

# Nikto web scanner
nikto -h https://example.com

# WPScan (WordPress)
wpscan --url https://example.com --enumerate u,p

# Gobuster (directory bruteforce)
gobuster dir -u https://example.com -w /usr/share/wordlists/dirb/common.txt

# SQLMap
sqlmap -u "http://example.com/page?id=1" --batch

4. Incident Response

4.1 Incident Response Process

IR Phases (NIST)

  1. Preparation
     - Documented IR plan
     - Trained team
     - Tools ready
     - Contact lists
     - Defined playbooks

  2. Detection & Analysis
     - SIEM alerts
     - User reports
     - Initial analysis
     - Triage and prioritization
     - Scope determination

  3. Containment
     - Short-term containment (isolate)
     - Long-term containment (temporary patch)
     - System backup

  4. Eradication
     - Remove malware
     - Close vulnerabilities
     - Hardening

  5. Recovery
     - Restore services
     - Increased monitoring
     - Validation

  6. Post-Incident / Lessons Learned
     - Final report
     - Complete timeline
     - Process improvements
     - Playbook updates


4.2 IR Playbooks

Playbook: Ransomware

## PLAYBOOK: Ransomware Response

### Phase 1: Detection (0-15 min)
- [ ] Alert confirmed: encrypted files detected
- [ ] Identify patient zero
- [ ] Record the time of detection
- [ ] Activate the IR team

### Phase 2: Containment (15-60 min)
- [ ] Isolate the infected machine(s) from the network
      - Disable WiFi/Ethernet
      - Do not power off (RAM forensics)
- [ ] Block C2 IPs at the firewall
- [ ] Disable compromised accounts
- [ ] Snapshot/backup machines before taking action
- [ ] Isolate network segments if there is lateral spread

### Phase 3: Analysis (in parallel)
- [ ] Identify the ransomware variant
- [ ] Search for IOCs (hashes, IPs, domains)
- [ ] Verify backup integrity
- [ ] Timeline reconstruction
- [ ] Identify the infection vector (phishing, RDP, vulnerability)

### Phase 4: Eradication
- [ ] Remove malware from all systems
- [ ] Patch the exploited vulnerabilities
- [ ] Reset compromised credentials
- [ ] Verify persistence has been removed

### Phase 5: Recovery
- [ ] Restore from clean backups
- [ ] Verify integrity of restored files
- [ ] Re-enable services gradually
- [ ] Increased monitoring for 72h

### Phase 6: Post-Incident
- [ ] Full incident report
- [ ] Lessons learned meeting
- [ ] Improve detections
- [ ] User training
- [ ] Playbook update

### Contacts
- IR Lead: [name] [phone]
- CISO: [name] [phone]
- Legal: [name] [phone]
- PR/Comms: [name] [phone]
- Vendor support: [contacts]

### Required tools
- Network isolation capability
- Forensic workstation
- Backup verification tools
- Malware analysis sandbox
- ID Ransomware (https://id-ransomware.malwarehunterteam.com/)

Playbook: Phishing

## PLAYBOOK: Phishing Response

### Triage (0-15 min)
- [ ] Email reported by a user
- [ ] Check headers (SPF, DKIM, DMARC)
- [ ] Analyze links/attachments (sandboxing)
- [ ] Determine criticality

### If confirmed malicious:
- [ ] Quarantine all similar emails (Exchange/Gmail rule)
- [ ] Identify all recipients
- [ ] Check who clicked/downloaded
- [ ] Block sender domain/IP

### Containment for compromised users:
- [ ] Reset credentials
- [ ] Scan endpoint (EDR)
- [ ] Check the account for suspicious activity
- [ ] MFA enforcement

### Analysis:
- [ ] Extract IOCs
- [ ] Submit to threat intel platforms
- [ ] Document the campaign

### Prevention:
- [ ] Update email filters
- [ ] Security awareness reminder
- [ ] Improve detections

4.3 Incident Response Tools

IR Distributions

# SIFT Workstation (SANS)
# https://github.com/teamdfir/sift
wget https://github.com/teamdfir/sift-cli/releases/download/v1.x/sift-cli-linux
chmod +x sift-cli-linux
sudo ./sift-cli-linux install

# CAINE (Computer Aided INvestigative Environment)
# Live forensics distrib­ution
# https://www.caine-live.net/

# DEFT Linux
# Digital Evidence & Forensics Toolkit

Memory Analysis

Volatility 3:

# Installation (pip installs the command as `vol`; some distribution packages name it vol3)
pip3 install volatility3

# Linux memory acquisition
sudo apt install lime-forensics-dkms
sudo insmod /path/to/lime.ko "path=/tmp/memdump.lime format=lime"

# Windows memory acquisition
# Use: DumpIt, FTK Imager, WinPmem

# Analysis with Volatility
vol -f memory.dump windows.info
vol -f memory.dump windows.pslist
vol -f memory.dump windows.psscan
vol -f memory.dump windows.netscan
vol -f memory.dump windows.cmdline
vol -f memory.dump windows.malfind         # Look for injected code
vol -f memory.dump windows.dlllist
vol -f memory.dump windows.handles
vol -f memory.dump windows.filescan
vol -f memory.dump windows.registry.hivelist

# Linux memory analysis
vol -f linux.mem linux.pslist
vol -f linux.mem linux.bash

Rekall:

# Alternative to Volatility (no longer maintained)
pip install rekall

rekall -f memory.dump pslist
rekall -f memory.dump netstat

Disk Forensics

The Sleuth Kit + Autopsy:

# Installation
sudo apt install sleuthkit autopsy

# Using TSK (command line)
mmls disk.img                    # Partition layout
fsstat -o 2048 disk.img          # Filesystem info
fls -o 2048 disk.img             # List files
icat -o 2048 disk.img 15 > file  # Extract a file by inode
fiwalk -f disk.img               # Walk the filesystem

# Autopsy GUI
autopsy

# Create a disk image
sudo dd if=/dev/sda of=disk.img bs=4M status=progress
# Or with dc3dd for hashing
sudo dc3dd if=/dev/sda of=disk.img hash=md5 hash=sha256 log=acquisition.log

FTK Imager (Windows):
- Disk/memory acquisition
- Mounting forensic images
- File extraction

Timeline Analysis

# Plaso (log2timeline)
sudo apt install plaso-tools

# Create a timeline
log2timeline.py timeline.plaso disk.img

# Filter and export
psort.py -o l2tcsv timeline.plaso "date > '2024-01-01 00:00:00'" -w filtered.csv

# Analyze with Timesketch
# https://github.com/google/timesketch

MFT Analysis (Windows):

# Analyze the Master File Table
# Use: MFTECmd, analyzeMFT

MFTECmd.exe -f "C:\$MFT" --csv output --csvf mft.csv
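
What log2timeline does at scale is normalise timestamps from very different artefacts into one UTC ordering, so that an sshd line, a Windows Security event and an $MFT record can be read as a single sequence. The following is an added example (not part of the original course material, and not Plaso's code) that builds such a super-timeline from three constructed sources, applies a psort-style date filter and renders the rows in a cut-down l2tcsv layout. The syslog year and the Windows host's UTC+1 timezone are assumptions the caller supplies, which is exactly the information an analyst has to pin down before merging sources.

```python
from datetime import datetime, timezone, timedelta
import re

# Constructed artefacts from three sources (not from a real case).
SYSLOG_LINES = [
    "Jan  5 10:00:09 srv sshd[1005]: Failed password for root from 203.0.113.4 port 51238 ssh2",
    "Jan  5 10:00:12 srv sshd[1007]: Accepted publickey for deploy from 203.0.113.4 port 51240 ssh2",
]
WINDOWS_EVENTS = [  # Event Viewer shows local time; this host is UTC+1 (assumption)
    {"TimeCreated": "2024-01-05 11:00:30", "EventID": 4688, "Message": "New process: cmd.exe"},
    {"TimeCreated": "2024-01-05 11:00:20", "EventID": 4624, "Message": "Logon Type 10 for deploy"},
]
WINDOWS_TZ = timezone(timedelta(hours=1))
MFT_RECORDS = [  # $MFT timestamps are stored in UTC
    {"path": r"C:\Users\deploy\x.exe", "created_utc": 1704448818},   # 2024-01-05 10:00:18 UTC
]

SYSLOG_RE = re.compile(r"^([A-Z][a-z]{2})\s+(\d{1,2}) (\d{2}:\d{2}:\d{2}) (\S+) (.*)$")

def syslog_to_utc(line, year=2024, tz=timezone.utc):
    """syslog lines carry no year or zone; both are supplied by the caller (assumptions)."""
    mon, day, hms, host, msg = SYSLOG_RE.match(line).groups()
    local = datetime.strptime(f"{mon} {int(day)} {hms} {year}", "%b %d %H:%M:%S %Y").replace(tzinfo=tz)
    return local.astimezone(timezone.utc), f"{host}: {msg}"

def build_timeline(syslog_lines, windows_events, mft_records):
    """Normalise every artefact to (UTC datetime, source, message) and sort, so events
    from different hosts and artefact types are read in one order."""
    rows = []
    for line in syslog_lines:
        ts, msg = syslog_to_utc(line)
        rows.append((ts, "syslog", msg))
    for ev in windows_events:
        local = datetime.strptime(ev["TimeCreated"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=WINDOWS_TZ)
        rows.append((local.astimezone(timezone.utc), "winevt", f"EID {ev['EventID']}: {ev['Message']}"))
    for rec in mft_records:
        ts = datetime.fromtimestamp(rec["created_utc"], tz=timezone.utc)
        rows.append((ts, "mft", f"created {rec['path']}"))
    return sorted(rows, key=lambda r: r[0])

def filter_since(rows, since_utc):
    """Equivalent of the psort date filter: keep rows at or after `since_utc`."""
    return [r for r in rows if r[0] >= since_utc]

def to_l2tcsv_like(rows):
    """Render rows as 'date,time,source,message' lines (a cut-down l2tcsv layout)."""
    return [f"{ts:%Y-%m-%d},{ts:%H:%M:%S},{src},{msg}" for ts, src, msg in rows]

if __name__ == "__main__":
    for line in to_l2tcsv_like(build_timeline(SYSLOG_LINES, WINDOWS_EVENTS, MFT_RECORDS)):
        print(line)
```

Note that the Windows events are listed out of order in the input and land in the right place only after the timezone conversion; getting a host's zone wrong shifts every one of its events by a constant and silently reorders the story.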

Network Forensics

# NetworkMiner
# GUI for PCAP analysis
# https://www.netresec.com/?page=NetworkMiner

# Wireshark analysis
wireshark capture.pcap

# Useful Wireshark filters for IR
http.request.method == "POST"
dns.qry.name contains "malicious"
tcp.flags.syn==1 and tcp.flags.ack==0    # SYN scan
!(arp or icmp or dns or stp)             # Filter out noise

# Zeek for post-incident PCAP analysis
zeek -r capture.pcap

Malware Analysis

Sandbox Analysis:

# Cuckoo Sandbox
# https://cuckoosandbox.org/
git clone https://github.com/cuckoosandbox/cuckoo
cd cuckoo
python3 stuff/monitor.py

# ANY.RUN (online sandbox)
# https://any.run/

# Joe Sandbox (online)
# https://www.joesandbox.com/

Static Analysis:

# Strings
strings malware.exe | less
strings -el malware.exe    # Unicode strings

# File type
file malware.exe
xxd malware.exe | head     # Hex dump

# PE analysis
sudo apt install pev
readpe malware.exe
pescan malware.exe
pestr malware.exe

# objdump disassembly
objdump -d malware.exe

# radare2
r2 malware.exe
aaa    # Analyze all
pdf    # Print disassembly function

YARA scanning:

yara -r malware_rules/ /path/to/scan

Artifact Collection

KAPE (Kroll Artifact Parser and Extractor):

# Windows artifact collection
kape.exe --tsource C: --tdest D:\Collection --target KapeTriage

# Collects:
- Event logs
- Registry hives
- Browser history
- Prefetch
- $MFT
- USN Journal
- etc.

UAC (Unix Artifact Collector):

# Unix/Linux artifact collection
./uac -p full /path/to/output

Velociraptor Offline Collector:

# Create the server configuration and open the GUI
velociraptor config generate > server.config.yaml
velociraptor --config server.config.yaml gui

# Build the collector
# Deploy on endpoints and collect

4.4 Live Response

Linux Live Response

#!/bin/bash
# Linux IR collection script: run as root. Collection goes from volatile
# (users, network, processes) to persistent (files, persistence, logs).

OUTPUT_DIR="/tmp/ir_collection_$(date +%Y%m%d_%H%M%S)"
mkdir -p "$OUTPUT_DIR"

# System info
uname -a > "$OUTPUT_DIR/uname.txt"
hostname > "$OUTPUT_DIR/hostname.txt"
uptime > "$OUTPUT_DIR/uptime.txt"
date > "$OUTPUT_DIR/date.txt"

# Users
who -a > "$OUTPUT_DIR/users_logged.txt"
last -f /var/log/wtmp > "$OUTPUT_DIR/last_logins.txt"
cat /etc/passwd > "$OUTPUT_DIR/passwd.txt"
cat /etc/shadow > "$OUTPUT_DIR/shadow.txt"  # Requires root

# Network
netstat -antp > "$OUTPUT_DIR/netstat.txt"
ss -antp > "$OUTPUT_DIR/ss.txt"
arp -a > "$OUTPUT_DIR/arp.txt"
ip addr show > "$OUTPUT_DIR/ip_addr.txt"
ip route show > "$OUTPUT_DIR/ip_route.txt"
iptables -L -n -v > "$OUTPUT_DIR/iptables.txt"

# Processes
ps auxwww > "$OUTPUT_DIR/ps.txt"
pstree -p > "$OUTPUT_DIR/pstree.txt"
top -b -n 1 > "$OUTPUT_DIR/top.txt"
lsof > "$OUTPUT_DIR/lsof.txt"

# Files
find / -type f -mtime -1 2>/dev/null > "$OUTPUT_DIR/files_modified_24h.txt"
# Parentheses are required: without them -o binds looser than the other tests
find / -type f \( -name "*.sh" -o -name "*.py" \) -perm /u+x 2>/dev/null > "$OUTPUT_DIR/scripts_executable.txt"

# Persistence
cat /etc/crontab > "$OUTPUT_DIR/crontab.txt"
crontab -l > "$OUTPUT_DIR/crontab_user.txt" 2>/dev/null
ls -la /etc/cron.* > "$OUTPUT_DIR/cron_dirs.txt"
systemctl list-units --type=service > "$OUTPUT_DIR/systemd_services.txt"

# Logs
cp -r /var/log "$OUTPUT_DIR/logs/"

# Package and hash the collection (the hash supports chain of custody)
tar czf "$OUTPUT_DIR.tar.gz" "$OUTPUT_DIR"
sha256sum "$OUTPUT_DIR.tar.gz" > "$OUTPUT_DIR.tar.gz.sha256"

echo "Collection complete: $OUTPUT_DIR.tar.gz"

Windows Live Response

# IR_Collection.ps1
$OutputDir = "C:\IR_Collection_$(Get-Date -Format 'yyyyMMdd_HHmmss')"
New-Item -ItemType Directory -Path $OutputDir -Force

# System info
Get-ComputerInfo | Out-File "$OutputDir\system_info.txt"
systeminfo | Out-File "$OutputDir\systeminfo.txt"
Get-HotFix | Out-File "$OutputDir\hotfixes.txt"

# Users
Get-LocalUser | Out-File "$OutputDir\local_users.txt"
Get-LocalGroupMember -Group "Administrators" | Out-File "$OutputDir\admins.txt"
quser | Out-File "$OutputDir\logged_users.txt"
Get-EventLog -LogName Security -InstanceId 4624 -Newest 100 | Out-File "$OutputDir\recent_logons.txt"

# Network
Get-NetTCPConnection | Out-File "$OutputDir\tcp_connections.txt"
Get-NetUDPEndpoint | Out-File "$OutputDir\udp_endpoints.txt"
Get-DnsClientCache | Out-File "$OutputDir\dns_cache.txt"
arp -a | Out-File "$OutputDir\arp.txt"
ipconfig /all | Out-File "$OutputDir\ipconfig.txt"
netstat -anob | Out-File "$OutputDir\netstat.txt"

# Processes
Get-Process | Select-Object Name, Id, Path, Company | Out-File "$OutputDir\processes.txt"
Get-WmiObject Win32_Process | Select-Object ProcessId,Name,CommandLine | Out-File "$OutputDir\process_cmdline.txt"

# Services
Get-Service | Out-File "$OutputDir\services.txt"
Get-WmiObject Win32_Service | Select-Object Name,PathName,State,StartMode | Out-File "$OutputDir\services_detailed.txt"

# Scheduled tasks
Get-ScheduledTask | Out-File "$OutputDir\scheduled_tasks.txt"

# Autorun
Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Run | Out-File "$OutputDir\autorun_hklm.txt"
Get-ItemProperty HKCU:\Software\Microsoft\Windows\CurrentVersion\Run | Out-File "$OutputDir\autorun_hkcu.txt"

# Files modified recently
Get-ChildItem -Path C:\ -Recurse -ErrorAction SilentlyContinue | Where-Object {$_.LastWriteTime -gt (Get-Date).AddDays(-1)} | Out-File "$OutputDir\files_modified_24h.txt"

# Event logs
wevtutil epl Security "$OutputDir\Security.evtx"
wevtutil epl System "$OutputDir\System.evtx"
wevtutil epl Application "$OutputDir\Application.evtx"
wevtutil epl "Microsoft-Windows-PowerShell/Operational" "$OutputDir\PowerShell.evtx"

# PowerShell history
Copy-Item "$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt" "$OutputDir\"

# Compress
Compress-Archive -Path $OutputDir -DestinationPath "$OutputDir.zip"
Get-FileHash "$OutputDir.zip" -Algorithm SHA256 | Out-File "$OutputDir.zip.sha256"

Write-Host "Collection complete: $OutputDir.zip"

5. Digital Forensics

5.1 Forensics Fundamentals

DFIR Principles

Order of Volatility

  1. Registers, cache
  2. RAM
  3. Network connections
  4. Running processes
  5. Disk
  6. Logs
  7. Archived data
  8. Backups

5.2 Forensic Acquisition

Disk Imaging

# dd - Basic imaging
# conv=noerror,sync: keep going on read errors and zero-pad the bad blocks
# (if any occur, the image hash will no longer equal the source hash)
sudo dd if=/dev/sda of=/mnt/evidence/disk.img bs=4M status=progress conv=noerror,sync

# dc3dd - Enhanced dd with built-in hashing
sudo dc3dd if=/dev/sda of=disk.img hash=md5 hash=sha256 log=acquisition.log

# ddrescue - For damaged disks
sudo ddrescue /dev/sda disk.img rescue.log

# FTK Imager (Windows GUI)
# - E01 format (Expert Witness)
# - Compression
# - Built-in hashing

# ewfacquire (EnCase format)
sudo apt install ewf-tools
ewfacquire /dev/sda

Integrity verification (attach the source through a write blocker or read-only so that hashing it cannot alter it):

# Hash original
md5sum /dev/sda > original.md5
sha256sum /dev/sda > original.sha256

# Hash image
md5sum disk.img > image.md5
sha256sum disk.img > image.sha256

# Compare the hash values only: a plain diff of the two files always reports a
# difference because each line also carries the file name (/dev/sda vs disk.img)
[ "$(cut -d' ' -f1 original.sha256)" = "$(cut -d' ' -f1 image.sha256)" ] && echo "SHA256 match" || echo "MISMATCH"

Memory Acquisition

# Linux - LiME
git clone https://github.com/504ensicsLabs/LiME
cd LiME/src
make
sudo insmod lime-*.ko "path=/tmp/mem.lime format=lime"

# Linux - AVML (Azure)
sudo ./avml memory.lime

# Windows - DumpIt
DumpIt.exe /O C:\Forensics\

# Windows - Magnet RAM Capture
# Free GUI tool

# Windows - WinPmem
winpmem_mini_x64.exe memory.raw

5.3 Windows Forensic Analysis

Registry Analysis

# Registry Explorer (Eric Zimmerman)
# https://ericzimmerman.github.io/

# Registry hives locations
C:\Windows\System32\config\SAM
C:\Windows\System32\config\SECURITY
C:\Windows\System32\config\SOFTWARE
C:\Windows\System32\config\SYSTEM
%UserProfile%\NTUSER.DAT
%UserProfile%\AppData\Local\Microsoft\Windows\UsrClass.dat

# RegRipper
rip.exe -r NTUSER.DAT -p userassist
rip.exe -r SOFTWARE -p recentdocs

# Important Registry keys
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run       # Autorun
HKLM\SYSTEM\CurrentControlSet\Services                   # Services
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs  # Recent files
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist  # Program execution

Prefetch Analysis

# Prefetch files: C:\Windows\Prefetch\*.pf
# Show program execution

# PECmd (Eric Zimmerman)
PECmd.exe -f "C:\Windows\Prefetch\CHROME.EXE-12345.pf"
PECmd.exe -d "C:\Windows\Prefetch" --csv output --csvf prefetch.csv

# Info: run count, last run time, loaded files

Event Log Analysis

# EvtxECmd (Eric Zimmerman) - parse EVTX to CSV
EvtxECmd.exe -f Security.evtx --csv output --csvf security.csv

# Chainsaw - Sigma rules over EVTX
chainsaw hunt evtx/ -s sigma/ --mapping mappings/sigma-event-logs.yml

# Hayabusa - EVTX timeline
hayabusa-2.x-win-x64.exe csv-timeline -d evtx_folder/ -o timeline.csv

# Important Event IDs (see SOC section)

USN Journal

# NTFS change journal
# MFTECmd can parse the USN Journal
MFTECmd.exe -f "C:\$Extend\$UsnJrnl:$J" --csv output --csvf usnjrnl.csv

# Info: every file change (create, delete, rename, etc.)

Browser Artifacts

# Hindsight - Chrome/Chromium analysis
hindsight.py -i "C:\Users\User\AppData\Local\Google\Chrome\User Data" -o output/

# Firefox
# Places: %AppData%\Mozilla\Firefox\Profiles\xxx\places.sqlite

# SQLite analysis
sqlite3 places.sqlite "SELECT url, title, visit_count FROM moz_places ORDER BY last_visit_date DESC LIMIT 100;"

# Browser History Viewer
# https://www.nirsoft.net/utils/browsing_history_view.html

$MFT Analysis

# Master File Table - References every file on the NTFS volume
# MFTECmd
MFTECmd.exe -f "C:\$MFT" --csv output --csvf mft.csv

# analyzeMFT (Linux)
pip install analyzeMFT
analyzeMFT.py -f MFT -o mft.csv

# Info: Timestamps (MACB), file attributes, resident data

Timeline Creation

# Plaso (log2timeline)
log2timeline.py --storage-file timeline.plaso image.dd

# Filter and export
psort.py -o l2tcsv -w timeline.csv timeline.plaso "date > '2024-01-01'"

# Timesketch visualization
# Docker deployment for the UI

5.4 Linux Forensic Analysis

File System Analysis

# ext4 forensics
debugfs /dev/sda1
# Commands: ls, stat, logdump, etc.

# Sleuth Kit (-o 2048: partition starts at sector 2048; use the same
# offset for every TSK command run against the same image)
fls -r -o 2048 linux.img                      # list files recursively
ils -e -o 2048 linux.img                      # list every inode, allocated or not
icat -o 2048 linux.img 12345 > recovered_file  # dump the content of inode 12345

# Autopsy for a UI

Log Analysis

# Main logs
/var/log/syslog
/var/log/auth.log
/var/log/secure
/var/log/messages
/var/log/apache2/access.log
/var/log/apache2/error.log
/var/log/mysql/mysql.log
~/.bash_history

# Parsing with awk/grep
# Failed SSH logins per source IP: in "Failed password for <user> from <IP> port <N> ssh2"
# the IP is the fourth field from the end, hence $(NF-3)
grep "Failed password" /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -nr

# aureport (auditd)
aureport --summary
aureport --login
aureport --executable

Bash History

# ~/.bash_history per user
# /root/.bash_history

# Bash history timestamps: only entries recorded while HISTTIMEFORMAT was set
# carry a real timestamp; older entries show no usable time
export HISTTIMEFORMAT="%F %T "
history

# Collect every bash_history; tail prints a "==> path <==" header per file
# so each command stays attributable to its user
find /home /root -name ".bash_history" -exec tail -n +1 {} + > all_bash_history.txt

Memory Forensics Linux

# Volatility 3 Linux
vol3 -f linux.mem linux.pslist
vol3 -f linux.mem linux.pstree
vol3 -f linux.mem linux.bash
vol3 -f linux.mem linux.lsmod
vol3 -f linux.mem linux.lsof
vol3 -f linux.mem linux.malfind

5.5 Mobile Forensics

Android Forensics

# ADB (Android Debug Bridge)
adb devices
adb shell
adb pull /data/data/com.android.providers.contacts/databases/contacts.db

# Autopsy with the Android module
# ALEAPP (Android Logs Events And Protobuf Parser)
python aleapp.py -t fs -i /path/to/android/dump -o output/

# Andriller
# https://github.com/den4uk/andriller

iOS Forensics

# libimobiledevice
ideviceinfo
idevicebackup2 backup --full /backup/location/

# iLEAPP (iOS Logs, Events, And Plists Parser)
python ileapp.py -t fs -i /path/to/ios/dump -o output/

# iTunes backups location:
# macOS: ~/Library/Application Support/MobileSync/Backup/
# Windows: %APPDATA%\Apple Computer\MobileSync\Backup\

5.6 Network Forensics

PCAP Analysis

# Wireshark
wireshark capture.pcap

# tshark (CLI)
tshark -r capture.pcap -Y "http.request.method == POST"
tshark -r capture.pcap -Y "dns" -T fields -e dns.qry.name
tshark -r capture.pcap -q -z http,tree

# NetworkMiner
# Windows/Linux GUI for carving files out of PCAPs

# tcpflow - Reconstruct TCP sessions
tcpflow -r capture.pcap

# Zeek analysis (see SOC section)
zeek -r capture.pcap
cat conn.log http.log dns.log

Carving Artifacts from PCAP

# Foremost - File carving
foremost -i capture.pcap -o carved/

# Scalpel - Advanced carving
scalpel capture.pcap -o output/

# binwalk
binwalk -e capture.pcap

6. Threat Intelligence

6.1 Threat Intel Concepts

Types of TI

Threat Intel Lifecycle

  1. Planning & Direction
  2. Collection
  3. Processing
  4. Analysis
  5. Dissemination
  6. Feedback

6.2 OSINT (Open Source Intelligence)

OSINT Tools

# theHarvester - Email, subdomains, IPs
theHarvester -d example.com -b all

# Amass - Subdomain enumeration
amass enum -d example.com
amass intel -whois -d example.com

# Shodan CLI
shodan search "port:22 country:US"
shodan host 8.8.8.8

# Censys
# https://search.censys.io/

# Maltego - Graphical OSINT
# Free community edition

# SpiderFoot
spiderfoot -s example.com -o output

# OSINT Framework
# https://osintframework.com/

Passive DNS

# SecurityTrails
# https://securitytrails.com/

# VirusTotal passive DNS
# Integrate via API

# PassiveTotal (RiskIQ)
# https://community.riskiq.com/

6.3 Threat Intelligence Platforms

MISP (Malware Information Sharing Platform)

# MISP Docker
git clone https://github.com/MISP/misp-docker
cd misp-docker
docker-compose up -d

# Access: https://localhost
# Default: admin@admin.test / admin (change it at first login)

# Features:
- Event management
- IOC database
- Correlation engine
- Threat sharing
- Feed integration
- API integration

MISP Feeds:
- CIRCL feeds
- Botvrij.eu
- Abuse.ch (URLhaus, MalwareBazaar)
- AlienVault OTX

OpenCTI

# OpenCTI - Cyber Threat Intelligence platform
git clone https://github.com/OpenCTI-Platform/docker
cd docker
docker-compose up -d

# Features:
- Knowledge graph
- STIX 2.1 compliant
- Connectors (MITRE, CVE, etc.)
- Threat dashboards

YETI (Your Everyday Threat Intelligence)

# YETI install
git clone https://github.com/yeti-platform/yeti
cd yeti
docker-compose up -d

# Threat intel repository

6.4 Threat Feeds

Free Threat Feeds

# Abuse.ch
- URLhaus: https://urlhaus.abuse.ch/
- MalwareBazaar: https://bazaar.abuse.ch/
- ThreatFox: https://threatfox.abuse.ch/
- Feodo Tracker: https://feodotracker.abuse.ch/

# AlienVault OTX
https://otx.alienvault.com/

# Emerging Threats
https://rules.emergingthreats.net/

# Talos Intelligence
https://talosintelligence.com/

# CIRCL feeds
https://www.circl.lu/services/misp-malware-information-sharing-platform/

# Blocklist.de
https://www.blocklist.de/en/export.html

Feed Integration into the SIEM

# Python script to pull feeds and ingest them into a SIEM
import os
import requests

# Example: AlienVault OTX subscribed pulses (the endpoint is paginated via "next")
OTX_API_KEY = os.environ["OTX_API_KEY"]  # read from the environment, never hard-coded
url = "https://otx.alienvault.com/api/v1/pulses/subscribed"
headers = {"X-OTX-API-KEY": OTX_API_KEY}

while url:
    response = requests.get(url, headers=headers, timeout=30)
    response.raise_for_status()  # fail loudly on auth or rate-limit errors
    page = response.json()
    for pulse in page["results"]:
        for indicator in pulse["indicators"]:
            # Ingest to SIEM
            # Send to Elasticsearch, Splunk, etc.
            print(f"{indicator['type']}: {indicator['indicator']}")
    url = page.get("next")  # None on the last page
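Added example, not code from the original page: before indicators go into a SIEM they need to be flattened, normalised and de-duplicated, otherwise the same C2 domain written in two cases in two pulses becomes two lookup entries. The pulse JSON below is constructed sample data with the field names OTX returns (`results`, `indicators`, `type`, `indicator`); the type-to-field mapping and the CSV column names are choices of this example, not an OTX or SIEM convention.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample with the same shape as the OTX "subscribed pulses" response
SAMPLE_PULSES = {
    "results": [
        {"id": "pulse-1", "indicators": [
            {"type": "IPv4", "indicator": "203.0.113.10"},
            {"type": "domain", "indicator": "EXAMPLE-C2.test"},
            {"type": "FileHash-SHA256", "indicator": "ab" * 32},
        ]},
        {"id": "pulse-2", "indicators": [
            {"type": "IPv4", "indicator": "203.0.113.10"},  # duplicate of pulse-1
            {"type": "hostname", "indicator": "example-c2.test"},  # same as the domain above
            {"type": "URL", "indicator": "http://example-c2.test/x"},
            {"type": "CVE", "indicator": "CVE-YYYY-NNNN"},  # placeholder: not a matchable IOC
        ]},
    ]
}

# OTX indicator type -> generic lookup field (mapping chosen for this example)
TYPE_MAP = {
    "IPv4": "ip", "IPv6": "ip", "domain": "domain", "hostname": "domain",
    "URL": "url", "FileHash-MD5": "hash", "FileHash-SHA1": "hash",
    "FileHash-SHA256": "hash",
}


def normalize_pulses(pulses):
    """Flatten pulses into unique (field, value, sources) rows.

    Values are lower-cased so the same domain written differently in two
    pulses becomes one row with two sources; unmapped types are dropped.
    """
    rows = {}
    for pulse in pulses["results"]:
        for ind in pulse["indicators"]:
            field = TYPE_MAP.get(ind["type"])
            if field is None:
                continue
            key = (field, ind["indicator"].strip().lower())
            rows.setdefault(key, set()).add(pulse["id"])
    return [{"field": f, "value": v, "sources": ";".join(sorted(src))}
            for (f, v), src in sorted(rows.items())]


def to_lookup_csv(rows, fetched_at=None):
    """Render rows as the CSV a SIEM lookup table ingests (header + one row each)."""
    fetched_at = fetched_at or datetime.now(timezone.utc).isoformat()
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["field", "value", "sources", "fetched_at"])
    writer.writeheader()
    for row in rows:
        writer.writerow({**row, "fetched_at": fetched_at})
    return buf.getvalue()


if __name__ == "__main__":
    print(to_lookup_csv(normalize_pulses(SAMPLE_PULSES)))
```

The `sources` column keeps the pulse IDs so an alert that matches the lookup can be traced back to the feed entry that produced it.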

6.5 MITRE ATT&CK Framework

Utilisation ATT&CK

Matrices:
- Enterprise (Windows, Linux, macOS, Cloud)
- Mobile (Android, iOS)
- ICS (Industrial Control Systems)

Structure:
- Tactics: Why (Objectives) - 14 tactics
- Techniques: How (Methods) - 200+ techniques
- Sub-techniques: Variants
- Procedures: Specific implementations

Enterprise Tactics:
  1. Reconnaissance
  2. Resource Development
  3. Initial Access
  4. Execution
  5. Persistence
  6. Privilege Escalation
  7. Defense Evasion
  8. Credential Access
  9. Discovery
  10. Lateral Movement
  11. Collection
  12. Command and Control
  13. Exfiltration
  14. Impact

ATT&CK Tools

# ATT&CK Navigator
# https://mitre-attack.github.io/attack-navigator/
# Visualisation et mapping

# Atomic Red Team
# ATT&CK-mapped tests for validating detections
git clone https://github.com/redcanaryco/atomic-red-team
cd atomic-red-team
powershell
Import-Module .\invoke-atomicredteam\Invoke-AtomicRedTeam.psd1
Invoke-AtomicTest T1003.001  # Dump LSASS

# CALDERA
# Automated adversary emulation
git clone https://github.com/mitre/caldera.git --recursive
cd caldera
pip3 install -r requirements.txt
python3 server.py --insecure

# Sigma rules map to ATT&CK
# Each rule carries ATT&CK tags
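Added example, not code from the original page or from the Sigma or Navigator projects: it turns the ATT&CK tags of a rule set into a Navigator layer so that detection coverage and gaps can be visualised in the Navigator mentioned above. The three rules are constructed samples reduced to their `title` and `tags`; the tag format (`attack.t1003.001`) is the one Sigma uses, and the layer fields (`name`, `versions`, `domain`, `techniques` with `techniqueID`, `score`, `comment`) are the Navigator layer format.

```python
import json
import re

# Constructed sample: the "tags" lists of three Sigma rules (only the fields this
# example needs; real rules also carry logsource, detection, level, ...)
SAMPLE_RULES = [
    {"title": "Constructed rule: LSASS memory access",
     "tags": ["attack.credential_access", "attack.t1003.001"]},
    {"title": "Constructed rule: scheduled task creation",
     "tags": ["attack.persistence", "attack.execution", "attack.t1053.005"]},
    {"title": "Constructed rule: suspicious PowerShell",
     "tags": ["attack.execution", "attack.t1059.001", "attack.t1003.001", "cve.YYYY.NNNN"]},
]

# Sigma writes technique tags as "attack.t1003.001" (technique or sub-technique)
TECHNIQUE_TAG = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$", re.IGNORECASE)


def technique_ids(tags):
    """Return the ATT&CK technique IDs (e.g. T1003.001) among a rule's tags.

    Tactic tags ("attack.execution") and non-ATT&CK tags ("cve.*") are ignored.
    """
    return [m.group(1).upper() for m in map(TECHNIQUE_TAG.match, tags) if m]


def coverage(rules):
    """Map technique ID -> titles of the rules tagged with it."""
    cov = {}
    for rule in rules:
        for tid in technique_ids(rule.get("tags", [])):
            cov.setdefault(tid, []).append(rule["title"])
    return cov


def navigator_layer(rules, name="Sigma coverage"):
    """Build an ATT&CK Navigator layer (layer format 4.5) that scores each
    technique by the number of Sigma rules tagged with it; techniques with
    no rule stay unscored, which is how gaps show up in the Navigator."""
    cov = coverage(rules)
    return {
        "name": name,
        "versions": {"layer": "4.5"},
        "domain": "enterprise-attack",
        "techniques": [
            {"techniqueID": tid, "score": len(titles), "comment": "; ".join(titles)}
            for tid, titles in sorted(cov.items())
        ],
    }


if __name__ == "__main__":
    print(json.dumps(navigator_layer(SAMPLE_RULES), indent=2))
```

Save the printed JSON to a file and open it with "Open Existing Layer" in the Navigator to colour the matrix by rule count.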

7. Essential Open Source Tools - Summary

7.1 SIEM & Log Management

7.2 Network Security

7.3 Endpoint Security

7.4 Vulnerability Management

7.5 Incident Response

7.6 Malware Analysis

7.7 Threat Intelligence

7.8 Security Testing


8. Labs and Practice Environments

8.1 Home Lab Setup

Recommended Architecture

┌─────────────────────────────────────────────────┐
│           Home SOC Lab Architecture             │
├─────────────────────────────────────────────────┤
│                                                 │
│  ┌──────────────┐      ┌──────────────┐        │
│  │  pfSense FW  │──────│  SIEM Server │        │
│  │  (Router)    │      │  (ELK/Wazuh) │        │
│  └──────────────┘      └──────────────┘        │
│         │                      │               │
│         │                      │               │
│  ┌──────────────────────────────────────┐      │
│  │         Network Switch               │      │
│  └──────────────────────────────────────┘      │
│         │           │            │             │
│  ┌──────────┐ ┌──────────┐ ┌──────────┐       │
│  │ Windows  │ │  Linux   │ │ Security │       │
│  │ Client   │ │  Server  │ │  Onion   │       │
│  └──────────┘ └──────────┘ └──────────┘       │
│                                                 │
│  ┌──────────┐ ┌──────────┐                     │
│  │ Malware  │ │ Attacker │                     │
│  │ Analysis │ │   VM     │                     │
│  │ Isolated │ │ (Kali)   │                     │
│  └──────────┘ └──────────┘                     │
│                                                 │
└─────────────────────────────────────────────────┘

Minimum Specifications

Hypervisor:
- VMware Workstation Pro / ESXi
- VirtualBox (free)
- Proxmox VE (free, recommended)
- Hyper-V (Windows Pro)

Hardware:
- CPU: 4+ cores (8+ recommended)
- RAM: 32GB minimum (64GB recommended)
- Storage: 500GB+ SSD
- Network: Gigabit NIC

Essential VMs

  1. SIEM Server (Ubuntu 22.04)
     - RAM: 8-16GB
     - CPU: 4 cores
     - Disk: 200GB
     - Install: Wazuh or ELK

  2. Security Onion
     - RAM: 16GB
     - CPU: 4 cores
     - Disk: 200GB

  3. Windows 10/11 Client
     - RAM: 4GB
     - Sysmon configured
     - Logging enabled

  4. Windows Server 2019/2022
     - RAM: 4GB
     - Active Directory
     - DNS, DHCP

  5. Attacker VM (Kali Linux)
     - RAM: 4GB
     - For attack simulation

  6. Malware Analysis (SIFT/REMnux)
     - RAM: 4GB
     - Network isolated


8.2 Capture The Flag (CTF) Platforms

Blue Team CTFs

General CTFs (with blue team aspects)


8.3 Practice Datasets

PCAP Datasets

Log Datasets

Memory Dumps

Malware Samples


9. Recommended Certifications

9.1 Entry Level

CompTIA Security+

BTL1 (Blue Team Level 1)

CySA+ (Cybersecurity Analyst+)


9.2 Intermediate Level

GCIA (GIAC Certified Intrusion Analyst)

GCIH (GIAC Certified Incident Handler)

GCFA (GIAC Certified Forensic Analyst)

ECIH (EC-Council Certified Incident Handler)


9.3 Advanced Level

GNFA (GIAC Network Forensic Analyst)

GREM (GIAC Reverse Engineering Malware)

GCFE (GIAC Certified Forensic Examiner)

OSDA (OffSec Defense Analyst)


9.4 Vendor-Specific

Splunk Certifications

Elastic Certifications

Microsoft

AWS/Azure/GCP


10. Learning Roadmap

Phase 1: Fundamentals (1-3 months)

Month 1: Basics

Month 2: Basic security

Month 3: Logs and monitoring


Phase 2: SOC Analyst (3-6 months)

Month 4: SIEM

Month 5: Detection Engineering

Month 6: Threat Hunting


Phase 3: Incident Response (3-4 months)

Months 7-8: IR Fundamentals

Months 9-10: Forensics


Phase 4: Specialization (3-6 months)

Choose a direction:

Option A: Threat Intelligence

Option B: Advanced Forensics

Option C: Security Engineering


Phase 5: Continuous Learning (ongoing)

Continuous Practice

Ongoing Resources


11. Essential Vocabulary

A-C

D-F

G-L

M-R

S-Z


12. Skills Checklist

SOC Analyst Checklist

Technical Skills:
- [ ] SIEM proficiency (ELK, Splunk, or Wazuh)
- [ ] Log analysis (Windows Event Logs, syslog, Apache, etc.)
- [ ] Network traffic analysis (Wireshark, Zeek)
- [ ] IDS/IPS (Suricata, Snort)
- [ ] EDR basics
- [ ] Scripting (Python, PowerShell, Bash)
- [ ] OS knowledge (Windows, Linux)
- [ ] Threat intelligence platforms
- [ ] MITRE ATT&CK framework
- [ ] Incident triage

Soft Skills:
- [ ] Clear documentation
- [ ] Technical communication
- [ ] Teamwork
- [ ] Stress management
- [ ] Curiosity and continuous learning


Incident Responder Checklist

Technical Skills:
- [ ] All SOC Analyst skills +
- [ ] Memory forensics (Volatility)
- [ ] Disk forensics (Autopsy, TSK)
- [ ] Live response (Windows & Linux)
- [ ] Timeline analysis (Plaso)
- [ ] Malware analysis basics
- [ ] Network forensics
- [ ] Advanced log correlation
- [ ] Artifact collection (KAPE, etc.)
- [ ] Chain of custody
- [ ] Report writing


Forensic Analyst Checklist

Technical Skills:
- [ ] All IR skills +
- [ ] Advanced disk forensics
- [ ] File system internals (NTFS, ext4)
- [ ] Registry forensics
- [ ] Browser forensics
- [ ] Mobile forensics (Android, iOS)
- [ ] Database forensics
- [ ] Cloud forensics
- [ ] Email forensics
- [ ] Advanced memory forensics
- [ ] Super timeline analysis
- [ ] Court testimony skills


13. Additional Resources

Books

Free Training

YouTube Channels

Communities


Conclusion

This training path is designed to be progressive and complete. The key to success is:

  1. Practice, Practice, Practice - daily labs
  2. Build Projects - GitHub portfolio
  3. Document Everything - blog or GitHub
  4. Network - LinkedIn, Twitter, conferences
  5. Stay Current - threat intel, CVEs, techniques
  6. Certifications - skills validation

Realistic timeline:
- Entry SOC Analyst: 6-12 months from a complete beginner
- Mid-level IR: +12-18 months
- Senior/Specialist: +24-36 months

Good luck on your journey! 🛡️


Document created for defensive cybersecurity training. Last updated: 2024