***
< [Home](https://github.com/SeanOhAileasa) | [README](https://github.com/SeanOhAileasa/cap-incident-response/blob/main/README.md) >

## CompTIA Cybersecurity Analyst (CySA+) - Course Material 2022
###### Topic: ``Indicators of Compromise - IoCs``
***

Course material for the ``CompTIA Cybersecurity Analyst (CySA+)`` module of the ``ICT Associate Apprenticeship (Cybersecurity)`` programme.

<a id="top"></a>
***
## Table of Contents
***

### [Indicators of Compromise - IoCs](#a) <br/><br/>

- [Traffic Spike and DDoS-Related IoCs](#1) ``C&C Activity`` <br/><br/> 
    - [Botnet DDoS](#2) <br/><br/> 
    - [Bandwidth Consumption](#3) <br/><br/> 
        - [Distributed Reflection Denial of Service](#3) ``DRDoS`` <br/><br/> 
            - [Amplification Attack](#3) ``Amplification Factor During DDoS`` <br/><br/> 
- [Beaconing](#4) | [Advertise Presence / Establish Link](#4) ``AP``/``Beacon Management Frame`` <br/><br/> 
    - [Used by Legitimate Software/Applications](#4) <br/><br/> 
    - [``IoC``](#4) <br/><br/> 
        - [``RAT``](#4) ``Communications`` <br/><br/> 
            - [``C&C``](#4) ``Server`` <br/><br/> 
        - [Internet Relay Chat](#5) ``IRC`` <br/><br/> 
            - [Declining C&C Activity](#5) <br/><br/> 
        - [``HTTP``/``HTTPS``](#6) <br/><br/> 
            - [New Normal for C&C activity](#6) <br/><br/> 
                - [Mitigation](#6) <br/><br/> 
                    - [Implement Intercepting Proxy to Decrypt / Inspect all Traffic](#6) ``< Delivery`` <br/><br/> 
        - [Domain Name System](#7) ``DNS`` <br/><br/> 
            - [Internal DNS](#7) ``C&C Traffic Move Around Undetected`` <br/><br/> 
                - [Most DNS is Unfiltered](#7) <br/><br/> 
            - [Detect DNS Abuse](#7) <br/><br/> 
                - [Look for Multiple Repeated Attempts Consecutively](#7) <br/><br/> 
                    - [Attempting to see What it can Get Away With](#7) ``Bot`` <br/><br/> 
        - [Social Media](#8) <br/><br/> 
            - [Vector for Threat Actors](#8) <br/><br/> 
                - [Communicate Outbound without Detection](#8) | [ [Flashback Malware](https://www.intego.com/mac-security-blog/flashback-mac-malware-uses-twitter-as-command-and-control-center/) ] <br/><br/>
        - [Cloud Services / Media Files](#9) <br/><br/>         
            - [Cloud / Cloud-connected Files](#9) ``Establish a C&C`` <br/><br/>         
                - [Media Formats](#9) ``.jpeg``/``.mp3``/``.mpeg`` <br/><br/>         
                    - [Using Metadata Fields](#9) ``Embed / Send Messages Undetected`` <br/><br/> 
        - [Peer-to-Peer Communication](#10) <br/><br/> 
            - [Unintended Redirecting IP Addr to MAC Addr](#10) ``ARP Spoofing`` <br/><br/> 
                - [``IDS``](#10) ``Detect ARP Patterns`` <br/><br/> 
                    - [Search Local Cache](#10) ``Host``

<hr width=50%;>

- [Rogue Devices](#11) <br/><br/> 
    - [Network Taps](#11) <br/><br/> 
    - [Wireless Access Points](#11) ``WiFi Pineapple`` <br/><br/> 
        - [Capture Credentials](#11) <br/><br/> 
    - [Servers](#11) <br/><br/> 
        - [Malicious Honeypots](#11) <br/><br/> 
    - [Wired / Wireless Clients](#11) ``Look Legitimate`` <br/><br/> 
- [Scanning / Sweeping IoCs](#12) <br/><br/> 
    - [Port Scan](#12) <br/><br/> 
        - [Enumerate](#12) ``TCP``/``UDP`` <br/><br/> 
    - [Fingerprinting](#12) <br/><br/> 
        - [Operating System](#12) ``Type``/``Version`` <br/><br/> 
    - [Sweep](#12) <br/><br/> 
        - [Directed at Multiple IP Addresses](#12) ``Host Responds to Connection Requests`` <br/><br/> 
    - [Footprinting](#12) ``Attacker``/``PenTest``<br/><br/> 
        - [Gathers Information](#12) ``< Attack`` <br/><br/> 
- [Common / Non-Standard Port / Protocol IoCs](#13) <br/><br/> 
    - [Non-Standard Port](#13) <br/><br/> 
        - [Particular Service / Process](#13) <br/><br/> 
    - [Mismatched Port/Application Traffic](#13) <br/><br/> 
        - [Communicating Non-standard Traffic](#13) ``Over Well-known Registered Port`` <br/><br/>  
- [Data Exfiltration IoCs](#14) ``Attacker`` <br/><br/> 
    - [Private Network to External Network](#14) <br/><br/> 
        - [Channels](#14) <br/><br/> 
            - ``HTTP`` <br/><br/>
            - ``HTTPS`` <br/><br/>
            - ``DNS`` <br/><br/>
            - ``FTP`` <br/><br/>
            - ``P2P`` <br/><br/>
            - ``SSH`` <br/><br/>
            - Even ``VPN`` <br/><br/> 
- [Covert Channels](#15) <br/><br/> 
    - [Lack of Egress Filtering on Non-standard Ports](#15) <br/><br/> 
    - [Sending Data in Separate Chunks](#15) ``Avoid Signature Detection`` <br/><br/> 
    - [Encoding Data in Headers of TCP/IP Packets](#15) <br/><br/> 
    - [Sending in Encrypted Data that will not be Inspected](#15) <br/><br/> 
    - [Sending Data in HEX Format](#15) ``Avoid Character String Detection`` <br/><br/> 
    - [Sending Data in Images to Avoid Detection](#15) ``Steganography`` <br/><br/> 
- [Analyzing Host-Related IoCs](#16) <br/><br/> 
    - [Malicious Process IoCs](#16) <br/><br/> 
        - [Tools](#16) ``Abnormal OS Process Behavior`` <br/><br/> 
            - ``Sysinternals`` <br/><br/>
            - ``Tasklist`` <br/><br/>
            - ``PE Explorer`` <br/><br/>
            - ``Systemd`` <br/><br/>
            - ``Pstree`` <br/><br/>
            - ``FTK Imager`` <br/><br/>
            - ``Encase`` <br/><br/>
            - ``Fireeye`` <br/><br/>
            - ``Volatility`` <br/><br/>        
    - [Memory / Processor Consumption IoCs](#16) ``Establish Baseline`` <br/><br/> 
        - [Commands](#16) <br/><br/> 
            - [``free``](#16) <br/><br/> 
                - [Memory Consumption Summary](#16) <br/><br/> 
            - [``top``](#16) <br/><br/> 
                - [Table of Processes Running](#16) ``Constantly Refreshed`` <br/><br/> 
    - [Disk / File System IoCs](#16) <br/><br/> 
        - [Staging Areas](#16) ``Launch Points for Data Exfiltration`` <br/><br/> 
            - ~~Common on a User Machine~~ <br/><br/> 
                - [File Archive](#16) <br/><br/> 
                - [Compressions](#16) <br/><br/> 
                - [Encryption Activity](#16) <br/><br/> 
        - [Drive Capacity Consumption](#16) <br/><br/> 
            - [Scan](#16) ``Statistics`` <br/><br/> 
                - [Real-time Information Written to Disk](#16) <br/><br/> 
                - [Visual of Storage Space Allocation](#16) <br/><br/> 
                - [Listing of Folders/Files](#16) ``Sort by Extension`` <br/><br/> 
            - [Tool](#16) ``Linux`` <br/><br/> 
                - [``lsof``](#16) <br/><br/> 
    - [Unauthorized Privilege IoCs](#16) <br/><br/> 
        - [Privilege Escalation](#16) <br/><br/> 
            - [Perform Regular Audits](#16) ``Account Privileges`` <br/><br/> 
        - [``IoC``](#16) ~~Auditing~~ <br/><br/> 
            - [Repeated Failed Log-ons](#16) <br/><br/> 
            - [New Account Creation](#16) <br/><br/> 
            - [Guest Account Usage](#16) <br/><br/> 
            - [Unauthorized Sessions](#16) <br/><br/> 
            - [Off-hours Usage](#16) <br/><br/> 
        - [Tools](#16) ``Windows``/``Monitor Unauthorized Privileges`` <br/><br/> 
            - [``sysinternals``](#16) ``Suite``<br/><br/> 
                - [``AccessChk``](#16) <br/><br/> 
                - [``AccessEnum``](#16) <br/><br/> 
    - [Persistence IoCs](#16) ``Maintain Covert Access`` <br/><br/>
        - [Registry Changes](#16) <br/><br/>
            - [``autorun``](#16) ``Entries in Registry`` <br/><br/>
                - [Insert Malicious Code](#16) <br/><br/>
        - [Change File Association/Extension](#16) <br/><br/>
            - [Trick User into Running a Shell-type File](#16) ``Loads from the Registry`` <br/><br/>
        - [Scheduled Tasks](#16) <br/><br/>
            - [Access / Persistence](#16) <br/><br/>
                - [Recurring Script Execution](#16) <br/><br/>
            - [``crontab -l``](#16) ``List Current Jobs Scheduled to Run`` <br/><br/>
- [Analyzing Application-Related IoCs](#17) <br/><br/> 
    - [Anomalous Activity](#17) <br/><br/> 
        - [Unwanted Outbound Communications](#17) <br/><br/> 
            - [Ports Open/Operating](#17) ``Outbound Ports`` <br/><br/> 
                - [``netstat``](#17) <br/><br/> 
                - [``nmap``](#17) <br/><br/> 
        - [Unexpected Outputs](#17) <br/><br/> 
            - [``MitM``](#17) <br/><br/> 
        - [Defacement](#17) <br/><br/> 
    - [Service Interruption IoCs](#17) <br/><br/> 
        - [Failed Application Services](#17) ``Tampering``/``Full Compromise`` <br/><br/> 
            - [Service Analysis](#17) ``Tools``/``Commands`` <br/><br/> 
                - [Windows](#17) <br/><br/> 
                    - [``net start``](#17) <br/><br/> 
                    - [``Get-Service``](#17) <br/><br/> 
                - [Linux](#17) <br/><br/> 
                    - [``cron``](#17) <br/><br/> 
                    - [``systemctl``](#17) <br/><br/> 
                    - [``ps``](#17) <br/><br/> 
                    - [``top``](#17) <br/><br/>                
    - [Application Log IoCs](#17) <br/><br/> 
        - [Logs Properly Restricted / Encrypted](#17) ``When Sending to SIEM`` <br/><br/> 
            - [Access Log related IoCs](#17) ``Logs`` <br/><br/> 
                - [``HTTP``](#17) <br/><br/> 
                - [``DNS``](#17) <br/><br/>
                - [``FTP``](#17) <br/><br/> 
                - [``SSH``](#17) <br/><br/>
                - [``SQL``](#17) <br/><br/> 
    - [Lateral Movement / Pivot IoCs](#17) <br/><br/>
        - Attacks <br/><br/>
            - [``PtH``](#17) ``Network-based Attack`` <br/><br/> 
                - [Steals Hashed User Credentials](#17) <br/><br/> 
                    - [Attacker Authenticates with Hashed Credentials](#17) <br/><br/> 
            - [``Golden Ticket``](#17) ``Kerberos`` <br/><br/>
                - [Authentication Ticket](#17) ``Grant other Tickets in an AD Environment`` <br/><br/> 
                    - [``krbtgt``](#17) ~~``Reset``~~ <br/><br/> 
        - [Lateral Movement Techniques](#17) <br/><br/> 
            - [Remote Access Services](#17) <br/><br/>              
                - [``RDP``](#17) ``3389`` <br/><br/>              
                - [``VNC``](#17) <br/><br/>              
            - [Windows Management Instrumentation Command-Line](#17) ``WMIC`` <br/><br/>              
            - [``PsExec``](#17) ``Alternative to Telnet`` <br/><br/>              
            - [Windows PowerShell](#17) <br/><br/>              
        - [Pivoting Techniques](#17) <br/><br/>              
            - [Compromised Host](#17) ``The Pivot``

<hr width=50%;>

***
## END

< [Table of Contents](#top) | [References](#references) >
<a id="a"></a>
***
### Indicators of Compromise - IoCs
***

> Analyze network-related IoCs

> Analyze host-related IoCs

> Analyze application-related IoCs

> Analyze lateral movement and pivot IoCs

Effective identification of the different types of ``IoC`` is an essential skill. The following is a list of ``IoC`` types, each with its official definition.

< [Table of Contents](#top) | [References](#references) >
<a id="1"></a>
***
###### Traffic Spike and DDoS-Related IoCs
***

Distributed Denial of Service (DDoS) is an attack that uses multiple compromised hosts to overwhelm a service with request or response traffic.

< [Table of Contents](#top) | [References](#references) >
<a id="2"></a>
***
###### Botnet DDoS
***

A traffic spike is a sharp increase in connection requests in comparison with a normal baseline.

< [Table of Contents](#top) | [References](#references) >
<a id="3"></a>
***
###### Bandwidth Consumption
***

Distributed Reflection Denial of Service (``DRDoS``) is a network-based attack where the attacker dramatically increases the bandwidth sent to a victim during a ``DDoS`` attack by implementing an amplification factor.

- Known as an ``Amplification Attack``.

< [Table of Contents](#top) | [References](#references) >
<a id="4"></a>
***
###### Beaconing IoCs
***

Beaconing is the means for a network node to advertise its presence and establish a link with other nodes, such as the beacon management frame sent by an ``AP``. 

Legitimate software and applications do this, but it is also associated with ``RAT`` communications with a ``C&C`` server.
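
Because legitimate software beacons too, detection usually looks at how regular the check-ins are and then filters known-good destinations. The following is an added example (not part of the course material) that flags host/destination pairs with near-constant connection intervals; the flow records, allowlist and thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows: (epoch_seconds, source_host, destination).
SAMPLE_FLOWS = (
    # Roughly one connection per minute with a second or two of jitter.
    [(1000 + 60 * i + j, "10.0.0.23", "203.0.113.50:443")
     for i, j in enumerate([0, 1, -1, 0, 2, -2, 1, 0])]
    # Bursty, irregular traffic such as interactive browsing.
    + [(t, "10.0.0.41", "198.51.100.7:443")
       for t in [1003, 1010, 1190, 1204, 1650, 1655, 2400, 2411]]
    # A software update agent checking in exactly every five minutes.
    + [(1000 + 300 * i, "10.0.0.12", "192.0.2.10:443") for i in range(8)]
)

# Assumption: destinations already known to be legitimate periodic check-ins.
ALLOWLIST = {"192.0.2.10:443"}


def find_beacons(flows, min_events=6, max_cv=0.1, allowlist=ALLOWLIST):
    """Return [(src, dst, mean_interval, cv)] for pairs with near-constant intervals.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    consecutive connections; a low value means machine-like regularity.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(ts)

    hits = []
    for (src, dst), stamps in by_pair.items():
        if dst in allowlist or len(stamps) < min_events:
            continue
        stamps.sort()
        deltas = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(deltas)
        if avg <= 0:
            continue  # all events share one timestamp; nothing to measure
        cv = pstdev(deltas) / avg
        if cv <= max_cv:
            hits.append((src, dst, round(avg, 1), round(cv, 3)))
    return sorted(hits)


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_FLOWS):
        print("possible beacon:", hit)
```
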

< [Table of Contents](#top) | [References](#references) >
<a id="5"></a>
***
###### Internet Relay Chat - ``IRC``
***

IRC was commonly used for command and control activity, but its use has slowly declined over the years as its effectiveness has worn off.

< [Table of Contents](#top) | [References](#references) >
<a id="6"></a>
***
###### ``HTTP``/``HTTPS``
***

``HTTP`` is now the new normal for command and control activity, as it is much more difficult to detect with everything requiring ``HTTP`` in one form or another. 

One method to mitigate these types of attacks is by implementing an intercepting proxy to decrypt and inspect all traffic before its delivery.

< [Table of Contents](#top) | [References](#references) >
<a id="7"></a>
***
###### Domain Name System - ``DNS``
***

Internal DNS is a very popular way for C&C traffic to move around undetected, as most DNS is unfiltered. 

- A common method used to detect DNS abuse is to look for multiple repeated attempts made consecutively, as this could be a bot attempting to see what it can get away with.
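
One way to look for repeated consecutive attempts in resolver logs, as an added example that is not part of the course material. The log format, the two-label parent-domain heuristic and the thresholds are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in a hypothetical resolver log format:
#   <epoch> <client-ip> <query-name> <type> <rcode>
SAMPLE_LOG = """\
1700000000 10.0.0.23 a1f3.updates.example.net A NXDOMAIN
1700000001 10.0.0.23 b77c.updates.example.net A NXDOMAIN
1700000002 10.0.0.23 c09e.updates.example.net A NXDOMAIN
1700000002 10.0.0.41 www.example.org A NOERROR
1700000003 10.0.0.23 d4a2.updates.example.net A NXDOMAIN
1700000004 10.0.0.23 e5b8.updates.example.net A NXDOMAIN
1700000090 10.0.0.41 mail.example.org MX NOERROR
1700000200 10.0.0.23 www.example.org A NOERROR
malformed line that should be skipped
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parent_domain(qname, labels=2):
    # Simplification: keep the last two labels. A production check would
    # use the public suffix list so that names under e.g. co.uk group correctly.
    return ".".join(qname.rstrip(".").lower().split(".")[-labels:])


def repeated_attempts(log_text, min_run=5, max_gap=5):
    """Find runs of consecutive queries from one client to one parent domain.

    Returns [(client, domain, queries, nxdomain_count, first_ts, last_ts)]
    for every run of at least min_run queries whose gaps are <= max_gap seconds.
    """
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the expected format
        ts, client, qname, _qtype, rcode = m.groups()
        per_client[client].append((int(ts), parent_domain(qname), rcode))

    findings = []
    for client, events in per_client.items():
        events.sort()
        run = []
        # The trailing sentinel forces the final run to be evaluated.
        for ts, dom, rcode in events + [(None, None, None)]:
            if run and dom == run[-1][1] and ts - run[-1][0] <= max_gap:
                run.append((ts, dom, rcode))
                continue
            if len(run) >= min_run:
                failed = sum(1 for _, _, rc in run if rc == "NXDOMAIN")
                findings.append((client, run[0][1], len(run), failed,
                                 run[0][0], run[-1][0]))
            run = [(ts, dom, rcode)] if dom is not None else []
    return sorted(findings)


if __name__ == "__main__":
    for finding in repeated_attempts(SAMPLE_LOG):
        print("repeated DNS attempts:", finding)
```
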

< [Table of Contents](#top) | [References](#references) >
<a id="8"></a>
***
###### Social Media
***

Social media can be used as a vector for threat actors to communicate outbound without detection.

- [ [Flashback Malware](https://www.intego.com/mac-security-blog/flashback-mac-malware-uses-twitter-as-command-and-control-center/) ]

< [Table of Contents](#top) | [References](#references) >
<a id="9"></a>
***
###### Cloud Services and Media Files
***

Another common vector for beaconing ``IoC`` is by using the cloud and cloud-connected files to establish a C&C. 

Media formats like ``.jpeg``, ``.mp3``, and ``.mpeg`` are notorious for using metadata fields to embed and send messages undetected.

< [Table of Contents](#top) | [References](#references) >
<a id="10"></a>
***
###### Peer-to-Peer Communication IoCs
***

``ARP`` spoofing is performed when an attacker redirects an IP address to a MAC address that was not intended.

You can detect this by using your ``IDS`` to look for ``ARP`` patterns or by searching the local cache of an affected machine.

< [Table of Contents](#top) | [References](#references) >
<a id="11"></a>
***
###### Rogue Devices
***

A rogue device is an unauthorized device or service, such as a ``WAP`` or ``DNS Server``, on a corporate network that allows unauthorized individuals to connect to the network - examples of rogue devices include:

> Network Taps

Attaching a physical device to a networking cable to intercept traffic.

> Wireless Access Points

WiFi Pineapples can be used to capture credentials.

> Servers

Malicious honeypots.

> Wired or Wireless Clients

Malicious clients dressed up to look legitimate.

There are several ways to inspect or monitor for these types of devices, including:

- Visual inspection of physical assets.


- Monitoring wireless networks for peer-to-peer communications.


- Packet sniffing to identify unauthorized protocol communications.


- Using a ``NAC`` solution for intrusion detection.


- Network topology mapping.

< [Table of Contents](#top) | [References](#references) >
<a id="12"></a>
***
###### Scanning / Sweeping IoCs
***

> Port Scan

Enumerating the status of ``TCP``/``UDP`` ports on a target system using software tools.

> Fingerprinting

Identifying the type and version of an OS by analyzing its responses to network scans.

> Sweep

A scan directed at multiple IP addresses to discover whether a host responds to connection requests for particular ports.

> Footprinting

The phase in an attack or penetration test in which the attacker gathers information about the target before attacking it.

< [Table of Contents](#top) | [References](#references) >
<a id="13"></a>
***
###### Common / Non-Standard Port / Protocol IoCs
***

> Non-Standard Port

A port that is not commonly used for a particular service or process.

> Mismatched Port/Application Traffic

Communicating non-standard traffic over a well-known registered port.
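
Both definitions can be checked by comparing the protocol a session actually speaks with the protocol expected on its destination port. The following is an added example (not part of the course material) using the opening bytes of HTTP, TLS and SSH; the port table covers only three ports and the session records are constructed.

```python
HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE",
                b"OPTIONS", b"PATCH", b"CONNECT"}

# How the first client payload of each protocol begins.
SIGNATURES = {
    "http": lambda p: p.split(b" ", 1)[0] in HTTP_METHODS,
    # TLS record header: content type 0x16 (handshake), major version 0x03.
    "tls": lambda p: len(p) >= 3 and p[0] == 0x16 and p[1] == 0x03,
    # SSH identification string, e.g. "SSH-2.0-...".
    "ssh": lambda p: p.startswith(b"SSH-"),
}

# Assumption: the protocol expected on each well-known port in this network.
EXPECTED = {80: "http", 443: "tls", 22: "ssh"}

# Constructed sessions: (source, destination_port, first payload bytes).
SAMPLE_SESSIONS = [
    ("10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    ("10.0.0.5", 443, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"),
    ("10.0.0.23", 443, b"SSH-2.0-OpenSSH_9.6\r\n"),
    ("10.0.0.23", 80, b"\x00\x00\x00\x2a\x9f\x11binarydata"),
    ("10.0.0.41", 2222, b"SSH-2.0-OpenSSH_9.6\r\n"),
]


def identify(payload):
    """Name the protocol whose signature matches the payload, else 'unknown'."""
    for name, matches in SIGNATURES.items():
        if matches(payload):
            return name
    return "unknown"


def classify(dst_port, payload):
    """Return (verdict, observed_protocol) for one session."""
    seen = identify(payload)
    expected = EXPECTED.get(dst_port)
    if expected is None:
        # A recognised service on a port not registered for it.
        if seen != "unknown":
            return ("non-standard-port", seen)
        return ("unclassified", seen)
    if seen == expected:
        return ("ok", seen)
    # Traffic on a well-known port that is not the expected protocol.
    return ("mismatch", seen)


def audit(sessions):
    """Return (source, port, verdict, observed) for sessions worth reviewing."""
    findings = []
    for src, port, payload in sessions:
        verdict, seen = classify(port, payload)
        if verdict in ("mismatch", "non-standard-port"):
            findings.append((src, port, verdict, seen))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SESSIONS):
        print(finding)
```
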

< [Table of Contents](#top) | [References](#references) >
<a id="14"></a>
***
###### Data Exfiltration IoCs
***

Data exfiltration is the process by which an attacker takes data that is stored inside of a private network and moves it to an external network.

Data exfiltration can be performed over several different channels, including:

- ``HTTP``


- ``HTTPS``


- ``DNS``


- ``FTP``


- ``P2P``


- ``SSH``


- Even ``VPN``

< [Table of Contents](#top) | [References](#references) >
<a id="15"></a>
***
###### Covert Channels
***

Covert channels allow hackers to send out data without notifying the affected user of their presence - some examples of covert channels include the following:

- Lack of Egress Filtering usage on Non-standard Ports


- Sending Data in Separate Chunks to Avoid Signature Detection


- Encoding Data in Headers of ``TCP/IP`` Packets


- Sending in Encrypted Data that will not be Inspected


- Sending Data in ``HEX`` Format to Avoid Character String Detections


- Sending Data in Images to Avoid Detection (``Steganography``)

< [Table of Contents](#top) | [References](#references) >
<a id="16"></a>
***
###### Analyzing Host-Related IoCs
***

Analysing malicious process, unauthorized privilege, persistence, and a variety of other host-related IoCs:

> Malicious Process IoCs

A malicious process is executed without proper authorization from the system owner for the purpose of damaging or compromising the system in question.

Abnormal ``OS`` process behavior involves indicators that a legitimate ``OS`` process has been corrupted with malicious code for the purpose of damaging or compromising the system.

Tools Used to Detect Malicious Processes:

- Sysinternals


- Tasklist


- PE Explorer


- Systemd


- Pstree


- FTK Imager


- Encase


- Fireeye


- Volatility

> Memory and Processor Consumption IoCs

In order to detect nefarious activity within memory, analysis of both the processor and the memory consumption must be done to establish a baseline of what is normal. 

The following commands can be used to help with this process:

- ``free``

Summary of amount of memory consumption.

- ``top`` 

Table of all running processes, constantly refreshed.

> Disk / File System IoCs

``Staging Areas`` can be used on local files or folders as launch points for data exfiltration. 

In order to analyze and detect local Staging, scans must be performed for file archive, compressions, and encryption activity that are not common on a user machine, such as ``RAR`` and ``gzip``. 

Another way to detect is to locate files that are not in their proper location, like the recycling bin within a systems folder.

> Drive Capacity Consumption

When a file or application starts to consume more drive capacity than it originally did, it could mean something malicious is using it.

In order to detect this ``IoC``, a scan can be performed to locate the following statistics.

- Real-time information being written to disk


- Some kind of visual of storage space allocation


- Listing of folders, files, and sort by extension

One popular Linux tool that can help gather this information is called ``lsof``. The tool allows you to dig into a file or application, process by process, to determine illegitimate activity.

> Unauthorized Privilege IoCs

Privilege Escalation is the practice of exploiting flaws in an ``OS`` or other application to gain a greater level of access than was intended for the user or application.

One way to detect unauthorized privileges being used is to perform regular audits around account privileges. 

- By performing regular audits, you can ensure only the permissions that are required are set for use on each account.

The following are some IoCs that could occur by not auditing account privileges.

- Repeated Failed Log-ons


- New Account Creation


- Guest Account Usage


- Unauthorized Sessions


- Off-hours Usage

``AccessChk`` and ``AccessEnum`` in the Microsoft ``sysinternals`` suite are great tools for monitoring the unauthorized privileges being used.
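
The five IoCs listed above can be checked against authentication events during an account audit. The following is an added example, not part of the course material; the event schema, host and account names, per-host logon list, business hours and failure threshold are all constructed assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed authentication events (hypothetical schema, hosts and accounts).
EVENTS = (
    [{"ts": f"2022-07-18T22:01:{s:02d}", "type": "logon_failed",
      "user": "jdoe", "host": "srv-db1"} for s in range(0, 50, 10)]
    + [
        {"ts": "2022-07-18T09:12:00", "type": "logon_ok",
         "user": "asmith", "host": "ws-014"},
        {"ts": "2022-07-19T02:47:00", "type": "logon_ok",
         "user": "jdoe", "host": "srv-db1"},
        {"ts": "2022-07-19T02:49:30", "type": "account_created",
         "user": "svc_backup2", "host": "srv-db1"},
        {"ts": "2022-07-19T11:30:00", "type": "logon_ok",
         "user": "Guest", "host": "ws-022"},
    ]
)

AUTHORIZED = {"srv-db1": {"dbadmin"}}  # assumption: hosts with a restricted logon list
BUSINESS_HOURS = range(7, 19)          # assumption: 07:00-18:59, Monday to Friday
FAILED_THRESHOLD = 5                   # assumption: failures per account and host


def off_hours(ts):
    """True when an ISO timestamp falls on a weekend or outside business hours."""
    when = datetime.fromisoformat(ts)
    return when.weekday() >= 5 or when.hour not in BUSINESS_HOURS


def audit_events(events):
    """Return a sorted list of (ioc, user, host) findings for the batch."""
    findings = set()

    # Repeated failed log-ons: count failures per (account, host).
    failed = Counter((e["user"], e["host"])
                     for e in events if e["type"] == "logon_failed")
    for (user, host), count in failed.items():
        if count >= FAILED_THRESHOLD:
            findings.add(("repeated-failed-logons", user, host))

    for e in events:
        user, host = e["user"], e["host"]
        if e["type"] == "account_created":
            findings.add(("new-account-creation", user, host))
        if e["type"] != "logon_ok":
            continue
        if user.lower() == "guest":
            findings.add(("guest-account-usage", user, host))
        if host in AUTHORIZED and user not in AUTHORIZED[host]:
            findings.add(("unauthorized-session", user, host))
        if off_hours(e["ts"]):
            findings.add(("off-hours-usage", user, host))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_events(EVENTS):
        print(finding)
```
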

> Persistence IoCs

Persistence is the ability of a threat actor to maintain covert access to a target host or network.

Registry changes are a common way for attackers to compromise a system. 

One of the more common is by abusing the ``autorun`` entries in the registry to insert malicious code that will automatically execute once that ``autorun`` is triggered. 

Another common tactic is to change the file association or extension to trick the user into running a shell-type file that loads from the registry.

Lastly, by taking advantage of scheduled tasks, hackers can gain both access and persistence on a machine by ensuring a recurring execution of their script. 

- The ``crontab -l`` command can list all current jobs that are scheduled to run on a machine.

< [Table of Contents](#top) | [References](#references) >
<a id="17"></a>
***
###### Analyzing Application-Related IoCs
***

This section discusses ``Anomalous Activity``, ``Service Interruption``, ``Application Log``, ``Lateral Movement``, and ``Pivoting IoCs``:

> Anomalous Activity IoCs

With applications, it is important to understand what is intended and what is not, and have full control over what you intend to happen with each application.

The following are some common IoCs that can occur within a piece of malicious software:

- Unwanted Outbound Communications

Commands like ``netstat`` or ``nmap`` can help to identify all outbound ports that are open and operating.

- Unexpected Outputs

If the end user is receiving outputs that differ from what is intended, this could be a sign that a man-in-the-middle attack is in progress.

- Defacement

This is very obvious and observed after the fact. 

- If visuals on your application have changed in some way without going through the change control process, then your application could have been defaced.

> Service Interruption IoCs

Failed application services can be the results of tampering or even full compromise. 

The following are some examples of what could be occurring:

- Processes running authorized services have been compromised.


- The threat could be preventing services from running on purpose.


- Anti-virus could be preventing services from running.


- The service is disabled due to a ``DoS`` type attack.

Some popular tools/commands for service analysis include the following:

- ``net start`` (Windows)


- ``Get-Service`` (Windows)


- ``cron`` (Linux)


- ``systemctl`` (Linux)


- ``ps`` (Linux)


- ``top`` (Linux)

> Application Log IoCs

Ensuring that your ``Applications Logs`` are properly restricted and encrypted when sending to a ``SIEM`` is essential in preventing log-related IoCs. 

The following are some Access Log related IoCs to consider when structuring and hardening your application:

- ``HTTP`` logs


- ``DNS`` logs


- ``FTP`` logs


- ``SSH`` logs


- ``SQL`` logs

Logs are meant to provide visibility to professionals who are helping to protect and troubleshoot the application, not to enrich attackers' arsenals by sending them explicit details about each service running.

> Lateral Movement and Pivot IoCs

A Pass the Hash (``PtH``) attack is a network-based attack. 

The attacker first steals hashed user credentials and then uses them as-is to try to authenticate to the same network that the hashed credentials originated from.

A ``Golden Ticket`` is a Kerberos authentication ticket that can grant other tickets in an Active Directory environment.

> Lateral Movement Techniques

Complementing most attacks are ``Lateral Movements``, which provide the attacker with the ability to either locate additional access or move to locations that store sensitive information. 

The following are some common examples of terms in relation to lateral movements:

- Remote access services like ``RDP`` (Remote Desktop Protocol) and ``VNC`` (Virtual Network Computing)


- ``WMIC`` (Windows Management Instrumentation Command-Line)


- ``PsExec`` (alternative to ``Telnet``)


- Windows PowerShell

> Pivoting Techniques

Pivoting is when an attacker uses a compromised host (the pivot) as a platform from which to spread an attack to other points in the network.

***
## END

< [Table of Contents](#top) >
<a id="references"></a>
***
## References
***

cybrary, "Indicators of Compromise - IoCs," [cybrary.it](https://web.archive.org/web/20220724081418/https://www.cybrary.it/), n.d.

***
## END
