robsann/README.md

Hi, I'm Robson

I have a keen interest in cyber security, with a focus on security operations, including network and endpoint security, log and traffic analysis, malware analysis, threat hunting, digital forensics, incident response, threat intelligence, web applications security, and vulnerability management. I use my GitHub account to curate homelabs to simulate diverse security operations scenarios, which I then use to test SOC tools. Additionally, I create content covering system administration, network administration, and cyber security topics. My certificates can be found here.


Cyber Security Homelabs

I've been exploring homelabs described on YouTube channels and blogs covering threat hunting (XDR), endpoint security (EDR), monitoring (SIEM), and network security (IDS/IPS).

πŸ“ Threat Hunting with Elastic Stack 8 (XDR)

  • Configured in VirtualBox an Internal Network with:
    • DHCP Server
    • Ubuntu Server (Elastic Host)
    • Windows 10 (Victim)
  • Configured Elastic Stack 8 on Ubuntu Server:
    • Elastic Stack: Elasticsearch, Kibana (UI), and Elastic Agent + Integrations.
    • Integrations: Fleet Server, System, Windows, and Elastic Defend.
  • Simulated two malicious tests on the Victim machine:
    • EICAR Malware Test.
    • MITRE ATT&CK Test with Red Team Automation (RTA).

Source: https://github.com/robsann/ElasticStackLab

πŸ“ Detection & Response with LimaCharlie (EDR)

  • Configured in VirtualBox a NAT Network with:
    • DHCP Server and Host Gateway access.
    • Windows 11 (Target) with Windows Defender disabled, Sysmon and LimaCharlie sensor installed.
    • Ubuntu Server (Attack) with Sliver installed, a Command & Control (C2) framework by BishopFox.
  • Generated in Sliver a C2 payload and executed the payload on the Target machine to start a Sliver C2 session on the Attack machine.
  • Used the Sliver C2 session to perform two attacks on the Target machine:
    • LSASS access (credential-stealing attack).
    • Volume shadow copies deletion using vssadmin Windows utility (used in ransomware attacks).
  • Detection and response rules were created in the LimaCharlie platform to detect the two previous attacks and take action. The rules were tested by repeating the attacks.

Source: https://github.com/robsann/LimaCharlieEDRTelemetry
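Detection logic for the two attacks in the LimaCharlie lab above, as an added example that is not the lab's own LimaCharlie D&R rules: it runs over constructed Sysmon-style events (Event ID 1 process creation, Event ID 10 process access) and flags vssadmin shadow deletion and handles to lsass.exe opened by a process outside an allow-list. The field names follow Sysmon; the event values and the allow-list are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed events modelled on Sysmon fields (Event ID 1 = process creation,
# Event ID 10 = process access); paths and values are made up for this example.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"EventID": 10, "SourceImage": r"C:\Users\victim\Downloads\payload.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
]

# Assumed allow-list of system processes that legitimately open lsass.exe.
LSASS_ALLOWED_SOURCES = {"csrss.exe", "wininit.exe", "services.exe"}

@dataclass
class Alert:
    rule: str
    detail: str

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def detect_shadow_deletion(event: dict) -> Optional[Alert]:
    """Process creation of vssadmin.exe with a 'delete shadows' command line."""
    if event.get("EventID") != 1 or _basename(event.get("Image", "")) != "vssadmin.exe":
        return None
    cmd = event.get("CommandLine", "").lower()
    if "delete" in cmd and "shadows" in cmd:
        return Alert("vss_shadow_deletion", event["CommandLine"])
    return None

def detect_lsass_access(event: dict) -> Optional[Alert]:
    """Process access to lsass.exe from a source that is not on the allow-list."""
    if event.get("EventID") != 10 or _basename(event.get("TargetImage", "")) != "lsass.exe":
        return None
    source = _basename(event.get("SourceImage", ""))
    if source in LSASS_ALLOWED_SOURCES:
        return None
    return Alert("lsass_access", f"{source} GrantedAccess={event.get('GrantedAccess')}")

def run_rules(events: list) -> list:
    """Apply both rules to every event and collect the alerts in event order."""
    return [hit for ev in events
            for rule in (detect_shadow_deletion, detect_lsass_access)
            if (hit := rule(ev)) is not None]
```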

πŸ“ Attack Monitoring with Microsoft Sentinel (SIEM)

  • Microsoft Sentinel was used to monitor failed RDP login attempts from global attackers on an exposed Windows 10 virtual machine configured in Microsoft Azure.
  • A custom log file (failed_rdp.log) was generated using a PowerShell script that extracts failed login events from Security Log on Event Viewer and forwards them to a third-party API to get geolocation data.
  • A custom table (FAILED_RDP_WITH_GEO_CL) was created in Log Analytics Workspace on Microsoft Azure using the generated log file (failed_rdp.log). Custom fields were extracted from the table using a Kusto Query Language (KQL) query.
  • A workbook was created in Microsoft Sentinel using KQL to query data from the FAILED_RDP_WITH_GEO_CL table to display global attackers (RDP login failure) on the world map according to physical location and magnitude (attack count).

Source: https://github.com/robsann/AzureSentinelSIEMAttackMap

πŸ“ Network Security with Snort (IDS/IPS)

  • Snort network IDS mode configuration in Ubuntu Server.
  • NMAP scan detection using Snort (NIDS):
    • NMAP Ping Scan, various TCP scans including SYN, Connect, NULL, FIN, and XMAS, as well as UDP Scans.
  • Attack detection using Snort (NIDS):
    • SQL injection attacks using tools like WPSCan & WordPress and Burp Suite & SQLmap.
    • Backdoor attacks using Empire post-exploitation framework and Katana penetration test framework.
    • Rogue DHCP & Rogue Routing attacks.
    • ICMP Redirect attack.

Source: https://github.com/robsann/NetworkSecurityWithSnort



IT and Cyber Security Fundamentals

I'm developing educational materials covering IT fundamentals like system and network administration, as well as cyber security fundamentals. I started by creating visual maps to outline the content of various certification exams, including CompTIA A+, CompTIA Linux+, CompTIA Network+, CompTIA Security+, and CompTIA CySA+. You can access these maps in PDF format on Dropbox by clicking on the images.


System Administration

πŸ“ CompTIA A+ Core 2 (220-1102) Objectives - CompTIA link

The CompTIA A+ Core 2 certification objectives cover advanced troubleshooting, operating systems, security, and software troubleshooting. It includes topics like hardware, networking, mobile devices, virtualization, and cloud computing. Candidates are tested on their ability to secure and manage various devices and technologies, ensuring comprehensive IT skills and knowledge. CompTIA A+ Core 2 demonstrates proficiency in essential IT areas.

Exam Domains

  • 1.0 Operating Systems
  • 2.0 Security
  • 3.0 Software Troubleshooting
  • 4.0 Operational Procedures

  • Professor Messer CompTIA A+ Core 2 (220-1102) course - YouTube Link

    πŸ“ CompTIA Linux+ (XK0-005) Objectives - CompTIA link

    The CompTIA Linux+ certification validates essential skills in Linux system administration and operation. Covering topics such as system architecture, Linux installation, package management, command line usage, file permissions, and security, this certification ensures proficiency in managing Linux-based systems. Candidates learn troubleshooting, scripting, and networking in a Linux environment, making them well-equipped for various IT roles requiring Linux expertise. Achieving CompTIA Linux+ certification demonstrates a thorough understanding of Linux systems.

    Exam Domains

  • 1.0 System Management
  • 2.0 Security
  • 3.0 Scripting, Containers, and Automation
  • 4.0 Troubleshooting

  • Shawn Powers' CompTIA Linux+ (XK0-005) prep (in progress) - YouTube Link


Network Administration

📁 CompTIA Network+ (N10-008) Objectives - CompTIA link

The CompTIA Network+ certification validates essential skills in networking, covering topics such as network architecture, security, troubleshooting, and cloud technologies. Candidates learn to design and implement functional networks, configure network devices, and manage network security protocols. The certification also emphasizes practical skills in areas like network installation, configuration, and diagnostics, ensuring proficiency in both wired and wireless networks. Overall, CompTIA Network+ certification demonstrates expertise in network administration.

Exam Domains

  • 1.0 Networking Fundamentals
  • 2.0 Network Implementations
  • 3.0 Network Operations
  • 4.0 Network Security
  • 5.0 Network Troubleshooting

  • Professor Messer CompTIA Network+ (N10-008) course - YouTube Link


Cyber Security

📁 CompTIA Security+ (SY0-501) Objectives - CompTIA link

The CompTIA Security+ certification objectives cover essential topics in cybersecurity, including network security, threats and vulnerabilities, access control, identity management, cryptography, and risk management. It also emphasizes security compliance, incident response, and security architecture. Successfully mastering these objectives demonstrates proficiency in securing IT systems.

Exam Domains

  • 1.0 Threats, Attacks and Vulnerabilities
  • 2.0 Technologies and Tools
  • 3.0 Architecture and Design
  • 4.0 Identity and Access Management
  • 5.0 Risk Management
  • 6.0 Cryptography and PKI

  • Professor Messer's CompTIA Security+ (SY0-501) course - YouTube Link

📁 CompTIA Cybersecurity Analyst (CySA+) (CS0-003) Objectives - CompTIA link

The CompTIA Cybersecurity Analyst (CySA+) certification focuses on identifying and responding to security threats and vulnerabilities in a cybersecurity context. CySA+ certified professionals demonstrate skills in threat detection, analysis, and response using various tools and techniques. They are proficient in analyzing data to identify vulnerabilities, threats, and risks to an organization's information systems. CySA+ certification validates expertise in cybersecurity operations, enhancing an individual's ability to protect and secure organizational assets against cyber threats.

Exam Domains

  • 1.0 Security Operations
  • 2.0 Vulnerability Management
  • 3.0 Incident Response and Management
  • 4.0 Reporting and Communication

💾 Cyber Security Domains from 2021 (credits to MyDFIR)

Mind map from 2021 that provides a comprehensive overview of the various domains within cyber security.

💾 Cyber Security Hands-on Platforms

  • TryHackMe: Hands-on cyber security training with offensive and defensive paths.
  • HackTheBox: Hands-on cyber security training with offensive and defensive paths.
  • LetsDefend: Hands-on security operations training with alert handling in a simulated SOC environment.
  • CyberDefenders: A blue team training platform.


IT and Cyber Security Concepts

SysAdmin Concepts

💾 Linux File System

The Linux File System is a hierarchical structure that organizes and stores files on a Linux system. It uses a tree-like directory structure, starting with the root directory ("/"), with directories and files arranged systematically to facilitate efficient file management and access.


💾 Linux File Permissions

Linux File Permissions dictate the access level of users (owner, group, and others) to files and directories. They are represented by read, write, and execute permissions, providing control over file security and user interactions.


💾 Linux Useful Commands

Linux commands help users navigate the file system, interact with files, and administer the entire system from the command line interface.

Note: Use the man command to display the manual page for another command (e.g., man ls), which provides detailed documentation and usage instructions, or use the --help option (e.g., ls --help) for a quick overview of the command's options.


💾 Linux Useful Files

  • Configuration files (/etc/) store system-wide settings, preferences, and configurations for various applications, facilitating centralized management.
  • System Info files (/proc/) provide a virtual file system exposing kernel and process information, allowing dynamic access to real-time system details and parameters.
  • Log files (/var/log/) store system and application logs, aiding in troubleshooting by capturing events, errors, and diagnostic information for analysis and monitoring.


Networking Concepts

💾 OSI Model

The Open Systems Interconnection (OSI) model is a conceptual framework used to describe how network communications work. The OSI model characterizes computing functions into a universal set of rules and requirements in order to support interoperability between different products and software.


💾 TCP vs UDP

TCP (Transmission Control Protocol) is a connection-oriented and reliable transport layer protocol that ensures data integrity and ordered delivery. UDP (User Datagram Protocol) is a connectionless and lightweight transport layer protocol that sacrifices reliability for reduced latency, making it suitable for real-time applications where occasional data loss is acceptable.


💾 DHCP

The Dynamic Host Configuration Protocol (DHCP) is a network management protocol used on IP networks for automatically assigning IP addresses and other communication parameters to devices connected to the network, using a client-server architecture.


💾 DNS

The Domain Name System (DNS) is a naming database that translates human-readable domain names (e.g., www.example.com) to machine-readable IP addresses (e.g., 93.184.216.34) used for device communication. If the name is not cached, the DNS resolver queries the Root Servers, Top-Level Domain (TLD) Servers, and Authoritative Nameservers in turn to retrieve the IP address.



Cyber Security Concepts

💾 The CIA Triad

The CIA Triad is a fundamental concept in information security, representing the core principles of Confidentiality (ensuring data privacy), Integrity (maintaining data accuracy and trustworthiness), and Availability (ensuring data accessibility). These principles guide security measures and strategies to protect information assets in various computing environments.


💾 The Cyber Kill Chain

The Cyber Kill Chain is a framework outlining the stages of a cyber attack, from initial reconnaissance to achieving the attacker's objectives, providing a structured approach for understanding, analyzing, and defending against advanced cyber threats.


💾 MITRE ATT&CK Matrix

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a knowledge base that catalogs and describes the tactics, techniques, and procedures used by cyber adversaries. It provides a comprehensive framework for understanding and analyzing the full spectrum of cyber threats, aiding organizations in improving their detection, defense, and response capabilities.


💾 Pyramid of Pain

The Pyramid of Pain is a conceptual framework in cybersecurity that categorizes indicators of compromise (IOCs) into six levels based on how difficult it is for adversaries to change them or evade detection. The pyramid is structured in ascending order of difficulty, as illustrated below:


💾 SOC Technologies

Security Operations Center (SOC) technologies encompass a range of tools designed to monitor, analyze, and respond to cyber security threats. These include SIEM for log analysis, EDR for endpoint protection, SOAR for orchestration, and other solutions that collectively fortify an organization's cyber security posture.

💾 NIST Incident Response Framework

The NIST Incident Response Framework provides a systematic approach for organizations to prepare for, detect, respond to, and recover from cybersecurity incidents. It guides the development of robust incident response capabilities through a four-phase process: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity.


💾 SANS Incident Response Framework

The SANS Incident Response Framework provides a structured approach for organizations to effectively respond to cybersecurity incidents, comprising six key phases: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. It guides the development of robust incident response capabilities to detect, mitigate, and recover from security incidents.

