This document consists of a list of academic labs that I have had hands-on experience with throughout my studies to acquire my GFACT, GSEC, and GCIH certification. Each lab in the document is labeled in the following structure: Certification - lab number - title of lab. Some of the labs will include a brief intro describing what was intended to be learned in the lab. They may also include additional details about some of what was covered in the lab. Some labs may only have a title with no description or information covered. Some will only have a title and information covered.
The purpose of this document is to assist in my job hunting process. My master resume does not include everything that I have learned in these labs. However, if something that I’ve learned in these labs can be drawn from to make any adaptations to my resume so that it will better align with a target job posting, this document will be used to make that adjustment. This is so that I can make truthful and strategic adjustments to my resume when applying to different positions.
(LIST OF LABS STARTS HERE)
GCIH - lab 1.1 - Live Windows investigation with PowerShell
Description:
In this lab you will learn to apply different PowerShell commands to review a Windows system for signs of a possible compromise. Many of the PowerShell commands we'll review can also be used to create a baseline for Windows systems. This is important because having a baseline to compare against makes identifying anomalous and/or malicious activity much easier. While it is not always possible to have a baseline, creating one should be considered an essential preparation task.
Information covered in this lab:
Process enumeration with Get-Process, Select-Object -Property
Network enumeration with Get-NetTCPConnection
Investigating autostart locations in Windows registry with Get-ChildItem, Get-ItemProperty
Differential Analysis with Get-Content, Get-ScheduledTask, Get-LocalUser, Compare-Object
GCIH - lab 1.2 - Network Investigation
Description:
In this lab you will analyze network evidence from a simulated compromise. The scenario used in this lab is continued in the two labs that follow (Lab 1.3: Memory Investigation, and Lab 1.4: Malware Investigation). In these labs you will examine additional evidence (memory images and malware) from the same compromise. So, make sure to keep your notes from this exercise, and add to them in later labs.
Information covered in this lab:
Identifying network traffic that correlates with the CEO’s statement using grep and awk to look through log files
Looking for beacons in log files with findbeacons.py
Finding compromised hosts with grep and tcpdump
GCIH - lab 1.3 - Memory Investigation
Description:
In this lab you will analyze memory evidence from the Falsimentis compromise. Feel free to add to any notes you took during the previous lab with information you discover in this lab.
Information covered in this lab:
Preprocessing with Volatility, using the NetScan, PsTree, PsList, CmdLine, FileScan, and DllList plugins to save results to text files
Preprocessing with the strings command, including strings -e l and strings -e b
Examining network connections
Examining processes
Examining loaded DLLs
Examining Command Lines
Examining Strings
GCIH - lab 1.4 - Malware Investigation
Description:
In this lab you will continue investigating the Falsimentis incident by examining some of the malware used by the Midnite Meerkats.
Information covered in this lab:
Calculate hash sums with Get-FileHash
Examine malware strings with strings.exe
Examining registry and file system changes with regshot
Examine process activity with procmon.exe
GCIH - lab 2.1 - Nmap
Description:
In this lab, you will evaluate several of the features of Nmap for host discovery, port scanning, and service enumeration.
Information covered in this lab:
Host discovery with nmap -sn
Port scanning with nmap -sT
Version scanning with -sV
Script scanning with -sC and --script
GCIH - lab 2.2 - Cloud Scanning
Description:
In this lab, you will scan a large range of IP addresses simulating a cloud environment to identify a previously unknown Falsimentis server using Masscan, TLS-Scan, jq, and Nmap.
Information covered in this lab:
Enumerate cloud targets with masscan
Build a target IP list with awk
Collect TLS information with tls-scan
Conduct target attribution with jq
Target data collection with nmap
GCIH - lab 2.3 - SMB Security Investigation
Description:
SMB is a widely used protocol in many network environments. Understanding the essential tools and tactics used to enumerate and attack SMB servers is valuable for understanding how attackers exploit SMB targets.
Information covered in this lab:
Identify target IP address with nmap
Enumerate shares with smbclient utility
Connect to target share
Download directories and files from a share with get and tar commands
GCIH - lab 2.4 - Windows threat analysis with Hayabusa
Description:
In this exercise, you will use Hayabusa to evaluate Windows 10 event log records as part of an incident response investigation. You will use the output of Hayabusa in Timeline Explorer to identify the attack activity details.
Information covered in this lab:
Assess event logs
View Hayabusa CSV output in Timeline Explorer
GCIH - lab 2.5 - Netcat’s many uses
Description:
Netcat is a powerful tool. In this lab, you will use four different modes of Netcat:
Mode 1: Making connections to open ports
Mode 2: Data transfer (moving files)
Mode 3: Backdoors
Mode 4: Relays
Information covered in this lab:
Making connections with a client and a listener, using commands like nc -l -p
Data transfer: pulling and pushing files
Creating a Linux backdoor
Creating a reverse Windows shell
Create a one way relay and a full relay using a pivot system
Utilize named pipes
GCIH - lab 3.1 - Password Attacks with Legba
Description:
In this lab, you'll apply several varieties of online password attacks using Legba.
Information covered in this lab:
Legba -U
Legba -P
Legba -T
GCIH - lab 3.2 - Attacking Microsoft 365 passwords
Description:
In this Cloud Spotlight lab you will implement a password spray attack against our simulated Microsoft 365 target server, using MSOLSpray and FireProx to evaluate and recover login credentials against Falsimentis Corporation.
Information covered in this lab:
Harvest emails with CeWL
Invoke-MSOLSpray -UserList
FireProx
Creating an AWS API Gateway endpoint with FireProx
GCIH - lab 3.3 - Hashcat
Description:
In this lab exercise, you will conduct an assessment of domain passwords for the Falsimentis wholly-owned subsidiary Wardrobe99. You will use Hashcat to recover passwords from the hash data retrieved from the Wardrobe99 domain controller.
Information covered in this lab:
Identify hash types with hashcat --identify
Crack passwords with -a 0 straight attack
Show cracked passwords with --show and --username
Show uncracked passwords with --left
GCIH - lab 3.4 - Metasploit Attack and Analysis
Description:
In this lab, we'll attack the Windows VM from the Linux VM. In doing so, we'll expose you to some of the features of Metasploit. You will learn what skillful attackers can do to a victim system. Additionally, you'll see that even advanced attackers will leave traces that skillful defenders can use to track what the adversary is doing.
Information covered in this lab:
msfconsole
psexec exploit
Configuring exploit parameters
Meterpreter host interrogation
Meterpreter process interrogation
Process migration for privilege escalation
GCIH - lab 3.5 - BeEF for browser exploitation
Description:
BeEF, the Browser Exploitation Framework, is a great tool for attacking a victim's browser and can be used to conduct client-side social engineering attacks that are very difficult for almost any user to detect.
Information covered in this lab:
Creating and hosting malware with msfvenom
GCIH - lab 4.1 - forced browsing and insecure direct object reference attacks
Description:
In this lab we'll explore two common web application vulnerabilities: forced browsing and insecure direct object reference (IDOR) attacks. We'll introduce the Falsimentis Customer Support website, a target web application that we'll use for several lab exercises.
Information covered in this lab:
Forced browsing discovery with ffuf
ffuf -w
ffuf -u
cURL command line tool
ffuf with seq (sequence tool) to generate number patterns for IDOR attacks
Filtering ffuf response codes with -fc
GCIH - lab 4.2 - command injection attack
Description:
In this lab you will continue to explore the Falsimentis Support Website to identify a command injection vulnerability. We will be using the command injection vulnerability to get a reverse TCP shell from the target system.
Information covered in this lab:
Command injection with the semicolon (;), double ampersand (&&), double pipe (||), and single pipe (|)
GCIH - lab 4.3 - cross-site scripting attack
Description:
In this lab we will continue to explore the Falsimentis Customer Support portal. This time we will identify and exploit vulnerabilities relating to a Cross-Site Scripting (XSS) attack.
Information covered in this lab:
Creating alerts from an input field with JavaScript code exploiting an XSS vulnerability
GCIH - lab 4.4 - SQL injection attack
Description:
In this lab you will continue to explore the Falsimentis Customer Support portal to identify a SQL injection vulnerability. You will assess the vulnerability to determine what database information is accessible, then exploit the vulnerability to retrieve the contents of a database table with password hash information.
Information covered in this lab:
sqlmap
Database enumeration with sqlmap --dbs
Table enumeration with sqlmap -D and --tables
Data extraction with sqlmap -D, -T, and --dump
GCIH - lab 4.5 - cloud SSRF and IMDS attack
Description:
In this lab, you will evaluate the intern.falsimentis.com server, leveraging a Server-Side Request Forgery (SSRF) attack to gain access to Instance Metadata Service (IMDS) data.
Information covered in this lab:
Use an SSRF vulnerability to exfiltrate data from a server
GCIH - lab 4.6 - cloud bucket discovery
Description:
In this lab, you will use the simulated cloud environment to identify and assess the threat of misconfigured cloud storage buckets.
Information covered in this lab:
Create a bucket with the aws s3 mb command
Copy a file to a bucket with the aws s3 cp command
List buckets with the aws s3 ls command
Bucket discovery with bucket_finder.rb
Bucket discovery using CeWL to create a word list
GCIH - lab 5.1 - application allowlist bypass
Description:
In this lab exercise you will evade Windows AppLocker, an application allowlist tool, by creating a custom program and executing code using Living off the Land (LOL) techniques. After the lab you will examine the system for Indicators of Compromise (IOCs) that you can use to detect this attack in a production environment.
Information covered in this lab:
Create a custom exploit and run it using msfvenom, csc.exe, and InstallUtil.exe
GCIH - lab 5.2 - pivot exploitation
Description:
Using an initial compromise, attackers can pivot to previously inaccessible internal targets. In this lab exercise, you will use Metasploit to compromise an accessible host, then use the compromised system to pivot and access a secondary host that is not initially accessible.
Information covered in this lab:
Use msfconsole with the sshexec exploit to connect to a pivot point
Creating a route from the pivot point to the target with the sshexec exploit
Use Metasploit as a port scanner with the auxiliary/scanner/portscan/tcp module
GCIH - lab 5.3 - responder attack
Description:
In this lab you'll conduct a post-exploitation attack against multiple clients on the internal network using Responder.
Information covered in this lab:
responder.py -I
GCIH - lab 5.4 - establishing persistence with Metasploit
Description:
In this lab exercise you'll work with the Slingshot Linux VM as an attacker, and the Windows 10 VM as a victim, using Metasploit to establish persistent access to the compromised system. After establishing persistence, you'll look at the analysis opportunities available as an incident responder to identify this adversary tactic.
Information covered in this lab:
Adding a local user on the target from Meterpreter
Using the persistence_service exploit
GCIH - lab 5.6 - cloud configuration assessment
Description:
In this lab, you will evaluate the Falsimentis AWS cloud assessment data generated by CloudMapper and ScoutSuite.
Information covered in this lab:
CloudMapper
ScoutSuite
GSEC - lab 1.1 - tcpdump
Information covered in this lab:
BPF filters
The following parameters: -n, -r, -i, -c, -#
GSEC - lab 1.2 - Wireshark
Information covered in this lab:
Building a display filter
Examine a reassembled TCP stream
Capture traffic
Extract files from a packet capture
GSEC - lab 1.3 - AWS VPC Flow Logs
Information covered in this lab:
Observe traffic summaries from AWS cloud instances
Identify outlier conversations
Compare and contrast observations with captures viewed in tcpdump and Wireshark
GSEC - lab 2.1 - password auditing
Information covered in this lab:
Understand hash formats and construction
Learn how to extract hashes for password cracking
Crack password hashes utilizing multiple approaches
Gain familiarity with two password cracking utilities, John and Hashcat, along with their associated conversion utilities
GSEC - lab 2.1 - data loss prevention
Information covered in this lab:
Examine metadata and watermark information of a file to help determine who created it
Differentiate between overt, contextual, and hidden markers that could be present in a file
grep
exiftool
GSEC - lab 2.3 - mobile device backup recovery
Information covered in this lab:
Use PowerShell to obtain the hash of any leaked company files
Understand the structure of iOS backup data
Get-FileHash
iBackupBot
GSEC - lab 3.1 - Network discovery
Information covered in this lab:
Discover hosts and services on a network
Determine what operating system is installed on discovered hosts
Identify service anomalies based on assigned service port numbers
Compare current scans to previous scans to help identify changes to system configuration
Nmap
The following parameters: -sT, -sS, -sV, -sU, -n, -p, -v, -oG
GSEC - lab 3.2 - binary file analysis and characterization
Information covered in this lab:
Analyze a potentially suspicious executable
Learn various techniques and tools for analysis
Learn how to use PowerShell to perform analysis from the command line
strings command
Get-FileHash
virustotal.com
GSEC - lab 3.3 - web app exploitation
Information covered in this lab:
Evaluate normal operation of a web application
Understand common mistakes made in web applications in order to uncover unforeseen vulnerabilities
Attempt to inject SQL commands to extract data from a back-end database
GSEC - lab 3.4 - SIEM log analysis
Information covered in this lab:
Elastic Stack SIEM
Understand the value of centralized logging and how a SIEM can make large data sets more approachable
Identify evidence of attacker targeting and methodologies
Identify anomalies in logged data to generate investigative leads
GSEC - lab 4.1 - hashing and cryptographic validation
Information covered in this lab:
GPG (GNU Privacy Guard)
Understand how the hash of a file can be used to uniquely identify its contents
Create a cryptographic signature using a public key encryption algorithm
Use cryptographic signature validation to confirm content integrity and originator
GSEC - lab 4.2 - encryption and decryption
Information covered in this lab:
GPG (GNU Privacy Guard)
Demonstrate the value of encryption at rest as it protects stored data
Compare and contrast symmetric versus asymmetric encryption
Decrypt a file
Encrypt and send a file
GSEC - lab 4.3 - intrusion detection and network security monitoring with Snort and Zeek
Information covered in this lab:
Use Snort to process a packet capture and generate alerts
Understand the structure of an alert message
Perform simple analysis of alert messages
Understand the structure of a Snort rule
Create rules to find interesting traffic
Generate Zeek logs from a packet capture
Perform correlation with Snort and Zeek
GSEC - lab 5.1 - Windows process exploration
Information covered in this lab:
PowerShell
Use System Informer to review the extensive details of Windows processes
Locate suspicious processes that exhibit behaviors that vary greatly from others
Review memory contents to find signs of network communications or associated files
GSEC - lab 5.2 - Windows filesystem permissions
Information covered in this lab:
Understand the difference between share and file system permissions
Identify improperly set permissions in a standard Windows location
Repair and remediate incorrect permissions
Get-Acl
Get-LocalGroupMember -name
Get-SmbShare
Get-SmbShareAccess -name
GSEC - lab 5.3 - applying Windows system security policies
Information covered in this lab:
Understand the value of security templates in applying consistent security-related settings to a Windows system
Apply security-related settings on a system to conform to a desired state
Validate that security-related settings on a system match a desired state
secedit.exe
GSEC - lab 5.4 - PowerShell for speed and scale
Information covered in this lab:
PowerShell ISE
Use PowerShell for general system configuration and evaluation
Query hosts for possible attack artifacts
Get-Process
Get-Service
Where-Object -Property
GSEC - lab 6.1 - Linux Permissions
Information covered in this lab:
Gain an understanding of Linux file permissions
Become familiar with the tools available to manipulate permissions
Examine the effects of the set-UID, set-GID, and sticky permissions
umask
chmod
GSEC - lab 6.2 - Linux containers
Information covered in this lab:
Gain a working understanding of accessing containers on Linux hosts
Gain an understanding of Docker logging for Linux-based containers
Learn how to differentiate between local logging within a container and logging from a container to an external source, both local and remote
docker exec -it
The docker command and its -f parameter
GSEC - lab 6.3 - Linux logging and auditing
Information covered in this lab:
Examine artifacts of specific types of system activity found in common log evidence
Become familiar with the detailed auditd logs found in Linux
Leverage shared cyber threat intelligence in the form of Sigma log analysis rules
aureport utility
ausearch tool
Zircolite