My Review of the eCIR Exam & How to Prep for the Exam

Name: My Review of the eCIR Exam & How to Prep for the Exam
Uploaded: 2025-01-14T20:52:14.000Z
Duration: 3 h 30 min 12 s
Description: I forgot to say you only have a total of 4 days access for the exam. - 2 days for the labs - 2 days for the report

Introduction and Overview

Opening Remarks

Peaceful greeting and acknowledgment of the time since the last meeting. The speaker expresses being busy recently and invites questions from attendees.

Discussion on the "Okay" Certificate

Understanding the "Okay" Certificate

The "Okay" certificate is described as challenging, with a passing score set at 60 points. It requires significant effort to achieve this certification.

Dashboard Features

The dashboard includes a ready-made division for “X,” which helps users navigate through various technological classifications related to their tasks. Users can find specific hosts within this framework.

Domain Controllers Explained

Domain Structure

Explanation of domain controllers, including distinctions between parent (father) domains and child (son) domains, emphasizing their hierarchical relationship in network management.

Visual Aids and Screen Sharing

An apology for not sharing the screen earlier; reassurance that the session is recorded for later review, allowing participants to revisit explanations provided during the discussion.

Exam Preparation Insights

Exam Process Overview

Participants are guided on how to prepare for an exam by utilizing specific files once they reserve their spot, highlighting essential steps in navigating through exam requirements effectively.

Scenario Analysis

Discussion about different scenarios presented in exams, particularly focusing on understanding what constitutes success or failure based on given criteria (e.g., scenario 1). Emphasis on explaining these concepts clearly to others involved in the process.

Technical Aspects of Exam Execution

Utilizing Dashboard Tools

Instructions on using detection modes within dashboards during exams, including how to select hosts and execute queries effectively while taking screenshots as needed for documentation purposes.

VPN Configuration Considerations

How to Use OpenVPN in Egypt

Connecting to OpenVPN

To connect to OpenVPN in Egypt, a mediator is required due to its blockage. Windows Crypto is recommended as an effective VPN alternative.

Windows Crypto offers a simple connection process and provides 10 GB of free data, which is more than sufficient for the exam that typically requires only 1-2 GB.

If issues arise during connection, users should check server status; a green indicator signifies everything is functioning correctly.

Troubleshooting Connection Issues

Users are encouraged to verify their IP address after connecting to ensure it matches the expected output.

For Linux users, adjustments must be made in settings by changing the adapter to NAT mode for proper functionality with OpenVPN.

Setting Up on Linux

The NAT setting allows Linux systems to utilize the same block IP as Windows, ensuring compatibility with Windows Crypto VPN.

Confirming that both systems share the same IP indicates successful setup and connectivity.

Using OpenVPN Effectively

It’s crucial to configure network settings properly; if unsure about setup procedures, guidance can be sought from available resources.

Users should ensure they have the correct files needed for connection and understand how commands work within their operating system.

Exam Preparation Insights

The discussion emphasizes using specific commands like Sudo OpenVPN followed by file paths for establishing connections during exams.

How to Structure a Report on Machine Analysis

Steps for Reporting Findings

The report should include a clear explanation of the findings, such as file names and their relevance. It's important to document each step taken during the analysis.

Organizing steps in a non-linear fashion is acceptable; focus on capturing all relevant actions rather than strict order.

Emphasize extracting as much information from the machine as possible, including whether it functions as intended or not.

Key Elements of the Report

Include screenshots of significant findings, particularly those that demonstrate key functionalities or issues within the code.

Provide a summary description above conclusions, detailing what was discovered about the machine's operations and any notable behaviors observed.

Documenting Technical Details

After compiling your report, include specific queries used during analysis and any logs that were generated (e.g., MLIS).

Create tables summarizing critical data points like file names and MD5 hashes to provide clarity on what was analyzed.

Use tools like VirusTotal to verify file integrity by checking MD5 hashes against known databases for malicious content.

Handling IP Addresses

If an IP address is identified during analysis, document its public status and any open ports associated with it for further investigation.

Clearly state findings regarding open ports and firewall configurations related to devices under review in your report format.

Final Thoughts on Reporting

Acknowledge different machines involved in analysis (e.g., Windows 10 vs. Windows Server), ensuring comprehensive coverage in reports submitted for evaluation.

Confirm that all necessary components are included in your report template; this may vary across different machines but should maintain core elements consistently.

Be flexible with hash types documented (MD5 or SHA256), adapting based on what is most relevant for your analysis context.

Understanding Cybersecurity Stages

Overview of Cybersecurity

Cybersecurity involves various stages that a hacker goes through to gain access to a system and achieve their goals.

Stages of Cybersecurity

The first stage is Recon, where information gathering occurs. This is crucial for understanding the target system.

The second stage is Developing Access, which allows the hacker to penetrate the device or system effectively.

The third stage is Action, where commands are executed, such as downloading files or executing malicious tasks within the system. This includes attempts to escalate privileges, like becoming an administrator.

Techniques for Gaining Access

Hackers can create persistent access through techniques like scheduled tasks, which execute specific actions at defined intervals (e.g., every 50 seconds). This method ensures that malicious activities continue even after reboots.

Registry Manipulation

A key aspect of maintaining control over a compromised system involves manipulating the Windows registry, particularly using keys like "Run" and "RunOnce." These allow programs to start automatically when the device boots up. Understanding this process is essential for cybersecurity awareness and defense strategies.

Startup Management

Cybersecurity Techniques and Event Codes Overview

Understanding Cybersecurity Techniques

The speaker emphasizes the importance of mastering key cybersecurity techniques, including access methods and event code recognition. They highlight four critical techniques that should be well understood.

Event Code Detection

The discussion shifts to how detection can be achieved through event codes, with a focus on network activity access. The speaker mentions specific event codes like M4624 and others as essential for understanding system activities.

Detailed Knowledge of Event Codes

A deeper dive into various event codes is presented, indicating their relevance in cybersecurity practices. The speaker expresses confidence in their understanding of these codes and their application in different scenarios.

Practical Application in Labs

The speaker discusses solving labs related to cybersecurity, emphasizing the practical sessions designed to cover extensive topics within the field. These sessions are framed as crucial for hands-on learning.

Importance of Investigation Scenarios

An important resource is mentioned that provides written accounts or investigation scenarios relevant to cybersecurity challenges. This resource is described as beneficial for understanding complex situations like those involving secret operator groups.

Key Event Codes for Exams

Specific event codes are highlighted as vital for exam preparation, including 4104 and 4103. The speaker stresses the need to memorize these codes due to their frequent appearance in assessments.

Active Directory Attacks Focus

There’s a clarification regarding exam content focusing more on active directory attacks rather than general active attacks, suggesting a strategic approach to studying based on exam patterns.

Stages of Investigation

The stages involved in conducting investigations are outlined, with an emphasis on remote access commands and schematic representations that aid in understanding attack vectors.

Essential Commands and Codes

Various command codes are discussed that facilitate remote access operations within cybersecurity frameworks. These commands are deemed essential for effective practice.

Recap of Important Codes

Understanding SISM 13 and Command Line Techniques

Overview of SISM 13

The speaker discusses the log format for SISM 13, expressing a preference for it over other versions like 4000 due to its comprehensive information.

The command line tool "rigged DD" is introduced, which allows users to modify or delete registry entries effectively.

Registry Modifications

An example is given where a key named "run run and forget" was added with the value "Bad Wolf," indicating how modifications can be tracked through event codes.

The speaker confirms that they found evidence of the process "Bad Wolf" in Event Code Process Creation, linking it to PowerShell activities.

Techniques Used in Analysis

A technique called Hash and Packet is mentioned as a method for transferring data between devices within a domain.

The speaker emphasizes the importance of understanding report reading techniques to extract valuable insights from logs.

Event Codes and Detection Methods

Understanding Event Codes

Event Code 4624 is highlighted as significant for detecting new sessions or processes, referred to as Loop 9.

The concept of bookmarks for sites explaining attack vectors related to hashes is introduced, suggesting further research into these topics.

Local Security System Insights

Discussion on local security system services reveals that they store critical actions similar to databases but are not traditional databases themselves.

Password hashes are explained as being stored within active directory databases, crucial for understanding security measures.

Hashing Techniques and Resource Extraction

Hashing Mechanisms Explained

The process of creating password hashes using database resources is discussed, emphasizing their role in security protocols.

A detailed explanation follows on how successful extraction leads to resource access, highlighting the significance of hash manipulation in cybersecurity efforts.

Indicators of Compromise

Observations about attempts made during attacks are shared, noting specific indicators that suggest unusual activity within logs.

Hash Attacks and Techniques Overview

Understanding Hash Attacks

The discussion begins with an indicator on hash attacks, specifically mentioning "yb" as a key element. A log is referenced that contains important information related to the attack.

The speaker suggests postponing a detailed discussion on this technique, noting it has not appeared in exams previously. They emphasize focusing on more relevant techniques.

Key Techniques to Focus On

Three primary techniques are highlighted:

Golden Ticket Attack

Deek Tamam Attack

These are deemed easier and more likely to appear in examinations.

Analyzing Access Logs

The speaker encourages thorough analysis of logs, indicating that they can reveal whether access was granted or denied based on specific share names.

Emphasis is placed on understanding how data was accessed and manipulated through various commands and scripts.

Data Collection Methods

A program used for data collection is mentioned, which compiles information into a Zip file. This highlights the importance of understanding data aggregation methods during investigations.

The speaker discusses using command line tools to track actions taken during sessions, emphasizing the significance of monitoring event actions for security purposes.

Network Activity Insights

Network activity during investigations is analyzed, distinguishing between different types of network beacons (e.g., cable strike beacon vs. normal).

The role of domain controllers and file servers in communication processes is explained, providing context for their relevance in security assessments.

Resources for Exam Preparation

Advanced Attacks in Cybersecurity Exams

Overview of Advanced Attacks

The discussion begins with the introduction of advanced attacks that candidates may face during cybersecurity exams, specifically mentioning a tool called "Li Li of the Landy Pinner."

Understanding Windows Tools

The speaker explains that certain tools are inherently part of Windows, which attackers can exploit. These tools include CMD and PowerShell, which come pre-installed with the operating system.

Attackers can utilize these built-in tools to gather information about devices without needing additional installations, making them readily accessible for malicious purposes.

Command Line Utilities

The importance of command line utilities is highlighted; for instance, PowerShell scripts can be written to automate tasks such as gathering device information.

The speaker emphasizes that command line interfaces allow modification and interaction with system settings, which can be leveraged by attackers.

Practical Applications in Scenarios

An example is provided where an attacker might use these tools to execute commands that modify or delete system configurations without triggering security alerts.

It is noted that candidates will encounter scenarios involving these advanced attacks during their exams, particularly in scenario 1 where domain-hosted applications may be targeted.

Component Object Model (COM)

The discussion transitions to the PMI filter and double MI consumer concepts derived from Microsoft's Component Object Model (COM), explaining its role as a bridge between software processes.

Candidates will need to understand how these components interact within specific scenarios outlined in their exams, particularly focusing on event codes related to actions taken by attackers.

Event Codes and Conditions

A detailed explanation follows regarding how attackers set conditions using filters; for example, they might trigger actions based on whether certain processes are running or specific logs are generated.

Understanding Cyber Defense and Command Operations

Overview of Command Usage

The speaker discusses the importance of using specific commands to understand actions taken on a system, emphasizing that these commands can reveal operations such as defeats in cyber scenarios.

A mention of COM objects indicates that understanding these components is crucial for effective command execution within Windows environments.

Practical Application of Commands

The speaker highlights the practical aspect of using commands to retrieve information about running processes, suggesting a hands-on approach to learning.

An example is given regarding normal boot conditions and how they relate to system functionality, illustrating the need for awareness in operational states.

Exam Preparation Insights

Key actions that could impact exam performance are discussed, stressing the necessity of understanding action procedures and various codes like GT, TGS, DCA, and their relevance in cybersecurity contexts.

The speaker emphasizes studying event codes thoroughly as part of preparation for exams related to cyber defense.

Investigative Techniques

The process begins with investigating one machine at a time rather than multiple systems simultaneously. This methodical approach ensures thoroughness in analysis.

Focus is placed on identifying critical elements such as event IDs during investigations, which are essential for understanding system events and anomalies.

Utilizing Resources Effectively

The speaker encourages utilizing blogs or resources that compile event codes before exams to enhance understanding and retention.

Investigation of IP and File Drops

Understanding the Context

The speaker discusses having 5,000 logs but only five IDs, indicating a need to analyze data more effectively.

A public IP is identified for scanning; initial results suggest it may be clean, prompting further investigation into file drops associated with this IP.

Analyzing File Drops

The speaker notes that there are 500,000 events linked to the identified IP, suggesting potential communication with a Command Control (C2).

An image process related to the suspicious IP is examined; unusual naming conventions raise red flags about its legitimacy.

Confirming Suspicious Activity

The speaker confirms that the process name does not match typical expectations, reinforcing suspicions about malicious activity.

A screenshot of findings is suggested as a method for documentation and further analysis.

Investigative Techniques

When encountering missing information on a host, the speaker recommends using code to retrieve all logs related to the processor.

The importance of thorough searching within domain control systems is emphasized as part of effective investigation practices.

Final Steps in Investigation

The speaker highlights finding connections and paths related to suspicious files during their investigation.

Investigation Techniques Using Event Codes

Understanding Event Codes and Task Categories

The discussion begins with the importance of event codes in initiating investigations, specifically mentioning "event code 3" as a starting point for cyber detection.

The speaker introduces the concept of "task category," which indicates the type of activity occurring on a machine, such as network or login activities.

It is emphasized that task categories can reveal specific types of activities, like login attempts, which are crucial for understanding potential security incidents.

The speaker notes that task categories help identify file activities and suggests looking into these categories to uncover relevant logs or events related to suspicious actions.

A critical insight is shared about identifying remote command execution through specific event codes (e.g., 4104), highlighting how PowerShell can be used maliciously.

Investigative Steps and Analysis

The process of investigation involves examining hosts and analyzing traffic patterns associated with various event codes to determine their significance.

The speaker advises against rushing investigations; instead, one should carefully analyze each event code's relevance to ensure thoroughness in findings.

An example is given regarding event code 11 indicating file creation, suggesting that this could lead to discovering unauthorized files created via PowerShell commands.

There’s an emphasis on checking disk usage and file names during investigations to identify any anomalies or suspicious files present on the system.

The importance of hashing files for virus checks is discussed, along with the need to investigate registry modifications indicated by certain event codes.

Final Thoughts on Investigation Practices

The speaker reflects on the necessity of examining target file names closely during investigations for any unusual entries that may indicate malicious activity.

It’s noted that not finding a virus does not guarantee safety; further investigation into registry changes is essential for comprehensive analysis.

A warning about registry modifications (event code 13), which could signify harmful alterations made by attackers, highlights the need for vigilance in monitoring system integrity.

Training on the Best Platforms

Overview of Event Code and Training Platforms

The speaker discusses the importance of understanding event codes, specifically mentioning code 4104, which relates to a specific task. They encourage participants to ask questions if they have any.

The speaker emphasizes that there are no questions as long as participants understand the features being discussed. They recommend the Subar Defender platform as the best training resource for young people.