Incident Detection/Response

-----

Lockheed Martin Attribution Model
Reconnaissance - How they target and gather information
Weaponization - How they obscure the payload/exploit
Delivery - Method in which the payload/exploit is leveraged
Installation - Commonly used location on system(s) for backdoors/tools
Command & Control (C2) - Communication method employed to phone home and get orders
Actions on Intent - Habits of the adversary once a foothold is achieved

-----

posted by smettler
McAfee .bup files can be extracted using "7z"; then XOR the extracted files (Details, File_0, etc.) with 0x6a/106.

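Added example (not code from smettler's post): a small Python helper that decodes the streams 7z pulls out of a .bup with the 0x6A key and parses the Details stream. The stream names follow the post; the INI field names (DetectionName, OriginalName) and the sample record are assumptions constructed for illustration.

```python
"""Decode streams that 7z has extracted from a McAfee quarantine (.bup) file.

Assumes the layout described in the post: extraction yields streams named
"Details", "File_0", "File_1", ... and each stream is XORed with the single
byte 0x6A (106). The Details field names used below are assumptions.
"""
import configparser
from pathlib import Path

BUP_XOR_KEY = 0x6A  # 106 decimal, per the post


def xor_decode(data: bytes, key: int = BUP_XOR_KEY) -> bytes:
    """XOR every byte with the key. Single-byte XOR is its own inverse,
    so the same call both encodes and decodes a stream."""
    return bytes(b ^ key for b in data)


def parse_details(decoded: bytes) -> dict:
    """Parse the decoded Details stream (INI-like text) into
    {section: {key: value}} so detection metadata can be read directly."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep key case exactly as written in the stream
    parser.read_string(decoded.decode("utf-8", errors="replace"))
    return {section: dict(parser[section]) for section in parser.sections()}


def decode_extracted_bup(extract_dir: Path) -> dict:
    """Decode every stream 7z wrote into extract_dir, write each result next
    to it as <name>.decoded, and return {stream name: decoded bytes}."""
    decoded = {}
    for stream in sorted(extract_dir.iterdir()):
        if stream.is_file() and not stream.name.endswith(".decoded"):
            decoded[stream.name] = xor_decode(stream.read_bytes())
            (extract_dir / f"{stream.name}.decoded").write_bytes(decoded[stream.name])
    return decoded


# Constructed sample standing in for a real Details stream (not a real
# quarantine record), XORed here the way a .bup stores it on disk.
SAMPLE_DETAILS = (
    "[Details]\nDetectionName=EICAR test file\nTime=20240101 120000\n"
    "[File_0]\nOriginalName=C:\\Users\\user\\Downloads\\eicar.com\n"
)
ENCODED_SAMPLE = xor_decode(SAMPLE_DETAILS.encode())  # encode == decode for XOR


if __name__ == "__main__":
    info = parse_details(xor_decode(ENCODED_SAMPLE))
    print(info["Details"]["DetectionName"], "->", info["File_0"]["OriginalName"])
```

Point decode_extracted_bup at the directory 7z extracted into; each stream gets a .decoded sibling, and Details.decoded is what parse_details reads.
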
-----

Live Response on Cisco IOS

show version
show interfaces
show running-config
show tcp brief all
show startup-config
show ip sockets
show reload
show ip nat translations verbose
show ip route
show ip cache flow
show ip arp
show ip cef
show users
show snmp user
show logging
show snmp group
show ip interface

Compare hashes of the running and startup configuration against known-good baselines

-----