CYBERSECURITY JOB HUNTING GUIDE
  • Home
  • Introduction
    • Things you should know
    • The strategy
  • Paths into Cybersecurity
    • First steps
    • SWOT Analysis
    • How much time do you need?
    • Calculate& Evaluate Knowledge
    • Imposter syndrome
    • Time Management
    • Cybersecurity Domains
    • Cloud Security
    • Financial advice >
      • Credit score
    • The salary
    • Advocacy for underrepresented groups
  • Goal Setting & Career paths
    • Find your career in 5 steps
    • Cybersecurity career options
    • Career finding with LinkedIn
    • Transferable Skills (general)
    • Transferable IT Skills
    • Find a path with job descriptions
    • The I do not know path
    • Do you know “garbage” jobs?
    • “Bonus” knowledge
    • Learning & Motivation
    • Particular vs. any job
    • Pentester path (start)
    • Pen Testing as Career
    • SOC Analyst as career
    • Security Engineer as career
    • Compliance & Risk as career
    • How to find a career (IAM Engineer)
    • Find a company
  • Networking
    • Networking like a pro
    • LinkedIn
    • Referrals & Skills
    • LinkedIn Recruiters >
      • Working with a recruiter
    • Cyber Community
    • Networking University
    • Mentoring
    • Build your personal brand
    • Goal of Networking
  • Hands-on
    • The home lab >
      • Designing a home lab
      • Ways to create a home lab
      • Hypervisors >
        • VirtualBox
        • VMWare Player
        • QEMU/KVM
      • Docker
      • Operating Systems >
        • Kali Linux >
          • Installing Kali with VirtualBox
        • Parrot
        • BlackArch
        • Red Hat Enterprise Linux >
          • RHCSA
        • Security Onion >
          • Installation Security Onion
        • Metasploitable2
        • Ubuntu
        • Windows >
          • Windows in a VM
          • Windows with Virtual Machine Manager
          • Preparing Windows logging
          • John Strand's ADHD VM
      • Firewalls >
        • pfSense Installation
        • pfSense configuration for Security Onion
    • Volunteer Work
    • Note Taking
    • Red labs >
      • Cyberseclabs
      • HackTheBox >
        • HackTheBox Academy
      • INE red side
      • RangeForce
      • Offensive Security
      • TryHackMe
      • Virtual Hacking Labs
    • Red tools & techniques >
      • Atomic Red Team
      • DVWA
      • Metasploit
      • OSINT tools
      • OWASP Juice Shop
    • Blue labs >
      • Blue Team Labs Online
      • DetectionLab (free)
      • INE
      • Letsdefend >
        • LetsDefend password stealer
      • Opensecuritytraining (free)
      • PurpleLabs
      • RangeForce
    • Blue tools >
      • Install a Canary Token
      • CyberChef
      • EDR Lima Charlie installation
      • EDR LimaCharlie configuration
      • EDR Velociraptor (free)
      • EDR Bluespawn (free)
      • DeepBlueCLI (logs Powershell, free)
      • Raccine (ransomware protection, free)
      • Install RITA (detects C2 traffic, free)
      • Sandboxes >
        • Joe's Sandbox
      • SIEM ELK Stack
      • SIEM Graylog >
        • Getting started with Graylog
        • Install Graylog
        • Graylog Windows agent
        • Graylog Linux agent
        • Graylog as application
      • Suricata with RangeForce
      • Identifying IoCs with RangeForce
      • What2Log
  • Certifications, Degree & Courses
    • Overview
    • Free & Affordable Resources
    • Pick your cert
    • Skill Assessment
    • Get a cheap degree
  • (Employment) fraud & scams
    • Suspicious Offer
    • Second Offer
    • Certification Scams
    • Fraud with courses
  • Analyzing a job ad
    • The Header
    • Building a Bridge
    • The Responsibilities
    • Desired Skills
    • Preferred Qualification
    • Benefits
    • Own skills vs job ad
    • Dealing with poorly written job ads
  • Resume writing
    • Templates
    • Building a draft
    • Resume in Detail
    • Understand the company
    • ATS and tailoring
    • Last Step
  • Cover letter
    • Writing a cover letter
  • Preparation & Interview
    • Organize your job hunt
    • SWOT Again (interview)
    • Twitter
    • The interview
    • Interview Questions Designed To Trick You
    • Post interview tasks
  • I did it all, but...
    • You are not alone
    • Try Something New
    • Why You'll Fail in Cyber Security
  • Yes, I got a job!
    • Two, or more offers?
    • Continued learning
    • Moving up
    • Lessons learned
  • Conclusion
  • Additional things
    • Reviews (labs, courses, certs) >
      • CompTIA A+
      • CompTIA Network+
      • CompTIA Security+
      • CompTIA Server+
      • CompTIA PenTest+
      • DroneSec DSOC
      • Defensive-Security Purple Labs
      • FAA Part 107
      • INE eCPPT & PTP
      • Letsdefend review
      • Microsoft AZ-500
      • RangeForce SOC 1
      • RangeForce SOC 2
    • Work In A Different Country >
      • The Work Permit
      • Working in the US
      • Studying in the US
      • Studying in Germany
      • Work in a different country
    • Other Resources >
      • Useful Links >
        • All about careers
        • Red resources
        • Blue resources
      • YouTube
      • Twitch
      • Podcasts
      • Books
      • Udemy
      • Thanks
    • Contributors
  • Stefan Waldvogel, where can I help?
  • Home
  • Introduction
    • Things you should know
    • The strategy
  • Paths into Cybersecurity
    • First steps
    • SWOT Analysis
    • How much time do you need?
    • Calculate& Evaluate Knowledge
    • Imposter syndrome
    • Time Management
    • Cybersecurity Domains
    • Cloud Security
    • Financial advice >
      • Credit score
    • The salary
    • Advocacy for underrepresented groups
  • Goal Setting & Career paths
    • Find your career in 5 steps
    • Cybersecurity career options
    • Career finding with LinkedIn
    • Transferable Skills (general)
    • Transferable IT Skills
    • Find a path with job descriptions
    • The I do not know path
    • Do you know “garbage” jobs?
    • “Bonus” knowledge
    • Learning & Motivation
    • Particular vs. any job
    • Pentester path (start)
    • Pen Testing as Career
    • SOC Analyst as career
    • Security Engineer as career
    • Compliance & Risk as career
    • How to find a career (IAM Engineer)
    • Find a company
  • Networking
    • Networking like a pro
    • LinkedIn
    • Referrals & Skills
    • LinkedIn Recruiters >
      • Working with a recruiter
    • Cyber Community
    • Networking University
    • Mentoring
    • Build your personal brand
    • Goal of Networking
  • Hands-on
    • The home lab >
      • Designing a home lab
      • Ways to create a home lab
      • Hypervisors >
        • VirtualBox
        • VMWare Player
        • QEMU/KVM
      • Docker
      • Operating Systems >
        • Kali Linux >
          • Installing Kali with VirtualBox
        • Parrot
        • BlackArch
        • Red Hat Enterprise Linux >
          • RHCSA
        • Security Onion >
          • Installation Security Onion
        • Metasploitable2
        • Ubuntu
        • Windows >
          • Windows in a VM
          • Windows with Virtual Machine Manager
          • Preparing Windows logging
          • John Strand's ADHD VM
      • Firewalls >
        • pfSense Installation
        • pfSense configuration for Security Onion
    • Volunteer Work
    • Note Taking
    • Red labs >
      • Cyberseclabs
      • HackTheBox >
        • HackTheBox Academy
      • INE red side
      • RangeForce
      • Offensive Security
      • TryHackMe
      • Virtual Hacking Labs
    • Red tools & techniques >
      • Atomic Red Team
      • DVWA
      • Metasploit
      • OSINT tools
      • OWASP Juice Shop
    • Blue labs >
      • Blue Team Labs Online
      • DetectionLab (free)
      • INE
      • Letsdefend >
        • LetsDefend password stealer
      • Opensecuritytraining (free)
      • PurpleLabs
      • RangeForce
    • Blue tools >
      • Install a Canary Token
      • CyberChef
      • EDR Lima Charlie installation
      • EDR LimaCharlie configuration
      • EDR Velociraptor (free)
      • EDR Bluespawn (free)
      • DeepBlueCLI (logs Powershell, free)
      • Raccine (ransomware protection, free)
      • Install RITA (detects C2 traffic, free)
      • Sandboxes >
        • Joe's Sandbox
      • SIEM ELK Stack
      • SIEM Graylog >
        • Getting started with Graylog
        • Install Graylog
        • Graylog Windows agent
        • Graylog Linux agent
        • Graylog as application
      • Suricata with RangeForce
      • Identifying IoCs with RangeForce
      • What2Log
  • Certifications, Degree & Courses
    • Overview
    • Free & Affordable Resources
    • Pick your cert
    • Skill Assessment
    • Get a cheap degree
  • (Employment) fraud & scams
    • Suspicious Offer
    • Second Offer
    • Certification Scams
    • Fraud with courses
  • Analyzing a job ad
    • The Header
    • Building a Bridge
    • The Responsibilities
    • Desired Skills
    • Preferred Qualification
    • Benefits
    • Own skills vs job ad
    • Dealing with poorly written job ads
  • Resume writing
    • Templates
    • Building a draft
    • Resume in Detail
    • Understand the company
    • ATS and tailoring
    • Last Step
  • Cover letter
    • Writing a cover letter
  • Preparation & Interview
    • Organize your job hunt
    • SWOT Again (interview)
    • Twitter
    • The interview
    • Interview Questions Designed To Trick You
    • Post interview tasks
  • I did it all, but...
    • You are not alone
    • Try Something New
    • Why You'll Fail in Cyber Security
  • Yes, I got a job!
    • Two, or more offers?
    • Continued learning
    • Moving up
    • Lessons learned
  • Conclusion
  • Additional things
    • Reviews (labs, courses, certs) >
      • CompTIA A+
      • CompTIA Network+
      • CompTIA Security+
      • CompTIA Server+
      • CompTIA PenTest+
      • DroneSec DSOC
      • Defensive-Security Purple Labs
      • FAA Part 107
      • INE eCPPT & PTP
      • Letsdefend review
      • Microsoft AZ-500
      • RangeForce SOC 1
      • RangeForce SOC 2
    • Work In A Different Country >
      • The Work Permit
      • Working in the US
      • Studying in the US
      • Studying in Germany
      • Work in a different country
    • Other Resources >
      • Useful Links >
        • All about careers
        • Red resources
        • Blue resources
      • YouTube
      • Twitch
      • Podcasts
      • Books
      • Udemy
      • Thanks
    • Contributors
  • Stefan Waldvogel, where can I help?
  CYBERSECURITY JOB HUNTING GUIDE

Joe's Sandbox

Author: Stefan Waldvogel

Solve a BTLO challenge with Joe's sandbox

Overview
This article is about Joe's Sandbox, and we use a BTLO challenge to see a "real-world" malicious script. BTLO is a training platform for blue knowledge. If you want to become a SOC Analyst, you can use this platform to brush up your hands-on ability. 
​
You need a *.edu email or a corporate email to create an account at Joe's. If you do not have a professional email, you can still follow this guide with this link: www.joesandbox.com/analysis/416466/0/html


Let us get ready
First, you need a free login for BTLO. You get it here: blueteamlabs.online/ and we do a modified version of the "Malicious PowerShell Analysis" module.
Picture
If you want to do that lab with the questions as the main focus and you need help, you can use Bohan's guide (bohansec.com/2021/04/30/Maclious-Powershell-Analysis-Video-Only/).
This guide focuses on Joe's Sandbox, and we just take the provided Powershell script and compare it to the questions.

Create an account for Joe's Sandbox
​If you are a student, you do not have a problem creating an account. You can use your student email. Joe's Sandbox does not accept Gmail and other private accounts. The link to create an account is here: www.joesandbox.com/register
Picture
Now we have everything to start and we can go back to BTLO.

Download the file
Download the provided zip file and unzip it. The password is btlo.
Picture
​Do not run this thing on your machine!
The next step is to rename the file extension for the ps_script.txt file. Right now, the ending is txt, and it should be .ps1
The reason is, if we upload this file to Joe's sandbox as a txt, notepad will open the script and not PowerShell. We need PowerShell to see the cool features.
You might ask, why BTLO deliver it as txt? The reason is: This script contains Emotet, a dangerous banking Trojan.
Again, do not run this file on your machine!

Upload the file
Picture
Sign-In and upload the file (1) for a Windows machine (2). Joe's Sandbox offers a lot of features. Most of them are available in the free version.
The red headline shows the most active threats, and you can click these and learn more about malware.
Right now, you hear a lot about AgentTesla.

Scroll down and click "Analyze." This takes time; we have to wait at least 2 minutes.
Picture
During your waiting time, check the status. We use an up-to-date Windows10 machine with some software on it. With the pro version, you can change this, but for our purpose, this is fine.
Picture
The results
The result looks like the following picture. The first impression, it is malicious, it is a Trojan, and it has evader features. The score is 100/100, and therefore, this script is not lovely.
You can click IOCs, and you see some connections. Switch back to Engines.
Click "Full Report," and we see more details.
Picture
Let us go through the output. The Overview section gives you a bigger idea. On the left side, you have some data for a report. Under Infos, you see small items representing a feature. Connection, injections, and more.
​
The Detection area gives you an idea about the general behavior. A score of 100% and a confidence of 100% is a strong indicator for a malicious file.
Picture
The following two fields go a bit more in detail. We see the reason why Joe's sandbox thinks this is malicious.
Most red signatures are based on URLs and domains. This malware talks a lot, and it detects a long PowerShell command. Not all long PowerShell commands are malicious. An admin could use scripts to improve something.

The Classification is an excellent example of a high-level view. If you have to talk to an executive, take this picture and explain the situation in easy words.
An executive will make a decision and is usually not interested in all the technical details. He or she thinks about business impact/profit/consequences, and that is it.
-> What about PII? Are passwords compromised? What about credit card information? Is the business impacted, and if yes, how can you bring the company back (fast as possible)? Interruption? How long do you need to fix the problem?

You are most likely not a business person, but you work for a company whose primary goal is to make money. If you talk to your technical colleagues, you talk technical. If you speak to a boss, you might have to prepare and answer business or related legal questions.

As a beginner in Cybersecurity, you might not answer these questions but think about them because you have to answer those questions one day. You want to move up!
Picture
I will not talk about all areas, but some interesting things. If you work in Cybersecurity, you need to know more about the Mitre Att&ck Matrix. You can find the link here: attack.mitre.org/matrices/enterprise/
​

This matrix is interactive. You can click on "Process Injection" and learn more about the details. The Mitre framework gives you a big idea about all possible options and techniques. If you are a defender, you can use this matrix to improve your security. This script does a lot of things. Let us take "Command and Scripting Interpreter."
Click the field, and you see the related Mitre topic in detail. ​
Picture
Picture
Do you want to defend your company against this? The provided information is not enough, but the Mitre link gives you everything including an area for mitigation techniques.
Picture
We can dive a bit into this topic and pick "Code Signing".
Picture
Now, you can read more about code signing, and the "Use" field gives you a hint on how to fix this issue. In this case, Mitre suggests setting a PowerShell execution policy. This feature will improve the security, and the script cannot run anymore. You can enforce this change quickly via a policy, and all computers are protected.
Sounds good? Everything has a price. If you work with developers, this small change might be a bad idea because developers cannot work anymore. If you work with people in an office, this idea might work very well.
If you do a change, think about the consequences. This is one reason why Cybersecurity does have few entry-level jobs. Each change to improve security has an impact, and you need to know the risks before you enforce a change.

The following section is my favorite section:
Picture
This small picture (the original) is interactive and contains every single exciting feature of this malware. It is a visual analysis of the behavior. You see how many files are created and registry entries. You get malicious IPs and more.
This map is interactive. If you want to know more about a detail, just click on it. Try to look around.

Just for fun, we can try to find some BTLO answers.
Picture
We can use Joe's search feature (right corner).
Picture
The other answers are harder to find, and for some of them, we need the pro version. I do not have it, but we can use Cyberchef to decode the Powershell.

Conclusion
I hope you had fun with this small PowerShell and discovered more features. Did you see the difference between a lab like BTLO and a real sandbox?
The BTLO txt file was static, but we brought the file back to life. Now we see much more details, and you can watch a video about the behavior.
-> If you do labs, try to move on and get more out of it. There is so much more to discover. A lab is not about points, it is about getting knowledge.
Next: SIEM ELK Stack
© 2021. This work is licensed under a CC BY-SA 4.0 license​