CYBERSECURITY JOB HUNTING GUIDE

RangeForce - Identifying Linux IOCs

Author: Stefan Waldvogel

Use a RangeForce lab to brush up on your blue-team skills

Introduction
Many people are moving into cybersecurity or thinking about it. I am writing this article for people who are interested in cybersecurity but have no blue-team knowledge yet. Using a RangeForce lab, I will show you one small part of the job of a Security Analyst (SOC). It is not a classic review.

What you need to follow along:
If you are a student, you can spend $150 (pricing is constantly changing) to sign up for all RangeForce modules or purchase the SOC 2 battle path. $150 looks pretty expensive, but you get access to over 420 similar modules and labs.

Free alternative:
free RangeForce Community Edition
This edition offers 21 free labs. I recommend doing these free modules first. If you like the style, great. If not, pick an alternative like INE or Security Blue Team (Junior Analyst / BTL1).

Additional resources:
If you have questions about the module or RangeForce, you can find me here:
Unofficial RangeForce Discord

Matching module name:
SOC 2 path – Identifying Linux IOCs
This module is part of the SOC 2 battle path.

The goal:
This article is an alternative to the official solution and shows advanced tools to get the most out of a Linux system. I have the skills to work as a pentester, so you will see tools that I would use on the offensive side to find interesting things. On the blue side, you can use the same tools to reach your goal.
This is an important lesson. If you want to work in cybersecurity, you can quickly transfer your knowledge between the red and the blue side. People are hyped about the red side, but switching is straightforward. If you have the OSCP or the eCPPT, or you have played with TryHackMe, HTB, etc., this gives you an advantage on the blue side, too.

Hunting for IOCs (indicators of compromise)
Task 1: The cryptominer
A cryptominer needs a lot of CPU power, so the system is slow. This kind of "malware" is easy to find.
  • ssh student@server
We want to know more about the miner;
  • where is it, 
  • can we stop it and 
  • why is this miner on this machine?
Before we proceed, we have to switch to the root user on the server with the command: 
sudo su

My favorite tool is htop, because I like colors. I can sort with a mouse click and see the full path.
Picture
We have "two" miners with two different PIDs on this machine. Write down both PIDs and the path. If the VTA does not give you a green flag, try the second one.
htop allows you to kill the process right away, but that might not always work as expected: a smart attacker will restart the service. For this reason, we follow the official guide.
The VTA will ask you for the md5 hash. You can use VirusTotal to find out more about the file.
In this case, it will not work because the md5 hash is not known. In a real environment, this could work and give you more information about the software.
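The two facts the VTA asks for in Task 1 are the miner's PIDs (with the path of the binary) and the md5 hash of that binary. The following script is an added example, not part of the article or the RangeForce lab: it pulls every process with a given command name out of a `ps -eo pid,comm,args` style listing, hashes a file, and checks the hash against a local list, an offline stand-in for the VirusTotal lookup. The listing, the stand-in "binary" and the hash list are all constructed; on the lab box you would pipe in real `ps` output and hash the real path.

```shell
#!/bin/sh
# Added example, not from the article or the RangeForce lab. Hunt for a named
# process in a `ps -eo pid,comm,args` style listing and hash its binary, the
# two facts the VTA asks for in Task 1. PS_SNAPSHOT is constructed: it imitates
# a box with two xmrig processes; the real input is `ps -eo pid,comm,args`.
PS_SNAPSHOT='  PID COMMAND ARGS
    1 systemd /sbin/init
  995 bash    /bin/bash /tmp/.junk/run.sh
  996 xmrig   /usr/share/.xmrabbit/xmrig --config=/usr/share/.xmrabbit/config.json
 1203 xmrig   /tmp/.junk/xmrig -o pool.invalid:3333
 1300 sshd    /usr/sbin/sshd -D'

# find_procs NAME: read the listing on stdin and print "pid<TAB>executable"
# for every process whose command name is exactly NAME (the header is skipped).
find_procs() {
    awk -v name="$1" 'NR > 1 && $2 == name { print $1 "\t" $3 }'
}

# md5_of FILE: the md5 of FILE, hash only, the value you would search on VirusTotal.
md5_of() {
    md5sum "$1" | awk '{ print $1 }'
}

# is_known_bad MD5 LISTFILE: exit 0 if MD5 is listed (whole line, case-insensitive)
# in a local hash list, an offline stand-in for the VirusTotal lookup.
is_known_bad() {
    grep -qix "$1" "$2"
}

# Stand-alone demo: list the miner PIDs, then hash a constructed stand-in
# binary and check it against a constructed one-line hash list.
printf '%s\n' "$PS_SNAPSHOT" | find_procs xmrig
demo_bin=$(mktemp) && printf 'hello\n' > "$demo_bin"
demo_list=$(mktemp) && printf 'b1946ac92492d2347c6235b4d2611184\n' > "$demo_list"
if is_known_bad "$(md5_of "$demo_bin")" "$demo_list"; then echo "hash is known bad"; fi
rm -f "$demo_bin" "$demo_list"
```

`find_procs` matches on the command name column, not on the arguments, so a process that merely mentions "xmrig" on its command line (a grep, an editor) is not reported; `is_known_bad` matches whole lines so a short hash prefix in the list cannot produce a false hit.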

Task 2: The backdoor
The machine has a miner, so an attacker had access to the machine. A miner is a big problem, but a backdoor is a bigger one.

Bonus task, enumeration with LinEnum:
As a pentester, you start with enumeration, and the blue side is not very different. We are sitting on a machine we know nothing about. We can use LinEnum to get more details about the system.

We can use the commands:
  • git clone https://github.com/rebootuser/LinEnum.git
  • cd LinEnum
  • ./LinEnum.sh -s -k xmrig -r report -e /home/student/LinEnum/ -t
The script needs a couple of minutes, and you will see many red entries. This machine is very vulnerable. One hint: tools like LinEnum, LinPEAS, and others are perfect for CTFs, but if you use them in a real environment, think or ask before you hit Enter.
The script does not give you the things that we are looking for, but it is easy to see that we have a vulnerable machine. We have access to SSH keys, the shadow file (stored password hashes), and much more.
Enumeration with LinPEAS
To get more information, we can use LinPEAS. This tool is bigger and offers more data about the system and, most importantly, the network. Download LinPEAS to the server with:
git clone https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite.git
Change into the folder with:
  • cd privilege-escalation-awesome-scripts-suite/linPEAS
Start LinPEAS with:
  • ./linpeas.sh -a > /home/student/privilege-escalation-awesome-scripts-suite/linPEAS/linpeas.txt
This command will take a while, and you will see an error, but you can still read the file with:
  • less -r linpeas.txt
You can cat the file, but you will not see the coloring. As a beginner, the colors are helpful. The output is a HUGE list, but we focus on the network part for our lab.
The relevant output looks like this:
Picture
Here, we see a lot of interesting things. The red entries are usually problems, but they could also be a peculiarity of the lab configuration. We ignore them.
We know the miner’s name: xmrig
This line looks interesting:
  • 192.168.6.2:47496 54.37.7.208:3333 996/xmrig
This output shows us the activity, and the miner is doing much more than expected. The miner has a connection, and we have an external IP address. The official lab solution does not mention this connection, but as a blue-team member you should think about it.
With Nmap, we can confirm the open port 10348. If you want to try Nmap, you can install it on the lab machine with:

sudo apt install nmap
Picture
Nmap is a very powerful scanner. Here we use the options -p to set the ports, -T4 for fast timing, and -Pn to skip the ping-based host discovery, which gives us a result even if the host does not answer pings.
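The connection line above and the open port that Nmap confirms are the two network questions of this lab: who is the process talking to, and what is it listening on. The script below is an added example, not from the article or RangeForce, that answers both from the `netstat -tunp` style table LinPEAS prints (proto, recv-q, send-q, local address, foreign address, state, pid/program). It tags any peer outside loopback and RFC 1918 space as EXTERNAL, which is exactly the 54.37.7.208 case. The table is constructed; only the xmrig line mirrors the one quoted above, the other rows are made up.

```shell
#!/bin/sh
# Added example, not from the article or the RangeForce lab. Triage the
# connection table that LinPEAS shows (the `netstat -tunp` layout:
# proto recv send local foreign state pid/program). CONN_SNAPSHOT is
# constructed; only the xmrig line mirrors the one quoted in the article.
CONN_SNAPSHOT='tcp 0 0 192.168.6.2:22 192.168.6.100:51522 ESTABLISHED 1300/sshd
tcp 0 0 192.168.6.2:47496 54.37.7.208:3333 ESTABLISHED 996/xmrig
tcp 0 0 0.0.0.0:10348 0.0.0.0:* LISTEN 995/bash
udp 0 0 192.168.6.2:68 192.168.6.1:67 ESTABLISHED 700/dhclient'

# is_private_ip IP: exit 0 for loopback or RFC 1918 space, 1 otherwise.
is_private_ip() {
    case "$1" in
        127.*|10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# peers_of NAME: read the table on stdin and print
# "pid remote_ip remote_port INTERNAL|EXTERNAL" for process NAME.
# Listening sockets have no peer (foreign address 0.0.0.0:*) and are skipped.
peers_of() {
    awk -v name="$1" '$NF ~ ("/" name "$") && $5 != "0.0.0.0:*" { print $NF, $5 }' |
    while read -r proc peer; do
        pid=${proc%%/*}
        ip=${peer%:*}
        port=${peer##*:}
        if is_private_ip "$ip"; then tag=INTERNAL; else tag=EXTERNAL; fi
        printf '%s %s %s %s\n' "$pid" "$ip" "$port" "$tag"
    done
}

# listening_ports NAME: the local ports process NAME listens on, the thing an
# nmap -p scan from another host would confirm.
listening_ports() {
    awk -v name="$1" '$NF ~ ("/" name "$") && $6 == "LISTEN" {
        n = split($4, a, ":"); print a[n]
    }'
}

# Stand-alone demo: the miner's peers, then the ports the bash process listens on.
printf '%s\n' "$CONN_SNAPSHOT" | peers_of xmrig
printf '%s\n' "$CONN_SNAPSHOT" | listening_ports bash
```

The EXTERNAL tag is the triage signal: a miner (or any process you did not install) with an established connection to an address outside your own ranges is the line to write down, together with the PID, before you touch the process.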
Investigation
The open port was connected to PID 995, and LinPEAS has some information about that:
Picture
The attacker was lazy and put everything together. The first line gives us more details about a running bash script. If we deal with malware, we have to investigate everything:
  • /etc/rc.local
  • /tmp/.junk
  • /usr/share/.xmrabbit
The name xmrabbit is unique; that helps, because you can search for it. Use the command updatedb to refresh the locate database, then search for xmrabbit with the command: locate xmrabbit
You will find more, and you can check the config file for further details about the malware. Here, it is a Monero miner, and you see a username.
Picture
Finish the lab, and if you do not get a green flag, make sure you removed the folders. Remove everything, but not too much.
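The persistence part of this investigation is a file (rc.local) that references hidden directories, a name (xmrabbit) you can search the disk for, and a cleanup that must be complete but not overreach. The script below is an added example, not from the article or RangeForce, with one helper for each of those steps: extract every hidden path from a startup file, list hidden directories under a set of roots (a stand-in for `updatedb && locate` when you do not yet know the name), and report which of a list of paths still exist after removal. The rc.local content is constructed; the paths are the three the article names, the command lines around them are made up.

```shell
#!/bin/sh
# Added example, not from the article or the RangeForce lab. Helpers for the
# persistence hunt: hidden paths in a startup file, hidden directories on disk,
# and a post-cleanup check. RC_LOCAL is constructed; only the paths are the
# ones the article names.
RC_LOCAL='#!/bin/sh -e
/bin/bash /tmp/.junk/run.sh &
/usr/share/.xmrabbit/xmrig --config=/usr/share/.xmrabbit/config.json &
exit 0'

# hidden_paths FILE: every absolute path in FILE with a hidden component, deduplicated.
# The first grep cuts out each "/..." token, the second keeps those containing "/.name".
hidden_paths() {
    grep -o '/[^[:space:]]*' "$1" | grep '/\.[^/.]' | sort -u
}

# hidden_dirs ROOT...: hidden directories up to two levels below each ROOT.
hidden_dirs() {
    find "$@" -mindepth 1 -maxdepth 2 -type d -name '.*' 2>/dev/null | sort
}

# cleanup_check PATH...: print each PATH that still exists; empty output means the
# removal is complete (the "remove everything, but not too much" step).
cleanup_check() {
    for p in "$@"; do
        [ -e "$p" ] && printf '%s\n' "$p"
    done
    return 0
}

# Stand-alone demo on the constructed rc.local and a throwaway directory tree.
demo=$(mktemp -d)
printf '%s\n' "$RC_LOCAL" > "$demo/rc.local"
mkdir -p "$demo/share/.xmrabbit" "$demo/share/fonts"
hidden_paths "$demo/rc.local"
hidden_dirs "$demo"
cleanup_check "$demo/share/.xmrabbit" "$demo/share/missing"
rm -rf "$demo"
```

`hidden_paths` works on anything that runs at boot or login (rc.local, cron files, systemd units, shell profiles), so run it over all of them rather than only the file the lab points you at; `hidden_dirs` is deliberately shallow so the output stays readable on a real system.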

Conclusion
You can do so much with the RangeForce labs. If you have access to the labs, do not rush. You will learn the most if you try new things and different paths. Technically, you can pick a random lab and try to get the most out of it. The labs are very open, and with internet access it is very convenient to use and practice new tools.
I am a massive fan of these labs, and to me, it is just fun.
If you do not have a job but have access to these labs, do the labs and write articles about them. The reason is simple: if you write a brief essay, you will remember things much better, and people see what you are doing. It is hard to get a job in cybersecurity, but you have a higher chance of getting one if you have hands-on experience.

Disclaimer:
RangeForce granted me free access to all modules; I got the SOC 1 and the SOC 2 badges, and I have done 112 modules so far.
Hint: You need permission to write such an article or a walk-through if you use RangeForce.
© 2021. This work is licensed under a CC BY-SA 4.0 license.