CyberSec Resources: FRAMEWORKS & STANDARDS; Pentesting Audits & Hacking; PURPLE TEAMING, AD, API, web, clouds & CTF

Cybersec FRAMEWORKS & STANDARDS:

PENTESTING STANDARDS:

(PTES) The Penetration Testing Execution Standard https://www.pentest-standard.org/

(OSSTMM) The Open Source Security Testing Methodology https://www.isecom.org/ https://www.isecom.org/OSSTMM.3.pdf

MITRE ATT&CK

MITRE ATT&CK framework by MITRE ATT&CK https://youtu.be/Yxv1suJYMI8

Putting MITRE ATT&CK into Action with What You Have, Where You Are (By Katie Nickels) https://youtu.be/bkfwMADar0M

MITRE room on TryHackMe: https://tryhackme.com/room/mitre

Cyber Kill Chain?Framework:

The Cyber Kill Chain??framework, developed by Lockheed Martin, is part of the?Intelligence Driven Defense??model for identification and prevention of cyber intrusions activity. The model identifies what the adversaries must complete in order to achieve their objective.

https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html

NIST:

NIST Cybersecurity Framework Explained - Kelly Hood, Thomas Conkle - RSA Conference https://youtu.be/nFUyCrSnR68

PCI Security Standards:

PCI Security Standards Council https://www.pcisecuritystandards.org/

ISO STANDARDS:

ISO 27000 Family of Standards by Aron Lange https://youtu.be/7PscOoWtR7g

ISO27001 Youtube playlist by risk3sixty https://www.youtube.com/c/risk3sixty

https://www.youtube.com/playlist?list=PLboNZ8lgLkUjg353Am3x4SytHme-XDL2N

Frameworks compared:

NIST Cybersecurity Framework vs ISO 27001/27002 vs NIST 800-53 vs Secure Controls Framework on Compliance Forge https://www.complianceforge.com/faq/nist-800-53-vs-iso-27002-vs-nist-csf-vs-scf

Mitre Attack vs Cyber Kill chain on blackberry.com https://www.blackberry.com/us/en/solutions/endpoint-security/mitre-attack/mitre-attack-vs-cyber-kill-chain

PENTEST reporting:

How to take NOTES:

CherryTree, a hierarchical note taking application. https://www.giuspen.com/cherrytree/

Joplin, an Open Source note-taking app. https://joplinapp.org/

KeepNote, a note taking application https://keepnote.org/

How to report your findings https://csbygb.gitbook.io/pentips/reporting/pentest-report

Writing Tips for IT Professionals (By Lenny Zeltser) https://zeltser.com/writing-tips-for-it-professionals/

How To Write A Penetration Testing Report by HackerSploit https://www.youtube.com/c/HackerSploit/

https://youtu.be/J34DnrX7dTo

REPORTING:

A list of public penetration test reports published by several consulting firms and academic security groups. https://github.com/juliocesarfort/public-pentesting-reports

A Directory of ethical hacking writeups including bug bounty, responsible disclosure and pentest writeups. https://pentester.land/writeups/

PENTEST AUTOMATION:

BlackStone Project by MicroJoan https://microjoan.com/

https://github.com/micro-joan/BlackStone

Pentext by https://www.radicallyopensecurity.com/

https://github.com/radicallyopensecurity/pentext

Web PENTEST:

Web Security Academy by PortSwigger: https://portswigger.net/web-security/learning-path

Rana Khalil Youtube channel https://www.youtube.com/c/RanaKhalil101

Wesley Thijs XSSrat’s Youtube channel https://www.youtube.com/c/TheXSSrat

The Pentesting Web Checklist on Pentest Book by six2dez https://pentestbook.six2dez.com/others/web-checklist

OWASP? Foundation Top 10:

https://owasp.org/www-project-top-ten/

Vulnerable Web Applications to practice: https://owasp.org/www-project-vulnerable-web-applications-directory/

API PENTEST:

API Hacking beginners guide by Dana Epp https://danaepp.com/beginners-guide-to-api-hacking

Corey J. Ball API workshop

https://sway.office.com/HVrL2AXUlWGNDHqy

https://github.com/hAPI-hacker/Hacking-APIs

API PENTEST ORGANIZING:

MalAPI by mrd0x https://malapi.io/

MindAPI by David Sopas https://dsopas.github.io/MindAPI/play/

API PENTESTING PRACTICE:

Hackxpert - OWASP top 10 API training https://hackxpert.com/API-testing.php

VAmPI by erev0s:

https://hakin9.org/vampi-vulnerable-rest-api-with-owasp-top-10-vulnerabilities-for-security-testing/

https://github.com/erev0s/VAmPI

API Pentest, videos and conferences:

APISecure Conference all their 2022 videos are available on their website https://www.apisecure.co/

Hacking mHealth Apps and APIs on KnightTV with Alissa Valentina Knight https://youtu.be/GLnhkf3JcL8

CLOUD PENTEST:

Get familiar with Cloud Security fundamentals with Learn to cloud by Gwyneth Pe?a-Siguenza and Dayspring Johnson https://learntocloud.guide/#/phase5/README

Hacking the cloud by Nick Frichette an encyclopedia of the techniques that offensive security professionals can use against cloud environments. https://hackingthe.cloud/

Cloud Security - Attacks by CyberSecurityUP

https://github.com/CyberSecurityUP/Cloud-Security-Attacks

Practice: Free lab from Pentester Academy

https://attackdefense.pentesteracademy.com/challengedetailsnoauth?cid=2074

https://attackdefense.pentesteracademy.com/

ACTIVE DIRECTORY Pentest:

AD Practice:

Building an Active Directory Lab by spookysec: https://blog.spookysec.net/ad-lab-1/

A script to set up a Vulnerable AD Lab by WazeHell https://github.com/WazeHell/vulnerable-AD

Collection of various common attack scenarios on Azure Active Directory by Cloud-Architekt:

https://github.com/Cloud-Architekt/AzureAD-Attack-Defense

A great document full of resources by Julien Provenzano: https://www.ralfkairos.com/

https://github.com/infosecn1nja/AD-Attack-Defense

An Active Directory Exploitation Cheat Sheet by Integration-IT https://github.com/Integration-IT/Active-Directory-Exploitation-Cheat-Sheet

CTF

HACKTHEBOX, A Massive Hacking Playground; CTF challenges: Fullpwn (based on vulnerable machines), Cryptographic, Forensic, Pwn (based on binary exploitation and memory corruption), Web, Reversing, Cloud cybersecurity (AWS, GCP, and Azure misconfigurations) and Hardware. https://www.hackthebox.com/

What is CTF in hacking? Tips & CTFs for beginners by HTB. https://www.hackthebox.com/blog/what-is-ctf

Learn to Hack with Hack The Box: The Beginner's Bible. https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

Getting Into CTFs As a Web Developer. https://erichogue.ca/2022/03/GettingIntoCTFsAsADev

CTFs (Write-Ups and Resources)

https://github.com/ctfs

Root?Me https://www.root-me.org

TryHackMe https://tryhackme.com/

RingZer0 Team Online CTF https://ringzer0ctf.com/challenges

Cryptopals https://cryptopals.com/

CTF Time https://ctftime.org/

Marcelle Lee’s website reference sheet

https://info.marcellelee.com/

https://drive.google.com/drive/folders/1cfwjm_VqXwAFpFdBnUXkUi0-qT4_cpiJ

https://docs.google.com/spreadsheets/d/1AkczyGQbtabSMbxq1P-c7u3NSXlmXqqv3cDoVpTlSoM/edit#gid=0

PURPLE TEAM:

The Difference Between Red, Blue, and Purple Teams (By Daniel Miessler) https://danielmiessler.com/study/red-blue-purple-teams/

Purple Teaming for Dummies https://www.attackiq.com/lp/purple-teaming-for-dummies/

Purple Team Resources for Enterprise Purple Teaming: An Exploratory Qualitative Study by Xena Olsen. https://github.com/ch33r10/EnterprisePurpleTeaming

PURPLE TEAMING: Practice & Tips

Purple Team Exercise Framework

https://github.com/scythe-io/purple-team-exercise-framework/blob/master/PTEFv2.md

Actionable Purple Teaming: Why and How You Can (and Should) Go Purple

https://www.scythe.io/library/actionable-purple-teaming-why-and-how-you-can-and-should-go-purple

https://www.scythe.io/ptef

TOOLS:

Bloodhound for Blue and Purple Teams. https://github.com/PlumHound/PlumHound

PurpleSharp is a C# adversary simulation tool that executes adversary techniques with the purpose of generating attack telemetry in monitored Windows environments.

https://github.com/mvelazc0/PurpleSharp

* Compiled from the differents latest posts from Gabrielle B. https://github.com/CSbyGB

SHARE

Do you know other resources? Please share them in the comment