matthew/Hunt-AI
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Upload files to "Modules"

Browse Source
This commit is contained in:
Matthew Iverson
2024-11-28 00:55:40 -05:00
parent cc9de49dba
commit 002467caed
5 changed files with 488 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
Modules/investigate.py Normal file
View File

@ -0,0 +1,15 @@
def get_investigate_content():
"""
Returns the content for the Investigate page.
"""
return {
"title": "Investigate",
"description": "Explore and analyze potential threats using the resources and tools provided.",
"resources": [
{"name": "Threat Intel", "url": "/investigate/threat"},
{"name": "IP", "url": "/investigate/ip"},
{"name": "Domain", "url": "/investigate/domain"},
{"name": "File Hash", "url": "/investigate/filehash"},
{"name": "Malware", "url": "/investigate/malware"}
]
}

153
Modules/linux.py Normal file
View File

@ -0,0 +1,153 @@
def get_linux_content():
return [
{
"title": "Common Malware Names",
"content": """
kworker
kinsing
xmrig
cryptonight
apache2 (unexpected locations)
mysql (unexpected locations)
""",
"resources": [
"https://www.trendmicro.com/vinfo/",
"https://unit42.paloaltonetworks.com/"
]
},
{
"title": "Common Malware Locations",
"content": """
/tmp
/var/tmp
/dev/shm
/etc/cron.*
/lib/systemd/system/
~/.ssh/
/usr/local/bin/
/usr/bin/
/var/spool/cron/crontabs/
""",
"resources": [
"https://www.linuxsecurity.com/",
"https://attack.mitre.org/"
]
},
{
"title": "Interesting Search Terms",
"content": """
### Shell Scripts
.sh, .bash
### Executable Files
.out, .bin, .elf
### Archives
.tar.gz, .zip, .xz, .bz2, .7z
### Strings in Logs
"sudo"
"su root"
"chmod 777"
"wget" or "curl"
"base64"
""",
"resources": []
},
{
"title": "Locations of Persistence",
"content": """
Cron Jobs
- `/etc/crontab`
- `/var/spool/cron/crontabs/`
Autostart
- `~/.config/autostart/`
System Services
- `/etc/systemd/system/`
- `/lib/systemd/system/`
Network Configuration Files
- `/etc/network/interfaces`
- `/etc/hosts`
SSH Keys
- `~/.ssh/`
- `/root/.ssh/`
""",
"resources": [
"https://www.tecmint.com/",
"https://www.cyberciti.biz/"
]
},
{
"title": "Types of Persistence",
"content": """
Cron Jobs
Modified SSH Keys
Custom Systemd Services
Kernel Module Hijacking
Backdoor Network Configurations
LD_PRELOAD Hijacking
""",
"resources": [
"https://www.linux.com/",
"https://redhat.com/"
]
},
{
"title": "Advanced Persistence",
"content": """
Rootkits
Live Kernel Patching
Custom Kernel Modules
Firmware Tampering
Hidden Partitions or Volumes
""",
"resources": [
"https://www.kernel.org/",
"https://www.sans.org/"
]
},
{
"title": "Event IDs to Watch",
"content": """
Monitor important Linux system logs:
/var/log/auth.log for authentication attempts
/var/log/secure for privileged access
/var/log/syslog for suspicious processes or activity
/var/log/messages for kernel-level logs
""",
"resources": [
"https://www.linuxjournal.com/",
"https://www.securityfocus.com/"
]
},
{
"title": "Memory Acquisition",
"content": """
### Tools for Live RAM Capture
- AVML (Azure Virtual Machine Live)
- LiME (Linux Memory Extractor)
### File Locations
- `/dev/mem` for memory dump
- `/proc/<pid>/maps` for process memory mapping
""",
"resources": [
"https://volatilityfoundation.org/",
"https://github.com/504ensicslabs/LiME"
]
},
{
"title": "Filesystem Artifacts",
"content": """
### Look for:
Recent Modifications: `find / -type f -mtime -1`
Hidden Files: `find / -name ".*"`
Unusual Permissions: `find / -perm 777`
Root-level Scripts or Configurations: `/etc/`, `/usr/local/`
""",
"resources": [
"https://www.loggly.com/",
"https://splunk.com/"
]
},
]

50
Modules/methodology.py Normal file
View File

@ -0,0 +1,50 @@
def get_methodology_content():
"""
Returns the content for the Methodology page.
"""
return [
{
"title": "Baseline",
"description": "Baseline configurations here.",
"link": "https://docs.google.com/spreadsheets/d/1s2ggAq69Z5UcZen1Q-o8gBHBv6UiJHaeFW3QwtTLnq4/edit?usp=sharing"
},
{
"title": "MITRE TIE",
"description": "The Technique Inference Engine (TIE) suggests techniques an adversary is likely to have used based on a set of observed techniques.",
"link": "https://center-for-threat-informed-defense.github.io/technique-inference-engine/#/"
},
{
"title": "Linux Basics",
"content": """
- Understand typical file paths and permission settings.
- Monitor unexpected or unplanned cron jobs.
- Investigate binaries with SUID or SGID bits set (`find / -perm -4000`).
- Look for rogue or uncommon processes running as root.
- Analyze .bash_history for suspicious commands.
- Investigate `/var/log/auth.log` for failed or unauthorized access.
- Check for hidden files and directories using `find / -type f -name ".*"`.
""",
"resources": [
{"name": "Linux.org", "url": "https://www.linux.org/"},
{"name": "Cyberciti.biz", "url": "https://www.cyberciti.biz/"}
]
},
{
"title": "Windows Basics",
"content": """
- Look for file extensions.
- Initial access and lateral movement are the loudest.
- Understand how PID and PPID relate.
- Look for 1-2 character .exe (e.g., a.exe, ab.exe).
- C2 exploits are native in 32-bit.
- Files should not have read, write, and execute simultaneously
- Should be RW- ro --X.
- Know where attackers store files.
- C:\\windows\\system32: Exe files are not usually stored here.
""",
"resources": [
{"name": "Microsoft Security", "url": "https://www.microsoft.com/en-us/security"},
{"name": "MITRE ATT&CK", "url": "https://attack.mitre.org/"}
]
}
]

152
Modules/tips.py Normal file
View File

@ -0,0 +1,152 @@
import random
import re
TIPS = [
"🔐 Look for multiple failed login attempts followed by a success.",
"👥 Monitor for the creation of suspicious or unusual accounts.",
"🖋️ Keep an eye out for renamed files or sudden changes to file extensions.",
"🛡️ Always investigate signs of persistence mechanisms like scheduled tasks or services.",
"🔍 Check logs for lateral movement patterns within the network.",
"📂 Look for data exfiltration attempts during off-hours.",
"🕵️‍♂️ Watch for processes running in uncommon directories.",
"🗂️ Review changes to sensitive directories like /etc or C:\\Windows\\System32.",
"⚠️ Be alert to PowerShell scripts with obfuscation or base64 encoding.",
"📥 Investigate unusual inbound or outbound traffic patterns.",
"💻 Track the execution of unknown binaries or scripts.",
"📊 Analyze event logs for sequences that indicate privilege escalation.",
"🌐 Monitor for connections to known malicious IPs or domains.",
"📈 Look for unusual spikes in network activity or CPU usage.",
"🔑 Check for default or weak passwords in critical accounts.",
"🔗 Watch for newly created symbolic links or junction points.",
"🕒 Investigate task scheduler events outside of normal working hours.",
"📦 Look for recently installed software that wasnt approved.",
"🔓 Monitor for attempts to disable antivirus or EDR tools.",
"📜 Analyze browser history or bookmarks for connections to malicious sites.",
"📂 Look for files with double extensions like `.exe.pdf`.",
"🛠️ Check system startup items for unauthorized entries.",
"📤 Investigate signs of data compression and outbound transfer.",
"👀 Watch for registry modifications in persistence-related keys.",
"🔍 Scan for unsigned drivers or DLLs in system directories.",
"📡 Monitor DNS queries to unusual or high-risk domains.",
"💽 Look for rogue virtual machines or snapshots.",
"🖥️ Inspect remote desktop protocol (RDP) logs for unauthorized connections.",
"🛡️ Review firewall logs for changes in access rules or port scans.",
"📧 Analyze email headers for signs of phishing or spoofing.",
"📌 Monitor USB activity for unauthorized devices.",
"⚡ Look for processes with high privilege levels started by unprivileged users.",
"🔗 Watch for changes to trusted system binaries.",
"🛠️ Investigate event IDs related to new service installations.",
"📂 Check shadow copies for deleted or modified files.",
"🔍 Monitor account logins from unusual geographic locations.",
"📂 Investigate tampering with backup files or schedules.",
"🖥️ Look for signs of remote code execution (RCE) attempts.",
"🌐 Review web server logs for suspicious parameter tampering.",
"🚦 Monitor network flows for unusual traffic patterns or unexpected ports.",
"📡 Be suspicious of repeated DNS queries to non-existent domains.",
"🔒 Check for unauthorized changes to file or folder permissions.",
"📤 Look for encrypted or compressed outbound traffic to unknown hosts.",
"⚙️ Monitor changes in system startup configurations.",
"🔍 Search for PowerShell scripts that include encoded commands.",
"📁 Investigate files with zero-byte size in critical directories.",
"🕒 Check for processes running at scheduled intervals outside business hours.",
"📈 Review performance metrics for sudden resource spikes.",
"🚀 Look for signs of process injection into legitimate applications.",
"💻 Monitor for unauthorized changes to group memberships.",
"🔗 Watch for symbolic links pointing to unexpected locations.",
"🔍 Examine email attachments for hidden macros or scripts.",
"⚠️ Scan for privilege escalation techniques in event logs.",
"📦 Look for unexpected or unsigned updates to software packages.",
"💾 Review logs for signs of removable media usage.",
"🖥️ Investigate unusual usage of command-line utilities like `netstat` or `ipconfig`.",
"📤 Track unusual outbound connections to high-risk countries.",
"🔍 Look for registry keys with suspicious auto-start entries.",
"🔧 Investigate changes to WMI subscriptions or filters.",
"📊 Analyze account lockout patterns for brute-force attempts.",
"🛡️ Monitor processes using suspicious parent-child relationships.",
"📥 Investigate large file downloads from unusual IPs.",
"⚡ Check for unauthorized applications installed via package managers.",
"🔗 Look for SMB connections between unexpected hosts.",
"🔍 Search for processes masquerading as system utilities.",
"🖥️ Review logs for attempts to clear or disable event logging.",
"📂 Look for hidden files in critical directories.",
"🚦 Monitor outbound traffic for data transfers at odd hours.",
"🔓 Check for unauthorized access to sensitive configuration files.",
"🔧 Scan for unrecognized services or drivers in startup logs.",
"🌐 Review web application logs for unauthorized access attempts.",
"📜 Look for tampered audit logs or log file deletions.",
"💡 Investigate systems with unusual uptime patterns.",
"🕵️‍♂️ Monitor unusual changes to group policies.",
"📂 Investigate abnormal growth in specific file directories.",
"🛠️ Look for unusual process execution chains in forensic tools.",
"📋 Check for clipboard monitoring or keylogging behavior.",
"🚨 Monitor IDS/IPS alerts for common lateral movement patterns.",
"🌍 Correlate login activity with geolocation inconsistencies.",
"🔑 Investigate processes accessing security-critical files.",
"📤 Look for repeated failed data upload attempts to unknown servers.",
"🔍 Check for malicious scheduled tasks created recently.",
"🛡️ Watch for unusual changes to user password policies.",
"📈 Investigate sudden changes in user account activity levels.",
"🖥️ Review temporary files for evidence of script execution.",
"📦 Monitor endpoints for unauthorized package or library downloads.",
"📂 Look for anomalies in recently accessed files.",
"⚙️ Investigate mismatches in user-agent strings in web traffic.",
"🔍 Look for attackers leaving test artifacts like `1.txt` or `test.ps1`.",
"📜 Track file hashes for unauthorized changes to key binaries.",
"🚦 Review network traffic for abnormal TTL values."
]
# Cybersecurity jokes
JOKES = [
"🤖 Why did the hacker cross the road? To get to the other .NET.",
"❄️ Why was the computer cold? It left its Windows open.",
"🪥 How do hackers freshen their breath? With CyberTic Tac!",
"❤️‍🩹 Why don't hackers ever get into relationships? They're afraid of commitments.",
"🐾 What do you call a hacker who loves animals? A purr-sistence threat!",
"💸 Why did the server go broke? It lost all its cache.",
"😂 How do you make a malware laugh? Give it a worm joke!",
"📉 Why did the sysadmin go broke? Too many root expenses.",
"🥣 Whats a hackers favorite kind of cereal? Spy-ders!",
"🛡️ Why did the password break up with the hacker? It was too weak.",
"🔒 Why are cybersecurity experts bad at telling jokes? They always encrypt the punchline.",
"🎵 Whats a hackers favorite music genre? Phishing!",
"👓 Why do hackers wear glasses? Because they lost their focus.",
"📶 Why did the WiFi break up with the laptop? It found a stronger connection.",
"😌 Why was the antivirus program so relaxed? It knew how to quarantine stress.",
"🍁 Whats a hackers favorite season? Phall.",
"🌑 Why do programmers prefer dark mode? Because light attracts bugs.",
"🚩 Whats a hackers favorite game? Capture the flag!",
"☠️ Why dont hackers get along with pirates? Too many patches.",
"🎉 How do you throw a cybersecurity party? Invite everyone to the LAN!",
"🔥 Why was the firewall so happy? It finally blocked its ex.",
"🔑 Why was the keyboard locked out of the server room? Too many CAPS.",
"🍺 Whats a hackers least favorite drink? Root beer.",
"⚾ Why was the hacker bad at baseball? It couldnt handle the curve (encryption).",
"☕ How do cybersecurity experts like their coffee? Encrypted.",
"😭 Why did the antivirus cry? It couldnt handle the worm.",
"🤫 Why dont hackers tell secrets? Theyre worried about key-loggers.",
"🏕️ Why dont hackers go camping? Too many phishing attacks.",
"💃 Whats a hackers favorite dance? The worm.",
"🐴 Why was the Trojan horse so good at infiltration? It always had the write access.",
"🧗 Whats the cybersecurity experts favorite sport? Fire-wall climbing.",
"🕵️‍♂️ Why was the hacker great at hide-and-seek? It always hid in the registry.",
"🛜 What did the router say to the server? Youve got the bandwidth for this!",
"🍽️ Whats a phishing scammers favorite dish? Spam.",
"🌞 Why dont hackers get sunburned? They stay in the shadows.",
"🧑‍🔬 What do you call a group of math and science geeks at a party? Social engineers.",
"🌐 Whats the best way to catch a runaway robot? Use a botnet.",
"🐛 Why did the programmer leave the camping trip early? There were too many bugs."
]
ANSI_ESCAPE_REGEX = re.compile(r'\x1B(?:[@-Z\\-_]|\[[0-?]*[ -/]*[@-~])')
def get_random_tip_or_joke(clean=False):
# Pick a random tip or joke and assign a color
item = random.choice(TIPS + JOKES)
formatted_item = f"{item}"
if clean:
# Remove ANSI escape codes if clean output is requested
return ANSI_ESCAPE_REGEX.sub('', formatted_item)
return formatted_item

118
Modules/windows.py Normal file
View File

@ -0,0 +1,118 @@
from Modules.Persistence.persistence import get_persistence_menu
def get_windows_content():
persistence_menu = get_persistence_menu()
return [
{
"title": "Malware Names",
"content": """
- svchost.exe - misspelled
- iexplore.exe
- explorer.exe
- lsass.exe - should only be one
- win.exe
- winlogon.exe
- a.exe
- ab.exe - shorter names since mal devs are lazy
""",
"resources": [
"https://malwaredb.malwarebytes.com/",
"https://www.trendmicro.com/vinfo/us/security/definition/malware"
]
},
{
"title": "Malware Locations",
"content": """
- \\Temp
- C:\\Users\\*\\Downloads
- \\AppData
- C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Recent
- \\$Recycle.Bin
- \\ProgramData
- \\Windows
- \\Windows\\System32
- \\WinSxS
- \\System Volume Information
- \\Program Files
- \\Program Files (x86)
- [Added Directories by APTs]
""",
"resources": [
"https://www.microsoft.com/en-us/wdsi",
"https://www.bleepingcomputer.com/"
]
},
{
"title": "File Types",
"content": """
### Scripts
- `.ps1`, `.vbs`, `.py`, `.bat`
### Windows Binaries
- `.exe`, `.msi`, `.dll`
### Archives
- `.rar`, `.zip`, `.cab`, `.7z`, `.Eo1`, `.iso`, `.ova`, `.ovf`, `.vmdk`, `.vdk`
Other:
- `.eval`
- `.xls`
- `.doc`
- ActiveXObject
- CommandLineTemplate
- ScriptText
""",
"resources": [
]
},
{
"title": "Security Events",
"content": """
- 4698 A scheduled task was created
- 4720 A user account was created
- 4768 A Kerberos authentication ticket (TGT) was requested
- 4769 A Kerberos service ticket was requested
- 5140 A network share object was accessed
- 7045 A new service was installed in the system
- 4688 A new process has been created
- 7036 Service changed
- 7040 Service startup type changed
""",
"resources": [
"https://www.ultimatewindowssecurity.com/",
"https://www.splunk.com/en_us/blog.html"
]
},
{
"title": "Sysmon Events",
"content": """
1. **Event ID 1**: Process creation.
- Captures command-line arguments for every executed process.
2. **Event ID 3**: Network connections.
- Logs every TCP/UDP connection initiated by a monitored process.
3. **Event ID 6**: Driver loading.
- Tracks unsigned or unexpected kernel modules.
4. **Event ID 7**: Image loading.
- Detects DLLs or libraries loaded from unusual locations.
5. **Event ID 10**: WMI activity.
- Monitors suspicious or unauthorized WMI queries.
""",
"resources": [
"https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon",
"https://thedfirreport.com/"
]
},
{
"title": persistence_menu["title"],
"content": persistence_menu["description"],
"resources": [
"https://attack.mitre.org/",
"https://www.splunk.com/"
],
"links": [
{"name": method["name"], "url": method["url"]} for method in persistence_menu["methods"]
]
},
]