diff --git a/Modules/investigate.py b/Modules/investigate.py
new file mode 100644
index 0000000..c01f36b
--- /dev/null
+++ b/Modules/investigate.py
@@ -0,0 +1,15 @@
+def get_investigate_content():
+ """
+ Returns the content for the Investigate page.
+ """
+ return {
+ "title": "Investigate",
+ "description": "Explore and analyze potential threats using the resources and tools provided.",
+ "resources": [
+ {"name": "Threat Intel", "url": "/investigate/threat"},
+ {"name": "IP", "url": "/investigate/ip"},
+ {"name": "Domain", "url": "/investigate/domain"},
+ {"name": "File Hash", "url": "/investigate/filehash"},
+ {"name": "Malware", "url": "/investigate/malware"}
+ ]
+ }
diff --git a/Modules/linux.py b/Modules/linux.py
new file mode 100644
index 0000000..b8d68d4
--- /dev/null
+++ b/Modules/linux.py
@@ -0,0 +1,153 @@
+def get_linux_content():
+ return [
+ {
+ "title": "Common Malware Names",
+ "content": """
+kworker
+kinsing
+xmrig
+cryptonight
+apache2 (unexpected locations)
+mysql (unexpected locations)
+ """,
+ "resources": [
+ "https://www.trendmicro.com/vinfo/",
+ "https://unit42.paloaltonetworks.com/"
+ ]
+ },
+ {
+ "title": "Common Malware Locations",
+ "content": """
+/tmp
+/var/tmp
+/dev/shm
+/etc/cron.*
+/lib/systemd/system/
+~/.ssh/
+/usr/local/bin/
+/usr/bin/
+/var/spool/cron/crontabs/
+ """,
+ "resources": [
+ "https://www.linuxsecurity.com/",
+ "https://attack.mitre.org/"
+ ]
+ },
+ {
+ "title": "Interesting Search Terms",
+ "content": """
+### Shell Scripts
+.sh, .bash
+
+### Executable Files
+.out, .bin, .elf
+
+### Archives
+.tar.gz, .zip, .xz, .bz2, .7z
+
+### Strings in Logs
+"sudo"
+"su root"
+"chmod 777"
+"wget" or "curl"
+"base64"
+ """,
+ "resources": []
+ },
+ {
+ "title": "Locations of Persistence",
+ "content": """
+Cron Jobs
+ - `/etc/crontab`
+ - `/var/spool/cron/crontabs/`
+Autostart
+ - `~/.config/autostart/`
+System Services
+ - `/etc/systemd/system/`
+ - `/lib/systemd/system/`
+Network Configuration Files
+ - `/etc/network/interfaces`
+ - `/etc/hosts`
+SSH Keys
+ - `~/.ssh/`
+ - `/root/.ssh/`
+ """,
+ "resources": [
+ "https://www.tecmint.com/",
+ "https://www.cyberciti.biz/"
+ ]
+ },
+ {
+ "title": "Types of Persistence",
+ "content": """
+Cron Jobs
+Modified SSH Keys
+Custom Systemd Services
+Kernel Module Hijacking
+Backdoor Network Configurations
+LD_PRELOAD Hijacking
+ """,
+ "resources": [
+ "https://www.linux.com/",
+ "https://redhat.com/"
+ ]
+ },
+ {
+ "title": "Advanced Persistence",
+ "content": """
+Rootkits
+Live Kernel Patching
+Custom Kernel Modules
+Firmware Tampering
+Hidden Partitions or Volumes
+ """,
+ "resources": [
+ "https://www.kernel.org/",
+ "https://www.sans.org/"
+ ]
+ },
+ {
+ "title": "Event IDs to Watch",
+ "content": """
+Monitor important Linux system logs:
+/var/log/auth.log for authentication attempts
+/var/log/secure for privileged access
+/var/log/syslog for suspicious processes or activity
+/var/log/messages for kernel-level logs
+ """,
+ "resources": [
+ "https://www.linuxjournal.com/",
+ "https://www.securityfocus.com/"
+ ]
+ },
+ {
+ "title": "Memory Acquisition",
+ "content": """
+### Tools for Live RAM Capture
+- AVML (Azure Virtual Machine Live)
+- LiME (Linux Memory Extractor)
+
+### File Locations
+- `/dev/mem` for memory dump
+- `/proc//maps` for process memory mapping
+ """,
+ "resources": [
+ "https://volatilityfoundation.org/",
+ "https://github.com/504ensicslabs/LiME"
+ ]
+ },
+ {
+ "title": "Filesystem Artifacts",
+ "content": """
+### Look for:
+Recent Modifications: `find / -type f -mtime -1`
+Hidden Files: `find / -name ".*"`
+Unusual Permissions: `find / -perm 777`
+Root-level Scripts or Configurations: `/etc/`, `/usr/local/`
+ """,
+ "resources": [
+ "https://www.loggly.com/",
+ "https://splunk.com/"
+ ]
+ },
+ ]
diff --git a/Modules/methodology.py b/Modules/methodology.py
new file mode 100644
index 0000000..befe3e1
--- /dev/null
+++ b/Modules/methodology.py
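Review bot: The Memory Acquisition entry lists `/proc//maps`, which is not a valid path — the per-process component is missing (a `<pid>` placeholder was most likely stripped as markup), so the reference as committed points nowhere; write it as `` - `/proc/<pid>/maps` for process memory mapping ``. In Filesystem Artifacts, `find / -perm 777` matches only files whose mode is exactly 0777, so world-writable files with any other bits (0666, or a 1777 directory) are missed; the world-writable check is `find / -perm -002`. `get_linux_content` has no docstring while `get_investigate_content` in the same commit does; add `"""Return the Linux reference sections as a list of title/content/resources dicts."""`. The "Event IDs to Watch" section names log files rather than event IDs, so its title and its content disagree.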
@@ -0,0 +1,50 @@
+def get_methodology_content():
+ """
+ Returns the content for the Methodology page.
+ """
+ return [
+ {
+ "title": "Baseline",
+ "description": "Baseline configurations here.",
+ "link": "https://docs.google.com/spreadsheets/d/1s2ggAq69Z5UcZen1Q-o8gBHBv6UiJHaeFW3QwtTLnq4/edit?usp=sharing"
+ },
+ {
+ "title": "MITRE TIE",
+ "description": "The Technique Inference Engine (TIE) suggests techniques an adversary is likely to have used based on a set of observed techniques.",
+ "link": "https://center-for-threat-informed-defense.github.io/technique-inference-engine/#/"
+ },
+ {
+ "title": "Linux Basics",
+ "content": """
+- Understand typical file paths and permission settings.
+- Monitor unexpected or unplanned cron jobs.
+- Investigate binaries with SUID or SGID bits set (`find / -perm -4000`).
+- Look for rogue or uncommon processes running as root.
+- Analyze .bash_history for suspicious commands.
+- Investigate `/var/log/auth.log` for failed or unauthorized access.
+- Check for hidden files and directories using `find / -type f -name ".*"`.
+ """,
+ "resources": [
+ {"name": "Linux.org", "url": "https://www.linux.org/"},
+ {"name": "Cyberciti.biz", "url": "https://www.cyberciti.biz/"}
+ ]
+ },
+ {
+ "title": "Windows Basics",
+ "content": """
+- Look for file extensions.
+- Initial access and lateral movement are the loudest.
+- Understand how PID and PPID relate.
+- Look for 1-2 character .exe (e.g., a.exe, ab.exe).
+- C2 exploits are native in 32-bit.
+- Files should not have read, write, and execute simultaneously
+ - Should be RW- ro --X.
+- Know where attackers store files.
+- C:\\windows\\system32: Exe files are not usually stored here.
+ """,
+ "resources": [
+ {"name": "Microsoft Security", "url": "https://www.microsoft.com/en-us/security"},
+ {"name": "MITRE ATT&CK", "url": "https://attack.mitre.org/"}
+ ]
+ }
+ ]
\ No newline at end of file
diff --git a/Modules/tips.py b/Modules/tips.py
new file mode 100644
index 0000000..7abf4fe
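Review bot: The entries returned here have two different shapes — `Baseline` and `MITRE TIE` carry `description`/`link`, `Linux Basics` and `Windows Basics` carry `content`/`resources` — so the renderer has to branch on key presence and an entry missing a key fails with `KeyError` at render time rather than here; either give every entry all four keys or state the two variants in the docstring, e.g. `Each entry is either {title, description, link} or {title, content, resources}.` In Linux Basics, `find / -perm -4000` matches only SUID while the sentence promises SUID or SGID, which is `find / -perm /6000`. The `Baseline` entry points at a Google Sheet maintained outside this repository, so the baseline the page vouches for can change without passing review; that is worth saying in the description, or link a versioned export instead. The file also ends without a trailing newline.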
--- /dev/null
+++ b/Modules/tips.py
@@ -0,0 +1,152 @@
+import random
+import re
+
+
+TIPS = [
+ "πŸ” Look for multiple failed login attempts followed by a success.",
+ "πŸ‘₯ Monitor for the creation of suspicious or unusual accounts.",
+ "πŸ–‹οΈ Keep an eye out for renamed files or sudden changes to file extensions.",
+ "πŸ›‘οΈ Always investigate signs of persistence mechanisms like scheduled tasks or services.",
+ "πŸ” Check logs for lateral movement patterns within the network.",
+ "πŸ“‚ Look for data exfiltration attempts during off-hours.",
+ "πŸ•΅οΈβ€β™‚οΈ Watch for processes running in uncommon directories.",
+ "πŸ—‚οΈ Review changes to sensitive directories like /etc or C:\\Windows\\System32.",
+ "⚠️ Be alert to PowerShell scripts with obfuscation or base64 encoding.",
+ "πŸ“₯ Investigate unusual inbound or outbound traffic patterns.",
+ "πŸ’» Track the execution of unknown binaries or scripts.",
+ "πŸ“Š Analyze event logs for sequences that indicate privilege escalation.",
+ "🌐 Monitor for connections to known malicious IPs or domains.",
+ "πŸ“ˆ Look for unusual spikes in network activity or CPU usage.",
+ "πŸ”‘ Check for default or weak passwords in critical accounts.",
+ "πŸ”— Watch for newly created symbolic links or junction points.",
+ "πŸ•’ Investigate task scheduler events outside of normal working hours.",
+ "πŸ“¦ Look for recently installed software that wasn’t approved.",
+ "πŸ”“ Monitor for attempts to disable antivirus or EDR tools.",
+ "πŸ“œ Analyze browser history or bookmarks for connections to malicious sites.",
+ "πŸ“‚ Look for files with double extensions like `.exe.pdf`.",
+ "πŸ› οΈ Check system startup items for unauthorized entries.",
+ "πŸ“€ Investigate signs of data compression and outbound transfer.",
+ "πŸ‘€ Watch for registry modifications in persistence-related keys.",
+ "πŸ” Scan for unsigned drivers or DLLs in system directories.",
+ "πŸ“‘ Monitor DNS queries to unusual or high-risk domains.",
+ "πŸ’½ Look for rogue virtual machines or snapshots.",
+ "πŸ–₯️ Inspect remote desktop protocol (RDP) logs for unauthorized connections.",
+ "πŸ›‘οΈ Review firewall logs for changes in access rules or port scans.",
+ "πŸ“§ Analyze email headers for signs of phishing or spoofing.",
+ "πŸ“Œ Monitor USB activity for unauthorized devices.",
+ "⚡ Look for processes with high privilege levels started by unprivileged users.",
+ "πŸ”— Watch for changes to trusted system binaries.",
+ "πŸ› οΈ Investigate event IDs related to new service installations.",
+ "πŸ“‚ Check shadow copies for deleted or modified files.",
+ "πŸ” Monitor account logins from unusual geographic locations.",
+ "πŸ“‚ Investigate tampering with backup files or schedules.",
+ "πŸ–₯️ Look for signs of remote code execution (RCE) attempts.",
+ "🌐 Review web server logs for suspicious parameter tampering.",
+ "🚦 Monitor network flows for unusual traffic patterns or unexpected ports.",
+ "πŸ“‘ Be suspicious of repeated DNS queries to non-existent domains.",
+ "πŸ”’ Check for unauthorized changes to file or folder permissions.",
+ "πŸ“€ Look for encrypted or compressed outbound traffic to unknown hosts.",
+ "βš™οΈ Monitor changes in system startup configurations.",
+ "πŸ” Search for PowerShell scripts that include encoded commands.",
+ "πŸ“ Investigate files with zero-byte size in critical directories.",
+ "πŸ•’ Check for processes running at scheduled intervals outside business hours.",
+ "πŸ“ˆ Review performance metrics for sudden resource spikes.",
+ "πŸš€ Look for signs of process injection into legitimate applications.",
+ "πŸ’» Monitor for unauthorized changes to group memberships.",
+ "πŸ”— Watch for symbolic links pointing to unexpected locations.",
+ "πŸ” Examine email attachments for hidden macros or scripts.",
+ "⚠️ Scan for privilege escalation techniques in event logs.",
+ "πŸ“¦ Look for unexpected or unsigned updates to software packages.",
+ "πŸ’Ύ Review logs for signs of removable media usage.",
+ "πŸ–₯️ Investigate unusual usage of command-line utilities like `netstat` or `ipconfig`.",
+ "πŸ“€ Track unusual outbound connections to high-risk countries.",
+ "πŸ” Look for registry keys with suspicious auto-start entries.",
+ "πŸ”§ Investigate changes to WMI subscriptions or filters.",
+ "πŸ“Š Analyze account lockout patterns for brute-force attempts.",
+ "πŸ›‘οΈ Monitor processes using suspicious parent-child relationships.",
+ "πŸ“₯ Investigate large file downloads from unusual IPs.",
+ "⚡ Check for unauthorized applications installed via package managers.",
+ "πŸ”— Look for SMB connections between unexpected hosts.",
+ "πŸ” Search for processes masquerading as system utilities.",
+ "πŸ–₯️ Review logs for attempts to clear or disable event logging.",
+ "πŸ“‚ Look for hidden files in critical directories.",
+ "🚦 Monitor outbound traffic for data transfers at odd hours.",
+ "πŸ”“ Check for unauthorized access to sensitive configuration files.",
+ "πŸ”§ Scan for unrecognized services or drivers in startup logs.",
+ "🌐 Review web application logs for unauthorized access attempts.",
+ "πŸ“œ Look for tampered audit logs or log file deletions.",
+ "πŸ’‘ Investigate systems with unusual uptime patterns.",
+ "πŸ•΅οΈβ€β™‚οΈ Monitor unusual changes to group policies.",
+ "πŸ“‚ Investigate abnormal growth in specific file directories.",
+ "πŸ› οΈ Look for unusual process execution chains in forensic tools.",
+ "πŸ“‹ Check for clipboard monitoring or keylogging behavior.",
+ "🚨 Monitor IDS/IPS alerts for common lateral movement patterns.",
+ "🌍 Correlate login activity with geolocation inconsistencies.",
+ "πŸ”‘ Investigate processes accessing security-critical files.",
+ "πŸ“€ Look for repeated failed data upload attempts to unknown servers.",
+ "πŸ” Check for malicious scheduled tasks created recently.",
+ "πŸ›‘οΈ Watch for unusual changes to user password policies.",
+ "πŸ“ˆ Investigate sudden changes in user account activity levels.",
+ "πŸ–₯️ Review temporary files for evidence of script execution.",
+ "πŸ“¦ Monitor endpoints for unauthorized package or library downloads.",
+ "πŸ“‚ Look for anomalies in recently accessed files.",
+ "βš™οΈ Investigate mismatches in user-agent strings in web traffic.",
+ "πŸ” Look for attackers leaving test artifacts like `1.txt` or `test.ps1`.",
+ "πŸ“œ Track file hashes for unauthorized changes to key binaries.",
+ "🚦 Review network traffic for abnormal TTL values."
+]
+
+# Cybersecurity jokes
+JOKES = [
+ "πŸ€– Why did the hacker cross the road? To get to the other .NET.",
+ "❄️ Why was the computer cold? It left its Windows open.",
+ "πŸͺ₯ How do hackers freshen their breath? With CyberTic Tac!",
+ "β€οΈβ€πŸ©Ή Why don't hackers ever get into relationships? They're afraid of commitments.",
+ "🐾 What do you call a hacker who loves animals? A purr-sistence threat!",
+ "πŸ’Έ Why did the server go broke? It lost all its cache.",
+ "πŸ˜‚ How do you make a malware laugh? Give it a worm joke!",
+ "πŸ“‰ Why did the sysadmin go broke? Too many root expenses.",
+ "πŸ₯£ What’s a hacker’s favorite kind of cereal? Spy-ders!",
+ "πŸ›‘οΈ Why did the password break up with the hacker? It was too weak.",
+ "πŸ”’ Why are cybersecurity experts bad at telling jokes? They always encrypt the punchline.",
+ "🎡 What’s a hacker’s favorite music genre? Phishing!",
+ "πŸ‘“ Why do hackers wear glasses? Because they lost their focus.",
+ "πŸ“Ά Why did the WiFi break up with the laptop? It found a stronger connection.",
+ "😌 Why was the antivirus program so relaxed? It knew how to quarantine stress.",
+ "🍁 What’s a hacker’s favorite season? Phall.",
+ "πŸŒ‘ Why do programmers prefer dark mode? Because light attracts bugs.",
+ "🚩 What’s a hacker’s favorite game? Capture the flag!",
+ "☠️ Why don’t hackers get along with pirates? Too many patches.",
+ "πŸŽ‰ How do you throw a cybersecurity party? Invite everyone to the LAN!",
+ "πŸ”₯ Why was the firewall so happy? It finally blocked its ex.",
+ "πŸ”‘ Why was the keyboard locked out of the server room? Too many CAPS.",
+ "🍺 What’s a hacker’s least favorite drink? Root beer.",
+ "⚾ Why was the hacker bad at baseball? It couldn’t handle the curve (encryption).",
+ "β˜• How do cybersecurity experts like their coffee? Encrypted.",
+ "😭 Why did the antivirus cry? It couldn’t handle the worm.",
+ "🀫 Why don’t hackers tell secrets? They’re worried about key-loggers.",
+ "πŸ•οΈ Why don’t hackers go camping? Too many phishing attacks.",
+ "πŸ’ƒ What’s a hacker’s favorite dance? The worm.",
+ "🐴 Why was the Trojan horse so good at infiltration? It always had the β€˜write’ access.",
+ "πŸ§— What’s the cybersecurity expert’s favorite sport? Fire-wall climbing.",
+ "πŸ•΅οΈβ€β™‚οΈ Why was the hacker great at hide-and-seek? It always hid in the registry.",
+ "πŸ›œ What did the router say to the server? You’ve got the bandwidth for this!",
+ "🍽️ What’s a phishing scammer’s favorite dish? Spam.",
+ "🌞 Why don’t hackers get sunburned? They stay in the shadows.",
+ "πŸ§‘β€πŸ”¬ What do you call a group of math and science geeks at a party? Social engineers.",
+ "🌐 What’s the best way to catch a runaway robot? Use a botnet.",
+ "πŸ› Why did the programmer leave the camping trip early? There were too many bugs."
+]
+
+ANSI_ESCAPE_REGEX = re.compile(r'\x1B(?:[@-Z\\-_]|\[[0-?]*[ -/]*[@-~])')
+
+def get_random_tip_or_joke(clean=False):
+ # Pick a random tip or joke and assign a color
+ item = random.choice(TIPS + JOKES)
+ formatted_item = f"{item}"
+
+ if clean:
+ # Remove ANSI escape codes if clean output is requested
+ return ANSI_ESCAPE_REGEX.sub('', formatted_item)
+
+ return formatted_item
\ No newline at end of file
diff --git a/Modules/windows.py b/Modules/windows.py
new file mode 100644
index 0000000..a3266fd
--- /dev/null
+++ b/Modules/windows.py
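Review bot: `get_random_tip_or_joke` never applies the color its comment promises — `formatted_item = f"{item}"` is an identity copy, so the `clean` branch strips ANSI codes that no string in `TIPS` or `JOKES` contains, and the comment sends the next reader looking for coloring that does not exist. Either drop the comment and the dead variable (`item = random.choice(TIPS + JOKES)` followed by `return ANSI_ESCAPE_REGEX.sub('', item) if clean else item`) or actually apply the color and document in a docstring that `clean=True` is for non-TTY output. `TIPS + JOKES` also builds a fresh ~130-element list on every call; a module-level `_ALL_ITEMS = TIPS + JOKES` avoids that. The emoji in both lists appear here as mojibake (`πŸ”` where a magnifying glass is meant); if that is the on-disk content rather than a display artifact of this page, the file was saved in the wrong encoding and should be re-saved as UTF-8.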
@@ -0,0 +1,118 @@
+from Modules.Persistence.persistence import get_persistence_menu
+
+def get_windows_content():
+
+ persistence_menu = get_persistence_menu()
+
+ return [
+ {
+ "title": "Malware Names",
+ "content": """
+ - svchost.exe - misspelled
+ - iexplore.exe
+ - explorer.exe
+ - lsass.exe - should only be one
+ - win.exe
+ - winlogon.exe
+ - a.exe
+ - ab.exe - shorter names since mal devs are lazy
+ """,
+ "resources": [
+ "https://malwaredb.malwarebytes.com/",
+ "https://www.trendmicro.com/vinfo/us/security/definition/malware"
+ ]
+ },
+ {
+ "title": "Malware Locations",
+ "content": """
+ - \\Temp
+ - C:\\Users\\*\\Downloads
+ - \\AppData
+ - C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Recent
+ - \\$Recycle.Bin
+ - \\ProgramData
+ - \\Windows
+ - \\Windows\\System32
+ - \\WinSxS
+ - \\System Volume Information
+ - \\Program Files
+ - \\Program Files (x86)
+ - [Added Directories by APTs]
+ """,
+ "resources": [
+ "https://www.microsoft.com/en-us/wdsi",
+ "https://www.bleepingcomputer.com/"
+ ]
+ },
+ {
+ "title": "File Types",
+ "content": """
+ ### Scripts
+ - `.ps1`, `.vbs`, `.py`, `.bat`
+
+ ### Windows Binaries
+ - `.exe`, `.msi`, `.dll`
+
+ ### Archives
+ - `.rar`, `.zip`, `.cab`, `.7z`, `.Eo1`, `.iso`, `.ova`, `.ovf`, `.vmdk`, `.vdk`
+
+ Other:
+ - `.eval`
+ - `.xls`
+ - `.doc`
+ - ActiveXObject
+ - CommandLineTemplate
+ - ScriptText
+ """,
+ "resources": [
+ ]
+ },
+ {
+ "title": "Security Events",
+ "content": """
+ - 4698 A scheduled task was created
+ - 4720 A user account was created
+ - 4768 A Kerberos authentication ticket (TGT) was requested
+ - 4769 A Kerberos service ticket was requested
+ - 5140 A network share object was accessed
+ - 7045 A new service was installed in the system
+ - 4688 A new process has been created
+ - 7036 Service changed
+ - 7040 Service startup type changed
+ """,
+ "resources": [
+ "https://www.ultimatewindowssecurity.com/",
+ "https://www.splunk.com/en_us/blog.html"
+ ]
+ },
+ {
+ "title": "Sysmon Events",
+ "content": """
+ 1. **Event ID 1**: Process creation.
+ - Captures command-line arguments for every executed process.
+ 2. **Event ID 3**: Network connections.
+ - Logs every TCP/UDP connection initiated by a monitored process.
+ 3. **Event ID 6**: Driver loading.
+ - Tracks unsigned or unexpected kernel modules.
+ 4. **Event ID 7**: Image loading.
+ - Detects DLLs or libraries loaded from unusual locations.
+ 5. **Event ID 10**: WMI activity.
+ - Monitors suspicious or unauthorized WMI queries.
+ """,
+ "resources": [
+ "https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon",
+ "https://thedfirreport.com/"
+ ]
+ },
+ {
+ "title": persistence_menu["title"],
+ "content": persistence_menu["description"],
+ "resources": [
+ "https://attack.mitre.org/",
+ "https://www.splunk.com/"
+ ],
+ "links": [
+ {"name": method["name"], "url": method["url"]} for method in persistence_menu["methods"]
+ ]
+ },
+ ]
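Review bot: The Sysmon Events entry labels Event ID 10 as "WMI activity", but Sysmon 10 is ProcessAccess (one process opening a handle to another); WMI filter/consumer activity is Event IDs 19–21, so a responder following this reference would query the wrong event. Change the two lines to `5. **Event ID 10**: Process access.` and `- Records one process opening a handle to another; WMI activity is Event IDs 19–21.` The Security Events entry mixes Security-log IDs (4688, 4698, 4720, 4768, 4769, 5140) with Service Control Manager IDs that live in the System log (7036, 7040, 7045); a one-line note per group would save a wasted query. `.Eo1` under Archives looks like a typo for the EnCase `.E01` image extension. `get_windows_content` has no docstring, unlike `get_investigate_content` in this commit; it also carries a `links` key only on the last entry, which the renderer must treat as optional.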