Upload files to "TTPs"

This commit is contained in:
2024-11-24 18:11:02 -05:00
parent b012a2aebb
commit 107db93a19
5 changed files with 443 additions and 4 deletions

15
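--- /dev/null
+++ b/TTPs/analysis.py
@@ -0,0 +1,15 @@
+from Modules.submenu import build_submenu
+from Modules.Imports.all_imports import *
+def analysis_submenu():
+"""
+Submenu for analysis tools and options.
+"""
+actions = {
+"1": {"description": "IP Analysis", "submenu": analysis_ip_submenu},
+"2": {"description": "File Hash Analysis", "submenu": analysis_filehash_submenu},
+"3": {"description": "Threat Intelligence", "submenu": analysis_threat_submenu},
+"4": {"description": "Domain Analysis", "submenu": analysis_domain_submenu},
+"5": {"description": "Malware Analysis", "submenu": analysis_malware_submenu},
+}
+build_submenu("Analysis Tools", actions)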
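Review bot: The five `analysis_*_submenu` callables referenced in `actions` are resolved only through `from Modules.Imports.all_imports import *` on the second line, so a missing or renamed one surfaces as a NameError when the Analysis submenu is opened rather than when the module is imported. Importing them by name next to `build_submenu`, e.g. `from Modules.Imports.all_imports import analysis_ip_submenu, analysis_filehash_submenu, analysis_threat_submenu, analysis_domain_submenu, analysis_malware_submenu`, makes the dependency visible and lets a linter flag an undefined name. Presumably the star import also pulls in `build_submenu`, in which case the explicit first import is redundant and one of the two should go.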

188
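--- /dev/null
+++ b/TTPs/lin_ioc.py
@@ -0,0 +1,188 @@
+from Modules.Imports.ttp_imports import *
+def lin_ioc_submenu():
+"""
+Submenu for Linux Host Indicators.
+"""
+actions = {
+"1": {"description": "Basics", "function": linux_basics},
+"2": {"description": "Common Malware Names", "function": linux_common_malware_names},
+"3": {"description": "Common Malware Locations", "function": linux_common_malware_locations},
+"4": {"description": "Interesting Search Terms", "function": linux_interesting_search_terms},
+"5": {"description": "Locations of Persistence", "function": linux_locations_of_persistence},
+"6": {"description": "Types of Persistence", "function": linux_types_of_persistence},
+"7": {"description": "Advanced Persistence", "function": linux_advanced_persistence},
+"8": {"description": "Event IDs to Watch", "function": linux_event_ids_to_watch},
+"9": {"description": "Memory Acquisition", "function": linux_memory_acquisition},
+"10": {"description": "File System Artifacts", "function": linux_filesystem_artifacts},
+"11": {"description": "Analysis Resources", "function": linux_analysis_resources},
+"12": {"description": "All", "function": all_linux_iocs},
+}
+build_submenu("Linux Indicators of Compromise (IOCs)", actions)
+### Functions for each submenu option
+def linux_basics():
+title = "Linux Basics"
+content = """
+- Understand typical file paths and permission settings.
+- Monitor unexpected or unplanned cron jobs.
+- Investigate binaries with SUID or SGID bits set (`find / -perm -4000`).
+- Look for rogue or uncommon processes running as root.
+- Analyze .bash_history for suspicious commands.
+- Investigate `/var/log/auth.log` for failed or unauthorized access.
+- Check for hidden files and directories using `find / -type f -name ".*"`.
+"""
+print_info(title, content)
+def linux_common_malware_names():
+title = "Common Malware Names"
+content = """
+- kworker
+- kinsing
+- xmrig
+- cryptonight
+- apache2 (unexpected locations)
+- mysql (unexpected locations)
+"""
+print_info(title, content)
+def linux_common_malware_locations():
+title = "Common Malware Locations"
+content = """
+- /tmp
+- /var/tmp
+- /dev/shm
+- /etc/cron.*
+- /lib/systemd/system/
+- ~/.ssh/
+- /usr/local/bin/
+- /usr/bin/
+- /var/spool/cron/crontabs/
+"""
+print_info(title, content)
+def linux_interesting_search_terms():
+title = "Interesting Search Terms"
+content = """
+### Shell Scripts
+- `.sh`, `.bash`
+### Executable Files
+- `.out`, `.bin`, `.elf`
+### Archives
+- `.tar.gz`, `.zip`, `.xz`, `.bz2`, `.7z`
+### Strings in Logs
+- "sudo"
+- "su root"
+- "chmod 777"
+- "wget" or "curl"
+- "base64"
+"""
+print_info(title, content)
+def linux_locations_of_persistence():
+title = "Locations of Persistence"
+content = """
+- Cron Jobs
+- `/etc/crontab`
+- `/var/spool/cron/crontabs/`
+- Autostart
+- `~/.config/autostart/`
+- System Services
+- `/etc/systemd/system/`
+- `/lib/systemd/system/`
+- Network Configuration Files
+- `/etc/network/interfaces`
+- `/etc/hosts`
+- SSH Keys
+- `~/.ssh/`
+- `/root/.ssh/`
+"""
+print_info(title, content)
+def linux_types_of_persistence():
+title = "Types of Persistence"
+content = """
+- Cron Jobs
+- Modified SSH Keys
+- Custom Systemd Services
+- Kernel Module Hijacking
+- Backdoor Network Configurations
+- LD_PRELOAD Hijacking
+"""
+print_info(title, content)
+def linux_advanced_persistence():
+title = "Advanced Persistence"
+content = """
+- Rootkits
+- Live Kernel Patching
+- Custom Kernel Modules
+- Firmware Tampering
+- Hidden Partitions or Volumes
+"""
+print_info(title, content)
+def linux_event_ids_to_watch():
+title = "Event IDs to Watch"
+content = """
+Monitor important Linux system logs:
+- `/var/log/auth.log` for authentication attempts
+- `/var/log/secure` for privileged access
+- `/var/log/syslog` for suspicious processes or activity
+- `/var/log/messages` for kernel-level logs
+"""
+print_info(title, content)
+def linux_memory_acquisition():
+title = "Memory Acquisition"
+content = """
+### Tools for Live RAM Capture
+- AVML (Azure Virtual Machine Live)
+- LiME (Linux Memory Extractor)
+### File Locations
+- `/dev/mem` for memory dump
+- `/proc/<pid>/maps` for process memory mapping
+"""
+print_info(title, content)
+def linux_filesystem_artifacts():
+title = "Filesystem Artifacts"
+content = """
+### Look for:
+- Recent Modifications: `find / -type f -mtime -1`
+- Hidden Files: `find / -name ".*"`
+- Unusual Permissions: `find / -perm 777`
+- Root-level Scripts or Configurations: `/etc/`, `/usr/local/`
+"""
+print_info(title, content)
+def linux_analysis_resources():
+title = "Analysis Resources"
+content = """
+- Check File Hashes: Use `sha256sum` or `md5sum`.
+- Threat Intelligence: Search IPs and Domains on VirusTotal.
+- Malware Analysis: Analyze suspicious files with tools like Cuckoo Sandbox.
+- Log Analysis: Parse logs using tools like Logstash or Elastic.
+"""
+print_info(title, content)
+def all_linux_iocs():
+"""
+Displays all Linux IOC content sequentially.
+"""
+linux_basics()
+linux_common_malware_names()
+linux_common_malware_locations()
+linux_interesting_search_terms()
+linux_locations_of_persistence()
+linux_types_of_persistence()
+linux_advanced_persistence()
+linux_event_ids_to_watch()
+linux_memory_acquisition()
+linux_filesystem_artifacts()
+linux_analysis_resources()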
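Review bot: In linux_basics the bullet that promises "SUID or SGID" quotes `find / -perm -4000`, which matches only the setuid bit, and the hidden-file bullet uses `-type f`, so the "directories" it mentions are never returned; the two lines should read `- Investigate binaries with SUID or SGID bits set (`find / -type f \( -perm -4000 -o -perm -2000 \) -ls`).` and `- Check for hidden files and directories using `find / -name ".*"`.`. In linux_memory_acquisition, `/dev/mem` is offered as a memory-dump source, but kernels built with CONFIG_STRICT_DEVMEM (the default on mainstream distributions) expose only a small low-memory window through it, so LiME/AVML are the real acquisition path and that bullet should be dropped or caveated. The "Common Malware Names" list mixes real malware (kinsing, xmrig) with legitimate names that malware impersonates (kworker, apache2, mysql); a one-line caveat that the latter are masquerade targets to be checked by path and parent would reduce false positives for a reader. linux_event_ids_to_watch also mislabels `/var/log/messages` as kernel logs and `/var/log/secure` as privileged access, when the former is general syslog on RHEL-family systems and the latter is that family's equivalent of auth.log.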


@ -1,8 +1,8 @@
from Modules.Imports.all_imports import *
MENU_OPTIONS = {
"1": {"name": "Windows Indicators", "submenu": windows_indicators_submenu},
"2": {"name": "Linux Indicators", "submenu": linux_indicators_submenu},
"3": {"name": "Basic Threat Hunting", "submenu": basic_threat_hunting_submenu},
"4": {"name": "Persistence Detection", "submenu": persistence_detection_submenu},
"1": {"name": "Windows Indicators", "submenu": win_ioc_submenu},
"2": {"name": "Linux Indicators", "submenu": lin_ioc_submenu},
"3": {"name": "Persistence Detection", "submenu": persistence_submenu},
"4": {"name": "Analysis", "submenu": analysis_submenu},
}

19
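--- /dev/null
+++ b/TTPs/persistence.py
@@ -0,0 +1,19 @@
+from Modules.submenu import build_submenu
+from Modules.Imports.all_imports import *
+def persistence_submenu():
+actions = {
+"1": {"description": "RDP", "submenu": rdp_submenu},
+"2": {"description": "Scheduled Tasks", "submenu": schedule_tasks_submenu},
+"3": {"description": "Services", "submenu": service_submenu},
+"4": {"description": "WMI", "submenu": wmi_submenu},
+"5": {"description": "Autostart", "submenu": autostart_submenu},
+"6": {"description": "DLL Hijacking", "submenu": dll_hijacking_submenu},
+"7": {"description": "Map Share", "submenu": map_share_submenu},
+"8": {"description": "PowerShell Remoting", "submenu": powershell_remoting_submenu},
+"9": {"description": "PsExec", "submenu": psexec_submenu},
+"10": {"description": "DCOM", "submenu": dcom_submenu},
+"11": {"description": "Advanced", "submenu": advanced_submenu},
+"12": {"description": "Basic Persistence", "submenu": basic_persistence_submenu},
+}
+build_submenu("Persistence Detection", actions)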
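Review bot: persistence_submenu has no docstring, unlike analysis_submenu added in the same commit; a one-liner such as `"""Submenu for persistence-detection TTPs; each entry opens the checks for one mechanism."""` under the `def` line would bring it in line. Several entries here (RDP, PsExec, DCOM, PowerShell Remoting, Map Share) are remote-execution and lateral-movement channels rather than persistence mechanisms, so the docstring or the menu title should say the list covers both, or those items belong under a separate heading. As in analysis.py, the twelve `*_submenu` callables are resolved only via the star import, so a missing one shows up as a NameError when this menu is opened rather than at import time.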

217
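--- /dev/null
+++ b/TTPs/win_ioc.py
@@ -0,0 +1,217 @@
+from Modules.Imports.ttp_imports import *
+def win_ioc_submenu():
+"""
+Submenu for Windows Host Indicators.
+"""
+actions = {
+"1": {"description": "Basics", "function": basics},
+"2": {"description": "Common Malware Names", "function": common_malware_names},
+"3": {"description": "Common Malware Locations", "function": common_malware_locations},
+"4": {"description": "Interesting Search Terms", "function": interesting_search_terms},
+"5": {"description": "Locations of Persistence", "function": locations_of_persistence},
+"6": {"description": "Types of Persistence", "function": types_of_persistence},
+"7": {"description": "Advanced Persistence", "function": advanced_persistence},
+"8": {"description": "Event IDs to Watch", "function": event_ids_to_watch},
+"9": {"description": "Common False Positives", "function": common_false_positives},
+"10": {"description": "Windows Directories", "function": windows_directories},
+"11": {"description": "Analysis Resources", "function": analysis_resources},
+"12": {"description": "All", "function": all_windows_iocs},
+}
+build_submenu("Windows Indicators of Compromise (IOCs)", actions)
+def basics():
+title = "Basics"
+content = """
+- Look for file extensions
+- Initial access and lateral movement are the loudest
+- Understand how PID and PPID relate
+- Look for 1-2 character .exe (e.g., a.exe, ab.exe)
+- C2 exploits are native in 32-bit
+- Files should not have read, write, and execute simultaneously
+- Should be RW- ro --X
+- Know where attackers store files
+- C:\\windows\\system32: Exe files are not usually stored here
+"""
+print_info(title, content)
+def common_malware_names():
+title = "Common Malware Names"
+content = """
+- svchost.exe
+- iexplore.exe
+- explorer.exe
+- lsass.exe
+- win.exe
+- winlogon.exe
+"""
+print_info(title, content)
+def common_malware_locations():
+title = "Common Malware Locations"
+content = """
+- \\Temp
+- C:\\Users\\*\\Downloads
+- \\AppData
+- C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Recent
+- \\$Recycle.Bin
+- \\ProgramData
+- \\Windows
+- \\Windows\\System32
+- \\WinSxS
+- \\System Volume Information
+- \\Program Files
+- \\Program Files (x86)
+- [Added Directories by APTs]
+"""
+print_info(title, content)
+def interesting_search_terms():
+title = "Interesting Search Terms"
+content = """
+### Scripts
+- `.ps1`, `.vbs`, `.py`, `.bat`
+### Windows Binaries
+- `.exe`, `.msi`, `.dll`
+### Archives
+- `.rar`, `.zip`, `.cab`, `.7z`, `.Eo1`, `.iso`, `.ova`, `.ovf`, `.vmdk`, `.vdk`
+Other:
+- `.eval`
+- `.xls`
+- `.doc`
+- ActiveXObject
+- CommandLineTemplate
+- ScriptText
+"""
+print_info(title, content)
+def locations_of_persistence():
+title = "Locations of Persistence"
+content = """
+- C:\\windows\\system32 (Exe files are not usually stored here)
+"""
+print_info(title, content)
+def types_of_persistence():
+title = "Types of Persistence"
+content = """
+- Impacket Exec
+- Services
+- WMI
+- Autostart
+- DLL Hijacking
+- Drivers
+- Map Share
+- Persistence Mechanisms
+- Powershell Remoting
+- PsExec
+- Remote Desktop
+- Run Keys
+- Scheduled Tasks
+- Registry
+"""
+print_info(title, content)
+def advanced_persistence():
+title = "Advanced Persistence"
+content = """
+- Bios Flashing
+- Drivers
+- Local Group Policy
+- MS Office Add-In
+"""
+print_info(title, content)
+def event_ids_to_watch():
+title = "Event IDs to Watch"
+content = """
+- 4698 A scheduled task was created
+- 4720 A user account was created
+- 4768 A Kerberos authentication ticket (TGT) was requested
+- 4769 A Kerberos service ticket was requested
+- 5140 A network share object was accessed
+- 7045 A new service was installed in the system
+- 4648 A logon was attempted using explicit credentials
+- 4656 A handle to an object was requested
+- 4658 The handle to an object was closed
+- 4660 An object was deleted
+- 4663 An attempt was made to access an object
+- 4672 Special privileges assigned to new logon
+- 4673 A privileged service was called
+- 4688 A new process has been created
+- 4946 A change has been made to Windows Firewall exception list. A rule was added
+- 5142 A network share object was added
+- 5144 A network share object was deleted
+- 5145 A network share object was checked to see whether the client can be granted desired access
+- 5154 The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections
+- 5156 The Windows Filtering Platform has allowed a connection
+- 5447 A Windows Filtering Platform filter has been changed
+- 8222 Shadow copy has been created
+- 7036 Service changed
+- 7040 Service startup type changed
+- 7045 PSExec
+"""
+print_info(title, content)
+def common_false_positives():
+title = "Common False Positives"
+content = """
+- SCM Event Log Consumer
+- BVTFilter
+- TSLogonEvents.vbs
+- TSLogonFilter
+- RAevent.vbs
+- RMAssistEventFilter
+- KernCap.vbs
+- NTEventLogConsumer
+- WSCEAA.exe (Dell)
+"""
+print_info(title, content)
+def windows_directories():
+title = "Windows Directories"
+content = """
+- C:\\Windows\\System32\\drivers\\etc\\hosts (DNS file)
+- C:\\Windows\\System32\\drivers\\etc\\networks (Network config file)
+- C:\\Windows\\System32\\config\\SAM (Usernames and passwords)
+- C:\\Windows\\System32\\SECURITY (Security logs)
+- C:\\Windows\\System32\\SOFTWARE (Software logs)
+- C:\\Windows\\System32\\SYSTEM (System logs)
+- C:\\Windows\\System32\\winevt\\ (Windows event logs)
+- C:\\Windows\\repair\\SAM (Backup of usernames and passwords)
+"""
+print_info(title, content)
+def analysis_resources():
+title = "Analysis Resources"
+content = """
+- Check Filehash
+- Analysis Threat Intel
+- Analysis IP
+- Analysis Malware
+### Useful Links
+- https://www.youtube.com/watch?v=NdwTeSi70SU
+- https://youtu.be/7dEfKn70HCI?si=MP-u-n4FMHVgtmWf
+- https://www.criticalstart.com/windows-security-event-logs-what-to-monitor/
+"""
+print_info(title, content)
+def all_windows_iocs():
+"""
+Displays all Windows IOC content sequentially.
+"""
+basics()
+common_malware_names()
+common_malware_locations()
+interesting_search_terms()
+locations_of_persistence()
+types_of_persistence()
+advanced_persistence()
+event_ids_to_watch()
+common_false_positives()
+windows_directories()
+analysis_resources()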
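Review bot: windows_directories describes SECURITY, SOFTWARE and SYSTEM as "logs" and places them directly under System32, but they are registry hives that live in `C:\Windows\System32\config\` next to SAM; the three bullets should read `- C:\\Windows\\System32\\config\\SECURITY (SECURITY hive: LSA policy and secrets)`, `- C:\\Windows\\System32\\config\\SOFTWARE (SOFTWARE hive: installed software, Run keys)` and `- C:\\Windows\\System32\\config\\SYSTEM (SYSTEM hive: services, drivers, control sets)`. In the same list SAM holds password hashes rather than passwords, and `C:\\Windows\\repair\\SAM` is a legacy NT/XP-era location; on current Windows the backup copy is `System32\\config\\RegBack\\`, which is no longer populated by default on recent Windows 10/11 builds, so that line deserves a caveat. event_ids_to_watch lists 7045 twice (once as "new service installed", again as "PSExec"), and 7036/7040/7045 come from the System log (Service Control Manager) rather than the Security log, which matters when a reader turns this list into a collection query; drop the duplicate and tag the source log. The "Common Malware Names" are all legitimate Windows binaries that malware masquerades as, so a caveat to verify image path and parent process (e.g. svchost.exe outside System32 or not spawned by services.exe) would help, and `- Should be RW- ro --X` in basics looks like a typo for "or".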