From 107db93a19cea007082d87a2285f5f93a2a74444 Mon Sep 17 00:00:00 2001
From: Matthew Iverson
Date: Sun, 24 Nov 2024 18:11:02 -0500
Subject: [PATCH] Upload files to "TTPs"
---
TTPs/analysis.py | 15 +++
TTPs/lin_ioc.py | 188 ++++++++++++++++++++++++++++++++++++++
TTPs/menu.py | 8 +-
TTPs/persistence.py | 19 ++++
TTPs/win_ioc.py | 217 ++++++++++++++++++++++++++++++++++++++++++++
5 files changed, 443 insertions(+), 4 deletions(-)
create mode 100644 TTPs/analysis.py
create mode 100644 TTPs/lin_ioc.py
create mode 100644 TTPs/persistence.py
create mode 100644 TTPs/win_ioc.py
diff --git a/TTPs/analysis.py b/TTPs/analysis.py
new file mode 100644
index 0000000..d211994
--- /dev/null
+++ b/TTPs/analysis.py
@@ -0,0 +1,15 @@
+from Modules.submenu import build_submenu
+from Modules.Imports.all_imports import *
+
+def analysis_submenu():
+ """
+ Submenu for analysis tools and options.
+ """
+ actions = {
+ "1": {"description": "IP Analysis", "submenu": analysis_ip_submenu},
+ "2": {"description": "File Hash Analysis", "submenu": analysis_filehash_submenu},
+ "3": {"description": "Threat Intelligence", "submenu": analysis_threat_submenu},
+ "4": {"description": "Domain Analysis", "submenu": analysis_domain_submenu},
+ "5": {"description": "Malware Analysis", "submenu": analysis_malware_submenu},
+ }
+ build_submenu("Analysis Tools", actions)
\ No newline at end of file
diff --git a/TTPs/lin_ioc.py b/TTPs/lin_ioc.py
new file mode 100644
index 0000000..2989cb0
--- /dev/null
+++ b/TTPs/lin_ioc.py
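Review bot: The five submenu callables referenced in `actions` (`analysis_ip_submenu` through `analysis_malware_submenu`) reach this file only through `from Modules.Imports.all_imports import *`, so nothing here shows where they are defined, and a missing or renamed one surfaces as a NameError only when a user opens the Analysis menu rather than at import time. Importing them by name, e.g. `from Modules.Imports.all_imports import analysis_ip_submenu, analysis_filehash_submenu, analysis_threat_submenu, analysis_domain_submenu, analysis_malware_submenu`, makes the dependency explicit and lets a linter catch a bad name; the same applies to `persistence.py`, `lin_ioc.py` and `win_ioc.py` in this patch. If `all_imports` in turn imports these TTPs modules to build `menu.py`, the star import is also a circular-import risk, which is worth confirming.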
@@ -0,0 +1,188 @@
+from Modules.Imports.ttp_imports import *
+
+def lin_ioc_submenu():
+ """
+ Submenu for Linux Host Indicators.
+ """
+ actions = {
+ "1": {"description": "Basics", "function": linux_basics},
+ "2": {"description": "Common Malware Names", "function": linux_common_malware_names},
+ "3": {"description": "Common Malware Locations", "function": linux_common_malware_locations},
+ "4": {"description": "Interesting Search Terms", "function": linux_interesting_search_terms},
+ "5": {"description": "Locations of Persistence", "function": linux_locations_of_persistence},
+ "6": {"description": "Types of Persistence", "function": linux_types_of_persistence},
+ "7": {"description": "Advanced Persistence", "function": linux_advanced_persistence},
+ "8": {"description": "Event IDs to Watch", "function": linux_event_ids_to_watch},
+ "9": {"description": "Memory Acquisition", "function": linux_memory_acquisition},
+ "10": {"description": "File System Artifacts", "function": linux_filesystem_artifacts},
+ "11": {"description": "Analysis Resources", "function": linux_analysis_resources},
+ "12": {"description": "All", "function": all_linux_iocs},
+ }
+ build_submenu("Linux Indicators of Compromise (IOCs)", actions)
+
+### Functions for each submenu option
+
+def linux_basics():
+ title = "Linux Basics"
+ content = """
+- Understand typical file paths and permission settings.
+- Monitor unexpected or unplanned cron jobs.
+- Investigate binaries with SUID or SGID bits set (`find / -perm -4000`).
+- Look for rogue or uncommon processes running as root.
+- Analyze .bash_history for suspicious commands.
+- Investigate `/var/log/auth.log` for failed or unauthorized access.
+- Check for hidden files and directories using `find / -type f -name ".*"`.
+"""
+ print_info(title, content)
+
+def linux_common_malware_names():
+ title = "Common Malware Names"
+ content = """
+- kworker
+- kinsing
+- xmrig
+- cryptonight
+- apache2 (unexpected locations)
+- mysql (unexpected locations)
+"""
+ print_info(title, content)
+
+def linux_common_malware_locations():
+ title = "Common Malware Locations"
+ content = """
+- /tmp
+- /var/tmp
+- /dev/shm
+- /etc/cron.*
+- /lib/systemd/system/
+- ~/.ssh/
+- /usr/local/bin/
+- /usr/bin/
+- /var/spool/cron/crontabs/
+"""
+ print_info(title, content)
+
+def linux_interesting_search_terms():
+ title = "Interesting Search Terms"
+ content = """
+### Shell Scripts
+- `.sh`, `.bash`
+
+### Executable Files
+- `.out`, `.bin`, `.elf`
+
+### Archives
+- `.tar.gz`, `.zip`, `.xz`, `.bz2`, `.7z`
+
+### Strings in Logs
+- "sudo"
+- "su root"
+- "chmod 777"
+- "wget" or "curl"
+- "base64"
+"""
+ print_info(title, content)
+
+def linux_locations_of_persistence():
+ title = "Locations of Persistence"
+ content = """
+- Cron Jobs
+ - `/etc/crontab`
+ - `/var/spool/cron/crontabs/`
+- Autostart
+ - `~/.config/autostart/`
+- System Services
+ - `/etc/systemd/system/`
+ - `/lib/systemd/system/`
+- Network Configuration Files
+ - `/etc/network/interfaces`
+ - `/etc/hosts`
+- SSH Keys
+ - `~/.ssh/`
+ - `/root/.ssh/`
+"""
+ print_info(title, content)
+
+def linux_types_of_persistence():
+ title = "Types of Persistence"
+ content = """
+- Cron Jobs
+- Modified SSH Keys
+- Custom Systemd Services
+- Kernel Module Hijacking
+- Backdoor Network Configurations
+- LD_PRELOAD Hijacking
+"""
+ print_info(title, content)
+
+def linux_advanced_persistence():
+ title = "Advanced Persistence"
+ content = """
+- Rootkits
+- Live Kernel Patching
+- Custom Kernel Modules
+- Firmware Tampering
+- Hidden Partitions or Volumes
+"""
+ print_info(title, content)
+
+def linux_event_ids_to_watch():
+ title = "Event IDs to Watch"
+ content = """
+Monitor important Linux system logs:
+- `/var/log/auth.log` for authentication attempts
+- `/var/log/secure` for privileged access
+- `/var/log/syslog` for suspicious processes or activity
+- `/var/log/messages` for kernel-level logs
+"""
+ print_info(title, content)
+
+def linux_memory_acquisition():
+ title = "Memory Acquisition"
+ content = """
+### Tools for Live RAM Capture
+- AVML (Azure Virtual Machine Live)
+- LiME (Linux Memory Extractor)
+
+### File Locations
+- `/dev/mem` for memory dump
+- `/proc//maps` for process memory mapping
+"""
+ print_info(title, content)
+
+def linux_filesystem_artifacts():
+ title = "Filesystem Artifacts"
+ content = """
+### Look for:
+- Recent Modifications: `find / -type f -mtime -1`
+- Hidden Files: `find / -name ".*"`
+- Unusual Permissions: `find / -perm 777`
+- Root-level Scripts or Configurations: `/etc/`, `/usr/local/`
+"""
+ print_info(title, content)
+
+def linux_analysis_resources():
+ title = "Analysis Resources"
+ content = """
+- Check File Hashes: Use `sha256sum` or `md5sum`.
+- Threat Intelligence: Search IPs and Domains on VirusTotal.
+- Malware Analysis: Analyze suspicious files with tools like Cuckoo Sandbox.
+- Log Analysis: Parse logs using tools like Logstash or Elastic.
+"""
+ print_info(title, content)
+
+def all_linux_iocs():
+ """
+ Displays all Linux IOC content sequentially.
+ """
+ linux_basics()
+ linux_common_malware_names()
+ linux_common_malware_locations()
+ linux_interesting_search_terms()
+ linux_locations_of_persistence()
+ linux_types_of_persistence()
+ linux_advanced_persistence()
+ linux_event_ids_to_watch()
+ linux_memory_acquisition()
+ linux_filesystem_artifacts()
+ linux_analysis_resources()
diff --git a/TTPs/menu.py b/TTPs/menu.py
index ea3b43f..37fbcab 100644
--- a/TTPs/menu.py
+++ b/TTPs/menu.py
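Review bot: `linux_memory_acquisition` lists `/proc//maps` with nothing between the slashes, so the process-id placeholder appears to have been lost and the bullet should read `/proc/<pid>/maps` for process memory mapping. In the same function AVML expands to "Acquire Volatile Memory for Linux", not "Azure Virtual Machine Live", and `/dev/mem` is not a dependable capture source on kernels built with strict devmem restrictions, which is the reason the two tools listed above it exist; a short parenthetical on that bullet would keep readers from relying on it. `linux_common_malware_names` lists `kworker`, a legitimate kernel-thread name that malware imitates, so a qualifier like the `(unexpected locations)` already used for apache2 and mysql, e.g. `kworker (user-space process, not a kernel thread)`, would avoid flagging the real threads. The `find / -perm 777` example in `linux_filesystem_artifacts` matches only exact 0777 modes; `-perm -o+w` or similar is usually what "unusual permissions" means, but that is a content choice for the author.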
@@ -1,8 +1,8 @@
 from Modules.Imports.all_imports import *
 
 MENU_OPTIONS = {
- "1": {"name": "Windows Indicators", "submenu": windows_indicators_submenu},
- "2": {"name": "Linux Indicators", "submenu": linux_indicators_submenu},
- "3": {"name": "Basic Threat Hunting", "submenu": basic_threat_hunting_submenu},
- "4": {"name": "Persistence Detection", "submenu": persistence_detection_submenu},
+ "1": {"name": "Windows Indicators", "submenu": win_ioc_submenu},
+ "2": {"name": "Linux Indicators", "submenu": lin_ioc_submenu},
+ "3": {"name": "Persistence Detection", "submenu": persistence_submenu},
+ "4": {"name": "Analysis", "submenu": analysis_submenu},
 }
diff --git a/TTPs/persistence.py b/TTPs/persistence.py
new file mode 100644
index 0000000..91c3e50
--- /dev/null
+++ b/TTPs/persistence.py
@@ -0,0 +1,19 @@
+from Modules.submenu import build_submenu
+from Modules.Imports.all_imports import *
+
+def persistence_submenu():
+ actions = {
+ "1": {"description": "RDP", "submenu": rdp_submenu},
+ "2": {"description": "Scheduled Tasks", "submenu": schedule_tasks_submenu},
+ "3": {"description": "Services", "submenu": service_submenu},
+ "4": {"description": "WMI", "submenu": wmi_submenu},
+ "5": {"description": "Autostart", "submenu": autostart_submenu},
+ "6": {"description": "DLL Hijacking", "submenu": dll_hijacking_submenu},
+ "7": {"description": "Map Share", "submenu": map_share_submenu},
+ "8": {"description": "PowerShell Remoting", "submenu": powershell_remoting_submenu},
+ "9": {"description": "PsExec", "submenu": psexec_submenu},
+ "10": {"description": "DCOM", "submenu": dcom_submenu},
+ "11": {"description": "Advanced", "submenu": advanced_submenu},
+ "12": {"description": "Basic Persistence", "submenu": basic_persistence_submenu},
+ }
+ build_submenu("Persistence Detection", actions)
diff --git a/TTPs/win_ioc.py b/TTPs/win_ioc.py
new file mode 100644
index 0000000..77131b0
--- /dev/null
+++ b/TTPs/win_ioc.py
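Review bot: The four rewritten `MENU_OPTIONS` entries keep the `"name"` key, while every `actions` dict added elsewhere in this patch (`analysis_submenu`, `persistence_submenu`, `lin_ioc_submenu`, `win_ioc_submenu`) labels the same field `"description"`. Whatever renders `MENU_OPTIONS` is outside this hunk, so the difference may be deliberate, but if the top level is ever routed through the same `build_submenu` helper its labels would silently go missing. Using one key at both levels, e.g. `"1": {"description": "Windows Indicators", "submenu": win_ioc_submenu},`, would remove the trap; if the two schemas must differ, a one-line comment above `MENU_OPTIONS` saying which consumer reads it would document that.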
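Review bot: `persistence_submenu` is the only submenu builder in this patch without a docstring; `analysis_submenu`, `lin_ioc_submenu` and `win_ioc_submenu` each open with one. Adding `"""Submenu for persistence-detection topics."""` directly under the `def` line keeps the four consistent and gives the menu framework something to show if it ever surfaces docstrings. The ordering of the last two entries is also slightly surprising — "Advanced" is option 11 and "Basic Persistence" option 12 — and swapping them, or noting why basic comes last, would read more naturally.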
@@ -0,0 +1,217 @@
+from Modules.Imports.ttp_imports import *
+
+def win_ioc_submenu():
+ """
+ Submenu for Windows Host Indicators.
+ """
+ actions = {
+ "1": {"description": "Basics", "function": basics},
+ "2": {"description": "Common Malware Names", "function": common_malware_names},
+ "3": {"description": "Common Malware Locations", "function": common_malware_locations},
+ "4": {"description": "Interesting Search Terms", "function": interesting_search_terms},
+ "5": {"description": "Locations of Persistence", "function": locations_of_persistence},
+ "6": {"description": "Types of Persistence", "function": types_of_persistence},
+ "7": {"description": "Advanced Persistence", "function": advanced_persistence},
+ "8": {"description": "Event IDs to Watch", "function": event_ids_to_watch},
+ "9": {"description": "Common False Positives", "function": common_false_positives},
+ "10": {"description": "Windows Directories", "function": windows_directories},
+ "11": {"description": "Analysis Resources", "function": analysis_resources},
+ "12": {"description": "All", "function": all_windows_iocs},
+ }
+ build_submenu("Windows Indicators of Compromise (IOCs)", actions)
+
+def basics():
+ title = "Basics"
+ content = """
+- Look for file extensions
+- Initial access and lateral movement are the loudest
+- Understand how PID and PPID relate
+- Look for 1-2 character .exe (e.g., a.exe, ab.exe)
+- C2 exploits are native in 32-bit
+- Files should not have read, write, and execute simultaneously
+ - Should be RW- ro --X
+- Know where attackers store files
+- C:\\windows\\system32: Exe files are not usually stored here
+"""
+ print_info(title, content)
+
+def common_malware_names():
+ title = "Common Malware Names"
+ content = """
+- svchost.exe
+- iexplore.exe
+- explorer.exe
+- lsass.exe
+- win.exe
+- winlogon.exe
+"""
+ print_info(title, content)
+
+def common_malware_locations():
+ title = "Common Malware Locations"
+ content = """
+- \\Temp
+- C:\\Users\\*\\Downloads
+- \\AppData
+ - C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Recent
+- \\$Recycle.Bin
+- \\ProgramData
+- \\Windows
+- \\Windows\\System32
+- \\WinSxS
+- \\System Volume Information
+- \\Program Files
+- \\Program Files (x86)
+- [Added Directories by APTs]
+"""
+ print_info(title, content)
+
+def interesting_search_terms():
+ title = "Interesting Search Terms"
+ content = """
+### Scripts
+- `.ps1`, `.vbs`, `.py`, `.bat`
+
+### Windows Binaries
+- `.exe`, `.msi`, `.dll`
+
+### Archives
+- `.rar`, `.zip`, `.cab`, `.7z`, `.Eo1`, `.iso`, `.ova`, `.ovf`, `.vmdk`, `.vdk`
+
+Other:
+- `.eval`
+- `.xls`
+- `.doc`
+- ActiveXObject
+- CommandLineTemplate
+- ScriptText
+"""
+ print_info(title, content)
+
+def locations_of_persistence():
+ title = "Locations of Persistence"
+ content = """
+- C:\\windows\\system32 (Exe files are not usually stored here)
+"""
+ print_info(title, content)
+
+def types_of_persistence():
+ title = "Types of Persistence"
+ content = """
+- Impacket Exec
+- Services
+- WMI
+- Autostart
+- DLL Hijacking
+- Drivers
+- Map Share
+- Persistence Mechanisms
+- Powershell Remoting
+- PsExec
+- Remote Desktop
+- Run Keys
+- Scheduled Tasks
+- Registry
+"""
+ print_info(title, content)
+
+def advanced_persistence():
+ title = "Advanced Persistence"
+ content = """
+- Bios Flashing
+- Drivers
+- Local Group Policy
+- MS Office Add-In
+"""
+ print_info(title, content)
+
+def event_ids_to_watch():
+ title = "Event IDs to Watch"
+ content = """
+- 4698 A scheduled task was created
+- 4720 A user account was created
+- 4768 A Kerberos authentication ticket (TGT) was requested
+- 4769 A Kerberos service ticket was requested
+- 5140 A network share object was accessed
+- 7045 A new service was installed in the system
+- 4648 A logon was attempted using explicit credentials
+- 4656 A handle to an object was requested
+- 4658 The handle to an object was closed
+- 4660 An object was deleted
+- 4663 An attempt was made to access an object
+- 4672 Special privileges assigned to new logon
+- 4673 A privileged service was called
+- 4688 A new process has been created
+- 4946 A change has been made to Windows Firewall exception list. A rule was added
+- 5142 A network share object was added
+- 5144 A network share object was deleted
+- 5145 A network share object was checked to see whether the client can be granted desired access
+- 5154 The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections
+- 5156 The Windows Filtering Platform has allowed a connection
+- 5447 A Windows Filtering Platform filter has been changed
+- 8222 Shadow copy has been created
+- 7036 Service changed
+- 7040 Service startup type changed
+- 7045 PSExec
+"""
+ print_info(title, content)
+
+def common_false_positives():
+ title = "Common False Positives"
+ content = """
+- SCM Event Log Consumer
+- BVTFilter
+- TSLogonEvents.vbs
+- TSLogonFilter
+- RAevent.vbs
+- RMAssistEventFilter
+- KernCap.vbs
+- NTEventLogConsumer
+- WSCEAA.exe (Dell)
+"""
+ print_info(title, content)
+
+def windows_directories():
+ title = "Windows Directories"
+ content = """
+- C:\\Windows\\System32\\drivers\\etc\\hosts (DNS file)
+- C:\\Windows\\System32\\drivers\\etc\\networks (Network config file)
+- C:\\Windows\\System32\\config\\SAM (Usernames and passwords)
+- C:\\Windows\\System32\\SECURITY (Security logs)
+- C:\\Windows\\System32\\SOFTWARE (Software logs)
+- C:\\Windows\\System32\\SYSTEM (System logs)
+- C:\\Windows\\System32\\winevt\\ (Windows event logs)
+- C:\\Windows\\repair\\SAM (Backup of usernames and passwords)
+"""
+ print_info(title, content)
+
+def analysis_resources():
+ title = "Analysis Resources"
+ content = """
+- Check Filehash
+- Analysis Threat Intel
+- Analysis IP
+- Analysis Malware
+
+### Useful Links
+- https://www.youtube.com/watch?v=NdwTeSi70SU
+- https://youtu.be/7dEfKn70HCI?si=MP-u-n4FMHVgtmWf
+- https://www.criticalstart.com/windows-security-event-logs-what-to-monitor/
+"""
+ print_info(title, content)
+
+def all_windows_iocs():
+ """
+ Displays all Windows IOC content sequentially.
+ """
+ basics()
+ common_malware_names()
+ common_malware_locations()
+ interesting_search_terms()
+ locations_of_persistence()
+ types_of_persistence()
+ advanced_persistence()
+ event_ids_to_watch()
+ common_false_positives()
+ windows_directories()
+ analysis_resources()
\ No newline at end of file
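Review bot: `windows_directories` describes `C:\\Windows\\System32\\SECURITY`, `SOFTWARE` and `SYSTEM` as log files, but those are registry hives that live under `System32\\config\\` next to the `SAM` entry two lines above, so an analyst following the list as written would look in the wrong directory for the wrong kind of artifact. The three bullets should read `- C:\\Windows\\System32\\config\\SECURITY (Security registry hive)` and likewise `config\\SOFTWARE (Software registry hive)` and `config\\SYSTEM (System registry hive)`; event logs are already covered by the `winevt\\` entry below them. In `event_ids_to_watch`, 7045 appears twice ("A new service was installed in the system" and "PSExec"); folding the second into the first, e.g. `- 7045 A new service was installed in the system (PsExec and similar tools install one)`, keeps the list deduplicated and explains why it matters. `.Eo1` in the `interesting_search_terms` archive list looks like a typo for the `.E01` forensic-image extension. The `basics` bullet "C2 exploits are native in 32-bit" does not state a check a reader can perform; rewording it to what was meant, or dropping it, would help.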