Upload files to "TTPs"

2024-11-24 18:11:02 -05:00
parent b012a2aebb
commit 107db93a19
5 changed files with 443 additions and 4 deletions
--- a/TTPs/lin_ioc.py
+++ b/TTPs/lin_ioc.py
@ -0,0 +1,188 @@
+from Modules.Imports.ttp_imports import *
+
+def lin_ioc_submenu():
+    """
+    Submenu for Linux Host Indicators.
+    """
+    actions = {
+        "1": {"description": "Basics", "function": linux_basics},
+        "2": {"description": "Common Malware Names", "function": linux_common_malware_names},
+        "3": {"description": "Common Malware Locations", "function": linux_common_malware_locations},
+        "4": {"description": "Interesting Search Terms", "function": linux_interesting_search_terms},
+        "5": {"description": "Locations of Persistence", "function": linux_locations_of_persistence},
+        "6": {"description": "Types of Persistence", "function": linux_types_of_persistence},
+        "7": {"description": "Advanced Persistence", "function": linux_advanced_persistence},
+        "8": {"description": "Event IDs to Watch", "function": linux_event_ids_to_watch},
+        "9": {"description": "Memory Acquisition", "function": linux_memory_acquisition},
+        "10": {"description": "File System Artifacts", "function": linux_filesystem_artifacts},
+        "11": {"description": "Analysis Resources", "function": linux_analysis_resources},
+        "12": {"description": "All", "function": all_linux_iocs},
+    }
+    build_submenu("Linux Indicators of Compromise (IOCs)", actions)
+
+### Functions for each submenu option
+
+def linux_basics():
+    title = "Linux Basics"
+    content = """
+- Understand typical file paths and permission settings.
+- Monitor unexpected or unplanned cron jobs.
+- Investigate binaries with SUID or SGID bits set (`find / -perm -4000`).
+- Look for rogue or uncommon processes running as root.
+- Analyze .bash_history for suspicious commands.
+- Investigate `/var/log/auth.log` for failed or unauthorized access.
+- Check for hidden files and directories using `find / -type f -name ".*"`.
+"""
+    print_info(title, content)
+
+def linux_common_malware_names():
+    title = "Common Malware Names"
+    content = """
+- kworker
+- kinsing
+- xmrig
+- cryptonight
+- apache2 (unexpected locations)
+- mysql (unexpected locations)
+"""
+    print_info(title, content)
+
+def linux_common_malware_locations():
+    title = "Common Malware Locations"
+    content = """
+- /tmp
+- /var/tmp
+- /dev/shm
+- /etc/cron.*
+- /lib/systemd/system/
+- ~/.ssh/
+- /usr/local/bin/
+- /usr/bin/
+- /var/spool/cron/crontabs/
+"""
+    print_info(title, content)
+
+def linux_interesting_search_terms():
+    title = "Interesting Search Terms"
+    content = """
+### Shell Scripts
+- `.sh`, `.bash`
+
+### Executable Files
+- `.out`, `.bin`, `.elf`
+
+### Archives
+- `.tar.gz`, `.zip`, `.xz`, `.bz2`, `.7z`
+
+### Strings in Logs
+- "sudo"
+- "su root"
+- "chmod 777"
+- "wget" or "curl"
+- "base64"
+"""
+    print_info(title, content)
+
+def linux_locations_of_persistence():
+    title = "Locations of Persistence"
+    content = """
+- Cron Jobs
+    - `/etc/crontab`
+    - `/var/spool/cron/crontabs/`
+- Autostart
+    - `~/.config/autostart/`
+- System Services
+    - `/etc/systemd/system/`
+    - `/lib/systemd/system/`
+- Network Configuration Files
+    - `/etc/network/interfaces`
+    - `/etc/hosts`
+- SSH Keys
+    - `~/.ssh/`
+    - `/root/.ssh/`
+"""
+    print_info(title, content)
+
+def linux_types_of_persistence():
+    title = "Types of Persistence"
+    content = """
+- Cron Jobs
+- Modified SSH Keys
+- Custom Systemd Services
+- Kernel Module Hijacking
+- Backdoor Network Configurations
+- LD_PRELOAD Hijacking
+"""
+    print_info(title, content)
+
+def linux_advanced_persistence():
+    title = "Advanced Persistence"
+    content = """
+- Rootkits
+- Live Kernel Patching
+- Custom Kernel Modules
+- Firmware Tampering
+- Hidden Partitions or Volumes
+"""
+    print_info(title, content)
+
+def linux_event_ids_to_watch():
+    title = "Event IDs to Watch"
+    content = """
+Monitor important Linux system logs:
+- `/var/log/auth.log` for authentication attempts
+- `/var/log/secure` for privileged access
+- `/var/log/syslog` for suspicious processes or activity
+- `/var/log/messages` for kernel-level logs
+"""
+    print_info(title, content)
+
+def linux_memory_acquisition():
+    title = "Memory Acquisition"
+    content = """
+### Tools for Live RAM Capture
+- AVML (Azure Virtual Machine Live)
+- LiME (Linux Memory Extractor)
+
+### File Locations
+- `/dev/mem` for memory dump
+- `/proc/<pid>/maps` for process memory mapping
+"""
+    print_info(title, content)
+
+def linux_filesystem_artifacts():
+    title = "Filesystem Artifacts"
+    content = """
+### Look for:
+- Recent Modifications: `find / -type f -mtime -1`
+- Hidden Files: `find / -name ".*"`
+- Unusual Permissions: `find / -perm 777`
+- Root-level Scripts or Configurations: `/etc/`, `/usr/local/`
+"""
+    print_info(title, content)
+
+def linux_analysis_resources():
+    title = "Analysis Resources"
+    content = """
+- Check File Hashes: Use `sha256sum` or `md5sum`.
+- Threat Intelligence: Search IPs and Domains on VirusTotal.
+- Malware Analysis: Analyze suspicious files with tools like Cuckoo Sandbox.
+- Log Analysis: Parse logs using tools like Logstash or Elastic.
+"""
+    print_info(title, content)
+
+def all_linux_iocs():
+    """
+    Displays all Linux IOC content sequentially.
+    """
+    linux_basics()
+    linux_common_malware_names()
+    linux_common_malware_locations()
+    linux_interesting_search_terms()
+    linux_locations_of_persistence()
+    linux_types_of_persistence()
+    linux_advanced_persistence()
+    linux_event_ids_to_watch()
+    linux_memory_acquisition()
+    linux_filesystem_artifacts()
+    linux_analysis_resources()