diff --git a/TTPs/lin_ioc.py b/TTPs/lin_ioc.py
deleted file mode 100644
index 64b6480..0000000
--- a/TTPs/lin_ioc.py
+++ /dev/null
@@ -1,158 +0,0 @@ -from Modules.Imports.ttp_imports import * -from Modules.submenu import build_submenu - - -def lin_ioc_submenu(): - """Linux Indicators of Compromise""" - build_submenu("Linux Indicators of Compromise (IOCs)", module=globals()) - -### Functions for each submenu option - -def linux_basics(): - title = "Linux Basics" - content = """ -- Understand typical file paths and permission settings. -- Monitor unexpected or unplanned cron jobs. -- Investigate binaries with SUID or SGID bits set (`find / -perm -4000`). -- Look for rogue or uncommon processes running as root. -- Analyze .bash_history for suspicious commands. -- Investigate `/var/log/auth.log` for failed or unauthorized access. -- Check for hidden files and directories using `find / -type f -name ".*"`. -""" - print_info(title, content) - -def linux_common_malware_names(): - title = "Common Malware Names" - content = """ -- kworker -- kinsing -- xmrig -- cryptonight -- apache2 (unexpected locations) -- mysql (unexpected locations) -""" - print_info(title, content) - -def linux_common_malware_locations(): - title = "Common Malware Locations" - content = """ -- /tmp -- /var/tmp -- /dev/shm -- /etc/cron.* -- /lib/systemd/system/ -- ~/.ssh/ -- /usr/local/bin/ -- /usr/bin/ -- /var/spool/cron/crontabs/ -""" - print_info(title, content) - -def linux_interesting_search_terms(): - title = "Interesting Search Terms" - content = """ -### Shell Scripts -- `.sh`, `.bash` - -### Executable Files -- `.out`, `.bin`, `.elf` - -### Archives -- `.tar.gz`, `.zip`, `.xz`, `.bz2`, `.7z` - -### Strings in Logs -- "sudo" -- "su root" -- "chmod 777" -- "wget" or "curl" -- "base64" -""" - print_info(title, content) - -def linux_locations_of_persistence(): - title = "Locations of Persistence" - content = """ -- Cron Jobs - - `/etc/crontab` - - `/var/spool/cron/crontabs/` -- Autostart - - `~/.config/autostart/` -- System Services - - `/etc/systemd/system/` - - `/lib/systemd/system/` -- Network Configuration Files - - 
`/etc/network/interfaces` - - `/etc/hosts` -- SSH Keys - - `~/.ssh/` - - `/root/.ssh/` -""" - print_info(title, content) - -def linux_types_of_persistence(): - title = "Types of Persistence" - content = """ -- Cron Jobs -- Modified SSH Keys -- Custom Systemd Services -- Kernel Module Hijacking -- Backdoor Network Configurations -- LD_PRELOAD Hijacking -""" - print_info(title, content) - -def linux_advanced_persistence(): - title = "Advanced Persistence" - content = """ -- Rootkits -- Live Kernel Patching -- Custom Kernel Modules -- Firmware Tampering -- Hidden Partitions or Volumes -""" - print_info(title, content) - -def linux_event_ids_to_watch(): - title = "Event IDs to Watch" - content = """ -Monitor important Linux system logs: -- `/var/log/auth.log` for authentication attempts -- `/var/log/secure` for privileged access -- `/var/log/syslog` for suspicious processes or activity -- `/var/log/messages` for kernel-level logs -""" - print_info(title, content) - -def linux_memory_acquisition(): - title = "Memory Acquisition" - content = """ -### Tools for Live RAM Capture -- AVML (Azure Virtual Machine Live) -- LiME (Linux Memory Extractor) - -### File Locations -- `/dev/mem` for memory dump -- `/proc//maps` for process memory mapping -""" - print_info(title, content) - -def linux_filesystem_artifacts(): - title = "Filesystem Artifacts" - content = """ -### Look for: -- Recent Modifications: `find / -type f -mtime -1` -- Hidden Files: `find / -name ".*"` -- Unusual Permissions: `find / -perm 777` -- Root-level Scripts or Configurations: `/etc/`, `/usr/local/` -""" - print_info(title, content) - -def linux_analysis_resources(): - title = "Analysis Resources" - content = """ -- Check File Hashes: Use `sha256sum` or `md5sum`. -- Threat Intelligence: Search IPs and Domains on VirusTotal. -- Malware Analysis: Analyze suspicious files with tools like Cuckoo Sandbox. -- Log Analysis: Parse logs using tools like Logstash or Elastic. 
-""" - print_info(title, content) \ No newline at end of file