Delete TTPs/lin_ioc.py
158
TTPs/lin_ioc.py
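--- a/TTPs/lin_ioc.py
+++ /dev/null
@@ -1,158 +0,0 @@
-from Modules.Imports.ttp_imports import *
-from Modules.submenu import build_submenu
-
-
-def lin_ioc_submenu():
-"""Linux Indicators of Compromise"""
-build_submenu("Linux Indicators of Compromise (IOCs)", module=globals())
-
-### Functions for each submenu option
-
-def linux_basics():
-title = "Linux Basics"
-content = """
-- Understand typical file paths and permission settings.
-- Monitor unexpected or unplanned cron jobs.
-- Investigate binaries with SUID or SGID bits set (`find / -perm -4000`).
-- Look for rogue or uncommon processes running as root.
-- Analyze .bash_history for suspicious commands.
-- Investigate `/var/log/auth.log` for failed or unauthorized access.
-- Check for hidden files and directories using `find / -type f -name ".*"`.
-"""
-print_info(title, content)
-
-def linux_common_malware_names():
-title = "Common Malware Names"
-content = """
-- kworker
-- kinsing
-- xmrig
-- cryptonight
-- apache2 (unexpected locations)
-- mysql (unexpected locations)
-"""
-print_info(title, content)
-
-def linux_common_malware_locations():
-title = "Common Malware Locations"
-content = """
-- /tmp
-- /var/tmp
-- /dev/shm
-- /etc/cron.*
-- /lib/systemd/system/
-- ~/.ssh/
-- /usr/local/bin/
-- /usr/bin/
-- /var/spool/cron/crontabs/
-"""
-print_info(title, content)
-
-def linux_interesting_search_terms():
-title = "Interesting Search Terms"
-content = """
-### Shell Scripts
-- `.sh`, `.bash`
-
-### Executable Files
-- `.out`, `.bin`, `.elf`
-
-### Archives
-- `.tar.gz`, `.zip`, `.xz`, `.bz2`, `.7z`
-
-### Strings in Logs
-- "sudo"
-- "su root"
-- "chmod 777"
-- "wget" or "curl"
-- "base64"
-"""
-print_info(title, content)
-
-def linux_locations_of_persistence():
-title = "Locations of Persistence"
-content = """
-- Cron Jobs
-- `/etc/crontab`
-- `/var/spool/cron/crontabs/`
-- Autostart
-- `~/.config/autostart/`
-- System Services
-- `/etc/systemd/system/`
-- `/lib/systemd/system/`
-- Network Configuration Files
-- `/etc/network/interfaces`
-- `/etc/hosts`
-- SSH Keys
-- `~/.ssh/`
-- `/root/.ssh/`
-"""
-print_info(title, content)
-
-def linux_types_of_persistence():
-title = "Types of Persistence"
-content = """
-- Cron Jobs
-- Modified SSH Keys
-- Custom Systemd Services
-- Kernel Module Hijacking
-- Backdoor Network Configurations
-- LD_PRELOAD Hijacking
-"""
-print_info(title, content)
-
-def linux_advanced_persistence():
-title = "Advanced Persistence"
-content = """
-- Rootkits
-- Live Kernel Patching
-- Custom Kernel Modules
-- Firmware Tampering
-- Hidden Partitions or Volumes
-"""
-print_info(title, content)
-
-def linux_event_ids_to_watch():
-title = "Event IDs to Watch"
-content = """
-Monitor important Linux system logs:
-- `/var/log/auth.log` for authentication attempts
-- `/var/log/secure` for privileged access
-- `/var/log/syslog` for suspicious processes or activity
-- `/var/log/messages` for kernel-level logs
-"""
-print_info(title, content)
-
-def linux_memory_acquisition():
-title = "Memory Acquisition"
-content = """
-### Tools for Live RAM Capture
-- AVML (Azure Virtual Machine Live)
-- LiME (Linux Memory Extractor)
-
-### File Locations
-- `/dev/mem` for memory dump
-- `/proc/<pid>/maps` for process memory mapping
-"""
-print_info(title, content)
-
-def linux_filesystem_artifacts():
-title = "Filesystem Artifacts"
-content = """
-### Look for:
-- Recent Modifications: `find / -type f -mtime -1`
-- Hidden Files: `find / -name ".*"`
-- Unusual Permissions: `find / -perm 777`
-- Root-level Scripts or Configurations: `/etc/`, `/usr/local/`
-"""
-print_info(title, content)
-
-def linux_analysis_resources():
-title = "Analysis Resources"
-content = """
-- Check File Hashes: Use `sha256sum` or `md5sum`.
-- Threat Intelligence: Search IPs and Domains on VirusTotal.
-- Malware Analysis: Analyze suspicious files with tools like Cuckoo Sandbox.
-- Log Analysis: Parse logs using tools like Logstash or Elastic.
-"""
-print_info(title, content)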