Delete TTPs/lin_ioc.py

2024-11-28 00:53:05 -05:00
parent ea8dd134bc
commit 17b56dc43c
1 changed files with 0 additions and 158 deletions
--- a/TTPs/lin_ioc.py
+++ b/TTPs/lin_ioc.py
@ -1,158 +0,0 @@
-from Modules.Imports.ttp_imports import *
-from Modules.submenu import build_submenu
-
-
-def lin_ioc_submenu():
-    """Linux Indicators of Compromise"""
-    build_submenu("Linux Indicators of Compromise (IOCs)", module=globals())
-
-### Functions for each submenu option
-
-def linux_basics():
-    title = "Linux Basics"
-    content = """
- Understand typical file paths and permission settings.
- Monitor unexpected or unplanned cron jobs.
- Investigate binaries with SUID or SGID bits set (`find / -perm -4000`).
- Look for rogue or uncommon processes running as root.
- Analyze .bash_history for suspicious commands.
- Investigate `/var/log/auth.log` for failed or unauthorized access.
- Check for hidden files and directories using `find / -type f -name ".*"`.
-"""
-    print_info(title, content)
-
-def linux_common_malware_names():
-    title = "Common Malware Names"
-    content = """
- kworker
- kinsing
- xmrig
- cryptonight
- apache2 (unexpected locations)
- mysql (unexpected locations)
-"""
-    print_info(title, content)
-
-def linux_common_malware_locations():
-    title = "Common Malware Locations"
-    content = """
- /tmp
- /var/tmp
- /dev/shm
- /etc/cron.*
- /lib/systemd/system/
- ~/.ssh/
- /usr/local/bin/
- /usr/bin/
- /var/spool/cron/crontabs/
-"""
-    print_info(title, content)
-
-def linux_interesting_search_terms():
-    title = "Interesting Search Terms"
-    content = """
-### Shell Scripts
- `.sh`, `.bash`
-
-### Executable Files
- `.out`, `.bin`, `.elf`
-
-### Archives
- `.tar.gz`, `.zip`, `.xz`, `.bz2`, `.7z`
-
-### Strings in Logs
- "sudo"
- "su root"
- "chmod 777"
- "wget" or "curl"
- "base64"
-"""
-    print_info(title, content)
-
-def linux_locations_of_persistence():
-    title = "Locations of Persistence"
-    content = """
- Cron Jobs
-    - `/etc/crontab`
-    - `/var/spool/cron/crontabs/`
- Autostart
-    - `~/.config/autostart/`
- System Services
-    - `/etc/systemd/system/`
-    - `/lib/systemd/system/`
- Network Configuration Files
-    - `/etc/network/interfaces`
-    - `/etc/hosts`
- SSH Keys
-    - `~/.ssh/`
-    - `/root/.ssh/`
-"""
-    print_info(title, content)
-
-def linux_types_of_persistence():
-    title = "Types of Persistence"
-    content = """
- Cron Jobs
- Modified SSH Keys
- Custom Systemd Services
- Kernel Module Hijacking
- Backdoor Network Configurations
- LD_PRELOAD Hijacking
-"""
-    print_info(title, content)
-
-def linux_advanced_persistence():
-    title = "Advanced Persistence"
-    content = """
- Rootkits
- Live Kernel Patching
- Custom Kernel Modules
- Firmware Tampering
- Hidden Partitions or Volumes
-"""
-    print_info(title, content)
-
-def linux_event_ids_to_watch():
-    title = "Event IDs to Watch"
-    content = """
-Monitor important Linux system logs:
- `/var/log/auth.log` for authentication attempts
- `/var/log/secure` for privileged access
- `/var/log/syslog` for suspicious processes or activity
- `/var/log/messages` for kernel-level logs
-"""
-    print_info(title, content)
-
-def linux_memory_acquisition():
-    title = "Memory Acquisition"
-    content = """
-### Tools for Live RAM Capture
- AVML (Azure Virtual Machine Live)
- LiME (Linux Memory Extractor)
-
-### File Locations
- `/dev/mem` for memory dump
- `/proc/<pid>/maps` for process memory mapping
-"""
-    print_info(title, content)
-
-def linux_filesystem_artifacts():
-    title = "Filesystem Artifacts"
-    content = """
-### Look for:
- Recent Modifications: `find / -type f -mtime -1`
- Hidden Files: `find / -name ".*"`
- Unusual Permissions: `find / -perm 777`
- Root-level Scripts or Configurations: `/etc/`, `/usr/local/`
-"""
-    print_info(title, content)
-
-def linux_analysis_resources():
-    title = "Analysis Resources"
-    content = """
- Check File Hashes: Use `sha256sum` or `md5sum`.
- Threat Intelligence: Search IPs and Domains on VirusTotal.
- Malware Analysis: Analyze suspicious files with tools like Cuckoo Sandbox.
- Log Analysis: Parse logs using tools like Logstash or Elastic.
-"""
-    print_info(title, content)