From b05644f3263ffc1231bc7df3f73bc7b035a7d9d3 Mon Sep 17 00:00:00 2001
From: Matthew Iverson
Date: Sun, 24 Nov 2024 18:11:52 -0500
Subject: [PATCH] Upload files to "TTPs/Analysis"
---
 TTPs/Analysis/analysis_domain.py | 57 ++++++++++++++++++++++++++
 TTPs/Analysis/analysis_filehash.py | 58 ++++++++++++++++++++++++++
 TTPs/Analysis/analysis_ip.py | 62 ++++++++++++++++++++++++++++
 TTPs/Analysis/analysis_malware.py | 65 ++++++++++++++++++++++++++++++
 TTPs/Analysis/analysis_threat.py | 65 ++++++++++++++++++++++++++++++
 5 files changed, 307 insertions(+)
 create mode 100644 TTPs/Analysis/analysis_domain.py
 create mode 100644 TTPs/Analysis/analysis_filehash.py
 create mode 100644 TTPs/Analysis/analysis_ip.py
 create mode 100644 TTPs/Analysis/analysis_malware.py
 create mode 100644 TTPs/Analysis/analysis_threat.py
diff --git a/TTPs/Analysis/analysis_domain.py b/TTPs/Analysis/analysis_domain.py
new file mode 100644
index 0000000..ef0e39b
--- /dev/null
+++ b/TTPs/Analysis/analysis_domain.py
@@ -0,0 +1,57 @@
+import webbrowser
+from Modules.submenu import build_submenu
+
+def analysis_domain_submenu():
+ """
+ Submenu for domain analysis tools and resources.
+ """
+ actions = {
+ "1": {"description": "UrlScan", "function": open_urlscan},
+ "2": {"description": "Wannabrowser", "function": open_wannabrowser},
+ "3": {"description": "Browserling", "function": open_browserling},
+ "4": {"description": "Kasm", "function": open_kasm},
+ "5": {"description": "URL2PNG", "function": open_url2png},
+ }
+ build_submenu("Domain Analysis Tools", actions)
+
+# Functions to open each link
+def open_urlscan():
+ """
+ Open UrlScan website.
+ """
+ url = "https://urlscan.io/"
+ webbrowser.open(url)
+ print(f"Opening: {url}")
+
+def open_wannabrowser():
+ """
+ Open Wannabrowser website.
+ """
+ url = "https://www.wannabrowser.net/"
+ webbrowser.open(url)
+ print(f"Opening: {url}")
+
+def open_browserling():
+ """
+ Open Browserling website.
+ """
+ url = "https://www.browserling.com/"
+ webbrowser.open(url)
+ print(f"Opening: {url}")
+
+def open_kasm():
+ """
+ Open Kasm website.
+ """
+ url = "https://www.kasmweb.com/"
+ webbrowser.open(url)
+ print(f"Opening: {url}")
+
+def open_url2png():
+ """
+ Open URL2PNG website.
+ """
+ url = "https://www.url2png.com/"
+ webbrowser.open(url)
+ print(f"Opening: {url}")
+
diff --git a/TTPs/Analysis/analysis_filehash.py b/TTPs/Analysis/analysis_filehash.py
new file mode 100644
index 0000000..44db15f
--- /dev/null
+++ b/TTPs/Analysis/analysis_filehash.py
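Review bot: The five `open_*` functions in this hunk are identical apart from their URL, and the analysis_malware.py and analysis_threat.py hunks repeat the same pattern six more times each; a module-level helper `def _open(url):` that does the `webbrowser.open(url)` / `print(f"Opening: {url}")` pair would reduce each of them to one line, or let the `actions` table carry the URL directly. The helper is also the place to check the return value: `webbrowser.open` returns False when no browser could be started, and the current code prints "Opening: …" regardless, so `if not webbrowser.open(url): print(f"Could not open a browser for: {url}")` gives the user an honest message.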
@@ -0,0 +1,58 @@
+import os
+import subprocess
+import webbrowser
+from Modules.submenu import build_submenu
+
+def analysis_filehash_submenu():
+ """
+ Submenu for file hash analysis tools and methods.
+ """
+ actions = {
+ "1": {"description": "Get File Hash (MD5)", "function": get_file_hash_md5},
+ "2": {"description": "Check File Hash on VirusTotal", "function": check_virustotal},
+ "3": {"description": "Other Hash Algorithms (SHA1/SHA256)", "function": get_file_hash_other},
+ }
+ build_submenu("File Hash Analysis", actions)
+
+# Functions for file hash analysis
+
+def get_file_hash_md5():
+ """
+ Run a PowerShell command to get the MD5 hash of a file.
+ """
+ file_path = input("Enter the full file path: ").strip()
+ try:
+ if os.name == 'nt': # Check if running on Windows
+ command = f'powershell.exe Get-FileHash -Algorithm MD5 "{file_path}"'
+ subprocess.run(command, shell=True)
+ else:
+ print("This command is only available on Windows with PowerShell.")
+ except Exception as e:
+ print(f"Error running PowerShell command: {e}")
+
+def check_virustotal():
+ """
+ Open VirusTotal to check the file hash.
+ """
+ file_hash = input("Enter the file hash (MD5, SHA1, or SHA256): ").strip()
+ url = f"https://www.virustotal.com/gui/search/{file_hash}"
+ webbrowser.open(url)
+ print(f"Opening VirusTotal for hash: {file_hash}")
+
+def get_file_hash_other():
+ """
+ Run a PowerShell command to get SHA1 or SHA256 hash of a file.
+ """
+ file_path = input("Enter the full file path: ").strip()
+ algorithm = input("Enter the hash algorithm (SHA1 or SHA256): ").strip().upper()
+ if algorithm not in ["SHA1", "SHA256"]:
+ print("Invalid algorithm. Please choose SHA1 or SHA256.")
+ return
+ try:
+ if os.name == 'nt': # Check if running on Windows
+ command = f'powershell.exe Get-FileHash -Algorithm {algorithm} "{file_path}"'
+ subprocess.run(command, shell=True)
+ else:
+ print("This command is only available on Windows with PowerShell.")
+ except Exception as e:
+ print(f"Error running PowerShell command: {e}")
diff --git a/TTPs/Analysis/analysis_ip.py b/TTPs/Analysis/analysis_ip.py
new file mode 100644
index 0000000..24a2467
--- /dev/null
+++ b/TTPs/Analysis/analysis_ip.py
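Review bot: get_file_hash_md5 and get_file_hash_other build a shell command string from the user-typed file_path and run it with `subprocess.run(command, shell=True)`, so shell metacharacters in the path are interpreted by the shell rather than treated as part of the file name, and the `except Exception` around it masks any failure. Both hashes can be computed in-process with `hashlib` (add `import hashlib` next to the existing imports), which drops the shell and the Windows-only restriction at once; the rewrite below replaces the two functions with a shared `_hash_file` helper. check_virustotal has the same shape of problem in miniature: it interpolates file_hash into the URL unchecked, so it should first verify `len(file_hash) in (32, 40, 64) and all(c in "0123456789abcdefABCDEF" for c in file_hash)` and refuse anything else.
```python
def _hash_file(path, algorithm):
    """
    Return the hex digest of the file at *path* using the hashlib
    algorithm name *algorithm* ("md5", "sha1", "sha256").
    Raises OSError if the file cannot be opened or read.
    """
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        # Read in chunks so large files do not have to fit in memory.
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def get_file_hash_md5():
    """
    Compute the MD5 hash of a file in-process (no shell involved).
    """
    file_path = input("Enter the full file path: ").strip()
    try:
        print(f"MD5  {_hash_file(file_path, 'md5')}  {file_path}")
    except OSError as e:
        print(f"Could not read file: {e}")

# … unchanged: check_virustotal …

def get_file_hash_other():
    """
    Compute the SHA1 or SHA256 hash of a file in-process (no shell involved).
    """
    file_path = input("Enter the full file path: ").strip()
    algorithm = input("Enter the hash algorithm (SHA1 or SHA256): ").strip().upper()
    if algorithm not in ["SHA1", "SHA256"]:
        print("Invalid algorithm. Please choose SHA1 or SHA256.")
        return
    try:
        print(f"{algorithm}  {_hash_file(file_path, algorithm.lower())}  {file_path}")
    except OSError as e:
        print(f"Could not read file: {e}")
```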
@@ -0,0 +1,62 @@
+import webbrowser
+from Modules.submenu import build_submenu
+from Modules.Imports.ttp_imports import *
+
+def analysis_ip_submenu():
+ """
+ Submenu for IP analysis resources and tools.
+ """
+ actions = {
+ "1": {"description": "Open Censys", "function": open_censys},
+ "2": {"description": "Open Shodan", "function": open_shodan},
+ "3": {"description": "Open Feodo Tracker", "function": open_feodo},
+ "4": {"description": "Open IBM X-Force", "function": open_ibm_xforce},
+ "5": {"description": "Open Greynoise", "function": open_greynoise},
+ "6": {"description": "Open IP Void", "function": open_ipvoid},
+ "7": {"description": "Open URL Scan", "function": open_urlscan},
+ "8": {"description": "Open VirusTotal", "function": open_virustotal},
+ "9": {"description": "Open DNS Dumpster", "function": open_dnsdumpster},
+ "10": {"description": "Open BGP Tools", "function": open_bgptools},
+ }
+ build_submenu("IP Analysis Resources", actions)
+
+# Functions to open each resource in the default web browser
+def open_censys():
+ webbrowser.open("https://search.censys.io/")
+ print("Opening Censys in your browser...")
+
+def open_shodan():
+ webbrowser.open("https://www.shodan.io/")
+ print("Opening Shodan in your browser...")
+
+def open_feodo():
+ webbrowser.open("https://feodotracker.abuse.ch/browse/")
+ print("Opening Feodo Tracker in your browser...")
+
+def open_ibm_xforce():
+ webbrowser.open("https://exchange.xforce.ibmcloud.com/")
+ print("Opening IBM X-Force in your browser...")
+
+def open_greynoise():
+ webbrowser.open("https://viz.greynoise.io/")
+ print("Opening Greynoise in your browser...")
+
+def open_ipvoid():
+ webbrowser.open("https://www.ipvoid.com/")
+ print("Opening IP Void in your browser...")
+
+def open_urlscan():
+ webbrowser.open("https://urlscan.io/")
+ print("Opening URL Scan in your browser...")
+
+def open_virustotal():
+ webbrowser.open("https://www.virustotal.com/gui/")
+ print("Opening VirusTotal in your browser...")
+
+def open_dnsdumpster():
+ webbrowser.open("https://dnsdumpster.com/")
+ print("Opening DNS Dumpster in your browser...")
+
+def open_bgptools():
+ webbrowser.open("https://bgp.tools/")
+ print("Opening BGP Tools in your browser...")
\ No newline at end of file
diff --git a/TTPs/Analysis/analysis_malware.py b/TTPs/Analysis/analysis_malware.py
new file mode 100644
index 0000000..1a7a7e6
--- /dev/null
+++ b/TTPs/Analysis/analysis_malware.py
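Review bot: `from Modules.Imports.ttp_imports import *` on the third line of analysis_ip.py is not referenced by anything in the hunk, and a star import can silently rebind names this module defines — `open_urlscan` is also defined in the analysis_domain.py hunk, so if ttp_imports re-exports either module the import order decides which function the menu calls. Replace it with an explicit import of whatever is actually needed, or delete the line. Unlike the sibling modules, the ten `open_*` functions here carry no docstrings; a one-liner such as `"""Open the Censys search page in the default browser."""` on each keeps them consistent.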
@@ -0,0 +1,65 @@
+import webbrowser
+from Modules.submenu import build_submenu
+
+def analysis_malware_submenu():
+ """
+ Submenu for malware analysis tools and resources.
+ """
+ actions = {
+ "1": {"description": "Virus Total", "function": open_virus_total},
+ "2": {"description": "INTEZER", "function": open_intezer},
+ "3": {"description": "Any Run", "function": open_any_run},
+ "4": {"description": "Joe Security", "function": open_joe_security},
+ "5": {"description": "Hybrid Analysis", "function": open_hybrid_analysis},
+ "6": {"description": "OTX Alienvault", "function": open_otx_alienvault},
+ }
+ build_submenu("Malware Analysis Tools", actions)
+
+# Functions to open each link
+def open_virus_total():
+ """
+ Open Virus Total website.
+ """
+ url = "https://www.virustotal.com/gui/home/upload"
+ webbrowser.open(url)
+ print(f"Opening: {url}")
+
+def open_intezer():
+ """
+ Open Intezer website.
+ """
+ url = "https://analyze.intezer.com/"
+ webbrowser.open(url)
+ print(f"Opening: {url}")
+
+def open_any_run():
+ """
+ Open Any Run website.
+ """
+ url = "https://any.run/"
+ webbrowser.open(url)
+ print(f"Opening: {url}")
+
+def open_joe_security():
+ """
+ Open Joe Security website.
+ """
+ url = "https://www.joesecurity.org/"
+ webbrowser.open(url)
+ print(f"Opening: {url}")
+
+def open_hybrid_analysis():
+ """
+ Open Hybrid Analysis website.
+ """
+ url = "https://www.hybrid-analysis.com/"
+ webbrowser.open(url)
+ print(f"Opening: {url}")
+
+def open_otx_alienvault():
+ """
+ Open OTX Alienvault website.
+ """
+ url = "https://otx.alienvault.com/"
+ webbrowser.open(url)
+ print(f"Opening: {url}")
diff --git a/TTPs/Analysis/analysis_threat.py b/TTPs/Analysis/analysis_threat.py
new file mode 100644
index 0000000..c0027b1
--- /dev/null
+++ b/TTPs/Analysis/analysis_threat.py
@@ -0,0 +1,65 @@
+import webbrowser
+from Modules.submenu import build_submenu
+
+def analysis_threat_submenu():
+ """
+ Submenu for threat intelligence tools and resources.
+ """
+ actions = {
+ "1": {"description": "Threat Intel - MyDFIR (YouTube)", "function": open_mydfir},
+ "2": {"description": "Threat View", "function": open_threatview},
+ "3": {"description": "Threat Miner", "function": open_threatminer},
+ "4": {"description": "Pulsedive", "function": open_pulsedive},
+ "5": {"description": "OTX Alienvault", "function": open_otx_alienvault},
+ "6": {"description": "Pyramid of Pain", "function": open_pyramid_of_pain},
+ }
+ build_submenu("Threat Intelligence Resources", actions)
+
+# Functions to open each link
+def open_mydfir():
+ """
+ Open Threat Intel - MyDFIR YouTube video.
+ """
+ url = "https://youtu.be/PyWKOG3q4P4?si=eh4Dl_40ZscQa9n8"
+ webbrowser.open(url)
+ print(f"Opening: {url}")
+
+def open_threatview():
+ """
+ Open Threat View website.
+ """
+ url = "https://threatview.io/"
+ webbrowser.open(url)
+ print(f"Opening: {url}")
+
+def open_threatminer():
+ """
+ Open Threat Miner website.
+ """
+ url = "https://www.threatminer.org/index.php"
+ webbrowser.open(url)
+ print(f"Opening: {url}")
+
+def open_pulsedive():
+ """
+ Open Pulsedive website.
+ """
+ url = "https://pulsedive.com/"
+ webbrowser.open(url)
+ print(f"Opening: {url}")
+
+def open_otx_alienvault():
+ """
+ Open OTX Alienvault website.
+ """
+ url = "https://otx.alienvault.com/"
+ webbrowser.open(url)
+ print(f"Opening: {url}")
+
+def open_pyramid_of_pain():
+ """
+ Open Pyramid of Pain resource.
+ """
+ url = "https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html"
+ webbrowser.open(url)
+ print(f"Opening: {url}")