Delete TTPs/Persistence/dll_hijacking.py
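--- a/TTPs/Persistence/dll_hijacking.py
+++ /dev/null
@@ -1,78 +0,0 @@
-import sys
-from Modules.Imports.ttp_imports import *
-from Modules.submenu import build_submenu
-
-def dll_hijacking_submenu():
-"""
-Submenu for DLL Hijacking detection techniques.
-"""
-actions = {
-"1": {"description": "File System Analysis", "function": file_system_analysis},
-"2": {"description": "Memory Analysis", "function": memory_analysis},
-"3": {"description": "Command Line Analysis", "function": command_line_analysis},
-"4": {"description": "SANS DFIR Insights", "function": sans_dfir_insights},
-}
-build_submenu("DLL Hijacking Detection", actions)
-
-# Individual submenu functions
-
-def file_system_analysis():
-"""
-Displays information about file system analysis for DLL hijacking detection.
-"""
-title = "DLL Hijacking File System Analysis"
-content = """
-- Look for new or unsigned `.exe` and `.dll` files in unusual locations.
-- Example Indicators:
-- Timestamp: 2021-02-18 03:42:31
-- Impact: -
-- Method: mach Meta
-- File Name: `c:/ProgramData/mcoemcpy.exe` (size: 77824)
-- File: `c:/ProgramData/McUtil.dll` (size: 131072)
-"""
-print_info(title, content)
-
-def memory_analysis():
-"""
-Displays memory analysis techniques for DLL hijacking detection.
-"""
-title = "DLL Hijacking Memory Analysis"
-content = """
-- Identify system processes or DLLs loaded from unusual locations.
-- Pay attention to:
-- Processes running unexpected code.
-- DLLs loaded from locations outside expected directories.
-- Newly created DLLs and executables can indicate malicious activity.
-"""
-print_info(title, content)
-
-def command_line_analysis():
-"""
-Displays command-line analysis techniques for DLL hijacking detection.
-"""
-title = "DLL Hijacking Command-Line Analysis"
-content = """
-- Review suspicious command-line execution patterns.
-- Example:
-- Command: `C:\\ProgramData\\ncoenchy.exe 0x4`
-- Method: mach Meta
-- Check for signs of injection or other manipulation.
-"""
-print_info(title, content)
-
-def sans_dfir_insights():
-"""
-Displays insights from SANS DFIR training for DLL hijacking detection.
-"""
-title = "DLL Hijacking Insights from SANS DFIR"
-content = """
-- Nearly all DLL hijacks require placing a new DLL or executable onto the file system.
-- Investigative Techniques:
-- **File Timeline Analysis**:
-- Focus on newly created files during times of interest.
-- **Memory Forensics**:
-- Analyze running processes for unexpected DLL locations.
-- Obscure DLLs are more likely to be targeted since common DLLs are usually preloaded into memory.
-- Other anomalous actions like network beaconing or named pipe creation can lead to detection.
-"""
-print_info(title, content)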