Upload files to "Modules"
This commit is contained in:
143
Modules/tips.py
143
Modules/tips.py
@ -3,6 +3,56 @@ import re
|
||||
|
||||
|
||||
TIPS = [
|
||||
"🚀 Be sure to check sysmon RuleName field for T-Codes"
|
||||
"🛠️ Investigate newly installed software that wasn't authorized by IT.",
|
||||
"🕵️♂️ Look for rogue processes running with elevated privileges.",
|
||||
"🌍 Monitor for unusual geolocation patterns in login attempts.",
|
||||
"📈 Analyze network traffic for unexpected spikes during off-hours.",
|
||||
"🔗 Check for changes in DNS configurations pointing to malicious servers.",
|
||||
"👾 Look for executables disguised as common file types like `.doc.exe`.",
|
||||
"📂 Investigate files with unusual double extensions like `report.pdf.exe`.",
|
||||
"🚦 Monitor ICMP traffic for unexpected usage, often used in C2.",
|
||||
"🔧 Scan for unauthorized modifications to firewall configurations.",
|
||||
"🕒 Investigate scheduled tasks that trigger outside working hours.",
|
||||
"🌐 Watch for connections to known threat actor infrastructure.",
|
||||
"📜 Look for tampered audit logs, especially around the incident timeline.",
|
||||
"🔗 Monitor changes to symbolic links or hard links on critical files.",
|
||||
"📤 Investigate large outbound data transfers to unknown domains.",
|
||||
"🛡️ Look for registry changes in startup or run keys.",
|
||||
"📡 Monitor DNS TXT record queries, which might be used for data exfiltration.",
|
||||
"📁 Check temp directories for unexpected executable files.",
|
||||
"💾 Look for removable media usage on high-security systems.",
|
||||
"🖥️ Monitor remote desktop sessions for unusual activity.",
|
||||
"📶 Watch for unusual patterns in Wi-Fi connections from endpoints.",
|
||||
"🚀 Look for process injection techniques in legitimate binaries.",
|
||||
"🔍 Investigate binaries running directly from `Downloads` folders.",
|
||||
"🛠️ Review new service creations for suspicious patterns.",
|
||||
"📜 Analyze event logs for sequences indicating privilege escalation.",
|
||||
"🔒 Track unusual access to encryption keys or keystores.",
|
||||
"📊 Monitor changes in user account privileges or roles.",
|
||||
"🌐 Review outbound HTTP POST requests for signs of exfiltration.",
|
||||
"🛡️ Scan for new PowerShell scripts in sensitive directories.",
|
||||
"📂 Look for altered timestamps on key system binaries.",
|
||||
"📡 Monitor inbound SSH connections from unknown IP addresses.",
|
||||
"📥 Investigate bulk email activity from user accounts.",
|
||||
"🔗 Look for network shares with changed permissions.",
|
||||
"🚦 Track internal traffic for lateral movement across VLANs.",
|
||||
"📋 Analyze clipboard activity for copied sensitive data.",
|
||||
"🖋️ Examine document metadata for unexpected embedded payloads.",
|
||||
"📈 Monitor CPU and RAM usage for resource-intensive attacks.",
|
||||
"🕵️♂️ Check for unrecognized browser extensions on user systems.",
|
||||
"🔗 Monitor SMB connections between unusual pairs of endpoints.",
|
||||
"📂 Investigate folders with an unusually large number of hidden files.",
|
||||
"🔧 Look for changes in application whitelisting policies.",
|
||||
"📶 Watch for rogue access points spoofing legitimate Wi-Fi networks.",
|
||||
"🖥️ Analyze usage of utilities like `certutil` or `powershell` for abuse.",
|
||||
"📜 Search for anomalies in VPN connection patterns.",
|
||||
"🚦 Monitor TCP retransmissions for hidden data channels.",
|
||||
"🔍 Investigate suspicious `.lnk` files in commonly accessed directories.",
|
||||
"📂 Check for unauthorized mounts of external file systems.",
|
||||
"🌐 Review HTTP request headers for automated browsing patterns.",
|
||||
"📡 Look for unauthorized use of tunneling protocols like SSH or RDP.",
|
||||
"🛠️ Investigate sandbox evasion techniques in malware samples.",
|
||||
"💻 Make sure your Host Agents are not disabled by the APT/Red Team.",
|
||||
"🛡️ Ensure EDR and antivirus solutions are actively monitoring all endpoints.",
|
||||
"🔒 Monitor for unusual attempts to disable or uninstall security agents.",
|
||||
@ -243,11 +293,102 @@ JOKES = [
|
||||
"🐛 Why did the programmer leave the camping trip early? There were too many bugs."
|
||||
]
|
||||
|
||||
TCODES = [
|
||||
"🛡️ T1003: Credential Dumping - Monitor for attempts to access LSASS or SAM files to extract credentials.",
|
||||
"📜 T1021: Remote Services - Review logs for suspicious RDP or SSH connections from unknown sources.",
|
||||
"🔍 T1059: Command and Scripting Interpreter - Look for PowerShell, bash, or Python commands running unusual scripts.",
|
||||
"🖥️ T1078: Valid Accounts - Check for legitimate credentials being used in unusual ways, such as geographic anomalies.",
|
||||
"📂 T1105: Ingress Tool Transfer - Investigate downloads of suspicious files from external IPs.",
|
||||
"🚦 T1071: Application Layer Protocol - Monitor for unexpected use of protocols like HTTP or DNS for command and control.",
|
||||
"📡 T1136: Create Account - Look for unauthorized user account creation on critical systems.",
|
||||
"🛠️ T1566: Phishing - Analyze email headers and attachments for signs of phishing attempts.",
|
||||
"🔧 T1113: Screen Capture - Investigate processes accessing screen-capturing APIs or creating screenshots.",
|
||||
"📊 T1046: Network Service Scanning - Track scans for open ports or services from internal or external sources.",
|
||||
"📤 T1041: Exfiltration Over C2 Channel - Monitor encrypted outbound traffic for unusual data size or frequency.",
|
||||
"🔍 T1218: Signed Binary Proxy Execution - Look for legitimate binaries like msbuild.exe or regsvr32.exe being used for execution.",
|
||||
"📈 T1053: Scheduled Task/Job - Review task scheduler logs for new or altered tasks.",
|
||||
"📂 T1106: Execution via API - Look for applications calling APIs like CreateProcess or ShellExecute suspiciously.",
|
||||
"🛡️ T1055: Process Injection - Monitor for signs of one process injecting code into another, such as DLL injection.",
|
||||
"📜 T1562: Impair Defenses - Look for attempts to disable antivirus, EDR, or firewalls.",
|
||||
"🕵️ T1082: System Information Discovery - Check for commands like systeminfo or uname executed by unrecognized users.",
|
||||
"🌐 T1203: Exploitation for Client Execution - Review crash or error logs for signs of exploitation attempts.",
|
||||
"🔗 T1098: Account Manipulation - Look for changes to user accounts, such as password resets or role changes.",
|
||||
"📂 T1547: Boot or Logon Autostart Execution - Monitor registry keys and startup folders for new entries.",
|
||||
"🔍 T1210: Exploitation of Remote Services - Look for brute force or vulnerability exploitation on RDP, SMB, or SSH.",
|
||||
"📡 T1571: Non-Standard Port - Monitor traffic on uncommon ports used for potential C2 communication.",
|
||||
"🚦 T1573: Encrypted Channel - Analyze TLS traffic to detect abnormal certificate usage or destinations.",
|
||||
"📋 T1543: Create or Modify System Process - Investigate creation of new services or changes to existing ones.",
|
||||
"🖥️ T1008: Fallback Channels - Look for changes in traffic patterns during primary C2 disruption.",
|
||||
"🔒 T1217: Browser Credential Theft - Check for access to browser profile directories or credential stores.",
|
||||
"📤 T1048: Exfiltration Over Alternative Protocol - Monitor file uploads using FTP, SCP, or similar tools.",
|
||||
"🛠️ T1056: Input Capture - Look for keylogger activity or suspicious hooks into input APIs.",
|
||||
"📊 T1016: System Network Configuration Discovery - Track execution of ipconfig, ifconfig, or network enumeration tools.",
|
||||
"🚨 T1129: Shared Module - Monitor shared libraries or modules loaded from unexpected paths.",
|
||||
"📊 T1083: File and Directory Discovery - Investigate processes enumerating sensitive files or directories.",
|
||||
"📦 T1095: Non-Application Layer Protocol - Check for unusual protocols used for data exfiltration.",
|
||||
"📜 T1027: Obfuscated Files or Information - Look for scripts or files with unusual encoding or compression.",
|
||||
"🛡️ T1107: File Deletion - Monitor for tools or commands used to delete logs or forensic evidence.",
|
||||
"🔧 T1070: Indicator Removal on Host - Investigate tampering with logs, disabling of EDR, or clearing event logs.",
|
||||
"📋 T1010: Application Window Discovery - Look for processes querying open window titles or processes.",
|
||||
"📂 T1050: New Service - Investigate the creation of new services as a persistence mechanism.",
|
||||
"🚦 T1134: Access Token Manipulation - Detect unusual impersonation or privilege escalation via tokens.",
|
||||
"🌐 T1204: User Execution - Monitor for users executing attachments, scripts, or software directly from emails.",
|
||||
"🔑 T1176: Browser Extensions - Investigate unauthorized or malicious extensions added to browsers.",
|
||||
"🔧 T1074: Data Staged - Check for large volumes of data being staged in temporary directories.",
|
||||
"📤 T1560: Archive Collected Data - Look for compressed files being prepared for exfiltration.",
|
||||
"🖋️ T1486: Data Encrypted for Impact - Monitor for ransomware-like encryption of files.",
|
||||
"🕵️ T1057: Process Discovery - Investigate commands or tools listing running processes.",
|
||||
"📁 T1132: Data Encoding - Check for unusual base64, hex, or XOR encoding in files or logs.",
|
||||
"📦 T1102: Web Service - Look for suspicious use of cloud services for C2 or exfiltration.",
|
||||
"🛠️ T1059.001: PowerShell - Analyze PowerShell logs for unusual or obfuscated commands.",
|
||||
"📈 T1049: System Network Connections Discovery - Investigate commands like netstat or scripts enumerating network connections.",
|
||||
"📂 T1216: Signed Scripts - Check for scripts signed by trusted certificates but used maliciously.",
|
||||
"🌐 T1104: Multi-Stage Channels - Monitor traffic for multiple hops or relays indicative of advanced attacks.",
|
||||
"🔍 T1555: Credentials from Password Stores - Investigate access to password managers or browser-stored credentials.",
|
||||
"📤 T1074.001: Remote Data Staging - Look for large data collections transferred to external hosts.",
|
||||
"🔧 T1574: Hijack Execution Flow - Check for modifications in binary execution flow like DLL search order hijacking.",
|
||||
"🔒 T1080: Taint Shared Content - Monitor for tampered shared files or directories in collaborative environments.",
|
||||
"📈 T1090: Proxy - Investigate unexpected use of VPNs or anonymization tools.",
|
||||
"🖋️ T1497: Virtualization/Sandbox Evasion - Detect attempts to identify and evade virtualized or sandboxed environments.",
|
||||
"🚦 T1108: Redundant Access - Monitor for backdoor creation or redundant persistence mechanisms.",
|
||||
"📜 T1485: Data Destruction - Track attempts to overwrite or corrupt critical files.",
|
||||
"📂 T1542: Pre-OS Boot - Investigate bootkits or changes to boot configurations.",
|
||||
"📡 T1558: Steal or Forge Kerberos Tickets - Look for tools like Mimikatz accessing Kerberos tickets.",
|
||||
"🔗 T1020: Automated Exfiltration - Monitor scripted data transfers to external servers.",
|
||||
"📥 T1123: Audio Capture - Check for processes accessing audio devices without user consent.",
|
||||
"🛠️ T1570: Lateral Tool Transfer - Look for file transfers to other hosts via SMB, SCP, or similar protocols.",
|
||||
"📤 T1040: Network Sniffing - Detect unauthorized packet capture or network monitoring tools.",
|
||||
"🔧 T1052: Exfiltration Over Physical Medium - Investigate large file transfers to USB drives or other external media.",
|
||||
"🔍 T1052.001: Exfiltration Over Bluetooth - Monitor Bluetooth activity for unexpected file transfers.",
|
||||
"🌐 T1018: Remote System Discovery - Investigate attempts to enumerate network-connected devices.",
|
||||
"📂 T1484: Domain Policy Modification - Check for changes to group policies or domain configurations.",
|
||||
"🔒 T1548: Abuse Elevation Control Mechanism - Look for processes bypassing UAC or sudo permissions.",
|
||||
"📜 T1552: Unsecured Credentials - Investigate plaintext or weakly protected credentials in configuration files.",
|
||||
"🖥️ T1546: Event Triggered Execution - Monitor for unusual triggers tied to task scheduling or logon events.",
|
||||
"📥 T1125: Video Capture - Look for processes using webcam APIs or recording software.",
|
||||
"🔧 T1012: Query Registry - Investigate registry queries for persistence-related keys.",
|
||||
"📈 T1018: System Network Connections Discovery - Look for reconnaissance attempts enumerating active connections.",
|
||||
"📂 T1120: Peripheral Device Discovery - Check logs for unexpected enumeration of hardware devices.",
|
||||
"🛡️ T1036: Masquerading - Detect renamed executables mimicking legitimate system files.",
|
||||
"🚦 T1048: Exfiltration Over Alternative Protocol - Monitor FTP, SCP, or non-standard protocols for data transfer.",
|
||||
"📦 T1074.002: Local Data Staging - Investigate large files being prepared in temporary directories.",
|
||||
"🔗 T1021.001: Remote Desktop Protocol - Review RDP logs for unusual connection patterns.",
|
||||
"📡 T1553: Subvert Trust Controls - Monitor attempts to bypass or forge trust certificates.",
|
||||
"📥 T1039: Data from Network Shared Drive - Look for unauthorized access to shared drives.",
|
||||
"🔧 T1033: System Owner/User Discovery - Investigate processes attempting to identify logged-in users.",
|
||||
"📂 T1552.004: Container Credential Dumping - Monitor container runtime logs for credential access attempts.",
|
||||
"🔍 T1568: Dynamic Resolution - Investigate use of domain generation algorithms or DNS tunneling for C2.",
|
||||
"🖋️ T1134.003: Token Impersonation/Theft - Detect impersonation of user tokens for privilege escalation.",
|
||||
"📜 T1014: Rootkit - Look for signs of kernel module tampering or hidden processes.",
|
||||
"📤 T1089: Disabling Security Tools - Track attempts to disable security tools via registry edits or system commands.",
|
||||
"🔒 T1087: Account Discovery - Investigate attempts to enumerate user accounts in local or domain environments."
|
||||
]
|
||||
|
||||
ANSI_ESCAPE_REGEX = re.compile(r'\x1B(?:[@-Z\\-_]|\[[0-?]*[ -/]*[@-~])')
|
||||
|
||||
def get_random_tip_or_joke(clean=False):
|
||||
# Pick a random tip or joke and assign a color
|
||||
item = random.choice(TIPS + JOKES)
|
||||
item = random.choice(TIPS + JOKES + TCODES)
|
||||
formatted_item = f"{item}"
|
||||
|
||||
if clean:
|
||||
|
||||
Reference in New Issue
Block a user