From d66572f5540e71cd220f48579e719363a94662ca Mon Sep 17 00:00:00 2001
From: Matthew Iverson
Date: Thu, 28 Nov 2024 10:50:31 -0500
Subject: [PATCH] Upload files to "Modules"
---
Modules/tips.py | 143 +++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 142 insertions(+), 1 deletion(-)
diff --git a/Modules/tips.py b/Modules/tips.py
index 9e689a5..4bbbe3a 100644
--- a/Modules/tips.py
+++ b/Modules/tips.py
@@ -3,6 +3,56 @@ import re
 TIPS = [
+ "🚀 Be sure to check sysmon RuleName field for T-Codes"
+ "🛠️ Investigate newly installed software that wasn't authorized by IT.",
+ "🕵️‍♂️ Look for rogue processes running with elevated privileges.",
+ "🌍 Monitor for unusual geolocation patterns in login attempts.",
+ "📈 Analyze network traffic for unexpected spikes during off-hours.",
+ "🔗 Check for changes in DNS configurations pointing to malicious servers.",
+ "👾 Look for executables disguised as common file types like `.doc.exe`.",
+ "📂 Investigate files with unusual double extensions like `report.pdf.exe`.",
+ "🚦 Monitor ICMP traffic for unexpected usage, often used in C2.",
+ "🔧 Scan for unauthorized modifications to firewall configurations.",
+ "🕒 Investigate scheduled tasks that trigger outside working hours.",
+ "🌐 Watch for connections to known threat actor infrastructure.",
+ "📜 Look for tampered audit logs, especially around the incident timeline.",
+ "🔗 Monitor changes to symbolic links or hard links on critical files.",
+ "📤 Investigate large outbound data transfers to unknown domains.",
+ "🛡️ Look for registry changes in startup or run keys.",
+ "📡 Monitor DNS TXT record queries, which might be used for data exfiltration.",
+ "📁 Check temp directories for unexpected executable files.",
+ "💾 Look for removable media usage on high-security systems.",
+ "🖥️ Monitor remote desktop sessions for unusual activity.",
+ "📶 Watch for unusual patterns in Wi-Fi connections from endpoints.",
+ "🚀 Look for process injection techniques in legitimate binaries.",
+ "🔍 Investigate binaries running directly from `Downloads` folders.",
+ "🛠️ Review new service creations for suspicious patterns.",
+ "📜 Analyze event logs for sequences indicating privilege escalation.",
+ "🔒 Track unusual access to encryption keys or keystores.",
+ "📊 Monitor changes in user account privileges or roles.",
+ "🌐 Review outbound HTTP POST requests for signs of exfiltration.",
+ "🛡️ Scan for new 
PowerShell scripts in sensitive directories.",
+ "📂 Look for altered timestamps on key system binaries.",
+ "📡 Monitor inbound SSH connections from unknown IP addresses.",
+ "📥 Investigate bulk email activity from user accounts.",
+ "🔗 Look for network shares with changed permissions.",
+ "🚦 Track internal traffic for lateral movement across VLANs.",
+ "📋 Analyze clipboard activity for copied sensitive data.",
+ "🖋️ Examine document metadata for unexpected embedded payloads.",
+ "📈 Monitor CPU and RAM usage for resource-intensive attacks.",
+ "🕵️‍♂️ Check for unrecognized browser extensions on user systems.",
+ "🔗 Monitor SMB connections between unusual pairs of endpoints.",
+ "📂 Investigate folders with an unusually large number of hidden files.",
+ "🔧 Look for changes in application whitelisting policies.",
+ "📶 Watch for rogue access points spoofing legitimate Wi-Fi networks.",
+ "🖥️ Analyze usage of utilities like `certutil` or `powershell` for abuse.",
+ "📜 Search for anomalies in VPN connection patterns.",
+ "🚦 Monitor TCP retransmissions for hidden data channels.",
+ "🔍 Investigate suspicious `.lnk` files in commonly accessed directories.",
+ "📂 Check for unauthorized mounts of external file systems.",
+ "🌐 Review HTTP request headers for automated browsing patterns.",
+ "📡 Look for unauthorized use of tunneling protocols like SSH or RDP.",
+ "🛠️ Investigate sandbox evasion techniques in malware samples.",
 "💻 Make sure your Host Agents are not disabled by the APT/Red Team.",
 "🛡️ Ensure EDR and antivirus solutions are actively monitoring all endpoints.",
 "🔒 Monitor for unusual attempts to disable or uninstall security agents.",
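Review bot: The first added entry `"🚀 Be sure to check sysmon RuleName field for T-Codes"` has no trailing comma, so Python's implicit string-literal concatenation fuses it with the following literal into one list element ("…T-Codes🛠️ Investigate newly installed…") and the sysmon tip never appears on its own; change it to `"🚀 Be sure to check sysmon RuleName field for T-Codes",`. The TIPS list this hunk extends continues outside the hunk. Since this tip sends readers to the T-Codes, note that the TCODES list added in the second hunk lists T1018 twice under different technique names (`Remote System Discovery` and `System Network Connections Discovery`, the latter duplicating the T1049 entry) and T1048 twice, and `T1074.001: Remote Data Staging` / `T1074.002: Local Data Staging` appear swapped relative to the ATT&CK sub-technique numbering as I recall it; the IDs would be worth checking against the current matrix before analysts are pointed at them.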
@@ -243,11 +293,102 @@ JOKES = [
 "🐛 Why did the programmer leave the camping trip early? There were too many bugs."
 ]
+TCODES = [
+ "🛡️ T1003: Credential Dumping - Monitor for attempts to access LSASS or SAM files to extract credentials.",
+ "📜 T1021: Remote Services - Review logs for suspicious RDP or SSH connections from unknown sources.",
+ "🔍 T1059: Command and Scripting Interpreter - Look for PowerShell, bash, or Python commands running unusual scripts.",
+ "🖥️ T1078: Valid Accounts - Check for legitimate credentials being used in unusual ways, such as geographic anomalies.",
+ "📂 T1105: Ingress Tool Transfer - Investigate downloads of suspicious files from external IPs.",
+ "🚦 T1071: Application Layer Protocol - Monitor for unexpected use of protocols like HTTP or DNS for command and control.",
+ "📡 T1136: Create Account - Look for unauthorized user account creation on critical systems.",
+ "🛠️ T1566: Phishing - Analyze email headers and attachments for signs of phishing attempts.",
+ "🔧 T1113: Screen Capture - Investigate processes accessing screen-capturing APIs or creating screenshots.",
+ "📊 T1046: Network Service Scanning - Track scans for open ports or services from internal or external sources.",
+ "📤 T1041: Exfiltration Over C2 Channel - Monitor encrypted outbound traffic for unusual data size or frequency.",
+ "🔍 T1218: Signed Binary Proxy Execution - Look for legitimate binaries like msbuild.exe or regsvr32.exe being used for execution.",
+ "📈 T1053: Scheduled Task/Job - Review task scheduler logs for new or altered tasks.",
+ "📂 T1106: Execution via API - Look for applications calling APIs like CreateProcess or ShellExecute suspiciously.",
+ "🛡️ T1055: Process Injection - Monitor for signs of one process injecting code into another, such as DLL injection.",
+ "📜 T1562: Impair Defenses - Look for attempts to disable antivirus, EDR, or firewalls.",
+ "🕵️ T1082: System Information Discovery - Check for commands like systeminfo or uname executed by 
unrecognized users.",
+ "🌐 T1203: Exploitation for Client Execution - Review crash or error logs for signs of exploitation attempts.",
+ "🔗 T1098: Account Manipulation - Look for changes to user accounts, such as password resets or role changes.",
+ "📂 T1547: Boot or Logon Autostart Execution - Monitor registry keys and startup folders for new entries.",
+ "🔍 T1210: Exploitation of Remote Services - Look for brute force or vulnerability exploitation on RDP, SMB, or SSH.",
+ "📡 T1571: Non-Standard Port - Monitor traffic on uncommon ports used for potential C2 communication.",
+ "🚦 T1573: Encrypted Channel - Analyze TLS traffic to detect abnormal certificate usage or destinations.",
+ "📋 T1543: Create or Modify System Process - Investigate creation of new services or changes to existing ones.",
+ "🖥️ T1008: Fallback Channels - Look for changes in traffic patterns during primary C2 disruption.",
+ "🔒 T1217: Browser Credential Theft - Check for access to browser profile directories or credential stores.",
+ "📤 T1048: Exfiltration Over Alternative Protocol - Monitor file uploads using FTP, SCP, or similar tools.",
+ "🛠️ T1056: Input Capture - Look for keylogger activity or suspicious hooks into input APIs.",
+ "📊 T1016: System Network Configuration Discovery - Track execution of ipconfig, ifconfig, or network enumeration tools.",
+ "🚨 T1129: Shared Module - Monitor shared libraries or modules loaded from unexpected paths.",
+ "📊 T1083: File and Directory Discovery - Investigate processes enumerating sensitive files or directories.",
+ "📦 T1095: Non-Application Layer Protocol - Check for unusual protocols used for data exfiltration.",
+ "📜 T1027: Obfuscated Files or Information - Look for scripts or files with unusual encoding or compression.",
+ "🛡️ T1107: File Deletion - Monitor for tools or commands used to delete logs or forensic evidence.",
+ "🔧 T1070: Indicator Removal on Host - Investigate tampering with logs, disabling of EDR, or clearing event logs.",
+ "📋 
T1010: Application Window Discovery - Look for processes querying open window titles or processes.",
+ "📂 T1050: New Service - Investigate the creation of new services as a persistence mechanism.",
+ "🚦 T1134: Access Token Manipulation - Detect unusual impersonation or privilege escalation via tokens.",
+ "🌐 T1204: User Execution - Monitor for users executing attachments, scripts, or software directly from emails.",
+ "🔑 T1176: Browser Extensions - Investigate unauthorized or malicious extensions added to browsers.",
+ "🔧 T1074: Data Staged - Check for large volumes of data being staged in temporary directories.",
+ "📤 T1560: Archive Collected Data - Look for compressed files being prepared for exfiltration.",
+ "🖋️ T1486: Data Encrypted for Impact - Monitor for ransomware-like encryption of files.",
+ "🕵️ T1057: Process Discovery - Investigate commands or tools listing running processes.",
+ "📁 T1132: Data Encoding - Check for unusual base64, hex, or XOR encoding in files or logs.",
+ "📦 T1102: Web Service - Look for suspicious use of cloud services for C2 or exfiltration.",
+ "🛠️ T1059.001: PowerShell - Analyze PowerShell logs for unusual or obfuscated commands.",
+ "📈 T1049: System Network Connections Discovery - Investigate commands like netstat or scripts enumerating network connections.",
+ "📂 T1216: Signed Scripts - Check for scripts signed by trusted certificates but used maliciously.",
+ "🌐 T1104: Multi-Stage Channels - Monitor traffic for multiple hops or relays indicative of advanced attacks.",
+ "🔍 T1555: Credentials from Password Stores - Investigate access to password managers or browser-stored credentials.",
+ "📤 T1074.001: Remote Data Staging - Look for large data collections transferred to external hosts.",
+ "🔧 T1574: Hijack Execution Flow - Check for modifications in binary execution flow like DLL search order hijacking.",
+ "🔒 T1080: Taint Shared Content - Monitor for tampered shared files or directories in collaborative environments.",
+ "📈 
T1090: Proxy - Investigate unexpected use of VPNs or anonymization tools.",
+ "🖋️ T1497: Virtualization/Sandbox Evasion - Detect attempts to identify and evade virtualized or sandboxed environments.",
+ "🚦 T1108: Redundant Access - Monitor for backdoor creation or redundant persistence mechanisms.",
+ "📜 T1485: Data Destruction - Track attempts to overwrite or corrupt critical files.",
+ "📂 T1542: Pre-OS Boot - Investigate bootkits or changes to boot configurations.",
+ "📡 T1558: Steal or Forge Kerberos Tickets - Look for tools like Mimikatz accessing Kerberos tickets.",
+ "🔗 T1020: Automated Exfiltration - Monitor scripted data transfers to external servers.",
+ "📥 T1123: Audio Capture - Check for processes accessing audio devices without user consent.",
+ "🛠️ T1570: Lateral Tool Transfer - Look for file transfers to other hosts via SMB, SCP, or similar protocols.",
+ "📤 T1040: Network Sniffing - Detect unauthorized packet capture or network monitoring tools.",
+ "🔧 T1052: Exfiltration Over Physical Medium - Investigate large file transfers to USB drives or other external media.",
+ "🔍 T1052.001: Exfiltration Over Bluetooth - Monitor Bluetooth activity for unexpected file transfers.",
+ "🌐 T1018: Remote System Discovery - Investigate attempts to enumerate network-connected devices.",
+ "📂 T1484: Domain Policy Modification - Check for changes to group policies or domain configurations.",
+ "🔒 T1548: Abuse Elevation Control Mechanism - Look for processes bypassing UAC or sudo permissions.",
+ "📜 T1552: Unsecured Credentials - Investigate plaintext or weakly protected credentials in configuration files.",
+ "🖥️ T1546: Event Triggered Execution - Monitor for unusual triggers tied to task scheduling or logon events.",
+ "📥 T1125: Video Capture - Look for processes using webcam APIs or recording software.",
+ "🔧 T1012: Query Registry - Investigate registry queries for persistence-related keys.",
+ "📈 T1018: System Network Connections Discovery - Look for reconnaissance 
attempts enumerating active connections.",
+ "📂 T1120: Peripheral Device Discovery - Check logs for unexpected enumeration of hardware devices.",
+ "🛡️ T1036: Masquerading - Detect renamed executables mimicking legitimate system files.",
+ "🚦 T1048: Exfiltration Over Alternative Protocol - Monitor FTP, SCP, or non-standard protocols for data transfer.",
+ "📦 T1074.002: Local Data Staging - Investigate large files being prepared in temporary directories.",
+ "🔗 T1021.001: Remote Desktop Protocol - Review RDP logs for unusual connection patterns.",
+ "📡 T1553: Subvert Trust Controls - Monitor attempts to bypass or forge trust certificates.",
+ "📥 T1039: Data from Network Shared Drive - Look for unauthorized access to shared drives.",
+ "🔧 T1033: System Owner/User Discovery - Investigate processes attempting to identify logged-in users.",
+ "📂 T1552.004: Container Credential Dumping - Monitor container runtime logs for credential access attempts.",
+ "🔍 T1568: Dynamic Resolution - Investigate use of domain generation algorithms or DNS tunneling for C2.",
+ "🖋️ T1134.003: Token Impersonation/Theft - Detect impersonation of user tokens for privilege escalation.",
+ "📜 T1014: Rootkit - Look for signs of kernel module tampering or hidden processes.",
+ "📤 T1089: Disabling Security Tools - Track attempts to disable security tools via registry edits or system commands.",
+ "🔒 T1087: Account Discovery - Investigate attempts to enumerate user accounts in local or domain environments."
+]
+
 ANSI_ESCAPE_REGEX = re.compile(r'\x1B(?:[@-Z\\-_]|\[[0-?]*[ -/]*[@-~])')
 def get_random_tip_or_joke(clean=False):
 # Pick a random tip or joke and assign a color
- item = random.choice(TIPS + JOKES)
+ item = random.choice(TIPS + JOKES + TCODES)
 formatted_item = f"{item}"
 if clean: