diff --git a/Modules/tips.py b/Modules/tips.py
index 7abf4fe..eaf556b 100644
--- a/Modules/tips.py
+++ b/Modules/tips.py
@@ -93,7 +93,97 @@ TIPS = [
 "⚙️ Investigate mismatches in user-agent strings in web traffic.",
 "🔍 Look for attackers leaving test artifacts like `1.txt` or `test.ps1`.",
 "📜 Track file hashes for unauthorized changes to key binaries.",
- "🚦 Review network traffic for abnormal TTL values."
+ "🚦 Review network traffic for abnormal TTL values.",
+ "🛡️ Identify rare parent-child process relationships in your environment.",
+ "🔍 Investigate long-running processes, especially with elevated privileges.",
+ "📊 Analyze PowerShell logs for encoded or obfuscated commands.",
+ "🌐 Review TLS/SSL traffic for connections to self-signed certificates.",
+ "📁 Monitor for temporary files with sensitive data remnants.",
+ "🚦 Analyze unusual ICMP traffic patterns, often used in C2 communications.",
+ "🔗 Watch for new shares created on file servers.",
+ "🕵️‍♂️ Search for suspicious DNS TXT record queries.",
+ "🔍 Investigate commands executed by `cmd.exe` or `bash`.",
+ "🖥️ Look for abnormal usage of tools like `certutil` or `wget`.",
+ "🔓 Monitor for attempted privilege escalation via sudo or su.",
+ "📂 Search for files with names mimicking system executables.",
+ "🚨 Look for multiple simultaneous logins to a single account.",
+ "🛡️ Track binaries executed directly from the browser download folder.",
+ "🌐 Monitor HTTP POST requests to unknown domains.",
+ "📊 Analyze VPN connections for anomalies in duration or frequency.",
+ "🔍 Check for DLLs loaded from unexpected directories.",
+ "📂 Monitor `.tmp` files in system directories.",
+ "🖋️ Look for encoded payloads in commonly abused file formats like `.docx`.",
+ "🚦 Watch for network traffic containing known C2 patterns.",
+ "🔧 Investigate changes to Local Security Authority (LSA) configuration.",
+ "📈 Analyze system uptime for anomalies indicating potential reboots.",
+ "🌐 Monitor unusual redirects in web server logs.",
+ "📂 Investigate changes to `/etc/passwd` or SAM files.",
+ "🛡️ Look for unauthorized modifications to PAM modules.",
+ "🖋️ Examine email forwarding rules set by attackers for persistence.",
+ "🚦 Analyze protocol mismatches in encrypted traffic.",
+ "🔍 Search for executables or scripts hidden with spaces or special characters.",
+ "📂 Look for ZIP/RAR archives with embedded malicious scripts.",
+ "🌐 Monitor user-agent strings for indicators of automation.",
+ "🚦 Watch for port scanning or unusual sequential connections.",
+ "🔒 Track processes that directly modify system logs.",
+ "📂 Monitor suspicious changes to file ownership or permissions.",
+ "🛡️ Investigate suspicious network shares with modified permissions.",
+ "🚀 Look for scripts invoking unauthorized API calls.",
+ "🔧 Monitor changes to firewall rules allowing external access.",
+ "🌍 Correlate suspicious geolocation patterns in remote logins.",
+ "🖥️ Analyze command history for unusual usage.",
+ "📤 Watch for data egress in unconventional formats.",
+ "📊 Investigate mismatches between file metadata and actual content.",
+ "🔍 Search for execution of commands like `nc` or `netcat`.",
+ "🚨 Track endpoints with repeated failed DNS lookups.",
+ "📂 Monitor files compressed using password protection.",
+ "📡 Look for inbound SSH connections from unknown sources.",
+ "🖋️ Investigate office documents with unusual macros.",
+ "🚦 Watch for packet size anomalies in encrypted traffic.",
+ "🔍 Analyze event logs for attempts to tamper with security settings.",
+ "🛡️ Monitor software installations from untrusted certificates.",
+ "📥 Investigate repeated connections to IPs without associated domains.",
+ "📊 Look for binary downloads from suspicious URLs.",
+ "🕵️‍♂️ Monitor registry changes related to persistence mechanisms.",
+ "🛠️ Analyze anomalous changes in group memberships.",
+ "📂 Investigate tampered antivirus exclusions or policies.",
+ "📈 Search for inconsistencies in time-stamped files.",
+ "🔧 Monitor default admin shares for unusual access.",
+ "📜 Look for signs of log tampering in security audit logs.",
+ "📡 Check SMB traffic for unauthorized access attempts.",
+ "🖋️ Investigate PDFs with hidden payloads or JavaScript.",
+ "🌐 Analyze web server headers for outdated or misconfigured software.",
+ "📊 Look for modified or unexpected system images.",
+ "🖥️ Monitor endpoint connections to public paste sites.",
+ "🚦 Watch for stealthy TCP retransmissions in packet captures.",
+ "📂 Investigate newly created service accounts with high privileges.",
+ "🔧 Analyze processes creating non-standard network connections.",
+ "📈 Monitor CPU and memory spikes during off-hours.",
+ "🚀 Investigate scripts executed from uncommon locations.",
+ "🌍 Correlate network traffic against threat intelligence sources.",
+ "📤 Look for encrypted or compressed outbound data at odd times.",
+ "📂 Monitor endpoints for large, unexpected file deletions.",
+ "📡 Look for reverse shell attempts in network logs.",
+ "🛡️ Investigate unusual browser plugins or extensions.",
+ "📊 Search for unexplained registry run keys.",
+ "🔧 Investigate unusual file naming conventions in backup locations.",
+ "🖥️ Monitor desktop activity for unscheduled screenshots or keylogging.",
+ "📜 Investigate systems with missing or altered critical files.",
+ "🚦 Correlate failed authentications with brute-force patterns.",
+ "📂 Analyze temporary folders for suspicious script files.",
+ "🔍 Look for attackers testing connectivity via `ping` or traceroute.",
+ "📊 Track spikes in file-sharing activity.",
+ "🌐 Review web traffic logs for possible data leakage.",
+ "🖋️ Investigate documents with high entropy in their metadata.",
+ "📤 Look for staging directories with suspicious files.",
+ "🕵️‍♂️ Monitor access logs for unauthorized application startups.",
+ "📂 Investigate tampered scheduled jobs or cron entries.",
+ "🛡️ Analyze unauthorized password resets or account creations.",
+ "🔧 Search for hidden tasks in task scheduler or cron jobs.",
+ "📡 Investigate unusual or repeated ARP requests.",
+ "🌍 Correlate IoT device traffic patterns with known exploits.",
+ "🚦 Monitor DNS requests with large or binary-like payloads.",
+ "📈 Look for repeated HTTP 401 (Unauthorized) responses."
 ] # Cybersecurity jokes
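Review bot: The new last element `"📈 Look for repeated HTTP 401 (Unauthorized) responses."` again omits the trailing comma, which is exactly what the `-`/`+` pair at the top of this hunk had to repair for the previous last entry; writing it as `"📈 Look for repeated HTTP 401 (Unauthorized) responses.",` keeps the next append to a one-line diff. The entries `"📂 Investigate tampered scheduled jobs or cron entries."` and `"🔧 Search for hidden tasks in task scheduler or cron jobs."` cover the same detection idea and could be merged or differentiated (tampering with existing jobs versus newly created hidden ones). The `TIPS` list opens before this hunk, so the list header is outside the visible change.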