Upload files to "Modules/Knowledge/SANS"

2024-11-30 00:53:02 -05:00
parent 74c0aaafcf
commit fb30aeb51f
8 changed files with 302 additions and 0 deletions


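--- /dev/null
+++ b/UNKNOWN-PATH-file1-of-8
@@ -0,0 +1,59 @@
+def get_dfir_content():
+return [
+{
+"title": "PICERL Framework",
+"content": """
+- Phases: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned.
+- Example: Containment using decoys or monitoring tools.
+""",
+"resources": [
+"https://www.sans.org/",
+"https://www.cisa.gov/"
+]
+},
+{
+"title": "Containment Challenges",
+"content": """
+- Rapid containment avoids losing critical intelligence.
+- No containment leads to prolonged adversary presence (whack-a-mole).
+""",
+"resources": [
+"https://www.ncsc.gov.uk/",
+"https://attack.mitre.org/"
+]
+},
+{
+"title": "Hunt vs. Reactive Teams",
+"content": """
+- Reactive (Incident Response): Firefighting approach, putting out fires.
+- Hunt Teams: Proactive, leveraging threat intelligence to predict and disrupt.
+""",
+"resources": [
+"https://www.fireeye.com/",
+"https://www.mandiant.com/"
+]
+},
+{
+"title": "Detection Engineering",
+"content": """
+- Focus on enabling actionable and collaborative processes.
+- Outsource or automate repetitive tasks while maintaining oversight of critical alerts.
+""",
+"resources": [
+"https://redcanary.com/",
+"https://www.crowdstrike.com/"
+]
+},
+{
+"title": "Advanced Forensic Tools",
+"content": """
+- Volatility: Memory analysis.
+- Splunk and Loggly: Advanced log analysis and monitoring.
+- MFT Analysis: Tools like MFTECmd for NTFS evidence.
+""",
+"resources": [
+"https://volatilityfoundation.org/",
+"https://www.splunk.com/"
+]
+}
+]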
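Review bot: `get_dfir_content` is the only loader in this commit without a docstring, and its name differs from the `get_content` that the other seven files define; if the module loader resolves the function by a fixed name this file would be skipped, so consider adding `get_content = get_dfir_content` (or renaming) together with a docstring such as `"""Returns structured content for DFIR process and tooling notes."""`. The first bullet of the 'Containment Challenges' entry reads as inverted: taken with the whack-a-mole bullet that follows it, the intended point appears to be that containing too early can lose intelligence about the adversary, not that rapid containment avoids losing it — worth confirming against the course notes before this is rendered to readers. The rendered view shows the function body at column 0; presumably the committed file is indented, but that cannot be verified from this page.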


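--- /dev/null
+++ b/UNKNOWN-PATH-file2-of-8
@@ -0,0 +1,33 @@
+def get_content():
+"""
+Returns structured content for client-side exploitation techniques.
+"""
+return [
+{
+"title": "Common Client-Side Attack Vectors",
+"content": """
+- Web browsers, browser extensions.
+- Document and image rendering applications.
+"""
+},
+{
+"title": "Common File Format Attacks",
+"content": """
+- Exploits weaknesses in how applications handle file requests.
+- Examples: PDF, DOC(X), RTF, WMF.
+"""
+},
+{
+"title": "Malvertising",
+"content": """
+- Injecting malicious code into trusted websites.
+"""
+},
+{
+"title": "Phishing",
+"content": """
+- Goals: Click a link, open an attachment.
+- Vectors: Emails with malicious attachments (e.g., PDF, DOC(X), WMF).
+"""
+}
+]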
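Review bot: The 'Malvertising' entry describes injecting malicious code into trusted websites, which is the watering-hole/compromised-site pattern; malvertising specifically reaches the user through legitimate advertising networks displayed on those sites, so a wording such as `- Malicious content delivered through ad networks served on otherwise trusted websites.` would be more accurate. Separately, the entries in this file — and in the event-log, NTFS, GMON, case-study, memory-forensics and network-defense files of this commit — carry only `title` and `content`, whereas every entry in the DFIR file also carries `resources`; a consumer that indexes `entry["resources"]` would raise `KeyError` on these, so either add `"resources": []` to each entry or document the key as optional. Which of the two is right depends on the loader, which is not part of this commit.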


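--- /dev/null
+++ b/UNKNOWN-PATH-file3-of-8
@@ -0,0 +1,57 @@
+def get_content():
+"""
+Returns structured content for Windows event log analysis.
+"""
+return [
+{
+"title": "Important Event IDs",
+"content": """
+- Logon Events: 4624, 4634, 4672.
+- Administrative Shares: 5140.
+- RDP Session Events: 4778, 4779.
+"""
+},
+{
+"title": "PowerShell Logs",
+"content": """
+- 4104: Script block logging.
+- Transcript logs: Logs all commands and their output.
+"""
+},
+{
+"title": "System Logs for Analysis",
+"content": """
+- Security Logs: Detect process execution.
+- Application Logs: Identify crashes and anomalies.
+"""
+},
+{
+"title": "Key Event IDs",
+"content": """
+- 4624: Logon method (e.g., console, network, RDP).
+- 4672: Logon with admin privileges.
+- 5140: Identifies administrative shares potentially mounted by attackers.
+"""
+},
+{
+"title": "RDP Events",
+"content": """
+- TerminalServices-RDPClient: Logs destination hostname/IP for outgoing RDP sessions.
+- 4778/4779: Tracks reconnect and disconnect events, including remote machine IP and hostname.
+"""
+},
+{
+"title": "System and Application Logs",
+"content": """
+- Useful for identifying malware execution through warning and error events.
+- Security Logs: Can track process execution, file access, and PsExec usage.
+"""
+},
+{
+"title": "PowerShell Event Logs",
+"content": """
+- Event 4104: Logs PowerShell script block execution.
+- Transcript logs: Capture all commands typed and their output.
+"""
+}
+]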
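Review bot: Event 4634 in the 'Important Event IDs' entry is the account-logoff event, so grouping it under "Logon Events" is misleading; the bullet should read `- Logon/Logoff Events: 4624 (logon), 4634 (logoff), 4672 (special privileges assigned to new logon).` so an analyst does not read a logoff as a logon. The file also contains three near-duplicate pairs — 'Important Event IDs'/'Key Event IDs', 'PowerShell Logs'/'PowerShell Event Logs' and 'System Logs for Analysis'/'System and Application Logs' — which whatever renders this list will show twice; merging each pair into one entry loses no information and leaves four entries. The 4672 bullet in 'Key Event IDs' could likewise say "special privileges assigned" rather than "admin privileges", since the event fires for any sensitive privilege, not only administrators.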


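--- /dev/null
+++ b/UNKNOWN-PATH-file4-of-8
@@ -0,0 +1,35 @@
+def get_content():
+"""
+Returns structured content for NTFS, journaling, and anti-forensics artifacts.
+"""
+return [
+{
+"title": "NTFS Metadata and Attributes",
+"content": """
+- MFT Attributes: Tracks MAC timestamps, $File_Name, $Data (resident or non-resident).
+- $LogFile and $UsnJrnl: Log file changes and deletions.
+"""
+},
+{
+"title": "Timeline Analysis",
+"content": """
+- $SI and $FN timestamps: Can indicate timestomping or anti-forensic techniques.
+- Exiftool: Verifies discrepancies in timestamps and metadata.
+"""
+},
+{
+"title": "Advanced Analysis Tools",
+"content": """
+- LogfileParser: Extracts NTFS transactional logs.
+- Mftecmd: Parses MFT entries and supports Volume Shadow Copies.
+- Icat: Extracts data streams like Zone.Identifier for ADS.
+"""
+},
+{
+"title": "Deleted File Evidence",
+"content": """
+- MFT metadata persists even after deletion.
+- $INDEX_ROOT and $INDEX_ALLOCATION track directory changes.
+"""
+}
+]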
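Review bot: The 'Timeline Analysis' entry uses `$SI` and `$FN` without introducing them, while the first entry spells the latter `$File_Name`; spelling both attributes out once, `- $STANDARD_INFORMATION ($SI) and $FILE_NAME ($FN) timestamps: a mismatch between the two can indicate timestomping or other anti-forensic techniques.`, makes the module self-contained for a reader who has not seen the course material. Tool naming is also inconsistent with the DFIR file in this commit, which writes `MFTECmd` where this file has `Mftecmd`; since these strings are rendered to readers, pick one spelling. The $LogFile/$UsnJrnl bullet could say "record" rather than "log" to avoid the word being read as the file's name, but that is cosmetic.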


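--- /dev/null
+++ b/UNKNOWN-PATH-file5-of-8
@@ -0,0 +1,34 @@
+def get_content():
+"""
+Returns structured content for GMON security insights.
+"""
+return [
+{
+"title": "511.1.1 - Botnet Evolution",
+"content": """
+- Botnets mark the transition from traditional to modern attack techniques.
+- Emphasis on denying adversaries' goals by understanding key organizational priorities.
+"""
+},
+{
+"title": "511.1.4 - New Security Paradigm",
+"content": """
+- Detect adversaries and respond rapidly.
+- Define desired outcomes to act effectively.
+"""
+},
+{
+"title": "511.1.5 - Decline of Server Exploits",
+"content": """
+- Modern attacks favor client-side over server-side exploits.
+- Early malware primarily focused on spreading, with newer approaches targeting credentials and persistence.
+"""
+},
+{
+"title": "511.2.1 - People and Processes",
+"content": """
+- Emphasizing processes over tools: Prevent -> Detect -> Respond.
+- Telemetry and behavioral analysis as foundational elements of modern security.
+"""
+}
+]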


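--- /dev/null
+++ b/UNKNOWN-PATH-file6-of-8
@@ -0,0 +1,25 @@
+def get_content():
+"""
+Returns structured content for case studies and specific incidents.
+"""
+return [
+{
+"title": "Golden Ticket Attack",
+"content": """
+- Resolution: Change `krbtgt` account password twice.
+"""
+},
+{
+"title": "SQL Injection Defense",
+"content": """
+- Parameterized queries as the most effective mitigation.
+"""
+},
+{
+"title": "Cloud Security Issues",
+"content": """
+- Misconfigured buckets: Files can be enumerated and downloaded.
+- IMDSv2: Mitigates SSRF exploitation.
+"""
+}
+]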
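Review bot: The Golden Ticket resolution bullet gives the krbtgt double reset but omits the constraint that makes it safe: the two resets must be separated by enough time for the new password to replicate to every domain controller, otherwise existing service tickets fail domain-wide and the incident turns into an outage. Consider extending it to `- Resolution: Reset the krbtgt account password twice, allowing full AD replication between the two resets, and re-validate that no forged tickets remain.` The 'Cloud Security Issues' entry would be stronger if the bucket bullet named the control as well as the symptom, e.g. `- Misconfigured buckets: Files can be enumerated and downloaded; enforce private ACLs and block public access at the account level.`.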


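--- /dev/null
+++ b/UNKNOWN-PATH-file7-of-8
@@ -0,0 +1,32 @@
+def get_content():
+"""
+Returns structured content for memory forensics and tools.
+"""
+return [
+{
+"title": "Live Memory Capture Tools",
+"content": """
+- WinPmem: Memory acquisition.
+- Magnet RAM Capture: Free tool for acquiring live memory.
+- Belkasoft RAM Capturer: Simplifies RAM imaging.
+- F-Response: Advanced forensic data acquisition.
+"""
+},
+{
+"title": "Memory Artifacts",
+"content": """
+- Hibernation Files: Compressed RAM image located at %SystemDrive%\\hiberfil.sys.
+- Page File/Swap Space: Located at %SystemDrive%\\pagefile.sys or %SystemDrive%\\swapfile.sys.
+- Kernel-Mode Dump Files: Located at %SystemRoot%\\MEMORY.DMP.
+"""
+},
+{
+"title": "Volatility Plugins",
+"content": """
+- PsList/PsScan: Identifies processes.
+- Malfind: Scans process memory sections for hidden code.
+- LdrModules: Detects unlinked DLLs or injected code.
+- SSDT: Identifies hooked system API functions.
+"""
+}
+]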
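Review bot: The three Windows paths in the 'Memory Artifacts' entry rely on doubled backslashes inside an ordinary triple-quoted string; that renders correctly, but the next edit that writes `\h` or `\M` with a single backslash will silently change the text rather than fail. Opening that block as `"content": r"""` and writing the paths with single backslashes states the intent directly and survives such edits. The 'Volatility Plugins' entry does not say which Volatility major version the plugin names refer to; since the DFIR file in this commit links volatilityfoundation.org, a short "Volatility 2 names" or "Volatility 3 names" note in the title would save readers a lookup, assuming the course material fixes the version.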


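--- /dev/null
+++ b/UNKNOWN-PATH-file8-of-8
@@ -0,0 +1,27 @@
+def get_content():
+"""
+Returns structured content for network defense strategies and tools.
+"""
+return [
+{
+"title": "Web Proxy Types",
+"content": """
+- Open Source: Squid, Nginx, Apache Traffic Server.
+- Commercial: Symantec Web Filter, Forcepoint, Zscaler.
+"""
+},
+{
+"title": "NetFlow and IPFIX",
+"content": """
+- Session data for L3/L4 troubleshooting.
+- Enables rapid detection without full packet captures.
+"""
+},
+{
+"title": "SOC Essentials",
+"content": """
+- Functions: Detection, Auditing, Response, Operations/Maintenance.
+- Outsourcing vs. internal teams: Benefits and trade-offs.
+"""
+}
+]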