From fb30aeb51fc38798335b7dd2296a2a579e9c8277 Mon Sep 17 00:00:00 2001
From: Matthew Iverson
Date: Sat, 30 Nov 2024 00:53:02 -0500
Subject: [PATCH] Upload files to "Modules/Knowledge/SANS"

---
 Modules/Knowledge/SANS/DFIR.py | 59 +++++++++++++++++++
 .../Knowledge/SANS/client_side_exploits.py | 33 +++++++++++
 Modules/Knowledge/SANS/event_analysis.py | 57 ++++++++++++++++++
 .../Knowledge/SANS/file_system_artifacts.py | 35 +++++++++++
 Modules/Knowledge/SANS/gmon.py | 34 +++++++++++
 .../Knowledge/SANS/incident_case_studies.py | 25 ++++++++
 .../Knowledge/SANS/memory_forensics_tools.py | 32 ++++++++++
 Modules/Knowledge/SANS/network_defense.py | 27 +++++++++
 8 files changed, 302 insertions(+)
 create mode 100644 Modules/Knowledge/SANS/DFIR.py
 create mode 100644 Modules/Knowledge/SANS/client_side_exploits.py
 create mode 100644 Modules/Knowledge/SANS/event_analysis.py
 create mode 100644 Modules/Knowledge/SANS/file_system_artifacts.py
 create mode 100644 Modules/Knowledge/SANS/gmon.py
 create mode 100644 Modules/Knowledge/SANS/incident_case_studies.py
 create mode 100644 Modules/Knowledge/SANS/memory_forensics_tools.py
 create mode 100644 Modules/Knowledge/SANS/network_defense.py

diff --git a/Modules/Knowledge/SANS/DFIR.py b/Modules/Knowledge/SANS/DFIR.py
new file mode 100644
index 0000000..bf3285e
--- /dev/null
+++ b/Modules/Knowledge/SANS/DFIR.py
@@ -0,0 +1,59 @@
+def get_dfir_content():
+ return [
+ {
+ "title": "PICERL Framework",
+ "content": """
+- Phases: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned.
+- Example: Containment using decoys or monitoring tools.
+ """,
+ "resources": [
+ "https://www.sans.org/",
+ "https://www.cisa.gov/"
+ ]
+ },
+ {
+ "title": "Containment Challenges",
+ "content": """
+- Rapid containment avoids losing critical intelligence.
+- No containment leads to prolonged adversary presence (whack-a-mole).
+ """,
+ "resources": [
+ "https://www.ncsc.gov.uk/",
+ "https://attack.mitre.org/"
+ ]
+ },
+ {
+ "title": "Hunt vs. Reactive Teams",
+ "content": """
+- Reactive (Incident Response): Firefighting approach, putting out fires.
+- Hunt Teams: Proactive, leveraging threat intelligence to predict and disrupt.
+ """,
+ "resources": [
+ "https://www.fireeye.com/",
+ "https://www.mandiant.com/"
+ ]
+ },
+ {
+ "title": "Detection Engineering",
+ "content": """
+- Focus on enabling actionable and collaborative processes.
+- Outsource or automate repetitive tasks while maintaining oversight of critical alerts.
+ """,
+ "resources": [
+ "https://redcanary.com/",
+ "https://www.crowdstrike.com/"
+ ]
+ },
+ {
+ "title": "Advanced Forensic Tools",
+ "content": """
+- Volatility: Memory analysis.
+- Splunk and Loggly: Advanced log analysis and monitoring.
+- MFT Analysis: Tools like MFTECmd for NTFS evidence.
+ """,
+ "resources": [
+ "https://volatilityfoundation.org/",
+ "https://www.splunk.com/"
+ ]
+ }
+ ]
diff --git a/Modules/Knowledge/SANS/client_side_exploits.py b/Modules/Knowledge/SANS/client_side_exploits.py
new file mode 100644
index 0000000..3c325d7
--- /dev/null
+++ b/Modules/Knowledge/SANS/client_side_exploits.py
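Review bot: The entry point here is `get_dfir_content()`, while every other module in this commit (client_side_exploits.py, event_analysis.py, file_system_artifacts.py, gmon.py, incident_case_studies.py, memory_forensics_tools.py, network_defense.py) exposes `get_content()`, so a loader that walks the package by a common name will skip this file; rename it, or add the alias `get_content = get_dfir_content` after the definition. This is also the only module without a docstring and the only one whose entries carry a `"resources"` key, so consumers must treat that key as optional (`entry.get("resources", [])`); a one-line docstring stating the schema, such as `"""DFIR notes: each entry has "title", "content" and (in this module only) "resources"."""`, would make that explicit. Every `"content"` literal in this and the other seven modules starts with a newline and ends with the indentation before the closing `"""`, so rendered output carries stray blank lines; wrapping each value as `textwrap.dedent(...).strip()` at the producer side would fix that once per module.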
@@ -0,0 +1,33 @@
+def get_content():
+ """
+ Returns structured content for client-side exploitation techniques.
+ """
+ return [
+ {
+ "title": "Common Client-Side Attack Vectors",
+ "content": """
+- Web browsers, browser extensions.
+- Document and image rendering applications.
+ """
+ },
+ {
+ "title": "Common File Format Attacks",
+ "content": """
+- Exploits weaknesses in how applications handle file requests.
+- Examples: PDF, DOC(X), RTF, WMF.
+ """
+ },
+ {
+ "title": "Malvertising",
+ "content": """
+- Injecting malicious code into trusted websites.
+ """
+ },
+ {
+ "title": "Phishing",
+ "content": """
+- Goals: Click a link, open an attachment.
+- Vectors: Emails with malicious attachments (e.g., PDF, DOC(X), WMF).
+ """
+ }
+ ]
diff --git a/Modules/Knowledge/SANS/event_analysis.py b/Modules/Knowledge/SANS/event_analysis.py
new file mode 100644
index 0000000..1b5155c
--- /dev/null
+++ b/Modules/Knowledge/SANS/event_analysis.py
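Review bot: The `"Malvertising"` entry describes a different technique than its title: "Injecting malicious code into trusted websites" is a watering-hole or site-compromise description, whereas malvertising reaches users through legitimate advertising networks displayed on sites that were never themselves compromised. Suggested bullet: `- Malicious content delivered through legitimate ad networks, so it appears on trusted sites without those sites being compromised.` The `"Common File Format Attacks"` bullet "handle file requests" reads as a network concept; the weakness being described is parsing, so `- Exploits weaknesses in how applications parse file formats.` is clearer. Since this is a knowledge module for defenders, each entry would benefit from one mitigation line (browser/extension patching, attachment sandboxing, ad blocking at the proxy) so the list is actionable rather than descriptive.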
@@ -0,0 +1,57 @@
+def get_content():
+ """
+ Returns structured content for Windows event log analysis.
+ """
+ return [
+ {
+ "title": "Important Event IDs",
+ "content": """
+- Logon Events: 4624, 4634, 4672.
+- Administrative Shares: 5140.
+- RDP Session Events: 4778, 4779.
+ """
+ },
+ {
+ "title": "PowerShell Logs",
+ "content": """
+- 4104: Script block logging.
+- Transcript logs: Logs all commands and their output.
+ """
+ },
+ {
+ "title": "System Logs for Analysis",
+ "content": """
+- Security Logs: Detect process execution.
+- Application Logs: Identify crashes and anomalies.
+ """
+ },
+ {
+ "title": "Key Event IDs",
+ "content": """
+- 4624: Logon method (e.g., console, network, RDP).
+- 4672: Logon with admin privileges.
+- 5140: Identifies administrative shares potentially mounted by attackers.
+ """
+ },
+ {
+ "title": "RDP Events",
+ "content": """
+- TerminalServices-RDPClient: Logs destination hostname/IP for outgoing RDP sessions.
+- 4778/4779: Tracks reconnect and disconnect events, including remote machine IP and hostname.
+ """
+ },
+ {
+ "title": "System and Application Logs",
+ "content": """
+- Useful for identifying malware execution through warning and error events.
+- Security Logs: Can track process execution, file access, and PsExec usage.
+ """
+ },
+ {
+ "title": "PowerShell Event Logs",
+ "content": """
+- Event 4104: Logs PowerShell script block execution.
+- Transcript logs: Capture all commands typed and their output.
+ """
+ }
+ ]
diff --git a/Modules/Knowledge/SANS/file_system_artifacts.py b/Modules/Knowledge/SANS/file_system_artifacts.py
new file mode 100644
index 0000000..31aabf4
--- /dev/null
+++ b/Modules/Knowledge/SANS/file_system_artifacts.py
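Review bot: The `"Important Event IDs"` and `"Key Event IDs"` entries, and likewise `"PowerShell Logs"` and `"PowerShell Event Logs"`, repeat the same items (4624/4672/5140; 4104 and transcripts) with slightly different wording, so a reader meets each fact twice and any later correction has to be made in two places; merge each pair into a single entry. Two bullets also need qualifying: 4104 records exist only when Script Block Logging is enabled by policy, so `- 4104: Script block logging (only emitted when Script Block Logging is enabled).`; and 4624 does not log a "method" as such but a Logon Type field, so `- 4624: Successful logon; the Logon Type field distinguishes console (2), network (3) and RDP (10).` The `"Security Logs: Detect process execution"` bullet should say that this depends on process-creation auditing (4688) being turned on, since it is off by default.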
@@ -0,0 +1,35 @@
+def get_content():
+ """
+ Returns structured content for NTFS, journaling, and anti-forensics artifacts.
+ """
+ return [
+ {
+ "title": "NTFS Metadata and Attributes",
+ "content": """
+- MFT Attributes: Tracks MAC timestamps, $File_Name, $Data (resident or non-resident).
+- $LogFile and $UsnJrnl: Log file changes and deletions.
+ """
+ },
+ {
+ "title": "Timeline Analysis",
+ "content": """
+- $SI and $FN timestamps: Can indicate timestomping or anti-forensic techniques.
+- Exiftool: Verifies discrepancies in timestamps and metadata.
+ """
+ },
+ {
+ "title": "Advanced Analysis Tools",
+ "content": """
+- LogfileParser: Extracts NTFS transactional logs.
+- Mftecmd: Parses MFT entries and supports Volume Shadow Copies.
+- Icat: Extracts data streams like Zone.Identifier for ADS.
+ """
+ },
+ {
+ "title": "Deleted File Evidence",
+ "content": """
+- MFT metadata persists even after deletion.
+- $INDEX_ROOT and $INDEX_ALLOCATION track directory changes.
+ """
+ }
+ ]
diff --git a/Modules/Knowledge/SANS/gmon.py b/Modules/Knowledge/SANS/gmon.py
new file mode 100644
index 0000000..32bbfb8
--- /dev/null
+++ b/Modules/Knowledge/SANS/gmon.py
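Review bot: The tool is spelled `Mftecmd` in the `"Advanced Analysis Tools"` entry but `MFTECmd` in DFIR.py's `"Advanced Forensic Tools"` entry; these strings are user-facing and likely to be searched, so settle on one spelling: `- MFTECmd: Parses MFT entries and supports Volume Shadow Copies.` The `"Timeline Analysis"` bullet on `$SI`/`$FN` would be more useful if it said what the discrepancy means — `$SI` timestamps are settable from user mode while `$FN` timestamps are maintained by the kernel, so a `$SI` creation time earlier than the `$FN` one is the usual timestomping indicator (a rename or move can also shift `$FN`, so it is a lead, not proof): `- $SI vs. $FN timestamps: $SI is user-modifiable, $FN is kernel-set; $SI earlier than $FN typically suggests timestomping.` The `"NTFS Metadata and Attributes"` bullet says "MAC timestamps", but NTFS keeps four per attribute (modified, accessed, MFT-entry changed, created), so "MACB timestamps" would be accurate.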
@@ -0,0 +1,34 @@
+def get_content():
+ """
+ Returns structured content for GMON security insights.
+ """
+ return [
+ {
+ "title": "511.1.1 - Botnet Evolution",
+ "content": """
+- Botnets mark the transition from traditional to modern attack techniques.
+- Emphasis on denying adversaries' goals by understanding key organizational priorities.
+ """
+ },
+ {
+ "title": "511.1.4 - New Security Paradigm",
+ "content": """
+- Detect adversaries and respond rapidly.
+- Define desired outcomes to act effectively.
+ """
+ },
+ {
+ "title": "511.1.5 - Decline of Server Exploits",
+ "content": """
+- Modern attacks favor client-side over server-side exploits.
+- Early malware primarily focused on spreading, with newer approaches targeting credentials and persistence.
+ """
+ },
+ {
+ "title": "511.2.1 - People and Processes",
+ "content": """
+- Emphasizing processes over tools: Prevent -> Detect -> Respond.
+- Telemetry and behavioral analysis as foundational elements of modern security.
+ """
+ }
+ ]
diff --git a/Modules/Knowledge/SANS/incident_case_studies.py b/Modules/Knowledge/SANS/incident_case_studies.py
new file mode 100644
index 0000000..9ed2068
--- /dev/null
+++ b/Modules/Knowledge/SANS/incident_case_studies.py
@@ -0,0 +1,25 @@
+def get_content():
+ """
+ Returns structured content for case studies and specific incidents.
+ """
+ return [
+ {
+ "title": "Golden Ticket Attack",
+ "content": """
+- Resolution: Change `krbtgt` account password twice.
+ """
+ },
+ {
+ "title": "SQL Injection Defense",
+ "content": """
+- Parameterized queries as the most effective mitigation.
+ """
+ },
+ {
+ "title": "Cloud Security Issues",
+ "content": """
+- Misconfigured buckets: Files can be enumerated and downloaded.
+- IMDSv2: Mitigates SSRF exploitation.
+ """
+ }
+ ]
diff --git a/Modules/Knowledge/SANS/memory_forensics_tools.py b/Modules/Knowledge/SANS/memory_forensics_tools.py
new file mode 100644
index 0000000..565c18d
--- /dev/null
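Review bot: Every `"title"` in gmon.py embeds the section number ("511.1.1 - Botnet Evolution"), so a consumer that wants to sort or filter by section has to parse the title string; a separate key, e.g. `"section": "511.1.1",` next to a plain `"title": "Botnet Evolution",`, keeps the data structured and matches the other seven modules, whose titles carry no numbering. The docstring "GMON security insights" neither expands the acronym nor says what the 511.x.y numbers refer to — they appear to be SANS SEC511 module references, which the maintainer should confirm — so a docstring such as `"""Returns structured content for GMON study notes; section numbers follow the SEC511 module numbering."""` would orient a reader. The `"511.1.4"` entry's two bullets ("Detect adversaries and respond rapidly", "Define desired outcomes") are too terse to stand alone; one clause each saying what the outcome is measured by (time to detect, time to contain) would make them usable.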
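Review bot: The `"Golden Ticket Attack"` resolution bullet in incident_case_studies.py states the double `krbtgt` reset but omits the two conditions that make it effective: the second reset must wait until the first has replicated to every domain controller (otherwise legitimately issued tickets and services break), and the reset alone does not evict an attacker who still holds the privileged access used to obtain the hash — it must follow removal of that access path. Suggested bullet: `- Resolution: Reset the krbtgt password twice, waiting for full AD replication between resets, after the attacker's access path has been removed.` The `"Cloud Security Issues"` IMDSv2 bullet would be more precise as `- IMDSv2: Requires a session token obtained via PUT, which mitigates SSRF against the instance metadata service.`, and the bucket bullet should name the control (deny public ACLs/policies, enable access logging) rather than only the symptom.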
+++ b/Modules/Knowledge/SANS/memory_forensics_tools.py
@@ -0,0 +1,32 @@
+def get_content():
+ """
+ Returns structured content for memory forensics and tools.
+ """
+ return [
+ {
+ "title": "Live Memory Capture Tools",
+ "content": """
+- WinPmem: Memory acquisition.
+- Magnet RAM Capture: Free tool for acquiring live memory.
+- Belkasoft RAM Capturer: Simplifies RAM imaging.
+- F-Response: Advanced forensic data acquisition.
+ """
+ },
+ {
+ "title": "Memory Artifacts",
+ "content": """
+- Hibernation Files: Compressed RAM image located at %SystemDrive%\\hiberfil.sys.
+- Page File/Swap Space: Located at %SystemDrive%\\pagefile.sys or %SystemDrive%\\swapfile.sys.
+- Kernel-Mode Dump Files: Located at %SystemRoot%\\MEMORY.DMP.
+ """
+ },
+ {
+ "title": "Volatility Plugins",
+ "content": """
+- PsList/PsScan: Identifies processes.
+- Malfind: Scans process memory sections for hidden code.
+- LdrModules: Detects unlinked DLLs or injected code.
+- SSDT: Identifies hooked system API functions.
+ """
+ }
+ ]
diff --git a/Modules/Knowledge/SANS/network_defense.py b/Modules/Knowledge/SANS/network_defense.py
new file mode 100644
index 0000000..9641ee1
--- /dev/null
+++ b/Modules/Knowledge/SANS/network_defense.py
@@ -0,0 +1,27 @@
+def get_content():
+ """
+ Returns structured content for network defense strategies and tools.
+ """
+ return [
+ {
+ "title": "Web Proxy Types",
+ "content": """
+- Open Source: Squid, Nginx, Apache Traffic Server.
+- Commercial: Symantec Web Filter, Forcepoint, Zscaler.
+ """
+ },
+ {
+ "title": "NetFlow and IPFIX",
+ "content": """
+- Session data for L3/L4 troubleshooting.
+- Enables rapid detection without full packet captures.
+ """
+ },
+ {
+ "title": "SOC Essentials",
+ "content": """
+- Functions: Detection, Auditing, Response, Operations/Maintenance.
+- Outsourcing vs. internal teams: Benefits and trade-offs.
+ """
+ }
+ ]
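Review bot: The `"Volatility Plugins"` entry in memory_forensics_tools.py lists the Volatility 2 plugin names (`PsList/PsScan`, `Malfind`, `LdrModules`, `SSDT`), while DFIR.py points readers at volatilityfoundation.org, where the current release is Volatility 3 and the equivalents are namespaced (`windows.pslist`, `windows.psscan`, `windows.malfind`, `windows.ldrmodules`, `windows.ssdt`); say which version the names belong to, e.g. append `- Names above are Volatility 2; in Volatility 3 use windows.pslist, windows.malfind, windows.ldrmodules, windows.ssdt.` The `"Live Memory Capture Tools"` entry names acquisition tools but not the handling rule that decides whether the image is usable as evidence — write it to removable or network storage rather than the suspect system's disk, and hash it at capture time — so one bullet such as `- Acquisition practice: write the image to removable/network storage, never the evidence disk, and record its hash.` would complete the entry. The `"Memory Artifacts"` hibernation bullet should note that the hiberfil format and compression changed in newer Windows releases, so the parser must match the OS version (worth confirming the exact versions before stating them).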
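Review bot: The `"NetFlow and IPFIX"` bullet "Enables rapid detection without full packet captures" in network_defense.py should state the trade-off, because flow records carry no payload: they support volume, timing and peer-based detections and can be retained for months cheaply, but not content-based detection. Suggested bullet: `- Enables rapid detection and long retention without full packet captures, at the cost of no payload visibility.` The `"Web Proxy Types"` entry lists products without the defensive reason a proxy matters (a single egress point for URL categorisation, TLS inspection and request logging); a bullet `- Value: single egress chokepoint for URL filtering, TLS inspection and request logging.` would tie it to the Detection and Auditing functions named in the `"SOC Essentials"` entry.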