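from Modules.Imports.ttp_imports import *


def win_ioc_submenu():
    """Open the submenu built from the section functions defined in this module.

    ``build_submenu`` and ``print_info`` come from the star import above; the
    submenu is populated from ``globals()``, so every section below must stay a
    module-level function.
    """
    build_submenu("Windows Indicators of Compromise (IOCs)", module=globals())


def basics():
    """Print general triage heuristics for spotting suspicious files on Windows."""
    title = "Basics"
    content = """
- Look for file extensions
- Initial access and lateral movement are the loudest
- Understand how PID and PPID relate
- Look for 1-2 character .exe (e.g., a.exe, ab.exe)
- C2 exploits are native in 32-bit
- Files should not have read, write, and execute simultaneously
- Should be RW- ro --X
- Know where attackers store files
- C:\\windows\\system32: Exe files are not usually stored here
"""
    print_info(title, content)


def common_malware_names():
    """Print legitimate Windows binary names that malware commonly impersonates."""
    title = "Common Malware Names"
    content = """
- svchost.exe
- iexplore.exe
- explorer.exe
- lsass.exe
- win.exe
- winlogon.exe
"""
    print_info(title, content)


def common_malware_locations():
    """Print filesystem locations where dropped files are frequently found."""
    title = "Common Malware Locations"
    content = """
- \\Temp
- C:\\Users\\*\\Downloads
- \\AppData
- C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Recent
- \\$Recycle.Bin
- \\ProgramData
- \\Windows
- \\Windows\\System32
- \\WinSxS
- \\System Volume Information
- \\Program Files
- \\Program Files (x86)
- [Added Directories by APTs]
"""
    print_info(title, content)


def interesting_search_terms():
    """Print file extensions and keywords worth searching for during triage."""
    title = "Interesting Search Terms"
    # `.E01` is the EnCase evidence-file extension; the earlier `.Eo1` spelling
    # was a typo that a case-sensitive search would never match.
    content = """
### Scripts
- `.ps1`, `.vbs`, `.py`, `.bat`

### Windows Binaries
- `.exe`, `.msi`, `.dll`

### Archives
- `.rar`, `.zip`, `.cab`, `.7z`, `.E01`, `.iso`, `.ova`, `.ovf`, `.vmdk`, `.vdk`

Other:
- `.eval`
- `.xls`
- `.doc`
- ActiveXObject
- CommandLineTemplate
- ScriptText
"""
    print_info(title, content)


def locations_of_persistence():
    """Print filesystem locations to check for persistence artifacts."""
    title = "Locations of Persistence"
    content = """
- C:\\windows\\system32 (Exe files are not usually stored here)
"""
    print_info(title, content)


def types_of_persistence():
    """Print common persistence and remote-execution mechanisms to look for."""
    title = "Types of Persistence"
    content = """
- Impacket Exec
- Services
- WMI
- Autostart
- DLL Hijacking
- Drivers
- Map Share
- Persistence Mechanisms
- Powershell Remoting
- PsExec
- Remote Desktop
- Run Keys
- Scheduled Tasks
- Registry
"""
    print_info(title, content)


def advanced_persistence():
    """Print less common, harder-to-detect persistence mechanisms."""
    title = "Advanced Persistence"
    content = """
- Bios Flashing
- Drivers
- Local Group Policy
- MS Office Add-In
"""
    print_info(title, content)


def event_ids_to_watch():
    """Print Windows event IDs that are useful detection signals."""
    title = "Event IDs to Watch"
    # 7045 was previously listed twice (once as "new service installed", once as
    # "PSExec"); both describe the same System-log event, so they are merged.
    content = """
- 4698 A scheduled task was created
- 4720 A user account was created
- 4768 A Kerberos authentication ticket (TGT) was requested
- 4769 A Kerberos service ticket was requested
- 5140 A network share object was accessed
- 7045 A new service was installed in the system (also generated by PsExec-style remote service installs)
- 4648 A logon was attempted using explicit credentials
- 4656 A handle to an object was requested
- 4658 The handle to an object was closed
- 4660 An object was deleted
- 4663 An attempt was made to access an object
- 4672 Special privileges assigned to new logon
- 4673 A privileged service was called
- 4688 A new process has been created
- 4946 A change has been made to Windows Firewall exception list. A rule was added
- 5142 A network share object was added
- 5144 A network share object was deleted
- 5145 A network share object was checked to see whether the client can be granted desired access
- 5154 The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections
- 5156 The Windows Filtering Platform has allowed a connection
- 5447 A Windows Filtering Platform filter has been changed
- 8222 Shadow copy has been created
- 7036 Service changed
- 7040 Service startup type changed
"""
    print_info(title, content)


def common_false_positives():
    """Print benign WMI consumers/filters and binaries often mistaken for IOCs."""
    title = "Common False Positives"
    content = """
- SCM Event Log Consumer
- BVTFilter
- TSLogonEvents.vbs
- TSLogonFilter
- RAevent.vbs
- RMAssistEventFilter
- KernCap.vbs
- NTEventLogConsumer
- WSCEAA.exe (Dell)
"""
    print_info(title, content)


def windows_directories():
    """Print forensic-relevant Windows system files and what each holds."""
    title = "Windows Directories"
    # SECURITY, SOFTWARE and SYSTEM are registry hives stored next to SAM under
    # System32\config; the earlier entries pointed one level too high and
    # described them as "logs".
    content = """
- C:\\Windows\\System32\\drivers\\etc\\hosts (DNS file)
- C:\\Windows\\System32\\drivers\\etc\\networks (Network config file)
- C:\\Windows\\System32\\config\\SAM (Usernames and passwords)
- C:\\Windows\\System32\\config\\SECURITY (Security registry hive)
- C:\\Windows\\System32\\config\\SOFTWARE (Software registry hive)
- C:\\Windows\\System32\\config\\SYSTEM (System registry hive)
- C:\\Windows\\System32\\winevt\\ (Windows event logs)
- C:\\Windows\\repair\\SAM (Backup of usernames and passwords)
"""
    print_info(title, content)


def analysis_resources():
    """Print analysis checklist items and reference links."""
    title = "Analysis Resources"
    content = """
- Check Filehash
- Analysis Threat Intel
- Analysis IP
- Analysis Malware

### Useful Links
- https://www.youtube.com/watch?v=NdwTeSi70SU
- https://youtu.be/7dEfKn70HCI?si=MP-u-n4FMHVgtmWf
- https://www.criticalstart.com/windows-security-event-logs-what-to-monitor/
"""
    print_info(title, content)


def all_windows_iocs():
    """Display all Windows IOC sections sequentially, in menu order."""
    basics()
    common_malware_names()
    common_malware_locations()
    interesting_search_terms()
    locations_of_persistence()
    types_of_persistence()
    advanced_persistence()
    event_ids_to_watch()
    common_false_positives()
    windows_directories()
    analysis_resources()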