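from Modules.Imports.ttp_imports import *
from Modules.submenu import build_submenu


def lin_ioc_submenu():
    """Linux Indicators of Compromise.

    Menu entry point: hands the menu title and this module's namespace to
    ``build_submenu``.  That helper presumably discovers the ``linux_*``
    option functions below from ``globals()`` (confirm in
    ``Modules.submenu``); for that reason no extra helper functions are
    defined at module level here, since they could surface as menu items.
    """
    build_submenu("Linux Indicators of Compromise (IOCs)", module=globals())


### Functions for each submenu option
# Every option below renders a fixed title/body pair through ``print_info``
# (brought in by the star import from Modules.Imports.ttp_imports).  The
# bodies are static reference text for a responder, not executed commands.


def linux_basics():
    """Baseline triage checks for a suspected Linux host."""
    title = "Linux Basics"
    # `find / -perm -4000` matches the SUID bit only; the text promises
    # SUID *or* SGID, so the SGID bit (2000) is searched for as well.
    content = """
    - Understand typical file paths and permission settings.
    - Monitor unexpected or unplanned cron jobs.
    - Investigate binaries with SUID or SGID bits set (`find / -perm -4000 -o -perm -2000`).
    - Look for rogue or uncommon processes running as root.
    - Analyze .bash_history for suspicious commands.
    - Investigate `/var/log/auth.log` for failed or unauthorized access.
    - Check for hidden files and directories using `find / -type f -name ".*"`.
    """
    print_info(title, content)


def linux_common_malware_names():
    """Process names frequently seen in Linux malware and cryptominer cases."""
    title = "Common Malware Names"
    # NOTE: `kworker` is also the legitimate kernel worker thread name; the
    # indicator is a *userland* process (one with a binary on disk) using
    # it, not the name itself.  Treat every entry as a lead, not a verdict.
    content = """
    - kworker
    - kinsing
    - xmrig
    - cryptonight
    - apache2 (unexpected locations)
    - mysql (unexpected locations)
    """
    print_info(title, content)


def linux_common_malware_locations():
    """Directories worth sweeping first: world-writable, tmpfs and persistence paths."""
    title = "Common Malware Locations"
    content = """
    - /tmp
    - /var/tmp
    - /dev/shm
    - /etc/cron.*
    - /lib/systemd/system/
    - ~/.ssh/
    - /usr/local/bin/
    - /usr/bin/
    - /var/spool/cron/crontabs/
    """
    print_info(title, content)


def linux_interesting_search_terms():
    """File extensions and log strings to pivot on during triage."""
    title = "Interesting Search Terms"
    # These strings are all produced by legitimate administration too;
    # they narrow a search, they do not identify compromise on their own.
    content = """
    ### Shell Scripts
    - `.sh`, `.bash`

    ### Executable Files
    - `.out`, `.bin`, `.elf`

    ### Archives
    - `.tar.gz`, `.zip`, `.xz`, `.bz2`, `.7z`

    ### Strings in Logs
    - "sudo"
    - "su root"
    - "chmod 777"
    - "wget" or "curl"
    - "base64"
    """
    print_info(title, content)


def linux_locations_of_persistence():
    """Filesystem paths where persistence mechanisms are configured."""
    title = "Locations of Persistence"
    content = """
    - Cron Jobs
      - `/etc/crontab`
      - `/var/spool/cron/crontabs/`
    - Autostart
      - `~/.config/autostart/`
    - System Services
      - `/etc/systemd/system/`
      - `/lib/systemd/system/`
    - Network Configuration Files
      - `/etc/network/interfaces`
      - `/etc/hosts`
    - SSH Keys
      - `~/.ssh/`
      - `/root/.ssh/`
    """
    print_info(title, content)


def linux_types_of_persistence():
    """Persistence techniques commonly encountered on Linux."""
    title = "Types of Persistence"
    content = """
    - Cron Jobs
    - Modified SSH Keys
    - Custom Systemd Services
    - Kernel Module Hijacking
    - Backdoor Network Configurations
    - LD_PRELOAD Hijacking
    """
    print_info(title, content)


def linux_advanced_persistence():
    """Low-level persistence that usually survives a userland cleanup."""
    title = "Advanced Persistence"
    content = """
    - Rootkits
    - Live Kernel Patching
    - Custom Kernel Modules
    - Firmware Tampering
    - Hidden Partitions or Volumes
    """
    print_info(title, content)


def linux_event_ids_to_watch():
    """Log files that stand in for Windows-style event IDs on Linux."""
    # The title is kept for menu parity with the Windows module; Linux has
    # no numeric event IDs, so the body lists the syslog files instead.
    title = "Event IDs to Watch"
    content = """
    Monitor important Linux system logs:
    - `/var/log/auth.log` for authentication attempts
    - `/var/log/secure` for privileged access
    - `/var/log/syslog` for suspicious processes or activity
    - `/var/log/messages` for kernel-level logs
    """
    print_info(title, content)


def linux_memory_acquisition():
    """Tools and pseudo-files for capturing volatile memory."""
    title = "Memory Acquisition"
    # Two corrections to the reference text: AVML stands for "Acquire
    # Volatile Memory for Linux" (the earlier expansion was wrong), and the
    # per-process path had lost its `<pid>` placeholder (`/proc//maps`).
    content = """
    ### Tools for Live RAM Capture
    - AVML (Acquire Volatile Memory for Linux)
    - LiME (Linux Memory Extractor)

    ### File Locations
    - `/dev/mem` for memory dump
    - `/proc/<pid>/maps` for process memory mapping
    """
    print_info(title, content)


def linux_filesystem_artifacts():
    """Quick filesystem sweeps for recently changed, hidden or over-permissive files."""
    title = "Filesystem Artifacts"
    # `-perm 777` matches that exact mode only; world-writable files with
    # other modes need a separate check (e.g. `-perm -o+w`).
    content = """
    ### Look for:
    - Recent Modifications: `find / -type f -mtime -1`
    - Hidden Files: `find / -name ".*"`
    - Unusual Permissions: `find / -perm 777`
    - Root-level Scripts or Configurations: `/etc/`, `/usr/local/`
    """
    print_info(title, content)


def linux_analysis_resources():
    """Follow-up analysis steps once artifacts have been collected."""
    title = "Analysis Resources"
    content = """
    - Check File Hashes: Use `sha256sum` or `md5sum`.
    - Threat Intelligence: Search IPs and Domains on VirusTotal.
    - Malware Analysis: Analyze suspicious files with tools like Cuckoo Sandbox.
    - Log Analysis: Parse logs using tools like Logstash or Elastic.
    """
    print_info(title, content)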