matthew/Hunt-AI
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
51d33144aad8ae60ccc99ac4bf01d889b7322888
Hunt-AI/TTPs/lin_ioc.py

158 lines
3.9 KiB
Python
Raw Blame History

from Modules.Imports.ttp_imports import *
from Modules.submenu import build_submenu
def lin_ioc_submenu():
"""Linux Indicators of Compromise"""
build_submenu("Linux Indicators of Compromise (IOCs)", module=globals())
### Functions for each submenu option
def linux_basics():
title = "Linux Basics"
content = """
- Understand typical file paths and permission settings.
- Monitor unexpected or unplanned cron jobs.
- Investigate binaries with SUID or SGID bits set (`find / -perm -4000`).
- Look for rogue or uncommon processes running as root.
- Analyze .bash_history for suspicious commands.
- Investigate `/var/log/auth.log` for failed or unauthorized access.
- Check for hidden files and directories using `find / -type f -name ".*"`.
"""
print_info(title, content)
def linux_common_malware_names():
title = "Common Malware Names"
content = """
- kworker
- kinsing
- xmrig
- cryptonight
- apache2 (unexpected locations)
- mysql (unexpected locations)
"""
print_info(title, content)
def linux_common_malware_locations():
title = "Common Malware Locations"
content = """
- /tmp
- /var/tmp
- /dev/shm
- /etc/cron.*
- /lib/systemd/system/
- ~/.ssh/
- /usr/local/bin/
- /usr/bin/
- /var/spool/cron/crontabs/
"""
print_info(title, content)
def linux_interesting_search_terms():
title = "Interesting Search Terms"
content = """
### Shell Scripts
- `.sh`, `.bash`
### Executable Files
- `.out`, `.bin`, `.elf`
### Archives
- `.tar.gz`, `.zip`, `.xz`, `.bz2`, `.7z`
### Strings in Logs
- "sudo"
- "su root"
- "chmod 777"
- "wget" or "curl"
- "base64"
"""
print_info(title, content)
def linux_locations_of_persistence():
title = "Locations of Persistence"
content = """
- Cron Jobs
- `/etc/crontab`
- `/var/spool/cron/crontabs/`
- Autostart
- `~/.config/autostart/`
- System Services
- `/etc/systemd/system/`
- `/lib/systemd/system/`
- Network Configuration Files
- `/etc/network/interfaces`
- `/etc/hosts`
- SSH Keys
- `~/.ssh/`
- `/root/.ssh/`
"""
print_info(title, content)
def linux_types_of_persistence():
title = "Types of Persistence"
content = """
- Cron Jobs
- Modified SSH Keys
- Custom Systemd Services
- Kernel Module Hijacking
- Backdoor Network Configurations
- LD_PRELOAD Hijacking
"""
print_info(title, content)
def linux_advanced_persistence():
title = "Advanced Persistence"
content = """
- Rootkits
- Live Kernel Patching
- Custom Kernel Modules
- Firmware Tampering
- Hidden Partitions or Volumes
"""
print_info(title, content)
def linux_event_ids_to_watch():
title = "Event IDs to Watch"
content = """
Monitor important Linux system logs:
- `/var/log/auth.log` for authentication attempts
- `/var/log/secure` for privileged access
- `/var/log/syslog` for suspicious processes or activity
- `/var/log/messages` for kernel-level logs
"""
print_info(title, content)
def linux_memory_acquisition():
title = "Memory Acquisition"
content = """
### Tools for Live RAM Capture
- AVML (Azure Virtual Machine Live)
- LiME (Linux Memory Extractor)
### File Locations
- `/dev/mem` for memory dump
- `/proc/<pid>/maps` for process memory mapping
"""
print_info(title, content)
def linux_filesystem_artifacts():
title = "Filesystem Artifacts"
content = """
### Look for:
- Recent Modifications: `find / -type f -mtime -1`
- Hidden Files: `find / -name ".*"`
- Unusual Permissions: `find / -perm 777`
- Root-level Scripts or Configurations: `/etc/`, `/usr/local/`
"""
print_info(title, content)
def linux_analysis_resources():
title = "Analysis Resources"
content = """
- Check File Hashes: Use `sha256sum` or `md5sum`.
- Threat Intelligence: Search IPs and Domains on VirusTotal.
- Malware Analysis: Analyze suspicious files with tools like Cuckoo Sandbox.
- Log Analysis: Parse logs using tools like Logstash or Elastic.
"""
print_info(title, content)
Reference in New Issue View Git Blame Copy Permalink