from Modules.Imports.ttp_imports import *
def win_ioc_submenu():
    """Open the Windows IOC submenu.

    ``build_submenu`` comes from the star import at the top of the file and is
    handed this module's ``globals()``; presumably it enumerates the section
    functions defined below to build the menu entries — confirm in
    ``Modules.Imports.ttp_imports`` before adding module-level helpers here,
    since they may show up as menu items.
    """
    heading = "Windows Indicators of Compromise (IOCs)"
    build_submenu(heading, module=globals())
def basics():
    """Print the "Basics" section of the Windows IOC notes via ``print_info``.

    The text is assembled from a list of bullet points so that the rendered
    markdown is identical to the original triple-quoted block.
    """
    # NOTE(review): two of these bullets are misleading as written and should
    # be reworded by the content owner (text kept verbatim here):
    #  - "RW- ro --X" is a typo for "RW- or --X".
    #  - System32 is where most legitimate OS executables live; the useful
    #    signal is an *unsigned, unusual or recently created* .exe/.dll there
    #    (or a lookalike name such as "svch0st.exe"), not the mere presence
    #    of executables.
    bullets = [
        "Look for file extensions",
        "Initial access and lateral movement are the loudest",
        "Understand how PID and PPID relate",
        "Look for 1-2 character .exe (e.g., a.exe, ab.exe)",
        "C2 exploits are native in 32-bit",
        "Files should not have read, write, and execute simultaneously",
        "Should be RW- ro --X",
        "Know where attackers store files",
        "C:\\windows\\system32: Exe files are not usually stored here",
    ]
    # Leading and trailing newline reproduce the original """...""" layout.
    content = "\n" + "\n".join("- " + line for line in bullets) + "\n"
    print_info("Basics", content)
def common_malware_names():
    """Print process names that malware commonly masquerades as.

    All but ``win.exe`` are genuine Windows binaries; the indicator is a
    process with one of these names running from the wrong path, with the
    wrong parent, or unsigned — not the name by itself. Practitioner caveats
    worth checking against each hit:
      * real svchost.exe/lsass.exe/winlogon.exe load from
        C:\\Windows\\System32 and are signed by Microsoft;
      * lsass.exe and winlogon.exe normally have a single instance whose
        parent is wininit.exe; svchost.exe's parent is services.exe;
      * explorer.exe normally has no living parent (userinit.exe exits).
    ``win.exe`` is not a standard Windows binary; treat it as a plain
    suspicious-name hit.
    """
    names = (
        "svchost.exe",
        "iexplore.exe",
        "explorer.exe",
        "lsass.exe",
        "win.exe",
        "winlogon.exe",
    )
    body = "\n".join(f"- {name}" for name in names)
    print_info("Common Malware Names", "\n" + body + "\n")
def common_malware_locations():
    """Print directories where dropped malware and staging files are often found.

    NOTE(review): the list mixes two kinds of location. Temp, Downloads,
    AppData, Recent, $Recycle.Bin and ProgramData are user- or world-writable
    and are where attackers drop payloads; Windows, System32, WinSxS,
    System Volume Information and Program Files are protected OS/software
    trees where the indicator is a *new, unsigned or oddly named* file, since
    legitimate binaries are expected there. "[Added Directories by APTs]" is
    a placeholder for environment-specific findings.
    """
    paths = [
        "\\Temp",
        "C:\\Users\\*\\Downloads",
        "\\AppData",
        "C:\\Users\\*\\AppData\\Roaming\\Microsoft\\Windows\\Recent",
        "\\$Recycle.Bin",
        "\\ProgramData",
        "\\Windows",
        "\\Windows\\System32",
        "\\WinSxS",
        "\\System Volume Information",
        "\\Program Files",
        "\\Program Files (x86)",
        "[Added Directories by APTs]",
    ]
    # "\n".join of ["", *items, ""] yields the same leading/trailing newline
    # as the original triple-quoted literal.
    content = "\n".join(["", *("- " + p for p in paths), ""])
    print_info("Common Malware Locations", content)
def interesting_search_terms():
    """Print file extensions and keywords worth searching for during triage.

    NOTE(review), kept verbatim for the content owner to confirm:
      * ``.Eo1`` is almost certainly a typo for ``.E01`` (EnCase evidence
        image); ``.vdk`` is probably meant to be ``.vhd``/``.vhdx`` or
        ``.vdi`` — verify before anyone builds a search rule from this list.
      * ``CommandLineTemplate`` and ``ScriptText`` are the payload properties
        of WMI CommandLineEventConsumer / ActiveScriptEventConsumer objects,
        so they are useful strings to grep for in WMI repository dumps and
        MOF files; ``ActiveXObject`` is the JScript/VBScript COM
        instantiation call that appears in malicious .js/.hta/.vbs droppers.
    """
    lines = [
        "### Scripts",
        "- `.ps1`, `.vbs`, `.py`, `.bat`",
        "",
        "### Windows Binaries",
        "- `.exe`, `.msi`, `.dll`",
        "",
        "### Archives",
        "- `.rar`, `.zip`, `.cab`, `.7z`, `.Eo1`, `.iso`, `.ova`, `.ovf`, `.vmdk`, `.vdk`",
        "",
        "Other:",
        "- `.eval`",
        "- `.xls`",
        "- `.doc`",
        "- ActiveXObject",
        "- CommandLineTemplate",
        "- ScriptText",
    ]
    content = "\n".join(["", *lines, ""])
    print_info("Interesting Search Terms", content)
def locations_of_persistence():
    """Print the "Locations of Persistence" section.

    NOTE(review): the single bullet is inaccurate as phrased — System32 is
    full of legitimate .exe files. The intended indicator is presumably an
    unexpected, unsigned or lookalike executable/DLL dropped there (e.g. for
    DLL search-order hijacking), which needs to be said explicitly. The text
    is kept verbatim; it duplicates the last bullet of ``basics()``.
    """
    body = "- C:\\windows\\system32 (Exe files are not usually stored here)"
    print_info("Locations of Persistence", "\n" + body + "\n")
def types_of_persistence():
    """Print the "Types of Persistence" section.

    NOTE(review): several entries are remote-execution / lateral-movement
    techniques rather than persistence (Impacket exec, PsExec, PowerShell
    Remoting, Remote Desktop, Map Share). They are still worth hunting, but
    grouping them under persistence can mislead a junior analyst; consider
    splitting the list. "Persistence Mechanisms" and "Registry" are also
    umbrella terms that overlap with Run Keys / Services / Scheduled Tasks.
    """
    techniques = (
        "Impacket Exec",
        "Services",
        "WMI",
        "Autostart",
        "DLL Hijacking",
        "Drivers",
        "Map Share",
        "Persistence Mechanisms",
        "Powershell Remoting",
        "PsExec",
        "Remote Desktop",
        "Run Keys",
        "Scheduled Tasks",
        "Registry",
    )
    content = "\n".join(["", *(f"- {t}" for t in techniques), ""])
    print_info("Types of Persistence", content)
def advanced_persistence():
    """Print the "Advanced Persistence" section (firmware, driver, policy and
    Office add-in based techniques that survive reimaging or are rarely
    audited).

    Practitioner caveat: "Bios Flashing" covers UEFI/firmware implants, which
    ordinary disk forensics will not see — verification needs firmware
    measurements/attestation or a dump of the SPI flash, not a file search.
    """
    entries = ["Bios Flashing", "Drivers", "Local Group Policy", "MS Office Add-In"]
    body = "\n".join("- " + e for e in entries)
    print_info("Advanced Persistence", "\n" + body + "\n")
def event_ids_to_watch():
    """Print Windows event IDs that are useful for IOC hunting.

    Reviewer caveats for whoever builds detections from this list:
      * 4xxx/5xxx IDs are in the Security log; 7036/7040/7045 come from the
        Service Control Manager in the System log; 8222 is a VSS event.
      * 4688 is only useful with process-creation auditing enabled, and
        command-line logging on — both are off by default.
      * 4656/4658/4660/4663 require a SACL on the object; 5154/5156 require
        the Filtering Platform Connection audit subcategory and are extremely
        noisy — filter before forwarding.
      * 4768/4769 are recorded on domain controllers, not the workstation.
      * 7045 appears twice on purpose: PsExec installs a temporary service
        (PSEXESVC by default), so it shows up as a 7045.
    """
    events = (
        (4698, "A scheduled task was created"),
        (4720, "A user account was created"),
        (4768, "A Kerberos authentication ticket (TGT) was requested"),
        (4769, "A Kerberos service ticket was requested"),
        (5140, "A network share object was accessed"),
        (7045, "A new service was installed in the system"),
        (4648, "A logon was attempted using explicit credentials"),
        (4656, "A handle to an object was requested"),
        (4658, "The handle to an object was closed"),
        (4660, "An object was deleted"),
        (4663, "An attempt was made to access an object"),
        (4672, "Special privileges assigned to new logon"),
        (4673, "A privileged service was called"),
        (4688, "A new process has been created"),
        (4946, "A change has been made to Windows Firewall exception list. A rule was added"),
        (5142, "A network share object was added"),
        (5144, "A network share object was deleted"),
        (5145, "A network share object was checked to see whether the client can be granted desired access"),
        (5154, "The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections"),
        (5156, "The Windows Filtering Platform has allowed a connection"),
        (5447, "A Windows Filtering Platform filter has been changed"),
        (8222, "Shadow copy has been created"),
        (7036, "Service changed"),
        (7040, "Service startup type changed"),
        (7045, "PSExec"),
    )
    rows = [f"- {event_id} {description}" for event_id, description in events]
    content = "\n".join(["", *rows, ""])
    print_info("Event IDs to Watch", content)
def common_false_positives():
    """Print names that commonly show up as benign hits when hunting WMI
    persistence.

    These look like the names of WMI event filters/consumers that ship with
    Windows or vendor tooling (plus one Dell binary), i.e. what you see when
    enumerating ``root\\subscription``. NOTE(review): treat "false positive"
    as "usually benign", not "ignore" — confirm the binding's filter query and
    consumer command line still match the stock definition, since attackers
    reuse legitimate-looking names.
    """
    benign = (
        "SCM Event Log Consumer",
        "BVTFilter",
        "TSLogonEvents.vbs",
        "TSLogonFilter",
        "RAevent.vbs",
        "RMAssistEventFilter",
        "KernCap.vbs",
        "NTEventLogConsumer",
        "WSCEAA.exe (Dell)",
    )
    body = "\n".join("- " + name for name in benign)
    print_info("Common False Positives", "\n" + body + "\n")
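def windows_directories():
    """Print forensically relevant Windows file locations.

    Fixes to the original list:
      * The SECURITY, SOFTWARE and SYSTEM hives live under
        ``System32\\config``, not directly under ``System32``, and they are
        registry hives (LSA secrets, installed software/Run keys, services and
        boot key), not "logs".
      * The SAM stores NT password hashes, not passwords; the SYSTEM hive's
        boot key is needed to decrypt it.
      * Event logs are the ``.evtx`` files under ``winevt\\Logs``.
      * ``C:\\Windows\\repair\\SAM`` is a pre-Vista location; newer builds keep
        hive backups in ``System32\\config\\RegBack`` (often empty on current
        Windows 10/11, which no longer populate it by default).
    """
    entries = [
        ("C:\\Windows\\System32\\drivers\\etc\\hosts",
         "Local name-resolution overrides; check for redirected or blocked hosts"),
        ("C:\\Windows\\System32\\drivers\\etc\\networks", "Network config file"),
        ("C:\\Windows\\System32\\config\\SAM",
         "Usernames and NT password hashes (needs the SYSTEM hive boot key to decrypt)"),
        ("C:\\Windows\\System32\\config\\SECURITY",
         "SECURITY registry hive: LSA secrets, cached domain credentials"),
        ("C:\\Windows\\System32\\config\\SOFTWARE",
         "SOFTWARE registry hive: installed software, HKLM Run keys"),
        ("C:\\Windows\\System32\\config\\SYSTEM",
         "SYSTEM registry hive: services, drivers, boot key"),
        ("C:\\Windows\\System32\\winevt\\Logs\\", "Windows event logs (.evtx)"),
        ("C:\\Windows\\System32\\config\\RegBack\\",
         "Registry hive backups; often empty on current Windows 10/11 builds"),
        ("C:\\Windows\\repair\\SAM",
         "Legacy SAM backup (pre-Vista systems only)"),
    ]
    rows = [f"- {path} ({purpose})" for path, purpose in entries]
    content = "\n".join(["", *rows, ""])
    print_info("Windows Directories", content)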
def analysis_resources():
    """Print pointers for follow-up analysis (hash, threat-intel, IP and
    malware lookups) plus a few external references.

    NOTE(review): the first four bullets are headings without the actual
    services/tools behind them, and the two video links are opaque — the
    content owner should spell out what each points to. The ``si=``
    query parameter on the youtu.be link is a share-tracking token tied to
    whoever copied the link; it is kept verbatim here but can be dropped
    without changing the target.
    """
    lines = (
        "- Check Filehash",
        "- Analysis Threat Intel",
        "- Analysis IP",
        "- Analysis Malware",
        "",
        "### Useful Links",
        "- https://www.youtube.com/watch?v=NdwTeSi70SU",
        "- https://youtu.be/7dEfKn70HCI?si=MP-u-n4FMHVgtmWf",
        "- https://www.criticalstart.com/windows-security-event-logs-what-to-monitor/",
    )
    content = "\n" + "\n".join(lines) + "\n"
    print_info("Analysis Resources", content)
def all_windows_iocs():
    """
    Displays all Windows IOC content sequentially.

    Each section function in this module is called once, in the same fixed
    order as the original hand-written call list (basics first, analysis
    resources last).
    """
    sections = (
        basics,
        common_malware_names,
        common_malware_locations,
        interesting_search_terms,
        locations_of_persistence,
        types_of_persistence,
        advanced_persistence,
        event_ids_to_watch,
        common_false_positives,
        windows_directories,
        analysis_resources,
    )
    for show_section in sections:
        show_section()