
Commit 89fc6d2

add lsms script
1 parent 319453e commit 89fc6d2

2 files changed: +115 -0 lines changed


docs/operate/monitoring.md

Lines changed: 102 additions & 0 deletions
@@ -990,5 +990,107 @@ events
990990
```
991991

992992

993+
## Monitoring cron files
993994

994995

996+
https://github.com/sqall01/LSMS/blob/main/scripts/monitor_cron.py
997+
998+
999+
1000+
## Monitoring /etc/hosts file
1001+
1002+
1003+
https://github.com/sqall01/LSMS/blob/main/scripts/monitor_hosts_file.py
1004+
1005+
1006+
## Monitoring /etc/ld.so.preload file
1007+
1008+
1009+
https://github.com/sqall01/LSMS/blob/main/scripts/monitor_ld_preload.py
1010+
1011+
1012+
## Monitoring /etc/passwd file
1013+
1014+
1015+
https://github.com/sqall01/LSMS/blob/main/scripts/monitor_passwd.py
1016+
1017+
1018+
## Monitoring modules
1019+
1020+
1021+
https://github.com/sqall01/LSMS/blob/main/scripts/monitor_modules.py
1022+
1023+
1024+
## Monitoring SSH authorized_keys files
1025+
1026+
1027+
https://github.com/sqall01/LSMS/blob/main/scripts/monitor_ssh_authorized_keys.py
1028+
1029+
1030+
## Monitoring systemd unit files
1031+
1032+
1033+
https://github.com/sqall01/LSMS/blob/main/scripts/monitor_systemd_units.py
1034+
1035+
1036+
## Search executables in /dev/shm
1037+
1038+
1039+
https://github.com/sqall01/LSMS/blob/main/scripts/search_dev_shm.py
1040+
1041+
1042+
## Search fileless programs (memfd_create)
1043+
1044+
1045+
https://github.com/sqall01/LSMS/blob/main/scripts/search_memfd_create.py
1046+
1047+
1048+
## Search hidden ELF files
1049+
1050+
1051+
https://github.com/sqall01/LSMS/blob/main/scripts/search_hidden_exe.py
1052+
1053+
1054+
1055+
## Search immutable files
1056+
1057+
1058+
https://github.com/sqall01/LSMS/blob/main/scripts/search_immutable_files.py
1059+
1060+
1061+
1062+
1063+
## Search kernel thread impersonations
1064+
1065+
1066+
https://github.com/sqall01/LSMS/blob/main/scripts/search_non_kthreads.py
1067+
1068+
1069+
1070+
## Search processes that were started by a now disconnected SSH session
1071+
1072+
1073+
https://github.com/sqall01/LSMS/blob/main/scripts/search_ssh_leftover_processes.py
1074+
1075+
1076+
1077+
1078+
## Search running deleted programs
1079+
1080+
1081+
https://github.com/sqall01/LSMS/blob/main/scripts/search_deleted_exe.py
1082+
1083+
1084+
1085+
## Test script to check if alerting works
1086+
1087+
1088+
https://github.com/sqall01/LSMS/blob/main/scripts/test_alert.py
1089+
1090+
1091+
1092+
## Verify integrity of installed .deb packages
1093+
1094+
1095+
https://github.com/sqall01/LSMS/blob/main/scripts/verify_deb_packages.py
1096+
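Review bot: each new section in this hunk is a bare `##` heading followed by a raw GitHub URL, so a reader of `monitoring.md` learns nothing about what the script checks, why the artifact matters, or how the script is meant to run; add a one-line description under every heading (what `monitor_ld_preload.py` watches in `/etc/ld.so.preload`, what `search_non_kthreads.py` considers an impersonated kernel thread, and so on) and a short lead paragraph that names the LSMS project once, links to its repository root, and says how the scripts are scheduled and where their alerts go, since the commit message ("add lsms script") is the only place the project is even named. Smaller points: "Monitoring modules" is ambiguous and should say which kind of modules `monitor_modules.py` inspects; the raw URLs would read better as Markdown links, as the rest of the docs do; and the blank-line padding between sections varies from three to five lines, which should be made consistent.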

docs/resources/resources.md

Lines changed: 13 additions & 0 deletions
@@ -179,6 +179,19 @@ Proven guidance and best practices that help you confidently adopt the cloud and
179179
[Granular, Actionable Adversary Emulation for the Cloud](https://github.com/Datadog/stratus-red-team/){: .btn .btn-purple .mr-2 }
180180

181181

182+
### AWS Threat Simulation and Detection
183+
184+
[sbasu7241 AWS Threat Simulation and Detection ](https://github.com/sbasu7241/AWS-Threat-Simulation-and-Detection/tree/main){: .btn .btn-purple .mr-2 }
185+
186+
187+
### Hunting queries and detections
188+
189+
[FalconForceTeam FalconFriday](https://github.com/FalconForceTeam/FalconFriday/){: .btn .btn-purple .mr-2 }
190+
191+
192+
193+
194+
182195

183196
## Threats
184197
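Review bot: the link text in `[sbasu7241 AWS Threat Simulation and Detection ](...)` has a trailing space inside the brackets, and its URL carries a `/tree/main` suffix that the neighbouring `stratus-red-team` entry does not; trim the space and point at the repository root so the two entries match. The five consecutive blank lines added before `## Threats` (the `190+` through `194+` lines) are more than the single blank line the surrounding entries use; reduce them to one or two.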

0 commit comments
