matthew/Hunt-AI
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update TTPs/Persistence/rdp.py

Browse Source
This commit is contained in:
Matthew Iverson
2024-11-24 11:32:41 -05:00
parent 8c8baa91fe
commit 056205178c
1 changed files with 9 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
TTPs/Persistence/rdp.py
View File

@ -34,7 +34,7 @@ def source_event_logs():
def destination_event_logs():
title = "RDP Destination Event Logs"
content = """
- **Security Event Log** `security.evtx`
- **Security Event Log** - `security.evtx`
- `4624` Logon Type 10
- Source IP/Logon User Name
- `4778/4779`
@ -62,17 +62,17 @@ def source_registry():
content = """
- Remote desktop destinations are tracked per-user
- `NTUSER\\Software\\Microsoft\\Terminal Server Client\\Servers`
- [[ShimCache]] SYSTEM
- [[ShimCache]] - SYSTEM
- `mstsc.exe` Remote Desktop Client
- [[BAM_DAM]] SYSTEM Last Time Executed
- [[BAM_DAM]] - SYSTEM - Last Time Executed
- `mstsc.exe` Remote Desktop Client
- [[AmCache.hve]] - First Time Executed
- `mstsc.exe`
- UserAssist `NTUSER.DAT`
- UserAssist - `NTUSER.DAT`
- `mstsc.exe` Remote Desktop Client execution
- Last Time Executed
- Number of Times Executed
- RecentApps `NTUSER.DAT`
- RecentApps - `NTUSER.DAT`
- `mstsc.exe`
- Remote Desktop Client execution
- Last Time Executed
@ -100,12 +100,12 @@ def source_artifacts():
- Jumplists - `C:\\Users\\<Username>\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\`
- `{MSTSC-APPID}-automaticDestinations-ms`
- Tracks remote desktop connection destination and times
- [[Prefetch]] `C:\\Windows\\Prefetch\\`
- [[Prefetch]] - `C:\\Windows\\Prefetch\\`
- `mstsc.exe-{hash}.pf`
- [[Bitmap_Cache]] `C:\\Users\\<Username>\\AppData\\Local\\Microsoft\\TerminalServer Client\\Cache`
- [[Bitmap_Cache]] - `C:\\Users\\<Username>\\AppData\\Local\\Microsoft\\TerminalServer Client\\Cache`
- bcache##.bmc
- cache####.bin
- Default.rdp file
- Default.rdp file -
- `C:\\Users\\<Username>\\Documents\\`
"""
print_info(title, content)
@ -114,7 +114,7 @@ def source_artifacts():
def destination_artifacts():
title = "RDP Destination File System Artifacts"
content = """
- Prefetch `C:\\Windows\\Prefetch\\`
- Prefetch - `C:\\Windows\\Prefetch\\`
- `rdpclip.exe-{hash}.pf`
- `tstheme.exe-{hash}.pf`
"""