diff --git a/TTPs/Persistence/rdp.py b/TTPs/Persistence/rdp.py
index 7a4eefe..1acb8d2 100644
--- a/TTPs/Persistence/rdp.py
+++ b/TTPs/Persistence/rdp.py
@@ -34,7 +34,7 @@ def source_event_logs():
 def destination_event_logs():
 title = "RDP Destination Event Logs"
 content = """
-- **Security Event Log** – `security.evtx`
+- **Security Event Log** - `security.evtx`
 - `4624` Logon Type 10
 - Source IP/Logon User Name
 - `4778/4779`
@@ -62,17 +62,17 @@ def source_registry():
 content = """
 - Remote desktop destinations are tracked per-user
 - `NTUSER\\Software\\Microsoft\\Terminal Server Client\\Servers`
-- [[ShimCache]] – SYSTEM
+- [[ShimCache]] - SYSTEM
 - `mstsc.exe` Remote Desktop Client
-- [[BAM_DAM]] – SYSTEM – Last Time Executed
+- [[BAM_DAM]] - SYSTEM - Last Time Executed
 - `mstsc.exe` Remote Desktop Client
 - [[AmCache.hve]] - First Time Executed
 - `mstsc.exe`
-- UserAssist – `NTUSER.DAT`
+- UserAssist - `NTUSER.DAT`
 - `mstsc.exe` Remote Desktop Client execution
 - Last Time Executed
 - Number of Times Executed
-- RecentApps – `NTUSER.DAT`
+- RecentApps - `NTUSER.DAT`
 - `mstsc.exe`
 - Remote Desktop Client execution
 - Last Time Executed
@@ -100,12 +100,12 @@ def source_artifacts():
 - Jumplists - `C:\\Users\\\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\`
 - `{MSTSC-APPID}-automaticDestinations-ms`
 - Tracks remote desktop connection destination and times
-- [[Prefetch]] – `C:\\Windows\\Prefetch\\`
+- [[Prefetch]] - `C:\\Windows\\Prefetch\\`
 - `mstsc.exe-{hash}.pf`
-- [[Bitmap_Cache]] – `C:\\Users\\\\AppData\\Local\\Microsoft\\TerminalServer Client\\Cache`
+- [[Bitmap_Cache]] - `C:\\Users\\\\AppData\\Local\\Microsoft\\TerminalServer Client\\Cache`
 - bcache##.bmc
 - cache####.bin
-- Default.rdp file –
+- Default.rdp file -
 - `C:\\Users\\\\Documents\\`
 """
 print_info(title, content)
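Review bot: The rewritten `[[Bitmap_Cache]]` line in the `@@ -100,12` hunk keeps the folder name `TerminalServer Client`, while the registry hunk above spells the same product folder `Terminal Server Client` (`NTUSER\\Software\\Microsoft\\Terminal Server Client\\Servers`); since the line is being touched anyway, the missing space should be fixed here so an analyst pasting the path actually lands in the cache directory: change `TerminalServer Client\\Cache` to `Terminal Server Client\\Cache`. The doubled separator in `C:\\Users\\\\AppData` (also present in the Jumplists and `Documents` lines of this hunk) prints as `C:\Users\\AppData`, which looks like a dropped user-name placeholder rather than an intended path; presumably lost upstream of this diff, but worth confirming against the rendered output. The enclosing `source_artifacts` function begins before this hunk.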
@@ -114,7 +114,7 @@ def source_artifacts():
 def destination_artifacts():
 title = "RDP Destination File System Artifacts"
 content = """
-- Prefetch – `C:\\Windows\\Prefetch\\`
+- Prefetch - `C:\\Windows\\Prefetch\\`
 - `rdpclip.exe-{hash}.pf`
 - `tstheme.exe-{hash}.pf`
 """