Update TTPs/Persistence/rdp.py

This commit is contained in:
2024-11-24 11:32:41 -05:00
parent 8c8baa91fe
commit 056205178c


@ -34,7 +34,7 @@ def source_event_logs():
def destination_event_logs(): def destination_event_logs():
title = "RDP Destination Event Logs" title = "RDP Destination Event Logs"
content = """ content = """
- **Security Event Log** `security.evtx` - **Security Event Log** - `security.evtx`
- `4624` Logon Type 10 - `4624` Logon Type 10
- Source IP/Logon User Name - Source IP/Logon User Name
- `4778/4779` - `4778/4779`
@ -62,17 +62,17 @@ def source_registry():
content = """ content = """
- Remote desktop destinations are tracked per-user - Remote desktop destinations are tracked per-user
- `NTUSER\\Software\\Microsoft\\Terminal Server Client\\Servers` - `NTUSER\\Software\\Microsoft\\Terminal Server Client\\Servers`
- [[ShimCache]] SYSTEM - [[ShimCache]] - SYSTEM
- `mstsc.exe` Remote Desktop Client - `mstsc.exe` Remote Desktop Client
- [[BAM_DAM]] SYSTEM Last Time Executed - [[BAM_DAM]] - SYSTEM - Last Time Executed
- `mstsc.exe` Remote Desktop Client - `mstsc.exe` Remote Desktop Client
- [[AmCache.hve]] - First Time Executed - [[AmCache.hve]] - First Time Executed
- `mstsc.exe` - `mstsc.exe`
- UserAssist `NTUSER.DAT` - UserAssist - `NTUSER.DAT`
- `mstsc.exe` Remote Desktop Client execution - `mstsc.exe` Remote Desktop Client execution
- Last Time Executed - Last Time Executed
- Number of Times Executed - Number of Times Executed
- RecentApps `NTUSER.DAT` - RecentApps - `NTUSER.DAT`
- `mstsc.exe` - `mstsc.exe`
- Remote Desktop Client execution - Remote Desktop Client execution
- Last Time Executed - Last Time Executed
@ -100,12 +100,12 @@ def source_artifacts():
- Jumplists - `C:\\Users\\<Username>\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\` - Jumplists - `C:\\Users\\<Username>\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\`
- `{MSTSC-APPID}-automaticDestinations-ms` - `{MSTSC-APPID}-automaticDestinations-ms`
- Tracks remote desktop connection destination and times - Tracks remote desktop connection destination and times
- [[Prefetch]] `C:\\Windows\\Prefetch\\` - [[Prefetch]] - `C:\\Windows\\Prefetch\\`
- `mstsc.exe-{hash}.pf` - `mstsc.exe-{hash}.pf`
- [[Bitmap_Cache]] `C:\\Users\\<Username>\\AppData\\Local\\Microsoft\\TerminalServer Client\\Cache` - [[Bitmap_Cache]] - `C:\\Users\\<Username>\\AppData\\Local\\Microsoft\\TerminalServer Client\\Cache`
- bcache##.bmc - bcache##.bmc
- cache####.bin - cache####.bin
- Default.rdp file - Default.rdp file -
- `C:\\Users\\<Username>\\Documents\\` - `C:\\Users\\<Username>\\Documents\\`
""" """
print_info(title, content) print_info(title, content)
@ -114,7 +114,7 @@ def source_artifacts():
def destination_artifacts(): def destination_artifacts():
title = "RDP Destination File System Artifacts" title = "RDP Destination File System Artifacts"
content = """ content = """
- Prefetch `C:\\Windows\\Prefetch\\` - Prefetch - `C:\\Windows\\Prefetch\\`
- `rdpclip.exe-{hash}.pf` - `rdpclip.exe-{hash}.pf`
- `tstheme.exe-{hash}.pf` - `tstheme.exe-{hash}.pf`
""" """