Upload files to "Modules/Persistence"

This commit is contained in:
2024-11-28 00:56:00 -05:00
parent 002467caed
commit 0911fc4e4f
14 changed files with 1412 additions and 0 deletions

@ -0,0 +1,69 @@
def get_content():
"""
Returns structured content for the Advanced persistence method.
"""
return [
{
"title": "BIOS Flashing",
"content": """
### BIOS Flashing
Advanced persistence through BIOS flashing involves modifying firmware to execute malicious code before the operating system loads.
#### Detection Techniques:
1. **Registry Key**:
- Check for tools/scripts associated with flashing (e.g., `HKCU\\Software\\OEM\\FirmwareTools`).
2. **Event IDs**:
- Monitor Event ID `1100` (Windows Audit Log Cleared) before suspected flashing activity.
3. **Artifacts**:
- Examine for mismatched firmware versions compared to vendor-provided firmware binaries.
"""
},
{
"title": "Drivers",
"content": """
### Drivers
Malicious drivers can be used to escalate privileges or maintain persistence.
#### Detection Techniques:
1. **Registry Key**:
- `HKLM\\SYSTEM\\CurrentControlSet\\Services\\<DriverName>`
- Look for unsigned or newly installed drivers.
2. **Event IDs**:
- Event ID `7045` (Service Installed): Tracks driver installation.
3. **Artifacts**:
- Examine `C:\\Windows\\System32\\drivers` for unauthorized or unsigned drivers.
"""
},
{
"title": "Local Group Policy",
"content": """
### Local Group Policy
Manipulating group policies can enable persistence by enforcing malicious configurations.
#### Detection Techniques:
1. **Registry Key**:
- `HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\<PolicyKey>`
- Look for suspicious changes in security policy settings.
2. **Artifacts**:
- Review the `C:\\Windows\\System32\\GroupPolicy\\Machine` directory for unauthorized changes.
3. **Event IDs**:
- Event ID `4719` (System Audit Policy Changed): Tracks group policy changes.
"""
},
{
"title": "MS Office Add-In",
"content": """
### MS Office Add-In
Persistence via MS Office add-ins involves placing malicious macros or scripts that execute when Office applications are opened.
#### Detection Techniques:
1. **Registry Key**:
- `HKCU\\Software\\Microsoft\\Office\\<Version>\\AddIns\\<AddInName>`
- Monitor for unusual add-in registrations.
2. **Artifacts**:
- Inspect the `C:\\Users\\<Username>\\AppData\\Roaming\\Microsoft\\AddIns` directory for unknown files.
3. **Event IDs**:
- Event ID `800` (PowerShell Script Block Logging): Detects execution of scripts, potentially related to add-ins.
"""
}
]
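Review bot: two event IDs in this hunk are mislabeled. `Event ID 1100 (Windows Audit Log Cleared)` in the BIOS Flashing entry is wrong: 1100 is "the event logging service has shut down"; the audit-log-cleared event is 1102 (and 104 in the System log for the other channels). `Event ID 800 (PowerShell Script Block Logging)` in the MS Office Add-In entry is also wrong: 800 is "Pipeline Execution Details" in the classic Windows PowerShell log, while script block logging is 4104 in Microsoft-Windows-PowerShell/Operational. The BIOS registry key `HKCU\\Software\\OEM\\FirmwareTools` is not a known Windows artifact; either cite where it comes from or drop it and let the firmware-version-mismatch bullet carry the detection, since a user-hive key says nothing about what is in the SPI flash. Smaller points: 4719 records a change to the system audit policy, not Group Policy changes in general, and the Local Group Policy entry would be more useful if it named the file that actually holds the machine-side settings, `C:\\Windows\\System32\\GroupPolicy\\Machine\\Registry.pol`, rather than the directory alone.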

@ -0,0 +1,49 @@
def get_content():
"""
Returns structured content for the Autostart persistence method.
"""
return [
{
"title": "Registry Run Keys",
"content": """
The most common ASEPs (AutoStart Extension Points) are the “Run” Registry keys:
- NTUSER.DAT\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
- NTUSER.DAT\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce
- Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce
- Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run
These keys are executed when a user logs on. Monitoring these keys is crucial for detecting persistence mechanisms.
"""
},
{
"title": "Winlogon Userinit",
"content": """
The Winlogon Userinit key can be used to maintain persistence:
- SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit
This key typically contains:
- C:\\Windows\\system32\\userinit.exe
However, it can be modified to include malicious binaries:
- Example: C:\\Windows\\system32\\userinit.exe,C:\\Temp\\malicious.exe
"""
},
{
"title": "Startup Folder",
"content": """
The Startup folder allows for persistence by placing shortcuts in this folder:
- %AppData%\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup
Files in this folder automatically execute when a user logs on. Malware often uses this location for persistence.
"""
},
{
"title": "Investigative Notes",
"content": """
Investigating ASEPs across multiple systems can help identify compromised hosts. Key notes:
- ASEPs are numerous and diverse, requiring thorough examination.
- Tools like Registry Explorer and RegRipper can retrieve additional ASEPs from Registry hives.
- Analyzing data across systems may reveal outliers indicative of malicious activity.
"""
}
]
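Review bot: the Startup folder path `%AppData%\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup` counts `Roaming` twice: `%AppData%` already expands to `C:\Users\<user>\AppData\Roaming`, so the path should be `%AppData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup` (the all-users folder under `%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp` deserves a bullet of its own). The Run-key list omits the most common machine-wide key, `Software\\Microsoft\\Windows\\CurrentVersion\\Run` in the SOFTWARE hive, while listing its `RunOnce` sibling; add it, since it is the first place most persistence lands. `These keys are executed when a user logs on` is loose wording: the keys are not executed, the commands stored in their values are run by Explorer at logon, and the HKLM keys run for every user while the NTUSER.DAT ones run only for that profile, which is the distinction an analyst needs when scoping.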

@ -0,0 +1,88 @@
def get_content():
"""
Returns structured content for Basic Persistence Mechanisms.
"""
return [
{
"title": "BootExecute Key",
"content": r"""
### BootExecute Key
The BootExecute registry key launches processes before the subsystem initializes.
**Key Path**:
- `HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Session`
"""
},
{
"title": "WinLogon Process Keys",
"content": r"""
### WinLogon Process Keys
1. **Userinit Key**:
- Launches login scripts during the user logon process.
- **Key Path**: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`
2. **Notify Key**:
- Handles the `Ctrl+Alt+Del` event.
- **Key Path**: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify`
3. **Explorer.exe Key**:
- Points to `explorer.exe` and can be abused for persistence.
- **Key Path**: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell`
"""
},
{
"title": "Startup Keys",
"content": r"""
### Startup Keys
Startup keys allow programs to launch when a user logs on.
**Key Paths**:
- `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders`
- `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders`
- `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders`
- `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders`
"""
},
{
"title": "Services Keys",
"content": r"""
### Services Keys
Services keys enable services to boot automatically at startup.
**Key Paths**:
- `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services`
- `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce`
- `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices`
"""
},
{
"title": "Browser Helper Objects",
"content": r"""
### Browser Helper Objects
Browser Helper Objects can be used for persistence or malicious activity.
**Key Path**:
- `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects`
"""
},
{
"title": "AppInit_DLLs",
"content": r"""
### AppInit_DLLs
The AppInit_DLLs registry key specifies DLLs that are loaded into every user-mode process that loads `user32.dll`.
**Key Path**:
- `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs`
"""
},
{
"title": "Persistence Using Global Flags",
"content": r"""
### Persistence Using Global Flags
Global flags in the Image File Execution Options registry key can be abused for persistence.
**Example Commands**:
- `reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v GlobalFlag /t REG_DWORD /d 512`
- `reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v ReportingMode /t REG_DWORD /d 1`
- `reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v MonitorProcess /d "C:\temp\evil.exe"`
"""
}
]
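Review bot: the BootExecute key path is wrong. `HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Session` is truncated and pinned to one control set; the value is `BootExecute` under `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager` (on an offline hive, `Select\Current` tells you which ControlSetNNN is live, and ControlSet002 may be the last-known-good copy rather than the one that booted). `launches processes before the subsystem initializes` should say these native programs (autochk by default) are run by smss.exe before the Win32 subsystem starts, which is why an entry there runs before any EDR user-mode hooks exist. Two caveats belong in the AppInit_DLLs entry: the DLLs only load when `LoadAppInit_DLLs` in the same key is 1, and on Windows 8 and later with Secure Boot enabled the AppInit_DLLs mechanism is disabled, so an entry there is evidence of intent but not necessarily working persistence. The `Notify` key description ("Handles the Ctrl+Alt+Del event") refers to Winlogon notification packages, which were removed in Vista; mark it legacy, as `RunServices`/`RunServicesOnce` (Windows 9x) should be. In the Global Flags example the third `reg add` omits `/t REG_SZ`; `reg add` defaults to REG_SZ so it works, but stating the type keeps the three commands consistent, and the text should say what 512 is (0x200, FLG_MONITOR_SILENT_PROCESS_EXIT) so the reader can recognize other values.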

@ -0,0 +1,80 @@
def get_content():
"""
Returns structured content for the DCOM-based persistence method.
"""
return [
{
"title": "DCOM Execution Overview",
"content": """
### DCOM Execution (dcomexec.py):
- **Command**: `dcomexec.py -object [ShellWindows | ShellBrowserWindow | MMC20] domain/username:password@[hostname | IP] command`
- Specify a command to run or leave blank for shell.
- Executes a semi-interactive shell using DCOM objects.
- Must specify 'ShellWindows', 'ShellBrowserWindow', or 'MMC20' via the `-object` parameter.
- Uses the first 5 digits of the UNIX Epoch Time in commands.
**Features**:
- Not detected or blocked by Windows Defender by default.
"""
},
{
"title": "Windows Event Log Residue",
"content": """
### Event Log Residue:
- Two rounds of:
- Event ID `4776` in Security on target (for user specified in command).
- Event ID `4672` in Security on target (for user specified in command).
- Event ID `4624` Type 3 in Security on target (for user specified in command).
#### If Enabled:
- Event ID `4688` in Security on target:
- `svchost.exe → mmc.exe -Embedding`.
- `mmc.exe → cmd.exe /Q /c cd \\ 1> \\127.0.0.1\\ADMIN$\\__sssss 2>&1` (where “s” is the first 5 digits of the UNIX Epoch Time).
- `cmd.exe → conhost.exe 0xffffffff -ForceV1`.
#### User Specified Commands:
- Event ID `4688` in Security on target:
- `mmc.exe → cmd.exe /Q /c command 1> \\127.0.0.1\\ADMIN$\\__sssss 2>&1`.
- `cmd.exe → conhost.exe 0xffffffff -ForceV1`.
- Two rounds of:
- Event ID `4634` Type 3 in Security on target (for user specified in command).
"""
},
{
"title": "Analysis of Commands Executed via DCOM",
"content": """
### Command Execution Details:
- DCOM execution involves creating a semi-interactive shell or running specific commands via DCOM objects.
- Commands use `mmc.exe` and `cmd.exe`:
- `mmc.exe → cmd.exe /Q /c command 1> \\127.0.0.1\\ADMIN$\\__sssss 2>&1`.
- The temporary file (__sssss) is created in the ADMIN$ share and cleaned up after execution.
**Key Indicators**:
- Look for temporary files in the ADMIN$ share with names matching the pattern `__sssss`.
- Monitor suspicious use of `mmc.exe` with the `-Embedding` flag.
"""
},
{
"title": "Detection and Mitigation",
"content": """
### Detection:
- Monitor `security.evtx` and `system.evtx` for:
- Event ID `4688` showing `mmc.exe` or `cmd.exe` with unusual arguments.
- Event ID `4624` and `4672` indicating logon attempts.
- Event ID `4634` showing logoff events.
- Use tools like Sysmon to log detailed command-line activity:
- Enable logging for `mmc.exe`, `cmd.exe`, and `conhost.exe`.
- Look for suspicious command-line parameters, such as the `-Embedding` flag.
### Mitigation:
- Restrict DCOM usage via GPO:
- Navigate to: `Computer Configuration > Administrative Templates > Windows Components > DCOM`.
- Disable DCOM or restrict to trusted applications.
- Regularly audit temporary files in ADMIN$ shares.
- Use endpoint protection solutions to detect unusual DCOM activity.
"""
}
]
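Review bot: the UNC paths in this file will render with a single leading backslash. The content strings are ordinary (non-raw) triple-quoted strings, so `1> \\127.0.0.1\\ADMIN$\\__sssss` becomes `1> \127.0.0.1\ADMIN$\__sssss` on the page; use `\\\\127.0.0.1` or switch to `r"""` as basic_persistence.py does. On substance, the process tree `svchost.exe → mmc.exe -Embedding` applies to the MMC20 object only; the ShellWindows and ShellBrowserWindow objects are hosted by explorer.exe, so cmd.exe is spawned under explorer.exe and an mmc.exe-only rule misses two of the three `-object` choices. The `4776` entries assume NTLM; with Kerberos the target logs the 4624 type 3 without 4776 and the ticket events (4768/4769) land on the domain controller. The GPO path `Computer Configuration > Administrative Templates > Windows Components > DCOM` does not match where the DCOM policies live: the Distributed COM application-compatibility settings are under `Administrative Templates > System > Distributed COM`, and the access/launch restrictions are the `DCOM: Machine Access Restrictions` / `DCOM: Machine Launch Restrictions` security options. Finally, dcomexec is remote execution rather than persistence, so the docstring's `DCOM-based persistence method` is a misnomer that the menu repeats.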

@ -0,0 +1,55 @@
def get_content():
"""
Returns structured content for the DLL Hijacking persistence method.
"""
return [
{
"title": "File System Analysis",
"content": """
### File System Analysis
- Look for new or unsigned `.exe` and `.dll` files in unusual locations.
- Example Indicators:
- Timestamp: 2021-02-18 03:42:31
- Impact: -
- Method: mach Meta
- File Name: `c:/ProgramData/mcoemcpy.exe` (size: 77824)
- File: `c:/ProgramData/McUtil.dll` (size: 131072)
"""
},
{
"title": "Memory Analysis",
"content": """
### Memory Analysis
- Identify system processes or DLLs loaded from unusual locations.
- Pay attention to:
- Processes running unexpected code.
- DLLs loaded from locations outside expected directories.
- Newly created DLLs and executables can indicate malicious activity.
"""
},
{
"title": "Command Line Analysis",
"content": """
### Command Line Analysis
- Review suspicious command-line execution patterns.
- Example:
- Command: `C:\\ProgramData\\ncoenchy.exe 0x4`
- Method: mach Meta
- Check for signs of injection or other manipulation.
"""
},
{
"title": "SANS DFIR Insights",
"content": """
### SANS DFIR Insights
- Nearly all DLL hijacks require placing a new DLL or executable onto the file system.
- Investigative Techniques:
- **File Timeline Analysis**:
- Focus on newly created files during times of interest.
- **Memory Forensics**:
- Analyze running processes for unexpected DLL locations.
- Obscure DLLs are more likely to be targeted since common DLLs are usually preloaded into memory.
- Other anomalous actions like network beaconing or named pipe creation can lead to detection.
"""
}
]
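Review bot: the Example Indicators block reads like OCR residue from a screenshot rather than usable content: `Method: mach Meta` is not a recognizable field, `Impact: -` carries nothing, and the executable appears as `c:/ProgramData/mcoemcpy.exe` in File System Analysis but `C:\\ProgramData\\ncoenchy.exe` in Command Line Analysis, with forward slashes in the first. Pick one spelling, use backslashes, and say what "Method" refers to or drop the field. The exe-plus-DLL pair dropped together into ProgramData is the side-loading variant of DLL hijacking (a legitimate host binary with a same-directory DLL), which the page should name, because the Memory Analysis and SANS DFIR bullets only talk about DLLs loaded from unexpected locations, and a side-loaded DLL sits exactly where its host expects it; the tell is the host binary running from an unusual directory and the DLL's signature not matching the host's vendor. The SANS DFIR Insights section should cite the source its title promises.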

@ -0,0 +1,102 @@
def get_content():
"""
Returns structured content for the Map Share persistence method.
"""
return [
{
"title": "Map Share Source Event Logs",
"content": """
### Source Event Logs
- `security.evtx`
- `4648` - Logon specifying alternate credentials
- Current logged-on User Name
- Alternate User Name
- Destination Host Name/IP
- Process Name
- `Microsoft-Windows-SmbClient\\Security.evtx`
- `31001` Failed logon to destination
- Destination Host Name
- User Name for failed logon
- Reason code for failed destination logon (e.g., bad password)
"""
},
{
"title": "Map Share Destination Event Logs",
"content": """
### Destination Event Logs
- **Security Event Log `security.evtx`**
- `4624`
- Logon Type 3
- Source IP/Logon User Name
- `4672`
- Logon User Name
- Logon by user with administrative rights
- Requirement for accessing default shares such as **C$** and **ADMIN$**
- `4776` - NTLM if authenticating to Local System
- Source Host Name/Logon User Name
- `4768` - TGT Granted
- Source Host Name/Logon User Name
- Available only on domain controller
- `4769` - Service Ticket Granted if authenticating to Domain Controller
- Destination Host Name/Logon User Name
- Source IP
- Available only on domain controller
- `5140`
- Share Access
- `5145`
- Auditing of shared files **NOISY**!
"""
},
{
"title": "Map Share Source Registry",
"content": """
### Source Registry
- **MountPoints2** - Remotely mapped shares
- `NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2`
- **Shellbags** - USRCLASS.DAT
- Remote folders accessed inside an interactive session via Explorer by attackers.
- **ShimCache** SYSTEM
- `net.exe`
- `net1.exe`
- **BAM_DAM** NTUSER.DAT Last Time Executed
- `net.exe`
- `net1.exe`
- **AmCache.hve** - First Time Executed
- `net.exe`
- `net1.exe`
"""
},
{
"title": "Map Share Destination Registry",
"content": """
### Destination Registry
- N/A
"""
},
{
"title": "Map Share Source File System",
"content": """
### Source File System
- **Prefetch** - `C:\\Windows\\Prefetch\\`
- `net.exe-{hash}.pf`
- `net1.exe-{hash}.pf`
- **User Profile Artifacts**
- Review shortcut files and jumplists for remote files accessed by attackers if they had interactive access (RDP).
"""
},
{
"title": "Map Share Destination File System",
"content": """
### Destination File System
- **File Creation**
- Attacker's files (malware) copied to the destination system.
- Look for Modified Time before Creation Time.
- Creation Time is the time of file copy.
- **User Access Logging (Servers Only)**
- `C:\\Windows\\System32\\LogFiles\\Sum`
- User Name
- Source IP Address
- First and Last Access Time
"""
}
]
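Review bot: the SmbClient log name `Microsoft-Windows-SmbClient\\Security.evtx` follows a different convention from the rest of the commit, which writes channels as `...%4Operational.evtx` (the on-disk file name) or `.../Operational`; use `Microsoft-Windows-SmbClient%4Security.evtx`. `4776 - NTLM if authenticating to Local System` should read `local account`: 4776 appears on the destination when a local account authenticates via NTLM and on the domain controller when a domain account does. Two auditing caveats belong next to the event IDs: 5140/5145 only exist when the File Share / Detailed File Share subcategories are enabled, and 4648 on the source only appears when explicit credentials are supplied (e.g. `net use ... /user:`), so its absence does not mean no share was mapped. `BAM_DAM NTUSER.DAT` is inconsistent with the other files, which (correctly) place BAM/DAM in the SYSTEM hive.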

@ -0,0 +1,26 @@
from flask import url_for
def get_persistence_menu():
"""
Returns the submenu for persistence methods.
Each method will link to its corresponding content page.
"""
return {
"title": "Persistence Methods",
"description": "Explore various persistence methods used by adversaries to maintain access.",
"methods": [
{"name": "Autostart", "url": url_for("persistence_method", method="autostart")},
{"name": "Basic Persistence", "url": url_for("persistence_method", method="basic_persistence")},
{"name": "DCOM", "url": url_for("persistence_method", method="dcom")},
{"name": "DLL Hijacking", "url": url_for("persistence_method", method="dll_hijacking")},
{"name": "Map Share", "url": url_for("persistence_method", method="map_share")},
{"name": "PowerShell Remoting", "url": url_for("persistence_method", method="powershell_remoting")},
{"name": "PsExec", "url": url_for("persistence_method", method="psexec")},
{"name": "RDP", "url": url_for("persistence_method", method="rdp")},
{"name": "Scheduled Tasks", "url": url_for("persistence_method", method="scheduled_tasks")},
{"name": "Services", "url": url_for("persistence_method", method="services")},
{"name": "SMBExec", "url": url_for("persistence_method", method="smbexec")},
{"name": "WMI", "url": url_for("persistence_method", method="wmi")},
{"name": "Advanced", "url": url_for("persistence_method", method="advanced")}
]
}

@ -0,0 +1,108 @@
def get_content():
"""
Returns structured content for the PowerShell Remoting persistence method.
"""
return [
{
"title": "PowerShell Remoting Source Event Logs",
"content": """
### Source Event Logs
- **security.evtx**
- `4648` - Logon specifying alternate credentials
- Current logged-on User Name
- Alternate User Name
- Destination Host Name/IP
- Process Name
- **Microsoft-Windows-WinRM/Operational.evtx**
- `161` - Remote Authentication Error
- `6` - WSMan Session initialize
- Session created
- Destination Host Name or IP
- Current logged-on User Name
- `8`, `15`, `16`, `33` - WSMan Session deinitialization
- Closing of WSMan session
- Current logged-on User Name
- **Microsoft-Windows-PowerShell/Operational.evtx**
- `40961`, `40962`
- Records the local initiation of powershell.exe and associated user account
- `8193` & `8194` - Session created
- `8197` - Connect
- Session closed
"""
},
{
"title": "PowerShell Remoting Source Registry",
"content": """
### Source Registry
- **ShimCache** SYSTEM
- powershell.exe
- **BAM_DAM** SYSTEM Last Time Executed
- powershell.exe
- **AmCache.hve** First Time Executed
- powershell.exe
"""
},
{
"title": "PowerShell Remoting Source File System Artifacts",
"content": """
### Source File System Artifacts
- **Prefetch** C:\\Windows\\Prefetch\\
- powershell.exe-{hash}.pf
- PowerShell scripts (.ps1 files) that run within 10 seconds of powershell.exe launching will be tracked in powershell.exe prefetch file
- **Command history**
- C:\\Users\\<Username>\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadline\\ConsoleHost_history.txt
- With PS v5+, a history file with previous 4096 commands is maintained per user
"""
},
{
"title": "PowerShell Remoting Destination Event Logs",
"content": """
### Destination Event Logs
- **security.evtx**
- `4624` Logon Type 3
- Source IP/Logon User Name
- `4672`
- Logon User Name
- Logon by a user with administrative rights
- **Microsoft-Windows-PowerShell%4Operational.evtx**
- `4103`, `4104` Script Block logging
- Logs suspicious scripts by default in PS v5
- Logs all scripts if configured
- `53504` - Records the authenticating user
- **Windows PowerShell.evtx**
- `400/403` - "ServerRemoteHost" indicates start/end of remoting session
- `800` - Includes partial script code
- **Microsoft-Windows-WinRM/Operational.evtx**
- `91` Session creation
- `142` WSMan Operation Failure
- `169` Records the authenticating user
"""
},
{
"title": "PowerShell Remoting Destination Registry",
"content": """
### Destination Registry
- **ShimCache** SYSTEM
- wsmprovhost.exe
- evil.exe
- **SOFTWARE**
- Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell\\ExecutionPolicy
- Attacker may change execution policy to a less restrictive setting, such as "bypass"
- **AmCache.hve** First Time Executed
- wsmprovhost.exe
- evil.exe
"""
},
{
"title": "PowerShell Remoting Destination File System Artifacts",
"content": """
### Destination File System Artifacts
- **File Creation**
- evil.exe
- With Enter-PSSession, a user profile directory may be created
- **Prefetch** C:\\Windows\\Prefetch\\
- evil.exe-{hash}.pf
- wsmprovhost.exe-{hash}.pf
"""
}
]
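Review bot: `4103, 4104 Script Block logging` conflates two events: 4104 is script block logging (and `Logs suspicious scripts by default in PS v5` applies to it), while 4103 is module logging, which records pipeline execution and is off by default; split them. The channel is written `Microsoft-Windows-PowerShell/Operational.evtx` in the source section and `Microsoft-Windows-PowerShell%4Operational.evtx` in the destination section; pick one. One detection detail worth stating under Destination Event Logs: `wsmprovhost.exe` is the host process for a remoting session, so a 4688 (or Sysmon event 1) with `wsmprovhost.exe` as the parent of cmd.exe or powershell.exe is the cleanest single indicator, which this file only implies through ShimCache and Prefetch. The `4096` history cap in Source File System Artifacts is PSReadLine's default `MaximumHistoryCount`, not a fixed limit; say so, since an attacker can clear or disable it with `Set-PSReadLineOption`.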

@ -0,0 +1,178 @@
def get_content():
"""
Returns structured content for the PsExec persistence method.
"""
return [
{
"title": "Source Event Logs",
"content": """
### Source Event Logs
- **security.evtx**
- `4648` - Logon specifying alternate credentials
- Current logged-on User Name
- Alternate User Name
- Destination Host Name/IP
- Process Name
"""
},
{
"title": "Destination Event Logs",
"content": """
### Destination Event Logs
- **security.evtx**
- `4648` Logon specifying alternate credentials
- Connecting User Name
- Process Name
- `4624` Logon Type 3 (and Type 2 if “-u” Alternate Credentials are used)
- Source IP/Logon User Name
- `4672`
- Logon User Name
- Logon by a user with administrative rights
- Requirement for access default shares such as **C$** and **ADMIN$**
- `5140` Share Access
- **ADMIN$** share used by PsExec
- **system.evtx**
- `7045` Service installation: 4-character mixed-case alpha name referencing an 8-character mixed-case alpha .exe file
- %systemroot%\\xxxxxxxx.exe
- `7036` Service start/stop events
- **If Enabled**:
- `4688` in Security: tracks service and cmd.exe execution
"""
},
{
"title": "Source Registry",
"content": """
### Source Registry
- **NTUSER.DAT**
- Software\\SysInternals\\PsExec\\EulaAccepted
- **ShimCache** SYSTEM
- psexec.exe
- **BAM_DAM** SYSTEM Last Time Executed
- psexec.exe
- **AmCache.hve** First Time Executed
- psexec.exe
"""
},
{
"title": "Destination Registry",
"content": """
### Destination Registry
- New service creation configured in `SYSTEM\\CurrentControlSet\\Services\\PSEXESVC`
- “-r” option can allow attacker to rename service
- **ShimCache** SYSTEM
- psexesvc.exe
- **AmCache.hve**
- First Time Executed
- psexesvc.exe
"""
},
{
"title": "Source File System",
"content": """
### Source File System
- **Prefetch** C:\\Windows\\Prefetch\\
- psexec.exe-{hash}.pf
- Possible references to other files accessed by psexec.exe, such as executables copied to target system with the “-c” option
- **File Creation**
- psexec.exe file downloaded and created on the local host as the file is not native to Windows
"""
},
{
"title": "Destination File System",
"content": """
### Destination File System
- **Prefetch** C:\\Windows\\Prefetch\\
- psexesvc.exe-{hash}.pf
- evil.exe-{hash}.pf
- **File Creation**
- User profile directory structure created unless "-e" option used
- psexesvc.exe will be placed in **ADMIN$** (\\Windows) by default, as well as other executables (evil.exe) pushed by PsExec
- **User Access Logging (Servers only)**
- C:\\Windows\\System32\\LogFiles\\Sum
- User Name
- Source IP Address
- First and Last Access Time
"""
},
{
"title": "Service Installation Details",
"content": """
### Service Installation Details
- PsExec creates a temporary Windows service for execution:
- Service name: Random 4-character mixed-case alpha name
- Executable: Random 8-character mixed-case alpha .exe file
- Registry Path:
- SYSTEM\\CurrentControlSet\\Services\\<ServiceName>
- Event Log Evidence:
- Event ID 7045 in `system.evtx` logs the service installation.
- Includes:
- Service Name
- Executable Path
- Service Type and Start Mode
- Forensic Insights:
- Compare service names and paths across multiple systems to detect outliers.
- Look for services with short, random names.
"""
},
{
"title": "Network Artifacts",
"content": """
### Network Artifacts
- **Network Connections**:
- PsExec uses SMB for communication and file transfer.
- Ports:
- 445 (SMB over TCP/IP)
- 139 (NetBIOS over TCP/IP)
- **Shared Resources**:
- Default shares such as **ADMIN$** and **C$** are utilized.
- Logs in `security.evtx`:
- Event ID 5140: Share access.
- Event ID 5145: Access to specific shared files.
- **Forensic Tips**:
- Monitor for abnormal access to ADMIN$ or C$ from unexpected hosts.
- Analyze SMB traffic for PsExec file transfers.
"""
},
{
"title": "Eviction Techniques",
"content": """
### Eviction Techniques
- **Detection**:
- Use centralized logging solutions (e.g., Splunk, ELK) to correlate Event IDs across systems.
- Enable advanced audit policies to log service and process creation events.
- **Eviction**:
- Audit and remove unauthorized services under:
- SYSTEM\\CurrentControlSet\\Services\\
- Verify the integrity of executables in:
- C:\\Windows\\System32
- C:\\Windows\\Prefetch
- Block unauthorized access to default shares like ADMIN$ and C$.
- **Prevention**:
- Use endpoint protection tools to block PsExec executables.
- Restrict access to administrative shares to trusted hosts and accounts only.
"""
},
{
"title": "Malware Case Study",
"content": """
### Malware Case Study
- **Real-World Example**:
- Malware Name: Emotet
- Attack Vector: Lateral Movement
- Emotet leveraged PsExec to deploy secondary payloads across compromised networks.
- **Tactics**:
- Copied malicious payloads to ADMIN$ share.
- Used PsExec to execute payloads on remote systems.
- Cleaned up by removing PsExec artifacts (e.g., services and files).
- **Forensic Indicators**:
- Sudden increase in Event IDs 4624, 4672, and 5140 across multiple systems.
- Unusual services with short, random names.
- Files with mismatched creation and modification times in ADMIN$.
"""
}
]
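Review bot: the file mixes two tools' service artifacts without saying so. `7045 Service installation: 4-character mixed-case alpha name referencing an 8-character mixed-case alpha .exe file` and the Service Installation Details section describe the Metasploit psexec module, whereas Sysinternals PsExec installs the `PSEXESVC` service with `%SystemRoot%\PSEXESVC.exe` (as Destination Registry says, with `-r` renaming it); label each pattern with the tool that produces it, or a reader will discard a PSEXESVC hit as "not random enough". Under Eviction, `Verify the integrity of executables in: C:\\Windows\\Prefetch` is off: Prefetch holds `.pf` trace files, not executables; the point should be to review Prefetch entries for unknown binaries. The Malware Case Study asserts `Emotet leveraged PsExec` with no reference; PsExec use is far better documented for the hands-on-keyboard operators that followed an Emotet infection (TrickBot/Ryuk), so cite a report or rename the example. The `4624 Logon Type 3 (and Type 2 if "-u" ...)` line is right but would benefit from the reason: with `-u` PsExec performs an explicit logon with those credentials on the target, producing the type 2 event alongside the SMB type 3.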

Modules/Persistence/rdp.py Normal file

@ -0,0 +1,125 @@
def get_content():
"""
Returns structured content for the RDP persistence method.
"""
return [
{
"title": "Source Event Logs",
"content": """
### Source Event Logs
- `security.evtx`
- `4648` - Logon specifying alternate credentials - if NLA enabled on destination
- Current logged-on User Name
- Alternate User Name
- Destination Host Name/IP
- Process Name
- `Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx`
- `1024`
- Destination Host Name
- `1102`
- Destination IP Address
"""
},
{
"title": "Destination Event Logs",
"content": """
### Destination Event Logs
- **Security Event Log** - `security.evtx`
- `4624` Logon Type 10
- Source IP/Logon User Name
- `4778/4779`
- IP Address of Source/Source System Name
- Logon User Name
- `Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx`
- `131` - Connection Attempts
- Source IP
- `98` - Successful Connections
- `Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx`
- `1149`
- Source IP/Logon User Name
- Blank user name may indicate use of Sticky Keys
- `Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx`
- 21, 22, 25
- Source IP/Logon User Name
- 41
- Logon User Name
"""
},
{
"title": "Source Registry",
"content": """
### Source Registry
- Remote desktop destinations are tracked per-user
- `NTUSER\\Software\\Microsoft\\Terminal Server Client\\Servers`
- [[ShimCache]] - SYSTEM
- `mstsc.exe` Remote Desktop Client
- [[BAM_DAM]] - SYSTEM - Last Time Executed
- `mstsc.exe` Remote Desktop Client
- [[AmCache.hve]] - First Time Executed
- `mstsc.exe`
- UserAssist - `NTUSER.DAT`
- `mstsc.exe` Remote Desktop Client execution
- Last Time Executed
- Number of Times Executed
- RecentApps - `NTUSER.DAT`
- `mstsc.exe`
- Remote Desktop Client execution
- Last Time Executed
- Number of Times Executed
- RecentItems subkey tracks connection destinations and times
"""
},
{
"title": "Destination Registry",
"content": """
### Destination Registry
- [[ShimCache]] - SYSTEM
- `rdpclip.exe`
- `tstheme.exe`
- [[AmCache.hve]] - First Time Executed
- `rdpclip.exe`
- `tstheme.exe`
"""
},
{
"title": "Source Artifacts",
"content": """
### Source File System Artifacts
- Jumplists - `C:\\Users\\<Username>\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\`
- `{MSTSC-APPID}-automaticDestinations-ms`
- Tracks remote desktop connection destination and times
- [[Prefetch]] - `C:\\Windows\\Prefetch\\`
- `mstsc.exe-{hash}.pf`
- [[Bitmap_Cache]] - `C:\\Users\\<Username>\\AppData\\Local\\Microsoft\\TerminalServer Client\\Cache`
- bcache##.bmc
- cache####.bin
- Default.rdp file -
- `C:\\Users\\<Username>\\Documents\\`
"""
},
{
"title": "Destination Artifacts",
"content": """
### Destination File System Artifacts
- Prefetch - `C:\\Windows\\Prefetch\\`
- `rdpclip.exe-{hash}.pf`
- `tstheme.exe-{hash}.pf`
"""
},
{
"title": "Extra Information",
"content": """
### Extra Information
# RDP Authentication vs. Authorization
- RDP authentication happens prior to session establishment (NLA).
- Know when authentication can fail and authorization can succeed.
# RDP Event Flow
1149 > 4624 (type 10) OR 7 (reconnect) > 21 > 22
- 1149: Authentication succeeded
- 4624: Account successfully logged on
- 21: Session logon succeeded
- 22: Shell start notification received
"""
}
]
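Review bot: `Know when authentication can fail and authorization can succeed` is inverted. The case that matters is authentication succeeding while authorization fails: with NLA the destination logs 1149 for a user whose credentials are valid but who is then refused (not in Remote Desktop Users, or denied by policy), so 1149 alone is not evidence of a session, and the flow line `1149 > 4624 (type 10) OR 7 (reconnect) > 21 > 22` should say that only 21/22 confirm one. `1149: Authentication succeeded` also only holds when NLA is enabled; without NLA the event records the network connection before any credential check. The `[[ShimCache]]`, `[[BAM_DAM]]`, `[[AmCache.hve]]`, `[[Prefetch]]` and `[[Bitmap_Cache]]` wiki links are not Markdown and will show literally; the other files use `**ShimCache**`. The two `# ...` headings in Extra Information are H1 inside content that otherwise uses `###`. The bitmap cache path `TerminalServer Client` is missing a space: `...\\Microsoft\\Terminal Server Client\\Cache`.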

@ -0,0 +1,133 @@
def get_content():
"""
Returns structured content for the Scheduled Tasks persistence method.
"""
return [
{
"title": "Scheduled Tasks Source Event Logs",
"content": """
### Source Event Logs
- `security.evtx`
- `4648` - Logon specifying alternate credentials
- Current logged-on User Name
- Alternate User Name
- Destination Host Name/IP
- Process Name
"""
},
{
"title": "Scheduled Tasks Destination Event Logs",
"content": """
### Destination Event Logs
- `security.evtx`
- `4624` Logon Type 3
- Source IP/Logon User Name
- `4672`
- Logon User Name
- Logon by a user with administrative rights
- Requirement for accessing default shares such as **C$** and **ADMIN$**
- `4698` - Scheduled task created
- `4702` - Scheduled task updated
- `4699` - Scheduled task deleted
- `4700/4701` - Scheduled task enabled/disabled
- `Microsoft-Windows-TaskScheduler%4Operational.evtx`
- `106` - Scheduled task created
- `140` - Scheduled task updated
- `141` - Scheduled task deleted
- `200/201` - Scheduled task executed/completed
"""
},
{
"title": "Scheduled Tasks Source Registry",
"content": """
### Source Registry
- **ShimCache** SYSTEM
- at.exe
- schtasks.exe
- **BAM/DAM** SYSTEM Last Time Executed
- at.exe
- schtasks.exe
- **AmCache.hve** First Time Executed
- at.exe
- schtasks.exe
"""
},
{
"title": "Scheduled Tasks Destination Registry",
"content": """
### Destination Registry
- SOFTWARE
- `Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks`
- `Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\`
- **ShimCache** SYSTEM
- evil.exe
- **AmCache.hve** First Time Executed
- evil.exe
"""
},
{
"title": "Scheduled Tasks Source File System Artifacts",
"content": """
### Source File System Artifacts
- **Prefetch** `C:\\Windows\\Prefetch\\`
- at.exe-{hash}.pf
- schtasks.exe-{hash}.pf
"""
},
{
"title": "Scheduled Tasks Destination File System Artifacts",
"content": """
### Destination File System Artifacts
- **File Creation**
- evil.exe
- Job files created in
- `C:\\Windows\\Tasks`
- XML task files created in
- `C:\\Windows\\System32\\Tasks`
- `C:\\Windows\\SysWOW64\\Tasks`
- **Author tag** can identify:
- Source system name
- Creator username
- **Prefetch** `C:\\Windows\\Prefetch\\`
- evil.exe-{hash}.pf
"""
},
{
"title": "Atexec Analysis",
"content": """
### Atexec Analysis
#### Command Syntax:
- `atexec.py domain/username:password@[hostname | IP] command`
#### Characteristics:
- Executes commands remotely but does not provide shell access.
- Creates a Scheduled Task with a random 8-character mixed-case alpha string.
- Uses `cmd.exe /C` to run commands, outputting results to `C:\\Windows\\Temp\\<random>.tmp` before deleting the file.
- **NOT detected and blocked by Windows Defender by default**.
#### Windows Event Log Residue:
1. Event IDs in `Security.evtx`:
- `4776` - NTLM Authentication
- `4672` - Special privileges assigned to logon.
- `4624` - Successful logon (Type 3).
2. `Microsoft-Windows-TaskScheduler/Operational`:
- `106`, `325`, `129`, `100`, `200`, `110`, `141`, `111`, `201`, `102` (Task lifecycle).
3. **IF ENABLED**:
- `4688` - Process creation (`cmd.exe` spawning tasks or executing commands).
- `4698` - Scheduled task created.
- `4699` - Scheduled task deleted.
#### Example Detection Indicators:
- Multiple rounds of Event IDs (`4776`, `4672`, `4624`).
- Temporary `.tmp` files in `C:\\Windows\\Temp` with scheduled task output.
"""
},
{
"title": "Scheduled Tasks Extra Information",
"content": """
### Scheduled Tasks Commands
- `at \\\\host 13:00 "c:\\temp\\evil.exe"`
- `schtasks /CREATE /TN taskname /TR c:\\temp\\evil.exe /SC once /RU “SYSTEM” /ST 13:00 /S host /U username`
"""
}
]
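Review bot: the `schtasks` example uses typographic quotes, `/RU “SYSTEM”`; pasted into cmd.exe those characters are passed literally and the command fails on the user name. Use straight quotes. Next to the event IDs, say that `4698`/`4699`/`4700`/`4701`/`4702` require the Audit Other Object Access Events subcategory (the Atexec section marks them `IF ENABLED`, the Destination Event Logs section does not), and that `at.exe` has been deprecated since Windows 8 and on current builds only prints a deprecation notice, so `at.exe` Prefetch/ShimCache hits and `.job` files in `C:\\Windows\\Tasks` are expected only on older hosts; tasks created with `schtasks` leave just the XML under `System32\\Tasks`. In Atexec Analysis, `Multiple rounds of Event IDs` should say what the pattern is (the same 4776/4672/4624 triplet repeated seconds apart for one source and one account), since that repetition is what separates atexec from a single interactive logon.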

@ -0,0 +1,140 @@
def get_content():
"""
Returns structured content for the Service-based persistence method.
"""
return [
{
"title": "Source Event Logs",
"content": """
No specific source event logs are generated for service-based persistence.
"""
},
{
"title": "Destination Event Logs",
"content": """
### Destination Event Logs
- **security.evtx**
- `4624` Logon Type 3
- Source IP/Logon User Name
- `4697`
- Records service installation (non-default)
- Useful for centralized log monitoring.
- **system.evtx**
- `7034` - Service crashed unexpectedly.
- `7035` - Service sent a Start/Stop control.
- `7036` - Service started or stopped.
- `7040` - Start type changed (Boot | On Request | Disabled).
- `7045` - A service was installed on the system.
"""
},
{
"title": "Source Registry",
"content": """
### Source Registry
Registry Artifacts:
- [[ShimCache]] - SYSTEM
- Tracks `sc.exe`.
- [[BAM_DAM]] - SYSTEM - Last Time Executed
- Tracks `sc.exe`.
- [[AmCache.hve]]
- Tracks first execution of `sc.exe`.
"""
},
{
"title": "Destination Registry",
"content": """
### Destination Registry
Registry Artifacts:
- SYSTEM
- `\\CurrentControlSet\\Services\\` - New service creation.
- [[ShimCache]] - SYSTEM
- Tracks `evil.exe`.
- [[AmCache.hve]] - First Time Executed
- Tracks `evil.exe`.
"""
},
{
"title": "Source File System",
"content": """
### Source File System
Prefetch Artifacts:
- Prefetch - `C:\\Windows\\Prefetch\\`
- `sc.exe-{hash}.pf`.
"""
},
{
"title": "Destination File System",
"content": """
### Destination File System
File Creation Artifacts:
- Malicious executables or DLLs:
- `evil.exe` or `evil.dll`.
- Prefetch - `C:\\Windows\\Prefetch\\`
- Tracks execution of `evil.exe` or service DLLs.
"""
},
{
"title": "Service Replacement Examples",
"content": """
### Service Replacement Examples
Service replacement involves modifying legitimate services to execute malicious payloads.
#### Example 1: Binary Path Manipulation
Modify the `ImagePath` registry key to point to a malicious executable:
- Key Path: `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\<ServiceName>\\ImagePath`
- New Value: `C:\\temp\\evil.exe`
#### Example 2: DLL Hijacking in Services
Replace a legitimate service DLL with a malicious one:
- Locate service DLL in `\\CurrentControlSet\\Services\\<ServiceName>\\Parameters\\ServiceDll`.
- Replace the file with `evil.dll`.
#### Example 3: Startup Type Abuse
Change the `Start` registry key to automatically start a malicious service:
- Key Path: `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\<ServiceName>\\Start`
- Value: `2` (Automatic Start).
#### Example 4: Service Install Command
Use `sc` to create and start a malicious service:
- Command: `sc \\host create servicename binpath="c:\\temp\\evil.exe"`
"""
},
{
"title": "Exploitation of Windows Services",
"content": """
### Exploitation of Windows Services
Windows services can be exploited in the following ways:
#### 1. Privilege Escalation via Insecure Permissions
- Services with weak `DACL` permissions can be reconfigured by low-privileged users.
- Example: Modify `ImagePath` to point to a malicious binary.
#### 2. DLL Search Order Hijacking
- Service executable dynamically loads a DLL without specifying a full path.
- Place a malicious DLL in the service's working directory.
#### 3. Service Control Abuse
- Use `sc` or similar tools to start/stop services, potentially disrupting legitimate operations.
#### 4. Unquoted Service Paths
- If the binary path contains spaces and is unquoted, an attacker can place a malicious executable in the path.
- Example:
- Path: `C:\\Program Files\\Legitimate Service\\binary.exe`.
- Malicious executable: `C:\\Program.exe`.
#### 5. Creating New Services
- Install a new malicious service using `sc` or `psexec`.
- Example:
- `sc create maliciousservice binpath="c:\\temp\\evil.exe" start=auto`
#### 6. Abusing Trusted Services
- Replace binaries or DLLs of highly trusted services, such as antivirus or backup services.
#### Detection Tips:
- Monitor `system.evtx` for service start/stop events.
- Check `security.evtx` for suspicious service creation.
- Regularly audit `\\CurrentControlSet\\Services\\` for unexpected entries.
"""
}
]
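Review bot: the two `sc` command lines, `sc \\host create servicename binpath="c:\\temp\\evil.exe"` and `sc create maliciousservice binpath="c:\\temp\\evil.exe" start=auto`, do not match sc.exe's option syntax, which requires a space after the `=` (`binpath= "c:\temp\evil.exe"`, `start= auto`); as written sc.exe prints its usage text. Since these strings are what analysts will match against 4688 or Sysmon command lines, they should be exact. Related: the content string is not a raw string, so `\\host` renders as `\host`, whereas the `at \\\\host` example in the scheduled-tasks module renders the UNC prefix correctly; use `\\\\host` here as well. Style: the "Source Event Logs" entry is the only one in this module whose content lacks a `### ` heading; the other entries all carry one.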


@ -0,0 +1,139 @@
def get_content():
"""
Returns structured content for the SMBExec persistence method.
"""
return [
{
"title": "SMBExec Source Event Logs",
"content": """
### Source Event Logs
- **security.evtx**
- `4776` - Logon specifying alternate credentials
- Current logged-on User Name
- Alternate User Name
- Destination Host Name/IP
- Process Name
"""
},
{
"title": "SMBExec Destination Event Logs",
"content": """
### Destination Event Logs
- **security.evtx**
- `4776` - Logon specifying alternate credentials
- Connecting User Name
- Process Name
- `4624` Logon Type 3
- Source IP/Logon User Name
- `4672`
- Logon User Name
- Logon by a user with administrative rights
- `4634` Type 3 (session end)
- **system.evtx**
- `7045` - Service installation
- Default service name: "BTOBTO" or a random 8-character mixed-case string.
- `7036` Service start/stop events
"""
},
{
"title": "SMBExec Source Registry",
"content": """
### Source Registry
- **NTUSER.DAT**
- Software\\SysInternals\\SMBExec\\EulaAccepted
- **ShimCache** SYSTEM
- smbexec.exe
- **BAM_DAM** SYSTEM Last Time Executed
- smbexec.exe
- **AmCache.hve** First Time Executed
- smbexec.exe
"""
},
{
"title": "SMBExec Destination Registry",
"content": """
### Destination Registry
- SYSTEM\\CurrentControlSet\\Services\\<ServiceName>
- Default: "BTOBTO" or random 8-character string.
- **ShimCache** SYSTEM
- smbexecsvc.exe
- **AmCache.hve**
- First Time Executed
- smbexecsvc.exe
"""
},
{
"title": "SMBExec Source File System",
"content": """
### Source File System
- **Prefetch** C:\\Windows\\Prefetch\\
- smbexec.exe-{hash}.pf
- **File Creation**
- smbexec.exe file downloaded and created on the local host.
"""
},
{
"title": "SMBExec Destination File System",
"content": """
### Destination File System
- **Prefetch** C:\\Windows\\Prefetch\\
- smbexecsvc.exe-{hash}.pf
- execute.bat-{hash}.pf
- **File Creation**
- `execute.bat` created in C:\\Windows\\TEMP\\
- User-specified commands echoed to `execute.bat`.
- Temporary batch file removed after execution.
"""
},
{
"title": "SMBExec Service Creation Details",
"content": """
### Service Creation Details
- Service Name:
- Default: "BTOBTO"
- Updated to a random 8-character mixed-case string in May 2023.
- Executable: `execute.bat` created for every command.
- Event Log Evidence:
- `7045` in `system.evtx` logs service creation.
- Command executed via:
- `%COMSPEC% /Q /c echo cd ^> \\127.0.0.1\\C$\\__output 2^>^&1 > %TEMP%\\execute.bat`.
"""
},
{
"title": "SMBExec Network Artifacts",
"content": """
### Network Artifacts
- **Network Connections**:
- SMB protocol communication with the target.
- Evidence of ADMIN$ share access.
- **Network Traffic Analysis**:
- Monitor for suspicious SMB traffic to/from servers.
- Detect repeated connections with new service creation.
"""
},
{
"title": "SMBExec Eviction Techniques",
"content": """
### Eviction Techniques
- Remove temporary files:
- `execute.bat` is deleted after execution.
- Service cleanup:
- Services created for each command are removed after execution.
"""
},
{
"title": "SMBExec Malware Case Study",
"content": """
### Malware Case Study
- **Case Study**:
- Malware using SMBExec for lateral movement.
- Leveraged temporary service creation for executing commands.
- Indicators:
- Random service names.
- Temporary batch files in `C:\\Windows\\TEMP`.
- **Detection**:
- Monitor Event ID 7045 for abnormal service names.
- Correlate with batch file creation and execution in `TEMP` directory.
"""
}
]
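Review bot: Event ID 4776 is mislabeled in both event-log entries. 4776 is "The computer attempted to validate the credentials for an account" (NTLM credential validation, fields: Authentication Package, Logon Account, Source Workstation, Error Code) and has no Process Name field; the "Logon specifying alternate credentials" description with Current/Alternate User Name, Destination Host Name/IP and Process Name belongs to 4648, which is the ID the WMI module in this same commit uses. Change the ID to 4648 or rewrite the description to match 4776. Two smaller points: `Software\\SysInternals\\SMBExec\\EulaAccepted` is a Sysinternals EULA artifact, and impacket's smbexec.py is not a Sysinternals tool and writes no such key, so this line looks carried over from a PsExec entry and should be removed or qualified; and in the Service Creation Details command, `\\127.0.0.1\\C$` sits in a non-raw string and renders as `\127.0.0.1\C$`, so the UNC prefix needs `\\\\127.0.0.1`.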

Modules/Persistence/wmi.py Normal file

@ -0,0 +1,120 @@
def get_content():
"""
Returns structured content for the WMI persistence method.
"""
return [
{
"title": "WMI Source Event Logs",
"content": """
### Source Event Logs
`security.evtx`:
- `4648` Logon specifying alternate credentials
- Current logged-on User Name
- Alternate User Name
- Destination Host Name/IP
- Process Name
"""
},
{
"title": "WMI Destination Event Logs",
"content": """
### Destination Event Logs
`security.evtx`:
- `4624` Logon Type 3
- Source IP/Logon User Name
- `4672`
- Logon User Name
- Logon by a user with administrative rights
`Microsoft-Windows-WMI-Activity/Operational.evtx`:
- `5857`
- Indicates time of wmiprvse execution and path to provider DLL attackers sometimes install malicious WMI provider DLLs.
- `5860`, `5861`
- Registration of Temporary (5860) and Permanent (5861) Event Consumers.
- Typically used for persistence, but can also be used for remote execution.
"""
},
{
"title": "WMI Source Registry",
"content": """
### Source Registry
- **ShimCache** SYSTEM
- `wmic.exe`
- **BAM_DAM** SYSTEM Last Time Executed
- `wmic.exe`
- **AmCache.hve** First Time Executed
- `wmic.exe`
"""
},
{
"title": "WMI Destination Registry",
"content": """
### Destination Registry
- **ShimCache** SYSTEM
- `scrcons.exe`
- `mofcomp.exe`
- `wmiprvse.exe`
- `evil.exe`
- **AmCache.hve** First Time Executed
- `scrcons.exe`
- `mofcomp.exe`
- `wmiprvse.exe`
- `evil.exe`
"""
},
{
"title": "WMI Source File System",
"content": """
### Source File System
- **Prefetch**:
- `C:\\Windows\\Prefetch\\wmic.exe-{hash}.pf`
"""
},
{
"title": "WMI Destination File System",
"content": """
### Destination File System
- **File Creation**:
- `evil.exe`
- `evil.mof` - .mof files can be used to manage the WMI Repository.
- **Prefetch**:
- `C:\\Windows\\Prefetch\\scrcons.exe-{hash}.pf`
- `C:\\Windows\\Prefetch\\mofcomp.exe-{hash}.pf`
- `C:\\Windows\\Prefetch\\wmiprvse.exe-{hash}.pf`
- `C:\\Windows\\Prefetch\\evil.exe-{hash}.pf`
- **Unauthorized changes to the WMI Repository**:
- `C:\\Windows\\System32\\wbem\\Repository`
"""
},
{
"title": "WMI Event Consumer Backdoors",
"content": """
### WMI Event Consumer Backdoors
- **Event Filters**: Define conditions under which events trigger (e.g., process starts).
- **Event Consumers**: Define actions for triggered events (e.g., execute a script).
- **Event Bindings**: Link filters and consumers.
"""
},
{
"title": "WMIEXEC Analysis",
"content": """
### WMIEXEC Analysis
- **Command Example**: `wmiexec.py domain/username:password@[hostname | IP] command`
- **Logs**:
- Event ID `4648`, `4624`, `4672`, `5857`, `5861` indicate WMI activity.
- **Detection**:
- Monitor commands triggering `wmiprvse.exe` and subsequent processes.
"""
},
{
"title": "Additional WMI Detection Tips",
"content": """
### Additional Detection Tips
- Enable verbose WMI logging in the `Microsoft-Windows-WMI-Activity` log.
- Correlate WMI activity with file system or registry changes.
- Research WMI use by known APTs or malware families.
"""
}
]
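Review bot: the 5857 bullet is a run-on: "path to provider DLL attackers sometimes install malicious WMI provider DLLs" has lost the separator between the field description and the analyst note; split it ("...and path to provider DLL. Attackers sometimes install malicious WMI provider DLLs."). In WMIEXEC Analysis, listing 5861 (permanent event consumer registration) as an indicator of wmiexec.py conflates two techniques: wmiexec.py executes commands through Win32_Process Create and registers no event consumer, so 5861 belongs with the Event Consumer Backdoors entry, while 5857 (provider load in wmiprvse) is the WMI-Activity event to expect from wmiexec.py. Also, the 5860/5861 text says consumers are "typically used for persistence" while the entry title says "Destination Event Logs" for lateral movement; a one-line cross-reference to the Event Consumer Backdoors entry would make the split explicit.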