From 0911fc4e4f6ba746394d39ab274f03e63d00fe02 Mon Sep 17 00:00:00 2001
From: Matthew Iverson
Date: Thu, 28 Nov 2024 00:56:00 -0500
Subject: [PATCH] Upload files to "Modules/Persistence"
---
 Modules/Persistence/advanced.py | 69 ++++++++
 Modules/Persistence/autostart.py | 49 ++++++
 Modules/Persistence/basic_persistence.py | 88 ++++++++++
 Modules/Persistence/dcom.py | 80 +++++++++
 Modules/Persistence/dll_hijacking.py | 55 +++++++
 Modules/Persistence/map_share.py | 102 ++++++++++++
 Modules/Persistence/persistence.py | 26 +++
 Modules/Persistence/powershell_remoting.py | 108 +++++++++++++
 Modules/Persistence/psexec.py | 178 +++++++++++++++++++++
 Modules/Persistence/rdp.py | 125 +++++++++++++++
 Modules/Persistence/scheduled_tasks.py | 133 +++++++++++++++
 Modules/Persistence/services.py | 140 ++++++++++++++++
 Modules/Persistence/smbexec.py | 139 ++++++++++++++++
 Modules/Persistence/wmi.py | 120 ++++++++++++++
 14 files changed, 1412 insertions(+)
 create mode 100644 Modules/Persistence/advanced.py
 create mode 100644 Modules/Persistence/autostart.py
 create mode 100644 Modules/Persistence/basic_persistence.py
 create mode 100644 Modules/Persistence/dcom.py
 create mode 100644 Modules/Persistence/dll_hijacking.py
 create mode 100644 Modules/Persistence/map_share.py
 create mode 100644 Modules/Persistence/persistence.py
 create mode 100644 Modules/Persistence/powershell_remoting.py
 create mode 100644 Modules/Persistence/psexec.py
 create mode 100644 Modules/Persistence/rdp.py
 create mode 100644 Modules/Persistence/scheduled_tasks.py
 create mode 100644 Modules/Persistence/services.py
 create mode 100644 Modules/Persistence/smbexec.py
 create mode 100644 Modules/Persistence/wmi.py
diff --git a/Modules/Persistence/advanced.py b/Modules/Persistence/advanced.py
new file mode 100644
index 0000000..ff12017
--- /dev/null
+++ b/Modules/Persistence/advanced.py
@@ -0,0 +1,69 @@ +def get_content(): + """ + Returns structured content for the Advanced persistence method. + """ + return [ + { + "title": "BIOS Flashing", + "content": """ +### BIOS Flashing +Advanced persistence through BIOS flashing involves modifying firmware to execute malicious code before the operating system loads. + +#### Detection Techniques: +1. **Registry Key**: + - Check for tools/scripts associated with flashing (e.g., `HKCU\\Software\\OEM\\FirmwareTools`). +2. **Event IDs**: + - Monitor Event ID `1100` (Windows Audit Log Cleared) before suspected flashing activity. +3. **Artifacts**: + - Examine for mismatched firmware versions compared to vendor-provided firmware binaries. +""" + }, + { + "title": "Drivers", + "content": """ +### Drivers +Malicious drivers can be used to escalate privileges or maintain persistence. + +#### Detection Techniques: +1. **Registry Key**: + - `HKLM\\SYSTEM\\CurrentControlSet\\Services\\` + - Look for unsigned or newly installed drivers. +2. **Event IDs**: + - Event ID `7045` (Service Installed): Tracks driver installation. +3. **Artifacts**: + - Examine `C:\\Windows\\System32\\drivers` for unauthorized or unsigned drivers. +""" + }, + { + "title": "Local Group Policy", + "content": """ +### Local Group Policy +Manipulating group policies can enable persistence by enforcing malicious configurations. + +#### Detection Techniques: +1. **Registry Key**: + - `HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\` + - Look for suspicious changes in security policy settings. +2. **Artifacts**: + - Review the `C:\\Windows\\System32\\GroupPolicy\\Machine` directory for unauthorized changes. +3. **Event IDs**: + - Event ID `4719` (System Audit Policy Changed): Tracks group policy changes. +""" + }, + { + "title": "MS Office Add-In", + "content": """ +### MS Office Add-In +Persistence via MS Office add-ins involves placing malicious macros or scripts that execute when Office applications are opened. + +#### Detection Techniques: +1. 
**Registry Key**: + - `HKCU\\Software\\Microsoft\\Office\\\\AddIns\\` + - Monitor for unusual add-in registrations. +2. **Artifacts**: + - Inspect the `C:\\Users\\\\AppData\\Roaming\\Microsoft\\AddIns` directory for unknown files. +3. **Event IDs**: + - Event ID `800` (PowerShell Script Block Logging): Detects execution of scripts, potentially related to add-ins. +""" + } + ] diff --git a/Modules/Persistence/autostart.py b/Modules/Persistence/autostart.py new file mode 100644 index 0000000..b33d4b6 --- /dev/null +++ b/Modules/Persistence/autostart.py 
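Review bot: Event ID `1100` in the BIOS Flashing section is "The event logging service has shut down"; the audit-log-cleared event is `1102`, so the bullet should read `- Monitor Event ID \`1102\` (The audit log was cleared) before suspected flashing activity.` In the MS Office Add-In section the key `HKCU\\Software\\Microsoft\\Office\\\\AddIns\\` and the folder `C:\\Users\\\\AppData\\Roaming\\Microsoft\\AddIns` each contain a doubled separator where an angle-bracket placeholder (something like `<app>` / `<username>`) appears to have been dropped, so the rendered page shows an empty path segment. This module also writes every registry path in an ordinary `"""` string with doubled backslashes while basic_persistence.py in the same patch uses `r"""`; using raw strings here would keep the paths readable as written and avoids the UNC-escaping mistakes that appear in dcom.py.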
@@ -0,0 +1,49 @@ +def get_content(): + """ + Returns structured content for the Autostart persistence method. + """ + return [ + { + "title": "Registry Run Keys", + "content": """ +The most common ASEPs (AutoStart Extension Points) are the “Run” Registry keys: +- NTUSER.DAT\\Software\\Microsoft\\Windows\\CurrentVersion\\Run +- NTUSER.DAT\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce +- Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce +- Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run + +These keys are executed when a user logs on. Monitoring these keys is crucial for detecting persistence mechanisms. +""" + }, + { + "title": "Winlogon Userinit", + "content": """ +The Winlogon Userinit key can be used to maintain persistence: +- SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit + +This key typically contains: +- C:\\Windows\\system32\\userinit.exe + +However, it can be modified to include malicious binaries: +- Example: C:\\Windows\\system32\\userinit.exe,C:\\Temp\\malicious.exe +""" + }, + { + "title": "Startup Folder", + "content": """ +The Startup folder allows for persistence by placing shortcuts in this folder: +- %AppData%\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup + +Files in this folder automatically execute when a user logs on. Malware often uses this location for persistence. +""" + }, + { + "title": "Investigative Notes", + "content": """ +Investigating ASEPs across multiple systems can help identify compromised hosts. Key notes: +- ASEPs are numerous and diverse, requiring thorough examination. +- Tools like Registry Explorer and RegRipper can retrieve additional ASEPs from Registry hives. +- Analyzing data across systems may reveal outliers indicative of malicious activity. +""" + } + ] diff --git a/Modules/Persistence/basic_persistence.py b/Modules/Persistence/basic_persistence.py new file mode 100644 index 0000000..92dad9d --- /dev/null 
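Review bot: The Startup Folder path `%AppData%\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup` duplicates the `Roaming` segment — `%AppData%` already expands to `...\AppData\Roaming` — so the path as written does not exist on a default install; it should be `- %AppData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup` (or the fully spelled-out `C:\\Users\\<user>\\AppData\\Roaming\\...`). The Run-key list in the first section appears to omit the machine-wide `Software\\Microsoft\\Windows\\CurrentVersion\\Run` key (the SOFTWARE hive is listed only for `RunOnce` and the Policies `Run` key), which is the most commonly abused ASEP; if leaving it out was deliberate, a sentence saying so would help. The curly quotes around “Run” render fine but are inconsistent with the plain quotes the other modules use.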
+++ b/Modules/Persistence/basic_persistence.py 
@@ -0,0 +1,88 @@ +def get_content(): + """ + Returns structured content for Basic Persistence Mechanisms. + """ + return [ + { + "title": "BootExecute Key", + "content": r""" +### BootExecute Key +The BootExecute registry key launches processes before the subsystem initializes. + +**Key Path**: +- `HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Session` + """ + }, + { + "title": "WinLogon Process Keys", + "content": r""" +### WinLogon Process Keys +1. **Userinit Key**: + - Launches login scripts during the user logon process. + - **Key Path**: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon` +2. **Notify Key**: + - Handles the `Ctrl+Alt+Del` event. + - **Key Path**: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify` +3. **Explorer.exe Key**: + - Points to `explorer.exe` and can be abused for persistence. + - **Key Path**: `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell` + """ + }, + { + "title": "Startup Keys", + "content": r""" +### Startup Keys +Startup keys allow programs to launch when a user logs on. + +**Key Paths**: +- `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders` +- `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders` +- `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders` +- `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders` + """ + }, + { + "title": "Services Keys", + "content": r""" +### Services Keys +Services keys enable services to boot automatically at startup. 
+ +**Key Paths**: +- `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services` +- `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce` +- `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices` + """ + }, + { + "title": "Browser Helper Objects", + "content": r""" +### Browser Helper Objects +Browser Helper Objects can be used for persistence or malicious activity. + +**Key Path**: +- `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects` + """ + }, + { + "title": "AppInit_DLLs", + "content": r""" +### AppInit_DLLs +The AppInit_DLLs registry key specifies DLLs that are loaded into every user-mode process that loads `user32.dll`. + +**Key Path**: +- `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs` + """ + }, + { + "title": "Persistence Using Global Flags", + "content": r""" +### Persistence Using Global Flags +Global flags in the Image File Execution Options registry key can be abused for persistence. + +**Example Commands**: +- `reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v GlobalFlag /t REG_DWORD /d 512` +- `reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v ReportingMode /t REG_DWORD /d 1` +- `reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v MonitorProcess /d "C:\temp\evil.exe"` + """ + } + ] diff --git a/Modules/Persistence/dcom.py b/Modules/Persistence/dcom.py new file mode 100644 index 0000000..7e4d030 --- /dev/null +++ b/Modules/Persistence/dcom.py 
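Review bot: The BootExecute key path `HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Session` is truncated and pinned to one control set; the `BootExecute` value lives under `Session Manager` in the current control set, so the bullet should read `- \`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\` (value: \`BootExecute\`)`. The sentence "launches processes before the subsystem initializes" should name what it means — the entries are run by smss.exe before the Windows subsystem starts — so an analyst knows why an unexpected entry there matters. The Global Flags section, unlike the rest of the file, gives no detection guidance at all; following the file's own convention it should at least list the `Image File Execution Options` and `SilentProcessExit` keys under a **Key Paths** heading as the locations to audit.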
@@ -0,0 +1,80 @@ +def get_content(): + """ + Returns structured content for the DCOM-based persistence method. + """ + return [ + { + "title": "DCOM Execution Overview", + "content": """ +### DCOM Execution (dcomexec.py): +- **Command**: `dcomexec.py -object [ShellWindows | ShellBrowserWindow | MMC20] domain/username:password@[hostname | IP] command` + - Specify a command to run or leave blank for shell. + - Executes a semi-interactive shell using DCOM objects. + - Must specify 'ShellWindows', 'ShellBrowserWindow', or 'MMC20' via the `-object` parameter. + - Uses the first 5 digits of the UNIX Epoch Time in commands. + +**Features**: +- Not detected or blocked by Windows Defender by default. + """ + }, + { + "title": "Windows Event Log Residue", + "content": """ +### Event Log Residue: +- Two rounds of: + - Event ID `4776` in Security on target (for user specified in command). + - Event ID `4672` in Security on target (for user specified in command). + - Event ID `4624` Type 3 in Security on target (for user specified in command). + +#### If Enabled: +- Event ID `4688` in Security on target: + - `svchost.exe → mmc.exe -Embedding`. + - `mmc.exe → cmd.exe /Q /c cd \\ 1> \\127.0.0.1\\ADMIN$\\__sssss 2>&1` (where “s” is the first 5 digits of the UNIX Epoch Time). + - `cmd.exe → conhost.exe 0xffffffff -ForceV1`. + +#### User Specified Commands: +- Event ID `4688` in Security on target: + - `mmc.exe → cmd.exe /Q /c command 1> \\127.0.0.1\\ADMIN$\\__sssss 2>&1`. + - `cmd.exe → conhost.exe 0xffffffff -ForceV1`. + +- Two rounds of: + - Event ID `4634` Type 3 in Security on target (for user specified in command). + """ + }, + { + "title": "Analysis of Commands Executed via DCOM", + "content": """ +### Command Execution Details: +- DCOM execution involves creating a semi-interactive shell or running specific commands via DCOM objects. +- Commands use `mmc.exe` and `cmd.exe`: + - `mmc.exe → cmd.exe /Q /c command 1> \\127.0.0.1\\ADMIN$\\__sssss 2>&1`. 
+ - The temporary file (__sssss) is created in the ADMIN$ share and cleaned up after execution. + +**Key Indicators**: +- Look for temporary files in the ADMIN$ share with names matching the pattern `__sssss`. +- Monitor suspicious use of `mmc.exe` with the `-Embedding` flag. + """ + }, + { + "title": "Detection and Mitigation", + "content": """ +### Detection: +- Monitor `security.evtx` and `system.evtx` for: + - Event ID `4688` showing `mmc.exe` or `cmd.exe` with unusual arguments. + - Event ID `4624` and `4672` indicating logon attempts. + - Event ID `4634` showing logoff events. + +- Use tools like Sysmon to log detailed command-line activity: + - Enable logging for `mmc.exe`, `cmd.exe`, and `conhost.exe`. + - Look for suspicious command-line parameters, such as the `-Embedding` flag. + +### Mitigation: +- Restrict DCOM usage via GPO: + - Navigate to: `Computer Configuration > Administrative Templates > Windows Components > DCOM`. + - Disable DCOM or restrict to trusted applications. + +- Regularly audit temporary files in ADMIN$ shares. +- Use endpoint protection solutions to detect unusual DCOM activity. + """ + } + ] diff --git a/Modules/Persistence/dll_hijacking.py b/Modules/Persistence/dll_hijacking.py new file mode 100644 index 0000000..97fe06d --- /dev/null +++ b/Modules/Persistence/dll_hijacking.py 
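Review bot: The UNC paths in the 4688 examples lose a backslash when rendered: inside a non-raw `"""` string `\\127.0.0.1\\ADMIN$` becomes `\127.0.0.1\ADMIN$`, so the documented command line no longer matches what the event actually records. Either switch the content string to `r"""` (as basic_persistence.py does) or write `\\\\127.0.0.1\\ADMIN$`; the same fix applies to the two other `1> \\127.0.0.1...` lines in this file. As far as I can tell, the GPO location given under Mitigation (`Administrative Templates > Windows Components > DCOM`) is not where DCOM launch and access restrictions are set — those are the `DCOM: Machine Launch/Access Restrictions` entries under `Security Settings > Local Policies > Security Options` — so that path should be verified before publication.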
@@ -0,0 +1,55 @@ +def get_content(): + """ + Returns structured content for the DLL Hijacking persistence method. + """ + return [ + { + "title": "File System Analysis", + "content": """ +### File System Analysis +- Look for new or unsigned `.exe` and `.dll` files in unusual locations. +- Example Indicators: + - Timestamp: 2021-02-18 03:42:31 + - Impact: - + - Method: mach Meta + - File Name: `c:/ProgramData/mcoemcpy.exe` (size: 77824) + - File: `c:/ProgramData/McUtil.dll` (size: 131072) + """ + }, + { + "title": "Memory Analysis", + "content": """ +### Memory Analysis +- Identify system processes or DLLs loaded from unusual locations. +- Pay attention to: + - Processes running unexpected code. + - DLLs loaded from locations outside expected directories. +- Newly created DLLs and executables can indicate malicious activity. + """ + }, + { + "title": "Command Line Analysis", + "content": """ +### Command Line Analysis +- Review suspicious command-line execution patterns. + - Example: + - Command: `C:\\ProgramData\\ncoenchy.exe 0x4` + - Method: mach Meta +- Check for signs of injection or other manipulation. + """ + }, + { + "title": "SANS DFIR Insights", + "content": """ +### SANS DFIR Insights +- Nearly all DLL hijacks require placing a new DLL or executable onto the file system. +- Investigative Techniques: + - **File Timeline Analysis**: + - Focus on newly created files during times of interest. + - **Memory Forensics**: + - Analyze running processes for unexpected DLL locations. +- Obscure DLLs are more likely to be targeted since common DLLs are usually preloaded into memory. +- Other anomalous actions like network beaconing or named pipe creation can lead to detection. + """ + } + ] diff --git a/Modules/Persistence/map_share.py b/Modules/Persistence/map_share.py new file mode 100644 index 0000000..20140bc --- /dev/null +++ b/Modules/Persistence/map_share.py 
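Review bot: The "Example Indicators" block in File System Analysis reads like an uncorrected OCR capture rather than a usable indicator set: `Method: mach Meta` and `Impact: -` carry no meaning, `c:/ProgramData/mcoemcpy.exe` uses forward slashes while the Command Line section writes `C:\\ProgramData\\ncoenchy.exe`, and the two file names differ although they appear to describe the same case. Either correct the values against the source material or label the block `- Example (illustrative values, not real IoCs):` so readers do not hunt for those exact paths. One sentence on what the example is meant to show — an executable and a DLL created side by side at the same timestamp in a user-writable directory — would make the detection point explicit.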
@@ -0,0 +1,102 @@ +def get_content(): + """ + Returns structured content for the Map Share persistence method. + """ + return [ + { + "title": "Map Share Source Event Logs", + "content": """ +### Source Event Logs +- `security.evtx` + - `4648` - Logon specifying alternate credentials + - Current logged-on User Name + - Alternate User Name + - Destination Host Name/IP + - Process Name +- `Microsoft-Windows-SmbClient\\Security.evtx` + - `31001` – Failed logon to destination + - Destination Host Name + - User Name for failed logon + - Reason code for failed destination logon (e.g., bad password) + """ + }, + { + "title": "Map Share Destination Event Logs", + "content": """ +### Destination Event Logs +- **Security Event Log – `security.evtx`** + - `4624` + - Logon Type 3 + - Source IP/Logon User Name + - `4672` + - Logon User Name + - Logon by user with administrative rights + - Requirement for accessing default shares such as **C$** and **ADMIN$** + - `4776` - NTLM if authenticating to Local System + - Source Host Name/Logon User Name + - `4768` - TGT Granted + - Source Host Name/Logon User Name + - Available only on domain controller + - `4769` - Service Ticket Granted if authenticating to Domain Controller + - Destination Host Name/Logon User Name + - Source IP + - Available only on domain controller + - `5140` + - Share Access + - `5145` + - Auditing of shared files – **NOISY**! + """ + }, + { + "title": "Map Share Source Registry", + "content": """ +### Source Registry +- **MountPoints2** - Remotely mapped shares + - `NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2` +- **Shellbags** - USRCLASS.DAT + - Remote folders accessed inside an interactive session via Explorer by attackers. 
+- **ShimCache** – SYSTEM + - `net.exe` + - `net1.exe` +- **BAM_DAM** – NTUSER.DAT – Last Time Executed + - `net.exe` + - `net1.exe` +- **AmCache.hve** - First Time Executed + - `net.exe` + - `net1.exe` + """ + }, + { + "title": "Map Share Destination Registry", + "content": """ +### Destination Registry +- N/A + """ + }, + { + "title": "Map Share Source File System", + "content": """ +### Source File System +- **Prefetch** - `C:\\Windows\\Prefetch\\` + - `net.exe-{hash}.pf` + - `net1.exe-{hash}.pf` +- **User Profile Artifacts** + - Review shortcut files and jumplists for remote files accessed by attackers if they had interactive access (RDP). + """ + }, + { + "title": "Map Share Destination File System", + "content": """ +### Destination File System +- **File Creation** + - Attacker's files (malware) copied to the destination system. + - Look for Modified Time before Creation Time. + - Creation Time is the time of file copy. +- **User Access Logging (Servers Only)** + - `C:\\Windows\\System32\\LogFiles\\Sum` + - User Name + - Source IP Address + - First and Last Access Time + """ + } + ] diff --git a/Modules/Persistence/persistence.py b/Modules/Persistence/persistence.py new file mode 100644 index 0000000..9d060e5 --- /dev/null +++ b/Modules/Persistence/persistence.py 
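Review bot: `**BAM_DAM** – NTUSER.DAT` in the Source Registry section puts BAM/DAM in the wrong hive; those keys live in the SYSTEM hive (`SYSTEM\\CurrentControlSet\\Services\\bam\\State\\UserSettings\\<SID>`), and every other module in this patch lists `BAM_DAM – SYSTEM`, so the line should become `- **BAM_DAM** – SYSTEM – Last Time Executed`. The log name `Microsoft-Windows-SmbClient\\Security.evtx` uses a backslash where the on-disk file is `Microsoft-Windows-SmbClient%4Security.evtx`, the `%4` form that rdp.py and powershell_remoting.py already use. The `5145` bullet is marked NOISY but does not say what it adds; noting that it records the relative target name and access mask per share object tells an analyst when enabling it is worth the volume.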
@@ -0,0 +1,26 @@
+from flask import url_for
+
+def get_persistence_menu():
+ """
+ Returns the submenu for persistence methods.
+ Each method will link to its corresponding content page.
+ """
+ return {
+ "title": "Persistence Methods",
+ "description": "Explore various persistence methods used by adversaries to maintain access.",
+ "methods": [
+ {"name": "Autostart", "url": url_for("persistence_method", method="autostart")},
+ {"name": "Basic Persistence", "url": url_for("persistence_method", method="basic_persistence")},
+ {"name": "DCOM", "url": url_for("persistence_method", method="dcom")},
+ {"name": "DLL Hijacking", "url": url_for("persistence_method", method="dll_hijacking")},
+ {"name": "Map Share", "url": url_for("persistence_method", method="map_share")},
+ {"name": "PowerShell Remoting", "url": url_for("persistence_method", method="powershell_remoting")},
+ {"name": "PsExec", "url": url_for("persistence_method", method="psexec")},
+ {"name": "RDP", "url": url_for("persistence_method", method="rdp")},
+ {"name": "Scheduled Tasks", "url": url_for("persistence_method", method="scheduled_tasks")},
+ {"name": "Services", "url": url_for("persistence_method", method="services")},
+ {"name": "SMBExec", "url": url_for("persistence_method", method="smbexec")},
+ {"name": "WMI", "url": url_for("persistence_method", method="wmi")},
+ {"name": "Advanced", "url": url_for("persistence_method", method="advanced")}
+ ]
+ }
diff --git a/Modules/Persistence/powershell_remoting.py b/Modules/Persistence/powershell_remoting.py
new file mode 100644
index 0000000..90977c0
--- /dev/null
+++ b/Modules/Persistence/powershell_remoting.py
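Review bot: `get_persistence_menu()` calls `url_for` for every entry, so it can only be called inside a Flask application or request context; the docstring should say so (`Must be called within an application/request context, since url_for is used to build each link.`). The thirteen `{"name": ..., "url": url_for(...)}` lines repeat one template; keeping the (name, slug) pairs in a module-level tuple and building the list with a comprehension gives the set of supported slugs a single home. If the `persistence_method` view (not in this patch) resolves the `method` slug to a module by name, that same tuple is the allow-list it should check the slug against before importing anything, rather than trusting the path segment directly.
```python
# (display name, route slug) pairs; the slug is what the persistence_method view receives.
PERSISTENCE_METHODS = (
    ("Autostart", "autostart"),
    ("Basic Persistence", "basic_persistence"),
    ("DCOM", "dcom"),
    ("DLL Hijacking", "dll_hijacking"),
    ("Map Share", "map_share"),
    ("PowerShell Remoting", "powershell_remoting"),
    ("PsExec", "psexec"),
    ("RDP", "rdp"),
    ("Scheduled Tasks", "scheduled_tasks"),
    ("Services", "services"),
    ("SMBExec", "smbexec"),
    ("WMI", "wmi"),
    ("Advanced", "advanced"),
)


def get_persistence_menu():
    """
    Return the submenu for persistence methods.

    Must be called within a Flask application/request context, since
    url_for is used to build each entry's link.
    """
    return {
        # … unchanged: "title" and "description" entries …
        "methods": [
            {"name": name, "url": url_for("persistence_method", method=slug)}
            for name, slug in PERSISTENCE_METHODS
        ],
    }
```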
@@ -0,0 +1,108 @@ +def get_content(): + """ + Returns structured content for the PowerShell Remoting persistence method. + """ + return [ + { + "title": "PowerShell Remoting Source Event Logs", + "content": """ +### Source Event Logs +- **security.evtx** + - `4648` - Logon specifying alternate credentials + - Current logged-on User Name + - Alternate User Name + - Destination Host Name/IP + - Process Name +- **Microsoft-Windows-WinRM/Operational.evtx** + - `161` - Remote Authentication Error + - `6` - WSMan Session initialize + - Session created + - Destination Host Name or IP + - Current logged-on User Name + - `8`, `15`, `16`, `33` - WSMan Session deinitialization + - Closing of WSMan session + - Current logged-on User Name +- **Microsoft-Windows-PowerShell/Operational.evtx** + - `40961`, `40962` + - Records the local initiation of powershell.exe and associated user account + - `8193` & `8194` - Session created + - `8197` - Connect + - Session closed + """ + }, + { + "title": "PowerShell Remoting Source Registry", + "content": """ +### Source Registry +- **ShimCache** – SYSTEM + - powershell.exe +- **BAM_DAM** – SYSTEM – Last Time Executed + - powershell.exe +- **AmCache.hve** – First Time Executed + - powershell.exe + """ + }, + { + "title": "PowerShell Remoting Source File System Artifacts", + "content": """ +### Source File System Artifacts +- **Prefetch** – C:\\Windows\\Prefetch\\ + - powershell.exe-{hash}.pf + - PowerShell scripts (.ps1 files) that run within 10 seconds of powershell.exe launching will be tracked in powershell.exe prefetch file +- **Command history** + - C:\\Users\\\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadline\\ConsoleHost_history.txt + - With PS v5+, a history file with previous 4096 commands is maintained per user + """ + }, + { + "title": "PowerShell Remoting Destination Event Logs", + "content": """ +### Destination Event Logs +- **security.evtx** + - `4624` – Logon Type 3 + - Source IP/Logon User Name + - `4672` + - 
Logon User Name + - Logon by a user with administrative rights +- **Microsoft-Windows-PowerShell%4Operational.evtx** + - `4103`, `4104` – Script Block logging + - Logs suspicious scripts by default in PS v5 + - Logs all scripts if configured + - `53504` - Records the authenticating user +- **Windows PowerShell.evtx** + - `400/403` - "ServerRemoteHost" indicates start/end of remoting session + - `800` - Includes partial script code +- **Microsoft-Windows-WinRM/Operational.evtx** + - `91` – Session creation + - `142` – WSMan Operation Failure + - `169` – Records the authenticating user + """ + }, + { + "title": "PowerShell Remoting Destination Registry", + "content": """ +### Destination Registry +- **ShimCache** – SYSTEM + - wsmprovhost.exe + - evil.exe +- **SOFTWARE** + - Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell\\ExecutionPolicy + - Attacker may change execution policy to a less restrictive setting, such as "bypass" +- **AmCache.hve** – First Time Executed + - wsmprovhost.exe + - evil.exe + """ + }, + { + "title": "PowerShell Remoting Destination File System Artifacts", + "content": """ +### Destination File System Artifacts +- **File Creation** + - evil.exe + - With Enter-PSSession, a user profile directory may be created +- **Prefetch** – C:\\Windows\\Prefetch\\ + - evil.exe-{hash}.pf + - wsmprovhost.exe-{hash}.pf + """ + } + ] diff --git a/Modules/Persistence/psexec.py b/Modules/Persistence/psexec.py new file mode 100644 index 0000000..6ab2819 --- /dev/null +++ b/Modules/Persistence/psexec.py 
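Review bot: The bullet `4103`, `4104` – Script Block logging merges two different features: 4104 is Script Block Logging, while 4103 is Module Logging (pipeline execution details), and they are enabled by separate policies, so the bullet should be split into `- \`4104\` – Script Block logging` and `- \`4103\` – Module logging (pipeline execution details)`. The PSReadline path `C:\\Users\\\\AppData\\Roaming\\...` has an empty segment where a `<username>` placeholder appears to have been lost. The same log is named two ways in this file — `Microsoft-Windows-PowerShell/Operational.evtx` in the source section and `Microsoft-Windows-PowerShell%4Operational.evtx` in the destination section — and the `%4` on-disk form should be used in both places.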
@@ -0,0 +1,178 @@ +def get_content(): + """ + Returns structured content for the PsExec persistence method. + """ + return [ + { + "title": "Source Event Logs", + "content": """ +### Source Event Logs +- **security.evtx** + - `4648` - Logon specifying alternate credentials + - Current logged-on User Name + - Alternate User Name + - Destination Host Name/IP + - Process Name + """ + }, + { + "title": "Destination Event Logs", + "content": """ +### Destination Event Logs +- **security.evtx** + - `4648` Logon specifying alternate credentials + - Connecting User Name + - Process Name + - `4624` Logon Type 3 (and Type 2 if “-u” Alternate Credentials are used) + - Source IP/Logon User Name + - `4672` + - Logon User Name + - Logon by a user with administrative rights + - Requirement for access default shares such as **C$** and **ADMIN$** + - `5140` – Share Access + - **ADMIN$** share used by PsExec +- **system.evtx** + - `7045` Service installation: 4-character mixed-case alpha name referencing an 8-character mixed-case alpha .exe file + - %systemroot%\\xxxxxxxx.exe + - `7036` Service start/stop events +- **If Enabled**: + - `4688` in Security: tracks service and cmd.exe execution + """ + }, + { + "title": "Source Registry", + "content": """ +### Source Registry +- **NTUSER.DAT** + - Software\\SysInternals\\PsExec\\EulaAccepted +- **ShimCache** – SYSTEM + - psexec.exe +- **BAM_DAM** – SYSTEM – Last Time Executed + - psexec.exe +- **AmCache.hve** – First Time Executed + - psexec.exe + """ + }, + { + "title": "Destination Registry", + "content": """ +### Destination Registry +- New service creation configured in `SYSTEM\\CurrentControlSet\\Services\\PSEXESVC` + - “-r” option can allow attacker to rename service +- **ShimCache** – SYSTEM + - psexesvc.exe +- **AmCache.hve** + - First Time Executed + - psexesvc.exe + """ + }, + { + "title": "Source File System", + "content": """ +### Source File System +- **Prefetch** – C:\\Windows\\Prefetch\\ + - psexec.exe-{hash}.pf + - 
Possible references to other files accessed by psexec.exe, such as executables copied to target system with the “-c” option +- **File Creation** + - psexec.exe file downloaded and created on the local host as the file is not native to Windows + """ + }, + { + "title": "Destination File System", + "content": """ +### Destination File System +- **Prefetch** – C:\\Windows\\Prefetch\\ + - psexesvc.exe-{hash}.pf + - evil.exe-{hash}.pf +- **File Creation** + - User profile directory structure created unless "-e" option used + - psexesvc.exe will be placed in **ADMIN$** (\\Windows) by default, as well as other executables (evil.exe) pushed by PsExec +- **User Access Logging (Servers only)** + - C:\\Windows\\System32\\LogFiles\\Sum + - User Name + - Source IP Address + - First and Last Access Time + """ + }, + { + "title": "Service Installation Details", + "content": """ +### Service Installation Details +- PsExec creates a temporary Windows service for execution: + - Service name: Random 4-character mixed-case alpha name + - Executable: Random 8-character mixed-case alpha .exe file +- Registry Path: + - SYSTEM\\CurrentControlSet\\Services\\ +- Event Log Evidence: + - Event ID 7045 in `system.evtx` logs the service installation. + - Includes: + - Service Name + - Executable Path + - Service Type and Start Mode +- Forensic Insights: + - Compare service names and paths across multiple systems to detect outliers. + - Look for services with short, random names. + """ + }, + { + "title": "Network Artifacts", + "content": """ +### Network Artifacts +- **Network Connections**: + - PsExec uses SMB for communication and file transfer. + - Ports: + - 445 (SMB over TCP/IP) + - 139 (NetBIOS over TCP/IP) +- **Shared Resources**: + - Default shares such as **ADMIN$** and **C$** are utilized. + - Logs in `security.evtx`: + - Event ID 5140: Share access. + - Event ID 5145: Access to specific shared files. 
+ +- **Forensic Tips**: + - Monitor for abnormal access to ADMIN$ or C$ from unexpected hosts. + - Analyze SMB traffic for PsExec file transfers. + """ + }, + { + "title": "Eviction Techniques", + "content": """ +### Eviction Techniques +- **Detection**: + - Use centralized logging solutions (e.g., Splunk, ELK) to correlate Event IDs across systems. + - Enable advanced audit policies to log service and process creation events. + +- **Eviction**: + - Audit and remove unauthorized services under: + - SYSTEM\\CurrentControlSet\\Services\\ + - Verify the integrity of executables in: + - C:\\Windows\\System32 + - C:\\Windows\\Prefetch + - Block unauthorized access to default shares like ADMIN$ and C$. + +- **Prevention**: + - Use endpoint protection tools to block PsExec executables. + - Restrict access to administrative shares to trusted hosts and accounts only. + """ + }, + { + "title": "Malware Case Study", + "content": """ +### Malware Case Study +- **Real-World Example**: + - Malware Name: Emotet + - Attack Vector: Lateral Movement + - Emotet leveraged PsExec to deploy secondary payloads across compromised networks. + +- **Tactics**: + - Copied malicious payloads to ADMIN$ share. + - Used PsExec to execute payloads on remote systems. + - Cleaned up by removing PsExec artifacts (e.g., services and files). + +- **Forensic Indicators**: + - Sudden increase in Event IDs 4624, 4672, and 5140 across multiple systems. + - Unusual services with short, random names. + - Files with mismatched creation and modification times in ADMIN$. + """ + } + ] diff --git a/Modules/Persistence/rdp.py b/Modules/Persistence/rdp.py new file mode 100644 index 0000000..36a5aaa --- /dev/null +++ b/Modules/Persistence/rdp.py 
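Review bot: The 7045 bullet ("4-character mixed-case alpha name referencing an 8-character mixed-case alpha .exe") describes the Impacket `psexec.py` implementation, while the Destination Registry section describes the Sysinternals tool (`Services\\PSEXESVC`, the `-r` rename option); as written a reader cannot tell which behaviour a given host should show. Naming the tool on each line resolves it, e.g. `- \`7045\` Service installation: PSEXESVC (Sysinternals PsExec) or a random 4-character service name with an 8-character .exe (Impacket psexec.py)`. In the Eviction section, "Verify the integrity of executables in C:\\Windows\\Prefetch" is probably a slip — Prefetch holds `.pf` trace files, not executables, and the useful step there is reviewing the `.pf` entries for the service binary. The Emotet case study is presented as fact with no source; a citation or a "reported" qualifier would keep the module's artifact lists and its narrative claims clearly separated.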
@@ -0,0 +1,125 @@ +def get_content(): + """ + Returns structured content for the RDP persistence method. + """ + return [ + { + "title": "Source Event Logs", + "content": """ +### Source Event Logs +- `security.evtx` + - `4648` - Logon specifying alternate credentials - if NLA enabled on destination + - Current logged-on User Name + - Alternate User Name + - Destination Host Name/IP + - Process Name +- `Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx` + - `1024` + - Destination Host Name + - `1102` + - Destination IP Address + """ + }, + { + "title": "Destination Event Logs", + "content": """ +### Destination Event Logs +- **Security Event Log** - `security.evtx` + - `4624` Logon Type 10 + - Source IP/Logon User Name + - `4778/4779` + - IP Address of Source/Source System Name + - Logon User Name +- `Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx` + - `131` - Connection Attempts + - Source IP + - `98` - Successful Connections +- `Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx` + - `1149` + - Source IP/Logon User Name + - Blank user name may indicate use of Sticky Keys +- `Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx` + - 21, 22, 25 + - Source IP/Logon User Name + - 41 + - Logon User Name + """ + }, + { + "title": "Source Registry", + "content": """ +### Source Registry +- Remote desktop destinations are tracked per-user + - `NTUSER\\Software\\Microsoft\\Terminal Server Client\\Servers` +- [[ShimCache]] - SYSTEM + - `mstsc.exe` Remote Desktop Client +- [[BAM_DAM]] - SYSTEM - Last Time Executed + - `mstsc.exe` Remote Desktop Client +- [[AmCache.hve]] - First Time Executed + - `mstsc.exe` +- UserAssist - `NTUSER.DAT` + - `mstsc.exe` Remote Desktop Client execution + - Last Time Executed + - Number of Times Executed +- RecentApps - `NTUSER.DAT` + - `mstsc.exe` + - Remote Desktop Client execution + - Last Time Executed + - Number of Times Executed + - RecentItems subkey tracks 
connection destinations and times + """ + }, + { + "title": "Destination Registry", + "content": """ +### Destination Registry +- [[ShimCache]] - SYSTEM + - `rdpclip.exe` + - `tstheme.exe` +- [[AmCache.hve]] - First Time Executed + - `rdpclip.exe` + - `tstheme.exe` + """ + }, + { + "title": "Source Artifacts", + "content": """ +### Source File System Artifacts +- Jumplists - `C:\\Users\\\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\` + - `{MSTSC-APPID}-automaticDestinations-ms` + - Tracks remote desktop connection destination and times +- [[Prefetch]] - `C:\\Windows\\Prefetch\\` + - `mstsc.exe-{hash}.pf` +- [[Bitmap_Cache]] - `C:\\Users\\\\AppData\\Local\\Microsoft\\TerminalServer Client\\Cache` + - bcache##.bmc + - cache####.bin +- Default.rdp file - + - `C:\\Users\\\\Documents\\` + """ + }, + { + "title": "Destination Artifacts", + "content": """ +### Destination File System Artifacts +- Prefetch - `C:\\Windows\\Prefetch\\` +- `rdpclip.exe-{hash}.pf` +- `tstheme.exe-{hash}.pf` + """ + }, + { + "title": "Extra Information", + "content": """ +### Extra Information +# RDP Authentication vs. Authorization +- RDP authentication happens prior to session establishment (NLA). +- Know when authentication can fail and authorization can succeed. + +# RDP Event Flow +1149 > 4624 (type 10) OR 7 (reconnect) > 21 > 22 +- 1149: Authentication succeeded +- 4624: Account successfully logged on +- 21: Session logon succeeded +- 22: Shell start notification received + """ + } + ] diff --git a/Modules/Persistence/scheduled_tasks.py b/Modules/Persistence/scheduled_tasks.py new file mode 100644 index 0000000..ccb9146 --- /dev/null +++ b/Modules/Persistence/scheduled_tasks.py 
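Review bot: The `[[ShimCache]]`, `[[BAM_DAM]]`, `[[AmCache.hve]]`, `[[Prefetch]]` and `[[Bitmap_Cache]]` wiki-link markup will render literally unless the app's Markdown renderer understands Obsidian-style links; every other module in this patch writes these as `**ShimCache**`, so the bold form should be used here too. Several profile paths (`C:\\Users\\\\AppData\\Roaming\\...`, `C:\\Users\\\\AppData\\Local\\Microsoft\\TerminalServer Client\\Cache`, `C:\\Users\\\\Documents\\`) contain an empty segment where a `<username>` placeholder appears to have been dropped. The Destination Artifacts list has lost its nesting (the two `.pf` entries sit at the same level as the Prefetch heading), and the Extra Information section uses `#` H1 headings inside content whose sections are H3, which will break the page's heading hierarchy.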
@@ -0,0 +1,133 @@
+def get_content():
+ """
+ Returns structured content for the Scheduled Tasks persistence method.
+ """
+ return [
+ {
+ "title": "Scheduled Tasks Source Event Logs",
+ "content": """
+### Source Event Logs
+- `security.evtx`
+ - `4648` - Logon specifying alternate credentials
+ - Current logged-on User Name
+ - Alternate User Name
+ - Destination Host Name/IP
+ - Process Name
+ """
+ },
+ {
+ "title": "Scheduled Tasks Destination Event Logs",
+ "content": """
+### Destination Event Logs
+- `security.evtx`
+ - `4624` Logon Type 3
+ - Source IP/Logon User Name
+ - `4672`
+ - Logon User Name
+ - Logon by a user with administrative rights
+ - Requirement for accessing default shares such as **C$** and **ADMIN$**
+ - `4698` - Scheduled task created
+ - `4702` - Scheduled task updated
+ - `4699` - Scheduled task deleted
+ - `4700/4701` - Scheduled task enabled/disabled
+- `Microsoft-Windows-TaskScheduler%4Operational.evtx`
+ - `106` - Scheduled task created
+ - `140` - Scheduled task updated
+ - `141` - Scheduled task deleted
+ - `200/201` - Scheduled task executed/completed
+ """
+ },
+ {
+ "title": "Scheduled Tasks Source Registry",
+ "content": """
+### Source Registry
+- **ShimCache** – SYSTEM
+ - at.exe
+ - schtasks.exe
+- **BAM/DAM** – SYSTEM – Last Time Executed
+ - at.exe
+ - schtasks.exe
+- **AmCache.hve** – First Time Executed
+ - at.exe
+ - schtasks.exe
+ """
+ },
+ {
+ "title": "Scheduled Tasks Destination Registry",
+ "content": """
+### Destination Registry
+- SOFTWARE
+ - `Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks`
+ - `Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\`
+- **ShimCache** – SYSTEM
+ - evil.exe
+- **AmCache.hve** – First Time Executed
+ - evil.exe
+ """
+ },
+ {
+ "title": "Scheduled Tasks Source File System Artifacts",
+ "content": """
+### Source File System Artifacts
+- **Prefetch** – `C:\\Windows\\Prefetch\\`
+ - at.exe-{hash}.pf
+ - schtasks.exe-{hash}.pf
+ """
+ },
+ {
+ "title": "Scheduled Tasks Destination File System Artifacts",
+ "content": """
+### Destination File System Artifacts
+- **File Creation**
+ - evil.exe
+- Job files created in
+ - `C:\\Windows\\Tasks`
+- XML task files created in
+ - `C:\\Windows\\System32\\Tasks`
+ - `C:\\Windows\\SysWOW64\\Tasks`
+ - **Author tag** can identify:
+ - Source system name
+ - Creator username
+- **Prefetch** – `C:\\Windows\\Prefetch\\`
+ - evil.exe-{hash}.pf
+ """
+ },
+ {
+ "title": "Atexec Analysis",
+ "content": """
+### Atexec Analysis
+#### Command Syntax:
+- `atexec.py domain/username:password@[hostname | IP] command`
+
+#### Characteristics:
+- Executes commands remotely but does not provide shell access.
+- Creates a Scheduled Task with a random 8-character mixed-case alpha string.
+- Uses `cmd.exe /C` to run commands, outputting results to `C:\\Windows\\Temp\\.tmp` before deleting the file.
+- **NOT detected and blocked by Windows Defender by default**.
+
+#### Windows Event Log Residue:
+1. Event IDs in `Security.evtx`:
+ - `4776` - NTLM Authentication
+ - `4672` - Special privileges assigned to logon.
+ - `4624` - Successful logon (Type 3).
+2. `Microsoft-Windows-TaskScheduler/Operational`:
+ - `106`, `325`, `129`, `100`, `200`, `110`, `141`, `111`, `201`, `102` (Task lifecycle).
+3. **IF ENABLED**:
+ - `4688` - Process creation (`cmd.exe` spawning tasks or executing commands).
+ - `4698` - Scheduled task created.
+ - `4699` - Scheduled task deleted.
+
+#### Example Detection Indicators:
+- Multiple rounds of Event IDs (`4776`, `4672`, `4624`).
+- Temporary `.tmp` files in `C:\\Windows\\Temp` with scheduled task output.
+ """
+ },
+ {
+ "title": "Scheduled Tasks Extra Information",
+ "content": """
+### Scheduled Tasks Commands
+- `at \\\\host 13:00 "c:\\temp\\evil.exe"`
+- `schtasks /CREATE /TN taskname /TR c:\\temp\\evil.exe /SC once /RU “SYSTEM” /ST 13:00 /S host /U username`
+ """
+ }
+ ]
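Review bot: The Destination Event Logs entry for `Microsoft-Windows-TaskScheduler%4Operational.evtx` (106/140/141/200/201) should say that this log is disabled by default on current Windows releases and only populates once an administrator enables it; the Atexec section already flags 4688/4698/4699 as `IF ENABLED`, and the same caveat belongs on this list, e.g. `- Disabled by default; enable the Operational log before relying on these IDs`. The Security IDs `4698`/`4699`/`4700-4702` in that section likewise depend on the Other Object Access Events audit subcategory being turned on, which the Atexec section states and this section does not. The `schtasks` example in Extra Information uses typographic quotes `“SYSTEM”`, which a reader copying the line will get wrong; `"SYSTEM"` with straight quotes is what the command expects.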
diff --git a/Modules/Persistence/services.py b/Modules/Persistence/services.py
new file mode 100644
index 0000000..a289014
--- /dev/null
+++ b/Modules/Persistence/services.py
@@ -0,0 +1,140 @@
+def get_content():
+ """
+ Returns structured content for the Service-based persistence method.
+ """
+ return [
+ {
+ "title": "Source Event Logs",
+ "content": """
+No specific source event logs are generated for service-based persistence.
+ """
+ },
+ {
+ "title": "Destination Event Logs",
+ "content": """
+### Destination Event Logs
+- **security.evtx**
+ - `4624` Logon Type 3
+ - Source IP/Logon User Name
+ - `4697`
+ - Records service installation (non-default)
+ - Useful for centralized log monitoring.
+
+- **system.evtx**
+ - `7034` - Service crashed unexpectedly.
+ - `7035` - Service sent a Start/Stop control.
+ - `7036` - Service started or stopped.
+ - `7040` - Start type changed (Boot | On Request | Disabled).
+ - `7045` - A service was installed on the system.
+ """
+ },
+ {
+ "title": "Source Registry",
+ "content": """
+### Source Registry
+Registry Artifacts:
+- [[ShimCache]] - SYSTEM
+ - Tracks `sc.exe`.
+- [[BAM_DAM]] - SYSTEM - Last Time Executed
+ - Tracks `sc.exe`.
+- [[AmCache.hve]]
+ - Tracks first execution of `sc.exe`.
+ """
+ },
+ {
+ "title": "Destination Registry",
+ "content": """
+### Destination Registry
+Registry Artifacts:
+- SYSTEM
+ - `\\CurrentControlSet\\Services\\` - New service creation.
+- [[ShimCache]] - SYSTEM
+ - Tracks `evil.exe`.
+- [[AmCache.hve]] - First Time Executed
+ - Tracks `evil.exe`.
+ """
+ },
+ {
+ "title": "Source File System",
+ "content": """
+### Source File System
+Prefetch Artifacts:
+- Prefetch - `C:\\Windows\\Prefetch\\`
+ - `sc.exe-{hash}.pf`.
+ """
+ },
+ {
+ "title": "Destination File System",
+ "content": """
+### Destination File System
+File Creation Artifacts:
+- Malicious executables or DLLs:
+ - `evil.exe` or `evil.dll`.
+- Prefetch - `C:\\Windows\\Prefetch\\`
+ - Tracks execution of `evil.exe` or service DLLs.
+ """
+ },
+ {
+ "title": "Service Replacement Examples",
+ "content": """
+### Service Replacement Examples
+Service replacement involves modifying legitimate services to execute malicious payloads.
+
+#### Example 1: Binary Path Manipulation
+Modify the `ImagePath` registry key to point to a malicious executable:
+- Key Path: `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\\\ImagePath`
+- New Value: `C:\\temp\\evil.exe`
+
+#### Example 2: DLL Hijacking in Services
+Replace a legitimate service DLL with a malicious one:
+- Locate service DLL in `\\CurrentControlSet\\Services\\\\Parameters\\ServiceDll`.
+- Replace the file with `evil.dll`.
+
+#### Example 3: Startup Type Abuse
+Change the `Start` registry key to automatically start a malicious service:
+- Key Path: `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\\\Start`
+- Value: `2` (Automatic Start).
+
+#### Example 4: Service Install Command
+Use `sc` to create and start a malicious service:
+- Command: `sc \\host create servicename binpath="c:\\temp\\evil.exe"`
+ """
+ },
+ {
+ "title": "Exploitation of Windows Services",
+ "content": """
+### Exploitation of Windows Services
+Windows services can be exploited in the following ways:
+
+#### 1. Privilege Escalation via Insecure Permissions
+- Services with weak `DACL` permissions can be reconfigured by low-privileged users.
+- Example: Modify `ImagePath` to point to a malicious binary.
+
+#### 2. DLL Search Order Hijacking
+- Service executable dynamically loads a DLL without specifying a full path.
+- Place a malicious DLL in the service's working directory.
+
+#### 3. Service Control Abuse
+- Use `sc` or similar tools to start/stop services, potentially disrupting legitimate operations.
+
+#### 4. Unquoted Service Paths
+- If the binary path contains spaces and is unquoted, an attacker can place a malicious executable in the path.
+- Example:
+ - Path: `C:\\Program Files\\Legitimate Service\\binary.exe`.
+ - Malicious executable: `C:\\Program.exe`.
+
+#### 5. Creating New Services
+- Install a new malicious service using `sc` or `psexec`.
+- Example:
+ - `sc create maliciousservice binpath="c:\\temp\\evil.exe" start=auto`
+
+#### 6. Abusing Trusted Services
+- Replace binaries or DLLs of highly trusted services, such as antivirus or backup services.
+
+#### Detection Tips:
+- Monitor `system.evtx` for service start/stop events.
+- Check `security.evtx` for suspicious service creation.
+- Regularly audit `\\CurrentControlSet\\Services\\` for unexpected entries.
+ """
+ }
+ ]
diff --git a/Modules/Persistence/smbexec.py b/Modules/Persistence/smbexec.py
new file mode 100644
index 0000000..86ddfd9
--- /dev/null
+++ b/Modules/Persistence/smbexec.py
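Review bot: The `sc` command in Service Replacement Examples is escaped inconsistently with the sibling module: in this non-raw string `sc \\host create ...` renders as `sc \host create ...` with a single backslash, whereas scheduled_tasks.py writes the UNC host as `at \\\\host ...`, which renders correctly as `\\host`; the example should use `\\\\host` too. The same collapse affects smbexec.py's `\\127.0.0.1\\C$\\__output`, which renders with one leading backslash instead of two. A caveat worth adding to Destination Event Logs: `4697` is only written when the Audit Security System Extension subcategory is enabled, which is not the default on most systems, so `7045` in system.evtx is the reliable baseline indicator, e.g. `- Requires Audit Security System Extension; absent by default on most hosts`.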
@@ -0,0 +1,139 @@
+def get_content():
+ """
+ Returns structured content for the SMBExec persistence method.
+ """
+ return [
+ {
+ "title": "SMBExec Source Event Logs",
+ "content": """
+### Source Event Logs
+- **security.evtx**
+ - `4776` - Logon specifying alternate credentials
+ - Current logged-on User Name
+ - Alternate User Name
+ - Destination Host Name/IP
+ - Process Name
+ """
+ },
+ {
+ "title": "SMBExec Destination Event Logs",
+ "content": """
+### Destination Event Logs
+- **security.evtx**
+ - `4776` - Logon specifying alternate credentials
+ - Connecting User Name
+ - Process Name
+ - `4624` Logon Type 3
+ - Source IP/Logon User Name
+ - `4672`
+ - Logon User Name
+ - Logon by a user with administrative rights
+ - `4634` Type 3 (session end)
+- **system.evtx**
+ - `7045` - Service installation
+ - Default service name: "BTOBTO" or a random 8-character mixed-case string.
+ - `7036` Service start/stop events
+ """
+ },
+ {
+ "title": "SMBExec Source Registry",
+ "content": """
+### Source Registry
+- **NTUSER.DAT**
+ - Software\\SysInternals\\SMBExec\\EulaAccepted
+- **ShimCache** – SYSTEM
+ - smbexec.exe
+- **BAM_DAM** – SYSTEM – Last Time Executed
+ - smbexec.exe
+- **AmCache.hve** – First Time Executed
+ - smbexec.exe
+ """
+ },
+ {
+ "title": "SMBExec Destination Registry",
+ "content": """
+### Destination Registry
+- SYSTEM\\CurrentControlSet\\Services\\
+ - Default: "BTOBTO" or random 8-character string.
+- **ShimCache** – SYSTEM
+ - smbexecsvc.exe
+- **AmCache.hve**
+ - First Time Executed
+ - smbexecsvc.exe
+ """
+ },
+ {
+ "title": "SMBExec Source File System",
+ "content": """
+### Source File System
+- **Prefetch** – C:\\Windows\\Prefetch\\
+ - smbexec.exe-{hash}.pf
+- **File Creation**
+ - smbexec.exe file downloaded and created on the local host.
+ """
+ },
+ {
+ "title": "SMBExec Destination File System",
+ "content": """
+### Destination File System
+- **Prefetch** – C:\\Windows\\Prefetch\\
+ - smbexecsvc.exe-{hash}.pf
+ - execute.bat-{hash}.pf
+- **File Creation**
+ - `execute.bat` created in C:\\Windows\\TEMP\\
+ - User-specified commands echoed to `execute.bat`.
+ - Temporary batch file removed after execution.
+ """
+ },
+ {
+ "title": "SMBExec Service Creation Details",
+ "content": """
+### Service Creation Details
+- Service Name:
+ - Default: "BTOBTO"
+ - Updated to a random 8-character mixed-case string in May 2023.
+- Executable: `execute.bat` created for every command.
+- Event Log Evidence:
+ - `7045` in `system.evtx` logs service creation.
+ - Command executed via:
+ - `%COMSPEC% /Q /c echo cd ^> \\127.0.0.1\\C$\\__output 2^>^&1 > %TEMP%\\execute.bat`.
+ """
+ },
+ {
+ "title": "SMBExec Network Artifacts",
+ "content": """
+### Network Artifacts
+- **Network Connections**:
+ - SMB protocol communication with the target.
+ - Evidence of ADMIN$ share access.
+- **Network Traffic Analysis**:
+ - Monitor for suspicious SMB traffic to/from servers.
+ - Detect repeated connections with new service creation.
+ """
+ },
+ {
+ "title": "SMBExec Eviction Techniques",
+ "content": """
+### Eviction Techniques
+- Remove temporary files:
+ - `execute.bat` is deleted after execution.
+- Service cleanup:
+ - Services created for each command are removed after execution.
+ """
+ },
+ {
+ "title": "SMBExec Malware Case Study",
+ "content": """
+### Malware Case Study
+- **Case Study**:
+ - Malware using SMBExec for lateral movement.
+ - Leveraged temporary service creation for executing commands.
+ - Indicators:
+ - Random service names.
+ - Temporary batch files in `C:\\Windows\\TEMP`.
+- **Detection**:
+ - Monitor Event ID 7045 for abnormal service names.
+ - Correlate with batch file creation and execution in `TEMP` directory.
+ """
+ }
+ ]
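Review bot: The Source Event Logs entry lists `4776` as "Logon specifying alternate credentials", but that description and the field list under it belong to `4648`, which is what rdp.py, scheduled_tasks.py and wmi.py use for the same source-side artifact; `4776` is NTLM credential validation and is recorded on the host that validates the account (the destination or a domain controller), not on the source. The line should read `- `4648` - Logon specifying alternate credentials`, and the destination-side `4776` entry should be described as NTLM credential validation rather than reusing the 4648 wording. The Source Registry item `Software\\SysInternals\\SMBExec\\EulaAccepted` looks carried over from a PsExec template — the EulaAccepted value is a Sysinternals artifact and Impacket's smbexec.py, being a Python tool, does not appear to write one — so I would verify that before keeping it.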
diff --git a/Modules/Persistence/wmi.py b/Modules/Persistence/wmi.py
new file mode 100644
index 0000000..bb1ec76
--- /dev/null
+++ b/Modules/Persistence/wmi.py
@@ -0,0 +1,120 @@
+def get_content():
+ """
+ Returns structured content for the WMI persistence method.
+ """
+ return [
+ {
+ "title": "WMI Source Event Logs",
+ "content": """
+### Source Event Logs
+`security.evtx`:
+- `4648` – Logon specifying alternate credentials
+ - Current logged-on User Name
+ - Alternate User Name
+ - Destination Host Name/IP
+ - Process Name
+ """
+ },
+ {
+ "title": "WMI Destination Event Logs",
+ "content": """
+### Destination Event Logs
+`security.evtx`:
+- `4624` Logon Type 3
+ - Source IP/Logon User Name
+- `4672`
+ - Logon User Name
+ - Logon by a user with administrative rights
+
+`Microsoft-Windows-WMI-Activity/Operational.evtx`:
+- `5857`
+ - Indicates time of wmiprvse execution and path to provider DLL – attackers sometimes install malicious WMI provider DLLs.
+- `5860`, `5861`
+ - Registration of Temporary (5860) and Permanent (5861) Event Consumers.
+ - Typically used for persistence, but can also be used for remote execution.
+ """
+ },
+ {
+ "title": "WMI Source Registry",
+ "content": """
+### Source Registry
+- **ShimCache** – SYSTEM
+ - `wmic.exe`
+- **BAM_DAM** – SYSTEM – Last Time Executed
+ - `wmic.exe`
+- **AmCache.hve** – First Time Executed
+ - `wmic.exe`
+ """
+ },
+ {
+ "title": "WMI Destination Registry",
+ "content": """
+### Destination Registry
+- **ShimCache** – SYSTEM
+ - `scrcons.exe`
+ - `mofcomp.exe`
+ - `wmiprvse.exe`
+ - `evil.exe`
+- **AmCache.hve** – First Time Executed
+ - `scrcons.exe`
+ - `mofcomp.exe`
+ - `wmiprvse.exe`
+ - `evil.exe`
+ """
+ },
+ {
+ "title": "WMI Source File System",
+ "content": """
+### Source File System
+- **Prefetch**:
+ - `C:\\Windows\\Prefetch\\wmic.exe-{hash}.pf`
+ """
+ },
+ {
+ "title": "WMI Destination File System",
+ "content": """
+### Destination File System
+- **File Creation**:
+ - `evil.exe`
+ - `evil.mof` - .mof files can be used to manage the WMI Repository.
+
+- **Prefetch**:
+ - `C:\\Windows\\Prefetch\\scrcons.exe-{hash}.pf`
+ - `C:\\Windows\\Prefetch\\mofcomp.exe-{hash}.pf`
+ - `C:\\Windows\\Prefetch\\wmiprvse.exe-{hash}.pf`
+ - `C:\\Windows\\Prefetch\\evil.exe-{hash}.pf`
+
+- **Unauthorized changes to the WMI Repository**:
+ - `C:\\Windows\\System32\\wbem\\Repository`
+ """
+ },
+ {
+ "title": "WMI Event Consumer Backdoors",
+ "content": """
+### WMI Event Consumer Backdoors
+- **Event Filters**: Define conditions under which events trigger (e.g., process starts).
+- **Event Consumers**: Define actions for triggered events (e.g., execute a script).
+- **Event Bindings**: Link filters and consumers.
+ """
+ },
+ {
+ "title": "WMIEXEC Analysis",
+ "content": """
+### WMIEXEC Analysis
+- **Command Example**: `wmiexec.py domain/username:password@[hostname | IP] command`
+- **Logs**:
+ - Event ID `4648`, `4624`, `4672`, `5857`, `5861` indicate WMI activity.
+- **Detection**:
+ - Monitor commands triggering `wmiprvse.exe` and subsequent processes.
+ """
+ },
+ {
+ "title": "Additional WMI Detection Tips",
+ "content": """
+### Additional Detection Tips
+- Enable verbose WMI logging in the `Microsoft-Windows-WMI-Activity` log.
+- Correlate WMI activity with file system or registry changes.
+- Research WMI use by known APTs or malware families.
+ """
+ }
+ ]
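Review bot: The WMIEXEC Analysis section lists `5861` among the IDs that "indicate WMI activity", but this module's own Destination Event Logs entry defines 5861 as permanent event consumer registration, the mechanism described under WMI Event Consumer Backdoors; wmiexec.py, as far as I can tell, runs commands through Win32_Process and registers no consumer, so 5861 is an indicator for the backdoor section rather than for wmiexec. I'd drop it from that list or annotate it `(only if an event consumer is registered)`. The Source Registry and Source File System sections track only `wmic.exe`, so it would help to note that wmiexec.py is a Python script and leaves no `wmic.exe` execution artifacts on the source; the WMIEXEC Analysis entry is the natural place for that sentence.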