Upload files to "Modules/Persistence"

Modules/Persistence/map_share.py

@@ -0,0 +1,102 @@
+def get_content():
+    """
+    Returns structured content for the Map Share persistence method.
+    """
+    return [
+        {
+            "title": "Map Share Source Event Logs",
+            "content": """
+### Source Event Logs
+- `security.evtx`
+    - `4648` - Logon specifying alternate credentials
+        - Current logged-on User Name
+        - Alternate User Name
+        - Destination Host Name/IP
+        - Process Name 
+- `Microsoft-Windows-SmbClient\\Security.evtx`
+    - `31001` – Failed logon to destination
+        - Destination Host Name
+        - User Name for failed logon
+        - Reason code for failed destination logon (e.g., bad password)
+            """
+        },
+        {
+            "title": "Map Share Destination Event Logs",
+            "content": """
+### Destination Event Logs
+- **Security Event Log – `security.evtx`**
+    - `4624`
+        - Logon Type 3
+        - Source IP/Logon User Name
+    - `4672`
+        - Logon User Name
+        - Logon by user with administrative rights
+        - Requirement for accessing default shares such as **C$** and **ADMIN$**
+    - `4776` - NTLM if authenticating to Local System
+        - Source Host Name/Logon User Name
+    - `4768` - TGT Granted
+        - Source Host Name/Logon User Name
+        - Available only on domain controller
+    - `4769` - Service Ticket Granted if authenticating to Domain Controller
+        - Destination Host Name/Logon User Name
+        - Source IP
+        - Available only on domain controller
+    - `5140`
+        - Share Access
+    - `5145`
+        - Auditing of shared files – **NOISY**!
+            """
+        },
+        {
+            "title": "Map Share Source Registry",
+            "content": """
+### Source Registry
+- **MountPoints2** - Remotely mapped shares
+    - `NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2`
+- **Shellbags** - USRCLASS.DAT
+    - Remote folders accessed inside an interactive session via Explorer by attackers.
+- **ShimCache** – SYSTEM
+    - `net.exe`
+    - `net1.exe`
+- **BAM_DAM** – NTUSER.DAT – Last Time Executed
+    - `net.exe`
+    - `net1.exe`
+- **AmCache.hve** - First Time Executed
+    - `net.exe`
+    - `net1.exe`
+            """
+        },
+        {
+            "title": "Map Share Destination Registry",
+            "content": """
+### Destination Registry
+- N/A
+            """
+        },
+        {
+            "title": "Map Share Source File System",
+            "content": """
+### Source File System
+- **Prefetch** - `C:\\Windows\\Prefetch\\`
+    - `net.exe-{hash}.pf`
+    - `net1.exe-{hash}.pf`
+- **User Profile Artifacts**
+    - Review shortcut files and jumplists for remote files accessed by attackers if they had interactive access (RDP).
+            """
+        },
+        {
+            "title": "Map Share Destination File System",
+            "content": """
+### Destination File System
+- **File Creation**
+    - Attacker's files (malware) copied to the destination system.
+    - Look for Modified Time before Creation Time.
+    - Creation Time is the time of file copy.
+- **User Access Logging (Servers Only)**
+    - `C:\\Windows\\System32\\LogFiles\\Sum`
+        - User Name
+        - Source IP Address
+        - First and Last Access Time
+            """
+        }
+    ]