matthew/Hunt-AI
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Upload files to "Modules/Persistence"

Browse Source
This commit is contained in:
Matthew Iverson
2024-11-28 00:56:00 -05:00
parent 002467caed
commit 0911fc4e4f
14 changed files with 1412 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

178
Modules/Persistence/psexec.py Normal file
View File

@ -0,0 +1,178 @@
def get_content():
"""
Returns structured content for the PsExec persistence method.
"""
return [
{
"title": "Source Event Logs",
"content": """
### Source Event Logs
- **security.evtx**
- `4648` - Logon specifying alternate credentials
- Current logged-on User Name
- Alternate User Name
- Destination Host Name/IP
- Process Name
"""
},
{
"title": "Destination Event Logs",
"content": """
### Destination Event Logs
- **security.evtx**
- `4648` Logon specifying alternate credentials
- Connecting User Name
- Process Name
- `4624` Logon Type 3 (and Type 2 if “-u” Alternate Credentials are used)
- Source IP/Logon User Name
- `4672`
- Logon User Name
- Logon by a user with administrative rights
- Requirement for access default shares such as **C$** and **ADMIN$**
- `5140` Share Access
- **ADMIN$** share used by PsExec
- **system.evtx**
- `7045` Service installation: 4-character mixed-case alpha name referencing an 8-character mixed-case alpha .exe file
- %systemroot%\\xxxxxxxx.exe
- `7036` Service start/stop events
- **If Enabled**:
- `4688` in Security: tracks service and cmd.exe execution
"""
},
{
"title": "Source Registry",
"content": """
### Source Registry
- **NTUSER.DAT**
- Software\\SysInternals\\PsExec\\EulaAccepted
- **ShimCache** SYSTEM
- psexec.exe
- **BAM_DAM** SYSTEM Last Time Executed
- psexec.exe
- **AmCache.hve** First Time Executed
- psexec.exe
"""
},
{
"title": "Destination Registry",
"content": """
### Destination Registry
- New service creation configured in `SYSTEM\\CurrentControlSet\\Services\\PSEXESVC`
- “-r” option can allow attacker to rename service
- **ShimCache** SYSTEM
- psexesvc.exe
- **AmCache.hve**
- First Time Executed
- psexesvc.exe
"""
},
{
"title": "Source File System",
"content": """
### Source File System
- **Prefetch** C:\\Windows\\Prefetch\\
- psexec.exe-{hash}.pf
- Possible references to other files accessed by psexec.exe, such as executables copied to target system with the “-c” option
- **File Creation**
- psexec.exe file downloaded and created on the local host as the file is not native to Windows
"""
},
{
"title": "Destination File System",
"content": """
### Destination File System
- **Prefetch** C:\\Windows\\Prefetch\\
- psexesvc.exe-{hash}.pf
- evil.exe-{hash}.pf
- **File Creation**
- User profile directory structure created unless "-e" option used
- psexesvc.exe will be placed in **ADMIN$** (\\Windows) by default, as well as other executables (evil.exe) pushed by PsExec
- **User Access Logging (Servers only)**
- C:\\Windows\\System32\\LogFiles\\Sum
- User Name
- Source IP Address
- First and Last Access Time
"""
},
{
"title": "Service Installation Details",
"content": """
### Service Installation Details
- PsExec creates a temporary Windows service for execution:
- Service name: Random 4-character mixed-case alpha name
- Executable: Random 8-character mixed-case alpha .exe file
- Registry Path:
- SYSTEM\\CurrentControlSet\\Services\\<ServiceName>
- Event Log Evidence:
- Event ID 7045 in `system.evtx` logs the service installation.
- Includes:
- Service Name
- Executable Path
- Service Type and Start Mode
- Forensic Insights:
- Compare service names and paths across multiple systems to detect outliers.
- Look for services with short, random names.
"""
},
{
"title": "Network Artifacts",
"content": """
### Network Artifacts
- **Network Connections**:
- PsExec uses SMB for communication and file transfer.
- Ports:
- 445 (SMB over TCP/IP)
- 139 (NetBIOS over TCP/IP)
- **Shared Resources**:
- Default shares such as **ADMIN$** and **C$** are utilized.
- Logs in `security.evtx`:
- Event ID 5140: Share access.
- Event ID 5145: Access to specific shared files.
- **Forensic Tips**:
- Monitor for abnormal access to ADMIN$ or C$ from unexpected hosts.
- Analyze SMB traffic for PsExec file transfers.
"""
},
{
"title": "Eviction Techniques",
"content": """
### Eviction Techniques
- **Detection**:
- Use centralized logging solutions (e.g., Splunk, ELK) to correlate Event IDs across systems.
- Enable advanced audit policies to log service and process creation events.
- **Eviction**:
- Audit and remove unauthorized services under:
- SYSTEM\\CurrentControlSet\\Services\\
- Verify the integrity of executables in:
- C:\\Windows\\System32
- C:\\Windows\\Prefetch
- Block unauthorized access to default shares like ADMIN$ and C$.
- **Prevention**:
- Use endpoint protection tools to block PsExec executables.
- Restrict access to administrative shares to trusted hosts and accounts only.
"""
},
{
"title": "Malware Case Study",
"content": """
### Malware Case Study
- **Real-World Example**:
- Malware Name: Emotet
- Attack Vector: Lateral Movement
- Emotet leveraged PsExec to deploy secondary payloads across compromised networks.
- **Tactics**:
- Copied malicious payloads to ADMIN$ share.
- Used PsExec to execute payloads on remote systems.
- Cleaned up by removing PsExec artifacts (e.g., services and files).
- **Forensic Indicators**:
- Sudden increase in Event IDs 4624, 4672, and 5140 across multiple systems.
- Unusual services with short, random names.
- Files with mismatched creation and modification times in ADMIN$.
"""
}
]