Delete TTPs/Persistence/wmi.py

TTPs/Persistence/wmi.py

@@ -1,188 +0,0 @@
-from Modules.Imports.ttp_imports import *
-from Modules.submenu import build_submenu
-
-def wmi_submenu():
-    """
-    Submenu for Windows Management Instrumentation (WMI) Persistence Indicators.
-    """
-    actions = {
-        "1": {"description": "Source Event Logs", "function": source_event_logs},
-        "2": {"description": "Destination Event Logs", "function": destination_event_logs},
-        "3": {"description": "Source Registry", "function": source_registry},
-        "4": {"description": "Destination Registry", "function": destination_registry},
-        "5": {"description": "Source File System", "function": source_file_system},
-        "6": {"description": "Destination File System", "function": destination_file_system},
-        "7": {"description": "WMI Event Consumer Backdoors", "function": wmi_event_backdoors},
-        "8": {"description": "WMIEXEC Analysis", "function": wmiexec_analysis},
-        "9": {"description": "Additional Detection Tips", "function": additional_detection_tips},
-    }
-    build_submenu("WMI Persistence", actions)
-
-# Individual submenu functions
-
-def source_event_logs():
-    title = "WMI Source Event Logs"
-    content = """
-`security.evtx`:
-- `4648` – Logon specifying alternate credentials
-    - Current logged-on User Name
-    - Alternate User Name
-    - Destination Host Name/IP
-    - Process Name
-"""
-    print_info(title, content)
-
-def destination_event_logs():
-    title = "WMI Destination Event Logs"
-    content = """
-`security.evtx`:
-- `4624` Logon Type 3
-    - Source IP/Logon User Name
-- `4672`
-    - Logon User Name
-    - Logon by a user with administrative rights
-
-`Microsoft-Windows-WMI-Activity/Operational.evtx`:
-- `5857`
-    - Indicates time of wmiprvse execution and path to provider DLL – attackers sometimes install malicious WMI provider DLLs.
-- `5860`, `5861`
-    - Registration of Temporary (5860) and Permanent (5861) Event Consumers.
-    - Typically used for persistence, but can also be used for remote execution.
-"""
-    print_info(title, content)
-
-def source_registry():
-    title = "WMI Source Registry"
-    content = """
-- **ShimCache** – SYSTEM
-    - `wmic.exe`
-- **BAM_DAM** – SYSTEM – Last Time Executed
-    - `wmic.exe`
-- **AmCache.hve** – First Time Executed
-    - `wmic.exe`
-"""
-    print_info(title, content)
-
-def destination_registry():
-    title = "WMI Destination Registry"
-    content = """
-- **ShimCache** – SYSTEM
-    - `scrcons.exe`
-    - `mofcomp.exe`
-    - `wmiprvse.exe`
-    - `evil.exe`
-- **AmCache.hve** – First Time Executed
-    - `scrcons.exe`
-    - `mofcomp.exe`
-    - `wmiprvse.exe`
-    - `evil.exe`
-"""
-    print_info(title, content)
-
-def source_file_system():
-    title = "WMI Source File System"
-    content = """
-- **Prefetch**:
-    - `C:\\Windows\\Prefetch\\wmic.exe-{hash}.pf`
-"""
-    print_info(title, content)
-
-def destination_file_system():
-    title = "WMI Destination File System"
-    content = """
-- **File Creation**:
-    - `evil.exe`
-    - `evil.mof` - .mof files can be used to manage the WMI Repository.
-
-- **Prefetch**:
-    - `C:\\Windows\\Prefetch\\scrcons.exe-{hash}.pf`
-    - `C:\\Windows\\Prefetch\\mofcomp.exe-{hash}.pf`
-    - `C:\\Windows\\Prefetch\\wmiprvse.exe-{hash}.pf`
-    - `C:\\Windows\\Prefetch\\evil.exe-{hash}.pf`
-
-- **Unauthorized changes to the WMI Repository**:
-    - `C:\\Windows\\System32\\wbem\\Repository`
-"""
-    print_info(title, content)
-
-def wmi_event_backdoors():
-    title = "WMI Event Consumer Backdoors"
-    content = """
-### WMI Event Triggers:
-- Event triggers can be used to execute arbitrary code when specific conditions are met.
-
-### WMI Event Filters:
-- Define conditions under which events trigger.
-- Example: Trigger on process start.
-
-### WMI Event Consumers:
-- Define actions for triggered events.
-- Example: Execute a script.
-
-### WMI Event Bindings:
-- Link filters and consumers.
-- Example: Detect process start and execute a script.
-
-### Example Malicious MOF File:
-
-#PRAGMA AUTORECOVER #PRAGMA NAMESPACE("\\.\root\subscription")
-
-instance of __EventFilter as $Filter { Name = "SCM Event Filter"; QueryLanguage = "WQL"; Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_Service' AND TargetInstance.Name='sens'"; };
-
-instance of CommandLineEventConsumer as $Consumer { Name = "SCM Event Consumer"; ExecutablePath = "c:\windows\system32\cmd.exe"; CommandLineTemplate = "net stop sens && net start sens"; };
-
-instance of __FilterToConsumerBinding { Filter = $Filter; Consumer = $Consumer; };
-
-
-### Detection and Mitigation:
-- Use tools like Sysmon or Autoruns to monitor WMI activity.
-- Regular audits of WMI filters and consumers can identify unauthorized entries.
-"""
-    print_info(title, content)
-
-def wmiexec_analysis():
-    title = "WMIEXEC Analysis"
-    content = """
-`wmiexec.py` Usage:
-- **Command**: `wmiexec.py domain/username:password@[hostname | IP] command`
-- Executes a semi-interactive shell using WMI.
-- Uses UNIX Epoch Time in commands.
-- NOT detected and blocked by Windows Defender by default.
-
-### Windows Event Log Residue:
-- **Multiple rounds**:
-    - Event ID `4776` in Security on target (for user specified in command).
-    - Event ID `4672` in Security on target (for user specified in command).
-    - Event ID `4624` Type 3 in Security on target (for user specified in command).
-
-- **Always present**:
-    - Event ID `4688` in Security on target:
-        - `wmiprvse.exe` → `cmd.exe /Q /c cd \\ 1> \\127.0.0.1\\ADMIN$\\__ssssssssss.sssssss 2>&1`.
-    - Event ID `4688` in Security on target:
-        - `cmd.exe` → `conhost.exe 0xffffffff -ForceV1`.
-
-- **If Enabled**:
-    - Event ID `5857/5858` in Microsoft-Windows-WMI-Activity\Operational on target.
-
-### Detection Tips:
-- Monitor for WMI commands triggering `wmiprvse.exe` and subsequent processes.
-- Look for unusual Event ID patterns tied to administrative privileges.
-"""
-    print_info(title, content)
-
-def additional_detection_tips():
-    title = "Additional WMI Detection Tips"
-    content = """
-### Advanced Detection:
-- Enable and monitor verbose WMI logging in the `Microsoft-Windows-WMI-Activity` log.
-- Use Sysmon Event IDs `20` (WMI Activity) and `21` (WMI Consumer/Filter) for detection.
-
-### Correlation:
-- Correlate WMI activity with unusual file system or registry changes.
-- Watch for newly created `.mof` files or suspicious DLLs loaded by `wmiprvse.exe`.
-
-### Threat Intelligence:
-- Understand common TTPs for WMI abuse from frameworks like MITRE ATT&CK.
-- Research WMI use by known APTs or malware families.
-"""
-    print_info(title, content)