From 1d90a08a2f92b25cb838762b5483328ffb75ccaa Mon Sep 17 00:00:00 2001
From: Matthew Iverson
Date: Thu, 28 Nov 2024 00:54:12 -0500
Subject: [PATCH] Delete TTPs/Persistence/schedule_task.py

---
TTPs/Persistence/schedule_task.py | 146 ------------------------------
1 file changed, 146 deletions(-)
delete mode 100644 TTPs/Persistence/schedule_task.py

diff --git a/TTPs/Persistence/schedule_task.py b/TTPs/Persistence/schedule_task.py
deleted file mode 100644
index cdeb9b8..0000000
--- a/TTPs/Persistence/schedule_task.py
+++ /dev/null
@@ -1,146 +0,0 @@
-from Modules.Imports.ttp_imports import *
-from Modules.submenu import build_submenu
-
-def schedule_tasks_submenu():
- """
- Submenu for Scheduled Tasks Persistence Indicators.
- """
- actions = {
- "1": {"description": "Source Event Logs", "function": source_event_logs},
- "2": {"description": "Destination Event Logs", "function": destination_event_logs},
- "3": {"description": "Source Registry", "function": source_registry},
- "4": {"description": "Destination Registry", "function": destination_registry},
- "5": {"description": "Source Artifacts", "function": source_artifacts},
- "6": {"description": "Destination Artifacts", "function": destination_artifacts},
- "7": {"description": "Atexec Analysis", "function": atexec_analysis},
- "8": {"description": "Extra", "function": extra_scheduled_tasks_info},
- }
- build_submenu("Scheduled Tasks Persistence", actions)
-
-def source_event_logs():
- title = "Scheduled Tasks Source Event Logs"
- content = """
-- `security.evtx`
- - `4648` - Logon specifying alternate credentials
- - Current logged-on User Name
- - Alternate User Name
- - Destination Host Name/IP
- - Process Name
-"""
- print_info(title, content)
-
-def destination_event_logs():
- title = "Scheduled Tasks Destination Event Logs"
- content = """
-- `security.evtx`
- - `4624` Logon Type 3
- - Source IP/Logon User Name
- - `4672`
- - Logon User Name
- - Logon by a user with administrative rights
- - Requirement for accessing default shares such as **C$** and **ADMIN$**
- - `4698` - Scheduled task created
- - `4702` - Scheduled task updated
- - `4699` - Scheduled task deleted
- - `4700/4701` - Scheduled task enabled/disabled
-- `Microsoft-Windows-TaskScheduler%4Operational.evtx`
- - `106` - Scheduled task created
- - `140` - Scheduled task updated
- - `141` - Scheduled task deleted
- - `200/201` - Scheduled task executed/completed
-"""
- print_info(title, content)
-
-def source_registry():
- title = "Scheduled Tasks Source Registry"
- content = """
-- [[ShimCache]] - SYSTEM
- - at.exe
- - schtasks.exe
-- [[BAM|DAM]] - SYSTEM - Last Time Executed
- - at.exe
- - schtasks.exe
-- [[AmCache.hve]] - First Time Executed
- - at.exe
- - schtasks.exe
-"""
- print_info(title, content)
-
-def destination_registry():
- title = "Scheduled Tasks Destination Registry"
- content = """
-- SOFTWARE
- - `Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks`
- - `Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\`
-- [[ShimCache]] – SYSTEM
- - evil.exe
-- [[AmCache.hve]] - First Time Executed
- - evil.exe
-"""
- print_info(title, content)
-
-def source_artifacts():
- title = "Scheduled Tasks Source File System Artifacts"
- content = """
-- [[Prefetch]] - C:\\Windows\\Prefetch\\
- - at.exe-{hash}.pf
- - schtasks.exe-{hash}.pf
-"""
- print_info(title, content)
-
-def destination_artifacts():
- title = "Scheduled Tasks Destination File System Artifacts"
- content = """
-- File Creation
- - evil.exe
-- Job files created in
- - `C:\\Windows\\Tasks`
-- XML task files created in
- - `C:\\Windows\\System32\\Tasks`
- - `C:\\Windows\\SysWOW64\\Tasks`
- - Author tag can identify:
- - Source system name
- - Creator username
-- [[Prefetch]] – `C:\\Windows\\Prefetch\\`
- - evil.exe-{hash}.pf
-"""
- print_info(title, content)
-
-def atexec_analysis():
- title = "Atexec Analysis"
- content = """
-### Command Syntax:
-- `atexec.py domain/username:password@[hostname | IP] command`
-
-### Characteristics:
-- Executes commands remotely but does not provide shell access.
-- Creates a Scheduled Task with a random 8-character mixed-case alpha string.
-- Uses `cmd.exe /C` to run commands, outputting results to `C:\\Windows\\Temp\\.tmp` before deleting the file.
-- **NOT detected and blocked by Windows Defender by default**.
-
-### Windows Event Log Residue:
-1. Event IDs in `Security.evtx`:
- - `4776` - NTLM Authentication
- - `4672` - Special privileges assigned to logon.
- - `4624` - Successful logon (Type 3).
-2. Microsoft-Windows-TaskScheduler/Operational:
- - `106`, `325`, `129`, `100`, `200`, `110`, `141`, `111`, `201`, `102` (Task lifecycle).
-3. **IF ENABLED**:
- - `4688` - Process creation (`cmd.exe` spawning tasks or executing commands).
- - `4698` - Scheduled task created.
- - `4699` - Scheduled task deleted.
-
-### Example Detection Indicators:
-- Multiple rounds of Event IDs (4776, 4672, 4624).
-- Temporary `.tmp` files in `C:\\Windows\\Temp` with scheduled task output.
-"""
- print_info(title, content)
-
-def extra_scheduled_tasks_info():
- title = "Scheduled Tasks Extra Information"
- content = """
-# Scheduled Tasks Commands
-- `at \\\\host 13:00 "c:\\temp\\evil.exe"`
-- `schtasks /CREATE /TN taskname /TR c:\\temp\\evil.exe /SC once /RU “SYSTEM” /ST 13:00 /S host /U username`
-"""
- print_info(title, content)