Delete TTPs/Persistence/schedule_task.py

2024-11-28 00:54:12 -05:00
parent fe02979652
commit 1d90a08a2f
1 changed files with 0 additions and 146 deletions
--- a/TTPs/Persistence/schedule_task.py
+++ b/TTPs/Persistence/schedule_task.py
@ -1,146 +0,0 @@
 from Modules.Imports.ttp_imports import *
 from Modules.submenu import build_submenu
 def schedule_tasks_submenu():
    """
    Submenu for Scheduled Tasks Persistence Indicators.
    """
    actions = {
        "1": {"description": "Source Event Logs", "function": source_event_logs},
        "2": {"description": "Destination Event Logs", "function": destination_event_logs},
        "3": {"description": "Source Registry", "function": source_registry},
        "4": {"description": "Destination Registry", "function": destination_registry},
        "5": {"description": "Source Artifacts", "function": source_artifacts},
        "6": {"description": "Destination Artifacts", "function": destination_artifacts},
        "7": {"description": "Atexec Analysis", "function": atexec_analysis},
        "8": {"description": "Extra", "function": extra_scheduled_tasks_info},
    }
    build_submenu("Scheduled Tasks Persistence", actions)
 def source_event_logs():
    title = "Scheduled Tasks Source Event Logs"
    content = """
 - `security.evtx`
    - `4648` - Logon specifying alternate credentials
        - Current logged-on User Name
        - Alternate User Name
        - Destination Host Name/IP
        - Process Name
 """
    print_info(title, content)
 def destination_event_logs():
    title = "Scheduled Tasks Destination Event Logs"
    content = """
 - `security.evtx`
    - `4624` Logon Type 3
        - Source IP/Logon User Name
    - `4672`
        - Logon User Name
        - Logon by a user with administrative rights
        - Requirement for accessing default shares such as **C$** and **ADMIN$**
    - `4698` - Scheduled task created
    - `4702` - Scheduled task updated
    - `4699` - Scheduled task deleted
    - `4700/4701` - Scheduled task enabled/disabled
 - `Microsoft-Windows-TaskScheduler%4Operational.evtx`
    - `106` - Scheduled task created
    - `140` - Scheduled task updated
    - `141` - Scheduled task deleted
    - `200/201` - Scheduled task executed/completed
 """
    print_info(title, content)
 def source_registry():
    title = "Scheduled Tasks Source Registry"
    content = """
 - [[ShimCache]] - SYSTEM
    - at.exe
    - schtasks.exe
 - [[BAM|DAM]] - SYSTEM - Last Time Executed
    - at.exe
    - schtasks.exe
 - [[AmCache.hve]] - First Time Executed
    - at.exe
    - schtasks.exe
 """
    print_info(title, content)
 def destination_registry():
    title = "Scheduled Tasks Destination Registry"
    content = """
 - SOFTWARE
    - `Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks`
    - `Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\`
 - [[ShimCache]] – SYSTEM
    - evil.exe
 - [[AmCache.hve]] - First Time Executed
    - evil.exe
 """
    print_info(title, content)
 def source_artifacts():
    title = "Scheduled Tasks Source File System Artifacts"
    content = """
 - [[Prefetch]] - C:\\Windows\\Prefetch\\
    - at.exe-{hash}.pf
    - schtasks.exe-{hash}.pf
 """
    print_info(title, content)
 def destination_artifacts():
    title = "Scheduled Tasks Destination File System Artifacts"
    content = """
 - File Creation
    - evil.exe
 - Job files created in
    - `C:\\Windows\\Tasks`
 - XML task files created in
    - `C:\\Windows\\System32\\Tasks`
    - `C:\\Windows\\SysWOW64\\Tasks`
    - Author tag can identify:
        - Source system name
        - Creator username
 - [[Prefetch]] – `C:\\Windows\\Prefetch\\`
    - evil.exe-{hash}.pf
 """
    print_info(title, content)
 def atexec_analysis():
    title = "Atexec Analysis"
    content = """
 ### Command Syntax:
 - `atexec.py domain/username:password@[hostname | IP] command`
 ### Characteristics:
 - Executes commands remotely but does not provide shell access.
 - Creates a Scheduled Task with a random 8-character mixed-case alpha string.
 - Uses `cmd.exe /C` to run commands, outputting results to `C:\\Windows\\Temp\\<random>.tmp` before deleting the file.
 - **NOT detected and blocked by Windows Defender by default**.
 ### Windows Event Log Residue:
 1. Event IDs in `Security.evtx`:
    - `4776` - NTLM Authentication
    - `4672` - Special privileges assigned to logon.
    - `4624` - Successful logon (Type 3).
 2. Microsoft-Windows-TaskScheduler/Operational:
    - `106`, `325`, `129`, `100`, `200`, `110`, `141`, `111`, `201`, `102` (Task lifecycle).
 3. **IF ENABLED**:
    - `4688` - Process creation (`cmd.exe` spawning tasks or executing commands).
    - `4698` - Scheduled task created.
    - `4699` - Scheduled task deleted.
 ### Example Detection Indicators:
 - Multiple rounds of Event IDs (4776, 4672, 4624).
 - Temporary `.tmp` files in `C:\\Windows\\Temp` with scheduled task output.
 """
    print_info(title, content)
 def extra_scheduled_tasks_info():
    title = "Scheduled Tasks Extra Information"
    content = """
 # Scheduled Tasks Commands
 - `at \\\\host 13:00 "c:\\temp\\evil.exe"`
 - `schtasks /CREATE /TN taskname /TR c:\\temp\\evil.exe /SC once /RU “SYSTEM” /ST 13:00 /S host /U username`
 """
    print_info(title, content)