From 1e1b7dd2ed6f5a03204dc8b9cea5caed255ca3ab Mon Sep 17 00:00:00 2001
From: Matthew Iverson
Date: Thu, 28 Nov 2024 00:53:53 -0500
Subject: [PATCH] Delete TTPs/Persistence/basic_persistence.py
---
 TTPs/Persistence/basic_persistence.py | 153 --------------------------
 1 file changed, 153 deletions(-)
 delete mode 100644 TTPs/Persistence/basic_persistence.py
diff --git a/TTPs/Persistence/basic_persistence.py b/TTPs/Persistence/basic_persistence.py
deleted file mode 100644
index abe9e5b..0000000
--- a/TTPs/Persistence/basic_persistence.py
+++ /dev/null
@@ -1,153 +0,0 @@
-import sys
-from Modules.Imports.ttp_imports import *
-from Modules.submenu import build_submenu
-
-def basic_persistence_submenu():
- """
- Submenu for Basic Persistence Mechanisms.
- """
- actions = {
- "1": {"description": "BootExecute Key", "function": boot_execute_key},
- "2": {"description": "WinLogon Process Keys", "submenu": winlogon_keys_submenu},
- "3": {"description": "Startup Keys", "function": startup_keys},
- "4": {"description": "Services", "function": services_keys},
- "5": {"description": "Browser Helper Objects", "function": browser_helper_objects},
- "6": {"description": "AppInit_DLLs", "function": appinit_dlls},
- "7": {"description": "Persistence Using Global Flags", "function": persistence_global_flags},
- }
- build_submenu("Basic Persistence Mechanisms", actions)
-
-def boot_execute_key():
- """
- Displays information about the BootExecute Key.
- """
- title = "BootExecute Key"
- content = r"""
-The BootExecute registry key launches processes before the subsystem initializes.
-
-Key Path:
-- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Session
-"""
- print_info(title, content)
-
-def winlogon_keys_submenu():
- """
- Submenu for WinLogon Process Keys.
- """
- actions = {
- "1": {"description": "Userinit Key", "function": userinit_key},
- "2": {"description": "Notify Key", "function": notify_key},
- "3": {"description": "Explorer.exe Key", "function": explorer_key},
- }
- build_submenu("WinLogon Process Keys", actions)
-
-def userinit_key():
- """
- Displays information about the Userinit Key.
- """
- title = "Userinit Key"
- content = r"""
-The Userinit Key launches login scripts during the user logon process.
-
-Key Path:
-- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
-"""
- print_info(title, content)
-
-def notify_key():
- """
- Displays information about the Notify Key.
- """
- title = "Notify Key"
- content = r"""
-The Notify Key is used for handling the `Ctrl+Alt+Del` event.
-
-Key Path:
-- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
-"""
- print_info(title, content)
-
-def explorer_key():
- """
- Displays information about the Explorer.exe Key.
- """
- title = "Explorer.exe Key"
- content = r"""
-This key points to `explorer.exe` and can be abused for persistence.
-
-Key Path:
-- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
-"""
- print_info(title, content)
-
-def startup_keys():
- """
- Displays information about Startup Keys.
- """
- title = "Startup Keys"
- content = r"""
-Startup Keys allow programs to launch when a user logs on.
-
-Key Paths:
-- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
-- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
-- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
-- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
-"""
- print_info(title, content)
-
-def services_keys():
- """
- Displays information about Services Keys.
- """
- title = "Services Keys"
- content = r"""
-Services keys enable services to boot automatically at startup.
-
-Key Paths:
-- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
-- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
-- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
-"""
- print_info(title, content)
-
-def browser_helper_objects():
- """
- Displays information about Browser Helper Objects.
- """
- title = "Browser Helper Objects"
- content = r"""
-Browser Helper Objects can be used for persistence or malicious activity.
-
-Key Path:
-- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
-"""
- print_info(title, content)
-
-def appinit_dlls():
- """
- Displays information about AppInit_DLLs.
- """
- title = "AppInit_DLLs"
- content = r"""
-The AppInit_DLLs registry key specifies DLLs that are loaded into every user-mode process that loads `user32.dll`.
-
-Key Path:
-- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
-"""
- print_info(title, content)
-
-def persistence_global_flags():
- """
- Displays information about persistence using global flags.
- """
- title = "Persistence Using Global Flags"
- content = r"""
-Global flags in the Image File Execution Options registry key can be abused for persistence.
-
-Example Commands:
-reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v GlobalFlag /t REG_DWORD /d 512
-reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v ReportingMode /t REG_DWORD /d 1
-reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v MonitorProcess /d "C:\temp\evil.exe"
-"""
- print_info(title, content)