matthew/Hunt-AI
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Delete TTPs/Persistence/basic_persistence.py

Browse Source
This commit is contained in:
Matthew Iverson
2024-11-28 00:53:53 -05:00
parent 10833bacc7
commit 1e1b7dd2ed
1 changed files with 0 additions and 153 deletions
Download Patch File Download Diff File Expand all files Collapse all files

153
TTPs/Persistence/basic_persistence.py
View File

@ -1,153 +0,0 @@
import sys
from Modules.Imports.ttp_imports import *
from Modules.submenu import build_submenu
def basic_persistence_submenu():
"""
Submenu for Basic Persistence Mechanisms.
"""
actions = {
"1": {"description": "BootExecute Key", "function": boot_execute_key},
"2": {"description": "WinLogon Process Keys", "submenu": winlogon_keys_submenu},
"3": {"description": "Startup Keys", "function": startup_keys},
"4": {"description": "Services", "function": services_keys},
"5": {"description": "Browser Helper Objects", "function": browser_helper_objects},
"6": {"description": "AppInit_DLLs", "function": appinit_dlls},
"7": {"description": "Persistence Using Global Flags", "function": persistence_global_flags},
}
build_submenu("Basic Persistence Mechanisms", actions)
def boot_execute_key():
"""
Displays information about the BootExecute Key.
"""
title = "BootExecute Key"
content = r"""
The BootExecute registry key launches processes before the subsystem initializes.
Key Path:
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Session
"""
print_info(title, content)
def winlogon_keys_submenu():
"""
Submenu for WinLogon Process Keys.
"""
actions = {
"1": {"description": "Userinit Key", "function": userinit_key},
"2": {"description": "Notify Key", "function": notify_key},
"3": {"description": "Explorer.exe Key", "function": explorer_key},
}
build_submenu("WinLogon Process Keys", actions)
def userinit_key():
"""
Displays information about the Userinit Key.
"""
title = "Userinit Key"
content = r"""
The Userinit Key launches login scripts during the user logon process.
Key Path:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"""
print_info(title, content)
def notify_key():
"""
Displays information about the Notify Key.
"""
title = "Notify Key"
content = r"""
The Notify Key is used for handling the `Ctrl+Alt+Del` event.
Key Path:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
"""
print_info(title, content)
def explorer_key():
"""
Displays information about the Explorer.exe Key.
"""
title = "Explorer.exe Key"
content = r"""
This key points to `explorer.exe` and can be abused for persistence.
Key Path:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
"""
print_info(title, content)
def startup_keys():
"""
Displays information about Startup Keys.
"""
title = "Startup Keys"
content = r"""
Startup Keys allow programs to launch when a user logs on.
Key Paths:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
"""
print_info(title, content)
def services_keys():
"""
Displays information about Services Keys.
"""
title = "Services Keys"
content = r"""
Services keys enable services to boot automatically at startup.
Key Paths:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
"""
print_info(title, content)
def browser_helper_objects():
"""
Displays information about Browser Helper Objects.
"""
title = "Browser Helper Objects"
content = r"""
Browser Helper Objects can be used for persistence or malicious activity.
Key Path:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
"""
print_info(title, content)
def appinit_dlls():
"""
Displays information about AppInit_DLLs.
"""
title = "AppInit_DLLs"
content = r"""
The AppInit_DLLs registry key specifies DLLs that are loaded into every user-mode process that loads `user32.dll`.
Key Path:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
"""
print_info(title, content)
def persistence_global_flags():
"""
Displays information about persistence using global flags.
"""
title = "Persistence Using Global Flags"
content = r"""
Global flags in the Image File Execution Options registry key can be abused for persistence.
Example Commands:
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v GlobalFlag /t REG_DWORD /d 512
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v ReportingMode /t REG_DWORD /d 1
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v MonitorProcess /d "C:\temp\evil.exe"
"""
print_info(title, content)