From 47590b84dfa78eb27f2601b4fda41bff3072707a Mon Sep 17 00:00:00 2001
From: Matthew Iverson
Date: Thu, 28 Nov 2024 00:54:01 -0500
Subject: [PATCH] Delete TTPs/Persistence/map_share.py

---
TTPs/Persistence/map_share.py | 133 ----------------------------------
1 file changed, 133 deletions(-)
delete mode 100644 TTPs/Persistence/map_share.py

diff --git a/TTPs/Persistence/map_share.py b/TTPs/Persistence/map_share.py
deleted file mode 100644
index e598fdc..0000000
--- a/TTPs/Persistence/map_share.py
+++ /dev/null
@@ -1,133 +0,0 @@ -import sys -from Modules.Imports.ttp_imports import * -from Modules.submenu import build_submenu - -def map_share_submenu(): - """ - Submenu for Map Share detection techniques. - """ - actions = { - "1": {"description": "Source Event Logs", "function": source_event_logs}, - "2": {"description": "Destination Event Logs", "function": destination_event_logs}, - "3": {"description": "Source Registry", "function": source_registry}, - "4": {"description": "Destination Registry", "function": destination_registry}, - "5": {"description": "Source File System", "function": source_file_system}, - "6": {"description": "Destination File System", "function": destination_file_system}, - } - build_submenu("Map Share Persistence", actions) - -# Individual submenu functions - -def source_event_logs(): - """ - Displays source event logs related to map shares. - """ - title = "Map Share Source Event Logs" - content = """ -- `security.evtx` - - `4648` - Logon specifying alternate credentials - - Current logged-on User Name - - Alternate User Name - - Destination Host Name/IP - - Process Name -- `Microsoft-Windows-SmbClient\\Security.evtx` - - `31001` – Failed logon to destination - - Destination Host Name - - User Name for failed logon - - Reason code for failed destination logon (e.g., bad password) -""" - print_info(title, content) - -def destination_event_logs(): - """ - Displays destination event logs related to map shares. 
- """ - title = "Map Share Destination Event Logs" - content = """ -- **Security Event Log – `security.evtx`** - - `4624` - - Logon Type 3 - - Source IP/Logon User Name - - `4672` - - Logon User Name - - Logon by user with administrative rights - - Requirement for accessing default shares such as **C$** and **ADMIN$** - - `4776` - NTLM if authenticating to Local System - - Source Host Name/Logon User Name - - `4768` - TGT Granted - - Source Host Name/Logon User Name - - Available only on domain controller - - `4769` - Service Ticket Granted if authenticating to Domain Controller - - Destination Host Name/Logon User Name - - Source IP - - Available only on domain controller - - `5140` - - Share Access - - `5145` - - Auditing of shared files – **NOISY**! -""" - print_info(title, content) - -def source_registry(): - """ - Displays source registry information related to map shares. - """ - title = "Map Share Source Registry" - content = """ -- **MountPoints2** - Remotely mapped shares - - `NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2` -- **Shellbags** - USRCLASS.DAT - - Remote folders accessed inside an interactive session via Explorer by attackers. -- **ShimCache** – SYSTEM - - `net.exe` - - `net1.exe` -- **BAM_DAM** – NTUSER.DAT – Last Time Executed - - `net.exe` - - `net1.exe` -- **AmCache.hve** - First Time Executed - - `net.exe` - - `net1.exe` -""" - print_info(title, content) - -def destination_registry(): - """ - Displays destination registry information related to map shares. - """ - title = "Map Share Destination Registry" - content = """ -- N/A -""" - print_info(title, content) - -def source_file_system(): - """ - Displays source file system artifacts related to map shares. 
- """ - title = "Map Share Source File System" - content = """ -- **Prefetch** - `C:\\Windows\\Prefetch\\` - - `net.exe-{hash}.pf` - - `net1.exe-{hash}.pf` -- **User Profile Artifacts** - - Review shortcut files and jumplists for remote files accessed by attackers if they had interactive access (RDP). -""" - print_info(title, content) - -def destination_file_system(): - """ - Displays destination file system artifacts related to map shares. - """ - title = "Map Share Destination File System" - content = """ -- **File Creation** - - Attacker's files (malware) copied to the destination system. - - Look for Modified Time before Creation Time. - - Creation Time is the time of file copy. -- **User Access Logging (Servers Only)** - - `C:\\Windows\\System32\\LogFiles\\Sum` - - User Name - - Source IP Address - - First and Last Access Time -""" - print_info(title, content)