Delete TTPs/Persistence/map_share.py
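--- a/TTPs/Persistence/map_share.py
+++ /dev/null
@@ -1,133 +0,0 @@
-import sys
-from Modules.Imports.ttp_imports import *
-from Modules.submenu import build_submenu
-
-def map_share_submenu():
-"""
-Submenu for Map Share detection techniques.
-"""
-actions = {
-"1": {"description": "Source Event Logs", "function": source_event_logs},
-"2": {"description": "Destination Event Logs", "function": destination_event_logs},
-"3": {"description": "Source Registry", "function": source_registry},
-"4": {"description": "Destination Registry", "function": destination_registry},
-"5": {"description": "Source File System", "function": source_file_system},
-"6": {"description": "Destination File System", "function": destination_file_system},
-}
-build_submenu("Map Share Persistence", actions)
-
-# Individual submenu functions
-
-def source_event_logs():
-"""
-Displays source event logs related to map shares.
-"""
-title = "Map Share Source Event Logs"
-content = """
-- `security.evtx`
-- `4648` - Logon specifying alternate credentials
-- Current logged-on User Name
-- Alternate User Name
-- Destination Host Name/IP
-- Process Name
-- `Microsoft-Windows-SmbClient\\Security.evtx`
-- `31001` – Failed logon to destination
-- Destination Host Name
-- User Name for failed logon
-- Reason code for failed destination logon (e.g., bad password)
-"""
-print_info(title, content)
-
-def destination_event_logs():
-"""
-Displays destination event logs related to map shares.
-"""
-title = "Map Share Destination Event Logs"
-content = """
-- **Security Event Log – `security.evtx`**
-- `4624`
-- Logon Type 3
-- Source IP/Logon User Name
-- `4672`
-- Logon User Name
-- Logon by user with administrative rights
-- Requirement for accessing default shares such as **C$** and **ADMIN$**
-- `4776` - NTLM if authenticating to Local System
-- Source Host Name/Logon User Name
-- `4768` - TGT Granted
-- Source Host Name/Logon User Name
-- Available only on domain controller
-- `4769` - Service Ticket Granted if authenticating to Domain Controller
-- Destination Host Name/Logon User Name
-- Source IP
-- Available only on domain controller
-- `5140`
-- Share Access
-- `5145`
-- Auditing of shared files – **NOISY**!
-"""
-print_info(title, content)
-
-def source_registry():
-"""
-Displays source registry information related to map shares.
-"""
-title = "Map Share Source Registry"
-content = """
-- **MountPoints2** - Remotely mapped shares
-- `NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2`
-- **Shellbags** - USRCLASS.DAT
-- Remote folders accessed inside an interactive session via Explorer by attackers.
-- **ShimCache** – SYSTEM
-- `net.exe`
-- `net1.exe`
-- **BAM_DAM** – NTUSER.DAT – Last Time Executed
-- `net.exe`
-- `net1.exe`
-- **AmCache.hve** - First Time Executed
-- `net.exe`
-- `net1.exe`
-"""
-print_info(title, content)
-
-def destination_registry():
-"""
-Displays destination registry information related to map shares.
-"""
-title = "Map Share Destination Registry"
-content = """
-- N/A
-"""
-print_info(title, content)
-
-def source_file_system():
-"""
-Displays source file system artifacts related to map shares.
-"""
-title = "Map Share Source File System"
-content = """
-- **Prefetch** - `C:\\Windows\\Prefetch\\`
-- `net.exe-{hash}.pf`
-- `net1.exe-{hash}.pf`
-- **User Profile Artifacts**
-- Review shortcut files and jumplists for remote files accessed by attackers if they had interactive access (RDP).
-"""
-print_info(title, content)
-
-def destination_file_system():
-"""
-Displays destination file system artifacts related to map shares.
-"""
-title = "Map Share Destination File System"
-content = """
-- **File Creation**
-- Attacker's files (malware) copied to the destination system.
-- Look for Modified Time before Creation Time.
-- Creation Time is the time of file copy.
-- **User Access Logging (Servers Only)**
-- `C:\\Windows\\System32\\LogFiles\\Sum`
-- User Name
-- Source IP Address
-- First and Last Access Time
-"""
-print_info(title, content)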