Delete TTPs/Persistence/map_share.py

2024-11-28 00:54:01 -05:00
parent f134383b9a
commit 47590b84df
1 changed files with 0 additions and 133 deletions
--- a/TTPs/Persistence/map_share.py
+++ b/TTPs/Persistence/map_share.py
@ -1,133 +0,0 @@
-import sys
-from Modules.Imports.ttp_imports import *
-from Modules.submenu import build_submenu
-
-def map_share_submenu():
-    """
-    Submenu for Map Share detection techniques.
-    """
-    actions = {
-        "1": {"description": "Source Event Logs", "function": source_event_logs},
-        "2": {"description": "Destination Event Logs", "function": destination_event_logs},
-        "3": {"description": "Source Registry", "function": source_registry},
-        "4": {"description": "Destination Registry", "function": destination_registry},
-        "5": {"description": "Source File System", "function": source_file_system},
-        "6": {"description": "Destination File System", "function": destination_file_system},
-    }
-    build_submenu("Map Share Persistence", actions)
-
-# Individual submenu functions
-
-def source_event_logs():
-    """
-    Displays source event logs related to map shares.
-    """
-    title = "Map Share Source Event Logs"
-    content = """
- `security.evtx`
-    - `4648` - Logon specifying alternate credentials
-        - Current logged-on User Name
-        - Alternate User Name
-        - Destination Host Name/IP
-        - Process Name 
- `Microsoft-Windows-SmbClient\\Security.evtx`
-    - `31001` – Failed logon to destination
-        - Destination Host Name
-        - User Name for failed logon
-        - Reason code for failed destination logon (e.g., bad password)
-"""
-    print_info(title, content)
-
-def destination_event_logs():
-    """
-    Displays destination event logs related to map shares.
-    """
-    title = "Map Share Destination Event Logs"
-    content = """
- **Security Event Log – `security.evtx`**
-    - `4624`
-        - Logon Type 3
-        - Source IP/Logon User Name
-    - `4672`
-        - Logon User Name
-        - Logon by user with administrative rights
-        - Requirement for accessing default shares such as **C$** and **ADMIN$**
-    - `4776` - NTLM if authenticating to Local System
-        - Source Host Name/Logon User Name
-    - `4768` - TGT Granted
-        - Source Host Name/Logon User Name
-        - Available only on domain controller
-    - `4769` - Service Ticket Granted if authenticating to Domain Controller
-        - Destination Host Name/Logon User Name
-        - Source IP
-        - Available only on domain controller
-    - `5140`
-        - Share Access
-    - `5145`
-        - Auditing of shared files – **NOISY**!
-"""
-    print_info(title, content)
-
-def source_registry():
-    """
-    Displays source registry information related to map shares.
-    """
-    title = "Map Share Source Registry"
-    content = """
- **MountPoints2** - Remotely mapped shares
-    - `NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2`
- **Shellbags** - USRCLASS.DAT
-    - Remote folders accessed inside an interactive session via Explorer by attackers.
- **ShimCache** – SYSTEM
-    - `net.exe`
-    - `net1.exe`
- **BAM_DAM** – NTUSER.DAT – Last Time Executed
-    - `net.exe`
-    - `net1.exe`
- **AmCache.hve** - First Time Executed
-    - `net.exe`
-    - `net1.exe`
-"""
-    print_info(title, content)
-
-def destination_registry():
-    """
-    Displays destination registry information related to map shares.
-    """
-    title = "Map Share Destination Registry"
-    content = """
- N/A
-"""
-    print_info(title, content)
-
-def source_file_system():
-    """
-    Displays source file system artifacts related to map shares.
-    """
-    title = "Map Share Source File System"
-    content = """
- **Prefetch** - `C:\\Windows\\Prefetch\\`
-    - `net.exe-{hash}.pf`
-    - `net1.exe-{hash}.pf`
- **User Profile Artifacts**
-    - Review shortcut files and jumplists for remote files accessed by attackers if they had interactive access (RDP).
-"""
-    print_info(title, content)
-
-def destination_file_system():
-    """
-    Displays destination file system artifacts related to map shares.
-    """
-    title = "Map Share Destination File System"
-    content = """
- **File Creation**
-    - Attacker's files (malware) copied to the destination system.
-    - Look for Modified Time before Creation Time.
-    - Creation Time is the time of file copy.
- **User Access Logging (Servers Only)**
-    - `C:\\Windows\\System32\\LogFiles\\Sum`
-        - User Name
-        - Source IP Address
-        - First and Last Access Time
-"""
-    print_info(title, content)