Update TTPs/Persistence/rdp.py

TTPs/Persistence/rdp.py

@@ -31,92 +31,117 @@ def source_event_logs():
 """
     print_info(title, content)
 
-def destination_event_logs(target_ip, open_ports):
+def destination_event_logs():
-    title = "Destination Event Logs"
+    title = "RDP Destination Event Logs"
-    content = (
+    content = """
-        f"- **Security Event Log** – `security.evtx`\n"
+- **Security Event Log** – `security.evtx`
-        f"  - 4624: Logon Type 10\n"
+    - `4624` Logon Type 10
-        f"    - Source IP/Logon User Name\n"
+        - Source IP/Logon User Name
-        f"  - 4778/4779\n"
+    - `4778/4779`
-        f"    - IP Address of Source/Source System Name\n"
+        - IP Address of Source/Source System Name
-        f"    - Logon User Name\n"
+        - Logon User Name
-        f"- `Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx`\n"
+- `Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx`
-        f"  - 131: Connection Attempts (Source IP)\n"
+    - `131` - Connection Attempts
-        f"  - 98: Successful Connections\n"
+        - Source IP
-        f"- `Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx`\n"
+    - `98` - Successful Connections
-        f"  - 1149: Source IP/Logon User Name (Blank user name may indicate Sticky Keys)\n"
+- `Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx`
-        f"- `Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx`\n"
+    - `1149` 
-        f"  - 21, 22, 25: Source IP/Logon User Name\n"
+        - Source IP/Logon User Name
-        f"  - 41: Logon User Name"
+            - Blank user name may indicate use of Sticky Keys
-    )
+- `Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx`
-    run_command(title, content, target_ip, open_ports)
+    - 21, 22, 25
+        - Source IP/Logon User Name
+    - 41
+        - Logon User Name
+"""
+    print_info(title, content)
 
-def source_registry(target_ip, open_ports):
-    title = "Source Registry"
-    content = (
-        f"- `NTUSER\\Software\\Microsoft\\Terminal Server Client\\Servers`: Remote desktop destinations (per-user)\n"
-        f"- `ShimCache` – SYSTEM: Tracks `mstsc.exe` (Remote Desktop Client)\n"
-        f"- `BAM_DAM` – SYSTEM: Last Time Executed (`mstsc.exe`)\n"
-        f"- `AmCache.hve`: First Time Executed (`mstsc.exe`)\n"
-        f"- `UserAssist` – `NTUSER.DAT`\n"
-        f"  - Tracks execution of `mstsc.exe` (Remote Desktop Client)\n"
-        f"- `RecentApps` – `NTUSER.DAT`\n"
-        f"  - Tracks `mstsc.exe` and connection destinations"
-    )
-    run_command(title, content, target_ip, open_ports)
 
-def destination_registry(target_ip, open_ports):
+def source_registry():
-    title = "Destination Registry"
+    title = "RDP Source Registry"
-    content = (
+    content = """
-        f"- `ShimCache` - SYSTEM\n"
+- Remote desktop destinations are tracked per-user
-        f"  - Tracks `rdpclip.exe` and `tstheme.exe`\n"
+    - `NTUSER\\Software\\Microsoft\\Terminal Server Client\\Servers`
-        f"- `AmCache.hve`: First Time Executed\n"
+- [[ShimCache]] – SYSTEM
-        f"  - Tracks `rdpclip.exe` and `tstheme.exe`"
+    - `mstsc.exe` Remote Desktop Client
-    )
+- [[BAM_DAM]] – SYSTEM – Last Time Executed
-    run_command(title, content, target_ip, open_ports)
+    - `mstsc.exe` Remote Desktop Client
+- [[AmCache.hve]] - First Time Executed
+    - `mstsc.exe`
+- UserAssist – `NTUSER.DAT`
+    - `mstsc.exe` Remote Desktop Client execution
+    - Last Time Executed
+    - Number of Times Executed
+- RecentApps – `NTUSER.DAT`
+    - `mstsc.exe`
+    - Remote Desktop Client execution
+    - Last Time Executed
+    - Number of Times Executed
+    - RecentItems subkey tracks connection destinations and times
+"""
+    print_info(title, content)
 
-def source_artifacts(target_ip, open_ports):
+def destination_registry():
-    title = "Source File System Artifacts"
+    title = "RDP Destination Registry"
-    content = (
+    content = """
-        f"- Jumplists: `C:\\Users\\<Username>\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\`\n"
+- [[ShimCache]] - SYSTEM
-        f"  - Tracks remote desktop connection destinations and times\n"
+    - `rdpclip.exe`
-        f"- Prefetch: `C:\\Windows\\Prefetch\\`\n"
+    - `tstheme.exe`
-        f"  - Tracks execution of `mstsc.exe`\n"
+- [[AmCache.hve]] - First Time Executed
-        f"- Bitmap Cache: `C:\\Users\\<Username>\\AppData\\Local\\Microsoft\\TerminalServer Client\\Cache`\n"
+    - `rdpclip.exe`
-        f"- Default.rdp file: `C:\\Users\\<Username>\\Documents\\`"
+    - `tstheme.exe`
-    )
+"""
-    run_command(title, content, target_ip, open_ports)
+    print_info(title, content)
 
-def destination_artifacts(target_ip, open_ports):
-    title = "Destination File System Artifacts"
-    content = (
-        f"- Prefetch: `C:\\Windows\\Prefetch\\`\n"
-        f"  - Tracks execution of `rdpclip.exe` and `tstheme.exe`"
-    )
-    run_command(title, content, target_ip, open_ports)
 
-def extra_info(target_ip, open_ports):
+def source_artifacts():
-    title = "Extra Information"
+    title = "RDP Source File System Artifacts"
-    content = (
+    content = """
-        f"- [RDP Authentication vs. Authorization - 13Cubed](https://youtu.be/OlENso8_u7s)\n"
+- Jumplists - `C:\\Users\\<Username>\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\`
-        f"- Key Concepts:\n"
+    - `{MSTSC-APPID}-automaticDestinations-ms`
-        f"  - RDP_NLA (Network Level Authentication)\n"
+    - Tracks remote desktop connection destination and times
-        f"  - RDP_successful_logon event codes\n"
+- [[Prefetch]] – `C:\\Windows\\Prefetch\\`
-        f"    - 1149 > 4624 type 10 (established) OR 7 (reconnect) > 21 > 22\n"
+    - `mstsc.exe-{hash}.pf`
-        f"  - Understand authentication failures vs. authorization successes"
+- [[Bitmap_Cache]] – `C:\\Users\\<Username>\\AppData\\Local\\Microsoft\\TerminalServer Client\\Cache`
-    )
+    - bcache##.bmc
-    run_command(title, content, target_ip, open_ports)
+    - cache####.bin
+- Default.rdp file –
+    - `C:\\Users\\<Username>\\Documents\\`
+"""
+    print_info(title, content)
 
-def run_all_rdp_checks(target_ip, open_ports):
-    title = "Run All RDP Checks"
-    content = "Executing all RDP persistence checks. Please wait..."
-    run_command(title, content, target_ip, open_ports)
 
-    # Sequentially run all functions
+def destination_artifacts():
-    source_event_logs(target_ip, open_ports)
+    title = "RDP Destination File System Artifacts"
-    destination_event_logs(target_ip, open_ports)
+    content = """
-    source_registry(target_ip, open_ports)
+- Prefetch – `C:\\Windows\\Prefetch\\`
-    destination_registry(target_ip, open_ports)
+- `rdpclip.exe-{hash}.pf`
-    source_artifacts(target_ip, open_ports)
+- `tstheme.exe-{hash}.pf`
-    destination_artifacts(target_ip, open_ports)
+"""
-    extra_info(target_ip, open_ports)
+    print_info(title, content)
+
+
+def extra_rdp_info():
+    title = "RDP Extra Information"
+    content = """
+# RDP Authentication vs. Authorization
+- RDP authentication happens prior to session establishment (NLA).
+- Know when authentication can fail and authorization can succeed.
+
+# RDP Event Flow
+1149 > 4624 (type 10) OR 7 (reconnect) > 21 > 22
+- 1149: Authentication succeeded
+- 4624: Account successfully logged on
+- 21: Session logon succeeded
+- 22: Shell start notification received
+"""
+    print_info(title, content)
+
+def all_rdp_info():
+    source_event_logs()
+    destination_event_logs()
+    source_registry()
+    destination_registry()
+    source_artifacts()
+    destination_artifacts()
+    extra_rdp_info()