Update TTPs/Persistence/rdp.py

This commit is contained in:
2024-11-24 11:31:57 -05:00
parent aa19188a4a
commit 8c8baa91fe


@ -31,92 +31,117 @@ def source_event_logs():
""" """
print_info(title, content) print_info(title, content)
def destination_event_logs(target_ip, open_ports): def destination_event_logs():
title = "Destination Event Logs" title = "RDP Destination Event Logs"
content = ( content = """
f"- **Security Event Log** `security.evtx`\n" - **Security Event Log** `security.evtx`
f" - 4624: Logon Type 10\n" - `4624` Logon Type 10
f" - Source IP/Logon User Name\n" - Source IP/Logon User Name
f" - 4778/4779\n" - `4778/4779`
f" - IP Address of Source/Source System Name\n" - IP Address of Source/Source System Name
f" - Logon User Name\n" - Logon User Name
f"- `Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx`\n" - `Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx`
f" - 131: Connection Attempts (Source IP)\n" - `131` - Connection Attempts
f" - 98: Successful Connections\n" - Source IP
f"- `Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx`\n" - `98` - Successful Connections
f" - 1149: Source IP/Logon User Name (Blank user name may indicate Sticky Keys)\n" - `Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx`
f"- `Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx`\n" - `1149`
f" - 21, 22, 25: Source IP/Logon User Name\n" - Source IP/Logon User Name
f" - 41: Logon User Name" - Blank user name may indicate use of Sticky Keys
) - `Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx`
run_command(title, content, target_ip, open_ports) - 21, 22, 25
- Source IP/Logon User Name
- 41
- Logon User Name
"""
print_info(title, content)
def source_registry(target_ip, open_ports):
title = "Source Registry"
content = (
f"- `NTUSER\\Software\\Microsoft\\Terminal Server Client\\Servers`: Remote desktop destinations (per-user)\n"
f"- `ShimCache` SYSTEM: Tracks `mstsc.exe` (Remote Desktop Client)\n"
f"- `BAM_DAM` SYSTEM: Last Time Executed (`mstsc.exe`)\n"
f"- `AmCache.hve`: First Time Executed (`mstsc.exe`)\n"
f"- `UserAssist` `NTUSER.DAT`\n"
f" - Tracks execution of `mstsc.exe` (Remote Desktop Client)\n"
f"- `RecentApps` `NTUSER.DAT`\n"
f" - Tracks `mstsc.exe` and connection destinations"
)
run_command(title, content, target_ip, open_ports)
def destination_registry(target_ip, open_ports): def source_registry():
title = "Destination Registry" title = "RDP Source Registry"
content = ( content = """
f"- `ShimCache` - SYSTEM\n" - Remote desktop destinations are tracked per-user
f" - Tracks `rdpclip.exe` and `tstheme.exe`\n" - `NTUSER\\Software\\Microsoft\\Terminal Server Client\\Servers`
f"- `AmCache.hve`: First Time Executed\n" - [[ShimCache]] SYSTEM
f" - Tracks `rdpclip.exe` and `tstheme.exe`" - `mstsc.exe` Remote Desktop Client
) - [[BAM_DAM]] SYSTEM Last Time Executed
run_command(title, content, target_ip, open_ports) - `mstsc.exe` Remote Desktop Client
- [[AmCache.hve]] - First Time Executed
- `mstsc.exe`
- UserAssist `NTUSER.DAT`
- `mstsc.exe` Remote Desktop Client execution
- Last Time Executed
- Number of Times Executed
- RecentApps `NTUSER.DAT`
- `mstsc.exe`
- Remote Desktop Client execution
- Last Time Executed
- Number of Times Executed
- RecentItems subkey tracks connection destinations and times
"""
print_info(title, content)
def source_artifacts(target_ip, open_ports): def destination_registry():
title = "Source File System Artifacts" title = "RDP Destination Registry"
content = ( content = """
f"- Jumplists: `C:\\Users\\<Username>\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\`\n" - [[ShimCache]] - SYSTEM
f" - Tracks remote desktop connection destinations and times\n" - `rdpclip.exe`
f"- Prefetch: `C:\\Windows\\Prefetch\\`\n" - `tstheme.exe`
f" - Tracks execution of `mstsc.exe`\n" - [[AmCache.hve]] - First Time Executed
f"- Bitmap Cache: `C:\\Users\\<Username>\\AppData\\Local\\Microsoft\\TerminalServer Client\\Cache`\n" - `rdpclip.exe`
f"- Default.rdp file: `C:\\Users\\<Username>\\Documents\\`" - `tstheme.exe`
) """
run_command(title, content, target_ip, open_ports) print_info(title, content)
def destination_artifacts(target_ip, open_ports):
title = "Destination File System Artifacts"
content = (
f"- Prefetch: `C:\\Windows\\Prefetch\\`\n"
f" - Tracks execution of `rdpclip.exe` and `tstheme.exe`"
)
run_command(title, content, target_ip, open_ports)
def extra_info(target_ip, open_ports): def source_artifacts():
title = "Extra Information" title = "RDP Source File System Artifacts"
content = ( content = """
f"- [RDP Authentication vs. Authorization - 13Cubed](https://youtu.be/OlENso8_u7s)\n" - Jumplists - `C:\\Users\\<Username>\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\`
f"- Key Concepts:\n" - `{MSTSC-APPID}-automaticDestinations-ms`
f" - RDP_NLA (Network Level Authentication)\n" - Tracks remote desktop connection destination and times
f" - RDP_successful_logon event codes\n" - [[Prefetch]] `C:\\Windows\\Prefetch\\`
f" - 1149 > 4624 type 10 (established) OR 7 (reconnect) > 21 > 22\n" - `mstsc.exe-{hash}.pf`
f" - Understand authentication failures vs. authorization successes" - [[Bitmap_Cache]] `C:\\Users\\<Username>\\AppData\\Local\\Microsoft\\TerminalServer Client\\Cache`
) - bcache##.bmc
run_command(title, content, target_ip, open_ports) - cache####.bin
- Default.rdp file
- `C:\\Users\\<Username>\\Documents\\`
"""
print_info(title, content)
def run_all_rdp_checks(target_ip, open_ports):
title = "Run All RDP Checks"
content = "Executing all RDP persistence checks. Please wait..."
run_command(title, content, target_ip, open_ports)
# Sequentially run all functions def destination_artifacts():
source_event_logs(target_ip, open_ports) title = "RDP Destination File System Artifacts"
destination_event_logs(target_ip, open_ports) content = """
source_registry(target_ip, open_ports) - Prefetch `C:\\Windows\\Prefetch\\`
destination_registry(target_ip, open_ports) - `rdpclip.exe-{hash}.pf`
source_artifacts(target_ip, open_ports) - `tstheme.exe-{hash}.pf`
destination_artifacts(target_ip, open_ports) """
extra_info(target_ip, open_ports) print_info(title, content)
def extra_rdp_info():
title = "RDP Extra Information"
content = """
# RDP Authentication vs. Authorization
- RDP authentication happens prior to session establishment (NLA).
- Know when authentication can fail and authorization can succeed.
# RDP Event Flow
1149 > 4624 (type 10) OR 7 (reconnect) > 21 > 22
- 1149: Authentication succeeded
- 4624: Account successfully logged on
- 21: Session logon succeeded
- 22: Shell start notification received
"""
print_info(title, content)
def all_rdp_info():
source_event_logs()
destination_event_logs()
source_registry()
destination_registry()
source_artifacts()
destination_artifacts()
extra_rdp_info()
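Review bot: The `destination_event_logs` content on the new side lists only `4624` Logon Type 10 under `security.evtx`, while `extra_rdp_info` further down the same hunk describes the event flow as `4624 (type 10) OR 7 (reconnect)`, so the two sections disagree on which logon types an analyst should look for on the destination host. Adding `- `4624` Logon Type 7 (reconnect to an existing session)` directly after the Type 10 bullet keeps the two sections consistent. None of the rewritten functions (`destination_event_logs` through `all_rdp_info`) carries a docstring; a one-line `"""Print the RDP destination-side event log artifacts to look for."""` under each `def`, and `"""Run every RDP artifact section in order."""` on `all_rdp_info`, would document the contract now that the `target_ip`/`open_ports` parameters are gone. The new content strings hold literal braces (`{hash}`, `{MSTSC-APPID}`, `{MSTSC-APPID}-automaticDestinations-ms`) that are only safe because the `f` prefix was dropped; if `print_info` ever applies `.format()` to `content` these would raise `KeyError`, so a short `# NOTE: braces are literal placeholders, do not format this string` above each affected `content = """` is worth adding. `source_event_logs` starts before the hunk, so its body was not reviewed.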