matthew/Hunt-AI
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Delete TTPs/Persistence/smbexec.py

Browse Source
This commit is contained in:
Matthew Iverson
2024-11-28 00:53:45 -05:00
parent f7b50f0344
commit 8df44fbd46
1 changed files with 0 additions and 186 deletions
Download Patch File Download Diff File Expand all files Collapse all files

186
TTPs/Persistence/smbexec.py
View File

@ -1,186 +0,0 @@
import sys
from Modules.Imports.ttp_imports import *
from Modules.submenu import build_submenu
def smbexec_submenu():
"""
Submenu for SMBExec detection techniques.
"""
actions = {
"1": {"description": "Source Event Logs", "function": source_event_logs},
"2": {"description": "Destination Event Logs", "function": destination_event_logs},
"3": {"description": "Source Registry", "function": source_registry},
"4": {"description": "Destination Registry", "function": destination_registry},
"5": {"description": "Source File System", "function": source_file_system},
"6": {"description": "Destination File System", "function": destination_file_system},
"7": {"description": "Service Creation Details", "function": smbexec_service_creation},
"8": {"description": "Network Artifacts", "function": smbexec_network_artifacts},
"9": {"description": "Eviction Techniques", "function": smbexec_eviction_techniques},
"10": {"description": "Malware Case Study", "function": smbexec_malware_case_study},
}
build_submenu("SMBExec Persistence", actions)
# Individual submenu functions
def source_event_logs():
"""
Displays source event logs related to SMBExec.
"""
title = "SMBExec Source Event Logs"
content = """
- **security.evtx**
- `4776` - Logon specifying alternate credentials
- Current logged-on User Name
- Alternate User Name
- Destination Host Name/IP
- Process Name
"""
print_info(title, content)
def destination_event_logs():
"""
Displays destination event logs related to SMBExec.
"""
title = "SMBExec Destination Event Logs"
content = """
- **security.evtx**
- `4776` - Logon specifying alternate credentials
- Connecting User Name
- Process Name
- `4624` Logon Type 3
- Source IP/Logon User Name
- `4672`
- Logon User Name
- Logon by a user with administrative rights
- `4634` Type 3 (session end)
- **system.evtx**
- `7045` - Service installation
- Default service name: "BTOBTO" or a random 8-character mixed-case string.
- `7036` Service start/stop events
"""
print_info(title, content)
def source_registry():
"""
Displays source registry information related to SMBExec.
"""
title = "SMBExec Source Registry"
content = """
- **NTUSER.DAT**
- Software\\SysInternals\\SMBExec\\EulaAccepted
- **ShimCache** SYSTEM
- smbexec.exe
- **BAM_DAM** SYSTEM Last Time Executed
- smbexec.exe
- **AmCache.hve** First Time Executed
- smbexec.exe
"""
print_info(title, content)
def destination_registry():
"""
Displays destination registry information related to SMBExec.
"""
title = "SMBExec Destination Registry"
content = """
- SYSTEM\\CurrentControlSet\\Services\\<ServiceName>
- Default: "BTOBTO" or random 8-character string.
- **ShimCache** SYSTEM
- smbexecsvc.exe
- **AmCache.hve**
- First Time Executed
- smbexecsvc.exe
"""
print_info(title, content)
def source_file_system():
"""
Displays source file system artifacts related to SMBExec.
"""
title = "SMBExec Source File System"
content = """
- **Prefetch** C:\\Windows\\Prefetch\\
- smbexec.exe-{hash}.pf
- **File Creation**
- smbexec.exe file downloaded and created on the local host.
"""
print_info(title, content)
def destination_file_system():
"""
Displays destination file system artifacts related to SMBExec.
"""
title = "SMBExec Destination File System"
content = """
- **Prefetch** C:\\Windows\\Prefetch\\
- smbexecsvc.exe-{hash}.pf
- execute.bat-{hash}.pf
- **File Creation**
- `execute.bat` created in C:\\Windows\\TEMP\\
- User-specified commands echoed to `execute.bat`.
- Temporary batch file removed after execution.
"""
print_info(title, content)
def smbexec_service_creation():
"""
Displays details about SMBExec service creation events.
"""
title = "SMBExec Service Creation Details"
content = """
- Service Name:
- Default: "BTOBTO"
- Updated to a random 8-character mixed-case string in May 2023.
- Executable: `execute.bat` created for every command.
- Event Log Evidence:
- `7045` in `system.evtx` logs service creation.
- Command executed via:
- `%COMSPEC% /Q /c echo cd ^> \\127.0.0.1\\C$\\__output 2^>^&1 > %TEMP%\\execute.bat`.
"""
print_info(title, content)
def smbexec_network_artifacts():
"""
Displays network artifacts related to SMBExec activity.
"""
title = "SMBExec Network Artifacts"
content = """
- **Network Connections**:
- SMB protocol communication with the target.
- Evidence of ADMIN$ share access.
- **Network Traffic Analysis**:
- Monitor for suspicious SMB traffic to/from servers.
- Detect repeated connections with new service creation.
"""
print_info(title, content)
def smbexec_eviction_techniques():
"""
Displays information about SMBExec eviction techniques.
"""
title = "SMBExec Eviction Techniques"
content = """
- Remove temporary files:
- `execute.bat` is deleted after execution.
- Service cleanup:
- Services created for each command are removed after execution.
"""
print_info(title, content)
def smbexec_malware_case_study():
"""
Displays a malware case study involving SMBExec.
"""
title = "SMBExec Malware Case Study"
content = """
- **Case Study**:
- Malware using SMBExec for lateral movement.
- Leveraged temporary service creation for executing commands.
- Indicators:
- Random service names.
- Temporary batch files in `C:\\Windows\\TEMP`.
- **Detection**:
- Monitor Event ID 7045 for abnormal service names.
- Correlate with batch file creation and execution in `TEMP` directory.
"""
print_info(title, content)