diff --git a/TTPs/Persistence/smbexec.py b/TTPs/Persistence/smbexec.py
deleted file mode 100644
index c49158e..0000000
--- a/TTPs/Persistence/smbexec.py
+++ /dev/null
@@ -1,186 +0,0 @@ -import sys -from Modules.Imports.ttp_imports import * -from Modules.submenu import build_submenu - -def smbexec_submenu(): - """ - Submenu for SMBExec detection techniques. - """ - actions = { - "1": {"description": "Source Event Logs", "function": source_event_logs}, - "2": {"description": "Destination Event Logs", "function": destination_event_logs}, - "3": {"description": "Source Registry", "function": source_registry}, - "4": {"description": "Destination Registry", "function": destination_registry}, - "5": {"description": "Source File System", "function": source_file_system}, - "6": {"description": "Destination File System", "function": destination_file_system}, - "7": {"description": "Service Creation Details", "function": smbexec_service_creation}, - "8": {"description": "Network Artifacts", "function": smbexec_network_artifacts}, - "9": {"description": "Eviction Techniques", "function": smbexec_eviction_techniques}, - "10": {"description": "Malware Case Study", "function": smbexec_malware_case_study}, - } - build_submenu("SMBExec Persistence", actions) - -# Individual submenu functions - -def source_event_logs(): - """ - Displays source event logs related to SMBExec. - """ - title = "SMBExec Source Event Logs" - content = """ -- **security.evtx** - - `4776` - Logon specifying alternate credentials - - Current logged-on User Name - - Alternate User Name - - Destination Host Name/IP - - Process Name -""" - print_info(title, content) - -def destination_event_logs(): - """ - Displays destination event logs related to SMBExec. 
- """ - title = "SMBExec Destination Event Logs" - content = """ -- **security.evtx** - - `4776` - Logon specifying alternate credentials - - Connecting User Name - - Process Name - - `4624` Logon Type 3 - - Source IP/Logon User Name - - `4672` - - Logon User Name - - Logon by a user with administrative rights - - `4634` Type 3 (session end) -- **system.evtx** - - `7045` - Service installation - - Default service name: "BTOBTO" or a random 8-character mixed-case string. - - `7036` Service start/stop events -""" - print_info(title, content) - -def source_registry(): - """ - Displays source registry information related to SMBExec. - """ - title = "SMBExec Source Registry" - content = """ -- **NTUSER.DAT** - - Software\\SysInternals\\SMBExec\\EulaAccepted -- **ShimCache** – SYSTEM - - smbexec.exe -- **BAM_DAM** – SYSTEM – Last Time Executed - - smbexec.exe -- **AmCache.hve** – First Time Executed - - smbexec.exe -""" - print_info(title, content) - -def destination_registry(): - """ - Displays destination registry information related to SMBExec. - """ - title = "SMBExec Destination Registry" - content = """ -- SYSTEM\\CurrentControlSet\\Services\\ - - Default: "BTOBTO" or random 8-character string. -- **ShimCache** – SYSTEM - - smbexecsvc.exe -- **AmCache.hve** - - First Time Executed - - smbexecsvc.exe -""" - print_info(title, content) - -def source_file_system(): - """ - Displays source file system artifacts related to SMBExec. - """ - title = "SMBExec Source File System" - content = """ -- **Prefetch** – C:\\Windows\\Prefetch\\ - - smbexec.exe-{hash}.pf -- **File Creation** - - smbexec.exe file downloaded and created on the local host. -""" - print_info(title, content) - -def destination_file_system(): - """ - Displays destination file system artifacts related to SMBExec. 
- """ - title = "SMBExec Destination File System" - content = """ -- **Prefetch** – C:\\Windows\\Prefetch\\ - - smbexecsvc.exe-{hash}.pf - - execute.bat-{hash}.pf -- **File Creation** - - `execute.bat` created in C:\\Windows\\TEMP\\ - - User-specified commands echoed to `execute.bat`. - - Temporary batch file removed after execution. -""" - print_info(title, content) - -def smbexec_service_creation(): - """ - Displays details about SMBExec service creation events. - """ - title = "SMBExec Service Creation Details" - content = """ -- Service Name: - - Default: "BTOBTO" - - Updated to a random 8-character mixed-case string in May 2023. -- Executable: `execute.bat` created for every command. -- Event Log Evidence: - - `7045` in `system.evtx` logs service creation. - - Command executed via: - - `%COMSPEC% /Q /c echo cd ^> \\127.0.0.1\\C$\\__output 2^>^&1 > %TEMP%\\execute.bat`. -""" - print_info(title, content) - -def smbexec_network_artifacts(): - """ - Displays network artifacts related to SMBExec activity. - """ - title = "SMBExec Network Artifacts" - content = """ -- **Network Connections**: - - SMB protocol communication with the target. - - Evidence of ADMIN$ share access. -- **Network Traffic Analysis**: - - Monitor for suspicious SMB traffic to/from servers. - - Detect repeated connections with new service creation. -""" - print_info(title, content) - -def smbexec_eviction_techniques(): - """ - Displays information about SMBExec eviction techniques. - """ - title = "SMBExec Eviction Techniques" - content = """ -- Remove temporary files: - - `execute.bat` is deleted after execution. -- Service cleanup: - - Services created for each command are removed after execution. -""" - print_info(title, content) - -def smbexec_malware_case_study(): - """ - Displays a malware case study involving SMBExec. - """ - title = "SMBExec Malware Case Study" - content = """ -- **Case Study**: - - Malware using SMBExec for lateral movement. 
- - Leveraged temporary service creation for executing commands. - - Indicators: - - Random service names. - - Temporary batch files in `C:\\Windows\\TEMP`. -- **Detection**: - - Monitor Event ID 7045 for abnormal service names. - - Correlate with batch file creation and execution in `TEMP` directory. -""" - print_info(title, content)