diff --git a/TTPs/Persistence/advanced.py b/TTPs/Persistence/advanced.py
new file mode 100644
index 0000000..4bb334e
--- /dev/null
+++ b/TTPs/Persistence/advanced.py
@@ -0,0 +1,35 @@
+from Modules.submenu import build_submenu
+
+def advanced_submenu():
+ actions = {
+ "1": {"description": "Bios Flashing", "function": view_bios_flashing},
+ "2": {"description": "Drivers", "function": view_drivers},
+ "3": {"description": "Local Group Policy", "function": view_local_group_policy},
+ "4": {"description": "MS Office Add-In", "function": view_ms_office_addin},
+ "0": {"description": "Go Back to Persistence Menu", "function": lambda: None},
+ }
+ build_submenu("Advanced Persistence", actions)
+
+def view_bios_flashing():
+ title = "Bios Flashing"
+ content = "Detection techniques for advanced persistence via BIOS flashing."
+ print_info(title, content)
+
+def view_drivers():
+ title = "Drivers"
+ content = "Analyzing drivers for advanced persistence techniques."
+ print_info(title, content)
+
+def view_local_group_policy():
+ title = "Local Group Policy"
+ content = "Detection methods for advanced persistence through local group policy manipulation."
+ print_info(title, content)
+
+def view_ms_office_addin():
+ title = "MS Office Add-In"
+ content = "Exploring persistence mechanisms via MS Office add-ins."
+ print_info(title, content)
+
+def print_info(title, content):
+ print(f"\n{'='*40}\n{title}\n{'='*40}\n{content}\n{'='*40}")
+ input("Press Enter to return to the submenu...")
diff --git a/TTPs/Persistence/autostart.py b/TTPs/Persistence/autostart.py
new file mode 100644
index 0000000..b9865f3
--- /dev/null
+++ b/TTPs/Persistence/autostart.py
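Review bot: `print_info` is redefined at the bottom of this file even though every sibling TTP module in this commit calls it without defining it (presumably it comes from `Modules.Imports.ttp_imports`), so this menu's banner format and its trailing `input()` prompt can drift from the rest of the tool; dropping the local definition and importing the shared one keeps output consistent. The `"0": {"description": "Go Back to Persistence Menu", "function": lambda: None}` entry is unique to this submenu — none of the other persistence submenus register a back entry, which suggests `build_submenu` already supplies one; confirm before keeping it. The four `view_*` bodies are one-sentence placeholders with no registry paths, event IDs or artifacts, unlike the other modules, so a `# TODO: fill in detection artifacts` comment above each would mark them as unfinished rather than complete.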
@@ -0,0 +1,101 @@ +from Modules.Imports.ttp_imports import * + +def autostart_submenu(): + """ + Submenu for Autostart Persistence Indicators. + """ + actions = { + "1": {"description": "Registry Run Keys", "function": registry_run_keys}, + "2": {"description": "Winlogon Userinit", "function": winlogon_userinit}, + "3": {"description": "Startup Folder", "function": startup_folder}, + "4": {"description": "Investigative Notes", "function": investigative_notes}, + "4": {"description": "Autostart Extra", "function": autostart_extra}, + } + build_submenu("Autostart Persistence", actions) + +def registry_run_keys(): + """ + Displays information about Registry Run Keys for Autostart. + """ + title = "Registry Run Keys" + content = """ +The most common ASEPs (AutoStart Extension Points) are the “Run” Registry keys: +- NTUSER.DAT\\Software\\Microsoft\\Windows\\CurrentVersion\\Run +- NTUSER.DAT\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce +- Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce +- Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run +- Software\\Microsoft\\Windows\\CurrentVersion\\Run + +These keys are executed when a user logs on. Monitoring these keys is crucial for detecting persistence mechanisms. +""" + print_info(title, content) + +def winlogon_userinit(): + """ + Displays information about the Winlogon Userinit ASEP. + """ + title = "Winlogon Userinit" + content = """ +The Winlogon Userinit key can be used to maintain persistence: +- SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit + +This key typically contains: +- C:\\Windows\\system32\\userinit.exe + +However, it can be modified to include malicious binaries: +- Example: C:\\Windows\\system32\\userinit.exe,C:\\Temp\\malicious.exe +""" + print_info(title, content) + +def startup_folder(): + """ + Displays information about the Startup folder ASEP. 
+ """ + title = "Startup Folder" + content = """ +The Startup folder allows for persistence by placing shortcuts in this folder: +- %AppData%\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup + +Files in this folder automatically execute when a user logs on. Malware often uses this location for persistence. +""" + print_info(title, content) + +def investigative_notes(): + """ + Displays investigative notes about Autostart ASEPs. + """ + title = "Investigative Notes" + content = """ +Investigating ASEPs across multiple systems can help identify compromised hosts. Key notes: +- ASEPs are numerous and diverse, requiring thorough examination. +- Tools like Registry Explorer and RegRipper can retrieve additional ASEPs from Registry hives. +- Analyzing data across systems may reveal outliers indicative of malicious activity. + + +""" + print_info(title, content) + +def autostart_extra(): + """ + Displays information about the Winlogon Userinit ASEP. + """ + title = "Autostart Extra" + content = """ +- Items in these keys are executed when a user logs on, unlike other ASEPs that act at boot. +- Multiple "run" keys exist in both the NTUSER.DAT and SOFTWARE hives. +- Another, less common but equally dangerous key is: + - SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit. +- This key typically contains a reference to `userinit.exe`, which by default: + - Executes `Userinit.exe`. + - Launches `Explorer.exe`. +- However, it can be modified to include malicious binaries, such as: + - `C:\\Windows\\system32\\userinit.exe,C:\\Temp\\winsvchost.exe`, which would run at boot. + +- Finally, `%AppData%\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup` allows for persistence by placing shortcuts in this folder. +- These shortcuts automatically execute the associated binaries when a user logs on. +- Malware has recently gravitated back to this old attack vector. +- Although these locations are very common for ASEPs, many more exist. 
+- Tools like Registry Explorer and RegRipper can retrieve additional ASEPs from Registry hives. +- Analyzing data across systems may reveal outliers leading to compromised systems. +""" + print_info(title, content) \ No newline at end of file diff --git a/TTPs/Persistence/basic_persistence.py b/TTPs/Persistence/basic_persistence.py new file mode 100644 index 0000000..abe9e5b --- /dev/null +++ b/TTPs/Persistence/basic_persistence.py 
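Review bot: The `actions` dict in `autostart_submenu` uses the key `"4"` twice, so the `investigative_notes` entry is silently overwritten by the `autostart_extra` one and "Investigative Notes" can never be reached from the menu; the second entry should be `"5": {"description": "Autostart Extra", "function": autostart_extra},`. The docstring on `autostart_extra` is a copy of the `winlogon_userinit` one ("Displays information about the Winlogon Userinit ASEP.") and should describe this function's own content. In `startup_folder` and again in `autostart_extra`, `%AppData%` already resolves to the `Roaming` directory, so `%AppData%\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup` points one level too deep; `%AppData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup` is the path that exists.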
@@ -0,0 +1,153 @@ +import sys +from Modules.Imports.ttp_imports import * +from Modules.submenu import build_submenu + +def basic_persistence_submenu(): + """ + Submenu for Basic Persistence Mechanisms. + """ + actions = { + "1": {"description": "BootExecute Key", "function": boot_execute_key}, + "2": {"description": "WinLogon Process Keys", "submenu": winlogon_keys_submenu}, + "3": {"description": "Startup Keys", "function": startup_keys}, + "4": {"description": "Services", "function": services_keys}, + "5": {"description": "Browser Helper Objects", "function": browser_helper_objects}, + "6": {"description": "AppInit_DLLs", "function": appinit_dlls}, + "7": {"description": "Persistence Using Global Flags", "function": persistence_global_flags}, + } + build_submenu("Basic Persistence Mechanisms", actions) + +def boot_execute_key(): + """ + Displays information about the BootExecute Key. + """ + title = "BootExecute Key" + content = r""" +The BootExecute registry key launches processes before the subsystem initializes. + +Key Path: +- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Session +""" + print_info(title, content) + +def winlogon_keys_submenu(): + """ + Submenu for WinLogon Process Keys. + """ + actions = { + "1": {"description": "Userinit Key", "function": userinit_key}, + "2": {"description": "Notify Key", "function": notify_key}, + "3": {"description": "Explorer.exe Key", "function": explorer_key}, + } + build_submenu("WinLogon Process Keys", actions) + +def userinit_key(): + """ + Displays information about the Userinit Key. + """ + title = "Userinit Key" + content = r""" +The Userinit Key launches login scripts during the user logon process. + +Key Path: +- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon +""" + print_info(title, content) + +def notify_key(): + """ + Displays information about the Notify Key. + """ + title = "Notify Key" + content = r""" +The Notify Key is used for handling the `Ctrl+Alt+Del` event. 
+ +Key Path: +- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify +""" + print_info(title, content) + +def explorer_key(): + """ + Displays information about the Explorer.exe Key. + """ + title = "Explorer.exe Key" + content = r""" +This key points to `explorer.exe` and can be abused for persistence. + +Key Path: +- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell +""" + print_info(title, content) + +def startup_keys(): + """ + Displays information about Startup Keys. + """ + title = "Startup Keys" + content = r""" +Startup Keys allow programs to launch when a user logs on. + +Key Paths: +- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders +- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders +- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders +- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders +""" + print_info(title, content) + +def services_keys(): + """ + Displays information about Services Keys. + """ + title = "Services Keys" + content = r""" +Services keys enable services to boot automatically at startup. + +Key Paths: +- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services +- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce +- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices +""" + print_info(title, content) + +def browser_helper_objects(): + """ + Displays information about Browser Helper Objects. + """ + title = "Browser Helper Objects" + content = r""" +Browser Helper Objects can be used for persistence or malicious activity. + +Key Path: +- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects +""" + print_info(title, content) + +def appinit_dlls(): + """ + Displays information about AppInit_DLLs. 
+ """ + title = "AppInit_DLLs" + content = r""" +The AppInit_DLLs registry key specifies DLLs that are loaded into every user-mode process that loads `user32.dll`. + +Key Path: +- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs +""" + print_info(title, content) + +def persistence_global_flags(): + """ + Displays information about persistence using global flags. + """ + title = "Persistence Using Global Flags" + content = r""" +Global flags in the Image File Execution Options registry key can be abused for persistence. + +Example Commands: +reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v GlobalFlag /t REG_DWORD /d 512 +reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v ReportingMode /t REG_DWORD /d 1 +reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v MonitorProcess /d "C:\temp\evil.exe" +""" + print_info(title, content) diff --git a/TTPs/Persistence/dcom.py b/TTPs/Persistence/dcom.py new file mode 100644 index 0000000..b6ff0bc --- /dev/null +++ b/TTPs/Persistence/dcom.py 
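Review bot: The `"2"` entry in `basic_persistence_submenu` is keyed `"submenu"` while every other entry in this file and in the sibling modules is keyed `"function"`; unless `build_submenu` (not in this diff) explicitly handles a `"submenu"` key, selecting option 2 will fail or be ignored, so `"2": {"description": "WinLogon Process Keys", "function": winlogon_keys_submenu},` is the safer form. The path in `boot_execute_key` is cut off at `...\Control\Session`; the value lives under `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager` (value name `BootExecute`), and `ControlSet002` is one numbered copy rather than the active control set. `import sys` is unused here and in dcom.py, dll_hijacking.py, map_share.py, powershell_remoting.py, psexec.py and rdp.py in this commit.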
@@ -0,0 +1,105 @@ +import sys +from Modules.Imports.ttp_imports import * +from Modules.submenu import build_submenu + +def dcom_submenu(): + """ + Submenu for DCOM-based Persistence Indicators. + """ + actions = { + "1": {"description": "DCOM Execution Overview", "function": dcom_execution_overview}, + "2": {"description": "Windows Event Log Residue", "function": windows_event_log_residue}, + "3": {"description": "Analysis of Commands Executed", "function": analyze_commands_executed}, + "4": {"description": "Detection and Mitigation", "function": detection_and_mitigation}, + } + build_submenu("DCOM-Based Persistence", actions) + +def dcom_execution_overview(): + """ + Provides an overview of DCOM execution for persistence. + """ + title = "DCOM Execution Overview" + content = """ +### DCOM Execution (dcomexec.py): +- **Command**: `dcomexec.py -object [ShellWindows | ShellBrowserWindow | MMC20] domain/username:password@[hostname | IP] command` + - Specify a command to run or leave blank for shell. + - Executes a semi-interactive shell using DCOM objects. + - Must specify 'ShellWindows', 'ShellBrowserWindow', or 'MMC20' via the `-object` parameter. + - Uses the first 5 digits of the UNIX Epoch Time in commands. + +**Features**: +- Not detected or blocked by Windows Defender by default. +""" + print_info(title, content) + +def windows_event_log_residue(): + """ + Describes the Windows Event Log residue left by DCOM execution. + """ + title = "Windows Event Log Residue" + content = """ +### Event Log Residue: +- Two rounds of: + - Event ID `4776` in Security on target (for user specified in command). + - Event ID `4672` in Security on target (for user specified in command). + - Event ID `4624` Type 3 in Security on target (for user specified in command). + +#### If Enabled: +- Event ID `4688` in Security on target: + - `svchost.exe → mmc.exe -Embedding`. 
+ - `mmc.exe → cmd.exe /Q /c cd \\ 1> \\127.0.0.1\\ADMIN$\\__sssss 2>&1` (where “s” is the first 5 digits of the UNIX Epoch Time). + - `cmd.exe → conhost.exe 0xffffffff -ForceV1`. + +#### User Specified Commands: +- Event ID `4688` in Security on target: + - `mmc.exe → cmd.exe /Q /c command 1> \\127.0.0.1\\ADMIN$\\__sssss 2>&1`. + - `cmd.exe → conhost.exe 0xffffffff -ForceV1`. + +- Two rounds of: + - Event ID `4634` Type 3 in Security on target (for user specified in command). +""" + print_info(title, content) + +def analyze_commands_executed(): + """ + Analyzes commands executed via DCOM for forensic insights. + """ + title = "Analysis of Commands Executed via DCOM" + content = """ +### Command Execution Details: +- DCOM execution involves creating a semi-interactive shell or running specific commands via DCOM objects. +- Commands use `mmc.exe` and `cmd.exe`: + - `mmc.exe → cmd.exe /Q /c command 1> \\127.0.0.1\\ADMIN$\\__sssss 2>&1`. + - The temporary file (__sssss) is created in the ADMIN$ share and cleaned up after execution. + +**Key Indicators**: +- Look for temporary files in the ADMIN$ share with names matching the pattern `__sssss`. +- Monitor suspicious use of `mmc.exe` with the `-Embedding` flag. +""" + print_info(title, content) + +def detection_and_mitigation(): + """ + Provides detection and mitigation strategies for DCOM execution. + """ + title = "Detection and Mitigation" + content = """ +### Detection: +- Monitor `security.evtx` and `system.evtx` for: + - Event ID `4688` showing `mmc.exe` or `cmd.exe` with unusual arguments. + - Event ID `4624` and `4672` indicating logon attempts. + - Event ID `4634` showing logoff events. + +- Use tools like Sysmon to log detailed command-line activity: + - Enable logging for `mmc.exe`, `cmd.exe`, and `conhost.exe`. + - Look for suspicious command-line parameters, such as the `-Embedding` flag. 
+ +### Mitigation: +- Restrict DCOM usage via GPO: + - Navigate to: `Computer Configuration > Administrative Templates > Windows Components > DCOM`. + - Disable DCOM or restrict to trusted applications. + +- Regularly audit temporary files in ADMIN$ shares. +- Use endpoint protection solutions to detect unusual DCOM activity. +""" + print_info(title, content) diff --git a/TTPs/Persistence/dll_hijacking.py b/TTPs/Persistence/dll_hijacking.py new file mode 100644 index 0000000..9c17456 --- /dev/null +++ b/TTPs/Persistence/dll_hijacking.py 
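Review bot: The UNC paths in `windows_event_log_residue` and `analyze_commands_executed` are written as `\\127.0.0.1\\ADMIN$\\__sssss` inside plain (non-raw) triple-quoted strings, so each `\\` collapses to one backslash and the menu prints `\127.0.0.1\ADMIN$\__sssss` — the leading `\\` an analyst would search for is lost. Using a raw string as basic_persistence.py already does, `content = r"""` with `cd \ 1> \\127.0.0.1\ADMIN$\__sssss 2>&1`, prints the command as it appears in a 4688 event. In `detection_and_mitigation` the GPO path `Computer Configuration > Administrative Templates > Windows Components > DCOM` does not match any node I can place; I believe the DCOM access and launch restrictions live under Security Settings > Local Policies > Security Options, so verify and correct the path before analysts rely on it.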
@@ -0,0 +1,78 @@ +import sys +from Modules.Imports.ttp_imports import * +from Modules.submenu import build_submenu + +def dll_hijacking_submenu(): + """ + Submenu for DLL Hijacking detection techniques. + """ + actions = { + "1": {"description": "File System Analysis", "function": file_system_analysis}, + "2": {"description": "Memory Analysis", "function": memory_analysis}, + "3": {"description": "Command Line Analysis", "function": command_line_analysis}, + "4": {"description": "SANS DFIR Insights", "function": sans_dfir_insights}, + } + build_submenu("DLL Hijacking Detection", actions) + +# Individual submenu functions + +def file_system_analysis(): + """ + Displays information about file system analysis for DLL hijacking detection. + """ + title = "DLL Hijacking File System Analysis" + content = """ +- Look for new or unsigned `.exe` and `.dll` files in unusual locations. +- Example Indicators: + - Timestamp: 2021-02-18 03:42:31 + - Impact: - + - Method: mach Meta + - File Name: `c:/ProgramData/mcoemcpy.exe` (size: 77824) + - File: `c:/ProgramData/McUtil.dll` (size: 131072) +""" + print_info(title, content) + +def memory_analysis(): + """ + Displays memory analysis techniques for DLL hijacking detection. + """ + title = "DLL Hijacking Memory Analysis" + content = """ +- Identify system processes or DLLs loaded from unusual locations. +- Pay attention to: + - Processes running unexpected code. + - DLLs loaded from locations outside expected directories. +- Newly created DLLs and executables can indicate malicious activity. +""" + print_info(title, content) + +def command_line_analysis(): + """ + Displays command-line analysis techniques for DLL hijacking detection. + """ + title = "DLL Hijacking Command-Line Analysis" + content = """ +- Review suspicious command-line execution patterns. + - Example: + - Command: `C:\\ProgramData\\ncoenchy.exe 0x4` + - Method: mach Meta +- Check for signs of injection or other manipulation. 
+""" + print_info(title, content) + +def sans_dfir_insights(): + """ + Displays insights from SANS DFIR training for DLL hijacking detection. + """ + title = "DLL Hijacking Insights from SANS DFIR" + content = """ +- Nearly all DLL hijacks require placing a new DLL or executable onto the file system. +- Investigative Techniques: + - **File Timeline Analysis**: + - Focus on newly created files during times of interest. + - **Memory Forensics**: + - Analyze running processes for unexpected DLL locations. +- Obscure DLLs are more likely to be targeted since common DLLs are usually preloaded into memory. +- Other anomalous actions like network beaconing or named pipe creation can lead to detection. +""" + print_info(title, content) diff --git a/TTPs/Persistence/map_share.py b/TTPs/Persistence/map_share.py new file mode 100644 index 0000000..e598fdc --- /dev/null +++ b/TTPs/Persistence/map_share.py 
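Review bot: The example indicators in `file_system_analysis` and `command_line_analysis` look like a transcription of a screenshot rather than curated content — the executable is `mcoemcpy.exe` in one function and `ncoenchy.exe` in the other, the first uses forward slashes (`c:/ProgramData/...`) while the second uses Windows backslashes, and `Method: mach Meta` is not an identifiable field value. If these are illustrative rather than real artifacts, say so in the string, e.g. a leading line `Illustrative example (names are not real indicators):`, and use one consistent file name and path style in both functions. `import sys` at the top of the file is unused.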
@@ -0,0 +1,133 @@ +import sys +from Modules.Imports.ttp_imports import * +from Modules.submenu import build_submenu + +def map_share_submenu(): + """ + Submenu for Map Share detection techniques. + """ + actions = { + "1": {"description": "Source Event Logs", "function": source_event_logs}, + "2": {"description": "Destination Event Logs", "function": destination_event_logs}, + "3": {"description": "Source Registry", "function": source_registry}, + "4": {"description": "Destination Registry", "function": destination_registry}, + "5": {"description": "Source File System", "function": source_file_system}, + "6": {"description": "Destination File System", "function": destination_file_system}, + } + build_submenu("Map Share Persistence", actions) + +# Individual submenu functions + +def source_event_logs(): + """ + Displays source event logs related to map shares. + """ + title = "Map Share Source Event Logs" + content = """ +- `security.evtx` + - `4648` - Logon specifying alternate credentials + - Current logged-on User Name + - Alternate User Name + - Destination Host Name/IP + - Process Name +- `Microsoft-Windows-SmbClient\\Security.evtx` + - `31001` – Failed logon to destination + - Destination Host Name + - User Name for failed logon + - Reason code for failed destination logon (e.g., bad password) +""" + print_info(title, content) + +def destination_event_logs(): + """ + Displays destination event logs related to map shares. 
+ """ + title = "Map Share Destination Event Logs" + content = """ +- **Security Event Log – `security.evtx`** + - `4624` + - Logon Type 3 + - Source IP/Logon User Name + - `4672` + - Logon User Name + - Logon by user with administrative rights + - Requirement for accessing default shares such as **C$** and **ADMIN$** + - `4776` - NTLM if authenticating to Local System + - Source Host Name/Logon User Name + - `4768` - TGT Granted + - Source Host Name/Logon User Name + - Available only on domain controller + - `4769` - Service Ticket Granted if authenticating to Domain Controller + - Destination Host Name/Logon User Name + - Source IP + - Available only on domain controller + - `5140` + - Share Access + - `5145` + - Auditing of shared files – **NOISY**! +""" + print_info(title, content) + +def source_registry(): + """ + Displays source registry information related to map shares. + """ + title = "Map Share Source Registry" + content = """ +- **MountPoints2** - Remotely mapped shares + - `NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2` +- **Shellbags** - USRCLASS.DAT + - Remote folders accessed inside an interactive session via Explorer by attackers. +- **ShimCache** – SYSTEM + - `net.exe` + - `net1.exe` +- **BAM_DAM** – NTUSER.DAT – Last Time Executed + - `net.exe` + - `net1.exe` +- **AmCache.hve** - First Time Executed + - `net.exe` + - `net1.exe` +""" + print_info(title, content) + +def destination_registry(): + """ + Displays destination registry information related to map shares. + """ + title = "Map Share Destination Registry" + content = """ +- N/A +""" + print_info(title, content) + +def source_file_system(): + """ + Displays source file system artifacts related to map shares. 
+ """ + title = "Map Share Source File System" + content = """ +- **Prefetch** - `C:\\Windows\\Prefetch\\` + - `net.exe-{hash}.pf` + - `net1.exe-{hash}.pf` +- **User Profile Artifacts** + - Review shortcut files and jumplists for remote files accessed by attackers if they had interactive access (RDP). +""" + print_info(title, content) + +def destination_file_system(): + """ + Displays destination file system artifacts related to map shares. + """ + title = "Map Share Destination File System" + content = """ +- **File Creation** + - Attacker's files (malware) copied to the destination system. + - Look for Modified Time before Creation Time. + - Creation Time is the time of file copy. +- **User Access Logging (Servers Only)** + - `C:\\Windows\\System32\\LogFiles\\Sum` + - User Name + - Source IP Address + - First and Last Access Time +""" + print_info(title, content) diff --git a/TTPs/Persistence/powershell_remoting.py b/TTPs/Persistence/powershell_remoting.py new file mode 100644 index 0000000..5e712f5 --- /dev/null +++ b/TTPs/Persistence/powershell_remoting.py 
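Review bot: `source_event_logs` names the client log as `Microsoft-Windows-SmbClient\\Security.evtx`, while the sibling powershell_remoting.py writes channel names either as `.../Operational.evtx` or in the on-disk `%4` form; an analyst listing a log directory will only find `Microsoft-Windows-SmbClient%4Security.evtx`, so `- `Microsoft-Windows-SmbClient%4Security.evtx`` keeps the entry searchable and consistent with the other modules. `destination_registry` shows only `- N/A`; a one-line explanation of why nothing is listed would make the empty entry read as deliberate rather than unfinished. `source_event_logs`, `source_registry` and the other four function names are reused verbatim in powershell_remoting.py, psexec.py and rdp.py; that is harmless while each module is imported as a unit, but a `from ... import *` of these modules would let the last import win.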
@@ -0,0 +1,139 @@ +import sys +from Modules.Imports.ttp_imports import * +from Modules.submenu import build_submenu + +def powershell_remoting_submenu(): + """ + Submenu for PowerShell Remoting detection techniques. + """ + actions = { + "1": {"description": "Source Event Logs", "function": source_event_logs}, + "2": {"description": "Source Registry", "function": source_registry}, + "3": {"description": "Source File System", "function": source_file_system}, + "4": {"description": "Destination Event Logs", "function": destination_event_logs}, + "5": {"description": "Destination Registry", "function": destination_registry}, + "6": {"description": "Destination File System", "function": destination_file_system}, + } + build_submenu("PowerShell Remoting Persistence", actions) + +# Individual submenu functions + +def source_event_logs(): + """ + Displays source event logs related to PowerShell Remoting. + """ + title = "PowerShell Remoting Source Event Logs" + content = """ +- **security.evtx** + - `4648` - Logon specifying alternate credentials + - Current logged-on User Name + - Alternate User Name + - Destination Host Name/IP + - Process Name +- **Microsoft-Windows-WinRM/Operational.evtx** + - `161` - Remote Authentication Error + - `6` - WSMan Session initialize + - Session created + - Destination Host Name or IP + - Current logged-on User Name + - `8`, `15`, `16`, `33` - WSMan Session deinitialization + - Closing of WSMan session + - Current logged-on User Name +- **Microsoft-Windows-PowerShell/Operational.evtx** + - `40961`, `40962` + - Records the local initiation of powershell.exe and associated user account + - `8193` & `8194` - Session created + - `8197` - Connect + - Session closed +""" + print_info(title, content) + +def source_registry(): + """ + Displays source registry information related to PowerShell Remoting. 
+ """ + title = "PowerShell Remoting Source Registry" + content = """ +- **ShimCache** – SYSTEM + - powershell.exe +- **BAM_DAM** – SYSTEM – Last Time Executed + - powershell.exe +- **AmCache.hve** – First Time Executed + - powershell.exe +""" + print_info(title, content) + +def source_file_system(): + """ + Displays source file system artifacts related to PowerShell Remoting. + """ + title = "PowerShell Remoting Source File System" + content = """ +- **Prefetch** – C:\\Windows\\Prefetch\\ + - powershell.exe-{hash}.pf + - PowerShell scripts (.ps1 files) that run within 10 seconds of powershell.exe launching will be tracked in powershell.exe prefetch file +- **Command history** + - C:\\Users\\\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadline\\ConsoleHost_history.txt + - With PS v5+, a history file with previous 4096 commands is maintained per user +""" + print_info(title, content) + +def destination_event_logs(): + """ + Displays destination event logs related to PowerShell Remoting. + """ + title = "PowerShell Remoting Destination Event Logs" + content = """ +- **security.evtx** + - `4624` – Logon Type 3 + - Source IP/Logon User Name + - `4672` + - Logon User Name + - Logon by a user with administrative rights +- **Microsoft-Windows-PowerShell%4Operational.evtx** + - `4103`, `4104` – Script Block logging + - Logs suspicious scripts by default in PS v5 + - Logs all scripts if configured + - `53504` - Records the authenticating user +- **Windows PowerShell.evtx** + - `400/403` - "ServerRemoteHost" indicates start/end of remoting session + - `800` - Includes partial script code +- **Microsoft-Windows-WinRM/Operational.evtx** + - `91` – Session creation + - `142` – WSMan Operation Failure + - `169` – Records the authenticating user +""" + print_info(title, content) + +def destination_registry(): + """ + Displays destination registry information related to PowerShell Remoting. 
+ """ + title = "PowerShell Remoting Destination Registry" + content = """ +- **ShimCache** – SYSTEM + - wsmprovhost.exe + - evil.exe +- **SOFTWARE** + - Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell\\ExecutionPolicy + - Attacker may change execution policy to a less restrictive setting, such as "bypass" +- **AmCache.hve** – First Time Executed + - wsmprovhost.exe + - evil.exe +""" + print_info(title, content) + +def destination_file_system(): + """ + Displays destination file system artifacts related to PowerShell Remoting. + """ + title = "PowerShell Remoting Destination File System" + content = """ +- **File Creation** + - evil.exe + - With Enter-PSSession, a user profile directory may be created +- **Prefetch** – C:\\Windows\\Prefetch\\ + - evil.exe-{hash}.pf + - wsmprovhost.exe-{hash}.pf +""" + print_info(title, content) diff --git a/TTPs/Persistence/psexec.py b/TTPs/Persistence/psexec.py new file mode 100644 index 0000000..b1c9dcb --- /dev/null +++ b/TTPs/Persistence/psexec.py 
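Review bot: In `source_file_system` the history path is `C:\\Users\\\\AppData\\Roaming\\...`, which prints as `C:\Users\\AppData\...` — the user-name placeholder between `Users` and `AppData` has been lost (probably stripped as an angle-bracket token); it should read `C:\\Users\\<user>\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadline\\ConsoleHost_history.txt`. The same file writes the PowerShell channel as `Microsoft-Windows-PowerShell/Operational.evtx` in `source_event_logs` and as `Microsoft-Windows-PowerShell%4Operational.evtx` in `destination_event_logs`; pick one form (the `%4` form is the on-disk file name). `evil.exe` appears as a literal artifact name in `destination_registry` and `destination_file_system`; marking it as a placeholder for the attacker's binary avoids an analyst searching for that exact name.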
@@ -0,0 +1,253 @@ +import sys +from Modules.Imports.ttp_imports import * +from Modules.submenu import build_submenu + +def psexec_submenu(): + """ + Submenu for PsExec detection techniques. + """ + actions = { + "1": {"description": "Source Event Logs", "function": source_event_logs}, + "2": {"description": "Destination Event Logs", "function": destination_event_logs}, + "3": {"description": "Source Registry", "function": source_registry}, + "4": {"description": "Destination Registry", "function": destination_registry}, + "5": {"description": "Source File System", "function": source_file_system}, + "6": {"description": "Destination File System", "function": destination_file_system}, + "7": {"description": "Service Installation Details", "function": service_installation_details}, + "8": {"description": "Network Artifacts", "function": psexec_network_artifacts}, + "9": {"description": "Eviction Techniques", "function": psexec_eviction_techniques}, + "10": {"description": "Malware Case Study", "function": psexec_malware_case_study}, + } + build_submenu("PsExec Persistence", actions) + +# Individual submenu functions + +def source_event_logs(): + """ + Displays source event logs related to PsExec. + """ + title = "PsExec Source Event Logs" + content = """ +- **security.evtx** + - `4648` - Logon specifying alternate credentials + - Current logged-on User Name + - Alternate User Name + - Destination Host Name/IP + - Process Name +""" + print_info(title, content) + +def destination_event_logs(): + """ + Displays destination event logs related to PsExec. 
+ """ + title = "PsExec Destination Event Logs" + content = """ +- **security.evtx** + - `4648` Logon specifying alternate credentials + - Connecting User Name + - Process Name + - `4624` Logon Type 3 (and Type 2 if “-u” Alternate Credentials are used) + - Source IP/Logon User Name + - `4672` + - Logon User Name + - Logon by a user with administrative rights + - Requirement for access default shares such as **C$** and **ADMIN$** + - `5140` – Share Access + - **ADMIN$** share used by PsExec +- **system.evtx** + - `7045` Service installation: 4-character mixed-case alpha name referencing an 8-character mixed-case alpha .exe file + - %systemroot%\\xxxxxxxx.exe + - `7036` Service start/stop events +- **If Enabled**: + - `4688` in Security: tracks service and cmd.exe execution +""" + print_info(title, content) + +def source_registry(): + """ + Displays source registry information related to PsExec. + """ + title = "PsExec Source Registry" + content = """ +- **NTUSER.DAT** + - Software\\SysInternals\\PsExec\\EulaAccepted +- **ShimCache** – SYSTEM + - psexec.exe +- **BAM_DAM** – SYSTEM – Last Time Executed + - psexec.exe +- **AmCache.hve** – First Time Executed + - psexec.exe +""" + print_info(title, content) + +def destination_registry(): + """ + Displays destination registry information related to PsExec. + """ + title = "PsExec Destination Registry" + content = """ +- New service creation configured in `SYSTEM\\CurrentControlSet\\Services\\PSEXESVC` + - “-r” option can allow attacker to rename service +- **ShimCache** – SYSTEM + - psexesvc.exe +- **AmCache.hve** + - First Time Executed + - psexesvc.exe +""" + print_info(title, content) + +def source_file_system(): + """ + Displays source file system artifacts related to PsExec. 
+ """ + title = "PsExec Source File System" + content = """ +- **Prefetch** – C:\\Windows\\Prefetch\\ + - psexec.exe-{hash}.pf + - Possible references to other files accessed by psexec.exe, such as executables copied to target system with the “-c” option +- **File Creation** + - psexec.exe file downloaded and created on the local host as the file is not native to Windows +""" + print_info(title, content) + +def destination_file_system(): + """ + Displays destination file system artifacts related to PsExec. + """ + title = "PsExec Destination File System" + content = """ +- **Prefetch** – C:\\Windows\\Prefetch\\ + - psexesvc.exe-{hash}.pf + - evil.exe-{hash}.pf +- **File Creation** + - User profile directory structure created unless "-e" option used + - psexesvc.exe will be placed in **ADMIN$** (\\Windows) by default, as well as other executables (evil.exe) pushed by PsExec +- **User Access Logging (Servers only)** + - C:\\Windows\\System32\\LogFiles\\Sum + - User Name + - Source IP Address + - First and Last Access Time +""" + print_info(title, content) + +def psexec_analysis(): + """ + Displays analysis of PsExec execution. 
+ """ + title = "PsExec Analysis" + content = """ +- **Command Example**: + - `psexec.py domain/username:password@[hostname | IP] command` + - Can specify a command to run, or leave blank for shell + - PSEXEC like functionality example using RemComSvc + - Creates and subsequently deletes a Windows Service with a random 4-character mixed-case alpha name referencing an 8-character mixed-case alpha .exe file in %systemroot% + - Detected and blocked by Windows Defender by default + +- **Windows Event Log Residue**: + - Event ID `4776` in Security on target (for user specified in command) + - Event ID `4672` in Security on target (for user specified in command) + - Event ID `4624` Type 3 in Security on target (for user specified in command) + - Event ID `7045` in System on target (service installation: 4-character mixed-case alpha name referencing an 8-character mixed-case alpha .exe file): + - %systemroot%\\xxxxxxxx.exe + - Event ID `7036` in System on target + - [If Enabled] Event ID `4688` in Security on target: + - `services.exe → C:\\Windows\\xxxxxxxx.exe` + - `C:\\Windows\\xxxxxxxx.exe → command` + - `cmd.exe → conhost.exe 0xffffffff -ForceV1` + - Numerous other `4624`, `4634`, `4672` events +""" + print_info(title, content) + +def service_installation_details(): + """ + Displays details about PsExec service installation events. + """ + title = "PsExec Service Installation Details" + content = """ +- PsExec creates a temporary Windows service for execution: + - Service name: Random 4-character mixed-case alpha name + - Executable: Random 8-character mixed-case alpha .exe file +- Registry Path: + - SYSTEM\\CurrentControlSet\\Services\\ +- Event Log Evidence: + - Event ID 7045 in `system.evtx` logs the service installation. + - Includes: + - Service Name + - Executable Path + - Service Type and Start Mode +- Forensic Insights: + - Compare service names and paths across multiple systems to detect outliers. + - Look for services with short, random names. 
+""" + print_info(title, content) + +def psexec_network_artifacts(): + """ + Displays network-related artifacts from PsExec usage. + """ + title = "PsExec Network Artifacts" + content = """ +- **Network Connections**: + - PsExec uses SMB for communication and file transfer. + - Ports: + - 445 (SMB over TCP/IP) + - 139 (NetBIOS over TCP/IP) +- **Shared Resources**: + - Default shares such as **ADMIN$** and **C$** are utilized. + - Logs in `security.evtx`: + - Event ID 5140: Share access. + - Event ID 5145: Access to specific shared files. + +- **Forensic Tips**: + - Monitor for abnormal access to ADMIN$ or C$ from unexpected hosts. + - Analyze SMB traffic for PsExec file transfers. +""" + print_info(title, content) + +def psexec_eviction_techniques(): + """ + Displays techniques for detecting and evicting PsExec usage. + """ + title = "PsExec Eviction Techniques" + content = """ +- **Detection**: + - Use centralized logging solutions (e.g., Splunk, ELK) to correlate Event IDs across systems. + - Enable advanced audit policies to log service and process creation events. + +- **Eviction**: + - Audit and remove unauthorized services under: + - SYSTEM\\CurrentControlSet\\Services\\ + - Verify the integrity of executables in: + - C:\\Windows\\System32 + - C:\\Windows\\Prefetch + - Block unauthorized access to default shares like ADMIN$ and C$. + +- **Prevention**: + - Use endpoint protection tools to block PsExec executables. + - Restrict access to administrative shares to trusted hosts and accounts only. +""" + print_info(title, content) + +def psexec_malware_case_study(): + """ + Provides a case study example of malware leveraging PsExec. + """ + title = "PsExec Malware Case Study" + content = """ +- **Real-World Example**: + - Malware Name: Emotet + - Attack Vector: Lateral Movement + - Emotet leveraged PsExec to deploy secondary payloads across compromised networks. + +- **Tactics**: + - Copied malicious payloads to ADMIN$ share. 
+ - Used PsExec to execute payloads on remote systems.
+ - Cleaned up by removing PsExec artifacts (e.g., services and files).
+
+- **Forensic Indicators**:
+ - Sudden increase in Event IDs 4624, 4672, and 5140 across multiple systems.
+ - Unusual services with short, random names.
+ - Files with mismatched creation and modification times in ADMIN$.
+"""
+ print_info(title, content)
diff --git a/TTPs/Persistence/rdp.py b/TTPs/Persistence/rdp.py
index 1acb8d2..75c0cab 100644
--- a/TTPs/Persistence/rdp.py
+++ b/TTPs/Persistence/rdp.py
@@ -1,4 +1,8 @@
-from Modules.Imports.protocol_imports import *
+import sys
+from Modules.Imports.ttp_imports import *
+from Modules.submenu import build_submenu
+
+import TTPs.Persistence.rdp as rdp
 
 def rdp_submenu():
 actions = {
@@ -9,10 +13,9 @@ def rdp_submenu():
 "5": {"description": "Source Artifacts", "function": source_artifacts},
 "6": {"description": "Destination Artifacts", "function": destination_artifacts},
 "7": {"description": "Extra", "function": extra_rdp_info},
- "8": {"description": "All", "function": all_rdp_info},
 }
 build_submenu("RDP Persistence", actions)
-
+
 # Individual submenu functions
 def source_event_logs():
 title = "RDP Source Event Logs"
@@ -135,13 +138,4 @@ def extra_rdp_info():
 - 21: Session logon succeeded
 - 22: Shell start notification received
 """
- print_info(title, content)
-
-def all_rdp_info():
- source_event_logs()
- destination_event_logs()
- source_registry()
- destination_registry()
- source_artifacts()
- destination_artifacts()
- extra_rdp_info()
\ No newline at end of file
+ print_info(title, content)
\ No newline at end of file
diff --git a/TTPs/Persistence/schedule_task.py b/TTPs/Persistence/schedule_task.py
new file mode 100644
index 0000000..cdeb9b8
--- /dev/null
+++ b/TTPs/Persistence/schedule_task.py
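Review bot: `import TTPs.Persistence.rdp as rdp` in the first hunk makes rdp.py import itself, and neither the `rdp` alias nor the new `import sys` is referenced anywhere in the visible hunks, so both lines should be dropped; the same unused `import sys` appears at the top of the new service.py and smbexec.py files, where the whole module is visible. The self-import only works because Python hands back the partially initialised module from `sys.modules`, which is a latent circular-import trap if the import is ever moved or the module is loaded under a different name. The third hunk leaves the file still ending without a trailing newline, which is worth fixing while the line is being touched. `rdp_submenu`'s body continues outside the first hunk.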
@@ -0,0 +1,146 @@
+from Modules.Imports.ttp_imports import *
+from Modules.submenu import build_submenu
+
+def schedule_tasks_submenu():
+ """
+ Submenu for Scheduled Tasks Persistence Indicators.
+ """
+ actions = {
+ "1": {"description": "Source Event Logs", "function": source_event_logs},
+ "2": {"description": "Destination Event Logs", "function": destination_event_logs},
+ "3": {"description": "Source Registry", "function": source_registry},
+ "4": {"description": "Destination Registry", "function": destination_registry},
+ "5": {"description": "Source Artifacts", "function": source_artifacts},
+ "6": {"description": "Destination Artifacts", "function": destination_artifacts},
+ "7": {"description": "Atexec Analysis", "function": atexec_analysis},
+ "8": {"description": "Extra", "function": extra_scheduled_tasks_info},
+ }
+ build_submenu("Scheduled Tasks Persistence", actions)
+
+def source_event_logs():
+ title = "Scheduled Tasks Source Event Logs"
+ content = """
+- `security.evtx`
+ - `4648` - Logon specifying alternate credentials
+ - Current logged-on User Name
+ - Alternate User Name
+ - Destination Host Name/IP
+ - Process Name
+"""
+ print_info(title, content)
+
+def destination_event_logs():
+ title = "Scheduled Tasks Destination Event Logs"
+ content = """
+- `security.evtx`
+ - `4624` Logon Type 3
+ - Source IP/Logon User Name
+ - `4672`
+ - Logon User Name
+ - Logon by a user with administrative rights
+ - Requirement for accessing default shares such as **C$** and **ADMIN$**
+ - `4698` - Scheduled task created
+ - `4702` - Scheduled task updated
+ - `4699` - Scheduled task deleted
+ - `4700/4701` - Scheduled task enabled/disabled
+- `Microsoft-Windows-TaskScheduler%4Operational.evtx`
+ - `106` - Scheduled task created
+ - `140` - Scheduled task updated
+ - `141` - Scheduled task deleted
+ - `200/201` - Scheduled task executed/completed
+"""
+ print_info(title, content)
+
+def source_registry():
+ title = "Scheduled Tasks Source Registry"
+ content = """
+- [[ShimCache]] - SYSTEM
+ - at.exe
+ - schtasks.exe
+- [[BAM|DAM]] - SYSTEM - Last Time Executed
+ - at.exe
+ - schtasks.exe
+- [[AmCache.hve]] - First Time Executed
+ - at.exe
+ - schtasks.exe
+"""
+ print_info(title, content)
+
+def destination_registry():
+ title = "Scheduled Tasks Destination Registry"
+ content = """
+- SOFTWARE
+ - `Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks`
+ - `Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\`
+- [[ShimCache]] – SYSTEM
+ - evil.exe
+- [[AmCache.hve]] - First Time Executed
+ - evil.exe
+"""
+ print_info(title, content)
+
+def source_artifacts():
+ title = "Scheduled Tasks Source File System Artifacts"
+ content = """
+- [[Prefetch]] - C:\\Windows\\Prefetch\\
+ - at.exe-{hash}.pf
+ - schtasks.exe-{hash}.pf
+"""
+ print_info(title, content)
+
+def destination_artifacts():
+ title = "Scheduled Tasks Destination File System Artifacts"
+ content = """
+- File Creation
+ - evil.exe
+- Job files created in
+ - `C:\\Windows\\Tasks`
+- XML task files created in
+ - `C:\\Windows\\System32\\Tasks`
+ - `C:\\Windows\\SysWOW64\\Tasks`
+ - Author tag can identify:
+ - Source system name
+ - Creator username
+- [[Prefetch]] – `C:\\Windows\\Prefetch\\`
+ - evil.exe-{hash}.pf
+"""
+ print_info(title, content)
+
+def atexec_analysis():
+ title = "Atexec Analysis"
+ content = """
+### Command Syntax:
+- `atexec.py domain/username:password@[hostname | IP] command`
+
+### Characteristics:
+- Executes commands remotely but does not provide shell access.
+- Creates a Scheduled Task with a random 8-character mixed-case alpha string.
+- Uses `cmd.exe /C` to run commands, outputting results to `C:\\Windows\\Temp\\.tmp` before deleting the file.
+- **NOT detected and blocked by Windows Defender by default**.
+
+### Windows Event Log Residue:
+1. Event IDs in `Security.evtx`:
+ - `4776` - NTLM Authentication
+ - `4672` - Special privileges assigned to logon.
+ - `4624` - Successful logon (Type 3).
+2. Microsoft-Windows-TaskScheduler/Operational:
+ - `106`, `325`, `129`, `100`, `200`, `110`, `141`, `111`, `201`, `102` (Task lifecycle).
+3. **IF ENABLED**:
+ - `4688` - Process creation (`cmd.exe` spawning tasks or executing commands).
+ - `4698` - Scheduled task created.
+ - `4699` - Scheduled task deleted.
+
+### Example Detection Indicators:
+- Multiple rounds of Event IDs (4776, 4672, 4624).
+- Temporary `.tmp` files in `C:\\Windows\\Temp` with scheduled task output.
+"""
+ print_info(title, content)
+
+def extra_scheduled_tasks_info():
+ title = "Scheduled Tasks Extra Information"
+ content = """
+# Scheduled Tasks Commands
+- `at \\\\host 13:00 "c:\\temp\\evil.exe"`
+- `schtasks /CREATE /TN taskname /TR c:\\temp\\evil.exe /SC once /RU “SYSTEM” /ST 13:00 /S host /U username`
+"""
+ print_info(title, content)
diff --git a/TTPs/Persistence/service.py b/TTPs/Persistence/service.py
new file mode 100644
index 0000000..fa106a8
--- /dev/null
+++ b/TTPs/Persistence/service.py
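Review bot: The schtasks example in `extra_scheduled_tasks_info` wraps SYSTEM in typographic quotes (`/RU “SYSTEM”`), which a reader who pastes the line will find does not parse; it should read `/RU "SYSTEM"`. In `atexec_analysis` the output path `C:\\Windows\\Temp\\.tmp` appears to have lost a filename component in front of `.tmp` (it reads as a bare extension), so confirm the intended form and restore the placeholder. None of the eight display functions carries a docstring, although the submenu function and every sibling function in the new smbexec.py module do; a one-liner such as `"""Display source-side event log indicators for scheduled-task persistence."""` on each would keep the modules consistent.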
@@ -0,0 +1,154 @@
+import sys
+from Modules.Imports.ttp_imports import *
+from Modules.submenu import build_submenu
+
+def service_submenu():
+ """
+ Submenu for Service-based Persistence Indicators.
+ """
+ actions = {
+ "1": {"description": "Source Event Logs", "function": source_event_logs},
+ "2": {"description": "Destination Event Logs", "function": destination_event_logs},
+ "3": {"description": "Source Registry", "function": source_registry},
+ "4": {"description": "Destination Registry", "function": destination_registry},
+ "5": {"description": "Source File System", "function": source_file_system},
+ "6": {"description": "Destination File System", "function": destination_file_system},
+ "7": {"description": "Service Replacement Examples", "function": service_replacement_examples},
+ "8": {"description": "Exploitation of Windows Services", "function": exploit_windows_services},
+ }
+ build_submenu("Service-Based Persistence", actions)
+
+def source_event_logs():
+ title = "Source Event Logs"
+ content = """
+No specific source event logs are generated for service-based persistence.
+"""
+ print_info(title, content)
+
+def destination_event_logs():
+ title = "Destination Event Logs"
+ content = """
+- `security.evtx`
+ - `4624` Logon Type 3
+ - Source IP/Logon User Name
+ - `4697`
+ - Records service installation (non-default)
+ - Useful for centralized log monitoring.
+
+- `system.evtx`
+ - `7034` - Service crashed unexpectedly.
+ - `7035` - Service sent a Start/Stop control.
+ - `7036` - Service started or stopped.
+ - `7040` - Start type changed (Boot | On Request | Disabled).
+ - `7045` - A service was installed on the system.
+"""
+ print_info(title, content)
+
+def source_registry():
+ title = "Source Registry"
+ content = """
+Registry Artifacts:
+- [[ShimCache]] - SYSTEM
+ - Tracks `sc.exe`.
+- [[BAM_DAM]] - SYSTEM - Last Time Executed
+ - Tracks `sc.exe`.
+- [[AmCache.hve]]
+ - Tracks first execution of `sc.exe`.
+""" + print_info(title, content) + +def destination_registry(): + title = "Destination Registry" + content = """ +Registry Artifacts: +- SYSTEM + - `\\CurrentControlSet\\Services\\` - New service creation. +- [[ShimCache]] - SYSTEM + - Tracks `evil.exe`. +- [[AmCache.hve]] - First Time Executed + - Tracks `evil.exe`. +""" + print_info(title, content) + +def source_file_system(): + title = "Source File System" + content = """ +Prefetch Artifacts: +- Prefetch - `C:\\Windows\\Prefetch\\` + - `sc.exe-{hash}.pf`. +""" + print_info(title, content) + +def destination_file_system(): + title = "Destination File System" + content = """ +File Creation Artifacts: +- Malicious executables or DLLs: + - `evil.exe` or `evil.dll`. +- Prefetch - `C:\\Windows\\Prefetch\\` + - Tracks execution of `evil.exe` or service DLLs. +""" + print_info(title, content) + +def service_replacement_examples(): + title = "Service Replacement Examples" + content = """ +Service replacement involves modifying legitimate services to execute malicious payloads. + +### Example 1: Binary Path Manipulation +Modify the `ImagePath` registry key to point to a malicious executable: +- Key Path: `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\\\ImagePath` +- New Value: `C:\\temp\\evil.exe` + +### Example 2: DLL Hijacking in Services +Replace a legitimate service DLL with a malicious one: +- Locate service DLL in `\\CurrentControlSet\\Services\\\\Parameters\\ServiceDll`. +- Replace the file with `evil.dll`. + +### Example 3: Startup Type Abuse +Change the `Start` registry key to automatically start a malicious service: +- Key Path: `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\\\Start` +- Value: `2` (Automatic Start). 
+
+### Example 4: Service Install Command
+Use `sc` to create and start a malicious service:
+- Command: `sc \\host create servicename binpath="c:\\temp\\evil.exe"`
+"""
+ print_info(title, content)
+
+def exploit_windows_services():
+ title = "Exploitation of Windows Services"
+ content = """
+Windows services can be exploited in the following ways:
+
+### 1. Privilege Escalation via Insecure Permissions
+- Services with weak `DACL` permissions can be reconfigured by low-privileged users.
+- Example: Modify `ImagePath` to point to a malicious binary.
+
+### 2. DLL Search Order Hijacking
+- Service executable dynamically loads a DLL without specifying a full path.
+- Place a malicious DLL in the service's working directory.
+
+### 3. Service Control Abuse
+- Use `sc` or similar tools to start/stop services, potentially disrupting legitimate operations.
+
+### 4. Unquoted Service Paths
+- If the binary path contains spaces and is unquoted, an attacker can place a malicious executable in the path.
+- Example:
+ - Path: `C:\\Program Files\\Legitimate Service\\binary.exe`.
+ - Malicious executable: `C:\\Program.exe`.
+
+### 5. Creating New Services
+- Install a new malicious service using `sc` or `psexec`.
+- Example:
+ - `sc create maliciousservice binpath="c:\\temp\\evil.exe" start=auto`
+
+### 6. Abusing Trusted Services
+- Replace binaries or DLLs of highly trusted services, such as antivirus or backup services.
+
+### Detection Tips:
+- Monitor `system.evtx` for service start/stop events.
+- Check `security.evtx` for suspicious service creation.
+- Regularly audit `\\CurrentControlSet\\Services\\` for unexpected entries.
+"""
+ print_info(title, content)
diff --git a/TTPs/Persistence/smbexec.py b/TTPs/Persistence/smbexec.py
new file mode 100644
index 0000000..c49158e
--- /dev/null
+++ b/TTPs/Persistence/smbexec.py
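Review bot: The registry paths in `service_replacement_examples` carry a doubled separator — `Services\\\\ImagePath`, `Services\\\\Parameters\\ServiceDll`, `Services\\\\Start` — which prints as `Services\\ImagePath`; the service-name placeholder between the two separators appears to have been lost (an angle-bracketed token swallowed by a renderer is the usual cause), so it should read `Services\\<ServiceName>\\ImagePath` and likewise for the other two. The `sc \\host create ...` example in the same function is inconsistent with schedule_task.py's `at \\\\host`, which correctly prints the UNC form; inside a non-raw string `\\host` prints as `\host`. The `Detection Tips` at the end of `exploit_windows_services` name `security.evtx` for service creation but the specific ID this file already documents, `4697`, would make the tip actionable: `- Check security.evtx for 4697 (service installed) and system.evtx for 7045.` None of the display functions has a docstring, unlike the submenu function.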
@@ -0,0 +1,186 @@
+import sys
+from Modules.Imports.ttp_imports import *
+from Modules.submenu import build_submenu
+
+def smbexec_submenu():
+ """
+ Submenu for SMBExec detection techniques.
+ """
+ actions = {
+ "1": {"description": "Source Event Logs", "function": source_event_logs},
+ "2": {"description": "Destination Event Logs", "function": destination_event_logs},
+ "3": {"description": "Source Registry", "function": source_registry},
+ "4": {"description": "Destination Registry", "function": destination_registry},
+ "5": {"description": "Source File System", "function": source_file_system},
+ "6": {"description": "Destination File System", "function": destination_file_system},
+ "7": {"description": "Service Creation Details", "function": smbexec_service_creation},
+ "8": {"description": "Network Artifacts", "function": smbexec_network_artifacts},
+ "9": {"description": "Eviction Techniques", "function": smbexec_eviction_techniques},
+ "10": {"description": "Malware Case Study", "function": smbexec_malware_case_study},
+ }
+ build_submenu("SMBExec Persistence", actions)
+
+# Individual submenu functions
+
+def source_event_logs():
+ """
+ Displays source event logs related to SMBExec.
+ """
+ title = "SMBExec Source Event Logs"
+ content = """
+- **security.evtx**
+ - `4776` - Logon specifying alternate credentials
+ - Current logged-on User Name
+ - Alternate User Name
+ - Destination Host Name/IP
+ - Process Name
+"""
+ print_info(title, content)
+
+def destination_event_logs():
+ """
+ Displays destination event logs related to SMBExec.
+ """ + title = "SMBExec Destination Event Logs" + content = """ +- **security.evtx** + - `4776` - Logon specifying alternate credentials + - Connecting User Name + - Process Name + - `4624` Logon Type 3 + - Source IP/Logon User Name + - `4672` + - Logon User Name + - Logon by a user with administrative rights + - `4634` Type 3 (session end) +- **system.evtx** + - `7045` - Service installation + - Default service name: "BTOBTO" or a random 8-character mixed-case string. + - `7036` Service start/stop events +""" + print_info(title, content) + +def source_registry(): + """ + Displays source registry information related to SMBExec. + """ + title = "SMBExec Source Registry" + content = """ +- **NTUSER.DAT** + - Software\\SysInternals\\SMBExec\\EulaAccepted +- **ShimCache** – SYSTEM + - smbexec.exe +- **BAM_DAM** – SYSTEM – Last Time Executed + - smbexec.exe +- **AmCache.hve** – First Time Executed + - smbexec.exe +""" + print_info(title, content) + +def destination_registry(): + """ + Displays destination registry information related to SMBExec. + """ + title = "SMBExec Destination Registry" + content = """ +- SYSTEM\\CurrentControlSet\\Services\\ + - Default: "BTOBTO" or random 8-character string. +- **ShimCache** – SYSTEM + - smbexecsvc.exe +- **AmCache.hve** + - First Time Executed + - smbexecsvc.exe +""" + print_info(title, content) + +def source_file_system(): + """ + Displays source file system artifacts related to SMBExec. + """ + title = "SMBExec Source File System" + content = """ +- **Prefetch** – C:\\Windows\\Prefetch\\ + - smbexec.exe-{hash}.pf +- **File Creation** + - smbexec.exe file downloaded and created on the local host. +""" + print_info(title, content) + +def destination_file_system(): + """ + Displays destination file system artifacts related to SMBExec. 
+ """ + title = "SMBExec Destination File System" + content = """ +- **Prefetch** – C:\\Windows\\Prefetch\\ + - smbexecsvc.exe-{hash}.pf + - execute.bat-{hash}.pf +- **File Creation** + - `execute.bat` created in C:\\Windows\\TEMP\\ + - User-specified commands echoed to `execute.bat`. + - Temporary batch file removed after execution. +""" + print_info(title, content) + +def smbexec_service_creation(): + """ + Displays details about SMBExec service creation events. + """ + title = "SMBExec Service Creation Details" + content = """ +- Service Name: + - Default: "BTOBTO" + - Updated to a random 8-character mixed-case string in May 2023. +- Executable: `execute.bat` created for every command. +- Event Log Evidence: + - `7045` in `system.evtx` logs service creation. + - Command executed via: + - `%COMSPEC% /Q /c echo cd ^> \\127.0.0.1\\C$\\__output 2^>^&1 > %TEMP%\\execute.bat`. +""" + print_info(title, content) + +def smbexec_network_artifacts(): + """ + Displays network artifacts related to SMBExec activity. + """ + title = "SMBExec Network Artifacts" + content = """ +- **Network Connections**: + - SMB protocol communication with the target. + - Evidence of ADMIN$ share access. +- **Network Traffic Analysis**: + - Monitor for suspicious SMB traffic to/from servers. + - Detect repeated connections with new service creation. +""" + print_info(title, content) + +def smbexec_eviction_techniques(): + """ + Displays information about SMBExec eviction techniques. + """ + title = "SMBExec Eviction Techniques" + content = """ +- Remove temporary files: + - `execute.bat` is deleted after execution. +- Service cleanup: + - Services created for each command are removed after execution. +""" + print_info(title, content) + +def smbexec_malware_case_study(): + """ + Displays a malware case study involving SMBExec. + """ + title = "SMBExec Malware Case Study" + content = """ +- **Case Study**: + - Malware using SMBExec for lateral movement. 
+ - Leveraged temporary service creation for executing commands.
+ - Indicators:
+ - Random service names.
+ - Temporary batch files in `C:\\Windows\\TEMP`.
+- **Detection**:
+ - Monitor Event ID 7045 for abnormal service names.
+ - Correlate with batch file creation and execution in `TEMP` directory.
+"""
+ print_info(title, content)
diff --git a/TTPs/Persistence/wmi.py b/TTPs/Persistence/wmi.py
new file mode 100644
index 0000000..af1cfea
--- /dev/null
+++ b/TTPs/Persistence/wmi.py
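Review bot: `source_event_logs` lists `4776` as "Logon specifying alternate credentials", but that description belongs to `4648` (schedule_task.py and wmi.py both list `4648` with exactly this wording on the source side), while this file's own destination section and the atexec section treat `4776` as NTLM authentication on the target — the source-side ID looks like a typo for `4648`. In `smbexec_service_creation` the UNC path `\\127.0.0.1\\C$\\__output` prints with a single leading backslash because the string is not raw; it needs `\\\\127.0.0.1\\C$\\__output`. The `Software\\SysInternals\\SMBExec\\EulaAccepted` entry in `source_registry` looks carried over from the PsExec module, since impacket's smbexec.py is a Python script rather than a Sysinternals binary with a EULA prompt; confirm or drop it. `smbexec_eviction_techniques` describes the tool's own cleanup (batch file and service removed after each command) rather than defender-side eviction steps, so a short sentence pointing at what is left behind — the `7045` entries and the prefetch records listed elsewhere in this file — would make the section match its title.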
@@ -0,0 +1,188 @@
+from Modules.Imports.ttp_imports import *
+from Modules.submenu import build_submenu
+
+def wmi_submenu():
+ """
+ Submenu for Windows Management Instrumentation (WMI) Persistence Indicators.
+ """
+ actions = {
+ "1": {"description": "Source Event Logs", "function": source_event_logs},
+ "2": {"description": "Destination Event Logs", "function": destination_event_logs},
+ "3": {"description": "Source Registry", "function": source_registry},
+ "4": {"description": "Destination Registry", "function": destination_registry},
+ "5": {"description": "Source File System", "function": source_file_system},
+ "6": {"description": "Destination File System", "function": destination_file_system},
+ "7": {"description": "WMI Event Consumer Backdoors", "function": wmi_event_backdoors},
+ "8": {"description": "WMIEXEC Analysis", "function": wmiexec_analysis},
+ "9": {"description": "Additional Detection Tips", "function": additional_detection_tips},
+ }
+ build_submenu("WMI Persistence", actions)
+
+# Individual submenu functions
+
+def source_event_logs():
+ title = "WMI Source Event Logs"
+ content = """
+`security.evtx`:
+- `4648` – Logon specifying alternate credentials
+ - Current logged-on User Name
+ - Alternate User Name
+ - Destination Host Name/IP
+ - Process Name
+"""
+ print_info(title, content)
+
+def destination_event_logs():
+ title = "WMI Destination Event Logs"
+ content = """
+`security.evtx`:
+- `4624` Logon Type 3
+ - Source IP/Logon User Name
+- `4672`
+ - Logon User Name
+ - Logon by a user with administrative rights
+
+`Microsoft-Windows-WMI-Activity/Operational.evtx`:
+- `5857`
+ - Indicates time of wmiprvse execution and path to provider DLL – attackers sometimes install malicious WMI provider DLLs.
+- `5860`, `5861`
+ - Registration of Temporary (5860) and Permanent (5861) Event Consumers.
+ - Typically used for persistence, but can also be used for remote execution.
+""" + print_info(title, content) + +def source_registry(): + title = "WMI Source Registry" + content = """ +- **ShimCache** – SYSTEM + - `wmic.exe` +- **BAM_DAM** – SYSTEM – Last Time Executed + - `wmic.exe` +- **AmCache.hve** – First Time Executed + - `wmic.exe` +""" + print_info(title, content) + +def destination_registry(): + title = "WMI Destination Registry" + content = """ +- **ShimCache** – SYSTEM + - `scrcons.exe` + - `mofcomp.exe` + - `wmiprvse.exe` + - `evil.exe` +- **AmCache.hve** – First Time Executed + - `scrcons.exe` + - `mofcomp.exe` + - `wmiprvse.exe` + - `evil.exe` +""" + print_info(title, content) + +def source_file_system(): + title = "WMI Source File System" + content = """ +- **Prefetch**: + - `C:\\Windows\\Prefetch\\wmic.exe-{hash}.pf` +""" + print_info(title, content) + +def destination_file_system(): + title = "WMI Destination File System" + content = """ +- **File Creation**: + - `evil.exe` + - `evil.mof` - .mof files can be used to manage the WMI Repository. + +- **Prefetch**: + - `C:\\Windows\\Prefetch\\scrcons.exe-{hash}.pf` + - `C:\\Windows\\Prefetch\\mofcomp.exe-{hash}.pf` + - `C:\\Windows\\Prefetch\\wmiprvse.exe-{hash}.pf` + - `C:\\Windows\\Prefetch\\evil.exe-{hash}.pf` + +- **Unauthorized changes to the WMI Repository**: + - `C:\\Windows\\System32\\wbem\\Repository` +""" + print_info(title, content) + +def wmi_event_backdoors(): + title = "WMI Event Consumer Backdoors" + content = """ +### WMI Event Triggers: +- Event triggers can be used to execute arbitrary code when specific conditions are met. + +### WMI Event Filters: +- Define conditions under which events trigger. +- Example: Trigger on process start. + +### WMI Event Consumers: +- Define actions for triggered events. +- Example: Execute a script. + +### WMI Event Bindings: +- Link filters and consumers. +- Example: Detect process start and execute a script. 
+
+### Example Malicious MOF File:
+
+#PRAGMA AUTORECOVER #PRAGMA NAMESPACE("\\.\root\subscription")
+
+instance of __EventFilter as $Filter { Name = "SCM Event Filter"; QueryLanguage = "WQL"; Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_Service' AND TargetInstance.Name='sens'"; };
+
+instance of CommandLineEventConsumer as $Consumer { Name = "SCM Event Consumer"; ExecutablePath = "c:\windows\system32\cmd.exe"; CommandLineTemplate = "net stop sens && net start sens"; };
+
+instance of __FilterToConsumerBinding { Filter = $Filter; Consumer = $Consumer; };
+
+
+### Detection and Mitigation:
+- Use tools like Sysmon or Autoruns to monitor WMI activity.
+- Regular audits of WMI filters and consumers can identify unauthorized entries.
+"""
+ print_info(title, content)
+
+def wmiexec_analysis():
+ title = "WMIEXEC Analysis"
+ content = """
+`wmiexec.py` Usage:
+- **Command**: `wmiexec.py domain/username:password@[hostname | IP] command`
+- Executes a semi-interactive shell using WMI.
+- Uses UNIX Epoch Time in commands.
+- NOT detected and blocked by Windows Defender by default.
+
+### Windows Event Log Residue:
+- **Multiple rounds**:
+ - Event ID `4776` in Security on target (for user specified in command).
+ - Event ID `4672` in Security on target (for user specified in command).
+ - Event ID `4624` Type 3 in Security on target (for user specified in command).
+
+- **Always present**:
+ - Event ID `4688` in Security on target:
+ - `wmiprvse.exe` → `cmd.exe /Q /c cd \\ 1> \\127.0.0.1\\ADMIN$\\__ssssssssss.sssssss 2>&1`.
+ - Event ID `4688` in Security on target:
+ - `cmd.exe` → `conhost.exe 0xffffffff -ForceV1`.
+
+- **If Enabled**:
+ - Event ID `5857/5858` in Microsoft-Windows-WMI-Activity\Operational on target.
+
+### Detection Tips:
+- Monitor for WMI commands triggering `wmiprvse.exe` and subsequent processes.
+- Look for unusual Event ID patterns tied to administrative privileges.
+""" + print_info(title, content) + +def additional_detection_tips(): + title = "Additional WMI Detection Tips" + content = """ +### Advanced Detection: +- Enable and monitor verbose WMI logging in the `Microsoft-Windows-WMI-Activity` log. +- Use Sysmon Event IDs `20` (WMI Activity) and `21` (WMI Consumer/Filter) for detection. + +### Correlation: +- Correlate WMI activity with unusual file system or registry changes. +- Watch for newly created `.mof` files or suspicious DLLs loaded by `wmiprvse.exe`. + +### Threat Intelligence: +- Understand common TTPs for WMI abuse from frameworks like MITRE ATT&CK. +- Research WMI use by known APTs or malware families. +""" + print_info(title, content)