Upload files to "TTPs/Persistence"

TTPs/Persistence/autostart.py

@@ -0,0 +1,101 @@
+from Modules.Imports.ttp_imports import *
+
+def autostart_submenu():
+    """
+    Submenu for Autostart Persistence Indicators.
+    """
+    actions = {
+        "1": {"description": "Registry Run Keys", "function": registry_run_keys},
+        "2": {"description": "Winlogon Userinit", "function": winlogon_userinit},
+        "3": {"description": "Startup Folder", "function": startup_folder},
+        "4": {"description": "Investigative Notes", "function": investigative_notes},
+        "4": {"description": "Autostart Extra", "function": autostart_extra},
+    }
+    build_submenu("Autostart Persistence", actions)
+
+def registry_run_keys():
+    """
+    Displays information about Registry Run Keys for Autostart.
+    """
+    title = "Registry Run Keys"
+    content = """
+The most common ASEPs (AutoStart Extension Points) are the “Run” Registry keys:
+- NTUSER.DAT\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
+- NTUSER.DAT\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce
+- Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce
+- Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run
+- Software\\Microsoft\\Windows\\CurrentVersion\\Run
+
+These keys are executed when a user logs on. Monitoring these keys is crucial for detecting persistence mechanisms.
+"""
+    print_info(title, content)
+
+def winlogon_userinit():
+    """
+    Displays information about the Winlogon Userinit ASEP.
+    """
+    title = "Winlogon Userinit"
+    content = """
+The Winlogon Userinit key can be used to maintain persistence:
+- SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit
+
+This key typically contains:
+- C:\\Windows\\system32\\userinit.exe
+
+However, it can be modified to include malicious binaries:
+- Example: C:\\Windows\\system32\\userinit.exe,C:\\Temp\\malicious.exe
+"""
+    print_info(title, content)
+
+def startup_folder():
+    """
+    Displays information about the Startup folder ASEP.
+    """
+    title = "Startup Folder"
+    content = """
+The Startup folder allows for persistence by placing shortcuts in this folder:
+- %AppData%\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup
+
+Files in this folder automatically execute when a user logs on. Malware often uses this location for persistence.
+"""
+    print_info(title, content)
+
+def investigative_notes():
+    """
+    Displays investigative notes about Autostart ASEPs.
+    """
+    title = "Investigative Notes"
+    content = """
+Investigating ASEPs across multiple systems can help identify compromised hosts. Key notes:
+- ASEPs are numerous and diverse, requiring thorough examination.
+- Tools like Registry Explorer and RegRipper can retrieve additional ASEPs from Registry hives.
+- Analyzing data across systems may reveal outliers indicative of malicious activity.
+
+
+"""
+    print_info(title, content)
+
+def autostart_extra():
+    """
+    Displays information about the Winlogon Userinit ASEP.
+    """
+    title = "Autostart Extra"
+    content = """
+- Items in these keys are executed when a user logs on, unlike other ASEPs that act at boot.
+- Multiple "run" keys exist in both the NTUSER.DAT and SOFTWARE hives.
+- Another, less common but equally dangerous key is:
+  - SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit.
+- This key typically contains a reference to `userinit.exe`, which by default:
+  - Executes `Userinit.exe`.
+  - Launches `Explorer.exe`.
+- However, it can be modified to include malicious binaries, such as:
+  - `C:\\Windows\\system32\\userinit.exe,C:\\Temp\\winsvchost.exe`, which would run at boot.
+
+- Finally, `%AppData%\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup` allows for persistence by placing shortcuts in this folder.
+- These shortcuts automatically execute the associated binaries when a user logs on.
+- Malware has recently gravitated back to this old attack vector.
+- Although these locations are very common for ASEPs, many more exist.
+- Tools like Registry Explorer and RegRipper can retrieve additional ASEPs from Registry hives.
+- Analyzing data across systems may reveal outliers leading to compromised systems.
+"""
+    print_info(title, content)