Upload files to "TTPs/Persistence"

TTPs/Persistence/dcom.py

@@ -0,0 +1,105 @@
+import sys
+from Modules.Imports.ttp_imports import *
+from Modules.submenu import build_submenu
+
+def dcom_submenu():
+    """
+    Submenu for DCOM-based Persistence Indicators.
+    """
+    actions = {
+        "1": {"description": "DCOM Execution Overview", "function": dcom_execution_overview},
+        "2": {"description": "Windows Event Log Residue", "function": windows_event_log_residue},
+        "3": {"description": "Analysis of Commands Executed", "function": analyze_commands_executed},
+        "4": {"description": "Detection and Mitigation", "function": detection_and_mitigation},
+    }
+    build_submenu("DCOM-Based Persistence", actions)
+
+def dcom_execution_overview():
+    """
+    Provides an overview of DCOM execution for persistence.
+    """
+    title = "DCOM Execution Overview"
+    content = """
+### DCOM Execution (dcomexec.py):
+- **Command**: `dcomexec.py -object [ShellWindows | ShellBrowserWindow | MMC20] domain/username:password@[hostname | IP] command`
+    - Specify a command to run or leave blank for shell.
+    - Executes a semi-interactive shell using DCOM objects.
+    - Must specify 'ShellWindows', 'ShellBrowserWindow', or 'MMC20' via the `-object` parameter.
+    - Uses the first 5 digits of the UNIX Epoch Time in commands.
+
+**Features**:
+- Not detected or blocked by Windows Defender by default.
+"""
+    print_info(title, content)
+
+def windows_event_log_residue():
+    """
+    Describes the Windows Event Log residue left by DCOM execution.
+    """
+    title = "Windows Event Log Residue"
+    content = """
+### Event Log Residue:
+- Two rounds of:
+    - Event ID `4776` in Security on target (for user specified in command).
+    - Event ID `4672` in Security on target (for user specified in command).
+    - Event ID `4624` Type 3 in Security on target (for user specified in command).
+
+#### If Enabled:
+- Event ID `4688` in Security on target:
+    - `svchost.exe → mmc.exe -Embedding`.
+    - `mmc.exe → cmd.exe /Q /c cd \\ 1> \\127.0.0.1\\ADMIN$\\__sssss 2>&1` (where “s” is the first 5 digits of the UNIX Epoch Time).
+    - `cmd.exe → conhost.exe 0xffffffff -ForceV1`.
+
+#### User Specified Commands:
+- Event ID `4688` in Security on target:
+    - `mmc.exe → cmd.exe /Q /c command 1> \\127.0.0.1\\ADMIN$\\__sssss 2>&1`.
+    - `cmd.exe → conhost.exe 0xffffffff -ForceV1`.
+
+- Two rounds of:
+    - Event ID `4634` Type 3 in Security on target (for user specified in command).
+"""
+    print_info(title, content)
+
+def analyze_commands_executed():
+    """
+    Analyzes commands executed via DCOM for forensic insights.
+    """
+    title = "Analysis of Commands Executed via DCOM"
+    content = """
+### Command Execution Details:
+- DCOM execution involves creating a semi-interactive shell or running specific commands via DCOM objects.
+- Commands use `mmc.exe` and `cmd.exe`:
+    - `mmc.exe → cmd.exe /Q /c command 1> \\127.0.0.1\\ADMIN$\\__sssss 2>&1`.
+    - The temporary file (__sssss) is created in the ADMIN$ share and cleaned up after execution.
+
+**Key Indicators**:
+- Look for temporary files in the ADMIN$ share with names matching the pattern `__sssss`.
+- Monitor suspicious use of `mmc.exe` with the `-Embedding` flag.
+"""
+    print_info(title, content)
+
+def detection_and_mitigation():
+    """
+    Provides detection and mitigation strategies for DCOM execution.
+    """
+    title = "Detection and Mitigation"
+    content = """
+### Detection:
+- Monitor `security.evtx` and `system.evtx` for:
+    - Event ID `4688` showing `mmc.exe` or `cmd.exe` with unusual arguments.
+    - Event ID `4624` and `4672` indicating logon attempts.
+    - Event ID `4634` showing logoff events.
+
+- Use tools like Sysmon to log detailed command-line activity:
+    - Enable logging for `mmc.exe`, `cmd.exe`, and `conhost.exe`.
+    - Look for suspicious command-line parameters, such as the `-Embedding` flag.
+
+### Mitigation:
+- Restrict DCOM usage via GPO:
+    - Navigate to: `Computer Configuration > Administrative Templates > Windows Components > DCOM`.
+    - Disable DCOM or restrict to trusted applications.
+
+- Regularly audit temporary files in ADMIN$ shares.
+- Use endpoint protection solutions to detect unusual DCOM activity.
+"""
+    print_info(title, content)