Upload files to "TTPs/Persistence"

2024-11-24 18:11:15 -05:00
parent 107db93a19
commit 9245f7eeee
13 changed files with 1678 additions and 13 deletions
--- a/TTPs/Persistence/powershell_remoting.py
+++ b/TTPs/Persistence/powershell_remoting.py
@ -0,0 +1,139 @@
+import sys
+from Modules.Imports.ttp_imports import *
+from Modules.submenu import build_submenu
+
+def powershell_remoting_submenu():
+    """
+    Submenu for PowerShell Remoting detection techniques.
+    """
+    actions = {
+        "1": {"description": "Source Event Logs", "function": source_event_logs},
+        "2": {"description": "Source Registry", "function": source_registry},
+        "3": {"description": "Source File System", "function": source_file_system},
+        "4": {"description": "Destination Event Logs", "function": destination_event_logs},
+        "5": {"description": "Destination Registry", "function": destination_registry},
+        "6": {"description": "Destination File System", "function": destination_file_system},
+    }
+    build_submenu("PowerShell Remoting Persistence", actions)
+
+# Individual submenu functions
+
+def source_event_logs():
+    """
+    Displays source event logs related to PowerShell Remoting.
+    """
+    title = "PowerShell Remoting Source Event Logs"
+    content = """
+- **security.evtx**
+    - `4648` - Logon specifying alternate credentials
+        - Current logged-on User Name
+        - Alternate User Name
+        - Destination Host Name/IP
+        - Process Name
+- **Microsoft-Windows-WinRM/Operational.evtx**
+    - `161` - Remote Authentication Error
+    - `6` - WSMan Session initialize
+        - Session created
+        - Destination Host Name or IP
+        - Current logged-on User Name
+    - `8`, `15`, `16`, `33` - WSMan Session deinitialization
+        - Closing of WSMan session
+        - Current logged-on User Name
+- **Microsoft-Windows-PowerShell/Operational.evtx**
+    - `40961`, `40962`
+        - Records the local initiation of powershell.exe and associated user account
+    - `8193` & `8194` - Session created
+    - `8197` - Connect
+        - Session closed
+"""
+    print_info(title, content)
+
+def source_registry():
+    """
+    Displays source registry information related to PowerShell Remoting.
+    """
+    title = "PowerShell Remoting Source Registry"
+    content = """
+- **ShimCache** – SYSTEM
+    - powershell.exe
+- **BAM_DAM** – SYSTEM – Last Time Executed
+    - powershell.exe
+- **AmCache.hve** – First Time Executed
+    - powershell.exe
+"""
+    print_info(title, content)
+
+def source_file_system():
+    """
+    Displays source file system artifacts related to PowerShell Remoting.
+    """
+    title = "PowerShell Remoting Source File System"
+    content = """
+- **Prefetch** – C:\\Windows\\Prefetch\\
+    - powershell.exe-{hash}.pf
+    - PowerShell scripts (.ps1 files) that run within 10 seconds of powershell.exe launching will be tracked in powershell.exe prefetch file
+- **Command history**
+    - C:\\Users\\<Username>\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadline\\ConsoleHost_history.txt
+        - With PS v5+, a history file with previous 4096 commands is maintained per user
+"""
+    print_info(title, content)
+
+def destination_event_logs():
+    """
+    Displays destination event logs related to PowerShell Remoting.
+    """
+    title = "PowerShell Remoting Destination Event Logs"
+    content = """
+- **security.evtx**
+    - `4624` – Logon Type 3
+        - Source IP/Logon User Name
+    - `4672`
+        - Logon User Name
+        - Logon by a user with administrative rights
+- **Microsoft-Windows-PowerShell%4Operational.evtx**
+    - `4103`, `4104` – Script Block logging
+        - Logs suspicious scripts by default in PS v5
+        - Logs all scripts if configured
+    - `53504` - Records the authenticating user
+- **Windows PowerShell.evtx**
+    - `400/403` - "ServerRemoteHost" indicates start/end of remoting session
+    - `800` - Includes partial script code
+- **Microsoft-Windows-WinRM/Operational.evtx**
+    - `91` – Session creation
+    - `142` – WSMan Operation Failure
+    - `169` – Records the authenticating user
+"""
+    print_info(title, content)
+
+def destination_registry():
+    """
+    Displays destination registry information related to PowerShell Remoting.
+    """
+    title = "PowerShell Remoting Destination Registry"
+    content = """
+- **ShimCache** – SYSTEM
+    - wsmprovhost.exe
+    - evil.exe
+- **SOFTWARE**
+    - Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell\\ExecutionPolicy
+        - Attacker may change execution policy to a less restrictive setting, such as "bypass"
+- **AmCache.hve** – First Time Executed
+    - wsmprovhost.exe
+    - evil.exe
+"""
+    print_info(title, content)
+
+def destination_file_system():
+    """
+    Displays destination file system artifacts related to PowerShell Remoting.
+    """
+    title = "PowerShell Remoting Destination File System"
+    content = """
+- **File Creation**
+    - evil.exe
+    - With Enter-PSSession, a user profile directory may be created
+- **Prefetch** – C:\\Windows\\Prefetch\\
+    - evil.exe-{hash}.pf
+    - wsmprovhost.exe-{hash}.pf
+"""
+    print_info(title, content)