Upload files to "TTPs/Persistence"

TTPs/Persistence/psexec.py

@@ -0,0 +1,253 @@
+import sys
+from Modules.Imports.ttp_imports import *
+from Modules.submenu import build_submenu
+
+def psexec_submenu():
+    """
+    Submenu for PsExec detection techniques.
+    """
+    actions = {
+        "1": {"description": "Source Event Logs", "function": source_event_logs},
+        "2": {"description": "Destination Event Logs", "function": destination_event_logs},
+        "3": {"description": "Source Registry", "function": source_registry},
+        "4": {"description": "Destination Registry", "function": destination_registry},
+        "5": {"description": "Source File System", "function": source_file_system},
+        "6": {"description": "Destination File System", "function": destination_file_system},
+        "7": {"description": "Service Installation Details", "function": service_installation_details},
+        "8": {"description": "Network Artifacts", "function": psexec_network_artifacts},
+        "9": {"description": "Eviction Techniques", "function": psexec_eviction_techniques},
+        "10": {"description": "Malware Case Study", "function": psexec_malware_case_study},
+    }
+    build_submenu("PsExec Persistence", actions)
+
+# Individual submenu functions
+
+def source_event_logs():
+    """
+    Displays source event logs related to PsExec.
+    """
+    title = "PsExec Source Event Logs"
+    content = """
+- **security.evtx**
+    - `4648` - Logon specifying alternate credentials
+        - Current logged-on User Name
+        - Alternate User Name
+        - Destination Host Name/IP
+        - Process Name
+"""
+    print_info(title, content)
+
+def destination_event_logs():
+    """
+    Displays destination event logs related to PsExec.
+    """
+    title = "PsExec Destination Event Logs"
+    content = """
+- **security.evtx**
+    - `4648` Logon specifying alternate credentials
+        - Connecting User Name
+        - Process Name
+    - `4624` Logon Type 3 (and Type 2 if “-u” Alternate Credentials are used)
+        - Source IP/Logon User Name
+    - `4672`
+        - Logon User Name
+        - Logon by a user with administrative rights
+        - Requirement for access default shares such as **C$** and **ADMIN$**
+    - `5140` – Share Access
+        - **ADMIN$** share used by PsExec
+- **system.evtx**
+    - `7045` Service installation: 4-character mixed-case alpha name referencing an 8-character mixed-case alpha .exe file
+        - %systemroot%\\xxxxxxxx.exe
+    - `7036` Service start/stop events
+- **If Enabled**:
+    - `4688` in Security: tracks service and cmd.exe execution
+"""
+    print_info(title, content)
+
+def source_registry():
+    """
+    Displays source registry information related to PsExec.
+    """
+    title = "PsExec Source Registry"
+    content = """
+- **NTUSER.DAT**
+    - Software\\SysInternals\\PsExec\\EulaAccepted
+- **ShimCache** – SYSTEM
+    - psexec.exe
+- **BAM_DAM** – SYSTEM – Last Time Executed
+    - psexec.exe
+- **AmCache.hve** – First Time Executed
+    - psexec.exe
+"""
+    print_info(title, content)
+
+def destination_registry():
+    """
+    Displays destination registry information related to PsExec.
+    """
+    title = "PsExec Destination Registry"
+    content = """
+- New service creation configured in `SYSTEM\\CurrentControlSet\\Services\\PSEXESVC`
+    - “-r” option can allow attacker to rename service
+- **ShimCache** – SYSTEM
+    - psexesvc.exe
+- **AmCache.hve**
+    - First Time Executed
+        - psexesvc.exe
+"""
+    print_info(title, content)
+
+def source_file_system():
+    """
+    Displays source file system artifacts related to PsExec.
+    """
+    title = "PsExec Source File System"
+    content = """
+- **Prefetch** – C:\\Windows\\Prefetch\\
+    - psexec.exe-{hash}.pf
+    - Possible references to other files accessed by psexec.exe, such as executables copied to target system with the “-c” option
+- **File Creation**
+    - psexec.exe file downloaded and created on the local host as the file is not native to Windows
+"""
+    print_info(title, content)
+
+def destination_file_system():
+    """
+    Displays destination file system artifacts related to PsExec.
+    """
+    title = "PsExec Destination File System"
+    content = """
+- **Prefetch** – C:\\Windows\\Prefetch\\
+    - psexesvc.exe-{hash}.pf
+    - evil.exe-{hash}.pf
+- **File Creation**
+    - User profile directory structure created unless "-e" option used
+    - psexesvc.exe will be placed in **ADMIN$** (\\Windows) by default, as well as other executables (evil.exe) pushed by PsExec
+- **User Access Logging (Servers only)**
+    - C:\\Windows\\System32\\LogFiles\\Sum
+        - User Name
+        - Source IP Address
+        - First and Last Access Time
+"""
+    print_info(title, content)
+
+def psexec_analysis():
+    """
+    Displays analysis of PsExec execution.
+    """
+    title = "PsExec Analysis"
+    content = """
+- **Command Example**:
+    - `psexec.py domain/username:password@[hostname | IP] command`
+        - Can specify a command to run, or leave blank for shell
+    - PSEXEC like functionality example using RemComSvc
+        - Creates and subsequently deletes a Windows Service with a random 4-character mixed-case alpha name referencing an 8-character mixed-case alpha .exe file in %systemroot%
+        - Detected and blocked by Windows Defender by default
+
+- **Windows Event Log Residue**:
+    - Event ID `4776` in Security on target (for user specified in command)
+    - Event ID `4672` in Security on target (for user specified in command)
+    - Event ID `4624` Type 3 in Security on target (for user specified in command)
+    - Event ID `7045` in System on target (service installation: 4-character mixed-case alpha name referencing an 8-character mixed-case alpha .exe file):
+        - %systemroot%\\xxxxxxxx.exe
+    - Event ID `7036` in System on target
+    - [If Enabled] Event ID `4688` in Security on target:
+        - `services.exe → C:\\Windows\\xxxxxxxx.exe`
+        - `C:\\Windows\\xxxxxxxx.exe → command`
+        - `cmd.exe → conhost.exe 0xffffffff -ForceV1`
+    - Numerous other `4624`, `4634`, `4672` events
+"""
+    print_info(title, content)
+
+def service_installation_details():
+    """
+    Displays details about PsExec service installation events.
+    """
+    title = "PsExec Service Installation Details"
+    content = """
+- PsExec creates a temporary Windows service for execution:
+    - Service name: Random 4-character mixed-case alpha name
+    - Executable: Random 8-character mixed-case alpha .exe file
+- Registry Path:
+    - SYSTEM\\CurrentControlSet\\Services\\<ServiceName>
+- Event Log Evidence:
+    - Event ID 7045 in `system.evtx` logs the service installation.
+    - Includes:
+        - Service Name
+        - Executable Path
+        - Service Type and Start Mode
+- Forensic Insights:
+    - Compare service names and paths across multiple systems to detect outliers.
+    - Look for services with short, random names.
+"""
+    print_info(title, content)
+
+def psexec_network_artifacts():
+    """
+    Displays network-related artifacts from PsExec usage.
+    """
+    title = "PsExec Network Artifacts"
+    content = """
+- **Network Connections**:
+    - PsExec uses SMB for communication and file transfer.
+    - Ports:
+        - 445 (SMB over TCP/IP)
+        - 139 (NetBIOS over TCP/IP)
+- **Shared Resources**:
+    - Default shares such as **ADMIN$** and **C$** are utilized.
+    - Logs in `security.evtx`:
+        - Event ID 5140: Share access.
+        - Event ID 5145: Access to specific shared files.
+
+- **Forensic Tips**:
+    - Monitor for abnormal access to ADMIN$ or C$ from unexpected hosts.
+    - Analyze SMB traffic for PsExec file transfers.
+"""
+    print_info(title, content)
+
+def psexec_eviction_techniques():
+    """
+    Displays techniques for detecting and evicting PsExec usage.
+    """
+    title = "PsExec Eviction Techniques"
+    content = """
+- **Detection**:
+    - Use centralized logging solutions (e.g., Splunk, ELK) to correlate Event IDs across systems.
+    - Enable advanced audit policies to log service and process creation events.
+
+- **Eviction**:
+    - Audit and remove unauthorized services under:
+        - SYSTEM\\CurrentControlSet\\Services\\
+    - Verify the integrity of executables in:
+        - C:\\Windows\\System32
+        - C:\\Windows\\Prefetch
+    - Block unauthorized access to default shares like ADMIN$ and C$.
+
+- **Prevention**:
+    - Use endpoint protection tools to block PsExec executables.
+    - Restrict access to administrative shares to trusted hosts and accounts only.
+"""
+    print_info(title, content)
+
+def psexec_malware_case_study():
+    """
+    Provides a case study example of malware leveraging PsExec.
+    """
+    title = "PsExec Malware Case Study"
+    content = """
+- **Real-World Example**:
+    - Malware Name: Emotet
+    - Attack Vector: Lateral Movement
+    - Emotet leveraged PsExec to deploy secondary payloads across compromised networks.
+
+- **Tactics**:
+    - Copied malicious payloads to ADMIN$ share.
+    - Used PsExec to execute payloads on remote systems.
+    - Cleaned up by removing PsExec artifacts (e.g., services and files).
+
+- **Forensic Indicators**:
+    - Sudden increase in Event IDs 4624, 4672, and 5140 across multiple systems.
+    - Unusual services with short, random names.
+    - Files with mismatched creation and modification times in ADMIN$.
+"""
+    print_info(title, content)