matthew/Hunt-AI
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Upload files to "TTPs/Persistence"

Browse Source
This commit is contained in:
Matthew Iverson
2024-11-24 18:11:15 -05:00
parent 107db93a19
commit 9245f7eeee
13 changed files with 1678 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
TTPs/Persistence/advanced.py Normal file
View File

@ -0,0 +1,35 @@
from Modules.submenu import build_submenu
def advanced_submenu():
actions = {
"1": {"description": "Bios Flashing", "function": view_bios_flashing},
"2": {"description": "Drivers", "function": view_drivers},
"3": {"description": "Local Group Policy", "function": view_local_group_policy},
"4": {"description": "MS Office Add-In", "function": view_ms_office_addin},
"0": {"description": "Go Back to Persistence Menu", "function": lambda: None},
}
build_submenu("Advanced Persistence", actions)
def view_bios_flashing():
title = "Bios Flashing"
content = "Detection techniques for advanced persistence via BIOS flashing."
print_info(title, content)
def view_drivers():
title = "Drivers"
content = "Analyzing drivers for advanced persistence techniques."
print_info(title, content)
def view_local_group_policy():
title = "Local Group Policy"
content = "Detection methods for advanced persistence through local group policy manipulation."
print_info(title, content)
def view_ms_office_addin():
title = "MS Office Add-In"
content = "Exploring persistence mechanisms via MS Office add-ins."
print_info(title, content)
def print_info(title, content):
print(f"\n{'='*40}\n{title}\n{'='*40}\n{content}\n{'='*40}")
input("Press Enter to return to the submenu...")

101
TTPs/Persistence/autostart.py Normal file
View File

@ -0,0 +1,101 @@
from Modules.Imports.ttp_imports import *
def autostart_submenu():
"""
Submenu for Autostart Persistence Indicators.
"""
actions = {
"1": {"description": "Registry Run Keys", "function": registry_run_keys},
"2": {"description": "Winlogon Userinit", "function": winlogon_userinit},
"3": {"description": "Startup Folder", "function": startup_folder},
"4": {"description": "Investigative Notes", "function": investigative_notes},
"4": {"description": "Autostart Extra", "function": autostart_extra},
}
build_submenu("Autostart Persistence", actions)
def registry_run_keys():
"""
Displays information about Registry Run Keys for Autostart.
"""
title = "Registry Run Keys"
content = """
The most common ASEPs (AutoStart Extension Points) are the “Run” Registry keys:
- NTUSER.DAT\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
- NTUSER.DAT\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce
- Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce
- Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run
- Software\\Microsoft\\Windows\\CurrentVersion\\Run
These keys are executed when a user logs on. Monitoring these keys is crucial for detecting persistence mechanisms.
"""
print_info(title, content)
def winlogon_userinit():
"""
Displays information about the Winlogon Userinit ASEP.
"""
title = "Winlogon Userinit"
content = """
The Winlogon Userinit key can be used to maintain persistence:
- SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit
This key typically contains:
- C:\\Windows\\system32\\userinit.exe
However, it can be modified to include malicious binaries:
- Example: C:\\Windows\\system32\\userinit.exe,C:\\Temp\\malicious.exe
"""
print_info(title, content)
def startup_folder():
"""
Displays information about the Startup folder ASEP.
"""
title = "Startup Folder"
content = """
The Startup folder allows for persistence by placing shortcuts in this folder:
- %AppData%\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup
Files in this folder automatically execute when a user logs on. Malware often uses this location for persistence.
"""
print_info(title, content)
def investigative_notes():
"""
Displays investigative notes about Autostart ASEPs.
"""
title = "Investigative Notes"
content = """
Investigating ASEPs across multiple systems can help identify compromised hosts. Key notes:
- ASEPs are numerous and diverse, requiring thorough examination.
- Tools like Registry Explorer and RegRipper can retrieve additional ASEPs from Registry hives.
- Analyzing data across systems may reveal outliers indicative of malicious activity.
"""
print_info(title, content)
def autostart_extra():
"""
Displays information about the Winlogon Userinit ASEP.
"""
title = "Autostart Extra"
content = """
- Items in these keys are executed when a user logs on, unlike other ASEPs that act at boot.
- Multiple "run" keys exist in both the NTUSER.DAT and SOFTWARE hives.
- Another, less common but equally dangerous key is:
- SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit.
- This key typically contains a reference to `userinit.exe`, which by default:
- Executes `Userinit.exe`.
- Launches `Explorer.exe`.
- However, it can be modified to include malicious binaries, such as:
- `C:\\Windows\\system32\\userinit.exe,C:\\Temp\\winsvchost.exe`, which would run at boot.
- Finally, `%AppData%\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup` allows for persistence by placing shortcuts in this folder.
- These shortcuts automatically execute the associated binaries when a user logs on.
- Malware has recently gravitated back to this old attack vector.
- Although these locations are very common for ASEPs, many more exist.
- Tools like Registry Explorer and RegRipper can retrieve additional ASEPs from Registry hives.
- Analyzing data across systems may reveal outliers leading to compromised systems.
"""
print_info(title, content)

153
TTPs/Persistence/basic_persistence.py Normal file
View File

@ -0,0 +1,153 @@
import sys
from Modules.Imports.ttp_imports import *
from Modules.submenu import build_submenu
def basic_persistence_submenu():
"""
Submenu for Basic Persistence Mechanisms.
"""
actions = {
"1": {"description": "BootExecute Key", "function": boot_execute_key},
"2": {"description": "WinLogon Process Keys", "submenu": winlogon_keys_submenu},
"3": {"description": "Startup Keys", "function": startup_keys},
"4": {"description": "Services", "function": services_keys},
"5": {"description": "Browser Helper Objects", "function": browser_helper_objects},
"6": {"description": "AppInit_DLLs", "function": appinit_dlls},
"7": {"description": "Persistence Using Global Flags", "function": persistence_global_flags},
}
build_submenu("Basic Persistence Mechanisms", actions)
def boot_execute_key():
"""
Displays information about the BootExecute Key.
"""
title = "BootExecute Key"
content = r"""
The BootExecute registry key launches processes before the subsystem initializes.
Key Path:
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Session
"""
print_info(title, content)
def winlogon_keys_submenu():
"""
Submenu for WinLogon Process Keys.
"""
actions = {
"1": {"description": "Userinit Key", "function": userinit_key},
"2": {"description": "Notify Key", "function": notify_key},
"3": {"description": "Explorer.exe Key", "function": explorer_key},
}
build_submenu("WinLogon Process Keys", actions)
def userinit_key():
"""
Displays information about the Userinit Key.
"""
title = "Userinit Key"
content = r"""
The Userinit Key launches login scripts during the user logon process.
Key Path:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
"""
print_info(title, content)
def notify_key():
"""
Displays information about the Notify Key.
"""
title = "Notify Key"
content = r"""
The Notify Key is used for handling the `Ctrl+Alt+Del` event.
Key Path:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
"""
print_info(title, content)
def explorer_key():
"""
Displays information about the Explorer.exe Key.
"""
title = "Explorer.exe Key"
content = r"""
This key points to `explorer.exe` and can be abused for persistence.
Key Path:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
"""
print_info(title, content)
def startup_keys():
"""
Displays information about Startup Keys.
"""
title = "Startup Keys"
content = r"""
Startup Keys allow programs to launch when a user logs on.
Key Paths:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
"""
print_info(title, content)
def services_keys():
"""
Displays information about Services Keys.
"""
title = "Services Keys"
content = r"""
Services keys enable services to boot automatically at startup.
Key Paths:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
"""
print_info(title, content)
def browser_helper_objects():
"""
Displays information about Browser Helper Objects.
"""
title = "Browser Helper Objects"
content = r"""
Browser Helper Objects can be used for persistence or malicious activity.
Key Path:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
"""
print_info(title, content)
def appinit_dlls():
"""
Displays information about AppInit_DLLs.
"""
title = "AppInit_DLLs"
content = r"""
The AppInit_DLLs registry key specifies DLLs that are loaded into every user-mode process that loads `user32.dll`.
Key Path:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
"""
print_info(title, content)
def persistence_global_flags():
"""
Displays information about persistence using global flags.
"""
title = "Persistence Using Global Flags"
content = r"""
Global flags in the Image File Execution Options registry key can be abused for persistence.
Example Commands:
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v GlobalFlag /t REG_DWORD /d 512
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v ReportingMode /t REG_DWORD /d 1
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v MonitorProcess /d "C:\temp\evil.exe"
"""
print_info(title, content)

105
TTPs/Persistence/dcom.py Normal file
View File

@ -0,0 +1,105 @@
import sys
from Modules.Imports.ttp_imports import *
from Modules.submenu import build_submenu
def dcom_submenu():
"""
Submenu for DCOM-based Persistence Indicators.
"""
actions = {
"1": {"description": "DCOM Execution Overview", "function": dcom_execution_overview},
"2": {"description": "Windows Event Log Residue", "function": windows_event_log_residue},
"3": {"description": "Analysis of Commands Executed", "function": analyze_commands_executed},
"4": {"description": "Detection and Mitigation", "function": detection_and_mitigation},
}
build_submenu("DCOM-Based Persistence", actions)
def dcom_execution_overview():
"""
Provides an overview of DCOM execution for persistence.
"""
title = "DCOM Execution Overview"
content = """
### DCOM Execution (dcomexec.py):
- **Command**: `dcomexec.py -object [ShellWindows | ShellBrowserWindow | MMC20] domain/username:password@[hostname | IP] command`
- Specify a command to run or leave blank for shell.
- Executes a semi-interactive shell using DCOM objects.
- Must specify 'ShellWindows', 'ShellBrowserWindow', or 'MMC20' via the `-object` parameter.
- Uses the first 5 digits of the UNIX Epoch Time in commands.
**Features**:
- Not detected or blocked by Windows Defender by default.
"""
print_info(title, content)
def windows_event_log_residue():
"""
Describes the Windows Event Log residue left by DCOM execution.
"""
title = "Windows Event Log Residue"
content = """
### Event Log Residue:
- Two rounds of:
- Event ID `4776` in Security on target (for user specified in command).
- Event ID `4672` in Security on target (for user specified in command).
- Event ID `4624` Type 3 in Security on target (for user specified in command).
#### If Enabled:
- Event ID `4688` in Security on target:
- `svchost.exe → mmc.exe -Embedding`.
- `mmc.exe → cmd.exe /Q /c cd \\ 1> \\127.0.0.1\\ADMIN$\\__sssss 2>&1` (where “s” is the first 5 digits of the UNIX Epoch Time).
- `cmd.exe → conhost.exe 0xffffffff -ForceV1`.
#### User Specified Commands:
- Event ID `4688` in Security on target:
- `mmc.exe → cmd.exe /Q /c command 1> \\127.0.0.1\\ADMIN$\\__sssss 2>&1`.
- `cmd.exe → conhost.exe 0xffffffff -ForceV1`.
- Two rounds of:
- Event ID `4634` Type 3 in Security on target (for user specified in command).
"""
print_info(title, content)
def analyze_commands_executed():
"""
Analyzes commands executed via DCOM for forensic insights.
"""
title = "Analysis of Commands Executed via DCOM"
content = """
### Command Execution Details:
- DCOM execution involves creating a semi-interactive shell or running specific commands via DCOM objects.
- Commands use `mmc.exe` and `cmd.exe`:
- `mmc.exe → cmd.exe /Q /c command 1> \\127.0.0.1\\ADMIN$\\__sssss 2>&1`.
- The temporary file (__sssss) is created in the ADMIN$ share and cleaned up after execution.
**Key Indicators**:
- Look for temporary files in the ADMIN$ share with names matching the pattern `__sssss`.
- Monitor suspicious use of `mmc.exe` with the `-Embedding` flag.
"""
print_info(title, content)
def detection_and_mitigation():
"""
Provides detection and mitigation strategies for DCOM execution.
"""
title = "Detection and Mitigation"
content = """
### Detection:
- Monitor `security.evtx` and `system.evtx` for:
- Event ID `4688` showing `mmc.exe` or `cmd.exe` with unusual arguments.
- Event ID `4624` and `4672` indicating logon attempts.
- Event ID `4634` showing logoff events.
- Use tools like Sysmon to log detailed command-line activity:
- Enable logging for `mmc.exe`, `cmd.exe`, and `conhost.exe`.
- Look for suspicious command-line parameters, such as the `-Embedding` flag.
### Mitigation:
- Restrict DCOM usage via GPO:
- Navigate to: `Computer Configuration > Administrative Templates > Windows Components > DCOM`.
- Disable DCOM or restrict to trusted applications.
- Regularly audit temporary files in ADMIN$ shares.
- Use endpoint protection solutions to detect unusual DCOM activity.
"""
print_info(title, content)

78
TTPs/Persistence/dll_hijacking.py Normal file
View File

@ -0,0 +1,78 @@
import sys
from Modules.Imports.ttp_imports import *
from Modules.submenu import build_submenu
def dll_hijacking_submenu():
"""
Submenu for DLL Hijacking detection techniques.
"""
actions = {
"1": {"description": "File System Analysis", "function": file_system_analysis},
"2": {"description": "Memory Analysis", "function": memory_analysis},
"3": {"description": "Command Line Analysis", "function": command_line_analysis},
"4": {"description": "SANS DFIR Insights", "function": sans_dfir_insights},
}
build_submenu("DLL Hijacking Detection", actions)
# Individual submenu functions
def file_system_analysis():
"""
Displays information about file system analysis for DLL hijacking detection.
"""
title = "DLL Hijacking File System Analysis"
content = """
- Look for new or unsigned `.exe` and `.dll` files in unusual locations.
- Example Indicators:
- Timestamp: 2021-02-18 03:42:31
- Impact: -
- Method: mach Meta
- File Name: `c:/ProgramData/mcoemcpy.exe` (size: 77824)
- File: `c:/ProgramData/McUtil.dll` (size: 131072)
"""
print_info(title, content)
def memory_analysis():
"""
Displays memory analysis techniques for DLL hijacking detection.
"""
title = "DLL Hijacking Memory Analysis"
content = """
- Identify system processes or DLLs loaded from unusual locations.
- Pay attention to:
- Processes running unexpected code.
- DLLs loaded from locations outside expected directories.
- Newly created DLLs and executables can indicate malicious activity.
"""
print_info(title, content)
def command_line_analysis():
"""
Displays command-line analysis techniques for DLL hijacking detection.
"""
title = "DLL Hijacking Command-Line Analysis"
content = """
- Review suspicious command-line execution patterns.
- Example:
- Command: `C:\\ProgramData\\ncoenchy.exe 0x4`
- Method: mach Meta
- Check for signs of injection or other manipulation.
"""
print_info(title, content)
def sans_dfir_insights():
"""
Displays insights from SANS DFIR training for DLL hijacking detection.
"""
title = "DLL Hijacking Insights from SANS DFIR"
content = """
- Nearly all DLL hijacks require placing a new DLL or executable onto the file system.
- Investigative Techniques:
- **File Timeline Analysis**:
- Focus on newly created files during times of interest.
- **Memory Forensics**:
- Analyze running processes for unexpected DLL locations.
- Obscure DLLs are more likely to be targeted since common DLLs are usually preloaded into memory.
- Other anomalous actions like network beaconing or named pipe creation can lead to detection.
"""
print_info(title, content)

133
TTPs/Persistence/map_share.py Normal file
View File

@ -0,0 +1,133 @@
import sys
from Modules.Imports.ttp_imports import *
from Modules.submenu import build_submenu
def map_share_submenu():
"""
Submenu for Map Share detection techniques.
"""
actions = {
"1": {"description": "Source Event Logs", "function": source_event_logs},
"2": {"description": "Destination Event Logs", "function": destination_event_logs},
"3": {"description": "Source Registry", "function": source_registry},
"4": {"description": "Destination Registry", "function": destination_registry},
"5": {"description": "Source File System", "function": source_file_system},
"6": {"description": "Destination File System", "function": destination_file_system},
}
build_submenu("Map Share Persistence", actions)
# Individual submenu functions
def source_event_logs():
"""
Displays source event logs related to map shares.
"""
title = "Map Share Source Event Logs"
content = """
- `security.evtx`
- `4648` - Logon specifying alternate credentials
- Current logged-on User Name
- Alternate User Name
- Destination Host Name/IP
- Process Name
- `Microsoft-Windows-SmbClient\\Security.evtx`
- `31001` Failed logon to destination
- Destination Host Name
- User Name for failed logon
- Reason code for failed destination logon (e.g., bad password)
"""
print_info(title, content)
def destination_event_logs():
"""
Displays destination event logs related to map shares.
"""
title = "Map Share Destination Event Logs"
content = """
- **Security Event Log `security.evtx`**
- `4624`
- Logon Type 3
- Source IP/Logon User Name
- `4672`
- Logon User Name
- Logon by user with administrative rights
- Requirement for accessing default shares such as **C$** and **ADMIN$**
- `4776` - NTLM if authenticating to Local System
- Source Host Name/Logon User Name
- `4768` - TGT Granted
- Source Host Name/Logon User Name
- Available only on domain controller
- `4769` - Service Ticket Granted if authenticating to Domain Controller
- Destination Host Name/Logon User Name
- Source IP
- Available only on domain controller
- `5140`
- Share Access
- `5145`
- Auditing of shared files **NOISY**!
"""
print_info(title, content)
def source_registry():
"""
Displays source registry information related to map shares.
"""
title = "Map Share Source Registry"
content = """
- **MountPoints2** - Remotely mapped shares
- `NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2`
- **Shellbags** - USRCLASS.DAT
- Remote folders accessed inside an interactive session via Explorer by attackers.
- **ShimCache** SYSTEM
- `net.exe`
- `net1.exe`
- **BAM_DAM** NTUSER.DAT Last Time Executed
- `net.exe`
- `net1.exe`
- **AmCache.hve** - First Time Executed
- `net.exe`
- `net1.exe`
"""
print_info(title, content)
def destination_registry():
"""
Displays destination registry information related to map shares.
"""
title = "Map Share Destination Registry"
content = """
- N/A
"""
print_info(title, content)
def source_file_system():
"""
Displays source file system artifacts related to map shares.
"""
title = "Map Share Source File System"
content = """
- **Prefetch** - `C:\\Windows\\Prefetch\\`
- `net.exe-{hash}.pf`
- `net1.exe-{hash}.pf`
- **User Profile Artifacts**
- Review shortcut files and jumplists for remote files accessed by attackers if they had interactive access (RDP).
"""
print_info(title, content)
def destination_file_system():
"""
Displays destination file system artifacts related to map shares.
"""
title = "Map Share Destination File System"
content = """
- **File Creation**
- Attacker's files (malware) copied to the destination system.
- Look for Modified Time before Creation Time.
- Creation Time is the time of file copy.
- **User Access Logging (Servers Only)**
- `C:\\Windows\\System32\\LogFiles\\Sum`
- User Name
- Source IP Address
- First and Last Access Time
"""
print_info(title, content)

139
TTPs/Persistence/powershell_remoting.py Normal file
View File

@ -0,0 +1,139 @@
import sys
from Modules.Imports.ttp_imports import *
from Modules.submenu import build_submenu
def powershell_remoting_submenu():
"""
Submenu for PowerShell Remoting detection techniques.
"""
actions = {
"1": {"description": "Source Event Logs", "function": source_event_logs},
"2": {"description": "Source Registry", "function": source_registry},
"3": {"description": "Source File System", "function": source_file_system},
"4": {"description": "Destination Event Logs", "function": destination_event_logs},
"5": {"description": "Destination Registry", "function": destination_registry},
"6": {"description": "Destination File System", "function": destination_file_system},
}
build_submenu("PowerShell Remoting Persistence", actions)
# Individual submenu functions
def source_event_logs():
"""
Displays source event logs related to PowerShell Remoting.
"""
title = "PowerShell Remoting Source Event Logs"
content = """
- **security.evtx**
- `4648` - Logon specifying alternate credentials
- Current logged-on User Name
- Alternate User Name
- Destination Host Name/IP
- Process Name
- **Microsoft-Windows-WinRM/Operational.evtx**
- `161` - Remote Authentication Error
- `6` - WSMan Session initialize
- Session created
- Destination Host Name or IP
- Current logged-on User Name
- `8`, `15`, `16`, `33` - WSMan Session deinitialization
- Closing of WSMan session
- Current logged-on User Name
- **Microsoft-Windows-PowerShell/Operational.evtx**
- `40961`, `40962`
- Records the local initiation of powershell.exe and associated user account
- `8193` & `8194` - Session created
- `8197` - Connect
- Session closed
"""
print_info(title, content)
def source_registry():
"""
Displays source registry information related to PowerShell Remoting.
"""
title = "PowerShell Remoting Source Registry"
content = """
- **ShimCache** SYSTEM
- powershell.exe
- **BAM_DAM** SYSTEM Last Time Executed
- powershell.exe
- **AmCache.hve** First Time Executed
- powershell.exe
"""
print_info(title, content)
def source_file_system():
"""
Displays source file system artifacts related to PowerShell Remoting.
"""
title = "PowerShell Remoting Source File System"
content = """
- **Prefetch** C:\\Windows\\Prefetch\\
- powershell.exe-{hash}.pf
- PowerShell scripts (.ps1 files) that run within 10 seconds of powershell.exe launching will be tracked in powershell.exe prefetch file
- **Command history**
- C:\\Users\\<Username>\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadline\\ConsoleHost_history.txt
- With PS v5+, a history file with previous 4096 commands is maintained per user
"""
print_info(title, content)
def destination_event_logs():
"""
Displays destination event logs related to PowerShell Remoting.
"""
title = "PowerShell Remoting Destination Event Logs"
content = """
- **security.evtx**
- `4624` Logon Type 3
- Source IP/Logon User Name
- `4672`
- Logon User Name
- Logon by a user with administrative rights
- **Microsoft-Windows-PowerShell%4Operational.evtx**
- `4103`, `4104` Script Block logging
- Logs suspicious scripts by default in PS v5
- Logs all scripts if configured
- `53504` - Records the authenticating user
- **Windows PowerShell.evtx**
- `400/403` - "ServerRemoteHost" indicates start/end of remoting session
- `800` - Includes partial script code
- **Microsoft-Windows-WinRM/Operational.evtx**
- `91` Session creation
- `142` WSMan Operation Failure
- `169` Records the authenticating user
"""
print_info(title, content)
def destination_registry():
"""
Displays destination registry information related to PowerShell Remoting.
"""
title = "PowerShell Remoting Destination Registry"
content = """
- **ShimCache** SYSTEM
- wsmprovhost.exe
- evil.exe
- **SOFTWARE**
- Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell\\ExecutionPolicy
- Attacker may change execution policy to a less restrictive setting, such as "bypass"
- **AmCache.hve** First Time Executed
- wsmprovhost.exe
- evil.exe
"""
print_info(title, content)
def destination_file_system():
"""
Displays destination file system artifacts related to PowerShell Remoting.
"""
title = "PowerShell Remoting Destination File System"
content = """
- **File Creation**
- evil.exe
- With Enter-PSSession, a user profile directory may be created
- **Prefetch** C:\\Windows\\Prefetch\\
- evil.exe-{hash}.pf
- wsmprovhost.exe-{hash}.pf
"""
print_info(title, content)

253
TTPs/Persistence/psexec.py Normal file
View File

@ -0,0 +1,253 @@
import sys
from Modules.Imports.ttp_imports import *
from Modules.submenu import build_submenu
def psexec_submenu():
"""
Submenu for PsExec detection techniques.
"""
actions = {
"1": {"description": "Source Event Logs", "function": source_event_logs},
"2": {"description": "Destination Event Logs", "function": destination_event_logs},
"3": {"description": "Source Registry", "function": source_registry},
"4": {"description": "Destination Registry", "function": destination_registry},
"5": {"description": "Source File System", "function": source_file_system},
"6": {"description": "Destination File System", "function": destination_file_system},
"7": {"description": "Service Installation Details", "function": service_installation_details},
"8": {"description": "Network Artifacts", "function": psexec_network_artifacts},
"9": {"description": "Eviction Techniques", "function": psexec_eviction_techniques},
"10": {"description": "Malware Case Study", "function": psexec_malware_case_study},
}
build_submenu("PsExec Persistence", actions)
# Individual submenu functions
def source_event_logs():
"""
Displays source event logs related to PsExec.
"""
title = "PsExec Source Event Logs"
content = """
- **security.evtx**
- `4648` - Logon specifying alternate credentials
- Current logged-on User Name
- Alternate User Name
- Destination Host Name/IP
- Process Name
"""
print_info(title, content)
def destination_event_logs():
"""
Displays destination event logs related to PsExec.
"""
title = "PsExec Destination Event Logs"
content = """
- **security.evtx**
- `4648` Logon specifying alternate credentials
- Connecting User Name
- Process Name
- `4624` Logon Type 3 (and Type 2 if “-u” Alternate Credentials are used)
- Source IP/Logon User Name
- `4672`
- Logon User Name
- Logon by a user with administrative rights
- Requirement for access default shares such as **C$** and **ADMIN$**
- `5140` Share Access
- **ADMIN$** share used by PsExec
- **system.evtx**
- `7045` Service installation: 4-character mixed-case alpha name referencing an 8-character mixed-case alpha .exe file
- %systemroot%\\xxxxxxxx.exe
- `7036` Service start/stop events
- **If Enabled**:
- `4688` in Security: tracks service and cmd.exe execution
"""
print_info(title, content)
def source_registry():
"""
Displays source registry information related to PsExec.
"""
title = "PsExec Source Registry"
content = """
- **NTUSER.DAT**
- Software\\SysInternals\\PsExec\\EulaAccepted
- **ShimCache** SYSTEM
- psexec.exe
- **BAM_DAM** SYSTEM Last Time Executed
- psexec.exe
- **AmCache.hve** First Time Executed
- psexec.exe
"""
print_info(title, content)
def destination_registry():
"""
Displays destination registry information related to PsExec.
"""
title = "PsExec Destination Registry"
content = """
- New service creation configured in `SYSTEM\\CurrentControlSet\\Services\\PSEXESVC`
- “-r” option can allow attacker to rename service
- **ShimCache** SYSTEM
- psexesvc.exe
- **AmCache.hve**
- First Time Executed
- psexesvc.exe
"""
print_info(title, content)
def source_file_system():
"""
Displays source file system artifacts related to PsExec.
"""
title = "PsExec Source File System"
content = """
- **Prefetch** C:\\Windows\\Prefetch\\
- psexec.exe-{hash}.pf
- Possible references to other files accessed by psexec.exe, such as executables copied to target system with the “-c” option
- **File Creation**
- psexec.exe file downloaded and created on the local host as the file is not native to Windows
"""
print_info(title, content)
def destination_file_system():
"""
Displays destination file system artifacts related to PsExec.
"""
title = "PsExec Destination File System"
content = """
- **Prefetch** C:\\Windows\\Prefetch\\
- psexesvc.exe-{hash}.pf
- evil.exe-{hash}.pf
- **File Creation**
- User profile directory structure created unless "-e" option used
- psexesvc.exe will be placed in **ADMIN$** (\\Windows) by default, as well as other executables (evil.exe) pushed by PsExec
- **User Access Logging (Servers only)**
- C:\\Windows\\System32\\LogFiles\\Sum
- User Name
- Source IP Address
- First and Last Access Time
"""
print_info(title, content)
def psexec_analysis():
"""
Displays analysis of PsExec execution.
"""
title = "PsExec Analysis"
content = """
- **Command Example**:
- `psexec.py domain/username:password@[hostname | IP] command`
- Can specify a command to run, or leave blank for shell
- PSEXEC like functionality example using RemComSvc
- Creates and subsequently deletes a Windows Service with a random 4-character mixed-case alpha name referencing an 8-character mixed-case alpha .exe file in %systemroot%
- Detected and blocked by Windows Defender by default
- **Windows Event Log Residue**:
- Event ID `4776` in Security on target (for user specified in command)
- Event ID `4672` in Security on target (for user specified in command)
- Event ID `4624` Type 3 in Security on target (for user specified in command)
- Event ID `7045` in System on target (service installation: 4-character mixed-case alpha name referencing an 8-character mixed-case alpha .exe file):
- %systemroot%\\xxxxxxxx.exe
- Event ID `7036` in System on target
- [If Enabled] Event ID `4688` in Security on target:
- `services.exe → C:\\Windows\\xxxxxxxx.exe`
- `C:\\Windows\\xxxxxxxx.exe → command`
- `cmd.exe → conhost.exe 0xffffffff -ForceV1`
- Numerous other `4624`, `4634`, `4672` events
"""
print_info(title, content)
def service_installation_details():
"""
Displays details about PsExec service installation events.
"""
title = "PsExec Service Installation Details"
content = """
- PsExec creates a temporary Windows service for execution:
- Service name: Random 4-character mixed-case alpha name
- Executable: Random 8-character mixed-case alpha .exe file
- Registry Path:
- SYSTEM\\CurrentControlSet\\Services\\<ServiceName>
- Event Log Evidence:
- Event ID 7045 in `system.evtx` logs the service installation.
- Includes:
- Service Name
- Executable Path
- Service Type and Start Mode
- Forensic Insights:
- Compare service names and paths across multiple systems to detect outliers.
- Look for services with short, random names.
"""
print_info(title, content)
def psexec_network_artifacts():
"""
Displays network-related artifacts from PsExec usage.
"""
title = "PsExec Network Artifacts"
content = """
- **Network Connections**:
- PsExec uses SMB for communication and file transfer.
- Ports:
- 445 (SMB over TCP/IP)
- 139 (NetBIOS over TCP/IP)
- **Shared Resources**:
- Default shares such as **ADMIN$** and **C$** are utilized.
- Logs in `security.evtx`:
- Event ID 5140: Share access.
- Event ID 5145: Access to specific shared files.
- **Forensic Tips**:
- Monitor for abnormal access to ADMIN$ or C$ from unexpected hosts.
- Analyze SMB traffic for PsExec file transfers.
"""
print_info(title, content)
def psexec_eviction_techniques():
"""
Displays techniques for detecting and evicting PsExec usage.
"""
title = "PsExec Eviction Techniques"
content = """
- **Detection**:
- Use centralized logging solutions (e.g., Splunk, ELK) to correlate Event IDs across systems.
- Enable advanced audit policies to log service and process creation events.
- **Eviction**:
- Audit and remove unauthorized services under:
- SYSTEM\\CurrentControlSet\\Services\\
- Verify the integrity of executables in:
- C:\\Windows\\System32
- C:\\Windows\\Prefetch
- Block unauthorized access to default shares like ADMIN$ and C$.
- **Prevention**:
- Use endpoint protection tools to block PsExec executables.
- Restrict access to administrative shares to trusted hosts and accounts only.
"""
print_info(title, content)
def psexec_malware_case_study():
"""
Provides a case study example of malware leveraging PsExec.
"""
title = "PsExec Malware Case Study"
content = """
- **Real-World Example**:
- Malware Name: Emotet
- Attack Vector: Lateral Movement
- Emotet leveraged PsExec to deploy secondary payloads across compromised networks.
- **Tactics**:
- Copied malicious payloads to ADMIN$ share.
- Used PsExec to execute payloads on remote systems.
- Cleaned up by removing PsExec artifacts (e.g., services and files).
- **Forensic Indicators**:
- Sudden increase in Event IDs 4624, 4672, and 5140 across multiple systems.
- Unusual services with short, random names.
- Files with mismatched creation and modification times in ADMIN$.
"""
print_info(title, content)

16
TTPs/Persistence/rdp.py
View File

@ -1,4 +1,8 @@
from Modules.Imports.protocol_imports import * import sys
from Modules.Imports.ttp_imports import *
from Modules.submenu import build_submenu
import TTPs.Persistence.rdp as rdp
def rdp_submenu(): def rdp_submenu():
actions = { actions = {
@ -9,7 +13,6 @@ def rdp_submenu():
"5": {"description": "Source Artifacts", "function": source_artifacts}, "5": {"description": "Source Artifacts", "function": source_artifacts},
"6": {"description": "Destination Artifacts", "function": destination_artifacts}, "6": {"description": "Destination Artifacts", "function": destination_artifacts},
"7": {"description": "Extra", "function": extra_rdp_info}, "7": {"description": "Extra", "function": extra_rdp_info},
"8": {"description": "All", "function": all_rdp_info},
} }
build_submenu("RDP Persistence", actions) build_submenu("RDP Persistence", actions)
@ -136,12 +139,3 @@ def extra_rdp_info():
- 22: Shell start notification received - 22: Shell start notification received
""" """
print_info(title, content) print_info(title, content)
def all_rdp_info():
source_event_logs()
destination_event_logs()
source_registry()
destination_registry()
source_artifacts()
destination_artifacts()
extra_rdp_info()

146
TTPs/Persistence/schedule_task.py Normal file
View File

@ -0,0 +1,146 @@
from Modules.Imports.ttp_imports import *
from Modules.submenu import build_submenu
def schedule_tasks_submenu():
"""
Submenu for Scheduled Tasks Persistence Indicators.
"""
actions = {
"1": {"description": "Source Event Logs", "function": source_event_logs},
"2": {"description": "Destination Event Logs", "function": destination_event_logs},
"3": {"description": "Source Registry", "function": source_registry},
"4": {"description": "Destination Registry", "function": destination_registry},
"5": {"description": "Source Artifacts", "function": source_artifacts},
"6": {"description": "Destination Artifacts", "function": destination_artifacts},
"7": {"description": "Atexec Analysis", "function": atexec_analysis},
"8": {"description": "Extra", "function": extra_scheduled_tasks_info},
}
build_submenu("Scheduled Tasks Persistence", actions)
def source_event_logs():
title = "Scheduled Tasks Source Event Logs"
content = """
- `security.evtx`
- `4648` - Logon specifying alternate credentials
- Current logged-on User Name
- Alternate User Name
- Destination Host Name/IP
- Process Name
"""
print_info(title, content)
def destination_event_logs():
title = "Scheduled Tasks Destination Event Logs"
content = """
- `security.evtx`
- `4624` Logon Type 3
- Source IP/Logon User Name
- `4672`
- Logon User Name
- Logon by a user with administrative rights
- Requirement for accessing default shares such as **C$** and **ADMIN$**
- `4698` - Scheduled task created
- `4702` - Scheduled task updated
- `4699` - Scheduled task deleted
- `4700/4701` - Scheduled task enabled/disabled
- `Microsoft-Windows-TaskScheduler%4Operational.evtx`
- `106` - Scheduled task created
- `140` - Scheduled task updated
- `141` - Scheduled task deleted
- `200/201` - Scheduled task executed/completed
"""
print_info(title, content)
def source_registry():
title = "Scheduled Tasks Source Registry"
content = """
- [[ShimCache]] - SYSTEM
- at.exe
- schtasks.exe
- [[BAM|DAM]] - SYSTEM - Last Time Executed
- at.exe
- schtasks.exe
- [[AmCache.hve]] - First Time Executed
- at.exe
- schtasks.exe
"""
print_info(title, content)
def destination_registry():
title = "Scheduled Tasks Destination Registry"
content = """
- SOFTWARE
- `Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks`
- `Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\`
- [[ShimCache]] SYSTEM
- evil.exe
- [[AmCache.hve]] - First Time Executed
- evil.exe
"""
print_info(title, content)
def source_artifacts():
title = "Scheduled Tasks Source File System Artifacts"
content = """
- [[Prefetch]] - C:\\Windows\\Prefetch\\
- at.exe-{hash}.pf
- schtasks.exe-{hash}.pf
"""
print_info(title, content)
def destination_artifacts():
title = "Scheduled Tasks Destination File System Artifacts"
content = """
- File Creation
- evil.exe
- Job files created in
- `C:\\Windows\\Tasks`
- XML task files created in
- `C:\\Windows\\System32\\Tasks`
- `C:\\Windows\\SysWOW64\\Tasks`
- Author tag can identify:
- Source system name
- Creator username
- [[Prefetch]] `C:\\Windows\\Prefetch\\`
- evil.exe-{hash}.pf
"""
print_info(title, content)
def atexec_analysis():
title = "Atexec Analysis"
content = """
### Command Syntax:
- `atexec.py domain/username:password@[hostname | IP] command`
### Characteristics:
- Executes commands remotely but does not provide shell access.
- Creates a Scheduled Task with a random 8-character mixed-case alpha string.
- Uses `cmd.exe /C` to run commands, outputting results to `C:\\Windows\\Temp\\<random>.tmp` before deleting the file.
- **NOT detected and blocked by Windows Defender by default**.
### Windows Event Log Residue:
1. Event IDs in `Security.evtx`:
- `4776` - NTLM Authentication
- `4672` - Special privileges assigned to logon.
- `4624` - Successful logon (Type 3).
2. Microsoft-Windows-TaskScheduler/Operational:
- `106`, `325`, `129`, `100`, `200`, `110`, `141`, `111`, `201`, `102` (Task lifecycle).
3. **IF ENABLED**:
- `4688` - Process creation (`cmd.exe` spawning tasks or executing commands).
- `4698` - Scheduled task created.
- `4699` - Scheduled task deleted.
### Example Detection Indicators:
- Multiple rounds of Event IDs (4776, 4672, 4624).
- Temporary `.tmp` files in `C:\\Windows\\Temp` with scheduled task output.
"""
print_info(title, content)
def extra_scheduled_tasks_info():
title = "Scheduled Tasks Extra Information"
content = """
# Scheduled Tasks Commands
- `at \\\\host 13:00 "c:\\temp\\evil.exe"`
- `schtasks /CREATE /TN taskname /TR c:\\temp\\evil.exe /SC once /RU “SYSTEM” /ST 13:00 /S host /U username`
"""
print_info(title, content)

154
TTPs/Persistence/service.py Normal file
View File

@ -0,0 +1,154 @@
import sys
from Modules.Imports.ttp_imports import *
from Modules.submenu import build_submenu
def service_submenu():
"""
Submenu for Service-based Persistence Indicators.
"""
actions = {
"1": {"description": "Source Event Logs", "function": source_event_logs},
"2": {"description": "Destination Event Logs", "function": destination_event_logs},
"3": {"description": "Source Registry", "function": source_registry},
"4": {"description": "Destination Registry", "function": destination_registry},
"5": {"description": "Source File System", "function": source_file_system},
"6": {"description": "Destination File System", "function": destination_file_system},
"7": {"description": "Service Replacement Examples", "function": service_replacement_examples},
"8": {"description": "Exploitation of Windows Services", "function": exploit_windows_services},
}
build_submenu("Service-Based Persistence", actions)
def source_event_logs():
title = "Source Event Logs"
content = """
No specific source event logs are generated for service-based persistence.
"""
print_info(title, content)
def destination_event_logs():
title = "Destination Event Logs"
content = """
- `security.evtx`
- `4624` Logon Type 3
- Source IP/Logon User Name
- `4697`
- Records service installation (non-default)
- Useful for centralized log monitoring.
- `system.evtx`
- `7034` - Service crashed unexpectedly.
- `7035` - Service sent a Start/Stop control.
- `7036` - Service started or stopped.
- `7040` - Start type changed (Boot | On Request | Disabled).
- `7045` - A service was installed on the system.
"""
print_info(title, content)
def source_registry():
title = "Source Registry"
content = """
Registry Artifacts:
- [[ShimCache]] - SYSTEM
- Tracks `sc.exe`.
- [[BAM_DAM]] - SYSTEM - Last Time Executed
- Tracks `sc.exe`.
- [[AmCache.hve]]
- Tracks first execution of `sc.exe`.
"""
print_info(title, content)
def destination_registry():
title = "Destination Registry"
content = """
Registry Artifacts:
- SYSTEM
- `\\CurrentControlSet\\Services\\` - New service creation.
- [[ShimCache]] - SYSTEM
- Tracks `evil.exe`.
- [[AmCache.hve]] - First Time Executed
- Tracks `evil.exe`.
"""
print_info(title, content)
def source_file_system():
title = "Source File System"
content = """
Prefetch Artifacts:
- Prefetch - `C:\\Windows\\Prefetch\\`
- `sc.exe-{hash}.pf`.
"""
print_info(title, content)
def destination_file_system():
title = "Destination File System"
content = """
File Creation Artifacts:
- Malicious executables or DLLs:
- `evil.exe` or `evil.dll`.
- Prefetch - `C:\\Windows\\Prefetch\\`
- Tracks execution of `evil.exe` or service DLLs.
"""
print_info(title, content)
def service_replacement_examples():
title = "Service Replacement Examples"
content = """
Service replacement involves modifying legitimate services to execute malicious payloads.
### Example 1: Binary Path Manipulation
Modify the `ImagePath` registry key to point to a malicious executable:
- Key Path: `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\<ServiceName>\\ImagePath`
- New Value: `C:\\temp\\evil.exe`
### Example 2: DLL Hijacking in Services
Replace a legitimate service DLL with a malicious one:
- Locate service DLL in `\\CurrentControlSet\\Services\\<ServiceName>\\Parameters\\ServiceDll`.
- Replace the file with `evil.dll`.
### Example 3: Startup Type Abuse
Change the `Start` registry key to automatically start a malicious service:
- Key Path: `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\<ServiceName>\\Start`
- Value: `2` (Automatic Start).
### Example 4: Service Install Command
Use `sc` to create and start a malicious service:
- Command: `sc \\host create servicename binpath="c:\\temp\\evil.exe"`
"""
print_info(title, content)
def exploit_windows_services():
title = "Exploitation of Windows Services"
content = """
Windows services can be exploited in the following ways:
### 1. Privilege Escalation via Insecure Permissions
- Services with weak `DACL` permissions can be reconfigured by low-privileged users.
- Example: Modify `ImagePath` to point to a malicious binary.
### 2. DLL Search Order Hijacking
- Service executable dynamically loads a DLL without specifying a full path.
- Place a malicious DLL in the service's working directory.
### 3. Service Control Abuse
- Use `sc` or similar tools to start/stop services, potentially disrupting legitimate operations.
### 4. Unquoted Service Paths
- If the binary path contains spaces and is unquoted, an attacker can place a malicious executable in the path.
- Example:
- Path: `C:\\Program Files\\Legitimate Service\\binary.exe`.
- Malicious executable: `C:\\Program.exe`.
### 5. Creating New Services
- Install a new malicious service using `sc` or `psexec`.
- Example:
- `sc create maliciousservice binpath="c:\\temp\\evil.exe" start=auto`
### 6. Abusing Trusted Services
- Replace binaries or DLLs of highly trusted services, such as antivirus or backup services.
### Detection Tips:
- Monitor `system.evtx` for service start/stop events.
- Check `security.evtx` for suspicious service creation.
- Regularly audit `\\CurrentControlSet\\Services\\` for unexpected entries.
"""
print_info(title, content)

186
TTPs/Persistence/smbexec.py Normal file
View File

@ -0,0 +1,186 @@
import sys
from Modules.Imports.ttp_imports import *
from Modules.submenu import build_submenu
def smbexec_submenu():
"""
Submenu for SMBExec detection techniques.
"""
actions = {
"1": {"description": "Source Event Logs", "function": source_event_logs},
"2": {"description": "Destination Event Logs", "function": destination_event_logs},
"3": {"description": "Source Registry", "function": source_registry},
"4": {"description": "Destination Registry", "function": destination_registry},
"5": {"description": "Source File System", "function": source_file_system},
"6": {"description": "Destination File System", "function": destination_file_system},
"7": {"description": "Service Creation Details", "function": smbexec_service_creation},
"8": {"description": "Network Artifacts", "function": smbexec_network_artifacts},
"9": {"description": "Eviction Techniques", "function": smbexec_eviction_techniques},
"10": {"description": "Malware Case Study", "function": smbexec_malware_case_study},
}
build_submenu("SMBExec Persistence", actions)
# Individual submenu functions
def source_event_logs():
"""
Displays source event logs related to SMBExec.
"""
title = "SMBExec Source Event Logs"
content = """
- **security.evtx**
- `4776` - Logon specifying alternate credentials
- Current logged-on User Name
- Alternate User Name
- Destination Host Name/IP
- Process Name
"""
print_info(title, content)
def destination_event_logs():
"""
Displays destination event logs related to SMBExec.
"""
title = "SMBExec Destination Event Logs"
content = """
- **security.evtx**
- `4776` - Logon specifying alternate credentials
- Connecting User Name
- Process Name
- `4624` Logon Type 3
- Source IP/Logon User Name
- `4672`
- Logon User Name
- Logon by a user with administrative rights
- `4634` Type 3 (session end)
- **system.evtx**
- `7045` - Service installation
- Default service name: "BTOBTO" or a random 8-character mixed-case string.
- `7036` Service start/stop events
"""
print_info(title, content)
def source_registry():
"""
Displays source registry information related to SMBExec.
"""
title = "SMBExec Source Registry"
content = """
- **NTUSER.DAT**
- Software\\SysInternals\\SMBExec\\EulaAccepted
- **ShimCache** SYSTEM
- smbexec.exe
- **BAM_DAM** SYSTEM Last Time Executed
- smbexec.exe
- **AmCache.hve** First Time Executed
- smbexec.exe
"""
print_info(title, content)
def destination_registry():
"""
Displays destination registry information related to SMBExec.
"""
title = "SMBExec Destination Registry"
content = """
- SYSTEM\\CurrentControlSet\\Services\\<ServiceName>
- Default: "BTOBTO" or random 8-character string.
- **ShimCache** SYSTEM
- smbexecsvc.exe
- **AmCache.hve**
- First Time Executed
- smbexecsvc.exe
"""
print_info(title, content)
def source_file_system():
"""
Displays source file system artifacts related to SMBExec.
"""
title = "SMBExec Source File System"
content = """
- **Prefetch** C:\\Windows\\Prefetch\\
- smbexec.exe-{hash}.pf
- **File Creation**
- smbexec.exe file downloaded and created on the local host.
"""
print_info(title, content)
def destination_file_system():
"""
Displays destination file system artifacts related to SMBExec.
"""
title = "SMBExec Destination File System"
content = """
- **Prefetch** C:\\Windows\\Prefetch\\
- smbexecsvc.exe-{hash}.pf
- execute.bat-{hash}.pf
- **File Creation**
- `execute.bat` created in C:\\Windows\\TEMP\\
- User-specified commands echoed to `execute.bat`.
- Temporary batch file removed after execution.
"""
print_info(title, content)
def smbexec_service_creation():
"""
Displays details about SMBExec service creation events.
"""
title = "SMBExec Service Creation Details"
content = """
- Service Name:
- Default: "BTOBTO"
- Updated to a random 8-character mixed-case string in May 2023.
- Executable: `execute.bat` created for every command.
- Event Log Evidence:
- `7045` in `system.evtx` logs service creation.
- Command executed via:
- `%COMSPEC% /Q /c echo cd ^> \\127.0.0.1\\C$\\__output 2^>^&1 > %TEMP%\\execute.bat`.
"""
print_info(title, content)
def smbexec_network_artifacts():
"""
Displays network artifacts related to SMBExec activity.
"""
title = "SMBExec Network Artifacts"
content = """
- **Network Connections**:
- SMB protocol communication with the target.
- Evidence of ADMIN$ share access.
- **Network Traffic Analysis**:
- Monitor for suspicious SMB traffic to/from servers.
- Detect repeated connections with new service creation.
"""
print_info(title, content)
def smbexec_eviction_techniques():
"""
Displays information about SMBExec eviction techniques.
"""
title = "SMBExec Eviction Techniques"
content = """
- Remove temporary files:
- `execute.bat` is deleted after execution.
- Service cleanup:
- Services created for each command are removed after execution.
"""
print_info(title, content)
def smbexec_malware_case_study():
"""
Displays a malware case study involving SMBExec.
"""
title = "SMBExec Malware Case Study"
content = """
- **Case Study**:
- Malware using SMBExec for lateral movement.
- Leveraged temporary service creation for executing commands.
- Indicators:
- Random service names.
- Temporary batch files in `C:\\Windows\\TEMP`.
- **Detection**:
- Monitor Event ID 7045 for abnormal service names.
- Correlate with batch file creation and execution in `TEMP` directory.
"""
print_info(title, content)

188
TTPs/Persistence/wmi.py Normal file
View File

@ -0,0 +1,188 @@
from Modules.Imports.ttp_imports import *
from Modules.submenu import build_submenu
def wmi_submenu():
"""
Submenu for Windows Management Instrumentation (WMI) Persistence Indicators.
"""
actions = {
"1": {"description": "Source Event Logs", "function": source_event_logs},
"2": {"description": "Destination Event Logs", "function": destination_event_logs},
"3": {"description": "Source Registry", "function": source_registry},
"4": {"description": "Destination Registry", "function": destination_registry},
"5": {"description": "Source File System", "function": source_file_system},
"6": {"description": "Destination File System", "function": destination_file_system},
"7": {"description": "WMI Event Consumer Backdoors", "function": wmi_event_backdoors},
"8": {"description": "WMIEXEC Analysis", "function": wmiexec_analysis},
"9": {"description": "Additional Detection Tips", "function": additional_detection_tips},
}
build_submenu("WMI Persistence", actions)
# Individual submenu functions
def source_event_logs():
title = "WMI Source Event Logs"
content = """
`security.evtx`:
- `4648` Logon specifying alternate credentials
- Current logged-on User Name
- Alternate User Name
- Destination Host Name/IP
- Process Name
"""
print_info(title, content)
def destination_event_logs():
title = "WMI Destination Event Logs"
content = """
`security.evtx`:
- `4624` Logon Type 3
- Source IP/Logon User Name
- `4672`
- Logon User Name
- Logon by a user with administrative rights
`Microsoft-Windows-WMI-Activity/Operational.evtx`:
- `5857`
- Indicates time of wmiprvse execution and path to provider DLL attackers sometimes install malicious WMI provider DLLs.
- `5860`, `5861`
- Registration of Temporary (5860) and Permanent (5861) Event Consumers.
- Typically used for persistence, but can also be used for remote execution.
"""
print_info(title, content)
def source_registry():
title = "WMI Source Registry"
content = """
- **ShimCache** SYSTEM
- `wmic.exe`
- **BAM_DAM** SYSTEM Last Time Executed
- `wmic.exe`
- **AmCache.hve** First Time Executed
- `wmic.exe`
"""
print_info(title, content)
def destination_registry():
title = "WMI Destination Registry"
content = """
- **ShimCache** SYSTEM
- `scrcons.exe`
- `mofcomp.exe`
- `wmiprvse.exe`
- `evil.exe`
- **AmCache.hve** First Time Executed
- `scrcons.exe`
- `mofcomp.exe`
- `wmiprvse.exe`
- `evil.exe`
"""
print_info(title, content)
def source_file_system():
title = "WMI Source File System"
content = """
- **Prefetch**:
- `C:\\Windows\\Prefetch\\wmic.exe-{hash}.pf`
"""
print_info(title, content)
def destination_file_system():
title = "WMI Destination File System"
content = """
- **File Creation**:
- `evil.exe`
- `evil.mof` - .mof files can be used to manage the WMI Repository.
- **Prefetch**:
- `C:\\Windows\\Prefetch\\scrcons.exe-{hash}.pf`
- `C:\\Windows\\Prefetch\\mofcomp.exe-{hash}.pf`
- `C:\\Windows\\Prefetch\\wmiprvse.exe-{hash}.pf`
- `C:\\Windows\\Prefetch\\evil.exe-{hash}.pf`
- **Unauthorized changes to the WMI Repository**:
- `C:\\Windows\\System32\\wbem\\Repository`
"""
print_info(title, content)
def wmi_event_backdoors():
title = "WMI Event Consumer Backdoors"
content = """
### WMI Event Triggers:
- Event triggers can be used to execute arbitrary code when specific conditions are met.
### WMI Event Filters:
- Define conditions under which events trigger.
- Example: Trigger on process start.
### WMI Event Consumers:
- Define actions for triggered events.
- Example: Execute a script.
### WMI Event Bindings:
- Link filters and consumers.
- Example: Detect process start and execute a script.
### Example Malicious MOF File:
#PRAGMA AUTORECOVER #PRAGMA NAMESPACE("\\.\root\subscription")
instance of __EventFilter as $Filter { Name = "SCM Event Filter"; QueryLanguage = "WQL"; Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_Service' AND TargetInstance.Name='sens'"; };
instance of CommandLineEventConsumer as $Consumer { Name = "SCM Event Consumer"; ExecutablePath = "c:\windows\system32\cmd.exe"; CommandLineTemplate = "net stop sens && net start sens"; };
instance of __FilterToConsumerBinding { Filter = $Filter; Consumer = $Consumer; };
### Detection and Mitigation:
- Use tools like Sysmon or Autoruns to monitor WMI activity.
- Regular audits of WMI filters and consumers can identify unauthorized entries.
"""
print_info(title, content)
def wmiexec_analysis():
title = "WMIEXEC Analysis"
content = """
`wmiexec.py` Usage:
- **Command**: `wmiexec.py domain/username:password@[hostname | IP] command`
- Executes a semi-interactive shell using WMI.
- Uses UNIX Epoch Time in commands.
- NOT detected and blocked by Windows Defender by default.
### Windows Event Log Residue:
- **Multiple rounds**:
- Event ID `4776` in Security on target (for user specified in command).
- Event ID `4672` in Security on target (for user specified in command).
- Event ID `4624` Type 3 in Security on target (for user specified in command).
- **Always present**:
- Event ID `4688` in Security on target:
- `wmiprvse.exe` → `cmd.exe /Q /c cd \\ 1> \\127.0.0.1\\ADMIN$\\__ssssssssss.sssssss 2>&1`.
- Event ID `4688` in Security on target:
- `cmd.exe` → `conhost.exe 0xffffffff -ForceV1`.
- **If Enabled**:
- Event ID `5857/5858` in Microsoft-Windows-WMI-Activity\Operational on target.
### Detection Tips:
- Monitor for WMI commands triggering `wmiprvse.exe` and subsequent processes.
- Look for unusual Event ID patterns tied to administrative privileges.
"""
print_info(title, content)
def additional_detection_tips():
title = "Additional WMI Detection Tips"
content = """
### Advanced Detection:
- Enable and monitor verbose WMI logging in the `Microsoft-Windows-WMI-Activity` log.
- Use Sysmon Event IDs `20` (WMI Activity) and `21` (WMI Consumer/Filter) for detection.
### Correlation:
- Correlate WMI activity with unusual file system or registry changes.
- Watch for newly created `.mof` files or suspicious DLLs loaded by `wmiprvse.exe`.
### Threat Intelligence:
- Understand common TTPs for WMI abuse from frameworks like MITRE ATT&CK.
- Research WMI use by known APTs or malware families.
"""
print_info(title, content)