From aa19188a4af525d285f0c8fda57117441957379e Mon Sep 17 00:00:00 2001
From: Matthew Iverson
Date: Sun, 24 Nov 2024 11:30:34 -0500
Subject: [PATCH] Update TTPs/Persistence/rdp.py

---
 TTPs/{ => Persistence}/rdp.py | 38 ++++++++++++++++++-----------------
 1 file changed, 20 insertions(+), 18 deletions(-)
 rename TTPs/{ => Persistence}/rdp.py (84%)

diff --git a/TTPs/rdp.py b/TTPs/Persistence/rdp.py
similarity index 84%
rename from TTPs/rdp.py
rename to TTPs/Persistence/rdp.py
index 22f7f00..c7504d7 100644
--- a/TTPs/rdp.py
+++ b/TTPs/Persistence/rdp.py
@@ -1,6 +1,6 @@
 from Modules.Imports.protocol_imports import *
 
-def rdp_submenu(target_ip, open_ports):
+def rdp_submenu():
     actions = {
         "1": {"description": "Source Event Logs", "function": source_event_logs},
         "2": {"description": "Destination Event Logs", "function": destination_event_logs},
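Review bot: Dropping `target_ip` and `open_ports` from `rdp_submenu` breaks any caller that still passes them, and nothing in this patch touches a call site; if a parent menu elsewhere still invokes `rdp_submenu(target_ip, open_ports)`, that now raises TypeError, so the caller should be updated in the same change. The function also has no docstring; with the target gone it is worth stating what the menu now does, e.g. `"""Show the RDP persistence checklist menu; each numbered entry maps to a handler defined in this module."""`. The `actions` dict and the rest of the function continue in the next hunk.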
@@ -8,26 +8,28 @@ def rdp_submenu(target_ip, open_ports):
         "4": {"description": "Destination Registry", "function": destination_registry},
         "5": {"description": "Source Artifacts", "function": source_artifacts},
         "6": {"description": "Destination Artifacts", "function": destination_artifacts},
-        "7": {"description": "Extra", "function": extra_info},
-        "8": {"description": "All", "function": run_all_rdp_checks},
+        "7": {"description": "Extra", "function": extra_rdp_info},
+        "8": {"description": "All", "function": all_rdp_info},
     }
-    build_submenu("RDP Persistence", target_ip, actions, open_ports)
+    build_submenu("RDP Persistence", actions)
 
 # Individual submenu functions
-def source_event_logs(target_ip, open_ports):
-    title = "Source Event Logs"
-    content = (
-        f"- `security.evtx`\n"
-        f"  - 4648: Logon specifying alternate credentials (NLA enabled)\n"
-        f"    - Current logged-on User Name\n"
-        f"    - Alternate User Name\n"
-        f"    - Destination Host Name/IP\n"
-        f"    - Process Name\n"
-        f"- `Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx`\n"
-        f"  - 1024: Destination Host Name\n"
-        f"  - 1102: Destination IP Address"
-    )
-    run_command(title, content, target_ip, open_ports)
+def source_event_logs():
+    title = "RDP Source Event Logs"
+    content = """
+- `security.evtx`
+  - `4648` - Logon specifying alternate credentials - if NLA enabled on destination
+    - Current logged-on User Name
+    - Alternate User Name
+    - Destination Host Name/IP
+    - Process Name
+- `Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx`
+  - `1024`
+    - Destination Host Name
+  - `1102`
+    - Destination IP Address
+"""
+    print_info(title, content)
 
 def destination_event_logs(target_ip, open_ports):
     title = "Destination Event Logs"
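Review bot: `destination_event_logs(target_ip, open_ports)` at the end of the hunk keeps the old two-parameter signature while `rdp_submenu` now calls `build_submenu("RDP Persistence", actions)` with no target and the rewritten `source_event_logs()` takes no arguments; if `build_submenu` invokes the selected handler with no arguments, as the new `source_event_logs` implies, choosing option 2 raises TypeError. The remaining handlers should be converted in the same way, `def destination_event_logs():` with `print_info(title, content)` replacing the `run_command(...)` call, or all of them should keep the old form. The body of `destination_event_logs` continues past the hunk, so I cannot see whether it still calls `run_command`. Separately, the new `source_event_logs` has no docstring; a one-liner such as `"""Print the source-host artifacts of an outbound RDP session: Security 4648 and RDPClient Operational 1024/1102."""` would document what the block prints.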