Update TTPs/Persistence/rdp.py

TTPs/Persistence/rdp.py

@@ -0,0 +1,122 @@
+from Modules.Imports.protocol_imports import *
+
+def rdp_submenu():
+    actions = {
+        "1": {"description": "Source Event Logs", "function": source_event_logs},
+        "2": {"description": "Destination Event Logs", "function": destination_event_logs},
+        "3": {"description": "Source Registry", "function": source_registry},
+        "4": {"description": "Destination Registry", "function": destination_registry},
+        "5": {"description": "Source Artifacts", "function": source_artifacts},
+        "6": {"description": "Destination Artifacts", "function": destination_artifacts},
+        "7": {"description": "Extra", "function": extra_rdp_info},
+        "8": {"description": "All", "function": all_rdp_info},
+    }
+    build_submenu("RDP Persistence", actions)
+
+# Individual submenu functions
+def source_event_logs():
+    title = "RDP Source Event Logs"
+    content = """
+- `security.evtx`
+    - `4648` - Logon specifying alternate credentials - if NLA enabled on destination
+        - Current logged-on User Name
+        - Alternate User Name
+        - Destination Host Name/IP
+        - Process Name
+- `Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx`
+    - `1024`
+        - Destination Host Name
+    - `1102`
+        - Destination IP Address
+"""
+    print_info(title, content)
+
+def destination_event_logs(target_ip, open_ports):
+    title = "Destination Event Logs"
+    content = (
+        f"- **Security Event Log** – `security.evtx`\n"
+        f"  - 4624: Logon Type 10\n"
+        f"    - Source IP/Logon User Name\n"
+        f"  - 4778/4779\n"
+        f"    - IP Address of Source/Source System Name\n"
+        f"    - Logon User Name\n"
+        f"- `Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx`\n"
+        f"  - 131: Connection Attempts (Source IP)\n"
+        f"  - 98: Successful Connections\n"
+        f"- `Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx`\n"
+        f"  - 1149: Source IP/Logon User Name (Blank user name may indicate Sticky Keys)\n"
+        f"- `Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx`\n"
+        f"  - 21, 22, 25: Source IP/Logon User Name\n"
+        f"  - 41: Logon User Name"
+    )
+    run_command(title, content, target_ip, open_ports)
+
+def source_registry(target_ip, open_ports):
+    title = "Source Registry"
+    content = (
+        f"- `NTUSER\\Software\\Microsoft\\Terminal Server Client\\Servers`: Remote desktop destinations (per-user)\n"
+        f"- `ShimCache` – SYSTEM: Tracks `mstsc.exe` (Remote Desktop Client)\n"
+        f"- `BAM_DAM` – SYSTEM: Last Time Executed (`mstsc.exe`)\n"
+        f"- `AmCache.hve`: First Time Executed (`mstsc.exe`)\n"
+        f"- `UserAssist` – `NTUSER.DAT`\n"
+        f"  - Tracks execution of `mstsc.exe` (Remote Desktop Client)\n"
+        f"- `RecentApps` – `NTUSER.DAT`\n"
+        f"  - Tracks `mstsc.exe` and connection destinations"
+    )
+    run_command(title, content, target_ip, open_ports)
+
+def destination_registry(target_ip, open_ports):
+    title = "Destination Registry"
+    content = (
+        f"- `ShimCache` - SYSTEM\n"
+        f"  - Tracks `rdpclip.exe` and `tstheme.exe`\n"
+        f"- `AmCache.hve`: First Time Executed\n"
+        f"  - Tracks `rdpclip.exe` and `tstheme.exe`"
+    )
+    run_command(title, content, target_ip, open_ports)
+
+def source_artifacts(target_ip, open_ports):
+    title = "Source File System Artifacts"
+    content = (
+        f"- Jumplists: `C:\\Users\\<Username>\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\`\n"
+        f"  - Tracks remote desktop connection destinations and times\n"
+        f"- Prefetch: `C:\\Windows\\Prefetch\\`\n"
+        f"  - Tracks execution of `mstsc.exe`\n"
+        f"- Bitmap Cache: `C:\\Users\\<Username>\\AppData\\Local\\Microsoft\\TerminalServer Client\\Cache`\n"
+        f"- Default.rdp file: `C:\\Users\\<Username>\\Documents\\`"
+    )
+    run_command(title, content, target_ip, open_ports)
+
+def destination_artifacts(target_ip, open_ports):
+    title = "Destination File System Artifacts"
+    content = (
+        f"- Prefetch: `C:\\Windows\\Prefetch\\`\n"
+        f"  - Tracks execution of `rdpclip.exe` and `tstheme.exe`"
+    )
+    run_command(title, content, target_ip, open_ports)
+
+def extra_info(target_ip, open_ports):
+    title = "Extra Information"
+    content = (
+        f"- [RDP Authentication vs. Authorization - 13Cubed](https://youtu.be/OlENso8_u7s)\n"
+        f"- Key Concepts:\n"
+        f"  - RDP_NLA (Network Level Authentication)\n"
+        f"  - RDP_successful_logon event codes\n"
+        f"    - 1149 > 4624 type 10 (established) OR 7 (reconnect) > 21 > 22\n"
+        f"  - Understand authentication failures vs. authorization successes"
+    )
+    run_command(title, content, target_ip, open_ports)
+
+def run_all_rdp_checks(target_ip, open_ports):
+    title = "Run All RDP Checks"
+    content = "Executing all RDP persistence checks. Please wait..."
+    run_command(title, content, target_ip, open_ports)
+
+    # Sequentially run all functions
+    source_event_logs(target_ip, open_ports)
+    destination_event_logs(target_ip, open_ports)
+    source_registry(target_ip, open_ports)
+    destination_registry(target_ip, open_ports)
+    source_artifacts(target_ip, open_ports)
+    destination_artifacts(target_ip, open_ports)
+    extra_info(target_ip, open_ports)