matthew/Hunt-AI
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update TTPs/Persistence/rdp.py

Browse Source
This commit is contained in:
Matthew Iverson
2024-11-24 11:30:34 -05:00
parent 9c8a926f8d
commit aa19188a4a
1 changed files with 20 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
TTPs/rdp.py → TTPs/Persistence/rdp.py
View File

@ -1,6 +1,6 @@
from Modules.Imports.protocol_imports import * from Modules.Imports.protocol_imports import *
def rdp_submenu(target_ip, open_ports): def rdp_submenu():
actions = { actions = {
"1": {"description": "Source Event Logs", "function": source_event_logs}, "1": {"description": "Source Event Logs", "function": source_event_logs},
"2": {"description": "Destination Event Logs", "function": destination_event_logs}, "2": {"description": "Destination Event Logs", "function": destination_event_logs},
@ -8,26 +8,28 @@ def rdp_submenu(target_ip, open_ports):
"4": {"description": "Destination Registry", "function": destination_registry}, "4": {"description": "Destination Registry", "function": destination_registry},
"5": {"description": "Source Artifacts", "function": source_artifacts}, "5": {"description": "Source Artifacts", "function": source_artifacts},
"6": {"description": "Destination Artifacts", "function": destination_artifacts}, "6": {"description": "Destination Artifacts", "function": destination_artifacts},
"7": {"description": "Extra", "function": extra_info}, "7": {"description": "Extra", "function": extra_rdp_info},
"8": {"description": "All", "function": run_all_rdp_checks}, "8": {"description": "All", "function": all_rdp_info},
} }
build_submenu("RDP Persistence", target_ip, actions, open_ports) build_submenu("RDP Persistence", actions)
# Individual submenu functions # Individual submenu functions
def source_event_logs(target_ip, open_ports): def source_event_logs():
title = "Source Event Logs" title = "RDP Source Event Logs"
content = ( content = """
f"- `security.evtx`\n" - `security.evtx`
f" - 4648: Logon specifying alternate credentials (NLA enabled)\n" - `4648` - Logon specifying alternate credentials - if NLA enabled on destination
f" - Current logged-on User Name\n" - Current logged-on User Name
f" - Alternate User Name\n" - Alternate User Name
f" - Destination Host Name/IP\n" - Destination Host Name/IP
f" - Process Name\n" - Process Name
f"- `Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx`\n" - `Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx`
f" - 1024: Destination Host Name\n" - `1024`
f" - 1102: Destination IP Address" - Destination Host Name
) - `1102`
run_command(title, content, target_ip, open_ports) - Destination IP Address
"""
print_info(title, content)
def destination_event_logs(target_ip, open_ports): def destination_event_logs(target_ip, open_ports):
title = "Destination Event Logs" title = "Destination Event Logs"