diff --git a/TTPs/Persistence/rdp.py b/TTPs/Persistence/rdp.py
deleted file mode 100644
index 75c0cab..0000000
--- a/TTPs/Persistence/rdp.py
+++ /dev/null
@@ -1,141 +0,0 @@ -import sys -from Modules.Imports.ttp_imports import * -from Modules.submenu import build_submenu - -import TTPs.Persistence.rdp as rdp - -def rdp_submenu(): - actions = { - "1": {"description": "Source Event Logs", "function": source_event_logs}, - "2": {"description": "Destination Event Logs", "function": destination_event_logs}, - "3": {"description": "Source Registry", "function": source_registry}, - "4": {"description": "Destination Registry", "function": destination_registry}, - "5": {"description": "Source Artifacts", "function": source_artifacts}, - "6": {"description": "Destination Artifacts", "function": destination_artifacts}, - "7": {"description": "Extra", "function": extra_rdp_info}, - } - build_submenu("RDP Persistence", actions) - -# Individual submenu functions -def source_event_logs(): - title = "RDP Source Event Logs" - content = """ -- `security.evtx` - - `4648` - Logon specifying alternate credentials - if NLA enabled on destination - - Current logged-on User Name - - Alternate User Name - - Destination Host Name/IP - - Process Name -- `Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx` - - `1024` - - Destination Host Name - - `1102` - - Destination IP Address -""" - print_info(title, content) - -def destination_event_logs(): - title = "RDP Destination Event Logs" - content = """ -- **Security Event Log** - `security.evtx` - - `4624` Logon Type 10 - - Source IP/Logon User Name - - `4778/4779` - - IP Address of Source/Source System Name - - Logon User Name -- `Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx` - - `131` - Connection Attempts - - Source IP - - `98` - Successful Connections -- `Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx` - - `1149` - - Source IP/Logon User Name - - Blank user name may indicate use of Sticky Keys -- `Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx` - - 21, 22, 25 - - Source IP/Logon User Name - - 41 - - Logon 
User Name -""" - print_info(title, content) - - -def source_registry(): - title = "RDP Source Registry" - content = """ -- Remote desktop destinations are tracked per-user - - `NTUSER\\Software\\Microsoft\\Terminal Server Client\\Servers` -- [[ShimCache]] - SYSTEM - - `mstsc.exe` Remote Desktop Client -- [[BAM_DAM]] - SYSTEM - Last Time Executed - - `mstsc.exe` Remote Desktop Client -- [[AmCache.hve]] - First Time Executed - - `mstsc.exe` -- UserAssist - `NTUSER.DAT` - - `mstsc.exe` Remote Desktop Client execution - - Last Time Executed - - Number of Times Executed -- RecentApps - `NTUSER.DAT` - - `mstsc.exe` - - Remote Desktop Client execution - - Last Time Executed - - Number of Times Executed - - RecentItems subkey tracks connection destinations and times -""" - print_info(title, content) - -def destination_registry(): - title = "RDP Destination Registry" - content = """ -- [[ShimCache]] - SYSTEM - - `rdpclip.exe` - - `tstheme.exe` -- [[AmCache.hve]] - First Time Executed - - `rdpclip.exe` - - `tstheme.exe` -""" - print_info(title, content) - - -def source_artifacts(): - title = "RDP Source File System Artifacts" - content = """ -- Jumplists - `C:\\Users\\\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\` - - `{MSTSC-APPID}-automaticDestinations-ms` - - Tracks remote desktop connection destination and times -- [[Prefetch]] - `C:\\Windows\\Prefetch\\` - - `mstsc.exe-{hash}.pf` -- [[Bitmap_Cache]] - `C:\\Users\\\\AppData\\Local\\Microsoft\\TerminalServer Client\\Cache` - - bcache##.bmc - - cache####.bin -- Default.rdp file - - - `C:\\Users\\\\Documents\\` -""" - print_info(title, content) - - -def destination_artifacts(): - title = "RDP Destination File System Artifacts" - content = """ -- Prefetch - `C:\\Windows\\Prefetch\\` -- `rdpclip.exe-{hash}.pf` -- `tstheme.exe-{hash}.pf` -""" - print_info(title, content) - - -def extra_rdp_info(): - title = "RDP Extra Information" - content = """ -# RDP Authentication vs. 
Authorization -- RDP authentication happens prior to session establishment (NLA). -- Know when authentication can fail and authorization can succeed. - -# RDP Event Flow -1149 > 4624 (type 10) OR 7 (reconnect) > 21 > 22 -- 1149: Authentication succeeded -- 4624: Account successfully logged on -- 21: Session logon succeeded -- 22: Shell start notification received -""" - print_info(title, content) \ No newline at end of file