diff --git a/TTPs/Persistence/autostart.py b/TTPs/Persistence/autostart.py
deleted file mode 100644
index c42031f..0000000
--- a/TTPs/Persistence/autostart.py
+++ /dev/null
@@ -1,91 +0,0 @@
-from Modules.Imports.ttp_imports import *
-
-def autostart_submenu():
- build_submenu("Autostart Persistence", module=globals())
-
-def registry_run_keys():
- """
- Displays information about Registry Run Keys for Autostart.
- """
- title = "Registry Run Keys"
- content = """
-The most common ASEPs (AutoStart Extension Points) are the “Run” Registry keys:
-- NTUSER.DAT\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
-- NTUSER.DAT\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce
-- Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce
-- Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run
-- Software\\Microsoft\\Windows\\CurrentVersion\\Run
-
-These keys are executed when a user logs on. Monitoring these keys is crucial for detecting persistence mechanisms.
-"""
- print_info(title, content)
-
-def winlogon_userinit():
- """
- Displays information about the Winlogon Userinit ASEP.
- """
- title = "Winlogon Userinit"
- content = """
-The Winlogon Userinit key can be used to maintain persistence:
-- SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit
-
-This key typically contains:
-- C:\\Windows\\system32\\userinit.exe
-
-However, it can be modified to include malicious binaries:
-- Example: C:\\Windows\\system32\\userinit.exe,C:\\Temp\\malicious.exe
-"""
- print_info(title, content)
-
-def startup_folder():
- """
- Displays information about the Startup folder ASEP.
- """
- title = "Startup Folder"
- content = """
-The Startup folder allows for persistence by placing shortcuts in this folder:
-- %AppData%\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup
-
-Files in this folder automatically execute when a user logs on. Malware often uses this location for persistence.
-"""
- print_info(title, content)
-
-def investigative_notes():
- """
- Displays investigative notes about Autostart ASEPs.
- """
- title = "Investigative Notes"
- content = """
-Investigating ASEPs across multiple systems can help identify compromised hosts. Key notes:
-- ASEPs are numerous and diverse, requiring thorough examination.
-- Tools like Registry Explorer and RegRipper can retrieve additional ASEPs from Registry hives.
-- Analyzing data across systems may reveal outliers indicative of malicious activity.
-
-
-"""
- print_info(title, content)
-
-def autostart_extra():
- """
- Displays information about the Winlogon Userinit ASEP.
- """
- title = "Autostart Extra"
- content = """
-- Items in these keys are executed when a user logs on, unlike other ASEPs that act at boot.
-- Multiple "run" keys exist in both the NTUSER.DAT and SOFTWARE hives.
-- Another, less common but equally dangerous key is:
- - SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit.
-- This key typically contains a reference to `userinit.exe`, which by default:
- - Executes `Userinit.exe`.
- - Launches `Explorer.exe`.
-- However, it can be modified to include malicious binaries, such as:
- - `C:\\Windows\\system32\\userinit.exe,C:\\Temp\\winsvchost.exe`, which would run at boot.
-
-- Finally, `%AppData%\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup` allows for persistence by placing shortcuts in this folder.
-- These shortcuts automatically execute the associated binaries when a user logs on.
-- Malware has recently gravitated back to this old attack vector.
-- Although these locations are very common for ASEPs, many more exist.
-- Tools like Registry Explorer and RegRipper can retrieve additional ASEPs from Registry hives.
-- Analyzing data across systems may reveal outliers leading to compromised systems.
-"""
- print_info(title, content)
\ No newline at end of file