Delete TTPs/Persistence/powershell_remoting.py

2024-11-28 00:54:05 -05:00
parent 47590b84df
commit cd27b85641
1 changed files with 0 additions and 139 deletions
--- a/TTPs/Persistence/powershell_remoting.py
+++ b/TTPs/Persistence/powershell_remoting.py
@ -1,139 +0,0 @@
 import sys
 from Modules.Imports.ttp_imports import *
 from Modules.submenu import build_submenu
 def powershell_remoting_submenu():
    """
    Submenu for PowerShell Remoting detection techniques.
    """
    actions = {
        "1": {"description": "Source Event Logs", "function": source_event_logs},
        "2": {"description": "Source Registry", "function": source_registry},
        "3": {"description": "Source File System", "function": source_file_system},
        "4": {"description": "Destination Event Logs", "function": destination_event_logs},
        "5": {"description": "Destination Registry", "function": destination_registry},
        "6": {"description": "Destination File System", "function": destination_file_system},
    }
    build_submenu("PowerShell Remoting Persistence", actions)
 # Individual submenu functions
 def source_event_logs():
    """
    Displays source event logs related to PowerShell Remoting.
    """
    title = "PowerShell Remoting Source Event Logs"
    content = """
 - **security.evtx**
    - `4648` - Logon specifying alternate credentials
        - Current logged-on User Name
        - Alternate User Name
        - Destination Host Name/IP
        - Process Name
 - **Microsoft-Windows-WinRM/Operational.evtx**
    - `161` - Remote Authentication Error
    - `6` - WSMan Session initialize
        - Session created
        - Destination Host Name or IP
        - Current logged-on User Name
    - `8`, `15`, `16`, `33` - WSMan Session deinitialization
        - Closing of WSMan session
        - Current logged-on User Name
 - **Microsoft-Windows-PowerShell/Operational.evtx**
    - `40961`, `40962`
        - Records the local initiation of powershell.exe and associated user account
    - `8193` & `8194` - Session created
    - `8197` - Connect
        - Session closed
 """
    print_info(title, content)
 def source_registry():
    """
    Displays source registry information related to PowerShell Remoting.
    """
    title = "PowerShell Remoting Source Registry"
    content = """
 - **ShimCache** – SYSTEM
    - powershell.exe
 - **BAM_DAM** – SYSTEM – Last Time Executed
    - powershell.exe
 - **AmCache.hve** – First Time Executed
    - powershell.exe
 """
    print_info(title, content)
 def source_file_system():
    """
    Displays source file system artifacts related to PowerShell Remoting.
    """
    title = "PowerShell Remoting Source File System"
    content = """
 - **Prefetch** – C:\\Windows\\Prefetch\\
    - powershell.exe-{hash}.pf
    - PowerShell scripts (.ps1 files) that run within 10 seconds of powershell.exe launching will be tracked in powershell.exe prefetch file
 - **Command history**
    - C:\\Users\\<Username>\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadline\\ConsoleHost_history.txt
        - With PS v5+, a history file with previous 4096 commands is maintained per user
 """
    print_info(title, content)
 def destination_event_logs():
    """
    Displays destination event logs related to PowerShell Remoting.
    """
    title = "PowerShell Remoting Destination Event Logs"
    content = """
 - **security.evtx**
    - `4624` – Logon Type 3
        - Source IP/Logon User Name
    - `4672`
        - Logon User Name
        - Logon by a user with administrative rights
 - **Microsoft-Windows-PowerShell%4Operational.evtx**
    - `4103`, `4104` – Script Block logging
        - Logs suspicious scripts by default in PS v5
        - Logs all scripts if configured
    - `53504` - Records the authenticating user
 - **Windows PowerShell.evtx**
    - `400/403` - "ServerRemoteHost" indicates start/end of remoting session
    - `800` - Includes partial script code
 - **Microsoft-Windows-WinRM/Operational.evtx**
    - `91` – Session creation
    - `142` – WSMan Operation Failure
    - `169` – Records the authenticating user
 """
    print_info(title, content)
 def destination_registry():
    """
    Displays destination registry information related to PowerShell Remoting.
    """
    title = "PowerShell Remoting Destination Registry"
    content = """
 - **ShimCache** – SYSTEM
    - wsmprovhost.exe
    - evil.exe
 - **SOFTWARE**
    - Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell\\ExecutionPolicy
        - Attacker may change execution policy to a less restrictive setting, such as "bypass"
 - **AmCache.hve** – First Time Executed
    - wsmprovhost.exe
    - evil.exe
 """
    print_info(title, content)
 def destination_file_system():
    """
    Displays destination file system artifacts related to PowerShell Remoting.
    """
    title = "PowerShell Remoting Destination File System"
    content = """
 - **File Creation**
    - evil.exe
    - With Enter-PSSession, a user profile directory may be created
 - **Prefetch** – C:\\Windows\\Prefetch\\
    - evil.exe-{hash}.pf
    - wsmprovhost.exe-{hash}.pf
 """
    print_info(title, content)