Delete TTPs/Persistence/powershell_remoting.py

2024-11-28 00:54:05 -05:00
parent 47590b84df
commit cd27b85641
1 changed files with 0 additions and 139 deletions
--- a/TTPs/Persistence/powershell_remoting.py
+++ b/TTPs/Persistence/powershell_remoting.py
@ -1,139 +0,0 @@
-import sys
-from Modules.Imports.ttp_imports import *
-from Modules.submenu import build_submenu
-
-def powershell_remoting_submenu():
-    """
-    Submenu for PowerShell Remoting detection techniques.
-    """
-    actions = {
-        "1": {"description": "Source Event Logs", "function": source_event_logs},
-        "2": {"description": "Source Registry", "function": source_registry},
-        "3": {"description": "Source File System", "function": source_file_system},
-        "4": {"description": "Destination Event Logs", "function": destination_event_logs},
-        "5": {"description": "Destination Registry", "function": destination_registry},
-        "6": {"description": "Destination File System", "function": destination_file_system},
-    }
-    build_submenu("PowerShell Remoting Persistence", actions)
-
-# Individual submenu functions
-
-def source_event_logs():
-    """
-    Displays source event logs related to PowerShell Remoting.
-    """
-    title = "PowerShell Remoting Source Event Logs"
-    content = """
- **security.evtx**
-    - `4648` - Logon specifying alternate credentials
-        - Current logged-on User Name
-        - Alternate User Name
-        - Destination Host Name/IP
-        - Process Name
- **Microsoft-Windows-WinRM/Operational.evtx**
-    - `161` - Remote Authentication Error
-    - `6` - WSMan Session initialize
-        - Session created
-        - Destination Host Name or IP
-        - Current logged-on User Name
-    - `8`, `15`, `16`, `33` - WSMan Session deinitialization
-        - Closing of WSMan session
-        - Current logged-on User Name
- **Microsoft-Windows-PowerShell/Operational.evtx**
-    - `40961`, `40962`
-        - Records the local initiation of powershell.exe and associated user account
-    - `8193` & `8194` - Session created
-    - `8197` - Connect
-        - Session closed
-"""
-    print_info(title, content)
-
-def source_registry():
-    """
-    Displays source registry information related to PowerShell Remoting.
-    """
-    title = "PowerShell Remoting Source Registry"
-    content = """
- **ShimCache** – SYSTEM
-    - powershell.exe
- **BAM_DAM** – SYSTEM – Last Time Executed
-    - powershell.exe
- **AmCache.hve** – First Time Executed
-    - powershell.exe
-"""
-    print_info(title, content)
-
-def source_file_system():
-    """
-    Displays source file system artifacts related to PowerShell Remoting.
-    """
-    title = "PowerShell Remoting Source File System"
-    content = """
- **Prefetch** – C:\\Windows\\Prefetch\\
-    - powershell.exe-{hash}.pf
-    - PowerShell scripts (.ps1 files) that run within 10 seconds of powershell.exe launching will be tracked in powershell.exe prefetch file
- **Command history**
-    - C:\\Users\\<Username>\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadline\\ConsoleHost_history.txt
-        - With PS v5+, a history file with previous 4096 commands is maintained per user
-"""
-    print_info(title, content)
-
-def destination_event_logs():
-    """
-    Displays destination event logs related to PowerShell Remoting.
-    """
-    title = "PowerShell Remoting Destination Event Logs"
-    content = """
- **security.evtx**
-    - `4624` – Logon Type 3
-        - Source IP/Logon User Name
-    - `4672`
-        - Logon User Name
-        - Logon by a user with administrative rights
- **Microsoft-Windows-PowerShell%4Operational.evtx**
-    - `4103`, `4104` – Script Block logging
-        - Logs suspicious scripts by default in PS v5
-        - Logs all scripts if configured
-    - `53504` - Records the authenticating user
- **Windows PowerShell.evtx**
-    - `400/403` - "ServerRemoteHost" indicates start/end of remoting session
-    - `800` - Includes partial script code
- **Microsoft-Windows-WinRM/Operational.evtx**
-    - `91` – Session creation
-    - `142` – WSMan Operation Failure
-    - `169` – Records the authenticating user
-"""
-    print_info(title, content)
-
-def destination_registry():
-    """
-    Displays destination registry information related to PowerShell Remoting.
-    """
-    title = "PowerShell Remoting Destination Registry"
-    content = """
- **ShimCache** – SYSTEM
-    - wsmprovhost.exe
-    - evil.exe
- **SOFTWARE**
-    - Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell\\ExecutionPolicy
-        - Attacker may change execution policy to a less restrictive setting, such as "bypass"
- **AmCache.hve** – First Time Executed
-    - wsmprovhost.exe
-    - evil.exe
-"""
-    print_info(title, content)
-
-def destination_file_system():
-    """
-    Displays destination file system artifacts related to PowerShell Remoting.
-    """
-    title = "PowerShell Remoting Destination File System"
-    content = """
- **File Creation**
-    - evil.exe
-    - With Enter-PSSession, a user profile directory may be created
- **Prefetch** – C:\\Windows\\Prefetch\\
-    - evil.exe-{hash}.pf
-    - wsmprovhost.exe-{hash}.pf
-"""
-    print_info(title, content)