From f134383b9a8463cb8a4f221296f0f8086c2aa38c Mon Sep 17 00:00:00 2001
From: Matthew Iverson
Date: Thu, 28 Nov 2024 00:53:57 -0500
Subject: [PATCH] Delete TTPs/Persistence/dcom.py

---
 TTPs/Persistence/dcom.py | 105 ---------------------------------------
 1 file changed, 105 deletions(-)
 delete mode 100644 TTPs/Persistence/dcom.py
diff --git a/TTPs/Persistence/dcom.py b/TTPs/Persistence/dcom.py
deleted file mode 100644
index b6ff0bc..0000000
--- a/TTPs/Persistence/dcom.py
+++ /dev/null
@@ -1,105 +0,0 @@
-import sys
-from Modules.Imports.ttp_imports import *
-from Modules.submenu import build_submenu
-
-def dcom_submenu():
- """
- Submenu for DCOM-based Persistence Indicators.
- """
- actions = {
- "1": {"description": "DCOM Execution Overview", "function": dcom_execution_overview},
- "2": {"description": "Windows Event Log Residue", "function": windows_event_log_residue},
- "3": {"description": "Analysis of Commands Executed", "function": analyze_commands_executed},
- "4": {"description": "Detection and Mitigation", "function": detection_and_mitigation},
- }
- build_submenu("DCOM-Based Persistence", actions)
-
-def dcom_execution_overview():
- """
- Provides an overview of DCOM execution for persistence.
- """
- title = "DCOM Execution Overview"
- content = """
-### DCOM Execution (dcomexec.py):
-- **Command**: `dcomexec.py -object [ShellWindows | ShellBrowserWindow | MMC20] domain/username:password@[hostname | IP] command`
- - Specify a command to run or leave blank for shell.
- - Executes a semi-interactive shell using DCOM objects.
- - Must specify 'ShellWindows', 'ShellBrowserWindow', or 'MMC20' via the `-object` parameter.
- - Uses the first 5 digits of the UNIX Epoch Time in commands.
-
-**Features**:
-- Not detected or blocked by Windows Defender by default.
-"""
- print_info(title, content)
-
-def windows_event_log_residue():
- """
- Describes the Windows Event Log residue left by DCOM execution.
- """
- title = "Windows Event Log Residue"
- content = """
-### Event Log Residue:
-- Two rounds of:
- - Event ID `4776` in Security on target (for user specified in command).
- - Event ID `4672` in Security on target (for user specified in command).
- - Event ID `4624` Type 3 in Security on target (for user specified in command).
-
-#### If Enabled:
-- Event ID `4688` in Security on target:
- - `svchost.exe → mmc.exe -Embedding`.
- - `mmc.exe → cmd.exe /Q /c cd \\ 1> \\127.0.0.1\\ADMIN$\\__sssss 2>&1` (where “s” is the first 5 digits of the UNIX Epoch Time).
- - `cmd.exe → conhost.exe 0xffffffff -ForceV1`.
-
-#### User Specified Commands:
-- Event ID `4688` in Security on target:
- - `mmc.exe → cmd.exe /Q /c command 1> \\127.0.0.1\\ADMIN$\\__sssss 2>&1`.
- - `cmd.exe → conhost.exe 0xffffffff -ForceV1`.
-
-- Two rounds of:
- - Event ID `4634` Type 3 in Security on target (for user specified in command).
-"""
- print_info(title, content)
-
-def analyze_commands_executed():
- """
- Analyzes commands executed via DCOM for forensic insights.
- """
- title = "Analysis of Commands Executed via DCOM"
- content = """
-### Command Execution Details:
-- DCOM execution involves creating a semi-interactive shell or running specific commands via DCOM objects.
-- Commands use `mmc.exe` and `cmd.exe`:
- - `mmc.exe → cmd.exe /Q /c command 1> \\127.0.0.1\\ADMIN$\\__sssss 2>&1`.
- - The temporary file (__sssss) is created in the ADMIN$ share and cleaned up after execution.
-
-**Key Indicators**:
-- Look for temporary files in the ADMIN$ share with names matching the pattern `__sssss`.
-- Monitor suspicious use of `mmc.exe` with the `-Embedding` flag.
-"""
- print_info(title, content)
-
-def detection_and_mitigation():
- """
- Provides detection and mitigation strategies for DCOM execution.
- """
- title = "Detection and Mitigation"
- content = """
-### Detection:
-- Monitor `security.evtx` and `system.evtx` for:
- - Event ID `4688` showing `mmc.exe` or `cmd.exe` with unusual arguments.
- - Event ID `4624` and `4672` indicating logon attempts.
- - Event ID `4634` showing logoff events.
-
-- Use tools like Sysmon to log detailed command-line activity:
- - Enable logging for `mmc.exe`, `cmd.exe`, and `conhost.exe`.
- - Look for suspicious command-line parameters, such as the `-Embedding` flag.
-
-### Mitigation:
-- Restrict DCOM usage via GPO:
- - Navigate to: `Computer Configuration > Administrative Templates > Windows Components > DCOM`.
- - Disable DCOM or restrict to trusted applications.
-
-- Regularly audit temporary files in ADMIN$ shares.
-- Use endpoint protection solutions to detect unusual DCOM activity.
-"""
- print_info(title, content)