Delete TTPs/Persistence/dcom.py
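--- a/TTPs/Persistence/dcom.py
+++ /dev/null
@@ -1,105 +0,0 @@
-import sys
-from Modules.Imports.ttp_imports import *
-from Modules.submenu import build_submenu
-
-def dcom_submenu():
-"""
-Submenu for DCOM-based Persistence Indicators.
-"""
-actions = {
-"1": {"description": "DCOM Execution Overview", "function": dcom_execution_overview},
-"2": {"description": "Windows Event Log Residue", "function": windows_event_log_residue},
-"3": {"description": "Analysis of Commands Executed", "function": analyze_commands_executed},
-"4": {"description": "Detection and Mitigation", "function": detection_and_mitigation},
-}
-build_submenu("DCOM-Based Persistence", actions)
-
-def dcom_execution_overview():
-"""
-Provides an overview of DCOM execution for persistence.
-"""
-title = "DCOM Execution Overview"
-content = """
-### DCOM Execution (dcomexec.py):
-- **Command**: `dcomexec.py -object [ShellWindows | ShellBrowserWindow | MMC20] domain/username:password@[hostname | IP] command`
-- Specify a command to run or leave blank for shell.
-- Executes a semi-interactive shell using DCOM objects.
-- Must specify 'ShellWindows', 'ShellBrowserWindow', or 'MMC20' via the `-object` parameter.
-- Uses the first 5 digits of the UNIX Epoch Time in commands.
-
-**Features**:
-- Not detected or blocked by Windows Defender by default.
-"""
-print_info(title, content)
-
-def windows_event_log_residue():
-"""
-Describes the Windows Event Log residue left by DCOM execution.
-"""
-title = "Windows Event Log Residue"
-content = """
-### Event Log Residue:
-- Two rounds of:
-- Event ID `4776` in Security on target (for user specified in command).
-- Event ID `4672` in Security on target (for user specified in command).
-- Event ID `4624` Type 3 in Security on target (for user specified in command).
-
-#### If Enabled:
-- Event ID `4688` in Security on target:
-- `svchost.exe → mmc.exe -Embedding`.
-- `mmc.exe → cmd.exe /Q /c cd \\ 1> \\127.0.0.1\\ADMIN$\\__sssss 2>&1` (where “s” is the first 5 digits of the UNIX Epoch Time).
-- `cmd.exe → conhost.exe 0xffffffff -ForceV1`.
-
-#### User Specified Commands:
-- Event ID `4688` in Security on target:
-- `mmc.exe → cmd.exe /Q /c command 1> \\127.0.0.1\\ADMIN$\\__sssss 2>&1`.
-- `cmd.exe → conhost.exe 0xffffffff -ForceV1`.
-
-- Two rounds of:
-- Event ID `4634` Type 3 in Security on target (for user specified in command).
-"""
-print_info(title, content)
-
-def analyze_commands_executed():
-"""
-Analyzes commands executed via DCOM for forensic insights.
-"""
-title = "Analysis of Commands Executed via DCOM"
-content = """
-### Command Execution Details:
-- DCOM execution involves creating a semi-interactive shell or running specific commands via DCOM objects.
-- Commands use `mmc.exe` and `cmd.exe`:
-- `mmc.exe → cmd.exe /Q /c command 1> \\127.0.0.1\\ADMIN$\\__sssss 2>&1`.
-- The temporary file (__sssss) is created in the ADMIN$ share and cleaned up after execution.
-
-**Key Indicators**:
-- Look for temporary files in the ADMIN$ share with names matching the pattern `__sssss`.
-- Monitor suspicious use of `mmc.exe` with the `-Embedding` flag.
-"""
-print_info(title, content)
-
-def detection_and_mitigation():
-"""
-Provides detection and mitigation strategies for DCOM execution.
-"""
-title = "Detection and Mitigation"
-content = """
-### Detection:
-- Monitor `security.evtx` and `system.evtx` for:
-- Event ID `4688` showing `mmc.exe` or `cmd.exe` with unusual arguments.
-- Event ID `4624` and `4672` indicating logon attempts.
-- Event ID `4634` showing logoff events.
-
-- Use tools like Sysmon to log detailed command-line activity:
-- Enable logging for `mmc.exe`, `cmd.exe`, and `conhost.exe`.
-- Look for suspicious command-line parameters, such as the `-Embedding` flag.
-
-### Mitigation:
-- Restrict DCOM usage via GPO:
-- Navigate to: `Computer Configuration > Administrative Templates > Windows Components > DCOM`.
-- Disable DCOM or restrict to trusted applications.
-
-- Regularly audit temporary files in ADMIN$ shares.
-- Use endpoint protection solutions to detect unusual DCOM activity.
-"""
-print_info(title, content)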