Delete TTPs/Persistence/service.py

2024-11-28 00:53:41 -05:00
parent aa81dbb84a
commit f7b50f0344
1 changed files with 0 additions and 154 deletions
--- a/TTPs/Persistence/service.py
+++ b/TTPs/Persistence/service.py
@ -1,154 +0,0 @@
-import sys
-from Modules.Imports.ttp_imports import *
-from Modules.submenu import build_submenu
-
-def service_submenu():
-    """
-    Submenu for Service-based Persistence Indicators.
-    """
-    actions = {
-        "1": {"description": "Source Event Logs", "function": source_event_logs},
-        "2": {"description": "Destination Event Logs", "function": destination_event_logs},
-        "3": {"description": "Source Registry", "function": source_registry},
-        "4": {"description": "Destination Registry", "function": destination_registry},
-        "5": {"description": "Source File System", "function": source_file_system},
-        "6": {"description": "Destination File System", "function": destination_file_system},
-        "7": {"description": "Service Replacement Examples", "function": service_replacement_examples},
-        "8": {"description": "Exploitation of Windows Services", "function": exploit_windows_services},
-    }
-    build_submenu("Service-Based Persistence", actions)
-
-def source_event_logs():
-    title = "Source Event Logs"
-    content = """
-No specific source event logs are generated for service-based persistence.
-"""
-    print_info(title, content)
-
-def destination_event_logs():
-    title = "Destination Event Logs"
-    content = """
- `security.evtx`
-    - `4624` Logon Type 3
-        - Source IP/Logon User Name
-    - `4697`
-        - Records service installation (non-default)
-    - Useful for centralized log monitoring.
-
- `system.evtx`
-    - `7034` - Service crashed unexpectedly.
-    - `7035` - Service sent a Start/Stop control.
-    - `7036` - Service started or stopped.
-    - `7040` - Start type changed (Boot | On Request | Disabled).
-    - `7045` - A service was installed on the system.
-"""
-    print_info(title, content)
-
-def source_registry():
-    title = "Source Registry"
-    content = """
-Registry Artifacts:
- [[ShimCache]] - SYSTEM
-    - Tracks `sc.exe`.
- [[BAM_DAM]] - SYSTEM - Last Time Executed
-    - Tracks `sc.exe`.
- [[AmCache.hve]]
-    - Tracks first execution of `sc.exe`.
-"""
-    print_info(title, content)
-
-def destination_registry():
-    title = "Destination Registry"
-    content = """
-Registry Artifacts:
- SYSTEM
-    - `\\CurrentControlSet\\Services\\` - New service creation.
- [[ShimCache]] - SYSTEM
-    - Tracks `evil.exe`.
- [[AmCache.hve]] - First Time Executed
-    - Tracks `evil.exe`.
-"""
-    print_info(title, content)
-
-def source_file_system():
-    title = "Source File System"
-    content = """
-Prefetch Artifacts:
- Prefetch - `C:\\Windows\\Prefetch\\`
-    - `sc.exe-{hash}.pf`.
-"""
-    print_info(title, content)
-
-def destination_file_system():
-    title = "Destination File System"
-    content = """
-File Creation Artifacts:
- Malicious executables or DLLs:
-    - `evil.exe` or `evil.dll`.
- Prefetch - `C:\\Windows\\Prefetch\\`
-    - Tracks execution of `evil.exe` or service DLLs.
-"""
-    print_info(title, content)
-
-def service_replacement_examples():
-    title = "Service Replacement Examples"
-    content = """
-Service replacement involves modifying legitimate services to execute malicious payloads.
-
-### Example 1: Binary Path Manipulation
-Modify the `ImagePath` registry key to point to a malicious executable:
- Key Path: `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\<ServiceName>\\ImagePath`
- New Value: `C:\\temp\\evil.exe`
-
-### Example 2: DLL Hijacking in Services
-Replace a legitimate service DLL with a malicious one:
- Locate service DLL in `\\CurrentControlSet\\Services\\<ServiceName>\\Parameters\\ServiceDll`.
- Replace the file with `evil.dll`.
-
-### Example 3: Startup Type Abuse
-Change the `Start` registry key to automatically start a malicious service:
- Key Path: `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\<ServiceName>\\Start`
- Value: `2` (Automatic Start).
-
-### Example 4: Service Install Command
-Use `sc` to create and start a malicious service:
- Command: `sc \\host create servicename binpath="c:\\temp\\evil.exe"`
-"""
-    print_info(title, content)
-
-def exploit_windows_services():
-    title = "Exploitation of Windows Services"
-    content = """
-Windows services can be exploited in the following ways:
-
-### 1. Privilege Escalation via Insecure Permissions
- Services with weak `DACL` permissions can be reconfigured by low-privileged users.
- Example: Modify `ImagePath` to point to a malicious binary.
-
-### 2. DLL Search Order Hijacking
- Service executable dynamically loads a DLL without specifying a full path.
- Place a malicious DLL in the service's working directory.
-
-### 3. Service Control Abuse
- Use `sc` or similar tools to start/stop services, potentially disrupting legitimate operations.
-
-### 4. Unquoted Service Paths
- If the binary path contains spaces and is unquoted, an attacker can place a malicious executable in the path.
- Example:
-    - Path: `C:\\Program Files\\Legitimate Service\\binary.exe`.
-    - Malicious executable: `C:\\Program.exe`.
-
-### 5. Creating New Services
- Install a new malicious service using `sc` or `psexec`.
- Example:
-    - `sc create maliciousservice binpath="c:\\temp\\evil.exe" start=auto`
-
-### 6. Abusing Trusted Services
- Replace binaries or DLLs of highly trusted services, such as antivirus or backup services.
-
-### Detection Tips:
- Monitor `system.evtx` for service start/stop events.
- Check `security.evtx` for suspicious service creation.
- Regularly audit `\\CurrentControlSet\\Services\\` for unexpected entries.
-"""
-    print_info(title, content)