From f7b50f0344ff25ce987a34660ae4d3de740df6e2 Mon Sep 17 00:00:00 2001
From: Matthew Iverson
Date: Thu, 28 Nov 2024 00:53:41 -0500
Subject: [PATCH] Delete TTPs/Persistence/service.py

---
 TTPs/Persistence/service.py | 154 ------------------------------------
 1 file changed, 154 deletions(-)
 delete mode 100644 TTPs/Persistence/service.py

diff --git a/TTPs/Persistence/service.py b/TTPs/Persistence/service.py
deleted file mode 100644
index fa106a8..0000000
--- a/TTPs/Persistence/service.py
+++ /dev/null
@@ -1,154 +0,0 @@ -import sys -from Modules.Imports.ttp_imports import * -from Modules.submenu import build_submenu - -def service_submenu(): - """ - Submenu for Service-based Persistence Indicators. - """ - actions = { - "1": {"description": "Source Event Logs", "function": source_event_logs}, - "2": {"description": "Destination Event Logs", "function": destination_event_logs}, - "3": {"description": "Source Registry", "function": source_registry}, - "4": {"description": "Destination Registry", "function": destination_registry}, - "5": {"description": "Source File System", "function": source_file_system}, - "6": {"description": "Destination File System", "function": destination_file_system}, - "7": {"description": "Service Replacement Examples", "function": service_replacement_examples}, - "8": {"description": "Exploitation of Windows Services", "function": exploit_windows_services}, - } - build_submenu("Service-Based Persistence", actions) - -def source_event_logs(): - title = "Source Event Logs" - content = """ -No specific source event logs are generated for service-based persistence. -""" - print_info(title, content) - -def destination_event_logs(): - title = "Destination Event Logs" - content = """ -- `security.evtx` - - `4624` Logon Type 3 - - Source IP/Logon User Name - - `4697` - - Records service installation (non-default) - - Useful for centralized log monitoring. - -- `system.evtx` - - `7034` - Service crashed unexpectedly. - - `7035` - Service sent a Start/Stop control. - - `7036` - Service started or stopped. - - `7040` - Start type changed (Boot | On Request | Disabled). - - `7045` - A service was installed on the system. -""" - print_info(title, content) - -def source_registry(): - title = "Source Registry" - content = """ -Registry Artifacts: -- [[ShimCache]] - SYSTEM - - Tracks `sc.exe`. -- [[BAM_DAM]] - SYSTEM - Last Time Executed - - Tracks `sc.exe`. -- [[AmCache.hve]] - - Tracks first execution of `sc.exe`. 
-""" - print_info(title, content) - -def destination_registry(): - title = "Destination Registry" - content = """ -Registry Artifacts: -- SYSTEM - - `\\CurrentControlSet\\Services\\` - New service creation. -- [[ShimCache]] - SYSTEM - - Tracks `evil.exe`. -- [[AmCache.hve]] - First Time Executed - - Tracks `evil.exe`. -""" - print_info(title, content) - -def source_file_system(): - title = "Source File System" - content = """ -Prefetch Artifacts: -- Prefetch - `C:\\Windows\\Prefetch\\` - - `sc.exe-{hash}.pf`. -""" - print_info(title, content) - -def destination_file_system(): - title = "Destination File System" - content = """ -File Creation Artifacts: -- Malicious executables or DLLs: - - `evil.exe` or `evil.dll`. -- Prefetch - `C:\\Windows\\Prefetch\\` - - Tracks execution of `evil.exe` or service DLLs. -""" - print_info(title, content) - -def service_replacement_examples(): - title = "Service Replacement Examples" - content = """ -Service replacement involves modifying legitimate services to execute malicious payloads. - -### Example 1: Binary Path Manipulation -Modify the `ImagePath` registry key to point to a malicious executable: -- Key Path: `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\\\ImagePath` -- New Value: `C:\\temp\\evil.exe` - -### Example 2: DLL Hijacking in Services -Replace a legitimate service DLL with a malicious one: -- Locate service DLL in `\\CurrentControlSet\\Services\\\\Parameters\\ServiceDll`. -- Replace the file with `evil.dll`. - -### Example 3: Startup Type Abuse -Change the `Start` registry key to automatically start a malicious service: -- Key Path: `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\\\Start` -- Value: `2` (Automatic Start). 
- -### Example 4: Service Install Command -Use `sc` to create and start a malicious service: -- Command: `sc \\host create servicename binpath="c:\\temp\\evil.exe"` -""" - print_info(title, content) - -def exploit_windows_services(): - title = "Exploitation of Windows Services" - content = """ -Windows services can be exploited in the following ways: - -### 1. Privilege Escalation via Insecure Permissions -- Services with weak `DACL` permissions can be reconfigured by low-privileged users. -- Example: Modify `ImagePath` to point to a malicious binary. - -### 2. DLL Search Order Hijacking -- Service executable dynamically loads a DLL without specifying a full path. -- Place a malicious DLL in the service's working directory. - -### 3. Service Control Abuse -- Use `sc` or similar tools to start/stop services, potentially disrupting legitimate operations. - -### 4. Unquoted Service Paths -- If the binary path contains spaces and is unquoted, an attacker can place a malicious executable in the path. -- Example: - - Path: `C:\\Program Files\\Legitimate Service\\binary.exe`. - - Malicious executable: `C:\\Program.exe`. - -### 5. Creating New Services -- Install a new malicious service using `sc` or `psexec`. -- Example: - - `sc create maliciousservice binpath="c:\\temp\\evil.exe" start=auto` - -### 6. Abusing Trusted Services -- Replace binaries or DLLs of highly trusted services, such as antivirus or backup services. - -### Detection Tips: -- Monitor `system.evtx` for service start/stop events. -- Check `security.evtx` for suspicious service creation. -- Regularly audit `\\CurrentControlSet\\Services\\` for unexpected entries. -""" - print_info(title, content)