diff --git a/TTPs/Persistence/psexec.py b/TTPs/Persistence/psexec.py
deleted file mode 100644
index b1c9dcb..0000000
--- a/TTPs/Persistence/psexec.py
+++ /dev/null
@@ -1,253 +0,0 @@ -import sys -from Modules.Imports.ttp_imports import * -from Modules.submenu import build_submenu - -def psexec_submenu(): - """ - Submenu for PsExec detection techniques. - """ - actions = { - "1": {"description": "Source Event Logs", "function": source_event_logs}, - "2": {"description": "Destination Event Logs", "function": destination_event_logs}, - "3": {"description": "Source Registry", "function": source_registry}, - "4": {"description": "Destination Registry", "function": destination_registry}, - "5": {"description": "Source File System", "function": source_file_system}, - "6": {"description": "Destination File System", "function": destination_file_system}, - "7": {"description": "Service Installation Details", "function": service_installation_details}, - "8": {"description": "Network Artifacts", "function": psexec_network_artifacts}, - "9": {"description": "Eviction Techniques", "function": psexec_eviction_techniques}, - "10": {"description": "Malware Case Study", "function": psexec_malware_case_study}, - } - build_submenu("PsExec Persistence", actions) - -# Individual submenu functions - -def source_event_logs(): - """ - Displays source event logs related to PsExec. - """ - title = "PsExec Source Event Logs" - content = """ -- **security.evtx** - - `4648` - Logon specifying alternate credentials - - Current logged-on User Name - - Alternate User Name - - Destination Host Name/IP - - Process Name -""" - print_info(title, content) - -def destination_event_logs(): - """ - Displays destination event logs related to PsExec. 
- """ - title = "PsExec Destination Event Logs" - content = """ -- **security.evtx** - - `4648` Logon specifying alternate credentials - - Connecting User Name - - Process Name - - `4624` Logon Type 3 (and Type 2 if “-u” Alternate Credentials are used) - - Source IP/Logon User Name - - `4672` - - Logon User Name - - Logon by a user with administrative rights - - Requirement for access default shares such as **C$** and **ADMIN$** - - `5140` – Share Access - - **ADMIN$** share used by PsExec -- **system.evtx** - - `7045` Service installation: 4-character mixed-case alpha name referencing an 8-character mixed-case alpha .exe file - - %systemroot%\\xxxxxxxx.exe - - `7036` Service start/stop events -- **If Enabled**: - - `4688` in Security: tracks service and cmd.exe execution -""" - print_info(title, content) - -def source_registry(): - """ - Displays source registry information related to PsExec. - """ - title = "PsExec Source Registry" - content = """ -- **NTUSER.DAT** - - Software\\SysInternals\\PsExec\\EulaAccepted -- **ShimCache** – SYSTEM - - psexec.exe -- **BAM_DAM** – SYSTEM – Last Time Executed - - psexec.exe -- **AmCache.hve** – First Time Executed - - psexec.exe -""" - print_info(title, content) - -def destination_registry(): - """ - Displays destination registry information related to PsExec. - """ - title = "PsExec Destination Registry" - content = """ -- New service creation configured in `SYSTEM\\CurrentControlSet\\Services\\PSEXESVC` - - “-r” option can allow attacker to rename service -- **ShimCache** – SYSTEM - - psexesvc.exe -- **AmCache.hve** - - First Time Executed - - psexesvc.exe -""" - print_info(title, content) - -def source_file_system(): - """ - Displays source file system artifacts related to PsExec. 
- """ - title = "PsExec Source File System" - content = """ -- **Prefetch** – C:\\Windows\\Prefetch\\ - - psexec.exe-{hash}.pf - - Possible references to other files accessed by psexec.exe, such as executables copied to target system with the “-c” option -- **File Creation** - - psexec.exe file downloaded and created on the local host as the file is not native to Windows -""" - print_info(title, content) - -def destination_file_system(): - """ - Displays destination file system artifacts related to PsExec. - """ - title = "PsExec Destination File System" - content = """ -- **Prefetch** – C:\\Windows\\Prefetch\\ - - psexesvc.exe-{hash}.pf - - evil.exe-{hash}.pf -- **File Creation** - - User profile directory structure created unless "-e" option used - - psexesvc.exe will be placed in **ADMIN$** (\\Windows) by default, as well as other executables (evil.exe) pushed by PsExec -- **User Access Logging (Servers only)** - - C:\\Windows\\System32\\LogFiles\\Sum - - User Name - - Source IP Address - - First and Last Access Time -""" - print_info(title, content) - -def psexec_analysis(): - """ - Displays analysis of PsExec execution. 
- """ - title = "PsExec Analysis" - content = """ -- **Command Example**: - - `psexec.py domain/username:password@[hostname | IP] command` - - Can specify a command to run, or leave blank for shell - - PSEXEC like functionality example using RemComSvc - - Creates and subsequently deletes a Windows Service with a random 4-character mixed-case alpha name referencing an 8-character mixed-case alpha .exe file in %systemroot% - - Detected and blocked by Windows Defender by default - -- **Windows Event Log Residue**: - - Event ID `4776` in Security on target (for user specified in command) - - Event ID `4672` in Security on target (for user specified in command) - - Event ID `4624` Type 3 in Security on target (for user specified in command) - - Event ID `7045` in System on target (service installation: 4-character mixed-case alpha name referencing an 8-character mixed-case alpha .exe file): - - %systemroot%\\xxxxxxxx.exe - - Event ID `7036` in System on target - - [If Enabled] Event ID `4688` in Security on target: - - `services.exe → C:\\Windows\\xxxxxxxx.exe` - - `C:\\Windows\\xxxxxxxx.exe → command` - - `cmd.exe → conhost.exe 0xffffffff -ForceV1` - - Numerous other `4624`, `4634`, `4672` events -""" - print_info(title, content) - -def service_installation_details(): - """ - Displays details about PsExec service installation events. - """ - title = "PsExec Service Installation Details" - content = """ -- PsExec creates a temporary Windows service for execution: - - Service name: Random 4-character mixed-case alpha name - - Executable: Random 8-character mixed-case alpha .exe file -- Registry Path: - - SYSTEM\\CurrentControlSet\\Services\\ -- Event Log Evidence: - - Event ID 7045 in `system.evtx` logs the service installation. - - Includes: - - Service Name - - Executable Path - - Service Type and Start Mode -- Forensic Insights: - - Compare service names and paths across multiple systems to detect outliers. - - Look for services with short, random names. 
-""" - print_info(title, content) - -def psexec_network_artifacts(): - """ - Displays network-related artifacts from PsExec usage. - """ - title = "PsExec Network Artifacts" - content = """ -- **Network Connections**: - - PsExec uses SMB for communication and file transfer. - - Ports: - - 445 (SMB over TCP/IP) - - 139 (NetBIOS over TCP/IP) -- **Shared Resources**: - - Default shares such as **ADMIN$** and **C$** are utilized. - - Logs in `security.evtx`: - - Event ID 5140: Share access. - - Event ID 5145: Access to specific shared files. - -- **Forensic Tips**: - - Monitor for abnormal access to ADMIN$ or C$ from unexpected hosts. - - Analyze SMB traffic for PsExec file transfers. -""" - print_info(title, content) - -def psexec_eviction_techniques(): - """ - Displays techniques for detecting and evicting PsExec usage. - """ - title = "PsExec Eviction Techniques" - content = """ -- **Detection**: - - Use centralized logging solutions (e.g., Splunk, ELK) to correlate Event IDs across systems. - - Enable advanced audit policies to log service and process creation events. - -- **Eviction**: - - Audit and remove unauthorized services under: - - SYSTEM\\CurrentControlSet\\Services\\ - - Verify the integrity of executables in: - - C:\\Windows\\System32 - - C:\\Windows\\Prefetch - - Block unauthorized access to default shares like ADMIN$ and C$. - -- **Prevention**: - - Use endpoint protection tools to block PsExec executables. - - Restrict access to administrative shares to trusted hosts and accounts only. -""" - print_info(title, content) - -def psexec_malware_case_study(): - """ - Provides a case study example of malware leveraging PsExec. - """ - title = "PsExec Malware Case Study" - content = """ -- **Real-World Example**: - - Malware Name: Emotet - - Attack Vector: Lateral Movement - - Emotet leveraged PsExec to deploy secondary payloads across compromised networks. - -- **Tactics**: - - Copied malicious payloads to ADMIN$ share. 
- - Used PsExec to execute payloads on remote systems. - - Cleaned up by removing PsExec artifacts (e.g., services and files). - -- **Forensic Indicators**: - - Sudden increase in Event IDs 4624, 4672, and 5140 across multiple systems. - - Unusual services with short, random names. - - Files with mismatched creation and modification times in ADMIN$. -""" - print_info(title, content)