Delete TTPs/Persistence/psexec.py

2024-11-28 00:54:09 -05:00
parent cd27b85641
commit fe02979652


@ -1,253 +0,0 @@
import sys
from Modules.Imports.ttp_imports import *
from Modules.submenu import build_submenu
def psexec_submenu():
"""
Submenu for PsExec detection techniques.
"""
actions = {
"1": {"description": "Source Event Logs", "function": source_event_logs},
"2": {"description": "Destination Event Logs", "function": destination_event_logs},
"3": {"description": "Source Registry", "function": source_registry},
"4": {"description": "Destination Registry", "function": destination_registry},
"5": {"description": "Source File System", "function": source_file_system},
"6": {"description": "Destination File System", "function": destination_file_system},
"7": {"description": "Service Installation Details", "function": service_installation_details},
"8": {"description": "Network Artifacts", "function": psexec_network_artifacts},
"9": {"description": "Eviction Techniques", "function": psexec_eviction_techniques},
"10": {"description": "Malware Case Study", "function": psexec_malware_case_study},
}
build_submenu("PsExec Persistence", actions)
# Individual submenu functions
def source_event_logs():
"""
Displays source event logs related to PsExec.
"""
title = "PsExec Source Event Logs"
content = """
- **security.evtx**
- `4648` - Logon specifying alternate credentials
- Current logged-on User Name
- Alternate User Name
- Destination Host Name/IP
- Process Name
"""
print_info(title, content)
def destination_event_logs():
"""
Displays destination event logs related to PsExec.
"""
title = "PsExec Destination Event Logs"
content = """
- **security.evtx**
- `4648` Logon specifying alternate credentials
- Connecting User Name
- Process Name
- `4624` Logon Type 3 (and Type 2 if “-u” Alternate Credentials are used)
- Source IP/Logon User Name
- `4672`
- Logon User Name
- Logon by a user with administrative rights
- Requirement for access default shares such as **C$** and **ADMIN$**
- `5140` Share Access
- **ADMIN$** share used by PsExec
- **system.evtx**
- `7045` Service installation: 4-character mixed-case alpha name referencing an 8-character mixed-case alpha .exe file
- %systemroot%\\xxxxxxxx.exe
- `7036` Service start/stop events
- **If Enabled**:
- `4688` in Security: tracks service and cmd.exe execution
"""
print_info(title, content)
def source_registry():
"""
Displays source registry information related to PsExec.
"""
title = "PsExec Source Registry"
content = """
- **NTUSER.DAT**
- Software\\SysInternals\\PsExec\\EulaAccepted
- **ShimCache** SYSTEM
- psexec.exe
- **BAM_DAM** SYSTEM Last Time Executed
- psexec.exe
- **AmCache.hve** First Time Executed
- psexec.exe
"""
print_info(title, content)
def destination_registry():
"""
Displays destination registry information related to PsExec.
"""
title = "PsExec Destination Registry"
content = """
- New service creation configured in `SYSTEM\\CurrentControlSet\\Services\\PSEXESVC`
- “-r” option can allow attacker to rename service
- **ShimCache** SYSTEM
- psexesvc.exe
- **AmCache.hve**
- First Time Executed
- psexesvc.exe
"""
print_info(title, content)
def source_file_system():
"""
Displays source file system artifacts related to PsExec.
"""
title = "PsExec Source File System"
content = """
- **Prefetch** C:\\Windows\\Prefetch\\
- psexec.exe-{hash}.pf
- Possible references to other files accessed by psexec.exe, such as executables copied to target system with the “-c” option
- **File Creation**
- psexec.exe file downloaded and created on the local host as the file is not native to Windows
"""
print_info(title, content)
def destination_file_system():
"""
Displays destination file system artifacts related to PsExec.
"""
title = "PsExec Destination File System"
content = """
- **Prefetch** C:\\Windows\\Prefetch\\
- psexesvc.exe-{hash}.pf
- evil.exe-{hash}.pf
- **File Creation**
- User profile directory structure created unless "-e" option used
- psexesvc.exe will be placed in **ADMIN$** (\\Windows) by default, as well as other executables (evil.exe) pushed by PsExec
- **User Access Logging (Servers only)**
- C:\\Windows\\System32\\LogFiles\\Sum
- User Name
- Source IP Address
- First and Last Access Time
"""
print_info(title, content)
def psexec_analysis():
"""
Displays analysis of PsExec execution.
"""
title = "PsExec Analysis"
content = """
- **Command Example**:
- `psexec.py domain/username:password@[hostname | IP] command`
- Can specify a command to run, or leave blank for shell
- PSEXEC like functionality example using RemComSvc
- Creates and subsequently deletes a Windows Service with a random 4-character mixed-case alpha name referencing an 8-character mixed-case alpha .exe file in %systemroot%
- Detected and blocked by Windows Defender by default
- **Windows Event Log Residue**:
- Event ID `4776` in Security on target (for user specified in command)
- Event ID `4672` in Security on target (for user specified in command)
- Event ID `4624` Type 3 in Security on target (for user specified in command)
- Event ID `7045` in System on target (service installation: 4-character mixed-case alpha name referencing an 8-character mixed-case alpha .exe file):
- %systemroot%\\xxxxxxxx.exe
- Event ID `7036` in System on target
- [If Enabled] Event ID `4688` in Security on target:
- `services.exe → C:\\Windows\\xxxxxxxx.exe`
- `C:\\Windows\\xxxxxxxx.exe → command`
- `cmd.exe → conhost.exe 0xffffffff -ForceV1`
- Numerous other `4624`, `4634`, `4672` events
"""
print_info(title, content)
def service_installation_details():
"""
Displays details about PsExec service installation events.
"""
title = "PsExec Service Installation Details"
content = """
- PsExec creates a temporary Windows service for execution:
- Service name: Random 4-character mixed-case alpha name
- Executable: Random 8-character mixed-case alpha .exe file
- Registry Path:
- SYSTEM\\CurrentControlSet\\Services\\<ServiceName>
- Event Log Evidence:
- Event ID 7045 in `system.evtx` logs the service installation.
- Includes:
- Service Name
- Executable Path
- Service Type and Start Mode
- Forensic Insights:
- Compare service names and paths across multiple systems to detect outliers.
- Look for services with short, random names.
"""
print_info(title, content)
def psexec_network_artifacts():
"""
Displays network-related artifacts from PsExec usage.
"""
title = "PsExec Network Artifacts"
content = """
- **Network Connections**:
- PsExec uses SMB for communication and file transfer.
- Ports:
- 445 (SMB over TCP/IP)
- 139 (NetBIOS over TCP/IP)
- **Shared Resources**:
- Default shares such as **ADMIN$** and **C$** are utilized.
- Logs in `security.evtx`:
- Event ID 5140: Share access.
- Event ID 5145: Access to specific shared files.
- **Forensic Tips**:
- Monitor for abnormal access to ADMIN$ or C$ from unexpected hosts.
- Analyze SMB traffic for PsExec file transfers.
"""
print_info(title, content)
def psexec_eviction_techniques():
"""
Displays techniques for detecting and evicting PsExec usage.
"""
title = "PsExec Eviction Techniques"
content = """
- **Detection**:
- Use centralized logging solutions (e.g., Splunk, ELK) to correlate Event IDs across systems.
- Enable advanced audit policies to log service and process creation events.
- **Eviction**:
- Audit and remove unauthorized services under:
- SYSTEM\\CurrentControlSet\\Services\\
- Verify the integrity of executables in:
- C:\\Windows\\System32
- C:\\Windows\\Prefetch
- Block unauthorized access to default shares like ADMIN$ and C$.
- **Prevention**:
- Use endpoint protection tools to block PsExec executables.
- Restrict access to administrative shares to trusted hosts and accounts only.
"""
print_info(title, content)
def psexec_malware_case_study():
"""
Provides a case study example of malware leveraging PsExec.
"""
title = "PsExec Malware Case Study"
content = """
- **Real-World Example**:
- Malware Name: Emotet
- Attack Vector: Lateral Movement
- Emotet leveraged PsExec to deploy secondary payloads across compromised networks.
- **Tactics**:
- Copied malicious payloads to ADMIN$ share.
- Used PsExec to execute payloads on remote systems.
- Cleaned up by removing PsExec artifacts (e.g., services and files).
- **Forensic Indicators**:
- Sudden increase in Event IDs 4624, 4672, and 5140 across multiple systems.
- Unusual services with short, random names.
- Files with mismatched creation and modification times in ADMIN$.
"""
print_info(title, content)