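"""Interactive submenu describing the forensic artifacts left by PsExec-style remote execution.

PsExec (Sysinternals) and its clones (e.g. Impacket's ``psexec.py``) copy a
service binary to the target's ADMIN$ share over SMB, register it as a Windows
service and run it - MITRE ATT&CK T1021.002 (SMB/Windows Admin Shares) and
T1569.002 (Service Execution).  It is a remote-execution / lateral-movement
technique, not a persistence mechanism: the service is normally removed again
when the session ends.

Every section below is display-only: it builds a Markdown-style string and
hands it to ``print_info`` (provided by ``Modules.Imports.ttp_imports``).
"""

import sys  # unused here; kept so the module's import surface is unchanged

# Star import is the project convention for these TTP modules; it supplies print_info.
from Modules.Imports.ttp_imports import *  # noqa: F401,F403
from Modules.submenu import build_submenu


def psexec_submenu() -> None:
    """Build and run the PsExec submenu.

    Keys "1"-"10" keep their original meaning.  Key "11" exposes
    ``psexec_analysis`` (Impacket psexec.py residue), which was defined in this
    module but previously unreachable from the menu.  The callables are looked
    up when this function runs, so they may be defined further down the file.
    """
    actions = {
        "1": {"description": "Source Event Logs", "function": source_event_logs},
        "2": {"description": "Destination Event Logs", "function": destination_event_logs},
        "3": {"description": "Source Registry", "function": source_registry},
        "4": {"description": "Destination Registry", "function": destination_registry},
        "5": {"description": "Source File System", "function": source_file_system},
        "6": {"description": "Destination File System", "function": destination_file_system},
        "7": {"description": "Service Installation Details", "function": service_installation_details},
        "8": {"description": "Network Artifacts", "function": psexec_network_artifacts},
        "9": {"description": "Eviction Techniques", "function": psexec_eviction_techniques},
        "10": {"description": "Malware Case Study", "function": psexec_malware_case_study},
        "11": {"description": "Impacket psexec.py Analysis", "function": psexec_analysis},
    }
    # PsExec is lateral movement / remote execution; "Persistence" mislabelled the technique.
    build_submenu("PsExec Lateral Movement", actions)


# Individual submenu functions


def source_event_logs() -> None:
    """Print the Windows event-log artifacts PsExec leaves on the *source* host."""
    title = "PsExec Source Event Logs"
    content = """
- **security.evtx**
  - `4648` - Logon specifying alternate credentials
    - Current logged-on User Name
    - Alternate User Name
    - Destination Host Name/IP
    - Process Name
"""
    print_info(title, content)


def destination_event_logs() -> None:
    """Print the Windows event-log artifacts PsExec leaves on the *destination* host.

    The 7045 entry distinguishes Sysinternals PsExec (fixed ``PSEXESVC`` service
    unless renamed with ``-r``) from Impacket ``psexec.py`` (random service and
    binary names); the two were previously conflated.
    """
    title = "PsExec Destination Event Logs"
    content = """
- **security.evtx**
  - `4648` Logon specifying alternate credentials
    - Connecting User Name
    - Process Name
  - `4624` Logon Type 3 (and Type 2 if “-u” Alternate Credentials are used)
    - Source IP/Logon User Name
  - `4672`
    - Logon User Name
    - Logon by a user with administrative rights
    - Requirement for access default shares such as **C$** and **ADMIN$**
  - `5140` – Share Access
    - **ADMIN$** share used by PsExec
- **system.evtx**
  - `7045` Service installation
    - Sysinternals PsExec: service `PSEXESVC` running %systemroot%\\PSEXESVC.exe (renamed when “-r” is used)
    - Impacket psexec.py: 4-character mixed-case alpha name referencing an 8-character mixed-case alpha .exe file
      - %systemroot%\\xxxxxxxx.exe
  - `7036` Service start/stop events
- **If Enabled**:
  - `4688` in Security: tracks service and cmd.exe execution
"""
    print_info(title, content)


def source_registry() -> None:
    """Print the registry-based execution evidence for psexec.exe on the *source* host."""
    title = "PsExec Source Registry"
    content = """
- **NTUSER.DAT**
  - Software\\SysInternals\\PsExec\\EulaAccepted
- **ShimCache** – SYSTEM
  - psexec.exe
- **BAM_DAM** – SYSTEM – Last Time Executed
  - psexec.exe
- **AmCache.hve** – First Time Executed
  - psexec.exe
"""
    print_info(title, content)


def destination_registry() -> None:
    """Print the registry-based evidence (service key, execution caches) on the *destination* host."""
    title = "PsExec Destination Registry"
    content = """
- New service creation configured in `SYSTEM\\CurrentControlSet\\Services\\PSEXESVC`
  - “-r” option can allow attacker to rename service
- **ShimCache** – SYSTEM
  - psexesvc.exe
- **AmCache.hve** - First Time Executed
  - psexesvc.exe
"""
    print_info(title, content)


def source_file_system() -> None:
    """Print the file-system artifacts (Prefetch, dropped binary) on the *source* host."""
    title = "PsExec Source File System"
    content = """
- **Prefetch** – C:\\Windows\\Prefetch\\
  - psexec.exe-{hash}.pf
  - Possible references to other files accessed by psexec.exe, such as executables copied to target system with the “-c” option
- **File Creation**
  - psexec.exe file downloaded and created on the local host as the file is not native to Windows
"""
    print_info(title, content)


def destination_file_system() -> None:
    """Print the file-system artifacts (Prefetch, ADMIN$ drops, UAL) on the *destination* host."""
    title = "PsExec Destination File System"
    content = """
- **Prefetch** – C:\\Windows\\Prefetch\\
  - psexesvc.exe-{hash}.pf
  - evil.exe-{hash}.pf
- **File Creation**
  - User profile directory structure created unless "-e" option used
  - psexesvc.exe will be placed in **ADMIN$** (\\Windows) by default, as well as other executables (evil.exe) pushed by PsExec
- **User Access Logging (Servers only)**
  - C:\\Windows\\System32\\LogFiles\\Sum
    - User Name
    - Source IP Address
    - First and Last Access Time
"""
    print_info(title, content)


def psexec_analysis() -> None:
    """Print the execution pattern and event-log residue of Impacket's psexec.py.

    This section is specific to the Impacket implementation (RemComSvc-based,
    random service/binary names), not Sysinternals PsExec.
    """
    title = "PsExec Analysis"
    content = """
- **Command Example**:
  - `psexec.py domain/username:password@[hostname | IP] command`
    - Can specify a command to run, or leave blank for shell
    - The password is passed on the command line, so it is exposed in process listings and shell history on the source host
  - PSEXEC like functionality example using RemComSvc
  - Creates and subsequently deletes a Windows Service with a random 4-character mixed-case alpha name referencing an 8-character mixed-case alpha .exe file in %systemroot%
  - Detected and blocked by Windows Defender by default
- **Windows Event Log Residue**:
  - Event ID `4776` in Security on target (for user specified in command)
  - Event ID `4672` in Security on target (for user specified in command)
  - Event ID `4624` Type 3 in Security on target (for user specified in command)
  - Event ID `7045` in System on target (service installation: 4-character mixed-case alpha name referencing an 8-character mixed-case alpha .exe file):
    - %systemroot%\\xxxxxxxx.exe
  - Event ID `7036` in System on target
  - [If Enabled] Event ID `4688` in Security on target:
    - `services.exe → C:\\Windows\\xxxxxxxx.exe`
    - `C:\\Windows\\xxxxxxxx.exe → command`
    - `cmd.exe → conhost.exe 0xffffffff -ForceV1`
  - Numerous other `4624`, `4634`, `4672` events
"""
    print_info(title, content)


def service_installation_details() -> None:
    """Print what the temporary service created by PsExec-style tools looks like.

    Sysinternals PsExec uses a fixed service/binary name (``PSEXESVC``) unless
    ``-r`` is given; Impacket psexec.py randomises both.  Hunting only for
    "short random names" would miss the Sysinternals case.
    """
    title = "PsExec Service Installation Details"
    content = """
- PsExec creates a temporary Windows service for execution:
  - Sysinternals PsExec: service `PSEXESVC` running %systemroot%\\PSEXESVC.exe (“-r” renames the service)
  - Impacket psexec.py:
    - Service name: Random 4-character mixed-case alpha name
    - Executable: Random 8-character mixed-case alpha .exe file in %systemroot%
  - Registry Path:
    - SYSTEM\\CurrentControlSet\\Services\\
- Event Log Evidence:
  - Event ID 7045 in `system.evtx` logs the service installation.
  - Includes:
    - Service Name
    - Executable Path
    - Service Type and Start Mode
- Forensic Insights:
  - Compare service names and paths across multiple systems to detect outliers.
  - Look for services with short, random names, and for `PSEXESVC` (or a renamed copy) where PsExec is not sanctioned.
"""
    print_info(title, content)


def psexec_network_artifacts() -> None:
    """Print the SMB/share-level artifacts of PsExec traffic and the events that record them."""
    title = "PsExec Network Artifacts"
    content = """
- **Network Connections**:
  - PsExec uses SMB for communication and file transfer.
  - Ports:
    - 445 (SMB over TCP/IP)
    - 139 (NetBIOS over TCP/IP)
- **Shared Resources**:
  - Default shares such as **ADMIN$** and **C$** are utilized.
  - Logs in `security.evtx`:
    - Event ID 5140: Share access.
    - Event ID 5145: Access to specific shared files (e.g. psexesvc.exe written to ADMIN$, or the PSEXESVC named pipe over IPC$).
- **Forensic Tips**:
  - Monitor for abnormal access to ADMIN$ or C$ from unexpected hosts.
  - Analyze SMB traffic for PsExec file transfers.
"""
    print_info(title, content)


def psexec_eviction_techniques() -> None:
    """Print detection, eviction and prevention guidance for PsExec usage.

    The eviction checklist points integrity checks at the directories where
    PsExec actually drops binaries (ADMIN$ = C:\\Windows, System32); Prefetch
    holds execution traces (.pf), not executables, so it is reviewed rather
    than integrity-checked.
    """
    title = "PsExec Eviction Techniques"
    content = """
- **Detection**:
  - Use centralized logging solutions (e.g., Splunk, ELK) to correlate Event IDs across systems.
  - Enable advanced audit policies to log service and process creation events.
- **Eviction**:
  - Audit and remove unauthorized services under:
    - SYSTEM\\CurrentControlSet\\Services\\
  - Verify the integrity of executables dropped in:
    - C:\\Windows (the ADMIN$ share, where psexesvc.exe and pushed payloads land)
    - C:\\Windows\\System32
  - Review C:\\Windows\\Prefetch for psexesvc.exe-{hash}.pf and unknown executables (Prefetch holds execution traces, not binaries).
  - Block unauthorized access to default shares like ADMIN$ and C$.
- **Prevention**:
  - Use endpoint protection tools to block PsExec executables.
  - Restrict access to administrative shares to trusted hosts and accounts only.
"""
    print_info(title, content)


def psexec_malware_case_study() -> None:
    """Print the module's worked example of malware using PsExec-style lateral movement."""
    title = "PsExec Malware Case Study"
    content = """
- **Real-World Example**:
  - Malware Name: Emotet
  - Attack Vector: Lateral Movement
  - Emotet leveraged PsExec to deploy secondary payloads across compromised networks.
- **Tactics**:
  - Copied malicious payloads to ADMIN$ share.
  - Used PsExec to execute payloads on remote systems.
  - Cleaned up by removing PsExec artifacts (e.g., services and files).
- **Forensic Indicators**:
  - Sudden increase in Event IDs 4624, 4672, and 5140 across multiple systems.
  - Unusual services with short, random names.
  - Files with mismatched creation and modification times in ADMIN$.
"""
    print_info(title, content)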