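import sys  # NOTE(review): not referenced in this module - candidate for removal
from Modules.Imports.ttp_imports import *
from Modules.submenu import build_submenu


def _show(title, content):
    """Render one artifact panel through the shared ``print_info`` helper.

    ``print_info`` is not defined in this file; it presumably arrives via the
    star import above. Every submenu entry funnels through here so the
    title/content convention lives in one place.
    """
    print_info(title, content)


def source_event_logs():
    """Display event-log artifacts left on the *source* host of a PowerShell Remoting session."""
    title = "PowerShell Remoting Source Event Logs"
    # Markdown bullet list: log file -> event ID -> fields of interest.
    content = """
- **security.evtx**
  - `4648` - Logon specifying alternate credentials
    - Current logged-on User Name
    - Alternate User Name
    - Destination Host Name/IP
    - Process Name
- **Microsoft-Windows-WinRM/Operational.evtx**
  - `161` - Remote Authentication Error
  - `6` - WSMan Session initialize
    - Session created
    - Destination Host Name or IP
    - Current logged-on User Name
  - `8`, `15`, `16`, `33` - WSMan Session deinitialization
    - Closing of WSMan session
    - Current logged-on User Name
- **Microsoft-Windows-PowerShell/Operational.evtx**
  - `40961`, `40962` - Records the local initiation of powershell.exe and associated user account
  - `8193` & `8194` - Session created
  - `8197` - Connect
    - Session closed
"""
    _show(title, content)


def source_registry():
    """Display registry artifacts left on the *source* host of a PowerShell Remoting session."""
    title = "PowerShell Remoting Source Registry"
    content = """
- **ShimCache** – SYSTEM
  - powershell.exe
- **BAM_DAM** – SYSTEM – Last Time Executed
  - powershell.exe
- **AmCache.hve** – First Time Executed
  - powershell.exe
"""
    _show(title, content)


def source_file_system():
    """Display file-system artifacts left on the *source* host of a PowerShell Remoting session."""
    title = "PowerShell Remoting Source File System"
    # Backslashes are doubled because this is a plain (non-raw) string.
    # ``{username}`` is a placeholder for the profile name, in the same style
    # as ``{hash}`` in the prefetch entries; the original text had an empty
    # path component here.
    content = """
- **Prefetch** – C:\\Windows\\Prefetch\\
  - powershell.exe-{hash}.pf
  - PowerShell scripts (.ps1 files) that run within 10 seconds of powershell.exe launching will be tracked in powershell.exe prefetch file
- **Command history** - C:\\Users\\{username}\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadline\\ConsoleHost_history.txt
  - With PS v5+, a history file with previous 4096 commands is maintained per user
"""
    _show(title, content)


def destination_event_logs():
    """Display event-log artifacts left on the *destination* host of a PowerShell Remoting session."""
    title = "PowerShell Remoting Destination Event Logs"
    # 4103 is Module Logging (pipeline execution details); only 4104 is
    # Script Block Logging, so the two are listed separately.
    content = """
- **security.evtx**
  - `4624` – Logon Type 3
    - Source IP/Logon User Name
  - `4672`
    - Logon User Name
    - Logon by a user with administrative rights
- **Microsoft-Windows-PowerShell%4Operational.evtx**
  - `4103` – Module logging (pipeline execution details)
  - `4104` – Script Block logging
    - Logs suspicious scripts by default in PS v5
    - Logs all scripts if configured
  - `53504` - Records the authenticating user
- **Windows PowerShell.evtx**
  - `400/403` - "ServerRemoteHost" indicates start/end of remoting session
  - `800` - Includes partial script code
- **Microsoft-Windows-WinRM/Operational.evtx**
  - `91` – Session creation
  - `142` – WSMan Operation Failure
  - `169` – Records the authenticating user
"""
    _show(title, content)


def destination_registry():
    """Display registry artifacts left on the *destination* host of a PowerShell Remoting session."""
    title = "PowerShell Remoting Destination Registry"
    content = """
- **ShimCache** – SYSTEM
  - wsmprovhost.exe
  - evil.exe
- **SOFTWARE**
  - Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell\\ExecutionPolicy
    - Attacker may change execution policy to a less restrictive setting, such as "bypass"
- **AmCache.hve** – First Time Executed
  - wsmprovhost.exe
  - evil.exe
"""
    _show(title, content)


def destination_file_system():
    """Display file-system artifacts left on the *destination* host of a PowerShell Remoting session."""
    title = "PowerShell Remoting Destination File System"
    content = """
- **File Creation**
  - evil.exe
  - With Enter-PSSession, a user profile directory may be created
- **Prefetch** – C:\\Windows\\Prefetch\\
  - evil.exe-{hash}.pf
  - wsmprovhost.exe-{hash}.pf
"""
    _show(title, content)


def powershell_remoting_submenu():
    """Build the interactive submenu for PowerShell Remoting detection artifacts.

    Each key maps to one of the display functions defined above; the dict
    is handed to the shared ``build_submenu`` helper, which does the
    prompting and dispatch.
    """
    # NOTE(review): the menu title says "Persistence" while the artifacts
    # catalogued in this module describe a remoting session on the source
    # and destination hosts - confirm the label is intended.
    actions = {
        "1": {"description": "Source Event Logs", "function": source_event_logs},
        "2": {"description": "Source Registry", "function": source_registry},
        "3": {"description": "Source File System", "function": source_file_system},
        "4": {"description": "Destination Event Logs", "function": destination_event_logs},
        "5": {"description": "Destination Registry", "function": destination_registry},
        "6": {"description": "Destination File System", "function": destination_file_system},
    }
    build_submenu("PowerShell Remoting Persistence", actions)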