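from Modules.Imports.ttp_imports import *  # provides build_submenu() and print_info()


def autostart_submenu():
    """
    Submenu for Autostart Persistence Indicators.

    Builds the dispatch table for the "Autostart Persistence" submenu and hands it
    to build_submenu(). Keys must be unique: a duplicate key silently overwrites
    the earlier entry and makes that menu item unreachable.
    """
    actions = {
        "1": {"description": "Registry Run Keys", "function": registry_run_keys},
        "2": {"description": "Winlogon Userinit", "function": winlogon_userinit},
        "3": {"description": "Startup Folder", "function": startup_folder},
        "4": {"description": "Investigative Notes", "function": investigative_notes},
        # Was also "4" and shadowed "Investigative Notes"; give it its own slot.
        "5": {"description": "Autostart Extra", "function": autostart_extra},
    }
    build_submenu("Autostart Persistence", actions)


def registry_run_keys():
    """
    Displays information about Registry Run Keys for Autostart.
    """
    title = "Registry Run Keys"
    content = """
    The most common ASEPs (AutoStart Extension Points) are the “Run” Registry keys.

    Per-user keys (NTUSER.DAT hive, i.e. HKCU of the logged-on user):
    - NTUSER.DAT\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    - NTUSER.DAT\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce

    Machine-wide keys (SOFTWARE hive, i.e. HKLM; writing them requires admin rights):
    - SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
    - SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce
    - SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run

    Investigative notes:
    - Entries are executed when a user logs on (not at boot). HKCU entries fire only
      for that user; HKLM entries fire for every interactive logon on the host.
    - RunOnce entries are deleted after they execute, so an empty key at collection
      time does not rule out earlier use - check hive backups, shadow copies and logs.
    - On 64-bit Windows the same keys also exist under
      SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run.
    - Values pointing into user-writable paths (%TEMP%, %APPDATA%, Downloads) or
      invoking script hosts (e.g. rundll32, mshta, powershell) deserve a closer look.
    Monitoring these keys is crucial for detecting persistence mechanisms.
    """
    print_info(title, content)


def winlogon_userinit():
    """
    Displays information about the Winlogon Userinit ASEP.
    """
    title = "Winlogon Userinit"
    content = """
    The Winlogon Userinit value can be used to maintain persistence:
    - SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit

    Default value (the trailing comma is normal):
    - C:\\Windows\\system32\\userinit.exe,

    It can be modified to append a malicious binary that runs at every interactive logon:
    - Example: C:\\Windows\\system32\\userinit.exe,C:\\Temp\\malicious.exe

    Investigative notes:
    - Anything after the first comma that is not an expected, signed binary is suspect;
      compare against a known-good baseline and verify the file's hash and signature.
    - The sibling Winlogon\\Shell value (default: explorer.exe) is abused the same way.
    - Changing this value requires administrator rights, so a modification implies the
      host was already compromised at high privilege.
    """
    print_info(title, content)


def startup_folder():
    """
    Displays information about the Startup folder ASEP.
    """
    title = "Startup Folder"
    content = """
    The Startup folder allows for persistence by placing shortcuts (or executables)
    in a folder whose contents run when a user logs on:
    - Per-user:  %AppData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup
      (%AppData% already expands to ...\\AppData\\Roaming - do not add "Roaming" again)
    - All users: %ProgramData%\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp

    Files in these folders automatically execute when a user logs on.
    Malware often uses this location for persistence: it needs no Registry change,
    and the per-user folder is writable without elevated rights.
    """
    print_info(title, content)


def investigative_notes():
    """
    Displays investigative notes about Autostart ASEPs.
    """
    title = "Investigative Notes"
    content = """
    Investigating ASEPs across multiple systems can help identify compromised hosts.
    Key notes:
    - ASEPs are numerous and diverse, requiring thorough examination.
    - Tools like Registry Explorer and RegRipper can retrieve additional ASEPs from Registry hives.
    - Analyzing data across systems may reveal outliers indicative of malicious activity.
    - Record the last-write timestamp of each ASEP key; a recent change on an otherwise
      stable key is a strong pivot point for timeline analysis.
    """
    print_info(title, content)


def autostart_extra():
    """
    Displays a consolidated summary of the Autostart ASEPs covered in this submenu
    (Run keys, Winlogon Userinit, Startup folder) and general investigative advice.
    """
    title = "Autostart Extra"
    content = """
    - Items in these keys are executed when a user logs on, unlike other ASEPs that act at boot.
    - Multiple "run" keys exist in both the NTUSER.DAT and SOFTWARE hives.
    - Another, less common but equally dangerous key is:
      - SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit.
    - This key typically contains a reference to `userinit.exe`, which by default:
      - Executes `Userinit.exe`.
      - Launches the shell (`Explorer.exe`, as configured in the sibling `Shell` value).
    - However, it can be modified to include malicious binaries, such as:
      - `C:\\Windows\\system32\\userinit.exe,C:\\Temp\\winsvchost.exe`, which would run at
        every interactive logon (not at boot).
    - Finally, `%AppData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup` allows for
      persistence by placing shortcuts in this folder.
      - These shortcuts automatically execute the associated binaries when a user logs on.
      - Malware has recently gravitated back to this old attack vector.
    - Although these locations are very common for ASEPs, many more exist.
    - Tools like Registry Explorer and RegRipper can retrieve additional ASEPs from Registry hives.
    - Analyzing data across systems may reveal outliers leading to compromised systems.
    """
    print_info(title, content)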