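from Modules.Imports.protocol_imports import *


def rdp_submenu():
    """Build and show the "RDP Persistence" submenu.

    Each menu key maps to a description and the handler that prints the
    corresponding reference section via ``print_info``. The handlers are
    defined later in this module; the dictionary is built when the menu is
    opened, so they are resolved at call time.
    """
    actions = {
        "1": {"description": "Source Event Logs", "function": source_event_logs},
        "2": {"description": "Destination Event Logs", "function": destination_event_logs},
        "3": {"description": "Source Registry", "function": source_registry},
        "4": {"description": "Destination Registry", "function": destination_registry},
        "5": {"description": "Source Artifacts", "function": source_artifacts},
        "6": {"description": "Destination Artifacts", "function": destination_artifacts},
        "7": {"description": "Extra", "function": extra_rdp_info},
        "8": {"description": "All", "function": all_rdp_info},
    }
    build_submenu("RDP Persistence", actions)


# Individual submenu functions


def source_event_logs():
    """Print the event-log artifacts left on the RDP *source* (client) host."""
    title = "RDP Source Event Logs"
    content = """
- `security.evtx`
  - `4648` - Logon specifying alternate credentials - if NLA enabled on destination
    - Current logged-on User Name
    - Alternate User Name
    - Destination Host Name/IP
    - Process Name
- `Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx`
  - `1024`
    - Destination Host Name
  - `1102`
    - Destination IP Address
"""
    print_info(title, content)


def destination_event_logs():
    """Print the event-log artifacts left on the RDP *destination* (server) host."""
    title = "RDP Destination Event Logs"
    content = """
- **Security Event Log** – `security.evtx`
  - `4624` Logon Type 10
    - Source IP/Logon User Name
  - `4778/4779`
    - IP Address of Source/Source System Name
    - Logon User Name
- `Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx`
  - `131` - Connection Attempts
    - Source IP
  - `98` - Successful Connections
- `Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx`
  - `1149`
    - Source IP/Logon User Name
    - Blank user name may indicate use of Sticky Keys
- `Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx`
  - 21, 22, 25
    - Source IP/Logon User Name
  - 41
    - Logon User Name
"""
    print_info(title, content)


def source_registry():
    """Print the registry artifacts left on the RDP source host.

    Backslashes in the key paths are escaped so the literal renders a single
    separator when printed.
    """
    title = "RDP Source Registry"
    content = """
- Remote desktop destinations are tracked per-user
  - `NTUSER\\Software\\Microsoft\\Terminal Server Client\\Servers`
- [[ShimCache]] – SYSTEM
  - `mstsc.exe` Remote Desktop Client
- [[BAM_DAM]] – SYSTEM – Last Time Executed
  - `mstsc.exe` Remote Desktop Client
- [[AmCache.hve]] - First Time Executed
  - `mstsc.exe`
- UserAssist – `NTUSER.DAT`
  - `mstsc.exe` Remote Desktop Client execution
  - Last Time Executed
  - Number of Times Executed
- RecentApps – `NTUSER.DAT`
  - `mstsc.exe` - Remote Desktop Client execution
  - Last Time Executed
  - Number of Times Executed
  - RecentItems subkey tracks connection destinations and times
"""
    print_info(title, content)


def destination_registry():
    """Print the registry artifacts left on the RDP destination host."""
    title = "RDP Destination Registry"
    content = """
- [[ShimCache]] - SYSTEM
  - `rdpclip.exe`
  - `tstheme.exe`
- [[AmCache.hve]] - First Time Executed
  - `rdpclip.exe`
  - `tstheme.exe`
"""
    print_info(title, content)


def source_artifacts():
    """Print the file-system artifacts left on the RDP source host.

    ``<username>`` stands for the profile directory of the user who ran the
    client; ``{MSTSC-APPID}`` and ``{hash}`` are likewise placeholders for the
    per-application / per-binary values seen on the examined system.
    """
    title = "RDP Source File System Artifacts"
    # The per-user paths previously rendered as ``C:\Users\\AppData`` (no
    # profile component); the placeholder restores a valid path shape.
    # The bitmap cache lives under "Terminal Server Client" (three words),
    # matching the registry key used by the client.
    content = """
- Jumplists - `C:\\Users\\<username>\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\`
  - `{MSTSC-APPID}-automaticDestinations-ms`
  - Tracks remote desktop connection destination and times
- [[Prefetch]] – `C:\\Windows\\Prefetch\\`
  - `mstsc.exe-{hash}.pf`
- [[Bitmap_Cache]] – `C:\\Users\\<username>\\AppData\\Local\\Microsoft\\Terminal Server Client\\Cache`
  - bcache##.bmc
  - cache####.bin
- Default.rdp file –
  - `C:\\Users\\<username>\\Documents\\`
"""
    print_info(title, content)


def destination_artifacts():
    """Print the file-system artifacts left on the RDP destination host."""
    title = "RDP Destination File System Artifacts"
    content = """
- Prefetch – `C:\\Windows\\Prefetch\\`
  - `rdpclip.exe-{hash}.pf`
  - `tstheme.exe-{hash}.pf`
"""
    print_info(title, content)


def extra_rdp_info():
    """Print supplementary notes: NLA authentication timing and the event chain
    that a successful interactive RDP session produces on the destination."""
    title = "RDP Extra Information"
    content = """
# RDP Authentication vs. Authorization
- RDP authentication happens prior to session establishment (NLA).
- Know when authentication can fail and authorization can succeed.

# RDP Event Flow
1149 > 4624 (type 10) OR 7 (reconnect) > 21 > 22
- 1149: Authentication succeeded
- 4624: Account successfully logged on
- 21: Session logon succeeded
- 22: Shell start notification received
"""
    print_info(title, content)


def all_rdp_info():
    """Print every RDP reference section, source side first, then destination."""
    source_event_logs()
    destination_event_logs()
    source_registry()
    destination_registry()
    source_artifacts()
    destination_artifacts()
    extra_rdp_info()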