"""Submenu listing host and network artifacts left behind by SMBExec.

Every entry is a static, defender-oriented reference block: the event IDs,
registry keys, file-system paths and network indicators a responder can
check on the source and destination hosts of an SMBExec-style lateral
movement. Rendering is delegated to ``print_info`` (star-imported from
``Modules.Imports.ttp_imports``) and the menu itself to ``build_submenu``.
"""
import sys  # NOTE(review): not referenced anywhere in this module
from Modules.Imports.ttp_imports import *
from Modules.submenu import build_submenu


def _show(title, content):
    """Render one titled artifact block through the shared printer."""
    print_info(title, content)


# Individual submenu entries -------------------------------------------------

def source_event_logs():
    """
    Print the Windows event-log artifacts expected on the SMBExec source host.
    """
    _show(
        "SMBExec Source Event Logs",
        """
    - **security.evtx**
      - `4776` - Logon specifying alternate credentials
        - Current logged-on User Name
        - Alternate User Name
        - Destination Host Name/IP
        - Process Name
    """,
    )


def destination_event_logs():
    """
    Print the Windows event-log artifacts expected on the SMBExec destination host.
    """
    _show(
        "SMBExec Destination Event Logs",
        """
    - **security.evtx**
      - `4776` - Logon specifying alternate credentials
        - Connecting User Name
        - Process Name
      - `4624` Logon Type 3
        - Source IP/Logon User Name
      - `4672`
        - Logon User Name
        - Logon by a user with administrative rights
      - `4634` Type 3 (session end)
    - **system.evtx**
      - `7045`
        - Service installation
        - Default service name: "BTOBTO" or a random 8-character mixed-case string.
      - `7036` Service start/stop events
    """,
    )


def source_registry():
    """
    Print the registry artifacts expected on the SMBExec source host.
    """
    # Non-raw string: each ``\\`` in the literal renders as a single backslash.
    _show(
        "SMBExec Source Registry",
        """
    - **NTUSER.DAT**
      - Software\\SysInternals\\SMBExec\\EulaAccepted
    - **ShimCache** – SYSTEM
      - smbexec.exe
    - **BAM_DAM** – SYSTEM – Last Time Executed
      - smbexec.exe
    - **AmCache.hve** – First Time Executed
      - smbexec.exe
    """,
    )


def destination_registry():
    """
    Print the registry artifacts expected on the SMBExec destination host.
    """
    _show(
        "SMBExec Destination Registry",
        """
    - SYSTEM\\CurrentControlSet\\Services\\
      - Default: "BTOBTO" or random 8-character string.
    - **ShimCache** – SYSTEM
      - smbexecsvc.exe
    - **AmCache.hve** - First Time Executed
      - smbexecsvc.exe
    """,
    )


def source_file_system():
    """
    Print the file-system artifacts expected on the SMBExec source host.
    """
    _show(
        "SMBExec Source File System",
        """
    - **Prefetch** – C:\\Windows\\Prefetch\\
      - smbexec.exe-{hash}.pf
    - **File Creation**
      - smbexec.exe file downloaded and created on the local host.
    """,
    )


def destination_file_system():
    """
    Print the file-system artifacts expected on the SMBExec destination host.
    """
    _show(
        "SMBExec Destination File System",
        """
    - **Prefetch** – C:\\Windows\\Prefetch\\
      - smbexecsvc.exe-{hash}.pf
      - execute.bat-{hash}.pf
    - **File Creation**
      - `execute.bat` created in C:\\Windows\\TEMP\\
      - User-specified commands echoed to `execute.bat`.
      - Temporary batch file removed after execution.
    """,
    )


def smbexec_service_creation():
    """
    Print what the SMBExec service-installation artifact looks like (name,
    executable, and the event-log record that captures it).
    """
    # NOTE(review): this is a non-raw literal, so ``\\127.0.0.1`` is displayed
    # as ``\127.0.0.1`` (one backslash). Confirm that is the spelling the
    # author intended for the documented command line.
    _show(
        "SMBExec Service Creation Details",
        """
    - Service Name:
      - Default: "BTOBTO"
      - Updated to a random 8-character mixed-case string in May 2023.
    - Executable: `execute.bat` created for every command.
    - Event Log Evidence:
      - `7045` in `system.evtx` logs service creation.
    - Command executed via:
      - `%COMSPEC% /Q /c echo cd ^> \\127.0.0.1\\C$\\__output 2^>^&1 > %TEMP%\\execute.bat`.
    """,
    )


def smbexec_network_artifacts():
    """
    Print the network-level indicators associated with SMBExec activity.
    """
    _show(
        "SMBExec Network Artifacts",
        """
    - **Network Connections**:
      - SMB protocol communication with the target.
      - Evidence of ADMIN$ share access.
    - **Network Traffic Analysis**:
      - Monitor for suspicious SMB traffic to/from servers.
      - Detect repeated connections with new service creation.
    """,
    )


def smbexec_eviction_techniques():
    """
    Print the clean-up behaviour of SMBExec that a responder should expect
    when looking for residual artifacts.
    """
    _show(
        "SMBExec Eviction Techniques",
        """
    - Remove temporary files:
      - `execute.bat` is deleted after execution.
    - Service cleanup:
      - Services created for each command are removed after execution.
    """,
    )


def smbexec_malware_case_study():
    """
    Print a short case study of malware that used SMBExec for lateral
    movement, with the indicators and detections it suggests.
    """
    _show(
        "SMBExec Malware Case Study",
        """
    - **Case Study**:
      - Malware using SMBExec for lateral movement.
      - Leveraged temporary service creation for executing commands.
      - Indicators:
        - Random service names.
        - Temporary batch files in `C:\\Windows\\TEMP`.
    - **Detection**:
      - Monitor Event ID 7045 for abnormal service names.
      - Correlate with batch file creation and execution in `TEMP` directory.
    """,
    )


# Menu ----------------------------------------------------------------------

# Ordered (key, label, handler) triples; the dict handed to build_submenu is
# derived from this so the menu order and numbering live in one place.
_ENTRIES = (
    ("1", "Source Event Logs", source_event_logs),
    ("2", "Destination Event Logs", destination_event_logs),
    ("3", "Source Registry", source_registry),
    ("4", "Destination Registry", destination_registry),
    ("5", "Source File System", source_file_system),
    ("6", "Destination File System", destination_file_system),
    ("7", "Service Creation Details", smbexec_service_creation),
    ("8", "Network Artifacts", smbexec_network_artifacts),
    ("9", "Eviction Techniques", smbexec_eviction_techniques),
    ("10", "Malware Case Study", smbexec_malware_case_study),
)


def smbexec_submenu():
    """
    Build and display the SMBExec detection submenu.

    The menu title passed to ``build_submenu`` reads "SMBExec Persistence"
    while every entry describes lateral-movement artifacts; the label is kept
    as the author wrote it — confirm it is the intended heading.
    """
    actions = {
        key: {"description": label, "function": handler}
        for key, label, handler in _ENTRIES
    }
    build_submenu("SMBExec Persistence", actions)