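"""RDP persistence triage submenu.

Each check in this module assembles a short markdown-style checklist of the
host-side artifacts an investigator would collect (event logs, registry keys,
file-system artifacts) and hands that text to ``run_command``. Both
``run_command`` and ``build_submenu`` come from the star import below; what
they do with the text (print, log, dispatch) is not visible in this file.
"""

from Modules.Imports.protocol_imports import *


def rdp_submenu(target_ip, open_ports):
    """Show the RDP persistence submenu.

    Args:
        target_ip: Passed through unchanged to ``build_submenu``.
        open_ports: Passed through unchanged to ``build_submenu``.

    Menu keys are the 1-based position of each entry in ``_RDP_CHECKS``; a
    final "All" entry runs every check in that same order, so the menu and the
    "All" action cannot drift apart.
    """
    actions = {
        str(index): {"description": description, "function": function}
        for index, (description, function) in enumerate(_RDP_CHECKS, start=1)
    }
    actions[str(len(_RDP_CHECKS) + 1)] = {
        "description": "All",
        "function": run_all_rdp_checks,
    }
    build_submenu("RDP Persistence", target_ip, actions, open_ports)


# Individual checks. Each one only builds a fixed text block and forwards it,
# together with target_ip/open_ports, to run_command. The strings carry no
# placeholders, so plain (non-f) literals are used.


def source_event_logs(target_ip, open_ports):
    """List the event-log artifacts to pull from the RDP *source* host."""
    title = "Source Event Logs"
    content = (
        "- `security.evtx`\n"
        " - 4648: Logon specifying alternate credentials (NLA enabled)\n"
        " - Current logged-on User Name\n"
        " - Alternate User Name\n"
        " - Destination Host Name/IP\n"
        " - Process Name\n"
        "- `Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx`\n"
        " - 1024: Destination Host Name\n"
        " - 1102: Destination IP Address"
    )
    run_command(title, content, target_ip, open_ports)


def destination_event_logs(target_ip, open_ports):
    """List the event-log artifacts to pull from the RDP *destination* host."""
    title = "Destination Event Logs"
    content = (
        "- **Security Event Log** – `security.evtx`\n"
        " - 4624: Logon Type 10\n"
        " - Source IP/Logon User Name\n"
        " - 4778/4779\n"
        " - IP Address of Source/Source System Name\n"
        " - Logon User Name\n"
        "- `Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx`\n"
        " - 131: Connection Attempts (Source IP)\n"
        " - 98: Successful Connections\n"
        "- `Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx`\n"
        " - 1149: Source IP/Logon User Name (Blank user name may indicate Sticky Keys)\n"
        "- `Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx`\n"
        " - 21, 22, 25: Source IP/Logon User Name\n"
        " - 41: Logon User Name"
    )
    run_command(title, content, target_ip, open_ports)


def source_registry(target_ip, open_ports):
    """List the registry artifacts that record RDP client use on the source host."""
    title = "Source Registry"
    content = (
        "- `NTUSER\\Software\\Microsoft\\Terminal Server Client\\Servers`: Remote desktop destinations (per-user)\n"
        "- `ShimCache` – SYSTEM: Tracks `mstsc.exe` (Remote Desktop Client)\n"
        "- `BAM_DAM` – SYSTEM: Last Time Executed (`mstsc.exe`)\n"
        "- `AmCache.hve`: First Time Executed (`mstsc.exe`)\n"
        "- `UserAssist` – `NTUSER.DAT`\n"
        " - Tracks execution of `mstsc.exe` (Remote Desktop Client)\n"
        "- `RecentApps` – `NTUSER.DAT`\n"
        " - Tracks `mstsc.exe` and connection destinations"
    )
    run_command(title, content, target_ip, open_ports)


def destination_registry(target_ip, open_ports):
    """List the registry artifacts that record RDP session helpers on the destination host."""
    title = "Destination Registry"
    content = (
        "- `ShimCache` - SYSTEM\n"
        " - Tracks `rdpclip.exe` and `tstheme.exe`\n"
        "- `AmCache.hve`: First Time Executed\n"
        " - Tracks `rdpclip.exe` and `tstheme.exe`"
    )
    run_command(title, content, target_ip, open_ports)


def source_artifacts(target_ip, open_ports):
    """List the file-system artifacts of RDP client use on the source host.

    NOTE(review): the ``\\\\`` between ``Users`` and ``AppData``/``Documents``
    renders as a doubled separator; it reads like a stripped per-user
    placeholder (e.g. a username segment). Confirm against the upstream
    source before relying on the paths verbatim.
    """
    title = "Source File System Artifacts"
    content = (
        "- Jumplists: `C:\\Users\\\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\`\n"
        " - Tracks remote desktop connection destinations and times\n"
        "- Prefetch: `C:\\Windows\\Prefetch\\`\n"
        " - Tracks execution of `mstsc.exe`\n"
        "- Bitmap Cache: `C:\\Users\\\\AppData\\Local\\Microsoft\\TerminalServer Client\\Cache`\n"
        "- Default.rdp file: `C:\\Users\\\\Documents\\`"
    )
    run_command(title, content, target_ip, open_ports)


def destination_artifacts(target_ip, open_ports):
    """List the file-system artifacts of an inbound RDP session on the destination host."""
    title = "Destination File System Artifacts"
    content = (
        "- Prefetch: `C:\\Windows\\Prefetch\\`\n"
        " - Tracks execution of `rdpclip.exe` and `tstheme.exe`"
    )
    run_command(title, content, target_ip, open_ports)


def extra_info(target_ip, open_ports):
    """Show background reading and the event-ID sequence of a successful RDP logon."""
    title = "Extra Information"
    content = (
        "- [RDP Authentication vs. Authorization - 13Cubed](https://youtu.be/OlENso8_u7s)\n"
        "- Key Concepts:\n"
        " - RDP_NLA (Network Level Authentication)\n"
        " - RDP_successful_logon event codes\n"
        " - 1149 > 4624 type 10 (established) OR 7 (reconnect) > 21 > 22\n"
        " - Understand authentication failures vs. authorization successes"
    )
    run_command(title, content, target_ip, open_ports)


# Single source of truth for menu order: (menu description, check function).
# rdp_submenu numbers these from "1", and run_all_rdp_checks runs them in
# this order.
_RDP_CHECKS = (
    ("Source Event Logs", source_event_logs),
    ("Destination Event Logs", destination_event_logs),
    ("Source Registry", source_registry),
    ("Destination Registry", destination_registry),
    ("Source Artifacts", source_artifacts),
    ("Destination Artifacts", destination_artifacts),
    ("Extra", extra_info),
)


def run_all_rdp_checks(target_ip, open_ports):
    """Run every entry in ``_RDP_CHECKS`` in menu order, after a banner.

    Args:
        target_ip: Passed through unchanged to ``run_command`` and each check.
        open_ports: Passed through unchanged to ``run_command`` and each check.
    """
    title = "Run All RDP Checks"
    content = "Executing all RDP persistence checks. Please wait..."
    run_command(title, content, target_ip, open_ports)
    # Sequential on purpose: the checks share the same output channel, and
    # the order matches the numbered menu so the report reads top-to-bottom.
    for _description, check in _RDP_CHECKS:
        check(target_ip, open_ports)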