from Modules.Imports.ttp_imports import *
from Modules.submenu import build_submenu


def schedule_tasks_submenu():
    """
    Submenu for Scheduled Tasks Persistence Indicators.

    Builds the numbered action table ("1".."8", each mapping to a
    description and a handler) and hands it to build_submenu.  The table
    is assembled inside the function so the handler names below are
    already bound when it is evaluated.
    """
    # (menu label, handler) in the order the menu presents them.
    entries = [
        ("Source Event Logs", source_event_logs),
        ("Destination Event Logs", destination_event_logs),
        ("Source Registry", source_registry),
        ("Destination Registry", destination_registry),
        ("Source Artifacts", source_artifacts),
        ("Destination Artifacts", destination_artifacts),
        ("Atexec Analysis", atexec_analysis),
        ("Extra", extra_scheduled_tasks_info),
    ]
    actions = {
        str(slot): {"description": label, "function": handler}
        for slot, (label, handler) in enumerate(entries, start=1)
    }
    build_submenu("Scheduled Tasks Persistence", actions)


def source_event_logs():
    """Show the event-log indicators recorded on the system that created the task."""
    heading = "Scheduled Tasks Source Event Logs"
    body = """
- `security.evtx`
  - `4648` - Logon specifying alternate credentials
    - Current logged-on User Name
    - Alternate User Name
    - Destination Host Name/IP
    - Process Name
"""
    print_info(heading, body)


def destination_event_logs():
    """Show the event-log indicators recorded on the system where the task ran."""
    heading = "Scheduled Tasks Destination Event Logs"
    # Security.evtx covers the logon and task-lifecycle audit events; the
    # TaskScheduler operational log covers creation/update/execution.
    body = """
- `security.evtx`
  - `4624` Logon Type 3
    - Source IP/Logon User Name
  - `4672`
    - Logon User Name
    - Logon by a user with administrative rights
    - Requirement for accessing default shares such as **C$** and **ADMIN$**
  - `4698` - Scheduled task created
  - `4702` - Scheduled task updated
  - `4699` - Scheduled task deleted
  - `4700/4701` - Scheduled task enabled/disabled
- `Microsoft-Windows-TaskScheduler%4Operational.evtx`
  - `106` - Scheduled task created
  - `140` - Scheduled task updated
  - `141` - Scheduled task deleted
  - `200/201` - Scheduled task executed/completed
"""
    print_info(heading, body)


def source_registry():
    """Show the registry execution-evidence artifacts on the source system."""
    heading = "Scheduled Tasks Source Registry"
    body = """
- [[ShimCache]] - SYSTEM
  - at.exe
  - schtasks.exe
- [[BAM|DAM]] - SYSTEM - Last Time Executed
  - at.exe
  - schtasks.exe
- [[AmCache.hve]] - First Time Executed
  - at.exe
  - schtasks.exe
"""
    print_info(heading, body)


def destination_registry():
    """Show the registry artifacts on the destination system (task cache and execution evidence)."""
    heading = "Scheduled Tasks Destination Registry"
    body = """
- SOFTWARE
  - `Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tasks`
  - `Microsoft\\Windows NT\\CurrentVersion\\Schedule\\TaskCache\\Tree\\`
- [[ShimCache]] – SYSTEM
  - evil.exe
- [[AmCache.hve]] - First Time Executed
  - evil.exe
"""
    print_info(heading, body)


def source_artifacts():
    """Show the file-system artifacts left on the source system."""
    heading = "Scheduled Tasks Source File System Artifacts"
    body = """
- [[Prefetch]] - C:\\Windows\\Prefetch\\
  - at.exe-{hash}.pf
  - schtasks.exe-{hash}.pf
"""
    print_info(heading, body)


def destination_artifacts():
    """Show the file-system artifacts left on the destination system."""
    heading = "Scheduled Tasks Destination File System Artifacts"
    body = """
- File Creation
  - evil.exe
  - Job files created in
    - `C:\\Windows\\Tasks`
  - XML task files created in
    - `C:\\Windows\\System32\\Tasks`
    - `C:\\Windows\\SysWOW64\\Tasks`
    - Author tag can identify:
      - Source system name
      - Creator username
- [[Prefetch]] – `C:\\Windows\\Prefetch\\`
  - evil.exe-{hash}.pf
"""
    print_info(heading, body)


def atexec_analysis():
    """Show the detection notes and event-log residue associated with atexec-style task execution."""
    heading = "Atexec Analysis"
    body = """
### Command Syntax:
- `atexec.py domain/username:password@[hostname | IP] command`

### Characteristics:
- Executes commands remotely but does not provide shell access.
- Creates a Scheduled Task with a random 8-character mixed-case alpha string.
- Uses `cmd.exe /C` to run commands, outputting results to `C:\\Windows\\Temp\\.tmp` before deleting the file.
- **NOT detected and blocked by Windows Defender by default**.

### Windows Event Log Residue:
1. Event IDs in `Security.evtx`:
   - `4776` - NTLM Authentication
   - `4672` - Special privileges assigned to logon.
   - `4624` - Successful logon (Type 3).
2. Microsoft-Windows-TaskScheduler/Operational:
   - `106`, `325`, `129`, `100`, `200`, `110`, `141`, `111`, `201`, `102` (Task lifecycle).
3. **IF ENABLED**:
   - `4688` - Process creation (`cmd.exe` spawning tasks or executing commands).
   - `4698` - Scheduled task created.
   - `4699` - Scheduled task deleted.

### Example Detection Indicators:
- Multiple rounds of Event IDs (4776, 4672, 4624).
- Temporary `.tmp` files in `C:\\Windows\\Temp` with scheduled task output.
"""
    print_info(heading, body)


def extra_scheduled_tasks_info():
    """Show the reference command lines whose use the indicators above are meant to surface."""
    heading = "Scheduled Tasks Extra Information"
    body = """
# Scheduled Tasks Commands
- `at \\\\host 13:00 "c:\\temp\\evil.exe"`
- `schtasks /CREATE /TN taskname /TR c:\\temp\\evil.exe /SC once /RU “SYSTEM” /ST 13:00 /S host /U username`
"""
    print_info(heading, body)