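"""Submenu describing host-side indicators of DCOM-based remote execution.

Each entry prints a short reference card (event-log residue, command
artefacts, detection and mitigation notes) through the project's
``print_info`` helper; nothing here touches the network or the target.
"""

import sys  # NOTE(review): unused in this module; kept because the wider package may rely on it

from Modules.Imports.ttp_imports import *
from Modules.submenu import build_submenu


def dcom_submenu():
    """Register the DCOM indicator cards with the shared submenu builder.

    The keys are the menu choices offered to the user; the functions they
    point at are defined further down in this module and are only resolved
    when the user picks an entry. ``build_submenu`` is expected to render
    the menu and dispatch to the chosen function (see Modules.submenu).
    """
    actions = {
        "1": {"description": "DCOM Execution Overview", "function": dcom_execution_overview},
        "2": {"description": "Windows Event Log Residue", "function": windows_event_log_residue},
        "3": {"description": "Analysis of Commands Executed", "function": analyze_commands_executed},
        "4": {"description": "Detection and Mitigation", "function": detection_and_mitigation},
    }
    build_submenu("DCOM-Based Persistence", actions)


def dcom_execution_overview():
    """Print a summary of how dcomexec.py drives execution over DCOM.

    Returns None; output goes through ``print_info``.
    """
    title = "DCOM Execution Overview"
    content = """
### DCOM Execution (dcomexec.py):
- **Command**: `dcomexec.py -object [ShellWindows | ShellBrowserWindow | MMC20] domain/username:password@[hostname | IP] command`
  - Specify a command to run or leave blank for shell.
- Executes a semi-interactive shell using DCOM objects.
- Must specify 'ShellWindows', 'ShellBrowserWindow', or 'MMC20' via the `-object` parameter.
- Uses the first 5 digits of the UNIX Epoch Time in commands.

**Features**:
- Not detected or blocked by Windows Defender by default.
"""
    print_info(title, content)


def windows_event_log_residue():
    """Print the Security-log events a DCOM execution leaves on the target.

    Returns None; output goes through ``print_info``.
    """
    title = "Windows Event Log Residue"
    # Raw string: the output redirect is a UNC path and must be shown with
    # both leading backslashes (\\127.0.0.1\ADMIN$\...). In a regular
    # literal "\\" collapses to "\" and the indicator is printed wrong.
    content = r"""
### Event Log Residue:
- Two rounds of:
  - Event ID `4776` in Security on target (for user specified in command).
  - Event ID `4672` in Security on target (for user specified in command).
  - Event ID `4624` Type 3 in Security on target (for user specified in command).

#### If Enabled:
- Event ID `4688` in Security on target:
  - `svchost.exe → mmc.exe -Embedding`.
  - `mmc.exe → cmd.exe /Q /c cd \ 1> \\127.0.0.1\ADMIN$\__sssss 2>&1` (where “s” is the first 5 digits of the UNIX Epoch Time).
  - `cmd.exe → conhost.exe 0xffffffff -ForceV1`.

#### User Specified Commands:
- Event ID `4688` in Security on target:
  - `mmc.exe → cmd.exe /Q /c command 1> \\127.0.0.1\ADMIN$\__sssss 2>&1`.
  - `cmd.exe → conhost.exe 0xffffffff -ForceV1`.
- Two rounds of:
  - Event ID `4634` Type 3 in Security on target (for user specified in command).
"""
    print_info(title, content)


def analyze_commands_executed():
    """Print the process and file artefacts left by commands run over DCOM.

    Returns None; output goes through ``print_info``.
    """
    title = "Analysis of Commands Executed via DCOM"
    # Raw string for the same reason as in windows_event_log_residue: keep
    # the UNC path's double leading backslash intact in the printed card.
    content = r"""
### Command Execution Details:
- DCOM execution involves creating a semi-interactive shell or running specific commands via DCOM objects.
- Commands use `mmc.exe` and `cmd.exe`:
  - `mmc.exe → cmd.exe /Q /c command 1> \\127.0.0.1\ADMIN$\__sssss 2>&1`.
- The temporary file (__sssss) is created in the ADMIN$ share and cleaned up after execution.

**Key Indicators**:
- Look for temporary files in the ADMIN$ share with names matching the pattern `__sssss`.
- Monitor suspicious use of `mmc.exe` with the `-Embedding` flag.
"""
    print_info(title, content)


def detection_and_mitigation():
    """Print detection sources and hardening steps for DCOM-based execution.

    Returns None; output goes through ``print_info``.
    """
    title = "Detection and Mitigation"
    content = """
### Detection:
- Monitor `security.evtx` and `system.evtx` for:
  - Event ID `4688` showing `mmc.exe` or `cmd.exe` with unusual arguments.
  - Event ID `4624` and `4672` indicating logon attempts.
  - Event ID `4634` showing logoff events.
- Use tools like Sysmon to log detailed command-line activity:
  - Enable logging for `mmc.exe`, `cmd.exe`, and `conhost.exe`.
  - Look for suspicious command-line parameters, such as the `-Embedding` flag.

### Mitigation:
- Restrict DCOM usage via GPO:
  - Navigate to: `Computer Configuration > Administrative Templates > Windows Components > DCOM`.
  - Disable DCOM or restrict to trusted applications.
- Regularly audit temporary files in ADMIN$ shares.
- Use endpoint protection solutions to detect unusual DCOM activity.
"""
    print_info(title, content)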