import sys  # NOTE(review): not referenced anywhere in this module
from Modules.Imports.ttp_imports import *
from Modules.submenu import build_submenu


def map_share_submenu():
    """
    Build and show the Map Share submenu.

    Each entry pairs a menu key ("1".."6") with a description and the
    display function that prints the artifact reference for that topic.
    The menu is rendered by ``build_submenu`` (imported from
    ``Modules.submenu``); the display functions come from this module.
    """
    # Ordered (description, function) pairs; keys are assigned from 1 upward.
    entries = (
        ("Source Event Logs", source_event_logs),
        ("Destination Event Logs", destination_event_logs),
        ("Source Registry", source_registry),
        ("Destination Registry", destination_registry),
        ("Source File System", source_file_system),
        ("Destination File System", destination_file_system),
    )
    actions = {
        str(index): {"description": description, "function": handler}
        for index, (description, handler) in enumerate(entries, start=1)
    }
    # NOTE(review): the heading says "Persistence" while every sibling title
    # in this module reads "Map Share ..."; confirm this is the intended label.
    build_submenu("Map Share Persistence", actions)


# Individual submenu functions


def source_event_logs():
    """
    Print the Windows event-log artifacts recorded on the *source* host
    when a remote share is mapped (alternate-credential logons and failed
    SMB client logons).
    """
    print_info(
        "Map Share Source Event Logs",
        """
- `security.evtx`
  - `4648` - Logon specifying alternate credentials
    - Current logged-on User Name
    - Alternate User Name
    - Destination Host Name/IP
    - Process Name
- `Microsoft-Windows-SmbClient\\Security.evtx`
  - `31001` – Failed logon to destination
    - Destination Host Name
    - User Name for failed logon
    - Reason code for failed destination logon (e.g., bad password)
""",
    )


def destination_event_logs():
    """
    Print the Windows event-log artifacts recorded on the *destination*
    host of a mapped share: network logons, privilege assignment, NTLM and
    Kerberos authentication events, and share-access auditing.
    """
    print_info(
        "Map Share Destination Event Logs",
        """
- **Security Event Log – `security.evtx`**
  - `4624`
    - Logon Type 3
    - Source IP/Logon User Name
  - `4672`
    - Logon User Name
    - Logon by user with administrative rights
    - Requirement for accessing default shares such as **C$** and **ADMIN$**
  - `4776`
    - NTLM if authenticating to Local System
    - Source Host Name/Logon User Name
  - `4768` - TGT Granted
    - Source Host Name/Logon User Name
    - Available only on domain controller
  - `4769` - Service Ticket Granted if authenticating to Domain Controller
    - Destination Host Name/Logon User Name
    - Source IP
    - Available only on domain controller
  - `5140` - Share Access
  - `5145` - Auditing of shared files – **NOISY**!
""",
    )


def source_registry():
    """
    Print the registry artifacts on the *source* host that record mapped
    shares (MountPoints2, Shellbags) and execution of `net.exe`/`net1.exe`
    (ShimCache, BAM/DAM, AmCache).
    """
    print_info(
        "Map Share Source Registry",
        """
- **MountPoints2**
  - Remotely mapped shares
  - `NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2`
- **Shellbags** - USRCLASS.DAT
  - Remote folders accessed inside an interactive session via Explorer by attackers.
- **ShimCache** – SYSTEM
  - `net.exe`
  - `net1.exe`
- **BAM_DAM** – NTUSER.DAT – Last Time Executed
  - `net.exe`
  - `net1.exe`
- **AmCache.hve** - First Time Executed
  - `net.exe`
  - `net1.exe`
""",
    )


def destination_registry():
    """
    Print the registry artifacts on the *destination* host of a mapped
    share. None are listed for this technique.
    """
    print_info(
        "Map Share Destination Registry",
        """
- N/A
""",
    )


def source_file_system():
    """
    Print the file-system artifacts on the *source* host: Prefetch entries
    for `net.exe`/`net1.exe` and user-profile artifacts (shortcuts,
    jumplists) for remotely accessed files.
    """
    print_info(
        "Map Share Source File System",
        """
- **Prefetch**
  - `C:\\Windows\\Prefetch\\`
    - `net.exe-{hash}.pf`
    - `net1.exe-{hash}.pf`
- **User Profile Artifacts**
  - Review shortcut files and jumplists for remote files accessed by attackers if they had interactive access (RDP).
""",
    )


def destination_file_system():
    """
    Print the file-system artifacts on the *destination* host: timestamps
    of files copied over the share and, on servers, the User Access Logging
    database under `LogFiles\\Sum`.
    """
    print_info(
        "Map Share Destination File System",
        """
- **File Creation**
  - Attacker's files (malware) copied to the destination system.
  - Look for Modified Time before Creation Time.
    - Creation Time is the time of file copy.
- **User Access Logging (Servers Only)**
  - `C:\\Windows\\System32\\LogFiles\\Sum`
    - User Name
    - Source IP Address
    - First and Last Access Time
""",
    )