Hunt-AI/Modules/Persistence/powershell_remoting.py

def get_content():
    """
    Returns structured content for the PowerShell Remoting persistence method.
    """
    return [
        {
            "title": "PowerShell Remoting Source Event Logs",
            "content": """
### Source Event Logs
- **security.evtx**
  - `4648` - Logon specifying alternate credentials
    - Current logged-on User Name
    - Alternate User Name
    - Destination Host Name/IP
    - Process Name
- **Microsoft-Windows-WinRM/Operational.evtx**
  - `161` - Remote Authentication Error
  - `6` - WSMan Session initialize
    - Session created
    - Destination Host Name or IP
    - Current logged-on User Name
  - `8`, `15`, `16`, `33` - WSMan Session deinitialization
    - Closing of WSMan session
    - Current logged-on User Name
- **Microsoft-Windows-PowerShell/Operational.evtx**
  - `40961`, `40962`
    - Records the local initiation of powershell.exe and associated user account
  - `8193` & `8194` - Session created
  - `8197` - Connect
    - Session closed
"""
        },
        {
            "title": "PowerShell Remoting Source Registry",
            "content": """
### Source Registry
- **ShimCache** SYSTEM
  - powershell.exe
- **BAM_DAM** SYSTEM Last Time Executed
  - powershell.exe
- **AmCache.hve** First Time Executed
  - powershell.exe
"""
        },
        {
            "title": "PowerShell Remoting Source File System Artifacts",
            "content": """
### Source File System Artifacts
- **Prefetch** C:\\Windows\\Prefetch\\
  - powershell.exe-{hash}.pf
  - PowerShell scripts (.ps1 files) that run within 10 seconds of powershell.exe launching will be tracked in the powershell.exe prefetch file
- **Command history**
  - C:\\Users\\<Username>\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadline\\ConsoleHost_history.txt
  - With PS v5+, a history file with the previous 4096 commands is maintained per user
"""
        },
        {
            "title": "PowerShell Remoting Destination Event Logs",
            "content": """
### Destination Event Logs
- **security.evtx**
  - `4624` Logon Type 3
    - Source IP/Logon User Name
  - `4672`
    - Logon User Name
    - Logon by a user with administrative rights
- **Microsoft-Windows-PowerShell%4Operational.evtx**
  - `4103`, `4104` Script Block logging
    - Logs suspicious scripts by default in PS v5
    - Logs all scripts if configured
  - `53504` - Records the authenticating user
- **Windows PowerShell.evtx**
  - `400/403` - "ServerRemoteHost" indicates start/end of remoting session
  - `800` - Includes partial script code
- **Microsoft-Windows-WinRM/Operational.evtx**
  - `91` Session creation
  - `142` WSMan Operation Failure
  - `169` Records the authenticating user
"""
        },
        {
            "title": "PowerShell Remoting Destination Registry",
            "content": """
### Destination Registry
- **ShimCache** SYSTEM
  - wsmprovhost.exe
  - evil.exe
- **SOFTWARE**
  - Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell\\ExecutionPolicy
    - Attacker may change execution policy to a less restrictive setting, such as "bypass"
- **AmCache.hve** First Time Executed
  - wsmprovhost.exe
  - evil.exe
"""
        },
        {
            "title": "PowerShell Remoting Destination File System Artifacts",
            "content": """
### Destination File System Artifacts
- **File Creation**
  - evil.exe
  - With Enter-PSSession, a user profile directory may be created
- **Prefetch** C:\\Windows\\Prefetch\\
  - evil.exe-{hash}.pf
  - wsmprovhost.exe-{hash}.pf
"""
        }
    ]
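The module above only lists the artifacts. As an added example (not part of Hunt-AI), the script below shows how a hunter would actually stitch the destination-side events together: each WinRM event `91` (session creation) is used as an anchor, and the Security `4624` Logon Type 3 / `4672` events, the `ServerRemoteHost` entries in the Windows PowerShell log (`400`/`403`) and any `4103`/`4104` script blocks within a time window are attached to it. The event records, their field names (`time`, `log`, `id`, `logon_type`, `user`, `src_ip`, `host_name`, `script_block`), the `window_seconds` parameter and the function names are all constructed for this example and do not correspond to a particular `Get-WinEvent` export format; the ExecutionPolicy check reflects the registry note in the module (an attacker lowering the policy to "bypass") and looks for that change inside logged script blocks.

```python
import re
from datetime import datetime, timedelta

# Log names as they appear in the artifact list above.
WINRM_LOG = "Microsoft-Windows-WinRM/Operational"
PS_OPERATIONAL_LOG = "Microsoft-Windows-PowerShell/Operational"
LEGACY_PS_LOG = "Windows PowerShell"

# Constructed sample events for one remoting session plus unrelated noise.
# Field names are assumptions for this example, not a real export schema.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T10:00:02", "log": "Security", "id": 4624,
     "logon_type": 3, "user": "CORP\\jdoe", "src_ip": "10.0.0.5"},
    {"time": "2024-03-01T10:00:02", "log": "Security", "id": 4672,
     "user": "CORP\\jdoe"},
    {"time": "2024-03-01T10:00:03", "log": WINRM_LOG, "id": 91,
     "user": "CORP\\jdoe"},
    {"time": "2024-03-01T10:00:04", "log": LEGACY_PS_LOG, "id": 400,
     "host_name": "ServerRemoteHost"},
    {"time": "2024-03-01T10:00:06", "log": PS_OPERATIONAL_LOG, "id": 4104,
     "script_block": "Set-ExecutionPolicy Bypass -Scope LocalMachine"},
    # Interactive console logon by someone else, well outside the window.
    {"time": "2024-03-01T11:30:00", "log": "Security", "id": 4624,
     "logon_type": 2, "user": "CORP\\alice", "src_ip": "-"},
]

# Script-block text that lowers the execution policy (see the registry note).
RISKY_POLICY = re.compile(
    r"Set-ExecutionPolicy\s+(?:-ExecutionPolicy\s+)?(Bypass|Unrestricted)",
    re.IGNORECASE,
)


def _ts(event):
    """Parse the ISO-8601 timestamp carried by a constructed event."""
    return datetime.fromisoformat(event["time"])


def correlate_remoting_sessions(events, window_seconds=60):
    """Return one record per WinRM event 91 on the destination host, enriched
    with the Security and PowerShell events that fall within the window."""
    window = timedelta(seconds=window_seconds)
    events = sorted(events, key=_ts)
    sessions = []
    for anchor in events:
        if anchor["log"] != WINRM_LOG or anchor["id"] != 91:
            continue
        t0 = _ts(anchor)
        rec = {
            "user": anchor.get("user"),
            "src_ip": None,
            "started": anchor["time"],
            "network_logon": False,      # Security 4624, Logon Type 3
            "admin_rights": False,       # Security 4672 for the same user
            "remote_host_session": False,  # Windows PowerShell 400/403
            "script_blocks": [],         # PowerShell/Operational 4103/4104
        }
        for ev in events:
            if abs(_ts(ev) - t0) > window:
                continue
            same_user = ev.get("user") == rec["user"]
            if ev["log"] == "Security" and ev["id"] == 4624 \
                    and ev.get("logon_type") == 3 and same_user:
                rec["network_logon"] = True
                rec["src_ip"] = ev.get("src_ip")
            elif ev["log"] == "Security" and ev["id"] == 4672 and same_user:
                rec["admin_rights"] = True
            elif ev["log"] == LEGACY_PS_LOG and ev["id"] in (400, 403) \
                    and ev.get("host_name") == "ServerRemoteHost":
                rec["remote_host_session"] = True
            elif ev["log"] == PS_OPERATIONAL_LOG and ev["id"] in (4103, 4104):
                rec["script_blocks"].append(ev.get("script_block", ""))
        sessions.append(rec)
    return sessions


def flag_execution_policy_changes(session):
    """Return the script blocks in a session that lower the execution policy."""
    return [sb for sb in session["script_blocks"] if RISKY_POLICY.search(sb)]


if __name__ == "__main__":
    for s in correlate_remoting_sessions(SAMPLE_EVENTS):
        print(s["started"], s["user"], "from", s["src_ip"],
              "admin" if s["admin_rights"] else "non-admin",
              "policy changes:", flag_execution_policy_changes(s))
```

The anchor is WinRM `91` rather than `4624` because every Type 3 logon (SMB, RPC, and so on) produces a `4624`, while `91` is specific to a WSMan session being created; matching on the user name keeps an unrelated logon in the same minute from being attached to the wrong session. With real data, the `time` and `user` fields would come from the event's `TimeCreated` and the relevant XML data fields of each provider, which differ per log.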