from Modules.Imports.protocol_imports import *
def rdp_submenu():
    """Build and display the "RDP Persistence" submenu.

    Menu keys are the strings "1" through "8", assigned in the order the
    entries are listed below; each key maps to a description and the
    handler that prints one category of RDP forensic artifacts. The
    rendering and input handling are done by build_submenu(), which comes
    from protocol_imports and is not defined here.
    """
    entries = (
        ("Source Event Logs", source_event_logs),
        ("Destination Event Logs", destination_event_logs),
        ("Source Registry", source_registry),
        ("Destination Registry", destination_registry),
        ("Source Artifacts", source_artifacts),
        ("Destination Artifacts", destination_artifacts),
        ("Extra", extra_rdp_info),
        ("All", all_rdp_info),
    )
    # build_submenu is handed a {key: {"description": ..., "function": ...}}
    # mapping; the numeric keys are derived from the tuple order above.
    actions = {
        str(index): {"description": label, "function": handler}
        for index, (label, handler) in enumerate(entries, start=1)
    }
    build_submenu("RDP Persistence", actions)
# Individual submenu functions
def source_event_logs():
    """Print the client-side (source host) event log artifacts of RDP use.

    Covers the Security log entry 4648 (explicit-credential logon, which the
    reference ties to NLA being enabled on the destination) and the
    TerminalServices-RDPClient Operational channel events 1024 and 1102,
    which record the destination host name and IP address respectively.
    Output goes through print_info(); nothing is returned.
    """
    heading = "RDP Source Event Logs"
    # Markdown-style body; rendering is whatever print_info does with it.
    body = """
- `security.evtx`
- `4648` - Logon specifying alternate credentials - if NLA enabled on destination
- Current logged-on User Name
- Alternate User Name
- Destination Host Name/IP
- Process Name
- `Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx`
- `1024`
- Destination Host Name
- `1102`
- Destination IP Address
"""
    print_info(heading, body)
def destination_event_logs():
    """Print the server-side (destination host) event log artifacts of RDP use.

    Lists the four channels the reference relies on to reconstruct an inbound
    RDP session: the Security log (4624 type 10, 4778/4779), RdpCoreTS (131
    connection attempts, 98 successful connections), RemoteConnectionManager
    (1149) and LocalSessionManager (21, 22, 25, 41). The note on 1149 with a
    blank user name is a detection hint kept verbatim from the reference.
    Output goes through print_info(); nothing is returned.
    """
    heading = "RDP Destination Event Logs"
    body = """
- **Security Event Log** - `security.evtx`
- `4624` Logon Type 10
- Source IP/Logon User Name
- `4778/4779`
- IP Address of Source/Source System Name
- Logon User Name
- `Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx`
- `131` - Connection Attempts
- Source IP
- `98` - Successful Connections
- `Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx`
- `1149`
- Source IP/Logon User Name
- Blank user name may indicate use of Sticky Keys
- `Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx`
- 21, 22, 25
- Source IP/Logon User Name
- 41
- Logon User Name
"""
    print_info(heading, body)
def source_registry():
    """Print the registry artifacts left on the RDP source (client) host.

    Groups the per-user connection history (Terminal Server Client\\Servers
    under NTUSER) with the execution-evidence sources for mstsc.exe:
    ShimCache and BAM/DAM (SYSTEM hive), AmCache.hve, UserAssist and
    RecentApps (NTUSER.DAT). Output goes through print_info(); nothing is
    returned.
    """
    heading = "RDP Source Registry"
    # The [[...]] tokens are cross-references used by the rest of the
    # reference; they are emitted as-is.
    body = """
- Remote desktop destinations are tracked per-user
- `NTUSER\\Software\\Microsoft\\Terminal Server Client\\Servers`
- [[ShimCache]] - SYSTEM
- `mstsc.exe` Remote Desktop Client
- [[BAM_DAM]] - SYSTEM - Last Time Executed
- `mstsc.exe` Remote Desktop Client
- [[AmCache.hve]] - First Time Executed
- `mstsc.exe`
- UserAssist - `NTUSER.DAT`
- `mstsc.exe` Remote Desktop Client execution
- Last Time Executed
- Number of Times Executed
- RecentApps - `NTUSER.DAT`
- `mstsc.exe`
- Remote Desktop Client execution
- Last Time Executed
- Number of Times Executed
- RecentItems subkey tracks connection destinations and times
"""
    print_info(heading, body)
def destination_registry():
    """Print the registry artifacts left on the RDP destination (server) host.

    Only execution evidence is listed here: ShimCache (SYSTEM hive) and
    AmCache.hve entries for rdpclip.exe and tstheme.exe, the helper
    processes the reference associates with an inbound session. Output
    goes through print_info(); nothing is returned.
    """
    heading = "RDP Destination Registry"
    body = """
- [[ShimCache]] - SYSTEM
- `rdpclip.exe`
- `tstheme.exe`
- [[AmCache.hve]] - First Time Executed
- `rdpclip.exe`
- `tstheme.exe`
"""
    print_info(heading, body)
def source_artifacts():
    """Print the file system artifacts left on the RDP source (client) host.

    Covers the mstsc.exe jump list (connection destinations and times), its
    Prefetch file, the bitmap cache directory, and the location of
    Default.rdp. Output goes through print_info(); nothing is returned.
    """
    heading = "RDP Source File System Artifacts"
    # NOTE(review): the bitmap cache directory is written "TerminalServer
    # Client" below; the usual spelling of that folder has a space before
    # "Server" — confirm against a live system before relying on the path.
    body = """
- Jumplists - `C:\\Users\\<Username>\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\`
- `{MSTSC-APPID}-automaticDestinations-ms`
- Tracks remote desktop connection destination and times
- [[Prefetch]] - `C:\\Windows\\Prefetch\\`
- `mstsc.exe-{hash}.pf`
- [[Bitmap_Cache]] - `C:\\Users\\<Username>\\AppData\\Local\\Microsoft\\TerminalServer Client\\Cache`
- bcache##.bmc
- cache####.bin
- Default.rdp file -
- `C:\\Users\\<Username>\\Documents\\`
"""
    print_info(heading, body)
def destination_artifacts():
    """Print the file system artifacts left on the RDP destination (server) host.

    Only the Prefetch files of rdpclip.exe and tstheme.exe are listed; they
    complement the ShimCache/AmCache entries shown by destination_registry().
    Output goes through print_info(); nothing is returned.
    """
    heading = "RDP Destination File System Artifacts"
    body = """
- Prefetch - `C:\\Windows\\Prefetch\\`
- `rdpclip.exe-{hash}.pf`
- `tstheme.exe-{hash}.pf`
"""
    print_info(heading, body)
def extra_rdp_info():
    """Print the supplementary RDP notes: authentication vs. authorization
    under NLA, and the expected event sequence of a successful session.

    The event flow line (1149 > 4624 type 10 / 7 > 21 > 22) is the ordering
    an analyst can check a timeline against; a session that shows 1149 but
    none of the later events did not complete logon. Output goes through
    print_info(); nothing is returned.
    """
    heading = "RDP Extra Information"
    # The blank line before "# RDP Event Flow" separates the two sections.
    body = """
# RDP Authentication vs. Authorization
- RDP authentication happens prior to session establishment (NLA).
- Know when authentication can fail and authorization can succeed.

# RDP Event Flow
1149 > 4624 (type 10) OR 7 (reconnect) > 21 > 22
- 1149: Authentication succeeded
- 4624: Account successfully logged on
- 21: Session logon succeeded
- 22: Shell start notification received
"""
    print_info(heading, body)
def all_rdp_info():
    """Print every RDP artifact section in order: source then destination
    for event logs, registry and file system, followed by the extra notes.

    This is the same order as menu entries 1 through 7 of rdp_submenu().
    Nothing is returned.
    """
    sections = (
        source_event_logs,
        destination_event_logs,
        source_registry,
        destination_registry,
        source_artifacts,
        destination_artifacts,
        extra_rdp_info,
    )
    for show_section in sections:
        show_section()