
import sys
from Modules.Imports.ttp_imports import *
from Modules.submenu import build_submenu
def map_share_submenu():
    """
    Present the Map Share persistence submenu.

    Each menu key maps to a short description and the function that prints
    the matching artifact notes (source/destination event logs, registry,
    file system). Rendering and input handling are delegated to
    build_submenu.
    """
    entries = [
        ("1", "Source Event Logs", source_event_logs),
        ("2", "Destination Event Logs", destination_event_logs),
        ("3", "Source Registry", source_registry),
        ("4", "Destination Registry", destination_registry),
        ("5", "Source File System", source_file_system),
        ("6", "Destination File System", destination_file_system),
    ]
    # Same shape build_submenu expects: key -> {"description", "function"}
    actions = {
        key: {"description": label, "function": handler}
        for key, label, handler in entries
    }
    build_submenu("Map Share Persistence", actions)
# Individual submenu functions
def source_event_logs():
    """
    Print the source-host event log artifacts for map share activity.

    Covers Security log event 4648 (logon with explicit/alternate
    credentials) and SmbClient Security log event 31001 (failed logon to
    the destination), with the fields worth pulling from each.
    """
    notes = """
- `security.evtx`
- `4648` - Logon specifying alternate credentials
- Current logged-on User Name
- Alternate User Name
- Destination Host Name/IP
- Process Name
- `Microsoft-Windows-SmbClient\\Security.evtx`
- `31001` Failed logon to destination
- Destination Host Name
- User Name for failed logon
- Reason code for failed destination logon (e.g., bad password)
"""
    print_info("Map Share Source Event Logs", notes)
def destination_event_logs():
    """
    Print the destination-host event log artifacts for map share activity.

    Lists the Security log events that record an inbound share logon
    (4624 type 3, 4672, 4776/4768/4769 depending on NTLM vs. Kerberos) and
    share access (5140, 5145). As the notes say, 4768/4769 are only
    available on a domain controller and 5145 is high-volume.
    """
    notes = """
- **Security Event Log `security.evtx`**
- `4624`
- Logon Type 3
- Source IP/Logon User Name
- `4672`
- Logon User Name
- Logon by user with administrative rights
- Requirement for accessing default shares such as **C$** and **ADMIN$**
- `4776` - NTLM if authenticating to Local System
- Source Host Name/Logon User Name
- `4768` - TGT Granted
- Source Host Name/Logon User Name
- Available only on domain controller
- `4769` - Service Ticket Granted if authenticating to Domain Controller
- Destination Host Name/Logon User Name
- Source IP
- Available only on domain controller
- `5140`
- Share Access
- `5145`
- Auditing of shared files **NOISY**!
"""
    print_info("Map Share Destination Event Logs", notes)
def source_registry():
    """
    Print the source-host registry artifacts for map share activity.

    Points at MountPoints2 (mapped shares), Shellbags (remote folders
    browsed interactively), and the execution-evidence hives (ShimCache,
    BAM/DAM, AmCache) for net.exe / net1.exe.
    """
    notes = """
- **MountPoints2** - Remotely mapped shares
- `NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2`
- **Shellbags** - USRCLASS.DAT
- Remote folders accessed inside an interactive session via Explorer by attackers.
- **ShimCache** SYSTEM
- `net.exe`
- `net1.exe`
- **BAM_DAM** NTUSER.DAT Last Time Executed
- `net.exe`
- `net1.exe`
- **AmCache.hve** - First Time Executed
- `net.exe`
- `net1.exe`
"""
    print_info("Map Share Source Registry", notes)
def destination_registry():
    """
    Print the destination-host registry artifacts for map share activity.

    The notes list no destination registry artifact for this technique
    ("N/A"); the entry is kept so the submenu stays symmetric with the
    source-side view.
    """
    notes = """
- N/A
"""
    print_info("Map Share Destination Registry", notes)
def source_file_system():
    """
    Print the source-host file system artifacts for map share activity.

    Covers Prefetch entries for net.exe / net1.exe and user-profile
    artifacts (shortcut files, jumplists) that may record remote files
    touched during an interactive session.
    """
    notes = """
- **Prefetch** - `C:\\Windows\\Prefetch\\`
- `net.exe-{hash}.pf`
- `net1.exe-{hash}.pf`
- **User Profile Artifacts**
- Review shortcut files and jumplists for remote files accessed by attackers if they had interactive access (RDP).
"""
    print_info("Map Share Source File System", notes)
def destination_file_system():
    """
    Print the destination-host file system artifacts for map share activity.

    Covers file-creation timestamps that betray a copy over the share
    (Modified Time earlier than Creation Time) and the User Access Logging
    database on servers, which records user name, source IP and first/last
    access time.
    """
    notes = """
- **File Creation**
- Attacker's files (malware) copied to the destination system.
- Look for Modified Time before Creation Time.
- Creation Time is the time of file copy.
- **User Access Logging (Servers Only)**
- `C:\\Windows\\System32\\LogFiles\\Sum`
- User Name
- Source IP Address
- First and Last Access Time
"""
    print_info("Map Share Destination File System", notes)