140 lines
4.8 KiB
Python
140 lines
4.8 KiB
Python
import sys
|
||
from Modules.Imports.ttp_imports import *
|
||
from Modules.submenu import build_submenu
|
||
|
||
def powershell_remoting_submenu():
|
||
"""
|
||
Submenu for PowerShell Remoting detection techniques.
|
||
"""
|
||
actions = {
|
||
"1": {"description": "Source Event Logs", "function": source_event_logs},
|
||
"2": {"description": "Source Registry", "function": source_registry},
|
||
"3": {"description": "Source File System", "function": source_file_system},
|
||
"4": {"description": "Destination Event Logs", "function": destination_event_logs},
|
||
"5": {"description": "Destination Registry", "function": destination_registry},
|
||
"6": {"description": "Destination File System", "function": destination_file_system},
|
||
}
|
||
build_submenu("PowerShell Remoting Persistence", actions)
|
||
|
||
# Individual submenu functions
|
||
|
||
def source_event_logs():
|
||
"""
|
||
Displays source event logs related to PowerShell Remoting.
|
||
"""
|
||
title = "PowerShell Remoting Source Event Logs"
|
||
content = """
|
||
- **security.evtx**
|
||
- `4648` - Logon specifying alternate credentials
|
||
- Current logged-on User Name
|
||
- Alternate User Name
|
||
- Destination Host Name/IP
|
||
- Process Name
|
||
- **Microsoft-Windows-WinRM/Operational.evtx**
|
||
- `161` - Remote Authentication Error
|
||
- `6` - WSMan Session initialize
|
||
- Session created
|
||
- Destination Host Name or IP
|
||
- Current logged-on User Name
|
||
- `8`, `15`, `16`, `33` - WSMan Session deinitialization
|
||
- Closing of WSMan session
|
||
- Current logged-on User Name
|
||
- **Microsoft-Windows-PowerShell/Operational.evtx**
|
||
- `40961`, `40962`
|
||
- Records the local initiation of powershell.exe and associated user account
|
||
- `8193` & `8194` - Session created
|
||
- `8197` - Connect
|
||
- Session closed
|
||
"""
|
||
print_info(title, content)
|
||
|
||
def source_registry():
|
||
"""
|
||
Displays source registry information related to PowerShell Remoting.
|
||
"""
|
||
title = "PowerShell Remoting Source Registry"
|
||
content = """
|
||
- **ShimCache** – SYSTEM
|
||
- powershell.exe
|
||
- **BAM_DAM** – SYSTEM – Last Time Executed
|
||
- powershell.exe
|
||
- **AmCache.hve** – First Time Executed
|
||
- powershell.exe
|
||
"""
|
||
print_info(title, content)
|
||
|
||
def source_file_system():
|
||
"""
|
||
Displays source file system artifacts related to PowerShell Remoting.
|
||
"""
|
||
title = "PowerShell Remoting Source File System"
|
||
content = """
|
||
- **Prefetch** – C:\\Windows\\Prefetch\\
|
||
- powershell.exe-{hash}.pf
|
||
- PowerShell scripts (.ps1 files) that run within 10 seconds of powershell.exe launching will be tracked in powershell.exe prefetch file
|
||
- **Command history**
|
||
- C:\\Users\\<Username>\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadline\\ConsoleHost_history.txt
|
||
- With PS v5+, a history file with previous 4096 commands is maintained per user
|
||
"""
|
||
print_info(title, content)
|
||
|
||
def destination_event_logs():
|
||
"""
|
||
Displays destination event logs related to PowerShell Remoting.
|
||
"""
|
||
title = "PowerShell Remoting Destination Event Logs"
|
||
content = """
|
||
- **security.evtx**
|
||
- `4624` – Logon Type 3
|
||
- Source IP/Logon User Name
|
||
- `4672`
|
||
- Logon User Name
|
||
- Logon by a user with administrative rights
|
||
- **Microsoft-Windows-PowerShell%4Operational.evtx**
|
||
- `4103`, `4104` – Script Block logging
|
||
- Logs suspicious scripts by default in PS v5
|
||
- Logs all scripts if configured
|
||
- `53504` - Records the authenticating user
|
||
- **Windows PowerShell.evtx**
|
||
- `400/403` - "ServerRemoteHost" indicates start/end of remoting session
|
||
- `800` - Includes partial script code
|
||
- **Microsoft-Windows-WinRM/Operational.evtx**
|
||
- `91` – Session creation
|
||
- `142` – WSMan Operation Failure
|
||
- `169` – Records the authenticating user
|
||
"""
|
||
print_info(title, content)
|
||
|
||
def destination_registry():
|
||
"""
|
||
Displays destination registry information related to PowerShell Remoting.
|
||
"""
|
||
title = "PowerShell Remoting Destination Registry"
|
||
content = """
|
||
- **ShimCache** – SYSTEM
|
||
- wsmprovhost.exe
|
||
- evil.exe
|
||
- **SOFTWARE**
|
||
- Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell\\ExecutionPolicy
|
||
- Attacker may change execution policy to a less restrictive setting, such as "bypass"
|
||
- **AmCache.hve** – First Time Executed
|
||
- wsmprovhost.exe
|
||
- evil.exe
|
||
"""
|
||
print_info(title, content)
|
||
|
||
def destination_file_system():
|
||
"""
|
||
Displays destination file system artifacts related to PowerShell Remoting.
|
||
"""
|
||
title = "PowerShell Remoting Destination File System"
|
||
content = """
|
||
- **File Creation**
|
||
- evil.exe
|
||
- With Enter-PSSession, a user profile directory may be created
|
||
- **Prefetch** – C:\\Windows\\Prefetch\\
|
||
- evil.exe-{hash}.pf
|
||
- wsmprovhost.exe-{hash}.pf
|
||
"""
|
||
print_info(title, content)
|