matthew/Hunt-AI
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4cce63fe7ebbf8d5089082e82929b5b3a573796a
Hunt-AI/Modules/Persistence/psexec.py

179 lines
6.0 KiB
Python
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

def get_content():
"""
Returns structured content for the PsExec persistence method.
"""
return [
{
"title": "Source Event Logs",
"content": """
### Source Event Logs
- **security.evtx**
- `4648` - Logon specifying alternate credentials
- Current logged-on User Name
- Alternate User Name
- Destination Host Name/IP
- Process Name
"""
},
{
"title": "Destination Event Logs",
"content": """
### Destination Event Logs
- **security.evtx**
- `4648` Logon specifying alternate credentials
- Connecting User Name
- Process Name
- `4624` Logon Type 3 (and Type 2 if “-u” Alternate Credentials are used)
- Source IP/Logon User Name
- `4672`
- Logon User Name
- Logon by a user with administrative rights
- Requirement for access default shares such as **C$** and **ADMIN$**
- `5140` Share Access
- **ADMIN$** share used by PsExec
- **system.evtx**
- `7045` Service installation: 4-character mixed-case alpha name referencing an 8-character mixed-case alpha .exe file
- %systemroot%\\xxxxxxxx.exe
- `7036` Service start/stop events
- **If Enabled**:
- `4688` in Security: tracks service and cmd.exe execution
"""
},
{
"title": "Source Registry",
"content": """
### Source Registry
- **NTUSER.DAT**
- Software\\SysInternals\\PsExec\\EulaAccepted
- **ShimCache** SYSTEM
- psexec.exe
- **BAM_DAM** SYSTEM Last Time Executed
- psexec.exe
- **AmCache.hve** First Time Executed
- psexec.exe
"""
},
{
"title": "Destination Registry",
"content": """
### Destination Registry
- New service creation configured in `SYSTEM\\CurrentControlSet\\Services\\PSEXESVC`
- “-r” option can allow attacker to rename service
- **ShimCache** SYSTEM
- psexesvc.exe
- **AmCache.hve**
- First Time Executed
- psexesvc.exe
"""
},
{
"title": "Source File System",
"content": """
### Source File System
- **Prefetch** C:\\Windows\\Prefetch\\
- psexec.exe-{hash}.pf
- Possible references to other files accessed by psexec.exe, such as executables copied to target system with the “-c” option
- **File Creation**
- psexec.exe file downloaded and created on the local host as the file is not native to Windows
"""
},
{
"title": "Destination File System",
"content": """
### Destination File System
- **Prefetch** C:\\Windows\\Prefetch\\
- psexesvc.exe-{hash}.pf
- evil.exe-{hash}.pf
- **File Creation**
- User profile directory structure created unless "-e" option used
- psexesvc.exe will be placed in **ADMIN$** (\\Windows) by default, as well as other executables (evil.exe) pushed by PsExec
- **User Access Logging (Servers only)**
- C:\\Windows\\System32\\LogFiles\\Sum
- User Name
- Source IP Address
- First and Last Access Time
"""
},
{
"title": "Service Installation Details",
"content": """
### Service Installation Details
- PsExec creates a temporary Windows service for execution:
- Service name: Random 4-character mixed-case alpha name
- Executable: Random 8-character mixed-case alpha .exe file
- Registry Path:
- SYSTEM\\CurrentControlSet\\Services\\<ServiceName>
- Event Log Evidence:
- Event ID 7045 in `system.evtx` logs the service installation.
- Includes:
- Service Name
- Executable Path
- Service Type and Start Mode
- Forensic Insights:
- Compare service names and paths across multiple systems to detect outliers.
- Look for services with short, random names.
"""
},
{
"title": "Network Artifacts",
"content": """
### Network Artifacts
- **Network Connections**:
- PsExec uses SMB for communication and file transfer.
- Ports:
- 445 (SMB over TCP/IP)
- 139 (NetBIOS over TCP/IP)
- **Shared Resources**:
- Default shares such as **ADMIN$** and **C$** are utilized.
- Logs in `security.evtx`:
- Event ID 5140: Share access.
- Event ID 5145: Access to specific shared files.
- **Forensic Tips**:
- Monitor for abnormal access to ADMIN$ or C$ from unexpected hosts.
- Analyze SMB traffic for PsExec file transfers.
"""
},
{
"title": "Eviction Techniques",
"content": """
### Eviction Techniques
- **Detection**:
- Use centralized logging solutions (e.g., Splunk, ELK) to correlate Event IDs across systems.
- Enable advanced audit policies to log service and process creation events.
- **Eviction**:
- Audit and remove unauthorized services under:
- SYSTEM\\CurrentControlSet\\Services\\
- Verify the integrity of executables in:
- C:\\Windows\\System32
- C:\\Windows\\Prefetch
- Block unauthorized access to default shares like ADMIN$ and C$.
- **Prevention**:
- Use endpoint protection tools to block PsExec executables.
- Restrict access to administrative shares to trusted hosts and accounts only.
"""
},
{
"title": "Malware Case Study",
"content": """
### Malware Case Study
- **Real-World Example**:
- Malware Name: Emotet
- Attack Vector: Lateral Movement
- Emotet leveraged PsExec to deploy secondary payloads across compromised networks.
- **Tactics**:
- Copied malicious payloads to ADMIN$ share.
- Used PsExec to execute payloads on remote systems.
- Cleaned up by removing PsExec artifacts (e.g., services and files).
- **Forensic Indicators**:
- Sudden increase in Event IDs 4624, 4672, and 5140 across multiple systems.
- Unusual services with short, random names.
- Files with mismatched creation and modification times in ADMIN$.
"""
}
]
Reference in New Issue View Git Blame Copy Permalink