matthew/Hunt-AI
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
578ae833753433e30af92a4f358eb9be55202318
Hunt-AI/Modules/Persistence/map_share.py

103 lines
3.2 KiB
Python
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

def get_content():
"""
Returns structured content for the Map Share persistence method.
"""
return [
{
"title": "Map Share Source Event Logs",
"content": """
### Source Event Logs
- `security.evtx`
- `4648` - Logon specifying alternate credentials
- Current logged-on User Name
- Alternate User Name
- Destination Host Name/IP
- Process Name
- `Microsoft-Windows-SmbClient\\Security.evtx`
- `31001` Failed logon to destination
- Destination Host Name
- User Name for failed logon
- Reason code for failed destination logon (e.g., bad password)
"""
},
{
"title": "Map Share Destination Event Logs",
"content": """
### Destination Event Logs
- **Security Event Log `security.evtx`**
- `4624`
- Logon Type 3
- Source IP/Logon User Name
- `4672`
- Logon User Name
- Logon by user with administrative rights
- Requirement for accessing default shares such as **C$** and **ADMIN$**
- `4776` - NTLM if authenticating to Local System
- Source Host Name/Logon User Name
- `4768` - TGT Granted
- Source Host Name/Logon User Name
- Available only on domain controller
- `4769` - Service Ticket Granted if authenticating to Domain Controller
- Destination Host Name/Logon User Name
- Source IP
- Available only on domain controller
- `5140`
- Share Access
- `5145`
- Auditing of shared files **NOISY**!
"""
},
{
"title": "Map Share Source Registry",
"content": """
### Source Registry
- **MountPoints2** - Remotely mapped shares
- `NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2`
- **Shellbags** - USRCLASS.DAT
- Remote folders accessed inside an interactive session via Explorer by attackers.
- **ShimCache** SYSTEM
- `net.exe`
- `net1.exe`
- **BAM_DAM** NTUSER.DAT Last Time Executed
- `net.exe`
- `net1.exe`
- **AmCache.hve** - First Time Executed
- `net.exe`
- `net1.exe`
"""
},
{
"title": "Map Share Destination Registry",
"content": """
### Destination Registry
- N/A
"""
},
{
"title": "Map Share Source File System",
"content": """
### Source File System
- **Prefetch** - `C:\\Windows\\Prefetch\\`
- `net.exe-{hash}.pf`
- `net1.exe-{hash}.pf`
- **User Profile Artifacts**
- Review shortcut files and jumplists for remote files accessed by attackers if they had interactive access (RDP).
"""
},
{
"title": "Map Share Destination File System",
"content": """
### Destination File System
- **File Creation**
- Attacker's files (malware) copied to the destination system.
- Look for Modified Time before Creation Time.
- Creation Time is the time of file copy.
- **User Access Logging (Servers Only)**
- `C:\\Windows\\System32\\LogFiles\\Sum`
- User Name
- Source IP Address
- First and Last Access Time
"""
}
]
Reference in New Issue View Git Blame Copy Permalink