147 lines
4.6 KiB
Python
147 lines
4.6 KiB
Python
from Modules.Imports.protocol_imports import *
|
||
|
||
def rdp_submenu():
|
||
actions = {
|
||
"1": {"description": "Source Event Logs", "function": source_event_logs},
|
||
"2": {"description": "Destination Event Logs", "function": destination_event_logs},
|
||
"3": {"description": "Source Registry", "function": source_registry},
|
||
"4": {"description": "Destination Registry", "function": destination_registry},
|
||
"5": {"description": "Source Artifacts", "function": source_artifacts},
|
||
"6": {"description": "Destination Artifacts", "function": destination_artifacts},
|
||
"7": {"description": "Extra", "function": extra_rdp_info},
|
||
"8": {"description": "All", "function": all_rdp_info},
|
||
}
|
||
build_submenu("RDP Persistence", actions)
|
||
|
||
# Individual submenu functions
|
||
def source_event_logs():
|
||
title = "RDP Source Event Logs"
|
||
content = """
|
||
- `security.evtx`
|
||
- `4648` - Logon specifying alternate credentials - if NLA enabled on destination
|
||
- Current logged-on User Name
|
||
- Alternate User Name
|
||
- Destination Host Name/IP
|
||
- Process Name
|
||
- `Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx`
|
||
- `1024`
|
||
- Destination Host Name
|
||
- `1102`
|
||
- Destination IP Address
|
||
"""
|
||
print_info(title, content)
|
||
|
||
def destination_event_logs():
|
||
title = "RDP Destination Event Logs"
|
||
content = """
|
||
- **Security Event Log** – `security.evtx`
|
||
- `4624` Logon Type 10
|
||
- Source IP/Logon User Name
|
||
- `4778/4779`
|
||
- IP Address of Source/Source System Name
|
||
- Logon User Name
|
||
- `Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx`
|
||
- `131` - Connection Attempts
|
||
- Source IP
|
||
- `98` - Successful Connections
|
||
- `Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx`
|
||
- `1149`
|
||
- Source IP/Logon User Name
|
||
- Blank user name may indicate use of Sticky Keys
|
||
- `Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx`
|
||
- 21, 22, 25
|
||
- Source IP/Logon User Name
|
||
- 41
|
||
- Logon User Name
|
||
"""
|
||
print_info(title, content)
|
||
|
||
|
||
def source_registry():
|
||
title = "RDP Source Registry"
|
||
content = """
|
||
- Remote desktop destinations are tracked per-user
|
||
- `NTUSER\\Software\\Microsoft\\Terminal Server Client\\Servers`
|
||
- [[ShimCache]] – SYSTEM
|
||
- `mstsc.exe` Remote Desktop Client
|
||
- [[BAM_DAM]] – SYSTEM – Last Time Executed
|
||
- `mstsc.exe` Remote Desktop Client
|
||
- [[AmCache.hve]] - First Time Executed
|
||
- `mstsc.exe`
|
||
- UserAssist – `NTUSER.DAT`
|
||
- `mstsc.exe` Remote Desktop Client execution
|
||
- Last Time Executed
|
||
- Number of Times Executed
|
||
- RecentApps – `NTUSER.DAT`
|
||
- `mstsc.exe`
|
||
- Remote Desktop Client execution
|
||
- Last Time Executed
|
||
- Number of Times Executed
|
||
- RecentItems subkey tracks connection destinations and times
|
||
"""
|
||
print_info(title, content)
|
||
|
||
def destination_registry():
|
||
title = "RDP Destination Registry"
|
||
content = """
|
||
- [[ShimCache]] - SYSTEM
|
||
- `rdpclip.exe`
|
||
- `tstheme.exe`
|
||
- [[AmCache.hve]] - First Time Executed
|
||
- `rdpclip.exe`
|
||
- `tstheme.exe`
|
||
"""
|
||
print_info(title, content)
|
||
|
||
|
||
def source_artifacts():
|
||
title = "RDP Source File System Artifacts"
|
||
content = """
|
||
- Jumplists - `C:\\Users\\<Username>\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\`
|
||
- `{MSTSC-APPID}-automaticDestinations-ms`
|
||
- Tracks remote desktop connection destination and times
|
||
- [[Prefetch]] – `C:\\Windows\\Prefetch\\`
|
||
- `mstsc.exe-{hash}.pf`
|
||
- [[Bitmap_Cache]] – `C:\\Users\\<Username>\\AppData\\Local\\Microsoft\\TerminalServer Client\\Cache`
|
||
- bcache##.bmc
|
||
- cache####.bin
|
||
- Default.rdp file –
|
||
- `C:\\Users\\<Username>\\Documents\\`
|
||
"""
|
||
print_info(title, content)
|
||
|
||
|
||
def destination_artifacts():
|
||
title = "RDP Destination File System Artifacts"
|
||
content = """
|
||
- Prefetch – `C:\\Windows\\Prefetch\\`
|
||
- `rdpclip.exe-{hash}.pf`
|
||
- `tstheme.exe-{hash}.pf`
|
||
"""
|
||
print_info(title, content)
|
||
|
||
|
||
def extra_rdp_info():
|
||
title = "RDP Extra Information"
|
||
content = """
|
||
# RDP Authentication vs. Authorization
|
||
- RDP authentication happens prior to session establishment (NLA).
|
||
- Know when authentication can fail and authorization can succeed.
|
||
|
||
# RDP Event Flow
|
||
1149 > 4624 (type 10) OR 7 (reconnect) > 21 > 22
|
||
- 1149: Authentication succeeded
|
||
- 4624: Account successfully logged on
|
||
- 21: Session logon succeeded
|
||
- 22: Shell start notification received
|
||
"""
|
||
print_info(title, content)
|
||
|
||
def all_rdp_info():
|
||
source_event_logs()
|
||
destination_event_logs()
|
||
source_registry()
|
||
destination_registry()
|
||
source_artifacts()
|
||
destination_artifacts()
|
||
extra_rdp_info() |