Hunt-AI/TTPs/Persistence/service.py

import sys
from Modules.Imports.ttp_imports import *
from Modules.submenu import build_submenu

def service_submenu():
    """
    Submenu for Service-based Persistence Indicators.
    """
    actions = {
        "1": {"description": "Source Event Logs", "function": source_event_logs},
        "2": {"description": "Destination Event Logs", "function": destination_event_logs},
        "3": {"description": "Source Registry", "function": source_registry},
        "4": {"description": "Destination Registry", "function": destination_registry},
        "5": {"description": "Source File System", "function": source_file_system},
        "6": {"description": "Destination File System", "function": destination_file_system},
        "7": {"description": "Service Replacement Examples", "function": service_replacement_examples},
        "8": {"description": "Exploitation of Windows Services", "function": exploit_windows_services},
    }
    build_submenu("Service-Based Persistence", actions)

def source_event_logs():
    title = "Source Event Logs"
    content = """
No specific source event logs are generated for service-based persistence.
"""
    print_info(title, content)

def destination_event_logs():
    title = "Destination Event Logs"
    content = """
- `security.evtx`
    - `4624` Logon Type 3
        - Source IP/Logon User Name
    - `4697`
        - Records service installation (non-default)
    - Useful for centralized log monitoring.

- `system.evtx`
    - `7034` - Service crashed unexpectedly.
    - `7035` - Service sent a Start/Stop control.
    - `7036` - Service started or stopped.
    - `7040` - Start type changed (Boot | On Request | Disabled).
    - `7045` - A service was installed on the system.
"""
    print_info(title, content)

def source_registry():
    title = "Source Registry"
    content = """
Registry Artifacts:
- [[ShimCache]] - SYSTEM
    - Tracks `sc.exe`.
- [[BAM_DAM]] - SYSTEM - Last Time Executed
    - Tracks `sc.exe`.
- [[AmCache.hve]]
    - Tracks first execution of `sc.exe`.
"""
    print_info(title, content)

def destination_registry():
    title = "Destination Registry"
    content = """
Registry Artifacts:
- SYSTEM
    - `\\CurrentControlSet\\Services\\` - New service creation.
- [[ShimCache]] - SYSTEM
    - Tracks `evil.exe`.
- [[AmCache.hve]] - First Time Executed
    - Tracks `evil.exe`.
"""
    print_info(title, content)

def source_file_system():
    title = "Source File System"
    content = """
Prefetch Artifacts:
- Prefetch - `C:\\Windows\\Prefetch\\`
    - `sc.exe-{hash}.pf`.
"""
    print_info(title, content)

def destination_file_system():
    title = "Destination File System"
    content = """
File Creation Artifacts:
- Malicious executables or DLLs:
    - `evil.exe` or `evil.dll`.
- Prefetch - `C:\\Windows\\Prefetch\\`
    - Tracks execution of `evil.exe` or service DLLs.
"""
    print_info(title, content)

def service_replacement_examples():
    title = "Service Replacement Examples"
    content = """
Service replacement involves modifying legitimate services to execute malicious payloads.

### Example 1: Binary Path Manipulation
Modify the `ImagePath` registry key to point to a malicious executable:
- Key Path: `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\<ServiceName>\\ImagePath`
- New Value: `C:\\temp\\evil.exe`

### Example 2: DLL Hijacking in Services
Replace a legitimate service DLL with a malicious one:
- Locate service DLL in `\\CurrentControlSet\\Services\\<ServiceName>\\Parameters\\ServiceDll`.
- Replace the file with `evil.dll`.

### Example 3: Startup Type Abuse
Change the `Start` registry key to automatically start a malicious service:
- Key Path: `HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\<ServiceName>\\Start`
- Value: `2` (Automatic Start).

### Example 4: Service Install Command
Use `sc` to create and start a malicious service:
- Command: `sc \\host create servicename binpath="c:\\temp\\evil.exe"`
"""
    print_info(title, content)

def exploit_windows_services():
    title = "Exploitation of Windows Services"
    content = """
Windows services can be exploited in the following ways:

### 1. Privilege Escalation via Insecure Permissions
- Services with weak `DACL` permissions can be reconfigured by low-privileged users.
- Example: Modify `ImagePath` to point to a malicious binary.

### 2. DLL Search Order Hijacking
- Service executable dynamically loads a DLL without specifying a full path.
- Place a malicious DLL in the service's working directory.

### 3. Service Control Abuse
- Use `sc` or similar tools to start/stop services, potentially disrupting legitimate operations.

### 4. Unquoted Service Paths
- If the binary path contains spaces and is unquoted, an attacker can place a malicious executable in the path.
- Example:
    - Path: `C:\\Program Files\\Legitimate Service\\binary.exe`.
    - Malicious executable: `C:\\Program.exe`.

### 5. Creating New Services
- Install a new malicious service using `sc` or `psexec`.
- Example:
    - `sc create maliciousservice binpath="c:\\temp\\evil.exe" start=auto`

### 6. Abusing Trusted Services
- Replace binaries or DLLs of highly trusted services, such as antivirus or backup services.

### Detection Tips:
- Monitor `system.evtx` for service start/stop events.
- Check `security.evtx` for suspicious service creation.
- Regularly audit `\\CurrentControlSet\\Services\\` for unexpected entries.
"""
    print_info(title, content)