from Modules.Imports.protocol_imports import *
def rdp_submenu(target_ip, open_ports):
    """Build and show the "RDP Persistence" submenu for *target_ip*.

    Menu keys are the strings "1".."8", assigned in the order of
    ``entries`` below; each entry maps to one of the module's check
    functions, which all share the ``(target_ip, open_ports)`` signature.
    Both arguments are forwarded to ``build_submenu`` untouched.
    """
    entries = (
        ("Source Event Logs", source_event_logs),
        ("Destination Event Logs", destination_event_logs),
        ("Source Registry", source_registry),
        ("Destination Registry", destination_registry),
        ("Source Artifacts", source_artifacts),
        ("Destination Artifacts", destination_artifacts),
        ("Extra", extra_info),
        ("All", run_all_rdp_checks),
    )
    # Keys are 1-based strings because the menu reads them as typed input.
    actions = {
        str(index): {"description": label, "function": handler}
        for index, (label, handler) in enumerate(entries, start=1)
    }
    build_submenu("RDP Persistence", target_ip, actions, open_ports)
# Individual submenu functions
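def source_event_logs(target_ip, open_ports):
    """Show the reference notes on source-host event-log RDP artifacts.

    The notes list the Windows event logs and event IDs that record an
    outbound RDP connection on the machine it was initiated from.
    ``target_ip`` and ``open_ports`` are forwarded to ``run_command``
    unchanged.
    """
    title = "Source Event Logs"
    # Plain literals: the text has no placeholders, so no f-prefix is needed.
    content = (
        "- `security.evtx`\n"
        " - 4648: Logon specifying alternate credentials (NLA enabled)\n"
        " - Current logged-on User Name\n"
        " - Alternate User Name\n"
        " - Destination Host Name/IP\n"
        " - Process Name\n"
        "- `Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx`\n"
        " - 1024: Destination Host Name\n"
        " - 1102: Destination IP Address"
    )
    run_command(title, content, target_ip, open_ports)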
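def destination_event_logs(target_ip, open_ports):
    """Show the reference notes on destination-host event-log RDP artifacts.

    The notes list the Windows event logs and event IDs that record an
    inbound RDP connection on the machine that accepted it.
    ``target_ip`` and ``open_ports`` are forwarded to ``run_command``
    unchanged.
    """
    title = "Destination Event Logs"
    # Plain literals: the text has no placeholders, so no f-prefix is needed.
    content = (
        "- **Security Event Log** `security.evtx`\n"
        " - 4624: Logon Type 10\n"
        " - Source IP/Logon User Name\n"
        " - 4778/4779\n"
        " - IP Address of Source/Source System Name\n"
        " - Logon User Name\n"
        "- `Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx`\n"
        " - 131: Connection Attempts (Source IP)\n"
        " - 98: Successful Connections\n"
        "- `Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx`\n"
        " - 1149: Source IP/Logon User Name (Blank user name may indicate Sticky Keys)\n"
        "- `Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx`\n"
        " - 21, 22, 25: Source IP/Logon User Name\n"
        " - 41: Logon User Name"
    )
    run_command(title, content, target_ip, open_ports)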
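def source_registry(target_ip, open_ports):
    """Show the reference notes on source-host registry RDP artifacts.

    The notes list registry locations that record use of the RDP client
    (``mstsc.exe``) and its connection destinations. ``target_ip`` and
    ``open_ports`` are forwarded to ``run_command`` unchanged.
    """
    title = "Source Registry"
    # Plain literals (no placeholders); "\\" stays a single literal backslash
    # in the rendered registry paths.
    content = (
        "- `NTUSER\\Software\\Microsoft\\Terminal Server Client\\Servers`: Remote desktop destinations (per-user)\n"
        "- `ShimCache` SYSTEM: Tracks `mstsc.exe` (Remote Desktop Client)\n"
        "- `BAM_DAM` SYSTEM: Last Time Executed (`mstsc.exe`)\n"
        "- `AmCache.hve`: First Time Executed (`mstsc.exe`)\n"
        "- `UserAssist` `NTUSER.DAT`\n"
        " - Tracks execution of `mstsc.exe` (Remote Desktop Client)\n"
        "- `RecentApps` `NTUSER.DAT`\n"
        " - Tracks `mstsc.exe` and connection destinations"
    )
    run_command(title, content, target_ip, open_ports)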
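def destination_registry(target_ip, open_ports):
    """Show the reference notes on destination-host registry RDP artifacts.

    The notes list registry locations that record execution of the
    server-side RDP helpers (``rdpclip.exe``, ``tstheme.exe``).
    ``target_ip`` and ``open_ports`` are forwarded to ``run_command``
    unchanged.
    """
    title = "Destination Registry"
    # Plain literals: the text has no placeholders, so no f-prefix is needed.
    content = (
        "- `ShimCache` - SYSTEM\n"
        " - Tracks `rdpclip.exe` and `tstheme.exe`\n"
        "- `AmCache.hve`: First Time Executed\n"
        " - Tracks `rdpclip.exe` and `tstheme.exe`"
    )
    run_command(title, content, target_ip, open_ports)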
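def source_artifacts(target_ip, open_ports):
    """Show the reference notes on source-host file-system RDP artifacts.

    The notes list on-disk locations (jumplists, prefetch, bitmap cache,
    Default.rdp) that record outbound RDP use. ``target_ip`` and
    ``open_ports`` are forwarded to ``run_command`` unchanged.
    """
    title = "Source File System Artifacts"
    # Plain literals (no placeholders); "\\" stays a single literal backslash
    # in the rendered file-system paths.
    content = (
        "- Jumplists: `C:\\Users\\<Username>\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\`\n"
        " - Tracks remote desktop connection destinations and times\n"
        "- Prefetch: `C:\\Windows\\Prefetch\\`\n"
        " - Tracks execution of `mstsc.exe`\n"
        "- Bitmap Cache: `C:\\Users\\<Username>\\AppData\\Local\\Microsoft\\TerminalServer Client\\Cache`\n"
        "- Default.rdp file: `C:\\Users\\<Username>\\Documents\\`"
    )
    run_command(title, content, target_ip, open_ports)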
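def destination_artifacts(target_ip, open_ports):
    """Show the reference notes on destination-host file-system RDP artifacts.

    The notes list the prefetch location that records execution of
    ``rdpclip.exe`` and ``tstheme.exe``. ``target_ip`` and ``open_ports``
    are forwarded to ``run_command`` unchanged.
    """
    title = "Destination File System Artifacts"
    # Plain literals (no placeholders); "\\" stays a single literal backslash.
    content = (
        "- Prefetch: `C:\\Windows\\Prefetch\\`\n"
        " - Tracks execution of `rdpclip.exe` and `tstheme.exe`"
    )
    run_command(title, content, target_ip, open_ports)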
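def extra_info(target_ip, open_ports):
    """Show supplementary RDP reference material (a link and key concepts).

    The notes include the expected event-ID sequence for a successful RDP
    logon, as given in the text. ``target_ip`` and ``open_ports`` are
    forwarded to ``run_command`` unchanged.
    """
    title = "Extra Information"
    # Plain literals: the text has no placeholders, so no f-prefix is needed.
    content = (
        "- [RDP Authentication vs. Authorization - 13Cubed](https://youtu.be/OlENso8_u7s)\n"
        "- Key Concepts:\n"
        " - RDP_NLA (Network Level Authentication)\n"
        " - RDP_successful_logon event codes\n"
        " - 1149 > 4624 type 10 (established) OR 7 (reconnect) > 21 > 22\n"
        " - Understand authentication failures vs. authorization successes"
    )
    run_command(title, content, target_ip, open_ports)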
def run_all_rdp_checks(target_ip, open_ports):
    """Run every RDP check in this module, one after another.

    A banner is sent through ``run_command`` first, then each check is
    invoked in the fixed order below (source before destination, event
    logs, registry, file-system artifacts, then extra information), each
    receiving the same ``target_ip`` and ``open_ports``.
    """
    title = "Run All RDP Checks"
    content = "Executing all RDP persistence checks. Please wait..."
    run_command(title, content, target_ip, open_ports)
    # Order matters for the reader: it mirrors the submenu numbering.
    checks = (
        source_event_logs,
        destination_event_logs,
        source_registry,
        destination_registry,
        source_artifacts,
        destination_artifacts,
        extra_info,
    )
    for check in checks:
        check(target_ip, open_ports)