91 lines
3.6 KiB
Python
91 lines
3.6 KiB
Python
from Modules.Imports.ttp_imports import *
|
|
|
|
def autostart_submenu():
|
|
build_submenu("Autostart Persistence", module=globals())
|
|
|
|
def registry_run_keys():
|
|
"""
|
|
Displays information about Registry Run Keys for Autostart.
|
|
"""
|
|
title = "Registry Run Keys"
|
|
content = """
|
|
The most common ASEPs (AutoStart Extension Points) are the “Run” Registry keys:
|
|
- NTUSER.DAT\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
|
|
- NTUSER.DAT\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce
|
|
- Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce
|
|
- Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run
|
|
- Software\\Microsoft\\Windows\\CurrentVersion\\Run
|
|
|
|
These keys are executed when a user logs on. Monitoring these keys is crucial for detecting persistence mechanisms.
|
|
"""
|
|
print_info(title, content)
|
|
|
|
def winlogon_userinit():
|
|
"""
|
|
Displays information about the Winlogon Userinit ASEP.
|
|
"""
|
|
title = "Winlogon Userinit"
|
|
content = """
|
|
The Winlogon Userinit key can be used to maintain persistence:
|
|
- SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit
|
|
|
|
This key typically contains:
|
|
- C:\\Windows\\system32\\userinit.exe
|
|
|
|
However, it can be modified to include malicious binaries:
|
|
- Example: C:\\Windows\\system32\\userinit.exe,C:\\Temp\\malicious.exe
|
|
"""
|
|
print_info(title, content)
|
|
|
|
def startup_folder():
|
|
"""
|
|
Displays information about the Startup folder ASEP.
|
|
"""
|
|
title = "Startup Folder"
|
|
content = """
|
|
The Startup folder allows for persistence by placing shortcuts in this folder:
|
|
- %AppData%\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup
|
|
|
|
Files in this folder automatically execute when a user logs on. Malware often uses this location for persistence.
|
|
"""
|
|
print_info(title, content)
|
|
|
|
def investigative_notes():
|
|
"""
|
|
Displays investigative notes about Autostart ASEPs.
|
|
"""
|
|
title = "Investigative Notes"
|
|
content = """
|
|
Investigating ASEPs across multiple systems can help identify compromised hosts. Key notes:
|
|
- ASEPs are numerous and diverse, requiring thorough examination.
|
|
- Tools like Registry Explorer and RegRipper can retrieve additional ASEPs from Registry hives.
|
|
- Analyzing data across systems may reveal outliers indicative of malicious activity.
|
|
|
|
|
|
"""
|
|
print_info(title, content)
|
|
|
|
def autostart_extra():
|
|
"""
|
|
Displays information about the Winlogon Userinit ASEP.
|
|
"""
|
|
title = "Autostart Extra"
|
|
content = """
|
|
- Items in these keys are executed when a user logs on, unlike other ASEPs that act at boot.
|
|
- Multiple "run" keys exist in both the NTUSER.DAT and SOFTWARE hives.
|
|
- Another, less common but equally dangerous key is:
|
|
- SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit.
|
|
- This key typically contains a reference to `userinit.exe`, which by default:
|
|
- Executes `Userinit.exe`.
|
|
- Launches `Explorer.exe`.
|
|
- However, it can be modified to include malicious binaries, such as:
|
|
- `C:\\Windows\\system32\\userinit.exe,C:\\Temp\\winsvchost.exe`, which would run at boot.
|
|
|
|
- Finally, `%AppData%\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup` allows for persistence by placing shortcuts in this folder.
|
|
- These shortcuts automatically execute the associated binaries when a user logs on.
|
|
- Malware has recently gravitated back to this old attack vector.
|
|
- Although these locations are very common for ASEPs, many more exist.
|
|
- Tools like Registry Explorer and RegRipper can retrieve additional ASEPs from Registry hives.
|
|
- Analyzing data across systems may reveal outliers leading to compromised systems.
|
|
"""
|
|
print_info(title, content) |