import sys
from Modules.Imports.ttp_imports import *
from Modules.submenu import build_submenu
def smbexec_submenu():
    """
    Build and show the SMBExec detection submenu.

    Each numbered entry maps to one of the display helpers defined in this
    module; the prompt loop itself is delegated to ``build_submenu``.
    """
    # (label, handler) pairs in menu order; the menu key is derived from
    # position so the numbering cannot drift out of step with the list.
    entries = [
        ("Source Event Logs", source_event_logs),
        ("Destination Event Logs", destination_event_logs),
        ("Source Registry", source_registry),
        ("Destination Registry", destination_registry),
        ("Source File System", source_file_system),
        ("Destination File System", destination_file_system),
        ("Service Creation Details", smbexec_service_creation),
        ("Network Artifacts", smbexec_network_artifacts),
        ("Eviction Techniques", smbexec_eviction_techniques),
        ("Malware Case Study", smbexec_malware_case_study),
    ]
    actions = {
        str(position): {"description": label, "function": handler}
        for position, (label, handler) in enumerate(entries, start=1)
    }
    build_submenu("SMBExec Persistence", actions)
# Individual submenu functions
def source_event_logs():
    """
    Print the source-host event-log artifacts associated with SMBExec use.

    The markdown-style bullet text is passed to ``print_info`` verbatim.
    """
    heading = "SMBExec Source Event Logs"
    # Closing quotes stay at column 0 so no indentation leaks into the text.
    body = """
- **security.evtx**
- `4776` - Logon specifying alternate credentials
- Current logged-on User Name
- Alternate User Name
- Destination Host Name/IP
- Process Name
"""
    print_info(heading, body)
def destination_event_logs():
    """
    Print the destination-host event-log artifacts associated with SMBExec use.

    Covers the logon chain in security.evtx and the service install/start
    records in system.evtx; the text is passed to ``print_info`` verbatim.
    """
    heading = "SMBExec Destination Event Logs"
    # Closing quotes stay at column 0 so no indentation leaks into the text.
    body = """
- **security.evtx**
- `4776` - Logon specifying alternate credentials
- Connecting User Name
- Process Name
- `4624` Logon Type 3
- Source IP/Logon User Name
- `4672`
- Logon User Name
- Logon by a user with administrative rights
- `4634` Type 3 (session end)
- **system.evtx**
- `7045` - Service installation
- Default service name: "BTOBTO" or a random 8-character mixed-case string.
- `7036` Service start/stop events
"""
    print_info(heading, body)
def source_registry():
    """
    Print the source-host registry artifacts associated with SMBExec use.

    The text is passed to ``print_info`` verbatim.
    """
    heading = "SMBExec Source Registry"
    # NOTE(review): an ``EulaAccepted`` value under a Sysinternals key is the
    # pattern left by Sysinternals tools (PsExec-style); the smbexec tool this
    # page describes (Impacket-style execute.bat service) is not a Sysinternals
    # tool, so confirm this key is actually written before relying on it.
    # Closing quotes stay at column 0 so no indentation leaks into the text.
    body = """
- **NTUSER.DAT**
- Software\\SysInternals\\SMBExec\\EulaAccepted
- **ShimCache** SYSTEM
- smbexec.exe
- **BAM_DAM** SYSTEM Last Time Executed
- smbexec.exe
- **AmCache.hve** First Time Executed
- smbexec.exe
"""
    print_info(heading, body)
def destination_registry():
    """
    Print the destination-host registry artifacts associated with SMBExec use.

    The text is passed to ``print_info`` verbatim.
    """
    heading = "SMBExec Destination Registry"
    # Closing quotes stay at column 0 so no indentation leaks into the text.
    body = """
- SYSTEM\\CurrentControlSet\\Services\\<ServiceName>
- Default: "BTOBTO" or random 8-character string.
- **ShimCache** SYSTEM
- smbexecsvc.exe
- **AmCache.hve**
- First Time Executed
- smbexecsvc.exe
"""
    print_info(heading, body)
def source_file_system():
    """
    Print the source-host file-system artifacts associated with SMBExec use.

    The text is passed to ``print_info`` verbatim.
    """
    heading = "SMBExec Source File System"
    # Closing quotes stay at column 0 so no indentation leaks into the text.
    body = """
- **Prefetch** C:\\Windows\\Prefetch\\
- smbexec.exe-{hash}.pf
- **File Creation**
- smbexec.exe file downloaded and created on the local host.
"""
    print_info(heading, body)
def destination_file_system():
    """
    Print the destination-host file-system artifacts associated with SMBExec use.

    The text is passed to ``print_info`` verbatim.
    """
    heading = "SMBExec Destination File System"
    # Closing quotes stay at column 0 so no indentation leaks into the text.
    body = """
- **Prefetch** C:\\Windows\\Prefetch\\
- smbexecsvc.exe-{hash}.pf
- execute.bat-{hash}.pf
- **File Creation**
- `execute.bat` created in C:\\Windows\\TEMP\\
- User-specified commands echoed to `execute.bat`.
- Temporary batch file removed after execution.
"""
    print_info(heading, body)
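def smbexec_service_creation():
    """
    Print the service-creation details used to spot SMBExec activity.

    The text is passed to ``print_info`` verbatim. The quoted command line is
    the one recorded in the 7045 service-install event and is the most
    specific detection string on this page, so its backslashes must survive
    Python string escaping intact.
    """
    heading = "SMBExec Service Creation Details"
    # The output path is a UNC path (two leading backslashes). In a non-raw
    # string each backslash has to be doubled, so the UNC prefix needs four:
    # the original single pair rendered as "\127.0.0.1\C$\__output", which
    # would not match the real command line in the event log.
    # Closing quotes stay at column 0 so no indentation leaks into the text.
    body = """
- Service Name:
- Default: "BTOBTO"
- Updated to a random 8-character mixed-case string in May 2023.
- Executable: `execute.bat` created for every command.
- Event Log Evidence:
- `7045` in `system.evtx` logs service creation.
- Command executed via:
- `%COMSPEC% /Q /c echo cd ^> \\\\127.0.0.1\\C$\\__output 2^>^&1 > %TEMP%\\execute.bat`.
"""
    print_info(heading, body)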
def smbexec_network_artifacts():
    """
    Print the network-level artifacts associated with SMBExec activity.

    The text is passed to ``print_info`` verbatim.
    """
    heading = "SMBExec Network Artifacts"
    # NOTE(review): the command line shown under "Service Creation Details"
    # writes its output through the C$ share, while this page lists ADMIN$;
    # both shares may be worth monitoring — confirm which one the tooling
    # in use actually touches.
    # Closing quotes stay at column 0 so no indentation leaks into the text.
    body = """
- **Network Connections**:
- SMB protocol communication with the target.
- Evidence of ADMIN$ share access.
- **Network Traffic Analysis**:
- Monitor for suspicious SMB traffic to/from servers.
- Detect repeated connections with new service creation.
"""
    print_info(heading, body)
def smbexec_eviction_techniques():
    """
    Print the eviction notes for SMBExec activity.

    The text is passed to ``print_info`` verbatim.
    """
    heading = "SMBExec Eviction Techniques"
    # NOTE(review): the bullets below describe the tool's own clean-up
    # (deleting execute.bat, removing the per-command service) rather than
    # defender eviction steps; responders should read them as "why the
    # artifact may already be gone" and lean on the 7045/7036 event records
    # and Prefetch entries listed on the other pages.
    # Closing quotes stay at column 0 so no indentation leaks into the text.
    body = """
- Remove temporary files:
- `execute.bat` is deleted after execution.
- Service cleanup:
- Services created for each command are removed after execution.
"""
    print_info(heading, body)
def smbexec_malware_case_study():
    """
    Print the SMBExec malware case-study summary.

    The text is passed to ``print_info`` verbatim.
    """
    heading = "SMBExec Malware Case Study"
    # Closing quotes stay at column 0 so no indentation leaks into the text.
    body = """
- **Case Study**:
- Malware using SMBExec for lateral movement.
- Leveraged temporary service creation for executing commands.
- Indicators:
- Random service names.
- Temporary batch files in `C:\\Windows\\TEMP`.
- **Detection**:
- Monitor Event ID 7045 for abnormal service names.
- Correlate with batch file creation and execution in `TEMP` directory.
"""
    print_info(heading, body)