254 lines
9.1 KiB
Python
254 lines
9.1 KiB
Python
import sys
|
||
from Modules.Imports.ttp_imports import *
|
||
from Modules.submenu import build_submenu
|
||
|
||
def psexec_submenu():
|
||
"""
|
||
Submenu for PsExec detection techniques.
|
||
"""
|
||
actions = {
|
||
"1": {"description": "Source Event Logs", "function": source_event_logs},
|
||
"2": {"description": "Destination Event Logs", "function": destination_event_logs},
|
||
"3": {"description": "Source Registry", "function": source_registry},
|
||
"4": {"description": "Destination Registry", "function": destination_registry},
|
||
"5": {"description": "Source File System", "function": source_file_system},
|
||
"6": {"description": "Destination File System", "function": destination_file_system},
|
||
"7": {"description": "Service Installation Details", "function": service_installation_details},
|
||
"8": {"description": "Network Artifacts", "function": psexec_network_artifacts},
|
||
"9": {"description": "Eviction Techniques", "function": psexec_eviction_techniques},
|
||
"10": {"description": "Malware Case Study", "function": psexec_malware_case_study},
|
||
}
|
||
build_submenu("PsExec Persistence", actions)
|
||
|
||
# Individual submenu functions
|
||
|
||
def source_event_logs():
|
||
"""
|
||
Displays source event logs related to PsExec.
|
||
"""
|
||
title = "PsExec Source Event Logs"
|
||
content = """
|
||
- **security.evtx**
|
||
- `4648` - Logon specifying alternate credentials
|
||
- Current logged-on User Name
|
||
- Alternate User Name
|
||
- Destination Host Name/IP
|
||
- Process Name
|
||
"""
|
||
print_info(title, content)
|
||
|
||
def destination_event_logs():
|
||
"""
|
||
Displays destination event logs related to PsExec.
|
||
"""
|
||
title = "PsExec Destination Event Logs"
|
||
content = """
|
||
- **security.evtx**
|
||
- `4648` Logon specifying alternate credentials
|
||
- Connecting User Name
|
||
- Process Name
|
||
- `4624` Logon Type 3 (and Type 2 if “-u” Alternate Credentials are used)
|
||
- Source IP/Logon User Name
|
||
- `4672`
|
||
- Logon User Name
|
||
- Logon by a user with administrative rights
|
||
- Requirement for access default shares such as **C$** and **ADMIN$**
|
||
- `5140` – Share Access
|
||
- **ADMIN$** share used by PsExec
|
||
- **system.evtx**
|
||
- `7045` Service installation: 4-character mixed-case alpha name referencing an 8-character mixed-case alpha .exe file
|
||
- %systemroot%\\xxxxxxxx.exe
|
||
- `7036` Service start/stop events
|
||
- **If Enabled**:
|
||
- `4688` in Security: tracks service and cmd.exe execution
|
||
"""
|
||
print_info(title, content)
|
||
|
||
def source_registry():
|
||
"""
|
||
Displays source registry information related to PsExec.
|
||
"""
|
||
title = "PsExec Source Registry"
|
||
content = """
|
||
- **NTUSER.DAT**
|
||
- Software\\SysInternals\\PsExec\\EulaAccepted
|
||
- **ShimCache** – SYSTEM
|
||
- psexec.exe
|
||
- **BAM_DAM** – SYSTEM – Last Time Executed
|
||
- psexec.exe
|
||
- **AmCache.hve** – First Time Executed
|
||
- psexec.exe
|
||
"""
|
||
print_info(title, content)
|
||
|
||
def destination_registry():
|
||
"""
|
||
Displays destination registry information related to PsExec.
|
||
"""
|
||
title = "PsExec Destination Registry"
|
||
content = """
|
||
- New service creation configured in `SYSTEM\\CurrentControlSet\\Services\\PSEXESVC`
|
||
- “-r” option can allow attacker to rename service
|
||
- **ShimCache** – SYSTEM
|
||
- psexesvc.exe
|
||
- **AmCache.hve**
|
||
- First Time Executed
|
||
- psexesvc.exe
|
||
"""
|
||
print_info(title, content)
|
||
|
||
def source_file_system():
|
||
"""
|
||
Displays source file system artifacts related to PsExec.
|
||
"""
|
||
title = "PsExec Source File System"
|
||
content = """
|
||
- **Prefetch** – C:\\Windows\\Prefetch\\
|
||
- psexec.exe-{hash}.pf
|
||
- Possible references to other files accessed by psexec.exe, such as executables copied to target system with the “-c” option
|
||
- **File Creation**
|
||
- psexec.exe file downloaded and created on the local host as the file is not native to Windows
|
||
"""
|
||
print_info(title, content)
|
||
|
||
def destination_file_system():
|
||
"""
|
||
Displays destination file system artifacts related to PsExec.
|
||
"""
|
||
title = "PsExec Destination File System"
|
||
content = """
|
||
- **Prefetch** – C:\\Windows\\Prefetch\\
|
||
- psexesvc.exe-{hash}.pf
|
||
- evil.exe-{hash}.pf
|
||
- **File Creation**
|
||
- User profile directory structure created unless "-e" option used
|
||
- psexesvc.exe will be placed in **ADMIN$** (\\Windows) by default, as well as other executables (evil.exe) pushed by PsExec
|
||
- **User Access Logging (Servers only)**
|
||
- C:\\Windows\\System32\\LogFiles\\Sum
|
||
- User Name
|
||
- Source IP Address
|
||
- First and Last Access Time
|
||
"""
|
||
print_info(title, content)
|
||
|
||
def psexec_analysis():
|
||
"""
|
||
Displays analysis of PsExec execution.
|
||
"""
|
||
title = "PsExec Analysis"
|
||
content = """
|
||
- **Command Example**:
|
||
- `psexec.py domain/username:password@[hostname | IP] command`
|
||
- Can specify a command to run, or leave blank for shell
|
||
- PSEXEC like functionality example using RemComSvc
|
||
- Creates and subsequently deletes a Windows Service with a random 4-character mixed-case alpha name referencing an 8-character mixed-case alpha .exe file in %systemroot%
|
||
- Detected and blocked by Windows Defender by default
|
||
|
||
- **Windows Event Log Residue**:
|
||
- Event ID `4776` in Security on target (for user specified in command)
|
||
- Event ID `4672` in Security on target (for user specified in command)
|
||
- Event ID `4624` Type 3 in Security on target (for user specified in command)
|
||
- Event ID `7045` in System on target (service installation: 4-character mixed-case alpha name referencing an 8-character mixed-case alpha .exe file):
|
||
- %systemroot%\\xxxxxxxx.exe
|
||
- Event ID `7036` in System on target
|
||
- [If Enabled] Event ID `4688` in Security on target:
|
||
- `services.exe → C:\\Windows\\xxxxxxxx.exe`
|
||
- `C:\\Windows\\xxxxxxxx.exe → command`
|
||
- `cmd.exe → conhost.exe 0xffffffff -ForceV1`
|
||
- Numerous other `4624`, `4634`, `4672` events
|
||
"""
|
||
print_info(title, content)
|
||
|
||
def service_installation_details():
|
||
"""
|
||
Displays details about PsExec service installation events.
|
||
"""
|
||
title = "PsExec Service Installation Details"
|
||
content = """
|
||
- PsExec creates a temporary Windows service for execution:
|
||
- Service name: Random 4-character mixed-case alpha name
|
||
- Executable: Random 8-character mixed-case alpha .exe file
|
||
- Registry Path:
|
||
- SYSTEM\\CurrentControlSet\\Services\\<ServiceName>
|
||
- Event Log Evidence:
|
||
- Event ID 7045 in `system.evtx` logs the service installation.
|
||
- Includes:
|
||
- Service Name
|
||
- Executable Path
|
||
- Service Type and Start Mode
|
||
- Forensic Insights:
|
||
- Compare service names and paths across multiple systems to detect outliers.
|
||
- Look for services with short, random names.
|
||
"""
|
||
print_info(title, content)
|
||
|
||
def psexec_network_artifacts():
|
||
"""
|
||
Displays network-related artifacts from PsExec usage.
|
||
"""
|
||
title = "PsExec Network Artifacts"
|
||
content = """
|
||
- **Network Connections**:
|
||
- PsExec uses SMB for communication and file transfer.
|
||
- Ports:
|
||
- 445 (SMB over TCP/IP)
|
||
- 139 (NetBIOS over TCP/IP)
|
||
- **Shared Resources**:
|
||
- Default shares such as **ADMIN$** and **C$** are utilized.
|
||
- Logs in `security.evtx`:
|
||
- Event ID 5140: Share access.
|
||
- Event ID 5145: Access to specific shared files.
|
||
|
||
- **Forensic Tips**:
|
||
- Monitor for abnormal access to ADMIN$ or C$ from unexpected hosts.
|
||
- Analyze SMB traffic for PsExec file transfers.
|
||
"""
|
||
print_info(title, content)
|
||
|
||
def psexec_eviction_techniques():
|
||
"""
|
||
Displays techniques for detecting and evicting PsExec usage.
|
||
"""
|
||
title = "PsExec Eviction Techniques"
|
||
content = """
|
||
- **Detection**:
|
||
- Use centralized logging solutions (e.g., Splunk, ELK) to correlate Event IDs across systems.
|
||
- Enable advanced audit policies to log service and process creation events.
|
||
|
||
- **Eviction**:
|
||
- Audit and remove unauthorized services under:
|
||
- SYSTEM\\CurrentControlSet\\Services\\
|
||
- Verify the integrity of executables in:
|
||
- C:\\Windows\\System32
|
||
- C:\\Windows\\Prefetch
|
||
- Block unauthorized access to default shares like ADMIN$ and C$.
|
||
|
||
- **Prevention**:
|
||
- Use endpoint protection tools to block PsExec executables.
|
||
- Restrict access to administrative shares to trusted hosts and accounts only.
|
||
"""
|
||
print_info(title, content)
|
||
|
||
def psexec_malware_case_study():
|
||
"""
|
||
Provides a case study example of malware leveraging PsExec.
|
||
"""
|
||
title = "PsExec Malware Case Study"
|
||
content = """
|
||
- **Real-World Example**:
|
||
- Malware Name: Emotet
|
||
- Attack Vector: Lateral Movement
|
||
- Emotet leveraged PsExec to deploy secondary payloads across compromised networks.
|
||
|
||
- **Tactics**:
|
||
- Copied malicious payloads to ADMIN$ share.
|
||
- Used PsExec to execute payloads on remote systems.
|
||
- Cleaned up by removing PsExec artifacts (e.g., services and files).
|
||
|
||
- **Forensic Indicators**:
|
||
- Sudden increase in Event IDs 4624, 4672, and 5140 across multiple systems.
|
||
- Unusual services with short, random names.
|
||
- Files with mismatched creation and modification times in ADMIN$.
|
||
"""
|
||
print_info(title, content)
|