From ce8986df661f031fbd1474777218dec4da4d8e69 Mon Sep 17 00:00:00 2001
From: Gurulhu
Date: Thu, 4 Apr 2019 23:39:32 -0300
Subject: [PATCH 1/5] First pass. Will test it on a Windows VM right now.
---
 red_ttp/__pycache__/__init__.cpython-37.pyc | Bin 0 -> 708 bytes
 red_ttp/__pycache__/common.cpython-37.pyc | Bin 0 -> 9623 bytes
 red_ttp/common.py | 13 ++++----
 red_ttp/office_application_startup.py | 2 +-
 red_ttp/registry_persistence_create.py | 34 ++++++++++----------
 red_ttp/scrobj_com_hijack.py | 4 +--
 red_ttp/sip_provider.py | 2 +-
 red_ttp/trust_provider.py | 2 +-
 red_ttp/uac_eventviewer.py | 2 +-
 red_ttp/uac_sdclt.py | 4 +--
 10 files changed, 32 insertions(+), 31 deletions(-)
 create mode 100644 red_ttp/__pycache__/__init__.cpython-37.pyc
 create mode 100644 red_ttp/__pycache__/common.cpython-37.pyc
diff --git a/red_ttp/__pycache__/__init__.cpython-37.pyc b/red_ttp/__pycache__/__init__.cpython-37.pyc new file mode 100644 index 0000000000000000000000000000000000000000..61120530fceaa729d4b16fae1df1873f2fb7e212 GIT binary patch literal 708 zcmYk3&2AGh5XU`U??-4-wGszTIdDK)4um7B5TZ0loT92kLRuABNo>*$o9tpcQi+mN zd649S#3S%3zHs2gD{x}Qp;ax-cxKl2f9AJuI-Lg$*RP-7FONB6zbUz0F$S;E>k~~ zc75WQgDp5di?+hW3U+)4H_&GvyPJJAS)+#HpHtIavu#QlurJ*YY|T(58mz?AXU*4~ zuMVUv7p0RD(^YFy&*$}mzGObJwQ*W`F|F#c=e6~s8M!MjW_7vn?Tfd4IUJtL^V8uw zpN&UWFGh3ilTp*?h01x6+KDL}XYrvB{9xt)2l)HAcU8}IZ@M(g-o@~=XS9;eHNAU{ z`1VvgD$1&~j^?)kJP7E*5gc;U!P*@pfk}cEAe~?kAU${Nh9QzChy)0K@Pbh6;F53n zCPFmv8qpz|_J1@m$dmB8p;rz4RiD|WDxJP|CZk#lT`qh~^IAiVg?bUu2^w+l+8FuH z?I7Xs5ti;IX~QEp1VgpFwO5Pia*#|_X#&r5G`0bICgrEH(o!1Yv2T&?-ctNOW1e@t_RK2fUL17$ayKjIw0xG{_y z#i)Pjj8dH=;V3u0ezZL%%VX~GeHH7TV7fET4Cf^labG&BF!QM5oWzJz?G%fm|7ADP zKHZ__6{a|^GRrx`V$N&Kc3x+3=PXM&X|%t=`kZsDpACGjIOkcC4dOn*hS)Iflk6rt z%EmrdoeOM=9cL#{dy|c`m(X{Son)tQzr<4PW!&Flr`apGUuLheGq}IaUSqH0e#ISP zs(WHZXJ=U&^WR~&*c@s^B_xITq z_73jX-AQ(peeaRx++Z{8UG^U4-eehejlGZB6uZuDVAL(9=9Kj8H>3^OX6)jncP8J& z-^FH>Zuo1SUShw0@%&q@rOEHCG-GQ*)V&+;UbxUS-d$qnoaprY-P}TE`Wxt!@{LA? 
zPK7~5go>LeO1R{Y`l#yzT;44dt4d4VdDB;BluysLG@-1kZOzyARnHbWQ+;g|TJcCz z6<=)|)UGNI?fZ&|`068-=^GmMWMrF1?v_2TTwP5ux9(P%TP^LT&UjDNmpPG@HUq8Z z1xCFn)&kSrDSN^T^h#|tFpG5>j|aD!)`JL*@Pg=OxEiOk^tTEh#O-P7!dh+9y|CKg zjSGwUsSDg?1@PiRskXUUt4`K;gQ3!zTiPh}NGQABMa=XPC=}IDZ8f3x;6=O)G`p1lrPZ-j4=O%yeQajcTb-sxdc+muiKTGQ?Nhbb}}!WF=DP<*MK@ znn6MgqTH=W@msg1a+$)+++r|tcP^Kk%YIOp$t+~DGnwr4TqXx4Fp7ND3(Spey2B8< z^|ThKD?CYykt*;ZS~14lQjHgd%ck%c3R$z%;}G+42)lXdupUfatJF%xig$goGpokG z)#Ng~NA672Y85YtZ1ZB>OKY6u$6rE`RwWU*$);z>sPUUb1_@nJ$E@b5|L65-;=GG79x1z`@>fvKesdCKzC^l1 zzY$zipT_0=J4g{wLZLp=_(`F)VPJ54&@ux>-B(*sPw$d2pu`bhAq6M(723MlvSb-U z8Ex6V>D}=o{P%<~Vzu;@{gI6x;`1DHMF_tOFQ``XEUg;^Uh{&QyKl!rgZAsS>cG358H z4?n^VRAqM*qek}OIB6a;X&&6=h@prhaF_7%^cT9y>TiAHE0zB%vs+25Fxox}+Q(?d z&P?xJ7DjxG-ec|K*u$Vdi02VM=?}i6V3zuo>W%msmBR1`+b8xVf4)*5j@(x;isp^) zD{^eI{SsD4cDOO*5BZ5Pr8Vpii<27)R{beaEKd5vW3WkN+_CD{a_z6N&M6k(&@t-Q zkVS%?JCZP%O%kCNKe+;v=lA8nBPdW`^Gs&PEj5IjDyHhZR&qTrRjjfU6eT6r+*GY0 z>J2gZEd!Y&#UL$Ng&KUCAbU%m<&U+8My{*;f$j;8v#CwK8R#$yp%Lh5<5T-u1s(-{ zpnjb!rqoAMX`XOHiVhC?!MJAhjF-9&vlgh^X(Nbuf|aX*i5m!&cb9WCuep`VD%QmB zcQ-gGdbT<6VYyNvU)R}Zphzdz?1y6$DKd(w_fuzBIu+Pu_(V?>t0gxuh{nM78q1w& zPJ&u4l{Og`bNMLN4y@brxqNo&ZYD4m<`y!Jnaj`2-^&L^4PH{(iy+F}t!krE2@Fw& z#f>abS77e&Vs+IGbXZ-GU2)wy+-@r{PT<7oa(+AC#?HsL1+)p`!Hu+Dw5N+`Y!1=j>rU^5jZ7U6~|(&AhXrOv4gi@miTKDfhvSR znf?S60z?_UG+2^WpqTigyII=`iG8Y0fN_ghBOQ6(w}$j{8ti_DPm71WlHi|V5zj=S zK&l|wLG8sP-$c(LlCR0SPDJv{u$~a|A@U<_GbF!iiKs8FcXuO4dK+P7?v_N26M*Iq zuzYt@)^nQ*B4rPQ!xK(+)G_&{;I1pl{f=EGJG<{+`YfUf*nn@RbIeT@5QJq6i-P$Ork=kxTl#aGgyR~ zEV^nii^Zh262P&^y-Fd+v(2&TidzIQUQG#ivkveIArp3fM$XN|Vxu}!sl0V*5>~63 zn5(*Cx?Y(q)hp+nQMtn1-8?UrHoRNA3!$qG)T?=Hm3ShZ6wn-LytG983e^ZGzL4Vs zC8DXY?JgHeMFdd)h=D!TA5nP`&n03w{pd)L5b4?b8x*7q>sm|SL*4>V>9o+>#-6&T zt!Tc!uYI9cZ|&SfR02Ld(g3k8eWC4+K0jswpy}ZxKocStz^2c-u<7CC1GL{)C}eu9 zJ=RwM44Hvw%MjLj%m=@psI7<}Y1<+6LJiOlRwB{vqg;ck?CFvg9a?H-%Qq2ImCwHN z0+9~WcFxM}Ajkswd&-L5!8|aK6t~f0ZJn0yn#s#K@<}92@Gj-Ke9PsjS~W!hI>K{` zqL_@QdPj{+X-6>fBt%MU=yUqy+yX)`7fVPX0g}Xe(*lj0FVuyAiF{2cNEv>FlX*d` 
zk$3)@HWJ#cA$X-`NEQkA00f0gbS6M)KE|AU596f!1A}(JSJ3Q?<;t7&ihDbsUs!Y> zHe65KhDWcsJVtW*iVfIv5-3O$}#hjP$%ZOVx|at zT;+3^aiFAWlQU{?sVJdvqHEzhIT7iY;aVLw$q|Pp5Y?UVP?APl|0lG06qYD(=$1O9 zlT%N^iNlp^LuLYuvH%D8CPtLV7tt?@i-a_d%iBWX>vhxDTe|e!2w~ti5wiHYtRXM5 zVssP+#-FtPC;ctMH`)eZc!bQ+N6Mn|K!J`TbAmjI)-r|e>rBVUq#SAbodBXcw(A;B zFBC;-jTCKpS0F}*Tb4LsLON$z4>Z0UXxq!_Xy~b}<#M&?mC9u&x_qfvSaWyyW$b~| zZYUJ5SBfQ<-@sEk8pK04E*+l}t5sM*z9)!P-R({_9(s5=M8>{>RjO5mTNR!YMH~pb z!46p$shPHHms9=?FY+jShXeqjh5(juq2$Eb7xVnb=#e~Ex;*#w1Jv>ikF{rcO!fsl zjz}IWWHZ2X@YaV_>dFX?7|$4^w;}>kWRad6qG-i&KaiP}gPCofI3$M@cURpV5=AHl zUIn?$!D*=KDoLsfotoPD6tAH#ZG{&3KnxlO-j4#jUG;?*9hq4;)Ie7GAC`H^;v(v}~G#|KJ42QEsc zpIOHgVI9;rG+uu=D`LW4kFyx^1rd>0?_;))L+itZ;HjU*pBOD1LgWREYs$k}#QTP? zBR^nmP~?7fXHN{Ugv=E9EoG-7lD^&^q!=7DEP?W9%kr)E5V8i!hQKr4M)Nz{CQ@5vce{%h znuAODo&CYm_7Yo~EKGcQF5NsaQ}#+g%7j5#s$N5Cce&z*D+KDK40m}NqHGR&B|<5w zr6p)Q90cD*ut4!+7`(lK+BX#OG>_er>ERAdL<^mfv+#&L*VBCeUbRT?5jCJ98U$~xrMaNKcrS-oD-3Pf>}jG3sVvplu*U@ z9(SuiaX9{)c?jJ9uXl;gPPC{gt|j86XU9; zlSkC>hY(onN02)zLt7iZ(}vHaAh;i+`HwNXXF|wt67Z0R+d+jA-U6}ZzQ&V2;@dEm zBfQLv)d*o_dE8ax&XI!K(D@azvlQWB7Wqd?0@Cq|;?OKoAFOor7)8of)-mc}O;ek= zjH@akZ&#l?9~?MIJ%~sv8CY`*g~iMVnFk>t?&$*1*cUVm0WEX+9aNoIM^?b(&+?G} z2;JkbS{;jud;ziq7D@`63|02`*g-i@8<%9qAE2_cLkywl57uIRNpE4}Eq&)RpI|X8 z7=Sdw1%%=TwjSA?>^uWHOE+ftCV`4p)Q`3!667jyVG=O-ksKmuLD0G0gU;iC&f|d9 ziB2S>X92)SQwqm5ngTOHN20fFM$;)PSEpp#jmkd6_FpML zXkS0>q;aHg{HN$CQFr&JqavA0{*5r%hE`7!iy5#ObOakVy#`M1mXNotDrhqf2S* z@g)bz+k}X*D3DGc+zsN*RV2)hVm9}T*9s*AVGm!!C6B*04qc_RAmWI>LVt-e1@t3B(9?^*#6xHX zB)9>@X=?%j|g!>Vh|1zm{E5AdFnp0!h~fZF~CXWs%1)w z9K8%Y!ld`H`w!CU;xkZP;mQstGEEi?Hp^Hm zZy`Or;qC^JEm{dytB4G;i9|9+Bicn5EEh6vh+$r&07+@D;5}Chl>4r(E|MCIfkp+k z--g>9fm;kS$H*#E0`2e7*E0=t$jH=6b45&{Z(t$r4Q)P-_(?Kh)K-P%hovV2fK;ap z4@bj~B4qd5CgIJ)!3jni)FOkFNVYjNF)@+K&gWCJ^Y^kdh)yOZnn@}T|75hnDTjrC zk*w~)5eq*>_M#Li3S`g7m%Y%U+ww!NbSsS5LJ*5E1sEgG#&M1R16tD2*;)Q7D*4&j zSt!KVXh)t2=$Tw3hhCBj`DOuIzY(;e19o( zIqxs1-zvzh7Yg!gsbfyvAw0+bh}P@}xVv*}YWl+t_V|=0=yqvBqNawr}JvGl>@g@1-7aVBMD!kVp(!2280 
u!Y1gmO!v<)G()#y*05#R*KNa!SSFt2Jvnao+XJYlt$zF&wr&sGL;nYA0 %s" % (HOSTNAME, command))
@@ -179,15 +180,15 @@ def clear_web_cache(): def serve_web(ip=LOCAL_IP, port=None, directory=BASE_DIR): - handler = SimpleHTTPServer.SimpleHTTPRequestHandler + handler = http.server.SimpleHTTPRequestHandler if port is not None: - server = SocketServer.TCPServer((ip, port), handler) + server = socketserver.TCPServer((ip, port), handler) else: # Otherwise, try to find a port for port in xrange(8000, 9000): try: - server = SocketServer.TCPServer((ip, port), handler) + server = socketserver.TCPServer((ip, port), handler) break except socket.error: pass
diff --git a/red_ttp/office_application_startup.py b/red_ttp/office_application_startup.py
index 7ee555f..a44bf70 100755
--- a/red_ttp/office_application_startup.py
+++ b/red_ttp/office_application_startup.py
@@ -4,7 +4,7 @@ # Description: Modifies the registry to persist a DLL on Office Startup. import common -import _winreg as winreg +import winreg import sys import time
diff --git a/red_ttp/registry_persistence_create.py b/red_ttp/registry_persistence_create.py
index ebc9ac8..9463558 100755
--- a/red_ttp/registry_persistence_create.py
+++ b/red_ttp/registry_persistence_create.py
@@ -3,7 +3,7 @@ # ATT&CK: T1015, T1103 # Description: Creates registry persistence for mock malware in Run and RunOnce keys, Services and debuggers. -import _winreg as wreg +import winreg import time import common
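Review bot: In serve_web, when `port` is None and every bind in the 8000–9000 scan raises `socket.error`, the loop falls through with `server` never assigned, so the first later use fails with a NameError instead of a clear message; a `for … else:` on that loop, `else:` / `raise RuntimeError("serve_web: no free port in 8000-8999 on %s" % ip)`, makes the failure explicit. The same loop is touched again in patch 2/5 (hunk `@@ -186,7 +187,7 @@` of common.py), where only `xrange` is replaced, so the gap survives the series. serve_web's body continues past the hunk, so the `directory` parameter may be applied there; if it is not, `functools.partial(http.server.SimpleHTTPRequestHandler, directory=directory)` is how the Python 3.7+ handler takes it without a process-wide chdir (functools is already imported by this module, as the decorator hunk in patch 4/5 shows).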
@@ -15,18 +15,18 @@ def pause(): def write_reg_string(hive, key, value, data, delete=True): - hkey = wreg.CreateKey(hive, key) + hkey = winreg.CreateKey(hive, key) key = key.rstrip('\\') common.log("Writing to registry %s\\%s -> %s" % (key, value, data)) - wreg.SetValueEx(hkey, value, 0, wreg.REG_SZ, data) - stored, code = wreg.QueryValueEx(hkey, value) + winreg.SetValueEx(hkey, value, 0, winreg.REG_SZ, data) + stored, code = winreg.QueryValueEx(hkey, value) if data != stored: common.log("Wrote %s but retrieved %s" % (data, stored), log_type="-") if delete: pause() common.log("Removing %s\\%s" % (key, value), log_type="-") - wreg.DeleteValue(hkey, value) + winreg.DeleteValue(hkey, value) hkey.Close() pause() 
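Review bot: write_reg_string closes `hkey` only on the success path; if `SetValueEx` or `QueryValueEx` raises (for instance PermissionError when an HKLM path is written without elevation) the handle is leaked and the caller aborts with no log line. `winreg` handles are context managers, so `with winreg.CreateKey(hive, key) as hkey:` around the body replaces the manual `hkey.Close()` and covers the error path too. The second element returned by `QueryValueEx` is the value's registry type, not a status code, so `stored, code = …` reads more honestly as `stored, _type = winreg.QueryValueEx(hkey, value)`. Note also that `delete=True` removes only the value: a subkey that `CreateKey` had to create (such as the per-victim Image File Execution Options key written in the later `@@ -84,7 +84,7 @@` hunk) is left behind, which matters for a harness meant to leave the host clean.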
@@ -37,39 +37,39 @@ def write_reg_string(hive, key, value, data, delete=True): def main(): common.log("Suspicious Registry Persistence") - for hive in (wreg.HKEY_LOCAL_MACHINE, wreg.HKEY_CURRENT_USER): + for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER): write_reg_string(hive, "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\", "RunOnceTest", TARGET_APP) write_reg_string(hive, "Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", "RunTest", TARGET_APP) # create Services subkey for "ServiceTest" common.log("Creating ServiceTest registry key") - hkey = wreg.CreateKey(wreg.HKEY_LOCAL_MACHINE, "System\\CurrentControlSet\\Services\\ServiceTest\\") + hkey = winreg.CreateKey(winreg.HKEY_LOCAL_MACHINE, "System\\CurrentControlSet\\Services\\ServiceTest\\") # create "ServiceTest" data values common.log("Updating ServiceTest metadata") - wreg.SetValueEx(hkey, "Description", 0, wreg.REG_SZ, "A fake service") - wreg.SetValueEx(hkey, "DisplayName", 0, wreg.REG_SZ, "ServiceTest Service") - wreg.SetValueEx(hkey, "ImagePath", 0, wreg.REG_SZ, "c:\\ServiceTest.exe") - wreg.SetValueEx(hkey, "ServiceDLL", 0, wreg.REG_SZ, "C:\\ServiceTest.dll") + winreg.SetValueEx(hkey, "Description", 0, winreg.REG_SZ, "A fake service") + winreg.SetValueEx(hkey, "DisplayName", 0, winreg.REG_SZ, "ServiceTest Service") + winreg.SetValueEx(hkey, "ImagePath", 0, winreg.REG_SZ, "c:\\ServiceTest.exe") + winreg.SetValueEx(hkey, "ServiceDLL", 0, winreg.REG_SZ, "C:\\ServiceTest.dll") # modify contents of ServiceDLL and ImagePath common.log("Modifying ServiceTest binary") - wreg.SetValueEx(hkey, "ImagePath", 0, wreg.REG_SZ, "c:\\ServiceTestMod.exe") - wreg.SetValueEx(hkey, "ServiceDLL", 0, wreg.REG_SZ, "c:\\ServiceTestMod.dll") + winreg.SetValueEx(hkey, "ImagePath", 0, winreg.REG_SZ, "c:\\ServiceTestMod.exe") + winreg.SetValueEx(hkey, "ServiceDLL", 0, winreg.REG_SZ, "c:\\ServiceTestMod.dll") hkey.Close() pause() # delete Service subkey for "ServiceTest" common.log("Removing ServiceTest", 
log_type="-") - hkey = wreg.CreateKey(wreg.HKEY_LOCAL_MACHINE, "System\\CurrentControlSet\\Services\\") + hkey = winreg.CreateKey(winreg.HKEY_LOCAL_MACHINE, "System\\CurrentControlSet\\Services\\") - wreg.DeleteKeyEx(hkey, "ServiceTest") + winreg.DeleteKeyEx(hkey, "ServiceTest") hkey.Close() pause() # Additional persistence - hklm = wreg.HKEY_LOCAL_MACHINE + hklm = winreg.HKEY_LOCAL_MACHINE common.log("Adding AppInit DLL") windows_base = "Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\" write_reg_string(hklm, windows_base, "AppInit_Dlls", "evil.dll", delete=False)
@@ -84,7 +84,7 @@ def main(): for victim in debugger_targets: common.log("Registering Image File Execution Options debugger for %s -> %s" % (victim, TARGET_APP)) base_key = "Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\%s" % victim - write_reg_string(wreg.HKEY_LOCAL_MACHINE, base_key, "Debugger", TARGET_APP, delete=True) + write_reg_string(winreg.HKEY_LOCAL_MACHINE, base_key, "Debugger", TARGET_APP, delete=True) if __name__ == "__main__":
diff --git a/red_ttp/scrobj_com_hijack.py b/red_ttp/scrobj_com_hijack.py
index 203a2e3..164a168 100755
--- a/red_ttp/scrobj_com_hijack.py
+++ b/red_ttp/scrobj_com_hijack.py
@@ -3,7 +3,7 @@ # ATT&CK: T1122 # Description: Modifies the Registry to create a new user-defined COM broker, "scrobj.dll". -import _winreg as winreg +import winreg import common
@@ -19,7 +19,7 @@ def main(): winreg.DeleteValue(hkey, "") winreg.DeleteKey(hkey, "") winreg.CloseKey(hkey) - + hkey = winreg.CreateKey(winreg.HKEY_CURRENT_USER, "SOFTWARE\\Classes\\CLSID") winreg.DeleteKey(hkey, "{00000000-0000-0000-0000-0000DEADBEEF}") winreg.CloseKey(hkey)
diff --git a/red_ttp/sip_provider.py b/red_ttp/sip_provider.py
index 0ea3c2f..afab38b 100755
--- a/red_ttp/sip_provider.py
+++ b/red_ttp/sip_provider.py
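Review bot: main writes to HKEY_LOCAL_MACHINE first in the hive loop and again for the ServiceTest key, so an unelevated run stops at the first `winreg.CreateKey` with a PermissionError before any HKCU step and before any of the removal lines in this hunk execute, leaving no log line saying why. Wrapping the HKLM work in `try:` … `except PermissionError as e: common.log("Writing HKLM requires an elevated prompt: %s" % e, log_type="!")` and returning early would give a clear, logged exit (common.log accepts "!" as a log_type, as the decorator hunk in common.py shows). The `hkey.Close()` calls here are likewise skipped whenever a `SetValueEx` raises; `with winreg.CreateKey(...) as hkey:` closes the handle on both paths. main continues past this hunk into the `@@ -84,7 +84,7 @@` hunk below.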
@@ -4,7 +4,7 @@ # Description: Registers a mock SIP provider to bypass code integrity checks and execute mock malware. import os -import _winreg as winreg +import winreg import common
diff --git a/red_ttp/trust_provider.py b/red_ttp/trust_provider.py
index 1fa8bdd..d4c079a 100755
--- a/red_ttp/trust_provider.py
+++ b/red_ttp/trust_provider.py
@@ -4,7 +4,7 @@ # Description: Substitutes an invalid code authentication policy, enabling trust policy bypass. import os -import _winreg as winreg +import winreg import common FINAL_POLICY_KEY = "Software\\Microsoft\\Cryptography\\providers\\trust\\FinalPolicy\\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}"
diff --git a/red_ttp/uac_eventviewer.py b/red_ttp/uac_eventviewer.py
index d57e9e6..8b579b8 100755
--- a/red_ttp/uac_eventviewer.py
+++ b/red_ttp/uac_eventviewer.py
@@ -4,7 +4,7 @@ # Description: Modifies the Registry value to change the handler for MSC files, bypassing UAC. import sys -import _winreg as winreg +import winreg import common # Default machine value:
diff --git a/red_ttp/uac_sdclt.py b/red_ttp/uac_sdclt.py
index 9723bfc..7ff9935 100755
--- a/red_ttp/uac_sdclt.py
+++ b/red_ttp/uac_sdclt.py
@@ -6,7 +6,7 @@ import subprocess import sys import os -import _winreg as winreg +import winreg import common # HKCU:\Software\Classes\exefile\shell\runas\command value: IsolatedCommand
@@ -26,7 +26,7 @@ def main(target_process=common.get_path("bin", "myapp.exe")): common.log("Running Sdclt to bypass UAC") common.execute([r"c:\windows\system32\sdclt.exe", "/KickOffElev"]) - + common.log("Clearing registry keys", log_type="-") winreg.DeleteValue(hkey, "IsolatedCommand") winreg.DeleteKey(hkey, "")
From 9a2286479736695b0b134af289360f8d9045a48b Mon Sep 17 00:00:00 2001
From: Gurulhu
Date: Fri, 5 Apr 2019 00:50:16 -0300
Subject: [PATCH 2/5] xrange and os.sep fixed.
---
 red_ttp/common.py | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/red_ttp/common.py b/red_ttp/common.py
index 941bf59..06e1783 100755
--- a/red_ttp/common.py
+++ b/red_ttp/common.py
@@ -101,7 +101,7 @@ def execute(command, hide_log=False, mute=False, timeout=30, wait=True, kill=Fal if kill: delta = 0.5 # Try waiting for the process to die - for _ in xrange(int(timeout / delta) + 1): + for _ in range(int(timeout / delta) + 1): time.sleep(delta) if p.poll() is not None: return
@@ -114,10 +114,11 @@ def execute(command, hide_log=False, mute=False, timeout=30, wait=True, kill=Fal pass elif wait: output = '' - p.stdin.write(os.linesep) + p.stdin.write(os.linesep.encode()) while p.poll() is None: line = p.stdout.readline() if line: + line = line.decode() output += line if not (hide_log or mute): print(line.rstrip())
@@ -186,7 +187,7 @@ def serve_web(ip=LOCAL_IP, port=None, directory=BASE_DIR): server = socketserver.TCPServer((ip, port), handler) else: # Otherwise, try to find a port - for port in xrange(8000, 9000): + for port in range(8000, 9000): try: server = socketserver.TCPServer((ip, port), handler) break
@@ -264,7 +265,7 @@ def find_remote_host(): if len(pending) > 0: # See which ones return first with a success code, and use that host - for _ in xrange(20): + for _ in range(20): for hostname, pending_process in sorted(pending.items()): if pending_process.poll() is None: pending_process.stdin.write(os.linesep)
From 6348559ff6691aaa51012d324413c6ce6ff86705 Mon Sep 17 00:00:00 2001
From: Gurulhu
Date: Fri, 5 Apr 2019 01:18:48 -0300
Subject: [PATCH 3/5] Fixed print_file and ran it a couple times on a Windows 10 box. Seems to be working just fine. Will test it again tomorrow before PR'ing
---
 red_ttp/common.py | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/red_ttp/common.py b/red_ttp/common.py
index 06e1783..c65f563 100755
--- a/red_ttp/common.py
+++ b/red_ttp/common.py
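Review bot: `line = line.decode()` in the `@@ -114,10 +114,11 @@` hunk decodes the child's stdout as strict UTF-8, but Windows console programs write the OEM code page (cp437, cp850 and friends), so the first non-ASCII byte — an accented account name from whoami, a localised error text — raises UnicodeDecodeError inside the read loop and execute abandons the process mid-stream with no output captured. Either create the pipes in text mode where `p` is built (above the hunk, not visible here), `subprocess.Popen(..., universal_newlines=True, errors="replace")`, in which case the `os.linesep.encode()` added here goes away again, or decode defensively: `line = p.stdout.readline().decode(errors="replace")`. Patch 3/5 rewrites these same lines (hunk `@@ -116,14 +116,13 @@`) and keeps the bare `.decode()` on both `readline()` and the trailing `read()`, so the same fix applies there. execute starts above the hunk.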
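Review bot: `pending_process.stdin.write(os.linesep)` at the end of the `@@ -264,7 +265,7 @@` hunk still passes a str to a pipe that Python 3 opens in binary mode, so find_remote_host raises TypeError on the first still-running probe; the identical call in execute was changed to `os.linesep.encode()` in the hunk above, but this one was missed. The one-line fix is `pending_process.stdin.write(os.linesep.encode())`, unless these Popen objects are created in text mode, which is not visible in the hunk. find_remote_host begins above the hunk and its loop body continues past it.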
@@ -116,14 +116,13 @@ def execute(command, hide_log=False, mute=False, timeout=30, wait=True, kill=Fal output = '' p.stdin.write(os.linesep.encode()) while p.poll() is None: - line = p.stdout.readline() + line = p.stdout.readline().decode() if line: - line = line.decode() output += line if not (hide_log or mute): print(line.rstrip()) - output += p.stdout.read() + output += p.stdout.read().decode() output = output.strip() # Add artificial sleep to slow down command lines
@@ -361,6 +360,6 @@ def print_file(path): else: print('-' * 16) with open(path, 'rb') as f: - print(f.read().rstrip()) + print(f.read().decode().rstrip()) print('')
From fb642410981a3324f15a12b9de66da8f0643ecf7 Mon Sep 17 00:00:00 2001
From: Gurulhu
Date: Fri, 5 Apr 2019 20:20:33 -0300
Subject: [PATCH 4/5] A few more byte/str confusion fixes and dependencies inspection func_code changed to py3 syntax.
---
 red_ttp/common.py | 8 ++++----
 red_ttp/powershell_args.py | 4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/red_ttp/common.py b/red_ttp/common.py
index c65f563..f36c2bf 100755
--- a/red_ttp/common.py
+++ b/red_ttp/common.py
@@ -65,7 +65,7 @@ def decorator(f): @functools.wraps(f) def decorated(*args, **kwargs): if len(missing): - log("Missing dependencies for %s:%s()" % (f.func_code.co_filename, f.func_code.co_name), "!") + log("Missing dependencies for %s:%s()" % (f.__code__.co_filename, f.__code__.co_name), "!") for dep in missing: print(" - %s" % os.path.relpath(dep, BASE_DIR)) return MISSING_DEPENDENCIES
@@ -213,7 +213,7 @@ def patch_file(source_file, old_bytes, new_bytes, target_file=None): target_file, binascii.b2a_hex(new_bytes))) with open(source_file, "rb") as f: - contents = f.read() + contents = f.read().decode() patched = contents.replace(old_bytes, new_bytes)
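Review bot: print_file (hunk `@@ -361,6 +360,6 @@`) opens `path` in binary mode and then decodes the whole content as strict UTF-8, so a file containing any non-UTF-8 byte — a patched binary, a log written in the console code page — now aborts the caller with UnicodeDecodeError where the Python 2 version printed it as-is. `print(f.read().decode(errors="replace").rstrip())` keeps the dump best-effort, or open the file as text with `open(path, encoding="utf-8", errors="replace")` and drop the decode. print_file begins above the hunk.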
@@ -226,14 +226,14 @@ def patch_regex(source_file, regex, new_bytes, target_file=None): log("Patching by regex %s --> %s" % (source_file, target_file)) with open(source_file, "rb") as f: - contents = f.read() + contents = f.read().decode() matches = re.findall(regex, contents) log("Changing %s -> %s" % (', '.join(matches), new_bytes)) contents = re.sub(regex, new_bytes, contents) with open(target_file, "wb") as f: - f.write(contents) + f.write(contents.encode()) def wchar(s):
diff --git a/red_ttp/powershell_args.py b/red_ttp/powershell_args.py
index d6f06f7..5a9a091 100755
--- a/red_ttp/powershell_args.py
+++ b/red_ttp/powershell_args.py
@@ -16,9 +16,9 @@ def main(): common.log("PowerShell Suspicious Commands") temp_script = os.path.abspath("tmp.ps1") - # Create an empty script + # Create an empty script with open(temp_script, "wb") as f: - f.write("whoami.exe\n") + f.write("whoami.exe\n".encode()) powershell_commands = [ 'powershell -encoded %s' % encode('ping google.com'),
From 288f3a390126b0cae9e1ed033ac66f9a771fddee Mon Sep 17 00:00:00 2001
From: Gurulhu
Date: Sat, 6 Apr 2019 08:21:02 -0300
Subject: [PATCH 5/5] Fixed the powershell_args commands, but there's a bug in installutil_network that still needs to be fixed.
---
 red_ttp/common.py | 2 +-
 red_ttp/powershell_args.py | 2 +-
 red_ttp/smb_connection.py | 3 +--
 3 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/red_ttp/common.py b/red_ttp/common.py
index f36c2bf..3d34ad7 100755
--- a/red_ttp/common.py
+++ b/red_ttp/common.py
@@ -213,7 +213,7 @@ def patch_file(source_file, old_bytes, new_bytes, target_file=None): target_file, binascii.b2a_hex(new_bytes))) with open(source_file, "rb") as f: - contents = f.read().decode() + contents = f.read() patched = contents.replace(old_bytes, new_bytes)
diff --git a/red_ttp/powershell_args.py b/red_ttp/powershell_args.py
index 5a9a091..4b609c2 100755
--- a/red_ttp/powershell_args.py
+++ b/red_ttp/powershell_args.py
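Review bot: patch_regex (hunk `@@ -226,14 +226,14 @@`) now reads a file opened with "rb", decodes it as strict UTF-8 and re-encodes on write, so it raises UnicodeDecodeError on any file that is not valid UTF-8, and because `re.sub(regex, new_bytes, contents)` now runs on str, `regex` and `new_bytes` must be str too — callers are not visible here, but the parameter name, the binary open, and the fact that the sibling patch_file is put back to pure bytes in patch 5/5 suggest they used to be bytes. If the function is meant to regex-patch arbitrary file contents, a lossless round trip is `contents = f.read().decode("latin-1")` paired with `f.write(contents.encode("latin-1"))`, since latin-1 maps every byte to exactly one code point; if the inputs are genuinely text, pass the `encoding=` explicitly instead of relying on the default. Either way a docstring stating whether `regex` and `new_bytes` are str or bytes would prevent the next mix-up.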
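Review bot: The comment `# Create an empty script` in powershell_args.py (hunk `@@ -16,9 +16,9 @@`, where only its trailing whitespace changes) does not describe the line beneath it, which writes `whoami.exe` into the file; `# Create a one-line script that runs whoami.exe` does. Since the file is opened in binary mode, `f.write(b"whoami.exe\n")` states the intent more directly than encoding a str literal. main begins above the hunk and continues past it.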
@@ -9,7 +9,7 @@ def encode(command): - return base64.b64encode(command.encode('utf-16le')) + return base64.b64encode(command.encode('utf-16le')).decode() def main():
diff --git a/red_ttp/smb_connection.py b/red_ttp/smb_connection.py
index d34158b..1d87d82 100755
--- a/red_ttp/smb_connection.py
+++ b/red_ttp/smb_connection.py
@@ -16,7 +16,7 @@ def main(ip=common.LOCAL_IP): s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((ip, 445)) common.log("Sending HELLO") - s.send("HELLO!") + s.send("HELLO!".encode()) common.log("Shutting down the conection...") s.close() common.log("Closed connection to {}:{}".format(ip, SMB_PORT))
@@ -24,4 +24,3 @@ def main(ip=common.LOCAL_IP): if __name__ == "__main__": exit(main(*sys.argv[1:])) -
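Review bot: encode (hunk `@@ -9,7 +9,7 @@`) has no docstring even though main depends on the exact format it returns; `"""Return *command* as a base64 string of its UTF-16LE bytes, the form the `-encoded` argument in main expects."""` would pin that contract. The appended `.decode()` is applied to base64 output, which is ASCII by construction, so `.decode("ascii")` states that assumption rather than relying on the default codec.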
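Review bot: `s.send("HELLO!".encode())` in smb_connection.py (hunk `@@ -16,7 +16,7 @@`) may legitimately write fewer bytes than given and its return value is ignored; `s.sendall(b"HELLO!")` is the call that guarantees the whole buffer is written. In the same function `s.connect((ip, 445))` hard-codes the port while the closing log line reports `SMB_PORT`, so `s.connect((ip, SMB_PORT))` keeps the log from disagreeing with what was actually connected. The socket is also only closed on the success path; `with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:` (or a try/finally) releases it when connect raises. main begins above the hunk.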