Maintaining Access
After gaining access and escalating privileges on the target system, attackers try to maintain that access for further exploitation of the system, or to use the compromised system as a launchpad from which to attack other systems in the network. Attackers remotely execute malicious applications such as keyloggers, spyware and other malicious programs to keep their access to the target system and steal critical information such as usernames and passwords. They hide these malicious programs or files using rootkits, steganography, NTFS data streams, etc. so that their access to the target system persists.
Executing Applications
– Attackers use malicious applications to own the system
– execute malicious programs remotely on the victim's machine to gather information that leads to exploitation or loss of privacy, gain unauthorized access to system resources, crack passwords, capture screenshots, or install a backdoor to maintain easy access.
| Backdoors | Programs designed to deny or disrupt operation, gather information that leads to exploitation or loss of privacy, or gain unauthorized access to system resources |
| Crackers | Programs designed for cracking code or passwords |
| Keyloggers | Record each keystroke made on the computer keyboard |
| Spyware | Spy software that may take screenshots and send them to a location specified by the attacker |
Remote Code Execution Techniques – Backdoor
| Exploitation for Client Execution | – Insecure coding practices in software can make it vulnerable to various attacks – targets vulnerabilities in software and exploits them with the objective of arbitrary code execution to maintain access – web browser-based exploitation, Office application-based exploitation, third-party application-based exploitation |
| Service Execution | – system services that run in the background of the OS – run binary files or commands that communicate with Windows system services such as the Service Control Manager |
| Windows Management Instrumentation (WMI) | – features that provide a platform for accessing Windows system resources locally and remotely – attackers exploit WMI features to interact with the remote target system, gather information on system resources, and execute code for maintaining access |
| Windows Remote Management (WinRM) | – Windows-based protocol that allows a user to run an executable file and modify system services and the registry on a remote system – attackers use WinRM to execute a payload on the remote system |
Tools for executing Applications
Dameware Remote Support – Remote control and systems management tool that simplifies remote Windows administration.
Other tools
– Ninja
– Pupy
– PDQ Deploy
– ManageEngine Desktop Central
– PsExec
Keylogger
– Programs that monitor keystrokes as the user types on a keyboard, log them to a file, or transmit them to a remote location
– gather confidential information
– Physical keyloggers are placed between the keyboard hardware and the OS

Types of Keystroke Loggers

Hardware Keyloggers
| PC/BIOS Embedded | BIOS-level firmware that is responsible for managing the keystrokes that are typed |
| Keyboard Keylogger | Attached to the keyboard cable connector; captures keystrokes |
| External Keylogger – PS/2 / USB keylogger | no software/OS dependency |
| External Keylogger – Acoustic/CAM keylogger | captures electromagnetic or sound waves |
| External Keylogger – Bluetooth keylogger | attacker accesses the target once, then retrieves data over Bluetooth |
| External Keylogger – Wi-Fi keylogger | same as USB, but connects via Wi-Fi and can be accessed remotely |
Hardware: KeyGrabber USB, KeyCarbon, Keyboard Logger, KeyGhost, KeyKatcher
Software Keyloggers
| Application Keylogger | – can record everything happening within the network |
| Kernel/Rootkit/Device Driver Keylogger | – kernel level, difficult to detect; acts as a device driver |
| Hypervisor-Based Keylogger | – works within a malware hypervisor operating on the OS |
| Form-Grabbing-Based Keylogger | – records web form data and submits it over the internet, bypassing HTTPS encryption – records web browsing data on the "submit event" function |
| JavaScript-Based Keylogger | – attackers inject malicious JavaScript tags into the webpage to listen for key events – the script is injected via MITM or cross-site scripting |
| Memory-Injection-Based Keylogger | – modifies the memory tables associated with the web browser and system functions to log keystrokes |
Windows: Spyrix Keylogger, REFOG Personal Monitor, All In One Keylogger, Elite Keylogger, StaffCop Standard, Spytector
macOS: Refog Mac Keylogger, Spyrix Keylogger for Mac, Elite Keylogger for Mac, Aobo Mac OS X Keylogger, Perfect Keylogger for Mac, KidLogger for Mac
Remote Keylogger Attack Using Metasploit
– Attackers use Metasploit to launch persistent keylogging
– run ps, then getpid, then migrate to the PID of svchost.exe
– use keyscan_start to initiate the keylogging process
– use keyscan_dump to sniff the keystrokes of the user on the machine
– use keyscan_stop to stop sniffing
– automate by using the lockout_keylogger module
Spyware
– stealthily records the user's interaction with the computer and the internet
– like a trojan horse, usually bundled as a hidden component of freeware programs
– gathers information about the victim and the organization
Spyware Propagation – means of installation without the user's consent
| Drive-by download | Piggybacked software installation |
| Masquerading as anti-spyware | Browser add ons |
| Web browser vulnerability exploits | Cookies |
Spyware Tools: Spytech SpyAgent, Power Spy
Types of Spyware
| Desktop Spyware | live recordings of remote desktop internet activities, software usage and timing activity logs, user's keystrokes |
| Email Spyware | monitors, records and forwards all incoming and outgoing email |
| Internet Spyware | monitors all webpages accessed by the users; able to block websites |
| Child Monitoring Spyware | tracks and monitors children's activities on the computer, online and offline; able to restrict web access |
| Screen-capturing Spyware | monitor activities by taking snapshots, capture keystrokes, mouse activity, visited URL, etc. |
| USB Spyware | copies spyware from a USB device to a computer without any request or notification. monitors and captures everything |
| Audio Spyware | sound surveillance program |
| Video Spyware | video surveillance program |
| Print Spyware | monitor printer usage, number of pages printed, date/time, content, etc. |
| Telephone/Cellphone Spyware | monitors phone usage and activities |
| GPS Spyware | device or software using GPS to determine location of vehicle, person, attached/installed asset |
Defense against Keyloggers
| Use pop-up blockers and avoid opening junk mail | Use keystroke interference software that inserts randomized characters into every keystroke |
| Install anti-spyware/antivirus programs | Scan files before installing; use the registry editor or Process Explorer to check for keystroke loggers |
| Install professional firewall software and anti-keylogging software | Use the Windows on-screen keyboard for passwords and confidential information |
| Recognize phishing emails and delete them | Install a host-based IDS |
| Regularly update and patch system software | Use an automatic form-filling password manager or a virtual keyboard |
| Do not click on unsolicited/dubious emails | Frequently scan and monitor the changes in the system or network |
| Restrict physical access to sensitive computer systems |
| Check the keyboard interface so that no extra component is plugged into the keyboard cable connector |
| Use encryption between the keyboard and the driver |
| Use an anti-keylogger that detects the presence of hardware keyloggers |
| Use an on-screen keyboard |
| Check monitor cables for hardware keyloggers |
| Set up video surveillance around the computer desk |
| Disable USB ports or set up advanced BIOS authentication to enable the BIOS |
Anti-keyloggers: Zemana AntiLogger, GuardedID, KeyScrambler, Oxynger KeyShield, Ghostpress, SpyShelter Silent Anti-Logger
Defense against Spyware
| Avoid using any computer systems you do not have control over | Use anti-spyware |
| Set browser security settings to medium or high | Surf the web safely |
| Avoid suspicious emails and websites | Avoid working in administrative mode |
| Use a firewall to enhance the security level | Keep OS patching up to date |
| Update the firewall with outbound protection | Avoid free music files, screensavers or emoticons from the internet |
| Check Task Manager and MS Configuration Manager reports | Beware of pop-up windows or webpages; never click anywhere on these windows |
| Update virus definition files | Read disclosures, license agreements and privacy statements before installing any application |
Anti-spyware: SUPERAntiSpyware, Kaspersky Total Security, SecureAnywhere Internet Security, Adaware Antivirus, MacScan, Norton Antivirus
Rootkits
- Rootkits are programs that hide their presence as well as the attacker's malicious activities, granting them full access to the server or host at that time and in the future
- Rootkits replace certain operating system calls and utilities with their own modified versions of those routines, which in turn undermine the security of the target system and cause malicious functions to be executed
| Attacker places a rootkit by | Objectives |
| – scanning for vulnerable devices – wrapping it in a special package – installing it on a public machine through social engineering – zero-day attack | – root the host system and gain a remote backdoor – mask the attacker's tracks – gather sensitive data and network traffic from the system – store other malicious programs |
Types of Rootkits
| Hypervisor Level rootkit – acts as a hypervisor and modifies the boot sequence of the computer system to load the host operating system as a VM |
| Hardware/Firmware rootkit – Hides in hardware devices or platform firmware that are not inspected for code integrity |
| Kernel Level rootkit – adds malicious code or replaces the original OS kernel and device driver codes |
| Boot Loader Level rootkit – replaces the original boot loader with the one controlled by a remote attacker |
| Application Level/User mode rootkit – replaces regular application binaries with a fake trojan or modifies the behavior of the existing applications by injecting malicious code |
| Library Level rootkit – replaces the original system calls with fake ones to hide information about the attacker |
How a Rootkit works
System hooking is the process of changing and replacing the original function pointer with a pointer provided by the rootkit in stealth mode. Inline function hooking is a technique in which a rootkit changes some of the bytes of a function inside the core system DLLs, replacing an instruction so that any process call hits the rootkit first.

Direct kernel object manipulation (DKOM) rootkits can locate and manipulate the "System" process in the kernel memory structures and patch it. By manipulating the OS's list of active processes they can also hide processes and ports, change privileges, and mislead the Windows Event Viewer without any problem.
Tools
- PurpleFox – distributed via a fake malicious Telegram installer; the trojan comes in both 32-bit and 64-bit Windows versions and can be used for hiding within the system and maintaining persistence.
- MoonBounce – concealed within the UEFI firmware in the SPI flash and scheduled to execute at a specific time; injects a malicious driver into the Windows kernel during the boot process.
- Demodex Rootkit – can survive OS reinstallation; conceals malware fingerprints such as files, registry keys and network traffic.
- Others: Moriya, iLOBleed, Netfilter, Skidmap
Detecting Rootkits
- Integrity-Based detection – compares snapshot of the file system, boot records or memory with a known trusted baseline
- Signature-Based detection – compares the characteristics of all system processes and executable files with a database of known rootkit fingerprints
- Heuristic/Behavior-Based detection – deviations from the system's normal activity indicate the presence of a rootkit
- Runtime execution path profiling – compares the runtime execution paths of all system processes before and after rootkit infection
- Cross View-Based detection – enumerates key elements in the computer system such as system files, processes and registry keys, and compares them to a similar data set generated by an algorithm that does not rely on the common APIs. Discrepancies between the two data sets indicate the presence of a rootkit
- Alternative trusted medium – the infected system is shut down and then booted from alternative trusted media to find traces of the rootkit
- Analyzing memory dumps – the RAM of the suspected system is dumped and analyzed to detect the rootkit in the system
Steps for detecting rootkits
| Step 1 – Run “dir /s /b /ah” and “dir /s /b /a-h” inside the potentially infected OS and save the results |
| Step 2 – Boot into a clean CD, run “dir /s /b /ah” and “dir /s /b /a-h” on the same drive and save the results |
| Step 3 – Run the latest version of WinMerge on the two sets of results to detect file-hiding ghostware. |
| There will be some false positives. This also does not detect stealth software that hides in the BIOS, video card, EEPROM, bad sectors, or alternate data streams. |
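Steps 1 to 3 above, as an added example that is not part of the original notes: a Python script that compares the two saved dir /s /b listings (the view from inside the suspect OS against the view from clean boot media) and reports what the running OS failed to show. The sample listings are constructed; the script also normalises drive letters and case, since rescue media often mount the volume under a different letter.

```python
"""Cross-view comparison of two 'dir /s /b' listings (rootkit detection steps above).

The first listing was saved inside the suspect OS, the second after booting
clean media. A file present on disk in the clean view but missing from the
in-OS view has been hidden from the running OS, the classic symptom of a
file-hiding rootkit. Paths are normalised first (drive letter dropped, case
folded, separators unified) because rescue media commonly mount the volume
under a different drive letter, which would otherwise flag every file.
"""
from __future__ import annotations

import re

_DRIVE = re.compile(r"^[A-Za-z]:")


def normalize(path: str) -> str:
    """Drop the drive letter, unify separators, fold case (NTFS is case-insensitive)."""
    p = _DRIVE.sub("", path.strip())
    return p.replace("/", "\\").rstrip("\\").lower()


def parse_listing(text: str) -> set[str]:
    """Turn saved 'dir /s /b' output (the /ah and /a-h runs concatenated) into a set."""
    return {normalize(line) for line in text.splitlines() if line.strip()}


def cross_view_diff(inside_os: str, clean_boot: str) -> dict[str, list[str]]:
    """Compare the two views.

    hidden_from_os: on disk (clean view) but absent from the in-OS listing;
                    investigate these first.
    only_in_os:     present only while the OS runs (pagefile, volatile temp
                    files); expected noise, listed so the analyst can judge.
    """
    inside = parse_listing(inside_os)
    clean = parse_listing(clean_boot)
    return {
        "hidden_from_os": sorted(clean - inside),
        "only_in_os": sorted(inside - clean),
    }


# Constructed sample listings (not from a real system). The rescue environment
# mounted the same volume as D: instead of C:.
INFECTED_VIEW = """\
C:\\Windows\\System32\\drivers\\etc\\hosts
C:\\Windows\\System32\\svchost.exe
C:\\pagefile.sys
C:\\Users\\alice\\Documents\\report.docx
"""

CLEAN_VIEW = """\
D:\\Windows\\System32\\drivers\\etc\\hosts
D:\\Windows\\System32\\svchost.exe
D:\\Windows\\System32\\drivers\\example_hidden.sys
D:\\Users\\alice\\Documents\\report.docx
D:\\Users\\alice\\AppData\\Local\\Temp\\example_stage.tmp
"""

if __name__ == "__main__":
    for kind, paths in cross_view_diff(INFECTED_VIEW, CLEAN_VIEW).items():
        print(kind)
        for p in paths:
            print("    " + p)
```

Feed it the concatenation of the /ah and /a-h outputs from each environment; the "only_in_os" list is mostly pagefile and temp noise, while anything in "hidden_from_os" deserves a look.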
Defense against Rootkits
| Reinstall the OS/applications from a trusted source | Update and patch the OS, applications and firmware |
| Maintain well-documented automated installation procedures | Regularly verify the integrity of system files using cryptographically strong digital fingerprint technology |
| Perform kernel dump analysis to determine the presence of rootkits | Update antivirus and anti-spyware |
| Harden the workstation or server | Avoid logging in with administrative privileges |
| Educate staff to avoid downloading any files from untrusted sources | Apply the principle of least privilege |
| Install network- and host-based firewalls | Use antivirus software with rootkit protection |
| Ensure the availability of trusted restoration media | Avoid installing unnecessary applications; disable features/services if not used |
Tools
GMER – detects and removes rootkits by scanning processes, threads, modules, services, etc.
Others: stinger, Avast One, TDSSKiller, Malwarebytes Anti Rootkit, Rootkit Buster
NTFS Data Streams

NTFS is a filesystem that stores files with the help of two data streams, called NTFS data streams, along with the file attributes. The first data stream stores the security descriptor for the file, such as its permissions; the second stores the data within the file. Alternate data streams (ADS) are another type of named data stream that can be present in each file.

An ADS refers to any type of data attached to a file, but not in the file on an NTFS system. ADS is not contained in the master file table but attached to it through the file table.
How to create NTFS streams
| Step 1 – Launch c:\>notepad myfile.txt:lion.txt click “yes” to create the new file, enter some data and save the file |
| Step 2 – Launch c:\>notepad myfile.txt:tiger.txt click “yes” to create the new file, enter some data and save the file |
| Step 3 – View the size of the myfile.txt (it should be zero) |
| Step 4 – To view or modify the stream data hidden in step 1 and 2, use the following commands respectively – notepad myfile.txt:lion.txt, notepad myfile.txt:tiger.txt |
NTFS streams Manipulation
| Step 1 – To move the contents of Trojan.exe into a stream of Readme.txt: c:\>type c:\Trojan.exe > c:\readme.txt:Trojan.exe – the type command hides a file in an alternate data stream |
| Step 2 – To create a link to the Trojan.exe stream inside the Readme.txt file: c:\>mklink backdoor.exe Readme.txt:Trojan.exe |
| Step 3 – To execute the Trojan.exe inside the Readme.txt stream: c:\>backdoor |
Defense against NTFS Streams
| To delete NTFS streams, move the suspected files to a FAT partition |
| Use a file integrity checker |
| Use Stream Detector or GMER to detect streams |
| Enable real-time antivirus scanning against execution of malicious streams in the system |
| Keep antivirus software up to date |
Countermeasure for NTFS streams
- LADS – searches for streams and reports the presence of ADS
- Move the file to FAT partition and move back. FAT does not support ADS, this effectively removes ADS from files.
- Stream Armor – discovers hidden ADS and cleans them completely
- Others: Stream Detector, GMER, ADS Manager, ADS Scanner, Streams
Steganography
- Technique of hiding a secret message within an ordinary message and extracting it at the destination.
- Utilizing a graphic image as a cover

Classification of Steganography

- Technical Steganography – uses physical or chemical methods to hide the existence of a message.
– Invisible ink – colorless liquid that can later be made visible
– Microdots – text or an image considerably condensed in size, fitting up to one page in a single dot, to avoid detection by unintended recipients
– Computer-based methods – make changes to digital carriers to embed information foreign to the native carrier. The carrier can be text, binary files, disk and storage devices, or network protocols.
— Substitution Techniques – encode the secret information by substituting insignificant bits of the cover with the secret message
— Transform Domain Techniques – hide the information in significant parts of the cover image, so that it survives operations such as cropping and compression
— Spread Spectrum Techniques – the sender increases the band spread by means of a code (independent of the data), and the receiver uses synchronized reception with the same code to recover the information from the spread-spectrum data
— Statistical Techniques – utilize '1-bit' steganography schemes: the cover is modified in such a way that, when a 1 is transmitted, some of its statistical characteristics change significantly, and is left unchanged otherwise, so that modified and unmodified covers can be distinguished
— Distortion Techniques – apply a sequence of modifications to the cover to obtain the stego-object. The sequence of modifications represents the transformation of a specific message; decoding requires knowledge of the original cover.
— Cover Generation Techniques – digital objects are developed specifically to cover secret communication; encoding the information itself generates the cover for the secret communication
- Linguistic Steganography
– Semagrams – hide information with the help of signs or symbols.
— Visual semagrams – hide information in a drawing, painting, letter, music or a symbol
— Text semagrams – hide a text message by converting or transforming the appearance of the carrier text, such as by changing font sizes or styles, or adding extra spaces as whitespace in a document.
– Open Codes – hide the secret message in a legitimate carrier message specially designed in a pattern on a document that is unclear to the average reader. The carrier message is known as the overt communication, the secret message as the covert communication.
— Jargon codes – language that can be understood only by a particular group
— Covered Cipher – hides the message in a carrier medium visible to everyone. The message can be extracted by any person with knowledge of the method used to hide it
— Null cipher – hides the message within a large amount of useless data. The original data are mixed with the unused data in an order that no one can understand other than those who know the order.
— Grille cipher – encrypts plaintext by writing it onto a sheet of paper through a pierced (stenciled) sheet.
Types of Steganography based on Cover Medium
- Image steganography
— Least-Significant Bit Insertion
— Masking and Filtering
— Algorithms and Transformation
– OpenStego – data hiding, watermarking
– StegOnline, Coagula, QuickStego, SSuite Picsel, CryptaPix
- Document steganography
– StegoStick – hides a file in any other file, image, audio or video
– SNOW, StegJ, Data Stash, Texto
- Folder steganography
– hiding secret information in folders
– GiliSoft File Lock Pro
– Folder Lock, Hide Folder 5, InvisibleSecrets, QuickCrypto
- Video steganography
– OmniHide Pro – hides any file within an image, video or music file
- Audio steganography
– Echo Data Hiding – by adding an echo into the audio
– Spread Spectrum Method
— Direct-Sequence Spread Spectrum (DSSS) – frequency modulation technique that spreads a low-bandwidth signal over a broad frequency range to enable sharing of a single channel between multiple users; transposes the secret message into radio-wave frequencies.
— Frequency Hopping Spread Spectrum (FHSS) – alters the audio file's frequency spectrum so that it hops rapidly between frequencies. Used in secure commercial and military communications.
– LSB Coding – inserts the secret binary message in the least significant bit of each sampling point of the audio signal
– Tone Insertion – embeds data in the audio signal by inserting low-power tones.
– Phase Encoding – the initial audio segment is substituted by a reference phase that represents the data.
– DeepSound
– BitCrypt, StegoStick, MP3Stego, QuickCrypto, Spectrology
- Whitespace steganography
– SNOW – for whitespace steganography
- Web steganography
– hides web objects behind other objects and uploads them to a web server
- Spam/email steganography
– sending secret messages by embedding them and hiding the embedded data in spam emails.
– Spam Mimic – encodes secret messages into innocent-looking emails
- DVD-ROM steganography
– the user embeds the content in audio and graphical data
- Natural text steganography
– process of converting sensitive information into user-definable free speech, such as a play
- Hidden OS steganography
– hiding one OS in another
- C++ source-code steganography
– users hide a set of tools in the files
For mobile phones – Segais, SPY PIX, PixelKnot, NoClue, Photo Hidden Data
Steganalysis
Reverse process of steganography – the art of discovering and rendering covert messages hidden using steganography
– detects hidden messages embedded in image, text, audio and video carrier media
Challenges of Steganalysis
- suspect information stream may or may not have encoded hidden data
- efficient and accurate detection of hidden content within digital images is difficult
- the message could be encrypted before being inserted into a file or signal
- some of the suspect signals or files may have irrelevant data or noise encoded into them
Steganalysis Methods/Attacks on Steganography
| Stego-only – only stego object is available for analysis |
| Known-stego – attacker has access to the stego algorithm, cover medium and stego-object |
| Known-message – attacker has access to the hidden message and the stego object |
| Known-cover – compares the stego-object and the cover medium to identify the hidden message |
| Chosen-message – generates stego-objects from a known message using tools in order to identify the algorithm |
| Chosen-stego – attacker has access to the stego-object and the stego algorithm |
| Chi-Square – probability analysis to test whether the stego-object and the original data are the same or not |
| Distinguishing statistical – analyzes the embedding algorithm; used to detect distinguishing statistical changes along with the length of the embedded data |
| Blind Classifier – a blind detector is fed with the original unmodified data to learn the characteristics of the original data from multiple perspectives |
Detecting Steganography
| Text file | – alterations are made to the character positions to hide the data – alterations are detected by looking for text patterns or disturbances and an unusual amount of blank spaces |
| Image file | – hidden data in an image can be detected by determining changes in size, file format, or last modification timestamp pointing to the existence of hidden data – statistical analysis methods are used for image scanning |
| Audio file | – use steganalysis methods for detecting LSB modifications – inaudible frequencies – odd distortions and patterns |
| Video file | – detection of secret data in video files combines the methods used for image and audio files |
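The LSB coding and the chi-square steganalysis attack described above (and the statistical image-scanning row of the table), as an added example that is not part of the original notes: Python code that embeds a message in the LSBs of a constructed 8-bit cover and then computes the pairs-of-values chi-square statistic that exposes it. The cover and the message are constructed test data, not a real image.

```python
"""LSB coding and the chi-square (pairs-of-values) attack, on a constructed cover.

Embedding overwrites the least significant bit of successive 8-bit samples
(pixels or audio sample points) with message bits. Sequential LSB embedding
pushes the histogram counts of each pair of values (2k, 2k+1) toward
equality, because only the LSB ever changes; the chi-square attack measures that.
"""
from __future__ import annotations

import random


def embed_lsb(cover: bytes, message: bytes) -> bytes:
    """Return a copy of cover whose LSBs carry the message bits, MSB first."""
    bits = [(byte >> (7 - i)) & 1 for byte in message for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("message does not fit in cover")
    out = bytearray(cover)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit
    return bytes(out)


def extract_lsb(stego: bytes, length: int) -> bytes:
    """Read length bytes back out of the LSBs of stego (the receiver side)."""
    out = bytearray()
    for i in range(length):
        byte = 0
        for j in range(8):
            byte = (byte << 1) | (stego[i * 8 + j] & 1)
        out.append(byte)
    return bytes(out)


def chi_square_pov(samples: bytes) -> float:
    """Chi-square statistic over the 128 pairs of values (2k, 2k+1).

    Under the hypothesis "LSBs were overwritten with random message bits" the
    expected count of each member of a pair is the pair mean. A natural cover
    (unequal pair counts) yields a large statistic; a fully embedded region a
    small one. In practice it is computed over growing windows of the file to
    estimate how much of it carries a message.
    """
    hist = [0] * 256
    for s in samples:
        hist[s] += 1
    chi2 = 0.0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2.0
        if expected > 0:
            chi2 += (even - expected) ** 2 / expected
    return chi2


def make_cover(n: int, seed: int = 7) -> bytes:
    """Constructed cover: 8-bit samples biased toward even values, mimicking
    the uneven pair histogram of quantised image data (not a real image)."""
    rng = random.Random(seed)
    return bytes(
        rng.randrange(0, 256, 2) if rng.random() < 0.8 else rng.randrange(256)
        for _ in range(n)
    )


def make_message(n: int, seed: int = 1) -> bytes:
    """Constructed secret: n pseudo-random bytes (e.g. an encrypted payload)."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(n))


if __name__ == "__main__":
    cover = make_cover(4096)
    secret = make_message(512)          # 512 bytes = 4096 bits fills the cover
    stego = embed_lsb(cover, secret)
    assert extract_lsb(stego, len(secret)) == secret
    print(f"chi-square cover : {chi_square_pov(cover):8.1f}")
    print(f"chi-square stego : {chi_square_pov(stego):8.1f}   (much smaller)")
```

The statistic drops by more than an order of magnitude once the cover is fully embedded, which is why sequential LSB embedding of a random-looking (e.g. encrypted) payload is easy to detect; a partially embedded file is found by sliding the window over the sample sequence.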
Steganography Detection Tools
zsteg – detect stegano-hidden data in PNG and BMP files
Others: StegoVeritas, Stegextract, StegoHunt MP, Steganography Studio, Virtual Steganographic Laboratory
Maintaining Persistence by Abusing Boot or Logon AutoStart execution
Attackers abuse system boot or logon autostart programs for escalating privileges and maintaining persistence by applying custom configuration settings on the compromised machine
- Registry Run keys
– enumerating assigned permissions using winPEAS
- Startup files
– abusing the Startup folder using icacls
– using accesschk.exe to identify permissions
Domain Dominance Through Different Paths
Domain dominance is the process of taking control over critical assets such as domain controllers in a target network and gaining access to other network resources.
Domain Dominance Techniques
- Remote code execution – attackers attempt to execute malicious code on the target domain controller through the CLI to launch a domain dominance attack
— WMIC, PsExec.exe
- Abusing Data Protection API – Windows domain controllers hold a master key that decrypts DPAPI-protected files, so attackers want to obtain that master key
— Mimikatz
- Malicious replication – enables attackers to create an exact copy of user data, such as the krbtgt account's secrets, using admin credentials
- Skeleton key attack – a skeleton key is a form of malware that attackers use to inject false credentials into domain controllers to create a backdoor password. It is a memory-resident virus that enables an attacker to obtain a master password to authenticate as a legitimate user in the domain
- Golden ticket attack – a post-exploitation technique implemented by attackers to gain complete control over the entire Active Directory (AD). Attackers forge Ticket Granting Tickets (TGTs) by compromising the Key Distribution Service account (KRBTGT) to access various AD resources
- Silver ticket attack – a post-exploitation technique implemented by an attacker to steal legitimate users' credentials and create a fake Kerberos Ticket Granting Service (TGS) ticket
– To initiate this attack, the attacker must have access to credentials gathered from a local service account or the system's SAM database
– The attacker creates a forged Kerberos TGS ticket using the mimikatz tool to establish a connection with the target service