Maintaining Access

After gaining access and escalating privileges on the target system, now attackers try to maintain their access for further exploitation of the target system or make the compromised system a launchpad from which to attack other systems in the network. Attackers remotely execute malicious applications such as keyloggers, spyware, and other malicious programs to maintain their access to the target system and steal critical information such as usernames and passwords. Attackers hide their malicious programs or files using rootkits, steganography, NTFS data streams, etc. to maintain their access to the target system.

Executing Applications

– Attackers use malicious applications to own the system
– executes malicious programs remotely in the victim’s machine to gather information that leads to exploitation or loss of privacy, gain unauthorized access to system resources, crack the password, capture screenshot, install backdoor to maintain easy access.

Backdoors	Program designed to deny or disrupt the operation, gather information that leads to exploitation, loss of privacy, gain unauthorized access to system resources
Crackers	Programs designed for cracking code or passwords
Keyloggers	record each key stroke made on the computer keyboard
Spyware	Spy software may do screenshots, send to specified location defined by hacker.

Remote Code Execution Techniques – Backdoor

Exploitation for Client execution	– Unsecure coding practices in software can make it vulnerable to various attacks – targets vulnerabilities in software and exploits with an objective of arbitrary code execution to maintain access Web browser Base exploitation Office Application Based exploitation Third-Party Application Based exploitation
Service execution	– system services that run at the backend of the OS – Run binary files or commands that communicate with the windows system services such as Service Control Manager
Windows Management Instrumentation (WMI)	– features that provides platform for accessing Windows system resources locally and remotely – exploit WMI features to interact with the remote target system and use it to perform information gathering on systems resources, execute code for maintaining access
Window Remote Management (WinRM)	– Window based protocol to allow a user run an executable file, modify system services and registry on a remote system – use winrm to execute payload on remote system

Tools for executing Applications

Dameware Remote Support – Remote control and systems management tool that simplifies remote Windows administration.
Other tools
– Ninja
– Pupy
– PDQ Deploy
– ManageEngine Desktop Central
– PsExec

Keylogger

– Programs that monitor keystroke as the user types on a keyboard, logs onto a file, or transmits them to a remote location
– gather confidential information
– Physical keyloggers are placed between the keyboard hardware and the OS

Types of Keystroke Loggers

Hardware Keyloggers

PC/BIOS Embedded	BIOs-level firmware that is responsible for managing the keystrokes that are typed
keylogger Keyboard	Attached to the keyboard cable connector, capture keystrokes
External Keylogger	PS/2 / USB keylogger – no software/ OS dependency Acoustic/CAM keylogger – electromagnetic sound waves Bluetooth keylogger – access the target once, using bluetooth Wifi Keylogger – same as USB, Connect via Wifi, can remote access

Hardware : Keygrabber USB, KeyCarbon, Keyboard logger, KeyGhost, KeyKatcher

Software Keyloggers

Application Keylogger	– can record everything happening within the network
Kernel/Rootkit/Device Driver Keylogger	– Kernel level, difficult to detect, acts as driver driver
Hypervisor Based Keylogger	– works within a malware hypervisor operating on the OS
Form-Grabbing-Based Keylogger	– records web form data and submits over internet, bypassing https encryption. – recording web browsing on the “submit event” function
Javascript-Based Keylogger	– attackers inject malicious javascript tags on the webpage to listen to key events. – mitm, cross site scripting to inject script
Memory-Injection-Based Keylogger	– modify the memory tables associated with the web browser and system functions to log keystrokes.

Windows : Spyrix Keylogger, REFOG Personal Monitor, All in one keylogger, Elite Keylogger, StaffCorp Stardard, Spytector
MacOS : Refog Mac keylogger, spyrix keylogger for Mac, Elite Keylogger for Mac, Aobo Mac OS X Keylogger, Perfect Keylogger for Mac, Kidlogger for MAC

Remote Keylogger Attack Using Metasploit
– Attackers use Metasploit to launch persistent keylogging
do ps -> getpid -> migrate pid of svchost.exe
– Use Keyscan_start to initiate the keylogging process
– Use Keyscan_dump to sniff the keystroke of the user on the machine
– use keyscan_stop to stop sniffing

Automate by using lockout_keylogger exploit

Spyware

– stealthy records user interaction with the computer and the internet
– like trojan horse, usually bundled as a hidden component off freeware programs
– gather information about the victim and organization

Spyware Propagation – means install without user’s consent

Drive-by download	Piggybacked software installation
Masquerading as anti-spyware	Browser add ons
Web browser vulnerability exploits	Cookies

Spyware Tools: Spytech SpyAgent, Power Spy

Type of Spyware

Desktop Spyware	live recordings of remote desktop internet activities, software usage and timings activity logs, user’s keystrokes
Email Spyware	monitor, records, forwards all incoming and outgoing email.
Internet Spyware	monitor all webpages access by the users, able to block websites
Child Monitoring Spyware	track and monitor children activities on computer, online and offline. able to restrict web
Screen-capturing Spyware	monitor activities by taking snapshots, capture keystrokes, mouse activity, visited URL, etc.
USB Spyware	copies spyware from a USB device to a computer without any request or notification. monitors and captures everything
Audio Spyware	sound surveillance program
Video Spyware	video surveillance program
Print Spyware	monitor printer usage, number of pages printed, date/time, content, etc.
Telephone/Cellphone Spyware	monitor phone and activities
GPS Spyware	device or software using GPS to determine location of vehicle, person, attached/installed asset

Defense against Keyloggers

Use pop-up blockers and avoid opening Junk Mails	Use keystroke interference software that inserts randomized char into every keystroke
install antispyware/ anti virus programs	Scan the files before installing, use registry editor or process explorer to check for keystroke loggers
Install professional firewall software and anti-keylogging software	Use windows on-screen keyboard for password and confidential information
Recognize phishing emails and email them	Install host based IDS
Regularly update and patch system software	Use automatic form filling password manager or virtual keyboard
Do not click on this unsolicited/dubious emails	Frequently scan and monitors the changes in the system or network

Restrict physical access to sensitive computer systems

Check keyboard interface for no extra component are plugged into the keyboard cable connector

use encryption between keyboard and driver

use anti keylogger that detects the presence of hardware keylogger

use on-screen keyboard

check monitor cables to hardware keyloggers

setup video surveillance around the computer desk

disable USB ports or setup advanced BIOS authentication to enable BIOS

Anti Keyloggers: Zemana Antilogger, GardedID, Keyscrabler, Oxynger KeyShield, Ghostpress, SpyShelter Silent Antilogger

Defense against Spyware

Avoid using any computer systems you do not have control over	use anti spyware
Browser security settings to medium or high	perform web surfing safely
Suspiuous emails and websites	avoid administrative mode
firewall to enhance security level	OS patching on the date
update firewall with outbound protection	avoid free music files, screensavers or emoticons from internet
Check task manager and MS configuration manager reports	Beware of pop-up windows or webpages, never click anywhere on these windows
update virus definition files	Read disclosures, license agreement and privacy statement before installing any applications

Anti-Spyware : SUPERAnti Spyware, Kaspersky Total Security, SecureAnywhere Internet Security, Adaware Antivirus, MacScan, Norton Antivirus

Rootkits

• Rootkits are programs that hide their presence as well as attacker’s malicious activities, granting them full access to the server or host at that time, and in the future
• Rootkits replace certain operating system calls and utilities with their own modified versions of those routines that, in turn, undermine the security of the target system causing malicious functions to be executed

Attacker places a rootkit by	objectives
– Scanning for vulnerable devices – wrapping in special package – installing on public machine through social engineering – zero day attack	– root the host system and gain remote backdoor – mask attacker tracks – gather sensitive data, network traffic from the system – store other malicious programs

Hypervisor level rootkit – act as hypervisor and modifies the boot sequence of the computer system to load the host operating system as a vm

Hardware/Firmware rootkit – Hides in hardware devices or platform firmware that are not inspected for code integrity

Kernel Level rootkit – adds malicious code or replaces the original OS kernel and device driver codes

Boot Loader Level rootkit – replaces the original boot loader with the one controlled by a remote attacker

Application Level/User mode rootkit – replaces regular application binaries with a fake trojan or modifies the behavior of the existing applications by injecting malicious code

Library Level rootkit – replaces the original system calls with fake ones to hide information about the attacker

How a Rootkit works

System hooking is the process of changing and replacing the original function pointer with a pointer provided by the rootkit in stealth mode. The incline function hooking is a technique in which a rootkit changes some of the bytes of a function inside the core system DLLs, replacing an instruction so that any process calls hit the rootkit first.

Direct kernel object manipulation (DKOM) rootkits can locate and manipulate the “system” process in the kernel memory structures and patch it. This can also hide processes and ports change privileges, and misguide the windows event viewer without any problem by manipulating the list of active processes of the OS.

Tools

• purplefox – distributed via a fake malicious telegram installer, can both 32-bit and 64-bit windows version trojan can be used for hiding within the system and maintaining persistence.
• MoonBounce – concealed within UEFI firmware in the SPI flash that is schedule to execute as a specific time. Inject malicious driver into the windows kernel during the boot process.
• Dubbed Demodex Rootkit – can survive OS reinstallation. Conceal malware fingerprints such as file, registry keys and network traffic.
• Others: Moriya, iLOBleed, Netfilter, Skidmap

Detecting Rootkits

• Integrity-Based detection – compares snapshot of the file system, boot records or memory with a known trusted baseline
• Signature-Based detection – compares the characteristics of all system processes and executable files with a database of known rootkit fingerprints
• Heuristic/ Behavior-Based detection – Deviations in the systems normal activity indicates the presence of a rootkit
• Runtime execution path profiling – compares runtime execution paths of all the system processes before and after rootkit infection
• Cross View-Based Detection -enumerates key elements in the computer system such as system files, processes ad registry keys and compares them to an algorithm used to generate a similar data set that does not rely on the common APIs. Discrepancies between the two data sets indicates a presence of a root kit
• Alternative trust medium – the infected system is shut down and then booted from an alternative trusted media to find traces of the rootkit
• Analyzing Memory Dumps – the RAM of the suspected system is dumped analyzed to detect the rootkit in the system

Steps for detecting rootkits

Step 1 – Run “dir /s /b /ah” and “dir /s /b /a-h” inside the potentially infected OS and save the results

Step 2 – Boot into a clean CD, run “dir /s /b /ah” and “dir /s /b /a-h” on the same drive and save the results

Step 3 – Run the latest version of WinMerge on the two sets of results to detect file-hiding ghostware.

There will be some false positive, Also does not detect stealth software that hides in BIOS, video card, EEPROM, bad sectors, alternate data streams.

Defense against Rootkits

Reinstall OS/application from a trust source	update and patch OS, application and firmware
Maintain well documented automated installation procedures	Regularly verify integrity of system files using cryptographically strong digital fingerprint tech
Perform kernel dumps analysis to determine the presence of rootkits	Update antivirus and anti-spyware
harden the workstation or server	Avoid logging with administrative privileges
educate staff to avoid downloading any files from untrusted sources	principal of least privilege
install network and host based firewalls	antivirus software with rootkit protection
Ensure the availability of trusted restoration media	avoid installing unnecessary application, disable features/services if not used

Tools

GMER-detect and removes rootkits by scanning processes, threads, modules, services etc.
Others: stinger, Avast One, TDSSKiller, Malwarebytes Anti Rootkit, Rootkit Buster

NTFS Data Streams

NTFS is a filesystem that stores file with the help of two data streams, called NTFS data streams, along with the file attributes. First data stream stores the security descriptor for the file to be stored, such as permissions, the second stores the data within a file. ADS are another type of named data stream that can be present in each file.

An ADS refers to any type of data attached to a file, but not in the file on an NTFS system. ADS is not contained in the master file table but attached to it through the file table.

How to create NTFS streams

Step 1 – Launch c:\>notepad myfile.txt:lion.txt click “yes” to create the new file, enter some data and save the file

Step 2 – Launch c:\>notepad myfile.txt:tiger.txt click “yes” to create the new file, enter some data and save the file

Step 3 – View the size of the myfile.txt (it should be zero)

Step 4 – To view or modify the stream data hidden in step 1 and 2, use the following commands respectively – notepad myfile.txt:lion.txt, notepad myfile.txt:tiger.txt

NTFS streams Manipulation

Step 1 – To move the contents of Trojan.exe to Readme.txt(stream): c:\type c:\Trojan.exe > c:\readme.txt:Trojan.exe the type command hides a file in an alternative data stream

Step 2 – To create a link to the Trojan.exe stream inside the readme.txt file c:\mklink backdoor.exe Readme.txt:Trojan.exe

Step 3 – To execute the Trojan.exe inside the Readme.txt(stream) c:\backdoor

Defense against NTFS Streams

To delete NTFS streams, move the suspected files to the FAT partition

file integrity checker

Stream detector or GMER to detect streams

Enable real-time antivirus scanning against execution of malicious streams in the system

up to date antivirus software

Countermeasure for NTFS streams

• LADS – searches for streams and reports the presence of ADS
• Move the file to FAT partition and move back. FAT does not support ADS, this effectively removes ADS from files.
• Stream Armor – discovers hidden ADS and cleans them completely
• Others : Stream Detector, GMER, ADS Manager, ADS Scanner, Streams

Steganography

• Technique of hiding a secret message within an ordinary message and extracting it at the destination.
• Utilizing a graphic image as a cover

Classification of Steganography

• Technical Steganography – Uses physical or chemical methods to hide the existence of a message.
  – invisible ink – colorless liquid that can later be made visible
  – microbots – text or image considerable condensed in size, fitting up to one page in a single dot, to avoid detection by unintended recipients
  – Computer-Based method – makes changes to digital carriers to embed information foreign to the native carriers. Communication can be in the form of text, binary files, disk and storage devices, network protocols.
  — Substitution Techniques – tries to encode secret info by substituting the insignificant bits with the secret message
  — Transform Domain Techniques – hides the info in significant parts of the cover image, such as cropping, compression etc
  — Spread spectrum Techniques – The sender increases the band spread by means of code (independent of data), and the receiver uses a synchronized reception with the coder to recover the information from the spread spectrum data
  — Statistical Techniques – utilizes the existence of ‘1-bit’ steganography schemes by modifying the cover in such a way that, when transmission of a 1 occurs, some of the statistical characteristics change significantly. Some unchanged, to distinguish between the modified and unmodified covers
  — Distortion Techniques – implements a sequence of modification the cover to obtain a stego-object. The sequence of modifications represents the transformation of a specific message. decoding the process requires knowledge about the original cover.
  — Cover Generation Techniques – digital objects are developed specifically to cover secret communication. When this information is encoded, it ensures that creation of a cover for the secret communication
• Linguistic Steganography
  – Semagrams – hides information with the help of signs or symbols.
  — visual semagrams – hides infomation in a drawing, painting, letter, music or a symbol
  — text semagras – hides text message by converting or transforming the appearance of the carrier text message, such by change the font size, styles, adding extra spaces as whitespaces in a doc.
• Open Codes – hides the secret message in a legit carrier message specially designed in a pattern on a document that is unclear to the average reader. Carrier message is known as a overt communication, the secret message is covert communication.
  — Jargon codes – language used that can be understood by the particular group
  — Covered Cipher – hides the message in a carrier medium visible to everyone. This type of message can be extracted by any person with the knowledge of the method used to hide it
  — Null cipher – hide the message within a large amount of useless data. the original data are mixed with the unused data in any order so that no one can understand it other than those who knows the order.
  — Grille cipher – encrypt plaintext by writing it onto a sheet of paper through a pierced (stenciled) sheet.

Types of Steganography based on Cover Medium

• Image steganography
  — least-Significant Bit Insertion
  — Masking and filtering
  — Algorithms and Transformation
  – Openstego – Data hiding, watermarking,
  – StegOnline, Coagula, QuickStego, SSuite Picsel, CryptaPix
  
• Document steganography
  – StegoStick – hide file in any other file, image, audio, video
  – SNOW, StegJ, Data Stash, Texto
  
• Folder steganography
  – hiding secret information in folders
  – GiliSoft File Lock Pro
  – Folder Lock, Hide Folder 5, InvisibleSecrets, QuickCrypto
  
• Video steganography
  – Omnihide Pro – hide any file within an image, video, music file
  
• Audio steganography
  – Echo Data Hiding – by adding echo into audio
  – Spread Spectrum Method
  — Direct-Sequence Spread Spectrum DSSS – frequency modulation technique, spread a signal of low bandwidth over a broad frequency range to enable sharing of a single channel between multiple users. transposes the secret messages in radio wave frequencies.
  — Frequency Hopping Spread Spectrum FHSS – alters the audio files frequency spectrum so that it hops rapidly between frequencies. Used in secured communications commercial, military.
  — LSB Coding – inserts a secret binary message in the least significant bit of each sampling point of the audio signal
  — Tone Insertion – embedding data in the audio signal by inserting low-power tones.
  — Phase Encoding – initial audio segment is substituted by a reference phase that represents the data.
  – DeepSound
  – BitCrypt. Stegostick, MP3Stego, QuickCrypto, spectrology
  
• White Space steganography
  – SNOW – for whitespace steganography
  
• Web steganography
  – Hides web objects behind other objects and uploads them to a webserver
  
• Spam/email steganography
  – Sending of secret message by embedding them and hiding the embedded data in spam emails.
  – Spam Mimic- encodes secret messages into innocent looking emails
  
• DVD-Rom steganography
  – the user embeds the content in audio and graphical data
  
• Natural text steganography
  – process of converting sensitive information into user-definable free speech as such as a play
  
• Hidden OS steganography
  – hiding one OS in another
  
• C++ source-code steganography
  – Users hides a set of tools in the files

For mobile phones – Segais, SPY PIX, PixelKnot, NoClue, Photo Hidden Data

Steganalysis

Reverse process of Stegnography – art of discoverying and rendering covert messages using stegnography
– detects hidden messages embedded in images, text, audo, and video carrier mediums

Challenges of Steganalysis

• suspect information stream may or may not have encoded hidden data
• efficient and accurate detection of hidden content within digital images is difficult
• the message could be encrypted before being inserted into a file or signal
• some of the suspect signals or files may have irrelevant data or noise encoded into them

Steganalysis Methods/Attacks on Steganography

Stego-only – only stego object is available for analysis

Known-stego – attacker has access to the stego algorithm, cover medium and stego-object

Known-message – attacker has access to the hidden message and the stego object

Known-cover – compares the stego-object and the cover medium to identify the hidden message

Chosen-message – generates stego-objects from a known message using tools in order to identify the algorithm

Chosen-stego – attacker has access to the stego0object and stego algorithm

Chi-Square – probability analysis to test whether the stego object and original data are the same or not

Distinguishing statistical – analyzes the embedded algorithm, used to detect distinguishing statistical changes along with the length of the embedded data

Blind Classifier – blind detector is fed with the original unmodified data to learn the resemblance of the original data from multiple prespectives.

Detecting Steganography

Text file	– alteration are made to the character positions to hide the data – alterations are detected by looking for text patterns or disturbances and unusual amount of blank spaces
Image file	– hidden data in an image can be detected by determining changes in size, file format, last mod time-stamp pointing to the existence of hidden data – statistical analysis method is used for image scanning
Audio file	– use steganalysis method for detecting LSB modifications – inaudible frequencies – odd distortions and patterns
Video file	– Detection fo secret data in video files includes a combination of methods used in image and audio files

Steganography Detection Tools

zsteg – detect stegano-hidden data in PNG and BMP files
others : StegoVeritas, Stegextract, StegoHUNT MP, Steganography Studio, virtual steganographic laboratory.

Maintaining Persistence by Abusing Boot or Logon AutoStart execution

Attackers abuse the system boot or logon autostart program for escalating privileges and maintaining persistence by applying custom configuration settings on the compromised machine

• Registry run keys
  – Enumerating Assign permission using winPEAS
• Startup files
  – abusing startup folder using icacls
  – using accesschk.exe for identifying permissions

Domain Dominance Through Different Paths

Domain dominance is a process of taking control over critical assets such as domain controllers on a target systems and gain access to other networks resources.

Domain Dominance Techniques

• Remote code execution – Attackers attempt to execute malicious code on the target domain controller through CLI to launch a domain dominance attack
  — WIMC, PsExec.exe
• Abusing Data Protection API – The Windows domain controllers contain a master key to decrypt DPAPl-protected files, attackers will want to obtain the master key
  — Mimikatz
• Malicious replication – enables attackers to create an exact copy of user data using the admin credentials. such as krbtgt
• Skeleton key attack – skeleton key is a form of malware that attackers use to inject false credentials into domain controllers to create a backdoor password. It is a memory-resident virus that enables an attacker to obtain a master password to validate themselves as a legitimate user in the domain
• Golder ticket attack – A golden ticket attack is a post-exploitation technique implemented by attackers to gain complete control over the ent i re Active Directory (AD) Attackers forge Ticket Granting Tickets (TGTs) by compromising a Key Distribution Service account (KRBTGT) to access various AD resources
• Silver ticket attacks- A silver ticket attack is a post-exploitation technique implemented by an attacker to steal legitimate users’ credentials and create a fake Kerberos Ticket Grant ing Service (TGS) ticket
  To initiate this attack, the attacker must have access to the credentials gathered from a local service account or the system’s SAM database
• The attacker creates a forged Kerberos TGS ticket using the mimikatz tool to establish a connection with the target service