Defense Evasion: Hide Artifacts

Today, in this article, we will focus on various methods that are implemented by an attacker to evade their detection by hiding artifacts in the victim’s system in order to execute their malicious intent.

Table of Content

  • Introduction
  • Hiding Files and Directories
    • Using Command Prompt
  • Hiding System Users
    • Using Command Prompt
    • Using Registry Edit
  • Hiding File Systems
    • Over Command Prompt
    • Using Registry Edit
    • With Disk Management
  • NTFS File Attributes
    • Using Command Prompt
  • Detection

Introduction

An artifact can simply be defined as an important system file, which thus includes documentation, test plans, images and even some executable modules.

Operating Systems have a feature to hide these artifacts, in order to avoid disrupting user work environments and prevent users from changing files or features on the system. However, an attacker can abuse these functionalities in order to carry out his evil intents by hiding up these artifacts which thus provides a clear path to evade his detection.

Let’s try to understand the above statement by taking a simple example.

Suppose an attacker penetrates your machine and got a session enabled with that, which thus allows him to exploit your system. The very first thing that the attacker would do, is that he would create a hidden file and hide his payload, as by exploiting the operating system’s feature i.e. hiding artifacts. Once the attacker has his payload hidden, now he can carry that out for his malicious intent by tricking up the system administrator.

With that said, let’s have a look at the various approaches that the attackers take to evade their presence.

Hiding Files and Directories

Attackers may set files or directories to be hidden to evade detection mechanisms.

Let’s boot into our command prompt by running it as an administrator. Further, we’ll create up a folder over at our directory, as in our case I’ve done it as ignite at Desktop. The same can be confirmed by running the dir command.

 In order to hide the file which we have just created, simply run the following command:

Okay!! The file has been hidden now, but wait, let’s see how to unhide the same, simply run the following command:

Great!! From the below screenshot we can see that as we hit the “dir” command we got our file back over onto the Desktop.

Hiding Users

Adversaries may use hidden users to mask the presence of user accounts that they create. In this section, we will have a look at how users can be hidden.

Using Command Prompt

So let’s reboot into our command prompt and create a user as in our case we have named it as “ignite”. A user can be created by using the command: net user ignite /add

Now, that the user has been created we need to activate it, which can be done by running the command: net user ignite /active:yes

We will hide the user “ignite” by running the command:

To check the changes, we would simply restart our PC and notice that our user is no more visible on the sign-in page.

So, to unhide the user, simply re-run the command:

We’ll notice that our user “ignite” is again visible over at our sign-in page.

Using Registry Editor

This method can be lengthier as compared to the above one, but it’s always good to know. So, let’s explore this path and hide our user. 

Over at the Run Window, type “Regedit” in the search prompt

Once we enter the registry edit, just navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon

Now, that we have navigated to the path mentioned above let’s Right-click on Winlogon -> Select New and choose Key

After completing the above process, we will rename the new key created as “SpecialAccounts”.

Then, right-click on SpecialAccounts -> Select New and choose Key. We’ll rename this key as “UserList”.

We can see that we have created two new keys. One is “SpecialAccounts” under Winlogon and the second key is “UserList” under “SpecialAccounts”.

Over at the blank right-hand side, follow up as:

Right-click -> Select New -> Select DWORD (32-bit) Value as shown below

The new key created should be named as the user we are supposed to hide. In our case, we have named the new key as igniteas we are hiding this user.

Now, close your registry editor and restart your PC to see the changes. The user is now invisible.

In order to unhide the same user, we’ll just go back to our registry editor and navigate to

Then, we’ll double click on the ignite user and change the Value data from 0 to 1 and, hit enter

Again, restart your system to see the changes. Your user is back on the sign-in page.

Hiding File Systems

Adversaries may use a hidden file system to conceal malicious attacks from users and security tools. File systems provide a structure to store and access data from physical storage. So, lets’ deep dive and have a look at how the above is accomplished.

Method 1: Over Command Prompt

 Let’s say we have an E drive which we want to hide.

Open disk partition into your command prompt with as “diskpart”

Let’s now list all the volumes available there using “list volume”

As the volumes are over at our screen, let’s choose the volume which contains the drive that needs to be hidden. In our case, we select volume 3 by running the command: select volume 3

Great!! We’re almost there, now to hide the drive, simply run the command:

From the below screenshot we can see that Drive E is successfully hidden.

 

 Further, to unhide the drive simply run the command “assign letter e”.

Method 2: Using Registry Editor

For this method, we’ll go back into the registry editor as explained in the “Hidden User” section and navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

After navigating to the above-mentioned path, Right-click over on Explorer -> Select New -> DWORD (32-bit) Value as shown below.

A new key will be created which needs to be renamed as “NoDrives”

Now, that our new key has been renamed as “NoDrives”, let’s double click on it and change the base from Hexadecimal to Decimal and give input to the Value Data field according to the drive which we wish to hide.

In our case, as we’re hiding the E drive, we will set the Value data to “16” as the decimal value of the alphabet E is 16. You can set it according to yours.

Reboot your system again, and check for the drives.

Great!! From the below screenshot you can see that our drive has been hidden now. 

To unhide the drive, navigate back to “Regedit” as explained above and move to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer. Right-click on “NoDrives” and just Delete it. Again, restart your system and see that the drive is again visible.

Method 3: Using Disk Management

Let’s open Disk Management by running the command “compmgmt.msc” in the Run Dialog Box as shown below.

We’ll select the drive which we want to hide and right-click on it.

Then select “Change Drive Letters and Paths”.

After completing the above step, we’ll select the drive and click on the “Remove” button.

Reboot your system and you’ll notice that the drive is now hidden. In our case, drive “E” is not visible as we can see below.

Let’s unhide the drive by going back to disk management. Double click on New Volume and, select “Change Drive Letter and Paths”. Click on the Add button and add the drive you wish to by selecting “Assign the following drive letter” option and press ok.

NTFS File Attributes

Adversaries may use NTFS file attributes to hide their malicious data to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains records for every file/directory on the system. Let’s explore how the above attack can be executed.

Boot up your Command Prompt again as an administrator in order to generate up a file with some data in it:

From the below image, we can see that our file has been created with the data we entered.

Now, let’s create another file inside file.txt but this time we’ll make it as hidden with

From the below screenshot we can see that the file “hidden” is not visible at all.

Go ahead and type the command: type file.txt:hidden and hit Enter. You will notice that the file is still not visible to us.

But how to check the contents?

Simply run the command as more < file.txt:hidden and you will be there again.

Detection

The following methods can be used to detect such type of attacks:

  • Monitoring processes, and command-line arguments for actions indicative of hidden artifacts.
  • Monitoring event and authentication logs for records of hidden artifacts being used.
  • Monitoring the file system and shell commands for hidden attribute usage.

Source

Author: Tanish Bugnait is a Cyber Security enthusiast and a security researcher. Contact here

Windows Persistence: Port Monitors

Adversaries may use port monitors to run an attacker-supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup. This DLL can be located in C:\Windows\System32 and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions.

Mitre ID: T1547.010

Sub-technique of:  T1547

Let’s Check and try to perform this attack

Generate DLL Payload

In order to launch dll persistence attack, you need to execute the following command which will generate a malicious dll payload.

Inject DLL Payload

Now inject malicious dll file into victim’s machine inside /system32 through your meterpreter session with admin privilege and then execute the following command to make changes into the register for printer driver installation.

As you can see in the given below image that we have successfully changed the registry key.

Maintain Access

Now, in future when the attack will launch the listener for obtaining a reverse connection. So, as soon as the victim’s machine get reboots the .dll file get active and the attacker will get meterpreter session due to Monitor DLLs that are loaded by spoolsv.exe for DLLs.

Reference: https://attack.mitre.org/techniques/T1547/010/

Author: Chiragh Arora is a passionate Researcher and Technical Writer at Hacking Articles. He is a hacking enthusiast. Contact here

Abusing Kerberos Using Impacket

In this post, we are going to discuss how we can abuse Kerberos protocol remotely using Python libraries “Impacket” for conducting the lateral movement attack. You can download from here.

Table of Content

  • GetNPUSERs.py
  • GetUserSPN.py
  • Ticketer.py
  • TickerConverter.py
  • GetTGT.py
  • GetADUser.py

About Impacket

Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (e.g. SMB1-3 and MSRPC) the protocol implementation itself.

Packets can be constructed from scratch, as well as parsed from raw data, and the object-oriented API makes it simple to work with deep hierarchies of protocols. The library provides a set of tools as examples of what can be done within the context of this library.

GetNPUSers.py

This script will attempt to list and get TGTs for those users that have the property ‘Do not require Kerberos preauthentication’ set (UF_DONT_REQUIRE_PREAUTH). For those users with such configuration, a John The Ripper output will be generated so you can send it for cracking.

As a result, the attacker will able to obtain the NTLM Hashes inside the output file Hashes and with the help of John the ripper he can go for password cracking as done here.

This script is useful for abusing Kerberos against AS-REP Roasting attack.

GetUSERSPN.py

This module will try to find Service Principal Names that are associated with a normal user account. Since normal account’s password tend to be shorter than machine accounts, and knowing that a TGS request will encrypt the ticket with the account the SPN is running under, this could be used for an offline brute-forcing attack of the SPNs account NTLM hash if we can gather valid TGS for those SPNs.

Ticketer.py

This script will create TGT/TGS tickets from scratch or based on a template (legally requested from the KDC) allowing you to customize some of the parameters set inside the PAC_LOGON_INFO structure, in particular the groups, extrasids, etc.

This will generate the ticket into ccache format which can be converted further into kirbi.

This script can be helpful for abusing Kerberos against GOLDEN TICKET ATTACK.

TicketConverter.py

This script will convert kirbi files (commonly used by mimikatz) into ccache files used by impacket, and vice versa. As you can observe that the above script helps in generating the ccache file and with the of this script we can convert into kirbi.

GetTGT.py

This python script will request a TGT and save it as ccache for given a password, hash or aesKey. That we can be injected directory for access the requested service.

we have used getTGT to generate the ccache and used KERB5CCNAME pass the ccache file for the requested service. This is completely remote attack without using a local system of the compromised victim, but you need to compromise NTLM hashes for that, type following to conduct pass the ccache attack remotely.

And as result by injecting the ticket we have accessed the domain controller shell.

This script is useful in following attacks for abusing Kerberos:

GetADUser.py

This script will gather data about the domain’s users and their corresponding email addresses. It will also include some extra information about last logon and last password set attributes. If no entries are returned that means users don’t have email addresses specified. If so, you can use the -all-users parameter.

As a result, it has dumped all username of the Activity Directory as shown in the image.

Remote Code Execution Using Impacket

In this post, we are going to discuss how we can connect to Victims machine remotely using Python libraries “Impacket” which you can download from here.

Table of Content

  • About Impacket
  • atexec.py
  • psexec.py
  • smbexec.py
  • wmiexec.py

About Impacket

Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (e.g. SMB1-3 and MSRPC) the protocol implementation itself.

Packets can be constructed from scratch, as well as parsed from raw data, and the object-oriented API makes it simple to work with deep hierarchies of protocols. The library provides a set of tools as examples of what can be done within the context of this library.

Atexec.py

Atexec.py: Impacket has a python library that helps an attacker to access the victim host machine remotely through DCE/RPC based protocol used by CIFS hosts to access/control the AT-Scheduler Service and execute the arbitrary system command.

Syntax: Python atexec.py domain/username:[email protected] command

As you can see we have obtained the system information with the help of the above command.

PsExec.py

PSEXEC like functionality example using RemComSvc, with the help of python script we can use this module for connecting host machine remotely thus you need to execute following command.

Syntax: Python psexec.py domain/username:[email protected]

As you can see we have obtained the system shell with the help of the above command.

Smbexec.py

Smbexec.py uses a similar approach to psexec w/o using RemComSvc. This script works in two ways:

  • share mode: you specify a share, and everything is done through that share.
  • server mode: if for any reason there’s no share available, this script will launch a local SMB server, so the output of the commands executed is sent back by the target machine into a locally shared folder. Keep in mind you would need root access to bind to port 445 in the local machine.

Syntax: Python smbexec.py domain/username:[email protected]

As you can see we have obtained the system shell with the help of the above command.

wmiexec.py

A similar approach to smbexec but executing commands through WMI. The main advantage here is it runs under the user (has to be Admin) account, not SYSTEM, plus, it doesn’t generate noisy messages in the event log that smbexec.py does when creating a service. The drawback is it needs DCOM, hence, I have to be able to access DCOM ports at the target machine.

Syntax: Python wmiexec.py domain/username:[email protected]

As you can see we have obtained the system information with the help of the above command.