Security
  • IT Security Knowledge Base
  • Blue team
    • Linux System Hardening
    • Phishing Analysis
    • Snort
    • Yara
  • Capture the Flag
    • OverTheWire
      • Bandit
        • Bandit Level 0
        • Bandit Level 0 → Level 1
        • Bandit Level 1 → Level 2
        • Bandit Level 2 → Level 3
        • Bandit Level 3 → Level 4
        • Bandit Level 4 → Level 5
        • Bandit Level 5 → Level 6
        • Bandit Level 6 → Level 7
        • Bandit Level 7 → Level 8
        • Bandit Level 8 → Level 9
        • Bandit Level 9 → Level 10
        • Bandit Level 10 → Level 11
        • Bandit Level 11 → Level 12
        • Bandit Level 12 → Level 13
        • Bandit Level 13 → Level 14
        • Bandit Level 14 → Level 15
        • Bandit Level 15 → Level 16
        • Bandit Level 16 → Level 17
        • Bandit Level 17 → Level 18
        • Bandit Level 18 → Level 19
        • Bandit Level 19 → Level 20
        • Bandit Level 20→ Level 21
        • Bandit Level 21→ Level 22
        • Bandit Level 22 → Level 23
        • Bandit Level 23 → Level 24
        • Bandit Level 24 → Level 25
        • Bandit Level 25 → Level 26
        • Bandit Level 26 → Level 27
        • Bandit Level 27 → Level 28
        • Bandit Level 28 → Level 29
        • Bandit Level 29 → Level 30
        • Bandit Level 30 → Level 31
        • Bandit Level 31 → Level 32
        • Bandit Level 32 → Level 33
    • OWASP Juice Shop
      • Installation
      • Level 1 - Challenges
      • Level 2 - Challenges
    • TryHackMe Rooms
      • Anthem
      • Capture!
      • Corridor
      • Gotta Catch'em All!
      • Mustacchio
      • Neighbour
      • Opacity
      • Source
    • CEH v12 practical resources
  • Cryptology
    • CryptoHack
      • Course: Introduction to CryptoHack
        • Introduction - Challenges
        • General - Encoding
        • General - XOR
      • Course: Modular Arithmetic
        • General - Mathematics
        • Mathematics - Modular Math
        • Mathematics - Brainteasers Part 1
      • Course: Symmetric Cryptography
        • How AES Works
        • Symmetric Starter
        • Block Ciphers
        • Stream Ciphers
  • Red Team
    • Reconnaissance
      • Foot-printing
      • Scanning (Nmap)
      • Enumeration
    • Vulnerability Analysis
    • Initial Access
      • Obtaining credentials
      • Vulnerability Exploitation
        • Buffer Overflow
        • Metasploit and Armitage
        • Ninja Jonin
    • Active Directory
      • Connect to AD
      • AD Explore
      • CMD and PowerShell enumeration
      • Certificates in AD
      • LDAP Pass-back Attacks
      • Cracking NetNTLM Challenge with Responder
      • Exploring Configuration Files for AD Credentials
      • Pass the hash with evil WinRM
      • Understanding Runas
    • Malware
    • Sniffing
      • Intercept HTTP traffic - Hetty
      • Intercept HTTP traffic - Bettercap
      • Wireshark
    • Social Engineering
    • Denial of Service
    • Web Hacking
      • Burp Suite
      • OWASP ZAP
      • Web servers
      • Web Server Footprinting
      • Directory Enumeration
      • Session Hijacking
      • Web Shells
      • Web vulnerability scanners
      • SQL Injection
    • Cloud
    • Wireless Networks
      • Attacking WEP
      • Attacking WPA/WPA2
    • Mobile Devices
    • Network Security Evasion
    • Privileges Escalation
    • Maintain Access and Hide Malicious Activity
      • Backdooring
    • Cover your Tracks
  • Internet of Things
    • IoT in general
    • Common IoT Protocols
      • CoAP
      • MQTT
      • ZIGBEE
      • Bluetooth
    • Scapy
      • Sniffing and spoofing
      • ARP cache Poisoning
  • Projects
    • Cybersecurity Roadshow
Powered by GitBook
On this page
  • Remote Access
  • Maintain Persistence by Abusing Boot or Logon Autostart Execution
  • Hiding files
  • Hide files using NTFS streams
  • Spyware
  1. Red Team

Maintain Access and Hide Malicious Activity

The next step after gaining access and escalating privileges on the target system is to maintain access for further exploitation on the target system.

Remote Access

Remote code execution methods are typically employed after an initial system compromise to extend access to remote systems within the target network. These techniques facilitate the execution of code on remote systems.

Outlined below are several remote code execution techniques:

  1. Client Exploitation: This approach involves exploiting vulnerabilities in client applications to execute malicious code on remote systems.

  2. Scheduled Task Execution: Leveraging scheduled tasks allows for automated code execution on remote systems, enabling persistence and remote access.

  3. Service Execution: Manipulating services running on remote systems can provide a means to execute code and maintain control over those systems.

  4. Windows Management Instrumentation (WMI): WMI allows for system administration tasks, and when misused, it can be utilized for remote code execution and control over target systems.

  5. Windows Remote Management (WinRM): WinRM is a Windows feature that enables remote management and execution of scripts on remote systems, providing a legitimate means for remote access and code execution.

Maintain Persistence by Abusing Boot or Logon Autostart Execution

The Windows startup folder is a repository of shortcuts to applications that automatically launch when a Windows machine is started. Introducing a malicious program into the startup folder triggers the program's execution upon user login. This technique assists in achieving two primary objectives: maintaining persistence, ensuring the malicious program continues to run after a system reboot.

Path to start up folder:

C:\\ProgramData\\Start Menu\\Programs\\Startup

Hiding files

The act of hiding files involves employing various techniques, such as rootkits, NTFS streams, and steganography, to hide malicious software. This is done to evade detection by protective applications like Antivirus, Anti-malware, and Anti-spyware programs that might be running on the target system.

Hide files using NTFS streams

NTFS is a file system that utilizes two data streams, referred to as NTFS data streams, in conjunction with file attributes to store files. The first data stream is responsible for storing the security descriptor, which includes information like file permissions. The second data stream is employed to store the actual data contained within a file. In addition to these data streams, alternate data streams are another category of named data streams that can coexist within each file, providing additional storage and organization capabilities.

You can hide data in the alternate data streams.

Say that we have the file test.txt

We can then hide an executable like calc.exe in this file.

type C:\Windows\System32\calc.exe > c:\test.txt:calc.exe

This command will hide calc.exe inside the test.txt

We can the create a symbolic link that will execute the calc.exe application.

mklink SOMEFILE.exe c:\test.txt:calc.exe

Spyware

The nice thing about spyware is that these are usually not flagged as malicious due to their "legitimate" purposes.

PreviousPrivileges EscalationNextBackdooring

Last updated 1 year ago

is a software application designed for monitoring computer activities discreetly. It operates by silently recording the actions of all users on a PC without their knowledge. Once the software is installed on the target PC, you gain the capability to remotely receive detailed log reports on any device through email or FTP. These reports can be reviewed immediately upon receipt or at your convenience. Additionally, you have the option to directly examine the logs using the built-in log viewer on the monitored computer.

is a robust computer monitoring software that empowers you to discreetly track all user activities on a computer. Operating in stealth mode, SpyAgent offers an extensive range of essential computer monitoring capabilities. This includes features like monitoring websites, applications, and chat clients, as well as the ability to block them. The software also supports lockdown scheduling and allows you to remotely receive logs via email or FTP for comprehensive monitoring.

Power Spy
Spytech SpyAgent