3.10 Attacks & exploits: Detection Avoidance Flashcards
Trojans and Backdoors: what is a Trojan?
▪ Any malicious computer program that is used to mislead a user about its true intent
▪ Example: a game that, when launched by the victim, would actually call back to the attacker and allow the victim's system to be accessed remotely
Trojans and Backdoors: what is a Backdoor?
A hidden mechanism that provides access to a system through some kind of alternative means
Trojans and Backdoors: what is a Remote Access Trojan (RAT)?
A type of malware that comes bundled with legitimate software
● Back Orifice
● Blackshades
● DarkComet
● Sub7
● NetBus
● Pupy
Trojans and Backdoors: what is a Rootkit?
Any kind of technology used to infect a system at a very low level using root access
Creating Persistence: explain Persistence
A method that you use to maintain access to a victim machine or a network for an extended period of time
Creating Persistence: how to create a new user account and grant privileged access in Windows (2) and Linux (3) using the command line?
These are commands used in Windows and Unix-like operating systems to create a new user account and grant it administrative privileges.
In Windows:
- The “net user /add [username] [password]” command creates a new user account with the specified username and password.
- The “net localgroup administrators [username] /add” command adds the newly created user to the administrators group, granting them administrative privileges.
In Unix-like systems:
- “user# su -” is used to switch to the root user for administrative tasks.
- “user# useradd hacked” creates a new user account with the username “hacked”.
- “user# passwd hacked” sets a password for the “hacked” user account.
Creating Persistence: explain how to list cron jobs and how to read each line
To read a crontab, you can use the “crontab -l” command, which lists the cron jobs scheduled for the current user. Each line in the crontab represents a scheduled task and follows a specific format:
- Minute: The minute when the task will run (0-59)
- Hour: The hour when the task will run (0-23)
- Day of the month: The day of the month when the task will run (1-31)
- Month: The month when the task will run (1-12 or names like Jan, Feb, etc.)
- Day of the week: The day of the week when the task will run (0-7 or names like Sun, Mon, etc., where 0 and 7 represent Sunday)
- Command: The command or script to execute (everything after the five time fields)
Creating Persistence: explain “30 3 * * * /usr/bin/python3 /home/user/scripts/backup.py”
This line represents a scheduled task in a crontab file, specifying when and what command should be executed.
- Minute (30): The task will run when the minute is 30.
- Hour (3): The task will run at 3 AM.
- Day of the month (*): The asterisk means the task will run every day of the month. If a specific day was desired, a number (1-31) would be used instead of the asterisk.
- Month (*): The asterisk means the task will run every month. If a specific month was desired, a number (1-12) or a name abbreviation (e.g., Jan, Feb) would be used instead of the asterisk.
- Day of the week (*): The asterisk means the task will run every day of the week. If a specific day was desired, a number (0-7, where both 0 and 7 represent Sunday) or a name abbreviation (e.g., Sun, Mon) would be used instead of the asterisk.
- Command (/usr/bin/python3 /home/user/scripts/backup.py): This is the command or script that will be executed. In this case, it specifies that the Python 3 interpreter located at “/usr/bin/python3” will run the script “/home/user/scripts/backup.py”.
Creating Persistence: explain the Task Scheduler and how to create a scheduled task
▪ Works like crontab but is used on Windows
▪ schtasks /create: for example “schtasks /create /sc <scheduletype> /tn <taskname> /tr <taskrun>”
Creating Persistence: explain Services and Daemons
Services and daemons are background processes that run without direct user interaction, providing specific functionality to the operating system or applications.
In the context of Windows, these background processes are often referred to as “services,” while in Unix-like operating systems such as Linux, they are commonly known as “daemons.”
Services and daemons typically perform tasks such as managing network connections, running system processes, providing file and print services, and performing other essential system functions.
Creating Persistence: how to manage Services and Daemons
- In Windows, services can be managed using the “Services” management console, where users can start, stop, configure, and monitor the status of various services. E.g., you can create persistence by adding an entry to the Windows Registry that will run a specific program when the system starts up (reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v malware /d c:\malware.exe).
- In Unix-like operating systems, daemons are usually controlled through initialization scripts and configuration files located in directories such as /etc/init.d/ and /etc/systemd/system/. The systemctl command is commonly used to manage daemons in modern Linux distributions.
Creating Persistence: explain Bind Shell and how is it related to persistence
A bind shell is a type of shell that allows a user to connect to a specific network port on a system and obtain a shell prompt, effectively gaining remote access to the system. It “binds” to a specific port on the system and awaits incoming connections. Once a connection is established, the user can interact with the system as if they were directly accessing the command line.
After an attacker gains unauthorized access to a system, they may want to maintain access for an extended period. By deploying a bind shell, the attacker can create a backdoor entry point that allows them to access the system in the future, even if the initial vulnerability that allowed access is patched or closed.
Creating Persistence: explain reverse shell and how is it related to persistence
A reverse shell is a type of shell in which the compromised system initiates an outbound connection to a listener on a machine controlled by the attacker, who then receives a shell prompt and can interact with the system as if they were directly accessing the command line. Unlike a bind shell, which waits for incoming connections, a reverse shell “calls back” out, so it often gets through firewalls and NAT that block inbound connections to the victim.
After an attacker gains unauthorized access to a system, they may want to maintain access for an extended period. By configuring the system to launch a reverse shell periodically or at startup, the attacker creates a backdoor entry point that allows them to regain access in the future, even if the initial vulnerability that allowed access is patched or closed.
Creating Persistence: explain “nc -lp 443 -e /bin/sh”
Uses the netcat utility to listen for incoming connections on port 443 and, upon connection, executes the /bin/sh shell.
Living Off the Land: explain Living Off the Land
Refers to a technique used by cyber attackers to carry out malicious activities using legitimate tools and built-in functionalities of an operating system or software, rather than relying on custom malware. This approach makes it more difficult for traditional security solutions to detect and block malicious activities, as the attackers leverage tools that are already present on the targeted system.