3.10 Attacks & exploits: Detection Avoidance Flashcards

1
Q

Trojans and Backdoors: what is a Trojan?

A

▪ Any malicious computer program that is used to mislead a user about its true intent
▪ Example: when the victim launched the game, it would actually call back to the attacker's system and give them remote access to the victim's machine

2
Q

Trojans and Backdoors: what is a Backdoor?

A

A hidden mechanism that provides you with access to a system through some kind of alternative means

3
Q

Trojans and Backdoors: what is a Remote Access Trojan (RAT)?

A

A type of malware that comes along with legitimate software
● Back Orifice
● Blackshades
● DarkComet
● Sub7
● NetBus
● Pupy

4
Q

Trojans and Backdoors: what is a Rootkit?

A

Any kind of technology that is used to infect the system at a very low-level using root access

5
Q

Creating Persistence: explain Persistence

A

A method that you use to maintain access to a victim machine or a network for an extended period of time

6
Q

Creating Persistence: how to create a new user account and grant privileged access in Windows (2) and Linux (3) using the command line?

A

These are commands used in Windows and Unix-like operating systems to create a new user account and grant it administrative privileges.

In Windows:
- The “net user /add [username] [password]” command creates a new user account with the specified username and password.
- The “net localgroup administrators [username] /add” command adds the newly created user to the administrators group, granting them administrative privileges.

In Unix-like systems:
- "user# su -" is used to switch to the root user for administrative tasks.
- "user# useradd hacked" creates a new user account with the username "hacked".
- "user# passwd hacked" sets a password for the "hacked" user account.

7
Q

Creating Persistence: explain how to list cron jobs and how to read each line

A

To read a crontab, you can use the “crontab -l” command, which lists the cron jobs scheduled for the current user. Each line in the crontab represents a scheduled task and follows a specific format:
- Minute: The minute when the task will run (0-59)
- Hour: The hour when the task will run (0-23)
- Day of the month: The day of the month when the task will run (1-31)
- Month: The month when the task will run (1-12 or names like Jan, Feb, etc.)
- Day of the week: The day of the week when the task will run (0-7 or names like Sun, Mon, etc. where 0 and 7 represent Sunday)

8
Q

Creating Persistence: explain “30 3 * * * /usr/bin/python3 /home/user/scripts/backup.py”

A

This line represents a scheduled task in a crontab file, specifying when and what command should be executed.

  • Minute (30): The task will run when the minute is 30.
  • Hour (3): The task will run at 3 AM.
  • Day of the month (*): The asterisk (*) means the task will run every day of the month. If a specific day was desired, a number (1-31) would be used instead of the asterisk.
  • Month (*): The asterisk (*) means the task will run every month. If a specific month was desired, a number (1-12) or a name abbreviation (e.g., Jan, Feb) would be used instead of the asterisk.
  • Day of the week (*): The asterisk (*) means the task will run every day of the week. If a specific day was desired, a number (0-7, where both 0 and 7 represent Sunday) or a name abbreviation (e.g., Sun, Mon) would be used instead of the asterisk.
  • Command (/usr/bin/python3 /home/user/scripts/backup.py): This is the command or script that will be executed. In this case, it specifies that the Python 3 interpreter located at “/usr/bin/python3” will run the script “/home/user/scripts/backup.py”.

9
Q

Creating Persistence: explain the Task Scheduler and how to create a scheduled task

A

▪ Works like crontabs but it is used for Windows
▪ schtasks /create: for example "schtasks /create /sc <scheduletype> /tn <taskname> /tr <taskrun>"

10
Q

Creating Persistence: explain Services and Daemons

A

Services and daemons are background processes that run without direct user interaction, providing specific functionality to the operating system or applications.
In the context of Windows, these background processes are often referred to as “services,” while in Unix-like operating systems such as Linux, they are commonly known as “daemons.”
Services and daemons typically perform tasks such as managing network connections, running system processes, providing file and print services, and performing other essential system functions.

11
Q

Creating Persistence: how to manage Services and Daemons

A
  • In Windows, services can be managed using the “Services” management console, where users can start, stop, configure, and monitor the status of various services. E.g. you can create persistence by adding an entry to the Windows Registry that runs a specific program when the system starts up (reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v malware /d c:\malware.exe).
  • In Unix-like operating systems, daemons are usually controlled through initialization scripts and configuration files located in directories such as /etc/init.d/ and /etc/systemd/system/. The systemctl command is commonly used to manage daemons in modern Linux distributions.

12
Q

Creating Persistence: explain Bind Shell and how it is related to persistence

A

A bind shell is a type of shell that allows a user to connect to a specific network port on a system and obtain a shell prompt, effectively gaining remote access to the system. It “binds” to a specific port on the system and awaits incoming connections. Once a connection is established, the user can interact with the system as if they were directly accessing the command line.
After an attacker gains unauthorized access to a system, they may want to maintain access for an extended period. By deploying a bind shell, the attacker can create a backdoor entry point that allows them to access the system in the future, even if the initial vulnerability that allowed access is patched or closed.

13
Q

Creating Persistence: explain Reverse Shell and how it is related to persistence

A

A bind shell is a type of shell that allows a user to connect to a specific network port on a system and obtain a shell prompt, effectively gaining remote access to the system. It “binds” to a specific port on the system and awaits incoming connections. Once a connection is established, the user can interact with the system as if they were directly accessing the command line.
After an attacker gains unauthorized access to a system, they may want to maintain access for an extended period. By deploying a bind shell, the attacker can create a backdoor entry point that allows them to access the system in the future, even if the initial vulnerability that allowed access is patched or closed.

14
Q

Creating Persistence: explain “nc -lp 443 -e /bin/sh”

A

Uses the netcat utility to listen for incoming connections on port 443 and, upon connection, executes the /bin/sh shell.

15
Q

Living Off the Land: explain Living Off the Land

A

Refers to a technique used by cyber attackers to carry out malicious activities using legitimate tools and built-in functionalities of an operating system or software, rather than relying on custom malware. This approach makes it more difficult for traditional security solutions to detect and block malicious activities, as the attackers leverage tools that are already present on the targeted system.

16
Q

Living Off the Land: what tools can you use to perform Living Off the Land (5)?

A

● PsExec
o Uses the Server Message Block (SMB) suite to issue commands to remote systems without the need to install client software
o psexec \\<IP> -s <command>
● Windows Management Instrumentation (WMI)
o Provides an interface for local and remote computer management
● PowerShell Remoting
o A command shell and scripting language built on the .NET framework
● Windows Remote Management (WinRM)
o Allows for the configuration of machines to access them using the command-line environment or through PowerShell
● Visual Basic Scripts (VBScripts)
o A command shell and scripting language built on the .NET framework that allows admins and developers to manage computers and add features to different toolsets

17
Q

Living Off the Land: explain Dropper

A

Malware that is designed to install or run other types of malware embedded in a payload on an infected host

18
Q

Living Off the Land: explain Downloader

A

A piece of code that connects to the Internet to retrieve additional tools after the initial infection by a dropper

19
Q

Living Off the Land: explain Shellcode

A

▪ Any lightweight code designed to run an exploit on the target, which may include any type of code format from scripting languages to binary code
▪ Shellcode originally referred to malware code that would give the attacker a shell (command prompt) on the target system

20
Q

Living Off the Land: explain Code Injection

A

Exploit technique that runs malicious code with the identification number of a legitimate process

21
Q

Living Off the Land: explain Masquerading

A

Occurs when the dropper replaces a genuine executable with a malicious one

22
Q

Living Off the Land: explain DLL Injection

A

Occurs when the dropper forces a process to load as part of a DLL

23
Q

Living Off the Land: explain DLL Sideloading

A

Occurs when the dropper exploits a vulnerability in a legitimate program’s manifest to load a malicious DLL at runtime

24
Q

Living Off the Land: explain Process Hollowing

A

Occurs when the dropper starts a process in a suspended state and rewrites the memory locations containing the process code with the malware code

25
Q

Data Exfiltration: explain Data Exfiltration

A

▪ The process by which an attacker takes data that is stored inside of a private network and moves it to an external network
▪ Data exfiltration can be performed over many different channel types

26
Q

Data Exfiltration: explain HTTP or HTTPS Transfers and how they are related to data exfiltration

A

An attacker uses commercial file sharing services to upload the exfiltrated data from a victim

27
Q

Data Exfiltration: explain HTTP Requests to Database Services and how they are related to data exfiltration

A

▪ An adversary may use SQL injection or similar techniques to copy records from a database to which they should not have access
▪ IoC: Spikes in requests to PHP files or other scripts, and unusually large HTTP response packets

28
Q

Data Exfiltration: explain Overt Channels and how they are related to data exfiltration

A

Use of FTP, instant messaging, peer-to-peer, email, and other obvious file and data sharing tools

29
Q

Data Exfiltration: explain Explicit Tunnels and how they are related to data exfiltration

A

▪ Use of SSH or VPNs to create a tunnel to transmit the data across a given network
▪ IoC: Atypical endpoints involved in tunnels due to their geographic location

30
Q

Data Exfiltration: explain Warning and how it is related to data exfiltration

A

An adversary could use a different channel for data exfiltration than for command and control

31
Q

Data Exfiltration: what is the best mitigation for data exfiltration?

A

Strong encryption of data at rest and data in transit

32
Q

Covert Channels: explain covert channels in detail and how to prevent them

A

▪ Communication path that allows data to be sent outside of the network without alerting any intrusion detection or data loss countermeasures
▪ Covert channels enable the stealthy transmission of data from node to node using means that your security controls do not anticipate
● Transmitting data over a nonstandard port
● Encoding data in TCP/IP packet headers
● Segmenting data into multiple packets
● Obfuscating data using hex
● Transmitting encrypted data
▪ Prevention: Advanced intrusion detection and user behavior analytics tools are your best option to detect covert channels, but they will not detect everything

33
Q

Covering Your Tracks: what methods can you use to cover your tracks after a system has been compromised (4)?

A

▪ Erase, modify, or disable evidence
▪ Clear log files
▪ Delete installed malware
▪ Hide files and folders

34
Q

Covering Your Tracks: how to hide files in Linux, Unix, or OS X?

A

Create a folder beginning with a dot (.) to hide files in

35
Q

Covering Your Tracks: how to hide files in Windows?

A

▪ System32 folder
▪ Users folder
▪ Hidden attributes
▪ Alternate data streams:
- C:\> type notepad.exe > calc.exe:notepad.exe
- C:\> start calc.exe:notepad.exe

36
Q

Covering Your Tracks: should you delete the logs as a pentester and hacker? If yes, how and what logs for Windows (4) and Linux (1)?

A

▪ Windows: System logs, Application logs, Security logs, Event logs
▪ Linux: Usually stored in /var/log
▪ Penetration testers do not usually modify or delete any of the logs; commands that would do so include:
● clearev
● wevtutil cl Application
● echo " " > /var/log/syslog

37
Q

Covering Your Tracks: explain Stream Editor (SED) and what command to use it?

A

▪ Has the ability to search, find, delete, replace, insert, or edit anything inside of a file without the need to open that file
▪ sed -i 'malware' /var/log/auth.log
● Use timestomp
● Change the files’ ownership

38
Q

Covering Your Tracks: explain Timestomping and how to do it (9)?

A

Changes the access time of a file to a time that you, as the attacker, want:
▪ touch: Updates the time to the current time
▪ ctime: Changes the time to a given date/time
▪ Meterpreter has a built-in timestomp tool: timestomp log.txt -m "02/03/2022 10:11:12"
▪ Bash (prevent saving history): export HISTSIZE=0
▪ Bash (erase history): echo " " > ~/.bash_history; history -c
▪ Windows: ALT+F7
▪ PowerShell: Clear-History
▪ shred -zu <filename>
▪ format s: /fs:NTFS /p:1

39
Q

Post-Exploitation Tools: list the post-exploitation tools and their purposes

A

1- Empire
▪ A C2 framework that uses PowerShell for common post-exploitation tasks
▪ github.com/bc-security/empire
▪ Nowadays, most Empire tools and techniques can be detected by antivirus tools
▪ Empire is a collection of PowerShell exploits that can be used during post-exploitation
2- Mimikatz: An open-source tool that is focused on exploiting Microsoft’s Kerberos protocols
3- BloodHound: A tool used to explore Active Directory trust relationships and abuse rights on AD objects
4- Other Tools
▪ PowerShell
▪ VBScript
▪ Python
▪ Bash
▪ Perl
▪ Other