Showing Articles About
persistence
-
Riccardo Ancarani - 4 May 2022
Scheduled Task Tampering
This article explores techniques for manipulating Windows scheduled tasks through direct registry modifications. Multiple methods were demonstrated to create and modify tasks without generating standard Task Scheduler logging and event records. The techniques include registry manipulation and Event Tracing for Windows (ETW) tampering, which can be used to establish persistence or execute malicious actions while evading detection.
-
Tim Carrington - 3 Aug 2021
Playing with PuTTY
This article explores techniques for manipulating PuTTY's source code and session sharing mechanism to capture credentials and execute remote commands. Multiple methods are demonstrated for backdooring PuTTY, including capturing user commands, stealing authentication details, and hijacking SSH sessions through named pipe communications. The techniques provide creative approaches for bypassing security controls during adversarial simulations without traditional keylogging methods.
- Alfie Champion
- 21 Apr 2021
Attack Detection Fundamentals 2021: AWS - Lab #2
This article details an AWS security lab demonstrating how an attacker can add an access key and login profile to a compromised user account. The lab explores using Pacu to create additional AWS credentials and gain web console access. CloudTrail log analysis reveals key detection indicators, including changes in user agent and console login without multi-factor authentication.
- Calum Hall Luke Roberts
- 14 Apr 2021
Attack Detection Fundamentals 2021: macOS - Lab #1
This article explores macOS attack detection fundamentals using the Mythic post-exploitation framework. It demonstrates initial access via Office macros, persistence techniques using LaunchAgents, and sandbox breakout methods. The focus is on detecting malicious process trees and understanding macOS security mechanisms through practical attack scenarios.
- Calum Hall Luke Roberts
- 14 Apr 2021
Attack Detection Fundamentals 2021: macOS - Lab #2
This article explores LaunchAgent persistence techniques on macOS, demonstrating how attackers can abuse system functionality to maintain access. Detection methods using Endpoint Security Framework and osquery are discussed to identify suspicious LaunchAgent behavior. Key strategies include monitoring file creation events and analyzing unsigned binaries executed by LaunchAgents.
- Luke Roberts
- 16 Oct 2020
Operationalising Calendar Alerts: Persistence on macOS
A novel macOS persistence technique leverages calendar alerts in Automator.app to execute arbitrary applications at specified times. The method exploits an undocumented API in EventKit to programmatically create calendar events with executable alerts. By using JavaScript for Automation (JXA), attackers can establish stealthy persistence on macOS systems through calendar event manipulation.
- 3 Jul 2020
Attack Detection Fundamentals: Code Execution and Persistence - Lab #1
This article details a cybersecurity lab simulating the Astaroth malware attack chain using Living-off-the-Land (LOLBins) techniques. The lab demonstrates how attackers can exploit Windows utilities like BITSAdmin and ExtExport.exe, along with Alternate Data Streams, to stealthily download and execute malware. Multiple detection strategies are explored, including Sigma rules, event log analysis, and tools like Sysmon for identifying these sophisticated attack methods.
- 3 Jul 2020
Attack Detection Fundamentals: Code Execution and Persistence - Lab #2
This article explores persistence techniques used by attackers in Windows environments. Two primary methods are demonstrated: adding files to the Startup folder and modifying Windows Registry Run Keys. The guide provides technical insights into malware persistence strategies and detection approaches for cybersecurity professionals.
- Tim Carrington
- 22 Feb 2019
AutoCAD - Designing a Kill Chain
A detailed analysis of potential cybersecurity vulnerabilities in AutoCAD reveals multiple attack vectors across the cyber kill chain. The research demonstrates how malicious actors can exploit AutoCAD's features like ActionMacros, AutoLisp scripts, and remote text functionality to gain code execution, establish persistence, and perform lateral movement. Multiple attack techniques were identified that could potentially compromise users in high-value industries through targeted AutoCAD-specific exploitation methods.
- William Knowles
- 18 Sep 2017
Land, Configure Microsoft Office, Persist
This presentation explores native Microsoft Office add-in mechanisms that can be exploited for persistence on compromised workstations. Various techniques for abusing Office add-ins are analyzed from a red teaming perspective. The talk examines deployment complexity, privilege requirements, and effectiveness in different computing environments.
- William Knowles
- 21 Apr 2017
Add-In Opportunities for Office Persistence
This article explores multiple techniques for gaining persistence through Microsoft Office add-ins. Multiple methods are examined, including WLL, XLL, VBA, COM, Automation, VBE, and VSTO add-ins that can execute code when Office applications start. Each add-in type offers unique mechanisms for potential code execution with different technical advantages and limitations.
- Kostas Lintovois
- 11 Nov 2016
One Template To Rule 'Em All
A presentation explored how Microsoft Office VBA and templates can be exploited as a persistent malware delivery mechanism. The talk demonstrated vulnerabilities in locked-down environments through a proof-of-concept tool called WePWNise. VBA-enabled files remain an attractive attack vector due to business requirements and human factors in targeted attacks.
- Dave Hartley Luke Roberts
- 2 Sep 2016
Malicious Outlook Rules
XRulez is a tool that enables programmatic creation of malicious Outlook rules by injecting rules directly into Exchange servers. The tool allows attackers to create persistent remote code execution mechanisms via email triggers without requiring direct credential access. By exploiting MAPI sessions, malicious rules can be set up to execute payloads when specific email conditions are met.
- Stuart Morgan
- 21 Apr 2016
Safer Shellcode Implants
This article discusses techniques for creating safer shellcode implants by implementing runtime security controls. The proposed methods include ensuring single execution through mutex checks, validating the target endpoint using host-specific identifiers, and adding an expiry time to control the implant's lifecycle. Implementation examples are provided in both assembly and C languages to demonstrate these security controls.
- Stuart Morgan
- 15 Apr 2016
Masquerading as a Windows System Binary Using Digital Signatures
This article demonstrates a technique for creating fake digital certificates that mimic Microsoft's code signing certificates. By generating certificates that look like they are from Microsoft and installing a custom root CA, malicious Windows binaries can be signed to appear legitimate. The method allows attackers to create executables that blend in with system processes and potentially evade initial detection.
- Stuart Morgan
- 1 Apr 2016
Persistence Architecture Matters
This article explores the Windows-on-Windows (WOW) redirection layer in 64-bit Windows systems. It explains how filesystem and registry paths are dynamically remapped depending on the process architecture. The technical explanation reveals how 32-bit and 64-bit processes interact with system directories and registry keys differently.