a Hacker's Backdoor: Service Control Manager
Vložit
- čas přidán 6. 08. 2024
- j-h.io/plextrac || PlexTrac makes pentest reporting a breeze -- try their premiere reporting & collaborative platform in a FREE one-month trial! j-h.io/plextrac 😎
00:00 - SCManager Persistence
00:27 - Explaination
01:21 - How it works
05:18 - Demo begin
08:00 - Changing security descriptor
12:12 - Creating a service
16:18 - Final Thoughts
Grzegorz Tworek Tweet: / 1628720819537936386
0xvln Write-up: 0xv1n.github.io/posts/scmanager/
Security Descriptor Lang: learn.microsoft.com/en-us/win...
Sc sdset: learn.microsoft.com/en-us/pre...)
🔥 CZcams ALGORITHM ➡ Like, Comment, & Subscribe!
🙏 SUPPORT THE CHANNEL ➡ jh.live/patreon
🤝 SPONSOR THE CHANNEL ➡ jh.live/sponsor
🌎 FOLLOW ME EVERYWHERE ➡ jh.live/discord ↔ jh.live/twitter ↔ jh.live/linkedin ↔ jh.live/instagram ↔ jh.live/tiktok
💥 SEND ME MALWARE ➡ jh.live/malware
These videos are always a great way to learn something without too much detail that I lose interest. Thanks for making such helpful content
Loving these living off the land videos, I'm starting to get more and more into Windows Internals for sysadmin and security, really awesome timing that this video showed up.
I'm studying computer engineering now and this is honestly very cool. I may consider a minor in cyber security now
Found this the other day on linkedin and was dismissed as it needing admin, however this has been informative! thanks!
Information about access control list (ACL). Thanks John!
An access control list (ACL) is a list of access control entries (ACE). Each ACE in an ACL identifies a trustee and specifies the access rights allowed, denied, or audited for that trustee. The security descriptor for a securable object can contain two types of ACLs: a DACL and an SACL.
A discretionary access control list (DACL) identifies the trustees that are allowed or denied access to a securable object. When a process tries to access a securable object, the system checks the ACEs in the object's DACL to determine whether to grant access to it. If the object doesn't have a DACL, the system grants full access to everyone. If the object's DACL has no ACEs, the system denies all attempts to access the object because the DACL doesn't allow any access rights. The system checks the ACEs in sequence until it finds one or more ACEs that allow all the requested access rights, or until any of the requested access rights are denied.
A system access control list (SACL) allows administrators to log attempts to access a secured object. Each ACE specifies the types of access attempts by a specified trustee that cause the system to generate a record in the security event log. An ACE in an SACL can generate audit records when an access attempt fails, when it succeeds, or both.
Don't try to work directly with the contents of an ACL. To ensure that ACLs are semantically correct, use the appropriate functions to create and manipulate ACLs.
ACLs also provide access control to Microsoft Active Directory service objects. Active Directory Service Interfaces (ADSI) include routines to create and modify the contents of these ACLs.
Good god you have so much time in your hands to write that down as a comment
This video is full of powerful experiences!!! thanks for making such content!
Great explanation and also great real example John. Thank you.
Thanks for the video, John!
Very practical! 💪🏻
Great way to start the morning.
John I love your work and you inspire me daily.
i need try it😊 john thank you for tutorial!!
Thank you so much
For sc sdset should not be as loud based on the parameters provided. So that’s the 3rd layer of detection via winevent logs - cheers! Happy hunting
I did not understand much honestly.... But great video again! Thanks!
wow ....ty so much boss
nice job!!!
Thanks
Way to go!!! My best friend
This tech gives many ideas :)..........
Nice oneliner :)
Bravo 👏🏼 Always fantastic content. Does a simple “revert all to defaults, e.g., fresh install” command(s) exist? Appreciate ya!
This video really spoke to me, Ive been working in IT for a few years and am basically a beginner with some novice understanding of Microsoft and barely any knowledge in Linux. Does anyone here have any recommendations on where to start working in security with my profile? Like what courses (paid is fine, or free) should I start in order to get going?
2 Books; Linux Bible 9th Edition, and The Ultimate Kali Linux Guide 2nd Edition.
Both books spoon feed and assume you know nothing. I didn't learn anything in the Kali guide until page 300 and some as I've worked rhel support for more than 4 years. I read it all anyway as Glen does a great job at summarizing the endless acronyms and industry buzzwords. Some of his tutorials could use a little updating but the book is free if you google the pdf and if you've never used the aircrack-ng suite and have no clue what command syntax is, then these are the books for you.
I'm no cyber security expert but this seems like very overcomplicated UBA... You really have to dedicate yourself to the Microsoft world to fully understand the access control in Windows.
Well, yes... of course. Microsoft still dominates the corporate landscape, so having deep knowledge of Windows security is very valuable.
@@JohnDoe-sp3dc Even complex systems can be managed, so it's not an excuse. Know what should be running on your systems, set baselines, monitor activity, etc.
@@JohnDoe-sp3dc in that scenario windows genealogy comes in hand. Windows genealogy gives you map of every process and their exact number of instances running after booting a system. Every blue Teamer should know about windows genealogy so he can easily detect the malicious extra instance or process.
@@MrGh0sT_8124 nice
Mickeysoft dominates because of the intellectual bell curve. Same holds for other aspects in society.
Nice!
Windows services such as web access login and another service were running my CPU at 100 percent consistently on idle till I used process explorer to find which service was running the highest with svchost and killed off each service in the tree one by one till it stopped. My computers been running at 0% to 1% cpu usage consistently when in idle.i use a amd 3800x cpu.
Master of edureka master
POG
can you make a video about must tools need to know for cyber security or ethical hacking ?
Would love to see more videos on MacOS/iOS.. your videos are great but I’m not sure if they apply to me :(
nice
best bro ever
Always here before John
We need a linux version of this. How hackers backdoor into linux desktops please!
For the most part, they don't.
In theory, Linux is less vulnerable to malware by the design philosophy, and smaller target demographic. Additionally, if you're running a linux distro, you're likely more aware of security practices.
Those combined make it not worth the time and effort to attack, as there are more high value, and softer, targets in the Windows side.
How about making a video explaining how to combatant against this backdoor, and what to do if it has already been executed on your pc?
this backdoor virus compromised my pc, and its been stuck on the windows loading screen since. i dont know why people think ruining a pc someone paid for is funny.
@@whencat6171nobody "ruined" your pc, just reinstall. infact they did you a favour so you can get rid of windows and install linux
Any smart admin would have blocked admin prev on a work system, which at my work, they do, as you need to enter super admin credentials most of the time this won't work. And if the user is working from home, they would most likely be using Windows Virtual Desktop, again hard to use this command.
John why do you look so happy about this YT Video?
Amazing video
🎉🎉
I go for priv esc before maintaining access as i think the access will be much more reliable, But this seems like 1 cmd to rule them all xD
hmmm, what do you do? unethical hacking? lol
@@HadronCollisionYT what makes you say that ? Can't someone be interested in learning red team without being ethical ? Much harder for Blue to defend if your access has priv esc nothing unethical there, "The best defence is a good offence" without knowing how to attack you can't defend and working local only get's you so far,, VM's are great but it don't have the same feel
you need admin privs to install this backdoor, anyways, I believe.
@@sud0gh0st I was just joking bruh. Why did you take it so seriously ;-;
Please do a video on how to use pwncat
Do you need a discrete gpu in order to get windows 11 to run smoothly in a virtual machine. I have an AMD 5700G running Fedora and all my Windows VMs are relatively quick but motion is choppy and ugly.
Having a decent GPU will help, but you may need to tinker with your VM settings. QEMU/KVM works fine for me.
try giving your VM more ram and more CPU cores, maybe?
@@nordgaren2358 no, overcommiting hurts performance. use a type 1 hypervisor like qemu/kvm and use a rdp client with gpu acceleration for connection. see someordinarygamers video on that
the Sc sdset link is dead, anyone has the sigma rule? Thanks
Microsoft still says (IIRC) that basically administrators are expected to be able to do this sort of thing, so if such an account is allowed to be run by a malicious actor, that's basically game over. On the other hand, if that's really the expectation, why do they keep trying to stop Mimikatz?
I love the activate windows water mark lol
The "GoogleUpdater" Service doesn't start. Error 1053! 🤔
It's all fun and games until the FBI kicks in your door at 4am
Can anyone recommend more twitter accounts with cool new techniques of attacks like in the video?
Per TCP/IP protocol, the system needs to open a listening port first in order to accept an incoming connection. you can easily find all listening ports using the netstat command. There is no "secret back door" per se.
Most backdoors periodically phone out instead of listening for a connection from the C&C server. That also solves the issue of getting past some firewalls and NATs.
@@anonimenkolbas1305 "phone out"? What is that mean in TCP/IP? Today, all the computer does not support modem anymore. Or, are you saying the backdoor is a TCP/IP client that initiate a connection to a Internet Server? If so, you can easily find out any TCP/IP connections on a server.
@@danielchien7274 Sorry, yes, "phone out" is a casual expression. I meant that malware nowadays makes an outbound connection to its command & control server as opposed to listening for one, meaning it will not open a socket. However, if one were to monitor outbound traffic the same way they would monitor open sockets over time, they would still spot the outbound connections made to suspicious IPs.
@@anonimenkolbas1305 So, this is not a true backdoor for anyone anywhere to get in. BTW, it is very easy to stop malware. Just don't let it run. A program that can't run will do nothing. Using a whitelist, it can stop all unauthorized programs from running.
So this is how i can be an admin in my local network
This worries me. It makes me uncertain which services are real and are just a clone of the name of an application that I have installed...
I downloaded hickvisions desktop client and used proccess explorer after unistalling the application. I killed the ivs service (it was still running after unistalling everything) and it crashed my windows computer so it was doing something.
If you suspecting a service, check the "path" of the service you will directly see if he is dangerous
Hi John! What is your email I got a phishing email with malware attach and want you to investigate!
Is this Seth Trojan
Is there not a way to become Trusted Installer and take over the system? That info is probably too spicy for CZcams.
daka would he really would
Could you include ways to prevent the things you talk about in your videos from happening as well?
One could always just run a linux distro and not worry about this sort of thing.
@@Chad_Thundercock how would that prevent the malware running? Just because it isnt created for Linux?
@@ohrayoe3858
That is one part of it, yes. The other is from the way most distros are designed to segregate processes and permissions. It's a bit nebulous to explain here, but the short of it is that it's less easy to trick your machine in to running anything you don't ask it to run.
@@Chad_Thundercock so things are less likely to run when you click on a link(malware pdf) than on another OS that isnt Linux?
@@ohrayoe3858
Exactly.
Now, don't take to mean your system is bulletproof, but it will be much less vulnerable to such attacks.
Up places coling.
Skills and binary numbers c, css code file's comment
i thought this was an old video lol
What made it seem like an old video, if I may ask?
@@_JohnHammond good question i really don't know,the flow of your videos hasn't really changed to so i couldn't see differences but yeah still a good explanation
@@_JohnHammond hey also i watched the video fully now and the sponsorship is little bit too long
Nothing sir, it's fresh and useful as always.
@@user-kp9es9ul2l yup i agree it's good as always
That’s actually pretty old stuff
u should activate windows
on a VM ? why.....
@@sud0gh0st my bad i didn't kw
Why ?
When you buy a PC you get a licence
Who cares about the licence on a virtual machine ?
It's a bullshit thing they have thrown in for telemetry.
If you charge me $150 for the licence when I buy the computer I don't care about what Mr Gates wants
@@WSLEEPS So dont talk about stuff you dont know.
@@seanfaherty you're saying Windows has other usecase then testing exploits... Not sure I believe that
OK, but you need an admin user in the first place. Kinda pointless?!
finally the first comment
This shouldn't be built into Windows. That's the reason why we move to Linux.
Nod how to cing coling fills up sum cing coling fills name and files tool files open coling fills to file account add files open tool diagram, group, Jenkins files open tool explain files open vejal
can you teach how to hack cctv or security cameras
Activate Windows 😭
yet again : no compromised, privileged account = this entire method is useless
There is a balance between being informative and glorifying criminal behaviour.. You are crossing that line a lot of times in you videos and can't really understand why this is allowed to stand.
How else are you supposed to raise awareness to sys admins or anyone who wants to protect their computer, about this vulnerability? Just tell them it exists, but not how it works, so they can't defend against it at all? This is standard practice for cyber security.
12:10 😆😆
Second
Persistence via Windows Service T1543.003