A Story of Persistance – Windows Part 2

By Ahmed Kasmani
Add comment
January 29, 2021
2 Min read
In Uncategorized
A

This is the second part, first part is here.

Malwares use persistence mechanisms to keep access on a system across restarts. Mitre Att&ack talks about Persistence as a tactic, and all the persistence mechanisms are the techniques.

The way the articles will flow is the same as the first article:

  1. Name and some details of the persistence mechanism.
  2. How it works.
  3. Threat actors or malware who use this consistently.
  4. How to set it up.
  5. How to detect it from the event logs.
  6. How to get more details about it, using tools like PowerShell, Autoruns or any other tool.
  7. How to remove it.

First persistence mechanism:

Name: Service

Microsoft Windows services, formerly known as NT services, enable you to create long-running executable applications that run in their own Windows sessions. These services can be automatically started when the computer boots, can be paused and restarted, and do not show any user interface. These features make services ideal for use as persistence mechanism in malware. (Most of this paragraph is copied from MSDN Link.

There are different startup types for services, they can be setup to start manually, automatic or automatic delayed. Automatic services start first, automatic delayed services start after all automatic services have been started.

Long list of malware use this persistance mechanism, most prevalent these days would be :

  1. Emotet.
  2. Netwalker.
  3. Remcom.
  4. Many more mentioned here.

Lets first enable the audit logs which will enable us to see the service creation in the Security Event Logs.

Command to enable required Audit logs:

auditpol /set /category:"System" /success:enable /failure:enable

Setting up a service is pretty straight forward, the steps I followed are:

  1. Created a windows service using the metasploit template from this location.
  2. Updated the code to logging instead of running malicious code.
  3. Compiled the service on Visual Studio 2019.
  4. Created a service using the following command:
sc.exe create asktest binpath= service.exe

5. Check that the service is created from services.msc in windows:

How to check for presence in the event logs:

Get-WinEvent -FilterHashtable @{LogName="Security";ID=4697;} | Select *

As you may have guessed 4697 is the windows event id for the service creation.

I think these details are enough for this blog.

Chao!!!

About the author

Ahmed Kasmani
View all posts

Add comment

Read more

A Story of Persistance – Windows Part 1

By Ahmed Kasmani
In Uncategorized
2 Min read
A

For a while I wanted to do a series of blog posts where I discuss the different types of persistence mechanisms in Windows, Linux and MacOS. Some procrastination has had the better of me. This is the first part, hopefully more to come. I am going to try and add some more pertinent details. Malwares use persistence mechanisms to keep access on a system across restarts. Mitre Att&ack talks...

Read onRead later

Home LAB for Security Research

By Ahmed Kasmani
In Uncategorized
5 Min read
H

In my first post, I want to talk about the setup for the homelab. As an InfoSec consultant it is imperative to have some semblance of a homelab. It serves as a playground for all things you want to learn and go deep into. Introduction My experience with setting up a homelab, has had its ups and down. Before moving to Australia my homelab was my beefed up MacBook Pro i7 – 16GB RAM and 1TB...

Read onRead later
By Ahmed Kasmani January 29, 2021
Add comment

Recent Posts

Recent Comments