EmpireProject / Empire

Empire is a PowerShell and Python post-exploitation agent.
http://www.powershellempire.com/
BSD 3-Clause "New" or "Revised" License

[Feature Request] Start and Hide Within a Registry Key #1204

Open zero77 opened 6 years ago

zero77 commented 6 years ago

Can you add the option to start up and hide completely within the registry, inside a key, and not as a script, DLL or EXE anywhere else on disk? This is explained better by a report from Trend Micro.

https://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-malware-hides-in-windows-registry/

https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/TROJ_POWELIKS.A - shows the key near the bottom. Thanks

ThePirateWhoSmellsOfSunflowers commented 6 years ago

Hi,

I don't really understand the difference between your links and the modules already implemented, such as persistence/userland/registry. This module is already fileless if I remember correctly. The solution provided by the malware only adds the encoding of the payload within the key but, on the other hand, the user cannot delete this key. Maybe I missed the point.

Cheers, :sunflower:

zero77 commented 6 years ago

@ThePirateWhoSmellsOfSunflowers

Hi, maybe I have misunderstood the ‘persistence/userland/registry’ module.

To clarify: the module stores the PowerShell agent/payload within the start-up registry key, and the key is then saved with a NULL value so the user cannot see the key and therefore can’t delete it.

If so, I have misunderstood and there’s already a module that does this.

poopaapoopaa commented 6 years ago

The "persistence/userland/registry" module saves the code in HKCU:Software\Microsoft\Windows\CurrentVersion\Debug - it is fully visible and modifiable by the user.

ThePirateWhoSmellsOfSunflowers commented 6 years ago

Hi,

> To clarify the module stores the PowerShell agent/payload within the start up registry key,

the existing module already does that

> key is then saved with a NULL value so

the existing module doesn't perform this trick

> the user cannot see the key so, they can’t delete it.

Ok, but what's the goal/advantage? From a forensic point of view, on one hand the user can "see" the key but the attacker can delete this key (cleaning is important); on the other hand the user "cannot see" it (ok, not really, but let's assume this) but the attacker cannot delete this key (and so leaves a trace on the client/victim/test computer). The gain is null?

> it is fully visible and modifiable by the user.

If your victim monitors his registry, maybe registry persistence is not OPSEC-safe enough for you...

But ok, maybe it's a good idea, but I suggest you add this feature as an optional toggle and with a warning text.

:sunflower:

zero77 commented 6 years ago

Hi @ThePirateWhoSmellsOfSunflowers

It sounds like the existing module already has most of what I am looking for, except for hiding the key.

Although, you have made some interesting points, and I am unsure whether hiding the key would be an efficient option from both a forensic and an evasion point of view.

kkar commented 5 years ago

@zero77 you can try two different things to create a hidden registry entry, which, by the way, will only be hidden from RegEdit (the registry editor), not from the Registry itself.

The first one is to create a new String (REG_SZ) and null-terminate it (\0).

The second one is to create a new String (REG_SZ) with >= 255 characters as its name.

Both have been used in the past and both work on certain versions of Windows.

Again, the only thing that you can achieve by using one of the above methods is to hide the entry from the default registry editor of Windows. Registry keys cannot be completely "hidden": if the System itself can see them, any serious Administrator can too.

EDIT: You should hit F5 to "update" the view of RegEdit and verify the changes, if any.
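An added example, not Empire's code, showing the defender's side of what kkar describes: enumerate HKCU autostart value names through advapi32's RegEnumValueW, which reports the number of characters actually stored, so a name with an embedded NUL or 255+ characters is flagged instead of being cut off at the NUL the way RegEdit shows it. The key paths, the 255 threshold and the function names are assumptions taken from this thread; the classifier runs anywhere, the enumerator only on Windows.

```python
import ctypes

LONG_NAME_THRESHOLD = 255       # from kkar's comment above (assumption, not Empire's code)
ERROR_NO_MORE_ITEMS = 259
AUTOSTART_KEYS = [r"Software\Microsoft\Windows\CurrentVersion\Run",    # classic autostart key
                  r"Software\Microsoft\Windows\CurrentVersion\Debug"]  # key named in this thread

def classify_value_name(name: str) -> list:
    """Return the RegEdit-hiding tricks a value name exhibits (empty list if none)."""
    findings = []
    if "\x00" in name:                        # Poweliks-style NUL inside the value name
        findings.append("embedded NUL in value name")
    if len(name) >= LONG_NAME_THRESHOLD:
        findings.append(f"value name length {len(name)} >= {LONG_NAME_THRESHOLD}")
    return findings

def enum_value_names(subkey: str) -> list:
    """Enumerate HKCU value names through advapi32 so embedded NULs survive (Windows only)."""
    import winreg                             # only for the HKEY/KEY_READ constants
    adv = ctypes.WinDLL("advapi32", use_last_error=True)
    hkey = ctypes.c_void_p()
    err = adv.RegOpenKeyExW(ctypes.c_void_p(winreg.HKEY_CURRENT_USER), subkey, 0,
                            winreg.KEY_READ, ctypes.byref(hkey))
    if err:
        raise OSError(err, f"RegOpenKeyExW failed for {subkey}")
    names = []
    try:
        while True:
            buf = ctypes.create_unicode_buffer(16384)    # max value name is 16383 chars
            count = ctypes.c_uint32(len(buf))            # in: buffer size; out: chars stored
            err = adv.RegEnumValueW(hkey, len(names), buf, ctypes.byref(count),
                                    None, None, None, None)
            if err == ERROR_NO_MORE_ITEMS:
                break
            if err:
                raise OSError(err, "RegEnumValueW failed")
            names.append(buf[:count.value])   # slice, not .value: .value stops at a NUL
    finally:
        adv.RegCloseKey(hkey)
    return names

def scan_autostart_keys() -> dict:
    """Map each flagged HKCU autostart value path to the hiding tricks it exhibits."""
    report = {}
    for subkey in AUTOSTART_KEYS:
        for name in enum_value_names(subkey):
            hits = classify_value_name(name)
            if hits:
                report[f"HKCU\\{subkey}\\{name!r}"] = hits
    return report
```

On a Windows host, `scan_autostart_keys()` returns an empty dict when no value name uses either trick; the `repr()` in the reported path makes an embedded NUL visible as `\x00`.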

zero77 commented 5 years ago

@kkar Thanks, I wasn’t aware of both those methods. I know they are not completely hidden, but would it still not help with evasion?

kkar commented 5 years ago

@zero77 it would probably help with any manual inspection. Not with evasion.