georgeneokq / artifact-exterminator

Simple, flexible command-line tool for conducting anti-forensics (for research purposes only)

For discussion: Shimcache removal requires administrator rights #14

Closed georgeneokq closed 1 year ago

georgeneokq commented 1 year ago

Assuming that the attacker manages to get our program running with administrator rights, he will also need to provide administrator account credentials to our program; otherwise we won't be able to schedule a task to clear the shimcache with administrator privileges.

We could continue building our program under the assumption that the attacker understands that the shimcache removal cannot happen if he is not able to provide the required credentials. The attacker would have to use a tool like Mimikatz to acquire the required credentials before he can utilize our program to the fullest extent.

Our program will still come in handy in the case of the attacker having access to administrator credentials prior to launching the attack, for example, if the attacker is a manager in the IT team of a company, or the attacker has conducted reconnaissance to retrieve admin credentials. Either way, our program is simply a tool which can be used by attackers to conduct non-destructive anti-forensics as covertly as possible - we are not writing malware that does "hacker things" like privilege escalation for the attacker.

With that, the program should accept command line arguments for the attacker to specify administrator credentials, so that we can schedule a task to clean the shimcache upon system reboot with administrator privileges. (Linked to issue #6)

georgeneokq commented 1 year ago

After working on the task scheduling feature for clearing shimcache, I found that it is possible to specify the task to run as SYSTEM. This way, the attacker will not be required to provide admin credentials for it to work, but our program will need to be run as admin.