mvrozanti / RAT-via-Telegram

Windows Remote Administration Tool via Telegram
MIT License
646 stars, 347 forks

Hide process(es) from task manager #61

Open mvrozanti opened 5 years ago

mvrozanti commented 5 years ago

This hides a process in some Windows versions. May be worth implementing even if it's not generic.

dudeisbrendan03 commented 5 years ago

This requires the RAT to launch with administrative privileges. Sorry I haven't done anything; lots of work lately, and after it's done I'll get back to this.

dudeisbrendan03 commented 5 years ago

Need to exploit something to obtain administrative privileges if the user doesn't have them (as we're installing drivers). Also the driver won't be signed, so it will not install on most machines; you'll need to disable driver signing (and that will only apply after a reboot).

mvrozanti commented 5 years ago

I hadn't seen that, thanks for pointing that out @dudeisbrendan03. Maybe that functionality could be enabled/disabled at compile time (i.e. if the user knows he's got admin priv.).

In case the user has admin privileges, couldn't we install the drivers, persist the RAT and then wait for the reboot (using only one reboot) before activation?

It may be a cost some users are willing to take on.

dudeisbrendan03 commented 5 years ago

We would have to disable signed driver enforcement (which requires elevated permissions).

mvrozanti commented 5 years ago

For Windows 7 I think it's something like this:

bcdedit.exe -set loadoptions DDISABLE_INTEGRITY_CHECKS
bcdedit.exe -set TESTSIGNING [ON|OFF?]

For Windows 10:

bcdedit.exe /set nointegritychecks on

dudeisbrendan03 commented 5 years ago

bcdedit.exe -set TESTSIGNING ON

dudeisbrendan03 commented 5 years ago

Also requires admin ^

Another idea, try and embed into another process. I've seen RATs that can embed themselves into another process without privilege escalation.

Maybe worth looking into it?
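Added example, not part of this thread or of the project's code: a defender-side audit script that parses `bcdedit /enum` output and flags the three boot-configuration settings the bcdedit commands above change (`testsigning`, `nointegritychecks`, and a `loadoptions` value containing `DISABLE_INTEGRITY_CHECKS`). Any of these present on a boot entry means driver signature enforcement has been weakened and a reboot will load unsigned drivers, which is worth alerting on. The sample output embedded in the script is constructed, not captured from a real host; on Windows the script runs the real `bcdedit /enum` (which itself needs an elevated prompt) and falls back to the sample anywhere else.

```python
import re
import subprocess
import sys

# Boot-configuration settings that weaken driver signature enforcement.
# Maps the bcdedit setting name to a predicate over its displayed value.
RISKY_SETTINGS = {
    "testsigning": lambda v: v.strip().lower() == "yes",
    "nointegritychecks": lambda v: v.strip().lower() == "yes",
    "loadoptions": lambda v: "DISABLE_INTEGRITY_CHECKS" in v.upper(),
}

# Constructed sample of `bcdedit /enum` output (not captured from a real host)
# with all three weakening settings present on the {current} loader entry.
SAMPLE_BCDEDIT_OUTPUT = """\
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\\Device\\HarddiskVolume1
description             Windows Boot Manager

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \\Windows\\system32\\winload.efi
description             Windows 10
loadoptions             DDISABLE_INTEGRITY_CHECKS
testsigning             Yes
nointegritychecks       Yes
"""

# bcdedit prints "<setting>  <value>" lines; setting names are lowercase
# identifiers, which distinguishes them from section titles and dash rules.
SETTING_LINE = re.compile(r"^([a-z][a-z0-9]*)\s+(.+?)\s*$")


def parse_bcd_entries(text):
    """Split bcdedit output into one dict of settings per boot entry."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            # Blank line separates boot entries.
            if current:
                entries.append(current)
                current = {}
            continue
        match = SETTING_LINE.match(line)
        if match:
            current[match.group(1)] = match.group(2)
    if current:
        entries.append(current)
    return entries


def weakened_boot_settings(text):
    """Return (entry identifier, setting, value) for each weakening setting found."""
    findings = []
    for entry in parse_bcd_entries(text):
        ident = entry.get("identifier", "<unknown>")
        for setting, is_risky in RISKY_SETTINGS.items():
            value = entry.get(setting)
            if value is not None and is_risky(value):
                findings.append((ident, setting, value))
    return findings


def current_bcd_output():
    """Read the live store on Windows (needs an elevated prompt); else use the sample."""
    if sys.platform == "win32":
        try:
            proc = subprocess.run(["bcdedit", "/enum"], capture_output=True,
                                  text=True, check=True)
            return proc.stdout
        except (OSError, subprocess.CalledProcessError):
            pass  # not elevated or bcdedit missing: fall back to the sample
    return SAMPLE_BCDEDIT_OUTPUT


if __name__ == "__main__":
    hits = weakened_boot_settings(current_bcd_output())
    for ident, setting, value in hits:
        print(f"{ident}: {setting} = {value}")
    print(f"{len(hits)} weakening setting(s) found")
```

Running it against the constructed sample reports all three settings on the `{current}` entry and nothing on `{bootmgr}`; a clean store yields an empty list, so the function is suitable for a scheduled compliance check that alerts on any non-empty result.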

mvrozanti commented 5 years ago

Definitely, but is it possible to maintain? That is, hasn't micro$oft patched this yet??

dudeisbrendan03 commented 5 years ago

It's not something that Microsoft would look into solving. It's up to the process rather than the OS.

Electron apps are usually easy to inject into and are pretty common (e.g. Discord).

mvrozanti commented 5 years ago

I didn't know. I thought it was the other way around. Great idea though, definitely worth looking into.