Covering Tracks on Windows like a pro
Covering tracks is an integral and final part of malware operation. This blog describes a situation in which live training is given to security experts: a dummy hostile agent is asked to break security features and defeat all security mechanisms that may aid forensic investigation. This shows users the real-life methods malware authors use to clear their digital footprint.
1) Event logs have an allotted space; on exceeding the space allocated for logs, either logging stops or old logs are eliminated (depending on the policy set). Thus the space is filled with a lot of gibberish data, including all unnecessary logging events (which hold little or no forensic value).
You can view the Windows PowerShell event log in Event Viewer or by using the Get-EventLog and Get-WmiObject cmdlets. To view the contents of the Windows PowerShell log, type (in PowerShell):
Get-EventLog -LogName "Windows PowerShell"
2) Real-time detection prevention by communicating with the command and control server using Google sub-domains and social networking websites like Facebook, Orkut, Pastebin, etc.
-> Exfiltrating through social media sites is a very easy and stealthy way of leaking data.
3) Using dual-use tools: most of the interaction with the system should happen using dual-purpose tools (they leave proper digital artifacts, but they do not look suspicious).
-> Internal network reconnaissance: net (net user, net start, net view), systeminfo, whoami, hostname, quser, ipconfig
-> Credential harvesting: Mimikatz (try not to use this one), WCE, pwdump
-> Lateral movement: RDP, PsExec, PowerShell
-> Data exfiltration: FTP, RAR, ZIP, iExplorer, PuTTY, PowerShell, rdpclip
-> Fallback backdoor: net user, RDP, Telnet server
4) Establishing a VPN for C2 communication may facilitate bypassing some network monitoring measures (try to set up personal VPN servers rather than relying on third parties).
5) Find busy servers: they act as a perfect cover for internal hop-points and for lateral movement of malware configuration files.
6) The network between infected systems should be of mesh type.
Destroying or removing malware on one or a group of systems shouldn't break the link between the malware author and the rest of the infected machines (used in botnets).
Depending solely on Tor to hide the command and control server is not advised, as many attack methods have surfaced where old infrastructure or the capture of a significant number of Tor end-nodes may reveal your identity.
7) Use multi-layered defense procedures to hide your identity; never rely on one service like proxy-chains, a single VPN or Tor.
8) There are also various direct memory access (DMA) related attacks, such as PCILeech or the Thunderbolt attack on Macs, as well as complete bootkits like Thunderstrike. Attackers can step up to the next level of sophistication with firmware malware inside devices or even the CPU itself. Such attacks are rare, as they are not easy to pull off.
Do you think the DMA problem has been resolved by using sophisticated hardware like a TPM? Then give your knowledge a review…
9) Even if a staged dropper is implemented, staged malware components should be downloaded using data-hiding techniques like steganography or strong encryption.
10) Always use ReFUDs and crypters to reduce the detection probability of the malware.
11) Always try to enumerate as many network connections as possible, as sometimes backup facilities are also connected through the network; in this way backups could also be encrypted or cleared.
12) If using a ransomware simulation, always include a script that deletes shadow volumes and backup files.
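From the defender's side, points 3 and 12 both leave their trace in the same place: Security log process-creation events (Event ID 4688). The script below is an added example, not code from the original post, and it assumes that "Audit Process Creation" is enabled, that the shell runs elevated, and that the 10-minute window and four-tool threshold are illustrative values to tune locally. It flags any command line that deletes shadow copies or backup catalogs, and reports a burst of the dual-use reconnaissance tools listed above from a single account.

```powershell
# Added example (defender side; not code from the original post). Hunts the
# Security log's 4688 process-creation events for the dual-use tools listed in
# point 3 and for the backup / shadow-copy tampering described in point 12.
# Assumes: "Audit Process Creation" is enabled, the shell runs elevated, and
# the thresholds (10-minute window, 4 distinct tools) are illustrative.

# Command lines only appear in 4688 when this policy value is 1.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
$cmdLineLogged = (Get-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -ErrorAction SilentlyContinue).ProcessCreationIncludeCmdLine_Enabled -eq 1
if (-not $cmdLineLogged) {
    Write-Warning 'ProcessCreationIncludeCmdLine_Enabled is off: only image names can be matched.'
}

# Recon / lateral-movement binaries from point 3. Each is benign on its own,
# so the signal is several of them from one account in a short window.
$dualUse = 'net.exe','net1.exe','systeminfo.exe','whoami.exe','hostname.exe',
           'quser.exe','ipconfig.exe','psexec.exe','psexesvc.exe','rar.exe','putty.exe'

# Command-line patterns that destroy recovery points (point 12). One hit is enough to alert.
$backupTamper = 'vssadmin(\.exe)?\s+delete\s+shadows',
                'wmic(\.exe)?\s+shadowcopy\s+delete',
                'wbadmin(\.exe)?\s+delete\s+catalog',
                'bcdedit(\.exe)?\s+.*recoveryenabled\s+no'

function Get-ProcessCreationRows {
    param([datetime]$Since = (Get-Date).AddHours(-24))
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            User    = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
            Image   = [IO.Path]::GetFileName([string]$d['NewProcessName']).ToLower()
            CmdLine = [string]$d['CommandLine']
        }
    }
}

function Find-BackupTampering {
    param($Rows)
    foreach ($r in $Rows) {
        foreach ($p in $backupTamper) {
            if ($r.CmdLine -match $p) { $r; break }
        }
    }
}

function Find-ReconBurst {
    param($Rows, [int]$WindowMinutes = 10, [int]$MinTools = 4)
    $byUser = $Rows | Where-Object { $dualUse -contains $_.Image } | Group-Object User
    foreach ($g in $byUser) {
        $list = @($g.Group | Sort-Object Time)
        for ($i = 0; $i -lt $list.Count; $i++) {
            # Sliding window starting at each execution by this user.
            $end   = $list[$i].Time.AddMinutes($WindowMinutes)
            $tools = @($list | Where-Object { $_.Time -ge $list[$i].Time -and $_.Time -le $end } |
                       ForEach-Object Image | Sort-Object -Unique)
            if ($tools.Count -ge $MinTools) {
                [pscustomobject]@{ User = $g.Name; Start = $list[$i].Time; Tools = ($tools -join ', ') }
                break   # one finding per user is enough for triage
            }
        }
    }
}

$rows = Get-ProcessCreationRows
Find-BackupTampering $rows | Format-Table Time, User, CmdLine -AutoSize
Find-ReconBurst $rows      | Format-Table -AutoSize
```

The two findings deserve different handling: a single shadow-copy or catalog deletion is worth an immediate alert, whereas the tool burst is a triage lead, because the same binaries appear in ordinary helpdesk activity. Both depend on 4688 events surviving on the host, which is why the retention and forwarding checks matter as much as the query itself.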
Do not straight away disable all the logs at the first point of infection; it raises several alarms on internal IDS/IPS systems.
13) Try to keep the movement of malware as dormant as possible; this includes staying dormant for a few hours after performing a download or upload.
14) A simple way to clear the log files on Windows systems is to use the clearlogs.exe file.
clearlogs.exe -sec
Don't forget to remove clearlogs.exe before leaving the system, as the mere presence of the clearlogs file will be telltale evidence that someone has compromised the system.
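Point 1 (flooding a size-capped log until old records are overwritten) and point 14 (clearing a log outright) are the two things a defender most wants to catch on the log itself. The script below is an added example, not code from the original post, and assumes an elevated shell, that the listed log names exist on the host, and that the 100 MB threshold is an illustrative value. It reports each log's size, retention mode and oldest surviving record, flags small circular logs that have wrapped recently, and looks for the events that clearing leaves behind: 1102 in the Security log when Security is cleared, and 104 in the System log for any other channel.

```powershell
# Added example (defender side; not code from the original post). Audits the
# size and retention settings that the log-flooding in point 1 relies on, and
# looks for the events that clearing a log leaves behind (point 14): 1102 in
# the Security log when Security is cleared, 104 in System for any other log.
# Assumes an elevated shell; the 100 MB threshold is an illustrative choice.
$logsOfInterest = 'Security', 'System', 'Application',
                  'Windows PowerShell', 'Microsoft-Windows-PowerShell/Operational'

function Get-LogRetentionReport {
    foreach ($name in $logsOfInterest) {
        $l = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
        if (-not $l) { continue }
        $oldest = Get-WinEvent -LogName $name -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
        # Circular mode overwrites the oldest records once MaximumSizeInBytes is hit,
        # so a circular log whose oldest surviving record is only hours old has wrapped.
        $wrapped = $oldest -and $l.LogMode -eq 'Circular' -and
                   $oldest.TimeCreated -gt (Get-Date).AddHours(-24)
        [pscustomobject]@{
            Log     = $name
            Enabled = $l.IsEnabled
            MaxMB   = [math]::Round($l.MaximumSizeInBytes / 1MB, 1)
            Mode    = $l.LogMode
            Records = $l.RecordCount
            Oldest  = if ($oldest) { $oldest.TimeCreated } else { $null }
            Finding = if (-not $l.IsEnabled) { 'log disabled' }
                      elseif ($wrapped) { 'wrapped in <24h: raise size or forward' }
                      elseif ($l.LogMode -eq 'Circular' -and $l.MaximumSizeInBytes -lt 100MB) { 'small circular log' }
                      else { 'ok' }
        }
    }
}

function Find-LogCleared {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    $queries = @{ LogName = 'Security'; Id = 1102; StartTime = $Since },
               @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Eventlog'; Id = 104; StartTime = $Since }
    foreach ($q in $queries) {
        foreach ($e in (Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue)) {
            # Both events carry the clearing account under UserData/LogFileCleared;
            # 104 additionally names the channel that was cleared.
            $u = ([xml]$e.ToXml()).Event.UserData.LogFileCleared
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Id      = $e.Id
                Cleared = if ($e.Id -eq 1102) { 'Security' } else { $u.Channel }
                By      = '{0}\{1}' -f $u.SubjectDomainName, $u.SubjectUserName
            }
        }
    }
}

Get-LogRetentionReport | Format-Table -AutoSize
Find-LogCleared        | Format-Table -AutoSize
```

Neither check helps once the local log is gone, so the practical mitigation is to forward these channels off the host (for example with Windows Event Forwarding to a collector) and alert on 1102 and 104 unconditionally there; a cleared log is then an indicator rather than a lost record, and a flooded one still has its older records on the collector.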
Ways to remove CMD, PowerShell and these logs are given in the link below:
15) Whenever using encryption in malware, always store the asymmetric private key on the server; never leave it hard-coded in the malware or on the infected system.
Apart from these methods, there are tons more anti-forensics memory and hardware methods, which I will cover in the next parts of this blog.