Tag Archives: Windows

Persistence via Creating a Windows Service

In this scenario, we assume that we already have a reverse shell to the victim’s machine and want to keep persistent access to it. For this, we will use Windows services.

First, we start with creating a malicious .exe file called mal.exe with msfvenom.

With this payload, we will be able to create a service that runs our malicious executable.

As the second step, I need to download it to the victim’s machine. For this, I start a web server on my Kali box and run the command below on the victim’s machine:

This command can download any file with PowerShell. As you can see, I run it from my first reverse shell on the victim.

Now I need to create a Windows service for persistence that uses my mal.exe file, so that mal.exe is executed on the machine whenever the service runs:

After creating the service, called MalService, I start it with the second command above.

While listening on port 4445, as soon as I start MalService on the victim’s machine I get the reverse shell, as you can see below:

Windows Defender may block the payload as Trojan:Win64/Meterpreter.E, so it is important to test against the victim’s antivirus or EDR before running it.
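From the defender's side, the artefact this technique leaves behind is a new service registration. As an added example (not code from the original post), this PowerShell function audits recent service installations from Event ID 7045 in the System log and flags any whose executable lives outside the usual system and program directories; the function name and the trusted-root list are my own choices.

```powershell
# Added example, not from the original post: audit recent service installations.
# The Service Control Manager logs every new service (sc.exe create, CreateService, ...)
# as Event ID 7045 in the System log; installs whose binary runs from an unexpected
# location (a user profile, a temp folder, a download directory) get flagged.
function Get-SuspiciousServiceInstalls {
    param(
        [int]$Days = 7,
        # Directories an ordinary service binary is expected to live under (assumption)
        [string[]]$TrustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)})
    )
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # EventData order for 7045: ServiceName, ImagePath, ServiceType, StartType, AccountName
        $p = $_.Properties
        $imagePath = [Environment]::ExpandEnvironmentVariables([string]$p[1].Value)
        # Driver entries use \SystemRoot\... or system32\... relative paths; normalise them
        $exe = $imagePath -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        $exe = $exe -replace '^system32\\', "$env:SystemRoot\system32\"
        # Drop surrounding quotes and any arguments so only the executable path remains
        if ($exe -match '^"([^"]+)"') { $exe = $matches[1] } else { $exe = ($exe -split ' ')[0] }
        $trusted = $false
        foreach ($root in $TrustedRoots) {
            if ($root -and $exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $trusted = $true }
        }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            ServiceName = [string]$p[0].Value
            Account     = [string]$p[4].Value
            ImagePath   = $imagePath
            Suspicious  = -not $trusted
        }
    }
}

# Usage: show only the installs that run from an unexpected location
Get-SuspiciousServiceInstalls -Days 30 | Where-Object Suspicious | Format-Table -AutoSize
```

A service dropped into a download folder, as in the walkthrough above, shows up with Suspicious set to True; forwarding 7045 events to a SIEM gives the same signal fleet-wide.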

Are You Ready for EOS of Win Server 2012?

Microsoft is ending its support of Windows Server 2012 R2 on 10 October 2023. Its official EOS date was 9 October 2018, and 10 October 2023 is the extended EOS date. After that, Microsoft will stop providing technical support and bug fixes for newly discovered issues that may impact the usability or stability of these servers.

As we remember from past experience, decisions like this cause serious risks for organizations. After the EOS of Windows 7, most organizations were late in adapting to the change, and Windows 7 became the most vulnerable operating system because it was still so widely used. Attackers focus more on these operating systems precisely because they are left in a vulnerable state.

An operating system change on servers is a really big effort for IT teams: many nights of work, upgrades of several applications, tests, and finally the stress of going to production. So it may take a long time to get ready if the organization has a large estate running this operating system. Any business running Windows Server 2012 or 2012 R2 should plan and upgrade its systems as soon as possible, without waiting for the EOS date.

A New Multi-OS RAT?

A threat actor calling herself ‘0xFF’ advertised a new RAT on HackForums.

According to the threat actor, this new RAT tool supports Windows (amd64, i386, arm, arm64), Linux (amd64, i386, arm, arm64), Darwin (macOS) (amd64 (Intel), arm64 (M1)) and Android (bin) (amd64, i386, arm, arm64).

This multi-OS RAT has the features below:

– No need to lower AV settings to keep running

– Everything is automatically compiled for you.

– Remote non-interactive shell

– No need to remember all the different OSes when doing simple tasks

– Downloading files from an external server to the host

– Uploading files from the computer to the tool’s panel

– Taking screenshots (automatic (every x seconds) or manual)

– Custom scripts that can execute different code on demand on the targeted devices.

– Get notified when devices go online/offline, when a new device connects, or when a command finishes executing.

– Custom installer

– Commands on boot and on new connect

The actor also mentioned that they can create postloads for the customer.

It seems the RAT has several licensing options and is not so expensive. Tools like this make it easier for people without technical knowledge or software skills to carry out attacks on their own. This situation puts institutions under more pressure every day.

Still Have 445 Port Open to Internet?

CVE-2022-26809 is a vulnerability in the Remote Procedure Call Runtime component of Microsoft Windows. If an attacker successfully exploits it, they could run arbitrary code on the affected system.

To exploit this vulnerability, an attacker would need to send a specially crafted RPC call to an RPC host. This could result in remote code execution on the server side with the same permissions as the RPC service.

The vulnerable system can be exploited without any user interaction.

This is a really high-risk vulnerability and should be patched immediately.

Vulnerable Technologies:
Microsoft reports that the following products and versions are vulnerable:

Windows 7 32-bit SP 1
Windows 7 x64 SP 1
Windows 8.1 32-bit
Windows 8.1 x64
Windows 10 32-bit
Windows 10 x64
Windows 10 20H2 32-bit
Windows 10 20H2 ARM64
Windows 10 20H2 x64
Windows 10 21H1 32-bit
Windows 10 21H1 ARM64
Windows 10 21H1 x64
Windows 10 21H2 32-bit
Windows 10 21H2 ARM64
Windows 10 21H2 x64
Windows 10 1607 32-bit
Windows 10 1607 x64
Windows 10 1809 32-bit
Windows 10 1809 ARM64
Windows 10 1809 x64
Windows 10 1909 32-bit
Windows 10 1909 ARM64
Windows 10 1909 x64
Windows 11 ARM64
Windows 11 x64
Windows RT 8.1
Windows Server 2008 32-bit SP 2
Windows Server 2008 x64 SP 2
Windows Server 2008 R2 x64 SP 1
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016
Windows Server 2019
Windows Server 2022
Windows Server Version 20H2

Mitigation:

Microsoft recommends blocking port 445 at the perimeter firewall as a technique to mitigate the possibility of internet-based exploitation.

Remediation:

Organizations need continuous port/vulnerability scanning to detect whether any port is momentarily open to the outside. If continuous scanning is not possible because of sensitive systems, an Attack Surface Management system should be used for instant detection.

How to Disable IP Autoconfiguration

If the DHCP service is enabled and the DHCP server is temporarily or permanently unavailable, TCP/IP assigns the machine a class B IP address from the range 169.254.0.0 to 169.254.255.255. This function in Windows is called “Automatic Private IP Addressing”.

If you want to use static IP addresses on the machine, you need to disable IP autoconfiguration. To disable it:

1- Check on which interface autoconfiguration is on.

2- Check the index number of the interface with the command:

netsh interface ipv4 show inter

Our index is ‘2’ in this example.

3- Run the command below, replacing the ‘2’ with your index number:

netsh interface ipv4 set interface 2 dadtransmits=0 store=persistent

4- Disable the DHCP Client service.

5- Reboot.
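The same procedure in one PowerShell script, as an added example that is not part of the original post: the first function finds the interface index that has fallen back to a 169.254.x.x address (steps 1 and 2), the second applies steps 3 and 4 to that index, with a guard so the DHCP Client service is not disabled while the interface still depends on it. Function names are my own, and index 2 is only the post's example value.

```powershell
# Added example, not from the original post: locate APIPA interfaces and apply
# steps 3 and 4 of the post to the chosen interface index.
function Get-ApipaInterfaces {
    # Any IPv4 address inside 169.254.0.0/16 means autoconfiguration kicked in
    Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.IPAddress -like '169.254.*' } |
        Select-Object InterfaceIndex, InterfaceAlias, IPAddress
}

function Disable-IPAutoconfiguration {
    param(
        [Parameter(Mandatory)][int]$InterfaceIndex,
        [switch]$DisableDhcpClient   # step 4; opt-in because it affects every interface on the host
    )
    # Guard: once the DHCP Client service is gone, an interface still set to DHCP gets no address at all
    $iface = Get-NetIPInterface -InterfaceIndex $InterfaceIndex -AddressFamily IPv4
    if ($DisableDhcpClient -and $iface.Dhcp -eq 'Enabled') {
        throw "Interface $InterfaceIndex still uses DHCP; assign a static IP before disabling the service"
    }
    # Step 3 from the post, with the index filled in
    netsh interface ipv4 set interface $InterfaceIndex dadtransmits=0 store=persistent
    if ($LASTEXITCODE -ne 0) { throw "netsh failed for interface $InterfaceIndex" }
    if ($DisableDhcpClient) {
        # Step 4: the DHCP Client service is registered under the short name 'Dhcp'
        Set-Service -Name Dhcp -StartupType Disabled
        Stop-Service -Name Dhcp -Force
    }
    Write-Host "Done. Reboot to complete the change (step 5)."
}

# Usage (run from an elevated PowerShell):
Get-ApipaInterfaces | Format-Table -AutoSize
# Disable-IPAutoconfiguration -InterfaceIndex 2 -DisableDhcpClient
```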

How to Download Windows 11 ISO

Windows 11 was made available to Windows Insider users. Microsoft released the Windows 11 ISO file for test users today.

To test Windows 11 through the Insider program, users previously had to update from Windows 10 build 21354. Windows 11, which is still in beta, has finally been released. It is expected that the new version will be available to all users by the end of this year.

How to download ISO

  • Click here and log in with your Insider account.
  • Choose “Windows 11 Insider Preview (Beta Channel) 22000.132”.
  • You can use the downloaded ISO file in your virtual environment or to create a bootable USB.

*Please do not trust any third-party download sites; download the file from Microsoft’s site.

Requirements

This new operating system may not work on all systems, so it is important to check the requirements for Windows 11.

  • Processor: 1 gigahertz (GHz) or faster with two or more cores on a compatible 64-bit processor or system on a chip (SoC).
  • RAM: 4 gigabytes (GB) or greater.
  • Storage: 64 GB* or greater available storage is required to install Windows 11.
    • Additional storage space might be required to download updates and enable specific features.
  • Graphics card: Compatible with DirectX 12 or later, with a WDDM 2.0 driver.
  • System firmware: UEFI, Secure Boot capable.
  • TPM: Trusted Platform Module (TPM) version 2.0.
  • Display: High definition (720p) display, 9″ or greater monitor, 8 bits per color channel.
  • Internet connection: Internet connectivity is necessary to perform updates, and to download and use some features.
    • Windows 11 Home edition requires an Internet connection and a Microsoft Account to complete device setup on first use.

Please visit here for more information about the requirements.

Zone Identifier Commands

The Zone Identifier tells us whether a file was downloaded from the Internet or not.

A Zone.Identifier is an ADS (Alternate Data Stream) attached to another file that contains information about that file: it describes the security zone the file came from. Zone Identifier streams are generated by Internet Explorer and Outlook when saving files on a Windows operating system. They are normally hidden and cannot be opened directly.

Via PowerShell, we can read the Zone Identifier of a file:

PS C:\Progs\Forensics> Get-Content -Path C:\Progs\Forensics\autopsy-4.17.0-64bit.msi -Stream zone.identifier

PS C:\Progs\Forensics> Get-Item -Path C:\Progs\Forensics\autopsy-4.17.0-64bit.msi -Stream *
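The two commands above cover one file at a time. As an added example (not from the original post), the function below walks a whole folder, checks each file for a Zone.Identifier stream, and parses the ZoneId (and the HostUrl/ReferrerUrl fields that current browsers also write) into a report; the function name is my own and the folder path is just the one used on this page.

```powershell
# Added example, not from the original post: report for every file in a folder
# whether it carries a Zone.Identifier stream and which zone it came from.
# ZoneId values: 0 local machine, 1 intranet, 2 trusted sites, 3 Internet, 4 restricted sites.
function Get-ZoneIdentifierReport {
    param([string]$Path = '.', [switch]$Recurse)
    $zones = @{ '0' = 'LocalMachine'; '1' = 'Intranet'; '2' = 'Trusted'; '3' = 'Internet'; '4' = 'Restricted' }
    Get-ChildItem -LiteralPath $Path -File -Recurse:$Recurse | ForEach-Object {
        $file = $_
        # Get-Item -Stream * lists every ADS; an ordinary file only shows ':$DATA'
        $hasZone = [bool](Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                          Where-Object { $_.Stream -eq 'Zone.Identifier' })
        $zoneId = $null; $hostUrl = $null; $referrer = $null
        if ($hasZone) {
            # The stream is a small INI-style text: [ZoneTransfer] / ZoneId=3 / HostUrl=... / ReferrerUrl=...
            $lines = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
            foreach ($line in $lines) {
                if     ($line -match '^ZoneId=(\d+)')     { $zoneId   = $matches[1] }
                elseif ($line -match '^HostUrl=(.+)')     { $hostUrl  = $matches[1] }
                elseif ($line -match '^ReferrerUrl=(.+)') { $referrer = $matches[1] }
            }
        }
        [pscustomobject]@{
            File        = $file.Name
            HasZone     = $hasZone
            Zone        = if ($zoneId -and $zones.ContainsKey($zoneId)) { $zones[$zoneId] } else { $zoneId }
            HostUrl     = $hostUrl
            ReferrerUrl = $referrer
        }
    }
}

# Usage: list only the files that came from the Internet zone
Get-ZoneIdentifierReport -Path 'C:\Progs\Forensics' -Recurse |
    Where-Object { $_.Zone -eq 'Internet' } | Format-Table -AutoSize
```

Drop the Where-Object filter to see every file, including those with no stream at all; in an investigation the HostUrl column is often the quickest pointer to where a suspicious file was fetched from.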

How To Remove Zone Identifier

For several reasons, you may choose to delete Zone Identifiers. It is very easy: just right-click the file and tick “Unblock” in the “Properties > General” tab.

If you want to unblock multiple files, it is still easy. Just navigate with PowerShell to the folder containing the files and type:

dir -File | Unblock-File

This will clear the Zone Identifier from every file in this folder.