7. System Hacking P.2_2ad0c1123a157cef39bbb0278f15e389

MODULE 7:

SYSTEM HACKING
(PART - 2)
ITOP
Maintaining Access

• After gaining access and escalating privileges on the target system, attackers try to maintain their access
for further exploitation of the target system or make the compromised system a launchpad from which to
attack other systems in the network.

• Attackers remotely execute malicious applications such as keyloggers, spyware, and other malicious
programs to maintain their access to the target system and steal critical information such as usernames and
passwords.

• Attackers hide their malicious programs or files using rootkits, steganography, NTFS data streams, etc. to
maintain their access to the target system.
Maintaining Access: Executing Applications

• Once attackers have gained higher privileges on the target system through privilege escalation, they may execute a malicious application, often by exploiting a vulnerability that allows arbitrary code execution.

• By executing malicious applications, the attacker can steal personal information, gain unauthorized access to system resources, crack passwords, capture screenshots, install a backdoor for maintaining easy access, etc.
Maintaining Access: Executing Applications

• The malicious programs attackers execute on target systems can be:

- Backdoors: Programs that give the attacker a way back into the system that bypasses normal authentication, often bundled with functions to disrupt operation, gather information that leads to further exploitation or loss of privacy, or grant unauthorized access to system resources.

- Crackers: Components of software or programs designed for cracking a code or passwords.

- Keyloggers: These can be hardware or software. In either case, the objective is to record each keystroke made on the computer keyboard.

- Spyware: Spy software may capture screenshots and send them to a location defined by the attacker. For this purpose, attackers have to maintain access to the victim's computer. After extracting all the required information from the victim's computer, the attacker installs one or more backdoors to maintain easy access to it in the future.
Remote Code Execution Techniques:
Exploitation for Client Execution

• Remote code execution techniques are various tactics that can be used by attackers to execute
malicious code on a remote system. These techniques are often performed after compromising
a system initially and further expanding access to remote systems present on the target
network.
• Some examples of remote code execution techniques are as follows:

Exploitation for Client Execution


• Insecure coding practices can make software vulnerable to various attacks. Attackers exploit these underlying vulnerabilities through focused and targeted exploitation with the objective of arbitrary code execution, which they then use to maintain access to the remote target system.
Remote Code Execution Techniques:
Exploitation for Client Execution

Web-Browser-Based Exploitation
• Attackers target web browsers through spearphishing links and drive-by compromise. Remote systems can be compromised during normal browsing of a site the attacker has compromised, or when targeted users follow spearphishing links to attacker-controlled sites that exploit the browser.
• Beyond visiting the page, this type of exploitation needs no further user interaction to execute.

Office-Applications-Based Exploitation
• Attackers target common office applications such as Microsoft Office through different variants of
spearphishing. Emails containing links to malicious files are directly sent to the end-users for downloading.
To run the exploit, end-users are required to open a malicious document or file.
Remote Code Execution Techniques:
Scheduled Task

Scheduled Task
• Scheduled tasks let routine jobs run on a computer automatically. The schtasks command-line utility (and the older at utility, deprecated since Windows 8 in favour of schtasks) drives the Windows Task Scheduler to run a program or script at a chosen date and time or on a trigger such as system startup or user logon. Attackers use task scheduling to run malicious programs at startup or at a set time, both to maintain access and to execute code under a more privileged account: a task can be registered to run as SYSTEM, and schtasks can create tasks on a remote host (/S) if the attacker already holds credentials for it.
Remote Code Execution Techniques:
Service Execution

Service Execution
• System services are programs that run in the background of an OS. Attackers run binaries or commands that interact with the Windows Service Control Manager (for example sc create, or a tool such as PsExec, which installs its own temporary service on the target) to execute code with service privileges. The technique is used both during privilege escalation, because services commonly run as SYSTEM, and for maintaining access, either by creating a new service or by modifying the binary path of an existing one.
Tools for Executing Applications
RemoteExec
Source: https://www.isdecisions.com
• RemoteExec remotely installs applications,
executes programs/scripts, and updates files and
folders on Windows systems throughout the
network.
• This allows an attacker to modify the registry,
change local admin passwords, disable local
accounts, and copy/ update/delete files and
folders.
• As shown in the screenshot, attackers use the
RemoteExec tool to remotely execute files by
selecting the target OS and the file to be executed.
Tools for Executing Applications

Some other tools that can be used to execute applications on remote systems are listed as follows:

• Pupy (https://github.com)

• PDQ Deploy (https://www.pdq.com)

• Dameware Remote Support (https://www.dameware.com)

• ManageEngine Desktop Central (https://www.manageengine.com)

• PsExec (https://docs.microsoft.com)
Keylogger

• Keyloggers are software programs or hardware devices that record the keys struck on the computer keyboard
(also called keystroke logging) of an individual computer user or a network of computers.

• It records almost all the keystrokes on a keyboard of a user and saves the recorded information in a text file.

• As keyloggers hide their processes and interface, the target is unaware of the keylogging. Offices and
industries use keyloggers to monitor employees’ computer activities, and they can also be used in home
environments for parents to monitor children’s Internet activities.
Keylogger

A keylogger can:
• Record every keystroke typed on the user’s keyboard
• Capture screenshots at regular intervals, showing user activity such as typed characters or clicked mouse
buttons
• Track the activities of users by logging Window titles, names of launched applications, and other information
• Monitor the online activity of users by recording addresses of the websites visited and with keywords entered
• Record all login names, bank and credit card numbers, and passwords, including hidden passwords or data
displayed in asterisks or blank spaces
• Record online chat conversations
• Make unauthorized copies of both outgoing and incoming email messages
Types of Keystroke Loggers

• Keyloggers save captured keystrokes to a file for reading later, or transmit them to a place where the attacker
can access it.
• As these programs record all the keystrokes that are provided through a keyboard, they can capture
passwords, credit card numbers, email addresses, names, postal addresses, and phone numbers. Keyloggers
can capture information before it is encrypted. This gives the attacker access to passphrases and other “well-
hidden” information.
Types of Keystroke Loggers
Hardware Keyloggers

These types of keyloggers include:

• PS/2 keylogger

• USB keylogger

• Wi-Fi keylogger

• Keylogger embedded inside the keyboard

• Bluetooth keylogger

• Hardware keylogger
How to Defend against Keyloggers

• Different countermeasures to defend against keyloggers are listed as follows:

• Use pop-up blockers and avoid opening junk emails.

• Install anti-spyware/antivirus programs and keep the signatures up to date.

• Install professional firewall software and anti-keylogging software.

• Recognize phishing emails and delete them.

• Regularly update and patch system software.

• Do not click on links in unsolicited or dubious emails that may direct you to malicious sites.

• Use keystroke interference software that inserts randomized characters into every keystroke.
How to Defend against Keyloggers
• Keep hardware systems in a locked environment and frequently inspect keyboard cables and the PS/2 and USB ports for inline devices that could be hardware keyloggers.

• Use software that regularly scans for and monitors changes in your system or network.

• Install a host-based IDS, which can monitor your system and alert on or block the installation of keyloggers.

• Use one-time passwords (OTP) or other authentication mechanisms such as two-step or multi-step verification to authenticate users, so that a captured password alone is not enough to log in.

• Enable application whitelisting to block downloading or installing of unwanted software such as keyloggers.

• Use a VPN to protect traffic on the network; note that this does not defeat a keylogger on the endpoint, which captures keystrokes before anything is encrypted.

• Use process-monitoring tools to detect suspicious processes and system activities.

• Regularly patch and update software and the OS.


Anti-Keyloggers
• Anti-keyloggers, also called anti-keystroke loggers, detect and disable keystroke logger software. They are purpose-built to recognise software keyloggers. Many large organizations, financial institutions, online gaming companies, and individuals use anti-keyloggers to protect their privacy while using systems.

• This software prevents a keylogger from logging the keystrokes typed by the victim, and thus keeps personal information safe. An anti-keylogger scans a computer and detects and removes keystroke-logging software. If it finds any keystroke-logging program on the computer, it identifies and removes it, whether the program is legitimate or illegitimate.


Anti-Keyloggers

Zemana AntiLogger

Source: https://www.zemana.com

• Zemana AntiLogger is a software application that blocks attackers. It detects any attempts to modify your computer's settings, record your activities, hook into your PC's sensitive processes, or inject malicious code into your system.

• The AntiLogger detects the malware by its behaviour at the time it attacks your system, rather than by matching a signature fingerprint.
Anti-Keyloggers

Some examples of anti-keyloggers are listed as follows:

• GuardedID (https://www.strikeforcecpg.com)

• KeyScrambler (https://www.qfxsoftware.com)

• Oxynger KeyShield (https://www.oxynger.com)

• Ghostpress (https://schiffer.tech)

• SpyShelter Free Anti-Keylogger (https://www.spyshelter.com)


Rootkits

• All files carry a set of attributes stored in several fields. One field holds flags such as hidden, archive, or read-only; others record the file's creation, last-access, and modification times and its size. On Windows, the functions GetFileAttributesExA() and GetFileInformationByHandle() read this information, and ATTRIB.exe displays or changes the attribute flags. An attacker can hide files (for example by setting the hidden and system attributes) or alter their attributes so that the attacker's files are less likely to be noticed.
Rootkits

The attacker places a rootkit by

• Scanning for vulnerable computers and servers on the web

• Wrapping the rootkit in a special package like a game

• Installing it on public or corporate computers through social engineering

• Launching a zero-day attack (privilege escalation, Windows kernel exploitation, etc.)


Rootkits

Objectives of a rootkit:

• To root the host system and gain remote backdoor access

• To mask attacker tracks and presence of malicious applications or processes

• To gather sensitive data, network traffic, etc. from the system for which attackers might be restricted or have no

access

• To store other malicious programs on the system and act as a server resource for bot updates
Types of Rootkits
There are six types of rootkits available:

1. Hypervisor-Level Rootkit:

• Attackers create hypervisor-level rootkits by exploiting hardware virtualization features such as Intel VT and AMD-V. These rootkits run in "Ring -1" and host the OS of the target machine as a virtual machine, thereby intercepting all hardware calls made by the target OS. This kind of rootkit either modifies the system's boot sequence so that it loads before the original OS, which then runs as a guest, or replaces an existing virtual machine monitor.

2. Hardware/Firmware Rootkit:

• Hardware/firmware rootkits use device or platform firmware to create a persistent malware image in hardware, such as a hard drive, the system BIOS/UEFI, or a network card. The rootkit hides in firmware because users rarely inspect it for code integrity. Because it lives outside the OS and the disk, a firmware rootkit survives OS reinstallation and disk replacement.
Types of Rootkits
3. Kernel-Level Rootkit:

• The kernel is the core of an OS. A kernel-level rootkit runs in Ring 0 with the highest OS privileges. It installs backdoors on the computer by adding code to the kernel or by substituting portions of kernel code with modified code, typically via device drivers on Windows or loadable kernel modules on Linux. If the kit's code contains mistakes or bugs, a kernel-level rootkit affects the stability of the system. Because it has the same privileges as the OS, it is difficult to detect and can intercept or subvert the operation of the OS.

4. Boot-Loader-Level Rootkit:

• Boot-loader-level rootkits (bootkits) work either by modifying the legitimate boot loader or by replacing it with another one. A bootkit activates before the OS starts, so it can tamper with the OS as it loads; bootkits are therefore serious threats, for example because they can capture disk encryption keys and passwords entered at boot.


Types of Rootkits
5. Application-Level/User-Mode Rootkit:

• An application-level/user-mode rootkit runs in Ring 3, as a user process alongside other applications in the system. It exploits the standard behavior of APIs. It operates inside the victim's computer by replacing standard application files (application binaries) with rootkit versions, or by modifying the behavior of existing applications with patches, injected malicious code, etc.

6. Library-Level Rootkits

• Library-level rootkits work higher up in the OS, in user-mode libraries (such as system DLLs or libc). They patch, hook, or replace the library functions that applications call with backdoored versions, filtering the results so that the attacker's files, processes, and connections stay hidden.


How Rootkits Work

Rootkits stay hidden by hooking: they change where control flows when a system function is called. Function-pointer hooking replaces the original pointer in a table such as the SSDT, IDT, or a driver's IRP dispatch table with a pointer to the rootkit's code. Inline function hooking instead overwrites the first bytes of a function inside a core system library (kernel32.dll, ntdll.dll) or the kernel with a jump instruction, so that every call to that function lands in the rootkit first; the rootkit then calls the original function and filters the results before returning them to the caller.
Popular Rootkits
The following are some of the most popular rootkits:

LoJax

Source: https://www.welivesecurity.com

• LoJax is a UEFI rootkit documented by ESET in 2018 as the first UEFI rootkit found in the wild. It writes a malicious UEFI module into the system's SPI flash so that the module runs on every boot, before the OS, and drops its malware into the Windows installation. Because the implant lives in firmware rather than on disk, it evades traditional OS-level security controls and persists even after OS reinstallation or hard disk replacement; detecting it requires checking the firmware image itself.
Popular Rootkits
Scranos

Source: https://www.bitdefender.com

• Scranos is a trojanized rootkit that masquerades as cracked software or a legitimate application, such as anti-malware, a video player, or an ebook reader, to infect systems and perform data exfiltration that damages the reputation of the target and steals intellectual property.

• When the trojanized installer runs, a rootkit driver is installed, which then downloads and installs further malicious components. Apart from installing these components, Scranos also interacts with various websites on behalf of the victim.


Popular Rootkits
Horse Pill

Source: http://www.pill.horse

• Horse Pill is a proof of concept of a ramdisk-based containerizing rootkit. It resides inside the "initrd," and before the real init starts running, it places init into a mount and PID namespace, which allows the rootkit to run covert processes and keep covert storage outside that namespace. This also allows it to run covert networking, such as DNS tunnels.
Popular Rootkits
Necurs

Source: https://www.f-secure.com

• Necurs is a kernel-mode driver component that can be used by an attacker (or added as a component to another malicious program) to perform unauthorized actions and take control of an OS without alerting the system's security mechanisms. Necurs contains backdoor functionality, which allows remote access to and control of the infected computer.

• It also allows the monitoring and filtering of network activity and has been observed sending spam and installing rogue security software.


Detecting Rootkits
Integrity-Based Detection

• Integrity-based detection can be regarded as a substitute for both signature-based and heuristic-based detection. Initially, the user runs a tool such as Tripwire or AIDE on a clean system. The tool creates a baseline of clean system files (cryptographic hashes and metadata) and stores it in a database. Integrity-based detection then compares the current filesystem, boot records, or memory snapshot with that trusted baseline, and reports evidence of malicious activity based on the differences between the current state and the baseline.
Detecting Rootkits
Signature-Based Detection

• Signature-based detection works like fingerprinting: it compares the characteristics of system processes and executable files with a database of known rootkit signatures, for example a sequence of bytes from a file against byte sequences that belong to a known malicious program. The method mostly scans files on disk; scanning kernel memory as well helps against rootkits that hide their files from the filesystem. Signature-based detection is the least reliable method against rootkits, because a rootkit that has hooked the execution path of the scanner can hide its files and processes from it, and no signature exists for a previously unseen rootkit.
Detecting Rootkits
Heuristic/Behavior-Based Detection

• Heuristic-based detection works by identifying deviations from normal OS patterns or behaviors. This type of detection is also known as behavioral detection. Because it looks for deviations rather than known signatures, it can identify new, previously unseen rootkits. Execution path hooking is one such deviation that helps heuristic-based detectors identify rootkits.


Detecting Rootkits
Runtime Execution Path Profiling

• Runtime execution path profiling compares the execution path of system routines against a profile taken on a clean system. A rootkit that hooks a routine inserts extra code into its execution path, so the sequence and number of instructions executed before and after that routine differ noticeably from the profile; the detector traces the instructions around the routine and flags such deviations.
Detecting Rootkits
Alternative Trusted Medium

• The alternative trusted medium technique is the most reliable method for detecting rootkits at the OS level. The infected system is shut down and then booted from alternative trusted media, such as a bootable CD-ROM or USB flash drive. After booting, the OS storage is examined for traces of the rootkit, which can then be removed to restore the system to its normal state.
Detecting Rootkits
Analyzing Memory Dumps

• In memory dump analysis, the volatile memory (RAM) of the suspected system is dumped and analyzed to detect the rootkit. A dump can be a static snapshot of a single process, the system kernel, or the entire system; to find a rootkit, the entire system memory is dumped so that active rootkits and their hooks are captured. The dump can then be examined offline with memory forensics tools, where the rootkit cannot interfere. Acquiring memory without relying on the possibly compromised OS may require specialized hardware (for example DMA-based capture).


Steps for Detecting Rootkits
Steps to detect rootkits by examining the filesystem are as follows.

1. Run "dir /s /b /ah" and "dir /s /b /a-h" inside the potentially infected OS and save the results.

2. Boot into a clean CD, run "dir /s /b /ah" and "dir /s /b /a-h" on the same drive, and save the obtained results.

3. Run the latest version of the WinMerge tool on the two sets of results to detect file-hiding ghostware (i.e., files invisible from inside the OS but visible from outside it).


Steps for Detecting Rootkits
Steps to detect rootkits by examining the registry are as follows.

1. Run regedit.exe from inside the potentially infected OS.

2. Export the HKEY_LOCAL_MACHINE\SOFTWARE and HKEY_LOCAL_MACHINE\SYSTEM hives in text file format.

3. Boot into a clean CD (such as WinPE).

4. Run regedit.exe.

5. Create a new key, such as HKEY_LOCAL_MACHINE\Temp.


Steps for Detecting Rootkits
6. Load the registry hives named Software and System from the suspect OS under the new key. Their default location is c:\windows\system32\config\software and c:\windows\system32\config\system.

7. Export these registry hives in text file format. (The registry hives are stored in binary format; steps 2 and 7 convert them to text so that they can be compared.)

8. Launch the WinMerge tool from the CD and compare the two sets of results to detect keys the rootkit hides (i.e., invisible from inside the OS but visible from outside it).
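Both procedures above (the filesystem listing and the registry export) are the same cross-view comparison: whatever the clean boot medium sees but the running OS does not is being hidden from that OS. The following added example, written for this page and not taken from the slides or from WinMerge, performs that comparison in code for both cases. The listings and registry keys are constructed sample data; "example_hidden" is a made-up name, and the HKLM\Temp prefix models the hive loaded from WinPE in step 5.

```python
"""Cross-view diff behind the two rootkit-detection procedures above.

Added example, not from the slides. Both procedures compare a view taken
from inside the running (possibly infected) OS with a view of the same
data taken from clean boot media. Anything present in the outside view but
absent from the inside view is being hidden from the running OS, which is
the rootkit indicator WinMerge would show. The listings below are
constructed sample data, not real output; 'example_hidden' is a made-up name.
"""

# Entries that legitimately differ between a live system and an offline view.
NOISE_PREFIXES = (
    "c:\\pagefile.sys", "c:\\hiberfil.sys", "c:\\swapfile.sys",
    "c:\\$recycle.bin\\", "c:\\windows\\temp\\",
)

def parse_listing(text, rebase=None):
    """One path or registry key per line, as 'dir /s /b' or a .reg export prints them.
    Windows paths and key names are case-insensitive, so everything is lower-cased.
    rebase=(old_prefix, new_prefix) maps a hive mounted under HKLM\\Temp back to its real path."""
    items = set()
    for line in text.splitlines():
        line = line.strip().lower()
        if not line:
            continue
        if rebase and line.startswith(rebase[0].lower()):
            line = rebase[1].lower() + line[len(rebase[0]):]
        items.add(line)
    return items

def cross_view_diff(inside_text, outside_text, rebase_outside=None, noise=NOISE_PREFIXES):
    inside = parse_listing(inside_text)
    outside = parse_listing(outside_text, rebase_outside)
    return {
        # visible from clean media, invisible to the running OS: the rootkit indicator
        "hidden_from_os": sorted(p for p in outside - inside if not p.startswith(noise)),
        # visible only inside: usually transient files of the live system, worth a glance
        "only_inside": sorted(p for p in inside - outside if not p.startswith(noise)),
    }

# --- constructed sample: combined 'dir /s /b /ah' + 'dir /s /b /a-h' output ------------
INSIDE_FS = """
c:\\windows\\system32\\drivers\\ndis.sys
c:\\windows\\system32\\drivers\\tcpip.sys
c:\\windows\\system32\\ntoskrnl.exe
c:\\pagefile.sys
"""
OUTSIDE_FS = """
C:\\Windows\\System32\\drivers\\ndis.sys
C:\\Windows\\System32\\drivers\\tcpip.sys
C:\\Windows\\System32\\drivers\\example_hidden.sys
C:\\Windows\\System32\\ntoskrnl.exe
"""

# --- constructed sample: key lines of the exported SYSTEM hive -------------------------
INSIDE_REG = """
[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip]
[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Ndis]
"""
# Outside view: the hive was loaded under HKLM\Temp\System from WinPE, so every key carries that prefix.
OUTSIDE_REG = """
[HKEY_LOCAL_MACHINE\\Temp\\System\\ControlSet001\\Services\\Tcpip]
[HKEY_LOCAL_MACHINE\\Temp\\System\\ControlSet001\\Services\\Ndis]
[HKEY_LOCAL_MACHINE\\Temp\\System\\ControlSet001\\Services\\example_hidden]
"""
REG_REBASE = ("[HKEY_LOCAL_MACHINE\\Temp\\System", "[HKEY_LOCAL_MACHINE\\SYSTEM")

def filesystem_findings():
    return cross_view_diff(INSIDE_FS, OUTSIDE_FS)

def registry_findings():
    return cross_view_diff(INSIDE_REG, OUTSIDE_REG, rebase_outside=REG_REBASE)

if __name__ == "__main__":
    for name, result in (("filesystem", filesystem_findings()), ("registry", registry_findings())):
        print(name, "hidden from OS:", result["hidden_from_os"] or "none")
```

To use it on real data, save the two dir listings (or the two .reg exports) to files and pass their contents in place of the constructed strings; the noise list will need entries for whatever legitimately changes between a live boot and an offline view of your systems.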


How to Defend against Rootkits
A few techniques adopted to defend against rootkits are as follows.

• Reinstall OS/applications from a trusted source after backing up critical data

• Maintain well-documented automated installation procedures

• Perform kernel memory dump analysis to determine the presence of rootkits

• Harden the workstation or server against the attack

• Educate staff not to download any files/programs from untrusted sources

• Install network- and host-based firewalls and frequently check for updates

• Ensure the availability of trusted restoration media


How to Defend against Rootkits
• Update and patch OSs, applications, and firmware

• Regularly verify the integrity of system files using cryptographically strong digital fingerprint technologies

• Regularly update antivirus and anti-spyware software

• Keep anti-malware signatures up to date

• Avoid logging into an account with administrative privileges

• Adhere to the least privilege principle

• Ensure that the chosen antivirus software possesses rootkit protection

• Do not install unnecessary applications, and disable the features and services not in use
Anti-Rootkits

GMER

Source: http://www.gmer.net

• GMER is an application that helps security professionals detect and remove rootkits by scanning processes, threads, modules, services, files, disk sectors (MBR), ADSs, registry keys, driver hooks (SSDT, IDT, and IRP calls), and inline hooks.


Anti-Rootkits

A few more important anti-rootkits are listed as follows.

• Stinger (https://www.mcafee.com)

• Avast Free Antivirus (https://www.avast.com)

• TDSSKiller (https://usa.kaspersky.com)

• Malwarebytes Anti-Rootkit (https://www.malwarebytes.com)

• Rootkit Buster (http://www.trendmicro.co.in)


What is Steganography?

• Steganography refers to the art of hiding data "behind" other data without the knowledge of the observer. Thus, steganography hides the existence of a message. It replaces bits of unused or redundant data in ordinary files, such as images, audio, video, and text, with the bits of the hidden message.

• The hidden data can be in the form of plaintext or ciphertext, and sometimes, an image. Using a graphic image as a cover is the most popular method to conceal data in files. Unlike encryption, which is recognisable as such, the detection of steganography can be challenging.

• Thus, steganography techniques are widely used for malicious purposes. For example, attackers can hide a keylogger inside a legitimate-looking image to smuggle it past content filters; the image does not run by itself, so a separate loader on the victim's system extracts the payload from the image and executes it, after which the keylogger captures the victim's keystrokes.
What is Steganography?

• Attackers also use steganography to hide information where overt encryption would attract attention. The hidden payload is usually encrypted before it is embedded, so even if a defender detects that something is hidden, the content is not readable without the key. Attackers can embed information such as source code for a hacking tool, a list of compromised servers, plans for future attacks, and communication and coordination channels.
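The most common image method mentioned above, least-significant-bit (LSB) embedding, is shown below as an added example written for this page; it is not code from the slides or from any steganography tool. The cover is a raw array of 8-bit grayscale samples constructed with a formula, standing in for the pixel data of a decoded BMP/PNG, and the payload is a constructed string.

```python
"""LSB image steganography: embedding, extraction and the 'invisible' change.

Added example for the passage above; not code from the slides. The cover
is treated as a raw array of 8-bit pixel samples (what you get after
decoding a BMP/PNG into grayscale), constructed here with a formula so the
example runs without an image file. Each payload bit replaces the least
significant bit of one sample, so no sample changes by more than 1, which
is why the result looks identical to the eye and why detection is hard.
A 4-byte length header precedes the payload so the extractor knows how
many bits to read.
"""
import struct

def make_cover(width=64, height=64) -> bytes:
    """Constructed grayscale 'image': a gradient with some texture."""
    return bytes(((x * 3 + y * 2 + ((x * y) % 7)) % 256) for y in range(height) for x in range(width))

def capacity(cover: bytes) -> int:
    """Payload bytes the cover can carry, after the 4-byte length header."""
    return len(cover) // 8 - 4

def _bits(data: bytes):
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1

def lsb_embed(cover: bytes, payload: bytes) -> bytes:
    """Write header+payload into the LSBs of consecutive samples."""
    if len(payload) > capacity(cover):
        raise ValueError(f"payload of {len(payload)} bytes exceeds capacity {capacity(cover)}")
    frame = struct.pack(">I", len(payload)) + payload
    stego = bytearray(cover)
    for i, bit in enumerate(_bits(frame)):
        stego[i] = (stego[i] & 0xFE) | bit      # clear the LSB, then set it to the payload bit
    return bytes(stego)

def _read_bytes(samples: bytes, start: int, count: int) -> bytes:
    out = bytearray()
    for b in range(count):
        value = 0
        for i in range(8):
            value = (value << 1) | (samples[start + b * 8 + i] & 1)
        out.append(value)
    return bytes(out)

def lsb_extract(stego: bytes) -> bytes:
    """Read the length header, then exactly that many payload bytes."""
    (length,) = struct.unpack(">I", _read_bytes(stego, 0, 4))
    if length > capacity(stego):
        # A natural LSB plane almost never yields a plausible length: a crude 'is there a message?' check.
        raise ValueError("no valid LSB payload header in this cover")
    return _read_bytes(stego, 32, length)

def max_sample_change(cover: bytes, stego: bytes) -> int:
    """Largest per-sample difference the embedding introduced (0 or 1 for LSB)."""
    return max(abs(a - b) for a, b in zip(cover, stego))

if __name__ == "__main__":
    cover = make_cover()
    secret = b"list of compromised hosts: 10.0.0.5, 10.0.0.9"   # constructed payload
    stego = lsb_embed(cover, secret)
    print("recovered:", lsb_extract(stego))
    print("max pixel change:", max_sample_change(cover, stego))
```

The length-header check is the weakest form of detection; real steganalysis looks at the statistics of the LSB plane (for example chi-square tests on pairs of values), which is also why attackers encrypt the payload first, as the passage notes: an encrypted payload leaves an LSB plane that looks uniformly random rather than structured.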


Clearing Tracks: Covering Tracks

• Covering tracks is one of the main stages during system hacking. In this stage, the attacker tries to avoid being detected or "traced" by covering all "tracks," that is, the logs generated while accessing the target network or computer. We now look at how the attacker removes traces of an attack on a target computer.

• Erasing evidence is a must for any attacker who wants to remain unnoticed. It is a method used to evade a traceback. It starts with erasing the logs and any error messages generated during the attack. The attacker may also change the system configuration so that future activities are not logged.
Clearing Tracks: Covering Tracks

• Attackers try to make the system appear as it did before access was gained and a backdoor was established, which includes changing file attributes such as size and timestamps back to their original values. These values are only metadata recorded about the file, so they can be changed without changing the content.

• Protecting against attackers who cover their tracks by changing file metadata is difficult. However, it is possible to detect whether a file was altered by computing a cryptographic hash over the whole file content and comparing it with a hash recorded earlier from a known-good baseline; a timestamp can be reset, but the hash of modified content will not match.

• Attackers may prefer not to clear an entire log, since clearing a log requires administrative privileges and is itself logged (on Windows, clearing the Security log writes event 1102). Removing only the entries that relate to the attack, which requires editing the log file directly rather than using the standard event log tools, is harder to notice.
Techniques Used for Covering Tracks

The main activities that an attacker performs toward removing his/her traces on a computer are as follows:

• Disabling Auditing: An attacker disables auditing features of the target system.

• Clearing Logs: An attacker clears/deletes the system log entries corresponding to his/her activities.

• Manipulating Logs: An attacker alters log entries so that the recorded activity cannot be attributed to him/her or used as evidence.

• Covering Tracks on the Network: An attacker uses techniques such as reverse HTTP shells, reverse ICMP

tunnels, DNS tunneling, and TCP parameters to cover tracks on the network.
Techniques Used for Covering Tracks

• Covering Tracks on the OS: An attacker uses NTFS streams to hide and cover malicious files in the target

system.

• Deleting Files: An attacker uses a command-line tool such as Cipher.exe to delete the data and prevent

recovery of that data in future.

• Disabling Windows Functionality: An attacker disables Windows functionality such as last access

timestamp, hibernation, virtual memory, system restore points, etc. to cover tracks
Disabling Auditing: Auditpol

Source: https://docs.microsoft.com

• One of the first steps for an attacker who has command-line access is to determine the auditing status of the target system, locate sensitive files (such as password files), and implant automatic information-gathering tools (such as a keystroke logger or network sniffer).

• Windows records certain events to the event log (or to an associated syslog forwarder). The log can be configured to send alerts (email, SMS, etc.) to the system administrator. Therefore, the attacker wants to know the auditing status of the system before proceeding.
Disabling Auditing: Auditpol

Enabling system auditing:

C:\>auditpol /set /category:"System","Account Logon" /success:enable /failure:enable

Disabling system auditing:

C:\>auditpol /set /category:"System","Account Logon" /success:disable /failure:disable

Disabling these categories stops the Security log from recording the events that would register the attacker's actions. The audit policy itself is stored in the registry, and the attacker may later try to hide the changed keys as well. Note that changing the audit policy is itself auditable: if the Policy Change category is enabled, each auditpol /set writes event 4719 ("System audit policy was changed"), so defenders should alert on that event.

Attackers can use auditpol to view the auditing settings defined on the target computer by running the following command at the command prompt: auditpol /get /category:*


Clearing Logs

Clear_Event_Viewer_Logs.bat is a batch script that wipes the event logs of the target system. It can be run from the command prompt or PowerShell, or by launching the BAT file directly, and deletes the Security, System, and Application logs. Attackers might use it as one method of covering their tracks on the target system.

Steps to clear logs using the Clear_Event_Viewer_Logs.bat utility are as follows.

1. Download the Clear_Event_Viewer_Logs.bat utility from https://www.tenforums.com.

2. Unblock the .bat file.

3. Right-click or press and hold on the .bat file and click/tap on Run as administrator.
Clearing Logs

4. If prompted by UAC, click/tap on Yes.

5. A command prompt will now open to clear

the event logs. The command prompt will

automatically close when finished.


Clearing Logs
Steps to clear logs using the Meterpreter shell are as follows.

If the system was exploited with Metasploit, the attacker can use the Meterpreter shell to wipe the Application, System, and Security logs of a Windows system:

1. Launch the Meterpreter shell prompt from the Metasploit Framework.

2. Type the clearev command in the Meterpreter shell prompt and press Enter. The logs of the target system will be cleared.


Clearing Logs

Steps to clear event logs using the Clear-EventLog cmdlet are as follows.

Source: https://docs.microsoft.com

Using the Clear-EventLog cmdlet (available in Windows PowerShell 5.1 and earlier, not in PowerShell 7), the attacker can clear classic event logs, including the "Windows PowerShell" log, on local or remote computers:

1. Launch Windows PowerShell with administrator privileges.

2. Use the following command to clear the entries from the PowerShell event log on the local system: >Clear-EventLog "Windows PowerShell"

Clearing Logs

3. Use the following command to clear several named logs on local and remote systems:

>Clear-EventLog -LogName ODiag, OSession -ComputerName localhost, Server02

(This command clears all the log entries in Microsoft Office Diagnostics (ODiag) and Microsoft Office Sessions (OSession) on the local computer and on the remote computer Server02.)

4. Use the following command to clear the Application and System logs on the local system, prompting for confirmation first:

>Clear-EventLog -LogName application, system -confirm


Clearing Logs
Steps to clear event logs using wevtutil utility are as follows.

1. Launch command prompt with administrator privileges.

2. Use the following command to display a list of event logs:

>wevtutil el

3. Use the following command to clear the event logs:

>wevtutil cl <log_name>

log_name: name of the log to clear, e.g. System, Application, Security.

As shown in the screenshot, the attacker can list the event logs with wevtutil and then clear the System, Application, and Security event logs. Clearing a log this way still leaves a trace: Windows writes event 1102 ("The audit log was cleared") to the Security log when that log is cleared, and event 104 to the System log when any other log is cleared.


Manually Clearing Event Logs

Once attackers gain administrative access to a target system, they can manually wipe out the log entries corresponding to their activities on both Windows and Linux computers. The steps to clear event logs on Windows and Linux OSs are as follows:

For Windows

• Navigate to Start → Control Panel → System and Security → Administrative Tools → double-click Event Viewer
• Delete all the log entries logged while compromising the system

For Linux

Navigate to the /var/log directory on the Linux system → open the plaintext file containing log messages, /var/log/messages, with a text editor → delete all the log entries logged while compromising the system
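Every Windows clearing method covered on the preceding slides (Event Viewer, Meterpreter's clearev, Clear-EventLog, wevtutil cl) leaves the same footprint: Windows writes Security event 1102 when the Security log is cleared and System event 104 when any other log is cleared, and with command-line auditing enabled the clearing command itself appears in a Security 4688 process-creation event. The detector below is an added example for this section, not code from the original slides; the event records it scans are constructed for the demonstration, and the dict layout (time, host, channel, event_id, command_line) is an assumption about what a log forwarder or SIEM export would provide.

```python
"""Detect Windows event-log clearing in a stream of event records.

Added example, not code from the original slides. SAMPLE_RECORDS is
constructed; the record layout is an assumption about a forwarder's output.
Event IDs used (real Windows IDs):
  Security 1102 - "The audit log was cleared"
  System   104  - "The <log> log file was cleared" (any non-Security log)
  Security 4688 - "A new process has been created" (command line is only
                  present when command-line auditing is enabled)
"""
import re

# (channel, event id) pairs Windows writes when a log is cleared, regardless
# of whether Event Viewer, wevtutil, Clear-EventLog or clearev did it.
LOG_CLEARED_EVENTS = {("Security", 1102), ("System", 104)}

# Command lines matching the clearing tools described on the slides.
CLEAR_COMMAND_PATTERNS = [
    re.compile(r"\bwevtutil(?:\.exe)?\b.*\b(?:cl|clear-log)\b", re.IGNORECASE),
    re.compile(r"\bClear-EventLog\b", re.IGNORECASE),
]


def is_clear_command(command_line):
    """True if a process command line invokes a log-clearing tool."""
    return any(p.search(command_line) for p in CLEAR_COMMAND_PATTERNS)


def detect_log_tampering(records):
    """Return one alert dict per record that indicates log clearing.

    Each record is a dict with keys time, host, channel, event_id and,
    for 4688 events, command_line; user is optional.
    """
    alerts = []
    for rec in records:
        key = (rec["channel"], rec["event_id"])
        if key in LOG_CLEARED_EVENTS:
            alerts.append({
                "time": rec["time"], "host": rec["host"], "kind": "log_cleared",
                "detail": f"{rec['channel']} channel reports a cleared log "
                          f"(event {rec['event_id']}, user {rec.get('user', '?')})",
            })
        elif key == ("Security", 4688) and is_clear_command(rec.get("command_line", "")):
            alerts.append({
                "time": rec["time"], "host": rec["host"], "kind": "clear_command",
                "detail": f"log-clearing command executed: {rec['command_line']}",
            })
    return alerts


# Constructed sample stream: benign logon, a wevtutil cl launch seen via 4688,
# the 1102 and 104 that follow a successful clear, then two benign events.
SAMPLE_RECORDS = [
    {"time": "2024-03-01T09:58:01Z", "host": "WS01", "channel": "Security",
     "event_id": 4624, "user": "CORP\\alice"},
    {"time": "2024-03-01T09:59:10Z", "host": "WS01", "channel": "Security",
     "event_id": 4688, "user": "CORP\\alice",
     "command_line": "cmd.exe /c wevtutil cl Security"},
    {"time": "2024-03-01T09:59:11Z", "host": "WS01", "channel": "Security",
     "event_id": 1102, "user": "CORP\\alice"},
    {"time": "2024-03-01T09:59:12Z", "host": "WS01", "channel": "System",
     "event_id": 104, "user": "CORP\\alice"},
    {"time": "2024-03-01T10:01:00Z", "host": "WS01", "channel": "Security",
     "event_id": 4688, "user": "CORP\\alice",
     "command_line": "notepad.exe C:\\Users\\alice\\notes.txt"},
    {"time": "2024-03-01T10:02:00Z", "host": "WS01", "channel": "System",
     "event_id": 7036},
]

if __name__ == "__main__":
    for alert in detect_log_tampering(SAMPLE_RECORDS):
        print(alert["time"], alert["host"], alert["kind"], "-", alert["detail"])
```

The 1102/104 events are the reliable signal: they are written by the Event Log service itself, so they survive even when the attacker never typed a command (Event Viewer or clearev). The 4688 check only works when process command-line auditing is on, which is why the countermeasures later in this module insist on forwarding events to a separate log server: a 1102 that reached the collector cannot be removed by clearing the local log again.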
Covering Tracks on a Network

Using Reverse HTTP Shells

• An attacker starts this attack by first infecting a victim's machine with malicious code, thereby installing a reverse HTTP shell on the victim's system. This reverse HTTP shell is programmed to ask an external master, which controls it, for commands on a regular basis. This type of traffic is considered normal by an organization's network perimeter security controls such as the DMZ, firewall, etc.

• The shell on the victim's system issues HTTP GET requests, whereas the attacker behaves like a web server and responds to the requests. Once the previous commands are executed, the results are sent in the next web request.

• All the other users in the network can normally access the Internet; therefore, the traffic between the attacker and the victim is seen as normal.
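The property that makes a reverse HTTP shell hard to spot at the perimeter, that it looks like ordinary outbound web traffic, is also what gives it away in proxy logs: the shell polls its master "on a regular basis", so one client keeps fetching the same host at an almost constant interval while human browsing is bursty. The script below is an added example written for this section, not code from the original slides; the proxy log lines are constructed, and the line format "<ISO time> <client> <method> <url> <status> <bytes>" is an assumption rather than any real proxy's format.

```python
"""Flag HTTP beaconing in proxy logs by looking for fixed-interval requests.

Added example, not part of the original slides. SAMPLE_LOG is constructed
and its line format is an assumption, not a real proxy's format.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev
from urllib.parse import urlsplit


def parse_line(line):
    """Split one constructed proxy line into a record dict."""
    ts, client, method, url, status, size = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"time": when, "client": client, "method": method,
            "host": urlsplit(url).hostname, "status": int(status), "bytes": int(size)}


def find_beacons(lines, min_requests=6, max_jitter=0.15):
    """Return {(client, host): mean interval in seconds} for client/host pairs
    whose request spacing is almost constant.

    max_jitter is the largest accepted coefficient of variation
    (stdev / mean) of the inter-request gaps; 0 means perfectly periodic.
    """
    by_pair = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        by_pair[(rec["client"], rec["host"])].append(rec["time"])
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[pair] = avg
    return beacons


# Constructed log: 10.0.0.7 polls 203.0.113.10 (a documentation address range)
# with a GET every 60 s, and also browses www.example.com irregularly.
SAMPLE_LOG = [
    f"2024-03-01T10:{m:02d}:00Z 10.0.0.7 GET http://203.0.113.10/status 200 312"
    for m in range(10)
] + [
    "2024-03-01T10:00:05Z 10.0.0.7 GET https://www.example.com/ 200 51234",
    "2024-03-01T10:00:07Z 10.0.0.7 GET https://www.example.com/app.js 200 9033",
    "2024-03-01T10:02:19Z 10.0.0.7 GET https://www.example.com/news 200 40211",
    "2024-03-01T10:02:21Z 10.0.0.7 GET https://www.example.com/img/a.png 200 2210",
    "2024-03-01T10:07:40Z 10.0.0.7 GET https://www.example.com/news/2 200 38899",
    "2024-03-01T10:07:45Z 10.0.0.7 POST https://www.example.com/comment 302 0",
    "2024-03-01T10:09:30Z 10.0.0.7 GET https://www.example.com/logout 200 1200",
]

if __name__ == "__main__":
    for (client, host), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: request every {interval:.0f}s")
```

Real implants add random sleep jitter, so in practice max_jitter is tuned per environment and combined with other signals from the slide's description (small, near-identical response sizes; the same URI repeated; a destination no other client visits). Software update checks also beacon, which is why the output is a lead for review rather than a verdict.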


Covering Tracks on a Network

Using Reverse ICMP Tunnels

• Internet Control Message Protocol (ICMP) tunneling is a technique in which an attacker uses ICMP echo and reply packets as carriers of a TCP payload to stealthily access or control a system. This method can be used to easily bypass firewall rules, because most organizations have security mechanisms that only check incoming ICMP packets but not outgoing ones.

• An attacker first configures the local client to connect with the victim. The victim's system is triggered to encapsulate a TCP payload in an ICMP echo packet, which is forwarded to the proxy server. The proxy server de-encapsulates and extracts the TCP payload, and then sends it to the attacker.
Covering Tracks on a Network

Using DNS Tunneling

• Attackers can use DNS tunneling to encode malicious content or data of other programs within DNS queries and replies. DNS tunneling usually includes a data payload that can be added to the victim's DNS server to create a backchannel to access a remote server and applications.

• Attackers can employ this backchannel to exfiltrate stolen, confidential, or sensitive information from the server.

• Attackers perform DNS tunneling in various stages; first, they compromise an internal system to create a connection with an external network. Then, they use that compromised system as a command and control server to remotely access the system and transfer files covertly from within to outside the network.
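Data encoded into DNS queries, as the slide describes, has to live in the query name, and that leaves measurable traces in resolver logs: long, high-entropy labels, large numbers of never-repeated subdomains under one registrable domain, and record types such as TXT or NULL that carry free-form payloads in the reply. The heuristics below are an added example written for this section, not code from the original slides. The query records are constructed, and base_domain() simply takes the last two labels as the registrable domain, a simplifying assumption (a real deployment would use a public-suffix list).

```python
"""Heuristics for spotting DNS tunneling in resolver query logs.

Added example, not from the original slides. SAMPLE_QUERIES is constructed;
base_domain() uses the last two labels as the registrable domain, which is a
simplification (no public-suffix list).
"""
import math
from collections import defaultdict

# Base32 alphabet used only to build the constructed tunnel labels below.
_B32 = "abcdefghijklmnopqrstuvwxyz234567"


def shannon_entropy(text):
    """Bits per character; 32 distinct, equally frequent symbols give 5.0."""
    if not text:
        return 0.0
    n = len(text)
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base_domain(qname):
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def query_reasons(qname, qtype):
    """Per-query indicators: oversized names or labels, high-entropy
    subdomain data, and record types that carry large free-form payloads."""
    labels = qname.rstrip(".").lower().split(".")
    subdomain = "".join(labels[:-2])
    reasons = []
    if len(qname) > 100:
        reasons.append("long name")
    if any(len(label) > 40 for label in labels):
        reasons.append("long label")
    # More than 16 distinct symbols are needed to exceed 4.0 bits, so short
    # ordinary hostnames such as "www" or "mail" can never trip this check.
    if shannon_entropy(subdomain) > 4.0:
        reasons.append("high entropy")
    if qtype in ("TXT", "NULL"):
        reasons.append(f"unusual type {qtype}")
    return reasons


def detect_dns_tunneling(queries, unique_threshold=20):
    """queries: iterable of (client, qname, qtype).
    Returns {(client, base_domain): sorted reasons} for suspicious pairs."""
    unique_names = defaultdict(set)
    flagged = defaultdict(set)
    for client, qname, qtype in queries:
        key = (client, base_domain(qname))
        unique_names[key].add(qname.lower())
        flagged[key].update(query_reasons(qname, qtype))
    for key, names in unique_names.items():
        if len(names) >= unique_threshold:
            flagged[key].add("many unique subdomains")
    return {k: sorted(v) for k, v in flagged.items() if v}


# Constructed log: 25 TXT queries carrying rotated base32 blocks under
# example.net (the tunnel pattern) next to a few ordinary lookups.
SAMPLE_QUERIES = [
    ("10.0.0.5", f"{_B32[i:] + _B32[:i]}.{i}.tun.example.net", "TXT")
    for i in range(25)
] + [
    ("10.0.0.5", "www.example.com", "A"),
    ("10.0.0.5", "mail.example.com", "MX"),
    ("10.0.0.5", "cdn.example.org", "AAAA"),
    ("10.0.0.9", "www.example.com", "A"),
]

if __name__ == "__main__":
    for (client, domain), reasons in detect_dns_tunneling(SAMPLE_QUERIES).items():
        print(f"{client} -> {domain}: {', '.join(reasons)}")
```

The unique-subdomain count is the most robust of these signals because a tunnel must vary the name to defeat caching, whereas CDNs and anti-virus cloud lookups also produce long hashed labels and are the usual false positives for the entropy check. Internal resolvers that log client IP and query type are what make this possible; forwarding those logs off the box matters for the same reason it does for Windows event logs.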
Covering Tracks on a Network

Using TCP Parameters

TCP parameters can be used by the attacker to distribute the payload and to create covert channels. Some of the TCP fields where data can be hidden are as follows:

• IP Identification Field: This is an easy approach in which a payload is transferred bitwise over an established session between two systems. In this approach, one character is encapsulated per packet.

• TCP Acknowledgement Number: This approach is quite difficult as it uses a bounce server that receives packets from the victim and sends them to an attacker. Here, one hidden character is relayed by the bounce server per packet.

• TCP Initial Sequence Number: This method also does not require an established connection between the two systems. Here, one hidden character is encapsulated per SYN request and reset packet.
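Both the reverse ICMP tunnel and the IP-identification covert channel described on the two preceding slides abuse fields that normally carry predictable values, so a defender can look for the deviation: an echo reply normally returns the request payload unchanged and ping payloads have a constant size, and an IP ID stream whose values all fall inside the printable ASCII range is what "one character per packet" looks like on the wire. The analyser below is an added example written for this section, not code from the original slides; it works on constructed packet-metadata dicts standing in for what a capture parser would hand over, and the dict field names are assumptions.

```python
"""Heuristics for ICMP tunnels and IP-ID covert channels in packet metadata.

Added example, not from the original slides. SAMPLE_PACKETS are constructed
dicts (src, dst, ip_id, proto and, for ICMP, icmp_id, seq, type, payload);
the field names are assumptions about a capture parser's output.
"""
from collections import defaultdict


def check_icmp_session(packets):
    """packets: echo requests/replies that share an address pair and ICMP id.
    Returns a set of reasons; an empty set means the session looks like ping."""
    reasons = set()
    requests = {p["seq"]: p["payload"] for p in packets if p["type"] == "echo-request"}
    replies = {p["seq"]: p["payload"] for p in packets if p["type"] == "echo-reply"}
    if len({len(p["payload"]) for p in packets}) > 1:
        reasons.add("variable payload size")
    for seq, reply_payload in replies.items():
        if seq in requests and requests[seq] != reply_payload:
            reasons.add("reply payload differs from request")
    return reasons


def check_ip_id_stream(ip_ids, min_packets=8):
    """ip_ids: IP identification values of one directional flow, in order.
    Flags the flow when every value is a printable ASCII code point."""
    if len(ip_ids) < min_packets:
        return set()
    if all(0x20 <= i <= 0x7E for i in ip_ids):
        return {"IP ID values decode to printable ASCII: " + "".join(map(chr, ip_ids))}
    return set()


def analyse(packets):
    """Group packets into flows and return {flow_key: sorted reasons}."""
    icmp_sessions = defaultdict(list)
    ip_id_streams = defaultdict(list)
    for p in packets:
        ip_id_streams[(p["src"], p["dst"])].append(p["ip_id"])
        if p["proto"] == "icmp":
            pair = tuple(sorted((p["src"], p["dst"])))  # requests and replies together
            icmp_sessions[pair + (p["icmp_id"],)].append(p)
    findings = {}
    for key, session in icmp_sessions.items():
        reasons = check_icmp_session(session)
        if reasons:
            findings[("icmp",) + key] = sorted(reasons)
    for flow, ids in ip_id_streams.items():
        reasons = check_ip_id_stream(ids)
        if reasons:
            findings[("ipid",) + flow] = sorted(reasons)
    return findings


PING_PAYLOAD = bytes(range(0x08, 0x08 + 56))  # constant 56-byte ping pattern

# Constructed traffic: a clean ping exchange, a tunnelled exchange whose
# replies carry different data, and a TCP stream whose IP IDs spell text.
SAMPLE_PACKETS = []
for i in range(4):
    SAMPLE_PACKETS.append({"src": "10.0.0.5", "dst": "10.0.0.1", "ip_id": 0x1A00 + i, "proto": "icmp",
                           "icmp_id": 7, "seq": i, "type": "echo-request", "payload": PING_PAYLOAD})
    SAMPLE_PACKETS.append({"src": "10.0.0.1", "dst": "10.0.0.5", "ip_id": 0x3000 + i, "proto": "icmp",
                           "icmp_id": 7, "seq": i, "type": "echo-reply", "payload": PING_PAYLOAD})
TUNNEL_CHUNKS = [b"GET /index.html HTTP/1.1\r\n", b"Host: intranet\r\n\r\n", b"", b"ack"]
for i, chunk in enumerate(TUNNEL_CHUNKS):
    SAMPLE_PACKETS.append({"src": "10.0.0.5", "dst": "203.0.113.20", "ip_id": 0x4000 + i, "proto": "icmp",
                           "icmp_id": 9, "seq": i, "type": "echo-request", "payload": chunk})
    SAMPLE_PACKETS.append({"src": "203.0.113.20", "dst": "10.0.0.5", "ip_id": 0x5000 + i, "proto": "icmp",
                           "icmp_id": 9, "seq": i, "type": "echo-reply",
                           "payload": b"HTTP/1.1 200 OK\r\n" if i == 1 else b""})
for ch in "GET /ind":
    SAMPLE_PACKETS.append({"src": "10.0.0.5", "dst": "203.0.113.30", "ip_id": ord(ch), "proto": "tcp"})

if __name__ == "__main__":
    for key, reasons in analyse(SAMPLE_PACKETS).items():
        print(key, "->", "; ".join(reasons))
```

The request/reply comparison is the strong ICMP signal, since a real host echoes the payload back byte for byte; payload-size variation alone also fires on legitimate path-MTU probes. The printable-ASCII test catches only the plainest encoding of the IP-ID channel, so in practice it is paired with the countermeasure this module recommends anyway: volume and rate limits on ICMP at the perimeter, and an IDS that can reassemble flows rather than inspect single packets.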
Covering Tracks on an OS

UNIX

• Files in UNIX can be hidden just by appending a dot (.) in front of a file name. In UNIX, each directory contains two special entries: the current directory (.) and the parent directory (..). Attackers give their files a similar-looking name such as ". " (with a space after the dot). These hidden files are usually placed in /dev, /tmp, and /etc.

• An attacker can also edit the log files to cover their tracks. However, when using this technique of hiding files, an attacker can sometimes leave a trace behind, because the command used to open a file will be recorded in the .bash_history file. A smart attacker knows how to overcome this problem by using the export HISTSIZE=0 command.
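The two UNIX tricks just described are cheap to hunt for from the defender's side: a directory entry named ". " or "..." is never created by normal software, and a shell rc file that sets HISTSIZE=0 or discards HISTFILE is worth a look on any server. The scanner below is an added example written for this section, not code from the original slides. It builds a throwaway directory tree and a sample .bashrc inside a temp directory (constructed data) and scans those; on a real host the same two functions would be pointed at /dev, /tmp, /etc and users' home directories.

```python
"""Find files hidden behind deceptive dot-names and shell history suppression.

Added example, not from the original slides. build_sample_tree() creates a
constructed /tmp-like layout and a constructed .bashrc under a temp dir so
the scan runs offline; point the two find_* functions at real paths instead.
"""
import os
import re
import tempfile

# rc-file settings that stop the shell from recording commands: HISTSIZE=0
# (from the slide) and its close relatives.
_HISTORY_OFF = re.compile(
    r"^\s*(?:export\s+)?(?:HISTSIZE=0|HISTFILESIZE=0|HISTFILE=/dev/null)\b"
    r"|^\s*unset\s+HISTFILE\b"
)


def is_deceptive_name(name):
    """True for dot-names that imitate '.' or '..': a dot followed by trailing
    whitespace (". ", ".. ") or a name made only of dots ("...").
    Ordinary hidden files such as .bashrc are not flagged."""
    if not name.startswith("."):
        return False
    return name != name.rstrip() or set(name.strip()) == {"."}


def find_deceptive_entries(root):
    """Walk root and return sorted relative paths whose name is deceptive."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if is_deceptive_name(name):
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def find_history_suppression(rc_text):
    """Return the lines of a shell rc file that disable command history."""
    return [line.strip() for line in rc_text.splitlines() if _HISTORY_OFF.search(line)]


SAMPLE_BASHRC = """# constructed rc file
export PATH=$HOME/bin:$PATH
export HISTSIZE=0
unset HISTFILE
alias ll='ls -la'
"""


def build_sample_tree(base):
    """Constructed layout: a /tmp look-alike with two deceptive entries and
    normal hidden/visible files, plus a home directory with SAMPLE_BASHRC."""
    os.makedirs(os.path.join(base, "tmp", ". "))      # dot-space directory
    os.makedirs(os.path.join(base, "tmp", "..."))     # triple-dot directory
    open(os.path.join(base, "tmp", ". ", "payload.bin"), "w").close()
    open(os.path.join(base, "tmp", ".X11-unix"), "w").close()   # normal hidden name
    open(os.path.join(base, "tmp", "sess_42"), "w").close()
    os.makedirs(os.path.join(base, "home", "bob"))
    with open(os.path.join(base, "home", "bob", ".bashrc"), "w") as fh:
        fh.write(SAMPLE_BASHRC)


def scan_sample():
    """Build the constructed tree, scan it, and return both result lists."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        with open(os.path.join(base, "home", "bob", ".bashrc")) as fh:
            rc_hits = find_history_suppression(fh.read())
        return find_deceptive_entries(base), rc_hits


if __name__ == "__main__":
    entries, rc_hits = scan_sample()
    print("deceptive names:", entries)
    print("history suppression:", rc_hits)
```

Running `ls -la` hides these names in plain sight because ". " sorts next to "." and "..", which is exactly why the check is done programmatically rather than by eye. The rc-file check is intentionally narrow; an interactive `export HISTSIZE=0` typed at the prompt leaves no rc trace, and the real countermeasure is the one the defenses slide gives: ship shell history and syslog to a separate server the attacker cannot edit.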


Defending against Covering Tracks

The various countermeasures against covering tracks are listed as follows:

• Activate logging functionality on all critical systems
• Conduct a periodic audit on IT systems to ensure logging functionality is in accordance with the security policy
• Ensure new events do not overwrite old entries in the log files when the storage limit is exceeded
• Configure appropriate and minimal permissions necessary to read and write log files stored on critical systems
• Maintain a separate logging server on the DMZ, so that all the critical servers, such as the DNS server, mail server, web server, etc., forward and store their logs on that server
• Regularly update and patch OSs, applications, and firmware
• Close all unused open ports and services
• Encrypt the log files stored on the system, so that altering them is not possible without an appropriate decryption key
• Set log files to "append only" mode to prevent unauthorized deletion of log entries
• Periodically back up the log files to unalterable media
