Thanks for keeping it free. God bless you. Will donate on patreon.
@arreinsbeta, 6 years ago
IKR
@carlsaiyed1097, 6 years ago
Great video, thank you for sharing.
@cyberkeshav, 1 year ago
Great explanation, sir, but I have a question: where do I have to look for new persistence mechanisms?
@bairammamedov570, 1 year ago
Great video, thanks a lot
@dip9995, 1 year ago
Does the evil.exe running example only work with notepad.exe?
@13Cubed, 1 year ago
No, that was just the example used.
@sami9348, 6 years ago
Great video, thanks, Sir
@SecureTheWorld, 6 years ago
Great video, thanks a lot 👍
@minasalib1951, 2 years ago
Would a hidden or deleted scheduled task show up in autoruns?
@13Cubed, 2 years ago
Deleted, no -- hidden, maybe -- depends on how it was hidden. See "The Case of the Disappearing Scheduled Task" episode.
@NoEgg4u, 6 years ago
I would like to be able to detect when anything new is added that will automatically start. The only solution I know of is to compare Autoruns results from time to time. This, however, is too cumbersome and is prone to human error, due to the number of items that are listed by Autoruns (too difficult to identify new items). Is there a tool that can alert you whenever a new item is added? ...By that, I mean any new item that Windows will run automatically. It would be great to be able to review every new item, and do so as soon as that item gets added to any auto-start part of Windows. Granted, it would not help with the Global Flags / Silent Process Exit feature that is reviewed in this video. That aside, it would still be a great help to catch every new start-up item, and catch it right away. Thank you.
@13Cubed, 6 years ago
Good question -- not that I'm aware. Diffing Autoruns output would be my first thought as well, but you may be able to leverage Sysmon with some custom filters to accomplish this.
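One way to do the Autoruns diffing suggested in the reply above, written here as an added example (not code from the video or from 13Cubed): a small Python script that compares two Autoruns CSV exports and reports entries that are new, removed, or whose image path, launch string or enabled state changed, so a legitimate entry being repointed is caught as well as a brand-new one. The sample exports are constructed inline in the Autoruns column layout (a subset of its columns); as the question notes, this only covers what Autoruns enumerates, so the Silent Process Exit mechanism from the video is out of scope.

```python
import csv
import io

# Columns that identify an entry, and columns whose change means an
# existing entry was repointed or re-enabled.
KEY_COLUMNS = ("Entry Location", "Entry")
WATCH_COLUMNS = ("Image Path", "Launch String", "Enabled")

# Constructed sample exports in the Autoruns CSV layout; not real output
# from any machine. Real exports may be UTF-16 when redirected to a file,
# so decode with the right encoding before passing the text in.
BASELINE_CSV = """Entry Location,Entry,Enabled,Category,Image Path,Launch String
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,VendorTray,enabled,Logon,c:\\vendor\\tray.exe,c:\\vendor\\tray.exe /silent
Task Scheduler,\\Vendor\\Updater,enabled,Tasks,c:\\vendor\\update.exe,c:\\vendor\\update.exe /check
"""

CURRENT_CSV = """Entry Location,Entry,Enabled,Category,Image Path,Launch String
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,VendorTray,enabled,Logon,c:\\vendor\\tray.exe,c:\\vendor\\tray.exe /silent
Task Scheduler,\\Vendor\\Updater,enabled,Tasks,c:\\users\\public\\evil.exe,c:\\users\\public\\evil.exe /check
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,Updater,enabled,Logon,c:\\users\\public\\evil.exe,c:\\users\\public\\evil.exe
"""


def parse_autoruns_csv(text):
    """Parse Autoruns CSV text into {(entry location, entry): row}."""
    return {tuple(row[c] for c in KEY_COLUMNS): row
            for row in csv.DictReader(io.StringIO(text))}


def diff_autoruns(baseline_text, current_text):
    """Return entries added, removed, or changed between two exports."""
    base = parse_autoruns_csv(baseline_text)
    cur = parse_autoruns_csv(current_text)
    added = [cur[k] for k in sorted(cur.keys() - base.keys())]
    removed = [base[k] for k in sorted(base.keys() - cur.keys())]
    changed = []
    for k in sorted(cur.keys() & base.keys()):
        # Record old/new value for every watched column that differs.
        diffs = {c: (base[k][c], cur[k][c])
                 for c in WATCH_COLUMNS if base[k][c] != cur[k][c]}
        if diffs:
            changed.append((k, diffs))
    return {"added": added, "removed": removed, "changed": changed}


if __name__ == "__main__":
    result = diff_autoruns(BASELINE_CSV, CURRENT_CSV)
    for row in result["added"]:
        print("NEW:", row["Entry Location"], row["Entry"], "->", row["Image Path"])
    for key, diffs in result["changed"]:
        print("CHANGED:", *key, diffs)
```

Run it on a scheduled basis against a saved baseline and forward the output to whatever alerting you already have; Sysmon registry events, as mentioned in the reply, give the real-time view this polling approach cannot.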
@NoEgg4u, 6 years ago
Greetings. Due to your area of expertise, you likely run in social circles with folks that have the skills to create the tool -- or, perhaps if you do not know someone directly, your contacts might know folks that can create such a tool (or know if one exists). Your reply above was appreciated, and your videos are very good. Cheers!
@WebCreatorBrk, 4 years ago
Very cool!! But how do I hook my Win10 to hide processes and netstat connections? Send please
@monnombre6547, 3 years ago
Thank you!!!!
@arreinsbeta, 6 years ago
Another hit
@robinhood3841, 4 years ago
How can we remove the Silent Process Exit, because it does not show up in the Registry?
@13Cubed, 4 years ago
Not sure I understand your question?
@haroldgar12, 6 years ago
Where do I go to create the evil.exe file?
@13Cubed, 6 years ago
That was just an example. In real life, if this were to be abused, evil.exe would presumably be some type of malware.
@haroldgar12, 6 years ago
@13Cubed Yeah, I know. I just wanted to know how I would create a fake evil.exe file, like yours, that would only display a message. I found out how to do it. Another question I have is: how would I install the commands on the command line of my victim if it requires admin privileges? I set up a victim laptop in my test environment and I'm able to create a session using an exploit, which allows me to access my victim's laptop (my own), but when I try to use those 3 commands, it fails, saying that I don't have privileges (which I figured it would). My victim laptop runs Windows 10.
@13Cubed, 6 years ago
hdawg12 Yes, as you noted this does require local admin privileges. You would have to use some other exploit to attempt privilege escalation on the target. In this case you are modifying HKLM, not HKCU (hence the admin requirement).
@haroldgar12, 6 years ago
@13Cubed Yeah, that's what I figured. So once I find an exploit that gives me admin privileges, I would use this method to install a backdoor payload on my victim (which is my own laptop), allowing me access whenever my victim turns on his laptop, correct?
@13Cubed, 6 years ago
hdawg12 In theory that’s how a malicious actor would exploit this, yes. My normal disclaimer applies - only do this in a lab environment, and only with proper permission. :)
@witoldawacz6818, 6 years ago
Great video as usual. Some time ago I found Oddvar's article and I updated my forensics tools ;-) ... one of them is here: github.com/wit0k/regparser/blob/master/plugins/autoruns.py (but it's meant to be used on offline registry hives only)
@13Cubed, 6 years ago
Nice - thanks!
@WebCreatorBrk, 4 years ago
@13Cubed Very cool!! But how do I hook my Win10 to hide processes and netstat connections? Send please