Malware Persistence Techniques

To defend against persistence techniques such as these, a multi-layered strategy including regular system updates, strong password policies, and reputable security software significantly reduces the risk of falling victim to malware persistence. Additionally, network segmentation helps prevent lateral movement by attackers who have gained access to one part of your infrastructure.
In special cases like WMI, cleanup is not straightforward due to null byte values in the Windows registry. To remove backdoors using PowerSponse, follow these steps:
1) Remove the binding: `Get-WmiObject __FilterToConsumerBinding -Namespace root\subscription | Where-Object { $_.filter -match 'evil' } | Remove-WmiObject`
2) Remove the event consumer: `Get-WmiObject CommandLineEventConsumer -Namespace root\subscription -Filter "name='evil'" | Remove-WmiObject`
3) Remove the event filter: `Get-WmiObject -Namespace root\subscription -Class __EventFilter -Filter "Name='evil'" | Remove-WmiObject -Verbose`
To test your collection tools, the prevention mechanisms in place and your detections, add a Debugger value under the corresponding Image File Execution Options registry key: `REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "cmd /c tasklist"`
Now pressing the Shift key repeatedly (the Sticky Keys shortcut, which launches sethc.exe) triggers execution of cmd instead.
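For both Windows techniques above (the WMI subscription cleanup and the IFEO Debugger test), the following is an added, read-only audit script that is not part of the original post: it lists every WMI permanent subscription together with the filter query and consumer action it would run, and every IFEO subkey that carries a Debugger value. It assumes Windows PowerShell 5.1 (where `Get-WmiObject` is available) and an elevated session; the function names are my own.

```powershell
# Added example, not from the original post. Read-only: nothing is removed.

# 1) WMI permanent event subscriptions: resolve each binding to its filter (the trigger)
#    and consumer (the action) so a responder sees what would run before cleaning up.
function Get-WmiSubscriptionAudit {
    Get-WmiObject -Namespace 'root\subscription' -Class __FilterToConsumerBinding |
        ForEach-Object {
            # .Filter and .Consumer hold WMI object paths; [wmi] resolves them to instances.
            $f = [wmi]$_.Filter
            $c = [wmi]$_.Consumer
            $action = switch ($c.__CLASS) {
                'CommandLineEventConsumer'  { $c.CommandLineTemplate }
                'ActiveScriptEventConsumer' { $c.ScriptText }
                default                     { '' }
            }
            [PSCustomObject]@{
                Filter       = $f.Name
                Query        = $f.Query
                ConsumerType = $c.__CLASS
                Consumer     = $c.Name
                Action       = $action
            }
        }
}

# 2) Image File Execution Options: any per-image subkey with a Debugger value redirects
#    that executable (the sethc.exe case above) to the configured command.
function Get-IfeoDebuggerAudit {
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    Get-ChildItem -Path $ifeo | ForEach-Object {
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            [PSCustomObject]@{ Image = $_.PSChildName; Debugger = $dbg }
        }
    }
}

Get-WmiSubscriptionAudit | Format-List
Get-IfeoDebuggerAudit    | Format-Table -AutoSize
```

On a clean workstation both lists are normally empty or contain only known vendor entries, so anything else is a candidate for the removal steps given above.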
In order to evade detection, we will create a user account with an inconspicuous name; in this case we will create a user account named ftp so that it blends in as a service account.
We can create the user account on the target by running the following command: `useradd -m -s /bin/bash ftp`
After creating the account, we will need to add the user to the sudo group, which gives the user administrative privileges. This can be done by running the following command: `usermod -aG sudo ftp`
After adding the user account to the "sudo" group, we will need to set up a password for the account. This can be done by running the following command: `passwd ftp`
After specifying the password, we can list the contents of the /etc/passwd file to confirm that the user account has been added. You can now authenticate with the server via SSH password authentication; alternatively, you can add the SSH public key we generated in the first section to the authorized_keys file in the user account's home directory.
After authenticating with the server via SSH, we can confirm that the user account has administrative privileges by using the sudo command. As shown in the preceding screenshot, the user account has administrative privileges and can run any command on the system without accessing or interacting with the "root" account.
This account can be used for backdoor access whenever you want to avoid using the "root" account or any other legitimate user accounts on the target system, and it ensures that you have covert access to the target.

SICORPS