https://j-h.io/plextrac || PlexTrac makes pentest reporting a breeze — try their premiere reporting & collaborative platform in a FREE one-month trial! https://j-h.io/plextrac 😎
00:00 – SCManager Persistence
00:27 – Explanation
01:21 – How it works
05:18 – Demo begin
08:00 – Changing security descriptor
12:12 – Creating a service
16:18 – Final Thoughts
Grzegorz Tworek Tweet: https://twitter.com/0gtweet/status/1628720819537936386
0xv1n Write-up: https://0xv1n.github.io/posts/scmanager/
Security Descriptor Definition Language: https://learn.microsoft.com/en-us/windows/win32/secauthz/security-descriptor-definition-language
Sc sdset: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc742037(v=ws.11)
Help the channel grow with a Like, Comment, & Subscribe!
❤️ Support ➡ https://j-h.io/patreon ↔ https://j-h.io/paypal ↔ https://j-h.io/buymeacoffee
Check out the affiliates below for more free or discounted learning!
🐱👤SEKTOR7 ➡ Malware Development, AV Evasion https://j-h.io/sektor7
🖥️ Zero-Point Security ➡ Certified Red Team Operator https://j-h.io/crto
💻Zero-Point Security ➡ C2 Development with C# https://j-h.io/c2dev
🐜Zero2Automated ➡ Ultimate Malware Reverse Engineering https://j-h.io/zero2auto
⛳Point3 ESCALATE ➡ Top-Notch Capture the Flag Training https://j-h.io/escalate
📗Humble Bundle ➡ https://j-h.io/humblebundle
🐶Snyk ➡ https://j-h.io/snyk
🌎Follow me! ➡ https://j-h.io/discord ↔ https://j-h.io/twitter ↔ https://j-h.io/linkedin ↔ https://j-h.io/instagram ↔ https://j-h.io/tiktok
📧Contact me! (I may be very slow to respond or completely unable to)
🤝Sponsorship Inquiries ➡ https://j-h.io/sponsorship
🚩 CTF Hosting Requests ➡ https://j-h.io/ctf
🎤 Speaking Requests ➡ https://j-h.io/speaking
💥 Malware Submission ➡ https://j-h.io/malware
❓ Everything Else ➡ https://j-h.io/etc
This worries me. It makes me uncertain which services are real and which are just a clone of the name of an application that I have installed…
I downloaded Hikvision's desktop client and used Process Explorer after uninstalling the application. I killed the ivs service (it was still running after uninstalling everything) and it crashed my Windows computer, so it was doing something.
Windows services such as web access login and another service were running my CPU at 100 percent consistently on idle, till I used Process Explorer to find which service was running the highest with svchost and killed off each service in the tree one by one till it stopped. My computer's been running at 0% to 1% CPU usage consistently when idle. I use an AMD 3800X CPU.
Way to go!!! My best friend
As always John, I love your videos, and I'm always a fan of living off the land techniques. I just have one, possibly noob question. If the scenario is that we already have a privileged account/user, then what is the benefit of this post-exploit? Couldn't we already do everything we wanted using the privileged account? Sorry if there's an obvious answer to this that I'm missing. Thanks!
Microsoft still says (IIRC) that basically administrators are expected to be able to do this sort of thing, so if such an account is allowed to be run by a malicious actor, that's basically game over. On the other hand, if that's really the expectation, why do they keep trying to stop Mimikatz?
How can I detect psexec.exe on my PC?
Nice oneliner 🙂
Nice!
Very practical! 💪🏻
nice
We need a linux version of this. How hackers backdoor into linux desktops please!
Loving these living off the land videos, I'm starting to get more and more into Windows Internals for sysadmin and security, really awesome timing that this video showed up.
This shouldn't be built into Windows. That's the reason why we move to Linux.
I need to try it 😊 John, thank you for the tutorial!!
Great explanation and also great real example John. Thank you.
Is there not a way to become Trusted Installer and take over the system? That info is probably too spicy for YouTube.
Hi John! What is your email I got a phishing email with malware attach and want you to investigate!
That’s actually pretty old stuff
This video is full of powerful experiences!!! thanks for making such content!
I did not understand much, honestly… But great video again! Thanks!
The "GoogleUpdater" Service doesn't start. Error 1053! 🤔
Per the TCP/IP protocol, the system needs to open a listening port first in order to accept an incoming connection. You can easily find all listening ports using the netstat command. There is no "secret back door" per se.
psexec -s -i cmd.exe is one IoA or detection opportunity. T1548.002
Second
Persistence via Windows Service T1543.003
For sc sdset, it should not be as loud based on the parameters provided. So that's the 3rd layer of detection via Windows event logs – cheers! Happy hunting!
Can you teach how to hack CCTV or security cameras?
I had malware one time and it was in the persistence folder in the Start menu. I had it for months and I never had any accounts hacked, even though I'm pretty sure it was probably a RAT. I was a kid back then, so I wonder if the person saw that and left me alone.