a Hacker's Backdoor: Service Control Manager

Подписаться 1,7 млн

Просмотров 92 тыс.

50% 1

j-h.io/plextrac || PlexTrac makes pentest reporting a breeze -- try their premiere reporting & collaborative platform in a FREE one-month trial! j-h.io/plextrac 😎
00:00 - SCManager Persistence
00:27 - Explaination
01:21 - How it works
05:18 - Demo begin
08:00 - Changing security descriptor
12:12 - Creating a service
16:18 - Final Thoughts
Grzegorz Tworek Tweet: / 1628720819537936386
0xvln Write-up: 0xv1n.github.io/posts/scmanager/
Security Descriptor Lang: learn.microsoft.com/en-us/win...
Sc sdset: learn.microsoft.com/en-us/pre...)
🔥 RU-vid ALGORITHM ➡ Like, Comment, & Subscribe!
🙏 SUPPORT THE CHANNEL ➡ jh.live/patreon
🤝 SPONSOR THE CHANNEL ➡ jh.live/sponsor
🌎 FOLLOW ME EVERYWHERE ➡ jh.live/discord ↔ jh.live/twitter ↔ jh.live/linkedin ↔ jh.live/instagram ↔ jh.live/tiktok
💥 SEND ME MALWARE ➡ jh.live/malware

Опубликовано:

3 июл 2024

Ссылка:

Скачать:

Готовим ссылку...

Добавить в:

Мой плейлист

Посмотреть позже

Комментарии : 117

@DarkFaken Год назад

These videos are always a great way to learn something without too much detail that I lose interest. Thanks for making such helpful content

@fraznofire2508 Год назад

Loving these living off the land videos, I'm starting to get more and more into Windows Internals for sysadmin and security, really awesome timing that this video showed up.

@boruch4986 Год назад

I'm studying computer engineering now and this is honestly very cool. I may consider a minor in cyber security now

@chrisweaver7989 Год назад

Found this the other day on linkedin and was dismissed as it needing admin, however this has been informative! thanks!

@tomasgorda Год назад

Great explanation and also great real example John. Thank you.

@perryuploads776 Год назад

Information about access control list (ACL). Thanks John! An access control list (ACL) is a list of access control entries (ACE). Each ACE in an ACL identifies a trustee and specifies the access rights allowed, denied, or audited for that trustee. The security descriptor for a securable object can contain two types of ACLs: a DACL and an SACL. A discretionary access control list (DACL) identifies the trustees that are allowed or denied access to a securable object. When a process tries to access a securable object, the system checks the ACEs in the object's DACL to determine whether to grant access to it. If the object doesn't have a DACL, the system grants full access to everyone. If the object's DACL has no ACEs, the system denies all attempts to access the object because the DACL doesn't allow any access rights. The system checks the ACEs in sequence until it finds one or more ACEs that allow all the requested access rights, or until any of the requested access rights are denied. A system access control list (SACL) allows administrators to log attempts to access a secured object. Each ACE specifies the types of access attempts by a specified trustee that cause the system to generate a record in the security event log. An ACE in an SACL can generate audit records when an access attempt fails, when it succeeds, or both. Don't try to work directly with the contents of an ACL. To ensure that ACLs are semantically correct, use the appropriate functions to create and manipulate ACLs. ACLs also provide access control to Microsoft Active Directory service objects. Active Directory Service Interfaces (ADSI) include routines to create and modify the contents of these ACLs.

@adhamfouad68 11 месяцев назад

Good god you have so much time in your hands to write that down as a comment

@natemorales2978 Год назад

Thanks for the video, John!

@obaidullahnoori7066 Год назад

This video is full of powerful experiences!!! thanks for making such content!

@donathanratcliffe7316 Год назад

Great way to start the morning.

@knowhowtodo Год назад

Very practical! 💪🏻

@NahImPro Год назад

John I love your work and you inspire me daily.

@bnk28zfp Год назад

i need try it😊 john thank you for tutorial!!

@blackhathacking9103 Год назад

Thank you so much

@Hakkee1980 Месяц назад

wow ....ty so much boss

@Polandisch Год назад

I did not understand much honestly.... But great video again! Thanks!

@udotcarter Год назад

For sc sdset should not be as loud based on the parameters provided. So that’s the 3rd layer of detection via winevent logs - cheers! Happy hunting

@sassywoocooo Год назад

Way to go!!! My best friend

@jaxson8262 Год назад

This tech gives many ideas :)..........

@sam-ur7rz Год назад

I'm no cyber security expert but this seems like very overcomplicated UBA... You really have to dedicate yourself to the Microsoft world to fully understand the access control in Windows.

@B-a_s-H Год назад

Well, yes... of course. Microsoft still dominates the corporate landscape, so having deep knowledge of Windows security is very valuable.

@B-a_s-H Год назад

@@JohnDoe-sp3dc Even complex systems can be managed, so it's not an excuse. Know what should be running on your systems, set baselines, monitor activity, etc.

@MrGh0sT_8124 Год назад

@@JohnDoe-sp3dc in that scenario windows genealogy comes in hand. Windows genealogy gives you map of every process and their exact number of instances running after booting a system. Every blue Teamer should know about windows genealogy so he can easily detect the malicious extra instance or process.

@realguapo_mma Год назад

@@MrGh0sT_8124 nice

@KramerEspinoza Год назад

Mickeysoft dominates because of the intellectual bell curve. Same holds for other aspects in society.

@NeverGiveUpYo Год назад

Nice oneliner :)

@user-tf9ie2re9x Год назад

Thanks

@bhagyalakshmi1053 Год назад

Master of edureka master

@mrfriendly9956 Год назад

nice job!!!

@mmm-cake 11 месяцев назад

Bravo 👏🏼 Always fantastic content. Does a simple “revert all to defaults, e.g., fresh install” command(s) exist? Appreciate ya!

@didko258 Год назад

Always here before John

@IsaiahGondon1 Год назад

POG

@vinceb557 Год назад

This video really spoke to me, Ive been working in IT for a few years and am basically a beginner with some novice understanding of Microsoft and barely any knowledge in Linux. Does anyone here have any recommendations on where to start working in security with my profile? Like what courses (paid is fine, or free) should I start in order to get going?

@userhandle3378 Год назад

2 Books; Linux Bible 9th Edition, and The Ultimate Kali Linux Guide 2nd Edition. Both books spoon feed and assume you know nothing. I didn't learn anything in the Kali guide until page 300 and some as I've worked rhel support for more than 4 years. I read it all anyway as Glen does a great job at summarizing the endless acronyms and industry buzzwords. Some of his tutorials could use a little updating but the book is free if you google the pdf and if you've never used the aircrack-ng suite and have no clue what command syntax is, then these are the books for you.

@AnotherSkyTV Год назад

Nice!

@gregsayshi Год назад

Would love to see more videos on MacOS/iOS.. your videos are great but I’m not sure if they apply to me :(

@cr4zy326 Год назад

best bro ever

@realMattGavin Год назад

Windows services such as web access login and another service were running my CPU at 100 percent consistently on idle till I used process explorer to find which service was running the highest with svchost and killed off each service in the tree one by one till it stopped. My computers been running at 0% to 1% cpu usage consistently when in idle.i use a amd 3800x cpu.

@orca2162 Год назад

🎉🎉

@dcriley65 Год назад

John why do you look so happy about this YT Video?

@therealb888 Год назад

We need a linux version of this. How hackers backdoor into linux desktops please!

@Chad_Thundercock Год назад

For the most part, they don't. In theory, Linux is less vulnerable to malware by the design philosophy, and smaller target demographic. Additionally, if you're running a linux distro, you're likely more aware of security practices. Those combined make it not worth the time and effort to attack, as there are more high value, and softer, targets in the Windows side.

@haXez_org Год назад

nice

@MD4564 Год назад

Any smart admin would have blocked admin prev on a work system, which at my work, they do, as you need to enter super admin credentials most of the time this won't work. And if the user is working from home, they would most likely be using Windows Virtual Desktop, again hard to use this command.

@liljoker0732 Год назад

How about making a video explaining how to combatant against this backdoor, and what to do if it has already been executed on your pc?

@whencat6171 11 месяцев назад

this backdoor virus compromised my pc, and its been stuck on the windows loading screen since. i dont know why people think ruining a pc someone paid for is funny.

@ggsap 3 месяца назад

@@whencat6171nobody "ruined" your pc, just reinstall. infact they did you a favour so you can get rid of windows and install linux

@mahdihasan42 Год назад

can you make a video about must tools need to know for cyber security or ethical hacking ?

@ayylmao1558 Год назад

Please do a video on how to use pwncat

@HTWwpzIuqaObMt Год назад

Amazing video

@logiciananimal Год назад

Microsoft still says (IIRC) that basically administrators are expected to be able to do this sort of thing, so if such an account is allowed to be run by a malicious actor, that's basically game over. On the other hand, if that's really the expectation, why do they keep trying to stop Mimikatz?

@sud0gh0st Год назад

I go for priv esc before maintaining access as i think the access will be much more reliable, But this seems like 1 cmd to rule them all xD

@HadronCollisionYT Год назад

hmmm, what do you do? unethical hacking? lol

@sud0gh0st Год назад

@@HadronCollisionYT what makes you say that ? Can't someone be interested in learning red team without being ethical ? Much harder for Blue to defend if your access has priv esc nothing unethical there, "The best defence is a good offence" without knowing how to attack you can't defend and working local only get's you so far,, VM's are great but it don't have the same feel

@nordgaren2358 Год назад

you need admin privs to install this backdoor, anyways, I believe.

@HadronCollisionYT Год назад

@@sud0gh0st I was just joking bruh. Why did you take it so seriously ;-;

@jimmyscott5144 Год назад

I love the activate windows water mark lol

@maddogmaz1576 Год назад

It's all fun and games until the FBI kicks in your door at 4am

@kinloo3778 Год назад

the Sc sdset link is dead, anyone has the sigma rule? Thanks

@eaglefn4918 Год назад

The "GoogleUpdater" Service doesn't start. Error 1053! 🤔

@danielchien7274 Год назад

Per TCP/IP protocol, the system needs to open a listening port first in order to accept an incoming connection. you can easily find all listening ports using the netstat command. There is no "secret back door" per se.

@anonimenkolbas1305 Год назад

Most backdoors periodically phone out instead of listening for a connection from the C&C server. That also solves the issue of getting past some firewalls and NATs.

@danielchien7274 Год назад

@@anonimenkolbas1305 "phone out"? What is that mean in TCP/IP? Today, all the computer does not support modem anymore. Or, are you saying the backdoor is a TCP/IP client that initiate a connection to a Internet Server? If so, you can easily find out any TCP/IP connections on a server.

@anonimenkolbas1305 Год назад

@@danielchien7274 Sorry, yes, "phone out" is a casual expression. I meant that malware nowadays makes an outbound connection to its command & control server as opposed to listening for one, meaning it will not open a socket. However, if one were to monitor outbound traffic the same way they would monitor open sockets over time, they would still spot the outbound connections made to suspicious IPs.

@danielchien7274 Год назад

@@anonimenkolbas1305 So, this is not a true backdoor for anyone anywhere to get in. BTW, it is very easy to stop malware. Just don't let it run. A program that can't run will do nothing. Using a whitelist, it can stop all unauthorized programs from running.

@rahimuddin8012 Год назад

So this is how i can be an admin in my local network

@guyhavia1730 Год назад

Can anyone recommend more twitter accounts with cool new techniques of attacks like in the video?

@tyroneslothdrop9155 Год назад

Do you need a discrete gpu in order to get windows 11 to run smoothly in a virtual machine. I have an AMD 5700G running Fedora and all my Windows VMs are relatively quick but motion is choppy and ugly.

@sam-ur7rz Год назад

Having a decent GPU will help, but you may need to tinker with your VM settings. QEMU/KVM works fine for me.

@nordgaren2358 Год назад

try giving your VM more ram and more CPU cores, maybe?

@ggsap 3 месяца назад

@@nordgaren2358 no, overcommiting hurts performance. use a type 1 hypervisor like qemu/kvm and use a rdp client with gpu acceleration for connection. see someordinarygamers video on that

@realMattGavin Год назад

This worries me. It makes me uncertain which services are real and are just a clone of the name of an application that I have installed... I downloaded hickvisions desktop client and used proccess explorer after unistalling the application. I killed the ivs service (it was still running after unistalling everything) and it crashed my windows computer so it was doing something.

@nhkz753 Год назад

If you suspecting a service, check the "path" of the service you will directly see if he is dangerous

@TheTheThewillow Месяц назад

Is this Seth Trojan

@geist453 Год назад

Hi John! What is your email I got a phishing email with malware attach and want you to investigate!

@whtiequillBj Год назад

Is there not a way to become Trusted Installer and take over the system? That info is probably too spicy for RU-vid.

@lifetutorials4495 Год назад

daka would he really would

@gogeroger930 Год назад

That’s actually pretty old stuff

@bhagyalakshmi1053 Год назад

Up places coling.

@bhagyalakshmi1053 Год назад

Skills and binary numbers c, css code file's comment

@ohrayoe3858 Год назад

Could you include ways to prevent the things you talk about in your videos from happening as well?

@Chad_Thundercock Год назад

One could always just run a linux distro and not worry about this sort of thing.

@ohrayoe3858 Год назад

@@Chad_Thundercock how would that prevent the malware running? Just because it isnt created for Linux?

@Chad_Thundercock Год назад

@@ohrayoe3858 That is one part of it, yes. The other is from the way most distros are designed to segregate processes and permissions. It's a bit nebulous to explain here, but the short of it is that it's less easy to trick your machine in to running anything you don't ask it to run.

@ohrayoe3858 Год назад

@@Chad_Thundercock so things are less likely to run when you click on a link(malware pdf) than on another OS that isnt Linux?

@Chad_Thundercock Год назад

@@ohrayoe3858 Exactly. Now, don't take to mean your system is bulletproof, but it will be much less vulnerable to such attacks.

@takipsizad Год назад

i thought this was an old video lol

@_JohnHammond Год назад

What made it seem like an old video, if I may ask?

@takipsizad Год назад

@@_JohnHammond good question i really don't know,the flow of your videos hasn't really changed to so i couldn't see differences but yeah still a good explanation

@takipsizad Год назад

@@_JohnHammond hey also i watched the video fully now and the sponsorship is little bit too long

@user-kp9es9ul2l Год назад

Nothing sir, it's fresh and useful as always.

@takipsizad Год назад

@@user-kp9es9ul2l yup i agree it's good as always

@ColiDog Год назад

This shouldn't be built into Windows. That's the reason why we move to Linux.

@tommasovietina Год назад

OK, but you need an admin user in the first place. Kinda pointless?!

@WSLEEPS Год назад

u should activate windows

@sud0gh0st Год назад

on a VM ? why.....

@WSLEEPS Год назад

@@sud0gh0st my bad i didn't kw

@seanfaherty Год назад

Why ? When you buy a PC you get a licence Who cares about the licence on a virtual machine ? It's a bullshit thing they have thrown in for telemetry. If you charge me $150 for the licence when I buy the computer I don't care about what Mr Gates wants

@variouselite Год назад

@@WSLEEPS So dont talk about stuff you dont know.

@sud0gh0st Год назад

@@seanfaherty you're saying Windows has other usecase then testing exploits... Not sure I believe that

@smokestudio1408 Год назад

finally the first comment

@bhagyalakshmi1053 Год назад

Nod how to cing coling fills up sum cing coling fills name and files tool files open coling fills to file account add files open tool diagram, group, Jenkins files open tool explain files open vejal

@Kumar-yy1fg Год назад

can you teach how to hack cctv or security cameras

@mitchdog_com Год назад

Activate Windows 😭

@ololh4xx 9 месяцев назад

yet again : no compromised, privileged account = this entire method is useless

@JPEaglesandKatz Год назад

There is a balance between being informative and glorifying criminal behaviour.. You are crossing that line a lot of times in you videos and can't really understand why this is allowed to stand.

@nordgaren2358 Год назад

How else are you supposed to raise awareness to sys admins or anyone who wants to protect their computer, about this vulnerability? Just tell them it exists, but not how it works, so they can't defend against it at all? This is standard practice for cyber security.

@udotcarter Год назад

Second Persistence via Windows Service T1543.003