a Hacker's Backdoor: Service Control Manager

Поделиться
HTML-код
  • Опубликовано: 4 авг 2024
  • j-h.io/plextrac || PlexTrac makes pentest reporting a breeze -- try their premiere reporting & collaborative platform in a FREE one-month trial! j-h.io/plextrac 😎
    00:00 - SCManager Persistence
    00:27 - Explaination
    01:21 - How it works
    05:18 - Demo begin
    08:00 - Changing security descriptor
    12:12 - Creating a service
    16:18 - Final Thoughts
    Grzegorz Tworek Tweet: / 1628720819537936386
    0xvln Write-up: 0xv1n.github.io/posts/scmanager/
    Security Descriptor Lang: learn.microsoft.com/en-us/win...
    Sc sdset: learn.microsoft.com/en-us/pre...)
    🔥 RUclips ALGORITHM ➡ Like, Comment, & Subscribe!
    🙏 SUPPORT THE CHANNEL ➡ jh.live/patreon
    🤝 SPONSOR THE CHANNEL ➡ jh.live/sponsor
    🌎 FOLLOW ME EVERYWHERE ➡ jh.live/discord ↔ jh.live/twitter ↔ jh.live/linkedin ↔ jh.live/instagram ↔ jh.live/tiktok
    💥 SEND ME MALWARE ➡ jh.live/malware

Комментарии • 117

  • @DarkFaken
    @DarkFaken Год назад +39

    These videos are always a great way to learn something without too much detail that I lose interest. Thanks for making such helpful content

  • @fraznofire2508
    @fraznofire2508 Год назад +11

    Loving these living off the land videos, I'm starting to get more and more into Windows Internals for sysadmin and security, really awesome timing that this video showed up.

    • @boruch4986
      @boruch4986 Год назад

      I'm studying computer engineering now and this is honestly very cool. I may consider a minor in cyber security now

  • @chrisweaver7989
    @chrisweaver7989 Год назад +2

    Found this the other day on linkedin and was dismissed as it needing admin, however this has been informative! thanks!

  • @tomasgorda
    @tomasgorda Год назад +4

    Great explanation and also great real example John. Thank you.

  • @obaidullahnoori7066
    @obaidullahnoori7066 Год назад

    This video is full of powerful experiences!!! thanks for making such content!

  • @perryuploads776
    @perryuploads776 Год назад +19

    Information about access control list (ACL). Thanks John!
    An access control list (ACL) is a list of access control entries (ACE). Each ACE in an ACL identifies a trustee and specifies the access rights allowed, denied, or audited for that trustee. The security descriptor for a securable object can contain two types of ACLs: a DACL and an SACL.
    A discretionary access control list (DACL) identifies the trustees that are allowed or denied access to a securable object. When a process tries to access a securable object, the system checks the ACEs in the object's DACL to determine whether to grant access to it. If the object doesn't have a DACL, the system grants full access to everyone. If the object's DACL has no ACEs, the system denies all attempts to access the object because the DACL doesn't allow any access rights. The system checks the ACEs in sequence until it finds one or more ACEs that allow all the requested access rights, or until any of the requested access rights are denied.
    A system access control list (SACL) allows administrators to log attempts to access a secured object. Each ACE specifies the types of access attempts by a specified trustee that cause the system to generate a record in the security event log. An ACE in an SACL can generate audit records when an access attempt fails, when it succeeds, or both.
    Don't try to work directly with the contents of an ACL. To ensure that ACLs are semantically correct, use the appropriate functions to create and manipulate ACLs.
    ACLs also provide access control to Microsoft Active Directory service objects. Active Directory Service Interfaces (ADSI) include routines to create and modify the contents of these ACLs.

    • @adhamfouad68
      @adhamfouad68 Год назад

      Good god you have so much time in your hands to write that down as a comment

  • @natemorales2978
    @natemorales2978 Год назад +2

    Thanks for the video, John!

  • @NahImPro
    @NahImPro Год назад

    John I love your work and you inspire me daily.

  • @knowhowtodo
    @knowhowtodo Год назад +3

    Very practical! 💪🏻

  • @donathanratcliffe7316
    @donathanratcliffe7316 Год назад +1

    Great way to start the morning.

  • @bnk28zfp
    @bnk28zfp Год назад

    i need try it😊 john thank you for tutorial!!

  • @sam-ur7rz
    @sam-ur7rz Год назад +61

    I'm no cyber security expert but this seems like very overcomplicated UBA... You really have to dedicate yourself to the Microsoft world to fully understand the access control in Windows.

    • @B-a_s-H
      @B-a_s-H Год назад +25

      Well, yes... of course. Microsoft still dominates the corporate landscape, so having deep knowledge of Windows security is very valuable.

    • @B-a_s-H
      @B-a_s-H Год назад +6

      @@JohnDoe-sp3dc Even complex systems can be managed, so it's not an excuse. Know what should be running on your systems, set baselines, monitor activity, etc.

    • @MrGh0sT_8124
      @MrGh0sT_8124 Год назад +4

      @@JohnDoe-sp3dc in that scenario windows genealogy comes in hand. Windows genealogy gives you map of every process and their exact number of instances running after booting a system. Every blue Teamer should know about windows genealogy so he can easily detect the malicious extra instance or process.

    • @realguapo_mma
      @realguapo_mma Год назад

      ​@@MrGh0sT_8124 nice

    • @KramerEspinoza
      @KramerEspinoza Год назад +1

      Mickeysoft dominates because of the intellectual bell curve. Same holds for other aspects in society.

  • @blackhathacking9103
    @blackhathacking9103 Год назад +1

    Thank you so much

  • @udotcarter
    @udotcarter Год назад

    For sc sdset should not be as loud based on the parameters provided. So that’s the 3rd layer of detection via winevent logs - cheers! Happy hunting

  • @Polandisch
    @Polandisch Год назад

    I did not understand much honestly.... But great video again! Thanks!

  • @NeverGiveUpYo
    @NeverGiveUpYo Год назад

    Nice oneliner :)

  • @mmm-cake
    @mmm-cake Год назад

    Bravo 👏🏼 Always fantastic content. Does a simple “revert all to defaults, e.g., fresh install” command(s) exist? Appreciate ya!

  • @sassywoocooo
    @sassywoocooo Год назад

    Way to go!!! My best friend

  • @user-tf9ie2re9x
    @user-tf9ie2re9x Год назад

    Thanks

  • @Hakkee1980
    @Hakkee1980 2 месяца назад

    wow ....ty so much boss

  • @mrfriendly9956
    @mrfriendly9956 Год назад

    nice job!!!

  • @jaxson8262
    @jaxson8262 Год назад

    This tech gives many ideas :)..........

  • @vinceb557
    @vinceb557 Год назад +2

    This video really spoke to me, Ive been working in IT for a few years and am basically a beginner with some novice understanding of Microsoft and barely any knowledge in Linux. Does anyone here have any recommendations on where to start working in security with my profile? Like what courses (paid is fine, or free) should I start in order to get going?

    • @userhandle3378
      @userhandle3378 Год назад +1

      2 Books; Linux Bible 9th Edition, and The Ultimate Kali Linux Guide 2nd Edition.
      Both books spoon feed and assume you know nothing. I didn't learn anything in the Kali guide until page 300 and some as I've worked rhel support for more than 4 years. I read it all anyway as Glen does a great job at summarizing the endless acronyms and industry buzzwords. Some of his tutorials could use a little updating but the book is free if you google the pdf and if you've never used the aircrack-ng suite and have no clue what command syntax is, then these are the books for you.

  • @gregsayshi
    @gregsayshi Год назад

    Would love to see more videos on MacOS/iOS.. your videos are great but I’m not sure if they apply to me :(

  • @bhagyalakshmi1053
    @bhagyalakshmi1053 Год назад

    Master of edureka master

  • @AnotherSkyTV
    @AnotherSkyTV Год назад

    Nice!

  • @therealb888
    @therealb888 Год назад +2

    We need a linux version of this. How hackers backdoor into linux desktops please!

    • @Chad_Thundercock
      @Chad_Thundercock Год назад +1

      For the most part, they don't.
      In theory, Linux is less vulnerable to malware by the design philosophy, and smaller target demographic. Additionally, if you're running a linux distro, you're likely more aware of security practices.
      Those combined make it not worth the time and effort to attack, as there are more high value, and softer, targets in the Windows side.

  • @didko258
    @didko258 Год назад +3

    Always here before John

  • @realMattGavin
    @realMattGavin Год назад

    Windows services such as web access login and another service were running my CPU at 100 percent consistently on idle till I used process explorer to find which service was running the highest with svchost and killed off each service in the tree one by one till it stopped. My computers been running at 0% to 1% cpu usage consistently when in idle.i use a amd 3800x cpu.

  • @cr4zy326
    @cr4zy326 Год назад

    best bro ever

  • @logiciananimal
    @logiciananimal Год назад

    Microsoft still says (IIRC) that basically administrators are expected to be able to do this sort of thing, so if such an account is allowed to be run by a malicious actor, that's basically game over. On the other hand, if that's really the expectation, why do they keep trying to stop Mimikatz?

  • @sud0gh0st
    @sud0gh0st Год назад +2

    I go for priv esc before maintaining access as i think the access will be much more reliable, But this seems like 1 cmd to rule them all xD

    • @HadronCollisionYT
      @HadronCollisionYT Год назад

      hmmm, what do you do? unethical hacking? lol

    • @sud0gh0st
      @sud0gh0st Год назад +3

      @@HadronCollisionYT what makes you say that ? Can't someone be interested in learning red team without being ethical ? Much harder for Blue to defend if your access has priv esc nothing unethical there, "The best defence is a good offence" without knowing how to attack you can't defend and working local only get's you so far,, VM's are great but it don't have the same feel

    • @nordgaren2358
      @nordgaren2358 Год назад

      you need admin privs to install this backdoor, anyways, I believe.

    • @HadronCollisionYT
      @HadronCollisionYT Год назад

      @@sud0gh0st I was just joking bruh. Why did you take it so seriously ;-;

  • @haXez_org
    @haXez_org Год назад

    nice

  • @IsaiahGondon1
    @IsaiahGondon1 Год назад

    POG

  • @MD4564
    @MD4564 Год назад

    Any smart admin would have blocked admin prev on a work system, which at my work, they do, as you need to enter super admin credentials most of the time this won't work. And if the user is working from home, they would most likely be using Windows Virtual Desktop, again hard to use this command.

  • @liljoker0732
    @liljoker0732 Год назад +3

    How about making a video explaining how to combatant against this backdoor, and what to do if it has already been executed on your pc?

    • @whencat6171
      @whencat6171 Год назад

      this backdoor virus compromised my pc, and its been stuck on the windows loading screen since. i dont know why people think ruining a pc someone paid for is funny.

    • @ggsap
      @ggsap 4 месяца назад

      @@whencat6171nobody "ruined" your pc, just reinstall. infact they did you a favour so you can get rid of windows and install linux

  • @tyroneslothdrop9155
    @tyroneslothdrop9155 Год назад

    Do you need a discrete gpu in order to get windows 11 to run smoothly in a virtual machine. I have an AMD 5700G running Fedora and all my Windows VMs are relatively quick but motion is choppy and ugly.

    • @sam-ur7rz
      @sam-ur7rz Год назад

      Having a decent GPU will help, but you may need to tinker with your VM settings. QEMU/KVM works fine for me.

    • @nordgaren2358
      @nordgaren2358 Год назад +1

      try giving your VM more ram and more CPU cores, maybe?

    • @ggsap
      @ggsap 4 месяца назад

      @@nordgaren2358 no, overcommiting hurts performance. use a type 1 hypervisor like qemu/kvm and use a rdp client with gpu acceleration for connection. see someordinarygamers video on that

  • @mahdihasan42
    @mahdihasan42 Год назад +1

    can you make a video about must tools need to know for cyber security or ethical hacking ?

  • @HTWwpzIuqaObMt
    @HTWwpzIuqaObMt Год назад +1

    Amazing video

  • @dcriley65
    @dcriley65 Год назад

    John why do you look so happy about this YT Video?

  • @ayylmao1558
    @ayylmao1558 Год назад

    Please do a video on how to use pwncat

  • @orca2162
    @orca2162 Год назад

    🎉🎉

  • @eaglefn4918
    @eaglefn4918 Год назад

    The "GoogleUpdater" Service doesn't start. Error 1053! 🤔

  • @kinloo3778
    @kinloo3778 Год назад

    the Sc sdset link is dead, anyone has the sigma rule? Thanks

  • @jimmyscott5144
    @jimmyscott5144 Год назад

    I love the activate windows water mark lol

  • @guyhavia1730
    @guyhavia1730 Год назад

    Can anyone recommend more twitter accounts with cool new techniques of attacks like in the video?

  • @maddogmaz1576
    @maddogmaz1576 Год назад

    It's all fun and games until the FBI kicks in your door at 4am

  • @rahimuddin8012
    @rahimuddin8012 Год назад

    So this is how i can be an admin in my local network

  • @realMattGavin
    @realMattGavin Год назад

    This worries me. It makes me uncertain which services are real and are just a clone of the name of an application that I have installed...
    I downloaded hickvisions desktop client and used proccess explorer after unistalling the application. I killed the ivs service (it was still running after unistalling everything) and it crashed my windows computer so it was doing something.

    • @nhkz753
      @nhkz753 Год назад +1

      If you suspecting a service, check the "path" of the service you will directly see if he is dangerous

  • @danielchien7274
    @danielchien7274 Год назад

    Per TCP/IP protocol, the system needs to open a listening port first in order to accept an incoming connection. you can easily find all listening ports using the netstat command. There is no "secret back door" per se.

    • @anonimenkolbas1305
      @anonimenkolbas1305 Год назад

      Most backdoors periodically phone out instead of listening for a connection from the C&C server. That also solves the issue of getting past some firewalls and NATs.

    • @danielchien7274
      @danielchien7274 Год назад

      @@anonimenkolbas1305 "phone out"? What is that mean in TCP/IP? Today, all the computer does not support modem anymore. Or, are you saying the backdoor is a TCP/IP client that initiate a connection to a Internet Server? If so, you can easily find out any TCP/IP connections on a server.

    • @anonimenkolbas1305
      @anonimenkolbas1305 Год назад

      @@danielchien7274 Sorry, yes, "phone out" is a casual expression. I meant that malware nowadays makes an outbound connection to its command & control server as opposed to listening for one, meaning it will not open a socket. However, if one were to monitor outbound traffic the same way they would monitor open sockets over time, they would still spot the outbound connections made to suspicious IPs.

    • @danielchien7274
      @danielchien7274 Год назад

      @@anonimenkolbas1305 So, this is not a true backdoor for anyone anywhere to get in. BTW, it is very easy to stop malware. Just don't let it run. A program that can't run will do nothing. Using a whitelist, it can stop all unauthorized programs from running.

  • @geist453
    @geist453 Год назад +1

    Hi John! What is your email I got a phishing email with malware attach and want you to investigate!

  • @whtiequillBj
    @whtiequillBj Год назад

    Is there not a way to become Trusted Installer and take over the system? That info is probably too spicy for RUclips.

  • @TheTheThewillow
    @TheTheThewillow 2 месяца назад

    Is this Seth Trojan

  • @takipsizad
    @takipsizad Год назад +2

    i thought this was an old video lol

    • @_JohnHammond
      @_JohnHammond  Год назад +2

      What made it seem like an old video, if I may ask?

    • @takipsizad
      @takipsizad Год назад +2

      @@_JohnHammond good question i really don't know,the flow of your videos hasn't really changed to so i couldn't see differences but yeah still a good explanation

    • @takipsizad
      @takipsizad Год назад

      ​@@_JohnHammond hey also i watched the video fully now and the sponsorship is little bit too long

    • @user-kp9es9ul2l
      @user-kp9es9ul2l Год назад +2

      Nothing sir, it's fresh and useful as always.

    • @takipsizad
      @takipsizad Год назад

      @@user-kp9es9ul2l yup i agree it's good as always

  • @bhagyalakshmi1053
    @bhagyalakshmi1053 Год назад

    Up places coling.

  • @gogeroger930
    @gogeroger930 Год назад

    That’s actually pretty old stuff

  • @lifetutorials4495
    @lifetutorials4495 Год назад

    daka would he really would

  • @ohrayoe3858
    @ohrayoe3858 Год назад +3

    Could you include ways to prevent the things you talk about in your videos from happening as well?

    • @Chad_Thundercock
      @Chad_Thundercock Год назад

      One could always just run a linux distro and not worry about this sort of thing.

    • @ohrayoe3858
      @ohrayoe3858 Год назад

      @@Chad_Thundercock how would that prevent the malware running? Just because it isnt created for Linux?

    • @Chad_Thundercock
      @Chad_Thundercock Год назад +1

      @@ohrayoe3858
      That is one part of it, yes. The other is from the way most distros are designed to segregate processes and permissions. It's a bit nebulous to explain here, but the short of it is that it's less easy to trick your machine in to running anything you don't ask it to run.

    • @ohrayoe3858
      @ohrayoe3858 Год назад

      @@Chad_Thundercock so things are less likely to run when you click on a link(malware pdf) than on another OS that isnt Linux?

    • @Chad_Thundercock
      @Chad_Thundercock Год назад +1

      @@ohrayoe3858
      Exactly.
      Now, don't take to mean your system is bulletproof, but it will be much less vulnerable to such attacks.

  • @bhagyalakshmi1053
    @bhagyalakshmi1053 Год назад

    Skills and binary numbers c, css code file's comment

  • @ColiDog
    @ColiDog Год назад

    This shouldn't be built into Windows. That's the reason why we move to Linux.

  • @WSLEEPS
    @WSLEEPS Год назад

    u should activate windows

    • @sud0gh0st
      @sud0gh0st Год назад +1

      on a VM ? why.....

    • @WSLEEPS
      @WSLEEPS Год назад

      @@sud0gh0st my bad i didn't kw

    • @seanfaherty
      @seanfaherty Год назад

      Why ?
      When you buy a PC you get a licence
      Who cares about the licence on a virtual machine ?
      It's a bullshit thing they have thrown in for telemetry.
      If you charge me $150 for the licence when I buy the computer I don't care about what Mr Gates wants

    • @variouselite
      @variouselite Год назад

      @@WSLEEPS So dont talk about stuff you dont know.

    • @sud0gh0st
      @sud0gh0st Год назад +1

      @@seanfaherty you're saying Windows has other usecase then testing exploits... Not sure I believe that

  • @AnimeTransform-z4c
    @AnimeTransform-z4c Год назад

    can you teach how to hack cctv or security cameras

  • @smokestudio1408
    @smokestudio1408 Год назад +1

    finally the first comment

  • @tommasovietina
    @tommasovietina Год назад

    OK, but you need an admin user in the first place. Kinda pointless?!

  • @bhagyalakshmi1053
    @bhagyalakshmi1053 Год назад

    Nod how to cing coling fills up sum cing coling fills name and files tool files open coling fills to file account add files open tool diagram, group, Jenkins files open tool explain files open vejal

  • @mitchdog_com
    @mitchdog_com Год назад

    Activate Windows 😭

  • @ololh4xx
    @ololh4xx 10 месяцев назад

    yet again : no compromised, privileged account = this entire method is useless

  • @JPEaglesandKatz
    @JPEaglesandKatz Год назад

    There is a balance between being informative and glorifying criminal behaviour.. You are crossing that line a lot of times in you videos and can't really understand why this is allowed to stand.

    • @nordgaren2358
      @nordgaren2358 Год назад +2

      How else are you supposed to raise awareness to sys admins or anyone who wants to protect their computer, about this vulnerability? Just tell them it exists, but not how it works, so they can't defend against it at all? This is standard practice for cyber security.

  • @cacurazi
    @cacurazi Год назад

    12:10 😆😆

  • @udotcarter
    @udotcarter Год назад

    Second
    Persistence via Windows Service T1543.003