a Hacker's Backdoor: Service Control Manager

Поділитися
Вставка
  • Опубліковано 23 гру 2024

КОМЕНТАРІ •

  • @DarkFaken
    @DarkFaken Рік тому +39

    These videos are always a great way to learn something without too much detail that I lose interest. Thanks for making such helpful content

  • @chrisweaver7989
    @chrisweaver7989 Рік тому +2

    Found this the other day on linkedin and was dismissed as it needing admin, however this has been informative! thanks!

  • @perryuploads776
    @perryuploads776 Рік тому +19

    Information about access control list (ACL). Thanks John!
    An access control list (ACL) is a list of access control entries (ACE). Each ACE in an ACL identifies a trustee and specifies the access rights allowed, denied, or audited for that trustee. The security descriptor for a securable object can contain two types of ACLs: a DACL and an SACL.
    A discretionary access control list (DACL) identifies the trustees that are allowed or denied access to a securable object. When a process tries to access a securable object, the system checks the ACEs in the object's DACL to determine whether to grant access to it. If the object doesn't have a DACL, the system grants full access to everyone. If the object's DACL has no ACEs, the system denies all attempts to access the object because the DACL doesn't allow any access rights. The system checks the ACEs in sequence until it finds one or more ACEs that allow all the requested access rights, or until any of the requested access rights are denied.
    A system access control list (SACL) allows administrators to log attempts to access a secured object. Each ACE specifies the types of access attempts by a specified trustee that cause the system to generate a record in the security event log. An ACE in an SACL can generate audit records when an access attempt fails, when it succeeds, or both.
    Don't try to work directly with the contents of an ACL. To ensure that ACLs are semantically correct, use the appropriate functions to create and manipulate ACLs.
    ACLs also provide access control to Microsoft Active Directory service objects. Active Directory Service Interfaces (ADSI) include routines to create and modify the contents of these ACLs.

    • @adhamfouad68
      @adhamfouad68 Рік тому

      Good god you have so much time in your hands to write that down as a comment

  • @fraznofire2508
    @fraznofire2508 Рік тому +11

    Loving these living off the land videos, I'm starting to get more and more into Windows Internals for sysadmin and security, really awesome timing that this video showed up.

    • @boruch4986
      @boruch4986 Рік тому

      I'm studying computer engineering now and this is honestly very cool. I may consider a minor in cyber security now

  • @tomasgorda
    @tomasgorda Рік тому +4

    Great explanation and also great real example John. Thank you.

  • @bart-i8k
    @bart-i8k Рік тому +61

    I'm no cyber security expert but this seems like very overcomplicated UBA... You really have to dedicate yourself to the Microsoft world to fully understand the access control in Windows.

    • @B-a_s-H
      @B-a_s-H Рік тому +25

      Well, yes... of course. Microsoft still dominates the corporate landscape, so having deep knowledge of Windows security is very valuable.

    • @B-a_s-H
      @B-a_s-H Рік тому +6

      @@JohnDoe-sp3dc Even complex systems can be managed, so it's not an excuse. Know what should be running on your systems, set baselines, monitor activity, etc.

    • @MrGh0sT_8124
      @MrGh0sT_8124 Рік тому +4

      @@JohnDoe-sp3dc in that scenario windows genealogy comes in hand. Windows genealogy gives you map of every process and their exact number of instances running after booting a system. Every blue Teamer should know about windows genealogy so he can easily detect the malicious extra instance or process.

    • @realguapo_mma
      @realguapo_mma Рік тому

      ​@@MrGh0sT_8124 nice

    • @KramerEspinoza
      @KramerEspinoza Рік тому +1

      Mickeysoft dominates because of the intellectual bell curve. Same holds for other aspects in society.

  • @knowhowtodo
    @knowhowtodo Рік тому +3

    Very practical! 💪🏻

  • @didko258
    @didko258 Рік тому +3

    Always here before John

  • @udotcarter
    @udotcarter Рік тому

    For sc sdset should not be as loud based on the parameters provided. So that’s the 3rd layer of detection via winevent logs - cheers! Happy hunting

  • @natemorales2978
    @natemorales2978 Рік тому +2

    Thanks for the video, John!

  • @donathanratcliffe7316
    @donathanratcliffe7316 Рік тому +1

    Great way to start the morning.

  • @maddogmaz1576
    @maddogmaz1576 Рік тому

    It's all fun and games until the FBI kicks in your door at 4am

  • @bhagyalakshmi1053
    @bhagyalakshmi1053 Рік тому

    Master of edureka master

  • @vinceb557
    @vinceb557 Рік тому +2

    This video really spoke to me, Ive been working in IT for a few years and am basically a beginner with some novice understanding of Microsoft and barely any knowledge in Linux. Does anyone here have any recommendations on where to start working in security with my profile? Like what courses (paid is fine, or free) should I start in order to get going?

    • @userhandle3378
      @userhandle3378 Рік тому +1

      2 Books; Linux Bible 9th Edition, and The Ultimate Kali Linux Guide 2nd Edition.
      Both books spoon feed and assume you know nothing. I didn't learn anything in the Kali guide until page 300 and some as I've worked rhel support for more than 4 years. I read it all anyway as Glen does a great job at summarizing the endless acronyms and industry buzzwords. Some of his tutorials could use a little updating but the book is free if you google the pdf and if you've never used the aircrack-ng suite and have no clue what command syntax is, then these are the books for you.

  • @dcriley65
    @dcriley65 Рік тому

    John why do you look so happy about this YT Video?

  • @kinloo3778
    @kinloo3778 Рік тому

    the Sc sdset link is dead, anyone has the sigma rule? Thanks

  • @obaidullahnoori7066
    @obaidullahnoori7066 Рік тому

    This video is full of powerful experiences!!! thanks for making such content!

  • @liljoker0732
    @liljoker0732 Рік тому +2

    How about making a video explaining how to combatant against this backdoor, and what to do if it has already been executed on your pc?

    • @whencat6171
      @whencat6171 Рік тому

      this backdoor virus compromised my pc, and its been stuck on the windows loading screen since. i dont know why people think ruining a pc someone paid for is funny.

    • @ggsap
      @ggsap 9 місяців тому

      @@whencat6171nobody "ruined" your pc, just reinstall. infact they did you a favour so you can get rid of windows and install linux

  • @Polandisch
    @Polandisch Рік тому

    I did not understand much honestly.... But great video again! Thanks!

  • @mahdihasan42
    @mahdihasan42 Рік тому +1

    can you make a video about must tools need to know for cyber security or ethical hacking ?

  • @therealb888
    @therealb888 Рік тому +2

    We need a linux version of this. How hackers backdoor into linux desktops please!

    • @Chad_Thundercock
      @Chad_Thundercock Рік тому +1

      For the most part, they don't.
      In theory, Linux is less vulnerable to malware by the design philosophy, and smaller target demographic. Additionally, if you're running a linux distro, you're likely more aware of security practices.
      Those combined make it not worth the time and effort to attack, as there are more high value, and softer, targets in the Windows side.

  • @bibbidi_bobbidi_bacons
    @bibbidi_bobbidi_bacons Рік тому

    Bravo 👏🏼 Always fantastic content. Does a simple “revert all to defaults, e.g., fresh install” command(s) exist? Appreciate ya!

  • @eaglefn4918
    @eaglefn4918 Рік тому

    The "GoogleUpdater" Service doesn't start. Error 1053! 🤔

  • @NeverGiveUpYo
    @NeverGiveUpYo Рік тому

    Nice oneliner :)

  • @NahImPro
    @NahImPro Рік тому

    John I love your work and you inspire me daily.

  • @logiciananimal
    @logiciananimal Рік тому

    Microsoft still says (IIRC) that basically administrators are expected to be able to do this sort of thing, so if such an account is allowed to be run by a malicious actor, that's basically game over. On the other hand, if that's really the expectation, why do they keep trying to stop Mimikatz?

  • @bnk28zfp
    @bnk28zfp Рік тому

    i need try it😊 john thank you for tutorial!!

  • @MD4564
    @MD4564 Рік тому

    Any smart admin would have blocked admin prev on a work system, which at my work, they do, as you need to enter super admin credentials most of the time this won't work. And if the user is working from home, they would most likely be using Windows Virtual Desktop, again hard to use this command.

  • @Hakkee1980
    @Hakkee1980 7 місяців тому

    wow ....ty so much boss

  • @jimmyscott5144
    @jimmyscott5144 Рік тому

    I love the activate windows water mark lol

  • @tyroneslothdrop9155
    @tyroneslothdrop9155 Рік тому

    Do you need a discrete gpu in order to get windows 11 to run smoothly in a virtual machine. I have an AMD 5700G running Fedora and all my Windows VMs are relatively quick but motion is choppy and ugly.

    • @bart-i8k
      @bart-i8k Рік тому

      Having a decent GPU will help, but you may need to tinker with your VM settings. QEMU/KVM works fine for me.

    • @nordgaren2358
      @nordgaren2358 Рік тому +1

      try giving your VM more ram and more CPU cores, maybe?

    • @ggsap
      @ggsap 9 місяців тому

      @@nordgaren2358 no, overcommiting hurts performance. use a type 1 hypervisor like qemu/kvm and use a rdp client with gpu acceleration for connection. see someordinarygamers video on that

  • @blackhathacking9103
    @blackhathacking9103 Рік тому +1

    Thank you so much

  • @sassywoocooo
    @sassywoocooo Рік тому

    Way to go!!! My best friend

  • @realMattGavin
    @realMattGavin Рік тому

    Windows services such as web access login and another service were running my CPU at 100 percent consistently on idle till I used process explorer to find which service was running the highest with svchost and killed off each service in the tree one by one till it stopped. My computers been running at 0% to 1% cpu usage consistently when in idle.i use a amd 3800x cpu.

  • @orca2162
    @orca2162 Рік тому

    🎉🎉

  • @sud0gh0st
    @sud0gh0st Рік тому +2

    I go for priv esc before maintaining access as i think the access will be much more reliable, But this seems like 1 cmd to rule them all xD

    • @HadronCollisionYT
      @HadronCollisionYT Рік тому

      hmmm, what do you do? unethical hacking? lol

    • @sud0gh0st
      @sud0gh0st Рік тому +3

      @@HadronCollisionYT what makes you say that ? Can't someone be interested in learning red team without being ethical ? Much harder for Blue to defend if your access has priv esc nothing unethical there, "The best defence is a good offence" without knowing how to attack you can't defend and working local only get's you so far,, VM's are great but it don't have the same feel

    • @nordgaren2358
      @nordgaren2358 Рік тому

      you need admin privs to install this backdoor, anyways, I believe.

    • @HadronCollisionYT
      @HadronCollisionYT Рік тому

      @@sud0gh0st I was just joking bruh. Why did you take it so seriously ;-;

  • @ayylmao1558
    @ayylmao1558 Рік тому

    Please do a video on how to use pwncat

  • @realMattGavin
    @realMattGavin Рік тому

    This worries me. It makes me uncertain which services are real and are just a clone of the name of an application that I have installed...
    I downloaded hickvisions desktop client and used proccess explorer after unistalling the application. I killed the ivs service (it was still running after unistalling everything) and it crashed my windows computer so it was doing something.

    • @nhkz753
      @nhkz753 Рік тому +1

      If you suspecting a service, check the "path" of the service you will directly see if he is dangerous

  • @geist453
    @geist453 Рік тому +1

    Hi John! What is your email I got a phishing email with malware attach and want you to investigate!

  • @jaxson8262
    @jaxson8262 Рік тому

    This tech gives many ideas :)..........

  • @gregsayshi
    @gregsayshi Рік тому

    Would love to see more videos on MacOS/iOS.. your videos are great but I’m not sure if they apply to me :(

  • @guyhavia1730
    @guyhavia1730 Рік тому

    Can anyone recommend more twitter accounts with cool new techniques of attacks like in the video?

  • @IsaiahGondon1
    @IsaiahGondon1 Рік тому

    POG

  • @rahimuddin8012
    @rahimuddin8012 Рік тому

    So this is how i can be an admin in my local network

  • @ohrayoe3858
    @ohrayoe3858 Рік тому +3

    Could you include ways to prevent the things you talk about in your videos from happening as well?

    • @Chad_Thundercock
      @Chad_Thundercock Рік тому

      One could always just run a linux distro and not worry about this sort of thing.

    • @ohrayoe3858
      @ohrayoe3858 Рік тому

      @@Chad_Thundercock how would that prevent the malware running? Just because it isnt created for Linux?

    • @Chad_Thundercock
      @Chad_Thundercock Рік тому +1

      @@ohrayoe3858
      That is one part of it, yes. The other is from the way most distros are designed to segregate processes and permissions. It's a bit nebulous to explain here, but the short of it is that it's less easy to trick your machine in to running anything you don't ask it to run.

    • @ohrayoe3858
      @ohrayoe3858 Рік тому

      @@Chad_Thundercock so things are less likely to run when you click on a link(malware pdf) than on another OS that isnt Linux?

    • @Chad_Thundercock
      @Chad_Thundercock Рік тому +1

      @@ohrayoe3858
      Exactly.
      Now, don't take to mean your system is bulletproof, but it will be much less vulnerable to such attacks.

  • @TheTheThewillow
    @TheTheThewillow 7 місяців тому

    Is this Seth Trojan

  • @mrfriendly9956
    @mrfriendly9956 Рік тому

    nice job!!!

  • @AnotherSkyTV
    @AnotherSkyTV Рік тому

    Nice!

  • @haXez_org
    @haXez_org Рік тому

    nice

  • @cr4zy326
    @cr4zy326 Рік тому

    best bro ever

  • @whtiequillBj
    @whtiequillBj Рік тому

    Is there not a way to become Trusted Installer and take over the system? That info is probably too spicy for UA-cam.

  • @danielchien7274
    @danielchien7274 Рік тому

    Per TCP/IP protocol, the system needs to open a listening port first in order to accept an incoming connection. you can easily find all listening ports using the netstat command. There is no "secret back door" per se.

    • @anonimenkolbas1305
      @anonimenkolbas1305 Рік тому

      Most backdoors periodically phone out instead of listening for a connection from the C&C server. That also solves the issue of getting past some firewalls and NATs.

    • @danielchien7274
      @danielchien7274 Рік тому

      @@anonimenkolbas1305 "phone out"? What is that mean in TCP/IP? Today, all the computer does not support modem anymore. Or, are you saying the backdoor is a TCP/IP client that initiate a connection to a Internet Server? If so, you can easily find out any TCP/IP connections on a server.

    • @anonimenkolbas1305
      @anonimenkolbas1305 Рік тому

      @@danielchien7274 Sorry, yes, "phone out" is a casual expression. I meant that malware nowadays makes an outbound connection to its command & control server as opposed to listening for one, meaning it will not open a socket. However, if one were to monitor outbound traffic the same way they would monitor open sockets over time, they would still spot the outbound connections made to suspicious IPs.

    • @danielchien7274
      @danielchien7274 Рік тому

      @@anonimenkolbas1305 So, this is not a true backdoor for anyone anywhere to get in. BTW, it is very easy to stop malware. Just don't let it run. A program that can't run will do nothing. Using a whitelist, it can stop all unauthorized programs from running.

  • @lifetutorials4495
    @lifetutorials4495 Рік тому

    daka would he really would

  • @takipsizad
    @takipsizad Рік тому +2

    i thought this was an old video lol

    • @_JohnHammond
      @_JohnHammond  Рік тому +2

      What made it seem like an old video, if I may ask?

    • @takipsizad
      @takipsizad Рік тому +2

      @@_JohnHammond good question i really don't know,the flow of your videos hasn't really changed to so i couldn't see differences but yeah still a good explanation

    • @takipsizad
      @takipsizad Рік тому

      ​@@_JohnHammond hey also i watched the video fully now and the sponsorship is little bit too long

    • @1337x-fs
      @1337x-fs Рік тому +2

      Nothing sir, it's fresh and useful as always.

    • @takipsizad
      @takipsizad Рік тому

      @@1337x-fs yup i agree it's good as always

  • @gogeroger930
    @gogeroger930 Рік тому

    That’s actually pretty old stuff

  • @ColiDog
    @ColiDog Рік тому

    This shouldn't be built into Windows. That's the reason why we move to Linux.

  • @bhagyalakshmi1053
    @bhagyalakshmi1053 Рік тому

    Up places coling.

  • @bhagyalakshmi1053
    @bhagyalakshmi1053 Рік тому

    Skills and binary numbers c, css code file's comment

  • @WSLEEPS
    @WSLEEPS Рік тому

    u should activate windows

    • @sud0gh0st
      @sud0gh0st Рік тому +1

      on a VM ? why.....

    • @WSLEEPS
      @WSLEEPS Рік тому

      @@sud0gh0st my bad i didn't kw

    • @seanfaherty
      @seanfaherty Рік тому

      Why ?
      When you buy a PC you get a licence
      Who cares about the licence on a virtual machine ?
      It's a bullshit thing they have thrown in for telemetry.
      If you charge me $150 for the licence when I buy the computer I don't care about what Mr Gates wants

    • @variouselite
      @variouselite Рік тому

      @@WSLEEPS So dont talk about stuff you dont know.

    • @sud0gh0st
      @sud0gh0st Рік тому +1

      @@seanfaherty you're saying Windows has other usecase then testing exploits... Not sure I believe that

  • @ktommyxyk
    @ktommyxyk Рік тому

    OK, but you need an admin user in the first place. Kinda pointless?!

  • @mitchdog_com
    @mitchdog_com Рік тому

    Activate Windows 😭

  • @bhagyalakshmi1053
    @bhagyalakshmi1053 Рік тому

    Nod how to cing coling fills up sum cing coling fills name and files tool files open coling fills to file account add files open tool diagram, group, Jenkins files open tool explain files open vejal

  • @smokestudio1408
    @smokestudio1408 Рік тому +1

    finally the first comment

  • @AnimeTransform-z4c
    @AnimeTransform-z4c Рік тому

    can you teach how to hack cctv or security cameras

  • @ololh4xx
    @ololh4xx Рік тому

    yet again : no compromised, privileged account = this entire method is useless

  • @JPEaglesandKatz
    @JPEaglesandKatz Рік тому

    There is a balance between being informative and glorifying criminal behaviour.. You are crossing that line a lot of times in you videos and can't really understand why this is allowed to stand.

    • @nordgaren2358
      @nordgaren2358 Рік тому +2

      How else are you supposed to raise awareness to sys admins or anyone who wants to protect their computer, about this vulnerability? Just tell them it exists, but not how it works, so they can't defend against it at all? This is standard practice for cyber security.

  • @HTWwpzIuqaObMt
    @HTWwpzIuqaObMt Рік тому +1

    Amazing video

  • @cacurazi
    @cacurazi Рік тому

    12:10 😆😆

  • @udotcarter
    @udotcarter Рік тому

    Second
    Persistence via Windows Service T1543.003