Metasploit mailing list archives
Thread shedding
From: mubix at room362.com (Rob Fuller)
Date: Tue, 12 May 2009 14:38:29 -0400
Just a crazy idea as I was reading through: https://metasploit.com/metasploit_bh2009.pdf

On slide 25, wiping event logs is always good, but not very stealthy. Does Meterpreter have the ability to spawn threads in other processes, or drop some execution into its current process that runs even if meterpreter dies?

My thoughts on this would be to have the ability to spawn off an event log generator; it wouldn't be hard to have it generate a ton of events in each of the logs based on natural operation to mask anything that was being done on the host.

But that idea doesn't have to stop there: Use a bind payload with fwknop, shed a keylogging execution thread on Winlogon. Leave, come back, knock the right way, and pull the logs. etc.etc.etc...

--
Rob Fuller | Mubix | Room362.com | Hak5.org