Re: some ideas, roadmap cleanup, and ugly jokes..

[Carlos Perez <carlos_perez () darkoperator com>]

Thanks for pointing out those tickets that where left open. some things to consider:

1. The use of any system executable will increase the number of artifacts left by your presence in it, specially in the 
registry, prefetch ...etc
2. if Monitoring system is present even do you rename the files it will be sent to the monitoring system like Event 
Collector in 2k8, WMI, SNMP ..etc you will have to take in to account that. 
3. Depending on the system you will require to first get the right privs, this venture might trigger HIPS, AV ..etc by 
it self.
4. Each AV, HIPS vendor out there have their own protection methods, there is not a a one size fits all approach to 
disable this countermeasures, you will have to install each in a lab and work a process for each one.
5. The use of Railgun will be a better approach since it does not interact with executables or writes to disk and only 
the DLL MACE is changed but this MACE is already changed by IR tools when they collect their volatile data off the 
system.
6. a good IR guy will notice the gap in time since windows just by running it is generating logs, not all logs are 
there. 

Just a couple of observations for your project. 

Cheers,
Carlos

On Sep 16, 2010, at 4:12 PM, Marco Polo wrote:

> Hi everybody!
>
> here is some request features, info about some bugs and questions about the roadmap.
>
>
> 1) About the stealthy script i made a proposition for:
>
> I thought it'd be great to add modifications to the "disable_audit.rb" script or making a new script that will rename 
> each logs files to $file.evt(x).old. 
> Renaming them doesn't change the mace time.
> Then for the roll back, just rename them to the original name so it'll overwrite the old files. It may change the 
> mace time but we can change them again,
> plus it'll leave no new event in the log.
>
> Forget about editing them automatically atm: i wasn't able to find any OS' build in exe, scripts or tools under BSD 
> licence that will allow us to convert them
> to an easily editable way (e.g: *.log , *.csv etc..) and running the event viewer under wine is a real pain depending 
> of the version you're using..
> But maybe the simple way is just to edit the disable_audit.rb so it'll display help and an option to rollback the 
> file :)
>
>
> Informations needed for it:
> ---------------------------
>
> files location under vista/seven/2008 = %SystemRoot%\System32\Winevt\Logs\*evtx
> files location under 2000/NT/XP/2003 = %SystemRoot%\System32\Config\*.Evt
>
> file format under 2000 / NT = .evt
> file format under xp / 2003 = .evt
> file format under vista/seven/server 2008 = .evtx
>
> vista/seven cli utility to convert logs' format: "wevtutil" (requires admin privileges) .evt <> .evtx
>
>
> 2) About http://www.metasploit.com/redmine/issues/390 : "Arpscan for Meterpreter"
>
> Shouldn't it be closed? i thought it was done in r9733 and last modded in r10321
>
> I mean, you guys accomplished more things that you want to tell us ;)
>
> 3) About http://www.metasploit.com/redmine/issues/608 : "Meterpreter should support a filesystem API for checking the 
> existence of a file/dir"
>
> As POSIX & java meterpreter have the stdapi_ext shouldn't it be closed or nearly? see:
>
> http://www.metasploit.com/redmine/issues/2418#change-9532 : "Complete support for the POSIX Meterpreter"
> http://www.metasploit.com/redmine/issues/406 : "Full Java Payload Support"
>
> I couldn't find a dedicated ticket for the php meterpreter but i don't think it support it as it's last rev is 9393. 
> Maybe create a ticket for the PHP
> meterpreter would help?
>
> 4) About http://www.metasploit.com/redmine/issues/2258 : "killav script fails to kill mcafee"
>
> Well... lots of mail in the mailing list about that atm :)
>
> In my last mail I made some propositions about the name of the A-V foundable in registry.. well it seems i was 
> mistaken as i couldnt find it. Neither my
> google-fu nor my tests( extracting the registry before and after a-v installation (avg, avast & g-data) and 
> compairing them) allowed me to find such a key..
>
> So the idea is instead of looking for a specific executable in the "ps" list, why not searching in the list of 
> installed software (already done in a script),
> then search with the new extension or by cmd all .exe's name in the installation path and then do as suggested in 
> video's and some mails in the mailing list:
> search related services, disable them, then kill exe's ?
>
> Instead of having a list of exe to find, it'd be a list of folders. But here again, some A-V have diferents versions 
> so diferents folders name.. But once in a 
> while the joker can be on the good side?..(sorry for this ugly joke but i felt like i have to...)
>
>
> As usual, sorry for the long time taken reading this and for my typos
>
> Thx again for bringing us this wonderful tool :)
>
> M.P.
>
> _______________________________________________
> https://mail.metasploit.com/mailman/listinfo/framework

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework