Metasploit mailing list archives

Thread shedding


From: mubix at room362.com (Rob Fuller)
Date: Tue, 12 May 2009 14:38:29 -0400

Just a crazy idea as I was reading through:
https://metasploit.com/metasploit_bh2009.pdf
On slide 25, wiping event logs is always good, but not very stealthy. Does
Meterpreter have the ability to spawn threads in other processes, or to
drop some execution into its current process that runs even if
Meterpreter dies? My thoughts on this would be to have the ability to spawn
off an event log generator, wouldn't be hard to have it generate a ton of
events in each of the logs based on natural operation to mask anything that
was being done on the host.

But that idea doesn't have to stop there:

Use a bind payload with fwknop, shed a keylogging execution thread on
Winlogon. Leave, come back, knock the right way, and pull the logs.

etc.etc.etc...

--
Rob Fuller | Mubix | Room362.com | Hak5.org