Hidden Files - Red Teaming Experiments

Red Teaming Experiments

linkedin github @spotheplanet patreon

Search…

What is ired.team?

Pinned

Pentesting Cheatsheets

Active Directory & Kerberos Abuse

offensive security

Red Team Infrastructure

Code & Process Injection

Defense Evasion

AV Bypass with Metasploit Templates and Custom Binaries

Evading Windows Defender with 1 Byte Change

Bypassing Windows Defender: One TCP Socket Away From Meterpreter and Beacon Sessions

Bypassing Cylance and other AVs/EDRs by Unhooking Windows APIs

Windows API Hashing in Malware

Detecting Hooked Syscalls

Calling Syscalls Directly from Visual Studio to Bypass AVs/EDRs

Retrieving ntdll Syscall Stubs from Disk at Run-time

Full DLL Unhooking with C++

Enumerating RWX Protected Memory Regions for Code Injection

Disabling Windows Event Logs by Suspending EventLog Service Threads

Obfuscated Powershell Invocations

Masquerading Processes in Userland via _PEB

Commandline Obfusaction

File Smuggling with HTML and JavaScript

Alternate Data Streams

Encode/Decode Data with Certutil

Downloading Files with Certutil

Packed Binaries

Unloading Sysmon Driver

Bypassing IDS Signatures with Simple Reverse Shells

Preventing 3rd Party DLLs from Injecting into your Malware

ProcessDynamicCodePolicy: Arbitrary Code Guard (ACG)

Parent Process ID (PPID) Spoofing

Executing C# Assemblies from Jscript and wscript with DotNetToJscript

Enumeration and Discovery

Privilege Escalation

Credential Access & Dumping

Lateral Movement

reversing, forensics & misc

Dump Virtual Box Memory

AES Encryption Using Crypto++ .lib in Visual Studio C++

Reversing Password Checking Routine

Powered By GitBook

Hidden Files

Defense Evasion, Persistence

Execution
Hiding the file mantvydas.sdb using a native windows binary:
[email protected]
1
PS C:\experiments> attrib.exe +h .\mantvydas.sdb
Copied!
Note how powershell (or cmd) says the file does not exist, however you can type out its contents if you know the file exists:
Note, that dir /a:h (attribute: hidden) reveals files with a "hidden" attribute set:
Observations
As usual, monitoring commandline arguments may be a good idea if you want to identify these events:
References
Hide Artifacts: Hidden Files and Directories, Sub-technique T1564.001 - Enterprise | MITRE ATT&CK®
​

Alternate Data Streams

Encode/Decode Data with Certutil

Last modified 3yr ago

Copy link

Contents