Monday, May 19, 2014

Modifying MAC properties with PowerShell

Laziness is the demise of Red Team engagements. Whether it is writing PsExec to a user's desktop or writing other arbitrary binaries to disk, not being careful can lead to being discovered. One of the competitors of this year's National CCDC mentioned to me that his team focused on discovering files created during the competition. If we were all being careful, that shouldn't work. Linux has the ability to modify file attributes with the "Touch" utility. Meterpreter has TimeStomp which works on Windows and makes it easy to blend your files with files around it by modifying the MACE attributes.

After a request to add the capability to PowerSploit, I wanted to figure out how to do it (I do prefer avoiding writing anything to disk, but there are times when it is unavoidable). I always thought that TimeStomp was black magic, but then I noticed the capability in Cobalt Strike's Beacon. I asked Raphael and he pointed me to a well-documented part of the Windows API. So naturally I headed over to pinvoke.net to check out the C# sample. It didn't take long to have a working function, but I got curious and found a .Net class to simplify the code. Armed with two working functions, I boarded the plane after ShowMeCon and wondered if it were possible to accomplish the task in a more "PowerShelly" (technical term) way.

Lets explore with Get-Member:


Wow, we can set the modified, accessed and created properties with Get-Item. That means we can simply run:


Nothing novel, but cool nonetheless. Some people would prefer a more "Touch" like capability, so I wrapped it all up in a function called Set-MacAttributes which will be added to PowerSploit soon:



I think its a prime example of why you should start by exploring cmdlets, then check out .Net and finally the API. It can save you a lot of time when you are building PowerShell tools. Obviously this won't stand up to forensic scrutiny like TimeStomp will, but it will definitely serve the purpose of hiding files in plain sight.

-Chris



2 comments:

  1. That's only half of the story from a forensics standpoint. This is already fairly commonly used by criminals, stomping the file attributes. However the raw MFT data will still have the original values of creation time. So to really leave no trace, those need to be stomped as well. :)

    http://msdn.microsoft.com/en-us/library/windows/desktop/aa365230(v=vs.85).aspx

    ReplyDelete
    Replies
    1. Yep, I mentioned that in the last line but I guess its not clear. The tool "TimeStomp" modifies not only the (M)odified, (A)ccessed and (C)reated file properties but also the MFT (E)ntry which allows it to stand up to forensic scrutiny. Since I have no interest in standing up to forensic scrutiny, only hiding from admins, MAC is enough for me. Thanks for the comment.

      Delete