Pentester / Redteamer

The importance of hard drive encryption

Protecting Your Digital Haven: The Vital Role of Hard Drive Encryption

In our increasingly interconnected world, the safety of our digital data is paramount. Every file, photo, and piece of personal information stored on our devices represents a part of our lives, and the thought of it falling into the wrong hands is unsettling, to say the least. This is where hard drive encryption steps in as a crucial line of defense, a virtual fortress protecting our most sensitive information from prying eyes and potential threats.

Think of your hard drive as a digital vault, safeguarding your valuable data from the outside world. Now, imagine that vault without a lock, an open invitation to anyone who stumbles upon it. Hard drive encryption acts as that lock, securing your data behind an impenetrable barrier unless you possess the key. By scrambling the contents of your hard drive into an unreadable format, encryption ensures that even if your device falls into the wrong hands, your data remains safe and inaccessible without the proper authorization.

Below I will demonstrate, step by step, a technical threat actor compromising a machine, disabling its security controls, and infecting the system with malware.

I went ahead and created a virtualized environment to demonstrate a POC of how a full machine compromise can happen to anyone who leaves their machine unattended where someone else has physical access to it. From here on we will focus on the scenario where a threat actor sees an unattended machine and stumbles onto "Bob's" account, shown in the image above. The threat actor doesn't know Bob's password, but remembers a modern-day flaw in Windows that allows him to manually change local account passwords with ease because there is no encryption on the drive. Here is what he did, step by step. Step one is to restart WHILE HOLDING Shift.

After the computer reboots, click Troubleshoot.

And then click Advanced options.

And then select Command Prompt.

Now the first thing you do is navigate to the System32 folder on the primary drive, in this instance the C drive. Then, by typing the commands shown in the images, you rename the utility tool on the Windows sign-in screen. Its executable name is utilman.exe, and you are just renaming cmd.exe to utilman.exe.

By doing this, the next time the threat actor wants to access Bob's login page he can click on the utility assistance button and a cmd prompt will appear instead.

After clicking the utility button we can see that cmd popped up, and it can now be used to type whatever the threat actor wants. For the time being, they are going to reset Bob's local account password.

And just like that, Bob's password was changed and the threat actor gets in.
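The swap described above leaves a copy of a command interpreter sitting under the name of a sign-in screen accessibility tool, which is easy to detect. The following PowerShell check is an added example, not code from the original article. It goes beyond utilman.exe to the other accessibility binaries reachable from the sign-in screen, and it assumes an elevated prompt on the machine being checked.

```powershell
# Added example: flag sign-in screen accessibility binaries that are really
# a command interpreter. Run from an elevated PowerShell prompt.
$sys32 = Join-Path $env:SystemRoot 'System32'

# utilman.exe is the binary used in the article; the others are the same class
# of target and are included here as a generalization.
$targets = 'utilman.exe', 'sethc.exe', 'osk.exe', 'magnify.exe',
           'narrator.exe', 'displayswitch.exe'

# Interpreters to compare against, keyed by SHA-256.
$shellHashes = @{}
foreach ($shell in 'cmd.exe', 'WindowsPowerShell\v1.0\powershell.exe') {
    $shellPath = Join-Path $sys32 $shell
    if (Test-Path $shellPath) {
        $shellHashes[(Get-FileHash -Path $shellPath -Algorithm SHA256).Hash] = $shellPath
    }
}

$findings = foreach ($name in $targets) {
    $path = Join-Path $sys32 $name
    if (-not (Test-Path $path)) { continue }

    $hash    = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    $version = (Get-Item $path).VersionInfo
    $reasons = @()

    # Byte-for-byte copy of an interpreter under an accessibility name.
    if ($shellHashes.ContainsKey($hash)) {
        $reasons += "identical to $($shellHashes[$hash])"
    }
    # Catches a copy taken from a different Windows build: the embedded
    # version resource still names the interpreter.
    if ($version.OriginalFilename -match '^(cmd|powershell)\.exe') {
        $reasons += "OriginalFilename is '$($version.OriginalFilename)'"
    }

    [pscustomobject]@{
        File       = $name
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = $reasons -join '; '
        SHA256     = $hash
    }
}

$findings | Format-Table -AutoSize -Wrap
```

Any row with Suspicious set to True means the sign-in screen can launch a shell without credentials, and the file should be restored from a known-good source.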

Next, the threat actor checks what defenses the endpoint has and sees it is on the latest Windows update.

At this point most advanced threat actors have a method to bypass Defender and go undetected, but this method is aimed at removing Defender from the system for permanent persistence. For this one I curated my own custom script that disables Defender from the root; it is displayed below for the scenario.

I then grabbed my custom PowerShell script, named 1.ps1. For this to work we need to boot the system in Safe Mode to execute it, which should be easy since the password was changed. Then we go ahead and execute the PowerShell command, disabling Windows Defender.

After running the PowerShell script, reboot the machine back into normal Windows and check the security state.

After rebooting the machine and heading over to Windows Security, we now see that Virus & threat protection shows as unknown, but we continue to dig more.

After a minute I went ahead and added a malicious binary that is hosted by Pentagon RAT, while Defender is still showing as turned off with notifications. Let's see if it connects.

And BOOM, a connection was made to Bob's computer and it is now fully pwned by the C2. Pentagon RAT shows its full capabilities on the right-hand side, and no AV or EDR is there to stop it, so it has good persistence. NOTE: this method can be used with any malicious software on the system; this one is an example.

After getting a pure foothold on the system with good persistence, the threat actor might want to be more discreet about the system he just hacked, as the Windows Defender notification icon still shows that Defender is off and can warn the user.

In this scenario I created my own project, which I named Project Jericho. Essentially, this project grabs all Microsoft security-related registry keys (real-time monitoring, UAC, Exploit Guard, LSA protection, etc.) and inverts the keys to reverse and remove the registry settings and brick Defender's security.

After putting the folder on the desktop, I went ahead and ran Jericho and got the notification that the system was pwned and that the remaining artifacts of Defender had been removed.

After fully removing Defender, the threat actor would go ahead and reboot the system. Now let's take a look at how Windows Security looks: navigating the UI, we can see that it has changed and is different from what it was before.

After more navigating we go into Device Security and see that Defender now does recognize the hardware to support security. With that noted, the Windows Defender icon has disappeared completely, meaning no more notifications of Defender's status to any user.
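Because the tray icon and the Windows Security UI stop reporting once Defender has been removed, its state has to be checked another way, for example from a scheduled task or a management agent. The following PowerShell function is an added example, not part of the original article or of Project Jericho. The name Get-SecurityPosture is hypothetical, and the checks assume Defender is meant to be the primary antivirus on a client edition of Windows.

```powershell
# Added example: report Defender and UAC state from the command line instead
# of trusting the tray icon or the Windows Security UI.
function Get-SecurityPosture {
    $problems = [System.Collections.Generic.List[string]]::new()

    # 1. The Defender service itself. A missing or stopped service is a finding.
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    if (-not $svc) { $problems.Add('WinDefend service not found') }
    elseif ($svc.Status -ne 'Running') { $problems.Add("WinDefend service is $($svc.Status)") }

    # 2. Engine state. If the cmdlet fails, that failure is itself the signal.
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        foreach ($flag in 'AMServiceEnabled', 'AntivirusEnabled',
                          'RealTimeProtectionEnabled', 'BehaviorMonitorEnabled',
                          'IsTamperProtected') {
            if ($mp.$flag -ne $true) { $problems.Add("$flag = $($mp.$flag)") }
        }
    } catch {
        $problems.Add("Get-MpComputerStatus failed: $($_.Exception.Message)")
    }

    # 3. What Security Center has registered (client editions of Windows only).
    $av = Get-CimInstance -Namespace 'root/SecurityCenter2' `
              -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
    if (-not $av) { $problems.Add('No antivirus product registered with Security Center') }

    # 4. UAC: EnableLUA is 1 on a default install.
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $lua = (Get-ItemProperty -Path $uacKey -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    if ($lua -ne 1) { $problems.Add("UAC EnableLUA = $lua") }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Checked  = Get-Date
        Healthy  = ($problems.Count -eq 0)
        Problems = $problems -join '; '
    }
}

Get-SecurityPosture | Format-List
```

Ship the result off the host: a machine that stops reporting, or reports Healthy as False, is the alert, regardless of what the local UI shows.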

Having seen the success of removing Defender and its contents, a threat actor would want to check whether the backdoor connection to the system is still connected to the C2 RAT panel. After checking back on their own system, they can see a successful connection still connected to their panel.
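Every step above starts from a recovery command prompt that can read and write the Windows volume. With BitLocker protecting the OS volume, the recovery environment asks for the recovery key before it will unlock the drive. The following PowerShell audit is an added example, not code from the original article. The function name Test-DriveEncryption is hypothetical, and it assumes an elevated prompt on a Windows edition that ships the BitLocker module.

```powershell
# Added example: list every volume that could still be modified offline
# because it is unencrypted or its protection is suspended.
function Test-DriveEncryption {
    foreach ($vol in Get-BitLockerVolume) {
        # Key protector types configured on the volume (Tpm, TpmPin,
        # RecoveryPassword, ...).
        $protectors = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        $issues = @()

        # Anything other than FullyEncrypted leaves plaintext on disk.
        if ($vol.VolumeStatus -ne 'FullyEncrypted') {
            $issues += "volume status is $($vol.VolumeStatus)"
        }
        # An encrypted volume with protection Off is suspended: the key is
        # stored unprotected on the disk, so the data is readable offline.
        if ($vol.ProtectionStatus -ne 'On') {
            $issues += "protection status is $($vol.ProtectionStatus)"
        }
        if ($protectors.Count -eq 0) {
            $issues += 'no key protectors configured'
        }

        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            VolumeType = $vol.VolumeType
            Method     = $vol.EncryptionMethod
            Protectors = $protectors -join ', '
            Protected  = ($issues.Count -eq 0)
            Issues     = $issues -join '; '
        }
    }
}

Test-DriveEncryption | Format-Table -AutoSize -Wrap
```

An OperatingSystem volume with Protected set to False is exposed to the offline file replacement that starts this walkthrough.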

Article By CrypticSploit

Feel free to message me on Twitter for more info or questions.