Time
10 minutes
Difficulty
Intermediate

Video Transcription

00:00
Hey, everyone, it's Ken Underhill, Master Instructor at Cybrary. In this video, we're gonna talk about being stealthy. So one thing that attackers might do is actually change that information. So if you've right-clicked on a file in Windows and taken a look at when it was created, you know, when it was last modified?
00:15
That's what timestomping is, right? So the attacker modifies that information. So as an example, let's say they
00:21
attacked my system today. They just go ahead and change the date to maybe, you know, six months ago, when the last update was, so I don't know, I'm not suspicious, right? Well, I would be. But, you know, your average person is not suspicious. They may just right-click, click, OK, obviously nothing happened today, because this file says it was fine, you know, it was last modified six months ago.
00:40
That's a very simplistic example, but that's kind of the generalized idea.
00:44
Then we've got steganography, so that's
00:46
a way, essentially, if you just think of it as "I hide something inside of something else," right? And so that might be me hiding a photo inside of something else, that might be me hiding secret text inside of something else. It might be me hiding a photo inside of, you know, a video, text inside of a video, video inside of, you know, an image,
01:06
a lot of different ways we can do it.
01:07
And there's many, many tools out there. We'll have a quick demo in just a second to show you one of the many tools that could be used for that. But that's steganography, kind of in a nutshell. Also, our logs. So you'll see different,
01:22
I guess, schools of thought on it. Most of us have the common sense idea: like, if I go delete a bunch of logs,
01:30
any Linux admin, you know, like, let's say I attack you today, right?
01:34
And I go in there and I delete all the logs from today. Any Linux admin or network engineer, anybody looking at those logs, is gonna be like, wait a minute, we're missing the entire day's logs. That doesn't make any sense, right? So deleting all the logs, which you might see in different certification exams,
01:49
and they may tell you that's a good idea, deleting all the logs from a practical standpoint is not necessarily the best idea.
01:55
The better option is deleting specific logs. There's a few ways you can do that, well, many ways you can do that. Of course, going in manually and trying to find those logs. You can also use one of the tools that was, you know, supposedly part of the NSA leak, it's called DanderSpritz. So with that tool, there's a plugin,
02:15
eventlogedit.
02:16
And so you could use that plugin to basically go in and individually, it's basically surgically...
02:22
Well, yeah, we'll use that terminology: surgically remove certain log files, you know, certain log entries. And so that way you can just remove the information you don't want.
02:32
That type of stuff takes time. I think probably one of the easier ways is, we all know, if you've worked in IT or anything in any capacity, you know that log files can get corrupted. You know, sometimes things happen, right? It's technology. And so the easiest way, in my opinion, is corrupting logs, and go back in time. Don't just do it like today,
02:52
you know, maybe make it like there's some kind of issue that maybe wasn't noticed
02:55
over, you know, a short period of time or whatever. So that's logs in a nutshell. I don't recommend you delete all the logs, because that's a big red flag for anybody with, you know, a pulse. But you get the general idea that we can really delete what we want and hopefully become a little more stealthy, and that way nobody knows we even attacked.
03:15
Now, the other thing we have is what's called covert channels. So a lot of times malware will use this. So, you know, if you'll recall from, like, the media, like Loki,
03:27
ransomware,
03:29
uh, you know, some other names out there. People in pen testing might be familiar with the ICMP backdoor, 007Shell. So Loki basically took the ping packets, or the ICMP echo packets, and used those to transmit data. So, you know, a ping packet
03:49
has a capacity to transmit data, right?
03:51
But the normal function of that is me, like, pinging your network, right? I want to see if I've got a connection. And if I can't get to, you know, your stuff, then maybe it's a problem on my machine or my local network, whatever the case might be.
04:02
But in this example, what the attacker does is use a channel that's
04:10
used for normal purposes, right, like a ping packet, an example ICMP packet. And then, because of the fact that it can carry data, they then use that to transmit whatever data, you know, that they want to send across, right? So it could be, you know, a payload is probably the most
04:26
common thing, but that's one thing that you can do. The ICMP backdoor is very similar. The difference is, instead of the echo, so basically sending a ping packet, it's a doesn't-reply version of it. So that way, you know, you could do it that way. And then 007Shell:
04:44
the only difference, the main difference between that and the ICMP backdoor is the fact that
04:47
uh, 007Shell will
04:51
adjust the file size to make it look like it's unaltered, so that way, if that was, like, a determining factor for an investigator, maybe they wouldn't notice what's going on. Of this list, that's actually my favorite name, 007Shell. I feel like I'm a spy, you know, from using that. Anyways, I digress.
05:09
So that's kind of a high-level overview of some different stealth methods. Like I said, evasion, stealth, you know, we traditionally
05:15
would wrap that up into one during a pen test. So let's just jump in and take a quick look at a demonstration, just basically taking a look at an image file. And for those of you that have taken any of my courses before, you know that this is going to be a cat image. So just prepare yourself for that. So if you're not a cat lover,
05:33
too bad, you're going to see a cat image in this short demo. So let's take a look right now.
05:38
So let's take a look at an example of steganography now. This isn't going to be an actual lab, and there's no step-by-step guide for it. I'm just gonna be using a tool called QuickCrypto, and what I've already done is I've put a message inside of one of those cat photos that you see there, kind of near the bottom left,
05:55
and we'll take a look at both photos, and then we'll actually go ahead and open one of them in the QuickCrypto tool, and you'll be able to see what hidden information might be in there.
06:05
Let's start off with the copy one here at the top. We open it up, we see that, hey, it's, you know, just a cat photo. And I'll give you a little hint, since we're doing a demo here, not an actual lab: these photos are visually the exact same thing. You see it's a cat there, looks like maybe on a table or something.
06:19
And if we look at this one here,
06:24
we also see that it's the exact same cat sitting on the table,
06:28
looking for more food, right? That's all cats do all day long.
06:30
Okay, so let's go ahead and open it in the QuickCrypto tool and just take a look. And there's many different tools you can use, and I'm just, uh, what I do when I want to use QuickCrypto, I don't pay for a license. I just go ahead and download it in a new VM, and basically it gives you a 14-day trial, and that's all I needed it for.
06:49
If you're going to need this, like, in real life forever, definitely, you know, explore the pricing options. There's many, many tools that you can use for this type of thing. You notice this particular solution gives you many options. So if you want to encrypt files, you want to decrypt, if you want to encrypt drives or folders, et cetera, we could do all that stuff.
07:09
We're not covering any of that in this demo. We're just going over here to the steganography stuff.
07:15
We'll go ahead and click on that. And,
07:16
QuickStego actually used to be a standalone free tool that you could download, and they've kind of rolled it into this, and now you have to pay for it. So anyways, I digress. Let's go ahead and open our file here. We're gonna open that cat3.jpg. That's the one that I've hidden a little message in.
07:33
And so let's go and pull that up here real quick. All right, so you see the message right there. Now, what we can do if we want to encrypt this, we can just say encrypt text.
07:43
And so that way, it gives some measure of security
07:47
for us sending, like, our nefarious file to, you know, another party. One thing to keep in mind: if you encrypt something, generally speaking, it's going to change the file size. So that might be an avenue that somebody could use to take a look and see if you've done anything to it.
08:03
So we see here that, you know, we've encrypted it. Now, of course, if we want to decrypt it, we just add our password. But this is all we're doing. We're adding text into, well, text, or an image we could do, or even a video inside of something else, right? So basically, again, steganography, as I mentioned, is just hiding something inside of something else,
08:22
and that's all we're doing here, right? So in this example,
08:24
I would just hide my secret message, which in this case is just "I am a cat." I would hide this inside of this photo. I can either just hide it and potentially not change the size of it, or I can encrypt it. So it's really up to you as the attacker
08:39
how you're going to do it, right, if you're gonna use steganography. It's not necessarily something that a pen tester uses on kind of a daily or weekly basis. But it is something you need to be familiar with, especially on the flip side of things, right? If you're gonna work in incident response or even forensics,
08:56
like, full time, then you definitely need to understand steganography and how to
09:01
find these files, how to analyze them and determine if there's actually something hidden inside of those. You'll see a lot of, you know, unfortunate conversation, but you'll see a lot of the people that do, like, child ***. They'll hide that inside of other photos, you know. So it might be like, you know, a cat photo, or, you know, a picture of, you know,
09:18
balloons or something like that. Whatever the case might be, they'll hide them a lot of times in there. So,
09:22
anyways, I digress. This was just a quick demo to show you, try to give you a visualized concept of what we're talking about when we talk about steganography. Again, really just hiding something inside of something else, and this is one of the many tools you can do that with that really makes it pretty easy to do. So,
09:41
definitely, you know, check out different tools out there for steganography. You could just do a quick Google search.
09:46
You'll find a lot of different ones. QuickCrypto is just one I've used in the past, and I decided to show the demo with that.
09:52
All right, so in this video, we just covered a little high-level overview of being stealthy. So we talked about some different things, for example, covert channels and steganography.
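The ICMP covert channel the video describes (a ping packet's data field carrying something other than ping filler), looked at from the defender's side, as an added example that is not part of the original video or of any tool it names: it parses a constructed IPv4/ICMP echo packet and flags payloads that match neither the Windows ping filler nor the iputils pattern. The packet builder, the addresses and the sample payloads are assumptions constructed for this example.

```python
import math
import struct
from collections import Counter

# Added defender-side example, not from the video: addresses, IDs and the
# packet builder below are constructed so the checks can run offline.
ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0
WINDOWS_PING_DATA = b"abcdefghijklmnopqrstuvwabcdefghi"  # Windows ping payload

def icmp_echo_payload(packet: bytes):
    """Return (icmp_type, payload) for an IPv4 ICMP echo packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4                 # IPv4 header length in bytes
    if packet[9] != 1 or len(packet) < ihl + 8:  # protocol 1 = ICMP, 8-byte ICMP header
        return None
    icmp_type = packet[ihl]
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return None
    return icmp_type, packet[ihl + 8:]

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    return -sum(c / len(data) * math.log2(c / len(data)) for c in Counter(data).values())

def classify_payload(payload: bytes) -> str:
    """'windows-ping', 'linux-ping' (iputils: 8-byte timestamp, then 0x10, 0x11, ...) or 'suspicious'."""
    if payload == WINDOWS_PING_DATA:
        return "windows-ping"
    body = payload[8:]
    if len(payload) >= 16 and body == bytes((0x10 + i) & 0xFF for i in range(len(body))):
        return "linux-ping"
    return "suspicious"  # unknown filler: worth an alert and a look at the bytes

def inspect(packet: bytes) -> dict:
    parsed = icmp_echo_payload(packet)
    if parsed is None:
        return {"verdict": "not-icmp-echo"}
    icmp_type, payload = parsed
    return {"verdict": classify_payload(payload), "type": icmp_type,
            "len": len(payload), "entropy": round(entropy(payload), 2)}

def build_echo(payload: bytes, icmp_type: int = ICMP_ECHO_REQUEST) -> bytes:
    """Constructed IPv4 + ICMP echo packet (checksums left zero; fine for parsing)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 1, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + payload
```

Run `inspect()` over echo packets pulled from a capture; a reply whose payload differs from its request, or any payload classed as suspicious, is the kind of thing an analyst should pivot on.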

Stealth Techniques for Incident Handlers

In Stealth Techniques for Incident Handlers, Cybrary Master Instructor Ken Underhill discusses the various techniques used around stealth like timestomping, steganography, logs, and covert channels, like Loki and 007Shell. Ken then dives into more detail with some walkthrough examples using the steganography tool, QuickCrypto.

Instructed By

Ken Underhill
Master Instructor at Cybrary