
Adding unicode/non-printable service tool

We can create services using Unicode and/or non-printable characters that function as intended but don't show in Task Manager, services.msc, sc.exe, etc., making them difficult for defenders to spot and remove. This tool allows us to check for and remove them. This is only the defensive portion. The offensive POC will be added shortly.
matterpreter committed Jan 21, 2020
1 parent f917f29 commit 089c1db4909ab365b45fb69e45abb1adcac2861e
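--- a/PhantomService.csproj
+++ b/PhantomService.csproj
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<Import Project="$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props" Condition="Exists('$(MSBuildExtensionsPath)\$(MSBuildToolsVersion)\Microsoft.Common.props')" />
+<PropertyGroup>
+<Configuration Condition=" '$(Configuration)' == '' ">Debug</Configuration>
+<Platform Condition=" '$(Platform)' == '' ">AnyCPU</Platform>
+<ProjectGuid>{FF8D99A9-DF69-4DF5-8423-ADA62334C9BD}</ProjectGuid>
+<OutputType>Exe</OutputType>
+<RootNamespace>PhantomService</RootNamespace>
+<AssemblyName>PhantomService</AssemblyName>
+<TargetFrameworkVersion>v4.0</TargetFrameworkVersion>
+<FileAlignment>512</FileAlignment>
+<Deterministic>true</Deterministic>
+</PropertyGroup>
+<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Debug|AnyCPU' ">
+<PlatformTarget>AnyCPU</PlatformTarget>
+<DebugSymbols>true</DebugSymbols>
+<DebugType>full</DebugType>
+<Optimize>false</Optimize>
+<OutputPath>bin\Debug\</OutputPath>
+<DefineConstants>DEBUG;TRACE</DefineConstants>
+<ErrorReport>prompt</ErrorReport>
+<WarningLevel>4</WarningLevel>
+</PropertyGroup>
+<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|AnyCPU' ">
+<PlatformTarget>AnyCPU</PlatformTarget>
+<DebugType>pdbonly</DebugType>
+<Optimize>true</Optimize>
+<OutputPath>bin\Release\</OutputPath>
+<DefineConstants>TRACE</DefineConstants>
+<ErrorReport>prompt</ErrorReport>
+<WarningLevel>4</WarningLevel>
+</PropertyGroup>
+<ItemGroup>
+<Reference Include="System" />
+<Reference Include="System.Configuration.Install" />
+<Reference Include="System.Core" />
+<Reference Include="System.ServiceProcess" />
+<Reference Include="System.Xml.Linq" />
+<Reference Include="System.Data.DataSetExtensions" />
+<Reference Include="Microsoft.CSharp" />
+<Reference Include="System.Data" />
+<Reference Include="System.Xml" />
+</ItemGroup>
+<ItemGroup>
+<Compile Include="Program.cs" />
+<Compile Include="Properties\AssemblyInfo.cs" />
+</ItemGroup>
+<Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
+</Project>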
@@ -0,0 +1,25 @@

Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 16
VisualStudioVersion = 16.0.29326.143
MinimumVisualStudioVersion = 10.0.40219.1
Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "PhantomService", "PhantomService.csproj", "{FF8D99A9-DF69-4DF5-8423-ADA62334C9BD}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Any CPU = Debug|Any CPU
Release|Any CPU = Release|Any CPU
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{FF8D99A9-DF69-4DF5-8423-ADA62334C9BD}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
{FF8D99A9-DF69-4DF5-8423-ADA62334C9BD}.Debug|Any CPU.Build.0 = Debug|Any CPU
{FF8D99A9-DF69-4DF5-8423-ADA62334C9BD}.Release|Any CPU.ActiveCfg = Release|Any CPU
{FF8D99A9-DF69-4DF5-8423-ADA62334C9BD}.Release|Any CPU.Build.0 = Release|Any CPU
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
GlobalSection(ExtensibilityGlobals) = postSolution
SolutionGuid = {0B98B26A-1374-479D-8E83-8146E519ABC4}
EndGlobalSection
EndGlobal
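--- a/Program.cs
+++ b/Program.cs
@@ -0,0 +1,61 @@
+using System;
+using System.ServiceProcess;
+using System.Text;
+using System.Configuration.Install;
+using System.ComponentModel;
+
+namespace PhantomService
+{
+class Program
+{
+public static void Main(string[] args)
+{
+string usage = "PhantomService.exe (audit|remove)";
+if (args.Length == 1 && args[0].ToLower() == "audit")
+{
+RemovePhantomServices(false);
+}
+else if (args.Length == 1 && args[0].ToLower() == "remove")
+{
+RemovePhantomServices(true);
+}
+else
+{
+Console.WriteLine(usage);
+}
+
+}
+
+static void RemovePhantomServices(bool remove)
+{
+Console.OutputEncoding = Encoding.Unicode;
+ServiceController[] services = ServiceController.GetServices();
+
+foreach (ServiceController service in services)
+{
+string serviceName = service.ServiceName;
+
+if (Encoding.UTF8.GetByteCount(serviceName) != serviceName.Length)
+{
+Console.WriteLine("[*] Found non-ASCII service: " + service.ServiceName);
+if (remove)
+{
+try
+{
+ServiceInstaller ServiceInstallerObj = new ServiceInstaller();
+InstallContext Context = new InstallContext(null, null);
+ServiceInstallerObj.Context = Context;
+ServiceInstallerObj.ServiceName = service.ServiceName;
+ServiceInstallerObj.Uninstall(null);
+Console.WriteLine();
+}
+catch (Win32Exception w)
+{
+Console.WriteLine("[-] Failed to remove {0} -> {1}", service.ServiceName, w.Message);
+}
+}
+}
+}
+}
+}
+}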
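Review bot: The check `Encoding.UTF8.GetByteCount(serviceName) != serviceName.Length` in RemovePhantomServices only fires for characters above 0x7F, so a service name padded with ASCII control characters (the "non-printable" case the commit title names) is never reported or removed; a small helper that also tests `char.IsControl` covers both cases and makes the intent readable. Two smaller points in the same file: the `ToLower()` comparisons in Main are culture-sensitive and are safer as `string.Equals(args[0], "audit", StringComparison.OrdinalIgnoreCase)`, and the bare `Console.WriteLine()` after `Uninstall` prints a blank line where a `[+] Removed ...` confirmation would tell the operator the deletion actually happened. Remove mode also deletes every match without a confirmation prompt; since a non-ASCII service name is not by itself proof of malice, it is worth saying so in the usage string and pointing operators at audit mode first. The catch handles only Win32Exception, so any other exception type raised during uninstall would abort the loop before the remaining services are examined — worth confirming against the installer's documented exceptions.
```csharp
if (HasNonPrintableOrNonAscii(serviceName))
{
    // … unchanged: report, optional uninstall …
}

// True when the name contains any character outside printable ASCII:
// a code point above 0x7F or an ASCII control character (0x00-0x1F, 0x7F).
static bool HasNonPrintableOrNonAscii(string name)
{
    foreach (char c in name)
    {
        if (c > 0x7F || char.IsControl(c))
        {
            return true;
        }
    }
    return false;
}
```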
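--- a/Properties/AssemblyInfo.cs
+++ b/Properties/AssemblyInfo.cs
@@ -0,0 +1,36 @@
+using System.Reflection;
+using System.Runtime.CompilerServices;
+using System.Runtime.InteropServices;
+
+// General Information about an assembly is controlled through the following
+// set of attributes. Change these attribute values to modify the information
+// associated with an assembly.
+[assembly: AssemblyTitle("PhantomService")]
+[assembly: AssemblyDescription("")]
+[assembly: AssemblyConfiguration("")]
+[assembly: AssemblyCompany("")]
+[assembly: AssemblyProduct("PhantomService")]
+[assembly: AssemblyCopyright("Copyright © 2020")]
+[assembly: AssemblyTrademark("")]
+[assembly: AssemblyCulture("")]
+
+// Setting ComVisible to false makes the types in this assembly not visible
+// to COM components. If you need to access a type in this assembly from
+// COM, set the ComVisible attribute to true on that type.
+[assembly: ComVisible(false)]
+
+// The following GUID is for the ID of the typelib if this project is exposed to COM
+[assembly: Guid("ff8d99a9-df69-4df5-8423-ada62334c9bd")]
+
+// Version information for an assembly consists of the following four values:
+//
+// Major Version
+// Minor Version
+// Build Number
+// Revision
+//
+// You can specify all the values or you can default the Build and Revision Numbers
+// by using the '*' as shown below:
+// [assembly: AssemblyVersion("1.0.*")]
+[assembly: AssemblyVersion("1.0.0.0")]
+[assembly: AssemblyFileVersion("1.0.0.0")]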
@@ -12,5 +12,6 @@ This is a collection of C# tooling and POCs I've created for use on operations.
| **ImplantSSP** | Installs a user-supplied Security Support Provider (SSP) DLL on the system, which will be loaded by LSA on system start. The DLL must export `SpLsaModeInitialize`. Inspired by [Install-SSP](https://powersploit.readthedocs.io/en/latest/Persistence/Install-SSP/) by [@mattifestation](https://twitter.com/mattifestation). | 3.5 |
| **JunctionFolder** | Creates a junction folder in the Windows Accessories Start Up folder as described in the Vault 7 leaks. On start or when a user browses the directory, the referenced DLL will be executed by `verclsid.exe` in medium integrity. | 3.5 |
| **MockDirUACBypass** | Creates a mock trusted directory, `C:\Windows \System32\`, and moves an auto-elevating Windows executable into the mock directory. A user-supplied DLL which exports the appropriate functions is dropped and when the executable is run, the DLL is loaded and run as high integrity. Technique discovered by [@ce2wells](https://twitter.com/ce2wells) and outlined in [this post.](https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e) | 3.5 |
| **PhantomService** | Searches for and removes non-ASCII services that can't be easily removed by built-in Windows tools. [Reference](https://twitter.com/matterpreter/status/1218290309500669952) | 4.0 |
| **SessionSearcher** | Searches all connected drives for PuTTY private keys and RDP connection files and parses them for relevant details. Based on [SessionGopher](https://github.com/Arvanaghi/SessionGopher) by [@arvanaghi](https://twitter.com/arvanaghi). | 4.0 |
| **UnquotedPath** | Outputs a list of unquoted service paths that aren't in System32/SysWow64 to plant a PE into. [ATT&CK Reference](https://attack.mitre.org/techniques/T1034/) | 3.5 |
