Logon helper - ties2/Red-Team GitHub Wiki

Establishing persistent access to a compromised system is a crucial part of red teaming, and logon-helper is one of the methods used to achieve it. Logon-helper is a type of malware that lets an attacker regain access to a system even after it has been restarted or the attacker's original session has ended. It does this by modifying the Windows authentication process so that unauthorized logins are accepted. In this essay, we will discuss how attackers use logon-helper to make their access persistent and how defenders can detect and prevent it.

Logon-helper malware works by modifying the authentication process of the Windows operating system. The malware registers a new authentication package, a DLL that the Local Security Authority (LSA) loads into lsass.exe at boot and calls before the standard authentication package. When a user logs in, the logon-helper intercepts the user's credentials and stores them in a file. That file is then used to authenticate the attacker's session every time they attempt to log in, allowing the attacker to bypass the standard authentication process and log in with the stolen credentials.

The logon-helper malware can be deployed in several ways. One common method is to use a Trojan downloader. The attacker sends a spear-phishing email to the target that contains a malicious attachment or a link to a malicious website. When the target opens the attachment or clicks the link, the Trojan downloader is downloaded and installed on the system. The Trojan downloader then downloads and installs the logon-helper malware.

Another method of deploying logon-helper is to use a remote access Trojan (RAT). A RAT is a type of malware that provides attackers with remote access to a system. The attacker can use the RAT to download and install the logon-helper malware on the system.

Once the logon-helper malware is installed on the system, it can be difficult to detect and remove. The malware can hide its files and processes, making it difficult for antivirus software to detect it. Additionally, the malware can use rootkit techniques to hide itself from the operating system and antivirus software.

One way to detect logon-helper malware is to look for suspicious files and processes on the system. The malware may create a new DLL file in the Windows system directory or a new service that runs in the background. Because an authentication package has to be registered with the LSA before lsass.exe will load it, the package list in the LSA registry key is a useful place to check: any package name that is not present on a known-good build of the same Windows version, or whose DLL is missing from System32 or not validly signed, warrants investigation. Additionally, the malware may create a new user account on the system that is used to authenticate the attacker's session.
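The registry check described above, as an added example that is not part of the wiki: it reads the LSA package lists, compares each entry against a baseline you supply from a known-good host, and verifies that each listed DLL exists in System32 and carries a valid Authenticode signature. It assumes it is run elevated on the host being audited; the `$Baseline` contents are an assumption to be filled in from your own reference build (msv1_0 is the stock Authentication Packages entry).

```powershell
# Added example (not the wiki's own code): audit the LSA package lists that an
# authentication-package logon helper must register itself in, and verify each
# listed DLL on disk. Assumptions: run elevated; $Baseline comes from a
# known-good host of the same Windows version (msv1_0 is the stock entry).

$LsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Baseline = @{
    'Authentication Packages' = @('msv1_0')
    'Security Packages'       = @()   # fill in from your known-good reference host
}

function Get-LsaPackageFindings {
    param([string]$Key = $LsaKey, [hashtable]$Expected = $Baseline)

    $props = Get-ItemProperty -Path $Key
    foreach ($valueName in $Expected.Keys) {
        # REG_MULTI_SZ values come back as a string array; drop empty entries.
        $listed = @($props.$valueName | Where-Object { $_ -and $_.Trim() })
        foreach ($pkg in $listed) {
            $finding = [pscustomobject]@{
                ValueName  = $valueName
                Package    = $pkg
                InBaseline = $Expected[$valueName] -contains $pkg
                DllPath    = $null
                Signature  = 'Missing'   # overwritten if the DLL is found
                Signer     = $null
            }
            # Package names are DLL base names that LSA resolves from System32.
            $dll = Join-Path $env:SystemRoot "System32\$pkg.dll"
            if (Test-Path $dll) {
                $sig = Get-AuthenticodeSignature -FilePath $dll
                $finding.DllPath   = $dll
                $finding.Signature = $sig.Status.ToString()
                $finding.Signer    = $sig.SignerCertificate.Subject
            }
            $finding
        }
    }
}

# Anything outside the baseline, missing on disk, or not validly signed is
# exactly the footprint the persistence technique above leaves behind.
Get-LsaPackageFindings |
    Where-Object { -not $_.InBaseline -or $_.Signature -ne 'Valid' } |
    Format-Table ValueName, Package, InBaseline, Signature, DllPath -AutoSize
```

An empty baseline list flags every entry for that value, which is the safe default until you have captured the expected names from a clean build.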

To prevent logon-helper malware, organizations can take several measures. First, they should educate their employees about the dangers of phishing emails and how to identify them. Employees should be trained to avoid opening attachments or clicking links from unknown or suspicious sources. Second, organizations should use antivirus software that is capable of detecting and removing logon-helper malware. Additionally, organizations can use intrusion detection and prevention systems (IDPS) that can detect and block unauthorized logins.

In conclusion, logon-helper malware is a powerful tool that attackers can use to make access permanent to a system. The malware works by modifying the authentication process in the Windows operating system and adding a new authentication package. Once the malware is installed, it can be difficult to detect and remove. Organizations can take several measures to prevent logon-helper malware, including educating their employees, using antivirus software, and using IDPS. By taking these measures, organizations can reduce the risk of unauthorized access to their systems.