Creepy User-Centric Post-Exploitation

Audio Recording

Windows ships a multimedia library in its SDK called “WinMM”. This library provides a range of features for interacting with audio devices, allowing you to play or record sound. One particular API, MCISendString, lets you send command strings to an MCI device to accomplish those actions. MCI devices are Windows drivers that give software device-independent access to multimedia functions such as playback or recording. Essentially, it is an easy front end to control with little knowledge of the system-specific setup.

Webcam Capture

Working with webcams proved to be slightly more difficult. Luckily, I did not have to put in much work. Chris Ross ( ) had already created Capture-Minieye, a script that uses DirectX to perform a webcam capture and save it to disk. First, the module reflectively loads a .NET assembly for DirectXCapture and DirectShow. Next, it uses the included functionality to begin recording a video file to disk. I have used this module on engagements inside of Cobalt Strike, and it has successfully captured videos as expected. One downside is that it produces large output files with little compression. There appear to be methods to use compression inside of the DirectX assembly, but the script does not currently use them.

Defense

I feel a responsibility to attempt to address defensive mitigations for anything I talk about offensively; however, the options to combat the techniques described in this post are limited. Standard endpoint monitoring (AV, HIDS, event logging such as WMF 5.0 and PowerShell Script Block Logging, etc.) is your friend but will not specifically prevent or detect most post-exploitation actions. Event monitoring works best in context: individual events, user reports, or help desk tickets become far more useful when correlated with all of the data available. Some post-exploitation actions only make sense when you look at the series of events leading up to them (e.g. an interactive login with a service account to a terminal server, a user help desk ticket for suspicious behavior, suspicious command-line activity, a HIDS alert for injection, etc.).
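As an added example (not code from the original post or from Capture-Minieye), the following Python sketch shows how the audio and webcam techniques described above surface in PowerShell Script Block Logging (Event ID 4104): it runs a few indicator rules over constructed sample ScriptBlockText values and returns the rule hits per event for triage. The event records, field names and rule names are assumptions; a real pipeline would read ScriptBlockText from the exported event XML.

```python
import re

# Constructed sample 4104 ScriptBlockText values for illustration only.
SAMPLE_EVENTS = [
    {"id": "a1", "text": "Get-ChildItem C:\\Users | Select-Object Name"},
    {"id": "a2", "text": '[DllImport("winmm.dll")] public static extern int '
                         'mciSendString(string c, string r, int l, IntPtr h);'},
    {"id": "a3", "text": "[System.Reflection.Assembly]::Load($bytes)  # DirectShow / DirectXCapture"},
    {"id": "a4", "text": "Capture-MiniEye -Path C:\\Windows\\Temp\\out.avi"},
    {"id": "a5", "text": 'mciSendString("open new type waveaudio alias rec", $null, 0, 0)'},
]

# Indicator rules derived from the techniques above: P/Invoke of WinMM's MCI
# interface, MCI command strings that address an audio capture device, reflective
# .NET assembly loading, and the DirectX/DirectShow webcam tooling by name.
RULES = {
    "winmm_mci_pinvoke": re.compile(r'DllImport\(\s*"winmm\.dll"\s*\)|mciSendString', re.I),
    "mci_record_command": re.compile(r"\bwaveaudio\b|\brecord\b.*\balias\b", re.I),
    "reflective_assembly_load": re.compile(r"\[System\.Reflection\.Assembly\]::Load\(", re.I),
    "webcam_capture_tooling": re.compile(r"DirectShow|DirectXCapture|Capture-MiniEye", re.I),
}


def match_rules(text):
    """Return the sorted names of every rule that fires on one script block."""
    return sorted(name for name, rx in RULES.items() if rx.search(text))


def scan(events):
    """Map each event id to its rule hits (an empty list means no indicator)."""
    return {e["id"]: match_rules(e["text"]) for e in events}


def flagged(events):
    """Event ids worth correlating with logon type, tickets and HIDS alerts."""
    return [eid for eid, hits in scan(events).items() if hits]


if __name__ == "__main__":
    for eid, hits in scan(SAMPLE_EVENTS).items():
        print(eid, hits or "-")
```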

Legal Disclaimer

I highly recommend reviewing federal, state, and local laws regarding the recording of personnel, as well as coordinating all actions through your point of contact. Also, make sure these are in-scope items per the rules of engagement. Laws surrounding video and audio recording of personnel can be complicated, so you should definitely verify that this is okay to do. International privacy laws should also be taken into account.

Conclusion

Red team: I challenge you to seek out new post-exploitation actions to accomplish your objectives. Not only will you discover or develop awesome techniques that successfully mimic adversaries, but you will also gather critical intel that will enrich your engagements. Plus, the creepiest things often make the most impact. Your job is to educate and prepare the blue team.
