Home / malwarePDF  

Backdoor:PowerShell/Tarpeg.C


First posted on 28 March 2017.
Source: Microsoft

Aliases :

There are no other names known for Backdoor:PowerShell/Tarpeg.C.

Explanation :

Installation
This threat is coded in PowerShell and can steal user credentials by using HackTool:Win32/Mimikatz!dha. It can perform remote fileless execution which enables the malware or malicious code to load into the process without writing to the hard disk.

Payload

Allows backdoor access and control

This threat can give a malicious hacker access and control of your PC. They can then perform a number of different actions, such as:

  • Bypass some Group Policy settings
  • Bypass basic Group Policy Objects
  • Bypass Microsoft AppLocker and Software Restriction Polices
  • Cause Blue Screen of Death on your PC
  • Disable some security and event monitoring services
  • Dump cached credentials
  • Export security certificates and keys
  • Run fileless malware through PowerShell
  • Gather critical data for security and instrumentation software running on the host
  • Get a list with loaded kernel drivers
  • Get a table with all service calls and corresponding kernel modules names
  • Inject DLLs into running processes
  • Impersonate a token
  • List running system and user processes
  • Modify privileges
  • Obtain all process tokens
  • Patch Terminal Server
  • Recover and export Windows credentials
  • Recover and export Windows passwords in clear-text by injecting a DLL into lsass.exe
  • Retrieve data about all callback modules that receive notifications for processes, images, threads, registry changes, objects, and file changes
  • Stop event monitoring


Dumps credentials from LSASS

This threat can also dump credentials from Local Security Authority Subsystem Service (Windows Local Security Account database) including:
  • DPAPI hashes and keys
  • Kerberos password, eKeys, tickets, and PIN
  • NT Lan Manager (NTLM) password hashes
  • LAN Manager password hashes
  • LiveSSP (clear-text password)
  • SSP (clear-text password)
  • TsPkg (password)
  • WDigest (clear-text password)


Generates foged Ticket-Granting Tickets (TGTs)

This threat also generates the following forged authentication tickets:
  • Kerberos Golden Tickets (Kerberos TGT logon token ticket attack)
  • Kerberos Silver Tickets (Kerberos TGS service ticket attack)






Analysis by Francis Tan Seng

Last update 28 March 2017

 

TOP