easy_install. Execute the following in a cmd.exe shell on your Windows VM:
Next, you’ll want to install the example service that my tech reviewers Dan Frisch and Cliff Janzen wrote for me. This service emulates a common set of vulnerabilities that we’ve uncovered in large enterprise networks and helps to illustrate the example code in this chapter.
Download the zip file from: .
Install the service using the provided batch script, install_service.bat. Make sure you are running as Administrator when doing so.
You should be good to go, so now let’s get on with the fun part!
The major drawback of the original El Jefe is that it used a DLL that was injected into every process to intercept calls to all forms of the native CreateProcess function. It then used a named pipe to communicate with the collection client, which forwarded the details of the process creation to the logging server. The problem with this is that most antivirus software also hooks the CreateProcess calls, so either the antivirus views you as malware or you get system instability when El Jefe runs side-by-side with it. We’ll re-create some of El Jefe’s monitoring capabilities in a hookless manner, which will also be geared toward offensive techniques rather than monitoring. This should make our monitoring portable and give us the ability to run with antivirus software activated without issue.
GetOwner, which we call ➍ to determine who spawned the process, and from there we collect all of the process information we are looking for, output it to the screen, and log it to a file.

[] Win32_Process class documentation:
[] MSDN – Access Tokens:
[] For the full list of privileges, visit .
[] Carlos Perez does some amazing work with PowerShell; see .
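As an added example (not the book’s listing, and not El Jefe’s code), here is a hookless process monitor in the spirit described above: it subscribes to WMI Win32_Process creation events, resolves the spawning user with GetOwner, and appends each event to a CSV log. It assumes Python 3 on Windows with the pywin32 and WMI packages installed; the log file name and the N/A handling for unreadable owners are my own choices.

```python
import csv
import os

LOG_FILE = "process_monitor_log.csv"  # constructed file name for this example
HEADER = ["CommandLine", "Time", "Executable", "ParentPID", "PID", "User"]

def format_owner(owner_result):
    """Turn the tuple from Win32_Process.GetOwner() into DOMAIN\\user.

    The wmi module returns out-parameters in alphabetical order, so the tuple
    is (Domain, ReturnValue, User). Non-zero ReturnValue means the owner could
    not be read (protected or already-exited process): log N/A, do not crash.
    """
    domain, return_value, user = owner_result
    if return_value != 0 or not user:
        return "N/A"
    return "%s\\%s" % (domain or ".", user)

def build_log_row(cmdline, create_date, executable, parent_pid, pid, owner):
    """Normalise one process-creation event into a list of CSV cell strings."""
    return [str(cmdline or ""), str(create_date or ""), str(executable or ""),
            str(parent_pid), str(pid), owner]

def log_row(row, path=LOG_FILE):
    """Append one row; csv.writer quotes command lines that contain commas."""
    write_header = not os.path.exists(path)
    with open(path, "a", newline="") as fd:
        writer = csv.writer(fd)
        if write_header:
            writer.writerow(HEADER)
        writer.writerow(row)

def monitor():
    """Subscribe to Win32_Process creation events over WMI (no DLL injection)."""
    import wmi  # Windows only: pip install WMI (requires pywin32)
    process_watcher = wmi.WMI().Win32_Process.watch_for("creation")
    while True:
        new_process = process_watcher()  # blocks until the next creation event
        try:
            owner = format_owner(new_process.GetOwner())
        except wmi.x_wmi:  # process already gone, or access denied
            owner = "N/A"
        row = build_log_row(new_process.CommandLine, new_process.CreationDate,
                            new_process.ExecutablePath, new_process.ParentProcessId,
                            new_process.ProcessId, owner)
        print(",".join(row))
        log_row(row)

if __name__ == "__main__":
    monitor()
```

Because the watch runs through a WMI event subscription rather than an injected hook, it coexists with antivirus software; CreationDate is logged in WMI’s raw DMTF timestamp form.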