I am currently working on an inter-team exercise as a red teamer against a Network Defender / Forensic Analysis team, and we are all trying to get as much out of this as possible. I am getting plenty, as I have a huge playground to hone my abilities on, but I also wanted to give them something different to look at and analyze. This led me to creating a script or two in PowerShell to make their job harder and more interesting than the typical stuff. I took a few techniques (sticky keys backdoor, Windows path canonicalization) to achieve the desired effect, with a little PowerShell seasoning to make things interesting.
My ideas were as follows:
1. Create a dropper that downloads an unknown payload, which can be dynamically changed and removed from the attacker's machine to prevent the network defenders from analyzing it.
2. Try to obfuscate any files being transferred over the network to prevent file carving and to make it harder to figure out what was transferred.
3. Prevent AV from catching the payload.
4. Try to make it hard for them to delete said payload if they DO manage to find it.
5. USE POWERSHELL!