Remote control system (rcs)
•
2 likes•658 views
RCS Console is the GUI to manage and browse data collected on the RCSDB. Data is gathered on the Collection Node (ASP) that is captured by several backdoors configured to synchronize to that Collection Node. A backdoor instance is the software that is installed on a target device to collect several kind of information in order to conduct an investigation. Backdoor can be configured to collect different kind of information, i.e. it has different agents enabled. Each agent is responsible of collecting a single kind of information or performing a single task. A backdoor class is an abstraction of the backdoor instances. It contains only the configuration the instances will get the first time they synchronize with the collection node.
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Similar to Remote control system (rcs)
Similar to Remote control system (rcs) (20)
More from Mehedi Hasan
More from Mehedi Hasan (20)
Recently uploaded
Recently uploaded (20)
Remote control system (rcs)
- 1. Mehedi Hasan RCS Remote Control System
- 3. RCS Architecture DB ASP RSS RLD Backdoor HCM Console Backdoor Backdoor
- 4. RCS Internals Backdoor Stealth monitoring program written both in C++ and ASM. Connects to ASP using an encrypted channel. It uses an event/actions paradigm and it is made up of different agents that can be activated separately. ASP RSS RLD It is composed by two different windows services: RSS and RLD. RSS is responsible for the communication with the Backdoor. RLD decrypts the logs and sends them to the DB. HCM It is used to create the configurations for the Backdoors. It communicates with ASP thru the DB in order to send the configurations to the Backdoors. It is used to create infection vectors such as melted executables, CD/USB, etc.
- 5. RCS Internals DB All the information about users, activities, targets, backdoors and logs are contained into the DB. All the other components talk to the DB thru an XML-RPC interface. Console This is the main visualization tool. It can be used to administrate users, groups, activities, targets and backdoors. It is used to browse the logs too. It is accessed by different users with different profiles (a user can only see logs from the activities assigned to him).
- 6. Backdoor
- 7. Backdoor Logic Events •Executed Processes •Network Connections •Screensaver start/stop •Time/Date •WinEvt •Quota Events are raised by the event manager based on the configuration file. Actions trigger •Synchronize •Start / stop agent •Uninstallation •Command execution Actions are triggered by Events. Each event is configured to trigger exactly one action. Sub- actions are available. Agents •Voip •Microphone •Webcam •Key logger •Instant Messaging •URL •Password •Snapshot •Print •Clipboard •File Capture Agents can be activated on startup or started/stopped by an action. Each agent has its own configuration and behavior
- 8. Backdoor Workflow Dropper Action Manager Event Manager Core Actions Table Actions Agents Logs to ASP
- 9. HCM
- 10. Configuration Module Remote DB HCM Remote DB Remote DB Single point management: • Select remote repository (DB) • Authenticate • Manage backdoor configuration • Create Infection media
- 11. Configuration Management Select DB & Authenticate Manage Backdoors Configurations Build Infection Tools Build Infection media: • Polymorphic Melted Executable • Offline installation tool (CDRom/USB pen) • INJ proxy: polymorphic core, plugin, etc. Manage configuration: • Add/Delete/Change events-actions, modifiy agent params, etc. • Save and update configuration on DB Repository selection: • Choose a repository of backdoor configuration • Authenticate with Username/Password Logout
- 12. InfectionVectors HCM INJ Proxy Intercepts all the HTTP connections of the target and inject the backdoor into any executable file downloaded. When the target execute the file, the backdoor will execute unnoticed and the target will be infected. Boot CD/USB The target PC will be booted with the provided CD or USB key and the offline installation will start. You can choose the users of the machine on which the backdoor will be installed. You can even retrieve the log already collected. EXE Melting The backdoor is melted within any executable. When the executable is launched the backdoor will install silently and the original executable will continue as usual. Hacking Resources The client target can be attacked thru exploits and forced to upload and execute the backdoor. Eg: malicious website, evilly crafted file
- 13. Injection Proxy
- 14. Injection Proxy HTTP Server Client http request HTTP transparent proxy Melter file download file + backdoor HCM configuration
- 15. ASP
- 16. ASP Workflow Identification Configuration Manager Log Retrieving SSL socket from Backdoor RSS Encrypted Logs Repository Offline Retrieving RLD Decryption Reassembly Send to DB Monitoring
- 17. ASP Internals • Encrypted communications • Mutual authentication with the backdoors (prevents MITM and spoofing attacks) • Multi-threaded • Two independent window services for communication (RSS) and decryption (RLD) • Hidden behind a fake web server
- 18. DB
- 20. DB data organization • Users and Groups • Activities,Targets and Backdoors • Logs • Audit Logs • Binaries and Certificates • Encryption Keys • Configurations
- 21. Console
- 22. Users Privileges User ADMN TECH VIEW ✓Manages Users and Groups ✓Manages Activities and Targets ✓Can access the Trace log xCannot create Backdoors xCannot view Logs ✓Creates Backdoors ✓Creates infection vectors ✓Manages configurations xCannot create Targets xCannot view Logs ✓Performs queries on logs ✓Views the Dashboard ✓Generates Blotters xCannot create Targets xCannot configure Backdoors
- 23. Object Hierarchy (users and group) ActivityGroupUsers Users Group Activity
- 24. Object Hierarchy (activity, target, backdoor) Activity Target Target Backdoor Backdoor Backdoor Backdoor Backdoor