Persistence
Various techniques for maintaining persistence. Includes methods that can be accomplished both with and without elevated privileges. Will provide commands for both cmd.exe and PowerShell if possible.
Hack Responsibly.
Always ensure you have explicit permission to access any computer system before using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.
Tools
SharPersist - C# Binary - persistence toolkit - @h4wkst3r
Has numerous modules built-in to automate many different persistence methods
TODO: add tab to each applicable method below
on-load/on-close persistence PowerShell module - @netbiosX
PowerShell module which writes registry keys that execute a backdoor payload of your choice when a certain Windows binary loads or closes (in this case notepad.exe).
As a Low-Privilege User:
Set a file as hidden
Set a file as Hidden. This can also be used to change other file property flags such as Archive and ReadOnly
Registry - HKCU
Autoruns
The following registry keys can be used to create persistence by auto-running your backdoor. Keys in HKCU do not require elevation to modify.
Create key values in the Autoruns keys in HKCU:\Software\Microsoft\Windows\CurrentVersion.
Run and RunOnce keys are run each time a new user logs in.
RunServices and RunServicesOnce are run in the background when the logon dialog box first appears or at this stage of the boot process if there is no logon.
By default, the value of a RunOnce key is deleted before the command line is run. You can prefix a RunOnce value name with an exclamation point (!) to defer deletion of the value until after the command runs. Without the exclamation point prefix, if the RunOnce operation fails the associated program will not be asked to run the next time you start the computer.
By default, these keys are ignored when the computer is started in Safe Mode. The value name of RunOnce keys can be prefixed with an asterisk (*) to force the program to run even in Safe mode.
Persistence via cmd.exe
If you want a defined set of commands to run every time a command prompt is launched, you can specify an init script in the Command Processor AutoRun registry value. Use an expandable string value (REG_EXPAND_SZ), which allows you to use environment variables like %USERPROFILE%.
Then create a file called init.cmd in your %USERPROFILE% folder:
These commands will be run every time a cmd prompt is started.
Warning!
This can cause an infinite loop if your init.cmd causes another cmd window to be launched, as each one will again run all of the commands in the init file!
To disable this, delete the registry key.
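From the defender's side, the same locations can be reviewed in one pass. The script below is an added example, not part of the original page: it lists every value under the Run, RunOnce, RunServices and RunServicesOnce keys in both HKCU and HKLM, annotates the RunOnce "!" and "*" value-name prefixes described above, and reports any Command Processor AutoRun value. Variable names are illustrative.

```powershell
# Added example, not from the original page: list autorun values for review.
$findings = @()

# Run* keys in both hives. HKCU is writable without elevation, HKLM is not.
foreach ($hive in 'HKCU:', 'HKLM:') {
    foreach ($name in 'Run', 'RunOnce', 'RunServices', 'RunServicesOnce') {
        $key = "$hive\Software\Microsoft\Windows\CurrentVersion\$name"
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($valueName in $item.GetValueNames()) {
            # RunOnce value-name prefixes change behaviour, so call them out.
            $note = ''
            if ($name -eq 'RunOnce' -and $valueName.StartsWith('!')) {
                $note = 'deletion deferred until the command has run'
            } elseif ($name -eq 'RunOnce' -and $valueName.StartsWith('*')) {
                $note = 'also runs in Safe Mode'
            }
            $findings += [pscustomobject]@{
                Key     = $key
                Name    = $valueName
                # Read the raw string so %VAR% references stay visible.
                Command = $item.GetValue($valueName, $null, 'DoNotExpandEnvironmentNames')
                Note    = $note
            }
        }
    }

    # Command Processor AutoRun: executed by every cmd.exe not started with /D.
    $cpKey = "$hive\Software\Microsoft\Command Processor"
    if (Test-Path -Path $cpKey) {
        $autoRun = (Get-Item -Path $cpKey).GetValue('AutoRun', $null, 'DoNotExpandEnvironmentNames')
        if ($autoRun) {
            $findings += [pscustomobject]@{
                Key = $cpKey; Name = 'AutoRun'; Command = $autoRun
                Note = 'runs at every cmd.exe start'
            }
        }
    }
}

$findings | Sort-Object Key, Name | Format-Table -AutoSize -Wrap
```

Run it once as the user under review and once elevated, because HKCU is per-user; compare the output against a known-good baseline for the same build.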
Startup Folder
Create a batch script in the user startup folder to run when the user logs in.
Create start.ps1 in "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\". Then have this PowerShell script call your backdoor in $env:USERPROFILE\AppData\Local\Temp\.
A better alternative would be to create a .lnk file in the startup folder which points to your script in another location. This may be more OPSEC-safe, especially if the link is disguised. Use the PowerShell script linked below to create a (potentially hidden?) .lnk file using an icon appropriate for the environment:
https://github.com/zweilosec/PowerShell-Administration-Tools/blob/master/New-Shortcut.ps1
Scheduled Tasks
These commands will allow your backdoor to be run when the specified user logs into the machine. Combined with the cmd init autorun above this scheduled task could do something helpful or innocuous to avoid suspicion.
Windows Services
May need some privileges for Windows services...
As an Elevated-Privilege User
All commands below this header require some sort of elevated account privileges. As I discover them, I will add which specific Windows privileges are required.
Windows Firewall
Disabling Windows Firewall
To view the state and settings of all Windows firewall profiles (this output is not as pretty as the netsh command from cmd.exe, but can be manipulated like any PowerShell object):
To disable the Windows firewall for all network profiles:
If you only want to disable the firewall for a specific profile, you can remove the profile name (Domain, Public, or Private) from the command. This can be useful if you are unable to fully disable the firewall.
Create firewall rules
TODO: add more
Disable Windows Defender
TODO: add more info
Registry - HKLM
Autoruns
The following keys can be used for persistence in addition to the low-privileged ones above. Keys in HKLM require elevation to modify.
Create key values in the Autoruns keys in HKCU:\Software\Microsoft\Windows\CurrentVersion.
Run and RunOnce keys are run each time a new user logs in.
RunServices and RunServicesOnce are run in the background when the logon dialog box first appears or at this stage of the boot process if there is no logon.
By default, the value of a RunOnce key is deleted before the command line is run. You can prefix a RunOnce value name with an exclamation point (!) to defer deletion of the value until after the command runs. Without the exclamation point prefix, if the RunOnce operation fails the associated program will not be asked to run the next time you start the computer.
By default, these keys are ignored when the computer is started in Safe Mode. The value name of RunOnce keys can be prefixed with an asterisk (*) to force the program to run even in Safe mode.
Winlogon Helper DLL
Run backdoor during Windows logon
GlobalFlag
add powershell
Add the following three keys to the registry to allow your backdoor to execute whenever Notepad.exe closes.
Debugger
You can also abuse this to run your backdoor whenever Notepad.exe is opened with two registry keys:
This process can be automated by using this PowerShell module from netbiosX.
Scheduled Tasks
Scheduled Task to run your backdoor as NT AUTHORITY\SYSTEM, every day at 9am.
add cmd.exe
Windows Services
Create a service that can start automatically or on-demand as needed.
Execute (remote) commands with DCOM
https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/
Win32_DCOMApplication class. This COM object allows you to script components of MMC snap-in operations.
For this to work, you must also be local administrator of the remote system, Windows Defender must be bypassed or disabled, and (to do this remotely) the Windows Advanced Security Firewall must have the following rules enabled:
COM+ Network Access (port 135)
A rule to let dynamic ports for C:\windows\system32\mmc.exe in. Regular RPC-EPMAP rules from other services won’t work as they only allow traffic to svchost.exe.
If the firewall doesn’t let you in, you may receive messages such as:
Exception calling “CreateInstance” with “1” argument(s): “Retrieving the COM class factory for remote component with CLSID {C08AFD90-F2A1-11D1-8455-00A0C91F3880} from machine target failed due to the following error: 800706ba target.”
The ShellExecute method of the object takes 4 parameters:
The complete path to the executable
The directory to be considered as the current directory; you will usually want to pass NULL
A list of arguments to pass along to the executable. If there are none, you can also pass NULL
The state of the window (1 - Normal, 3 - maximized, 7 - minimized).
Usually, you will want to use 7 as a value (minimized). You do not get any output back.
Replacing Windows Binaries
Replace these binaries with your backdoor to enable easy persistence with minimal interference with normal users. However, beware of using these on systems where the user needs these accessibility tools!
Feature | Executable |
Sticky Keys | C:\Windows\System32\sethc.exe |
Accessibility Menu | C:\Windows\System32\utilman.exe |
On-Screen Keyboard | C:\Windows\System32\osk.exe |
Magnifier | C:\Windows\System32\Magnify.exe |
Narrator | C:\Windows\System32\Narrator.exe |
Display Switcher | C:\Windows\System32\DisplaySwitch.exe |
App Switcher | C:\Windows\System32\AtBroker.exe |
In Metasploit: use post/windows/manage/sticky_keys
Enable RDP on a remote host with PowerShell:
Remove the -ComputerName $computername parameter to run on the local machine.
Disable RDP on a remote host:
Check RDP status:
The first argument represents AllowTSConnections (0 – disable, 1 – enable) and the second one represents ModifyFirewallException (0 – don’t modify firewall rules, 1 – modify firewall rules). You can read more about it at https://docs.microsoft.com/en-us/windows/win32/termserv/win32-terminalservicesetting-setallowtsconnections
RDP Backdoors
utilman.exe
After adding this registry key, RDP or physically log into the machine. At the login screen, press Win+U to get a cmd.exe prompt as NT AUTHORITY\SYSTEM.
sethc.exe
After adding this registry key, RDP or physically log into the machine. At the login screen, repeatedly press F5 to get a cmd.exe prompt as NT AUTHORITY\SYSTEM.
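The GlobalFlag, Debugger, binary-replacement and RDP backdoor methods above all leave artifacts that can be audited on a host. The script below is an added example, not part of the original page: it reports Debugger values under Image File Execution Options, MonitorProcess values under SilentProcessExit, and the signature status and internal name of each accessibility binary in the table. The registry paths are the standard Windows locations and are not quoted from the page; variable names are illustrative.

```powershell
# Added example, not from the original page: audit IFEO hooks and accessibility binaries.
$nt   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$ifeo = "$nt\Image File Execution Options"
$spe  = "$nt\SilentProcessExit"
$findings = @()

# 1. A Debugger value makes Windows start that program in place of the image.
foreach ($k in Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue) {
    $dbg = $k.GetValue('Debugger')
    if ($dbg) {
        $findings += [pscustomobject]@{
            Check = 'IFEO Debugger'; Target = $k.PSChildName; Detail = $dbg
        }
    }
}

# 2. MonitorProcess is started when the monitored image exits; the matching
#    GlobalFlag lives under the image's IFEO key, so show both together.
foreach ($k in Get-ChildItem -Path $spe -ErrorAction SilentlyContinue) {
    $mon = $k.GetValue('MonitorProcess')
    if ($mon) {
        $flag = (Get-ItemProperty -Path "$ifeo\$($k.PSChildName)" -Name GlobalFlag `
                 -ErrorAction SilentlyContinue).GlobalFlag
        $findings += [pscustomobject]@{
            Check = 'SilentProcessExit'; Target = $k.PSChildName
            Detail = "MonitorProcess=$mon; GlobalFlag=$flag"
        }
    }
}

# 3. Accessibility binaries from the table. A swapped-in copy of another
#    Windows binary can still be validly signed, so report OriginalFilename too.
$names = 'sethc.exe', 'utilman.exe', 'osk.exe', 'Magnify.exe', 'Narrator.exe',
         'DisplaySwitch.exe', 'AtBroker.exe'
foreach ($n in $names) {
    $path = Join-Path -Path $env:SystemRoot -ChildPath "System32\$n"
    if (-not (Test-Path -Path $path)) { continue }
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $orig = (Get-Item -Path $path).VersionInfo.OriginalFilename
    $findings += [pscustomobject]@{
        Check = 'Accessibility binary'; Target = $n
        Detail = "Signature=$($sig.Status); OriginalFilename=$orig"
    }
}

$findings | Format-Table -AutoSize -Wrap
```

Any Debugger or MonitorProcess entry that was not put there by a known developer or diagnostics tool deserves investigation, and signature or internal-name differences should be compared against a clean host of the same Windows build.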
Skeleton Key
Mimikatz gives you the opportunity to backdoor an entire domain at once by using the skeleton key module. This must be run by a user with Domain Admin credentials to work properly.
Clear Windows Event Logs
Generates Windows event 1102 when you clear logs!
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil
Unblock-File -Path "<C:\Path\to\blocked\file>"
Legacy Windows Log format
The Clear-EventLog cmdlet deletes all of the entries from the specified event logs on the local computer or on remote computers. To use Clear-EventLog, you must be a member of the Administrators group on the affected computer.
-List
Displays the list of event logs on the computer.
To list logs on other systems
If the ComputerName parameter isn't specified, Get-EventLog defaults to the local computer. The parameter also accepts a dot (.) to specify the local computer. The ComputerName parameter doesn't rely on Windows PowerShell remoting, so you can use this even if your computer is not configured to run remote commands.
The Remove-EventLog cmdlet deletes an event log file from a local or remote computer and unregisters all its event sources for the log. You can also use this cmdlet to unregister event sources without deleting any event logs.
Get-EventLog uses a Win32 API that is deprecated so the results may not be accurate. Use the Get-WinEvent cmdlet instead on systems running Windows Vista+.
List updated log formats in Windows Vista+
Warning! Information overload! Lists each individual Windows event rather than the log files
To clear all logs at once
Can disable logging prior to doing things that would alert defenders, or can clear logs afterwards to cover tracks...TODO add more details
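Because clearing the Security log writes event 1102, defenders can query for it directly. The script below is an added example, not part of the original page, and goes slightly beyond it by also checking event 104 in the System log, which records the clearing of other logs. It must be run elevated to read the Security log; variable names are illustrative.

```powershell
# Added example, not from the original page: report who cleared which log.
$filters = @(
    # The Security (audit) log was cleared.
    @{ LogName = 'Security'; ProviderName = 'Microsoft-Windows-Eventlog'; Id = 1102 },
    # Any other log was cleared.
    @{ LogName = 'System';   ProviderName = 'Microsoft-Windows-Eventlog'; Id = 104 }
)

$cleared = foreach ($filter in $filters) {
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Both events carry the acting account in UserData/LogFileCleared.
            $data = ([xml]$_.ToXml()).Event.UserData.LogFileCleared
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                EventId     = $_.Id
                Computer    = $_.MachineName
                User        = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
                # Event 104 names the cleared channel; 1102 is always Security.
                ClearedLog  = if ($_.Id -eq 104) { $data.Channel } else { 'Security' }
            }
        }
}

$cleared | Sort-Object TimeCreated | Format-Table -AutoSize
```

These records live on the host that was cleared, so forwarding 1102 and 104 to a central collector is what makes them dependable evidence.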
Misc - to sort
Change File Modified Date and Time
(dir $file).LastWriteTime = New-Object DateTime $YYYY,$MM,$DD