Command Explained
Let's break down the command from the image:
C:\Windows\System32\schtasks.exe /create /sc ONSTART /tn System /tr "rundll32 C:\Windows\System32\config\login.dll Test" /ru system
- schtasks.exe: A legitimate Windows tool for managing scheduled tasks.
- /create: An option to create a new task.
- /sc ONSTART: Specifies the schedule. ONSTART means the task will run at every system startup.
- /tn System: Assigns a task name. "System" is a deceptive name chosen to blend in with legitimate system tasks.
- /tr "...": Specifies the task to run. In this case, it's rundll32 C:\Windows\System32\config\login.dll Test.
  - rundll32.exe: A Windows utility used to execute functions stored in Dynamic-Link Library (.dll) files.
  - C:\Windows\System32\config\login.dll: The path to a malicious DLL file. The name and location are chosen to appear legitimate.
  - Test: The specific malicious function inside the login.dll file that will be executed.
- /ru system: Defines the user account to run the task. system (NT AUTHORITY\SYSTEM) grants the highest level of privileges on the local machine, allowing the malware to perform any action.
In short: This command creates a hidden, high-privilege task that executes malicious code from a DLL file every time the computer boots up.
Other Examples of Persistence Techniques
Attackers use many different methods to achieve persistence. Here are some of the most common ones on Windows systems:
1. Registry Run Keys
The Windows Registry has specific keys that cause programs to run automatically at startup. An attacker can simply add a new entry pointing to their malicious executable.
- Path:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- Example Command:
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Adobe Updater" /t REG_SZ /d "C:\Users\Public\malware.exe" /f
This command adds a registry entry named "Adobe Updater" that runs malware.exe when the current user logs in.
2. Startup Folder
Windows has a Startup folder for each user and one for all users. Any program, script, or shortcut placed in this folder will automatically run when the user logs in.
- Path:
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
- Example Action: An attacker could simply copy their malicious file, for instance backdoor.exe, into this directory.
3. Malicious Windows Services
Creating a new Windows Service is a very effective persistence method because services can run in the background, even without a user logged in, often with high privileges.
- Example Command:
sc create "SysHelper" binPath= "C:\Windows\Temp\malicious_service.exe" start= "auto" DisplayName= "System Helper Service"
This command uses the sc (Service Control) tool to create a new service named "SysHelper". It's set to auto start at boot and points to a malicious executable.
4. WMI Event Subscription
A more advanced and stealthy technique involves using Windows Management Instrumentation (WMI). An attacker can create a subscription that triggers a malicious action in response to a specific system event (like a user logging on or at a certain time interval). This method is harder to detect because it doesn't leave traces in common locations like the Registry Run keys or Startup folder.
- Concept: An attacker defines a filter (the event to watch for) and a consumer (the action to take).
- Example Action: A WMI subscription could be configured to launch a PowerShell script that downloads and executes malware from the internet every hour.
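As an added example (not part of the original post), here is a small Python triage helper for defenders that parses command lines like the ones in this post, as a process-creation log or EDR export would record them, and reports which persistence technique they write (scheduled task, Run key, service) together with the red flags the post explains: the SYSTEM account, the boot trigger, rundll32 loading a DLL from System32\config, and payloads in user-writable directories. The sample command lines are constructed from this post; the regexes and flag names are my own assumptions, not a vendor rule set.

```python
import re

# Constructed sample command lines, as a process-creation log would record them; not from a real host.
SAMPLE_CMDLINES = [
    r'C:\Windows\System32\schtasks.exe /create /sc ONSTART /tn System /tr "rundll32 C:\Windows\System32\config\login.dll Test" /ru system',
    r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Adobe Updater" /t REG_SZ /d "C:\Users\Public\malware.exe" /f',
    r'sc create "SysHelper" binPath= "C:\Windows\Temp\malicious_service.exe" start= "auto" DisplayName= "System Helper Service"',
    r'schtasks.exe /query /tn "\Microsoft\Windows\Defrag\ScheduledDefrag"',
]

RUN_KEY_RE = re.compile(r'\\CurrentVersion\\Run(Once)?$', re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r'\\(Users\\Public|Windows\\Temp|AppData|ProgramData)\\', re.IGNORECASE)
# System32\config holds the registry hives, so a DLL loaded from there is out of place.
ODD_DLL_DIR_RE = re.compile(r'\\System32\\config\\[^\\]+\.dll', re.IGNORECASE)

def tokenize(cmdline):
    """Split on whitespace, keeping double-quoted spans together and dropping the quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def opt_value(tokens, flag):
    """Value following a flag such as /tr or binPath= (case-insensitive), or '' if absent."""
    low = [t.lower() for t in tokens]
    i = low.index(flag.lower()) if flag.lower() in low else len(tokens)
    return tokens[i + 1] if i + 1 < len(tokens) else ''

def classify_persistence(cmdline):
    """Return (technique, reasons); technique is None when the command is not a persistence write."""
    tokens = tokenize(cmdline)
    if len(tokens) < 3:
        return None, []
    exe = tokens[0].rsplit('\\', 1)[-1].lower().removesuffix('.exe')
    verb = tokens[1].lower()
    if exe == 'schtasks' and verb == '/create':
        action = opt_value(tokens, '/tr')
        checks = [(opt_value(tokens, '/ru').lower() == 'system', 'runs as SYSTEM'),
                  (opt_value(tokens, '/sc').upper() == 'ONSTART', 'triggers at every boot'),
                  ('rundll32' in action.lower(), 'rundll32 used to load a DLL'),
                  (ODD_DLL_DIR_RE.search(action) is not None, 'DLL under System32\\config')]
        return 'Scheduled Task', [msg for hit, msg in checks if hit]
    if exe == 'reg' and verb == 'add' and RUN_KEY_RE.search(tokens[2]):
        checks = [(USER_WRITABLE_RE.search(opt_value(tokens, '/d')) is not None,
                   'payload in a user-writable directory')]
        return 'Registry Run Key', [msg for hit, msg in checks if hit]
    if exe == 'sc' and verb == 'create':
        checks = [(opt_value(tokens, 'start=').lower() == 'auto', 'auto-start service'),
                  (USER_WRITABLE_RE.search(opt_value(tokens, 'binpath=')) is not None,
                   'binary in a user-writable directory')]
        return 'Windows Service', [msg for hit, msg in checks if hit]
    return None, []
```

Run classify_persistence over each entry in SAMPLE_CMDLINES: the three persistence commands from this post are classified with their red flags, while the benign schtasks /query line returns no technique.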