Once you gain access to the host, it’s important to always be able to repeat that, but sometimes it’s hard to re-exploit a vulnerability that you just did because of its complexity or any other reason. sometimes you need specific conditions in the target machine to be able to exploit, or you just don’t want to exploit it again because it might get someone’s attention, so methods of persistence let you have the access whenever you please and most importantly, keep it hidden.
Most Common methods of persistence
- Startup directory
- Run, RunService, RunOnce registry keys
- Task Scheduler
Startup Directory
The startup directory seems to be the most common persistence mechanism in malware, it was used since I remember and still is being used as the method of persistence.
every single executable copied in the startup folder (located in %appdata%\Microsoft\Windows\Start Menu\Programs\Startup) will be automatically executed once windows start. but it’s easy to detect which is not cool.
Run And RunOnce registry keys
windows have Run And RunOnce registry keys which are also commonly used as a method of persistence, those keys are located in HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER. their full locations are:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
every single item under those registry keys will be called automatically once the user logs in, there are only 3 things to keep in mind
- RunOnce as the name says, only will call the executable once, so you need to make sure it’ll rewrite itself in RunOnce if you decide to do it
- The main idea behind the current_user and local_machine keys is that it’ll be called for the current user only if you write in the current_user key, but to write in the local_machine key you most probably will need administrator privileges.
- the value must not be longer than 260 characters.
to write anything under those keys, it’ll be one simple query:
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v MyFile /t REG_SZ /d "C:\Users\sam\Documents\myfile.exe"
where MyFile is the name and “C:\Users\sam\Documents\myfile.exe” is its associated data.
you can read more about those registry keys here
Task Scheduler
The first and important thing to know is that you need to be an administrator on the machine to use the task scheduler, if you have this privilege it’s really simple to schedule your task.
first of all, let’s say what’s Task Scheduler is, when you want something to happen automatically on a specific even or after every X time, you need to use Task Scheduler, if you have ever had experience with cronjobs in Linux, it’s like the same idea but for windows.
and for its simplicity and efficiency task scheduler seems to be another common way of persistence.
to add a scheduled task in the machine, you’ll have to run just one command
schtasks /create /tn "My Task" /tr C:\Users\sam\Documents\myfile.exe /sc onstartwhere My Task stands for task name, “C:\Users\sam\Documents\myfile.exe” is executable, and onstart is an event when you want your executable to be called and as it says, we want it to happen once windows start.
Advanced methods of persistence
- COM Hijacking
- DLL Hijacking
Com Hijacking
The Microsoft Component Object Model (COM) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact.
COM was created in the 1990s as a language-independent binary interoperability standard that enables separate code modules to interact with each other. This can occur within a single process or cross-process, and Distributed COM (DCOM) adds serialization allowing Remote Procedure Calls across the network.
Each COM component is identified via a class ID (CLSID) and each component exposes functionality via one or more interfaces.
everything under HKEY_CURRENT_USER\Software\Classes\CLSID and HKEY_LOCAL_MACHINE\Software\Classes\CLSID can be used for COM Hijacking. but the best ones are the ones which are missing from the system, to find missing CLSID which is required by some windows functionality or 3rd party tools.
to find the missing CLSID of COM Components we’ll need a tool called procmon
set the filters to the following:
- Operation is RegOpenKey
- The result is NAME NOT FOUND
- The path ends with InprocServer32
- Exclude if the path starts with HKLM
These filters will let us see the software that is searching for COM objects but they are missing from the system, if we’ll create those missing keys and point them to our DLL, once the software will require those COM Objects our malicious DLL will be loaded, which is a quite cool way to have persistence on the host and keep it “hidden”, after few minutes you’ll have a lot of results in procmon, I’d suggest you to use the CLSID which doesn’t appear too often but also is not very rare.
also, you could use CLSIDs which are called by commonly used tools like browser, word, and excel.
I’ve picked the one “{18907f3b-9afb-4f87-b764-f9a4e16a21b8}” which is called from svchost.exe, now we’re gonna modify the value of the registry key and point it to our DLL, but first, we’ll need to add one other required key to make it work.
reg add "HKCU\SOFTWARE\Classes\CLSID\{18907f3b-9afb-4f87-b764-f9a4e16a21b8}" /v "ThreadingModel" /t REG_SZ /d "Both"
reg add "HKCU\SOFTWARE\Classes\CLSID\{18907f3b-9afb-4f87-b764-f9a4e16a21b8}\InprocServer32" /ve /t REG_SZ /d "C:\Users\Public\Files\notsuspicious.dll"
and now, once any software or windows by itself will require to load COM with this CLSID, it’ll call our DLL instead.
DLL Hijacking
DLL Hijacking is an efficient way of persistence and it’s my personal favorite method, the idea behind it is to trick applications to load arbitrary DLL.
this method can be used for executing commands, persistence, and elevating privileges, the least probable of those three is to use it as the method of elevating privilege. in order to be able to use it as a privilege escalation method, in order to use DLL hijacking as a privilege escalation method, you need to find an application that loads/searches DLL from a directory that is writeable for the low privileged user, which is not quite often.
Since we’re talking about persistence in this post, we’ll focus on it.
So, to use DLL hijacking as a persistence method, most probably you’ll need high privileged user and application which is searching for DLL which doesn’t exist (you can replace the existing DLL file but it will most probably break the application and will be easy to notice) but not to worry, missing DLL files can be found even in windows system processes, to find applications like that, you’ll need to use procmon
for example, we can take explorer.exe as our target, so set your filters in procmon like this:
- process name is “explorer.exe” – include
- path ends with “.dll” – include
- operation begins with “Reg” – exclude
- operation result contains “NOT FOUND” – include
then, I’ll open CMD and kill explorer.exe with command taskkill /f /im explorer.exe
and then rerun it with the command explorer.exe
for example, cscapi.dll is attempted to load from C:\Windows\ directory first, which fails, if you remove the filter of “NOT FOUND” then you’ll see that it succeeds from system32 directory if we’ll put malicious DLL in C:\Windows\ called cscapi.dll it means explorer.exe will load our DLL before the correct one.
most of the DLLs shown in the result can be used for persistence, you’ll need to make sure that your replaced DLL will not cause any issues in the system or application, I know replacing cscapi.dll doesn’t break anything or I’ve not noticed and it’s not mandatory to be explorer.exe, you can use any commonly used software or system process and there you go, you’ve perfectly hidden persistence in the host.
Final notes
those were only a few from many many amazing persistence methods, I hope you liked this post and I made everything clear.
Happy Hacking.