{"id":157,"date":"2021-11-12T17:08:19","date_gmt":"2021-11-12T17:08:19","guid":{"rendered":"https:\/\/www.davincivirus.com\/?p=157"},"modified":"2021-11-12T17:08:19","modified_gmt":"2021-11-12T17:08:19","slug":"persistence","status":"publish","type":"post","link":"https:\/\/www.davincivirus.com\/?p=157","title":{"rendered":"Persistence"},"content":{"rendered":"\n

Service Manipulation<\/strong><\/p>\n\n\n\n

(Can be run remotely)    \n**Spaces are important in WIN7.<\/span><\/em>\nsc create <servicename> binpath= \"<c:\\PATH>\" displayname= \"<NAME>\" start= auto\nsc description <servicename> \"<DESCRIPTION>\"\nsc qc <servicename>\nsc start <servicename>\nsc stop <servicename>\nsc delete <servicename>\nsc qfailure (shows value for service failures)<\/code><\/pre>\n\n\n\n
Registry<\/strong><\/p>\n\n\n\n
reg add \"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" \/v \"<APP NAME>\" \/t REG_SZ \/f \/d \"c:\\<FILEPATH>\"\nreg query \"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\"\nreg delete \"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" \/v \"<APP NAME>\"\nwmic useraccount where (name='guy.fleegman') get name,sid   (returns a user's SID if needed)<\/code><\/pre>\n\n\n\n
Startup Folder<\/strong><\/p>\n\n\n\n
c:\\users\\<username>\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup<\/code><\/pre>\n\n\n\n
SCHTASKS<\/strong><\/p>\n\n\n\n
(IF PRIVILEGED - RU and SC ONLOGON options are available)\r\n<\/em>schtasks.exe \/Create \/F \/SC DAILY \/ST 09:22 \/TN \"<TASKNAME>\" \/TR \"<PAYLOAD_FILEPATH>\"\nschtasks.exe \/Create \/F \/RU SYSTEM \/SC ONLOGON \/TN \"<TASKNAME>\" \/TR \"<PAYLOAD_FILEPATH>\"\nschtasks.exe \/DELETE \/F \/TN \"<TASKNAME>\"<\/code><\/pre>\n\n\n\n
DLL Hijacking<\/strong><\/p>\n\n\n\n
- The \"ikeext\" service on windows permits persistence on Windows 7; using wlbsctrl.dll.  A wrapper dll (named wlbsctrl.dll) is created with a MUTEX that loads a cobalt strike payload (such as a CS DLL).\n\n- WptsExtensions.dll is affiliated with the \"schedule\" service. It does not exist anymore, and is therefore prone to a dll hijacking attack. The scheduler service starts on reboot.<\/code><\/pre>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
Service Manipulation Registry Startup Folder SCHTASKS DLL Hijacking<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[6],"tags":[],"_links":{"self":[{"href":"https:\/\/www.davincivirus.com\/index.php?rest_route=\/wp\/v2\/posts\/157"}],"collection":[{"href":"https:\/\/www.davincivirus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.davincivirus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.davincivirus.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.davincivirus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=157"}],"version-history":[{"count":1,"href":"https:\/\/www.davincivirus.com\/index.php?rest_route=\/wp\/v2\/posts\/157\/revisions"}],"predecessor-version":[{"id":158,"href":"https:\/\/www.davincivirus.com\/index.php?rest_route=\/wp\/v2\/posts\/157\/revisions\/158"}],"wp:attachment":[{"href":"https:\/\/www.davincivirus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=157"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.davincivirus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=157"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.davincivirus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=157"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}