I. INTRO
One of the daily tasks of pentesters and red teamers is to establish and
maintain persistence, so that access to a compromised system survives reboots,
user logoffs, and credential changes.
This is also something that Endpoint Detection and Response (EDR) systems,
antivirus software, and blue teams always watch closely.
Creating persistence that is both stealthy and reliable is therefore always a
critical concern for the attacking side.
In this article, I will demonstrate a new technique for creating persistence.
Rather than hiding the persistence entry from scanners and viewers, I will show
how such an entry can point to a non-existent executable file while still
ensuring that the intended file runs each time the entry is triggered.
Find me on X for the latest pentest and red team tricks I have been
researching:
Two Seven One Three (@TwoSevenOneT) / X
II. MAIN SECTION
1. Common Persistence Mechanisms Used in Pentesting or Red Team Activities
If you have ever worked in a security-related job such as malware analysis,
pentesting, or red teaming, you are probably well acquainted with the various
types of persistence. Here are some common methods:
- Registry Run Keys: Modifying Windows registry keys to execute programs at startup.
- Scheduled Tasks: Creating tasks that run executables at specified intervals or events.
- Startup Folder: Placing shortcuts to executables in the user's startup folder for automatic execution.
- Services: Installing malicious executables as Windows services that start automatically.
In this article, I will experiment with persistence using Windows Scheduled
Tasks and Services. You can expand the experiment with various persistence
techniques.
2. A curious case about the CreateProcess API
While working with the Start-Process cmdlet in PowerShell (which actually
calls ShellExecute and ultimately ends up in CreateProcess), I made an
interesting discovery after inadvertently pointing it at a non-existent
executable file:
As the image above shows, when CreateProcess cannot find the executable
file, it searches for it with a QueryDirectory operation.
Given the filter on that QueryDirectory call, any files matching the
“.exe.*” pattern in the same folder also satisfy the search
condition.
So what happens if I call CreateProcess on the file “test.exe” (which does
not exist) while a file “test.exe.exe” sits in the same folder as the
requested executable?
As the image above shows, when the executable file does not exist, PowerShell
automatically searches the same folder for files matching the filter, and
the file “test.exe.exe” ends up being executed.
I suspect this is due to the way Windows handles executable file lookup. It
becomes clearer when CreateProcess is called on a file name without an
extension: Windows appends extensions such as .COM and .EXE in turn, trying
to execute the file each time, until no executable candidate remains.
3. Exploiting the automatic file search of CreateProcess for a stealthy persistence technique
At this point, if I create a scheduled task or a service whose executable is
the non-existent file “C:\TMP\test.exe” and place the file
“test.exe.exe” in the “TMP” folder, then when the task or service is
triggered, the file “test.exe.exe” is likely to be executed. However,
when you scan with a tool such as Autoruns, the executable file recorded for
the task or service will not be present on disk.
schtasks /create /tn "RUN-TEST" /tr "C:\TMP\test.jpg" /sc onstart /f
Using a file with an extension other than “.exe” produces the same
effect. For example, calling CreateProcess on the file “test.jpg” while
the file “test.jpg.exe” exists in the same folder yields the same
result.
Looking at the Sysinternals Autoruns tool, we see that the created task points
to an executable file that does not exist. Because the file does not exist, it
stays off the radar of antivirus scans and sample collection programs.
Do not use the “.jpg” extension for persistence, though: an executable
file carrying a “.jpg” extension raises more suspicion than one with a
“.exe” extension.
Continuing the experiment with a Windows service:
sc create TestService binPath= "C:\TMP\test.exe" start= auto
Although Autoruns shows that the service's executable file does not exist, in
reality our persistence file is still executed when the service starts.
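For the defensive side, the two experiments above share one observable: an autostart entry whose image path does not exist while a sibling file named “<missing-name>.*” does. The following PowerShell script is an added example, not code from the original article; it enumerates scheduled task actions and service binPaths, keeps those whose configured image is absent, and reports every “<leaf>.*” file in the same folder. It assumes Get-ScheduledTask (ScheduledTasks module) and the Win32_Service CIM class are available, and it resolves an unquoted command line by cutting it at the first space.

```powershell
# Added detection example, not code from the original article.

function Get-ImagePathFromCommand {
    # Reduce '"C:\TMP\test.exe" /x' or 'C:\TMP\test.exe /x' to the image path
    # and expand %VAR% references. Unquoted paths are cut at the first space.
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cmd = $CommandLine.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        $cmd = if ($end -gt 0) { $cmd.Substring(1, $end - 1) } else { $cmd.TrimStart('"') }
    } else {
        $cmd = ($cmd -split '\s+')[0]
    }
    return [Environment]::ExpandEnvironmentVariables($cmd)
}

function Find-ShadowedImage {
    # Emit one record per "<leaf>.*" sibling when the configured image is absent.
    param([string]$Source, [string]$Name, [string]$CommandLine)
    $image = Get-ImagePathFromCommand $CommandLine
    if (-not $image -or -not [IO.Path]::IsPathRooted($image)) { return }
    if (Test-Path -LiteralPath $image -PathType Leaf) { return }   # target exists: benign
    $dir  = Split-Path -Path $image -Parent
    $leaf = Split-Path -Path $image -Leaf
    if (-not $dir -or -not (Test-Path -LiteralPath $dir -PathType Container)) { return }
    # Same "<leaf>.*" wildcard the article observed in the QueryDirectory filter.
    Get-ChildItem -LiteralPath $dir -Filter "${leaf}.*" -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Source = $Source; Name = $Name; ConfiguredPath = $image; ShadowFile = $_.FullName }
        }
}

function Get-ShadowedAutostart {
    # Scheduled tasks: every Exec action of every registered task.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if ($a.Execute) { Find-ShadowedImage 'ScheduledTask' $task.TaskName $a.Execute }
        }
    }
    # Services: the binPath stored by the Service Control Manager.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        Find-ShadowedImage 'Service' $_.Name $_.PathName
    }
}

Get-ShadowedAutostart | Format-Table -AutoSize
```

A hit on a task or service created the way the article describes would list ConfiguredPath C:\TMP\test.exe next to ShadowFile C:\TMP\test.exe.exe; an entry whose image is merely missing, with no sibling match, is not reported.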
III. SUMMARY
Persistence is always a crucial step that lets pentesters keep a connection to
the target network, retain a foothold, and carry out penetration testing
without interruption.
For malware in particular, persistence is vital to surviving on the target
machine. Malware authors therefore constantly look for new ways to maintain
connections that are stealthy enough to avoid detection by defensive software,
while defensive software is continuously updated to detect the latest
persistence methods.
By exploiting the mechanism that automatically searches for an executable when
Windows finds that the requested file does not exist, we can create persistence
that points to a non-existent executable file. Letting the operating system
resolve and run the required file keeps the entry away from the scrutiny of
antivirus software, scanning tools, and sample collection programs, which makes
the payload on the target machine safer.
IV. READING
Some books to read to sharpen your cybersecurity skills, especially in
offensive security:
Books on Programming and Cybersecurity recommended by Zero Salarium
Researchers
Essential hardware tools that every security researcher and hacker should have in their toolkit:
Hardware Tools For Security Researcher and Hacker
Author of the article: Two Seven One Three