Home

Awesome

PersistBOF

A tool to help automate common persistence mechanisms. Currently supports Print Monitor (SYSTEM), Time Provider (Network Service), Start folder shortcut hijacking (User), Junction Folder (User), Xll Add-In (User).

Usage

Clone, run make, add .cna to Cobalt Strike client.

run: help persist-ice in CS console

Syntax:

Technique Overview

All of these techniques rely on a Dll file to be seperately placed on disk. It is intentially not part of the BOF.

Xll Add-in

Create Dll with export xlAutoOpen(). Rename .dll to .xll and place in %appdata%\Microsoft\Addins. Will be loaded any time Excel is opened with no notification. Writes a registry key to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\{version number}\Excel\Options , provide the correct version number as there may be multiple.

Example:

Print Monitor

The Dll MUST be on disk and in a location in PATH (Dll search order) BEFORE you run the BOF. It will fail otherwise. The Dll will immediately be loaded by spoolsv.exe as SYSTEM. This can be used to elevate from admin to SYSTEM as well as for persistence. Will execute on system startup. Must be elevated to run.

Example:

  1. upload NotMalware.dll to C:\Windows\NotMalware.dll
  2. persist-ice PrintMon persist TotesLegitMonitor NotMalware.dll
  3. Immediately executes as SYSTEM
  4. Will execute on startup until removed
  5. persist-ice PrintMon clean TotesLegitMonitor C:\Windows\NotMalware.dll > Will delete the registery keys and unload the Dll, then attempt to delete the dll if provided the correct path. Should succeed.

Time Provider

Loaded by svchost.exe as NETWORK SERVICE (get your potatoes ready!) on startup after running the BOF. Must be elevated to run.

Example:

Junction Folder

Same technique as demonstrated in Vault 7 leaks. Executed on user login. Non-elevated. Dll will be loaded into explorer.exe

NOTE: This needs to be a COM server dll to run properly. You can execute code out of DllRegisterServer, DllMain, or DllGetClassObject depending on what you are trying to do. Make sure to implement other required exports

Example:

Start Folder Hijack

Create a new, user writeable folder, copy a hijackable windows binary to the folder, then create a shortcut in the startup folder. Executed on user login. Non-elevated.

Example:

References

https://stmxcsr.com/persistence/print-monitor.html

https://stmxcsr.com/persistence/time-provider.html

https://pentestlab.blog/2019/10/28/persistence-port-monitors/

https://blog.f-secure.com/hunting-for-junction-folder-persistence/

https://attack.mitre.org/techniques/T1547/010/

https://attack.mitre.org/techniques/T1547/003/

https://attack.mitre.org/techniques/T1547/009/