Monday, May 30, 2022
Tool To Help Automate Common Persistence Mechanisms




A tool to help automate common persistence mechanisms. Currently supports Print Monitor (SYSTEM), Time Provider (Network Service), Startup folder shortcut hijacking (User), and Junction Folder (User).

Usage

Clone, run make, add the .cna to the Cobalt Strike client.

run: help persist-ice in the CS console

Syntax:

  • persist-ice [PrintMon, TimeProv, Shortcut, Junction] [persist or clean] [key/folder name] [dll / lnk exe name];

Technique Overview

All of these techniques rely on a DLL file being placed on disk separately. It is intentionally not part of the BOF.

Print Monitor

The DLL MUST be on disk and in a location in PATH (DLL search order) BEFORE you run the BOF. It will fail otherwise. The DLL will immediately be loaded by spoolsv.exe as SYSTEM. This can be used to elevate from admin to SYSTEM as well as for persistence. Will execute on system startup. Must be elevated to run.

  • Demo Print Monitor DLL in project

Example:

  1. add NotMalware.dll to C:\Windows\NotMalware.dll
  2. persist-ice PrintMon persist TotesLegitMonitor NotMalware.dll
  3. Immediately executes as SYSTEM
  4. Will execute on startup until removed
  5. persist-ice PrintMon clean TotesLegitMonitor C:\Windows\NotMalware.dll > Will delete the registry keys and unload the DLL, then attempt to delete the DLL if given the correct path. Should succeed.

Time Provider

Loaded by svchost.exe as NETWORK SERVICE (get your potatoes ready!) on startup after running the BOF. Must be elevated to run.

  • Demo Time Provider DLL in project

Example:

  • persist-ice TimeProv persist TotesLegitTimeProvider C:\anywhere\NotMalware.dll
  • persist-ice TimeProv cleanup TotesLegitTimeProvider C:\anywhere\NotMalware.dll > Will delete the registry keys and attempt to delete the DLL if given the correct path. Will probably fail because the DLL is not unloaded by the process.

Junction Folder

Same technique as demonstrated in the Vault 7 leaks. Executed on user login. Non-elevated. The DLL will be loaded into explorer.exe.

Example:

  • persist-ice Junction persist TotesLegitFolder C:\user-writable-folder\NotMalware.dll > Save the CLSID
  • persist-ice Junction clean TotesLegitFolder C:\user-writable-folder\NotMalware.dll 6be5e092-90cc-452d-be83-208029e259e0 > Will delete the registry keys and the junction folder, and attempt to delete the DLL.

Startup Folder Hijack

Create a new, user-writable folder, copy a hijackable Windows binary to the folder, then create a shortcut in the startup folder. Executed on user login. Non-elevated.

Example:

  • persist-ice Shortcut persist C:\TotesLegitFolder C:\Windows\System32\Dism.exe > add your DLL as a proxy DLL for dismcore.dll into C:\TotesLegitFolder
  • persist-ice Shortcut persist C:\TotesLegitFolder C:\Windows\System32\Dism.exe > Will attempt to delete all files in the new folder, then delete the folder itself. If the DLL is still loaded in the process, this will fail.
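An added defender-side example, not part of the tool or this post: the Python below parses the text of a `reg export` of the keys the print monitor, time provider and junction folder (CLSID) mechanisms write to, and reports registrations that are absent from a known-good baseline taken from a clean image. It assumes the standard registry locations for print monitors, W32Time providers and per-user CLSID InprocServer32 entries; the sample export and baseline are constructed and reuse the placeholder names from the examples above.

```python
import re
from dataclasses import dataclass
# Keys written by the print monitor, time provider and junction folder (CLSID) mechanisms.
MONITOR_KEY = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Print\\Monitors\\"
TIMEPROV_KEY = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProviders\\"
CLSID_RE = re.compile(r"^HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\(\{[0-9a-f-]{36}\})\\InprocServer32$", re.I)
VALUE_RE = re.compile(r'^(@|"([^"]+)")="(.*)"$')  # matches "name"="data" or @="data"

@dataclass(frozen=True)
class Finding:
    mechanism: str  # "print_monitor", "time_provider" or "clsid_inproc"
    name: str       # monitor name, provider name or CLSID
    dll: str        # DLL as stored in the registry (bare name or full path)

def parse_reg_export(text: str) -> list[Finding]:
    """Collect DLL registrations from 'reg export' text (backslashes are doubled there)."""
    findings, key = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if not m or not key:
            continue
        value_name, data = m.group(2) or "@", m.group(3).replace("\\\\", "\\")
        if key.lower().startswith(MONITOR_KEY.lower()) and value_name.lower() == "driver":
            findings.append(Finding("print_monitor", key[len(MONITOR_KEY):], data))
        elif key.lower().startswith(TIMEPROV_KEY.lower()) and value_name.lower() == "dllname":
            findings.append(Finding("time_provider", key[len(TIMEPROV_KEY):], data))
        elif (c := CLSID_RE.match(key)) and value_name == "@":
            findings.append(Finding("clsid_inproc", c.group(1).lower(), data))
    return findings

def audit(text: str, baseline: set[tuple[str, str]]) -> list[Finding]:
    """Registrations whose (mechanism, name) is not in a baseline taken from a clean image."""
    return [f for f in parse_reg_export(text) if (f.mechanism, f.name) not in baseline]

# Constructed sample export: one stock monitor plus the three names from the examples above.
SAMPLE_EXPORT = r"""[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Local Port]
"Driver"="localspl.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\TotesLegitMonitor]
"Driver"="NotMalware.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\TotesLegitTimeProvider]
"DllName"="C:\\anywhere\\NotMalware.dll"
[HKEY_CURRENT_USER\Software\Classes\CLSID\{6be5e092-90cc-452d-be83-208029e259e0}\InprocServer32]
@="C:\\user-writable-folder\\NotMalware.dll"
"""
BASELINE = {("print_monitor", "Local Port")}  # what the same export from a clean host contained
```

Running `audit(SAMPLE_EXPORT, BASELINE)` leaves only the three non-baseline registrations; the startup folder shortcut variant is file-based and is not covered by a registry export.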

References

https://stmxcsr.com/persistence/print-monitor.html

https://stmxcsr.com/persistence/time-provider.html

https://pentestlab.blog/2019/10/28/persistence-port-monitors/

https://blog.f-secure.com/hunting-for-junction-folder-persistence/

https://attack.mitre.org/techniques/T1547/010/

https://attack.mitre.org/techniques/T1547/003/

https://attack.mitre.org/techniques/T1547/009/


