PersistBOF: automate common persistence mechanisms
A tool to help automate common persistence mechanisms. Currently supports Print Monitor (SYSTEM), Time Provider (Network Service), Start folder shortcut hijacking (User), and Junction Folder (User)
All of these techniques rely on a Dll file to be separately placed on a disk. It is intentionally not part of the BOF.
The Dll MUST be on disk and in a location in PATH (Dll search order) BEFORE you run the BOF. It will fail otherwise. The Dll will immediately be loaded by spoolsv.exe as SYSTEM. This can be used to elevate from admin to SYSTEM as well as for persistence. Will execute on system startup. Must be elevated to run.
- Demo Print Monitor Dll in project
- persist-ice PrintMon persist TotesLegitMonitor NotMalware.dll
- persist-ice PrintMon clean TotesLegitMonitor C:\Windows\NotMalware.dll > Will delete the registry keys and unload the Dll, then attempt to delete the dll if provided the correct path. Should succeed.
Loaded by svchost.exe as NETWORK SERVICE (get your potatoes ready!) on startup after running the BOF. Must be elevated to run.
- Demo Time Provider Dll in project
- persist-ice TimeProv persist TotesLegitTimeProvider C:\anywhere\NotMalware.dll
- persist-ice TimeProv cleanup TotesLegitTimeProvider C:\anywhere\NotMalware.dll > Will delete the registry keys and attempt to delete the dll if provided the correct path. Will probably fail because the dll is not unloaded by the process.
Same technique as demonstrated in Vault 7 leaks. Executed on user login. Non-elevated.
- persist-ice Juction persist TotesLegitFolder C:\user-writable-folder\NotMalware.dll
- persist-ice Juction clean TotesLegitFolder C:\user-writable-folder\NotMalware.dll > Will delete the registry keys, junction folder, and attempt to delete the dll.
Start Folder Hijack
Create a new, user writeable folder, copy a hijackable windows binary to the folder, then create a shortcut in the startup folder. Executed on user login. Non-elevated.
- persist-ice Shortcut persist C:\TotesLegitFolder C:\Windows\System32\Dism.exe > upload your Dll as a proxy dll to dismcore.dll into C:\TotesLegitFolder
- persist-ice Shortcut persist C:\TotesLegitFolder C:\Windows\System32\Dism.exe > Will attempt to delete all files in the new folder then delete the folder itself. If the Dll is still loaded in the process then this will fail.
Copyright (c) 2022 Icebreaker Security