Stealthy Persistence With Non-Existent Executable File


I. INTRO

One of the daily tasks of pentesters and red teamers is to establish and maintain persistence, ensuring access to a compromised system across reboots, user logoffs, and credential changes.

This is also an area that Endpoint Detection and Response (EDR) systems, antivirus software, and blue teams always pay close attention to.

Therefore, creating persistence that is stealthy and operates reliably is always a critical concern for the attacking side.

In this article, I will demonstrate a new technique for creating persistence. Instead of hiding the persistence entries from scans and viewers, I will show how they can point to non-existent executable files while still ensuring that the intended file runs each time the entry is triggered.

Find me on X for the latest pentest and red team tricks I have been researching: Two Seven One Three (@TwoSevenOneT)

II. MAIN SECTION

1. Common Persistence Mechanisms Used in Pentesting or Red Team Activities

If you have ever worked in a security-related role such as malware analysis, pentesting, or red teaming, you are probably well acquainted with the various types of persistence. Here are some common methods:

  • Registry Run Keys: Modifying Windows registry keys to execute programs at startup.
  • Scheduled Tasks: Creating tasks that run executables at specified intervals or events.
  • Startup Folder: Placing shortcuts to executables in the user’s startup folder for automatic execution.
  • Services: Installing malicious executables as Windows services that start automatically.

In this article, I will experiment with persistence using Windows Scheduled Tasks and Services. You can extend the experiment to other persistence techniques.

2. A curious case about the CreateProcess API

While working with the Start-Process cmdlet in PowerShell (which calls ShellExecute and ultimately ends up in CreateProcess), I made an interesting discovery after inadvertently pointing it at a non-existent executable file:

[Image: CreateProcess searching for the executable file using QueryDirectory]

As the image above shows, when CreateProcess cannot find the executable file, it uses the QueryDirectory function to search for it.

Based on the QueryDirectory filter shown above, any ".exe.*" files in the same folder will also satisfy the search condition.

If I call CreateProcess on the file "test.exe" (which does not exist) and have a file "test.exe.exe" in the same folder as the executable, what will happen?

[Image: CreateProcess running the file with the extra .exe extension]

As you can see in the image above, when the requested executable does not exist, PowerShell automatically searches the same folder for files matching the filter, and the file "test.exe.exe" ends up being executed.

I suspect this is due to the way Windows handles executable file lookup. It becomes clearer when CreateProcess is called on a file without an extension: Windows sequentially appends extensions such as .COM, .EXE, and so on, attempting to execute the file until it can no longer find any candidate executable.

3. Exploiting the automatic file search of CreateProcess for a stealthy persistence technique

At this point, if I create a scheduled task or a service pointing to the non-existent executable "C:\TMP\test.exe" and place the file "test.exe.exe" in the "TMP" folder, the file "test.exe.exe" is likely to be executed when the task or service is triggered. However, when you scan with tools like Sysinternals Autoruns, the executable file information for the task or service will show up as not present.

schtasks /create /tn "RUN-TEST" /tr "C:\TMP\test.jpg" /sc onstart /f

Using a file with an extension other than ".exe" produces the same effect. For example, calling CreateProcess on the file "test.jpg" while the file "test.jpg.exe" sits in the same folder yields a similar result.

[Image: Scheduled task automatically appending .exe to the executable file name]

Looking at the Sysinternals Autoruns tool, we can see that the created task references an executable file that does not exist. Because it does not exist, it evades the scans of antivirus software and sample collection programs.

[Image: Task entry in Autoruns with its executable marked as not found]

Do not use the ".jpg" file extension for persistence: an executable with a ".jpg" extension raises more suspicion than one with a ".exe" extension.

Continuing the experiment with a Windows service:

sc create TestService binPath= "C:\TMP\test.exe" start= auto

[Image: services.exe running the non-existent file]

[Image: Windows service whose executable file is reported as not found]

Although Autoruns shows that the executable file of the service does not exist, when the service starts, our persistence file is still executed.
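From the defender's side, the two cases above (a task or service image path that does not exist, next to a sibling file named "<image>.<anything>") are easy to check for in an Autoruns-style export. The following is an added example, not code from the article or from any tool it mentions; it builds a constructed sample folder in a temporary directory and flags entries whose missing image has a look-alike sibling that the CreateProcess lookup would pick up.

```python
import os
import tempfile


def build_sample_dir():
    """Constructed sample layout mirroring the article's C:\\TMP case.
    Built in a temp dir so the check runs on any OS; contents are placeholders."""
    root = tempfile.mkdtemp()
    for name in ("test.exe.exe", "test.jpg.exe", "legit.exe", "notes.txt"):
        with open(os.path.join(root, name), "wb") as f:
            f.write(b"MZ")  # placeholder bytes, not a real executable
    return root


def sample_entries(root):
    """Constructed autostart entries in (source, image_path) form, like an
    Autoruns export would give after extracting the image path column."""
    j = lambda n: os.path.join(root, n)
    return [("Task: RUN-TEST", j("test.exe")),        # missing, look-alike present
            ("Service: TestService", j("test.jpg")),  # missing, look-alike present
            ("Task: Backup", j("legit.exe")),         # image exists, benign
            ("Service: Gone", j("missing.exe"))]      # missing, no look-alike


def lookalike_matches(image_path):
    """Return sibling files that the '<name>.<ext>.*' directory query described
    in the article would match when image_path itself is missing.
    NTFS name lookups are case-insensitive, so compare lower-cased."""
    if os.path.exists(image_path):
        return []
    folder, base = os.path.split(image_path)
    if not os.path.isdir(folder):
        return []
    prefix = base.lower() + "."
    return sorted(f for f in os.listdir(folder) if f.lower().startswith(prefix))


def audit(entries):
    """Return (source, image_path, matches) for every entry whose image is
    absent but has a look-alike sibling; these deserve analyst attention."""
    findings = []
    for source, image in entries:
        matches = lookalike_matches(image)
        if matches:
            findings.append((source, image, matches))
    return findings


if __name__ == "__main__":
    for source, image, matches in audit(sample_entries(build_sample_dir())):
        print(f"{source}: {image} not found, but sibling(s) {matches} would run")
```

Entries whose image is missing and has no look-alike are not flagged here; they are still worth a look as plain "file not found" residue, but they are not this technique.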

III. SUMMARY

Persistence is always a crucial step that helps pentesters maintain a connection to the target network, retain a foothold, and carry out penetration testing activities without interruption.

For malware in particular, persistence is vital for surviving on the target machine. Malware authors therefore constantly look for ways to maintain connections that are stealthy and resilient, to avoid detection by defensive software; meanwhile, defensive software is continuously updated to detect the latest persistence methods.

By exploiting the mechanism that automatically searches for executable files when Windows finds that the requested file does not exist, we can create persistence entries that point to non-existent executable files. Letting the operating system resolve and execute the required file keeps the entry out of the view of antivirus software, scanning tools, and sample collection programs, which makes the payload safer on the target machine.

Author of the article: Two Seven One Three
