REVIEW: RED TEAM Operator: Windows Persistence Course by SEKTOR7 Institute

This is my review of the RED TEAM Operator: Windows Persistence Course offered by SEKTOR7 Institute. Full disclosure: as an affiliate, I make money with qualifying purchases.

At the time of this writing, RED TEAM Operator: Windows Persistence is my favorite course offering by SEKTOR7 Institute. At my day job, I am a member of a blue team. The bulk of my work is remediating hosts which have been infected by malware and hunting for persistence left by malicious actors. This course goes over 27 different persistence techniques, some of which I had never seen before. I was able to use this new information to improve my hunting and remediation procedures.

The code presented is mostly in C, and is simple and well documented. Most of the outlined techniques can be implemented in other languages fairly easily. These examples do the bare minimum to demonstrate that the technique works, so if you want them to actually do something useful, you will have to expand on them yourself.

I was able to complete this class in about a week, watching a little bit of it after work each day. The course ends with four assignments to solidify your knowledge of the material.

RTO Windows Persistence Word Cloud

What You Will Receive

Like the other courses by SEKTOR7, this course comes with:

  • A virtual machine with all the tools required to complete the lessons.
  • A zip containing source code and examples of each persistence method.
  • Roughly 3 hours of video instruction.

I feel that the source code alone saved me enough time to justify purchasing this course. I could have found examples of all of these techniques online if I knew what to look for, but this would have taken me much longer to track down and research.

What is Covered?

The course is divided into two sections: Low Privilege and Admin Level Privilege techniques.

Low Privilege Persistence

This section covers techniques that do not require Administrator or SYSTEM level privileges, such as startup items, modifying shortcuts, screen savers, PowerShell profiles, DLL and COM hijacks, etc.

Admin Level Persistence

If you achieve Administrator or SYSTEM privileges on a host, you have many more options. This section covers some tricks you can do with scheduled tasks, services, Image File Execution Options techniques, Application Shimming, WMI, AppCert DLLs, AppInit DLLs, NetSh helpers, Time Providers, LSA, and more.

Assignments

There are four assignments at the end of the course. I was able to complete these in a couple of weekends. These assignments did not cover everything in the course, and I wish there were

  • Find a COM hijackable DLL within the course’s VM and leverage it.
  • Add missing functions to a hijacked DLL.
  • WMI Event persistence.
  • Recreating DarkPulsar persistence.

