Question 105 - PT0-003 discussion


A penetration tester gains initial access to a target system by exploiting a recent RCE vulnerability. The patch for the vulnerability will be deployed at the end of the week. Which of the following utilities would allow the tester to reenter the system remotely after the patch has been deployed? (Select two).

A. schtasks.exe
B. rundll.exe
C. cmd.exe
D. chgusr.exe
E. sc.exe
F. netsh.exe
Suggested answer: A, E

Explanation:

To reenter the system remotely after the patch for the recently exploited RCE vulnerability has been deployed, the penetration tester can use schtasks.exe and sc.exe.

schtasks.exe:

Purpose: Used to create, delete, and manage scheduled tasks on Windows systems.

Persistence: By creating a scheduled task, the tester can ensure a script or program runs at a specified time, providing a persistent backdoor.

Example:

schtasks /create /tn "Backdoor" /tr "C:\path\to\backdoor.exe" /sc daily /ru SYSTEM

sc.exe:

Purpose: Service Control Manager command-line tool used to manage Windows services.

Persistence: By creating or modifying a service to run a malicious executable, the tester can maintain persistent access.

Example:

sc create backdoor binPath= "C:\path\to\backdoor.exe" start= auto

Other Utilities:

rundll.exe: Used to run DLLs as applications, not typically used for persistence.

cmd.exe: General command prompt, not specifically used for creating persistence mechanisms.

chgusr.exe: Used to change install mode for Remote Desktop Session Host, not relevant for persistence.

netsh.exe: Used for network configuration, not typically used for persistence.

Pentest Reference:

Post-Exploitation: Establishing persistence is crucial to maintaining access after initial exploitation.

Windows Tools: Understanding how to leverage built-in Windows tools like schtasks.exe and sc.exe to create backdoors that persist through reboots and patches.

By using schtasks.exe and sc.exe, the penetration tester can set up persistent mechanisms that will allow reentry into the system even after the patch is applied.
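
A detection-side view of the two commands in the explanation, as an added example that is not part of the original page: it scans constructed process-creation command lines for scheduled-task and service creation and extracts the name and target binary of each. The sample records, host names and function names are assumptions made for this illustration.

```python
import re

# Constructed process-creation records (the shape of Security 4688 / Sysmon 1
# command lines); host names are made up for this example.
SAMPLE_EVENTS = [
    ("ws01", r'schtasks /create /tn "Backdoor" /tr "C:\path\to\backdoor.exe" /sc daily /ru SYSTEM'),
    ("ws01", r'C:\Windows\System32\sc.exe create backdoor binPath= "C:\path\to\backdoor.exe" start= auto'),
    ("ws02", r'schtasks /query /fo LIST'),
    ("ws02", r'sc.exe query spooler'),
]

TOKEN = re.compile(r'"[^"]*"|\S+')  # a quoted string or a run of non-spaces

def tokens(cmd):
    """Split a command line, keeping quoted arguments whole and unquoted."""
    return [t.strip('"') for t in TOKEN.findall(cmd)]

def value_after(toks, flag):
    """Token following `flag` (case-insensitive), or None if absent."""
    low = [t.lower() for t in toks]
    if flag in low and low.index(flag) + 1 < len(toks):
        return toks[low.index(flag) + 1]
    return None

def classify(cmd):
    """Return a finding dict for task or service creation, else None."""
    toks = tokens(cmd)
    if not toks:
        return None
    exe = toks[0].lower().rsplit("\\", 1)[-1]      # drop any directory prefix
    exe = exe[:-4] if exe.endswith(".exe") else exe
    args = toks[1:]
    if exe == "sc" and args and args[0].startswith("\\\\"):
        args = args[1:]                             # skip optional \\server argument
    if exe == "schtasks" and args and args[0].lower() == "/create":
        return {"mechanism": "scheduled_task", "name": value_after(args, "/tn"),
                "target": value_after(args, "/tr"), "run_as": value_after(args, "/ru")}
    if exe == "sc" and len(args) >= 2 and args[0].lower() == "create":
        return {"mechanism": "service", "name": args[1],
                "target": value_after(args, "binpath="), "start": value_after(args, "start=")}
    return None

def scan(events):
    """Pair each host with its finding, dropping records that do not match."""
    return [(host, f) for host, cmd in events if (f := classify(cmd)) is not None]

if __name__ == "__main__":
    for host, finding in scan(SAMPLE_EVENTS):
        print(host, finding)
```

On a live host the same activity is also recorded natively as Security event 4698 (scheduled task created, when object-access auditing is enabled) and System event 7045 (new service installed).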

asked 02/10/2024
Mitesh Patel