About PersistBOF
PersistBOF is a Windows persistence tool that automates common persistence techniques. The current version supports Print Monitor (system service), Time Provider (network service) and startup-directory shortcut hijacking (user level), among other features.
Every technique PersistBOF implements depends on a DLL file that must already be deployed to the target system's disk.
Tool Download

Researchers can use the following command to clone the source code of this project locally:
git clone https://github.com/IcebreakerSecurity/PersistBOF.git
Next, we need to switch to the project directory and run the make command to build the source code:
make
Finally, add the generated .cna file to the Cobalt Strike client.
Command syntax:
persist-ice [PrintMon, TimeProv, Shortcut] [persist or clean] [key/folder name] [dll / lnk exe name];
Tool Usage
Print Monitor
The DLL used by the tool must be stored on the target device's disk, and the directory containing the DLL must be in the PATH environment variable before the BOF runs; otherwise persistence cannot be established.
This method elevates from administrator privileges to SYSTEM privileges and achieves persistence at the same time.
Example of PrintMonitorDll usage:
1. Upload NotMalware.dll to C:\Windows\NotMalware.dll;
2. NotMalware.dll will achieve persistence through PrintMon using TotesLegitMonitor;
3. The program will execute immediately with SYSTEM privileges;
4. The program will automatically execute at system startup;
Time Provider
After PersistBOF runs, the program is loaded into svchost.exe and executes as NETWORK SERVICE at system startup.
Example of TimeProvider usage:
Using TimeProv, the tool establishes persistence through the TotesLegitTimeProvider provider (C:\anywhere\NotMalware.dll);
Startup directory hijacking
Create a new, user-writable directory, copy a hijackable Windows executable into it, and create a shortcut to that file in the Startup directory. The program then executes each time the user logs in.
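From the defender's side, the three techniques above each leave an entry in a well-known location: a Print Monitor subkey whose Driver value names the DLL, a W32Time TimeProviders subkey whose DllName value names the DLL, and a .lnk in a Startup folder that points at a copied Windows binary. The following PowerShell audit script is an added example, not part of PersistBOF; the registry paths are the documented Windows locations, and the heuristic that a DLL or shortcut target outside System32 (or a System32 file name living elsewhere) deserves review is an assumption of the script.

```powershell
# Added audit example (not PersistBOF code): list the three persistence locations
# used above and flag entries whose DLL or target does not live where Windows keeps it.
$system32 = Join-Path $env:SystemRoot 'System32'

function Test-SuspiciousPath([string]$Path) {
    # Heuristic (assumption): a bare name is fine only if that file exists in System32;
    # a rooted path is fine only if it sits under System32.
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    if (-not [IO.Path]::IsPathRooted($expanded)) {
        return -not (Test-Path (Join-Path $system32 $expanded))
    }
    return -not $expanded.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)
}

$findings = @()

# 1. Print Monitors: the Driver value is the DLL spoolsv.exe loads as SYSTEM.
$monKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors'
Get-ChildItem $monKey | ForEach-Object {
    $driver = (Get-ItemProperty $_.PSPath).Driver
    $findings += [pscustomobject]@{ Source = 'PrintMonitor'; Name = $_.PSChildName
                                    Target = $driver; Suspicious = (Test-SuspiciousPath $driver) }
}

# 2. Time Providers: DllName is loaded by the W32Time service (svchost.exe, NETWORK SERVICE).
$tpKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders'
Get-ChildItem $tpKey | ForEach-Object {
    $dll = (Get-ItemProperty $_.PSPath).DllName
    $findings += [pscustomobject]@{ Source = 'TimeProvider'; Name = $_.PSChildName
                                    Target = $dll; Suspicious = (Test-SuspiciousPath $dll) }
}

# 3. Startup shortcuts: flag a .lnk whose target is a copy of a System32 binary kept elsewhere,
#    which is exactly the shape of the startup-directory hijack described above.
$shell = New-Object -ComObject WScript.Shell
$startupDirs = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
        $target = $shell.CreateShortcut($_.FullName).TargetPath
        $leaf = Split-Path -Path $target -Leaf
        $copiedSystemBinary = $leaf -and (Test-Path (Join-Path $system32 $leaf)) -and (Test-SuspiciousPath $target)
        $findings += [pscustomobject]@{ Source = 'StartupShortcut'; Name = $_.Name
                                        Target = $target; Suspicious = [bool]$copiedSystemBinary }
    }
}

$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it from an elevated PowerShell so both HKLM keys and the common Startup folder are readable; entries marked Suspicious are candidates for review, not proof of compromise.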
License Agreement
This project is developed and released under the MIT open source license.
Project address
PersistBOF:【GitHub link】
Reference materials
https://stmxcsr.com/persistence/print-monitor.html
https://stmxcsr.com/persistence/time-provider.html
https://pentestlab.blog/2019/10/28/persistence-port-monitors/
https://blog.f-secure.com/hunting-for-junction-folder-persistence/
https://attack.mitre.org/techniques/T1547/010/
