Red Teaming: Persistence Techniques

Infosec Institute

Persistence is a technique widely used by red teaming professionals and adversaries to keep a connection with target systems after interruptions that would otherwise cut off their access. In this context, persistence covers any access or configuration change used to maintain the initial foothold on the systems.

Playing with a DLL proxy

The DLL proxy technique is commonly used for traffic interception, but it can also be a good friend for persistence. In short, a portable executable (program.exe) loads a DLL (legitimate.dll) that exposes exported functions, such as exportedFunction1, exportedFunction2 and exportedFunction3. To perform this technique, we need to create a proxy DLL with the same exported functions, give it the original DLL's name, introduce the customized code, and forward execution to the original DLL, which is renamed to legitimate1.dll. The next image presents the described scenario in detail.

Before the DLL proxy technique: program.exe calls the functions from the legitimate.dll.

After the DLL proxy technique: program.exe calls “exportedFunction1” from the hooked DLL (legitimate.dll, now the proxy); the persistent code is loaded into memory, for instance code capable of running a bind shell, and execution is forwarded to the original DLL, renamed to “legitimate1.dll”.
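From the defender's side, the layout described above leaves a footprint in the export table itself: every export of the proxy is a forwarder, and the forwarders all point at a module whose name is a near-namesake of the DLL (legitimate.dll forwarding everything to legitimate1.dll). The script below is an added example, not code from the Infosec Institute article: it parses a PE export directory with only the Python standard library, applies the PE rule that an export whose RVA falls inside the export directory is a forwarder string rather than code, and flags the proxy pattern. The `build_sample_dll` helper, the sample export names and the `legitimate1` target are constructed test data, not a real DLL, and the near-namesake heuristic in `proxy_indicators` is an assumption of this example.

```python
"""Spot DLL-proxy style export forwarding in a PE export directory (stdlib only).
Added example for the article; build_sample_dll produces constructed test images."""
import os
import struct


def _rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset via the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not mapped by any section")


def _cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def parse_exports(data):
    """Return [(export_name, forwarder_string_or_None), ...] for a PE image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_off = opt + (112 if magic == 0x20B else 96)      # DataDirectory[0] = export table
    exp_rva, exp_size = struct.unpack_from("<II", data, dd_off)
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + i * 40
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    if exp_rva == 0:
        return []
    eo = _rva_to_offset(exp_rva, sections)
    nfuncs, nnames, a_funcs, a_names, a_ords = struct.unpack_from("<IIIII", data, eo + 20)
    funcs = struct.unpack_from(f"<{nfuncs}I", data, _rva_to_offset(a_funcs, sections))
    names = struct.unpack_from(f"<{nnames}I", data, _rva_to_offset(a_names, sections))
    ords = struct.unpack_from(f"<{nnames}H", data, _rva_to_offset(a_ords, sections))
    exports = []
    for name_rva, ordinal in zip(names, ords):
        func_rva = funcs[ordinal]
        # PE rule: an export whose RVA lands inside the export directory is a "module.func" forwarder
        fwd = None
        if exp_rva <= func_rva < exp_rva + exp_size:
            fwd = _cstring(data, _rva_to_offset(func_rva, sections))
        exports.append((_cstring(data, _rva_to_offset(name_rva, sections)), fwd))
    return exports


def proxy_indicators(dll_name, exports):
    """Flag the article's pattern: every export forwarded to a near-namesake module (heuristic)."""
    stem = os.path.splitext(os.path.basename(dll_name))[0].lower()
    by_target = {}
    for name, fwd in exports:
        if fwd:
            by_target.setdefault(fwd.split(".", 1)[0].lower(), []).append(name)
    forwarded = sum(len(v) for v in by_target.values())
    # Legitimate forwarding (kernel32 -> ntdll) targets a differently named module;
    # a proxy forwards to a renamed copy of itself, e.g. legitimate -> legitimate1.
    suspect = sorted(t for t in by_target if t != stem and t.startswith(stem))
    return {
        "forwarded": forwarded,
        "total": len(exports),
        "suspect_targets": suspect,
        "is_proxy_like": bool(suspect) and forwarded == len(exports) > 0,
    }


def build_sample_dll(dll_name, exports):
    """Constructed test data: a minimal PE32+ image whose only content is an export directory."""
    sec_rva, sec_raw, n = 0x1000, 0x200, len(exports)
    body = bytearray(40)                       # export directory header, filled in below
    a_funcs = sec_rva + len(body); body += bytes(4 * n)
    a_names = sec_rva + len(body); body += bytes(4 * n)
    a_ords = sec_rva + len(body); body += struct.pack(f"<{n}H", *range(n))
    name_rva = sec_rva + len(body); body += dll_name.encode() + b"\0"
    func_rvas, name_rvas = [], []
    for name, fwd in exports:
        name_rvas.append(sec_rva + len(body)); body += name.encode() + b"\0"
        if fwd:                                # forwarder: RVA of a string inside .edata
            func_rvas.append(sec_rva + len(body)); body += fwd.encode() + b"\0"
        else:                                  # ordinary export: RVA of code outside .edata
            func_rvas.append(0x5000)
    struct.pack_into(f"<{n}I", body, a_funcs - sec_rva, *func_rvas)
    struct.pack_into(f"<{n}I", body, a_names - sec_rva, *name_rvas)
    struct.pack_into("<IIHHIIIIIII", body, 0, 0, 0, 0, 0, name_rva, 1, n, n, a_funcs, a_names, a_ords)
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt = bytearray(240); struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112, sec_rva, len(body))   # export data directory
    sec = bytearray(40); sec[:6] = b".edata"
    struct.pack_into("<IIII", sec, 8, len(body), sec_rva, len(body), sec_raw)
    img = dos + b"PE\0\0" + coff + opt + sec
    return bytes(img + bytes(sec_raw - len(img)) + body)


def demo():
    """Analyse a constructed image mirroring the article's legitimate.dll -> legitimate1.dll setup."""
    names = ("exportedFunction1", "exportedFunction2", "exportedFunction3")
    image = build_sample_dll("legitimate.dll", [(f, f"legitimate1.{f}") for f in names])
    return proxy_indicators("legitimate.dll", parse_exports(image))


if __name__ == "__main__":
    print(demo())
```

Run against a real file, `parse_exports(open(path, "rb").read())` gives the export list and `proxy_indicators(path, ...)` the verdict. Forwarders are a normal Windows mechanism (kernel32.dll forwards many functions to ntdll.dll), so the name heuristic is what keeps the check from firing on every system DLL; a production check would also confirm that the forwarder target sits in the same directory as the DLL and compare the DLL's signature against the vendor's.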

A potential code

Read More: https://resources.infosecinstitute.com/topic/red-teaming-persistence-techniques/