
Persistence – Windows Setup Script

Source: PentestLab. Archived Mar 17, 2026.

When the Windows operating system is installed via a clean installation or via an upgrade, the Windows Setup binary is executed. Windows Setup allows custom scripts such as SetupComplete.cmd and ErrorHandler.cmd to be executed, to enable the installation of applications or the execution of other tasks during or after the Windows setup process. These scripts are stored in the following locations:

    %WINDIR%\Setup\Scripts\SetupComplete.cmd
    %WINDIR%\Setup\Scripts\ErrorHandler.cmd

Using the ErrorHandler.cmd script, it is possible to execute arbitrary code when the Windows operating system is upgraded. Even though it could be considered an unconventional tactic, it could be combined with scheduled tasks, for example, to run Windows Setup and establish persistence. The following code can be used as a proof of concept of code execution that will display a message box when the Windows Setup binary is initiated:

    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Threading.Tasks;
    using System.Windows.Forms;

    namespace Windows_setup1
    {
        internal static class Program
        {
            [STAThread]
            static void Main()
            {
                // Harmless marker: a visible message box proves the script ran.
                string message = "Visit pentestlab.blog";
                string title = "Pentestlaboratories";
                MessageBox.Show(message, title);
            }
        }
    }

[Figure: Windows Setup Script – Message Box Code]

Because Windows Setup checks the Scripts folder for ErrorHandler.cmd during execution and whenever an error occurs in the setup process, this script can be used to execute arbitrary code.

[Figure: Windows Setup Script Path]

Running setup.exe causes an error, which in turn forces the execution of the ErrorHandler.cmd script.

[Figure: Windows Setup Script – Message Box]

Replacing the message box executable with an implant will allow a command and control session to be established.
[Figure: Windows Setup Script – C2]

The process tree of the implant is specified below:

    Setup.exe --> cmd.exe --> demon.x64.exe

[Figure: Windows Setup Script – Process Tree]
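
A detection sketch for the Setup.exe --> cmd.exe --> child process tree described above. This is an added example, not code from the original article. The event records, PIDs, file paths and command lines are constructed sample data, and the function name `find_setup_script_chains` is hypothetical:

```python
import ntpath

# Script names Windows Setup looks for in the Setup\Scripts folder (from the article).
SETUP_SCRIPTS = ("errorhandler.cmd", "setupcomplete.cmd")

# Constructed sample records, loosely shaped like process-creation telemetry.
# PIDs, paths and command lines are made up for illustration.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 812, "image": r"C:\Windows\System32\oobe\Setup.exe",
     "cmdline": "Setup.exe"},
    {"pid": 5204, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Windows\Setup\Scripts\ErrorHandler.cmd"},
    {"pid": 5310, "ppid": 5204, "image": r"C:\Windows\Setup\Scripts\demon.x64.exe",
     "cmdline": "demon.x64.exe"},
    # Benign shell activity that must not be flagged.
    {"pid": 900, "ppid": 4, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 6000, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 6010, "ppid": 6000, "image": r"C:\Windows\System32\PING.EXE",
     "cmdline": "ping 127.0.0.1"},
]


def base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def find_setup_script_chains(events):
    """Flag every process whose parent is cmd.exe and grandparent is setup.exe."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for child in events:
        shell = by_pid.get(child["ppid"])
        if shell is None or base(shell["image"]) != "cmd.exe":
            continue
        setup = by_pid.get(shell["ppid"])
        if setup is None or base(setup["image"]) != "setup.exe":
            continue
        # Record which setup script (if any) the shell's command line names.
        script = next((s for s in SETUP_SCRIPTS if s in shell["cmdline"].lower()), None)
        chain = " --> ".join(base(e["image"]) for e in (setup, shell, child))
        hits.append({"chain": chain, "script": script, "child_image": child["image"]})
    return hits


if __name__ == "__main__":
    for hit in find_setup_script_chains(SAMPLE_EVENTS):
        print(hit)
```

Real telemetry should key on a unique process identifier rather than a bare PID, since PIDs are reused over time.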