Tool aided persistence via Windows URI schemes abuse
Backoori ("Backdoor the URIs") is a Proof of Concept tool aimed to automate the fileless URI persistence technique in Windows 10 targets.
The widespread adoption of custom URI protocols to launch specific Windows Universal App can be diverted to a nefarious purpose. The URI schemes in Windows 10 can be abused in such a way to maintain persistence via the 'Living off the Land' approach. Backdooring a compromised Windows account in userland context is a matter of seconds. The operation is concealed to the unaware victim thanks to the URI intents being transparently proxyed to the legitimate default application. The subtle fileless payloads can be triggered in many contexts, from the Narrator available in the Windows logon screen (an undocumented Accessibility Feature abuse technique that set off this whole research) to the classical web 'attack surface'.
All this research started with a novel Accessibility Feature Abuse I discuss here:
https://www.secjuice.com/abusing-windows-10-for-fileless-persistence/
https://www.slideshare.net/GiulioComi/windows-10-uri-persistence-technique
-
URI persistence technique: User triggered persistence scenario https://www.youtube.com/watch?v=oR9cSs6Sw4g
-
URI persistence technique: Hijacking multiple Universal Apps https://www.youtube.com/watch?v=KLtDuhccfec&t=49s
-
URI persistence technique: Going beyond User triggered persistence via web 'attack surface' https://www.youtube.com/watch?v=W6FqUx8vi5c
- Implements the Windows 10 URI persistence technique
- Standalone
- 0 dependencies
go get github.com/giuliocomi/backoori
go run main.go
-
Windows x64: $ env GOOS=windows GOARCH=amd64 go build -o backoori main.go
-
Linux x64 : $ env GOOS=linux GOARCH=amd64 go build -o backoori main.go
-
MacOs x64 : $ env GOOS=darwin GOARCH=amd64 go build -o backoori main.go
Backoori0.92: tool aided persistence via Windows URI schemes abuse
| Generate a ready-to-launch Powershell agent that will backdoor specific Universal URI Apps with fileless payloads of your choice.
| -help
| Display help details
| -online string
| Provide 'true' if wants agent to fetch the payloads via the webserver, 'false' otherwise to store the payloads directly in the agent PS file (default "false")
| -payloads string
| Provide the JSON filename containing the payloads to use in the backdoored gadgets (default "./resources/payloads_sample.json")
| -protocols string
| Provide the JSON filename containing the URI protocols to backdoor on the target system (default "./resources/uri_protocols_sample.json")
| -psversion int
| Provide the Powershell version that the agent will use for the payloads (recommended v2) (default 3)
- Golang cli
- Powershell agent output
The template of the payloads can be specified via -payloads flag (the default file is ./resources/payloads_sample.json). You can place any payload you wish in the JSON file but you need to follow the conventions of other samples to set at program runtime the value you wish for certain placeholder.
e.g. {{IP}}, {{COMMAND}}, {{PORT}}, {{FILENAME}}, etc.
The tool will make irreversible changes to the registry and manual repair is necessary :-). Please test it on a VM or within the new Windows Sandbox App.
- Adding logging and symmetric payload encryption to the web server that deploys the gadgets
- Support gadget interactions
- Convert this standalone project to a Metasploit module
Spot a bug? Please create an issue here on GitHub (https://github.com/giuliocomi/backoori/issues)
This project is licensed under the GNU general public license Version 3.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent