Debuggers

The persistence/debugger/* modules allow you to set the "Image File Execution Options" debugger (the Debugger value under the IFEO registry key) for various executables that are reachable pre-login on the RDP prompt. By default the debugger is set to cmd.exe, which lets you open a command prompt running as SYSTEM from the RDP login screen without actually logging into the machine. You can also specify the path to another binary with the Binary argument.

If you want a debugger to trigger a stager, set the Listener argument. This will generate an appropriate stager for the specified listener and store it in the specified RegPath. You can then trigger these stagers from the RDP prompt pre-authentication, but note that the staged agent will be killed as soon as the RDP prompt closes, which happens after 30 seconds of inactivity.

The current trigger options available are:

  • persistence/debugger/sethc – the sticky-keys binary (sethc.exe). This can be launched from the ease-of-access center in the lower left-hand corner of the login screen or by pressing Shift 5 times.
  • persistence/debugger/utilman – the ease-of-access center binary (Utilman.exe). This can be launched from the lower left-hand corner of the login screen or by pressing Win+U.
  • persistence/debugger/magnify – the on-screen magnifier binary (Magnify.exe). This can be launched from the ease-of-access center in the lower left-hand corner of the login screen.
  • persistence/debugger/narrator – the text narrator binary (Narrator.exe). This can be launched from the ease-of-access center in the lower left-hand corner of the login screen.
  • persistence/debugger/osk – the on-screen keyboard binary (osk.exe). This can be launched from the ease-of-access center in the lower left-hand corner of the login screen.
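Because every module above works by writing a Debugger value under the Image File Execution Options key for one of these accessibility binaries, a defender can audit for all of them with one registry check. The script below is an added example written for this page, not part of Empire or its documentation; the function name Get-IfeoDebuggerFindings and the severity labels are this example's own choices, while the registry paths and binary names are the real ones the modules target. Run it from an elevated PowerShell prompt on the host being checked.

```powershell
# Added example (not Empire code): audit IFEO Debugger values on the pre-login
# accessibility binaries listed above and report any that are set.

$AccessibilityBinaries = @('sethc.exe', 'Utilman.exe', 'Magnify.exe', 'Narrator.exe', 'osk.exe')

# On 64-bit Windows IFEO exists under both the native and the Wow6432Node hives.
$IfeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-IfeoDebuggerFindings {
    foreach ($root in $IfeoRoots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($exe in $AccessibilityBinaries) {
            $key = Join-Path -Path $root -ChildPath $exe
            if (-not (Test-Path -Path $key)) { continue }

            $debugger = (Get-ItemProperty -Path $key -Name 'Debugger' -ErrorAction SilentlyContinue).Debugger
            if ([string]::IsNullOrWhiteSpace($debugger)) { continue }

            # Any Debugger value on these binaries deserves review; one pointing at a
            # shell is exactly the pattern this page describes (severity label is ours).
            $severity = 'Review'
            if ($debugger -match 'cmd\.exe|powershell\.exe|pwsh\.exe') { $severity = 'High' }

            [pscustomobject]@{
                Binary   = $exe
                KeyPath  = $key
                Debugger = $debugger
                Severity = $severity
            }
        }
    }
}

$findings = @(Get-IfeoDebuggerFindings)
if ($findings.Count -eq 0) {
    Write-Output 'No IFEO Debugger values are set on the accessibility binaries.'
} else {
    $findings | Format-Table -AutoSize
}
```

A legitimate system has no Debugger value on any of these five binaries, so every row the script prints is a finding; the Debugger string (or the RegPath payload it points at) is what to preserve before removing the value with Remove-ItemProperty. For continuous coverage, the same condition can be alerted on from registry telemetry such as Sysmon Event ID 13 (registry value set) filtered on the Image File Execution Options path.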