Persistence Using Windows Terminal “Profiles”
While doing some research on persistence, I stumbled upon an interesting technique to persist on a windows machine using Windows Terminal profiles.
I’ve tweeted about this technique as the method fits in a single tweet 😅
But I decided to formalize everything in a blog so here it goes.
Windows Terminal
Let’s start with a quick definition for those who are not familiar with the tool.
Windows Terminal is a multi-tabbed terminal emulator that Microsoft has developed for Windows 10 and later as a replacement for Windows Console. It can run any command-line app in a separate tab. It is preconfigured to run Command Prompt, PowerShell, WSL, SSH, and Azure Cloud Shell Connector — Wikipedia
So basically Windows Terminal allows us to run multiple shells and commands in different tabs and have a lot of customization such as colors, fonts, text size…etc. It does this by using “profiles” that are stored in the settings file named “settings.json” located in the
“%localappdata%\Packages\Microsoft.WindowsTerminal_<PackageID>\LocalState\”Here is an example profile
{"backgroundImage": null,"colorScheme": "Andromeda","font":{"face": "Cascadia Mono"},"guid": "{07b52e3e-db1c-8db6-bd5d-bc133ed62373}","hidden": false,"name": "Ubuntu","source": "Windows.Terminal.Wsl","startingDirectory": "\\\\wsl$\\Ubuntu-20.04\\home\\myuser"},
You can see in this example that we can set a lot of options to make our experience very personal :)
Now looking at the doc we find this parameter called “CommandLine”
This means if we add this to our profile and specify any command line it would technically run. Let’s re-write our profile with this in mind and let “notepad.exe” be our testing APP
{"guid": "{e61dfa6e-2fd4-40ff-86fe-19cccb2535f9}","name": "Proof Of Concept","commandline": "%SystemRoot%\\System32\\notepad.exe"}
If we open this profile we’ll get a notepad (trust me).
Now running arbitrary commands isn’t something that useful in this context so far but what if we make this command run whenever someone opens “WindowsTerminal”? To do that we simply need to make this profile our default profile.
So we add this in our “settings.json” file and put the profile GUID
"defaultProfile": "{e61dfa6e-2fd4-40ff-86fe-19cccb2535f9}"This is becoming more interesting as now we can set this up and put a “malicious” command and wait for someone to open WindowsTerminal.
But the docs come to the rescue as there is an “open on startup” option
Once again we just need to add this option to our “settings.json”
"startOnUserLogin": trueWith this, we are all set up for persistence as the next we reboot the machine WindowsTerminal will be executed at startup and our default profile with our custom/malicious command will get executed
Additional Information
Running As Admin
There is another interesting option that’s available in the settings.
While this will not bypass any UAC or give us admin directly, it’s a “nice” option to add that could trick some admin or developers who are expecting Windows Terminal to be run as admin. We simply add this to our profile.
{"guid": "{e61dfa6e-2fd4-40ff-86fe-19cccb2535f9}","name": "Proof Of Concept","commandline": "%SystemRoot%\\System32\\notepad.exe","elevate": true}
On the next reboot, a UAC will be shown to ask for admin privileges
Run Profile From CLI
Again this is also documented but good to know if we just want to “infect” the setting file with a malicious profile that we could invoke whenever from the command line using “wt.exe”. We simply use the “--profile” argument
wt.exe --profile {GUID}Detection Opportunities
You can detect this technique in multiple ways. The original tweet I linked at the start has some good comments that you should read.
I’ve also written a SIGMA rule that you could use to detect suspicious process creation from Windows Terminal.
Conclusion
There is one more trick with Windows Terminal that I’m still working on that I hope I’ll be able to share soon. Other than that hope you enjoyed reading this quick post and as always if you wanna discuss anything related to infosec I’m on Twitter @nas_bench
