Persistence Using Windows Terminal “Profiles”

Windows Terminal

WT In Action
“%localappdata%\Packages\Microsoft.WindowsTerminal_<PackageID>\LocalState\”
{
  "backgroundImage": null,
  "colorScheme": "Andromeda",
  "font": { "face": "Cascadia Mono" },
  "guid": "{07b52e3e-db1c-8db6-bd5d-bc133ed62373}",
  "hidden": false,
  "name": "Ubuntu",
  "source": "Windows.Terminal.Wsl",
  "startingDirectory": "\\\\wsl$\\Ubuntu-20.04\\home\\myuser"
}
https://docs.microsoft.com/en-us/windows/terminal/customize-settings/profile-general
{
  "guid": "{e61dfa6e-2fd4-40ff-86fe-19cccb2535f9}",
  "name": "Proof Of Concept",
  "commandline": "%SystemRoot%\\System32\\notepad.exe"
}
https://docs.microsoft.com/en-us/windows/terminal/customize-settings/startup
"defaultProfile": "{e61dfa6e-2fd4-40ff-86fe-19cccb2535f9}"
"startOnUserLogin": true
Persistence via WT

Additional Information

Running As Admin

{
  "guid": "{e61dfa6e-2fd4-40ff-86fe-19cccb2535f9}",
  "name": "Proof Of Concept",
  "commandline": "%SystemRoot%\\System32\\notepad.exe",
  "elevate": true
}
https://twitter.com/nas_bench/status/1552101123611365376

Run Profile From CLI

wt.exe --profile {GUID}
https://twitter.com/nas_bench/status/1552102480976269312

Detection Opportunities
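The profile keys shown above can be audited straight from the settings file. The following is an added example, not code from the original post: it parses a constructed settings.json (labelled as such in the code) and flags profiles whose commandline is not an expected shell, profiles with "elevate" set, and a defaultProfile that is paired with startOnUserLogin. The list of expected shell binaries is an assumption to tune per environment, and real settings files may contain JSONC comments that would need stripping before json.loads.

```python
import json

# Constructed sample of a Windows Terminal settings.json (not taken from any host).
# It reproduces the keys discussed above: a profile whose "commandline" points at an
# arbitrary binary, "elevate", and the startup keys that make WT run it at logon.
SAMPLE_SETTINGS = r'''
{
  "defaultProfile": "{e61dfa6e-2fd4-40ff-86fe-19cccb2535f9}",
  "startOnUserLogin": true,
  "profiles": {
    "defaults": {},
    "list": [
      {"guid": "{07b52e3e-db1c-8db6-bd5d-bc133ed62373}", "name": "Ubuntu",
       "source": "Windows.Terminal.Wsl", "hidden": false},
      {"guid": "{e61dfa6e-2fd4-40ff-86fe-19cccb2535f9}", "name": "Proof Of Concept",
       "commandline": "%SystemRoot%\\System32\\notepad.exe", "elevate": true}
    ]
  }
}
'''

# Assumption: binaries a terminal profile normally launches; anything else is worth a look.
EXPECTED_SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wsl.exe", "bash.exe"}


def audit_settings(text):
    """Return a list of (guid, reason) findings for one settings.json document."""
    cfg = json.loads(text)
    findings = []
    default_guid = cfg.get("defaultProfile")
    autostart = cfg.get("startOnUserLogin") is True
    for profile in cfg.get("profiles", {}).get("list", []):
        guid = profile.get("guid", "?")
        cmd = profile.get("commandline")
        if cmd:
            # Take the executable name from the command line, ignoring path and arguments.
            exe = cmd.replace("/", "\\").split("\\")[-1].split()[0].strip('"').lower()
            if exe not in EXPECTED_SHELLS:
                findings.append((guid, f"non-shell commandline: {cmd}"))
        if profile.get("elevate") is True:
            findings.append((guid, "profile requests elevation"))
        if guid == default_guid and autostart:
            findings.append((guid, "default profile and startOnUserLogin is true"))
    return findings


if __name__ == "__main__":
    for guid, reason in audit_settings(SAMPLE_SETTINGS):
        print(guid, reason)
```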

Conclusion
