Persistence Using Windows Terminal “Profiles”

Windows Terminal

Let’s start with a quick definition for those who are not familiar with the tool.

WT In Action
“%localappdata%\Packages\Microsoft.WindowsTerminal_<PackageID>\LocalState\”
{"backgroundImage": null,"colorScheme": "Andromeda","font":{"face": "Cascadia Mono"},"guid": "{07b52e3e-db1c-8db6-bd5d-bc133ed62373}","hidden": false,"name": "Ubuntu","source": "Windows.Terminal.Wsl","startingDirectory": "\\\\wsl$\\Ubuntu-20.04\\home\\myuser"},
https://docs.microsoft.com/en-us/windows/terminal/customize-settings/profile-general
{"guid": "{e61dfa6e-2fd4-40ff-86fe-19cccb2535f9}","name": "Proof Of Concept","commandline": "%SystemRoot%\\System32\\notepad.exe"}
https://docs.microsoft.com/en-us/windows/terminal/customize-settings/startup
"defaultProfile": "{e61dfa6e-2fd4-40ff-86fe-19cccb2535f9}"
"startOnUserLogin": true
Persistence via WT

Additional Information

Running As Admin

There is another interesting option that’s available in the settings.

{"guid": "{e61dfa6e-2fd4-40ff-86fe-19cccb2535f9}","name": "Proof Of Concept","commandline": "%SystemRoot%\\System32\\notepad.exe","elevate": true}
https://twitter.com/nas_bench/status/1552101123611365376

Run Profile From CLI

Again this is also documented but good to know if we just want to “infect” the setting file with a malicious profile that we could invoke whenever from the command line using “wt.exe”. We simply use the “--profile” argument

wt.exe --profile {GUID}
https://twitter.com/nas_bench/status/1552102480976269312

Detection Opportunities

You can detect this technique in multiple ways. The original tweet I linked at the start has some good comments that you should read.

Conclusion

There is one more trick with Windows Terminal that I’m still working on that I hope I’ll be able to share soon. Other than that hope you enjoyed reading this quick post and as always if you wanna discuss anything related to infosec I’m on Twitter @nas_bench

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Nasreddine Bencherchali

Nasreddine Bencherchali

I write about #ThreatHunting #WindowsInternals #Malware #DFIR and occasionally #Python.