Persistence Using Windows Terminal “Profiles”

While doing some research on persistence, I stumbled upon an interesting technique to persist on a Windows machine using Windows Terminal profiles.

I’ve tweeted about this technique as the method fits in a single tweet 😅

But I decided to formalize everything in a blog so here it goes.

Windows Terminal

Let’s start with a quick definition for those who are not familiar with the tool.

Windows Terminal is a multi-tabbed terminal emulator that Microsoft has developed for Windows 10 and later as a replacement for Windows Console. It can run any command-line app in a separate tab. It is preconfigured to run Command Prompt, PowerShell, WSL, SSH, and Azure Cloud Shell Connector — Wikipedia

WT In Action

So basically Windows Terminal allows us to run multiple shells and commands in different tabs and offers a lot of customization such as colors, fonts, text size, etc. It does this by using “profiles” that are stored in the settings file named “settings.json”, located in:

“%localappdata%\Packages\Microsoft.WindowsTerminal_<PackageID>\LocalState\”

Here is an example profile:

{
  "backgroundImage": null,
  "colorScheme": "Andromeda",
  "font": { "face": "Cascadia Mono" },
  "guid": "{07b52e3e-db1c-8db6-bd5d-bc133ed62373}",
  "hidden": false,
  "name": "Ubuntu",
  "source": "Windows.Terminal.Wsl",
  "startingDirectory": "\\\\wsl$\\Ubuntu-20.04\\home\\myuser"
}

You can see in this example that we can set a lot of options to make our experience very personal :)

Now, looking at the docs, we find a parameter called “commandline”:

https://docs.microsoft.com/en-us/windows/terminal/customize-settings/profile-general

This means that if we add this parameter to our profile and specify any command line, that command will run when the profile is opened. Let’s rewrite our profile with this in mind and let “notepad.exe” be our test app:

{
  "guid": "{e61dfa6e-2fd4-40ff-86fe-19cccb2535f9}",
  "name": "Proof Of Concept",
  "commandline": "%SystemRoot%\\System32\\notepad.exe"
}

If we open this profile we’ll get a notepad (trust me).

Now, running arbitrary commands isn’t that useful in this context so far, but what if we make this command run whenever someone opens Windows Terminal? To do that we simply need to make this profile our default profile.

https://docs.microsoft.com/en-us/windows/terminal/customize-settings/startup

So we add this to our “settings.json” file, using the profile’s GUID:

"defaultProfile": "{e61dfa6e-2fd4-40ff-86fe-19cccb2535f9}"

This is becoming more interesting, as now we can set this up with a “malicious” command and wait for someone to open Windows Terminal.

But the docs come to the rescue, as there is also a “launch on startup” option.

Once again we just need to add this option to our “settings.json”:

"startOnUserLogin": true

With this, we are all set up for persistence: the next time we reboot the machine, Windows Terminal will be launched at startup and our default profile, with its custom/malicious command, will be executed.

Persistence via WT

Additional Information

Running As Admin

There is another interesting option available in the settings: “elevate”.

While this will not bypass UAC or give us admin directly, it’s a “nice” option to add that could trick some admins or developers who expect Windows Terminal to be run as admin. We simply add this to our profile:

{
  "guid": "{e61dfa6e-2fd4-40ff-86fe-19cccb2535f9}",
  "name": "Proof Of Concept",
  "commandline": "%SystemRoot%\\System32\\notepad.exe",
  "elevate": true
}

On the next reboot, a UAC prompt will be shown asking for admin privileges.

https://twitter.com/nas_bench/status/1552101123611365376

Run Profile From CLI

Again, this is also documented, but it is good to know if we just want to “infect” the settings file with a malicious profile that we can invoke whenever we want from the command line using “wt.exe”. We simply use the “--profile” argument:

wt.exe --profile {GUID}

https://twitter.com/nas_bench/status/1552102480976269312

Detection Opportunities

You can detect this technique in multiple ways. The original tweet I linked at the start has some good comments that you should read.

I’ve also written a SIGMA rule that you could use to detect suspicious process creation from Windows Terminal.
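As an added example (my own code, not the author’s SIGMA rule), the following Python script audits a settings.json for the three indicators this post describes: a default profile whose commandline is not a shell, a profile with “elevate” set, and “startOnUserLogin” enabled. The embedded settings are a constructed sample modelled on the post’s profiles; the Command Prompt GUID in it is made up.

```python
import json
import ntpath

# Shells Windows Terminal normally launches; a *default* profile whose
# commandline is anything else (notepad.exe in the post) deserves a look.
EXPECTED_SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wsl.exe", "ssh.exe"}

SAMPLE_SETTINGS = r'''
// constructed sample modelled on the post's profiles (the cmd GUID is made up);
// real settings.json files carry such comments, so full-line ones are stripped
{
  "defaultProfile": "{e61dfa6e-2fd4-40ff-86fe-19cccb2535f9}",
  "startOnUserLogin": true,
  "profiles": {"list": [
    {"guid": "{11111111-2222-3333-4444-555555555555}", "name": "Command Prompt",
     "commandline": "%SystemRoot%\\System32\\cmd.exe"},
    {"guid": "{e61dfa6e-2fd4-40ff-86fe-19cccb2535f9}", "name": "Proof Of Concept",
     "commandline": "%SystemRoot%\\System32\\notepad.exe", "elevate": true}
  ]}
}
'''

def executable_of(commandline):
    """Lower-case file name of the program a commandline starts (quotes honoured)."""
    cmd = commandline.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        prog = cmd[1:end] if end > 0 else cmd[1:]
    else:
        prog = cmd.split()[0]
    return ntpath.basename(prog).lower()

def audit_settings(settings_text):
    """Return human-readable findings for one settings.json document."""
    text = "\n".join(l for l in settings_text.splitlines() if not l.lstrip().startswith("//"))
    cfg = json.loads(text)
    default_guid = cfg.get("defaultProfile")
    profiles = cfg.get("profiles", [])  # bare list or {"list": [...]}
    plist = profiles.get("list", []) if isinstance(profiles, dict) else profiles
    findings = []
    for p in plist:
        name, cmd = p.get("name"), p.get("commandline")
        exe = executable_of(cmd) if cmd else None  # source-based profiles have no commandline
        if exe and p.get("guid") == default_guid and exe not in EXPECTED_SHELLS:
            findings.append(f"default profile {name!r} runs non-shell {exe}")
        if p.get("elevate") is True:
            findings.append(f"profile {name!r} requests elevation")
    if cfg.get("startOnUserLogin") is True:
        findings.append("startOnUserLogin is enabled")
    return findings
```

Running audit_settings over the sample returns three findings; a settings file whose default profile launches pwsh.exe with no elevate or startOnUserLogin returns none.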

Conclusion

There is one more trick with Windows Terminal that I’m still working on and hope to share soon. Other than that, I hope you enjoyed reading this quick post, and as always, if you wanna discuss anything related to infosec I’m on Twitter @nas_bench

Nasreddine Bencherchali

I write about #ThreatHunting #WindowsInternals #Malware #DFIR and occasionally #Python.