KeePass
This persistence technique backdoors a KeePass configuration file so that, when a user opens their KeePass database, a system command is executed. In this module, you provide the path to the user's KeePass configuration file, which is typically found at %AppData%\KeePass\KeePass.config.xml, plus a system command and its arguments. The command and arguments will then run every time the target user unlocks a KeePass database.
Non-admin privileges
- -c - command to execute
- -a - arguments to the command (if applicable)
- -f - the KeePass configuration file to backdoor or remove the backdoor from
- -m - method (add, remove, check, list)
- When adding a backdoor (-m add), the user's current KeePass config file is copied to the same directory as a ".bak" file.
- Provide the full path to the KeePass configuration file. Do not pass environment variables in.
- The KeePass configuration file is modified by adding content within the "Triggers" tags.
- The file creation, modification and access times will remain the same as those of the original KeePass config file.
- The KeePass database cannot be open while the config file is being backdoored (a safety check is in place for this).
- When removing a backdoor (-m remove), the modified KeePass config file is deleted and the ".bak" file is renamed to drop the ".bak" extension.
- The file creation, modification and access times will remain the same as those of the original KeePass config file.
- The KeePass database cannot be open while the backdoor is being removed from the config file (a safety check is in place for this).
SharPersist -t keepass -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -f "C:\Users\username\AppData\Roaming\KeePass\KeePass.config.xml" -m add
SharPersist -t keepass -f "C:\Users\username\AppData\Roaming\KeePass\KeePass.config.xml" -m remove
SharPersist -t keepass -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -f "C:\Users\username\AppData\Roaming\KeePass\KeePass.config.xml" -m check
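Because this module preserves the config file's creation, modification and access times, a timestamp-based check on KeePass.config.xml will not reveal the change; the content of the "Triggers" section has to be inspected instead. The following Python script is an added defender-side example, not part of SharPersist or of this page: it parses the Triggers section of a KeePass.config.xml and reports every trigger whose action parameters reference an executable or script. The element layout it walks (Trigger/Name, Actions/Action/Parameters/Parameter) follows the KeePass trigger format; the sample configuration, its trigger names and all TypeGuid and Guid values are constructed placeholders, not real KeePass identifiers.

```python
"""Audit a KeePass.config.xml for triggers that run external commands.

Added example (not SharPersist's code). Walks every <Trigger> under the
<Triggers> element and flags those whose action parameters look like a
path to an executable or script. The sample config below is constructed
for the demo and its Guid/TypeGuid values are placeholders.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: a config holding one command-running trigger (the
# cmd.exe /c calc.exe pair mirrors the usage examples above) and one
# benign-looking trigger with no executable reference.
SAMPLE_CONFIG = """<Configuration>
  <Application>
    <TriggerSystem>
      <Enabled>true</Enabled>
      <Triggers>
        <Trigger>
          <Guid>PLACEHOLDER-GUID-1</Guid>
          <Name>Sync backup</Name>
          <Events>
            <Event>
              <TypeGuid>EVENT-TYPE-PLACEHOLDER</TypeGuid>
              <Parameters><Parameter>0</Parameter><Parameter /></Parameters>
            </Event>
          </Events>
          <Conditions />
          <Actions>
            <Action>
              <TypeGuid>ACTION-TYPE-PLACEHOLDER</TypeGuid>
              <Parameters>
                <Parameter>C:\\Windows\\System32\\cmd.exe</Parameter>
                <Parameter>/c calc.exe</Parameter>
                <Parameter>True</Parameter>
                <Parameter>1</Parameter>
                <Parameter />
              </Parameters>
            </Action>
          </Actions>
        </Trigger>
        <Trigger>
          <Guid>PLACEHOLDER-GUID-2</Guid>
          <Name>Show message</Name>
          <Events />
          <Conditions />
          <Actions>
            <Action>
              <TypeGuid>ACTION-TYPE-PLACEHOLDER-2</TypeGuid>
              <Parameters><Parameter>Database opened</Parameter></Parameters>
            </Action>
          </Actions>
        </Trigger>
      </Triggers>
    </TriggerSystem>
  </Application>
</Configuration>
"""

# Heuristic: a parameter that names a Windows executable or script file.
EXEC_PATTERN = re.compile(r"\.(exe|bat|cmd|ps1|vbs|js|hta|dll)\b", re.IGNORECASE)


def list_triggers(config_xml):
    """Return every trigger as (name, [[action parameters], ...])."""
    root = ET.fromstring(config_xml)
    triggers = []
    for trig in root.iter("Trigger"):
        name = (trig.findtext("Name") or "").strip()
        actions = []
        for action in trig.iter("Action"):
            params = [(p.text or "").strip() for p in action.iter("Parameter")]
            actions.append(params)
        triggers.append((name, actions))
    return triggers


def suspicious_triggers(config_xml):
    """Return (name, [matching parameters]) for triggers referencing executables."""
    flagged = []
    for name, actions in list_triggers(config_xml):
        hits = [p for params in actions for p in params if EXEC_PATTERN.search(p)]
        if hits:
            flagged.append((name, hits))
    return flagged


def audit_file(path):
    """Run the check against a real config file on disk (utf-8-sig skips a BOM)."""
    with open(path, encoding="utf-8-sig") as fh:
        return suspicious_triggers(fh.read())


if __name__ == "__main__":
    for trigger_name, hits in suspicious_triggers(SAMPLE_CONFIG):
        print(f"trigger {trigger_name!r} references executables: {hits}")
```

Run `audit_file(r"C:\Users\<user>\AppData\Roaming\KeePass\KeePass.config.xml")` against each user's profile to review triggers; any trigger you did not create yourself that launches a shell or script deserves a closer look, and a stray ".bak" copy of the config in the same directory is a further sign worth correlating with this output.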