My all time favorite talk is here:
Living Off the Land: A Minimalist’s Guide to Windows Post-Exploitation
So, this post doesn't exactly stay true to the idea of living in memory, never touching disk, and only using native tools...
However, I think you might find this interesting.
Recently I mentioned .SCT files on Twitter. I only found them recently, so I think there is probably lots more cool stuff to explore here.
I really don't have time to go into all the gory COM details here. But the idea of the .SCT scriptlet is to back your COM object with a script (VBScript or JScript) instead of a binary.
Who cares? Well, as you know, there are lots of ways to detect and block binary execution, and even to log when a binary is written to disk. But if we can establish a foothold with, say, a text file or XML, we may have a chance to hide longer.
This document has some of the back story.
So I wrote a prototype, a proof of concept. I probably won't have any more time for this. :-)
Here's what my backdoor does.
1. Installs a COM object into the registry.
2. Overwrites the ScriptletURL value, which normally points to a local file, so that it points to a remote URL.
3. Invokes the COM object, which fetches the script from the URL and executes it dynamically.
This gives me complete persistence in the registry. I leave it up to the reader to expand and experiment.
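The registry footprint described above is also what a defender can look for: a ScriptletURL value under a CLSID key that points somewhere other than a local file. The following is an added example, not code from the original post, that parses a registry export (the text format produced by `reg export`) and reports any scriptlet-backed COM objects whose ScriptletURL is remote. The CLSIDs, paths and URL in the sample export are constructed for the example; on a real host you would export HKCR\CLSID (which merges the HKLM and HKCU Classes hives) and feed that text in instead.

```python
import re
from typing import List, Tuple

# Constructed sample .reg export: three CLSID subtrees, none of them real registrations.
# Backslashes inside values are doubled, as reg export writes them.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555551}]
@="Benign scriptlet"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555551}\ScriptletURL]
@="file:///C:\\Program Files\\Vendor\\component.sct"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555552}]
@="Suspicious scriptlet"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555552}\ScriptletURL]
@="http://example.invalid/payload.sct"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555553}]
@="Ordinary binary-backed object"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555553}\InprocServer32]
@="C:\\Windows\\System32\\example.dll"
"""

# Matches the key header of a ScriptletURL subkey and captures the owning CLSID.
SCRIPTLET_KEY_RE = re.compile(r"^\[.*\\CLSID\\(\{[0-9A-Fa-f-]+\})\\ScriptletURL\]$")
# Matches the default value line of a key: @="..."
DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"\s*$')


def parse_scriptlet_urls(reg_text: str) -> List[Tuple[str, str]]:
    """Return (clsid, url) pairs for every ScriptletURL default value in a .reg export."""
    results: List[Tuple[str, str]] = []
    current_clsid = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            # New key header: remember the CLSID only if this is a ScriptletURL subkey.
            m = SCRIPTLET_KEY_RE.match(line)
            current_clsid = m.group(1) if m else None
            continue
        if current_clsid is None:
            continue
        m = DEFAULT_VALUE_RE.match(line)
        if m:
            # Undo the backslash doubling used by the .reg format.
            results.append((current_clsid, m.group(1).replace("\\\\", "\\")))
            current_clsid = None
    return results


def is_remote(url: str) -> bool:
    """True if the scriptlet would be fetched over the network rather than from local disk."""
    u = url.strip().lower()
    if u.startswith(("http://", "https://", "ftp://")):
        return True
    if u.startswith("\\\\"):  # UNC path to a share
        return True
    return False  # file:// URLs and drive-letter paths are local


def find_remote_scriptlets(reg_text: str) -> List[Tuple[str, str]]:
    """Filter the parsed ScriptletURL entries down to those pointing off-host."""
    return [(clsid, url) for clsid, url in parse_scriptlet_urls(reg_text) if is_remote(url)]


if __name__ == "__main__":
    for clsid, url in find_remote_scriptlets(SAMPLE_REG_EXPORT):
        print(f"remote scriptlet-backed COM object: {clsid} -> {url}")
```

`reg export` writes UTF-16LE with a BOM by default, so decode the file with `utf-16` before handing it to `parse_scriptlet_urls`. A local file:// ScriptletURL is not proof of anything benign, but a remote one has no ordinary reason to exist and is worth an alert on its own.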
I think it's pretty cool. But who knows.
Proof of Concept Here