Persistence
When a computer or even the entire domain is compromised, how do you keep it that way? (note: not normally required in a pentest)
With administrative privileges on a computer, you can do anything. If we want to keep control of this computer even after, for example, someone's password changes, we can create some "backdoors".
One simple way is to create a new local account on the computer and add it to the BUILTIN\Administrators group:
This later allows you to log in as that user and dump cached creds like
Another method is creating a scheduled task that runs hourly (or on any other schedule) and executes a program that, for example, gives you a reverse shell.
Then another classic is Autoruns: programs that register themselves to start on startup. You can place binaries or scripts in the shell:startup directory, and they will execute at startup:
The Windows Registry is also a great sea of abusable keys that automatically run programs. The Software\Microsoft\Windows\CurrentVersion\Run path under HKCU and under HKLM contains an entry for every program that should start at startup, for only the current user or for all users respectively:
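As an added defensive example (not part of the original notes), the following PowerShell script enumerates each of the local persistence locations discussed above so an administrator or responder can review them on a host. It assumes Windows PowerShell 5.1 run elevated, with the LocalAccounts and ScheduledTasks modules available.

```powershell
# Audit the local persistence locations described above.
# Assumes an elevated Windows PowerShell 5.1 session on the host being checked.

# 1. Members of the local Administrators group (unexpected local accounts are a red flag)
Write-Host "== Local Administrators =="
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize

# 2. Scheduled tasks outside the built-in \Microsoft\ tree and the command each one runs
Write-Host "== Scheduled tasks (non-Microsoft) =="
Get-ScheduledTask |
    Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            [pscustomobject]@{
                Task      = $task.TaskPath + $task.TaskName
                State     = $task.State
                Execute   = $action.Execute     # empty for non-exec (COM handler) actions
                Arguments = $action.Arguments
            }
        }
    } | Format-Table -AutoSize

# 3. Startup folders: shell:startup (current user) and shell:common startup (all users)
Write-Host "== Startup folders =="
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
Get-ChildItem -Path $startupDirs -Force -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime |
    Format-Table -AutoSize

# 4. Run keys for the current user (HKCU) and for all users (HKLM)
Write-Host "== Run keys =="
@(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
) | Where-Object { Test-Path $_ } | ForEach-Object {
    $key = $_
    # Drop the PS* provider metadata properties so only real Run entries remain
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' } |
        ForEach-Object {
            [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value }
        }
} | Format-Table -AutoSize
```

Review each listed account, task action, startup file and Run entry against what is expected on that host; anything unrecognised is worth investigating.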
When an entire Active Directory is compromised, a lot of integrity is lost. Any secret can be read out and later used to log in as any user, even after your access has been revoked. Here are some well-known attacks that real threat actors use to persist after a breach if all the required secrets are not rotated.
On the Domain Controller, we will ask the LSA server for all known credentials using Mimikatz:
This finds the NTLM hash of the krbtgt user, which can now be used to forge any ticket. Even after the original vulnerabilities have been patched, the attacker can still obtain a new valid session with it.
We provide the domain and its SID (found using whoami /user), then choose a user with a lot of privileges like a Domain Admin, and give the krbtgt NTLM hash:
We have already seen that, with the hash of an SPN account, we can forge a Kerberos ticket as any user for that one service. Taking this one step further is possible when we compromise the NTLM hash of the krbtgt user: because all TGTs are encrypted with this secret, knowing it lets us forge any ticket in the future.
This injects the ticket into our current session, and the newly spawned cmd.exe will allow you to do anything on the domain through Kerberos, for example getting a shell by connecting with a hostname instead of an IP address (Kerberos tickets are tied to hostnames, so an IP would not use the forged ticket).