Persistence

Local Computer

With administrative privileges on a computer, you can do anything. If we want to keep control of this computer, even after someone's password changes, for example, we can create some "backdoors".

One simple way is to create a new local account on the computer and give it the BUILTIN\Administrators group:

net user $USERNAME $PASSWORD /add
net localgroup Administrators $USERNAME /add

This later allows you to log in as that user and dump cached creds like Post-Exploitation: Mimikatz

Another method is creating a scheduled task that executes hourly or in another period and runs a program that gives you a reverse shell, for example.

# Run every 1 hour
schtasks /create /sc HOURLY /mo 1 /tn "Cleanup" /tr "C:\Windows\Tasks\backdoor.exe"
# Run on startup, as the SYSTEM user
schtasks /create /sc ONSTART /tn "Cleanup" /ru "SYSTEM" /tr "C:\Windows\Tasks\backdoor.exe"

Then another classic is Autoruns, programs that register themselves to start on startup. You can place binaries or scripts in the following shell:startup directory, and they will execute on startup:

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup

The Windows Registry can also be a great sea of abusable keys that automatically run programs. The Software\Microsoft\Windows\CurrentVersion\Run path for HKCU and HKLM contains a key for every program that should start at startup, for only the current user or all users:

# Run for the current user
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cleanup" /t REG_SZ /d "C:\Windows\Tasks\backdoor.exe" /f
# Run for all users
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Cleanup" /t REG_SZ /d "C:\Windows\Tasks\backdoor.exe" /f

Active Directory

When an entire active directory is compromised, a lot of integrity is lost. Any secrets can be read out, and later used to log in as any user after your access has been revoked. Here are some well-known attacks that real threat actors use to persist after a breach if all the required secrets are not rotated.

Golden Ticket

We've seen Forge (Silver) Tickets where we have the hash of an SPN and can forge a Kerberos ticket as any user for that service. Taking this one step further is possible when we compromise the NTLM hash of the krbtgt user. Because TGTs are encrypted with this secret, we can forge any ticket in the future if we know it.

On the Domain Controller, we will ask the LSA server for all known credentials using Mimikatz:

This finds the NTLM hash for the krbtgt user which can now be used to forge any ticket. When the time comes after vulnerabilities have been patched, the attacker can still get a new valid session.

We provide the domain and its SID (found using whoami /user), then choose a user with a lot of privileges like a Domain Admin, and give the krbtgt NTLM hash:

This injects it into our current session, and the newly spawned cmd.exe will allow you to do anything on the domain through Kerberos, like Lateral Movement with a hostname instead of an IP to get a shell.