Introduction to Windows Persistence

In this post, we cover Windows persistence techniques, specifically account tampering methods, as part of the TryHackMe Windows Local Persistence room.

Having an administrator's credentials would be the easiest way to achieve persistence on a machine. However, to make it harder for the blue team to detect us, we can manipulate unprivileged users, which usually aren't monitored as closely as administrators, and grant them administrative privileges in some way.

Note that we assume you have already gained administrative access somehow and are trying to establish persistence from there.

Windows Persistence is about maintaining access to a compromised machine, allowing re-entry even if the system reboots or if the initial session is terminated. Persistence is distinct from privilege escalation, which involves gaining higher privileges; persistence comes after securing admin access, though it can sometimes be achieved without it.

Account Tampering Techniques

  • Account Tampering:
    • Creating new privileged user accounts and adding them to the Administrators or Backup Operators groups, so the attacker can regain access at any time.
    • Remote Access Setup: Adding the new user to the Remote Management Users group enables login via protocols such as RDP or WinRM.
  • Cracking Account Hashes:
    • By downloading the SAM and SYSTEM hives, attackers can crack account hashes and gain access to other accounts such as Administrator. This method provides access only for as long as the recovered credentials remain unchanged and undetected.
  • RID Hijacking:
    • Changing the Relative Identifier (RID) of a lower-privileged account to match that of an admin account. Windows then treats the hijacked user as an admin at logon, giving stealthy elevated access.

Practical Walkthrough

  • The tutorial uses the TryHackMe Windows Local Persistence room for practical examples:
    • Creating Users: Commands are used to add new users to the Administrators, Backup Operators, and Remote Management Users groups.
    • Evil-WinRM for Remote Access: Users are configured to allow WinRM access, enabling Evil-WinRM to connect remotely.
    • UAC Adjustment: Disabling certain User Account Control (UAC) settings ensures smoother access and avoids errors during remote logins.
    • SAM and SYSTEM Hive Extraction: With elevated privileges, the SAM and SYSTEM hives are downloaded, and hashes are extracted using secretsdump, revealing the administrator hash for elevated access.
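As an added example (my own audit script, not code from the room or from the original post), the following PowerShell checks a host for the traces that the techniques above leave behind: membership of the three groups, the remote UAC registry setting, recent account and group changes in the Security log, and logons that carry the RID-500 SID under a name other than the built-in administrator's. It assumes an elevated session and a look-back window of $Days days.

```powershell
# Added audit script (not part of the TryHackMe room). Run in an elevated
# PowerShell session on the host being checked; $Days is an assumed look-back window.
param([int]$Days = 7)
$since = (Get-Date).AddDays(-$Days)

# Flatten the EventData section of a Security event into a hashtable
function ConvertTo-EventData($Event) {
    $data = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { if ($d.Name) { $data[$d.Name] = $d.'#text' } }
    return $data
}

# 1. Current members of the groups a backdoor account would be added to
foreach ($g in 'Administrators', 'Backup Operators', 'Remote Management Users') {
    Write-Host "== Members of '$g' =="
    Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue |
        Format-Table Name, SID, PrincipalSource -AutoSize
}

# 2. Remote UAC token filtering: a value of 1 hands local admins a full token over WinRM
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
if ($pol.LocalAccountTokenFilterPolicy -eq 1) {
    Write-Warning 'LocalAccountTokenFilterPolicy is 1: remote UAC filtering is disabled'
}

# 3. Account creation (4720) and local group membership changes (4732) in the window
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertTo-EventData $_
        # 4720 names the new account in TargetUserName; 4732 puts the group there and the member in MemberSid
        $target = if ($_.Id -eq 4720) { $d.TargetUserName } else { $d.MemberSid }
        $group  = if ($_.Id -eq 4732) { $d.TargetUserName } else { '' }
        [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Subject = $d.SubjectUserName; Target = $target; Group = $group }
    } | Format-Table -AutoSize

# 4. RID hijacking: a logon (4624) that carries the RID-500 SID but not the built-in
#    administrator's name means some other account's RID was rewritten to 500
$builtinAdmin = (Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }).Name
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertTo-EventData $_ } |
    Where-Object { $_.TargetUserSid -like '*-500' -and $_.TargetUserName -ne $builtinAdmin } |
    ForEach-Object { Write-Warning "RID-500 logon as '$($_.TargetUserName)' (SID $($_.TargetUserSid))" }
```

Event IDs 4720, 4732 and 4624 are only written if the corresponding audit subcategories (Account Management and Logon) are enabled, so an empty result for section 3 or 4 is not proof of a clean host.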

Room Answers | TryHackMe Windows Local Persistence

Insert flag1 here

Insert flag2 here

Insert flag3 here

Video Walk-Through

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.
