Windows Red Team Persistence Techniques | Persistence With PowerShell Empire

Captions
You can register for part two of this series by clicking on the link in the description. This will take you to a sign-up page where you can register for part two. All you need to provide is your first name, last name, email and company details. Once you provide the details, all you need to do is hit Register and you'll be able to watch the rest of the videos within this particular series. So we cover Windows red team defense evasion techniques, red team privilege escalation techniques for both Windows and Linux, and then persistence techniques for Linux and Linux defense evasion, as well as Windows red team lateral movement techniques. So once you hit Register you will be redirected to the course page, or the series page, where you'll be able to access the videos immediately on demand. So there we are, we can see that it's actually opened up and we can go ahead and play the video like so, and you can access all of the videos right over here within the table of contents. So if I wanted to watch Linux red team persistence techniques I can do that. You can also again create a new Linux account and get a hundred dollars in credit using this offer here, and you can download the course or series slides by clicking on this link here. So that's going to be it, let's get started with today's video.

Hey guys, HackerSploit here, welcome back to the red team training series. In this video we're going to be taking a look at red team persistence techniques. Now that we've essentially explored reconnaissance as well as initial exploitation and set up our C2 server, we're going to be taking a look at how to set up persistence with Empire, primarily because that is our C2 server of choice. In regards to what we'll be covering in this video, we'll start off by getting an understanding of what persistence is and why it's so important. We'll then talk about the various Empire persistence modules available and how they can be utilized based on specific factors, and then we'll take a look at the practical aspect of the video, which will deal with setting up persistence with Empire.

So what exactly is persistence? Well, based on the definition provided to us on the MITRE ATT&CK website, persistence essentially consists of techniques that adversaries use to keep access to systems across restarts, changed credentials and other interruptions that could cut off their access. Techniques used for persistence include any access, action or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code. So this is a very important aspect of the red team lifecycle, or the adversary lifecycle if you will, because gaining access to a system is simply not enough, or gaining an initial foothold is not enough. The reason this is the case is primarily because when you're dealing with an environment or a target that you don't have control of, you don't know what they're going to do to the target system, or you don't know how they utilize their target systems. In this case we have essentially been able to exploit, or to gain an initial foothold on, an employee system or an employee computer, and it's very likely that at the end of their work day they're going to turn off their PC, and that means that we will actually lose our initial foothold because we haven't set up persistence. So it's very important that you learn how to set up and maintain persistent access to your targets, so that whenever they actually power on or reboot their system we get our foothold back, or we get our agent back. Again, this may seem like a step that you'll probably skip whenever you're dealing with CTFs or a penetration test, primarily because you're not required to maintain access over a long period of time and that's really not within your objectives, but in regards to red teaming it's always important that you maintain access to your agents so that you can always go back, assess them, exfiltrate data and so on and so forth.

That being said, if we take a look at the MITRE ATT&CK persistence techniques, or the actual tactic and its techniques, there are a few key persistence techniques that we're going to be exploring. Of course one of them is going to be persistence through the Windows registry; we also have persistence through scheduled tasks; we can also create a local user account; and we'll also explore backdoors to a certain extent. Now it's very important to note that some persistence techniques will require an agent with elevated privileges; however, we can also set up persistence via an unprivileged agent. That's very important because our initial foothold, in regards to our scenario here, is an unprivileged agent, and that means that we can only do so much in regards to modifying operating system code or interacting with the registry and so on and so forth.

Now when it comes down to the persistence modules available for Empire, they typically split up into one to four categories based on how they work, how they should be utilized and under what parameters they can be utilized. In this case we're going to be focusing on three persistence modules, or three categories of persistence modules. The first one is userland persistence, and this is very much relative to our particular case or our scenario, in that userland persistence modules are used to set up reboot persistence for a non-privileged agent, also known as userland. So that's essentially what they're used for. We also have elevated persistence modules, which are used to set up reboot persistence for agents with administrative privileges, and of course that's very different because you have more access and you can do much more. And then of course you have the PowerBreach modules, which are a series of in-memory PowerShell backdoors that can be used to set up persistence as well, through various techniques like creating a user backdoor and so on and so forth, and we'll explore all of this. That being said, that's pretty much all that I wanted to make clear in regards to the theory for this video. Let's get started; I'll see you back on my Kali VM and we can actually get started with setting up persistence.

All right, so I'm back on my Kali VM and I have my Empire server running as well as my Empire client, and I also have Starkiller set up, so we're going to be again switching between Starkiller and the Empire client just to show you that they can be used interchangeably, although the Empire client is much more stable in regards to executing certain modules. However, there are a few things that I wanted to take you through in regards to the Starkiller GUI, or the interface rather, and that is pertaining particularly to the agents. Within the Agents screen you have the ability to hide stale agents. So what is a stale agent? A stale agent is an agent that's not pinged back, or that's not actually connected back, for whatever reason: it could be that the client or the target has actually shut down the connection, or it got shut down by an anti-malware service like Windows Defender, or it could be that the security analysts have actually turned it down or have terminated that process. Again, one reason for that is primarily because you didn't have persistence, otherwise you'd have got the agent callback. So you have the ability to hide stale ones, which is quite helpful because you'll have quite a few stale agents over time. The other aspect that I wanted to highlight here is the ability to customize the categories displayed in terms of information for a particular agent. You can customize that by clicking on this little option menu, and you have the ability to either display each of these categories or any one of them. So you can display all of the categories here, and this is information pertinent to your particular agent: you can display the hostname of the agent, the process, process ID, architecture, language, language version, working hours. Working hours is something that you pretty much obtain by monitoring and analyzing the activity of the agent, like when the agent is turned on based on the office working hours, etc. You can also display the external IP if this is an external-facing host or client, and you can also display the delay and jitter. So for example if I hit Save here you can see the delay is five seconds, and I can get rid of that and I just hit Save and it displays the information that's important to me.

Now when it comes down to agents, and of course in this particular case we're only working with one agent so it's fairly simple to understand what's going on, it can be quite cumbersome to manage a whole list of agents with the generic name that has been assigned by Empire, so we need to actually change that. Now there are multiple ways you can go about changing this. One of the ways is by using Starkiller, clicking on the agent name and then clicking on View, and within the Name field here you can see there's a text box; we can actually customize this based on its purpose, function or who utilizes it within the target organization. So for example let's say we have compromised one of the marketing representatives' computers, so we can say "marketing rep", and we can rename it so that we can easily identify it later. The name has to be alphanumeric, so "marketing rep", and you just click outside of that and you can see the name has been updated. So if I click on Agents it's now going to say marketing rep, and the same is going to be reflected within the Empire client. So again if I say agents you can see we have marketing rep there, and again it displays the same table of information that you have in Starkiller.

Now when it comes down to agents and whether or not your agent is a high integrity agent, and when I'm speaking about high integrity agents what I'm essentially referring to is whether this agent is privileged or unprivileged. In our case we know that the agent is unprivileged, and we can verify this by of course interacting with this particular agent. So we say marketing rep and then we list out the information for this particular agent. I hit Enter and you can see, right over here as one of the agent options, it's going to say "high integrity". Again, as I said, high integrity essentially refers to whether this is a privileged or unprivileged agent: if it's set to zero that means false, so it's not a high integrity agent; if it's set to one that means it is a high integrity agent. Furthermore, whenever you display your agents, an asterisk will be appended to the name of the agent if it is privileged, or if it is a high integrity agent, so that's always a quick way of identifying your systems based on privileges.

Now again, as I said within the slides, we're going to explore both userland persistence modules and of course privileged persistence modules. In our particular case we only have one agent and it's currently not a high integrity agent, so the first logical step would be to get a second agent on the same target system as a high privileged agent. We can do this through a multitude of techniques, but one of the techniques we're going to take a look at is through the use of the PowerShell tool PowerUp. PowerUp is a fairly simple module to utilize, and I would recommend utilizing it or running it from the Empire client, primarily because I've had issues with this particular module with Starkiller. But so again, what I'll do is, let me just clear up my screen here. If I interact with the marketing rep PC I can then use the module, and again the module is fairly simple to understand: if I just say usemodule and then I can search for it here, "powerup", you can see powershell privesc powerup allchecks. What this will do is it will run a series of checks that are pertinent to privilege escalation, and of course given the fact that we're dealing with a Windows 10 target we're going to have very limited techniques that we can utilize out of the box. We're not yet going to take a look at privilege escalation; we're simply trying to obtain somewhat of an elevated state on the target. So we can utilize the first module there and we hit Enter, and now we can customize the module options. So the module options: if you only have one agent it's going to set that agent as the value here for the name of the agent, and you can also set the output function, the PowerShell output function, from Out-String, which is simply going to display output in the form of a string; you can also convert it to CSV, ConvertTo-Xml, ConvertTo-Html and so on and so forth. All right, so all that you need to do now is simply hit execute, and again it really is very, very simple. We can just hit execute here and we hit Enter, and it's going to again task marketing rep to run task 1, which is going to run the module. So I'm just going to wait for this particular module to run. In the meantime I'm just going to interact with the agent itself, marketing rep, there we are, and let's see whether you can see "task 1 results received". Let's actually see whether we can obtain the results from PowerUp.

All right, so PowerUp does provide us with the results within the Empire client terminal interface, and you can actually see that here, so we'll just go through all the checks that it runs. You can see "running Invoke-AllChecks", "checking if user is in local group with administrative privileges"; we can see that the user is in a local group that grants administrative privileges, which is great. So that means that this user is part of the admin group on Windows; it's going to tell us to run a bypass user access control attack to elevate privileges to admin, so we'll actually do that. It's then going to check for common privilege escalation attack vectors on Windows, which in this case, number one, it checks for unquoted service paths; it'll also check the service executable and argument permissions to identify a few vulnerabilities there; it also checked for hijackable DLL locations that we can actually utilize, and that's where we can generate stagers like windows/dll and perform DLL hijacking that way for certain programs that are missing DLLs. It also checks for AlwaysInstallElevated, AutoLogon credentials, modifiable registry autoruns and configs, modifiable scheduled tasks, and checks for unattended install files. That's interesting: we find the unattended path here. Now the unattended install on Windows is a fantastic system or utility that is utilized by administrators to install Windows on a large number of workstations unattended, so what that means is that they need to pre-configure the passwords for the users that they're creating on the systems, and they specify that within a configuration file, so unattend.xml, so we can potentially find credentials within that file. It'll also perform password searches here to identify any plaintext passwords, and then of course I just ran an additional command here to essentially ensure that I still have communication, or I still have contact, with the target, and that was just ipconfig.

That being said, we can now utilize the technique that it actually recommends, which is bypass UAC to elevate our privileges to admin. So we will again say usemodule and we can search for it here, "bypassuac", and we're looking for the first one here, powershell privesc bypassuac. We hit Enter. The options we need to change are going to be whether we want any bypasses, the listener (we can use the HTTP listener), we can also obfuscate if we want, but as I said we're not exploring obfuscation right now; we'll explore it in future videos. The only option we need to set in this case is the listener, so we're going to say set Listener http. That's the HTTP listener we set up earlier, and then once we're ready to go all we need to do is hit execute. So I'm just going to run that: execute, hit Enter, and that's going to task marketing rep to run task 3. You can also check the tasks running on the Empire server terminal interface, so you can see it's going to give you a list of tasks that are being run, or that have actually been run. So I'm going to give this a few seconds and then we'll check the output to see whether that was successful.

All right, so it looks like that was successful, because we received a second agent that is going to be a high integrity agent that checked in. So if we go to Starkiller and we check our agents we can see we have the high privilege or high integrity agent. If you hover over that you can see that if it is a high integrity agent it's going to have this little icon, this little person with a cog here, and that's going to say "elevated process". So again, remember it's the same target but with an elevated session, so you can actually see that the process ID is different, the process it utilizes is different, it's using powershell, and again everything else is pretty much the same although now it is in an elevated state. So we can rename it; I'm going to do that right now. I'm just going to say "marketing rep hi", or we can just say "marketing rep privileged" or "marketing privileged", let's just keep it simple. Again, you can rename it to whatever is comfortable for you. Again, if we go back to Agents you can see marketing privileged, and now we can begin the persistence techniques, because we'll take a look at how to set up persistence for both of these agents so that even if the system is rebooted we will get back these agents, or they'll connect back when the system is rebooted, or they will essentially get back a connection whenever we set our scripts to execute at a certain time. All right, so let's move on to persistence now.

All right, so let's get started with the userland persistence modules for our unprivileged agent, which is just the marketing rep agent here. So we'll head back into the Empire client terminal and we'll take a step back here; we're currently within the marketing rep agent, so we are currently interacting with it. Let me just display that again. We can now see, as I mentioned before, there will be an asterisk for the privileged agent. So what we can do is we can say interact and then we say marketing rep, and again it'll display the output from PowerUp, but in this case we're going to use a new module. So we're going to say usemodule and we are going to start off with the persistence module pertaining to the registry, or the registry key. So again I'm just going to locate it: "persistence", we can search for persistence modules, and we're then looking for the userland registry module. You can see there's a difference between elevated and userland modules, so we can click on userland registry and hit Enter. There are a few options that we need to configure. Of course a very important one, number one, we can see that we can provide an alternate data stream location; we also have the default agent, which is set correctly to marketing rep; any bypasses; the cleanup switch if you want; the external file for the payload instead of a stager (we're going to utilize a stager). Now the KeyName option, this is very important: this is the key name for the run trigger.

Now when it comes down to registry keys, I just wanted to explain one thing. We have the Run and RunOnce registry keys here. Now the Run and RunOnce registry keys cause programs to run each time that the user logs on. The data value for a key is a command line no longer than 260 characters. Register programs to run by adding entries of the form "description-string=commandline". You can write multiple entries under a key; if more than one program is registered under a particular key, the order in which these programs run is indeterminate. So we can utilize the following registry keys, or the following registry entries rather, and because we want to set up persistence for the current user we're going to say HKCU, or HKEY_CURRENT_USER as it were, and again Software\Microsoft\Windows\CurrentVersion\Run. Now we need to specify the key name. The key name should be as clandestine as possible so that, you know, the blue team can detect it, so in our case we can leave it as Updater or we can change it; alternatively we can also set it to Empire so that we can actually verify that it has been added, but in our case we'll leave it as Updater. We then need to set the listener; the listener is very, very important here. So we're going to set the listener first; we'll use the HTTP listener we set up because it's working very well, and you can also use the HTTP hop listener, which is great, although I'll probably make another video covering how to use that because that allows you to proxy traffic really well. We also need to set the registry path. Now you can see it's currently set to Debug; we want to set that to Run, so Software\Microsoft\Windows\CurrentVersion\Run, and we're going to use HKEY_CURRENT_USER. So again, we can also use HKEY_LOCAL_MACHINE if we want; that'll work just as well. So again we can just copy that, depending on the type of persistence you want to set up. In our case let's just set the registry path, so RegPath, let me type that in, there we are. So we're going to say HKLM, HKEY_LOCAL_MACHINE, and then we can paste in what we had copied, so we're going to say Software\Microsoft\Windows\CurrentVersion\Run. Let me just get rid of that there. So what will happen is that when we're setting this particular registry key, this will cause the script to run for any user that logs in instead of the current user, which again is great, and again I'm using this option because it's the most comprehensive out of all the others. Now as I said, this persistence method or technique isn't the recommended technique, because again you're working with the registry and there's a lot of logging for the registry, so again in our case we're just using it so that I can demonstrate how this works. That being said, once that is done we can then just hit execute and we hit Enter, and that's going to run it, so again I'm just going to let this run.

All right, so I ran the persistence module with the options that I specified for the local machine, but it looked like that didn't work, so I ran the same module under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, and I've just run a registry query for the same Run key just to see whether that particular... let me actually open that up, let me just show you this here. We can also do it using Starkiller, so again if I say persistence and we locate the userland registry module, yeah, so again the key name I utilized there was Empire, so that's the key name for the trigger. So again if I just display the tasks here, hopefully it actually loads up so that I can actually take you through this right now. It doesn't look like that's working. Let me just check the file browser here. I think there's a module that can actually display certain registry keys that I want to actually view. If we say for example, let me just clear that out, let's just say "registry" just to verify that that is the case. So there we are, let's see: csharp SharpSploit enumeration SetRegistryKey, no, we want GetRegistryKey here, HKEY_CURRENT_USER, yep, that's the correct one there, and then of course we utilized this one here so we can just copy that, even though there isn't much of a change there. So I'll just paste that in there and let me just correct that, and hopefully this will display that particular registry key. The C# server is not running, so let me just start that there: Plugins, csharpserver, and let's start that. So I'm just going to wait for this to start up, and while the C# server is actually starting up we can actually use the shell on the marketing rep PC, and I'm just going to query that particular one, so reg query, and we'll just try and identify whether that has actually provided any output. There we are, you can see that we added the Empire run entry there, and that's going to execute powershell, and we have that done correctly. So now we have been able to set up persistence for this current user, and of course we're working from an unprivileged state. We also have the Updater one, which seems like it worked because I set it, although the registry location doesn't seem to have the backslashes there; there's probably an issue with the way I passed in the options within the module options. But in any case we have the Empire one, we can see Empire there, and of course you can also run it through Starkiller. So again if we head over to Agents, what I did was I used the same persistence module, so again you can locate it here, userland registry, there it is, that's the module there, and I set the key name to Empire and I simply changed it to HKCU, current user, and then Run, and that seems to have set up correctly. So let's move on to the next persistence technique pertaining to the userland modules, and we can actually utilize Starkiller, which can alternate between the two. So yeah, let's take a look at the next technique.

All right, so the next persistence technique is through scheduled tasks, and of course this is a userland module, so we'll utilize Starkiller. I'm just going to refresh my agents there, marketing rep, there we go, and I'm just going to look for it here, so "schtasks", and you can see we have the userland module, not the elevated module but the userland module, so I'm going to click on that. The task name, again I'm just going to call it Empire just to keep things nice and simple, and then we'll use a different one for the elevated or high integrity agent. We can provide the daily time when we want the script to be triggered, so in hours and minutes. So again this will play into the agent's working hours, or the hours when the agent is actually on, so you can get back an agent at that time whenever the script is triggered. You can also set up the idle time in minutes to trigger the script; you can also use an external file for the payload instead of the stager; the listener will utilize this HTTP; we don't want to obfuscate, as I mentioned we're not going to use that right now. Yeah, and that's pretty much it in regards to the options. The registry key path that we can utilize again can follow the same one we utilized, so for example we can use HKEY_CURRENT_USER and the Run or RunOnce registry keys, but we want the Run registry key. So let me just head back into Starkiller and we can just change this to Run. I believe that is the same command there; just to be sure we can actually just paste that in there, there we are, and I'll just get rid of that extra backslash and we simply hit Submit. All right, so that is going to be queued for execution, so again I'm just going to wait for that to complete execution, and let's see whether that actually did it correctly as a scheduled task. So again, just going to wait for that to complete and actually click on marketing rep. For some reason I've not been getting any output displayed here within my output pane, but I will probably have to see whether we can actually pop that out here. So agent marketing rep, let's see whether that actually works out here if I bring that over here. Does that work out? No, it doesn't work out, but we can interact the same way with the Empire client. That being said, we can also take a look at a few options that I haven't covered with Starkiller, and that is the ability to upload or download files to the target, and we'll be exploring that as we move along when we will be talking about exfiltration. Of course this is not a valid technique for exfiltrating data; we want to always create a staging directory and stage the files that we are interested in. So again, let me just check whether this has been executed successfully.

All right, so I'm currently within the Empire client terminal, and you can see it's going to say, when I interacted with the agent, "task 12 results received", "success: the scheduled task Empire has successfully been created", "schtasks persistence established using listener http stored in HKEY_CURRENT_USER etc. under the Run key with the Empire daily trigger at 9 AM". Right, so that is how to use scheduled tasks for persistence.

Now let's talk about the privileged agent here, or the high integrity agent. If we interact with the high integrity agent, there we are, and we say marketing privileged, and what we'll do is I'll just display the info here; you can see that indeed it is a high integrity agent because the value is now set to one instead of zero, which means we can pretty much run other modules that we couldn't before, and let's explore some of these modules. So again, we can pretty much run the same persistence techniques that we did for the unprivileged agent, which was through the Windows registry or through creating a scheduled task. In this case we can also do it through a scheduled task or the registry, but in an elevated sense, so again the same process repeats itself. So we can click on marketing privileged here, we can then search for the module, so we can search for "persistence", and now you can see we're going to have the elevated modules: so we're going to have wmi, wmi_updater, schtasks, registry, rid_hijack, and then of course we have the userland ones, which are just two. So in this particular case, because we've already explored the registry and scheduled tasks modules, let's take a look at the WMI module. So what this module will do, let me find it, there we are, what this module will do is it'll essentially configure a permanent WMI subscription to fire the stager script logic, and then of course you have a time when the script will be executed, or you can also set it to run on system startup. So again we'll set this up there and we'll provide it with a name; we'll just call it "wmi", and AtStartup can be set to true. We can also set a daily time to trigger the script. If we are using the AtStartup option switch, the trigger script will be executed within five minutes of system startup. You can also provide an external file instead of the payload, as I mentioned. Trigger the script with a failed logon attempt from a specific user: this can be used when you're trying to actually get it to execute by authenticating yourself either through RDP or any other techniques, so that you can get the agent back. But in this case this looks fine, so I'm just going to hit Submit, and again I'm just going to wait for this to be executed.

All right, so interacting with the marketing privileged agent reveals that "WMI persistence established using listener http on startup WMI subscription trigger", right, so that looks like it was successful. Disregard this particular task; this was just a check using Starkiller for the current directory, so again this is essentially what I was doing. That being said, we can actually again take a look at one more technique that of course is going to be based on your current working environment and the target infrastructure, and then what we're going to do is I'm going to restart the target system and let's see whether we actually get our agents back, or we get a callback, essentially verifying that the persistence techniques were legitimate.

All right, so the next technique that I'm going to highlight will essentially deal with creating local user accounts as a means of persistence, or maintaining some form of access, although as I said this is not recommended if you're working in an environment that's constantly being monitored. So again this will depend on the environment that you're dealing with, and again we'll also take a look at how to set up a backdoor for a particular user. So what we'll do is we'll work with the privileged agent here, and I can then search for it here, "persistence", and we're looking for the module that allows us to add a user. We'll also take a look at deaduser, but we can take a look at add_netuser here, and you can also display the actual technique for this particular module on the MITRE website here. So you can see "System Owner/User Discovery: adversaries may attempt to identify the primary user, currently logged in user, set of users, etc.", and then of course it
provides us with the technique id which again will provide us with an idea of what this particular module does so what we can do is we search for t1033 let's see what that does you know this is always good to actually go through that t1033 let's actually search for that i can actually find that here let's head over to the matrix here t1 0 33 right um we're currently within uh we're currently within persistence if we click on account manipulation t1033 can we take a look at account manipulation there we have the sub techniques and we are essentially working on creating another user account here let's see if i can identify that just through this that we are create account although that's not the correct technique but again this process essentially involves create an account to maintain and access maintain access to victim systems right so let's head over back to starkiller so there we are misc miscellaneous ad net user the computer name uh hostname to add the um the local user to the domain the specified domain to other user to the group name which is administrators and then the password for that particular user and of course the back door or sorry the username which in this case is set to backdoor which i don't recommend if we head over to agents we can see that the host name is ms edge win10 there so again if i click on that there and then we search for ad user add user if i can find it there we are and again the no localhost name we provide we don't have a domain here because we're not dealing with domains or active directory the group name administrators that is correct there's the administrators group and then we provide a password and we can call this empire let's see if this works um all right so that's been queued for execution the other module that i wanted to highlight here was the process of creating a back door for a user and you can use that using the power breach module that i highlighted within the um within the slide so power bridge dead user what 
this does what this module will do is it will set up a script that will provide you with an agent uh if a particular user is deleted like for example we created our our empire user and we can then set up the dead user script here to actually provide us with a an agent or a essentially execute a script that will provide us with an agent uh sort of similar to a um a backdoor when the empire user is deleted right and we'll we'll get to this in a second before we do that i just want to make sure uh that the empire user has been created and as i said that's not something i recommend doing i'm just highlighting various techniques here all right so i'm back on the client here and you can see that it um it essentially added the user for us and we did that on the privileged agent for a reason uh so now if we open up a shell uh session and we say net user let's see whether that actually will will actually display that user for us and you can see we have the empire user there and we can then log in to it through whatever technique rdp or uh even smb using ps exec if we wish to do that and we can essentially authenticate so we've added it and it's part of the admin user or the administrators group sorry and yeah so that's how to set up the user account now as i mentioned i'm not going to be using the dead user script or the dead user module because again if i let me just uh display this to you so we can actually take a look at how to set it up so you set up your listener that's for the agent to connect back to you then have the the sleep time so this is the time in seconds to sleep between checks so it will check every 30 seconds whether that user has been deleted if it exists it will not run or trigger the script if it's been deleted it will then trigger it now in regards to the trigger of the script uh for the back door or you know the uh in in regards to the actual duration or timeout for the um for the back door to be run we can set it to zero to run forever or almost 
immediately the user account to check for existence is going to be empire and then we can specify a domain or an out file right so i'm not going to use this module because again in our case it's not really necessary but again if you are setting up another user on the system and you want to have a back door for that user you can do that as well and yeah those are pretty much all the techniques that i wanted to highlight at this point as i said these are not advanced techniques they're typically exploiting windows services like powershell or scheduled tasks the next step now would be to restart the target system and let's see whether we get our agents to actually connect back to us once the system is restarted so again we're moving now from our initial photo to actually setting up persistence and now testing the persistence so again we're going to assume that the target has shut down or has restarted the system so i'm going to restart the target system and let's see whether we get our agents back all right so i restarted the target system and i received the callback from i received the callback in the form of agents uh thanks to all the various uh persistence techniques that we had set up for the various modules that we had utilized and you can see that we have three agents now the reason we have three agents is because if you remember when we were setting up persistence we had set up or we had used two uh user lend modules for the unprivileged agent which was persistence through the registry and persistence through scheduled tasks tasks which is why we actually received two unprivileged agents from the marketing rep agent here and then we also set up persistence using the um using the privilege persistence module wmi that essentially again will provide us with a a persistent uh elevated agent or a privileged agent and you can see it right over here now of course as they reconnect they're going to be under new names and of course you can learn more about them you 
just click on them change their name here and every time the system restarts they will ping back so you need to be aware of that and of course we go back into our agents here you can now see for some reason that is a an elevated session that's weird uh we don't have any if we had the stale agents there we can see our current ones and their connection has been facilitated or the process they're utilizing is powershell and of course you can take you can take a look at their usernames here and they of course this indicates the user that they're currently using we can see that these are indeed privileged uh for some reason this one uh both of these look to be elevated uh or high integrity agents uh in any case you can see that the techniques we utilized with the modules we utilized worked uh in addition to the modules that we utilized we also set up a a another user on the system a local user that's part of the admin uh group and uh you know we we set the username to empire and that can again provide us with access when we need it if we need it and of course that can be utilized in a multitude of ways although as i mentioned uh that's not something that i would recommend doing in a highly secured or monitored environment uh that being said uh that's pretty much all that i wanted to cover in this video and i'll be seeing you in the next video a huge thank you to all of our patreons your support is greatly appreciated and this is a formal thank you so thank you shamir douglas ryan carr sandor michael busby sits up doozy defeam barry dustin on president michael hubbard your support is greatly appreciated and you keep us making even more high quality content for you guys so thank you [Music] you
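The two artefacts the video's persistence modules leave on the host, a permanent WMI event subscription and a new local administrator account, are exactly what a defender would hunt for afterwards. The PowerShell hunt script below is an added example, not code from the video or from the Empire project; the trigger and command-line patterns it flags are assumptions about what such subscriptions commonly look like, not Empire's exact WQL query, and the event IDs are standard Windows Security log IDs.

```powershell
# Added defensive check, not from the video or the Empire project.
# Run in an elevated PowerShell on the host under review. It lists the two
# artefacts the techniques above leave behind: permanent WMI event
# subscriptions, and creation of or additions to local Administrators.

function Get-SuspiciousWmiSubscriptions {
    # A permanent subscription is a filter (trigger) bound to a consumer (action).
    $ns = 'root\subscription'
    foreach ($b in Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding) {
        $query = [string]$b.Filter.Query
        # CommandLineEventConsumer keeps its payload in CommandLineTemplate,
        # ActiveScriptEventConsumer in ScriptText; a missing property is just $null.
        $action = [string]($b.Consumer.CommandLineTemplate + $b.Consumer.ScriptText)
        $reasons = @()
        # Assumed trigger patterns: boot (uptime counter), time of day, or a logged
        # event such as a failed logon. Generic indicators, not Empire's exact query.
        if ($query -match 'SystemUpTime|Win32_LocalTime|Win32_NTLogEvent') { $reasons += 'trigger' }
        # Action pattern: PowerShell launched with an encoded or hidden command line.
        if ($action -match 'powershell.*(-e(nc|ncodedcommand)?\b|FromBase64String|hidden)') {
            $reasons += 'encoded-powershell'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Filter   = $b.Filter.Name
                Consumer = $b.Consumer.Name
                Query    = $query
                Action   = $action
                Reasons  = ($reasons -join ',')
            }
        }
    }
}

function Get-LocalAdminChanges {
    param([int]$Days = 7)
    # Security log: 4720 = user account created, 4732 = member added to a local group.
    # (With Sysmon, IDs 19/20/21 cover WMI filter, consumer and binding creation.)
    $filter = @{ LogName = 'Security'; Id = 4720, 4732; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0].Trim() } }
}

Get-SuspiciousWmiSubscriptions | Format-List
Get-LocalAdminChanges | Format-Table -AutoSize
# Compare current membership against your baseline of expected administrators.
Get-LocalGroupMember -Group 'Administrators' | Format-Table Name, PrincipalSource -AutoSize
```

Any binding it reports should be reviewed against known-good subscriptions (some management agents register legitimate ones), and an unexpected 4732 into Administrators is worth treating as an incident rather than a finding.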
Info
Channel: HackerSploit
Views: 17,678
Keywords: hackersploit, hacker exploit, hacking, kali linux, windows persistence, windows persistence module, red team, red teaming, what is a red team, red team exploitation, red team initial access, powershell empire, powershell, empire, powershell empire tutorial, powershell empire macro, powershell empire 2.5, powershell empire 2.0 tutorial, powershell empire lateral movement, powershell empire privilege escalation, powershell empire persistence, powershell empire windows
Id: 7h_5BJHIpnU
Length: 44min 40sec (2680 seconds)
Published: Fri Nov 05 2021