Microsoft Backdoors

The opposite of hardening: where an attacker hides backdoors and gains persistence, and therefore where a defender should look.


  • User accounts: create a new local user account
  • Groups: add a user to a privileged group
    • Backup Operators! (SeBackupPrivilege and SeRestorePrivilege bypass file ACLs, so a member can copy the SAM and SYSTEM hives or overwrite system files)
  • Startup scripts (local GPO startup scripts under %SystemRoot%\System32\GroupPolicy\Machine\Scripts, plus the Startup folders)
  • Logon scripts (GPO logon scripts, the HKCU\Environment\UserInitMprLogonScript variable, the Winlogon Userinit and Shell values)
  • Scheduled tasks
  • Services
  • Change utilman to cmd (swap utilman.exe for a copy of cmd.exe, or point an Image File Execution Options Debugger at it; the accessibility button on the lock screen then gives a SYSTEM shell)
  • Firewall: a port-knocking listener that opens a rule or executes a command when the right sequence of connections arrives
  • Map a file extension (file-association hijack: the open command under HKLM\SOFTWARE\Classes runs the backdoor before the real handler)
  • Create a certificate mapping for the Administrator account (a certificate the attacker holds then authenticates as that account, independent of its password)
  • All autorun values (Run, RunOnce, Winlogon, Explorer and the rest; Sysinternals Autoruns enumerates them)
  • Security policy for normal accounts (grant an ordinary account user rights such as backup/restore or debug privileges)
  • BIOS password or Intel ME
  • Network share mappings
    • symlink to
  • Explorer-loaded DLLs (search-order hijacking or side-loading of a library explorer.exe loads at every logon)
  • Malicious drivers
  • Image File Execution Options (a Debugger value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<exe> runs the attacker's binary every time <exe> is launched)
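The list above is the defender's checklist as much as the attacker's. The script below is an added example, not part of the original notes: it enumerates the local persistence locations named in the list (autorun keys, IFEO Debugger values, swapped accessibility binaries, Winlogon and logon-script hooks, the .exe file association, Administrators and Backup Operators membership, services and scheduled tasks outside the Windows directory, unsigned DLLs loaded into explorer.exe) and emits one object per finding so a host can be baselined and later runs diffed. The "expected" defaults it compares against (Userinit, Shell, the exefile open command) and the path heuristics are assumptions for a stock install; tune them to your own build.

```powershell
# Added audit script (not from the original notes). Run from an elevated
# Windows PowerShell 5.1 prompt. Expected defaults below are assumptions for
# a stock Windows install; adjust them for your environment.

function Get-AutorunEntries {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($p in (Get-ItemProperty $k).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }        # skip PSPath, PSDrive, ...
            [pscustomobject]@{ Check = 'Autorun'; Where = $k; Name = $p.Name; Value = $p.Value }
        }
    }
}

function Get-IfeoDebuggers {
    # A Debugger value runs the named binary in place of the program; utilman.exe,
    # sethc.exe and osk.exe are the classic lock-screen targets.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($sub in Get-ChildItem $ifeo) {
        $dbg = (Get-ItemProperty $sub.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { [pscustomobject]@{ Check = 'IFEO'; Where = $sub.PSChildName; Name = 'Debugger'; Value = $dbg } }
    }
}

function Get-SwappedAccessibilityBinaries {
    # utilman.exe replaced by a copy of cmd.exe carries cmd.exe's hash; anything
    # no longer validly signed is flagged as well.
    $sys32   = "$env:SystemRoot\System32"
    $cmdHash = (Get-FileHash "$sys32\cmd.exe" -Algorithm SHA256).Hash
    foreach ($bin in 'utilman.exe', 'sethc.exe', 'osk.exe', 'Magnify.exe', 'Narrator.exe') {
        $path = Join-Path $sys32 $bin
        if (-not (Test-Path $path)) { continue }
        $sig = Get-AuthenticodeSignature $path
        if ((Get-FileHash $path -Algorithm SHA256).Hash -eq $cmdHash -or $sig.Status -ne 'Valid') {
            [pscustomobject]@{ Check = 'AccessibilityBinary'; Where = $path; Name = 'Signature'; Value = $sig.Status }
        }
    }
}

function Get-LogonHooks {
    # Winlogon Userinit/Shell, the per-user logon-script variable and the .exe
    # file association all run code at logon or on every program launch.
    $wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $expected = @{ Userinit = "$env:SystemRoot\system32\userinit.exe,"; Shell = 'explorer.exe' }   # assumed defaults
    foreach ($n in $expected.Keys) {
        if ($wl.$n -ne $expected[$n]) { [pscustomobject]@{ Check = 'Winlogon'; Where = 'Winlogon'; Name = $n; Value = $wl.$n } }
    }
    $ls = (Get-ItemProperty 'HKCU:\Environment' -ErrorAction SilentlyContinue).UserInitMprLogonScript
    if ($ls) { [pscustomobject]@{ Check = 'LogonScript'; Where = 'HKCU:\Environment'; Name = 'UserInitMprLogonScript'; Value = $ls } }
    $exe = (Get-ItemProperty 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command').'(default)'
    if ($exe -ne '"%1" %*') { [pscustomobject]@{ Check = 'FileAssoc'; Where = 'exefile'; Name = 'open'; Value = $exe } }
}

function Get-PrivilegedLocalMembers {
    foreach ($g in 'Administrators', 'Backup Operators') {
        Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Check = 'GroupMember'; Where = $g; Name = $_.Name; Value = $_.PrincipalSource }
        }
    }
}

function Get-OddServicesAndTasks {
    # Heuristic: services and enabled task actions whose binary lives outside the
    # Windows directory deserve a second look (expect third-party noise).
    Get-CimInstance Win32_Service | Where-Object { $_.PathName -and $_.PathName -notmatch 'Windows\\' } | ForEach-Object {
        [pscustomobject]@{ Check = 'Service'; Where = $_.Name; Name = $_.StartName; Value = $_.PathName }
    }
    Get-ScheduledTask | Where-Object State -ne 'Disabled' | ForEach-Object {
        foreach ($a in $_.Actions) {
            if ($a.Execute -and $a.Execute -notmatch 'system32|SystemRoot|windir') {
                [pscustomobject]@{ Check = 'Task'; Where = $_.TaskPath + $_.TaskName; Name = $a.Execute; Value = $a.Arguments }
            }
        }
    }
}

function Get-UnsignedExplorerModules {
    (Get-Process explorer -ErrorAction SilentlyContinue).Modules | Select-Object -ExpandProperty FileName -Unique | ForEach-Object {
        $sig = Get-AuthenticodeSignature $_
        if ($sig.Status -ne 'Valid') { [pscustomobject]@{ Check = 'ExplorerDLL'; Where = $_; Name = 'Signature'; Value = $sig.Status } }
    }
}

$findings = @(Get-AutorunEntries) + @(Get-IfeoDebuggers) + @(Get-SwappedAccessibilityBinaries) +
            @(Get-LogonHooks) + @(Get-PrivilegedLocalMembers) + @(Get-OddServicesAndTasks) + @(Get-UnsignedExplorerModules)
$findings | Format-Table -AutoSize -Wrap
# Keep the first run as a baseline and diff later ones against it:
# $findings | Export-Csv "$env:COMPUTERNAME-persistence.csv" -NoTypeInformation
```

Run it once on a freshly built host and keep the CSV; on later runs the interesting lines are the ones that were not there before. The firewall, BIOS/ME and driver items from the list are not covered here: drivers are best checked with `Get-CimInstance Win32_SystemDriver` plus signature verification, and firmware-level persistence needs vendor tooling rather than a registry walk.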

Active Directory vs ADDS_Security

  • SIDHistory (inject a privileged SID such as Domain Admins into the sIDHistory of an unprivileged account; it is honoured at logon without any group membership)
  • Set an ACL for a random account on the domain root (GenericAll, or just the DS-Replication-Get-Changes/-All extended rights needed for DCSync)
  • Set an ACL for a random account on AdminSDHolder (SDProp copies it to every protected group and account, by default every 60 minutes)
  • Group Policy
    • logon scripts (stored in SYSVOL; whoever can edit the GPO runs code on every linked machine or user)
  • Password filter to keep track of admin passwords (a DLL registered in Notification Packages under HKLM\SYSTEM\CurrentControlSet\Control\Lsa on a DC receives every plaintext password change)
  • SPN (an SPN on a user account lets any domain user request a service ticket encrypted with that account's key: Kerberoasting)
  • Golden/Silver Kerberos tickets (forged with the krbtgt key or a service account's key; golden tickets stay valid until krbtgt has been rotated twice)
  • DSRM mode (the DC's local Administrator RID-500 account password; DsrmAdminLogonBehavior=2 permits network logon with it at any time)
  • Backup key for DPAPI (MS-BKRP): the domain backup key is never rotated and decrypts every domain user's DPAPI master keys
  • Certificate mapping for admin accounts (altSecurityIdentities)
  • Authentication Mechanism Assurance (an issuance-policy OID linked to a group via msDS-OIDToGroupLink adds that group to the logon token of certificate holders)
  • LAPS (an extra ACE granting read on the managed-password attribute yields the local admin password of every managed host)
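The same checklist from the directory side. The script below is an added example, not part of the original notes: it audits the AD-level persistence points listed above (dangerous or DCSync ACEs on the domain root and AdminSDHolder, populated sIDHistory, altSecurityIdentities mappings, Authentication Mechanism Assurance group links, krbtgt key age and user SPNs, the DSRM logon behaviour and password-filter DLLs on each DC, and logon/startup scripts in SYSVOL). It needs the RSAT ActiveDirectory module and an account that can read the directory and the DCs' registry remotely. The set of trustees treated as expected on the domain root and AdminSDHolder is an assumption for a default single-domain forest; tune it before trusting the output.

```powershell
# Added audit script (not from the original notes). Requires the RSAT
# ActiveDirectory module. The $expected trustee list is an assumption for a
# default forest and will need tuning (Exchange, tiering groups, child domains).
Import-Module ActiveDirectory
$domain   = Get-ADDomain
$rootDN   = $domain.DistinguishedName
$configNC = (Get-ADRootDSE).configurationNamingContext
$nb       = $domain.NetBIOSName

# Extended rights that allow DCSync: DS-Replication-Get-Changes and -Get-Changes-All.
$dcsyncGuids = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2', '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'

function Get-SuspiciousAces([string]$DN) {
    # Write/owner/GenericAll or DCSync rights held by anything other than the
    # built-in administrative principals. SDProp pushes AdminSDHolder's ACL to
    # every protected object, so one stray ACE there is domain-wide.
    $expected = 'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'BUILTIN\Administrators', "$nb\Domain Admins",
                "$nb\Enterprise Admins", "$nb\Domain Controllers", 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS'
    (Get-Acl "AD:\$DN").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -notin $expected -and (
            $_.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty' -or
            ($_.ActiveDirectoryRights -match 'ExtendedRight' -and
             $_.ObjectType.ToString() -in ($dcsyncGuids + '00000000-0000-0000-0000-000000000000'))   # all-zero GUID = every extended right
        )
    } | ForEach-Object {
        [pscustomobject]@{ Check = 'ACL'; Object = $DN; Value = "$($_.IdentityReference): $($_.ActiveDirectoryRights) $($_.ObjectType)" }
    }
}

function Get-SidHistoryAccounts {
    # RIDs 512/516/518/519 or S-1-5-32-544 in sIDHistory grant admin rights without membership.
    Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory | ForEach-Object {
        $hist = ($_.sIDHistory | ForEach-Object { $_.Value }) -join ';'
        [pscustomobject]@{ Check = 'SIDHistory'; Object = $_.DistinguishedName; Value = $hist; Privileged = ($hist -match '-(512|516|518|519|544)(;|$)') }
    }
}

function Get-CertificateMappings {
    # altSecurityIdentities maps a certificate to an account: a password-independent logon path.
    Get-ADObject -LDAPFilter '(altSecurityIdentities=*)' -Properties altSecurityIdentities, adminCount | ForEach-Object {
        [pscustomobject]@{ Check = 'altSecurityIdentities'; Object = $_.DistinguishedName; Value = ($_.altSecurityIdentities -join ';'); Privileged = ($_.adminCount -eq 1) }
    }
}

function Get-AmaGroupLinks {
    # Authentication Mechanism Assurance: an issuance-policy OID linked to a group
    # adds that group to the token of anyone logging on with a matching certificate.
    Get-ADObject -SearchBase "CN=OID,CN=Public Key Services,CN=Services,$configNC" -LDAPFilter '(msDS-OIDToGroupLink=*)' `
        -Properties msDS-OIDToGroupLink, msPKI-Cert-Template-OID -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{ Check = 'AMA'; Object = $_.'msPKI-Cert-Template-OID'; Value = $_.'msDS-OIDToGroupLink' }
    }
}

function Get-KerberosKeyState {
    # Golden tickets survive until krbtgt has been rotated twice; user accounts
    # with SPNs can be Kerberoasted and their keys used for silver tickets.
    $k = Get-ADUser krbtgt -Properties PasswordLastSet
    $age = [int]((Get-Date) - $k.PasswordLastSet).TotalDays
    [pscustomobject]@{ Check = 'krbtgt'; Object = $k.DistinguishedName; Value = "PasswordLastSet $($k.PasswordLastSet) ($age days ago)" }
    Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(!(samAccountName=krbtgt)))' -Properties servicePrincipalName, adminCount | ForEach-Object {
        [pscustomobject]@{ Check = 'UserSPN'; Object = $_.DistinguishedName; Value = ($_.servicePrincipalName -join ';'); Privileged = ($_.adminCount -eq 1) }
    }
}

function Get-DcLsaSettings {
    # Per DC: DsrmAdminLogonBehavior 2 lets the DSRM (RID 500) password be used for
    # network logon at any time (absent/0 = DSRM boot only); Notification Packages
    # names the password-filter DLLs that see every plaintext password change
    # (default on a DC: scecli and rassfm).
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        Invoke-Command -ComputerName $dc -ErrorAction SilentlyContinue -ScriptBlock {
            $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
            $v = "DsrmAdminLogonBehavior=$($lsa.DsrmAdminLogonBehavior); NotificationPackages=$($lsa.'Notification Packages' -join ',')"
            [pscustomobject]@{ Check = 'DcLsa'; Object = $env:COMPUTERNAME; Value = $v }
        }
    }
}

function Get-GpoScripts {
    # Logon/startup scripts live in SYSVOL; whoever can edit the GPO runs code on every linked target.
    Get-ChildItem "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies" -Recurse -Include 'scripts.ini', 'psscripts.ini' -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Check = 'GPOScript'; Object = $_.FullName; Value = ((Get-Content $_.FullName) -join ' | ') } }
}

$findings = @(Get-SuspiciousAces $rootDN) + @(Get-SuspiciousAces "CN=AdminSDHolder,CN=System,$rootDN") +
            @(Get-SidHistoryAccounts) + @(Get-CertificateMappings) + @(Get-AmaGroupLinks) +
            @(Get-KerberosKeyState) + @(Get-DcLsaSettings) + @(Get-GpoScripts)
$findings | Format-List Check, Object, Value, Privileged
```

Anything with Privileged = True, any ACL line, any AMA link and any DC whose NotificationPackages lists a DLL beyond scecli and rassfm should be explained by a change record or treated as a finding. Two items from the list are not covered by this script: who can read the legacy LAPS password attribute is simplest to check with `Find-AdmPwdExtendedRights` from the AdmPwd.PS module, and retrieval of the DPAPI backup key leaves no directory artefact, so it has to be caught through DC auditing rather than a configuration walk.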