Miscellaneous Persistence Methods

Empire also implements several “miscellaneous” methods of persistence. These reside in persistence/misc/*.

  • persistence/misc/add_sid_history – adds the SID of a given group/user to the SIDHistory attribute of a particular user. This is only applicable on a domain controller. It lets you create a “shadow domain admin”, where a given user has the access of a particular group/user without appearing to be a member of that group. This is reboot persistent.
  • persistence/misc/skeleton_key – installs Mimikatz’s skeleton key on a domain controller, allowing you to authenticate as any user with the ‘mimikatz’ password. This is memory-only (not reboot persistent).
  • persistence/misc/memssp – installs Mimikatz’s memssp module, which logs all authentication events to C:\Windows\System32\mimisla.log. It should be reboot persistent.
  • persistence/misc/disable_machine_acct_change – prevents a target machine from changing its machine account password. If you run mimikatz/credentials/logonpasswords first to dump the machine account password (the account name ends with $), you should have persistent access to that system. A CleanUp option is available as well.
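Each of the four modules above leaves a different footprint, and the following PowerShell audit checks a domain controller for all of them from the defender's side. It is an added example, not Empire's or Mimikatz's own code, and it assumes it runs elevated on a domain controller with the RSAT ActiveDirectory module installed and, for the LSASS check, Sysmon logging Event ID 10. The function names are the example's own; the log path is the one given above (the alternate spelling mimilsa.log, which current Mimikatz builds write, is checked as well), and the Netlogon registry value DisablePasswordChange is the setting the machine-account module flips.

```powershell
# Added defender-side audit for the four persistence techniques listed above.
# Not part of Empire; assumes an elevated session on a domain controller with
# the RSAT ActiveDirectory module and (for Find-LsassAccess) Sysmon installed.

function Find-SuspiciousSidHistory {
    # SIDHistory normally holds SIDs from a *migrated* (foreign) domain. An
    # entry whose SID belongs to the current domain is the signature of an
    # injected SIDHistory, i.e. a "shadow admin".
    Import-Module ActiveDirectory -ErrorAction Stop
    $domainSid = (Get-ADDomain).DomainSID.Value
    Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory |
        ForEach-Object {
            $obj = $_
            foreach ($sid in $obj.sIDHistory) {
                [pscustomobject]@{
                    Object     = $obj.DistinguishedName
                    HistorySid = $sid.Value
                    SameDomain = $sid.Value.StartsWith("$domainSid-")
                }
            }
        } | Where-Object SameDomain
}

function Test-MemsspLog {
    # memssp writes a plaintext credential log under System32. The page gives
    # the name mimisla.log; current Mimikatz builds write mimilsa.log, so both
    # spellings are checked.
    foreach ($name in 'mimisla.log', 'mimilsa.log') {
        $path = Join-Path $env:SystemRoot "System32\$name"
        if (Test-Path $path) {
            [pscustomobject]@{ Path = $path; SizeBytes = (Get-Item $path).Length }
        }
    }
}

function Test-MachineAccountPasswordChange {
    # disable_machine_acct_change sets this Netlogon value to 1, freezing the
    # machine account password so a dumped hash stays valid indefinitely.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $val = (Get-ItemProperty -Path $key -Name DisablePasswordChange `
                -ErrorAction SilentlyContinue).DisablePasswordChange
    [pscustomobject]@{
        DisablePasswordChange = $val
        Tampered              = ($val -eq 1)
    }
}

function Find-LsassAccess {
    # The skeleton key lives only in LSASS memory, so there is no file to find;
    # look instead for processes that opened a handle to lsass.exe in the last
    # 24 hours (Sysmon Event ID 10, ProcessAccess). Expect legitimate entries
    # (AV, svchost) too: compare the list against a baseline from a clean DC.
    $since = (Get-Date).AddDays(-1)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 10
        StartTime = $since
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'TargetImage:\s+\S*\\lsass\.exe' } |
        ForEach-Object {
            # Pull the accessing process out of the event message text.
            $src = [regex]::Match($_.Message, 'SourceImage:\s+([^\r\n]+)').Groups[1].Value
            [pscustomobject]@{ Time = $_.TimeCreated; SourceImage = $src }
        } | Sort-Object SourceImage -Unique
}

# Run all four checks and print a short report.
'== Same-domain SIDHistory entries =='
Find-SuspiciousSidHistory | Format-Table -AutoSize
'== memssp log files =='
Test-MemsspLog | Format-Table -AutoSize
'== Machine account password change =='
Test-MachineAccountPasswordChange | Format-List
'== Processes that opened LSASS (24h) =='
Find-LsassAccess | Format-Table -AutoSize
```

Any same-domain SIDHistory entry, an existing memssp log, or DisablePasswordChange set to 1 is a direct indicator of the corresponding module; the LSASS handle list is only a lead, since the skeleton key leaves no on-disk artifact and several legitimate processes open LSASS, so it has to be read against a baseline from a known-clean domain controller.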