🔨Persistence Notes
Low Privilege Persistence
Startup Folder Persistence
The notes in this section assume the following:
Privilege escalation is not of concern.
You have access to at least a low-privilege user account.
Dropping shell scripts / binaries into the following folder will execute them on user login:
Registry Persistence
Provided the current user has permission to create registry values under 'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run', a backdoor executable / script can be registered to run at user logon.
The example below assumes a backdoor executable (backdoor.exe) is already stored in "C:\Users\%username%\AppData\Roaming\".
CMD:
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v Backdoor /t REG_SZ /d "C:\Users\%username%\AppData\Roaming\backdoor.exe"
Privileged Persistence
RDP Temp
User Creation
Persistence may exist through user accounts. Privileged accounts are able to create new users on the target system.
Registry Persistence
Again, the registry can be used to maintain persistence. The command below sets a binary to execute whenever any user logs into the system, by appending it to the Winlogon Userinit value.
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /d "Userinit.exe, C:\Users\Administrator\AppData\Roaming\backdoor.exe" /f
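The three autostart locations covered so far (the Startup folder, the HKCU Run key and the HKLM Winlogon Userinit value) are also the first places a defender checks. The script below is an added example, not part of the original notes: it enumerates those locations and flags entries that point at user-writable paths such as AppData or Temp, or that add a second program to Userinit. It assumes an elevated PowerShell 5.1+ session (needed to read HKLM and every user's Startup folder); the path heuristic is a constructed starting point, not a complete rule set.

```powershell
# Added defensive audit of the autostart locations discussed above.
# Assumes an elevated PowerShell 5.1+ session; the "user-writable path"
# pattern is a constructed heuristic to be tuned per environment.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$winlogonKey = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Directories a standard user can write to; a launcher stored here deserves a look.
$userWritablePattern = '(?i)\\(AppData|Temp|Downloads|Public|ProgramData)\\'

function Test-SuspiciousAutostart {
    param([string]$Command)
    return ($Command -match $userWritablePattern)
}

$findings = @()

# 1. Run / RunOnce values in both hives
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip provider metadata properties
        $findings += [pscustomobject]@{
            Source     = $key
            Name       = $prop.Name
            Command    = $prop.Value
            Suspicious = Test-SuspiciousAutostart $prop.Value
        }
    }
}

# 2. Winlogon Userinit / Shell. The stock Userinit value is
#    "C:\Windows\system32\userinit.exe," (trailing comma, nothing after it);
#    every additional comma-separated entry is an extra program Winlogon launches.
$wl = Get-ItemProperty -Path $winlogonKey
foreach ($name in 'Userinit', 'Shell') {
    $value = [string]$wl.$name
    $parts = @($value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $findings += [pscustomobject]@{
        Source     = $winlogonKey
        Name       = $name
        Command    = $value
        Suspicious = ($parts.Count -gt 1) -or (Test-SuspiciousAutostart $value)
    }
}

# 3. Startup folders: the all-users folder plus each profile's per-user folder
$startupDirs = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp")
foreach ($profile in Get-ChildItem 'C:\Users' -Directory) {
    $startupDirs += Join-Path $profile.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
}
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($file in Get-ChildItem $dir -File) {
        if ($file.Name -eq 'desktop.ini') { continue }
        $findings += [pscustomobject]@{
            Source     = $dir
            Name       = $file.Name
            Command    = $file.FullName
            Suspicious = $true   # anything besides desktop.ini here warrants review
        }
    }
}

$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run against a host where the `reg add` commands above have been applied, the HKCU Run value and the extra Userinit entry both surface with Suspicious set to True, because each points into an AppData directory; the Userinit row is flagged a second time because the value now has two comma-separated programs.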
Scheduled Tasks
The command below creates a scheduled task that executes 'ReverseShell.exe' every minute. The task is set to run as the SYSTEM account.
PowerShell with custom payload
Services
PowerShell can be leveraged to create a new service that, on boot, will execute a defined binary / script.
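The scheduled-task and service techniques above leave two distinctive traces: a task running as a high-privilege account on a tight repetition interval, and a service whose binary lives outside the Windows or Program Files trees. The script below is an added example, not part of the original notes, that reviews both. It assumes an elevated PowerShell 5.1+ session on Windows 8 / Server 2012 or later (for the ScheduledTasks module); the trusted-path and high-privilege patterns are constructed heuristics and the five-minute interval threshold is an arbitrary cut-off to tune.

```powershell
# Added defensive review of scheduled tasks and services for the persistence
# patterns described above. Assumes an elevated PowerShell 5.1+ session with
# the ScheduledTasks module; the regex heuristics below are constructed.

$trustedRoots     = '(?i)^"?[A-Z]:\\(Windows|Program Files|Program Files \(x86\))\\'
$highPrivAccounts = '(?i)^(NT AUTHORITY\\)?SYSTEM$|^Administrators?$'
$tightInterval    = [timespan]'00:05:00'

$taskFindings = foreach ($task in Get-ScheduledTask) {
    if ($task.TaskPath -like '\Microsoft\*') { continue }   # skip built-in tasks
    $runsAs = $task.Principal.UserId

    # Shortest repetition interval across the task's triggers, if any.
    # Intervals are ISO 8601 durations, e.g. "PT1M" for "every minute".
    $interval = $task.Triggers |
        Where-Object { $_.Repetition.Interval } |
        ForEach-Object { [System.Xml.XmlConvert]::ToTimeSpan($_.Repetition.Interval) } |
        Sort-Object | Select-Object -First 1

    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
        $cmd = "$($action.Execute) $($action.Arguments)".Trim()
        [pscustomobject]@{
            Task       = $task.TaskPath + $task.TaskName
            RunsAs     = $runsAs
            Interval   = $interval
            Command    = $cmd
            Suspicious = ($runsAs -match $highPrivAccounts) -and
                         (($interval -and $interval -le $tightInterval) -or
                          ($cmd -notmatch $trustedRoots))
        }
    }
}

$serviceFindings = foreach ($svc in Get-CimInstance Win32_Service) {
    $path = $svc.PathName
    if (-not $path) { continue }   # kernel/driver entries without a path
    [pscustomobject]@{
        Service    = $svc.Name
        StartMode  = $svc.StartMode
        RunsAs     = $svc.StartName
        Command    = $path
        Suspicious = ($path -notmatch $trustedRoots)
    }
}

"=== Non-Microsoft scheduled tasks ==="
$taskFindings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
"=== Services whose binary sits outside Windows / Program Files ==="
$serviceFindings | Where-Object Suspicious | Format-Table -AutoSize
```

A task matching the description above (SYSTEM principal, one-minute repetition, executable in a user profile) is flagged on both counts; legitimate third-party software installed under Program Files stays unflagged unless it also runs on a tight interval as SYSTEM, which is the case worth a second look anyway.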
Metasploit
The configured options are shown below. The STARTUP value can be changed from USER to SYSTEM if the session has the permissions required to perform that action.
Successful execution: