Let's be honest: implementing persistence on an assessment can be hard, messy, and get you caught. Fuzzy Security did an excellent overview of some of the most common techniques used today and how to implement them. You can find that blog post here.
Some of the persistence techniques mentioned are:
- Persistence through the Registry
- Scheduled Backdoors using Scheduled Tasks
- Process Resource Hooking
- Persistence through the MSDTC Service
- WMI Permanent Event Subscriptions
Personally, I like to use WMI as my persistence mechanism. It is hard to detect, difficult to remove, doesn't require payloads saved on disk, and can be implemented easily. So how does it work? At a very high level, establishing persistence is a three-step process:
- Establish an event filter to trigger on system boot
- Create a command line consumer to run the payload
- Set a binding that activates the command line consumer when the event filter fires
To make this process a little easier I decided to make a quick PowerShell script. The script is available on Github. Most of the code I used came from research done by Matt Graeber and some help from Andrew Luke. Specifically, here and here are two resources that I relied on heavily.
To use this script, edit the Payload to match your current environment. Then import the script and run Install-Persistence.
To make sure it installed correctly, simply run Check-WMI.
Finally, to remove persistence, ensure that the variables $EventFilterName and $EventConsumerName match the names assigned when it was installed. By default, these values are 'Cleanup' and 'DataCleanup' respectively. Then run Remove-Persistence to remove each element of persistence.
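The filter, consumer and binding triple described above is also exactly what a defender (or a Check-WMI style sanity check) needs to enumerate. The following is an added example, not the script from this post or its GitHub repo: it walks every binding in root\subscription, resolves the filter query and consumer command line behind it, and flags the post's default names. The function name and the $SuspectNames parameter are my own choices.

```powershell
# Added example: enumerate WMI permanent event subscriptions on the local host.
# Each __FilterToConsumerBinding points at one __EventFilter (the trigger) and
# one consumer (the action); listing them together shows any persistence triple.
function Get-WmiPersistence {
    [CmdletBinding()]
    param(
        # Hypothetical parameter: names worth flagging; defaults are the post's
        # default filter/consumer names ('Cleanup' / 'DataCleanup').
        [string[]]$SuspectNames = @('Cleanup', 'DataCleanup')
    )
    $ns = 'root\subscription'
    $filters   = @(Get-WmiObject -Namespace $ns -Class __EventFilter)
    $consumers = @(Get-WmiObject -Namespace $ns -Class CommandLineEventConsumer)
    $bindings  = @(Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding)

    # Binding references are object paths such as:  __EventFilter.Name="Cleanup"
    $nameRx = [regex]'Name="([^"]*)"'

    foreach ($b in $bindings) {
        $filterName   = $nameRx.Match($b.Filter).Groups[1].Value
        $consumerName = $nameRx.Match($b.Consumer).Groups[1].Value
        $f = $filters   | Where-Object { $_.Name -eq $filterName }   | Select-Object -First 1
        $c = $consumers | Where-Object { $_.Name -eq $consumerName } | Select-Object -First 1

        [PSCustomObject]@{
            FilterName    = $filterName
            Query         = $(if ($f) { $f.Query } else { '<filter not found>' })
            ConsumerName  = $consumerName
            ConsumerClass = ($b.Consumer -split '\.')[0]
            # Only CommandLineEventConsumer is resolved here; other consumer
            # classes (e.g. ActiveScriptEventConsumer) still show up via the binding.
            CommandLine   = $(if ($c) { $c.CommandLineTemplate } else { '<not a command line consumer>' })
            Suspect       = ($SuspectNames -contains $filterName) -or
                            ($SuspectNames -contains $consumerName)
        }
    }
}

# Usage: review every binding; anything whose query fires at boot and whose
# command line you do not recognise deserves a closer look.
Get-WmiPersistence | Format-Table -AutoSize
```

On hosts running Sysmon, the same filter, consumer and binding creations are logged as event IDs 19, 20 and 21, which gives a second place to look when the live enumeration has already been cleaned up.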
If you have any feedback, advice, or comments, let me know!