
Windows Persistence Techniques
Joas Antonio

Just an overview of some persistence techniques on Windows operating systems

https://www.linkedin.com/in/joas-antonio-dos-santos


Introduction
Addendum

https://media.howard.com/CNET/USER_MANUAL/2E5177A4-159B-4A2E-9BD8-AAD90ACB0981.pdf

https://nimax-img.de/Produktdownloads/addendum_18877.pdf

https://www.eldoled.com/cms_file.php?fromDB=5567

https://www.microsoft.com/en-us/licensing/product-licensing/products

https://www.energytrust.org/wp-content/uploads/2016/10/HES_FM_WindowsAddendum.pdf

https://github.com/Juanito99/Windows.Computer.DataOnDemand.Addendum


PrivEsc
Techniques
My ebook

https://drive.google.com/file/d/1Hjq_Hc8dQEF_ZhNFtGMrl2GELoryboyW/view?usp=sharing
Folder and Registry Keys

https://medium.com/r3d-buck3t/abuse-service-registry-acls-windows-privesc-f88079140509

https://book.hacktricks.xyz/windows/windows-local-privilege-escalation/privilege-escalation-with-autorun-binaries

https://book.hacktricks.xyz/windows/windows-local-privilege-escalation

https://pentestlab.blog/category/privilege-escalation/

https://dmcxblue.gitbook.io/red-team-notes/persistence/registry-keys-startup-folder

https://www.semperis.com/blog/group-policy-privilege-escalation/

https://infosecwriteups.com/privilege-escalation-in-windows-380bee3a2842


Logon Scripts

https://blog.gdssecurity.com/labs/2015/1/26/badsamba-exploiting-windows-startup-scripts-using-a-maliciou.html

https://github.com/frizb/Windows-Privilege-Escalation

https://www.hackingarticles.in/window-privilege-escalation-automated-script/

https://rahmatnurfauzi.medium.com/windows-privilege-escalation-scripts-techniques-30fa37bd194

https://dmcxblue.gitbook.io/red-team-notes/persistence/logon-scripts

https://hakin9.org/privescheck-privilege-escalation-enumeration-script-for-windows/
Screensaver

https://blogs.msmvps.com/donna/2004/11/24/microsoft-windows-logon-screensaver-local-privilege-escalation-vulnerability/

https://packetstormsecurity.com/files/137387/League-Of-Legends-Screensaver-File-Permission-Privilege-Escalation.html

https://www.w4rri0r.com/sequence-of-commands/privilege-escalation-attacks.html
DLL Proxying

https://itm4n.github.io/dll-proxying/

https://kevinalmansa.github.io/application%20security/DLL-Proxying/

https://www.ired.team/offensive-security/persistence/dll-proxying-for-persistence

https://github.com/tothi/dll-hijack-by-proxying

https://milosilo.com/hacking/microsoft-teams-proxy-dll-hijacking/

https://www.youtube.com/watch?v=raLnL4DdvKU

https://www.youtube.com/watch?v=tSdyfaJ7T50

https://www.cynet.com/attack-techniques-hands-on/dlls-and-ways-they-can-hurt-us/
Component Object Model

https://research.nccgroup.com/2020/04/15/cve-2019-1381-and-cve-2020-0859-how-misleading-documentation-led-to-a-broken-patch-for-a-windows-arbitrary-file-disclosure-vulnerability/

https://www.elastic.co/guide/en/security/7.x/component-object-model-hijacking.html

https://attack.mitre.org/techniques/T1559/001/

https://dmcxblue.gitbook.io/red-team-notes/execution/com


Elevated Scheduled Task

https://www.windowstricks.in/2018/08/how-to-run-the-powershell-script-in-scheduled-task-with-run-as-administrator.html

https://stackoverflow.com/questions/62245797/how-to-setup-a-powershell-script-in-windows-task-scheduler-with-admin-permission

https://superuser.com/questions/1640613/how-to-run-a-powershell-script-with-elevated-access-using-task-scheduler

https://blog.netwrix.com/2018/07/03/how-to-automate-powershell-scripts-with-task-scheduler/

https://www.reddit.com/r/PowerShell/comments/6qvp30/task_schedule_powershell_script_with_admin_rights/

https://o365reports.com/2019/08/02/schedule-powershell-script-task-scheduler/

https://pentestlab.blog/2019/11/04/persistence-scheduled-tasks/

https://www.elastic.co/guide/en/security/current/persistence-via-telemetrycontroller-scheduled-task-hijack.html

https://attack.mitre.org/techniques/T1053/005/
Multiaction Task

https://securitybyexpert.com/windows-persistence-multi-action-scheduled-task/

https://www.fireeye.com/blog/threat-research/2019/09/sharpersist-windows-persistence-toolkit.html

https://www.igi-global.com/dictionary/assessment-of-task-persistence/50930

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-manager/14-4/configuring/task-persistence.html

https://www.elastic.co/guide/en/security/7.x/persistence-via-telemetrycontroller-scheduled-task-hijack.html
WMI Event Subscription

https://pentestlab.blog/2020/01/21/persistence-wmi-event-subscription/

https://www.elastic.co/guide/en/security/current/persistence-via-wmi-event-subscription.html

https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96

https://www.mdsec.co.uk/2019/05/persistence-the-continued-or-prolonged-existence-of-something-part-3-wmi-event-subscription/

https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/

https://liberty-shell.com/sec/2019/06/16/wmi-persistence/

https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/asr-in-intune-for-quot-block-persistence-through-wmi-event/m-p/2068130

https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/40862476-asr-rule-block-persistence-through-wmi-event-subs

https://www.rapid7.com/db/modules/exploit/windows/local/wmi_persistence/
AppCert DLLs

https://www.elastic.co/guide/en/security/current/registry-persistence-via-appcert-dll.html

https://attack.mitre.org/techniques/T1546/009/

https://pentestlab.blog/2020/01/07/persistence-appinit-dlls/

https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html

https://github.com/ewilded/Windows_persistence/blob/master/REGISTRY.md

https://dmfrsecurity.com/2021/01/02/review-red-team-operator-windows-persistence-course-by-sektor7-institute/
AppInit DLLs

https://eforensicsmag.com/appinit-dll-injection-by-siddharth-sharma/

https://attack.mitre.org/techniques/T1546/010/

https://www.elastic.co/guide/en/security/current/registry-persistence-via-appinit-dll.html

https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html

https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.010/T1546.010.md

https://github.com/akapv/atomic-red-team/blob/master/Windows/Persistence/AppInit_DLLs.md

https://docs.microsoft.com/en-us/windows/win32/dlls/secure-boot-and-appinit-dlls

https://www.cyberhuntingguide.net/t1546010.html
Netsh Helper DLL

https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/

https://attack.mitre.org/techniques/T1546/007/

https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll

https://github.com/rtcrowley/Offensive-Netsh-Helper

https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/persistence/t1546-event-triggered-execution/netsh-helper-dll

https://www.hackingarticles.in/windows-persistence-using-netsh/

https://www.reddit.com/r/netsec/comments/donwj5/persistence_netsh_helper_dll/

https://liberty-shell.com/sec/2018/07/28/netshlep/

https://eqllib.readthedocs.io/en/latest/analytics/5f9a71f4-f5ef-4d35-aff8-f67d63d3c896.html
Time Provider Persistence

https://www.ired.team/offensive-security/persistence/t1209-hijacking-time-providers

https://pentestlab.blog/2019/10/22/persistence-time-providers/

https://attack.mitre.org/techniques/T1547/003/

https://github.com/elastic/detection-rules/issues/853

https://github.com/endgameinc/eqllib/blob/master/eqllib/analytics/persistence/T1209-persistence-time-providers.toml

https://institute.sektor7.net/rto-windows-persistence

https://medium.com/@gabriel.pirjolescu/demystifying-windows-malware-hunting-part-1-detecting-persistence-with-osquery-b53573c2aac0
Port Monitors

https://pentestlab.blog/2019/10/28/persistence-port-monitors/#:~:text=Interaction%20with%20the%20service%20is,configuration%2C%20data%20and%20monitor%20files.

https://www.hackingarticles.in/windows-persistence-port-monitors/

https://posts.slayerlabs.com/monitor-persistence/

https://github.com/airzero24/PortMonitorPersist

https://www.ired.team/offensive-security/persistence/t1013-addmonitor

https://windows-internals.com/printdemon-cve-2020-1048/


LSA as Persistence

https://adsecurity.org/?p=1760

https://attack.mitre.org/tactics/TA0003/

https://pentestlab.blog/2019/10/21/persistence-security-support-provider/

https://www.elastic.co/guide/en/security/current/potential-lsa-authentication-package-abuse.html

https://lifars.com/2021/01/common-malware-persistence-techniques/

https://www.csoonline.com/article/3393268/how-to-outwit-attackers-using-two-windows-registry-settings.html

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh994565(v=ws.11)

https://www.ndss-symposium.org/wp-content/uploads/2017/09/P01_3.pdf


Metasploit Persistence

https://www.hackingarticles.in/multiple-ways-to-persistence-on-windows-10-with-metasploit/

https://www.offensive-security.com/metasploit-unleashed/meterpreter-service/

https://www.offensive-security.com/metasploit-unleashed/persistent-backdoors/

https://www.hackers-arise.com/how-to-make-the-meterpreter-persistent

https://securityonline.info/automated-persistent-backdoor-metasploit/

https://secnhack.in/technique-to-persistence-on-windows-10-with-metasploit/

https://pentestlab.blog/2020/02/04/persistence-waitfor/

https://www.rapid7.com/db/modules/exploit/windows/local/persistence/

https://ways2hack.com/metasploit-framework/
