Persistent

Keep Calm and Persistent

Empire Persistence Module

  • Userland
  • Privilege
  • PowerBreach
  • Miscellaneous

Userland

  • no need to be admin
  • there are 3 ways:
    • registry
    • schtask
    • backdoor lnk

registry

  • two options: the default is RegPath, which writes to HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run so the launcher runs when the user logs in
  • the other is ADSPath, which stores the script in an alternate data stream of a txt file; to use this option both ADSPath and EventLogID have to be set.

Schtask

  • simple scheduled task, just set DailyTime (e.g. 20:00)

Backdoor LNK

  • takes an existing .lnk path and creates a launcher from the reg path

Privilege

  • need to be admin
  • registry module uses the HKLM Run key, which means the persistence comes from the system hive, not the user's
  • schtask includes more options such as OnLogon, and won't pop up a prompt
  • wmi module: permanent WMI subscription, fired on a timer you set or 5 mins after system startup.
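The four locations the Userland and Privilege notes describe (HKCU/HKLM Run keys, alternate data streams, scheduled tasks, and permanent WMI subscriptions) are all readable with built-in cmdlets, so a defender can audit a host for them directly. The script below is an added example, not code from these notes or from the Empire project; it is read-only, uses only standard Windows PowerShell cmdlets, and the "suspicious" regex is a constructed heuristic that should be tuned for the environment. Run it in an elevated session so the HKLM key, all tasks and root\subscription are visible.

```powershell
# Added example: read-only audit of the persistence locations described above.
# Assumes Windows PowerShell 3+ (Get-CimInstance, -Stream, -notin) on a Windows host.

function Get-RunKeyEntries {
    # Autorun values in the per-user (Userland) and machine-wide (Privilege) Run keys.
    $keys = @(
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip the provider's PSPath/PSParentPath metadata
            [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

function Get-SuspiciousRunKeyEntries {
    # Constructed heuristic: a Run value that launches PowerShell with encoded, hidden-window,
    # no-profile or Invoke-Expression arguments, or that reads a stream with Get-Content.
    Get-RunKeyEntries | Where-Object {
        $_.Command -match '(?i)powershell|pwsh' -and
        $_.Command -match '(?i)-enc|-w(indowstyle)? hidden|-nop|IEX|Invoke-Expression|Get-Content .*-Stream'
    }
}

function Get-AlternateDataStreams {
    param([string]$Path = $env:USERPROFILE)
    # Files carrying a stream other than the default :$DATA and the Zone.Identifier mark-of-the-web.
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -notin ':$DATA', 'Zone.Identifier' }
        } | Select-Object FileName, Stream, Length
}

function Get-ScheduledTaskActions {
    # Every task with its executable, arguments and trigger classes (logon, daily, boot, ...).
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            [pscustomobject]@{
                TaskName  = $task.TaskName
                Path      = $task.TaskPath
                Execute   = $a.Execute
                Arguments = $a.Arguments
                Triggers  = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join ','
            }
        }
    }
}

function Get-WmiPersistence {
    # Permanent WMI subscriptions live in root\subscription as a filter, a consumer and a binding;
    # a CommandLineEventConsumer bound to a timer or boot-time filter is what the wmi module creates.
    $ns = 'root\subscription'
    [pscustomobject]@{
        Filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter |
                        Select-Object Name, Query
        Consumers = Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer |
                        Select-Object Name, CommandLineTemplate
        Bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
                        Select-Object Filter, Consumer
    }
}

# Usage: run each check and review everything it returns.
Get-SuspiciousRunKeyEntries | Format-Table -AutoSize
Get-AlternateDataStreams | Format-Table -AutoSize
Get-ScheduledTaskActions | Where-Object { $_.Execute -match '(?i)powershell' } | Format-Table -AutoSize
Get-WmiPersistence
```

The WMI check is the one worth running on a schedule: unlike a Run key or a task, a permanent subscription has no entry in Task Scheduler or Autoruns-style views, so comparing the filter/consumer/binding lists against a known-good baseline is the practical detection.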

PowerBreach

  • focuses on memory, does not persist across reboot
  • includes a timeout; 0 is forever
  • it has 3 modules: eventlog, resolver, deaduser

EventLog

  • monitors for failed RDP logins with a specified username and launches the stager
  • the username needs to exist.

Resolver

  • continuously resolves the hostname
  • just an A record is needed for the trigger

Deaduser

  • periodically polls for the specified AD user
  • if the user no longer exists, triggers the stager

Miscellaneous

Invoke-WMIDebugger

  • sethc.exe
  • Utilman.exe
  • osk.exe
  • Narrator.exe
  • magnify.exe
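The accessibility binaries listed above are the classic targets for a "debugger" hijack, and the place to check for one is the Image File Execution Options key. The script below is an added example, not code from these notes or from Empire; it assumes the debugger module sets a Debugger value under that key for the chosen binary, and it only reads the registry.

```powershell
# Added example: report any Debugger value registered for the accessibility binaries
# named in the notes. Assumption: persistence is set through the IFEO Debugger value.
function Get-AccessibilityDebuggerHijack {
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    # Binary list taken from the notes above.
    $targets = 'sethc.exe', 'Utilman.exe', 'osk.exe', 'Narrator.exe', 'magnify.exe'
    foreach ($exe in $targets) {
        $key = "$ifeo\$exe"
        if (-not (Test-Path $key)) { continue }   # no subkey at all is the normal state
        $dbg = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            # Any Debugger value here is worth a look: a legitimate system has none for these binaries.
            [pscustomobject]@{ Binary = $exe; Debugger = $dbg; Key = $key }
        }
    }
}

# Usage: an empty result means no debugger is registered for any of the five binaries.
Get-AccessibilityDebuggerHijack | Format-Table -AutoSize
```

Because the key sits under HKLM, writing it requires admin rights, so a hit here also tells you the host was already compromised at that level; pair the check with Sysmon or security-log monitoring for registry writes under the Image File Execution Options path to catch the change when it happens rather than on the next audit.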

Reference

https://www.harmj0y.net/blog/empire/nothing-lasts-forever-persistence-with-empire/