🔮 Windows Persistence

Persistence Via Services

  • Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code. – MITRE ATT&CK

  • Gaining an initial foothold is not enough; you need to set up and maintain persistent access to your targets.

Creating a Persistent Service on the Victim System

To achieve persistence, you can create a new service on the victim system that connects back to your local machine every 5 seconds, even after a reboot. Use the Metasploit module /exploit/windows/local/persistence_service for this purpose.

Additionally, set up a listener on the same port and IP address specified in the payload to maintain the connection.

Persistence Via RDP

Creating a New User with Admin Permissions, Enabling RDP, and Hiding the User on a Victim Windows Machine

To create a new user with admin permissions, enable RDP (Remote Desktop Protocol) connection, and hide the user from appearing on the lock screen, run the following one-liner command in a Meterpreter shell:

run getgui -e -u <any_username> -p <any_pass>

Accessing the Victim Machine from Linux using xfreerdp

To access the victim machine from a Linux system, use xfreerdp with the following command:

xfreerdp /u:<given_user> /p:<given_pass> /v:<target_ip>

This command initiates an RDP connection from your Linux system to the target Windows machine using the provided username, password, and target IP address.
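An added defender-side example (hypothetical code, not from the page or from Metasploit) that correlates constructed Windows event records to surface both patterns described above: an auto-start service with a binary outside trusted directories (event 7045), and a new account that is made an administrator (4720, 4732), hidden from the logon screen through the Winlogon SpecialAccounts\UserList registry value, and reachable over RDP once fDenyTSConnections is 0 (4657). The flattened event field layout and every sample value are constructed; only the event IDs and registry names are real.

```python
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")

# Constructed sample events; the IDs are real Windows event IDs, the rest is made up.
SAMPLE_EVENTS = [
    {"id": 7045, "svc": "updsvc", "image": r"C:\Users\Public\upd.exe", "start": "auto"},
    {"id": 7045, "svc": "Spooler", "image": r"C:\Windows\System32\spoolsv.exe", "start": "auto"},
    {"id": 4720, "user": "svc_backup"},
    {"id": 4732, "user": "svc_backup", "group": "Administrators"},
    {"id": 4657, "key": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server",
     "value": "fDenyTSConnections", "data": "0"},
    {"id": 4657, "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList",
     "value": "svc_backup", "data": "0"},
]


def flag_services(events):
    """7045 (System log, Service Control Manager): a service was installed.
    Return auto-start services whose binary sits outside trusted directories,
    the shape a reconnecting persistence service typically takes."""
    return [e["svc"] for e in events
            if e["id"] == 7045 and e["start"] == "auto"
            and not e["image"].lower().startswith(TRUSTED_DIRS)]


def flag_hidden_admins(events):
    """Correlate per account: 4720 (account created), 4732 (added to the local
    Administrators group) and a 4657 registry change that lists the name under
    Winlogon\\SpecialAccounts\\UserList with data 0, which hides it from the
    logon screen. Also report whether fDenyTSConnections was set to 0 (RDP on).
    Returns (sorted list of hidden new admins, rdp_enabled)."""
    created, admins, hidden, rdp_enabled = set(), set(), set(), False
    for e in events:
        if e["id"] == 4720:
            created.add(e["user"])
        elif e["id"] == 4732 and e["group"].lower() == "administrators":
            admins.add(e["user"])
        elif e["id"] == 4657:
            if e["key"].lower().endswith(r"specialaccounts\userlist") and e["data"] == "0":
                hidden.add(e["value"])
            elif e["value"].lower() == "fdenytsconnections" and e["data"] == "0":
                rdp_enabled = True
    return sorted(created & admins & hidden), rdp_enabled


if __name__ == "__main__":
    print("suspicious auto-start services:", flag_services(SAMPLE_EVENTS))
    print("hidden new admins, RDP enabled:", flag_hidden_admins(SAMPLE_EVENTS))
```

On a real host the same logic applies to 7045 records from the System log and 4720/4732/4657 records from the Security log (4657 requires object access auditing on the two registry keys).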

Hacker's Mantra: In the hands of a hacker, a computer becomes a masterpiece.
