The Windows Persistence Map v0.1 is a comprehensive guide for cybersecurity professionals, red teams, and blue teams to understand various persistence techniques in Windows environments. Persistence mechanisms allow attackers to maintain access to a system even after reboots or logouts, making them a critical aspect of both offensive and defensive security strategies.
Read the full guide here: how2itsec.blogspot.com
You Should Know:
Common Windows Persistence Techniques
1. Registry Run Keys
Attackers often add malicious entries to Registry Run keys to execute payloads at startup.
Add a malicious entry (the HKCU hive is writable by the user, so this needs no admin rights; a value under HKLM\...\Run would survive for every user but needs elevation):
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "Backdoor" /t REG_SZ /d "C:\malware.exe" /f
Detection & Removal:
Check the Run key (repeat the query for HKEY_LOCAL_MACHINE\...\Run and for both RunOnce keys, which execute once and then delete themselves):
reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
Remove the malicious entry:
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "Backdoor" /f
2. Scheduled Tasks
Persistence can be achieved by creating scheduled tasks that trigger malicious payloads.
Create a task that runs the payload daily at midnight:
schtasks /create /tn "UpdateTask" /tr "C:\malware.exe" /sc daily /mo 1 /st 00:00
Detection & Removal:
List all tasks (add `/v` to the query to include the "Task To Run" field, which is the command you actually need to inspect; the default listing shows only names and next run times):
schtasks /query /fo list
Delete the malicious task:
schtasks /delete /tn "UpdateTask" /f
3. Service Installation
Attackers may install a malicious service to maintain persistence.
Create a service (requires administrator rights; from PowerShell call `sc.exe` explicitly, because `sc` there is an alias for Set-Content):
sc create "FakeService" binPath= "C:\malware.exe" start= auto
sc start "FakeService"
Detection & Removal:
List services (`sc query` shows names and states only; `sc qc <name>` prints the BINARY_PATH_NAME, which is what reveals a payload like C:\malware.exe):
sc query state= all
Remove the malicious service:
sc stop "FakeService"
sc delete "FakeService"
4. Startup Folder
Placing a malicious executable in the startup folder ensures execution at login.
Copy malware to the per-user startup folder (PowerShell: `copy` is an alias for Copy-Item and `$env:APPDATA` expands only in PowerShell; from cmd use `%APPDATA%` instead):
copy "C:\malware.exe" "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\"
Detection & Removal:
Check the startup folder (also check the all-users folder under $env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp, and resolve any .lnk shortcuts to their targets, since a shortcut can point anywhere):
dir "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\"
Remove the malicious file:
del "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\malware.exe"
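The four locations above are usually checked one at a time with the commands shown. The script below is an added example, not code from the original post or from the Windows Persistence Map, that audits all four in one pass (Run/RunOnce keys in both hives plus the 32-bit view, scheduled task actions, auto-start services, and both Startup folders) and flags any entry whose executable lives outside the Windows or Program Files trees. The function names and the "trusted roots" heuristic are this example's own choices; it assumes an elevated PowerShell 5.1 prompt on Windows 10 / Server 2016 or later (Get-ScheduledTask is not available on older versions).

```powershell
# Added example (not from the original post): one audit pass over the four
# autostart locations discussed above. Entries whose executable is outside the
# Windows or Program Files trees are flagged for review. Function names and the
# trusted-root heuristic are this example's own assumptions.

$TrustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramW6432) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Get-ExecutablePath {
    # Extract the program from a command line: a quoted path is taken whole,
    # an unquoted one ends at the first space. %VAR% references are expanded
    # because service and Run-key entries frequently use them.
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
        return $cmd.Trim('"')
    }
    return ($cmd -split '\s+')[0]
}

function Test-TrustedLocation {
    # Coarse filter only: C:\Windows\Temp and C:\Windows\Tasks are user-writable.
    param([string]$Path)
    if (-not $Path) { return $false }
    foreach ($root in $TrustedRoots) {
        if ($Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function New-Finding {
    param([string]$Source, [string]$Name, [string]$Command)
    $exe = Get-ExecutablePath $Command
    [pscustomobject]@{
        Source  = $Source
        Name    = $Name
        Command = $Command
        Exe     = $exe
        Flag    = -not (Test-TrustedLocation $exe)   # $true = review this one
    }
}

function Get-AutostartInventory {
    $out = @()
    $psNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    # 1. Registry Run / RunOnce, per-user and per-machine, plus the 32-bit view on x64
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -in $psNoise) { continue }   # provider metadata, not registry values
            $out += New-Finding "Registry:$key" $p.Name "$($p.Value)"
        }
    }

    # 2. Scheduled tasks: one finding per Exec action of every enabled task
    foreach ($task in Get-ScheduledTask | Where-Object State -ne 'Disabled') {
        foreach ($a in $task.Actions) {
            if (-not $a.Execute) { continue }   # COM-handler actions have no Execute
            $out += New-Finding "Task:$($task.TaskPath)" $task.TaskName ("$($a.Execute) $($a.Arguments)".Trim())
        }
    }

    # 3. Services that start automatically at boot
    foreach ($svc in Get-CimInstance Win32_Service -Filter "StartMode='Auto'") {
        $out += New-Finding 'Service' $svc.Name $svc.PathName
    }

    # 4. Per-user and all-users Startup folders; .lnk files are resolved to their target
    $shell = New-Object -ComObject WScript.Shell
    $startupDirs = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
                   "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
    foreach ($dir in $startupDirs) {
        if (-not (Test-Path $dir)) { continue }
        foreach ($f in Get-ChildItem -Path $dir -File) {
            $target = if ($f.Extension -eq '.lnk') { $shell.CreateShortcut($f.FullName).TargetPath } else { $f.FullName }
            $out += New-Finding "Startup:$dir" $f.Name $target
        }
    }
    $out
}

# Flagged entries first. A flag is a lead, not a verdict: confirm before deleting anything.
Get-AutostartInventory | Sort-Object Flag -Descending | Format-Table Flag, Source, Name, Exe -AutoSize
```

On a host with the examples from sections 1 to 4 planted, the Backdoor value, UpdateTask, FakeService and the startup-folder copy all resolve to C:\malware.exe and come out flagged, while svchost-hosted services and vendor updaters under Program Files do not. The path heuristic is deliberately coarse; pair it with signature checks (Get-AuthenticodeSignature on each Exe) and with a baseline from a known-good machine before treating a flag as malicious.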
5. WMI Event Subscription
Advanced attackers use WMI permanent event subscriptions: a filter (a WQL query) is bound to a consumer (a command line or script), and WMI runs the consumer whenever the query matches. The subscription lives in the WMI repository rather than as a file or Run key, which is why it is often missed.
Create a WMI event subscription (PowerShell, elevated; all three objects are created in the root\subscription namespace):
$filterArgs = @{
    EventNamespace = 'root\cimv2'
    Name           = 'MaliciousFilter'
    # WITHIN 60 sets a 60-second polling interval; this perf-counter instance changes constantly, so the consumer runs about once a minute
    Query          = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
    QueryLanguage  = 'WQL'
}
$filter = Set-WmiInstance -Namespace root\subscription -Class __EventFilter -Arguments $filterArgs
$consumerArgs = @{
    Name                = 'MaliciousConsumer'
    CommandLineTemplate = "C:\malware.exe"
}
$consumer = Set-WmiInstance -Namespace root\subscription -Class CommandLineEventConsumer -Arguments $consumerArgs
# The binding is what arms the subscription; a filter or consumer on its own does nothing
$bindingArgs = @{
    Filter   = $filter
    Consumer = $consumer
}
Set-WmiInstance -Namespace root\subscription -Class __FilterToConsumerBinding -Arguments $bindingArgs
Detection & Removal:
List WMI subscriptions (run all three; also query ActiveScriptEventConsumer, or the __EventConsumer base class, because script-based consumers do not appear in the CommandLineEventConsumer listing):
Get-WmiObject -Namespace root\subscription -Class __EventFilter
Get-WmiObject -Namespace root\subscription -Class CommandLineEventConsumer
Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding
Remove malicious WMI entries (binding first, so nothing can fire while the filter and consumer are being deleted; the Filter property of a binding is a reference path that contains the filter name):
Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding | Where-Object {$_.Filter -match 'MaliciousFilter'} | Remove-WmiObject
Get-WmiObject -Namespace root\subscription -Class __EventFilter | Where-Object {$_.Name -eq "MaliciousFilter"} | Remove-WmiObject
Get-WmiObject -Namespace root\subscription -Class CommandLineEventConsumer | Where-Object {$_.Name -eq "MaliciousConsumer"} | Remove-WmiObject
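Listing filters, consumers and bindings separately leaves the analyst to join them by hand. The script below is an added example, not code from the original post, that resolves every binding in root\subscription into one row (filter query, consumer type, consumer payload) and removes a subscription cleanly by filter name in the safe order (binding, consumer, filter). It uses the CIM cmdlets rather than Get-WmiObject because the latter was removed in PowerShell 7; with CIM, the Filter and Consumer reference properties of a binding come back as instances carrying the key property Name. Function names are this example's own; it assumes an elevated prompt.

```powershell
# Added example (not from the original post): resolve WMI event subscriptions
# into (filter query, consumer type, payload) rows and remove one by filter
# name, binding first. Function names are this example's own assumptions.

$Ns = 'root/subscription'

function Get-WmiPersistence {
    # Fetch filters and consumers once and index by Name so each binding can be
    # resolved in memory. Querying the __EventConsumer base class returns every
    # consumer type (CommandLine, ActiveScript, LogFile, ...) with its own class.
    $filters   = @{}
    $consumers = @{}
    Get-CimInstance -Namespace $Ns -ClassName __EventFilter   | ForEach-Object { $filters[$_.Name]   = $_ }
    Get-CimInstance -Namespace $Ns -ClassName __EventConsumer | ForEach-Object { $consumers[$_.Name] = $_ }

    foreach ($b in Get-CimInstance -Namespace $Ns -ClassName __FilterToConsumerBinding) {
        $f = $filters[$b.Filter.Name]
        $c = $consumers[$b.Consumer.Name]
        # What actually executes: a program for CommandLineEventConsumer,
        # inline VBScript/JScript or a script file for ActiveScriptEventConsumer.
        $payload = if ($c.CommandLineTemplate) { $c.CommandLineTemplate }
                   elseif ($c.ScriptText)       { $c.ScriptText }
                   elseif ($c.ScriptFileName)   { $c.ScriptFileName }
                   else { '<no executable payload>' }
        [pscustomobject]@{
            Filter       = $b.Filter.Name
            Query        = if ($f) { $f.Query } else { '<dangling reference>' }
            ConsumerType = if ($c) { $c.CimClass.CimClassName } else { '<dangling reference>' }
            Consumer     = $b.Consumer.Name
            Payload      = $payload
        }
    }
}

function Remove-WmiPersistence {
    # Delete the binding first so the subscription cannot fire while the
    # consumer and filter are still present, then the consumer, then the filter.
    param([Parameter(Mandatory)][string]$FilterName)
    $bindings = Get-CimInstance -Namespace $Ns -ClassName __FilterToConsumerBinding |
        Where-Object { $_.Filter.Name -eq $FilterName }
    foreach ($b in $bindings) {
        $consumerName = $b.Consumer.Name
        $b | Remove-CimInstance
        Get-CimInstance -Namespace $Ns -ClassName __EventConsumer |
            Where-Object Name -eq $consumerName | Remove-CimInstance
    }
    Get-CimInstance -Namespace $Ns -ClassName __EventFilter |
        Where-Object Name -eq $FilterName | Remove-CimInstance
}

# Review first; remove by filter name only once the row is confirmed malicious.
Get-WmiPersistence | Format-List
# Remove-WmiPersistence -FilterName 'MaliciousFilter'
```

On a clean Windows 10 host the only row is usually the built-in SCM Event Log filter bound to an NTEventLogEventConsumer; a CommandLineEventConsumer whose payload points into a user profile, Temp or the root of C:\ is what the section above is describing and warrants immediate attention.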
What Undercode Say:
Understanding Windows persistence techniques is crucial for both attackers and defenders. Red teams use these methods to maintain access, while blue teams must detect and remove them. Regular monitoring of Registry Run keys, scheduled tasks, services, startup folders, and WMI event subscriptions surfaces long-term compromises that a single malware scan would miss, because each of these locations is a place where a payload that was removed from disk can be re-launched or re-dropped at the next boot or logon.
Defensive Commands Recap:
- Monitor Registry: `reg query` on the HKCU and HKLM Run and RunOnce keys
- Check Tasks: `schtasks /query /fo list /v`
- Inspect Services: `sc query state= all`, then `sc qc <name>` for the binary path
- Scan Startup: `dir "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\"`
- Audit WMI: `Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding`
Expected Output:
None of the queries above returns an entry that cannot be attributed to a known application, an administrator, or a baseline taken from a known-good machine.
References:
Reported By: Florian Hansemann – Hackers Feeds