> For the complete documentation index, see [llms.txt](https://dmcxblue.gitbook.io/red-team-notes-2-0/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://dmcxblue.gitbook.io/red-team-notes-2-0/persistence/userland-persistence.md). # Userland Persistence These methods are only achievable by user-level permissions the operator wouldn't have access to anything that requires administrator privileges, but some techniques can be achieved as a user ### Registry Keys There are 2 categories of registry keys the SYSTEM and USER keys the user has access to edit the user keys and modify them as the user would like to but some that are to be mentioned are the Run and RunOnce keys, they are helpful since they would run when a user logs out or restarts the machine. An example of this technique using cmd is as follows this will execute a binary, but you can as well add a command to get executed instead of a binary on disk `reg add HKEY_CURRENT_USER\Software\Microsoft\CurrentVersion\Run /v 1 /d "C:\Windows\System32\calc.exe"` ![](/files/zxVrpmN4AFbDIRBN2lyf) We can verify this key created in the Registry ![](/files/FJPLN50jtEWjHVFpftSJ) Once added successfully the user once login back to the workstation by locking or restarting the binary should be executed ![](/files/3bR97YIrpZmW3EFKkrqU) Demo: ### Startup Folder The startup up folder is a folder that contains programs that will initiate at boot time once a user has logged onto their session, this is another great method for user persistence as the user has written permissions in their startup folder. A simple bat file left on the user's startup folder will execute once the user logs back in ![](/files/ScnB7t15lvK8h2pjXtn4) Demo: ![](/files/jLqYpJ3vxLuLN4cufrPe) ### Scheduled Tasks Utilities such as schtasks can be used to schedule programs or scripts to be executed at a date and time specified by the user. Operators can use this feature to have code execution or binaries executed at a certain time of day to receive their persistent shell on the workstation `schtasks /create /sc minute /mo 1 /tn "Taxes" /tr C:\Windows\System32\calc.exe` ![](/files/FMD1r73HHZUKn2gWJ31l) Demo: --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://dmcxblue.gitbook.io/red-team-notes-2-0/persistence/userland-persistence.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.