Userland Persistence

These methods are only achievable by user-level permissions the operator wouldn't have access to anything that requires administrator privileges, but some techniques can be achieved as a user

Registry Keys

There are 2 categories of registry keys the SYSTEM and USER keys the user has access to edit the user keys and modify them as the user would like to but some that are to be mentioned are the Run and RunOnce keys, they are helpful since they would run when a user logs out or restarts the machine.

An example of this technique using cmd is as follows this will execute a binary, but you can as well add a command to get executed instead of a binary on disk

reg add HKEY_CURRENT_USER\Software\Microsoft\CurrentVersion\Run /v 1 /d "C:\Windows\System32\calc.exe"

We can verify this key created in the Registry

Once added successfully the user once login back to the workstation by locking or restarting the binary should be executed


Startup Folder

The startup up folder is a folder that contains programs that will initiate at boot time once a user has logged onto their session, this is another great method for user persistence as the user has written permissions in their startup folder.

A simple bat file left on the user's startup folder will execute once the user logs back in


Scheduled Tasks

Utilities such as schtasks can be used to schedule programs or scripts to be executed at a date and time specified by the user. Operators can use this feature to have code execution or binaries executed at a certain time of day to receive their persistent shell on the workstation

schtasks /create /sc minute /mo 1 /tn "Taxes" /tr C:\Windows\System32\calc.exe


Last updated