10 - Persistence
#Ethical Note
Persistence techniques should only be deployed when explicitly authorized in the engagement scope and rules of engagement. In most penetration tests, persistence is demonstrated as proof-of-concept and immediately cleaned up. Unauthorized persistence may constitute illegal access. Always document persistence mechanisms and remove them during the cleanup phase.
#Overview
Persistence ensures continued access to compromised systems across reboots, user logoffs, password changes, and other disruptions. In Windows environments, persistence mechanisms range from registry modifications to service creation, WMI event subscriptions, and Kerberos ticket forgery. In Linux environments, SSH keys, cron jobs, systemd services, and shared library injection are common methods. The choice of persistence mechanism balances reliability against stealth.
#Method Selection Criteria
| Factor | Impact on Choice |
|---|---|
| Privilege level | Kernel-level persistence requires root; user-level persistence is simpler |
| Reboot frequency | Methods that survive reboots (services, scheduled tasks) vs those that do not (memory-only) |
| Detection risk | Services and registry keys are monitored; WMI subscriptions and COM hijacking are stealthier |
| Recovery difficulty | Some methods are destructive (Skeleton Key) and hard to clean up |
| Engagement duration | Short-term persistence (days) vs long-term (weeks/months) |
#Windows Persistence Methods Summary
| Method | Requires Admin | Survives Reboot | Stealth | Cleanup Difficulty |
|---|---|---|---|---|
| Scheduled Task | No* | Yes | Medium | Easy |
| Registry Run Keys | No* | Yes | Low | Easy |
| WMI Event Subscription | Yes | Yes | High | Medium |
| Service Creation | Yes | Yes | Low | Medium |
| Startup Folder | No | Yes | Low | Easy |
| DLL Hijacking | Yes | Yes | Medium | Hard |
| Winlogon Replacement | Yes | Yes | Low | Hard |
| COM Hijacking | No | Yes | High | Medium |
| IFEO Debugger | Yes | Yes | Low | Easy |
| Golden Ticket | Domain Admin | Yes (10 years) | Medium | Hard |
| Silver Ticket | Service account hash | Yes (for the ticket's lifetime) | High | Medium |
| Skeleton Key | Domain Admin | No | Medium | Destructive |
| DSRM Password | Domain Admin | Yes | Low | Medium |
| AdminSDHolder | Domain Admin | Yes | Medium | Hard |
*Admin is not required for a user-level scheduled task that runs as the current user rather than as SYSTEM.
#Linux Persistence Methods Summary
| Method | Requires Root | Survives Reboot | Stealth | Cleanup Difficulty |
|---|---|---|---|---|
| SSH Authorized Keys | No | Yes | Low | Easy |
| Cron Jobs | No* | Yes | Medium | Easy |
| Systemd Service | Yes | Yes | Low | Medium |
| .bashrc/.profile | No | Yes (per-login) | Low | Easy |
| MOTD Tampering | Yes | Yes (per-login) | Medium | Medium |
| LD_PRELOAD | Yes | Yes | High | Medium |
| Web Shell | No | Yes | Low | Easy |
| PAM Backdoor | Yes | Yes | High | Hard |
*Root is not required for the current user's own crontab.
#Cleanup Principles
- Document every persistence mechanism during deployment
- Remove in reverse order (last created, first removed)
- Verify removal by rebooting and attempting reconnection
- Restore original file timestamps and permissions where possible
- Clear all related log entries
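As an added example (not part of the original notes), the script below applies the first and third cleanup principles to the Linux methods in the table above: it hashes the SSH authorized keys, login scripts, cron entries, systemd units, MOTD scripts, /etc/ld.so.preload and PAM configuration into a baseline before persistence is deployed, and diffs a fresh snapshot against that baseline after cleanup; a defender can run the same diff on a schedule as an integrity check. It assumes GNU findutils/coreutils and a Debian/RHEL-style layout; ROOT is an assumed variable that lets the functions run against a constructed test tree.

```shell
#!/usr/bin/env bash
# Snapshot the Linux persistence locations from the table above so that a
# baseline taken before deployment can be diffed after cleanup (or on a
# schedule, as a defender's integrity check). Assumes GNU findutils/coreutils
# and a Debian/RHEL-style layout; ROOT (default /) is an assumed variable that
# lets the same functions run against a constructed test tree.

# snapshot ROOT OUTFILE: write sorted "sha256  /path" lines for every regular
# file in a persistence location; paths are stored relative to ROOT.
snapshot() {
    local root="${1%/}" out="$2" h p
    {
        # Per-user: SSH authorized keys and login scripts in /root and /home/*.
        for h in "$root"/root "$root"/home/*; do
            [ -d "$h" ] || continue
            find "$h" -maxdepth 2 -type f \
                \( -name authorized_keys -o -name .bashrc -o -name .profile \) -print0
        done
        # System-wide: cron, systemd units, MOTD scripts, LD_PRELOAD list, PAM config.
        for p in etc/crontab etc/cron.d var/spool/cron etc/systemd/system \
                 etc/update-motd.d etc/ld.so.preload etc/pam.d; do
            [ -e "$root/$p" ] && find "$root/$p" -type f -print0
        done
    } | sort -z | xargs -0 -r sha256sum | sed "s#  $root/#  /#" > "$out"
}

# compare BASELINE CURRENT: return 0 when identical, otherwise list the entries
# that differ (an added key, unit, cron job or preload entry shows up here)
# and return 1.
compare() {
    local changes
    if changes=$(diff "$1" "$2"); then
        return 0
    fi
    printf '%s\n' "$changes" | grep -E '^[<>] ' \
        | sed 's/^< /only in baseline: /; s/^> /only in current:  /'
    return 1
}

# Usage: ./persist_audit.sh baseline [file]   (before deploying persistence)
#        ./persist_audit.sh verify   [file]   (after cleanup, or periodically)
case "${1:-}" in
    baseline) snapshot "${ROOT:-/}" "${2:-persist-baseline.txt}" ;;
    verify)   now=$(mktemp); snapshot "${ROOT:-/}" "$now"
              compare "${2:-persist-baseline.txt}" "$now"; rc=$?; rm -f "$now"; exit "$rc" ;;
esac
```

A non-zero exit from `verify` means something in those locations still differs from the baseline, which is exactly the condition the cleanup phase has to drive to zero.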
#Cross-References
#Tool References
| Tool | Link |
|---|---|
| mimikatz | https://github.com/gentilkiwi/mimikatz |
| Rubeus | https://github.com/GhostPack/Rubeus |
| schtasks (built-in) | Windows native |
| systemctl (built-in) | Linux native |
#Source Machines
- Return (Easy, AD) - Service binary modification for persistence via Server Operators
- Jeeves (Medium, Windows) - Service manipulation for privilege escalation