Windows Persistence

Persistence is the act of setting up a back door to allow access in the future. If you go through all the effort of getting access to a target, you want to make sure you can get back in later. Maybe the exploit is fixed, the password is changed or the service is stopped.

Persistence can be achieved at initial access, but these tend to be more obvious to a defender than administrator persistence. One option can be to create persistence at initial access, and then to clean up once you have escalated and gained persistence at a higher level.

This page focuses on Admin Persistence, not user level.

A good chunk of this page comes from my practice in https://tryhackme.com/room/windowslocalpersistence

---

Modifying a lower level account

These methods focus on giving rights (both explicit and hidden) to low level accounts with the purpose of hiding as one of those users. In some situations, admin accounts are well known and highly monitored, with regular password changes and ‘JustInTime’ access. User accounts may be less closely guarded and monitored. Or maybe you are that user and want to escalate yourself now that you have escalated a console.