Course 16 - Red Team Ethical Hacking Beginner Course | Episode 6: Windows Persistence Strategies: Registry, Scheduled Tasks, Services, WMI

Published 4 months, 3 weeks ago
Description
In this lesson, you’ll learn about:
  • The purpose of persistence in red team operations
  • Common local Windows persistence mechanisms and how they function
  • Event-driven persistence using WMI
  • The difference between host-level and domain-level persistence
  • Why Kerberos Golden Tickets represent a critical enterprise risk
Overview

This lesson provides a comprehensive technical explanation of Windows persistence strategies, focusing on how attackers maintain long-term access after an initial compromise. Persistence is a post-exploitation objective that ensures access survives:
  • System reboots
  • User logouts
  • Password changes
  • Partial remediation efforts
All techniques discussed are framed within authorized red team engagements, defensive awareness training, and detection engineering contexts.

1. Local System Persistence Techniques

Local persistence mechanisms ensure continued execution of malicious code on a single compromised host.

1.1 Registry Run Keys

Concept
Windows supports registry keys that automatically launch applications when users log in.

How It Works
  • A startup entry is added to a global registry location
  • The payload executes whenever any user logs in
  • The method survives reboots and user changes
Why It’s Effective
  • Simple and reliable
  • Commonly abused by malware
  • Often overlooked during basic incident response
Defensive Insight
Security teams should monitor:
  • Startup registry locations
  • Unsigned or unusual binaries referenced by run keys
1.2 Scheduled Tasks

Concept
Scheduled Tasks allow programs to execute automatically based on time or system conditions.

How It Works
  • A background task is created to run repeatedly
  • Execution can be time-based or event-based
  • The task operates independently of user interaction
Why It’s Effective
  • Blends in with legitimate administrative activity
  • Can execute frequently to re-establish access
  • Flexible timing and execution context
Defensive Insight
Blue teams should audit:
  • Newly created or modified tasks
  • Tasks executing from unusual directories
1.3 Windows Services (SCM)

Concept
Windows services start automatically when the system boots and typically run with elevated privileges.

How It Works
  • A service is configured to launch at startup
  • Execution occurs before user login
  • Often runs with SYSTEM-level permissions
Why It’s Effective
  • Highly persistent
  • Very powerful privilege context
  • Survives reboots consistently
Defensive Insight
Detection should focus on:
  • New or modified services
  • Services running unsigned or unexpected executables
1.4 WMI Event Subscriptions (Advanced Persistence)

Concept
Windows Management Instrumentation (WMI) supports event-driven automation, which can be abused for stealthy persistence.

Architecture
WMI persistence consists of three logical components:
  1. Event Filter – Watches for a specific system condition
  2. Consumer – Defines the action to perform
  3. Binding – Connects the event to the action
Why It’s Effective
  • No visible startup entries
  • No scheduled tasks or services
  • Triggers only when specific events occur
Defensive Insight
This is one of the hardest techniques to detect. Monitoring requires:
  • WMI repository inspection
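As an added example, not part of the episode's material: a PowerShell audit script that walks the four persistence locations covered above (Run keys, scheduled tasks, services, WMI subscriptions) and reports entries whose executable sits outside the Windows or Program Files trees or lacks a valid Authenticode signature, which is the checklist the Defensive Insight notes describe. The trusted-root list and the rule that an unsigned or missing binary counts as suspicious are assumptions to tune per environment.

```powershell
# Added audit script (not from the lesson): enumerate the four persistence locations
# covered above and flag entries whose executable lives outside the Windows/Program Files
# trees or lacks a valid Authenticode signature. Run elevated; the trusted-root list is an assumption.
$TrustedRoots = @(@($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ })
$Findings = New-Object System.Collections.Generic.List[object]
function Get-ExecutablePath([string]$CommandLine) {
    # '"C:\x\a.exe" /q' and 'C:\x\a.exe /q' -> C:\x\a.exe; bare names are resolved through PATH
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $exe = if ($CommandLine -match '^"([^"]+)"') { $Matches[1] } else { ($CommandLine -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if (-not [IO.Path]::IsPathRooted($exe)) { $cmd = Get-Command $exe -ErrorAction SilentlyContinue; if ($cmd) { $exe = $cmd.Source } }
    return $exe
}
function Test-Suspicious([string]$Exe) {
    if (-not $Exe) { return $false }
    $trusted = [bool]($TrustedRoots | Where-Object { $Exe.StartsWith($_, 'OrdinalIgnoreCase') })
    # A file that cannot be found is treated as unsigned: dangling entry or hidden from this view
    $signed = (Test-Path -LiteralPath $Exe) -and ((Get-AuthenticodeSignature -FilePath $Exe).Status -eq 'Valid')
    return (-not $trusted) -or (-not $signed)
}
function Add-Finding($Source, $Name, $Command) {
    if (Test-Suspicious (Get-ExecutablePath $Command)) {
        $Findings.Add([pscustomobject]@{ Source = $Source; Name = $Name; Command = $Command })
    }
}
# 1.1 Registry Run keys: HKLM fires for every user who logs in, HKCU only for the current one
foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
        Add-Finding 'RunKey' "$key\$($p.Name)" ([string]$p.Value)
    }
}
# 1.2 Scheduled tasks: every exec action of every registered task
foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions | Where-Object { $_.Execute }) {
        Add-Finding 'ScheduledTask' ($task.TaskPath + $task.TaskName) "$($a.Execute) $($a.Arguments)"
    }
}
# 1.3 Services: the binary the SCM launches at boot, usually as SYSTEM
foreach ($svc in Get-CimInstance -ClassName Win32_Service) { Add-Finding 'Service' $svc.Name $svc.PathName }
# 1.4 WMI: every consumer in root\subscription is listed for review rather than scored,
# since legitimate ones are rare and the action text (command line or script) is what matters
foreach ($c in Get-CimInstance -Namespace root\subscription -ClassName __EventConsumer) {
    $Findings.Add([pscustomobject]@{ Source = 'WMIConsumer'; Name = $c.Name; Command = "$($c.CommandLineTemplate)$($c.ScriptText)" })
}
$Findings | Format-Table -AutoSize -Wrap
```

Pair the WMI rows with the matching __EventFilter queries from the same namespace to see which event (for example a logon or a timer) triggers each consumer.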