|\ __________                          __   __                         __
         | |   __     |          _____ __    __\__/_|  |_ __ ___   _____   ___ |  |\_____     
         | |  /  \    |         /  _  \  \  /  /  |_    _|  /   \ /  _  \ /  _ \  |/  _  \    
         | |  \  /___ |        /  /_\  \  \/  /|  | |  |\|   /\  \  / \  \  / \   |  /_\  \   
         | |__/    _ \|        |  _____||    |\|  | |  | |  |\|  |  |\|  |  |\|   |  _____|\  
         | |___/\  \\_\        \  \____/  /\  \|  | |  | |  | |  |  \_/  /  \_/   |  \___ \|  
         | |    /   \_|         \_____/__/ /\__\__| |__| |__| |__|\_____/ \____/__|\_____/\   
         | |   / / \___|         \____\__\/  \__\__\|\__\|\__\|\__\\____\/ \___\\__\\____\/   
         | |__/_/_____|     

Last changed: 09.11.2018

Malware Persistence


Below I list a selection of the most presend persistend methods found in malware. A huge collection of persistence methods can be found on http://www.hexacorn.com/blog/2017/01/28/beyond-good-ol-run-key-all-parts/.

run keys (admin privileges)

Create a value my_program REG_SZ 'evil.exe' in


run keys (user privileges)

Create a value my_program REG_SZ 'evil.exe' in


or a value Run REG_SZ 'evil.exe' in

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows

logon scripts

Create a value UserInitMprLogonScript in




custom shell

Create a value Shell in

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon


HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

The malware should run explorer.exe.

authentication packages

Create a value Authentication Package REG_MULTI_SZ 'mydll.dll' or Security Packages REG_MULTI_SZ 'mydll.dll' in


dll load order

If a program imports functions from a dll which is not in the program folder and not in

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs

a malicious dll with the same name in the program folder will get loaded instead.


All applications calling CreateProcess will load dlls from the key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls

Create a value my_dll REG_EXPAND_SZ 'mydll.dll'


Affects all applications calling ShellExecute

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths

A subkey cmd.exe value (Standard) REG_SZ 'c:\evil.exe' will run evil.exe if cmd.exe shall be executed by the affected application.


To create a service from the command line see the pentesting commands for windows.

Installed services can be found in the key


As drivers are installed as a service with type= kernel rootkits could be found here as well.

scheduled tasks

The command to create a scheduled task from the command line can also be found in the pentesting commands for windows.

The task will be run by the Scheduler service.

COM hijacking

Create/replace the InprocServer32 key for COM Object with the malicious dll.

Look at https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/ for a nice summary.

WMI persistence

See https://github.com/n0pe-sled/WMI-Persistence/blob/master/WMI-Persistence.ps1 for powershell scripts which create and show WMI persistence.


rc files



cron and anacron

Every user can create its own jobs with crontab. The jobs are stored in a file in the folder /var/spool/cron/crontab/ with the name of the user.

echo '* * * * * /usr/bin/wall hello' | crontab -

As root user system wide jobs can be stored in /etc/crontab or in a crontab like file in /etc/cron.d. Alternatively an executables can be put into one of the folders /etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly or /etc/cron.monthly.

If anacron is installed it will do the daily, weekly and monthly jobs instead of cron to ensure execution of jobs, which were missed due to system downtime. Jobs specifically for anacron can also be put in the file /etc/anacrontab.

systemd services

Services in systemd are configured in unit files. To show the path where systemd looks for unit files run

systemctl show --property=UnitPath | cat

To view the content of a unit file use the command

systemctl cat <name>.service

unit files can be created manually with a text editor or by running

systemctl edit --force --full example.service


Description=Set suid bit on sed
ExecStart=chmod 4755 `which sed`

Services are started automatically if their corresponding target is run (like SysV runlevels). To show the current targets use

systemctl list-units --type=target
systemctl get-default

To link a service to a certain target put a symlink in the folder /etc/systemd/system/<my_target>.target.wants/ or enable the service with

systemctl enable example.service

systemd timers

Systemd offers its own method of scheduling jobs called timers. Exsisting timers can by shown by running

systemctl list-timers

Timers consist of a timer unit file and a matching service unit file. When a service is started by a timer it does not need the [Install] section.


Description=Run example.service weekly


To load a library into every created process the environment variable LD_PRELOAD can be used.

#include <stdio.h>
void __attribute__ ((constructor)) init(void){

Compile and test this behavior with

gcc -fPIC -shared -o lib.so lib.c
LD_PRELOAD=$PWD/lib.so ls

To make this change permanent the export can be written into one of the rc files or the path to the library can be put into /etc/ld.so.preload.

networking hooks

Depending on the networking client different methods exist to automatically run a script when a connection is established.