Elevated Persistence

The persistence/elevated/* modules allow for reboot persistence from an elevated context (i.e. with administrative privileges). If a Listener is specified, the staging code for an Empire agent is automatically generated and used as the script logic to trigger. If an ExtFile is specified (e.g. if you wanted to generate a PowerBreach backdoor and use that instead), the file is encoded appropriately and used in place of the stager.

The modules are broken up by trigger mechanism, and each one lets you choose among several storage locations. For elevated modules, the storage locations are the registry (within the HKLM hive), an alternate data stream, the Application event log, and (eventually) WMI classes. Full cleanup is available if you specify the Cleanup command, which removes the specified trigger and the stored script logic. Note: if the logic is stored in the Application event log, Cleanup will not clear that stored script logic.

The current trigger options available are:

  • persistence/elevated/registry – sets a value in HKLM:Software\Microsoft\Windows\CurrentVersion\Run to execute the script from whatever storage mechanism is selected. This causes the script to run whenever any user logs in. This has an easy detection/removal rating.
  • persistence/elevated/schtask – configures a scheduled task to execute the script from whatever storage mechanism is selected. The task can fire at a DailyTime (HH:mm form), when the user has been idle for IdleTime seconds, or when any user logs in with OnLogon. This has a moderate detection/removal rating.
  • persistence/elevated/wmi – configures a permanent WMI event subscription to fire the stored script logic. The subscription can fire at a DailyTime (HH:mm form) or at system startup with AtStartup. This has a difficult detection/removal rating.
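The three detection/removal ratings above correspond to three places an administrator or responder can inspect. As an added audit example (not Empire's own code), the following PowerShell function enumerates all three trigger locations on the local host: the HKLM Run key, scheduled task actions that invoke PowerShell, and permanent WMI filter-to-consumer bindings. It assumes an elevated Windows PowerShell 5.1 or later session; the Get-ElevatedPersistenceTriggers name is ours.

```powershell
# Added audit example, not part of the Empire project. Run from an elevated
# PowerShell session: reading root/subscription and all scheduled tasks
# requires administrative rights.
function Get-ElevatedPersistenceTriggers {
    [CmdletBinding()]
    param()

    $findings = @()

    # 1. HKLM Run key (persistence/elevated/registry). Every value here is
    #    executed at logon for any user, so each entry is worth a review.
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $props  = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($props) {
        foreach ($p in $props.PSObject.Properties) {
            # Skip the provider metadata properties PowerShell adds to the object.
            if ($p.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$') {
                $findings += [pscustomobject]@{ Trigger = 'RunKey'; Name = $p.Name; Command = [string]$p.Value }
            }
        }
    }

    # 2. Scheduled tasks (persistence/elevated/schtask). Only actions that
    #    launch a PowerShell host are reported, since that is what the
    #    module's triggers invoke to run the stored script logic.
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)".Trim()
            if ($cmd -match 'powershell|pwsh') {
                $findings += [pscustomobject]@{ Trigger = 'SchTask'; Name = "$($task.TaskPath)$($task.TaskName)"; Command = $cmd }
            }
        }
    }

    # 3. Permanent WMI subscriptions (persistence/elevated/wmi). A binding
    #    ties an __EventFilter (when to fire) to an __EventConsumer (what to
    #    run); the consumer's template or script text is the payload.
    $ns = 'root/subscription'
    foreach ($b in Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue) {
        $consumer = Get-CimInstance -Namespace $ns -ClassName __EventConsumer -ErrorAction SilentlyContinue |
                    Where-Object Name -eq $b.Consumer.Name
        $cmd = if ($consumer.CommandLineTemplate) { $consumer.CommandLineTemplate }
               elseif ($consumer.ScriptText)      { $consumer.ScriptText }
               else                               { '<no command-line or script consumer>' }
        $findings += [pscustomobject]@{ Trigger = 'WMI'; Name = "$($b.Filter.Name) -> $($b.Consumer.Name)"; Command = $cmd }
    }

    $findings
}

Get-ElevatedPersistenceTriggers | Format-Table -AutoSize -Wrap
```

Compare the output against a known-good baseline from the same host or image; a Run value, PowerShell task, or WMI binding that is absent from the baseline is the item to investigate and remove.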