Userland Persistence

The persistence/userland/* modules allow for reboot-persistence from userland (i.e. without needing administrative privileges). If a Listener is specified, then the staging code for an Empire agent is automatically generated and used as the script logic to trigger. If an ExtFile is specified (e.g. if you wanted to generate a PowerBreach backdoor and use that instead), then the file is encoded appropriately and used instead.

The modules are broken up by trigger mechanism, and each one has various storage locations specifiable within it. For userland modules, the storage locations are in the registry (within the HKCU hive), in an alternate data stream, or within the Application event log. Full cleanup is available if you specify the Cleanup command, which will remove the specified trigger and stored script logic. Note: if the logic is stored in the Application event log, this stored script logic won't be cleared.

The current trigger options available are:

  • persistence/userland/registry – sets a value in HKCU:Software\Microsoft\Windows\CurrentVersion\Run to execute the script in whatever storage mechanism is selected. This will cause the script to run only when this user logs in.
  • persistence/userland/schtask – configures a scheduled task to execute the script in whatever storage mechanism is selected. The script can fire at a DailyTime (HH:mm form), or when the user has been idle for IdleTime seconds.
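From the defender's side, the registry trigger described above leaves a concrete artifact: a write under the per-user Run key whose value typically launches PowerShell with an encoded command, reads the payload back out of an alternate data stream or the registry, and hands it to Invoke-Expression. The following is an added audit example, not Empire's own code, that scans registry value-set records for exactly that pattern. The records are constructed inline (the SID, value names and commands are made up) and are modelled loosely on the target/value pairs a registry-monitoring sensor such as Sysmon reports; the HKU\<SID> prefix is assumed because such sensors log HKCU writes under the user's SID rather than as HKCU. The indicator list is a starting point chosen for this page's storage options, not an exhaustive rule set.

```python
"""Audit example (added here, not part of Empire): flag writes to the per-user
Run key that look like script-staging persistence triggers."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample records: (registry target object, value written).
# SID, value names and commands are invented for this example.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "powershell -NoP -W Hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    ("HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"),
    ("HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Sync",
     "cmd /c powershell -c \"Get-Content C:\\Users\\alice\\notes.txt:hidden | iex\""),
    # Unrelated per-user write: not a Run key, so it should not be reported.
    ("HKU\\S-1-5-21-1111\\Software\\Classes\\Local Settings\\Example", "1"),
]

# Matches a value name directly under a user's Run or RunOnce key. The match is
# not anchored on HKCU because sensors usually record the hive as HKU\<SID>.
RUN_KEY = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)

# Each indicator corresponds to one piece of the trigger/storage combination
# described on this page: encoded launcher, hidden window, payload read from
# an alternate data stream, the registry or the event log, then Invoke-Expression.
INDICATORS = {
    "encoded_command": re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "invoke_expression": re.compile(r"\biex\b|invoke-expression", re.I),
    # file.ext:stream, the shape of an alternate-data-stream reference
    "alternate_data_stream": re.compile(r"\w+\.\w+:\w+"),
    "registry_read": re.compile(r"get-itemproperty|\bgp\s+hkcu", re.I),
    "event_log_read": re.compile(r"get-eventlog|get-winevent", re.I),
}


@dataclass
class Finding:
    value_name: str
    command: str
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Any Run-key write is worth listing; one with indicators deserves triage.
        return bool(self.reasons)


def audit_run_key_writes(events: List[Tuple[str, str]]) -> List[Finding]:
    """Return one Finding per Run-key write, with the indicators each command hit."""
    findings = []
    for target, value in events:
        if not RUN_KEY.search(target):
            continue  # not a Run/RunOnce value: out of scope for this check
        value_name = target.rsplit("\\", 1)[1]
        reasons = [name for name, pattern in INDICATORS.items() if pattern.search(value)]
        findings.append(Finding(value_name, value, reasons))
    return findings


if __name__ == "__main__":
    for f in audit_run_key_writes(SAMPLE_EVENTS):
        tag = "SUSPICIOUS" if f.suspicious else "review"
        print(f"[{tag}] Run\\{f.value_name}: {', '.join(f.reasons) or 'no indicators'}")
```

Against the constructed records the benign OneDrive entry is listed with no indicators, while the two staged entries are flagged for the encoded hidden launcher and for the alternate-data-stream read piped to Invoke-Expression respectively. The same indicator set applies to the schtask trigger: the action string of a scheduled task created from userland is audited in the same way, and a task whose trigger is user idle time rather than a fixed time of day is itself worth surfacing.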