Persistence

T1136.001 - Create Account: Local Account

Variations
| Variation | Description |
|---|---|
| 1 | This module uses the Win32 API NetUserAdd to create a local account with the specified parameters. |
| 2 | This module uses the Win32 API CreateProcess to run `net user user password /add`, which creates the local account with the specified parameters. |

Both variations end in the same SAM write, so both produce Security event 4720 (A user account was created) where account-management auditing is on. Variation 2 additionally leaves a process-creation record for net.exe, which variation 1 does not.
Parameters

| Parameter | Description |
|---|---|
| user | The name of the local account to create. |
| password | The password to set on the account. It must satisfy the host's password policy, or both variations fail. |
| cleanup | Boolean. When true, the account is deleted again after it has been created. |
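The two variations side by side, with the module's cleanup behaviour and an existence check, as an added PowerShell example that is not the project's own code. It assumes an elevated session on Windows with the Microsoft.PowerShell.LocalAccounts module (Windows PowerShell 5.1 or PowerShell 7 on Windows); the function name, user name and password are placeholders. New-LocalUser is a managed cmdlet rather than a direct NetUserAdd call, but like NetUserAdd it creates the account in-process without spawning net.exe.

```powershell
# Added example (not the project's own code). Requires an elevated PowerShell
# session on Windows with the Microsoft.PowerShell.LocalAccounts module.
# Function name, user name and password are placeholders.
function New-PersistenceLocalUser {
    param(
        [Parameter(Mandatory)] [string] $User,
        [Parameter(Mandatory)] [string] $Password,
        [ValidateSet(1, 2)]    [int]    $Variation = 1,
        [bool] $Cleanup = $true
    )
    try {
        if ($Variation -eq 1) {
            # Variation 1 equivalent: create the account in-process through the SAM API.
            # New-LocalUser is a managed cmdlet, not a literal NetUserAdd call, but like
            # NetUserAdd it spawns no child process.
            $secure = ConvertTo-SecureString -String $Password -AsPlainText -Force
            New-LocalUser -Name $User -Password $secure -Description 'T1136.001 test' | Out-Null
        }
        else {
            # Variation 2: CreateProcess on net.exe, the command the module runs.
            # Same account, but with an extra process-creation record
            # (Security 4688 / Sysmon 1) for net.exe and its helper net1.exe.
            & net.exe user $User $Password /add | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "net user /add failed with exit code $LASTEXITCODE" }
        }

        # Check: do not report success until the account is visible in SAM.
        $created = Get-LocalUser -Name $User -ErrorAction Stop
        Write-Host "Created local account $($created.Name) (SID $($created.SID.Value))"
        return $true
    }
    finally {
        if ($Cleanup) {
            # Mirror the module's cleanup flag: remove the account again.
            Remove-LocalUser -Name $User -ErrorAction SilentlyContinue
        }
    }
}

# Usage: both variations, cleanup on. The password must pass the host's policy.
New-PersistenceLocalUser -User 'labuser' -Password 'Use-A-Policy-Compliant-P4ss!' -Variation 1
New-PersistenceLocalUser -User 'labuser' -Password 'Use-A-Policy-Compliant-P4ss!' -Variation 2
```

Because the cleanup runs in `finally`, a policy rejection or an existing-account error still removes whatever was created. If you want the 4720/4726 pair in the Security log for detection testing, run with `-Cleanup $true` and look for the create and delete events with the same SID.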
T1543.003 - Create or Modify System Process: Windows Service

Variations
| Variation | Description |
|---|---|
| 1 | This module uses the Win32 API CreateService to create a Windows service with the specified parameters. |
| 2 | This module uses the Win32 API CreateProcess to run `sc create serviceName binpath= servicePath type= own start= auto`, which creates the Windows service with the specified parameters. Note the space after each `=` in sc syntax; without it sc rejects the option. |

Both variations register the service with the Service Control Manager, so both produce System event 7045 (A service was installed in the system), and Security event 4697 where the Security System Extension subcategory is audited. With `start= auto` the SCM attempts to launch servicePath at the next boot; if that path is not a real service executable the start fails and is logged, so cleanup matters for anything other than a throwaway lab host.
Parameters

| Parameter | Description |
|---|---|
| serviceName | The name of the Windows service to be created. |
| servicePath | The path of the binary that the service executes. |
| serviceDisplayName | The service display name. The `sc create` command above does not pass it; the sc option for it is `displayname=`. |
| cleanup | Boolean. When true, the service is deleted again after it has been created. |
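Both service variations with cleanup and a read-back from the SCM, as an added PowerShell example that is not the project's own code. It assumes an elevated session on Windows; the function name and the service name, path and display name are placeholders. New-Service calls CreateService from inside the PowerShell process, which matches variation 1; the sc.exe path matches variation 2 and adds `displayname=` so that serviceDisplayName is actually applied.

```powershell
# Added example (not the project's own code). Requires an elevated PowerShell
# session on Windows. Function name, service name, path and display name are placeholders.
function New-PersistenceService {
    param(
        [Parameter(Mandatory)] [string] $ServiceName,
        [Parameter(Mandatory)] [string] $ServicePath,
        [string] $ServiceDisplayName = $ServiceName,
        [ValidateSet(1, 2)] [int] $Variation = 1,
        [bool] $Cleanup = $true
    )
    try {
        if ($Variation -eq 1) {
            # Variation 1: New-Service calls CreateService from inside this process.
            New-Service -Name $ServiceName -BinaryPathName $ServicePath `
                        -DisplayName $ServiceDisplayName -StartupType Automatic | Out-Null
        }
        else {
            # Variation 2: CreateProcess on sc.exe. sc requires a space after every
            # "option=" token; PowerShell passes "binpath=" and the path as two
            # arguments, which is exactly what sc expects.
            & sc.exe create $ServiceName binpath= $ServicePath type= own start= auto displayname= $ServiceDisplayName | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "sc create failed with exit code $LASTEXITCODE" }
        }

        # Check: read the registration back from the SCM instead of trusting the exit code.
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
        if (-not $svc) { throw "service $ServiceName is not registered" }
        Write-Host "Registered $($svc.Name) ('$($svc.DisplayName)') -> $($svc.PathName), start mode $($svc.StartMode)"
        return $true
    }
    finally {
        if ($Cleanup) {
            # sc delete works on every PowerShell version; Remove-Service needs PowerShell 6+.
            & sc.exe delete $ServiceName | Out-Null
        }
    }
}

# Usage: the binary does not have to exist for registration to succeed, but with
# start= auto the SCM will try to launch it at the next boot, so keep cleanup on.
New-PersistenceService -ServiceName 'LabSvc' -ServicePath 'C:\Windows\Temp\labsvc.exe' -ServiceDisplayName 'Lab Service' -Variation 1
New-PersistenceService -ServiceName 'LabSvc' -ServicePath 'C:\Windows\Temp\labsvc.exe' -ServiceDisplayName 'Lab Service' -Variation 2
```

The service is never started here; starting a binary that does not implement the service control handler only produces a start-failure event and a hung SCM call. For detection testing, compare the System 7045 events from the two runs: the ImagePath and ServiceName fields are identical, and only the second run has a preceding sc.exe process-creation event.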
T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys

Variations

| Variation | Description |
|---|---|
| 1 | This module uses the Microsoft.Win32 .NET namespace to create a value under the Run key with the specified parameters. |
| 2 | This module uses the Win32 API CreateProcess to execute a specific command: `REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V BadApp /t REG_SZ /F /D C:\Windows\Temp\xyz12345.exe`. The templated form of the same command is `reg add reg_ /V BadApp /t REG_SZ /F /D C:\Windows\Temp\xyz12345.exe`. |

Both variations write the same REG_SZ value; Windows executes it at the next interactive logon of that user, and writing under HKCU needs no administrative rights. A registry value-set event (Sysmon Event ID 13, or Security event 4657 where a SACL audits the key) is produced either way. Variation 2 additionally leaves a process-creation record for reg.exe carrying the full command line, which is what most Run-key detection rules match on; variation 1 is visible only through the registry event itself.
Parameters

The parameter table below is the same as the one for T1543.003 and does not correspond to the command above; the inputs the command actually takes are the Run key, the value name (BadApp) and the payload path (C:\Windows\Temp\xyz12345.exe).

| Parameter | Description |
|---|---|
| serviceName | The name of the Windows service to be created. |
| servicePath | The path of the binary that the service executes. |
| serviceDisplayName | The service display name. |
| cleanup | Boolean. When true, the service is deleted again after it has been created. |
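Both Run-key variations with cleanup and a read-back check, as an added PowerShell example that is not the project's own code. It runs as the current user on Windows (no elevation needed for HKCU). The function name is a placeholder; the value name BadApp and the payload path C:\Windows\Temp\xyz12345.exe are taken from the command above, and the key is fixed to the HKCU Run key shown there. Variation 1 uses the same Microsoft.Win32 namespace the module uses; variation 2 spawns reg.exe.

```powershell
# Added example (not the project's own code). Runs as the current user on Windows;
# HKCU does not require elevation. Function name is a placeholder; value name and
# payload path are the defaults from the command on the page.
function New-PersistenceRunKey {
    param(
        [string] $ValueName = 'BadApp',
        [string] $Payload   = 'C:\Windows\Temp\xyz12345.exe',
        [ValidateSet(1, 2)] [int] $Variation = 1,
        [bool] $Cleanup = $true
    )
    $subKey  = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $psPath  = "HKCU:\$subKey"     # PSDrive form for Get-/Remove-ItemProperty
    $regPath = "HKCU\$subKey"      # form that reg.exe expects
    try {
        if ($Variation -eq 1) {
            # Variation 1: the Microsoft.Win32 .NET namespace, written from this process.
            $key = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($subKey, $true)
            if (-not $key) { throw "$psPath does not exist" }
            try { $key.SetValue($ValueName, $Payload, [Microsoft.Win32.RegistryValueKind]::String) }
            finally { $key.Close() }
        }
        else {
            # Variation 2: CreateProcess on reg.exe; /f suppresses the overwrite prompt.
            & reg.exe add $regPath /v $ValueName /t REG_SZ /f /d $Payload | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "reg add failed with exit code $LASTEXITCODE" }
        }

        # Check: read the value back and compare it with what was written.
        $actual = (Get-ItemProperty -Path $psPath -Name $ValueName -ErrorAction Stop).$ValueName
        if ($actual -ne $Payload) { throw "read-back mismatch: '$actual'" }
        Write-Host "Set $regPath\$ValueName = $actual"
        return $true
    }
    finally {
        if ($Cleanup) {
            # Mirror the module's cleanup flag: remove the value again.
            Remove-ItemProperty -Path $psPath -Name $ValueName -ErrorAction SilentlyContinue
        }
    }
}

# Usage: both variations, cleanup on, defaults from the page.
New-PersistenceRunKey -Variation 1
New-PersistenceRunKey -Variation 2
```

With cleanup off, the payload path is launched at the user's next logon whether or not the file exists (a missing file just fails silently), so leave cleanup on unless the host is disposable. For detection work, run both variations and confirm that a Sysmon Event ID 13 with TargetObject ending in `\CurrentVersion\Run\BadApp` appears twice, but a reg.exe process-creation event only once.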