Persistence

T1136.001 - Create Account: Local Account

Variations

Variation 1: This module uses the Win32 API NetUserAdd to create a local account with the specified parameters.

Variation 2: This module uses the Win32 API CreateProcess to create a local account with the specified parameters, executing:

    net user user password /add

Parameters

Parameter   Description
user        The user to be created.
password    The password to be used.
cleanup     Bool parameter to delete the user after it is created.

T1543.003 - Create or Modify System Process: Windows Service

Variations

Variation 1: This module uses the Win32 API CreateService to create a Windows Service with the specified parameters.

Variation 2: This module uses the Win32 API CreateProcess to create a Windows Service with the specified parameters, executing:

    sc create serviceName binpath= servicePath type= own start= auto

Parameters

Parameter           Description
serviceName         The name of the Windows service to be created.
servicePath         The path of the binary that will be executed by the service.
serviceDisplayName  The service display name.
cleanup             Bool parameter to delete the service after it is created.

T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys

Variations

Variation 1: This module uses the Microsoft.Win32 .NET namespace to create a Registry Key with the specified parameters.

Variation 2: This module uses the Win32 API CreateProcess to create a Registry Key with the specified parameters, executing:

    REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V BadApp /t REG_SZ /F /D C:\Windows\Temp\xyz12345.exe

Parameters

Parameter           Description
serviceName         The name of the Windows service to be created.
servicePath         The path of the binary that will be executed by the service.
serviceDisplayName  The service display name.
cleanup             Bool parameter to delete the service after it is created.

T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription

This module uses the System.Management .NET namespace to create the main pieces of a WMI Event Subscription: an Event Filter, an Event Consumer and a FilterToConsumerBinding.
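The CreateProcess variations of the first three techniques above (net user ... /add, sc create, reg add ...\CurrentVersion\Run) all leave process-creation telemetry that a detection can key on. The following Python is an added example, not code from this page or from the emulation tool it documents: it classifies constructed sample command lines (assumed to come from Sysmon Event ID 1 or Windows event 4688) into those sub-techniques and extracts the account, service or Run value each one would create.

```python
import re

# Registry autostart locations targeted by the reg add variation above.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# Constructed sample command lines (as logged by Sysmon Event ID 1 or Windows
# event 4688), not real telemetry. The first three are the variations above.
SAMPLE_COMMAND_LINES = [
    r"net user user password /add",
    r"sc create serviceName binpath= servicePath type= own start= auto",
    r"reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V BadApp /t REG_SZ /F /D C:\Windows\Temp\xyz12345.exe",
    r"net user",                                        # benign: lists accounts
    r"reg add HKCU\Software\Example /v Setting /d 1",   # benign: not an autostart key
]

def _switch_value(args, switch):
    """Value following a case-insensitive reg.exe switch such as /v or /d."""
    lowered = [a.lower() for a in args]
    if switch in lowered and lowered.index(switch) + 1 < len(args):
        return args[lowered.index(switch) + 1]
    return None

def _sc_value(args, key):
    """Value of an sc.exe 'key= value' pair; sc accepts the value after a space."""
    for i, a in enumerate(args):
        if a.lower().startswith(key):
            rest = a[len(key):]
            return rest or (args[i + 1] if i + 1 < len(args) else None)
    return None

def classify(command_line):
    """Map a command line to the sub-technique it emulates plus the artifact it creates.
    Splitting on whitespace is a simplification: quoted paths with spaces need a real parser."""
    tokens = command_line.split()
    if not tokens:
        return None
    image = tokens[0].lower().rsplit("\\", 1)[-1].removesuffix(".exe")  # strip path and .exe
    args = tokens[1:]
    verb = args[0].lower() if args else ""
    if image in ("net", "net1") and verb == "user" and len(args) > 2 and "/add" in (a.lower() for a in args):
        return {"technique": "T1136.001", "artifact": args[1]}
    if image == "sc" and verb == "create" and len(args) > 1:
        return {"technique": "T1543.003", "artifact": args[1], "binary": _sc_value(args, "binpath=")}
    if image == "reg" and verb == "add" and len(args) > 1 and RUN_KEY.search(args[1]):
        return {"technique": "T1547.001", "artifact": _switch_value(args, "/v"), "binary": _switch_value(args, "/d")}
    return None

def scan(command_lines):
    """Return one finding per command line that matches a persistence rule."""
    return [dict(command=c, **hit) for c in command_lines if (hit := classify(c))]
```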