Persistence

T1136.001 - Create Account: Local Account

Variation 1

This module uses the Win32 API NetUserAdd to create a local account.

Variation 2

This module uses the Win32 API CreateProcess to execute a specific command:
net user hax0r Passw0rd123El7 /add

T1543.003 - Create or Modify System Process: Windows Service

Variation 1

This module uses the Win32 API CreateService to create a Windows Service.

Variation 2

This module uses the Win32 API CreateProcess to execute a specific command:
sc create UpdaterService binpath= C:\Windows\Temp\superlegit.exe type= own start= auto

T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys

Variation 1

This module uses the Microsoft.Win32 .NET namespace to create a Registry Key.

Variation 2

This module uses the Win32 API CreateProcess to execute a specific command:
REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V BadApp /t REG_SZ /F /D C:\Windows\Temp\xyz12345.exe

T1546.003 - Event Triggered Execution: Windows Management Instrumentation Event Subscription

This module uses the System.Management .NET namespace to create the main pieces of a WMI Event Subscription: an Event Filter, an Event Consumer and a FilterToConsumerBinding.
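
For detection coverage, the variations above leave different telemetry: the CreateProcess variations are visible as command lines, while the API and .NET variations spawn no child process and leave only the resulting OS event. The detection logic below is an added example, not code from the tool described on this page; it assumes account and service auditing plus Sysmon are enabled, and the event dictionary schema, the short channel labels and the sample events (including the placeholder SID) are constructed for illustration.

```python
import re

# Variation 2 modules spawn net/sc/reg, so the command line is visible in
# process-creation telemetry (Sysmon Event ID 1).
CMDLINE_RULES = [
    ("T1136.001", re.compile(r"\bnet1?(\.exe)?\s+user\b.*\s/add\b", re.I)),
    ("T1543.003", re.compile(r"\bsc(\.exe)?\s+create\s+\S+.*\bbinpath=", re.I)),
    ("T1547.001", re.compile(r"\breg(\.exe)?\s+add\s+\S*\\CurrentVersion\\Run(Once)?\b", re.I)),
]
# Variation 1 modules call the API directly and spawn no child process; only the
# resulting OS event remains. "Sysmon" is shorthand for its Operational channel.
EVENT_RULES = {
    ("Security", 4720): "T1136.001",  # a user account was created
    ("System", 7045): "T1543.003",    # a service was installed
    ("Sysmon", 19): "T1546.003",      # WMI event filter registered
    ("Sysmon", 20): "T1546.003",      # WMI event consumer registered
    ("Sysmon", 21): "T1546.003",      # WMI filter-to-consumer binding
}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)

def classify(event):
    """Return the ATT&CK technique ID an event points to, or None."""
    key = (event["channel"], event["id"])
    if key in EVENT_RULES:
        return EVENT_RULES[key]
    if key == ("Sysmon", 13) and RUN_KEY.search(event.get("target", "")):
        return "T1547.001"            # registry value set under a Run key
    if key == ("Sysmon", 1):
        for technique, pattern in CMDLINE_RULES:
            if pattern.search(event.get("cmdline", "")):
                return technique
    return None

# Constructed sample events (hypothetical dict schema, not real log exports).
SAMPLES = [
    {"channel": "Sysmon", "id": 1, "cmdline": "net user hax0r Passw0rd123El7 /add"},
    {"channel": "Security", "id": 4720},
    {"channel": "Sysmon", "id": 1, "cmdline": r"sc create UpdaterService binpath= C:\Windows\Temp\superlegit.exe type= own start= auto"},
    {"channel": "System", "id": 7045},
    {"channel": "Sysmon", "id": 1, "cmdline": r"REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V BadApp /t REG_SZ /F /D C:\Windows\Temp\xyz12345.exe"},
    {"channel": "Sysmon", "id": 13, "target": r"HKU\S-1-5-21-EXAMPLE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BadApp"},
    {"channel": "Sysmon", "id": 21},
    {"channel": "Sysmon", "id": 1, "cmdline": "net user"},  # benign listing, no /add
]

if __name__ == "__main__":
    for ev in SAMPLES:
        print(classify(ev), ev.get("cmdline") or ev.get("target") or ev["id"])
```

A rule set that only matches command lines would miss every Variation 1 module, which is why the event-ID rules are checked first.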