Working Persistence Module

[kapla0011]

For now the rrp library has been removed from the module. This is the usage of each of the techniques:

add_user: This methods adds a new user to the admin group

We can also specify some input credentials:

Checking if the credentials are valid:

file_upload:

This is just an upload function for file transfer purposes

malicious_binary

This technique involves copying a binary from a specified path to the user's startup folder.

proof:

registry_run:

This technique involves modifying the registry's Run key. Any executable path listed in the Run key will be executed when a user logs into the machine.

proof:

logon_scripts:

This techinique works by adding to the Logon Registry value the path of a .bat file with some custom commands inside.

proof:

scheduled_task:

creates a scheduled task that starts at every logon:

query the task:

win_logon_userinit:

the module adds to the UserInit value of winlogon the path of the malware:

query the registry:

[NeffIsBack]

Thanks for the PR! Having screenshots while reviewing definitely helps a lot :)