Advanced Red Teaming - Maintaining Persistence

Blog by: Grant Knoetze

Maintaining persistence as a tactic covers the actions that ensure your program runs again after the target machine is restarted; there are various techniques that can be used to achieve persistence.



  • Advanced - Targeted, coordinated, purposeful
  • Persistent - Month after month, year after year
  • Threat - Attacker with intent, opportunity, and capability

Cyber Kill Chain definition courtesy of Lockheed Martin.

Lockheed Martin Cyber Kill Chain

Create a new registry key and achieve persistence by modifying HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, using Windows APIs from C++. The Microsoft Developer Network (MSDN) pages are comprehensive reference material for these calls.

The following C++ code has been added to our "RedTeamAgent". I have written a C++ trojan that utilizes Windows APIs and core features of the C++ language, leveraging Windows APIs and functions to perform tasks and remain undetected. The UpdateRegistry function is useful here, as seen in the Gist below:
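The Gist itself is not reproduced on this page. The block below is an added example, not the author's RedTeamAgent code: a PowerShell audit of the Run keys the technique above writes to, flagging values that are not on a baseline allow-list or that launch something from a user-writable directory. The `$Baseline` names are constructed placeholders; the Run key paths are the real ones.

```powershell
# Added example (not from the original post): audit the per-user and
# per-machine Run keys and report entries a defender should look at.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Constructed baseline of value names already reviewed and accepted.
# Replace with the names that are legitimately present in your environment.
$Baseline = @('OneDrive', 'SecurityHealth')

# Directories an unprivileged user can write to. A Run entry whose command
# lives here is typical of user-level persistence and deserves a closer look.
$UserWritable = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, "$env:USERPROFILE\Downloads")

function Get-RunKeyFindings {
    $findings = @()
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSChildName/... metadata the provider adds.
            if ($p.Name -like 'PS*') { continue }
            $cmd = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
            $reasons = @()
            if ($Baseline -notcontains $p.Name) { $reasons += 'value name not in baseline' }
            foreach ($dir in $UserWritable) {
                if ($dir -and $cmd -like "*$dir*") {
                    $reasons += "command runs from user-writable path $dir"
                    break
                }
            }
            if ($reasons.Count -gt 0) {
                $findings += [pscustomobject]@{
                    Key     = $key
                    Name    = $p.Name
                    Command = $cmd
                    Reason  = ($reasons -join '; ')
                }
            }
        }
    }
    return $findings
}

Get-RunKeyFindings | Format-Table -AutoSize
```

Running this from a scheduled job and diffing the output against the previous run turns it into a simple change monitor for these keys; Sysmon's registry value-set event (Event ID 13) gives the same write in real time if you prefer event-based detection.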

Keep following me on social media to stay tuned for the follow up to this post...


Grant Knoetze

IT Support Specialist, Cybersecurity Analyst, Software Developer

Useful Code for Red Teaming

This is code that I wrote to help me with red teaming. Disclaimer: nothing on this page is intended for malicious purposes; anything that you do with any code is your own responsibility, and never engage a target without written permission in the form of a signed contract.