PersistAssist: Your Persistence Assistant!
Persistence is a vital aspect of a pentest or red team and ensures you don't lose your access after you've worked so hard to get it. While performing persistence is important, cleaning up that persistence is just as vital. Enter PersistAssist, PersistAssist is a fully modular persistence framework written in C# which automates this process.
To skip this and get started with PersistAssist, check out the github repo here - https://github.com/FortyNorthSecurity/PersistAssist
PersistAssist is a fully modular framework, meaning everything can be easily extended. There are three main components to PersistAssist: Persist, Tradecraft, and Payload.
Persist is the main part and contains all the persistence modules available within the framework.
While the main objective of PersistAssist is to automate the persistence process, its Tradecraft component also includes utilities to perform operations relating to persistence or general post exploitation. These utilities include: functionality timestomping, reading registry keys, and listing services/scheduled tasks.
The Payload component houses payloads used by various persistence techniques, though currently only available for the
PersistAssist uses D/Invoke for all API operations. The code for this is contained in the Structs.cs and API.cs files, one contains all the required enumerations and variables. The other will house the delegates and D/Invoke code respectively.
To use PersistAssist, specify either an available persistence technique or tradecraft utility with the
-t flag and pass the flags specific to that option.
For a list of all the modules available, use the
-l option. This will return all the persistence techniques organized by category (this is determined by an enumeration value in the module), tradecraft utilities loaded into PersistAssist, and payloads we can use for various persistence techniques.
To return information on an option, use
-t to specify the technique/utility to use and pass the
-i flag. This will return information including the a quick description of the option, how to persist/cleanup in the case of a persistence technique or general usage for a tradecraft utility, and the category the option belongs to.
Like previously mentioned, PersistAssist allows for easy extending of just about every aspect of the tool. We can not only extend the main modules (Persist, Tradecraft, and Payload), but also the API part as well.
Each of the main components of PersistAssist inherit from their respective abstract class. An abstract class can be thought of as a "schematic" class that forces a class to be modeled after the class being inherited. In the example below, the class
InlineTasks is inheriting from (we can inherit classes in C# by using a colon (
:) and following it with the class to inherit) the
Persist abstract, and thus forcing it to have the variables
PersistCategory and the methods
On runtime, PersistAssist will search for all classes inheriting from the abstract
Persist and populate the framework with that data. This same mechanism is used for both the Tradecraft and Payload components.
PersistAssist only has three persistence techniques available at this time. These include
OverrideTask. If there's a technique or utility you'd like to see, feel free to let us know or submit a PR!