PersistAssist: Fully modular persistence framework

by do son · Published December 27, 2022 · Updated November 4, 2024

PersistAssist

PersistAssist is a fully modular persistence framework written in C#. All persistence techniques contain a cleanup method which will serve to remove the persistence aside from the persistence code. This is a WIP so there are many empty classes, the main object of this project initially was to build out a fully modular framework meant to make adding new features as simple as inheriting a class and adding the code.

Module

Persist

This module will store persistence techniques available to the framework

Registry:
- GenericRegAdd – Add any arbitrary registry key
- RunKeys – Registers a RunKey on either HKLM or HKCU
- UserInitMprLogonScript – Deploys UserInitMprLogonScript. Functions the same as a Run Key
MSBuild:
- InlineTasks – Deploys MSBuild InlineTask-based payload. Drops file to disk
  OverrideTask – Deploys MSBuild OverrideTask-based persistence. Drops file to disk and require admin access
  AccountOperations:
WMI:
- - ActiveScript – Create an ActiveScriptEventConsumer based WMI subscription
    CommandLine – Create an CommandLineEventConsumer based WMI subscription
Misc:
- NotepadPlugin – Backdoors notepad++ by creating a malicious plugin
- PSProfile – Backdoors PowerShell profile files
- StartupFolder – Drops a shortcut to a startup path

Tradecraft

This module will contain various post-exploitation capabilities available to the framework

SvcList – Lists services on a machine
Creds – Cred operations
FileRead – Reads a file in memory to get around having to download files for reading
ProcList – Lists running processes
RegList – Lists contents of specified registry key
SchList – Lists scheduled tasks on a machine
TimeStomp – Modifies file and directory time stamps. Does not modify Entry timestamp
WMIQuery – Run an arbitrary WMI Query