Course 16 - Red Team Ethical Hacking Beginner Course | Episode 6: Windows Persistence Strategies: Registry, Scheduled Tasks, Services, WMI

In this lesson, you’ll learn about:The purpose of persistence in red team operationsCommon local Windows persistence mechanisms and how they functionEvent-driven persistence using WMIThe difference between host-level and domain-level persistenceWhy Kerberos Golden Tickets represent a critical enterprise riskOverview This lesson provides a comprehensive technical explanation of Windows persistence strategies, focusing on how attackers maintain long-term access after an initial compromise. Persistence is a post-exploitation objective that ensures access survives:System rebootsUser logoutsPassword changesPartial remediation effortsAll techniques discussed are framed within authorized red team engagements, defensive awareness training, and detection engineering contexts. 1. Local System Persistence Techniques Local persistence mechanisms ensure continued execution of malicious code on a single compromised host. 1.1 Registry Run Keys Concept Windows supports registry keys that automatically launch applications when users log in. How It WorksA startup entry is added to a global registry locationThe payload executes whenever any user logs inThe method survives reboots and user changesWhy It’s EffectiveSimple and reliableCommonly abused by malwareOften overlooked during basic incident responseDefensive Insight Security teams should monitor:Startup registry locationsUnsigned or unusual binaries referenced by run keys1.2 Scheduled Tasks Concept Scheduled Tasks allow programs to execute automatically based on time or system conditions. How It WorksA background task is created to run repeatedlyExecution can be time-based or event-basedThe task operates independently of user interactionWhy It’s EffectiveBlends in with legitimate administrative activityCan execute frequently to re-establish accessFlexible timing and execution contextDefensive Insight Blue teams should audit:Newly created or modified tasksTasks executing from unusual directories1.3 Windows Services (SCM) Concept Windows services start automatically when the system boots and typically run with elevated privileges. How It WorksA service is configured to launch at startupExecution occurs before user loginOften runs with SYSTEM-level permissionsWhy It’s EffectiveHighly persistentVery powerful privilege contextSurvives reboots consistentlyDefensive Insight Detection should focus on:New or modified servicesServices running unsigned or unexpected executables1.4 WMI Event Subscriptions (Advanced Persistence) Concept Windows Management Instrumentation (WMI) supports event-driven automation, which can be abused for stealthy persistence. Architecture WMI persistence consists of three logical components:Event Filter – Watches for a specific system conditionConsumer – Defines the action to performBinding – Connects the event to the actionWhy It’s EffectiveNo visible startup entriesNo scheduled tasks or servicesTriggers only when specific events occurDefensive Insight This is one of the hardest techniques to detect. Monitoring requires:WMI repository inspectionEvent subscription auditingBehavioral correlation2. Domain-Level Persistence: Golden Tickets Concept Golden Tickets exploit Kerberos authentication to provide permanent domain-wide access. How It Works (High-Level)The Kerberos service account secret is compromisedA forged authentication ticket is createdThe ticket grants Domain Admin privileges to any chosen identityWhy This Is CriticalAccess persists even if:Passwords are resetAccounts are disabledAdministrators are removedThe attacker can generate new valid credentials at willImpact This technique effectively gives an attacker:Unlimited access to the domainFull control over users, systems, and policiesA near-undetectable persistence mechanism if not monitoredDefensive Insight Mitigation requires:Rotating Kerberos service secretsMonitoring authentication anomaliesImplementing strong domain hygiene and detection toolingHost vs Domain Persistence ComparisonPersistence TypeScopeRisk LevelRegistry / TasksSingle HostMediumServicesSingle HostHighWMI SubscriptionsSingle HostHigh (Stealthy)Golden TicketsEntire DomainCriticalWhy Persistence Matters in Red Teaming Persistence is not about destruction—it’s about testing resilience. Professional red teams use persistence to:Measure detection and response maturityTest cleanup effectivenessIdentify gaps in monitoringImprove blue team readinessEvery persistence mechanism must also include a clean removal path. Conceptual Analogy Think of persistence as hiding spare access keys:Registry & Services → A key hidden where you check every dayScheduled Tasks → A door that unlocks automatically on a timerWMI Subscriptions → A smart sensor that opens the door only under specific conditionsGolden Tickets → Access to the locksmith’s master system that can mint new keys on demandSome keys affect one door. Others open the entire city. Key Educational TakeawaysPersistence is a post-exploitation objective, not an exploitSimpler methods are more common, advanced methods are stealthierDomain-level persistence is exponentially more dangerousDetection is possible—but requires deep visibilityEthical red team operations prioritize documentation and cleanupYou can listen and download our episodes for free on more than 10 different platforms:https://linktr.ee/cybercode_academy