05 September 2022

Persistence is a vital aspect of a pentest or red team and ensures you don't lose your access after you've worked so hard to get it. While performing persistence is important, cleaning up that persistence is just as vital. Enter PersistAssist, PersistAssist is a fully modular persistence framework written in C# which automates this process.

To skip this and get started with PersistAssist, check out the github repo here - https://github.com/FortyNorthSecurity/PersistAssist

PersistAssist Overview

PersistAssist is a fully modular framework, meaning everything can be easily extended. There are three main components to PersistAssist: Persist, Tradecraft, and Payload.

Persist is the main part and contains all the persistence modules available within the framework.

While the main objective of PersistAssist is to automate the persistence process, its Tradecraft component also includes utilities to perform operations relating to persistence or general post exploitation. These utilities include: functionality timestomping, reading registry keys, and listing services/scheduled tasks.

The Payload component houses payloads used by various persistence techniques, though currently only available for the OverrideTask technique.

PersistAssist uses D/Invoke for all API operations. The code for this is contained in the Structs.cs and API.cs files, one contains all the required enumerations and variables. The other will house the delegates and D/Invoke code respectively.

To use PersistAssist, specify either an available persistence technique or tradecraft utility with the -t flag and pass the flags specific to that option.

For a list of all the modules available, use the -l option. This will return all the persistence techniques organized by category (this is determined by an enumeration value in the module), tradecraft utilities loaded into PersistAssist, and payloads we can use for various persistence techniques.

To return information on an option, use -t to specify the technique/utility to use and pass the -i flag. This will return information including the a quick description of the option, how to persist/cleanup in the case of a persistence technique or general usage for a tradecraft utility, and the category the option belongs to.

Extending PersistAssist

Like previously mentioned, PersistAssist allows for easy extending of just about every aspect of the tool. We can not only extend the main modules (Persist, Tradecraft, and Payload), but also the API part as well.

Each of the main components of PersistAssist inherit from their respective abstract class. An abstract class can be thought of as a "schematic" class that forces a class to be modeled after the class being inherited. In the example below, the class InlineTasks is inheriting from (we can inherit classes in C# by using a colon (:) and following it with the class to inherit) the Persist abstract, and thus forcing it to have the variables PersistName, PersistDesc, PersistUsage, and PersistCategory and the methods PersistExec() and PersistCleanup().

On runtime, PersistAssist will search for all classes inheriting from the abstract Persist and populate the framework with that data. This same mechanism is used for both the Tradecraft and Payload components.

Final Thoughts

PersistAssist only has three persistence techniques available at this time. These include GenericRegAdd, RunKeys, and OverrideTask. If there's a technique or utility you'd like to see, feel free to let us know or submit a PR!

We hope that this is useful and if you have any questions at all, don't hesitate to contact us, or check out similar blog posts on our website.