Host Based Persistence Cheatsheet

Scheduled Task Removal

##Remove Schtask
schtasks /delete /tn "SCHTASK" /F

##Schtask Creation artifacts
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\NetService\network\netservices
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\taskcache\tasks{D6317C6E-2A57-4CC9-A7CF-63EBE4BE74BE}
C:\Windows\System32\Tasks\Microsoft\Windows\NetService\Network\NetServices

##Registry Removal
reg delete "<Registry Location>" <property value>

##Remote Registry Removal
reg delete \\ZODIAC\HKLM\Software\MyCo /v MTU


#remove WMI-CONSUMER 
pwsh -command "Get-WMIObject -Namespace root\Subscription -Class CommandLineEventConsumer -Filter "Name=''" | Remove-WmiObject"

#remove WMI-FILTER
pwsh Get-WMIObject -Namespace root\Subscription -Class __EventFilter -Filter \"__Path LIKE '%%<Windows Events Filter>%%'\" |  remove-wmiobject

#remove WMI-FilterToConsumer
pwsh Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding -Filter

#Service Remover
pwsh "Get-WmiObject win32_service | ?{$_.name -match '<servicenamehere>'} |remove-wmiobject"

Discover

Scheduled Tasks

schtasks /query /tn 'SCHTASK' /F

Registy Query

reg query "<Registry Location>" <property value>

PreviousPersistence NextM365 Persistence Cheatsheet

Last updated 6 months ago