== Maintaining Access ==

Once initial access is achieved, attackers often need to maintain persistent access to the compromised system without detection. This phase involves deploying tools and methods that ensure continued control while evading monitoring and incident response. Maintaining access is typically reserved for advanced engagements such as red teaming or adversary simulation, and focuses on stealth, resilience, and persistence. These techniques correspond to the Persistence and Defense Evasion tactics in the MITRE ATT&CK framework.

=== Common Techniques ===

* Creating hidden users or manipulating login mechanisms
* Establishing reverse shells or encrypted backdoors
* Installing persistence mechanisms such as cron jobs, services, or registry keys
* Leveraging legitimate tools for covert access (Living off the Land Binaries, [[LOLBins]])
** These are native binaries already present on the system, abused to avoid dropping custom tools.
* Abusing scheduled tasks, startup scripts, or init systems
* Planting SSH keys in authorized_keys, or stashing harvested credentials, for future re-entry
* Employing webshells on reachable servers or admin panels
* Modifying boot processes or firmware for deeper persistence

=== Tools ===

* [[Metasploit]] - deploy persistent backdoors and remote shells
* [[Netcat]] - maintain reverse shells and listeners
* [[Socat]] - flexible relay tool for persistent tunnels
* [[Chisel]] - TCP/UDP tunnel over HTTP via a client-server model
* [[ngrok]] - secure tunnels to localhost, useful for callback access
* [[Persistence scripts]] - such as Empire's persistence modules or custom Bash scripts
* [[SSH]] - persistent shell access via authorized_keys
* [[Plink]] - command-line connection tool, part of the PuTTY suite
* [[Systemd services]] - persistence on modern Linux systems
* [[Scheduled Tasks]] / [[Cron]] / [[At jobs]] - time-based execution of payloads

=== Operating System Techniques ===

'''Linux:'''

* Add a root cron job: `echo "@reboot root /path/to/script.sh" >> /etc/crontab` (the `root` user field is valid only in `/etc/crontab` and `/etc/cron.d/*`; per-user crontabs edited with `crontab -e` have no user field)
* Drop an SSH key: `mkdir -p ~/.ssh && echo "[attacker_key]" >> ~/.ssh/authorized_keys`
* Create a hidden user: `useradd -M -r -s /bin/bash hiddenuser` (`-r` assigns a system UID below 1000, which keeps the account off graphical login lists; `-M` skips creating a home directory)

'''Windows:'''

* Add a user with admin privileges: `net user backdoor Pass123 /add && net localgroup administrators backdoor /add`
* Registry autorun (per-user, runs at logon): `reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v backdoor /t REG_SZ /d "C:\path\to\payload.exe"`
* Scheduled task: `schtasks /create /tn "Update" /tr "payload.exe" /sc onlogon`

=== Evasion Considerations ===

* Use [[obfuscation]] and [[encryption]] to hide payloads
* Rotate [[C2 channels]] and avoid static IP callbacks
* Mimic legitimate service names and binaries
* Limit noisy activity and privilege escalation attempts

=== Detection Countermeasures ===

* Use host-based firewalls to limit outbound connections
* Monitor cron jobs, startup scripts, and autostart locations (including the `Run` registry keys above)
* Inspect SSH authorized_keys files and user creation logs (`useradd` entries in the auth log or journal on Linux; Security events 4720 and 4732 for account creation and local group membership changes on Windows)
* Review scheduled tasks and system services regularly (Security event 4698 records scheduled task creation on Windows)

Maintaining access presents both operational advantages and detection risks: an essential concept for defenders to understand and for red teamers to execute with precision.

See also: [[Initial Access]], [[Privilege Escalation]], [[Persistence Techniques]]
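The following Bash script is an added example, not code from the HackOps page or any tool it lists. It turns the Linux commands in the Operating System Techniques section and the Detection Countermeasures list into concrete checks: cron files with `@reboot` entries or jobs launched from scratch directories, system accounts (UID below 1000) that carry an interactive shell, and `authorized_keys` entries whose key material is not in an allowlist. The allowlist format, the sample root tree, and the placeholder key material are assumptions constructed for the example; it assumes `authorized_keys` lines have the plain `type key comment` form with no options prefix.

```shell
#!/usr/bin/env bash
# Added example (not from the HackOps page): audit a Linux host for the persistence
# artifacts described in the Maintaining Access section. Every path is a parameter,
# so the checks run against a live host (root=/) or a mounted disk image.

# 1. Cron: flag @reboot entries and jobs executed from world-writable scratch dirs.
#    Meant for files with a user field (/etc/crontab, /etc/cron.d/*).
audit_crontab() {
    grep -nHE '^[[:space:]]*@reboot|[[:space:]](/tmp|/dev/shm|/var/tmp)/' "$1" 2>/dev/null || true
}

# 2. Accounts: system accounts (UID < 1000, not root) with an interactive shell,
#    which is exactly what `useradd -M -r -s /bin/bash hiddenuser` leaves behind.
audit_passwd() {
    awk -F: '$3 < 1000 && $3 != 0 && $7 !~ /(nologin|false|sync|halt|shutdown)$/ {
        print $1 ":" $3 ":" $7 }' "$1"
}

# 3. SSH keys: report authorized_keys entries whose key material is not allowlisted.
#    Matching is on the base64 blob (field 2), so a friendly comment such as
#    "backup@corp" cannot disguise an attacker key. Assumes plain "type key comment"
#    lines (no options prefix) in both files.
audit_authorized_keys() {
    awk -v allowfile="$2" '
        BEGIN { while ((getline line < allowfile) > 0) { split(line, f, " "); ok[f[2]] = 1 } }
        /^[[:space:]]*(#|$)/ { next }
        !($2 in ok) { print FILENAME ":" FNR ": unapproved key (" $NF ")" }
    ' "$1"
}

# Run every check under a root directory. Prints findings and returns 1 if there
# were any, so a scheduled run can alert on a non-zero exit status.
run_audit() {
    local root="$1" allow="$2" findings f k
    findings=$( {
        audit_crontab "$root/etc/crontab"
        for f in "$root"/etc/cron.d/*; do
            if [ -f "$f" ]; then audit_crontab "$f"; fi
        done
        audit_passwd "$root/etc/passwd"
        for k in "$root"/root/.ssh/authorized_keys "$root"/home/*/.ssh/authorized_keys; do
            if [ -f "$k" ]; then audit_authorized_keys "$k" "$allow"; fi
        done
    } )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample root tree (not data from a real host) mirroring the commands in
# the section: a @reboot job under /tmp, a hidden system account with bash, and a
# foreign key in root's authorized_keys. Key material is a placeholder string.
make_samples() {
    local root="$1"
    mkdir -p "$root/etc/cron.d" "$root/root/.ssh" "$root/home/alice/.ssh"
    printf '%s\n' 'SHELL=/bin/sh' \
        '17 * * * * root cd / && run-parts --report /etc/cron.hourly' \
        '@reboot root /tmp/.x/update.sh' > "$root/etc/crontab"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin' \
        'hiddenuser:x:998:998::/home/hiddenuser:/bin/bash' \
        'alice:x:1000:1000::/home/alice:/bin/bash' > "$root/etc/passwd"
    # allowlist: the one key the organisation actually issued
    printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIApprovedKeyMaterialPlaceholder alice@laptop' > "$root/allow"
    cp "$root/allow" "$root/home/alice/.ssh/authorized_keys"
    printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQUnapprovedKeyMaterialPlaceholder backup@corp' \
        > "$root/root/.ssh/authorized_keys"
}

# `bash maintain_access_audit.sh demo` builds the sample tree and audits it.
demo() {
    local sample
    sample=$(mktemp -d)
    make_samples "$sample"
    if run_audit "$sample" "$sample/allow"; then
        echo "no persistence artifacts found"
    else
        echo "persistence artifacts found (exit status 1)"
    fi
    rm -rf "$sample"
}

if [ "${1:-}" = demo ]; then demo; fi
```

On the sample tree the audit reports three findings: the `@reboot` line in `etc/crontab`, `hiddenuser:998:/bin/bash`, and the unapproved `backup@corp` key in root's `authorized_keys`; alice's allowlisted key is silent. Against a real host, point `run_audit` at `/` and keep the allowlist outside the audited filesystem, since an attacker with root can otherwise add their key to it.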