Forum Thread: Need Help Making Persistence Undetectable

I got into a meterpreter session without any issues, but now I want to make sure I can reconnect to the victim (my desktop) after reboots. I tried using persistence, but the AV caught it. I feel like there is a way to encode it that should work, but I am not sure how to encode a persistence payload.

I tried using Veil-Evasion backdoor factory (it was 17 in the list), but AV detected that also. I tried using it with a custom exe payload (which was not detected by AV itself), but when I used it in conjunction with Veil-Evasion payload 17 as the ORIGINAL-exe, it was detected as well.

My next thought was, once connected to the meterpreter session, to immediately get into their startup folder and put my exe there, so on reboots it would start my payload automatically. This works, but I always have to have a waiting meterpreter session listening, ready to connect.

5 Responses

There is no answer. I posted 3 posts about this issue and no one got an answer (the ideas I tried). The only thing you can do is to delete the AVG from the victim's PC and make a file with the same icon as AVG and upload it to the victim's system.

If you found another, easier way, I will be happy to hear it.

Try "show advanced" in msfconsole and use the exe::custom option, or use the scheduleme script from meterpreter.

I think the best way to do it is to make a program that executes the shellcode, then drop that into the startup folder or do something in the registry to run it on startup.

If the AV still detects it, make it so the shellcode is encrypted, and when the program is run it decrypts and runs it.

Before you answer someone, make sure you tried to do it yourself. If you upload the file to the startup folder, you can reconnect to the victim's system only if he reboots his system, but we are trying to reconnect to the system at any time...

You can delete all files of the AVG and then upload a file with the same icon as AVG... but that's a hard way; we are trying to find the easy way... Running the persistence command is caught by AVG.

Does someone else have another way?? It's important, not just for me...
