What is host compromise?

Aaron Goldstein
March 5, 2024

Persistence is a common tactic threat actors use to maintain a foothold within a computer or network. There are many kinds of persistence, one of which is known as host persistence.  

These methods allow them to regain access, steal data, or launch further attacks even after being detected or removed. Understanding these mechanisms is crucial for individuals and organizations alike to bolster their defenses and prevent attackers from establishing a foothold.

How does host persistence work?

With host persistence a threat actor compromises a host and establishes a foothold on the network. Threat actors want to accomplish this because it makes their jobs easier— if the system reboots or a user logs off, they don’t have to go through the phishing process or whatever actions gave them initial access.  

Persistence mechanisms automatically launch a script, malware, or remote access tool whenever a user logs on or uses a tool, etc.  

Types of host persistence  

There are multiple different types of host persistence that threat actors can achieve both with and without admin privileges.  

Persistence techniques in an unelevated context (without admin privileges):

  • New scheduled tasks
  • Startup folder
  • HKCU / HKLM registry autoruns
  • Browser helper objects (BHO)
  • DLL load order hijacking

Persistence techniques in an elevated context (with admin privileges):

  • WMI Event Subscriptions
  • Windows Services Abuse

Host persistence using scheduled tasks  

One persistence technique explained above is new scheduled tasks. Establishing host persistence via scheduled tasks can be accomplished using the "schtasks" command-line utility. The scheduled task triggers a PowerShell command that downloads and executes a malicious payload from the attacker’s web server. The payload execution will return a Meterpreter shell on the victim’s machine to the attacker’s Metasploit server. See figures one and two below.  

Figure one: creating a scheduled task using the “schtasks” command
Figure two: obtaining command execution on the victim system

Another way to establish host persistence using scheduled asks is through “SharPersist” toolkit (see figures three and four below):

  • A threat actor will create a scheduled task using “SharPersist”  
  • The scheduled task runs a Base64 encoded PowerShell command that downloads and executes a malicious payload from the attacker’s web server  
  • The payload execution will return to the attacker’s Metasploit server via a Meterpreter shell on the victim machine
Figure three: creating a Scheduled Task using the “SharPersist” Tool

Figure four: obtaining command execution on the victim system

How Todyl protects our partners  

Todyl’s Managed eXtended Detection and Response (MXDR) and Detection Engineering teams are constantly monitoring the threat landscape and proactively threat hunting to build new detections into the Todyl Security Platform and ensure our partners are safe.

A sample of the detection rules the Detection Engineering team has built include:  

Todyl’s experts continually monitor and alert across many persistence mechanisms, new scheduled tasks, WMI event consumers, etc, so this is a small subset of the larger data they receive.  

Not a Todyl MXDR partner? Click here to learn more about our MXDR capabilities and schedule a demo to learn more.

Stay up to date

Subscribe to receive the latest insights, news, and updates from Todyl.

Additional reading

Why I Joined Todyl: Spotlight on David Dewey
How Todyl addresses the "Pandemic 11"
Understanding AMSI bypass techniques

Todyl updates

Sign-up to get the latest from Todyl sent straight to your inbox.