Skip to content

Main Navigation GUIDE MODULE TRAINING

3.1.3 - It's Not a Bug, It's a Feature !

3.1.2 - Pentest Agent and MCP Server

3.1.1 - Chaos is a Ladder

English

English

Sidebar Navigation

AI Agent

Pentest Agent

Phishing Agent

Viper Operations Agent

Resource Deployment

Random Identity Generator (Chinese)

DNSLOG Server

LDAP Server

TCPLOG Server

C2 via Tencent API Gateway

Initial Access

EXE Masquerading as Word Document

Office Macro Phishing Document

Execution

Upload & Execute Executable

Deploy Kit Suite to Target Host

AV Bypass via CreateThreadpoolWait

AV Bypass via CreateTimerQueue

AV Bypass via EnumChildWindows

AV Bypass via EnumWindows

Direct Connect REVERSE_HTTPS Bypass

Direct Connect REVERSE_TCP_RC4 Bypass

PPID Spoofing

Basic ShellcodeLoader (Linux)

Self-Guarded ShellcodeLoader (Linux)

Split ShellcodeLoader (Linux)

NtCreateSection Process Injection

Direct Syscall Injection

Syscall Visual Studio Project

Persistence

Add Local/Domain Account (Windows)

Self-Guarded Session (Windows)

Logon Script Persistence (Windows)

Windows Service Persistence

Office Application Startup (Windows)

Library-ms Persistence (Windows)

Registry Run Keys (C#)

Registry Run Keys (Windows)

Scheduled Task Persistence (Windows)

Winlogon Helper DLL (Windows)

Privilege Escalation

Windows UAC Bypass

Enumerate Windows Patches

CVE-2021-40449 Exploit

EfsPotato Exploit

SweetPotato Exploit

Search Exploitable CVEs

Windows System Privilege Escalation

Defense Evasion

Clear Last Log

Hijack Code Signing (Windows)

Spoof Microsoft Signature

Migrate to CobaltStrike

In-Memory C# Execution

In-Memory C# Execution (Bypass)

PostMSFCSharp Demo Module

In-Memory PE Execution (C++/C)

In-Memory PowerShell Execution

Process Manipulation

In-Memory Python Execution

Session Cloning

In-Memory Shellcode Execution

Inject into Windows System Process

Clone SSL Certificate

Credential Access

Dump Browser Passwords (C#)

Dump Memory Credentials (Windows)

Retrieve SunLogin Passwords

Dump Windows Hashes

Windows WDigest Toggle

Dump Browser Passwords (Golang)

Credential Input via UI Prompt

Discovery

Enumerate All Domain Users

Enumerate Windows Admin Group

Installed Software (Windows)

Retrieve SMS/Call History/Contacts

Mobile Camera Capture

Mobile Audio Recording

Internal ARP Scan

Netbios & SMB Scan

Async Netbios Scan

Internal Ping Scan

Internal Port Scan

Port Scan & Service Detection

Enumerate Network Shares (Windows)

Enumerate Permission Groups (Windows)

List .NET Framework Versions

Retrieve RDP Port (Windows)

Get Domain Host IPs

Enumerate Domain Hostnames

Retrieve Domain Info

Get Domain Controller Info

Find AV Processes

Retrieve Public IP

Get Last Logged-On User (Domain)

Get Locally Logged-On Users (Domain)

Check Container Environment

Lateral Movement

MS17-010 Scanner

MS17-010 Exploit (C#)

Ladon7.0 C# Plugin

Invoke-WMIExec Pass the Hash

WMI Pass the Hash

PSEXEC Pass Clear/Hash

SharpWMI Lateral Movement

WMI Pass Clear Text

Collection

Archive & Exfiltrate Directory

Split Archive via 7z

On this page

Windows Registry Run Key Persistence

The module achieves persistence by writing the Trojan file path in the registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Note

This method is not anti-detection.

Operation Method

Refer to Winlogon Helper DLL Persistence

Last updated:

Pager

Previous pageRegistry Run Keys (C#)

Next pageScheduled Task Persistence (Windows)

Terms Of Service · Privacy Policy · Support

Copyright © 2020-2025 Viper Red Team Platform