Windows Agent Persistence Issues

[CyberSecNB]

Hello,

I've begun to look at ways to keep agents alive for prolonged periods of time in my lab. Using the Sandcat agent and PowerShell deployment on Windows endpoints works fine, but after a client reboot the agents show as dead. If I re-run the installer a new Agent is created in the caldera console and the old one shows as dead/untrusted.

Is there a recommended deployment model to maintain agent persistence?

[uruwhy]

The typical deployment options you'll see in Caldera are not meant to persist across target host reboots. If you're interested in persistence across reboots, there are a few options on Windows:

• Create a Windows service that executes the sandcat agent binary with the desired parameters. This won't be 100% clean because the sandcat agent isn't designed to run as a service, so while the binary will run, the service controller will think that the service failed to start because it didn't get the necessary control response.
• Create registry run keys (either for the current user or for the local machine) that will execute the binary with desired parameters. You can read the MITRE ATT&CK® page on this technique here for reference. This will cause the agent to run when the user logs in.
• Create a scheduled task that will execute the binary on system startup or on user logon. There are several ways to do this (via the task scheduler UI, via the schtasks.exe utility, or via PowerShell cmdlets for scheduled tasks)

In terms of what's recommended, it depends on what you want to test or detect. Each of these methods will generate different telemetry, so if you're basing this activity on a specific adversary or trying to test a specific analytic, you'll have to choose accordingly.