Task 3.1: Persistence attack with registry key add
In this task, you’ll initiate a persistence attack on the connected Azure VM which has the Azure Monitor Agent pre-configured.
The following document may help you understand detecting persistence attacks.
- Maximize the WORKSTATION5 remote desktop session.
  Note: If the remote desktop session has been closed, you can re-open it by selecting the WORKSTATION5.rdp file found in C:\Users\Admin\Downloads and using these credentials:
  Username: WinAdmin
  Password: Passw0rd!1234
- If necessary, open a Command Prompt with the option Run as Administrator and then, in the User Account Control window that appears, select Yes.
- To simulate program persistence, run this command and select Enter.
  REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "SOC Test" /t REG_SZ /F /D "C:\temp\startup.bat"
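To show what a detection for this step keys on, the following added example (not part of the original lab) parses process command lines and reports any reg add that writes a Run or RunOnce value. It assumes command lines are being collected, for example from process-creation events; the function names and every sample line except the lab command are constructed for illustration.

```python
import re

# Hypothetical helpers. Autostart keys covered: Run and RunOnce under HKCU/HKLM.
RUN_KEY = re.compile(
    r'^(HKCU|HKLM|HKEY_CURRENT_USER|HKEY_LOCAL_MACHINE)'
    r'\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)$',
    re.IGNORECASE)
TOKEN = re.compile(r'"([^"]*)"|(\S+)')

def tokenize(cmdline):
    """Split a command line into arguments, honouring double quotes (simplified)."""
    return [quoted or bare for quoted, bare in TOKEN.findall(cmdline)]

def parse_run_key_add(cmdline):
    """Return details of a 'reg add' that writes a Run/RunOnce value, else None."""
    args = tokenize(cmdline)
    if len(args) < 3:
        return None
    # Accept "reg", "REG.EXE" or a full path to the binary.
    exe = args[0].lower().replace("/", "\\").rsplit("\\", 1)[-1]
    if exe not in ("reg", "reg.exe") or args[1].lower() != "add":
        return None
    if not RUN_KEY.match(args[2]):
        return None
    found = {"key": args[2], "name": None, "type": None, "data": None}
    switches = {"/v": "name", "/t": "type", "/d": "data"}  # reg switches are case-insensitive
    i = 3
    while i < len(args):
        field = switches.get(args[i].lower())
        if field and i + 1 < len(args):
            found[field] = args[i + 1]
            i += 2
        else:
            i += 1  # switches without an argument, such as /f
    return found

# Constructed sample input: the lab command plus three made-up lines.
SAMPLE_CMDLINES = [
    r'REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "SOC Test" /t REG_SZ /F /D "C:\temp\startup.bat"',
    r'reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"',
    r'C:\Windows\System32\reg.exe add HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce /v Updater /d "C:\ProgramData\u.exe" /f',
    r'reg add "HKCU\SOFTWARE\Contoso\Settings" /v Theme /d dark /f',
]

def detect(cmdlines):
    """Return one record per command line that adds an autostart value."""
    return [hit for hit in map(parse_run_key_add, cmdlines) if hit]

if __name__ == "__main__":
    for hit in detect(SAMPLE_CMDLINES):
        print(hit)
```

The value data is the field to triage first: an autostart entry pointing at a script in a user-writable folder such as C:\temp is what this lab simulates.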