Previously on The Purple Team Chronicles
A forgotten admin account gave the Shadow Syndicate their opening. The Red Team struck silently. The Blue Team detected the odd login and shut the account down just in time. The adversary was inside but not deep enough.
Alex, the Red Team lead, wasn’t one to give up. With the initial access path blocked, it was time to ensure that the door didn’t just swing shut behind him; it needed to stay ajar.
Building a Backdoor
Alex stared at the access logs and smirked. “Okay, Michelle. You spotted me. Let’s see how deep you’re watching.”
From his beachhead, he knew he had to anchor his presence before the Blue Team sealed off his entry point. He reached into his arsenal not for malware, but for Windows itself.
Red Team Technique:
- T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys
- reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "ShadowPersist" /t REG_SZ /d "powershell.exe -ExecutionPolicy Bypass -File C:\backdoor.ps1"
This backdoor wouldn’t trigger alarms from AV tools; it used native PowerShell execution. It was subtle, fast, and fileless.
The script? A lightweight listener that would open a covert reverse shell whenever the machine rebooted.
“Persistence established,” Alex whispered. “Now, let’s move laterally.”
Michelle Detects the Echo
While the attackers worked, Michelle ran routine endpoint audits through Vicarius vRx.
The platform had flagged a registry change as part of its behavioral baselining: HKLM\Software\Microsoft\Windows\CurrentVersion\Run had a new entry, ShadowPersist.
She didn’t recognize it. That was enough.
Blue Team Response:
- Registry Inspection: Get-ItemProperty -Path HKLM:\...\Run
- Removal: Remove-ItemProperty -Path HKLM:\...\Run -Name "ShadowPersist"
- Correlated Alert from vRx: “Suspicious startup script detected on host VM-3478. Match: LOLBin pattern.”
“That’s not a normal IT script,” Michelle muttered. “We’ve got a sleeper implant.”
She triggered a targeted script rollback using vRx, isolating the host from domain assets and starting a timeline to investigate lateral activity.
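The registry inspection and removal steps above, expanded into a reusable audit, as an added example that is not part of the original post or of Vicarius vRx. It enumerates the common Run/RunOnce autostart locations, flags values that match LOLBin patterns (PowerShell with -ExecutionPolicy Bypass, encoded commands, hidden windows, scripts launched from scratch directories), pulls any Sysmon Event ID 13 registry-write events for those keys and marks the ones that happened outside business hours, and keeps a record of what was removed. The suspicious-pattern list, the 08:00-18:00 business-hours window, the Sysmon log name and the CSV evidence path are assumptions chosen for this example; it assumes Windows PowerShell 5.1 or later with rights to read HKLM.

```powershell
# Added example (not from the original post): audit Windows autostart Run keys
# for LOLBin-style persistence and remove a confirmed entry with an audit trail.
# Assumptions: PowerShell 5.1+, read access to HKLM, Sysmon optional.

$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumed indicator patterns; matched case-insensitively against each value's command line
$SuspiciousPatterns = @(
    'powershell(\.exe)?\s',                       # PowerShell launched at logon
    '-ExecutionPolicy\s+Bypass',                  # policy bypass, as in the ShadowPersist entry
    '-(e|ec|enc|EncodedCommand)\s',               # base64-encoded payloads
    '-(w|WindowStyle)\s+Hidden',                  # hidden console window
    '(mshta|wscript|cscript|rundll32|regsvr32)',  # other script/proxy-execution LOLBins
    '\.(ps1|vbs|js|hta|bat)\b',                   # script file as the autostart target
    '\\(Temp|AppData|ProgramData|Users\\Public)\\' # scratch locations
)

function Get-RunKeyFindings {
    [CmdletBinding()]
    param([string[]]$Paths = $RunKeys)

    foreach ($path in $Paths) {
        if (-not (Test-Path $path)) { continue }
        $props = Get-ItemProperty -Path $path
        # Skip the PS* metadata properties that Get-ItemProperty adds (PSPath, PSParentPath, ...)
        $names = $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            Select-Object -ExpandProperty Name
        foreach ($name in $names) {
            $value = [string]$props.$name
            $hits  = @($SuspiciousPatterns | Where-Object { $value -imatch $_ })
            [PSCustomObject]@{
                Key        = $path
                Name       = $name
                Command    = $value
                Suspicious = ($hits.Count -gt 0)
                Matched    = ($hits -join '; ')
            }
        }
    }
}

function Get-RunKeyChangeEvents {
    # Sysmon Event ID 13 = registry value set. Flags writes to Run keys outside business hours.
    param([int]$Hours = 24, [int]$BusinessStart = 8, [int]$BusinessEnd = 18)

    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 13
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '\\CurrentVersion\\Run' } |
        ForEach-Object {
            $hour  = $_.TimeCreated.Hour
            $lines = $_.Message -split "`n" | Where-Object { $_ -match '^(Image|TargetObject|Details):' }
            [PSCustomObject]@{
                Time       = $_.TimeCreated
                OutOfHours = ($hour -lt $BusinessStart -or $hour -ge $BusinessEnd)
                Details    = ($lines -join ' | ')
            }
        }
}

function Remove-RunKeyEntry {
    # Preserve the value as evidence before deleting it, then remove it.
    param(
        [Parameter(Mandatory)][string]$Key,
        [Parameter(Mandatory)][string]$Name,
        [string]$EvidencePath = "$env:TEMP\runkey-removals.csv"   # assumed location
    )
    $value = (Get-ItemProperty -Path $Key -Name $Name).$Name
    [PSCustomObject]@{ Key = $Key; Name = $Name; Command = $value; RemovedAt = Get-Date } |
        Export-Csv -Path $EvidencePath -Append -NoTypeInformation
    Remove-ItemProperty -Path $Key -Name $Name
}

# Usage: review first, remove deliberately.
$findings = Get-RunKeyFindings
$findings | Format-Table Key, Name, Suspicious, Matched -AutoSize
$findings | Where-Object Suspicious | ForEach-Object {
    Write-Warning "Suspicious autostart: $($_.Key) -> $($_.Name) = $($_.Command)"
}
Get-RunKeyChangeEvents | Where-Object OutOfHours | Format-Table -AutoSize
# Remove-RunKeyEntry -Key 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'ShadowPersist'
```

Against the entry from the story, the ShadowPersist value would match the PowerShell, -ExecutionPolicy Bypass and .ps1 patterns, which is the same "LOLBin pattern" signal the vRx alert describes. The removal is left as a commented call on purpose: on a shared server a legitimate management agent can also live in the Run key, so the finding should be reviewed (and the process that wrote it identified from the Sysmon Image field) before the value is deleted.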

Parallel Play: Red and Blue – Round 2
Red Team Actions:
- Attempted stealth persistence via autostart script injection
- Deployed PowerShell-based backdoor (fileless execution)
- Began probing neighboring machines on subnet
Blue Team Actions:
- Detected unauthorized registry persistence
- Used Vicarius to auto-remediate and roll back script
- Initiated host containment and alert correlation
Vicarius in Action: Cutting Off the Callback
Here’s how vRx helped Michelle stay ahead:
- Behavioral Monitoring: Flagged changes to registry autostart locations
- Live Asset Telemetry: Identified that the change happened outside normal operational hours
- Automated Response: Triggered policy to reverse registry tampering and notify the Blue Team via Slack + SIEM
Real-World Parallel
APT29 (Cozy Bear), known for using similar fileless persistence via native Windows features in the SolarWinds campaign, leveraged LOLBins and registry keys to maintain footholds in targeted networks.
Lesson: Defenders must assume breach and monitor behavior, not just known malware.
Key Takeaways
- Persistence doesn’t require malware, just creativity
- Registry changes are a critical detection surface
- Vicarius vRx’s behavioral monitoring and policy automation catch changes that static tools miss
- Defense isn’t just about blocking; it’s about removing the attacker’s tools before they’re used
Next Time on The Purple Team Chronicles
Episode 3: Shadow in the Hall – Lateral Movement Unleashed
With persistence denied, Alex shifts to aggressive credential theft. Michelle counters with endpoint telemetry and privilege escalation lockdowns. The chess match intensifies.