Persistence techniques allow threat actors to maintain access to systems across changes. This includes using services, the registry, scheduled tasks, and startup folders. Services can be configured to run automatically at startup under privileged accounts. The registry stores program settings and entries in the Run subkey launch software automatically. Scheduled tasks launch programs or scripts on a defined schedule. Applications placed in startup folders run every time the system starts up, either for a single or all users.

1. Persistence
• Techniques that threat actors use to keep access to systems across
restarts, changed credentials, and other interruptions that could cut
off their access
• Service
• Registry
• Scheduled Tasks
• Startup Folder

2. Persistence - Service
• set to run automatically when the OS starts
• normally run as SYSTEM or another privileged account
• It is possible to list running services using net start at the command
line, but doing so will display only the names of running services

3. Persistence - Service
• Sc query *servicename*
• Powershell get-service

4. Persistence - Registry
Registry
• stores OS and program configuration data, such as settings and options

5. Persistence - Registry
Writing entries to the Run subkey sets up software to run
automatically.

6. Persistence – Scheduled Tasks
• Task Scheduler is a job scheduler in Microsoft Windows that launches
computer programs or scripts at pre-defined times or after specified
time intervals

7. Persistence – Startup Folder
• Any application placed inside it will automatically run when a
Windows machine is started
• %appdata%MicrosoftWindowsStart MenuProgramsStartup –
Single User
• C:ProgramDataMicrosoftWindowsStart MenuProgramsStartUp
– All users