Windows Persistence Mechanisms

Detect and investigate attacker persistence techniques on Windows systems.

Last updated: February 2026

Purpose and Scope

Persistence allows attackers to maintain access across reboots and user logoffs. This playbook covers detecting common Windows persistence mechanisms using endpoint and registry telemetry.

Prerequisites

  • Endpoint telemetry: EDR or Sysmon with registry, file, and scheduled task monitoring
  • Windows event logs: Security, System, Task Scheduler, PowerShell
  • Baseline knowledge: Normal startup items, services, and scheduled tasks in your environment
  • SIEM access: For querying and correlating persistence events

Detection Goals

Identify persistence mechanisms including:

  • Registry run keys and startup folders
  • Scheduled tasks and services
  • WMI event subscriptions
  • DLL hijacking and search order abuse
  • Account manipulation

Registry Based Persistence

Run and RunOnce Keys

Programs listed in these keys execute at logon:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

Winlogon Keys

  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

Other Registry Locations

  • HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
  • HKLM\Software\Microsoft\Active Setup\Installed Components
  • AppInit_DLLs keys

Detection Logic

Alert on:

  • New values added to run keys
  • Values pointing to unusual paths (temp, appdata, public)
  • Executables with suspicious names or random strings
  • Scripts (PowerShell, VBS, BAT) in run keys
  • Encoded command lines
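The following script is an added example, not part of the playbook: it enumerates the run keys listed above and applies the alert criteria from the Detection Logic section. The regular expressions are assumed heuristics and should be tuned against your baseline of known-good startup entries.

```powershell
# Added example (not from the playbook): audit run keys against the Detection Logic criteria.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices'
)

# Assumed heuristics, one per bullet in the Detection Logic section.
$UnusualPath = '(?i)\\(temp|appdata|users\\public|programdata)\\'
$ScriptLike  = '(?i)\.(ps1|vbs|vbe|js|jse|bat|cmd|hta)\b|\b(powershell|pwsh|wscript|cscript|mshta)(\.exe)?\b'
$EncodedCmd  = '(?i)\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}'
# Long file name mixing letters AND digits with no separators, e.g. a7f3k9x2q1.exe
$RandomName  = '(?i)\\(?=[a-z0-9]*\d)(?=[a-z0-9]*[a-z])[a-z0-9]{10,}\.exe'

function Test-RunValue {
    param([string]$Data)
    $reasons = @()
    if ($Data -match $UnusualPath) { $reasons += 'unusual-path' }
    if ($Data -match $ScriptLike)  { $reasons += 'script-or-interpreter' }
    if ($Data -match $EncodedCmd)  { $reasons += 'encoded-command' }
    if ($Data -match $RandomName)  { $reasons += 'random-looking-name' }
    return $reasons
}

function Get-SuspiciousRunValue {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        # Get-ItemProperty adds PSPath/PSDrive/... properties; skip those.
        $props = (Get-ItemProperty -Path $key).PSObject.Properties |
                 Where-Object { $_.Name -notlike 'PS*' }
        foreach ($p in $props) {
            $reasons = @(Test-RunValue -Data ([string]$p.Value))
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Key     = $key
                    Name    = $p.Name
                    Command = $p.Value
                    Reasons = $reasons -join ','
                }
            }
        }
    }
}

Get-SuspiciousRunValue | Format-Table -AutoSize -Wrap
```

HKCU: only covers the user running the script; to cover every profile on the host, load the other user hives under HKU: and substitute them for the HKCU: entries.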

Scheduled Tasks

Key Locations

  • Task files: C:\Windows\System32\Tasks
  • Registry: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache
  • Event Log: Microsoft-Windows-TaskScheduler/Operational

Detection Logic

Monitor for:

  • Task creation via schtasks.exe or Task Scheduler COM objects
  • Tasks with SYSTEM privileges created by non-admin users
  • Tasks executing from unusual paths
  • Tasks with encoded PowerShell or download commands
  • Tasks triggered by user logon, system start, or short intervals

Event IDs

  • 4698: Scheduled task created
  • 4699: Scheduled task deleted
  • 4700/4701: Task enabled/disabled
  • 4702: Task updated
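As an added example that is not part of the playbook, the script below reads 4698 (task created) events from the Security log and applies the Detection Logic checks to the task definition each event carries in its TaskContent field. It needs an elevated session to read the Security log; the regular expressions are assumed heuristics.

```powershell
# Added example (not from the playbook): triage 4698 task-creation events.
$UnusualPath = '(?i)\\(temp|appdata|users\\public|programdata)\\'
$EncodedCmd  = '(?i)\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}'
$Download    = '(?i)(downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|bitsadmin|certutil)'
$TaskNs      = 'http://schemas.microsoft.com/windows/2004/02/mit/task'

function Get-SuspiciousTaskCreation {
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        $ev = [xml]$_.ToXml()
        $d  = @{}
        foreach ($x in $ev.Event.EventData.Data) { $d[$x.Name] = $x.'#text' }

        # TaskContent is the full task XML; pull actions, principal and triggers out of it.
        $task = [xml]$d['TaskContent']
        $nsm  = New-Object System.Xml.XmlNamespaceManager($task.NameTable)
        $nsm.AddNamespace('t', $TaskNs)
        $sel  = { param($xp) ($task.SelectNodes($xp, $nsm) | ForEach-Object { $_.InnerText }) -join ' ' }
        $cmdLine  = (& $sel '//t:Exec/t:Command') + ' ' + (& $sel '//t:Exec/t:Arguments')
        $runAs    = & $sel '//t:Principal/t:UserId'
        $triggers = ($task.SelectNodes('//t:Triggers/*', $nsm) | ForEach-Object { $_.LocalName }) -join ','

        $reasons = @()
        if ($cmdLine -match $UnusualPath)  { $reasons += 'unusual-path' }
        if ($cmdLine -match $EncodedCmd)   { $reasons += 'encoded-powershell' }
        if ($cmdLine -match $Download)     { $reasons += 'download-command' }
        if ($triggers -match 'Logon|Boot') { $reasons += 'logon-or-boot-trigger' }   # weak signal alone
        # Runs as SYSTEM but the creating account was not SYSTEM itself.
        if ($runAs -match 'S-1-5-18|SYSTEM' -and $d['SubjectUserSid'] -ne 'S-1-5-18') { $reasons += 'system-task-by-user' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Creator  = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                TaskName = $d['TaskName']
                RunAs    = $runAs
                Triggers = $triggers
                Command  = $cmdLine.Trim()
                Reasons  = $reasons -join ','
            }
        }
    }
}

Get-SuspiciousTaskCreation | Format-List
```

4698 is only written when "Audit Other Object Access Events" is enabled; without it, fall back to the Microsoft-Windows-TaskScheduler/Operational log and the task files under C:\Windows\System32\Tasks.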

Windows Services

Detection Logic

Monitor for:

  • New service installation (Event ID 7045)
  • Service binaries in unusual locations
  • Services with random or suspicious names
  • Service binaries modified after installation
  • Services configured to run as SYSTEM with user-writable paths
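The script below is an added example, not part of the playbook: it reviews 7045 (new service installed) events from the System log for the indicators listed above, in particular a SYSTEM service whose binary sits in a user-writable path. The directory patterns are assumptions.

```powershell
# Added example (not from the playbook): triage 7045 service-installation events.
$UserWritable = '(?i)\\(temp|appdata|users\\public|programdata|users\\[^\\]+\\(downloads|desktop|documents))\\'
# Locations a service binary or driver normally lives in (drivers log paths like \SystemRoot\... or system32\...).
$SystemDirs   = '(?i)^"?(\\\?\?\\)?(\\systemroot\\|system32\\|%systemroot%\\|%programfiles%\\|[a-z]:\\(windows|program files( \(x86\))?)\\)'
$RandomName   = '(?i)\\(?=[a-z0-9]*\d)(?=[a-z0-9]*[a-z])[a-z0-9]{10,}\.(exe|dll|sys)'

function Get-SuspiciousServiceInstall {
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        $ev = [xml]$_.ToXml()
        $d  = @{}
        foreach ($x in $ev.Event.EventData.Data) { $d[$x.Name] = $x.'#text' }
        $image = [string]$d['ImagePath']

        $reasons = @()
        if ($image -match $UserWritable)  { $reasons += 'user-writable-path' }
        if ($image -notmatch $SystemDirs) { $reasons += 'outside-system-dirs' }
        if ($image -match $RandomName)    { $reasons += 'random-looking-name' }
        # The combination the playbook singles out: SYSTEM service, binary where users can write.
        if ($d['AccountName'] -match 'LocalSystem' -and $reasons -contains 'user-writable-path') {
            $reasons += 'system-from-user-writable'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Service   = $d['ServiceName']
                ImagePath = $image
                Account   = $d['AccountName']
                StartType = $d['StartType']
                Reasons   = $reasons -join ','
            }
        }
    }
}

Get-SuspiciousServiceInstall | Format-List
```

To catch "binaries modified after installation", compare the current file's hash and write time against the 7045 timestamp for each hit; the event itself does not carry a hash.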

Registry Locations

  • HKLM\System\CurrentControlSet\Services
  • Look for ImagePath, Start type, and ServiceDLL values

WMI Event Subscriptions

WMI persistence uses three components in the root\subscription namespace: an event filter (a WQL query describing the triggering event, such as a time interval or process start), an event consumer (the action to run, such as a command line or script), and a binding that links the filter to the consumer.

Detection

  • Monitor WMI repository changes
  • Query for EventConsumer and EventFilter instances
  • Look for CommandLineEventConsumer and ActiveScriptEventConsumer
  • Event ID 5861 in Microsoft-Windows-WMI-Activity/Operational

WMI Query Example

Get-WMIObject -Namespace root\Subscription -Class __EventConsumer
Get-WMIObject -Namespace root\Subscription -Class __EventFilter
Get-WMIObject -Namespace root\Subscription -Class __FilterToConsumerBinding
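The three queries above list each component separately; the added example below (not part of the playbook) walks every binding and resolves it to its filter query and consumer payload, flagging the two consumer classes named in the Detection list. It uses Get-CimInstance rather than the deprecated Get-WMIObject. Windows ships one default binding (the SCM Event Log Consumer, an NTEventLogEventConsumer), which is expected to appear.

```powershell
# Added example (not from the playbook): join bindings to their filters and consumers.
$SuspectClasses = 'CommandLineEventConsumer', 'ActiveScriptEventConsumer'

function Get-WmiPersistence {
    $ns = 'root\subscription'
    Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Filter and Consumer are object references; only their key property (Name) is populated,
        # so fetch the full instances by name. Single quotes are escaped for the WQL filter.
        $fName = ([string]$_.Filter.Name).Replace("'", "\'")
        $cName = ([string]$_.Consumer.Name).Replace("'", "\'")
        $filter   = Get-CimInstance -Namespace $ns -ClassName __EventFilter   -Filter "Name='$fName'"
        $consumer = Get-CimInstance -Namespace $ns -ClassName __EventConsumer -Filter "Name='$cName'"
        $cClass   = [string]$consumer.CimClass.CimClassName

        # What actually executes depends on the consumer class.
        $payload = switch ($cClass) {
            'CommandLineEventConsumer'  { "$($consumer.ExecutablePath) $($consumer.CommandLineTemplate)".Trim() }
            'ActiveScriptEventConsumer' { if ($consumer.ScriptFileName) { $consumer.ScriptFileName } else { $consumer.ScriptText } }
            default                     { '' }
        }

        [pscustomobject]@{
            Filter        = $_.Filter.Name
            Query         = $filter.Query
            Consumer      = $_.Consumer.Name
            ConsumerClass = $cClass
            Payload       = $payload
            Suspect       = ($SuspectClasses -contains $cClass)
        }
    }
}

Get-WmiPersistence | Sort-Object Suspect -Descending | Format-List
```

A filter whose Query polls Win32_LocalTime or __InstanceModificationEvent on a short interval, bound to a CommandLineEventConsumer, is the classic shape to escalate.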

Startup Folder

Files in startup folders run at logon:

  • C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

Monitor for new .lnk, .exe, .bat, .vbs, .ps1 files in these locations.

DLL Persistence

DLL Search Order Hijacking

Attackers place malicious DLLs where applications will load them before legitimate versions:

  • Application directory
  • Current directory
  • System directories
  • PATH directories

Detection

  • DLLs in unusual locations loaded by trusted processes
  • Unsigned DLLs loaded by signed executables
  • DLLs with mismatched metadata
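The following added example (not part of the playbook) applies the three checks above to Sysmon image-load events (Event ID 7 in Microsoft-Windows-Sysmon/Operational). Sysmon records the signature of the loaded DLL but not of the loading process, so "signed executable" is approximated by "process running from a trusted directory"; the directory lists are assumptions.

```powershell
# Added example (not from the playbook): flag suspicious DLL loads from Sysmon Event ID 7.
$TrustedDirs = '(?i)^[a-z]:\\(windows|program files( \(x86\))?)\\'
$UnusualDirs = '(?i)\\(temp|appdata|users\\public|programdata|downloads)\\'

function Get-SuspiciousImageLoad {
    param([int]$MaxEvents = 2000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        $ev = [xml]$_.ToXml()
        $d  = @{}
        foreach ($x in $ev.Event.EventData.Data) { $d[$x.Name] = $x.'#text' }
        $proc = [string]$d['Image']
        $dll  = [string]$d['ImageLoaded']
        $dllSigned = ($d['Signed'] -eq 'true') -and ($d['SignatureStatus'] -eq 'Valid')

        $reasons = @()
        # 1. Trusted-location process loading a DLL from an unusual location.
        if ($proc -match $TrustedDirs -and $dll -match $UnusualDirs) { $reasons += 'trusted-proc-unusual-dll-path' }
        # 2. Unsigned (or invalidly signed) DLL loaded by a trusted-location process.
        if ($proc -match $TrustedDirs -and -not $dllSigned) { $reasons += 'unsigned-dll' }
        # 3. Metadata mismatch: file name on disk differs from OriginalFileName in the version resource.
        #    Sysmon writes '-' when the field is empty; -ne is case-insensitive in PowerShell.
        $onDisk = [System.IO.Path]::GetFileName($dll)
        $orig   = [string]$d['OriginalFileName']
        if ($orig -and $orig -ne '-' -and $onDisk -ne $orig) { $reasons += 'name-mismatch' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Process   = $proc
                Dll       = $dll
                Signature = "$($d['Signed'])/$($d['SignatureStatus'])"
                Original  = $orig
                Hashes    = $d['Hashes']
                Reasons   = $reasons -join ','
            }
        }
    }
}

Get-SuspiciousImageLoad | Format-List
```

Sysmon only writes Event ID 7 when the configuration includes an ImageLoad rule; expect noise from third-party software that legitimately ships unsigned DLLs, and whitelist by hash rather than by path.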

Investigation Workflow

  1. Identify the persistence mechanism (registry, task, service, WMI)
  2. Determine when it was created and by what process
  3. Analyze the persisted payload (what does it execute?)
  4. Trace back to initial compromise (how did attacker get access?)
  5. Check for additional persistence mechanisms on the same host
  6. Search for the same persistence across other endpoints

Response Actions

  • Remove the persistence mechanism
  • Delete associated malicious files
  • Block the payload hash and C2 infrastructure
  • Hunt for the same persistence across the environment
  • Investigate how attacker gained initial access
  • Reset credentials if credential theft is suspected
