WINDOWS
PERSISTENCE
METHODS

Defenders look for newly created Run key values with unusual paths. Common evasion approaches:

• Value name camouflage — names like WindowsDefenderUpdate, MicrosoftEdgeUpdater, OneDriveSync blend in with legitimate entries
• Path camouflage — binaries in C:\Windows\System32\, C:\Program Files\, or %APPDATA%\Microsoft\ are less suspicious than arbitrary temp paths
• LOLBin chains — use a native Windows binary as the payload wrapper: wscript.exe C:\legit\update.vbs, mshta.exe http://..., or rundll32.exe
• RunOnce for single execution — auto-cleans itself; useful for one-shot stagers that re-register from within the payload

Beyond the standard Run keys, several other registry locations trigger execution on logon with lower monitoring coverage on some endpoints:

• HKCU\Environment\UserInitMprLogonScript — executes a script at logon, originally for network drive mapping
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit — comma-separated list of programs launched by winlogon.exe after logon; appending a path to the existing value is stealthy
• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell — specifies the shell (default: explorer.exe); replacing or appending causes execution alongside explorer
• HKCU\SOFTWARE\Classes\*\shellex\ContextMenuHandlers — COM-based, fires on right-click; requires a registered COM object

Task names include their folder path. Nesting a malicious task inside a legitimate-looking Microsoft subfolder makes it visually identical to real Windows tasks in Task Scheduler's UI. Useful paths:

• \Microsoft\Windows\WindowsUpdate\
• \Microsoft\Windows\Maintenance\
• \Microsoft\Windows\Application Experience\
• \Microsoft\Windows\.NET Framework\

The XML definition also allows setting <Hidden>true</Hidden> which hides the task from the Task Scheduler GUI (it still shows in schtasks /query output and in the raw XML files on disk).

Running a task as SYSTEM requires administrator at creation time but the task then executes with full SYSTEM privileges on every trigger. CLI approach: schtasks /create ... /ru SYSTEM. COM API approach: set the principal's LogonType to TASK_LOGON_SERVICE_ACCOUNT and UserId to SYSTEM.

SYSTEM tasks are triggered even when no user is logged in — crucial for server persistence. They also bypass UAC since SYSTEM is above the administrator elevation boundary.

A standalone service binary is trivially visible: the SCM lists it, tasklist /svc shows the PID, and the binary path is in the registry. The svchost-DLL technique hides the malicious code inside svchost.exe — a process that always runs dozens of legitimate services. Incident responders must inspect the DLL load list of each svchost instance to find the malicious one.

The DLL must export ServiceMain(DWORD argc, LPTSTR* argv) and handle service control messages via a registered handler. If it doesn't, the SCM will mark the service as failed to start — a noisy indicator.

WMI subscription data is stored in the WMI Repository at C:\Windows\System32\wbem\Repository\ — a set of binary database files managed by the WMI service (winmgmt). These files are not human-readable and are not touched by most persistence-scanning tools that focus on registry and startup directories.

The repository persists across reboots. Deleting the repository files and letting Windows rebuild them (which it does automatically on next boot) is one of the more aggressive remediation approaches. The safer approach is deleting the specific subscription objects via PowerShell or WMI queries.

Instead of CommandLineEventConsumer, WMI also provides ActiveScriptEventConsumer which executes a VBScript or JScript payload stored directly in the WMI subscription object — the script text is embedded in the WMI repository, not on disk. This is fully fileless.

$consumer = Set-WmiInstance ... -Class ActiveScriptEventConsumer -Arguments @{
Name = 'MyConsumer';
ScriptingEngine = 'VBScript';
ScriptText = 'Set oShell = CreateObject("WScript.Shell") : oShell.Run "calc.exe"';
}

The VBScript text is stored inside the WMI repository binary files — there's no .vbs file anywhere on the filesystem. Detection requires either WMI auditing (Event ID 5861 in the Microsoft-Windows-WMI-Activity/Operational log) or active hunting in the repository.

Placing an .exe directly in the startup folder is maximally obvious — both Defender and any AV will scan it immediately on placement. A .lnk shortcut pointing to a payload elsewhere is slightly better: it splits the indicator (the shortcut in the startup folder) from the payload (the binary somewhere else).

• .lnk forensics: The shortcut file contains the full target path in plaintext — trivially readable. exiftool and lnk-parser both extract all fields including MAC address of the creating machine, timestamps, volume serial number, and SID of the creating user.
• Shell execute behavior: Windows uses the ShowCmd field from the .lnk — setting it to SW_MINIMIZE (7) hides the console window, reducing user visibility of the payload launching.
• Script alternatives: .bat, .cmd, .vbs, .ps1 files also execute from startup folders. PowerShell scripts require execution policy bypass — prepend powershell.exe -ExecutionPolicy Bypass -File in the shortcut arguments.

The ideal sideload host binary has four properties:

• Signed by a trusted vendor — Microsoft, Google, Adobe. The parent process signature is what EDR checks when evaluating child behavior. Execution under a Microsoft-signed binary inherits implicit trust from many detection heuristics.
• User-writable installation directory — Teams classic and OneDrive install into %LOCALAPPDATA%, not Program Files. Standard users own that directory and can freely write to it — no elevation required for the entire attack chain.
• Auto-starts on logon — Teams and OneDrive add themselves to the Run key during installation. This means the sideload fires automatically without the attacker needing to add any additional persistence entry (though adding one increases reliability).
• Imports a DLL not in its own directory — the DLL must be resolved by Windows search order rather than loaded from the app's own directory. CRYPTSP.dll for Teams, WSCAPI.dll for OneDrive, dbghelp.dll for various others.

Beyond Teams, these targets have been publicly documented as sideload-friendly and are commonly present on enterprise endpoints:

• OneDrive (%ProgramFiles%\Microsoft OneDrive\OneDrive.exe) — WSCAPI.dll. OneDrive's Run key entry means the chain works without adding any additional persistence.
• Notepad++ (%ProgramFiles%\Notepad++\notepad++.exe) — dbghelp.dll. Common developer tool; the app dir is writable by admins and sometimes standard users depending on install type.
• 7-Zip (%ProgramFiles%\7-Zip\7zFM.exe) — NETAPI32.dll. Similar install directory pattern.
• Adobe Reader — multiple DLL candidates depending on version; EAFCleanup.dll and icucnv*.dll have been identified in public research.
• PuTTY — commonly installed in user-writable locations, imports several DLLs that Windows resolves by search order.
• Windows system binaries in C:\Windows\ — wlrmdr.exe loads SlideShow.dll from the current working directory; sigverif.exe loads fveapi.dll from CWD. Useful when combined with CWD control techniques.

The #pragma comment(linker, "/export:Fn=RealDll.Fn") approach is the cleanest but requires knowing all export names at compile time. Two runtime alternatives:

GetProcAddress forwarding: In the proxy DLL, load the original DLL at runtime with LoadLibraryW(L"CRYPTSP_orig.dll"), then for each exported function create a stub that calls GetProcAddress(hOrig, "FunctionName") and jumps to it. More flexible — doesn't require compile-time export lists — but requires a stub per function and is more code.

Delay-load forwarding: Use /DELAYLOAD:CRYPTSP_orig.dll at link time so the original DLL is only loaded on first call to a forwarded function, not immediately on DLL load. Reduces startup time and avoids a double-load pattern if Teams also loads CRYPTSP through other means.

The .def file approach: Instead of pragma comments, write a CRYPTSP_proxy.def module definition file with all exports listed, then pass it to the linker: x86_64-w64-mingw32-g++ -shared -o CRYPTSP.dll CRYPTSP_proxy.cpp CRYPTSP_proxy.def -Wl,--kill-at. Cleaner for large export tables.

DLL sideloading detection is harder than Run key or service detection but several signals exist:

• Sysmon Event 7 (ImageLoad) with ImageLoaded containing a DLL path that doesn't match its expected location — e.g., CRYPTSP.dll loaded from %LOCALAPPDATA%\Microsoft\Teams\ instead of System32
• Unsigned or self-signed DLL loaded by a signed process — Signed = false or SignatureStatus != Valid in Sysmon Event 7
• New DLL file creation in a known application directory — Sysmon Event 11 with TargetFilename in the Teams/OneDrive/Edge directory that isn't a DLL the application ships
• Process spawned by a trusted parent with unexpected behavior — Teams spawning calc.exe, making outbound connections on unusual ports, or loading additional unsigned modules

ES|QL rule skeleton:

FROM logs-windows.sysmon_operational-*
WHERE event.code == "7" // ImageLoad
AND dll.path LIKE "%\\Microsoft\\Teams\\%"
AND NOT dll.pe.company == "Microsoft Corporation"
AND NOT dll.code_signature.trusted == true
KEEP host.name, process.name, dll.path, dll.code_signature.status

The detection rules above require these Sysmon event types to be enabled and ingested:

• Event 1 (ProcessCreate) — process execution with command line
• Event 11 (FileCreate) — file creation with target path
• Event 13 (RegistryValueSet) — registry value modifications
• Event 19 (WmiEventFilter) — WMI filter created
• Event 20 (WmiEventConsumer) — WMI consumer created
• Event 21 (WmiEventConsumerToFilter) — binding created

The SwiftOnSecurity Sysmon config (github.com/SwiftOnSecurity/sysmon-config) covers all of these by default. For Event 13 specifically, ensure the registry path filter includes \CurrentVersion\Run and the startup folder paths.

Reactive detection from logs is the floor. Proactive hunting means running these on demand against a live machine or via EDR query interfaces:

# All Run key entries
Get-ItemProperty HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

# All scheduled tasks with actions
Get-ScheduledTask | ForEach {$_.Actions} | Select-Object Execute, Arguments

# All non-Microsoft services
Get-WmiObject Win32_Service | Where {$_.PathName -notlike "*System32\svchost*"} | Select Name, PathName

# WMI subscriptions
Get-WmiObject -Namespace root\subscription -Class CommandLineEventConsumer
Get-WmiObject -Namespace root\subscription -Class __EventFilter

# Startup folder contents
Get-ChildItem "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
Get-ChildItem "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"

Sysinternals Autoruns (Mark Russinovich) enumerates every persistence location on a Windows machine in one tool — Registry Run keys, scheduled tasks, services, startup folders, browser extensions, codecs, AppInit DLLs, LSA providers, Winlogon entries, and dozens more. It also provides VirusTotal integration and highlights entries with missing or unsigned binaries.

• CLI version: autorunsc.exe -a * -h -s -c -accepteula > baseline.csv — exports all entries in CSV format; compare against a known-good baseline to find additions
• GUI version: Right-click any entry to jump to its registry path or file location; click Options → Scan Options to enable VT lookups
• Enterprise use: Run autorunsc via EDR sensor deployment and ingest the CSV into SIEM for fleet-wide persistence visibility