Operator On The Wire

Persistence

Registry-Based

  • RegOpenKeyEx

  • RegCreateKeyEx

  • RegSetValueEx

  • RegQueryValueEx

  • RegDeleteValue

  • RegDeleteKey

Typical targets:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run

  • HKLM\...\Run

  • RunOnce (same key paths as Run; the value is removed after its single execution, so it is often used for staging)

  • Services (HKLM\SYSTEM\CurrentControlSet\Services; usually written through the SCM APIs below, direct Reg* writes here are themselves a red flag)

  • IFEO (Image File Execution Options; a Debugger value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<exe> hijacks every launch of that executable)

  • Shell (the Winlogon Shell value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, which replaces or chains onto explorer.exe at logon)

Note: RegOpenKeyEx and RegQueryValueEx appear in almost every benign binary. The signal is RegCreateKeyEx/RegSetValueEx (or the Delete calls) together with one of the above paths in the strings or constructed at runtime.


Service Persistence

  • OpenSCManager

  • CreateService

  • StartService

  • ChangeServiceConfig (also used to hijack an existing service's binary path or start type)

  • DeleteService

Note: check the dwStartType argument passed to CreateService/ChangeServiceConfig; SERVICE_AUTO_START (2) is what makes the service survive a reboot.


Scheduled Tasks

  • ShellExecute (invoking schtasks)

  • CreateProcess (with schtasks command)

  • ITaskService COM usage (CoCreateInstance on the Task Scheduler class; the ProgID string "Schedule.Service" in the binary is the usual static tell, since the interface methods are vtable calls and never appear as imports)


WMI Persistence

  • IWbemServices::PutInstance (a COM vtable call, so it will not appear in the import table; look for CoCreateInstance plus the strings below)

  • CoCreateInstance (WMI objects, i.e. the WbemLocator/WbemServices classes)

Typical strings: ROOT\subscription, __EventFilter, CommandLineEventConsumer or ActiveScriptEventConsumer, and __FilterToConsumerBinding, which together form a permanent WMI event subscription.


Startup Folder

  • CopyFile

  • MoveFile

  • SHGetFolderPath (with CSIDL_STARTUP for the per-user folder or CSIDL_COMMON_STARTUP for the all-users folder)

  • SHGetKnownFolderPath (with FOLDERID_Startup or FOLDERID_CommonStartup)

Typical strings: ...\Start Menu\Programs\Startup, either resolved through the APIs above or hardcoded under %APPDATA% or %ProgramData%.
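One way to operationalize the lists above, as an added example that is not code from the original page: a small Python triage pass over an import table and a strings dump that a static tool has already extracted. The API names are the ones this page lists; the target-string patterns, the split between generic and write-capable APIs, the GetProcAddress heuristic for dynamically resolved imports, and the sample inputs are this example's own assumptions.

```python
"""Triage Win32 persistence indicators from a binary's import table and strings.

Added example for this page (not code from the original page or the site). It
assumes an analyst has already extracted two lists with a static tool, e.g. the
PE import names and printable strings, and wants a first-pass verdict per
persistence category. The API sets mirror the page's lists; the target-string
patterns and the constructed sample inputs below are this example's own.
"""
import re

# API families from the page, keyed by persistence category. Names are stored
# without the A/W suffix; normalize_api() strips it before lookup.
PERSISTENCE_APIS = {
    "registry": {"RegOpenKeyEx", "RegCreateKeyEx", "RegSetValueEx",
                 "RegQueryValueEx", "RegDeleteValue", "RegDeleteKey"},
    "service": {"OpenSCManager", "CreateService", "StartService",
                "ChangeServiceConfig", "DeleteService"},
    "scheduled_task": {"ShellExecute", "CreateProcess"},
    # IWbemServices::PutInstance is a COM vtable call and never shows up as an
    # import, so WMI is evidenced by CoCreateInstance plus strings.
    "wmi": {"CoCreateInstance"},
    "startup_folder": {"CopyFile", "MoveFile", "SHGetFolderPath",
                       "SHGetKnownFolderPath"},
}
ALL_APIS = set().union(*PERSISTENCE_APIS.values())

# Present in almost every benign program: evidence only when paired with a
# target string. The remaining (create/write/delete) APIs count on their own.
GENERIC_APIS = {"RegOpenKeyEx", "RegQueryValueEx", "OpenSCManager",
                "ShellExecute", "CreateProcess", "CoCreateInstance",
                "CopyFile", "MoveFile", "SHGetFolderPath", "SHGetKnownFolderPath"}

# Strings that tie an API to a persistence location (assumed patterns, built
# from the targets the page lists).
TARGET_PATTERNS = {
    "registry": [r"CurrentVersion\\Run(Once)?\b", r"CurrentControlSet\\Services\\",
                 r"Image File Execution Options", r"\\Winlogon\b"],
    "service": [r"CurrentControlSet\\Services\\"],
    "scheduled_task": [r"\bschtasks(\.exe)?\b", r"Schedule\.Service"],
    "wmi": [r"ROOT\\subscription", r"__EventFilter", r"EventConsumer",
            r"__FilterToConsumerBinding"],
    "startup_folder": [r"Start Menu\\Programs\\Startup"],
}
TARGET_PATTERNS = {k: [re.compile(p, re.I) for p in v]
                   for k, v in TARGET_PATTERNS.items()}


def normalize_api(name):
    """Map RegSetValueExW / RegSetValueExA to RegSetValueEx; leave others as-is."""
    if name[-1:] in ("A", "W") and name[:-1] in ALL_APIS:
        return name[:-1]
    return name


def triage(imports, strings):
    """Return {category: {apis, dynamic, targets, verdict}} for categories with evidence.

    verdict: high   = write-capable API and a matching target string
             medium = only one of the two
             low    = only generic APIs, no target string
    """
    static = {normalize_api(n) for n in imports}
    # Malware that hides its imports resolves them at runtime: the API names then
    # appear as strings next to GetProcAddress. Treat those as imports too.
    dynamic = set()
    if "GetProcAddress" in static:
        dynamic = {normalize_api(s) for s in strings} & ALL_APIS
    effective = (static | dynamic) & ALL_APIS

    findings = {}
    for category, apis in PERSISTENCE_APIS.items():
        hit_apis = effective & apis
        targets = [s for s in strings
                   if any(p.search(s) for p in TARGET_PATTERNS[category])]
        if not hit_apis and not targets:
            continue
        strong = bool(hit_apis - GENERIC_APIS)
        if strong and targets:
            verdict = "high"
        elif strong or targets:
            verdict = "medium"
        else:
            verdict = "low"
        findings[category] = {
            "apis": sorted(hit_apis),
            "dynamic": sorted(hit_apis & dynamic),
            "targets": targets,
            "verdict": verdict,
        }
    return findings


# Constructed sample: what an import table and strings dump might show.
SAMPLE_IMPORTS = ["RegOpenKeyExW", "RegSetValueExW", "RegCloseKey", "CreateProcessW",
                  "GetProcAddress", "LoadLibraryA", "CoCreateInstance",
                  "CopyFileW", "SHGetFolderPathW"]
SAMPLE_STRINGS = ["Software\\Microsoft\\Windows\\CurrentVersion\\Run",
                  "schtasks /create /sc onlogon /tn Updater /tr",
                  "CreateServiceW",            # only a string: resolved at runtime
                  "ROOT\\subscription", "kernel32.dll"]

if __name__ == "__main__":
    for category, f in triage(SAMPLE_IMPORTS, SAMPLE_STRINGS).items():
        print(f"{category:15} {f['verdict']:6} apis={f['apis']} "
              f"dynamic={f['dynamic']} targets={f['targets']}")
```

On the constructed sample this reports registry as high (RegSetValueEx plus a Run path), service as medium with CreateService flagged as dynamically resolved, scheduled_task and wmi as medium because the only API evidence is a generic call that a string ties to schtasks or ROOT\subscription, and startup_folder as low. The generic/strong split is the caveat that matters in practice: an import list full of RegOpenKeyEx, CreateProcess and CopyFile means nothing by itself, and a missing import means nothing either once GetProcAddress is present.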