persistence-info.github.io


The repository gathers information about Windows persistence mechanisms to make protection and detection more efficient. Most of the information has been well known for years and is actively used in a variety of scenarios.
Expect more. I am doing my best to add new entries each day.

How it works. And how to contribute.


👨‍💼 HKCU Run and RunOnce registry keys

👨‍💼 ⚙ Task Scheduler

Image File Execution Options key

Windows Services

AeDebug

WER Debugger *

Natural Language Development Platform 6 DLLs *

GPO Client-side Extension

Filter Handlers for Windows Search

Disk Cleanup Handler

👨‍💼 .chm helper DLL *

hhctrl.ocx *

AMSI Providers

ServerLevelPluginDll

Password Filter

Credential Manager DLL

Authentication Packages

Code Signing DLL

👨‍💼 HKCU cmd.exe AutoRun

LSA Extension

Winlogon Notification Package

Print Monitor

👨‍💼 HKCU Load

MPNotify

Windows Platform Binary Table

Explorer tools *

👨‍💼 Windows Terminal Profile

👨‍💼 Startup Folder

👨‍💼 User Init Mpr Logon Script *

Autodial DLL *

.NET Startup Hooks

👨‍💼 PowerShell Profiles

👨‍💼 TS Initial Program

RDP WDS Startup Programs

IFilter

Recycle Bin COM Extension Handler *

TelemetryController

Monitoring Silent Process Exit

Want more? Check the list tomorrow. :)


* Based on research by @Hexacorn - one of the best persistence hunters.

⚙ Turning the computer on is enough to make the code run.
👨‍💼 An end-user can do it.