What You'll Learn
- Explain how the Windows Service Control Manager (SCM) works and how services are configured to start at boot
- Identify the registry locations, Event IDs, and forensic artifacts associated with malicious service installation
- Describe how Scheduled Tasks work, including the XML task format and the Event IDs that track task lifecycle events
- List the most commonly abused persistence mechanisms: Registry Run Keys, WMI Event Subscriptions, Startup Folder, DLL hijacking, and COM hijacking
- Map each persistence technique to its corresponding MITRE ATT&CK sub-technique
- Perform a systematic persistence audit using Velociraptor's PersistenceSniper artifact and Sysinternals Autoruns
Why Persistence Is the Attacker's Priority
Once an attacker gains initial access to a Windows system, their first concern is survival. A reboot, a user logoff, or a crashed process could sever their foothold entirely. Persistence is the set of techniques attackers use to ensure their code re-executes automatically — surviving reboots, user logoffs, and even some remediation attempts.
Windows provides dozens of legitimate mechanisms for software to start automatically. Each of those mechanisms is a potential persistence vector. Understanding them is not optional for a SOC analyst — it is foundational. If you cannot enumerate every way code can persist on a Windows endpoint, you cannot confidently say a system is clean after an incident.
Persistence is ATT&CK Tactic TA0003. Nearly every intrusion involves at least one persistence technique. The techniques covered in this lesson map to four ATT&CK sub-techniques: T1543.003 (Create or Modify System Process: Windows Service), T1053.005 (Scheduled Task/Job: Scheduled Task), T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys), and T1546.003 (Event Triggered Execution: WMI Event Subscription).
Windows Services Architecture
How the Service Control Manager Works
The Service Control Manager (SCM), running as services.exe, is the central authority for Windows services. Every service on the system — from Spooler to Windows Defender — is registered with and controlled by the SCM.
When Windows boots, the SCM reads the service database from the registry (HKLM\SYSTEM\CurrentControlSet\Services\) and starts each service according to its configured start type:
| Start Type | Value | Behavior |
|---|---|---|
| Boot | 0 | Loaded by the kernel loader (device drivers only) |
| System | 1 | Started by the I/O subsystem during kernel init |
| Automatic | 2 | Started by SCM during boot — most common for persistence |
| Automatic (Delayed) | 2 + DelayedAutostart=1 | Started 1–2 minutes after boot to reduce startup load |
| Manual | 3 | Started only on demand (by another service or user action) |
| Disabled | 4 | Cannot be started |
Service Configuration in the Registry
Every service has a registry key under HKLM\SYSTEM\CurrentControlSet\Services\<ServiceName> containing:
ImagePath : REG_EXPAND_SZ : C:\Windows\System32\svchost.exe -k netsvcs
Start : REG_DWORD : 2 (Automatic)
Type : REG_DWORD : 32 (Win32 Share Process)
ObjectName : REG_SZ : LocalSystem
Description : REG_SZ : "Provides network connectivity..."
The ImagePath value is critical — it specifies the exact binary that runs when the service starts. Attackers who modify this value can execute arbitrary code with the service's privileges (often SYSTEM).
Service Types
| Type Value | Name | Description |
|---|---|---|
| 0x10 (16) | Win32 Own Process | Service runs in its own dedicated process |
| 0x20 (32) | Win32 Share Process | Service shares a svchost.exe process with other services |
| 0x100 (256) | Interactive | Service can interact with the desktop (rare, legacy) |
Services running as SYSTEM have unrestricted access. A malicious service configured with ObjectName: LocalSystem runs with the highest privileges on the machine. It can read any file, modify any registry key, and access any process. This is why unauthorized service creation is a critical detection target.
Service-Based Persistence
How Attackers Create Malicious Services
Attackers create services using built-in Windows tools, making the activity blend in with legitimate administrative operations:
Using sc.exe (command line):
sc create EvilSvc binPath= "C:\Users\Public\payload.exe" start= auto obj= LocalSystem
sc description EvilSvc "Windows Performance Data Helper"
sc start EvilSvc
Using PowerShell:
New-Service -Name "EvilSvc" -BinaryPathName "C:\Users\Public\payload.exe" -StartupType Automatic -Description "Windows Performance Data Helper"
Start-Service -Name "EvilSvc"
Direct registry manipulation (stealthier):
$key = "HKLM:\SYSTEM\CurrentControlSet\Services\EvilSvc"
New-Item -Path $key -Force
Set-ItemProperty -Path $key -Name "ImagePath" -Value "C:\Users\Public\payload.exe"
Set-ItemProperty -Path $key -Name "Start" -Value 2
Set-ItemProperty -Path $key -Name "Type" -Value 16
Set-ItemProperty -Path $key -Name "ObjectName" -Value "LocalSystem"
Detection: Event ID 7045
When a new service is installed, Windows logs Event ID 7045 in the System event log:
Log Name: System
Source: Service Control Manager
Event ID: 7045
Description: A service was installed in the system.
Service Name: EvilSvc
Service File Name: C:\Users\Public\payload.exe
Service Type: user mode service
Service Start Type: auto start
Service Account: LocalSystem
Event ID 7045 is one of the highest-value Windows events for SOC analysts. Any new service installation on a server or workstation outside of a known change window should be investigated. In Lab 3.5, you will hunt for malicious services by querying for 7045 events where the ImagePath points to unusual locations (C:\Users\, C:\Temp\, C:\ProgramData\).
| Indicator | Suspicious | Legitimate |
|---|---|---|
| ImagePath location | C:\Users\Public\, C:\Temp\, C:\ProgramData\ | C:\Windows\System32\, C:\Program Files\ |
| Service name | Random characters, mimics system services | Matches installed software |
| Service account | LocalSystem for non-system software | Dedicated service account or NetworkService |
| Description | Generic or missing | Matches vendor documentation |
| Timing | Outside change windows, after initial access | During software deployment |
Scheduled Tasks
Task Scheduler Architecture
The Task Scheduler service (Schedule) allows programs to run automatically based on triggers: time-based (daily, weekly), event-based (on logon, on event), or condition-based (on idle, on network connect).
Tasks are stored as XML files in C:\Windows\System32\Tasks\ and in the registry under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\.
Creating Scheduled Tasks
Using schtasks.exe:
schtasks /create /tn "WindowsUpdateCheck" /tr "C:\Users\Public\payload.exe" /sc onlogon /ru SYSTEM
Using PowerShell:
$action = New-ScheduledTaskAction -Execute "C:\Users\Public\payload.exe"
$trigger = New-ScheduledTaskTrigger -AtLogon
$principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -RunLevel Highest
Register-ScheduledTask -TaskName "WindowsUpdateCheck" -Action $action -Trigger $trigger -Principal $principal
XML Task Definition
Every scheduled task is defined by an XML file. Understanding this structure is essential for forensic analysis:
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<Triggers>
<LogonTrigger>
<Enabled>true</Enabled>
</LogonTrigger>
</Triggers>
<Principals>
<Principal>
<UserId>S-1-5-18</UserId> <!-- SYSTEM -->
<RunLevel>HighestAvailable</RunLevel>
</Principal>
</Principals>
<Actions>
<Exec>
<Command>C:\Users\Public\payload.exe</Command>
</Exec>
</Actions>
</Task>
Detection: Event IDs 4698, 4699, 4702
| Event ID | Description | Key Fields |
|---|---|---|
| 4698 | A scheduled task was created | TaskName, TaskContent (full XML), SubjectUserName |
| 4699 | A scheduled task was deleted | TaskName, SubjectUserName |
| 4702 | A scheduled task was updated | TaskName, TaskContent (new XML) |
Event ID 4698 contains the full task XML in the event data. This means you can reconstruct exactly what the task was configured to do — the trigger, the action, and the principal — directly from the event log, even if the attacker later deletes the task file from disk. In Lab 3.5, you will extract task XML from 4698 events to identify persistence tasks.
The legacy at.exe command can also create scheduled tasks but is deprecated in modern Windows. Some attackers still use it because older detection rules may not cover it. The equivalent Event ID is 4698 with a task path under \At\.
Registry Run Keys Persistence
The Classic Persistence Mechanism
Registry Run Keys are the most well-known persistence method on Windows. Programs listed in these keys execute automatically during user logon or system startup.
Primary Run Key locations:
| Key | Scope | Runs When |
|---|---|---|
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | All users | Any user logs on |
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Current user only | That user logs on |
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | All users | Next logon only (then deleted) |
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | Current user only | Next logon only (then deleted) |
Setting a Run Key (attacker perspective):
Set-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name "WindowsHelper" -Value "C:\Users\Public\payload.exe"
Additional Registry Persistence Locations
Beyond the standard Run keys, attackers use these less-monitored locations:
| Registry Path | Purpose | ATT&CK |
|---|---|---|
HKLM\...\Winlogon\Shell | Replaces or extends the default shell (explorer.exe) | T1547.004 |
HKLM\...\Winlogon\Userinit | Runs before the shell — often used to inject a loader before Explorer starts | T1547.004 |
HKLM\...\Windows\AppInit_DLLs | DLLs loaded into every process that loads user32.dll | T1546.010 |
HKLM\...\Image File Execution Options\<exe>\Debugger | Intercepts execution of a target binary (IFEO hijack) | T1546.012 |
AppInit_DLLs is a system-wide persistence mechanism. Any DLL listed in this key gets loaded into every user-mode process that uses the Windows GUI subsystem. Attackers abuse this to inject malicious DLLs into hundreds of processes simultaneously. Modern Windows (8+) requires AppInit_DLLs to be code-signed when Secure Boot is enabled, but many environments still lack this protection.
WMI Event Subscriptions
The "Fileless" Persistence Method
Windows Management Instrumentation (WMI) Event Subscriptions are one of the stealthiest persistence mechanisms because they require no files on disk (the payload is stored entirely within the WMI repository database) and no registry modifications that traditional tools would flag.
A WMI persistence implant has three components:
| Component | WMI Class | Purpose |
|---|---|---|
| Event Filter | __EventFilter | Defines the trigger condition (e.g., "when a user logs on") |
| Event Consumer | CommandLineEventConsumer | Defines the action (e.g., "run this command") |
| Binding | __FilterToConsumerBinding | Links the filter to the consumer |
Creating a WMI persistence implant:
$filter = Set-WmiInstance -Namespace "root\subscription" -Class __EventFilter -Arguments @{
Name = "WindowsCoreUpdate"
EventNamespace = "root\cimv2"
QueryLanguage = "WQL"
Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240"
}
$consumer = Set-WmiInstance -Namespace "root\subscription" -Class CommandLineEventConsumer -Arguments @{
Name = "WindowsCoreUpdate"
CommandLineTemplate = "C:\Users\Public\payload.exe"
}
Set-WmiInstance -Namespace "root\subscription" -Class __FilterToConsumerBinding -Arguments @{
Filter = $filter
Consumer = $consumer
}
This implant triggers 4 minutes after boot (SystemUpTime >= 240 seconds) and runs the payload. There is no file in a Startup folder, no registry Run key, and no scheduled task visible in Task Scheduler.
WMI persistence survives most casual forensic inspections. The subscription data is stored in C:\Windows\System32\wbem\Repository\OBJECTS.DATA, which is a binary database not easily readable. Only specialized tools like Velociraptor, Autoruns, or direct WMI queries can enumerate active subscriptions. In Lab 3.5, you will use Velociraptor to discover WMI subscriptions that other tools miss.
Detection: Event ID 5861
Windows 10+ logs WMI Event Subscription activity in the Microsoft-Windows-WMI-Activity/Operational log:
| Event ID | Description |
|---|---|
| 5857 | WMI provider loaded |
| 5858 | WMI query error |
| 5859 | Temporary event consumer registered |
| 5860 | Temporary event consumer deregistered |
| 5861 | Permanent event subscription created — this is the key detection event |
Other Persistence Mechanisms
Startup Folder
The simplest persistence method — drop a shortcut (.lnk) or executable into the Startup folder:
| Path | Scope |
|---|---|
C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ | Current user |
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ | All users |
Easy to detect: any executable or shortcut in these folders that was not placed by IT is suspicious.
DLL Search Order Hijacking
When a program loads a DLL without specifying a full path, Windows searches for it in a predictable order:
- Directory of the calling application
- System directory (
C:\Windows\System32) - Windows directory (
C:\Windows) - Current directory
- PATH directories
An attacker who places a malicious DLL in the application directory (step 1) can hijack the load order, causing the legitimate application to load the malicious DLL instead of the system version.
COM Object Hijacking
Component Object Model (COM) objects are registered in the registry. Attackers modify COM registration entries to point to malicious DLLs. When a legitimate process instantiates the COM object, it loads the attacker's DLL instead.
Key registry locations: HKCU\SOFTWARE\Classes\CLSID\ and HKLM\SOFTWARE\Classes\CLSID\. The HKCU entries take precedence over HKLM, meaning a standard user can hijack COM objects without admin privileges.
Systematic Persistence Detection
The Detection Checklist
Individual persistence checks are necessary but not sufficient. Attackers layer multiple persistence mechanisms. A thorough audit must check all vectors systematically.
| Category | What to Check | Tool |
|---|---|---|
| Services | New/modified services (Event ID 7045, registry) | Wazuh, Velociraptor |
| Scheduled Tasks | Task files, Event ID 4698, TaskCache registry | Velociraptor, Autoruns |
| Registry Run Keys | All Run/RunOnce locations + Winlogon, AppInit_DLLs, IFEO | Velociraptor, Autoruns |
| WMI Subscriptions | __EventFilter, __EventConsumer, __FilterToConsumerBinding | Velociraptor, PowerShell |
| Startup Folder | Files in user and all-users Startup directories | File system listing |
| DLL Hijacking | Unsigned DLLs in application directories | Autoruns, SigCheck |
| COM Hijacking | Modified CLSID entries in HKCU | Velociraptor, Autoruns |
Velociraptor: PersistenceSniper Artifact
Velociraptor's Windows.Persistence.PersistenceSniper artifact automates the entire checklist above in a single hunt:
SELECT * FROM Artifact.Windows.Persistence.PersistenceSniper()
This artifact checks over 50 persistence locations including:
- All registry Run/RunOnce keys (including 32-bit and 64-bit views)
- Services with unusual
ImagePathvalues - Scheduled tasks pointing to non-standard locations
- Active WMI event subscriptions
- Startup folder contents
- Known COM hijack locations
- AppInit_DLLs and IFEO entries
- Boot Execute entries and LSA extensions
In Lab 3.5, you will run PersistenceSniper across a compromised endpoint and identify all planted persistence mechanisms. The lab environment has 5 different persistence techniques pre-planted — your job is to find all of them using Velociraptor, classify each by ATT&CK technique, and document the remediation steps for each.
Sysinternals Autoruns
Microsoft Sysinternals Autoruns is the gold standard GUI tool for persistence enumeration. It checks over 100 autostart locations and shows:
- The autostart entry location
- The binary or script that runs
- The digital signature status (unsigned binaries are flagged)
- The VirusTotal detection ratio (if enabled)
autorunsc.exe -accepteula -a * -c -h -s -v -vt > autoruns_output.csv
| Flag | Purpose |
|---|---|
-a * | Scan all autostart locations |
-c | Output as CSV |
-h | Show file hashes |
-s | Verify digital signatures |
-v | Verify VirusTotal |
-vt | Submit to VirusTotal |
ATT&CK Mapping Summary
| Technique | ID | Persistence Method | Key Detection |
|---|---|---|---|
| Create or Modify System Process: Windows Service | T1543.003 | sc create, New-Service, direct registry | Event ID 7045, new keys under CurrentControlSet\Services |
| Scheduled Task/Job: Scheduled Task | T1053.005 | schtasks /create, Register-ScheduledTask | Event ID 4698, task XML files |
| Boot or Logon Autostart: Registry Run Keys | T1547.001 | Run/RunOnce keys, Winlogon, AppInit_DLLs | Registry value changes in known autostart paths |
| Event Triggered Execution: WMI | T1546.003 | WMI __EventFilter + CommandLineEventConsumer + binding | Event ID 5861, WMI repository queries |
Key Takeaways
- Windows services are controlled by the SCM (
services.exe); every service's configuration lives inHKLM\SYSTEM\CurrentControlSet\Services\— monitor Event ID 7045 for new service installations - Scheduled Tasks provide time-based and event-based persistence; Event ID 4698 captures the full task XML at creation time, making it invaluable for forensic reconstruction
- Registry Run Keys (
HKLM/HKCU\...\Run) are the most common persistence vector — but do not stop there; also checkWinlogon\Shell,AppInit_DLLs, and IFEODebuggerentries - WMI Event Subscriptions are "fileless" persistence that stores payloads in the WMI repository database — invisible to basic file system and registry scans; detect via Event ID 5861
- Other vectors include Startup Folder, DLL search order hijacking, and COM object hijacking — each requiring specific enumeration techniques
- A thorough persistence audit must be systematic: use Velociraptor PersistenceSniper or Sysinternals Autoruns to check all 50+ autostart locations in a single pass
- Map every discovered persistence mechanism to its ATT&CK technique (T1543.003, T1053.005, T1547.001, T1546.003) for consistent reporting and coverage tracking
What's Next
You now understand the major persistence mechanisms on Windows and how to detect them systematically. In Lesson 3.6: Linux Internals for Defenders, you will shift to the Linux operating system and learn the equivalent persistence techniques — cron jobs, systemd services, init scripts, LD_PRELOAD hijacking, and .bashrc/.profile modifications — along with the detection strategies that SOC analysts use to hunt for Linux persistence in enterprise environments.
Knowledge Check: Windows Services, Tasks & Persistence
10 questions · 70% to pass
Which Windows process is responsible for managing all services and reading the service database from the registry at boot?
An attacker creates a new Windows service using 'sc create'. Which Event ID in the System log records this installation?
Where does Windows store the configuration for every registered service in the registry?
Which Event ID captures the full XML definition of a newly created Scheduled Task, allowing forensic reconstruction even if the task is later deleted?
WMI Event Subscriptions are considered 'fileless' persistence. What three WMI components must an attacker create to establish this persistence?
In Lab 3.5, you will run a Velociraptor artifact to audit all persistence mechanisms on a compromised endpoint. Which artifact performs this comprehensive check?
An analyst discovers a service with ImagePath pointing to C:\Users\Public\svc_helper.exe running as LocalSystem. Which combination of indicators makes this suspicious?
Which ATT&CK sub-technique ID corresponds to persistence via Windows Registry Run Keys?
In Lab 3.5, the compromised endpoint has 5 planted persistence mechanisms. Using Sysinternals Autoruns with the flags '-a * -c -h -s', what does the '-s' flag specifically check?
Why is WMI Event Subscription persistence harder to detect than Registry Run Key persistence?
0/10 answered