Persistence
Surviving reboot and re-login — run keys, scheduled tasks, services, COM hijacking and WMI event subscriptions.
Persistence (intermediate)
Attackers replace or redirect accessibility binaries like sethc.exe or utilman.exe so a payload runs from the logon screen with SYSTEM privileges.
windows
Persistence (advanced)
Malware registers a permanent WMI event subscription — a filter bound to a consumer — so the WMI service runs its payload: fileless SYSTEM persistence.
windows
Persistence (advanced)
Malware registers a helper DLL with netsh so the library loads into the netsh.exe process whenever the tool runs, yielding stealthy registry-backed persistence.
windows
Persistence (beginner)
Malware creates a Background Intelligent Transfer Service job that downloads and executes a payload on a trigger, abusing a trusted Windows service.
windows
Persistence (beginner)
Malware installs or hijacks a Windows service so the Service Control Manager starts its payload automatically at boot, typically running as SYSTEM.
windows
Persistence (intermediate)
Malware registers a DLL in the AppInit_DLLs registry value so it is loaded into nearly every user-mode process that links against User32.dll.
windows
Persistence (intermediate)
Malware repoints the screensaver registry values at a malicious .scr executable so Windows launches the payload after a period of user inactivity.
windows
Persistence (intermediate)
Malware redirects a Component Object Model (COM) class to its own DLL by populating a per-user CLSID registry entry, so the payload loads whenever a legitimate program instantiates that COM object.
windows
Persistence (intermediate)
Malware modifies Winlogon's Userinit, Shell, or Notify registry values so its executable or DLL runs during the interactive logon sequence.
windows
Persistence (beginner)
Malware drops a LaunchAgent or LaunchDaemon property list so macOS launchd starts its payload at login or boot, the dominant persistence mechanism on macOS.
macos
Persistence (beginner)
Malware installs a systemd unit or timer so init re-launches its payload at boot or on a schedule, giving durable, often root-level persistence on modern Linux.
linux
Persistence (beginner)
Malware registers a Windows scheduled task that re-launches its payload on a trigger — logon, a fixed interval, or system idle — providing durable, often privileged, persistence.
windows
Persistence (intermediate)
Malware sets a Debugger value under an Image File Execution Options key so its payload launches whenever the targeted executable is started.
windows
Persistence (beginner)
Malware drops a program or shortcut into a Windows Startup folder so Explorer launches it automatically at user logon, a low-privilege persistence technique requiring only file-write access.
windows
Persistence (beginner)
Malware adds a crontab entry or drops a file into a cron directory so the system re-launches its payload on a fixed schedule, surviving reboots on Linux.
linux
Persistence (beginner)
Malware writes a value under a Run/RunOnce registry key so its executable launches automatically every time the user logs on, the oldest and most common Windows persistence mechanism.
windows