The repository tries to gather information about Windows persistence mechanisms to make protection and detection more efficient. Most of the information has been well known for years and is actively used in various scenarios.
Expect more. I am doing my best to add new entries each day.
How it works. And how to contribute.
[user] HKCU Run and RunOnce registry keys
[user] [boot] Task Scheduler
[boot] Image File Execution Options key
[boot] Windows Services
[boot] Natural Language Development Platform 6 DLLs *
[boot] Filter Handlers for Windows Search
[user] .chm helper DLL *
[boot] AMSI Providers
[user] HKCU cmd.exe AutoRun
[boot] LSA Extension
[boot] Winlogon Notification Package
[boot] Print Monitor
[user] HKCU Load
[boot] Windows Platform Binary Table
[user] Windows Terminal Profile
[user] Startup Folder
[user] User Init Mpr Logon Script *
[boot] Autodial DLL *
[user] PowerShell Profiles
[user] TS Initial Program
[boot] IFilter
Want more? Check the list tomorrow. :)
* Based on research by @Hexacorn - one of the best persistence hunters.
[boot] It is enough to turn the computer on to make the code run.
[user] An end user can do it.