In the event of a fileless malware attack, a Computer Hacking Forensics Investigator (CHFI) notes that the fileless malware has managed to persist even after the system reboots. What built-in Windows tool/utility might the attacker most likely have leveraged for this persistent behavior?
Windows AutoStart registry keys are commonly leveraged to achieve persistence in fileless malware attacks. These registry keys are used to ensure that certain programs or scripts are executed upon system startup, enabling malware to re-establish itself even after a reboot. This persistence mechanism is well-known and frequently exploited by attackers to maintain control over the compromised system.
Using task scheduler, attackers can set the malicious scripts to be triggered and executed automatically at a chosen time intervals.
Registry is most used