Persistence & Lateral movement

Services

Service processes are executed under 'services.exe'. Look through all services.

PsExec

'Psexesvc.exe' runs as a service, but the binary can be renamed.

Task Scheduler

When triggered, a scheduled task runs under 'svchost.exe'; look for child processes named 'taskhostw.exe'. Scheduled tasks fall under the following execution:

C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule

Registry Run key

Designed to run during login, so entries commonly run as child processes of the user desktop, 'explorer.exe'. Most run under the user context.
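
The parent/child relationships above can be turned into a triage pass over a process listing. The following is an added example, not part of the original notes; the snapshot, the label names and the functions `is_schedule_host` and `classify` are constructed for illustration.

```python
# Constructed process snapshot: (pid, ppid, image name, command line).
SAMPLE = [
    (700, 600, "services.exe", r"C:\Windows\System32\services.exe"),
    (1200, 700, "svchost.exe",
     r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule"),
    (1300, 700, "svchost.exe",
     r"C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS"),
    (2100, 700, "PSEXESVC.exe", r"C:\Windows\PSEXESVC.exe"),
    (2200, 700, "updater.exe", r"C:\ProgramData\updater.exe"),
    (3100, 1200, "taskhostw.exe", "taskhostw.exe"),
    (3200, 1200, "backup.exe", r"C:\Users\Public\backup.exe"),
    (4000, 3900, "explorer.exe", r"C:\Windows\explorer.exe"),
    (4100, 4000, "sync.exe", r"C:\Users\alice\AppData\Roaming\sync.exe"),
]


def is_schedule_host(name, cmdline):
    """True for the svchost.exe instance that hosts the Schedule service."""
    args = cmdline.lower().split()
    return (name.lower() == "svchost.exe" and "-s" in args
            and args[args.index("-s") + 1:][:1] == ["schedule"])


def classify(procs):
    """Map pid -> launch-mechanism label, based on the parent process."""
    by_pid = {p[0]: p for p in procs}
    labels = {}
    for pid, ppid, name, _cmd in procs:
        parent = by_pid.get(ppid)
        if parent is None:
            continue  # parent not in the snapshot (exited or out of scope)
        _, _, pname, pcmd = parent
        if is_schedule_host(pname, pcmd):
            labels[pid] = "scheduled-task"
        elif pname.lower() == "services.exe":
            # The name match only catches the default PsExec service binary;
            # a renamed copy still surfaces here as a plain "service".
            is_psexec = name.lower() == "psexesvc.exe"
            labels[pid] = "psexec-service" if is_psexec else "service"
        elif pname.lower() == "explorer.exe":
            labels[pid] = "logon-autostart-candidate"
    return labels


if __name__ == "__main__":
    for pid, label in sorted(classify(SAMPLE).items()):
        print(pid, label)
```

Children of 'explorer.exe' also include anything the user starts interactively, so that label marks a candidate to compare against the Run key entries, not a confirmed autostart.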
