| BH12240 | Deletes scheduled tasks and jobs. | |
| BH12346 | Executes script on startup. | |
| BH12601 | Tampers with autorun locations. | |
| BH12602 | Tampers with autorun registry keys. | |
| BH12718 | Tampers with remote scheduled tasks and jobs. | |
| BH12719 | Tampers with scheduled tasks and jobs. | |
| BH12720 | Tampers with scheduled tasks. | |
| BH12784 | Tampers with Windows Store Application Prelaunch settings. | |
| BH12878 | Enables a systemd service. | |
| BH12903 | Accesses an XDG autostart file. | |
| BH20102 | Uses a Nishang command that uses Alternate Data Streams and Windows Registry to achieve persistence. | |
| BH20148 | Uses a Nishang command to make execution of a PowerShell script from disk or URL reboot persistent using WMI permanent event consumer. | |
| BH20167 | Uses PowerSploit/Empire command to add persistence capabilities to a script. | |
| BH20172 | Uses PowerSploit/Empire command to configure elevated persistence options for the Add-Persistence function. | |
| BH20173 | Uses PowerSploit/Empire command to configure user-level persistence options for the Add-Persistence function. | |
