Which THREE of the following are indicators of malware persistence via registry run keys? (Choose three.)
RunOnce keys execute programs once at next logon, used for persistence.
Why this answer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce is a registry run key that executes programs once at user logon and then deletes the entry. Malware often uses this key to run a payload a single time, such as during initial infection or after a reboot, to establish persistence without leaving a continuous trace in the Run key.
Exam trap
EC-Council often tests the distinction between registry run keys (Run, RunOnce, RunOnceEx) and other persistence mechanisms like services (Services key) or scheduled tasks (TaskCache), tricking candidates into selecting non-run-key options that are valid persistence methods but not run keys.