Which attacker technique allows executing malicious programs at system startup to maintain persistence and enable remote execution?

Prepare for the Certified Ethical Hacker Version 11 Exam. Study with comprehensive questions and explanations. Equip yourself with the skills needed for success!

Multiple Choice

Which attacker technique allows executing malicious programs at system startup to maintain persistence and enable remote execution?

Explanation:
Establishing persistence by running at startup is a common attacker goal because it ensures a malicious program loads even after a reboot and can reconnect to a command-and-control host. Scheduling tasks leverages a built-in system mechanism (Task Scheduler on Windows) to start programs automatically at specific triggers, such as system startup or user logon. An attacker can create a task that launches the payload with elevated privileges or under a different user context, making the malware persist across reboots and enabling remote execution without any user action.

Relaying isn’t about persisting software on the host; it’s about forwarding traffic or credentials between systems. Runas lets a user execute a program with different credentials but doesn’t by itself make the program run automatically after boot. Access Token Manipulation focuses on impersonating another user's identity to gain privileges, not on setting up a program to run at startup.
