Analytics Story: Windows Persistence Techniques
Description
Monitor for activities and techniques associated with maintaining persistence on a Windows system, a sign that an adversary may have compromised your environment.
Why it matters
Maintaining persistence is one of the first steps taken by attackers after the initial compromise. Attackers leverage various custom and built-in tools to ensure survivability and persistent access within a compromised enterprise. This Analytic Story provides searches to help you identify various behaviors used by attackers to maintain persistent access to a Windows environment.
Detections
Data Sources
Name | Platform | Sourcetype | Source
---|---|---|---
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike
Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Application 3000 | Windows | XmlWinEventLog | XmlWinEventLog:Application
Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4698 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4738 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4742 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log TaskScheduler 200 | Windows | wineventlog | WinEventLog:Microsoft-Windows-TaskScheduler/Operational
References
- http://www.fuzzysecurity.com/tutorials/19.html
- https://www.fireeye.com/blog/threat-research/2010/07/malware-persistence-windows-registry.html
- http://resources.infosecinstitute.com/common-malware-persistence-mechanisms/
- https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
- https://www.youtube.com/watch?v=dq2Hv7J9fvk
Source: GitHub | Version: 2