Description

Monitor for activities and techniques associated with maintaining persistence on a Windows system, a sign that an adversary may have compromised your environment.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2018-05-31
  • Author: Bhavin Patel, Splunk
  • ID: 30874d4f-20a1-488f-85ec-5d52ef74e3f9

Narrative

Maintaining persistence is one of the first steps taken by attackers after the initial compromise. Attackers leverage various custom and built-in tools to ensure survivability and persistent access within a compromised enterprise. This Analytic Story provides searches to help you identify various behaviors used by attackers to maintain persistent access to a Windows environment.

Detections

Name | Technique | Type
Active Setup Registry Autostart | Active Setup, Boot or Logon Autostart Execution | TTP
Certutil exe certificate extraction | | TTP
Change Default File Association | Change Default File Association, Event Triggered Execution | TTP
Detect Path Interception By Creation Of program exe | Path Interception by Unquoted Path, Hijack Execution Flow | TTP
ETW Registry Disabled | Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses | TTP
Hiding Files And Directories With Attrib exe | File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP
Logon Script Event Trigger Execution | Boot or Logon Initialization Scripts, Logon Script (Windows) | TTP
Monitor Registry Keys for Print Monitors | Port Monitors, Boot or Logon Autostart Execution | TTP
Print Processor Registry Autostart | Print Processors, Boot or Logon Autostart Execution | TTP
Reg exe Manipulating Windows Services Registry Keys | Services Registry Permissions Weakness, Hijack Execution Flow | TTP
Reg exe used to hide files directories via registry keys | Hidden Files and Directories | TTP
Registry Keys Used For Persistence | Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution | TTP
Registry Keys for Creating SHIM Databases | Application Shimming, Event Triggered Execution | TTP
Remote Registry Key modifications | | TTP
Sc exe Manipulating Windows Services | Windows Service, Create or Modify System Process | TTP
Schedule Task with HTTP Command Arguments | Scheduled Task/Job | TTP
Schedule Task with Rundll32 Command Trigger | Scheduled Task/Job | TTP
Scheduled Task Deleted Or Created via CMD | Scheduled Task, Scheduled Task/Job | TTP
Schtasks used for forcing a reboot | Scheduled Task, Scheduled Task/Job | TTP
Screensaver Event Trigger Execution | Event Triggered Execution, Screensaver | TTP
Shim Database File Creation | Application Shimming, Event Triggered Execution | TTP
Shim Database Installation With Suspicious Parameters | Application Shimming, Event Triggered Execution | TTP
Suspicious Scheduled Task from Public Directory | Scheduled Task, Scheduled Task/Job | Anomaly
Time Provider Persistence Registry | Time Providers, Boot or Logon Autostart Execution | TTP
WinEvent Scheduled Task Created Within Public Path | Scheduled Task, Scheduled Task/Job | TTP
WinEvent Scheduled Task Created to Spawn Shell | Scheduled Task, Scheduled Task/Job | TTP
WinEvent Windows Task Scheduler Event Action Started | Scheduled Task | Hunting
Windows AD DSRM Account Changes | Account Manipulation | TTP
Windows AD Same Domain SID History Addition | SID-History Injection, Access Token Manipulation | TTP
Windows Event Triggered Image File Execution Options Injection | Image File Execution Options Injection | Hunting
Windows Mshta Execution In Registry | Mshta | TTP
Windows Registry Delete Task SD | Scheduled Task, Impair Defenses | Anomaly
Windows Scheduled Task Service Spawned Shell | Scheduled Task, Command and Scripting Interpreter | TTP
Windows Schtasks Create Run As System | Scheduled Task, Scheduled Task/Job | TTP
Windows Service Creation Using Registry Entry | Services Registry Permissions Weakness | TTP

Reference

source | version: 2