Windows Persistence Techniques

Description

Monitor for activities and techniques associated with maintaining persistence on a Windows system–a sign that an adversary may have compromised your environment.

Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
Datamodel: Endpoint
Last Updated: 2018-05-31
Author: Bhavin Patel, Splunk
ID: 30874d4f-20a1-488f-85ec-5d52ef74e3f9

Narrative

Maintaining persistence is one of the first steps taken by attackers after the initial compromise. Attackers leverage various custom and built-in tools to ensure survivability and persistent access within a compromised enterprise. This Analytic Story provides searches to help you identify various behaviors used by attackers to maintain persistent access to a Windows environment.

Detections

Name	Technique	Type
Active Setup Registry Autostart	Active Setup, Boot or Logon Autostart Execution	TTP
Certutil exe certificate extraction		TTP
Change Default File Association	Change Default File Association, Event Triggered Execution	TTP
Detect Path Interception By Creation Of program exe	Path Interception by Unquoted Path, Hijack Execution Flow	TTP
ETW Registry Disabled	Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses	TTP
Hiding Files And Directories With Attrib exe	File and Directory Permissions Modification, Windows File and Directory Permissions Modification	TTP
Hiding Files And Directories With Attrib exe	Windows File and Directory Permissions Modification, File and Directory Permissions Modification	TTP
Logon Script Event Trigger Execution	Boot or Logon Initialization Scripts, Logon Script (Windows)	TTP
Monitor Registry Keys for Print Monitors	Port Monitors, Boot or Logon Autostart Execution	TTP
Print Processor Registry Autostart	Print Processors, Boot or Logon Autostart Execution	TTP
Reg exe Manipulating Windows Services Registry Keys	Services Registry Permissions Weakness, Hijack Execution Flow	TTP
Reg exe used to hide files directories via registry keys	Hidden Files and Directories	TTP
Registry Keys Used For Persistence	Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution	TTP
Registry Keys for Creating SHIM Databases	Application Shimming, Event Triggered Execution	TTP
Remote Registry Key modifications		TTP
Sc exe Manipulating Windows Services	Windows Service, Create or Modify System Process	TTP
Schedule Task with HTTP Command Arguments	Scheduled Task/Job	TTP
Schedule Task with Rundll32 Command Trigger	Scheduled Task/Job	TTP
Scheduled Task Deleted Or Created via CMD	Scheduled Task, Scheduled Task/Job	TTP
Schtasks used for forcing a reboot	Scheduled Task, Scheduled Task/Job	TTP
Screensaver Event Trigger Execution	Event Triggered Execution, Screensaver	TTP
Shim Database File Creation	Application Shimming, Event Triggered Execution	TTP
Shim Database Installation With Suspicious Parameters	Application Shimming, Event Triggered Execution	TTP
Suspicious Scheduled Task from Public Directory	Scheduled Task, Scheduled Task/Job	Anomaly
Time Provider Persistence Registry	Time Providers, Boot or Logon Autostart Execution	TTP
WinEvent Scheduled Task Created Within Public Path	Scheduled Task, Scheduled Task/Job	TTP
WinEvent Scheduled Task Created to Spawn Shell	Scheduled Task, Scheduled Task/Job	TTP
WinEvent Windows Task Scheduler Event Action Started	Scheduled Task	Hunting
Windows AD DSRM Account Changes	Account Manipulation	TTP
Windows AD Same Domain SID History Addition	SID-History Injection, Access Token Manipulation	TTP
Windows Event Triggered Image File Execution Options Injection	Image File Execution Options Injection	Hunting
Windows Mshta Execution In Registry	Mshta	TTP
Windows Registry Delete Task SD	Scheduled Task, Impair Defenses	Anomaly
Windows Scheduled Task Service Spawned Shell	Scheduled Task, Command and Scripting Interpreter	TTP
Windows Schtasks Create Run As System	Scheduled Task, Scheduled Task/Job	TTP
Windows Service Creation Using Registry Entry	Services Registry Permissions Weakness	TTP

Reference

source | version: 2

Twitter Facebook LinkedIn