Description
Monitor for activities and techniques associated with maintaining persistence on a Windows system, a sign that an adversary may have compromised your environment.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2018-05-31
- Author: Bhavin Patel, Splunk
- ID: 30874d4f-20a1-488f-85ec-5d52ef74e3f9
Narrative
Maintaining persistence is one of the first steps taken by attackers after the initial compromise. Attackers leverage various custom and built-in tools to ensure survivability and persistent access within a compromised enterprise. This Analytic Story provides searches to help you identify various behaviors used by attackers to maintain persistent access to a Windows environment.
Detections
| Name | Technique | Type |
| --- | --- | --- |
| Active Setup Registry Autostart | Active Setup, Boot or Logon Autostart Execution | TTP |
| Certutil exe certificate extraction | | TTP |
| Change Default File Association | Change Default File Association, Event Triggered Execution | TTP |
| Detect Path Interception By Creation Of program exe | Path Interception by Unquoted Path, Hijack Execution Flow | TTP |
| ETW Registry Disabled | Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses | TTP |
| Hiding Files And Directories With Attrib exe | File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP |
| Hiding Files And Directories With Attrib exe | Windows File and Directory Permissions Modification, File and Directory Permissions Modification | TTP |
| Logon Script Event Trigger Execution | Boot or Logon Initialization Scripts, Logon Script (Windows) | TTP |
| Monitor Registry Keys for Print Monitors | Port Monitors, Boot or Logon Autostart Execution | TTP |
| Print Processor Registry Autostart | Print Processors, Boot or Logon Autostart Execution | TTP |
| Reg exe Manipulating Windows Services Registry Keys | Services Registry Permissions Weakness, Hijack Execution Flow | TTP |
| Reg exe used to hide files directories via registry keys | Hidden Files and Directories | TTP |
| Registry Keys Used For Persistence | Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution | TTP |
| Registry Keys for Creating SHIM Databases | Application Shimming, Event Triggered Execution | TTP |
| Remote Registry Key modifications | | TTP |
| Sc exe Manipulating Windows Services | Windows Service, Create or Modify System Process | TTP |
| Schedule Task with HTTP Command Arguments | Scheduled Task/Job | TTP |
| Schedule Task with Rundll32 Command Trigger | Scheduled Task/Job | TTP |
| Scheduled Task Deleted Or Created via CMD | Scheduled Task, Scheduled Task/Job | TTP |
| Schtasks used for forcing a reboot | Scheduled Task, Scheduled Task/Job | TTP |
| Screensaver Event Trigger Execution | Event Triggered Execution, Screensaver | TTP |
| Shim Database File Creation | Application Shimming, Event Triggered Execution | TTP |
| Shim Database Installation With Suspicious Parameters | Application Shimming, Event Triggered Execution | TTP |
| Suspicious Scheduled Task from Public Directory | Scheduled Task, Scheduled Task/Job | Anomaly |
| Time Provider Persistence Registry | Time Providers, Boot or Logon Autostart Execution | TTP |
| WinEvent Scheduled Task Created Within Public Path | Scheduled Task, Scheduled Task/Job | TTP |
| WinEvent Scheduled Task Created to Spawn Shell | Scheduled Task, Scheduled Task/Job | TTP |
| WinEvent Windows Task Scheduler Event Action Started | Scheduled Task | Hunting |
| Windows AD DSRM Account Changes | Account Manipulation | TTP |
| Windows AD Same Domain SID History Addition | SID-History Injection, Access Token Manipulation | TTP |
| Windows Event Triggered Image File Execution Options Injection | Image File Execution Options Injection | Hunting |
| Windows Mshta Execution In Registry | Mshta | TTP |
| Windows Registry Delete Task SD | Scheduled Task, Impair Defenses | Anomaly |
| Windows Schtasks Create Run As System | Scheduled Task, Scheduled Task/Job | TTP |
| Windows Service Creation Using Registry Entry | Services Registry Permissions Weakness | TTP |
Reference
source | version: 2