
Description

Monitor for activities and techniques associated with maintaining persistence on a Windows system, a sign that an adversary may have compromised your environment.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2018-05-31
  • Author: Bhavin Patel, Splunk
  • ID: 30874d4f-20a1-488f-85ec-5d52ef74e3f9

Narrative

Maintaining persistence is one of the first steps taken by attackers after the initial compromise. Attackers leverage various custom and built-in tools to ensure survivability and persistent access within a compromised enterprise. This Analytic Story provides searches to help you identify various behaviors used by attackers to maintain persistent access to a Windows environment.

Detections

Name | Technique | Type
Certutil exe certificate extraction | | TTP
Detect Path Interception By Creation Of program exe | Path Interception by Unquoted Path | TTP
Hiding Files And Directories With Attrib exe | Windows File and Directory Permissions Modification | TTP
Illegal Account Creation via PowerSploit modules | Establish Accounts | TTP
Illegal Enabling or Disabling of Accounts via DSInternals modules | Valid Accounts, Account Manipulation | TTP
Illegal Management of Active Directory Elements and Policies via DSInternals modules | Account Manipulation, Rogue Domain Controller, Domain Policy Modification | TTP
Illegal Management of Computers and Active Directory Elements via PowerSploit modules | Account Manipulation, Rogue Domain Controller, Domain Policy Modification | TTP
Illegal Privilege Elevation and Persistence via PowerSploit modules | Scheduled Task/Job, Access Token Manipulation, Abuse Elevation Control Mechanism | TTP
Monitor Registry Keys for Print Monitors | Port Monitors | TTP
Reg exe Manipulating Windows Services Registry Keys | Services Registry Permissions Weakness | TTP
Registry Keys Used For Persistence | Registry Run Keys / Startup Folder | TTP
Registry Keys for Creating SHIM Databases | Application Shimming | TTP
Sc exe Manipulating Windows Services | Windows Service | TTP
Schedule Task with HTTP Command Arguments | Scheduled Task/Job | TTP
Schedule Task with Rundll32 Command Trigger | Scheduled Task/Job | TTP
Schtasks used for forcing a reboot | Scheduled Task | TTP
Setting Credentials via DSInternals modules | Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation | TTP
Setting Credentials via Mimikatz modules | Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation | TTP
Setting Credentials via PowerSploit modules | Exploitation for Privilege Escalation, Valid Accounts, Account Manipulation | TTP
Shim Database File Creation | Application Shimming | TTP
Shim Database Installation With Suspicious Parameters | Application Shimming | TTP
Suspicious Scheduled Task from Public Directory | Scheduled Task | Anomaly
WinEvent Scheduled Task Created Within Public Path | Scheduled Task | TTP
WinEvent Scheduled Task Created to Spawn Shell | Scheduled Task | TTP
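The searches in this story are written in SPL against the Endpoint datamodel. As an added example (not Splunk's own detection code), the Python below re-implements the logic behind five of the detections listed above (Run/RunOnce key writes via the registry and via reg.exe, reg.exe writes under the Services key, sc.exe create/config, schtasks.exe tasks whose action lives in a public or temp directory, and sdbinst.exe shim installs) over a handful of constructed endpoint events. The field names `process_name`, `process`, `registry_path` and `registry_value_data` are borrowed from the datamodel's naming; the event dictionaries, rule identifiers and path lists are assumptions made for the example.

```python
"""Toy re-implementation of several Windows persistence detections (added example)."""
import re
from dataclasses import dataclass

# Constructed endpoint events loosely shaped like Sysmon/EDR records mapped to
# Splunk's Endpoint datamodel. Not real telemetry.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "user": r"CORP\alice", "process_name": "reg.exe",
     "process": r'reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v Updater /t REG_SZ /d "C:\Users\Public\updater.exe"'},
    {"type": "registry", "host": "ws01", "user": r"CORP\alice",
     "registry_path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "registry_value_data": r"C:\Users\Public\updater.exe"},
    {"type": "process", "host": "ws01", "user": r"NT AUTHORITY\SYSTEM", "process_name": "sc.exe",
     "process": r'sc.exe create svchelper binPath= "C:\ProgramData\svchelper.exe" start= auto'},
    {"type": "process", "host": "srv02", "user": r"CORP\bob", "process_name": "schtasks.exe",
     "process": r'schtasks.exe /create /tn "Sync" /tr "C:\Users\Public\sync.bat" /sc minute /mo 5'},
    {"type": "process", "host": "srv02", "user": r"CORP\bob", "process_name": "schtasks.exe",
     "process": r'schtasks.exe /create /tn "Backup" /tr "C:\Program Files\Backup\backup.exe" /sc daily'},
    {"type": "process", "host": "ws03", "user": r"CORP\carol", "process_name": "sdbinst.exe",
     "process": r"sdbinst.exe -q C:\Users\carol\AppData\Local\Temp\fix.sdb"},
    {"type": "process", "host": "ws03", "user": r"CORP\carol", "process_name": "reg.exe",
     "process": r'reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"'},
]

# Autostart keys under ...\CurrentVersion (\b keeps "Run" from matching "RunOnce" twice).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunOnceEx|RunServices|RunServicesOnce)\b", re.I)
# Service definitions live under HKLM\SYSTEM\CurrentControlSet\Services or ControlSetNNN\Services.
SERVICES_KEY_RE = re.compile(r"\\(CurrentControlSet|ControlSet\d{3})\\Services\\", re.I)
# World-writable or per-user temp locations that legitimate scheduled tasks rarely run from.
PUBLIC_DIR_RE = re.compile(
    r"\\(Users\\Public|ProgramData|Windows\\Temp|Users\\[^\\]+\\AppData\\Local\\Temp)\\", re.I)


@dataclass
class Finding:
    rule: str        # short rule id (assumed name, not the Splunk detection name)
    technique: str   # technique label as used in the table above
    host: str
    user: str
    evidence: str


def detect(events):
    """Run every rule over the event list and return the findings in event order."""
    findings = []
    for ev in events:
        host, user = ev.get("host", "?"), ev.get("user", "?")
        if ev.get("type") == "registry":
            path = ev.get("registry_path", "")
            if RUN_KEY_RE.search(path):
                findings.append(Finding("registry_run_key", "Registry Run Keys / Startup Folder",
                                        host, user, f"{path} = {ev.get('registry_value_data', '')}"))
            continue
        if ev.get("type") != "process":
            continue
        name, cmd = ev.get("process_name", "").lower(), ev.get("process", "")
        if name == "reg.exe" and re.search(r"\badd\b", cmd, re.I):
            # Only writes matter; "reg query" of the same key is reconnaissance, not persistence.
            if RUN_KEY_RE.search(cmd):
                findings.append(Finding("registry_run_key", "Registry Run Keys / Startup Folder",
                                        host, user, cmd))
            if SERVICES_KEY_RE.search(cmd):
                findings.append(Finding("reg_exe_services", "Services Registry Permissions Weakness",
                                        host, user, cmd))
        elif name == "sc.exe" and re.search(r"\b(create|config)\b", cmd, re.I):
            findings.append(Finding("sc_exe_service", "Windows Service", host, user, cmd))
        elif name == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
            # Pull the /tr (task action) argument, quoted or bare, and test only that path.
            m = re.search(r'/tr\s+(?:"([^"]+)"|(\S+))', cmd, re.I)
            action = (m.group(1) or m.group(2)) if m else ""
            if PUBLIC_DIR_RE.search(action):
                findings.append(Finding("schtasks_public_dir", "Scheduled Task", host, user, cmd))
        elif name == "sdbinst.exe":
            # Any shim database install is rare enough on workstations to surface; a production
            # rule would additionally whitelist known AppPatch deployments.
            findings.append(Finding("shim_install", "Application Shimming", host, user, cmd))
    return findings


def summarize(findings):
    """Count findings per rule, the shape a dashboard panel or alert threshold would consume."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.technique} on {f.host} by {f.user}: {f.evidence}")
    print(summarize(detect(SAMPLE_EVENTS)))
```

On the constructed events the benign scheduled task under Program Files and the `reg query` are not flagged, while the Run key write surfaces twice (once from the process command line, once from the registry event), which is the usual reason to correlate the two sources rather than alert on each independently.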

Reference

source | version: 2