Persistence

Scheduled task creation

Scheduled tasks are self-explanatory: one sets up a program to run periodically, for whatever reason; it could be an update, a script, anything. The creation of such tasks can be spotted using event ID 4698 or, alternatively, the keywords "schtasks" or "Register-ScheduledTask":

host.name: WKSTN-* AND (winlog.event_id: 4698 OR (*schtasks* OR *Register-ScheduledTask*))

Modification of registry keys

Registry keys are often modified by attackers so they can abuse the operating system, for example the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run key, which automatically executes payloads at boot. We can find those modifications using event ID 13 and/or the winlog channel Microsoft-Windows-Sysmon/Operational:

host.name: WKSTN-* AND winlog.event_id: 13 AND winlog.channel: Microsoft-Windows-Sysmon/Operational

Depending on the modus operandi of the threat actor we're hunting, we can add specific registry keys to the query above. Basically, keep an eye on keys changed or modified by unusual processes.
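The two hunts above, re-implemented offline as an added example (not part of the original notes) so the matching logic can be read and tested without a SIEM. It assumes events in the ECS-like shape the queries use (host.name, winlog.event_id, winlog.channel, plus process.command_line, process.name and registry.path as Sysmon ships them); the sample events are constructed, and the free-text terms *schtasks* / *Register-ScheduledTask* are emulated by scanning every string field, which is what a field-less KQL term does. The registry hunt goes one step beyond the page's query by narrowing to the Run/RunOnce keys and reporting the writing process, so benign writers can be triaged out.

```python
"""Offline re-implementation of the scheduled-task and registry hunts.
Sample events are constructed for the example, not real telemetry."""
from fnmatch import fnmatchcase

HOST_PATTERN = "WKSTN-*"
TASK_KEYWORDS = ("schtasks", "register-scheduledtask")
SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"
# Autorun keys to watch (case-insensitive substring of registry.path);
# extend this tuple with whatever keys the actor being hunted is known to touch.
AUTORUN_KEYS = (
    "\\software\\microsoft\\windows\\currentversion\\run",
    "\\software\\microsoft\\windows\\currentversion\\runonce",
)

# Constructed sample events (SID and paths are placeholders).
SAMPLE_EVENTS = [
    {"host": {"name": "WKSTN-042"}, "winlog": {"event_id": 4698, "channel": "Security"},
     "message": "A scheduled task was created."},
    {"host": {"name": "WKSTN-042"}, "winlog": {"event_id": 1, "channel": SYSMON_CHANNEL},
     "process": {"command_line": 'schtasks /create /tn "Updater" /tr "C:\\Users\\Public\\u.exe" /sc onlogon'}},
    {"host": {"name": "SRV-DC01"}, "winlog": {"event_id": 4698, "channel": "Security"},
     "message": "A scheduled task was created."},
    {"host": {"name": "WKSTN-007"}, "winlog": {"event_id": 13, "channel": SYSMON_CHANNEL},
     "registry": {"path": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost"},
     "process": {"name": "powershell.exe"}},
    {"host": {"name": "WKSTN-007"}, "winlog": {"event_id": 13, "channel": SYSMON_CHANNEL},
     "registry": {"path": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\App"},
     "process": {"name": "msiexec.exe"}},
    {"host": {"name": "WKSTN-007"}, "winlog": {"event_id": 13, "channel": SYSMON_CHANNEL},
     "registry": {"path": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"},
     "process": {"name": "OneDrive.exe"}},
]


def field(event, dotted, default=None):
    """Walk a nested dict with a dotted path such as 'winlog.event_id'."""
    node = event
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


def string_values(node):
    """Yield every string leaf of an event; a field-less KQL term searches all fields."""
    if isinstance(node, dict):
        for value in node.values():
            yield from string_values(value)
    elif isinstance(node, (list, tuple)):
        for value in node:
            yield from string_values(value)
    elif isinstance(node, str):
        yield node


def is_workstation(event):
    """host.name: WKSTN-*"""
    return fnmatchcase(field(event, "host.name", ""), HOST_PATTERN)


def matches_task_creation(event):
    """host.name: WKSTN-* AND (winlog.event_id: 4698 OR (*schtasks* OR *Register-ScheduledTask*))"""
    if not is_workstation(event):
        return False
    if field(event, "winlog.event_id") == 4698:
        return True
    haystack = " ".join(string_values(event)).lower()
    return any(keyword in haystack for keyword in TASK_KEYWORDS)


def matches_registry_modification(event, watched_keys=AUTORUN_KEYS):
    """host.name: WKSTN-* AND winlog.event_id: 13 AND winlog.channel: Sysmon, narrowed to watched keys."""
    if not is_workstation(event):
        return False
    if field(event, "winlog.event_id") != 13 or field(event, "winlog.channel") != SYSMON_CHANNEL:
        return False
    path = field(event, "registry.path", "").lower()
    return any(key in path for key in watched_keys)


def hunt(events):
    """Return (rule, host, detail) for every matching event; detail names the process for triage."""
    hits = []
    for event in events:
        host = field(event, "host.name")
        if matches_task_creation(event):
            detail = field(event, "process.command_line") or field(event, "message", "")
            hits.append(("scheduled_task_creation", host, detail))
        if matches_registry_modification(event):
            detail = f'{field(event, "process.name")} -> {field(event, "registry.path")}'
            hits.append(("autorun_registry_modification", host, detail))
    return hits


if __name__ == "__main__":
    for rule, host, detail in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {host}: {detail}")
```

Against the sample data this yields four hits: the 4698 event and the schtasks command line on WKSTN-042 (the domain controller is excluded by the host filter), and two Run-key writes on WKSTN-007, one by powershell.exe and one by OneDrive.exe. The Uninstall-key write is dropped by the key filter, and the process name in each registry hit is exactly what the "unusual process" triage step above needs.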
