Hunting For Persistence Mechanisms In Windows | Skills Pool
Systematically hunt for adversary persistence mechanisms across Windows endpoints, including the registry, services, scheduled tasks, startup folders, and WMI subscriptions.
mukul975 · 4,535 stars · updated April 6, 2026
When to Use
During periodic proactive threat hunts for dormant backdoors
After an incident to identify all persistence mechanisms an attacker planted
When investigating unusual services, scheduled tasks, or startup entries
When threat intel reports describe new persistence techniques in the wild
During security posture assessments to identify unauthorized persistent software
Prerequisites
Sysmon deployed with Event IDs 12/13/14 (registry key and value create/delete, value set, rename), 19/20/21 (WMI event filter, consumer, and filter-to-consumer binding), and 1 (process creation). Event ID 7 (image loaded) is what you need for DLL search order hijacks, but it is high-volume, so scope it to the processes of interest.
Windows Security Event forwarding for 4697 (a service was installed in the system; requires the Audit Security System Extension subcategory) and 4698 (a scheduled task was created; requires Audit Other Object Access Events). The System log's 7045 (Service Control Manager) records service installs even where 4697 is not audited.
EDR with registry and file monitoring capabilities
PowerShell script block logging enabled (Event ID 4104 in Microsoft-Windows-PowerShell/Operational)
Autoruns or equivalent baseline of legitimate persistent entries
Workflow
Enumerate Known Persistence Locations : Build a comprehensive list of Windows persistence points (Run and RunOnce keys under both HKLM and HKCU, services, scheduled tasks, WMI subscriptions, per-user and all-users Startup folders, DLL search order, COM hijacks, AppInit DLLs, Image File Execution Options).
Collect Endpoint Data : Use EDR, Sysmon, or Velociraptor to collect current persistence artifacts from endpoints across the environment.
Baseline Legitimate Persistence : Compare collected data against known-good baselines (Autoruns snapshots, GPO-deployed entries, SCCM configurations).
Identify Anomalies : Flag new, unsigned, or unknown entries in persistence locations that deviate from the baseline.
Investigate Suspicious Entries : For each anomaly, resolve the binary it points to (expand environment variables and strip quoting and arguments), then examine its digital signature, file hash, creation timestamp, and whether it lives in a user-writable directory such as %APPDATA% or %TEMP%.
Correlate with Process Activity : Link persistence entries to process execution, network activity, and user login events.
Document and Remediate : Record findings, remove malicious persistence, and update detection rules.
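The collect, baseline, identify and investigate steps above, as an added PowerShell example for a single host; this is not the skill's own code. It gathers Run/RunOnce values, service image paths and scheduled-task actions, diffs them against a JSON baseline written by an earlier run on a known-good build, and enriches every new or changed entry with Authenticode status, SHA256 and file creation time for the hunt record. The baseline file path is an assumption; run it elevated so that all HKLM keys and task folders are readable.

```powershell
# Added example (not from the skill repo). Assumes Windows PowerShell 5.1 or
# PowerShell 7 on Windows and a baseline path you choose (.\baseline.json here).

function Get-PersistenceEntries {
    $entries = [System.Collections.Generic.List[object]]::new()
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($keyPath in $runKeys) {
        if (-not (Test-Path -Path $keyPath)) { continue }
        $key = Get-Item -Path $keyPath
        foreach ($name in $key.GetValueNames()) {
            $label = if ($name) { $name } else { '(default)' }
            $entries.Add([pscustomobject]@{ Type = 'Registry'; Location = "$keyPath\$label"; Value = [string]$key.GetValue($name) })
        }
    }
    # Services: PathName is the command line the SCM actually launches
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $entries.Add([pscustomobject]@{ Type = 'Service'; Location = $svc.Name; Value = [string]$svc.PathName })
    }
    # Scheduled tasks: one entry per Exec action (COM-handler actions have no Execute)
    foreach ($task in Get-ScheduledTask) {
        foreach ($a in $task.Actions) {
            if (-not $a.Execute) { continue }
            $entries.Add([pscustomobject]@{ Type = 'Task'; Location = "$($task.TaskPath)$($task.TaskName)"; Value = "$($a.Execute) $($a.Arguments)".Trim() })
        }
    }
    return $entries
}

function Get-ExecutablePath {
    # Pull the program out of a command line: quoted path first, else the first
    # token with an executable-looking extension. Environment variables expanded.
    param([string]$CommandLine)
    $path = $null
    if ($CommandLine -match '^\s*"([^"]+)"') { $path = $Matches[1] }
    elseif ($CommandLine -match '^\s*([^\s"]+\.(exe|dll|bat|cmd|ps1|vbs|js|scr))') { $path = $Matches[1] }
    if (-not $path) { return $null }
    return [System.Environment]::ExpandEnvironmentVariables($path)
}

function Add-FileEvidence {
    # Attach signature status, SHA256 and creation time for the finding template
    param([object]$Entry)
    $path = Get-ExecutablePath -CommandLine $Entry.Value
    $status = 'FileNotFound'; $hash = $null; $created = $null
    if ($path -and (Test-Path -LiteralPath $path -PathType Leaf)) {
        $status  = (Get-AuthenticodeSignature -FilePath $path).Status   # Valid, NotSigned, HashMismatch, ...
        $hash    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $created = (Get-Item -LiteralPath $path).CreationTimeUtc
    }
    $Entry | Add-Member -NotePropertyName Path    -NotePropertyValue $path      -PassThru |
             Add-Member -NotePropertyName Signed  -NotePropertyValue "$status"  -PassThru |
             Add-Member -NotePropertyName SHA256  -NotePropertyValue $hash      -PassThru |
             Add-Member -NotePropertyName Created -NotePropertyValue $created   -PassThru
}

function Compare-PersistenceBaseline {
    param([string]$BaselinePath, [switch]$SaveBaseline)
    $current = Get-PersistenceEntries
    if ($SaveBaseline) {
        $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
        return
    }
    $known = @{}
    foreach ($b in (Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)) {
        $known["$($b.Type)|$($b.Location)|$($b.Value)"] = $true
    }
    # A triple not in the baseline is either a new entry or a changed value
    $current |
        Where-Object { -not $known.ContainsKey("$($_.Type)|$($_.Location)|$($_.Value)") } |
        ForEach-Object { Add-FileEvidence -Entry $_ } |
        Sort-Object @{ Expression = { $_.Signed -eq 'Valid' } }, Type   # unsigned / missing first
}

# Known-good host:  Compare-PersistenceBaseline -BaselinePath .\baseline.json -SaveBaseline
# Hunt run:         Compare-PersistenceBaseline -BaselinePath .\baseline.json | Format-Table -AutoSize -Wrap
```

Entries whose Signed column reads FileNotFound still need eyes on them: a value such as `rundll32.exe payload.dll,Entry` resolves only the LOLBin, so the argument is where the implant is, and service paths written as `\SystemRoot\...` are not filesystem paths this function can test. For environment-wide collection, wrap the same functions in a Velociraptor artifact or a remoting job rather than running them host by host.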
Key Concepts
T1547.001 : Registry Run Keys / Startup Folder
T1543.003 : Windows Service (Create or Modify)
T1053.005 : Scheduled Task
T1546.003 : WMI Event Subscription
T1546.015 : Component Object Model (COM) Hijacking
T1546.012 : Image File Execution Options Injection
T1546.010 : AppInit DLLs
T1547.004 : Winlogon Helper DLL
T1547.005 : Security Support Provider
T1574.001 : DLL Search Order Hijacking
TA0003 : Persistence tactic (parent of the techniques above)
Autoruns : Sysinternals tool showing persistent entries
Tools
Sysinternals Autoruns : Comprehensive persistence enumeration
Velociraptor : Endpoint-wide persistence artifact collection
CrowdStrike Falcon : Real-time persistence monitoring
Sysmon : Registry and WMI event monitoring
osquery : SQL-based persistence queries
RECmd : Command-line counterpart of Registry Explorer for offline hive analysis in forensics
Splunk : SIEM correlation of persistence events
Common Scenarios
Registry Run Key Backdoor : Malware adds HKCU\Software\Microsoft\Windows\CurrentVersion\Run entry pointing to payload in %APPDATA%.
WMI Event Subscription : Adversary creates WMI consumer/filter pair that executes PowerShell on system boot.
Malicious Service : Attacker creates Windows service with sc create pointing to a backdoor binary.
COM Object Hijack : Legitimate COM CLSID InprocServer32 path replaced with malicious DLL.
IFEO Debugger Injection : Image File Execution Options key set with debugger pointing to implant for common utilities.
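Three of the scenarios above (WMI subscription, COM object hijack, IFEO debugger) checked on the local host, as an added PowerShell example that is not part of the skill repo. It lists every WMI filter-to-consumer binding with the consumer's payload and the filter query, every IFEO subkey that carries a Debugger value, and every per-user CLSID InprocServer32 registration that either shadows a machine-wide one or points into a user-writable directory. The path fragments and the default Windows subscription names in the allow-list are assumptions; replace them with your own Autoruns baseline.

```powershell
# Added example (not from the skill repo). Run elevated; root\subscription and
# HKLM reads are reliable only with administrator rights.

$UserWritable  = @('\AppData\', '\Temp\', '\Users\Public\', '\ProgramData\')   # assumption: tune per estate
$KnownWmiNames = @('SCM Event Log Filter', 'SCM Event Log Consumer')           # default subscription on Windows

function Test-UserWritablePath {
    param([string]$Path)
    foreach ($frag in $UserWritable) { if ($Path -like "*$frag*") { return $true } }
    return $false
}

function Find-WmiPersistence {
    $ns = 'root\subscription'
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer   # returns all derived consumer classes
    foreach ($b in Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding) {
        # The binding's reference properties carry the key (Name) of each side
        $f = $filters   | Where-Object Name -eq $b.Filter.Name
        $c = $consumers | Where-Object Name -eq $b.Consumer.Name
        if (($KnownWmiNames -contains $f.Name) -and ($KnownWmiNames -contains $c.Name)) { continue }
        $payload = switch ($c.CimClass.CimClassName) {
            'CommandLineEventConsumer'  { "$($c.ExecutablePath) $($c.CommandLineTemplate)".Trim() }
            'ActiveScriptEventConsumer' { if ($c.ScriptFileName) { $c.ScriptFileName } else { $c.ScriptText } }
            default                     { $c.CimClass.CimClassName }
        }
        [pscustomobject]@{
            Type     = 'WMI'
            Location = "$ns : $($f.Name) -> $($c.Name)"
            Value    = $payload
            Reason   = "Filter query: $($f.Query)"
        }
    }
}

function Find-IfeoDebugger {
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($k in Get-ChildItem -Path $ifeo) {
        $dbg = (Get-ItemProperty -Path $k.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if (-not $dbg) { continue }
        $reason = if (Test-UserWritablePath $dbg) { 'Debugger in user-writable path' }
                  else { 'Debugger value set; confirm it is an expected developer debugger' }
        [pscustomobject]@{ Type = 'IFEO'; Location = "$ifeo\$($k.PSChildName)"; Value = $dbg; Reason = $reason }
    }
}

function Find-UserComHijack {
    $hkcu = 'HKCU:\Software\Classes\CLSID'
    if (-not (Test-Path -Path $hkcu)) { return }
    foreach ($clsid in Get-ChildItem -Path $hkcu) {
        $inproc = "$hkcu\$($clsid.PSChildName)\InprocServer32"
        if (-not (Test-Path -Path $inproc)) { continue }
        $dll = (Get-ItemProperty -Path $inproc).'(default)'
        if (-not $dll) { continue }
        $reasons = @()
        # HKCU\Software\Classes is consulted before HKLM, so a user-hive copy of a
        # machine-registered CLSID is exactly the T1546.015 shape
        if (Test-Path -Path "HKLM:\Software\Classes\CLSID\$($clsid.PSChildName)\InprocServer32") {
            $reasons += 'HKCU entry shadows HKLM registration'
        }
        if (Test-UserWritablePath $dll) { $reasons += 'DLL in user-writable path' }
        if ($reasons.Count -eq 0) { continue }
        [pscustomobject]@{ Type = 'COM'; Location = $inproc; Value = $dll; Reason = ($reasons -join '; ') }
    }
}

$findings = @(Find-WmiPersistence) + @(Find-IfeoDebugger) + @(Find-UserComHijack)
$findings | Format-Table Type, Location, Value, Reason -AutoSize -Wrap
```

Per-user COM registrations are common for per-user installers, so a shadowing entry is a lead, not a verdict; pair each hit with the signature and hash checks from the workflow and with Sysmon 12/13 events for the key to find who wrote it and when. For WMI, a consumer that runs powershell.exe with an encoded command, or a filter on __InstanceModificationEvent of Win32_LocalTime or on system startup, is the boot-trigger pattern the scenario describes.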
Hunt ID: TH-PERSIST-[DATE]-[SEQ]
Persistence Type: [Registry/Service/Task/WMI/COM/Other]
MITRE Technique: T1547.xxx / T1543.xxx / T1053.xxx
Location: [Full registry key / service name / task path]
Value: [Binary path / command line]
Host(s): [Affected endpoints]
Signed: [Yes/No]
Hash: [SHA256]
Creation Time: [Timestamp]
Risk Level: [Critical/High/Medium/Low]
Verdict: [Malicious/Suspicious/Benign]