hunting-for-persistence-mechanisms-in-windows

Hunting for Persistence Mechanisms in Windows

When to Use

• During periodic proactive threat hunts for dormant backdoors
• After an incident to identify all persistence mechanisms an attacker planted
• When investigating unusual services, scheduled tasks, or startup entries
• When threat intel reports describe new persistence techniques in the wild
• During security posture assessments to identify unauthorized persistent software

Prerequisites

• Sysmon deployed with Event IDs 12/13/14 (Registry), 19/20/21 (WMI), 1 (Process Creation)
• Windows Security Event forwarding for 4697 (Service Install), 4698 (Scheduled Task)
• EDR with registry and file monitoring capabilities
• PowerShell script block logging enabled (Event ID 4104)
• Autoruns or equivalent baseline of legitimate persistent entries

Workflow

1. Enumerate Known Persistence Locations: Build a comprehensive list of Windows persistence points (Run keys, services, scheduled tasks, WMI, startup folder, DLL search order, COM hijacks, AppInit DLLs, Image File Execution Options).
2. Collect Endpoint Data: Use EDR, Sysmon, or Velociraptor to collect current persistence artifacts from endpoints across the environment.
3. Baseline Legitimate Persistence: Compare collected data against known-good baselines (Autoruns snapshots, GPO-deployed entries, SCCM configurations).
4. Identify Anomalies: Flag new, unsigned, or unknown entries in persistence locations that deviate from the baseline.
5. Investigate Suspicious Entries: For each anomaly, examine the binary it points to, its digital signature, file hash, and creation timestamp.
6. Correlate with Process Activity: Link persistence entries to process execution, network activity, and user login events.
7. Document and Remediate: Record findings, remove malicious persistence, and update detection rules.

Key Concepts

Concept	Description
T1547.001	Registry Run Keys / Startup Folder
T1543.003	Windows Service (Create or Modify)
T1053.005	Scheduled Task
T1546.003	WMI Event Subscription
T1546.015	Component Object Model (COM) Hijacking
T1546.012	Image File Execution Options Injection
T1546.010	AppInit DLLs
T1547.004	Winlogon Helper DLL
T1547.005	Security Support Provider
T1574.001	DLL Search Order Hijacking
TA0003	Persistence Tactic
Autoruns	Sysinternals tool showing persistent entries

Tools & Systems

Tool	Purpose
Sysinternals Autoruns	Comprehensive persistence enumeration
Velociraptor	Endpoint-wide persistence artifact collection
CrowdStrike Falcon	Real-time persistence monitoring
Sysmon	Registry and WMI event monitoring
OSQuery	SQL-based persistence queries
RECmd	Registry Explorer for forensic analysis
Splunk	SIEM correlation of persistence events

Common Scenarios

1. Registry Run Key Backdoor: Malware adds HKCU\Software\Microsoft\Windows\CurrentVersion\Run entry pointing to payload in %APPDATA%.
2. WMI Event Subscription: Adversary creates WMI consumer/filter pair that executes PowerShell on system boot.
3. Malicious Service: Attacker creates Windows service with sc create pointing to a backdoor binary.
4. COM Object Hijack: Legitimate COM CLSID InprocServer32 path replaced with malicious DLL.
5. IFEO Debugger Injection: Image File Execution Options key set with debugger pointing to implant for common utilities.

Output Format

Hunt ID: TH-PERSIST-[DATE]-[SEQ]
Persistence Type: [Registry/Service/Task/WMI/COM/Other]
MITRE Technique: T1547.xxx / T1543.xxx / T1053.xxx
Location: [Full registry key / service name / task path]
Value: [Binary path / command line]
Host(s): [Affected endpoints]
Signed: [Yes/No]
Hash: [SHA256]
Creation Time: [Timestamp]
Risk Level: [Critical/High/Medium/Low]
Verdict: [Malicious/Suspicious/Benign]