Hunting Persistence
Persistence
Used by attackers to maintain access to a machine once it has been compromised.
Things to look for:
File creation
Registry modifications
Filter by the Rule Names (the name attributes in the rules below are written into the RuleName field of each Sysmon event) in order to get past the noise of normal activity.
Hunting Startup Persistence
Detections for a file being placed in the \Startup\ or \Start Menu directories (Sysmon Event ID 11, FileCreate).
<!-- Sysmon rule fragment: goes inside <EventFiltering>. The "contains" condition is a
     case-insensitive literal substring match, so the paths use single backslashes. -->
<RuleGroup name="" groupRelation="or">
  <FileCreate onmatch="include">
    <TargetFilename name="T1023" condition="contains">\Start Menu</TargetFilename>
    <TargetFilename name="T1165" condition="contains">\Startup\</TargetFilename>
  </FileCreate>
</RuleGroup>
For more information about this technique, check out MITRE ATT&CK T1547.
Hunting Registry Key Persistence
Detections for writes to the Run keys and Group Policy script locations (Sysmon Event IDs 12 to 14, RegistryEvent). For more information about this technique, check out MITRE ATT&CK T1112.
<!-- Sysmon rule fragment: goes inside <EventFiltering>. As above, the key paths are
     matched literally and case-insensitively, so they use single backslashes. -->
<RuleGroup name="" groupRelation="or">
  <RegistryEvent onmatch="include">
    <TargetObject name="T1060,RunKey" condition="contains">CurrentVersion\Run</TargetObject>
    <TargetObject name="T1484" condition="contains">Group Policy\Scripts</TargetObject>
    <TargetObject name="T1060" condition="contains">CurrentVersion\Windows\Run</TargetObject>
  </RegistryEvent>
</RuleGroup>
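To show how the two rule groups above behave once deployed, and how "filter by the Rule Names" works in practice, here is an added Python example (not part of the page and not Sysmon's own code). It parses both fragments, evaluates Sysmon's include/contains semantics (a case-insensitive literal substring test) against a few constructed file-create and registry events, and returns the RuleName each event would carry. The EventFiltering wrapper, the mapping of FileCreate to Event ID 11 and RegistryEvent to IDs 12 to 14, and all sample events are assumptions made for the example.

```python
"""Evaluate the two Sysmon rule groups above against constructed events.

Added example; not part of the page and not Sysmon's own code. It models
only what the fragments use: onmatch="include" groups with
condition="contains" (a case-insensitive literal substring match) and the
rule's name attribute, which Sysmon writes into the event's RuleName field.
The EventFiltering wrapper and the Event ID mapping are assumptions.
"""
import xml.etree.ElementTree as ET

# The page's fragments, wrapped in the element they would sit under in a
# full config. Raw string: the backslashes are literal, as in the config.
SYSMON_RULES = r"""
<EventFiltering>
  <RuleGroup name="" groupRelation="or">
    <FileCreate onmatch="include">
      <TargetFilename name="T1023" condition="contains">\Start Menu</TargetFilename>
      <TargetFilename name="T1165" condition="contains">\Startup\</TargetFilename>
    </FileCreate>
  </RuleGroup>
  <RuleGroup name="" groupRelation="or">
    <RegistryEvent onmatch="include">
      <TargetObject name="T1060,RunKey" condition="contains">CurrentVersion\Run</TargetObject>
      <TargetObject name="T1484" condition="contains">Group Policy\Scripts</TargetObject>
      <TargetObject name="T1060" condition="contains">CurrentVersion\Windows\Run</TargetObject>
    </RegistryEvent>
  </RuleGroup>
</EventFiltering>
"""

# Sysmon event types used above and the Event IDs they cover
# (FileCreate is ID 11; RegistryEvent covers 12, 13 and 14).
EVENT_IDS = {"FileCreate": {11}, "RegistryEvent": {12, 13, 14}}


def load_rules(xml_text):
    """Parse include rules into (event_ids, field, rule_name, needle) tuples."""
    rules = []
    for group in ET.fromstring(xml_text.strip()).findall("RuleGroup"):
        for event_type in group:
            if event_type.get("onmatch") != "include":
                continue  # exclude groups are not modelled here
            for field in event_type:
                if field.get("condition") != "contains":
                    raise ValueError("only condition='contains' is modelled")
                rules.append((EVENT_IDS[event_type.tag], field.tag,
                              field.get("name", ""), field.text))
    return rules


def match_event(rules, event):
    """Return the RuleName(s) Sysmon would stamp on this event, [] if none."""
    names = []
    for event_ids, field, name, needle in rules:
        if (event["EventID"] in event_ids
                and needle.lower() in event.get(field, "").lower()):
            names.append(name)
    return names


def hunt(rules, events, rule_prefix):
    """Keep only events whose RuleName starts with rule_prefix (the noise filter)."""
    kept = []
    for event in events:
        names = match_event(rules, event)
        if any(n.startswith(rule_prefix) for n in names):
            kept.append({**event, "RuleName": ",".join(names)})
    return kept


# Constructed sample events using Sysmon's field names (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\alice\Downloads\installer.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\updater.lnk"},
    {"EventID": 11, "Image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "TargetFilename": r"C:\Users\alice\Documents\report.docx"},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                     r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"},
]

if __name__ == "__main__":
    rules = load_rules(SYSMON_RULES)
    for event in SAMPLE_EVENTS:
        print(event["EventID"], match_event(rules, event))
    for hit in hunt(rules, SAMPLE_EVENTS, "T1060"):
        print("Run key write by", hit["Image"], "->", hit["TargetObject"])
```

The first sample event lands in the Startup folder and is tagged with both T1023 and T1165, the Run key write is tagged T1060,RunKey, and the two benign events carry no RuleName and are dropped by the include group. Because the match is a literal substring test, a needle with doubled backslashes would be searched for as written and would match no real path, which is why the fragments use single backslashes.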