Hunting Persistence

Persistence

Used by attackers to maintain access to a machine once it is compromised
Things to look for
- file creation
- Registry modifications
- Filter by the Rule Names in order to get past network noise

Hunting Startup Persistence

Detections for a file being placed in the \Startup\ or \Start Menu directories

<RuleGroup name="" groupRelation="or">  
	<FileCreate onmatch="include">  
		<TargetFilename name="T1023" condition="contains">\\Start Menu</TargetFilename>  
		<TargetFilename name="T1165" condition="contains">\\Startup\\</TargetFilename>  
	</FileCreate>  
</RuleGroup>

For more information about this technique check out MITRE ATT&CK T1547

Hunting Registry Key Persistence

For more information about this technique checkout out MITRE ATT&CK T1112

<RuleGroup name="" groupRelation="or">  
	<RegistryEvent onmatch="include">  
		<TargetObject name="T1060,RunKey" condition="contains">CurrentVersion\\Run</TargetObject>  
		<TargetObject name="T1484" condition="contains">Group Policy\\Scripts</TargetObject>  
		<TargetObject name="T1060" condition="contains">CurrentVersion\\Windows\\Run</TargetObject>  
	</RegistryEvent>  
</RuleGroup>

PreviousHunting Metasploit NextFoundational

Last updated 11 months ago