hunting-for-persistence-mechanisms-in-windows

Featured

Systematically hunt for adversary persistence mechanisms across Windows endpoints including registry, services, startup folders, and WMI subscriptions.

Category: AI & Automation | 12,642 stars | 1468 forks | Updated today | License: Apache-2.0


Quality Score: 99/100

Stars (weight 20%): 100
Recency (weight 20%): 100
Frontmatter (weight 20%): 70
Documentation (weight 15%): 100
Issue Health (weight 10%): 50
License (weight 10%): 100
Description (weight 5%): 100

Skill Content

# Hunting for Persistence Mechanisms in Windows

## When to Use

- During periodic proactive threat hunts for dormant backdoors
- After an incident to identify all persistence mechanisms an attacker planted
- When investigating unusual services, scheduled tasks, or startup entries
- When threat intel reports describe new persistence techniques in the wild
- During security posture assessments to identify unauthorized persistent software

## Prerequisites

- Sysmon deployed with Event IDs 12/13/14 (Registry), 19/20/21 (WMI), 1 (Process Creation)
- Windows Security Event forwarding for 4697 (Service Install), 4698 (Scheduled Task)
- EDR with registry and file monitoring capabilities
- PowerShell script block logging enabled (Event ID 4104)
- Autoruns or equivalent baseline of legitimate persistent entries

## Workflow

1. **Enumerate Known Persistence Locations**: Build a comprehensive list of Windows persistence points (Run keys, services, scheduled tasks, WMI, startup folder, DLL search order, COM hijacks, AppInit DLLs, Image File Execution Options).
2. **Collect Endpoint Data**: Use EDR, Sysmon, or Velociraptor to collect current persistence artifacts from endpoints across the environment.
3. **Baseline Legitimate Persistence**: Compare collected data against known-good baselines (Autoruns snapshots, GPO-deployed entries, SCCM configurations).
4. **Identify Anomalies**: Flag new, unsigned, or unknown entries in persistence locations that deviate from the baseline.
5. **Inves...
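The following is an added example of workflow steps 3 and 4 (baseline comparison and anomaly flagging); it is not code from the Anthropic-Cybersecurity-Skills repository. It assumes that persistence artifacts have already been collected (step 2) and flattened into dicts with `host`, `location`, `name`, `image_path`, `signed` and `signer` fields; that flat schema, the trusted-signer list and the sample entries are all constructed for illustration, not a real tool's export format. Beyond the page's new/unsigned/unknown checks it also stacks entries across hosts, so an artifact present on only a few endpoints is surfaced even when it is signed.

```python
"""Baseline comparison and anomaly flagging for Windows persistence artifacts.

Added example; entry schema, signer list and sample data are assumptions.
"""
from collections import Counter
from dataclasses import dataclass, field

# Signers whose signed entries are treated as expected (assumption; extend per environment).
TRUSTED_SIGNERS = {"Microsoft Windows", "Microsoft Corporation"}

# Lower-cased path fragments for user-writable locations; persistence pointing
# there deserves a closer look even when the binary is signed.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


@dataclass
class Finding:
    host: str
    location: str
    name: str
    image_path: str
    reasons: list = field(default_factory=list)


def entry_key(entry):
    """Normalize an artifact so it matches across hosts and casing differences."""
    return (entry["location"].lower(), entry["name"].lower(), entry["image_path"].lower())


def host_prevalence(entries):
    """Count distinct hosts per artifact (stacking): rare entries stand out."""
    seen = set()
    counts = Counter()
    for e in entries:
        pair = (entry_key(e), e["host"])
        if pair not in seen:
            seen.add(pair)
            counts[entry_key(e)] += 1
    return counts


def hunt(entries, baseline, total_hosts, rare_threshold=0.2):
    """Flag entries that are new, unsigned, untrusted, rare, or in writable paths."""
    baseline_keys = {entry_key(b) for b in baseline}
    prevalence = host_prevalence(entries)
    findings = []
    for e in entries:
        key = entry_key(e)
        reasons = []
        if key not in baseline_keys:
            reasons.append("not in baseline")
        if not e.get("signed"):
            reasons.append("unsigned")
        elif e.get("signer") not in TRUSTED_SIGNERS:
            reasons.append(f"untrusted signer: {e.get('signer')}")
        if any(frag in key[2] for frag in USER_WRITABLE):
            reasons.append("user-writable path")
        if prevalence[key] / total_hosts <= rare_threshold:
            reasons.append(f"rare: {prevalence[key]}/{total_hosts} hosts")
        if reasons:
            findings.append(Finding(e["host"], e["location"], e["name"], e["image_path"], reasons))
    return findings


# Constructed known-good baseline, as a golden-image Autoruns snapshot might be flattened.
RUN_KEY = "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
BASELINE = [
    {"location": RUN_KEY, "name": "SecurityHealth",
     "image_path": "C:\\Windows\\System32\\SecurityHealthSystray.exe"},
    {"location": "Services", "name": "Spooler",
     "image_path": "C:\\Windows\\System32\\spoolsv.exe"},
]

# Constructed collection from five endpoints: the expected entry everywhere,
# plus one Run-key entry and one WMI subscription that were never baselined.
HOSTS = ["ws01", "ws02", "ws03", "ws04", "ws05"]
COLLECTED = [
    {"host": h, "location": RUN_KEY, "name": "SecurityHealth",
     "image_path": "C:\\Windows\\System32\\SecurityHealthSystray.exe",
     "signed": True, "signer": "Microsoft Windows"}
    for h in HOSTS
] + [
    {"host": "ws02", "location": RUN_KEY, "name": "WindowsUpdateSvc",
     "image_path": "C:\\Users\\Public\\wupdsvc.exe", "signed": False, "signer": None},
    {"host": "ws04", "location": "WMI Subscription", "name": "SyncEvtConsumer",
     "image_path": "C:\\ProgramData\\sync\\sync.vbs", "signed": False, "signer": None},
]


def run_sample():
    """Run the hunt over the constructed data; returns the findings for review."""
    return hunt(COLLECTED, BASELINE, total_hosts=len(HOSTS))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.host}: [{f.location}] {f.name} -> {f.image_path}")
        for r in f.reasons:
            print(f"    - {r}")
```

Each finding carries every reason that fired, so an analyst can triage on the combination (a signed, baselined entry that is merely rare is a different priority from an unsigned, unbaselined binary in a user-writable path). The `rare_threshold` is relative to the number of hosts collected, which the caller must supply so that partial collections do not make common entries look rare.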

Details

Author: mukul975
Repository: mukul975/Anthropic-Cybersecurity-Skills
Created: 3 months ago
Last Updated: today
Language: Python
License: Apache-2.0
