Persistence (TA0003) Techniques

Introduction

Investigating persistence mechanisms in a network, Windows workstations, and server systems is crucial in understanding how attackers maintain access to compromised environments. Persistence allows attackers to regain entry even after initial entry points are closed, making it a critical aspect of forensic analysis.

Understand Common Persistence Techniques

• Registry Keys: Autoruns, Run keys, and other registry locations where programs can be set to run on startup.

• Startup Folders: Programs placed in these directories will automatically launch at startup.

• Scheduled Tasks: Malicious tasks can be scheduled to run at specific times or intervals.

• Service Creation: Malware can install itself as a service, which is automatically started by Windows.

• DLL Hijacking: Malware replaces legitimate DLLs or adds malicious DLLs referenced by legitimate programs.

• WMI Event Subscriptions: WMI can execute scripts or binaries in response to certain system events.

• Account Manipulation: Creation of new user accounts or modification of existing accounts for future access.

Data Collection and Preservation

• Forensic Imaging: Use tools like FTK Imager or dd to create images of affected systems.

• Live System Data: If possible, gather live data, including running processes, network connections, and currently loaded drivers.

• Log Collection: Collect security logs, system logs, application logs, and event logs.

Analysis Techniques

• Registry Analysis: Use tools like Registry Explorer or RegRipper to analyse registry hives for unauthorised modifications.

• File System Analysis: Tools like Autopsy or X-Ways can analyse file systems for suspicious files in startup directories, unusual file creation/modification dates, or hidden files.

• Scheduled Task Analysis: Review Windows Task Scheduler for any unrecognised or suspicious tasks.

• Service Analysis: Examine the list of installed services for unknown or modified services.

• Log Analysis: Investigate logs for evidence of account creation, modification, or other signs of unauthorised access.

Investigate Common Persistence Locations

• Autostart Locations: Check common autostart locations like HKCU\Software\Microsoft\Windows\CurrentVersion\Run or HKLM\Software\Microsoft\Windows\CurrentVersion\Run.

• Startup Directories: Inspect directories like %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup.

• Task Scheduler: Look for tasks that execute on system start or at regular intervals.

• Services: Analyse the list of services (services.msc) for new or modified entries.

Network Analysis

• Endpoint Detection and Response (EDR): Use EDR tools to monitor network traffic for signs of C2 communication.

• SIEM Systems: Analyse aggregated logs for patterns indicative of persistence mechanisms.

6. Utilise Specialised Forensic Tools

• Sysinternals Suite: Tools like Autoruns can help identify programs configured to run during system bootup.

• PowerShell Scripts: Scripts like Get-Service, Get-ScheduledTask, or custom scripts can help identify anomalies.

Documentation and Reporting

• Detailed Documentation: Keep a detailed record of all findings, methods used, and evidence paths.

• Reporting: Prepare a comprehensive report outlining the persistence mechanisms found, their impact, and recommendations for remediation.

Remediation and Recovery

• Remove Persistence Mechanisms: Based on findings, remove or disable the identified persistence mechanisms.

• Strengthen Defenses: Update security policies, patch vulnerabilities, and adjust endpoint protection strategies.

Post-Incident Analysis

• Review and Learn: Analyse the incident to understand how the persistence was established and improve defences accordingly.

Key Considerations

• Legal and Compliance: Ensure compliance with legal and organisational guidelines.

• Chain of Custody: Maintain a clear chain of custody for all forensic evidence.

• Confidentiality: Ensure that sensitive data is handled appropriately.

Persistence investigation requires a comprehensive approach, leveraging various tools and techniques to uncover how attackers maintain access. Tailor your investigation to the specifics of the incident and the environment you are dealing with.

Using KQL to Investigate Persistence Activities in an Environment Using Defender/Sentinel

Persistence techniques allow adversaries to maintain access to a compromised system even after reboots or other interruptions.

1. T1547 - Boot or Logon Autostart Execution

Objective: Detect mechanisms that automatically execute code upon boot or user logon.

1. Detect Registry Run Key Modifications

DeviceRegistryEvents | where RegistryKey has_any ("\\Run", "\\RunOnce", "\\RunServices") | project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessAccountName

Purpose: Identify changes to registry keys used to launch programs at startup.

1. Monitor Startup Folder for New Files

DeviceFileEvents | where FolderPath endswith "Startup" and FileOperation == "Create" | project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessAccountName

Purpose: Detect new files added to the Startup folder.

1. Detect New Service Creation

    DeviceServiceEvents | where ActionType == "ServiceInstalled" | project Timestamp, DeviceName, ServiceName, InitiatingProcessCommandLine, InitiatingProcessAccountName

Purpose: Monitor for the installation of new services that could be used for persistence.

1. Identify New Scheduled Tasks

DeviceProcessEvents | where ProcessCommandLine has "schtasks /create" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Detect the creation of new scheduled tasks.

1. Monitor for Autorun Entries in the Registry

DeviceRegistryEvents | where RegistryKey has_any ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run") | project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData

Purpose: Identify autorun entries that can be used to persist malicious code.

1. Detect Creation of WMI Event Subscriptions

DeviceProcessEvents | where ProcessCommandLine has "wmic" and ProcessCommandLine has "EventFilter" and ProcessCommandLine has "create" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Monitor for the creation of WMI event subscriptions that can be used for persistence.

1. Identify Modifications to Userinit Key

DeviceRegistryEvents | where RegistryKey == "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit" | project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessAccountName

Purpose: Detect modifications to the Userinit registry key, which can be used to launch programs at logon.

1. Monitor for DLLs Added to Startup Folders

DeviceFileEvents | where FolderPath endswith "Startup" and FileExtension == ".dll" | project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessAccountName

Purpose: Detect DLL files added to startup folders for persistence.

1. Detect Modifications to Shell Registry Key

DeviceRegistryEvents | where RegistryKey == "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell" | project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessAccountName

Purpose: Monitor for changes to the Shell registry key that can be used to persist malware.

1. Identify New Logon Scripts

DeviceFileEvents | where FolderPath has "Scripts\\Logon" and FileOperation == "Create" | project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessAccountName

Purpose: Detect new logon scripts that can be used for persistence.

2. T1053 - Scheduled Task/Job

Objective: Detect the creation or modification of scheduled tasks or jobs that persistently execute malicious code.

1. Detect Creation of New Scheduled Tasks

DeviceProcessEvents | where ProcessCommandLine has "schtasks /create" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Identify the creation of new scheduled tasks.

1. Monitor for Changes to Existing Scheduled Tasks

DeviceProcessEvents | where ProcessCommandLine has "schtasks /change" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Detect changes made to existing scheduled tasks.

1. Identify Scheduled Task Executing Suspicious Commands

DeviceProcessEvents | where ProcessCommandLine has "schtasks /create" and ProcessCommandLine has_any ("powershell.exe", "cmd.exe", "wscript.exe") | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Monitor for scheduled tasks executing commands commonly used in attacks.

1. Detect Scheduled Task Execution

DeviceProcessEvents | where ProcessCommandLine has "taskeng.exe" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Identify the execution of scheduled tasks.

1. Monitor for Scheduled Task Executions by Non-Admin Users

DeviceProcessEvents | where ProcessCommandLine has "taskeng.exe" and InitiatingProcessAccountName != "Administrator" | project Timestamp, DeviceName, ProcessCommandLine

Purpose: Detect scheduled tasks being executed by non-administrative users.

1. Identify Scheduled Task Execution with Elevated Privileges

DeviceProcessEvents | where ProcessCommandLine has "taskeng.exe" and TokenElevationType == "Full" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Monitor for scheduled tasks running with elevated privileges.

1. Detect Suspicious Task Scheduler Executables

DeviceProcessEvents | where ProcessCommandLine has_any ("taskeng.exe", "taskschd.msc") | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Identify suspicious use of task scheduler executables.

1. Monitor for AT Command Usage

DeviceProcessEvents | where ProcessCommandLine has "at" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Detect the use of the AT command to schedule tasks.

1. Identify Suspicious Scheduled Task Parameters

DeviceProcessEvents | where ProcessCommandLine has "schtasks" and ProcessCommandLine has_any ("/TN", "/TR", "/SC") | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Monitor for suspicious parameters in scheduled tasks.

1. Detect Creation of Hidden Scheduled Tasks

DeviceProcessEvents | where ProcessCommandLine has "schtasks /create" and ProcessCommandLine has "/RU SYSTEM" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Identify the creation of hidden or system-level scheduled tasks.

3. T1060 - Registry Run Keys / Startup Folder

Objective: Detect the use of registry run keys or startup folders to maintain persistence on a system.

1. Detect New Entries in Registry Run Keys

DeviceRegistryEvents | where RegistryKey has_any ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run") | project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessAccountName

Purpose: Identify new or modified entries in registry run keys.

1. Monitor Startup Folder for New Executables

DeviceFileEvents | where FolderPath endswith "Startup" and FileExtension == ".exe" and FileOperation == "Create" | project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessAccountName

Purpose: Detect new executable files added to the Startup folder.

1. Identify DLLs Added to Registry Run Keys

DeviceRegistryEvents | where RegistryKey has_any ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run") and RegistryValueData has ".dll" | project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessAccountName

Purpose: Detect DLLs added to registry run keys for persistence.

1. Monitor for Suspicious Modifications to RunOnce Keys

DeviceRegistryEvents | where RegistryKey has_any ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce") | project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessAccountName

Purpose: Identify suspicious modifications to RunOnce registry keys.

1. Detect Executables Added to Startup Folders

DeviceFileEvents | where FolderPath endswith "Startup" and FileExtension == ".exe" | project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessAccountName

Purpose: Monitor for executables added to Startup folders that could be used for persistence.

1. Identify Script Files Added to Startup Folders

DeviceFileEvents | where FolderPath endswith "Startup" and FileExtension in (".vbs", ".ps1", ".bat") | project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessAccountName

Purpose: Detect script files added to Startup folders for persistence.

1. Monitor for Suspicious Entries in RunServices Keys

DeviceRegistryEvents | where RegistryKey has_any ("HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunServices") | project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessAccountName

Purpose: Identify suspicious entries in RunServices registry keys.

1. Detect Modifications to Shell Registry Key

DeviceRegistryEvents | where RegistryKey == "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell" | project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessAccountName

Purpose: Monitor for changes to the Shell registry key that may indicate persistence.

1. Identify Modifications to Userinit Key

DeviceRegistryEvents | where RegistryKey == "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit" | project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessAccountName

Purpose: Detect modifications to the Userinit registry key for persistence.

1. Monitor for Unusual Activity in Common Startup Locations

DeviceFileEvents | where FolderPath has_any ("C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", "C:\\Users\\%USERNAME%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") | project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessAccountName

Purpose: Detect unusual activity in common startup locations.

4. T1543 - Create or Modify System Process

Objective: Detect the creation or modification of system processes for persistence.

1. Detect New Service Creation

DeviceServiceEvents | where ActionType == "ServiceInstalled" | project Timestamp, DeviceName, ServiceName, InitiatingProcessCommandLine, InitiatingProcessAccountName

Purpose: Identify the installation of new services that could be used for persistence.

1. Monitor for Service Configuration Changes

DeviceServiceEvents | where ActionType == "ServiceModified" | project Timestamp, DeviceName, ServiceName, InitiatingProcessCommandLine, InitiatingProcessAccountName

Purpose: Detect changes to existing service configurations.

1. Identify Services Set to Auto Start

DeviceServiceEvents | where ActionType == "ServiceInstalled" and ServiceStartType == "Auto" | project Timestamp, DeviceName, ServiceName, InitiatingProcessCommandLine, InitiatingProcessAccountName

Purpose: Monitor for services configured to start automatically, which may be used for persistence.

1. Detect Services Running Executables from Non-Standard Locations

DeviceServiceEvents | where ActionType == "ServiceInstalled" and InitiatingProcessFolderPath has_not "C:\\Windows\\System32" | project Timestamp, DeviceName, ServiceName, InitiatingProcessCommandLine, InitiatingProcessAccountName

Purpose: Identify services running executables from unusual or non-standard locations.

1. Monitor for New Service Executables

DeviceFileEvents | where FilePath has "\\System32\\services.exe" | project Timestamp, DeviceName, FileName, FilePath, InitiatingProcessAccountName

Purpose: Detect new executables associated with services.

1. Identify Suspicious Service Descriptions

DeviceServiceEvents | where ActionType == "ServiceInstalled" and ServiceDescription has_any ("backdoor", "trojan", "rat") | project Timestamp, DeviceName, ServiceName, ServiceDescription, InitiatingProcessAccountName

Purpose: Monitor for suspicious service descriptions that may indicate malicious intent.

1. Detect Modifications to System Services

DeviceServiceEvents | where ActionType == "ServiceModified" and InitiatingProcessAccountName != "SYSTEM" | project Timestamp, DeviceName, ServiceName, InitiatingProcessCommandLine, InitiatingProcessAccountName

Purpose: Identify modifications to system services by non-system accounts.

1. Monitor for Services with Elevated Privileges

DeviceServiceEvents | where ActionType == "ServiceInstalled" and InitiatingProcessAccountName == "SYSTEM" | project Timestamp, DeviceName, ServiceName, InitiatingProcessCommandLine

Purpose: Detect services installed with elevated privileges.

1. Identify Services Executing Suspicious Commands

DeviceServiceEvents | where ActionType == "ServiceInstalled" and InitiatingProcessCommandLine has_any ("powershell.exe", "cmd.exe", "wscript.exe") | project Timestamp, DeviceName, ServiceName, InitiatingProcessCommandLine, InitiatingProcessAccountName

Purpose: Monitor for services executing suspicious commands.

1. Detect Services Executing Non-Executable Files

DeviceServiceEvents | where ActionType == "ServiceInstalled" and InitiatingProcessCommandLine has_any (".txt", ".log", ".pdf") | project Timestamp, DeviceName, ServiceName, InitiatingProcessCommandLine, InitiatingProcessAccountName

Purpose: Identify services configured to execute non-executable files.

5. T1176 - Browser Extensions

Objective: Detect the installation or modification of browser extensions that can be used for persistence.

1. Detect New Browser Extension Installation

DeviceProcessEvents | where ProcessCommandLine has_any ("chrome.exe", "firefox.exe", "edge.exe") and ProcessCommandLine has "ExtensionInstall" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Identify the installation of new browser extensions.

1. Monitor for Changes to Existing Browser Extensions

DeviceFileEvents | where FolderPath has_any ("Chrome\\Extensions", "Firefox\\Profiles", "Edge\\Extensions") and FileOperation == "Modify" | project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessAccountName

Purpose: Detect modifications to existing browser extensions.

1. Identify Browser Extensions with Suspicious Permissions

DeviceProcessEvents | where ProcessCommandLine has_any ("chrome.exe", "firefox.exe", "edge.exe") and ProcessCommandLine has_any ("<all_urls>", "activeTab") | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Monitor for browser extensions requesting suspicious permissions.

1. Detect Browser Extensions Executing Scripts

DeviceProcessEvents | where ProcessCommandLine has_any ("chrome.exe", "firefox.exe", "edge.exe") and ProcessCommandLine has ".js" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Identify browser extensions executing JavaScript files.

1. Monitor for Unusual Activity in Browser Extension Folders

DeviceFileEvents | where FolderPath has_any ("Chrome\\Extensions", "Firefox\\Profiles", "Edge\\Extensions") and FileOperation == "Create" | project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessAccountName

Purpose: Detect unusual activity in browser extension folders.

1. Identify Browser Extensions Making Network Requests

DeviceNetworkEvents | where RemotePort == 443 and InitiatingProcessFileName in ("chrome.exe", "firefox.exe", "msedge.exe") | project Timestamp, DeviceName, RemoteIP, InitiatingProcessCommandLine

Purpose: Monitor for network requests made by browser extensions.

1. Detect Extensions Accessing Sensitive Files

DeviceFileEvents | where InitiatingProcessFileName in ("chrome.exe", "firefox.exe", "msedge.exe") and FilePath has_any (".docx", ".xlsx", ".pdf") | project Timestamp, DeviceName, FileName, FolderPath, InitiatingProcessAccountName

Purpose: Identify browser extensions accessing sensitive files.

1. Monitor for Browser Extensions Installed by Non-Admin Users

DeviceProcessEvents | where ProcessCommandLine has_any ("chrome.exe", "firefox.exe", "edge.exe") and InitiatingProcessAccountName != "Administrator" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Detect browser extensions installed by non-administrative users.

1. Identify Browser Extensions Executing System Commands

DeviceProcessEvents | where ProcessCommandLine has_any ("chrome.exe", "firefox.exe", "edge.exe") and ProcessCommandLine has_any ("cmd.exe", "powershell.exe", "wscript.exe") | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Monitor for browser extensions executing system commands.

1. Detect Browser Extensions with Elevated Privileges

DeviceProcessEvents | where ProcessCommandLine has_any ("chrome.exe", "firefox.exe", "edge.exe") and TokenElevationType == "Full" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Identify browser extensions operating with elevated privileges.

6. T1546 - Event Triggered Execution

Objective: Detect the creation or modification of event triggers that persistently execute malicious code in response to specific events.

1. Detect Creation of WMI Event Filters

DeviceProcessEvents | where ProcessCommandLine has "wmic" and ProcessCommandLine has "EventFilter" and ProcessCommandLine has "create" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Identify the creation of WMI event filters for persistence.

1. Monitor for Modification of WMI Event Filters

DeviceProcessEvents | where ProcessCommandLine has "wmic" and ProcessCommandLine has "EventFilter" and ProcessCommandLine has "modify" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Detect modifications to existing WMI event filters.

1. Identify WMI Event Consumers Creating or Modifying Files

DeviceProcessEvents | where ProcessCommandLine has "wmic" and ProcessCommandLine has "CommandLineEventConsumer" and ProcessCommandLine has_any ("cmd.exe", "powershell.exe") | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Monitor for WMI event consumers that create or modify files.

1. Detect WMI Event Consumers Executing Suspicious Commands

DeviceProcessEvents | where ProcessCommandLine has "wmic" and ProcessCommandLine has "CommandLineEventConsumer" and ProcessCommandLine has_any ("explorer.exe", "taskeng.exe") | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Identify WMI event consumers executing suspicious commands.

1. Monitor for New or Modified System Log Event Filters

DeviceRegistryEvents | where RegistryKey has "HKLM\\System\\CurrentControlSet\\Services\\EventLog" | project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessAccountName

Purpose: Detect new or modified system log event filters.

1. Identify Task Scheduler Event Triggers

DeviceProcessEvents | where ProcessCommandLine has "schtasks" and ProcessCommandLine has "/SC ONLOGON" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Monitor for task scheduler event triggers associated with logon events.

1. Detect Creation of Hidden WMI Event Consumers

DeviceProcessEvents | where ProcessCommandLine has "wmic" and ProcessCommandLine has "CommandLineEventConsumer" and ProcessCommandLine has "/NOINTERACTIVE" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Identify the creation of hidden WMI event consumers.

1. Monitor for Suspicious Event Triggers Related to User Activity

DeviceProcessEvents | where ProcessCommandLine has "schtasks" and ProcessCommandLine has_any ("/SC ONIDLE", "/SC ONWORKSTATIONUNLOCK") | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Detect event triggers that execute in response to user activity.

1. Identify System Service Event Triggers

DeviceServiceEvents | where ActionType == "ServiceModified" and ServiceStartType == "TriggerStart" | project Timestamp, DeviceName, ServiceName, InitiatingProcessCommandLine, InitiatingProcessAccountName

Purpose: Monitor for system services configured to trigger on specific events.

1. Detect Scheduled Task Event Triggers with Elevated Privileges

DeviceProcessEvents | where ProcessCommandLine has "schtasks" and ProcessCommandLine has_any ("/SC ONSTART", "/SC ONLOGON") and TokenElevationType == "Full" | project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName

Purpose: Identify scheduled tasks with event triggers that run with elevated privileges.