
Persistence Discovery

Introduction

PowerShell is an essential tool for SecOps teams, offering a powerful and versatile platform for managing systems, automating tasks, and investigating security incidents. Its integration with Windows, extensive library of cmdlets, and scripting capabilities make it particularly effective for uncovering persistence mechanisms during digital forensics and incident response (DFIR) investigations. Attackers use persistence techniques to maintain long-term access to compromised systems, so that they can return even after detection or remediation. PowerShell lets SecOps teams identify these techniques efficiently, supporting swift containment and strengthening the organisation's security posture.


Capabilities of PowerShell for Persistence Discovery in DFIR

1. Startup and Autorun Location Analysis:

PowerShell enables analysts to investigate startup items, registry keys, and scheduled tasks that attackers might abuse to establish persistence. This includes inspecting common persistence points such as the Run and RunOnce keys (for example HKLM\Software\Microsoft\Windows\CurrentVersion\Run and its HKCU counterpart) and the per-user and all-users startup folders.

2. Scheduled Task Inspection:

Attackers often create or modify scheduled tasks to execute malicious payloads persistently. PowerShell can enumerate all scheduled tasks, analyse their configurations, and identify suspicious or unauthorised entries that deviate from normal operations.

3. Service Configuration and Abuse Detection:

Malicious actors may create or modify Windows services to run their code persistently. PowerShell allows for detailed inspection of service configurations, including service types, startup modes, and associated binaries, helping to uncover evidence of misuse.

4. Registry and WMI Persistence Monitoring:

Windows Management Instrumentation (WMI) and registry keys are common avenues for persistence. PowerShell provides the ability to query and analyse WMI event subscriptions and registry entries, helping to detect malicious alterations designed to maintain attacker footholds.

5. User Account and Credential Persistence:

PowerShell can monitor for the creation of rogue user accounts, unauthorised changes to user privileges, or misuse of credentials that attackers may leverage for persistent access. It can also help detect changes to Active Directory objects or policies related to persistence.

6. File and Binary Inspection:

Attackers may deploy or modify binaries, scripts, or libraries to ensure persistence. PowerShell allows for searching, analysing, and verifying the integrity of these files, including identifying anomalous or unsigned executables.

7. Event Log Analysis:

Persistence activities often leave traces in Windows event logs. PowerShell enables querying of security, application, and system logs for events indicative of persistence techniques, such as service creation, task scheduling, or registry modifications.


Efficiency Provided by PowerShell in Persistence Discovery

  1. Comprehensive Visibility: PowerShell provides detailed insights into critical system components like registry keys, services, tasks, and user accounts, ensuring thorough persistence detection.

  2. Scalability: With PowerShell Remoting, analysts can perform persistence discovery across multiple systems simultaneously, making it ideal for large-scale investigations.

  3. Real-Time Analysis: PowerShell supports real-time querying of persistence mechanisms, enabling teams to identify and respond to ongoing threats more quickly.

  4. Automation: PowerShell scripts can automate routine discovery tasks, such as scanning for scheduled tasks or analysing registry changes, ensuring efficiency and consistency.

  5. Custom Detection Rules: PowerShell can be tailored to focus on specific persistence techniques outlined in the MITRE ATT&CK framework, enabling precise detection aligned with known adversarial tactics.

  6. Integration with Security Tools: Seamless integration with security platforms like Microsoft Defender for Endpoint, Azure Sentinel, and SIEMs allows for enhanced detection and automated responses to persistence activities.


By leveraging PowerShell's capabilities, SecOps teams can efficiently uncover and analyse persistence techniques, minimising the attacker’s ability to maintain access and improving the enterprise network's overall resilience.


Persistence Discovery

1. Registry-Based Persistence

1.1. Registry Run Key Modifications

Purpose: Detect changes to registry keys that run programs at startup.

Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" | Select-Object PSChildName, *
Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" | Select-Object PSChildName, *

1.2. AppInit_DLLs Changes

Purpose: Identify modifications to the AppInit_DLLs registry value, often used for DLL injection.

Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" -Name AppInit_DLLs

2. Scheduled Tasks and Services

2.1. Listing Suspicious Scheduled Tasks

Purpose: Detect the creation of scheduled tasks that may indicate persistence.

# Actions is a collection of CIM objects; flatten it to "executable arguments" so the command is readable in the output.
Get-ScheduledTask | Where-Object {$_.State -eq 'Ready' -or $_.State -eq 'Running'} | Select-Object TaskName, TaskPath, @{n='Actions';e={($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '}}

2.2. Service Installation Events

Purpose: Identify the installation of unusual services, which may be used for persistence.

# 7045 properties: 0 ServiceName, 1 ImagePath, 2 ServiceType, 3 StartType, 4 AccountName. Compare the name against a vetted allow-list.
$KnownGoodServices = @()   # populate from a baseline of expected service names
Get-WinEvent -FilterHashtable @{LogName='System'; ID=7045} | Where-Object {$_.Properties[0].Value -notin $KnownGoodServices} | Select-Object TimeCreated, @{n='ServiceName';e={$_.Properties[0].Value}}, @{n='ImagePath';e={$_.Properties[1].Value}}

3. WMI Persistence

3.1. Detecting WMI Event Consumers

Purpose: Identify WMI event consumers, which can be used for persistence.

# __EventConsumer is the base class, so every concrete consumer is returned; CommandLineTemplate is only set on CommandLineEventConsumer and ScriptText only on ActiveScriptEventConsumer.
Get-WmiObject -Namespace "root\subscription" -Class __EventConsumer | Select-Object Name, __CLASS, CommandLineTemplate, ScriptText

3.2. Monitoring WMI Event Filters

Purpose: Detect suspicious WMI event filters.

Get-WmiObject -Namespace "root\subscription" -Class __EventFilter | Select-Object Name, Query

4. Startup Folder Persistence

4.1. Listing Items in Startup Folders

Purpose: Detect suspicious scripts or executables placed in startup folders.

Get-ChildItem -Path "C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" | Select-Object FullName, CreationTime
Get-ChildItem -Path "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" | Select-Object FullName, CreationTime

5. GPO and Logon Scripts

5.1. Detecting GPO Logon Scripts

Purpose: Identify logon scripts configured via Group Policy Objects.

# Get-GPRegistryValue has no -All switch, and GPO logon scripts are stored in the Scripts extension rather than as registry policy, so read each GPO's XML report instead (requires the GroupPolicy RSAT module).
Get-GPO -All | ForEach-Object { $gpo = $_; [xml]$r = Get-GPOReport -Guid $gpo.Id -ReportType Xml; @($r.GPO.User.ExtensionData.Extension.Script) | Where-Object { $_ -and $_.Type -eq 'Logon' } | Select-Object @{n='PolicyName';e={$gpo.DisplayName}}, Type, Command, Parameters }

5.2. Enumerating Local Logon Scripts

Purpose: Detect logon scripts configured locally.

Get-ChildItem -Path "C:\Windows\System32\GroupPolicy\User\Scripts\Logon" | Select-Object FullName, CreationTime

6. Binary and Script-Based Persistence

6.1. Monitoring Changes in Common System Directories

Purpose: Detect unauthorised binaries or scripts in common system directories.

# -Filter accepts a single pattern, so "*.exe, *.dll" matches nothing; filter on the extension instead.
Get-ChildItem -Path "C:\Windows\System32" -File | Where-Object {$_.Extension -in '.exe','.dll' -and $_.LastWriteTime -gt (Get-Date).AddDays(-1)} | Select-Object FullName, LastWriteTime

6.2. Detecting PowerShell Profile Changes

Purpose: Identify modifications to PowerShell profiles, which can be used for persistence.

# $PROFILE on its own is only the current-user/current-host profile; all four profile scripts load, so review each one that exists.
@($PROFILE.AllUsersAllHosts, $PROFILE.AllUsersCurrentHost, $PROFILE.CurrentUserAllHosts, $PROFILE.CurrentUserCurrentHost) | Where-Object { Test-Path -LiteralPath $_ } | ForEach-Object { "== $_ =="; Get-Content -Path $_ }

7. Malicious Use of Scripting Languages

7.1. Monitoring for Suspicious PowerShell Scripts

Purpose: Detect suspicious PowerShell scripts, especially those that could establish persistence.

Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104} | Where-Object {$_.Message -match 'Invoke-Mimikatz|New-Object'}

7.2. Detecting JScript and VBScript Persistence

Purpose: Identify suspicious JScript or VBScript files that may be used for persistence.

# -Filter takes one pattern only; use -Include with -Recurse for several extensions (encoded .jse/.vbe and .wsf wrappers included).
Get-ChildItem -Path "C:\Windows\Temp" -Recurse -File -Include *.js, *.vbs, *.jse, *.vbe, *.wsf | Where-Object {$_.LastWriteTime -gt (Get-Date).AddDays(-1)} | Select-Object FullName, LastWriteTime

8. Registry Persistence

8.1. Checking for Winlogon Shell Modifications

Purpose: Detect modifications to the Winlogon Shell registry key, which can be used to start malware.

Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name Shell

8.2. Investigating Userinit Key Modifications

Purpose: Identify unauthorised changes to the Userinit registry key.

Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name Userinit
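The Run/RunOnce, AppInit_DLLs and Winlogon checks in sections 1 and 8 each return raw values that still have to be judged by eye. The following added example (my own code, not part of the original page) combines them into one triage pass that extracts the executable from each entry, verifies its Authenticode signature, compares Winlogon against the stock defaults and flags the indicators a reviewer would look for. The flag names and the default values for Shell and Userinit are my assumptions.

```powershell
# Added example: triage of the registry autostart locations covered in sections 1 and 8.
# Assumptions: run as an administrator on the host under review; Windows PowerShell 5.1 or later.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Stock Winlogon values; anything appended after the default is an extra payload.
$winlogonDefaults = @{ Shell = 'explorer.exe'; Userinit = 'C:\Windows\system32\userinit.exe,' }

# Pull the executable out of a command line: quoted path first, otherwise the first token.
function Get-ExecutablePath {
    param([string]$CommandLine)
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    $first = ($CommandLine -split '\s+')[0]
    return [Environment]::ExpandEnvironmentVariables($first)
}

# Heuristics applied to each autostart entry; Flags is empty when nothing stood out.
function Test-AutostartEntry {
    param([string]$Source, [string]$Name, [string]$CommandLine)
    $exe = Get-ExecutablePath $CommandLine
    $flags = New-Object System.Collections.Generic.List[string]
    if ($CommandLine -match '(?i)\\(Temp|AppData|ProgramData|Public|Downloads)\\') { $flags.Add('user-writable path') }
    if ($CommandLine -match '(?i)\b(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|cmd)(\.exe)?\b') { $flags.Add('script host / LOLBin') }
    if ($CommandLine -match '(?i)-(enc|encodedcommand)\b|-w(indowstyle)?\s+hidden') { $flags.Add('encoded or hidden PowerShell') }
    if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
        $sig = Get-AuthenticodeSignature -FilePath $exe
        if ($sig.Status -ne 'Valid') { $flags.Add("signature: $($sig.Status)") }
    } else {
        $flags.Add('executable not found on disk')
    }
    [pscustomobject]@{ Source = $Source; Name = $Name; CommandLine = $CommandLine; Flags = ($flags -join '; ') }
}

$results = @(foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... provider metadata
        Test-AutostartEntry -Source $key -Name $p.Name -CommandLine ([string]$p.Value)
    }
})

# AppInit_DLLs: any non-empty value deserves a look, especially with LoadAppInit_DLLs = 1.
$appInit = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
if ($appInit.AppInit_DLLs) {
    $results += [pscustomobject]@{ Source = 'AppInit_DLLs'; Name = 'AppInit_DLLs'; CommandLine = $appInit.AppInit_DLLs; Flags = "non-empty (LoadAppInit_DLLs=$($appInit.LoadAppInit_DLLs))" }
}

# Winlogon Shell / Userinit compared with the defaults (string comparison is case-insensitive).
$winlogon = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
foreach ($valueName in $winlogonDefaults.Keys) {
    $actual = [string]$winlogon.$valueName
    if ($actual.TrimEnd(',') -ne $winlogonDefaults[$valueName].TrimEnd(',')) {
        $results += [pscustomobject]@{ Source = 'Winlogon'; Name = $valueName; CommandLine = $actual; Flags = "differs from default '$($winlogonDefaults[$valueName])'" }
    }
}

# Flagged entries first.
$results | Sort-Object { $_.Flags -ne '' } -Descending | Format-Table -AutoSize -Wrap
```

Entries with an empty Flags column are not proven benign; they simply matched none of the heuristics and still belong in the triage record.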

9. Boot and Auto-Start Configuration

9.1. Checking for Boot Configuration Data (BCD) Changes

Purpose: Detect unauthorised changes to the Boot Configuration Data.

bcdedit /enum all

9.2. Detecting Changes to Auto-Start Services

Purpose: Identify unauthorised changes to services set to auto-start.

Get-Service | Where-Object {$_.StartType -eq 'Automatic'} | Select-Object Name, DisplayName, Status

10. Persistence via Network and Remote Services

10.1. Monitoring Remote Desktop Protocol (RDP) Changes

Purpose: Detect changes to RDP settings that could indicate persistence mechanisms.

Get-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name fDenyTSConnections

10.2. Detecting Changes to Remote Management Settings

Purpose: Identify changes to Windows Remote Management (WinRM) settings.

Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Client" -Name AllowBasic

Additional Discovery Techniques

1. Registry and Autoruns Monitoring

1.1. Detecting Autorun Entries in the Registry

Purpose: Identify suspicious autorun entries that may indicate persistence mechanisms.

# Each Run value is a separate property of the returned object; enumerate them, and strip the directory from the command to show just the file name.
Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" | ForEach-Object { $_.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } } | Select-Object @{n='Entry';e={$_.Name}}, @{n='Command';e={$_.Value}}, @{n='FileName';e={($_.Value -replace '^"([^"]+)".*','$1') -replace '.*\\'}}

1.2. Monitoring for Changes in Startup Folders

Purpose: Detect changes in startup folders that may indicate unauthorised persistence.

Get-ChildItem -Path "C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" | Select-Object FullName, LastWriteTime

2. Service and Scheduled Task Persistence

2.1. Detecting Creation of New Services

Purpose: Identify the creation of new services, which can be used for persistence.

# 7045 properties: 0 ServiceName, 1 ImagePath, 2 ServiceType, 3 StartType, 4 AccountName (index 5 does not exist).
Get-WinEvent -FilterHashtable @{LogName='System'; ID=7045} | Select-Object TimeCreated, @{n='ServiceName';e={$_.Properties[0].Value}}, @{n='ServiceFile';e={$_.Properties[1].Value}}, @{n='Account';e={$_.Properties[4].Value}}

2.2. Monitoring for New or Modified Scheduled Tasks

Purpose: Detect the creation or modification of scheduled tasks for persistence.

# Date is the task's registration timestamp; filter on it rather than on Principal.UserId -like "*", which matches every task. Pair with Security 4698/4702 for creation and update events.
Get-ScheduledTask | Where-Object {$_.Date -and [datetime]$_.Date -gt (Get-Date).AddDays(-7)} | Select-Object TaskName, TaskPath, Date, @{n='RunAs';e={$_.Principal.UserId}}, @{n='Actions';e={($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '}}
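Listing tasks only shows the current state; to answer "what is new or modified" you need something to compare against. This added example (my own code, not from the original page) snapshots the task inventory to JSON and, on later runs, diffs the live inventory against that baseline by task path. $BaselinePath is a hypothetical location of your choosing.

```powershell
# Added example: snapshot-and-diff of scheduled tasks so new or altered tasks surface by name.
# Assumption: $BaselinePath was written by an earlier run on a known-good host state.
$BaselinePath = 'C:\Triage\tasks-baseline.json'   # hypothetical path

function Get-TaskInventory {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        # Flatten the CIM action objects; COM-handler actions have no Execute, so record their class and CLSID instead.
        $actions = ($task.Actions | ForEach-Object {
            if ($_.Execute) { "$($_.Execute) $($_.Arguments)".Trim() } else { "$($_.CimClass.CimClassName) $($_.ClassId)" }
        }) -join ' | '
        $triggers = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task', '' }) -join ','
        [pscustomobject]@{
            Path       = "$($task.TaskPath)$($task.TaskName)"
            RunAs      = [string]$task.Principal.UserId
            RunLevel   = [string]$task.Principal.RunLevel
            Actions    = $actions
            Triggers   = $triggers
            Author     = [string]$task.Author
            Registered = [string]$task.Date
        }
    }
}

# A task counts as modified when what it runs, who it runs as, or what fires it has changed.
function Compare-TaskInventory {
    param($Baseline, $Current)
    $base = @{}
    foreach ($t in $Baseline) { $base[$t.Path] = $t }
    foreach ($t in $Current) {
        if (-not $base.ContainsKey($t.Path)) {
            [pscustomobject]@{ Change = 'NEW'; Path = $t.Path; RunAs = $t.RunAs; Detail = "$($t.Triggers): $($t.Actions)" }
            continue
        }
        $old = $base[$t.Path]
        if ($old.Actions -ne $t.Actions -or $old.RunAs -ne $t.RunAs -or $old.Triggers -ne $t.Triggers) {
            [pscustomobject]@{ Change = 'MODIFIED'; Path = $t.Path; RunAs = $t.RunAs; Detail = "was: $($old.Actions)  now: $($t.Actions)" }
        }
    }
}

$current = @(Get-TaskInventory)
if (Test-Path -LiteralPath $BaselinePath) {
    $baseline = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json
    Compare-TaskInventory -Baseline $baseline -Current $current | Format-Table -AutoSize -Wrap
} else {
    New-Item -ItemType Directory -Path (Split-Path $BaselinePath -Parent) -Force | Out-Null
    $current | ConvertTo-Json -Depth 3 | Set-Content -LiteralPath $BaselinePath
    "Baseline written to $BaselinePath; run again later to list new or modified tasks."
}
```

Tasks removed since the baseline are not reported; add a reverse pass over $base if deletions matter to the investigation.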

3. WMI and COM Object Persistence

3.1. Detecting WMI Event Subscription Persistence

Purpose: Identify persistent WMI event subscriptions used for persistence.

# A subscription is only live when a __FilterToConsumerBinding links a filter to a consumer; the binding shows which pairs are armed.
Get-WmiObject -Namespace "root\subscription" -Class __FilterToConsumerBinding | Select-Object Filter, Consumer
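Sections 3.1 and 3.2 above and this section each list one of the three classes separately; an analyst needs them joined to see which query fires which payload. This added example (my own code, not from the original page) resolves every binding in root\subscription to its filter query and consumer payload and lists unbound leftovers. It assumes Windows PowerShell 5.1, where Get-WmiObject returns binding references as path strings.

```powershell
# Added example: join WMI event filters, consumers and bindings into one table of live subscriptions.
# Assumption: Windows PowerShell 5.1 (Get-WmiObject); run as an administrator to see all instances.
$ns = 'root\subscription'
$filters   = Get-WmiObject -Namespace $ns -Class __EventFilter
$consumers = Get-WmiObject -Namespace $ns -Class __EventConsumer     # base class: returns every concrete consumer type
$bindings  = Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding

# Binding references look like  __EventFilter.Name="X"  or  CommandLineEventConsumer.Name="Y".
function Get-RefName {
    param([string]$Ref)
    if ($Ref -match 'Name="([^"]+)"') { return $Matches[1] }
    return $Ref
}

$filterByName = @{};   foreach ($f in $filters)   { $filterByName[$f.Name] = $f }
$consumerByName = @{}; foreach ($c in $consumers) { $consumerByName[$c.Name] = $c }

$rows = @(foreach ($b in $bindings) {
    $f = $filterByName[(Get-RefName $b.Filter)]
    $c = $consumerByName[(Get-RefName $b.Consumer)]
    $class = if ($c) { [string]$c.__CLASS } else { '(consumer not found)' }
    # What runs when the filter fires depends on the concrete consumer class.
    $payload = switch ($class) {
        'CommandLineEventConsumer'  { "$($c.ExecutablePath) $($c.CommandLineTemplate)".Trim() }
        'ActiveScriptEventConsumer' { if ($c.ScriptText) { $c.ScriptText } else { $c.ScriptFileName } }
        default                     { $class }
    }
    [pscustomobject]@{
        Filter       = $f.Name
        Query        = $f.Query
        Consumer     = $c.Name
        Type         = $class
        Payload      = $payload
        # Command-line and script consumers execute arbitrary code; the other built-in types only log, mail or signal.
        ExecutesCode = ($class -in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer')
    }
})
$rows | Format-Table -AutoSize -Wrap

# Unbound filters and consumers do nothing on their own but are still evidence worth recording.
$filters   | Where-Object { $_.Name -notin @($rows.Filter) }   | Select-Object @{n='Unbound';e={'__EventFilter'}}, Name, Query
$consumers | Where-Object { $_.Name -notin @($rows.Consumer) } | Select-Object @{n='Unbound';e={$_.__CLASS}}, Name
```

On PowerShell 7 use Get-CimInstance instead; there the Filter and Consumer properties are CimInstance objects whose Name property can be read directly.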

3.2. Monitoring for Suspicious COM Object Creation

Purpose: Detect the creation of suspicious COM objects that may indicate persistence.

# Get-ItemProperty has no -Recurse; enumerate the CLSID subkeys and read the InprocServer32 default value (the DLL that is loaded) from each.
Get-ChildItem -Path "HKLM:\Software\Classes\CLSID" | ForEach-Object { $srv = Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue; if ($srv) { [pscustomobject]@{ CLSID = $_.PSChildName; InprocServer32 = $srv.'(default)'; ThreadingModel = $srv.ThreadingModel } } }
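Listing every machine-wide CLSID is noisy. COM resolves HKCU\Software\Classes before HKLM\Software\Classes, so the higher-value check is a per-user registration that shadows a machine-wide one. This added example (my own code, not from the original page) walks the HKCU CLSID hive, looks up the matching HKLM entry for each, and flags shadowing, user-writable server paths, missing files and unsigned servers.

```powershell
# Added example: per-user CLSID registrations that override machine-wide COM servers.
# Assumption: run as the user whose HKCU hive is under review; no admin rights needed to read either hive.
function Get-ComServer {
    param([string]$ClsidKey)
    foreach ($sub in 'InprocServer32', 'LocalServer32') {
        $p = Join-Path $ClsidKey $sub
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $raw = [string](Get-ItemProperty -LiteralPath $p).'(default)'
        if (-not $raw) { continue }
        $raw = [Environment]::ExpandEnvironmentVariables($raw)
        # Strip quoting and trailing arguments so the file can be checked on disk.
        $file = if ($raw -match '^"([^"]+)"') { $Matches[1] } else { ($raw -split '\s+')[0] }
        return [pscustomobject]@{ Kind = $sub; Server = $raw; File = $file }
    }
}

$hkcuRoot = 'HKCU:\Software\Classes\CLSID'
$hklmRoot = 'HKLM:\Software\Classes\CLSID'
$findings = foreach ($key in Get-ChildItem -Path $hkcuRoot -ErrorAction SilentlyContinue) {
    $user = Get-ComServer -ClsidKey $key.PSPath
    if (-not $user) { continue }
    $machineKey = Join-Path $hklmRoot $key.PSChildName
    $machine = if (Test-Path -LiteralPath $machineKey) { Get-ComServer -ClsidKey $machineKey }
    $flags = @()
    if ($machine) { $flags += 'shadows HKLM registration' }
    if ($user.File -match '(?i)\\(Temp|AppData|ProgramData|Public|Downloads)\\') { $flags += 'user-writable path' }
    if (Test-Path -LiteralPath $user.File -PathType Leaf) {
        $sig = Get-AuthenticodeSignature -FilePath $user.File
        if ($sig.Status -ne 'Valid') { $flags += "signature: $($sig.Status)" }
    } else {
        $flags += 'server file not found'
    }
    [pscustomobject]@{ CLSID = $key.PSChildName; Kind = $user.Kind; UserServer = $user.Server; MachineServer = $machine.Server; Flags = ($flags -join '; ') }
}
$findings | Sort-Object { $_.Flags -ne '' } -Descending | Format-Table -AutoSize -Wrap
```

Per-user application installs legitimately register servers under AppData, so the 'user-writable path' flag on its own is weak; a CLSID that also shadows an HKLM entry and points at an unsigned DLL is the combination to chase.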

4. Startup Scripts and Logon Hooks

4.1. Detecting Changes in Group Policy Logon Scripts

Purpose: Identify changes to logon scripts set by Group Policy for persistence.

# The Scripts key holds numbered subkeys (one per GPO, then one per script); the Script and Parameters values sit two levels down and the GPOName value one level down. User logon scripts are recorded under HKCU, machine startup scripts under HKLM.
foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logon', 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup') { Get-ChildItem -Path $key -Recurse -ErrorAction SilentlyContinue | Get-ItemProperty | Where-Object { $_.Script } | Select-Object @{n='Scope';e={$key}}, Script, Parameters, @{n='GPOName';e={(Get-ItemProperty -Path (Split-Path $_.PSPath -Parent)).GPOName}} }

4.2. Monitoring for Logon Hook Injections

Purpose: Detect logon-hook style persistence by identifying logons that were granted SeTcbPrivilege (act as part of the operating system).

# 4672 properties: 0 SubjectUserSid, 1 SubjectUserName, 2 SubjectDomainName, 3 SubjectLogonId, 4 PrivilegeList (indices 5 and 9 do not exist).
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4672} | Where-Object {$_.Properties[4].Value -match "SeTcbPrivilege"} | Select-Object TimeCreated, @{n='AccountName';e={"$($_.Properties[2].Value)\$($_.Properties[1].Value)"}}, @{n='LogonId';e={$_.Properties[3].Value}}

5. Malicious Use of Scheduled Jobs and Cron Jobs

5.1. Detecting Creation of New Scheduled Jobs

Purpose: Identify new scheduled jobs that may indicate persistence mechanisms.

Get-WmiObject -Class Win32_ScheduledJob | Select-Object JobID, Name, Status, Command

5.2. Monitoring for Changes in Existing Scheduled Jobs

Purpose: Detect modifications to existing scheduled jobs for persistence.

# 4698 = task created, 4702 = task updated; both carry 0 SubjectUserSid, 1 SubjectUserName, 2 SubjectDomainName, 3 SubjectLogonId, 4 TaskName, 5 TaskContent. Requires Audit Other Object Access Events to be enabled.
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4698,4702} | Select-Object TimeCreated, Id, @{n='TaskName';e={$_.Properties[4].Value}}, @{n='SubjectUser';e={$_.Properties[1].Value}}

6. Persistence via System Services

6.1. Detecting Changes to System Services

Purpose: Monitor changes to system services that may indicate persistence.

# Every 7040 is a start-type change; its properties are 0 display name, 1 old start type, 2 new start type, 3 service name, so matching "start type changed" on a property never hits.
Get-WinEvent -FilterHashtable @{LogName='System'; ID=7040} | Select-Object TimeCreated, @{n='ServiceName';e={$_.Properties[3].Value}}, @{n='DisplayName';e={$_.Properties[0].Value}}, @{n='OldStartType';e={$_.Properties[1].Value}}, @{n='NewStartType';e={$_.Properties[2].Value}}

6.2. Monitoring for New or Suspicious Service Installations

Purpose: Detect the installation of new services that may be used for persistence.

# 7030 means "service is marked as an interactive service", not an installation; 7045 is the install event. Including StartType and the account shows how and as whom the new service runs.
Get-WinEvent -FilterHashtable @{LogName='System'; ID=7045} | Select-Object TimeCreated, @{n='ServiceName';e={$_.Properties[0].Value}}, @{n='ServiceFile';e={$_.Properties[1].Value}}, @{n='StartType';e={$_.Properties[3].Value}}, @{n='Account';e={$_.Properties[4].Value}}
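The 7045 queries in sections 2.2, 2.1 and here return every service install; the analyst still has to decide which ones matter. This added example (my own code, not from the original page) parses the 7045 fields into objects and applies the indicators a reviewer checks on a service image path: user-writable locations, interpreters or LOLBins as the service binary, encoded commands, remote-execution service patterns, drivers outside System32\drivers and unquoted paths. The flag names and the 30-day window are my choices.

```powershell
# Added example: triage of Service Control Manager 7045 (new service installed) events.
# Property order in 7045: 0 ServiceName, 1 ImagePath, 2 ServiceType, 3 StartType, 4 AccountName.
# Assumptions: rights to read the System log; -ComputerName relies on remote event log access being allowed.
function Get-ServiceInstallEvents {
    param([int]$Days = 30, [string]$ComputerName = $env:COMPUTERNAME)
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = $_.Properties
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Computer    = $_.MachineName
                ServiceName = [string]$p[0].Value
                ImagePath   = [string]$p[1].Value
                ServiceType = [string]$p[2].Value
                StartType   = [string]$p[3].Value
                Account     = [string]$p[4].Value
            }
        }
}

# Indicators applied to each install; returns the matched flags (empty = nothing notable).
function Get-ServiceInstallFlags {
    param([pscustomobject]$Install)
    $img = $Install.ImagePath
    $flags = @()
    if ($img -match '(?i)\\(Temp|AppData|ProgramData|Public|Downloads)\\') { $flags += 'binary in user-writable location' }
    if ($img -match '(?i)\b(cmd|powershell|pwsh|rundll32|regsvr32|mshta|wscript|cscript)(\.exe)?\b') { $flags += 'interpreter or LOLBin as service image' }
    if ($img -match '(?i)-(e|ec|enc|encodedcommand)\s|FromBase64String') { $flags += 'encoded command' }
    if ($img -match '(?i)PSEXESVC|\\\\[^\\]+\\ADMIN\$') { $flags += 'remote execution tooling pattern' }
    if ($img -match '(?i)\.sys\b' -and $img -notmatch '(?i)\\System32\\drivers\\') { $flags += 'driver outside System32\drivers' }
    # Unquoted path whose executable portion contains spaces (service path hijack opportunity).
    if ($img -notmatch '^"' -and $img -match '(?i)^([^"]*?\.exe)' -and $Matches[1] -match '\s') { $flags += 'unquoted image path with spaces' }
    if ($Install.Account -eq 'LocalSystem' -and $flags.Count -gt 0) { $flags += 'runs as LocalSystem' }
    return $flags
}

# Build the triage table, flagged entries first, newest first within each group.
$triage = Get-ServiceInstallEvents -Days 30 | ForEach-Object {
    $flags = Get-ServiceInstallFlags -Install $_
    $_ | Add-Member -NotePropertyName Flags -NotePropertyValue ($flags -join '; ') -PassThru
}
$triage | Sort-Object { $_.Flags -ne '' }, Time -Descending | Format-Table Time, ServiceName, ImagePath, Account, Flags -AutoSize -Wrap
```

Run it across several hosts by looping over -ComputerName, or export the $triage objects to CSV and compare the service names against the allow-list used in section 2.2 above.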

7. Browser Extensions and Plug-Ins

7.1. Detecting Malicious Browser Extensions

Purpose: Identify browser extensions that may be used for persistence.

Get-ChildItem -Path "C:\Users\*\AppData\Local\Google\Chrome\User Data\Default\Extensions" -Recurse | Select-Object FullName, LastWriteTime

7.2. Monitoring for New or Unusual Plug-Ins

Purpose: Detect the installation of new or unusual browser plug-ins.

Get-ChildItem -Path "C:\Program Files (x86)\Mozilla Firefox\browser\extensions" -Recurse | Select-Object FullName, LastWriteTime

8. DLL Hijacking and Injection

8.1. Detecting DLL Hijacking Attempts

Purpose: Monitor for attempts to hijack DLLs for persistence.

# 4688 properties: 5 NewProcessName, 8 CommandLine (index 9 is TargetUserSid). CommandLine is only populated when process command-line auditing is enabled.
$DllPath = 'DLL_Path'   # replace with the DLL path under investigation
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} | Where-Object {($_.Properties[8].Value -match "rundll32\.exe") -and ($_.Properties[8].Value -match [regex]::Escape($DllPath))} | Select-Object TimeCreated, @{n='Process';e={$_.Properties[5].Value}}, @{n='CommandLine';e={$_.Properties[8].Value}}

8.2. Monitoring for Suspicious DLL Injections

Purpose: Identify DLL injections used to maintain persistence.

# 4656 properties: 5 ObjectType, 6 ObjectName, 11 AccessMask, 15 ProcessName. 0x1F0FFF is PROCESS_ALL_ACCESS, the access injectors typically request; these events require Kernel Object auditing.
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4656} | Where-Object {($_.Properties[5].Value -eq 'Process') -and ($_.Properties[11].Value -match '0x1F0FFF')} | Select-Object TimeCreated, @{n='RequestingProcess';e={$_.Properties[15].Value}}, @{n='TargetProcess';e={$_.Properties[6].Value}}, @{n='AccessMask';e={$_.Properties[11].Value}}

9. Remote Access and Backdoors

9.1. Detecting Remote Access Tools (RATs)

Purpose: Identify the presence of remote access tools used for persistence.

Get-Process | Where-Object {$_.ProcessName -match "TeamViewer|AnyDesk|RAT_Tool"} | Select-Object ProcessName, Id, StartTime

9.2. Monitoring for Backdoor Installations

Purpose: Detect installations of backdoors for unauthorised remote access.

# 7035 (start control sent) is no longer logged on current Windows versions; 7036 records each service entering the running or stopped state (0 service name, 1 state).
$BackdoorServiceName = 'backdoor_service_name'   # replace with the service name under investigation
Get-WinEvent -FilterHashtable @{LogName='System'; ID=7036} | Where-Object {$_.Properties[0].Value -match $BackdoorServiceName} | Select-Object TimeCreated, @{n='ServiceName';e={$_.Properties[0].Value}}, @{n='State';e={$_.Properties[1].Value}}

10. Persistence via System and Network Configuration

10.1. Detecting Changes in Network Configuration

Purpose: Monitor changes in network configurations, such as proxy settings, which can be used for persistence.

Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name ProxyServer

10.2. Monitoring System Boot Configuration Changes

Purpose: Detect changes to system boot configurations that may indicate persistence.

bcdedit /enum all | Select-String "path"

Last updated 4 months ago