Persistence Discovery

Introduction

PowerShell is an essential tool for SecOps teams, offering a powerful and versatile platform for managing systems, automating tasks, and investigating security incidents. Its integration with Windows, extensive library of cmdlets, and scripting capabilities make it particularly effective for persistence discovery during digital forensics and incident response (DFIR) investigations. Persistence techniques are used by attackers to maintain long-term access to compromised systems, enabling them to return even after detection or remediation. PowerShell lets SecOps teams identify these techniques efficiently, facilitating swift containment and strengthening the organisation’s security posture.


Capabilities of PowerShell for Persistence Discovery in DFIR

1. Startup and Autorun Location Analysis:

PowerShell enables analysts to investigate startup items, registry keys, and scheduled tasks that attackers might abuse to establish persistence. This includes inspecting common persistence points such as the Run registry keys (for example HKLM\Software\Microsoft\Windows\CurrentVersion\Run) and the startup folders.

2. Scheduled Task Inspection:

Attackers often create or modify scheduled tasks to execute malicious payloads persistently. PowerShell can enumerate all scheduled tasks, analyse their configurations, and identify suspicious or unauthorised entries that deviate from normal operations.

3. Service Configuration and Abuse Detection:

Malicious actors may create or modify Windows services to run their code persistently. PowerShell allows for detailed inspection of service configurations, including service types, startup modes, and associated binaries, helping to uncover evidence of misuse.

4. Registry and WMI Persistence Monitoring:

Windows Management Instrumentation (WMI) and registry keys are common avenues for persistence. PowerShell provides the ability to query and analyse WMI event subscriptions and registry entries, helping to detect malicious alterations designed to maintain attacker footholds.

5. User Account and Credential Persistence:

PowerShell can monitor for the creation of rogue user accounts, unauthorised changes to user privileges, or misuse of credentials that attackers may leverage for persistent access. It can also help detect changes to Active Directory objects or policies related to persistence.

6. File and Binary Inspection:

Attackers may deploy or modify binaries, scripts, or libraries to ensure persistence. PowerShell allows for searching, analysing, and verifying the integrity of these files, including identifying anomalous or unsigned executables.

7. Event Log Analysis:

Persistence activities often leave traces in Windows event logs. PowerShell enables querying of security, application, and system logs for events indicative of persistence techniques, such as service creation, task scheduling, or registry modifications.


Efficiency Provided by PowerShell in Persistence Discovery

  1. Comprehensive Visibility: PowerShell provides detailed insights into critical system components like registry keys, services, tasks, and user accounts, ensuring thorough persistence detection.

  2. Scalability: With PowerShell Remoting, analysts can perform persistence discovery across multiple systems simultaneously, making it ideal for large-scale investigations.

  3. Real-Time Analysis: PowerShell supports real-time querying of persistence mechanisms, enabling teams to identify and respond to ongoing threats more quickly.

  4. Automation: PowerShell scripts can automate routine discovery tasks, such as scanning for scheduled tasks or analysing registry changes, ensuring efficiency and consistency.

  5. Custom Detection Rules: PowerShell can be tailored to focus on specific persistence techniques outlined in the MITRE ATT&CK framework, enabling precise detection aligned with known adversarial tactics.

  6. Integration with Security Tools: Seamless integration with security platforms like Microsoft Defender for Endpoint, Azure Sentinel, and SIEMs allows for enhanced detection and automated responses to persistence activities.


By leveraging PowerShell's capabilities, SecOps teams can efficiently uncover and analyse persistence techniques, minimising the attacker’s ability to maintain access and improving the enterprise network's overall resilience.


Persistence Discovery

1. Registry-Based Persistence

1.1. Registry Run Key Modifications

Purpose: Detect changes to registry keys that run programs at startup.

Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" | Select-Object * -ExcludeProperty PS*
Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" | Select-Object * -ExcludeProperty PS*

1.2. AppInit_DLLs Changes

Purpose: Identify modifications to the AppInit_DLLs registry value, often used for DLL injection.

Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" -Name AppInit_DLLs

2. Scheduled Tasks and Services

2.1. Listing Suspicious Scheduled Tasks

Purpose: Detect the creation of scheduled tasks that may indicate persistence.

Get-ScheduledTask | Where-Object {$_.State -eq 'Ready' -or $_.State -eq 'Running'} | Select-Object TaskPath, TaskName, @{n='Actions';e={($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '}}

2.2. Service Installation Events

Purpose: Identify the installation of unusual services, which may be used for persistence.

$KnownGood = @('<known-good-service-1>', '<known-good-service-2>')  # placeholder allow-list of expected service names
Get-WinEvent -FilterHashtable @{LogName='System'; ID=7045} | Where-Object {$_.Properties[0].Value -notin $KnownGood} | Select-Object TimeCreated, @{n='ServiceName';e={$_.Properties[0].Value}}, @{n='ImagePath';e={$_.Properties[1].Value}}
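The one-liner above only filters on the service name. The function below is an added example (not part of the original cheat sheet) that takes the same 7045 events, resolves each new service's image path, checks its Authenticode signature and flags binaries that are unsigned or sit outside the Windows and Program Files trees. The KnownGood allow-list and the Suspicious heuristic are assumptions to tune per environment.

```powershell
function Get-NewServiceTriage {
    param(
        [int]$Days = 30,
        # Assumed allow-list of expected service names; fill in per environment.
        [string[]]$KnownGood = @()
    )
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[0].Value -notin $KnownGood } |
        ForEach-Object {
            # 7045 properties: [0] ServiceName, [1] ImagePath, [2] ServiceType, [3] StartType, [4] AccountName
            $imagePath = [string]$_.Properties[1].Value
            $cmd = [Environment]::ExpandEnvironmentVariables($imagePath)
            # Isolate the executable from quoting and arguments before checking its signature.
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] }
                   elseif ($cmd -match '^(\S+\.exe)') { $Matches[1] }
                   else { $null }
            $sig = 'NotChecked'
            if ($exe -and (Test-Path -LiteralPath $exe)) {
                $sig = [string](Get-AuthenticodeSignature -FilePath $exe).Status
            }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                ServiceName = $_.Properties[0].Value
                ImagePath   = $imagePath
                StartType   = $_.Properties[3].Value
                RunAs       = $_.Properties[4].Value
                Signature   = $sig
                # Flag anything unsigned/unverifiable or living outside the Windows and Program Files trees.
                Suspicious  = ($sig -ne 'Valid') -or
                              ($cmd -notmatch '^"?[A-Za-z]:\\(Windows|Program Files)')
            }
        }
}

Get-NewServiceTriage -Days 30 | Where-Object Suspicious | Format-Table -AutoSize
```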

3. WMI Persistence

3.1. Detecting WMI Event Consumers

Purpose: Identify WMI event consumers, which can be used for persistence.

Get-WmiObject -Namespace "root\subscription" -Class __EventConsumer | Select-Object Name, CommandLineTemplate

3.2. Monitoring WMI Event Filters

Purpose: Detect suspicious WMI event filters.

Get-WmiObject -Namespace "root\subscription" -Class __EventFilter | Select-Object Name, Query
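The two queries above list filters and consumers separately. The function below is an added example (not part of the original cheat sheet) that joins them through the __FilterToConsumerBinding class, so each persistent subscription is shown as one row with its trigger query and payload. It uses the CIM cmdlets in place of Get-WmiObject; the Suspicious heuristic is an assumption to tune per environment.

```powershell
function Get-WmiSubscriptionTriage {
    $ns = 'root\subscription'
    $filters = @{}; $consumers = @{}
    Get-CimInstance -Namespace $ns -ClassName __EventFilter | ForEach-Object { $filters[$_.Name] = $_ }
    # Only these consumer classes carry an executable payload; log/SMTP consumers are rarely used for persistence.
    foreach ($cls in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer') {
        Get-CimInstance -Namespace $ns -ClassName $cls -ErrorAction SilentlyContinue |
            ForEach-Object { $consumers[$_.Name] = $_ }
    }
    Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding | ForEach-Object {
        # Filter/Consumer are object references; take the Name from the reference, or parse it if it is a string.
        $fName = if ($_.Filter.Name) { $_.Filter.Name } elseif ("$($_.Filter)" -match 'Name="([^"]+)"') { $Matches[1] } else { "$($_.Filter)" }
        $cName = if ($_.Consumer.Name) { $_.Consumer.Name } elseif ("$($_.Consumer)" -match 'Name="([^"]+)"') { $Matches[1] } else { "$($_.Consumer)" }
        $c = $consumers[$cName]
        $payload = if ($c.CommandLineTemplate) { $c.CommandLineTemplate }
                   elseif ($c.ScriptText) { $c.ScriptText }
                   else { '(no command payload)' }
        [pscustomobject]@{
            Filter     = $fName
            Query      = $filters[$fName].Query
            Consumer   = $cName
            Payload    = $payload
            # Heuristic: script hosts or encoded commands in the payload warrant a closer look.
            Suspicious = $payload -match 'powershell|cmd\.exe|mshta|wscript|cscript|-enc|-e '
        }
    }
}

Get-WmiSubscriptionTriage | Format-List
```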

4. Startup Folder Persistence

4.1. Listing Items in Startup Folders

Purpose: Detect suspicious scripts or executables placed in startup folders.

Get-ChildItem -Path "C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" | Select-Object FullName, CreationTime
Get-ChildItem -Path "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" | Select-Object FullName, CreationTime

5. GPO and Logon Scripts

5.1. Detecting GPO Logon Scripts

Purpose: Identify logon scripts configured via Group Policy Objects.

# Domain-joined host required: enumerate the logon scripts stored under each GPO in SYSVOL.
Get-ChildItem -Path "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies\*\User\Scripts\Logon" -Recurse -File -ErrorAction SilentlyContinue | Select-Object FullName, LastWriteTime

5.2. Enumerating Local Logon Scripts

Purpose: Detect logon scripts configured locally.

Get-ChildItem -Path "C:\Windows\System32\GroupPolicy\User\Scripts\Logon" | Select-Object FullName, CreationTime

6. Binary and Script-Based Persistence

6.1. Monitoring Changes in Common System Directories

Purpose: Detect unauthorized binaries or scripts in common system directories.

Get-ChildItem -Path "C:\Windows\System32\*" -Include *.exe, *.dll | Where-Object {$_.LastWriteTime -gt (Get-Date).AddDays(-1)}

6.2. Detecting PowerShell Profile Changes

Purpose: Identify modifications to PowerShell profiles, which can be used for persistence.

# $PROFILE alone is only the current-user, current-host profile; check all four locations.
foreach ($p in $PROFILE.AllUsersAllHosts, $PROFILE.AllUsersCurrentHost, $PROFILE.CurrentUserAllHosts, $PROFILE.CurrentUserCurrentHost) { if (Test-Path $p) { "== $p"; Get-Content -Path $p } }

7. Malicious Use of Scripting Languages

7.1. Monitoring for Suspicious PowerShell Scripts

Purpose: Detect suspicious PowerShell scripts, especially those that could establish persistence.

Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104} | Where-Object {$_.Properties[2].Value -match 'Invoke-Mimikatz|New-Object'} | Select-Object TimeCreated, @{n='ScriptBlockText';e={$_.Properties[2].Value}}

7.2. Detecting JScript and VBScript Persistence

Purpose: Identify suspicious JScript or VBScript files that may be used for persistence.

Get-ChildItem -Path "C:\Windows\Temp\*" -Include *.js, *.vbs | Where-Object {$_.LastWriteTime -gt (Get-Date).AddDays(-1)}

8. Registry Persistence

8.1. Checking for Winlogon Shell Modifications

Purpose: Detect modifications to the Winlogon Shell registry key, which can be used to start malware.

Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name Shell

8.2. Investigating Userinit Key Modifications

Purpose: Identify unauthorized changes to the Userinit registry key.

Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name Userinit

9. Boot and Auto-Start Configuration

9.1. Checking for Boot Configuration Data (BCD) Changes

Purpose: Detect unauthorized changes to the Boot Configuration Data.

bcdedit /enum all

9.2. Detecting Changes to Auto-Start Services

Purpose: Identify unauthorized changes to services set to auto-start.

Get-Service | Where-Object {$_.StartType -eq 'Automatic'} | Select-Object Name, DisplayName, Status

10. Persistence via Network and Remote Services

10.1. Monitoring Remote Desktop Protocol (RDP) Changes

Purpose: Detect changes to RDP settings that could indicate persistence mechanisms.

Get-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" -Name fDenyTSConnections

10.2. Detecting Changes to Remote Management Settings

Purpose: Identify changes to Windows Remote Management (WinRM) settings.

Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Client" -Name AllowBasic

Additional Discovery Techniques

1. Registry and Autoruns Monitoring

1.1. Detecting Autorun Entries in the Registry

Purpose: Identify suspicious autorun entries that may indicate persistence mechanisms.

Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" | ForEach-Object { $_.PSObject.Properties | Where-Object {$_.Name -notlike 'PS*'} } | Select-Object @{n='ValueName';e={$_.Name}}, @{n='Command';e={$_.Value}}, @{n='FileName';e={$_.Value -replace '.*\\'}}
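Building on the Run-key queries in 1.1 of the main list and in this section, the function below is an added example (not part of the original cheat sheet) that enumerates Run and RunOnce in both hives, resolves each value to its executable and reports the Authenticode status, so unsigned autoruns and those launched from user-writable locations stand out. The key list and the Suspicious heuristic are assumptions to tune per environment.

```powershell
function Get-RunKeyTriage {
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        # Skip the PS* provider metadata; every other property is an autorun value.
        foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
            # Expand %SystemRoot%-style variables, then isolate the executable from its arguments.
            $cmd = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] }
                   elseif ($cmd -match '^(\S+\.exe)') { $Matches[1] }
                   else { $cmd.Trim() }
            $status = if ($exe -and (Test-Path -LiteralPath $exe)) {
                [string](Get-AuthenticodeSignature -FilePath $exe).Status
            } else { 'FileMissing' }
            [pscustomobject]@{
                Hive       = $key.Split(':')[0]
                Key        = $key.Split('\')[-1]
                ValueName  = $p.Name
                Command    = $p.Value
                Signature  = $status
                # Unsigned/missing binaries or anything launched from user-writable paths.
                Suspicious = ($status -ne 'Valid') -or
                             ($exe -match '\\(Temp|AppData|ProgramData|Public)\\')
            }
        }
    }
}

Get-RunKeyTriage | Where-Object Suspicious | Format-Table -AutoSize
```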

1.2. Monitoring for Changes in Startup Folders

Purpose: Detect changes in startup folders that may indicate unauthorized persistence.

Get-ChildItem -Path "C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" | Select-Object FullName, LastWriteTime

2. Service and Scheduled Task Persistence

2.1. Detecting Creation of New Services

Purpose: Identify the creation of new services, which can be used for persistence.

Get-WinEvent -FilterHashtable @{LogName='System'; ID=7045} | Select-Object TimeCreated, @{n='ServiceName';e={$_.Properties[0].Value}}, @{n='ServiceFile';e={$_.Properties[1].Value}}

2.2. Monitoring for New or Modified Scheduled Tasks

Purpose: Detect the creation or modification of scheduled tasks for persistence.

Get-ScheduledTask | Select-Object TaskPath, TaskName, Author, Date, @{n='RunAs';e={$_.Principal.UserId}}, @{n='LogonType';e={$_.Principal.LogonType}}
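The task listings in 2.1 of the main list and in this section print the Actions collection as an opaque object. The function below is an added example (not part of the original cheat sheet) that flattens every non-disabled task into one row per action, with the account it runs as, and flags commands that point into user-writable paths or invoke a script host or LOLBin. The Suspicious patterns are assumptions to tune per environment.

```powershell
function Get-ScheduledTaskTriage {
    Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            # Only Exec actions carry a command; COM handler actions expose a ClassId instead.
            $exe    = if ($a.PSObject.Properties['Execute']) { [string]$a.Execute } else { "COM:$($a.ClassId)" }
            $argStr = if ($a.PSObject.Properties['Arguments']) { [string]$a.Arguments } else { '' }
            $cmd    = [Environment]::ExpandEnvironmentVariables("$exe $argStr").Trim()
            [pscustomobject]@{
                TaskPath   = $task.TaskPath
                TaskName   = $task.TaskName
                RunAs      = $task.Principal.UserId
                Author     = $task.Author
                Command    = $cmd
                # User-writable launch paths or script hosts/LOLBins in the command line.
                Suspicious = ($cmd -match '\\(Temp|AppData|ProgramData|Public|Users)\\') -or
                             ($cmd -match 'powershell|wscript|cscript|mshta|regsvr32|rundll32')
            }
        }
    }
}

Get-ScheduledTaskTriage | Where-Object Suspicious | Format-Table -AutoSize
```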

3. WMI and COM Object Persistence

3.1. Detecting WMI Event Subscription Persistence

Purpose: Identify persistent WMI event subscriptions used for persistence.

Get-WmiObject -Namespace "root\subscription" -Class __EventFilter | Select-Object Name, Query

3.2. Monitoring for Suspicious COM Object Creation

Purpose: Detect the creation of suspicious COM objects that may indicate persistence.

# Get-ItemProperty has no -Recurse; walk the CLSID keys and read each InprocServer32 default value (the DLL that will be loaded).
Get-ChildItem -Path "HKLM:\Software\Classes\CLSID" | Where-Object {$_.PSChildName -match '^\{.*\}$'} | ForEach-Object { Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue } | Select-Object @{n='CLSID';e={$_.PSParentPath -replace '.*\\'}}, '(default)'

4. Startup Scripts and Logon Hooks

4.1. Detecting Changes in Group Policy Logon Scripts

Purpose: Identify changes to logon scripts set by Group Policy for persistence.

# The Logon key itself holds no values; the script entries live in its numbered subkeys.
Get-ChildItem -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Logon" -Recurse -ErrorAction SilentlyContinue | Get-ItemProperty | Format-List

4.2. Monitoring for Logon Hook Injections

Purpose: Detect the injection of logon hooks for persistence.

# 4672 properties: [0] SubjectUserSid, [1] SubjectUserName, [2] SubjectDomainName, [3] SubjectLogonId, [4] PrivilegeList
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4672} | Where-Object {$_.Properties[4].Value -match "SeTcbPrivilege"} | Select-Object TimeCreated, @{n='AccountName';e={$_.Properties[1].Value}}

5. Malicious Use of Scheduled Jobs and Cron Jobs

5.1. Detecting Creation of New Scheduled Jobs

Purpose: Identify new scheduled jobs that may indicate persistence mechanisms.

Get-WmiObject -Class Win32_ScheduledJob | Select-Object JobID, Name, Status, Command

5.2. Monitoring for Changes in Existing Scheduled Jobs

Purpose: Detect modifications to existing scheduled jobs for persistence.

# 4698 is task creation; 4702 ("A scheduled task was updated") records modifications. Properties: [1] SubjectUserName, [4] TaskName, [5] TaskContentNew
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4702} | Select-Object TimeCreated, @{n='TaskName';e={$_.Properties[4].Value}}, @{n='ChangedBy';e={$_.Properties[1].Value}}

6. Persistence via System Services

6.1. Detecting Changes to System Services

Purpose: Monitor changes to system services that may indicate persistence.

# 7040 is always a start-type change; its parameters are [0] service, [1] old start type, [2] new start type.
Get-WinEvent -FilterHashtable @{LogName='System'; ID=7040} | Select-Object TimeCreated, @{n='Service';e={$_.Properties[0].Value}}, @{n='OldStartType';e={$_.Properties[1].Value}}, @{n='NewStartType';e={$_.Properties[2].Value}}

6.2. Monitoring for New or Suspicious Service Installations

Purpose: Detect the installation of new services that may be used for persistence.

# 7030 reports an interactive-service configuration problem, not an installation; 7045 is the service-installed event.
Get-WinEvent -FilterHashtable @{LogName='System'; ID=7045} | Select-Object TimeCreated, @{n='ServiceName';e={$_.Properties[0].Value}}, @{n='ServiceFile';e={$_.Properties[1].Value}}, @{n='StartType';e={$_.Properties[3].Value}}, @{n='RunAs';e={$_.Properties[4].Value}}

7. Browser Extensions and Plug-Ins

7.1. Detecting Malicious Browser Extensions

Purpose: Identify browser extensions that may be used for persistence.

Get-ChildItem -Path "C:\Users\*\AppData\Local\Google\Chrome\User Data\Default\Extensions" -Recurse | Select-Object FullName, LastWriteTime

7.2. Monitoring for New or Unusual Plug-Ins

Purpose: Detect the installation of new or unusual browser plug-ins.

Get-ChildItem -Path "C:\Program Files (x86)\Mozilla Firefox\browser\extensions" -Recurse | Select-Object FullName, LastWriteTime

8. DLL Hijacking and Injection

8.1. Detecting DLL Hijacking Attempts

Purpose: Monitor for attempts to hijack DLLs for persistence.

$SuspectDll = '<dll-path-or-name>'  # placeholder: the DLL you are hunting for
# Requires "Include command line in process creation events" to be enabled; CommandLine is property [8] of 4688.
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} | Where-Object {($_.Properties[8].Value -match 'rundll32\.exe') -and ($_.Properties[8].Value -match [regex]::Escape($SuspectDll))} | Select-Object TimeCreated, @{n='CommandLine';e={$_.Properties[8].Value}}

8.2. Monitoring for Suspicious DLL Injections

Purpose: Identify DLL injections used to maintain persistence.

# Requires Audit Kernel Object auditing; 0x1F0FFF is PROCESS_ALL_ACCESS. Properties: [1] SubjectUserName, [6] ObjectName
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4656} | Where-Object {($_.Message -match 'Object Type:\s+Process') -and ($_.Message -match 'Access Mask:\s+0x1F0FFF')} | Select-Object TimeCreated, @{n='Subject';e={$_.Properties[1].Value}}, @{n='TargetProcess';e={$_.Properties[6].Value}}

9. Remote Access and Backdoors

9.1. Detecting Remote Access Tools (RATs)

Purpose: Identify the presence of remote access tools used for persistence.

Get-Process | Where-Object {$_.ProcessName -match "TeamViewer|AnyDesk|RAT_Tool"} | Select-Object ProcessName, Id, StartTime

9.2. Monitoring for Backdoor Installations

Purpose: Detect installations of backdoors for unauthorized remote access.

Get-WinEvent -FilterHashtable @{LogName='System'; ID=7035} | Where-Object {$_.Properties[0].Value -match "backdoor_service_name"} | Select-Object TimeCreated, @{n='ServiceName';e={$_.Properties[0].Value}}

10. Persistence via System and Network Configuration

10.1. Detecting Changes in Network Configuration

Purpose: Monitor changes in network configurations, such as proxy settings, which can be used for persistence.

Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" -Name ProxyServer, ProxyEnable, AutoConfigURL -ErrorAction SilentlyContinue

10.2. Monitoring System Boot Configuration Changes

Purpose: Detect changes to system boot configurations that may indicate persistence.

bcdedit /enum all | Select-String "path"
