Threat Hunter’s Checklist for Persistence
🔍 Autostart & Registry Locations
Check all common Windows persistence paths:
Registry
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
- HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKLM\Software\Microsoft\Active Setup\Installed Components\
Startup folders
- %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
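A baseline-versus-current comparison is the quickest way to work through the Run-key list above, and it is the same idea as the "Autoruns baseline" recommended in the summary at the end of this page. The script below is an added example, not part of the original checklist: it parses two snapshots in the text layout printed by `reg query` (the sample snapshots, user name, and value names are constructed) and reports every entry that is new or changed since the baseline, tagging those that invoke a script host or live in a user-writable directory.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample output in the layout printed by
#   reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
# captured twice: once as a known-good baseline, once during the hunt.
BASELINE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
"""

CURRENT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Updater    REG_SZ    C:\ProgramData\update\svc.exe
    Helper    REG_SZ    mshta.exe C:\Users\alice\AppData\Roaming\h.hta
"""

# Script hosts named in the checklist and user-writable locations it calls out.
SCRIPT_HOSTS = ("powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe")
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")


def parse_reg_query(text: str) -> Dict[str, Dict[str, str]]:
    """Parse `reg query` output into {key_path: {value_name: data}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):          # unindented line = key path
            current = line.strip()
            keys.setdefault(current, {})
            continue
        # Value lines are indented: "    Name    REG_SZ    data" (runs of spaces)
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if len(parts) == 3 and current is not None:
            name, _reg_type, data = parts
            keys[current][name] = data
    return keys


def flag_reasons(data: str) -> List[str]:
    """Attach the checklist's red flags to a single autostart command line."""
    low = data.lower()
    reasons = []
    if any(host in low for host in SCRIPT_HOSTS):
        reasons.append("script host / interpreter in command")
    if any(path in low for path in USER_WRITABLE):
        reasons.append("binary in user-writable location")
    return reasons


def diff_asep(baseline_text: str, current_text: str) -> List[Tuple[str, str, str, List[str]]]:
    """Return (key, value_name, data, reasons) for entries new or changed since baseline."""
    base = parse_reg_query(baseline_text)
    cur = parse_reg_query(current_text)
    findings = []
    for key, values in cur.items():
        for name, data in values.items():
            if base.get(key, {}).get(name) == data:
                continue                       # unchanged since the baseline snapshot
            findings.append((key, name, data, flag_reasons(data)))
    return findings


if __name__ == "__main__":
    for key, name, data, reasons in diff_asep(BASELINE, CURRENT):
        print(f"{key}\\{name} -> {data}")
        for r in reasons:
            print(f"    ! {r}")
```

Run the same diff against each key in the list above; an entry that is new since the baseline and carries no red flag still deserves a look, since a legitimate installer and an attacker both leave the same kind of footprint here.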
🗂 Scheduled Tasks
Hunt for suspicious tasks:
- Look for tasks running every minute, every hour, or on logon
- Check tasks running via powershell.exe, cmd.exe, wscript.exe, mshta.exe
Command:
schtasks /query /fo LIST /v
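The verbose LIST output of the command above is one record per task, separated by blank lines, with a `Field:` label followed by padding and the value. The following script is an added example (not from the original checklist) that parses that layout and applies the two hunting rules above: a task run through a script host, and a task that repeats every hour or faster or fires at logon. The sample records, host name, and task names are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed records in the layout of `schtasks /query /fo LIST /v`
# (only the fields this example inspects are included).
SAMPLE = r"""
HostName:                             WS01
TaskName:                             \Microsoft\Windows\Defrag\ScheduledDefrag
Task To Run:                          %windir%\system32\defrag.exe -c -h -o -$
Schedule Type:                        Weekly
Repeat: Every:                        N/A

HostName:                             WS01
TaskName:                             \SysUpdate
Task To Run:                          powershell.exe -nop -w hidden -File C:\ProgramData\u.ps1
Schedule Type:                        One Time Only, Minute
Repeat: Every:                        0 Hour(s), 1 Minute(s)

HostName:                             WS01
TaskName:                             \OfficeTelemetry
Task To Run:                          wscript.exe C:\Users\alice\AppData\Roaming\t.vbs
Schedule Type:                        At logon time
Repeat: Every:                        N/A
"""

SCRIPT_HOSTS = ("powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe")


def parse_schtasks_list(text: str) -> List[Dict[str, str]]:
    """Split LIST /v output into one dict per task record."""
    tasks: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                tasks.append(current)
                current = {}
            continue
        # The label ends at the first colon that is followed by 2+ spaces,
        # so multi-word labels such as "Repeat: Every:" are kept intact.
        m = re.match(r"^(.*?):\s{2,}(.*)$", line)
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
    if current:
        tasks.append(current)
    return tasks


def repeat_minutes(repeat: str) -> Optional[int]:
    """Convert 'H Hour(s), M Minute(s)' to minutes; None when not repeating."""
    m = re.match(r"(\d+) Hour\(s\), (\d+) Minute\(s\)", repeat)
    if not m:
        return None
    return int(m.group(1)) * 60 + int(m.group(2))


def hunt_tasks(text: str) -> List[Tuple[str, List[str]]]:
    """Return (task name, reasons) for tasks matching the checklist's rules."""
    findings = []
    for task in parse_schtasks_list(text):
        reasons = []
        command = task.get("Task To Run", "").lower()
        if any(host in command for host in SCRIPT_HOSTS):
            reasons.append("runs via script host / interpreter")
        if "logon" in task.get("Schedule Type", "").lower():
            reasons.append("triggers at logon")
        mins = repeat_minutes(task.get("Repeat: Every", ""))
        if mins is not None and 0 < mins <= 60:
            reasons.append(f"repeats every {mins} minute(s)")
        if reasons:
            findings.append((task.get("TaskName", "?"), reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in hunt_tasks(SAMPLE):
        print(name, "->", "; ".join(reasons))
```

On a real host, redirect the command's output to a file and pass the file contents to `hunt_tasks`; the "Task To Run" value is what to compare against the vendor path you expect for any task that claims to be a Microsoft or Office component.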
🛠 Windows Services
Check for:
- Recently created services
- Services pointing to unusual paths
- Services not signed or not matching vendor names
Command: sc query (PowerShell: Get-Service)
⚙️ WMI Persistence
Indicators:
- Event filters referencing PowerShell
- Consumers executing external binaries
- Temporary file execution
Namespace to inspect: root\subscription
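WMI persistence needs three objects in `root\subscription`: an event filter, an event consumer, and a binding that joins them. Sysmon records each of these as events 19, 20 and 21, which gives you a log-based way to apply the indicators above without querying the repository on every host. The script below is an added example (not from the original checklist) over constructed records shaped like those Sysmon events; the filter and consumer names, query text and command line are all made up for the demonstration.

```python
import re
from typing import Dict, List, Tuple

SCRIPT_HOSTS = ("powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe")
TEMP_PATHS = ("\\temp\\", "\\appdata\\", "\\programdata\\", "\\users\\public\\")

# Constructed records shaped like Sysmon WMI events:
# ID 19 = filter created, ID 20 = consumer created, ID 21 = binding created.
EVENTS: List[Dict[str, object]] = [
    {"EventID": 19, "Operation": "Created", "Name": "BootCheck",
     "EventNamespace": "root\\cimv2",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE "
              "TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' "
              "AND TargetInstance.SystemUpTime >= 240"},
    {"EventID": 20, "Operation": "Created", "Name": "BootCheckConsumer",
     "Type": "Command Line",
     "Destination": "powershell.exe -w hidden -File C:\\Windows\\Temp\\up.ps1"},
    {"EventID": 21, "Operation": "Created",
     "Consumer": 'CommandLineEventConsumer.Name="BootCheckConsumer"',
     "Filter": '__EventFilter.Name="BootCheck"'},
    # Default binding that ships with Windows, included for contrast.
    {"EventID": 21, "Operation": "Created",
     "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"',
     "Filter": '__EventFilter.Name="SCM Event Log Filter"'},
]


def _name(ref: str) -> str:
    """Pull X out of a binding reference such as 'CommandLineEventConsumer.Name="X"'."""
    m = re.search(r'Name="([^"]+)"', ref)
    return m.group(1) if m else ref


def hunt_wmi(events: List[Dict[str, object]]) -> List[Tuple[str, str, List[str]]]:
    """Join bindings to their filter and consumer and return (filter, consumer, reasons)."""
    filters = {str(e["Name"]): e for e in events if e["EventID"] == 19}
    consumers = {str(e["Name"]): e for e in events if e["EventID"] == 20}
    findings = []
    for binding in (e for e in events if e["EventID"] == 21):
        fname, cname = _name(str(binding["Filter"])), _name(str(binding["Consumer"]))
        flt = filters.get(fname, {})
        con = consumers.get(cname, {})
        reasons = []
        if "powershell" in str(flt.get("Query", "")).lower():
            reasons.append("filter query references PowerShell")
        dest = str(con.get("Destination", "")).lower()
        if any(host in dest for host in SCRIPT_HOSTS):
            reasons.append("consumer launches a script host")
        if any(path in dest for path in TEMP_PATHS):
            reasons.append("consumer executes from a temp / user-writable path")
        if con.get("Type") == "Command Line" and dest and not reasons:
            reasons.append("command-line consumer: review the destination manually")
        if reasons:
            findings.append((fname, cname, reasons))
    return findings


if __name__ == "__main__":
    for fname, cname, reasons in hunt_wmi(EVENTS):
        print(f"{fname} -> {cname}: {'; '.join(reasons)}")
```

Keying on the binding (event 21) rather than on filters or consumers alone avoids alerting on orphaned objects that can never fire, while still surfacing any command-line consumer for manual review.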
🗄 File System Artifacts
Locations often abused:
- C:\ProgramData\
- C:\Users\<user>\AppData\Roaming\
- C:\Users\<user>\AppData\Local\
- Hidden scheduled task folders
- Fake “driver” or “update” folders
🐧 Linux Persistence
- Cron jobs (/etc/cron.*, crontab -l)
- Systemd services (/etc/systemd/system/*.service)
- ~/.bashrc or ~/.profile modifications
- SSH key injection in ~/.ssh/authorized_keys
📡 Network Signals
- Beaconing patterns
- Unusual outbound DNS queries
- Periodic HTTP POSTs with no user interaction
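Beaconing shows up as a destination contacted at near-constant intervals, and the "periodic POST" signal is the same pattern with the method taken into account. The script below is an added example, not part of the original checklist: it groups constructed proxy-style log lines (timestamp, source, destination, method, path; all addresses are from the reserved TEST-NET ranges) by source/destination pair, computes the coefficient of variation of the inter-request gaps, and flags pairs whose timing is too regular to be a person browsing. The thresholds are assumptions to tune against your own traffic.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed log lines: ISO timestamp, source, destination, method, path.
# 203.0.113.7 is contacted every ~60 s with POSTs; 198.51.100.20 is irregular browsing.
LOG = """\
2024-05-01T10:00:00Z 10.0.0.5 203.0.113.7 POST /api/v1/ping
2024-05-01T10:00:05Z 10.0.0.5 198.51.100.20 GET /index.html
2024-05-01T10:00:07Z 10.0.0.5 198.51.100.20 GET /style.css
2024-05-01T10:01:01Z 10.0.0.5 203.0.113.7 POST /api/v1/ping
2024-05-01T10:01:59Z 10.0.0.5 203.0.113.7 POST /api/v1/ping
2024-05-01T10:03:00Z 10.0.0.5 203.0.113.7 POST /api/v1/ping
2024-05-01T10:03:40Z 10.0.0.5 198.51.100.20 GET /news
2024-05-01T10:03:59Z 10.0.0.5 203.0.113.7 POST /api/v1/ping
2024-05-01T10:04:02Z 10.0.0.5 198.51.100.20 GET /news/42
2024-05-01T10:04:59Z 10.0.0.5 203.0.113.7 POST /api/v1/ping
2024-05-01T10:06:01Z 10.0.0.5 203.0.113.7 POST /api/v1/ping
2024-05-01T10:07:01Z 10.0.0.5 203.0.113.7 POST /api/v1/ping
2024-05-01T10:15:30Z 10.0.0.5 198.51.100.20 GET /search?q=weather
2024-05-01T10:15:31Z 10.0.0.5 198.51.100.20 GET /favicon.ico
"""


def parse_log(text: str) -> Dict[Tuple[str, str], List[Tuple[datetime, str]]]:
    """Group (timestamp, method) by (src, dst)."""
    groups: Dict[Tuple[str, str], List[Tuple[datetime, str]]] = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst, method, _path = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        groups[(src, dst)].append((when, method))
    return groups


def find_beacons(text: str, min_events: int = 6, max_cv: float = 0.2) -> Dict[str, Dict[str, float]]:
    """Return per-destination stats for pairs whose request timing is regular.

    min_events and max_cv are assumed thresholds: a pair needs at least
    min_events requests, and the gap coefficient of variation (stdev / mean)
    must be at or below max_cv, before it is reported.
    """
    findings: Dict[str, Dict[str, float]] = {}
    for (_src, dst), events in parse_log(text).items():
        if len(events) < min_events:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            posts = sum(1 for _, m in events if m == "POST")
            findings[dst] = {
                "count": len(events),
                "mean_gap_s": round(mean, 1),
                "cv": round(cv, 3),
                "post_ratio": round(posts / len(events), 2),
            }
    return findings


if __name__ == "__main__":
    for dst, stats in find_beacons(LOG).items():
        print(dst, stats)
```

A high `post_ratio` with no matching user activity is the "periodic HTTP POSTs with no user interaction" signal from the list above; implants that add jitter raise the coefficient of variation, so pair this check with a longer observation window rather than simply loosening `max_cv`.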
Persistence Techniques Mapped to MITRE ATT&CK
| Persistence Technique | Description | MITRE ATT&CK ID |
|---|---|---|
| Registry Run Keys | Auto-start on login | T1547.001 |
| Startup Folder | Shortcut-based persistence | T1547.009 |
| Scheduled Tasks | Recurrent task execution | T1053.005 |
| Windows Services | Rogue or modified services | T1543.003 |
| DLL Search Order Hijacking | Abuse DLL resolution | T1574.001 |
| WMI Event Subscriptions | Triggered persistence in WMI | T1546.003 |
| LNK File Manipulation | Using .lnk files as loaders | T1547.009 |
| Browser Extensions | Persistent malicious extensions | T1176 |
| SSH Authorized Keys | Passwordless backdoor | T1098.004 |
| Cron Jobs | Scheduled Linux execution | T1053.003 |
| Systemd Services | Persistent systemd unit | T1543.002 |
| Bootkits / UEFI | Pre-OS persistence | T1542.001 |
| Firmware Implants | Persistence in hardware/firmware | T1542 |
| Kernel Modules / Rootkits | Persistence at OS kernel layer | T1547.006 |
================ PERSISTENCE CHEAT SHEET ================
Windows ASEPs to Inspect:
HKCU/HKLM Run, RunOnce
Startup folders
Services (sc query, Get-Service)
Scheduled tasks (schtasks /query)
WMI subscriptions (root\subscription)
Linux Persistence Checks:
crontab -l, /etc/cron.*
systemctl list-units --type=service
~/.bashrc, ~/.profile
~/.ssh/authorized_keys
High-Signal Red Flags:
Unsigned binaries in ProgramData/AppData
Services pointing to non-system paths
Tasks running powershell/wscript/mshta
Newly added SSH keys
Hidden cron scripts in /opt, /tmp, /var/tmp
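The Linux checks listed in the "Linux Persistence" section and the red flags directly above (hidden cron scripts in /opt, /tmp or /var/tmp, newly added SSH keys) can be folded into one audit pass. The script below is an added example, not part of the original cheat sheet: it builds a small constructed filesystem in a temporary directory (file names, unit names and key data are all placeholders) and then scans it for cron entries and systemd `ExecStart=` lines that execute from suspect directories, and for `authorized_keys` entries absent from a known-good baseline. Point `audit` at `/` and a real home directory to run it on a live host.

```python
import tempfile
from pathlib import Path
from typing import Dict, List, Set, Tuple

# Directories the cheat sheet calls out for hidden cron scripts, plus /dev/shm.
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/opt/", "/dev/shm/")


def _mentions_suspect_dir(text: str) -> bool:
    return any(d in text for d in SUSPECT_DIRS)


def scan_cron(etc: Path) -> List[str]:
    """Flag entries in /etc/crontab and /etc/cron.* that execute from suspect dirs."""
    files = [p for p in etc.glob("cron*/*") if p.is_file()]
    if (etc / "crontab").is_file():
        files.append(etc / "crontab")
    hits = []
    for f in sorted(files):
        for line in f.read_text().splitlines():
            stripped = line.strip()
            if stripped and not stripped.startswith("#") and _mentions_suspect_dir(stripped):
                hits.append(f"{f}: {stripped}")
    return hits


def scan_systemd(unit_dir: Path) -> List[str]:
    """Flag *.service units whose ExecStart= points into a suspect directory."""
    hits = []
    for unit in sorted(unit_dir.glob("*.service")):
        for line in unit.read_text().splitlines():
            if line.startswith("ExecStart=") and _mentions_suspect_dir(line):
                hits.append(f"{unit}: {line.strip()}")
    return hits


def scan_authorized_keys(path: Path, baseline: Set[Tuple[str, str]]) -> List[str]:
    """Report keys whose (type, key-data) pair is not in the baseline.

    Simplification: assumes no leading option fields (from=, command=) on key lines.
    """
    hits = []
    if not path.is_file():
        return hits
    for line in path.read_text().splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        if (fields[0], fields[1]) not in baseline:
            comment = " ".join(fields[2:]) or "(no comment)"
            hits.append(f"{path}: key not in baseline: {comment}")
    return hits


def audit(root: Path, home: Path, baseline: Set[Tuple[str, str]]) -> Dict[str, List[str]]:
    return {
        "cron": scan_cron(root / "etc"),
        "systemd": scan_systemd(root / "etc" / "systemd" / "system"),
        "ssh": scan_authorized_keys(home / ".ssh" / "authorized_keys", baseline),
    }


def build_sample(root: Path, home: Path) -> Set[Tuple[str, str]]:
    """Create a constructed filesystem and return the SSH key baseline for it."""
    cron_d = root / "etc" / "cron.d"
    cron_d.mkdir(parents=True)
    (cron_d / "logrotate").write_text("0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n")
    (cron_d / "system-update").write_text("* * * * * root /var/tmp/.x/run.sh >/dev/null 2>&1\n")
    units = root / "etc" / "systemd" / "system"
    units.mkdir(parents=True)
    (units / "ssh.service").write_text("[Service]\nExecStart=/usr/sbin/sshd -D\n")
    (units / "sysupd.service").write_text("[Service]\nExecStart=/tmp/.cache/upd\nRestart=always\n")
    (home / ".ssh").mkdir(parents=True)
    known = ("ssh-ed25519", "AAAAC3NzaC1lZDI1NTE5AAAAIBASELINEKEYPLACEHOLDER")   # placeholder key data
    added = ("ssh-ed25519", "AAAAC3NzaC1lZDI1NTE5AAAAIADDEDKEYPLACEHOLDER000")   # placeholder key data
    (home / ".ssh" / "authorized_keys").write_text(
        f"{known[0]} {known[1]} alice@laptop\n{added[0]} {added[1]} backup\n")
    return {known}


def run_demo() -> Dict[str, List[str]]:
    """Build the sample tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root, home = Path(tmp) / "root", Path(tmp) / "home"
        return audit(root, home, build_sample(root, home))


if __name__ == "__main__":
    for category, hits in run_demo().items():
        print(category, hits)
```

Snapshot the `(type, key-data)` pairs from `authorized_keys` when a host is built and store them off-host; the diff above is only as trustworthy as a baseline the attacker could not edit.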
Advanced Threat Indicators:
Modified UEFI modules
Unexpected kernel modules
Bootloader tampering
Tools to Use:
Sysinternals Autoruns
Volatility / Rekall
Sysmon
EDR telemetry
==================== PERSISTENCE SUMMARY ====================
Key Windows Vectors:
– Registry Run Keys (T1547.001)
– Scheduled Tasks (T1053.005)
– Services (T1543.003)
– WMI (T1546.003)
– DLL Hijacking (T1574.001)
Key Linux Vectors:
– Cron (T1053.003)
– Systemd services (T1543.002)
– SSH keys (T1098.004)
Advanced:
– Kernel rootkits
– Bootkits
– UEFI implants (T1542.001)
Detection:
– Autoruns baseline
– EDR telemetry
– Memory forensics
– Service/task inspection
– WMI repository checks
Recommended Tools:
– Sysinternals Autoruns
– Sysmon
– Volatility
– OSQuery
