Asi hunting-for-persistence-mechanisms-in-windows
Systematically hunt for adversary persistence mechanisms across Windows endpoints including registry, services, startup folders, and WMI subscriptions.
install
source · Clone the upstream repo
git clone https://github.com/plurigrid/asi
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/plurigrid/asi "$T" && mkdir -p ~/.claude/skills && cp -r "$T/plugins/asi/skills/hunting-for-persistence-mechanisms-in-windows" ~/.claude/skills/plurigrid-asi-hunting-for-persistence-mechanisms-in-windows && rm -rf "$T"
manifest:
plugins/asi/skills/hunting-for-persistence-mechanisms-in-windows/SKILL.mdsource content
Hunting for Persistence Mechanisms in Windows
When to Use
- During periodic proactive threat hunts for dormant backdoors
- After an incident to identify all persistence mechanisms an attacker planted
- When investigating unusual services, scheduled tasks, or startup entries
- When threat intel reports describe new persistence techniques in the wild
- During security posture assessments to identify unauthorized persistent software
Prerequisites
- Sysmon deployed with Event IDs 12/13/14 (Registry), 19/20/21 (WMI), 1 (Process Creation)
- Windows Security Event forwarding for 4697 (Service Install), 4698 (Scheduled Task)
- EDR with registry and file monitoring capabilities
- PowerShell script block logging enabled (Event ID 4104)
- Autoruns or equivalent baseline of legitimate persistent entries
Workflow
- Enumerate Known Persistence Locations: Build a comprehensive list of Windows persistence points (Run keys, services, scheduled tasks, WMI, startup folder, DLL search order, COM hijacks, AppInit DLLs, Image File Execution Options).
- Collect Endpoint Data: Use EDR, Sysmon, or Velociraptor to collect current persistence artifacts from endpoints across the environment.
- Baseline Legitimate Persistence: Compare collected data against known-good baselines (Autoruns snapshots, GPO-deployed entries, SCCM configurations).
- Identify Anomalies: Flag new, unsigned, or unknown entries in persistence locations that deviate from the baseline.
- Investigate Suspicious Entries: For each anomaly, examine the binary it points to, its digital signature, file hash, and creation timestamp.
- Correlate with Process Activity: Link persistence entries to process execution, network activity, and user login events.
- Document and Remediate: Record findings, remove malicious persistence, and update detection rules.
Key Concepts
| Concept | Description |
|---|---|
| T1547.001 | Registry Run Keys / Startup Folder |
| T1543.003 | Windows Service (Create or Modify) |
| T1053.005 | Scheduled Task |
| T1546.003 | WMI Event Subscription |
| T1546.015 | Component Object Model (COM) Hijacking |
| T1546.012 | Image File Execution Options Injection |
| T1546.010 | AppInit DLLs |
| T1547.004 | Winlogon Helper DLL |
| T1547.005 | Security Support Provider |
| T1574.001 | DLL Search Order Hijacking |
| TA0003 | Persistence Tactic |
| Autoruns | Sysinternals tool showing persistent entries |
Tools & Systems
| Tool | Purpose |
|---|---|
| Sysinternals Autoruns | Comprehensive persistence enumeration |
| Velociraptor | Endpoint-wide persistence artifact collection |
| CrowdStrike Falcon | Real-time persistence monitoring |
| Sysmon | Registry and WMI event monitoring |
| OSQuery | SQL-based persistence queries |
| RECmd | Registry Explorer for forensic analysis |
| Splunk | SIEM correlation of persistence events |
Common Scenarios
- Registry Run Key Backdoor: Malware adds
entry pointing to payload inHKCU\Software\Microsoft\Windows\CurrentVersion\Run
.%APPDATA% - WMI Event Subscription: Adversary creates WMI consumer/filter pair that executes PowerShell on system boot.
- Malicious Service: Attacker creates Windows service with
pointing to a backdoor binary.sc create - COM Object Hijack: Legitimate COM CLSID InprocServer32 path replaced with malicious DLL.
- IFEO Debugger Injection: Image File Execution Options key set with debugger pointing to implant for common utilities.
Output Format
Hunt ID: TH-PERSIST-[DATE]-[SEQ] Persistence Type: [Registry/Service/Task/WMI/COM/Other] MITRE Technique: T1547.xxx / T1543.xxx / T1053.xxx Location: [Full registry key / service name / task path] Value: [Binary path / command line] Host(s): [Affected endpoints] Signed: [Yes/No] Hash: [SHA256] Creation Time: [Timestamp] Risk Level: [Critical/High/Medium/Low] Verdict: [Malicious/Suspicious/Benign]