Hunt Historical Dwell Time and Hidden Persistence
APT actors commonly dwell for months before detection. Hunt for historical activity going back at least as far as log retention allows, focus on low-and-slow patterns, and use the confirmed TTP profile to seed targeted hunts rather than generic scans.
Actions
1. Extend the investigation window to the full retention of each log source; document gaps where retention is shorter than suspected dwell.
2. Hunt for living-off-the-land patterns: anomalous parent-child process chains (w3wp.exe -> cmd.exe; winlogon.exe -> unexpected child; LSASS access from unusual processes), rare command-line patterns (powershell -enc with long base64 payloads, rundll32 with unusual DLLs).
3. Hunt for persistence the APT commonly installs: WMI event subscriptions, scheduled-task XML with hidden flags, service DLLs in unusual paths, Registry Run keys pointing to user-writable paths, masquerading services, COM hijacking, AppInit_DLLs, Image File Execution Options debugger hijacks.
4. Hunt for C2 in DNS: rare-TLD lookups, long-tail domains, domains with high entropy, periodic beacon patterns (stddev of interval < threshold), DNS TXT-record C2 patterns.
5. For cloud/M365: hunt for long-dwell OAuth app grants, mailbox rule filters that forward to external addresses, audit-suppression toggles, administrative-role assignments that were never reviewed.
6. Build a dwell-time-adjusted timeline spanning the extended window and walk backward from the earliest known IoC to find prior activity.
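The beacon-regularity and domain-entropy checks behind step 4 and the beacon query, as an added Python example that is not part of this playbook; the connection records, hosts and domain names are constructed for illustration.

```python
import math
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

def constructed_events():
    """Constructed sample connections as (host, remote_ip, timestamp): hostA
    beacons to 203.0.113.10 every 60 s with +/-1 s jitter (hypothetical C2);
    hostB reaches 198.51.100.5 at irregular, human-like intervals."""
    base = datetime(2024, 1, 1)
    events = [("hostA", "203.0.113.10", base + timedelta(seconds=60 * i + (i % 3) - 1))
              for i in range(60)]
    for gap in (5, 400, 33, 1200, 7, 90, 3000, 12, 250, 45):
        base += timedelta(seconds=gap)
        events.append(("hostB", "198.51.100.5", base))
    return events

def find_beacons(events, min_count=50, max_stddev=5.0):
    """Group connections by (host, remote_ip) and flag pairs that connect often
    at a near-constant interval: population stddev of the gaps below max_stddev."""
    groups = defaultdict(list)
    for host, ip, ts in events:
        groups[(host, ip)].append(ts)
    hits = {}
    for key, stamps in groups.items():
        if len(stamps) <= min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        sd = statistics.pstdev(gaps)
        if sd < max_stddev:
            hits[key] = round(sd, 2)
    return hits

def domain_entropy(domain):
    """Shannon entropy in bits per character of the registrable label (TLD
    dropped); DGA-style names score high, dictionary words score low."""
    parts = domain.lower().rstrip(".").split(".")
    label = parts[-2] if len(parts) > 1 else parts[0]
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in (label.count(ch) for ch in set(label)))

if __name__ == "__main__":
    print(find_beacons(constructed_events()))
    for name in ("microsoft.com", "x7k2q9fj4hm3p.net"):
        print(name, round(domain_entropy(name), 2))
```

Tune min_count and max_stddev to the sensor's sampling rate; jittered implants need a wider stddev window and a longer lookback than the 5 s used in the query above.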
Queries
// Long encoded PowerShell command lines across the extended window
DeviceProcessEvents
| where Timestamp > ago(180d)
| where ProcessCommandLine has "powershell" and ProcessCommandLine has_any ("-enc","-EncodedCommand")
| where strlen(ProcessCommandLine) > 500
| summarize cnt=count() by DeviceName, InitiatingProcessFileName
| order by cnt desc

// Autostart, Winlogon, IFEO and service registry writes pointing at user-writable paths
DeviceRegistryEvents
| where Timestamp > ago(180d)
| where RegistryKey has_any ("\\Run","\\RunOnce","\\Winlogon","\\Image File Execution Options","\\Services\\")
| where RegistryValueData has_any ("%AppData%","%Temp%","%Public%","\\Users\\Public\\")
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData

// Beaconing: many connections to one remote IP at a near-constant interval.
// prev() needs a serialized (sorted) input, so the interval is computed per
// (DeviceName, RemoteIP) run before summarize rather than inside the aggregate.
DeviceNetworkEvents
| where Timestamp > ago(180d)
| order by DeviceName asc, RemoteIP asc, Timestamp asc
| extend interval = iff(prev(DeviceName) == DeviceName and prev(RemoteIP) == RemoteIP, datetime_diff("second", Timestamp, prev(Timestamp)), long(null))
| summarize beacon_stddev=stdev(interval), count() by DeviceName, RemoteIP
| where count_ > 50 and beacon_stddev < 5

// Consent, app-role and service-principal changes in the Entra ID audit log
AuditLogs
| where TimeGenerated > ago(365d)
| where OperationName has_any ("Add app role assignment","Consent to application","Add service principal")
| project TimeGenerated, OperationName, InitiatedBy, TargetResources
Notes
Historical hunts against old telemetry are noisy. Use the TTP profile to filter to specific patterns rather than generic anomaly detection.
Persistence techniques found late in the engagement often predate the trigger event by weeks or months -- check install timestamps on services, scheduled tasks, and WMI subscriptions.
APT actors routinely remove their own tooling after use. The absence of tooling now does not imply its prior absence.