Comprehensive Persistence Mechanism Sweep
Systematically sweep ALL known persistence locations across Windows, Linux, and cloud environments. This is the final verification that no attacker persistence remains before recovery.
Actions
1. Windows persistence sweep: run Autoruns (`autorunsc.exe -a * -c -h -s -v -vt > autoruns_sweep.csv`) and check: Run/RunOnce registry keys, Services, Scheduled Tasks, WMI Event Subscriptions, startup folder, DLL search order hijacking, COM object hijacking, AppInit_DLLs, Image File Execution Options, Winlogon helper DLLs.
2. Linux persistence sweep: check crontab (all users), systemd services/timers, rc.local, .bashrc/.profile modifications, SSH authorized_keys, LD_PRELOAD, /etc/ld.so.preload, at jobs, inetd/xinetd, and modified system binaries (verify against the package manager: `rpm -Va` or `debsums -c`).
3. Cloud persistence sweep: check Azure AD app registrations, OAuth consents, Service Principals, Conditional Access exceptions, mailbox rules and forwarding, Power Automate flows, SharePoint webhooks, and federation trust configurations.
4. Compare the Autoruns output against a known-good baseline if one is available. Flag any new or modified entries that appeared during the compromise window.
5. For each persistence mechanism found, document: location, mechanism type, creation timestamp, associated attacker tools/IOCs, and the remediation action taken.
6. Check all AutoStart Extensibility Points (ASEPs) systematically using RECmd against the registry hives: `RECmd.exe -f NTUSER.DAT --bn BatchExamples\RECmd_Batch_MC.reb --csv .`. Key locations: `Run`/`RunOnce` (HKCU and HKLM), `Userinit`, `Shell`, `AppInit_DLLs`, `Winlogon\Notify`, `Image File Execution Options` (debugger hijack), and `BootExecute` in `SYSTEM\CurrentControlSet\Control\Session Manager`. Check Event ID 7045 for malicious service installations during the compromise window.
7. Hunt for DLL search-order hijacking: identify unsigned DLLs in application directories that shadow legitimate system DLLs using `sigcheck.exe -u -e <app_directory>`. Compare DLL names against `C:\Windows\System32`; a non-Microsoft DLL that shares a name with a system DLL may be a hijack. Also check for phantom DLL loading via Procmon or Sysmon EID 7 (ImageLoaded) showing unsigned DLLs.
Queries
Registry persistence (Microsoft Defender for Endpoint, KQL):
DeviceRegistryEvents | where Timestamp between (datetime(T_START) .. datetime(T_END)) | where RegistryKey has_any ("Run","RunOnce","Winlogon","AppInit_DLLs","Image File Execution Options",@"Explorer\Shell Folders") | where ActionType in ("RegistryValueSet","RegistryKeyCreated") | project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName

Service/task/WMI persistence (Microsoft Defender for Endpoint, KQL):
DeviceEvents | where Timestamp between (datetime(T_START) .. datetime(T_END)) | where ActionType in ("ScheduledTaskCreated","ScheduledTaskUpdated","ServiceInstalled","WmiBindingCreated") | project Timestamp, DeviceName, ActionType, FileName, AdditionalFields

Cloud app persistence (Azure AD audit logs in Sentinel, KQL):
AuditLogs | where TimeGenerated between (datetime(T_START) .. datetime(T_END)) | where OperationName in ("Add application","Add service principal","Add service principal credentials","Add delegated permission grant","Consent to application") | project TimeGenerated, OperationName, InitiatedBy, TargetResources

Service installs and scheduled task creation (Splunk; Event ID 7045 is written to the System log, 4698 to the Security log):
index=wineventlog ((sourcetype=WinEventLog:System EventCode=7045) OR (sourcetype=WinEventLog:Security EventCode=4698)) | eval persistence_type=case(EventCode==7045, "Service Installed", EventCode==4698, "Scheduled Task Created") | stats count by persistence_type, Service_Name, Task_Name, Account_Name, ComputerName | sort -count

Registry run-key and Winlogon modifications (Splunk, Sysmon Event ID 13):
index=wineventlog sourcetype=WinEventLog:Sysmon EventCode=13 TargetObject="*\CurrentVersion\Run*" OR TargetObject="*\CurrentVersion\RunOnce*" OR TargetObject="*Winlogon*" OR TargetObject="*AppInit_DLLs*" | stats count by TargetObject, Details, Image, ComputerName | sort -count
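Step 7 and the Sysmon queries both depend on signature data. Here is an added example, not part of this playbook, Sysmon or sigcheck, that applies the step 7 test to Sysmon Event ID 7 (ImageLoaded) records exported in the event's `Key: value` message layout: a DLL whose name matches a System32 DLL but loads from outside the Windows directories is flagged when it is unsigned or signed by a non-Microsoft publisher, and any unsigned DLL loaded from a user-writable path is flagged for review. The System32 inventory and the five events are constructed; on a real case the inventory comes from a directory listing of a known-good host.

```python
"""Flag DLL search-order hijack candidates in Sysmon Event ID 7 (ImageLoaded) data.

Added example; not part of the playbook, Sysmon or sigcheck. Events are assumed
to be in Sysmon's "Key: value" message layout, one per blank-line-separated
block. The events and the System32 inventory below are constructed.
"""
import ntpath

# Names that ship in C:\Windows\System32 (constructed subset; build the real set
# from `dir C:\Windows\System32\*.dll` on a known-good host).
SYSTEM32_DLLS = {"kernel32.dll", "version.dll", "dbghelp.dll", "winhttp.dll", "userenv.dll"}
# Where a DLL carrying a System32 name is expected to live.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
# Path fragments any user can write to; an unsigned DLL from here needs a look.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "\\temp\\")

SAMPLE_EVENTS = r"""
Image loaded:
UtcTime: 2024-03-02 03:14:58.101
Image: C:\Windows\System32\notepad.exe
ImageLoaded: C:\Windows\System32\version.dll
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid

Image loaded:
UtcTime: 2024-03-02 03:15:10.455
Image: C:\Program Files\VendorApp\vendorapp.exe
ImageLoaded: C:\Program Files\VendorApp\version.dll
Signed: false
Signature: -
SignatureStatus: Unavailable

Image loaded:
UtcTime: 2024-03-02 03:15:10.460
Image: C:\Program Files\VendorApp\vendorapp.exe
ImageLoaded: C:\Program Files\VendorApp\vendorcore.dll
Signed: true
Signature: Vendor Inc
SignatureStatus: Valid

Image loaded:
UtcTime: 2024-03-02 03:20:41.002
Image: C:\Users\Public\tool.exe
ImageLoaded: C:\Users\Public\winhttp.dll
Signed: true
Signature: Example Publisher Ltd
SignatureStatus: Valid

Image loaded:
UtcTime: 2024-03-02 03:21:05.317
Image: C:\Users\alice\AppData\Local\Temp\setup.exe
ImageLoaded: C:\Users\alice\AppData\Local\Temp\helper.dll
Signed: false
Signature: -
SignatureStatus: Unavailable
"""


def parse_sysmon_events(text):
    """Split blank-line separated 'Key: value' blocks into one dict per event."""
    events, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                events.append(current)
                current = {}
            continue
        key, sep, value = line.partition(": ")
        if sep:                      # header lines such as 'Image loaded:' carry no value
            current[key] = value
    if current:
        events.append(current)
    return events


def assess_image_load(event):
    """Reasons (possibly none) this load looks like search-order hijacking."""
    loaded = event.get("ImageLoaded", "").lower()
    name = ntpath.basename(loaded)
    signer = event.get("Signature", "")
    valid_sig = event.get("Signed", "").lower() == "true" and event.get("SignatureStatus") == "Valid"
    reasons = []
    if name in SYSTEM32_DLLS and not loaded.startswith(TRUSTED_DIRS):
        if not valid_sig:
            reasons.append("unsigned DLL shadows a System32 DLL name")
        elif not signer.startswith("Microsoft"):
            reasons.append(f"DLL with a System32 name signed by non-Microsoft publisher '{signer}'")
    if not valid_sig and any(frag in loaded for frag in USER_WRITABLE):
        reasons.append("unsigned DLL loaded from a user-writable path")
    return reasons


def find_hijack_candidates(events):
    """Events worth triage, with the fields an analyst pivots on."""
    hits = []
    for event in events:
        reasons = assess_image_load(event)
        if reasons:
            hits.append({"time": event.get("UtcTime"), "process": event.get("Image"),
                         "dll": event.get("ImageLoaded"), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_hijack_candidates(parse_sysmon_events(SAMPLE_EVENTS)):
        print(hit["time"], hit["process"], "->", hit["dll"], "|", "; ".join(hit["reasons"]))
```

The signer check matters because a valid signature alone is not a pass: Sysmon reports `Signed: true` for any trusted-chain signature, so a DLL with a System32 name that is validly signed by a non-Microsoft publisher still surfaces. Event ID 7 is high-volume; most Sysmon configurations only record it for unsigned or non-Microsoft images, which is exactly the subset this triage needs.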
Notes
A single missed persistence mechanism means the attacker can regain access after recovery. This sweep must be thorough.
Consider using automated tools like PersistenceSniper (Windows), linPEAS (Linux), or ROADtools (Azure AD) for comprehensive coverage.
Some persistence mechanisms are extremely subtle: WMI event subscriptions, COM hijacking, and Azure AD federation trusts are commonly missed.
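Step 2 lists the Linux locations and the note above points at linPEAS for coverage. As an added example, not linPEAS and not part of this playbook, the script below inventories those locations under a given filesystem root (`/etc/ld.so.preload`, cron files and spools, systemd unit `Exec*` directives, system and per-user shell profiles, rc.local, and every `authorized_keys`), grades each entry as `review` or `suspicious` (LD_PRELOAD, world-writable temp directories, hidden path components), and returns a list an analyst can work through. Because it takes a root path, the same sweep runs against a live host's `/` or a mounted disk image. The sample tree and every path in it are constructed placeholders.

```python
"""Scripted first pass over the Linux persistence locations listed in step 2.

Added example, not tooling from the playbook and not linPEAS. It audits a
filesystem root (`/` on a live host, or a mounted image) and returns findings
to triage; the sample tree below is constructed with placeholder paths.
"""
import os
import shutil
import tempfile

WRITABLE_TMP = ("/tmp/", "/var/tmp/", "/dev/shm/")   # rarely legitimate for startup entries
CRON_PATHS = ("etc/crontab", "etc/cron.d", "etc/cron.hourly", "etc/cron.daily",
              "etc/cron.weekly", "etc/cron.monthly", "var/spool/cron", "var/spool/at")
UNIT_DIRS = ("etc/systemd/system", "usr/lib/systemd/system")  # package-owned units: also rpm -Va / debsums -c
PROFILE_PATHS = ("etc/profile", "etc/profile.d", "etc/bash.bashrc", "etc/environment", "etc/rc.local")
USER_PROFILES = (".bashrc", ".profile", ".bash_profile", ".bash_login", ".zshrc")
EXEC_KEYS = ("ExecStart", "ExecStop", "ExecReload")   # unit directives that run a command


def _lines(path):
    """Non-empty, non-comment lines of a file; a missing file yields nothing."""
    try:
        with open(path, errors="replace") as fh:
            for raw in fh:
                line = raw.strip()
                if line and not line.startswith("#"):
                    yield line
    except OSError:
        return


def _files(path):
    """The file itself, or every file below a directory."""
    if os.path.isfile(path):
        yield path
    elif os.path.isdir(path):
        for dirpath, _, names in os.walk(path):
            for name in sorted(names):
                yield os.path.join(dirpath, name)


def _suspicious(line):
    """LD_PRELOAD, world-writable temp dirs or hidden path components raise an entry to 'suspicious'."""
    low = line.lower()
    return "ld_preload" in low or any(d in low for d in WRITABLE_TMP) or "/." in low


def sweep_linux_root(root):
    """Inventory every startup entry under root and grade each one for triage."""
    findings = []

    def record(kind, path, line, severity=None):
        findings.append({"kind": kind, "path": os.path.relpath(path, root), "line": line,
                         "severity": severity or ("suspicious" if _suspicious(line) else "review")})

    def scan(kind, path, keep=lambda line: True):
        for file in _files(path):
            for line in _lines(file):
                if keep(line):
                    record(kind, file, line)

    preload = os.path.join(root, "etc/ld.so.preload")
    for line in _lines(preload):              # anything listed here is injected into every process
        record("ld.so.preload", preload, line, "suspicious")
    for rel in CRON_PATHS:
        scan("cron", os.path.join(root, rel))
    for rel in UNIT_DIRS:                     # only the directives that execute something
        scan("systemd", os.path.join(root, rel), keep=lambda line: line.startswith(EXEC_KEYS))
    for rel in PROFILE_PATHS:
        scan("profile", os.path.join(root, rel))
    homes = [os.path.join(root, "root")]
    home_base = os.path.join(root, "home")
    if os.path.isdir(home_base):
        homes += [os.path.join(home_base, d) for d in sorted(os.listdir(home_base))]
    for home in homes:
        for name in USER_PROFILES:
            scan("profile", os.path.join(home, name))
        scan("authorized_keys", os.path.join(home, ".ssh", "authorized_keys"))  # match each key to an owner
    return findings


def build_sample_root():
    """Constructed tree with placeholder paths; nothing here is a real IOC."""
    root = tempfile.mkdtemp(prefix="linux-sweep-")
    sample = {
        "etc/ld.so.preload": "/usr/local/lib/.cache/libhook.so\n",
        "etc/crontab": "SHELL=/bin/sh\n17 * * * * root cd / && run-parts --report /etc/cron.hourly\n",
        "etc/cron.d/sysupdate": "*/10 * * * * root /var/tmp/.update/run.sh\n",
        "var/spool/cron/crontabs/alice": "0 7 * * 1 /home/alice/bin/backup.sh\n",
        "etc/systemd/system/app.service": "[Service]\nExecStart=/opt/app/bin/app\n",
        "etc/systemd/system/cache-sync.service": "[Service]\nExecStart=/dev/shm/.sync -d\n",
        "etc/profile": "export PATH=/usr/local/bin:$PATH\n",
        "home/alice/.bashrc": "alias ll='ls -la'\nexport LD_PRELOAD=/tmp/.x/libhook.so\n",
        "home/alice/.ssh/authorized_keys": "ssh-ed25519 AAAA-CONSTRUCTED-1 alice@laptop\n"
                                           "ssh-ed25519 AAAA-CONSTRUCTED-2 unknown\n",
        "root/.profile": "umask 022\n",
    }
    for rel, content in sample.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_root()
    try:
        for f in sorted(sweep_linux_root(root), key=lambda f: f["severity"] != "suspicious"):
            print(f"{f['severity']:<10} {f['kind']:<16} {f['path']}: {f['line']}")
    finally:
        shutil.rmtree(root)
```

Every entry is returned, not only the suspicious ones: the `review` items are the inventory that has to be matched against what the system owner can explain, which is what makes the sweep complete rather than heuristic. The heuristics only decide the order of review. The script reads files in place and never executes anything it finds, so it is safe to run on an evidence mount; unit files under `/usr/lib` are package-owned and are better verified with the `rpm -Va`/`debsums -c` check from step 2.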