Comprehensive Persistence Mechanism Sweep
Systematically sweep ALL known persistence locations across Windows, Linux, and cloud environments. This is the final verification that no attacker persistence remains before recovery.
Actions
1. Windows persistence sweep: Run Autoruns (`autorunsc.exe -a * -c -h -s -v -vt > autoruns_sweep.csv`) and check: Run/RunOnce registry keys, Services, Scheduled Tasks, WMI Event Subscriptions, startup folder, DLL search order hijacking, COM object hijacking, AppInit_DLLs, Image File Execution Options, Winlogon helper DLLs.
2. Linux persistence sweep: Check crontab (all users), systemd services/timers, rc.local, .bashrc/.profile modifications, SSH authorized_keys, LD_PRELOAD, /etc/ld.so.preload, at jobs, inetd/xinetd, and modified system binaries (verify against the package manager: `rpm -Va` or `debsums -c`).
3. Cloud persistence sweep: Check Azure AD app registrations, OAuth consents, Service Principals, Conditional Access exceptions, mailbox rules and forwarding, Power Automate flows, SharePoint webhooks, and federation trust configurations.
4. Compare Autoruns output against a known-good baseline if available. Flag any new or modified entries that appeared during the compromise window.
5. For each persistence mechanism found, document: location, mechanism type, creation timestamp, associated attacker tools/IOCs, and remediation action taken.
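Steps 4 and 5 can be carried out together: diff the sweep export against the baseline export and emit the documentation fields for each new or modified entry. The script below is an added example, not part of this playbook; it uses autorunsc's CSV column names but a constructed two-file sample (fake hashes, fake paths), and assumes the exports were written with normalized `YYYYMMDD-hhmmss` timestamps.

```python
import csv
import io
from datetime import datetime

# Constructed sample exports using autorunsc's CSV column names (columns not
# needed here dropped; Time assumed in the normalized YYYYMMDD-hhmmss form).
# Real exports may be UTF-16; check the encoding before opening the file.
BASELINE_CSV = r"""Time,Entry Location,Entry,Image Path,Launch String,Signer,SHA-256
20240105-081000,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,c:\windows\system32\securityhealthsystray.exe,%windir%\system32\SecurityHealthSystray.exe,(Verified) Microsoft Windows,1111
20240105-081000,Task Scheduler,\Microsoft\Windows\Defrag\ScheduledDefrag,c:\windows\system32\defrag.exe,%windir%\system32\defrag.exe -c -h -o -$,(Verified) Microsoft Windows,2222
"""
SWEEP_CSV = r"""Time,Entry Location,Entry,Image Path,Launch String,Signer,SHA-256
20240312-231417,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,c:\users\public\securityhealth.exe,c:\users\public\securityhealth.exe,(Not verified),3333
20240105-081000,Task Scheduler,\Microsoft\Windows\Defrag\ScheduledDefrag,c:\windows\system32\defrag.exe,%windir%\system32\defrag.exe -c -h -o -$,(Verified) Microsoft Windows,2222
20240313-020205,WMI Database,Updater,c:\windows\system32\wbem\scrcons.exe,C:\ProgramData\updater.cmd,(Verified) Microsoft Windows,4444
"""

# A change in any of these fields counts as a modified entry (same location + name).
FIELDS_COMPARED = ("Image Path", "Launch String", "Signer", "SHA-256")
TIME_FMT = "%Y%m%d-%H%M%S"

def load_entries(csv_text):
    """Index an autorunsc CSV export by (Entry Location, Entry)."""
    return {(r["Entry Location"], r["Entry"]): r for r in csv.DictReader(io.StringIO(csv_text))}

def diff_autoruns(baseline_text, sweep_text, window_start, window_end):
    """Return entries new or modified since the baseline with the fields step 5
    asks for; in_window marks entries written during the compromise window."""
    baseline = load_entries(baseline_text)
    start, end = (datetime.strptime(t, TIME_FMT) for t in (window_start, window_end))
    findings = []
    for key, row in load_entries(sweep_text).items():
        old = baseline.get(key)
        changed = [f for f in FIELDS_COMPARED if old is None or row[f] != old[f]]
        if old is not None and not changed:
            continue  # present in the baseline and unchanged
        ts = datetime.strptime(row["Time"], TIME_FMT)
        findings.append({
            "location": row["Entry Location"], "entry": row["Entry"],
            "status": "new" if old is None else "modified:" + ",".join(changed),
            "timestamp": ts.isoformat(), "in_window": start <= ts <= end,
            "image_path": row["Image Path"], "sha256": row["SHA-256"], "signer": row["Signer"],
        })
    return sorted(findings, key=lambda f: f["timestamp"])

if __name__ == "__main__":
    for finding in diff_autoruns(BASELINE_CSV, SWEEP_CSV, "20240310-000000", "20240315-000000"):
        print(finding)
```

On the sample, the tampered Run entry is reported as modified in all four compared fields and the WMI entry as new, both inside the window; the unchanged Defrag task is dropped.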
Queries
Registry persistence (Defender for Endpoint advanced hunting):

```kql
DeviceRegistryEvents
| where Timestamp between (datetime(T_START) .. datetime(T_END))
// Verbatim string for the key containing a backslash, which a regular KQL string would treat as an escape
| where RegistryKey has_any ("Run", "RunOnce", "Winlogon", "AppInit_DLLs", "Image File Execution Options", @"Explorer\Shell Folders")
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName
```

Service/task/WMI persistence:

```kql
DeviceEvents
| where Timestamp between (datetime(T_START) .. datetime(T_END))
| where ActionType in ("ScheduledTaskCreated", "ScheduledTaskUpdated", "ServiceInstalled", "WmiBindingCreated")
| project Timestamp, DeviceName, ActionType, FileName, AdditionalFields
```

Cloud app persistence (Entra ID audit logs in Log Analytics / Sentinel):

```kql
AuditLogs
| where TimeGenerated between (datetime(T_START) .. datetime(T_END))
| where OperationName in ("Add application", "Add service principal", "Add service principal credentials", "Add delegated permission grant", "Consent to application")
| project TimeGenerated, OperationName, InitiatedBy, TargetResources
```

Notes
- A single missed persistence mechanism means the attacker can regain access after recovery. This sweep must be thorough.
- Consider using automated tools like PersistenceSniper (Windows), linPEAS (Linux), or ROADtools (Azure AD) for comprehensive coverage.
- Some persistence mechanisms are extremely subtle: WMI event subscriptions, COM hijacking, and Azure AD federation trusts are commonly missed.
Related Artifacts
Run / RunOnce Persistence Keys
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run (per-user) and SOFTWARE\Microsoft\Windows\CurrentVersion\Run (machine-wide)
Azure AD (Entra ID) Audit Logs
Azure Portal > Entra ID > Monitoring > Audit logs (or Microsoft Graph API /auditLogs/directoryAudits)
Cron Jobs
/etc/crontab, /etc/cron.d/*, /var/spool/cron/crontabs/<user>