windows_persistence_techniques.yml
name: Windows Persistence Techniques
id: 30874d4f-20a1-488f-85ec-5d52ef74e3f9
version: 2
date: '2018-05-31'
author: Bhavin Patel, Splunk
status: production
description: Monitor for activities and techniques associated with maintaining persistence
  on a Windows system--a sign that an adversary may have compromised your environment.
narrative: Maintaining persistence is one of the first steps taken by attackers after
  the initial compromise. Attackers leverage various custom and built-in tools to
  ensure survivability and persistent access within a compromised enterprise. This
  Analytic Story provides searches to help you identify various behaviors used by
  attackers to maintain persistent access to a Windows environment.
references:
- http://www.fuzzysecurity.com/tutorials/19.html
- https://www.fireeye.com/blog/threat-research/2010/07/malware-persistence-windows-registry.html
- http://resources.infosecinstitute.com/common-malware-persistence-mechanisms/
- https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
- https://www.youtube.com/watch?v=dq2Hv7J9fvk
tags:
  category:
  - Adversary Tactics
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  usecase: Advanced Threat Detection