GitHub Repo

Analytics Story: Windows Persistence Techniques

Updated Date: 2026-05-13 ID: 30874d4f-20a1-488f-85ec-5d52ef74e3f9 Author: Bhavin Patel, Splunk Product: Splunk Enterprise Security

Description

Monitor for activities and techniques associated with maintaining persistence on a Windows system--a sign that an adversary may have compromised your environment.

Why it matters

Maintaining persistence is one of the first steps taken by attackers after the initial compromise. Attackers leverage various custom and built-in tools to ensure survivability and persistent access within a compromised enterprise. This Analytic Story provides searches to help you identify various behaviors used by attackers to maintain persistent access to a Windows environment.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Windows New Default File Association Value Set Change Default File Association Hunting
Logon Script Event Trigger Execution Logon Script (Windows) TTP
Windows Mock Trusted Directory MSC File Creation MMC, Bypass User Account Control, Hijack Execution Flow TTP
Registry Keys Used For Persistence Registry Run Keys / Startup Folder TTP
Windows Scheduled Task with Suspicious Name Scheduled Task TTP
Windows AppCertDLL Modification Via Command Line AppCert DLLs Anomaly
Windows Schtasks Create Run As System Scheduled Task TTP
Windows Get-Variable.EXE Execution from WindowsApps Folder Path Interception by Search Order Hijacking Anomaly
Shim Database Installation With Suspicious Parameters Application Shimming TTP
Time Provider Persistence Registry Time Providers TTP
Schedule Task with HTTP Command Arguments Scheduled Task/Job TTP
Registry Keys for Creating SHIM Databases Application Shimming TTP
Screensaver Event Trigger Execution Screensaver TTP
Windows Guest Account Enabled Via Net.EXE Default Accounts Anomaly
Monitor Registry Keys for Print Monitors Port Monitors TTP
Shim Database File Creation Application Shimming TTP
Windows Scheduled Task Created in a Group Policy Object Scheduled Task, Group Policy Modification TTP
Suspicious Scheduled Task from Public Directory Scheduled Task Anomaly
Windows PowerShell Module File Created PowerShell, Shared Modules, Hijack Execution Flow Anomaly
Windows Registry Delete Task SD Scheduled Task, Disable or Modify Tools Anomaly
Print Processor Registry Autostart Print Processors TTP
Windows Scheduled Task with Suspicious Command Scheduled Task TTP
Windows Mshta Execution In Registry Mshta TTP
Windows Set Custom DNS ServerLevelPlugin Via Dnscmd Hijack Execution Flow Anomaly
Windows Service Creation Using Registry Entry Services Registry Permissions Weakness Anomaly
Windows Compatibility Telemetry Tampering Through Registry Scheduled Task, Event Triggered Execution TTP
Sc exe Manipulating Windows Services Windows Service TTP
ETW Registry Disabled Trusted Developer Utilities Proxy Execution, Disable or Modify Tools TTP
Schedule Task with Rundll32 Command Trigger Scheduled Task/Job TTP
Scheduled Task Deleted Or Created via CMD Scheduled Task Anomaly
Windows SymbolicLink-Testing-Tools Utility Execution File and Directory Permissions Modification, NTFS File Attributes TTP
Hiding Files And Directories With Attrib exe Windows Permissions TTP
Detect Path Interception By Creation Of program exe Path Interception by Unquoted Path TTP
Windows AD Same Domain SID History Addition SID-History Injection TTP
Windows Compatibility Telemetry Suspicious Child Process Scheduled Task, Event Triggered Execution TTP
Windows Downdate Registry Activity Modify Registry, Downgrade Attack Anomaly
Schtasks used for forcing a reboot Scheduled Task TTP
Reg exe Manipulating Windows Services Registry Keys Services Registry Permissions Weakness TTP
Active Setup Registry Autostart Active Setup TTP
Certutil exe certificate extraction Steal or Forge Authentication Certificates TTP
Windows AD DSRM Account Changes Account Manipulation TTP
Windows Scheduled Task Service Spawned Shell Scheduled Task, Command and Scripting Interpreter TTP
Windows Event Triggered Image File Execution Options Injection Image File Execution Options Injection Hunting
WinEvent Scheduled Task Created Within Public Path Scheduled Task TTP
WinEvent Windows Task Scheduler Event Action Started Scheduled Task Hunting
WinEvent Scheduled Task Created to Spawn Shell Scheduled Task TTP

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
Sysmon EventID 13 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4700 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Windows Event Log Security 4702 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Windows Event Log Security 4698 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Windows Event Log Security 4688 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Sysmon EventID 1 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
CrowdStrike ProcessRollup2 Other crowdstrike:events:sensor crowdstrike
Windows Event Log Security 5145 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Sysmon EventID 12 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4738 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Windows Event Log Security 4742 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Sysmon EventID 14 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Application 3000 Windows icon Windows XmlWinEventLog XmlWinEventLog:Application
Windows Event Log TaskScheduler 200 Windows icon Windows wineventlog WinEventLog:Microsoft-Windows-TaskScheduler/Operational
Windows Event Log TaskScheduler 201 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security

References

Source: GitHub | Version: 3