hunting-for-persistence-mechanisms-in-windows
Systematically hunt for adversary persistence mechanisms across Windows endpoints including registry, services, startup folders, and WMI subscriptions.
Best use case
hunting-for-persistence-mechanisms-in-windows is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Systematically hunt for adversary persistence mechanisms across Windows endpoints including registry, services, startup folders, and WMI subscriptions.
Teams using hunting-for-persistence-mechanisms-in-windows should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/hunting-for-persistence-mechanisms-in-windows/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How hunting-for-persistence-mechanisms-in-windows Compares
| Feature / Agent | hunting-for-persistence-mechanisms-in-windows | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Systematically hunt for adversary persistence mechanisms across Windows endpoints including registry, services, startup folders, and WMI subscriptions.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Hunting for Persistence Mechanisms in Windows ## When to Use - During periodic proactive threat hunts for dormant backdoors - After an incident to identify all persistence mechanisms an attacker planted - When investigating unusual services, scheduled tasks, or startup entries - When threat intel reports describe new persistence techniques in the wild - During security posture assessments to identify unauthorized persistent software ## Prerequisites - Sysmon deployed with Event IDs 12/13/14 (Registry), 19/20/21 (WMI), 1 (Process Creation) - Windows Security Event forwarding for 4697 (Service Install), 4698 (Scheduled Task) - EDR with registry and file monitoring capabilities - PowerShell script block logging enabled (Event ID 4104) - Autoruns or equivalent baseline of legitimate persistent entries ## Workflow 1. **Enumerate Known Persistence Locations**: Build a comprehensive list of Windows persistence points (Run keys, services, scheduled tasks, WMI, startup folder, DLL search order, COM hijacks, AppInit DLLs, Image File Execution Options). 2. **Collect Endpoint Data**: Use EDR, Sysmon, or Velociraptor to collect current persistence artifacts from endpoints across the environment. 3. **Baseline Legitimate Persistence**: Compare collected data against known-good baselines (Autoruns snapshots, GPO-deployed entries, SCCM configurations). 4. **Identify Anomalies**: Flag new, unsigned, or unknown entries in persistence locations that deviate from the baseline. 5. **Investigate Suspicious Entries**: For each anomaly, examine the binary it points to, its digital signature, file hash, and creation timestamp. 6. **Correlate with Process Activity**: Link persistence entries to process execution, network activity, and user login events. 7. **Document and Remediate**: Record findings, remove malicious persistence, and update detection rules. ## Key Concepts | Concept | Description | |---------|-------------| | T1547.001 | Registry Run Keys / Startup Folder | | T1543.003 | Windows Service (Create or Modify) | | T1053.005 | Scheduled Task | | T1546.003 | WMI Event Subscription | | T1546.015 | Component Object Model (COM) Hijacking | | T1546.012 | Image File Execution Options Injection | | T1546.010 | AppInit DLLs | | T1547.004 | Winlogon Helper DLL | | T1547.005 | Security Support Provider | | T1574.001 | DLL Search Order Hijacking | | TA0003 | Persistence Tactic | | Autoruns | Sysinternals tool showing persistent entries | ## Tools & Systems | Tool | Purpose | |------|---------| | Sysinternals Autoruns | Comprehensive persistence enumeration | | Velociraptor | Endpoint-wide persistence artifact collection | | CrowdStrike Falcon | Real-time persistence monitoring | | Sysmon | Registry and WMI event monitoring | | OSQuery | SQL-based persistence queries | | RECmd | Registry Explorer for forensic analysis | | Splunk | SIEM correlation of persistence events | ## Common Scenarios 1. **Registry Run Key Backdoor**: Malware adds `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` entry pointing to payload in `%APPDATA%`. 2. **WMI Event Subscription**: Adversary creates WMI consumer/filter pair that executes PowerShell on system boot. 3. **Malicious Service**: Attacker creates Windows service with `sc create` pointing to a backdoor binary. 4. **COM Object Hijack**: Legitimate COM CLSID InprocServer32 path replaced with malicious DLL. 5. **IFEO Debugger Injection**: Image File Execution Options key set with debugger pointing to implant for common utilities. ## Output Format ``` Hunt ID: TH-PERSIST-[DATE]-[SEQ] Persistence Type: [Registry/Service/Task/WMI/COM/Other] MITRE Technique: T1547.xxx / T1543.xxx / T1053.xxx Location: [Full registry key / service name / task path] Value: [Binary path / command line] Host(s): [Affected endpoints] Signed: [Yes/No] Hash: [SHA256] Creation Time: [Timestamp] Risk Level: [Critical/High/Medium/Low] Verdict: [Malicious/Suspicious/Benign] ```