Hey friend, welcome to this short series on hunting for persistence!
In this series, I have joined up with the team at Cympire to teach you how to hunt for adversary persistence mechanisms in your environment. Cympire is “The Most Advanced Cybersecurity Training & Assessment Platform” and it will provide you with a virtualized battleground to test your cyber capabilities!
Each entry in this series will cover a persistence mechanism adversaries use in the real world to maintain access to systems they compromise. Accompanying this will be a gamified scenario where you can practice the skills you learn for FREE. So let’s dig in and upskill our threat hunting capabilities!
Once an attacker gains initial access to a machine they will try to keep this access by installing a persistence mechanism. There are many ways an adversary can maintain persistence, but this series will cover:
1. Registry Run Keys — where attackers will add registry keys to automatically start a program when the system boots.
2. Scheduled Tasks — where attackers will schedule a task to automatically run a program at specific intervals.
3. Services — where attackers will create or modify existing services to automatically start a program when the system boots.
4. Startup Folder — where attackers will add a shortcut to a program in the startup folder to automatically run when the user logs in.
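Before moving on to scheduled tasks, here is a small illustration of the kind of hunting logic this series builds toward. It is an added example and is not code from the original post or from Cympire: it parses Windows Task Scheduler XML (the format stored under `C:\Windows\System32\Tasks`) and flags the attributes a hunter typically looks at first. The two task definitions and the heuristics (user-writable paths, script hosts with arguments, encoded PowerShell, hidden flag, logon/boot triggers) are constructed for this example and are assumptions, not a complete detection rule set.

```python
"""Triage Windows Scheduled Task XML for common persistence indicators.

Added example, not part of the original post. The two task definitions
below are constructed samples; the heuristics are assumptions chosen for
illustration, not an exhaustive rule set.
"""
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Path fragments a task action rarely has a legitimate reason to run from (assumed).
USER_WRITABLE_HINTS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
# Script hosts / living-off-the-land binaries commonly launched by a task action (assumed).
SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript",
                "cscript", "rundll32", "regsvr32", "certutil")
# -e / -enc / -encodedcommand followed by a base64-looking blob (matched on lowercased text).
ENCODED_PS = re.compile(r"-e(nc(odedcommand)?)?\s+[a-z0-9+/=]{20,}")


def parse_task(xml_text):
    """Return the task's name, hidden flag, trigger types and Exec actions."""
    root = ET.fromstring(xml_text)
    trig = root.find("t:Triggers", NS)
    return {
        "name": root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS),
        "hidden": root.findtext("t:Settings/t:Hidden", default="false",
                                namespaces=NS).lower() == "true",
        # Strip the namespace so triggers read as e.g. "LogonTrigger".
        "triggers": [] if trig is None else [c.tag.split("}")[-1] for c in trig],
        "actions": [
            (ex.findtext("t:Command", default="", namespaces=NS).strip(),
             ex.findtext("t:Arguments", default="", namespaces=NS).strip())
            for ex in root.findall("t:Actions/t:Exec", NS)
        ],
    }


def task_findings(task):
    """Return a list of human-readable indicators for one parsed task."""
    findings = []
    for cmd, args in task["actions"]:
        blob = f"{cmd} {args}".lower()
        if any(h in blob for h in USER_WRITABLE_HINTS):
            findings.append("action path under user-writable directory")
        if args and any(s in blob for s in SCRIPT_HOSTS):
            findings.append("script host or LOLBin with arguments")
        if ENCODED_PS.search(blob):
            findings.append("encoded PowerShell command line")
    if task["hidden"]:
        findings.append("task marked hidden")
    # A logon/boot trigger is normal on its own; report it only as context for other hits.
    if findings and any(t in ("LogonTrigger", "BootTrigger") for t in task["triggers"]):
        findings.append("persists via logon/boot trigger")
    return findings


def triage(xml_texts):
    """Map each task name to its findings; an empty list means nothing flagged."""
    report = {}
    for text in xml_texts:
        task = parse_task(text)
        report[task["name"]] = task_findings(task)
    return report


# Constructed sample: an ordinary vendor updater on a daily calendar trigger.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\ExampleVendor\Updater</URI></RegistrationInfo>
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions><Exec>
    <Command>C:\Program Files\ExampleVendor\updater.exe</Command>
    <Arguments>/silent</Arguments>
  </Exec></Actions>
</Task>"""

# Constructed sample: hidden logon task running an encoded PowerShell command.
# The base64 blob is an inert placeholder (UTF-16LE "AAAAAAAAAAAA"), not a real payload.
SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Updates\SyncHelper</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions><Exec>
    <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
    <Arguments>-NoP -W Hidden -enc QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEA</Arguments>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for name, hits in triage([BENIGN_TASK, SUSPICIOUS_TASK]).items():
        print(name, "->", hits or "no findings")
```

On a real host you would feed this the XML files under `C:\Windows\System32\Tasks` (or the output of `schtasks /query /xml`) rather than the embedded samples, and treat the findings as leads to pivot on, not verdicts; the Cympire scenario for this installment is a good place to try that against live data.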
Previously we focused on Registry Run Keys with the accompanying campaign Registry Run Persistence. If you didn’t get a chance to check out this campaign then I highly recommend reading the first installment of this series and giving it a go here.
In this installment of the series, we will be focusing on scheduled tasks.