Hunting for Persistence with Cympire: Part III — Services

Adam Goss
8 min read · Apr 3

Hey friend, welcome to this short series on hunting for persistence!

In this series, I have joined up with the team at Cympire to teach you how to hunt for adversary persistence mechanisms in your environment. Cympire is “The Most Advanced Cybersecurity Training & Assessment Platform” and it will provide you with a virtualized battleground to test your cyber capabilities!

Each entry in this series will cover a persistence mechanism adversaries use in the real world to maintain access to systems they compromise. Accompanying this will be a gamified scenario where you can practice the skills you learn for FREE. So let’s dig in and upskill our threat hunting capabilities!

Once an attacker gains initial access to a machine, they will try to keep that access by installing a persistence mechanism. There are many ways an adversary can maintain persistence, but this series will cover:
1. Registry Run Keys — where attackers will add registry keys to automatically start a program when the system boots.
2. Scheduled Tasks — where attackers will schedule a task to automatically run a program at specific intervals.
3. Services — where attackers will create or modify existing services to automatically start a program when the system boots.
4. Startup Folder — where attackers will add a shortcut to a program in the startup folder to automatically run when the user logs in.

Previously we focused on Registry Run Keys and Scheduled Tasks. These posts were accompanied by the Registry Run Persistence and Scheduled Task Persistence campaigns, respectively. Both of these campaigns can be found on Cympire and it is highly recommended to tackle these to round out your knowledge of how attackers maintain persistence. Try out these campaigns for FREE by following this link.

In this installment of the series, we will be focusing on Windows Services as a persistence mechanism.

Services

Adam Goss

Cyber Security Professional | Red Teamer | Adversary Emulator | Malware Analysis | Threat Hunter | Threat Intelligence