Hey friend, welcome to the final installment in this short series on hunting for persistence!
In this series, I have joined up with the team at Cympire to teach you how to hunt for adversary persistence mechanisms in your environment. Cympire is “The Most Advanced Cybersecurity Training & Assessment Platform” and it will provide you with a virtualized battleground to test your cyber capabilities!
Each entry in this series covers a persistence mechanism adversaries use in the real world to maintain access to systems they compromise. Accompanying this will be a gamified scenario where you can practice the skills you learn for FREE. So let’s dig in and upskill our threat hunting capabilities!
Once an attacker gains initial access to a machine they will try to keep this access by installing a persistence mechanism. There are many ways an adversary can maintain persistence, this series will cover:
1. Registry Run Keys — where attackers will add registry keys to automatically start a program when the system boots.
2. Scheduled Tasks — where attackers will schedule a task to automatically run a program at specific intervals.
3. Services — where attackers will create or modify existing services to automatically start a program when the system boots.
4. Startup Folder— where attackers will add a shortcut to a program in the startup folder to automatically run when the user logs in.
In the three previous installments of this series, we focused on Registry Run Keys, Scheduled Tasks, and Services. These posts were accompanied by the Registry Run Persistence, Scheduled Task Persistence, and Service Persistence campaigns. All these campaigns can be found on Cympire and it is highly recommended to tackle these to round out your knowledge of how attackers maintain persistence. Try out these campaigns by following this link.
In this final installment, we will take a look at how adversaries use the Startup Folder for persistence.