Skill

hunting-for-persistence-mechanisms-in-windows

Hunts persistence mechanisms in Windows endpoints including registry run keys, services, scheduled tasks, startup folders, WMI subscriptions. For threat hunting, incident response, and posture assessments.

Powershell

security

npx claudepluginhub mukul975/anthropic-cybersecurity-skills --plugin cybersecurity-skills

Tool Access

This skill uses the workspace's default tool permissions.

Preview

- During periodic proactive threat hunts for dormant backdoors

Supporting Assets

LICENSEassets/template.mdreferences/api-reference.mdreferences/standards.mdreferences/workflows.mdscripts/agent.pyscripts/process.py

SKILL.md

Similar Skills

applying-brand-guidelines

41.6k

Applies Acme Corporation brand guidelines including colors, fonts, layouts, and messaging to generated PowerPoint, Excel, and PDF documents.

3 files

anthropics-claude-cookbooks

creating-financial-models

41.6k

Builds DCF models with sensitivity analysis, Monte Carlo simulations, and scenario planning for investment valuation and risk assessment.

2 files

anthropics-claude-cookbooks

analyzing-financial-statements

41.6k

Calculates profitability (ROE, margins), liquidity (current ratio), leverage, efficiency, and valuation (P/E, EV/EBITDA) ratios from financial statements in CSV, JSON, text, or Excel for investment analysis.

2 files

anthropics-claude-cookbooks

Stats

Stars5748

Forks783

Last CommitApr 6, 2026

Actions

View Source View Plugin View on GitHub View README

Hunting for Persistence Mechanisms in Windows

When to Use

During periodic proactive threat hunts for dormant backdoors
After an incident to identify all persistence mechanisms an attacker planted
When investigating unusual services, scheduled tasks, or startup entries
When threat intel reports describe new persistence techniques in the wild
During security posture assessments to identify unauthorized persistent software

Prerequisites

Sysmon deployed with Event IDs 12/13/14 (Registry), 19/20/21 (WMI), 1 (Process Creation)
Windows Security Event forwarding for 4697 (Service Install), 4698 (Scheduled Task)
EDR with registry and file monitoring capabilities
PowerShell script block logging enabled (Event ID 4104)
Autoruns or equivalent baseline of legitimate persistent entries

Workflow

Enumerate Known Persistence Locations: Build a comprehensive list of Windows persistence points (Run keys, services, scheduled tasks, WMI, startup folder, DLL search order, COM hijacks, AppInit DLLs, Image File Execution Options).
Collect Endpoint Data: Use EDR, Sysmon, or Velociraptor to collect current persistence artifacts from endpoints across the environment.
Baseline Legitimate Persistence: Compare collected data against known-good baselines (Autoruns snapshots, GPO-deployed entries, SCCM configurations).
Identify Anomalies: Flag new, unsigned, or unknown entries in persistence locations that deviate from the baseline.
Investigate Suspicious Entries: For each anomaly, examine the binary it points to, its digital signature, file hash, and creation timestamp.
Correlate with Process Activity: Link persistence entries to process execution, network activity, and user login events.
Document and Remediate: Record findings, remove malicious persistence, and update detection rules.

Key Concepts

Concept	Description
T1547.001	Registry Run Keys / Startup Folder
T1543.003	Windows Service (Create or Modify)
T1053.005	Scheduled Task
T1546.003	WMI Event Subscription
T1546.015	Component Object Model (COM) Hijacking
T1546.012	Image File Execution Options Injection
T1546.010	AppInit DLLs
T1547.004	Winlogon Helper DLL
T1547.005	Security Support Provider
T1574.001	DLL Search Order Hijacking
TA0003	Persistence Tactic
Autoruns	Sysinternals tool showing persistent entries

Tools & Systems

Tool	Purpose
Sysinternals Autoruns	Comprehensive persistence enumeration
Velociraptor	Endpoint-wide persistence artifact collection
CrowdStrike Falcon	Real-time persistence monitoring
Sysmon	Registry and WMI event monitoring
OSQuery	SQL-based persistence queries
RECmd	Registry Explorer for forensic analysis
Splunk	SIEM correlation of persistence events

Common Scenarios

Registry Run Key Backdoor: Malware adds HKCU\Software\Microsoft\Windows\CurrentVersion\Run entry pointing to payload in %APPDATA%.
WMI Event Subscription: Adversary creates WMI consumer/filter pair that executes PowerShell on system boot.
Malicious Service: Attacker creates Windows service with sc create pointing to a backdoor binary.
COM Object Hijack: Legitimate COM CLSID InprocServer32 path replaced with malicious DLL.
IFEO Debugger Injection: Image File Execution Options key set with debugger pointing to implant for common utilities.

Output Format

Hunt ID: TH-PERSIST-[DATE]-[SEQ]
Persistence Type: [Registry/Service/Task/WMI/COM/Other]
MITRE Technique: T1547.xxx / T1543.xxx / T1053.xxx
Location: [Full registry key / service name / task path]
Value: [Binary path / command line]
Host(s): [Affected endpoints]
Signed: [Yes/No]
Hash: [SHA256]
Creation Time: [Timestamp]
Risk Level: [Critical/High/Medium/Low]
Verdict: [Malicious/Suspicious/Benign]