
Incident Response Playbook: Threat Hunting for Persistence

A successful threat hunting operation is never random; it follows a rigorous, repeatable methodology known as the Hunting Loop.

  1. Hypothesis Generation: Formulate a specific assumption based on Threat Intelligence (CTI), known adversary Tactics, Techniques, and Procedures (TTPs), or environmental anomalies.
  2. Data Collection: Identify and gather the specific log sources required to test the hypothesis (e.g., Sysmon, Windows Event Logs, EDR telemetry).
  3. Data Analysis & Triage: Execute queries to sift through the noise, stack the data to find outliers, and isolate suspicious behaviors.
  4. Validation & Response: If the hypothesis is validated, immediately transition from hunting to Incident Response. If invalidated, use the findings to refine future hypotheses and improve automated SIEM detection rules.

2. Hunting Grounds: Formulating Hypotheses


The following sections outline structured hypotheses targeting the most frequent Windows persistence mechanisms used by Advanced Persistent Threats (APTs) and ransomware operators.

Hypothesis 1: Registry Run Keys & Startup Folders


MITRE ATT&CK: T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Threat actors frequently manipulate registry run keys to ensure their payloads execute automatically upon user logon or system boot.

  • Live Forensics: The Sysinternals Autoruns utility remains the gold standard for live endpoint triage; run it with "Hide Microsoft Entries" and "Verify Code Signatures" enabled and compare the result against a known-clean baseline rather than reading the list cold.
  • Telemetry Hunting: Query Sysmon Event ID 13 (RegistryEvent, Value Set) for TargetObject paths containing \CurrentVersion\Run, \CurrentVersion\RunOnce, and \Windows NT\CurrentVersion\Windows\Load. Sysmon only records these events when its configuration includes the registry targets; a default install does not. For Startup folders, hunt Sysmon Event ID 11 (FileCreate) for files written under \Start Menu\Programs\Startup\.
  • Anomalies: Suppress entries whose image carries a valid signature from a known vendor and lives under Program Files or System32, but do not let a signature alone clear an entry: powershell.exe and wscript.exe are Microsoft-signed, and a Run key that launches them against a script in AppData, or any unsigned binary executing from a user's AppData directory, is highly suspicious.
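
The live-triage pass described above, as an added PowerShell example that is not part of the original playbook: it walks the Run, RunOnce and Windows\Load values for HKLM and HKCU plus both Startup folders, resolves the image each value launches, and flags script hosts, user-writable paths and anything that fails Authenticode verification. It assumes it is run on the endpoint under triage with rights to read both hives; the key list and the script-host list are the author's choices and should be extended from your baseline.

```powershell
# Added example (not from the original playbook): enumerate autostart locations
# and flag what Autoruns would also highlight. Assumes local read access to HKLM/HKCU.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'   # holds the Load and Run values
)

# Microsoft-signed interpreters that are still suspicious as a Run-key target:
# a valid signature on the host does not clear the script it is pointed at.
$scriptHosts = @('powershell.exe','pwsh.exe','wscript.exe','cscript.exe','mshta.exe','rundll32.exe','regsvr32.exe','cmd.exe')

function Get-CommandImage {
    # Extract the executable from a Run value such as
    #   "C:\Users\bob\AppData\Roaming\x\y.exe" /arg   or   wscript.exe //B C:\Temp\a.vbs
    param([string]$Command)
    if     ($Command -match '^\s*"([^"]+)"') { $first = $Matches[1] }
    elseif ($Command -match '(?i)^\s*(.+?\.(exe|com|bat|cmd|vbs|vbe|js|jse|wsf|ps1|hta|dll))(\s|$)') { $first = $Matches[1] }
    else   { $first = ($Command -split '\s+', 2)[0] }
    $expanded = [Environment]::ExpandEnvironmentVariables($first)
    # Resolve bare image names (e.g. wscript.exe) through PATH so they can be signature-checked
    $resolved = Get-Command -Name $expanded -CommandType Application -ErrorAction SilentlyContinue |
                Select-Object -First 1 -ExpandProperty Source
    if ($resolved) { return $resolved } else { return $expanded }
}

function Test-SuspiciousAutorun {
    param([string]$Image, [string]$Command)
    $reasons = @()
    $leaf = [IO.Path]::GetFileName($Image).ToLower()
    if ($scriptHosts -contains $leaf) { $reasons += "script host: $leaf" }
    if ($Command -match '(?i)\\AppData\\|\\Users\\Public\\|\\Temp\\|\\ProgramData\\') { $reasons += 'user-writable path' }
    if (Test-Path -LiteralPath $Image -PathType Leaf) {
        $sig = Get-AuthenticodeSignature -FilePath $Image
        if ($sig.Status -ne 'Valid') { $reasons += "signature: $($sig.Status)" }
    } else {
        $reasons += 'image not found on disk'
    }
    return $reasons
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # PSPath/PSParentPath/... provider metadata, not values
        if ($key -like '*CurrentVersion\Windows' -and $p.Name -notin 'Load','Run') { continue }
        if ([string]::IsNullOrWhiteSpace([string]$p.Value)) { continue }
        $image   = Get-CommandImage -Command ([string]$p.Value)
        $reasons = Test-SuspiciousAutorun -Image $image -Command ([string]$p.Value)
        [pscustomobject]@{
            Key     = $key
            Name    = $p.Name
            Command = [string]$p.Value
            Image   = $image
            Flags   = ($reasons -join '; ')
        }
    }
}

# Startup folders: every file here is an autostart, so list them all next to the registry hits.
$startupDirs  = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
$startupItems = Get-ChildItem -Path $startupDirs -File -Force -ErrorAction SilentlyContinue |
    Where-Object Name -ne 'desktop.ini' |
    Select-Object FullName, LastWriteTime

$findings | Where-Object Flags | Format-Table -AutoSize -Wrap
$startupItems | Format-Table -AutoSize
```

Entries with an empty Flags column are dropped from the first table, which is the same "hide known-good" step Autoruns performs; keep the unfiltered $findings if you need to document the full autostart surface in the incident record.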

Hypothesis 2: Windows Services

MITRE ATT&CK: T1543.003 - Create or Modify System Process: Windows Service

Creating a hidden or masqueraded service allows an attacker to maintain SYSTEM-level privileges across reboots. The same mechanism is used by remote-execution tools such as PsExec, which installs a temporary PSEXESVC service on the target, so a service-install event is also a lateral-movement indicator and must be read in context rather than only as persistence.

  • Log Source: Monitor the System log for Event ID 7045 ("A service was installed in the system"). Where "Audit Security System Extension" is enabled, Security Event ID 4697 records the same installation together with the installing account.
  • Anomalies: Scrutinize the Service File Name (the executable path). A service pointing to user-writable or staging directories such as C:\Users\Public\, C:\PerfLogs\, or C:\Windows\Temp\ warrants immediate isolation. Additionally, hunt for look-alike names (e.g., MicrosoftUpdaterService instead of MicrosoftUpdateService) and for services whose binary path is a script host or rundll32.exe rather than a dedicated service executable.
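
The 7045 triage described above, as an added PowerShell example that is not part of the original playbook: it reads service-install events from the System log, decodes the EventData fields, and flags suspicious image paths, the PSEXESVC artefact, and service names within edit distance two of a short list of real Windows service names. The directory list and the protected-name list are the author's illustrative choices; extend both from your environment's baseline. It assumes read access to the System log on the host being hunted.

```powershell
# Added example (not from the original playbook): hunt Event ID 7045 for suspicious
# image paths and look-alike service names. Assumes read access to the System log.

$suspiciousDirs = @('\\Users\\Public\\', '\\PerfLogs\\', '\\Windows\\Temp\\', '\\AppData\\', '\\ProgramData\\', '\\Windows\\Tasks\\')

# Real service names that attackers imitate; illustrative, extend from your baseline.
$knownServices = @('wuauserv','WinDefend','Schedule','Spooler','BITS','LanmanServer','TermService','W32Time')

function Get-EditDistance {
    # Levenshtein distance: a one- or two-character change from a known name is a typosquat candidate
    param([string]$a, [string]$b)
    $a = $a.ToLower(); $b = $b.ToLower()
    $d = New-Object 'int[,]' ($a.Length + 1), ($b.Length + 1)
    for ($i = 0; $i -le $a.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $b.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $a.Length; $i++) {
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[$i - 1, $j] + 1, $d[$i, $j - 1] + 1), $d[$i - 1, $j - 1] + $cost)
        }
    }
    return $d[$a.Length, $b.Length]
}

$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045 } -ErrorAction SilentlyContinue

$results = foreach ($e in $events) {
    # 7045 carries ServiceName, ImagePath, ServiceType, StartType and AccountName as EventData <Data> nodes
    $x = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $path  = [string]$data['ImagePath']
    $name  = [string]$data['ServiceName']
    $flags = @()
    foreach ($dir in $suspiciousDirs) { if ($path -match "(?i)$dir") { $flags += "path matches $dir" } }
    # PsExec installs PSEXESVC on the target: note it, but treat it as lateral movement rather than persistence
    if ($name -match '(?i)^PSEXE') { $flags += 'PsExec service (lateral-movement indicator)' }
    foreach ($k in $knownServices) {
        $dist = Get-EditDistance $name $k
        if ($dist -gt 0 -and $dist -le 2) { $flags += "look-alike of $k" }
    }
    if ($flags) {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            ServiceName = $name
            ImagePath   = $path
            StartType   = $data['StartType']
            Account     = $data['AccountName']
            Flags       = ($flags -join '; ')
        }
    }
}

$results | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
```

Add -ComputerName to Get-WinEvent to run the same pass against a remote host over the event log RPC interface; the XML decoding is identical because it works on the rendered event rather than on provider-specific property ordering.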

Hypothesis 3: Scheduled Tasks

MITRE ATT&CK: T1053.005 - Scheduled Task/Job: Scheduled Task

Scheduled tasks allow adversaries to execute payloads at specific times, upon specific events, or under highly privileged contexts without requiring an active logon session.

  • Log Source: Monitor the Security log for Event ID 4698 ("A scheduled task was created"); it is only written when "Audit Other Object Access Events" is enabled. Event ID 4702 covers task updates, and the Microsoft-Windows-TaskScheduler/Operational log records registrations as Event ID 106 when that channel is enabled.
  • Anomalies: The 4698 event embeds the full task definition as XML, so analyze the Command and Arguments of each Exec action rather than the task name alone. Tasks invoking living-off-the-land binaries (LOLBAS) or executing scripts from unusual locations must be triaged, as must tasks registered by an ordinary user but configured to run as SYSTEM or marked hidden.
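
Decoding that embedded task definition, as an added PowerShell example that is not part of the original playbook: it reads 4698 events from the Security log, parses the TaskContent XML with the Task Scheduler schema namespace, and flags each Exec action whose command is a LOLBAS host, whose command line touches a user-writable path, whose PowerShell arguments carry encoding or bypass switches, or whose task is hidden. The LOLBAS list, the path regex and the argument regex are the author's illustrative choices. It assumes 4698 auditing is enabled and the Security log is readable.

```powershell
# Added example (not from the original playbook): triage the Exec actions inside
# Security Event 4698. Assumes "Audit Other Object Access Events" is enabled.

$lolbas = @('powershell.exe','pwsh.exe','cmd.exe','wscript.exe','cscript.exe','mshta.exe',
            'rundll32.exe','regsvr32.exe','certutil.exe','bitsadmin.exe','msiexec.exe','wmic.exe')
$oddPaths = '(?i)\\Users\\Public\\|\\AppData\\|\\Temp\\|\\ProgramData\\|\\Windows\\Tasks\\'

function Get-TaskActions {
    # Return one object per <Exec> action in a Task Scheduler XML definition
    param([string]$TaskXml)
    if ([string]::IsNullOrWhiteSpace($TaskXml)) { return }
    $t  = [xml]$TaskXml
    $ns = New-Object System.Xml.XmlNamespaceManager($t.NameTable)
    $ns.AddNamespace('t', 'http://schemas.microsoft.com/windows/2004/02/mit/task')
    foreach ($exec in $t.SelectNodes('//t:Actions/t:Exec', $ns)) {
        [pscustomobject]@{
            Command   = $exec.SelectSingleNode('t:Command', $ns).InnerText
            Arguments = $exec.SelectSingleNode('t:Arguments', $ns).InnerText
            RunAs     = $t.SelectSingleNode('//t:Principal/t:UserId', $ns).InnerText
            Hidden    = $t.SelectSingleNode('//t:Settings/t:Hidden', $ns).InnerText
        }
    }
}

function Test-SuspiciousTaskAction {
    param($Action)
    $flags = @()
    $cmd  = [Environment]::ExpandEnvironmentVariables([string]$Action.Command)
    $leaf = [IO.Path]::GetFileName($cmd.Trim('"')).ToLower()
    if ($lolbas -contains $leaf) { $flags += "LOLBAS host: $leaf" }
    if ("$cmd $($Action.Arguments)" -match $oddPaths) { $flags += 'user-writable path' }
    if ($Action.Arguments -match '(?i)-enc|-e\s|frombase64|iex|downloadstring|-w(indowstyle)?\s+hidden|bypass') {
        $flags += 'encoded/hidden/bypass PowerShell switches'
    }
    if ($Action.Hidden -eq 'true') { $flags += 'task hidden' }
    return $flags
}

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4698 } -ErrorAction SilentlyContinue

$results = foreach ($e in $events) {
    # 4698 EventData includes SubjectUserName, SubjectDomainName, TaskName and the TaskContent XML blob
    $x = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    foreach ($a in (Get-TaskActions -TaskXml $data['TaskContent'])) {
        $flags = Test-SuspiciousTaskAction -Action $a
        if ($flags) {
            [pscustomobject]@{
                Time      = $e.TimeCreated
                Creator   = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                TaskName  = $data['TaskName']
                Command   = $a.Command
                Arguments = $a.Arguments
                RunAs     = $a.RunAs
                Flags     = ($flags -join '; ')
            }
        }
    }
}

$results | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
```

Comparing Creator with RunAs is the quick privilege-escalation check the bullet above calls for: a task created by a standard user whose principal is S-1-5-18 (SYSTEM) deserves a look even when its command line seems benign.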

Hypothesis 4: WMI Event Subscriptions

MITRE ATT&CK: T1546.003 - Event Triggered Execution: WMI Event Subscription

Windows Management Instrumentation (WMI) event subscriptions are a stealthy, fileless persistence mechanism: the payload is stored in the WMI repository rather than as a standalone file on disk. It requires creating a "WMI trio" in the root\subscription namespace: an __EventFilter (a WQL query describing the trigger, commonly a timer or a logon), an __EventConsumer (typically a CommandLineEventConsumer or ActiveScriptEventConsumer holding the payload), and a __FilterToConsumerBinding that links the two.

  • Log Source: This is a prime hunting ground for Sysmon. Look for Sysmon Event IDs 19 (WmiEventFilter), 20 (WmiEventConsumer), and 21 (WmiEventConsumerToFilter); as with registry events, they are only recorded when the Sysmon configuration enables WmiEvent logging. On a standard workstation these events are rare, and a CommandLineEventConsumer or ActiveScriptEventConsumer appearing outside a known software deployment demands immediate investigation. Baseline the few legitimate subscriptions (Windows itself ships the "SCM Event Log Filter" bound to an NTEventLogEventConsumer) so they do not mask new ones.
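
Enumerating the live trio and joining it to the Sysmon telemetry, as an added PowerShell example that is not part of the original playbook: it reads the three classes from root\subscription, walks each binding back to its filter and consumer so that the trigger query and the payload appear on one line, marks the two consumer types that carry executable payloads, and then pulls any Sysmon 19/20/21 events from the Sysmon channel for comparison. It assumes administrative rights on the endpoint; the Sysmon step is skipped silently if the channel does not exist.

```powershell
# Added example (not from the original playbook): list every WMI filter/consumer binding
# on the host and pull matching Sysmon 19/20/21 events. Assumes local admin rights.

$ns        = 'root\subscription'
$filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter)
$consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer)   # returns all derived consumer classes
$bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding)

# Consumer classes that execute something; NTEventLogEventConsumer and friends only log.
$payloadConsumers = @('CommandLineEventConsumer', 'ActiveScriptEventConsumer')

$trio = foreach ($b in $bindings) {
    # With the CIM cmdlets the Filter and Consumer reference properties come back as
    # key-only CimInstance objects, so the Name key is available directly.
    $f = $filters   | Where-Object Name -eq $b.Filter.Name   | Select-Object -First 1
    $c = $consumers | Where-Object Name -eq $b.Consumer.Name | Select-Object -First 1
    $consumerClass = $c.CimClass.CimClassName
    # The payload lives in CommandLineTemplate (CommandLineEventConsumer) or ScriptText (ActiveScriptEventConsumer)
    $payload = if ($c.CommandLineTemplate) { $c.CommandLineTemplate }
               elseif ($c.ScriptText)      { $c.ScriptText }
               else                        { '(non-executing consumer)' }
    [pscustomobject]@{
        Filter        = $b.Filter.Name
        Query         = $f.Query
        ConsumerClass = $consumerClass
        Consumer      = $b.Consumer.Name
        Payload       = $payload
        Suspicious    = ($consumerClass -in $payloadConsumers)
    }
}

# Orphaned filters or consumers (present but unbound) are also worth noting: staged but not yet armed.
$boundFilters   = $bindings | ForEach-Object { $_.Filter.Name }
$boundConsumers = $bindings | ForEach-Object { $_.Consumer.Name }
$orphans = @($filters   | Where-Object { $_.Name -notin $boundFilters }   | Select-Object @{n='Kind';e={'Filter'}},   Name) +
           @($consumers | Where-Object { $_.Name -notin $boundConsumers } | Select-Object @{n='Kind';e={'Consumer'}}, Name)

# Sysmon 19 (filter), 20 (consumer) and 21 (binding) events, if the Sysmon channel exists
$sysmon = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 19, 20, 21 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml(); $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Id        = $_.Id
            Operation = $d['Operation']
            User      = $d['User']
            Name      = $d['Name']
            Detail    = ((@($d['Query'], $d['Destination'], $d['Consumer'], $d['Filter']) | Where-Object { $_ }) -join ' | ')
        }
    }

$trio    | Sort-Object Suspicious -Descending | Format-List
$orphans | Format-Table -AutoSize
$sysmon  | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
```

On a clean Windows host the $trio output is one binding, "SCM Event Log Filter" to an NTEventLogEventConsumer, with Suspicious set to False; anything else, and in particular any row where Query is a __InstanceModificationEvent timer or a logon trigger and Payload is a command line, is what this hypothesis is hunting for.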

Leverage the following query in your SIEM to automate the initial data stacking for the service hypothesis above; it surfaces newly installed services whose executable lives in a suspicious directory. Field names depend on how the Windows add-on renders events: XML rendering yields ImagePath, ServiceName and ServiceType, while classic rendering yields Service_File_Name, Service_Name and Service_Type, so the query accepts either.

hunt_malicious_services.spl
index=windows sourcetype="WinEventLog:System" EventCode=7045
| eval ImagePath=lower(coalesce(ImagePath, Service_File_Name)), ServiceName=coalesce(ServiceName, Service_Name), ServiceType=coalesce(ServiceType, Service_Type)
| search ImagePath="*\\users\\public\\*" OR ImagePath="*\\perflogs\\*" OR ImagePath="*\\temp\\*" OR ImagePath="*\\appdata\\local\\*"
| table _time, host, ServiceName, ServiceType, ImagePath
| sort - _time