In the MITRE ATT&CK matrix, TA0003 (Persistence) and TA0004 (Privilege Escalation) heavily overlap. When an adversary establishes persistence via a mechanism executed by the operating system during the boot sequence, that payload typically inherits the privileges of the invoking process—often NT AUTHORITY\SYSTEM on Windows or root on Linux.
By actively hunting for the artifacts generated by these system modifications, Security Operations Centers (SOCs) can detect advanced adversaries before they successfully transition to lateral movement or data exfiltration.
Adversaries may create or modify system-level processes to repeatedly execute malicious payloads. Because these services start automatically upon boot, they are the gold standard for high-privilege persistence.
On Windows, attackers register malicious binaries with the Service Control Manager (SCM). This technique is the backbone of lateral movement frameworks like PsExec and Cobalt Strike.
System event log.ImagePath (Service File Name) within this event. A service executing a binary from a world-writable directory (C:\Users\Public\, C:\Windows\Temp\) or running a command-line interpreter (e.g., cmd.exe /c powershell.exe ...) is a critical Indicator of Compromise.On modern Linux distributions, systemd manages service execution.
.service unit files into /etc/systemd/system/.ssh.service.d/override.conf) designed to hook legitimate services and execute malicious payloads via the ExecStartPost directive.Instead of running as a system service, adversaries can configure payloads to execute when a user logs in. This is highly effective for targeting specific user sessions to steal credentials or monitor activity.
Windows Registry Run Keys (T1547.001)
The most common user-land persistence mechanism. Attackers add payload paths to HKCU\Software\Microsoft\Windows\CurrentVersion\Run or HKLM\...\Run.
DFIR Pivot: Analyze the Windows Registry. The “Last Write Time” of the modified Run key reveals the exact millisecond the adversary established persistence.
Linux Legacy Initialization (T1547.006)
Despite the dominance of systemd, Linux maintains backward compatibility with legacy SysVinit scripts and user profiles. Attackers drop backdoors in /etc/rc.local or append malicious aliases to /etc/profile.d/.
DFIR Pivot: Use package managers (RPM/DPKG) to verify the cryptographic integrity of these initialization scripts to detect timestomping and tampering.
Scheduled tasks provide adversaries with extreme flexibility. A payload can be configured to execute daily at 3:00 AM, every 15 minutes as a C2 beacon heartbeat, or specifically when a Domain Admin logs on.
Attackers use native utilities like schtasks.exe or PowerShell cmdlets to register malicious tasks.
Security log.<Command> and <Arguments> nodes. Tasks launching scripting engines (wscript.exe, mshta.exe, powershell.exe) with obfuscated parameters must be triaged immediately.Cron is the Unix time-based job scheduler. It is the lifeblood of Linux persistence.
/var/spool/cron/crontabs/www-data) or drop executable scripts directly into /etc/cron.hourly/.curl or wget outputs directly into bash, or opening raw /dev/tcp/ sockets for reverse shell callbacks.To translate these ATT&CK techniques into operational SIEM alerts, utilize the following queries focused on identifying the establishment of persistence mechanisms.
// Mitre ATT&CK: T1053.005 (Scheduled Task)// Detects the creation of Scheduled Tasks executing suspicious scripting engines or LOLBAS.SecurityEvent| where EventID == 4698| parse EventData with * '<Data Name="TaskName">' TaskName '</Data>' *// Extract the XML execution details| parse EventData with * '<Command>' Command '</Command>' *| parse EventData with * '<Arguments>' Arguments '</Arguments>' *| extend Command = tolower(Command)// Filter for suspicious execution engines| where Command has_any ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe")// Exclude authorized administrative tasks| where TaskName !startswith "\\Microsoft\\Windows"| project TimeGenerated, Computer, SubjectUserName, TaskName, Command, Arguments| sort by TimeGenerated desctitle: Suspicious Execution via Registry Run Keys (T1547.001)id: 8d9e0f1a-2b3c-4d5e-6f7a-8b9c0d1e2f3astatus: stabledescription: Detects the addition of suspicious executables or command lines to the Registry Run/RunOnce keys to achieve persistence upon user logon.logsource: category: registry_event product: windowsdetection: selection: # Sysmon Event ID 12, 13, 14 TargetObject|contains|any: - '\Software\Microsoft\Windows\CurrentVersion\Run' - '\Software\Microsoft\Windows\CurrentVersion\RunOnce' selection_payload: Details|contains|any: - 'powershell' - 'cmd.exe /c' - 'wscript' - 'cscript' - 'C:\Users\Public\' - 'C:\Windows\Temp\' - '%TEMP%' condition: selection and selection_payloadlevel: hightags: - attack.persistence - attack.privilege_escalation - attack.t1547.001Persistence artifacts are the most durable indicators in a forensic investigation. While adversaries can wipe their bash history or use in-memory Process Injection to hide active execution, they cannot execute at boot without modifying the host’s configuration.
By systematically hunting for T1543, T1547, and T1053, defenders exploit the attacker’s operational necessity. Securing comprehensive visibility into Service creation, Scheduled Tasks, and Registry modifications ensures that even if Initial Access is missed, the adversary’s foothold will be rapidly identified and eradicated.