Skip to content

DFIQ (Digital Forensics Investigative Questions)

Host Persistence Audit

Host Persistence Audit

ID: S1007

Description: Once an attacker is on a system, a main goal becomes trying to maintain that access. Persistence mechanisms give the attacker the ability to run malware that will survive reboots and credential changes.

Was a browser extension used to maintain a foothold? F1019

Q1021 What Chrome extensions are installed?
Q1052 What browser extensions (non-Chrome) are installed?

Are there any interesting logon or boot initialization scripts? F1020

Q1053 What Launch Agents are configured?
Q1054 What Launch Daemons are configured?
Q1055 What Windows logon scripts are configured?
Q1056 What login hooks are configured?
Q1057 What network logon scripts are configured?

Are there any new accounts that have been created? F1021

Q1058 What domain accounts have been created?
Q1059 What local accounts have been created?

Are there any scheduled/automated tasks that ran? F1022

Q1060 What AT jobs are configured?
Q1061 What Scheduled Tasks are configured?
Q1062 What cron jobs are configured?
Q1063 What periodic scripts are configured?
Q1064 What systemd timers are configured?

Q1065 What files are referenced in Registry "Run" keys?
Q1066 What items are in startup folders?

Has a system process been created or modified? F1024

Q1067 What system services are installed?
Q1068 When were system services last modified?

Are there any indications of hijacking execution flows? F1025

Q1069 Are there any indications of dylib hijacking?
Q1070 Are there any indications of dylib proxying?
Q1071 Are there any indications of dynamic linker hijacking?