Host Persistence Audit

ID: S1007

Description: Once an attacker is on a system, a primary goal is maintaining that access. Persistence mechanisms let the attacker run malware that survives reboots and credential changes.

Was a browser extension used to maintain a foothold? F1019

  • Q1021  What Chrome extensions are installed?
  • Q1052  What browser extensions (non-Chrome) are installed?

Are there any interesting logon or boot initialization scripts? F1020

  • Q1053  What Launch Agents are configured?
  • Q1054  What Launch Daemons are configured?
  • Q1055  What Windows logon scripts are configured?
  • Q1056  What login hooks are configured?
  • Q1057  What network logon scripts are configured?

Are there any new accounts that have been created? F1021

  • Q1058  What domain accounts have been created?
  • Q1059  What local accounts have been created?

Are there any scheduled/automated tasks that ran? F1022

  • Q1060  What AT jobs are configured?
  • Q1061  What Scheduled Tasks are configured?
  • Q1062  What cron jobs are configured?
  • Q1063  What periodic scripts are configured?
  • Q1064  What systemd timers are configured?

Are there any suspicious files running at system boot or login (autoruns)? F1023

  • Q1065  What files are referenced in Registry "Run" keys?
  • Q1066  What items are in startup folders?

Has a system process been created or modified? F1024

  • Q1067  What system services are installed?
  • Q1068  When were system services last modified?

Are there any indications of hijacking execution flows? F1025

  • Q1069  Are there any indications of dylib hijacking?
  • Q1070  Are there any indications of dylib proxying?
  • Q1071  Are there any indications of dynamic linker hijacking?