Host Persistence Audit
Description: Once an attacker is on a system, a main goal becomes trying to maintain that access. Persistence mechanisms give the attacker the ability to run malware that will survive reboots and credential changes.
Was a browser extension used to maintain a foothold? F1019
- Q1021 What Chrome extensions are installed?
- Q1052 What browser extensions (non-Chrome) are installed?
Are there any interesting logon or boot initialization scripts? F1020
- Q1053 What Launch Agents are configured?
- Q1054 What Launch Daemons are configured?
- Q1055 What Windows logon scripts are configured?
- Q1056 What login hooks are configured?
- Q1057 What network logon scripts are configured?
Are there any new accounts that have been created? F1021
- Q1058 What domain accounts have been created?
- Q1059 What local accounts have been created?
Are there any scheduled/automated tasks that ran? F1022
- Q1060 What AT jobs are configured?
- Q1061 What Scheduled Tasks are configured?
- Q1062 What cron jobs are configured?
- Q1063 What periodic scripts are configured?
- Q1064 What systemd timers are configured?
Are there any suspicious files running at system boot or login autoruns? F1023
- Q1065 What files are referenced in Registry "Run" keys?
- Q1066 What items are in startup folders?
Has a system process been created or modified? F1024
- Q1067 What system services are installed?
- Q1068 When were system services last modified?
Are there any indications of hijacking execution flows? F1025
- Q1069 Are there any indications of dylib hijacking?
- Q1070 Are there any indications of dylib proxying?
- Q1071 Are there any indications of dynamic linker hijacking?