Detecting Persistence Techniques with Sysmon and Event Logs: A Practical Walkthrough
Home
Detecting Persistence Techniques with Sysmon and Event Logs: A Practical Walkthrough

Persistence is a crucial stage in the cyber attack lifecycle. After gaining initial access, adversaries often implant mechanisms that allow them to maintain foothold on a compromised system—surviving reboots, credential resets, or even defensive actions. Detecting these persistence techniques is essential for defenders, and one of the most effective ways to do so is by leveraging Sysmon (System Monitor) and native Windows Event Logs.

This blog provides a hands-on, technical walkthrough of detecting common persistence mechanisms using Sysmon and Event Viewer, combining real-world indicators with practical examples and detection logic.

Why Sysmon and Event Logs?

Sysmon, part of the Sysinternals suite by Microsoft, provides detailed visibility into system activities like process creation, registry changes, driver loading, and more. When configured correctly, it significantly enhances endpoint detection capability.

Native Windows Event Logs, on the other hand, offer insights into user logons, scheduled tasks, service modifications, and more—complementing Sysmon’s telemetry for a full picture.

Lab Setup for Walkthrough

  • Host OS: Windows 10 (Lab VM)
  • Logging Tools:
    • Sysmon v14+ with a comprehensive config (e.g., SwiftOnSecurity’s config)
    • Event Viewer
  • Tools used by attacker for persistence simulation:
    • schtasks.exe for Scheduled Tasks
    • Registry modifications via reg.exe
    • sc.exe for malicious services
    • powershell.exe for WMI subscriptions

Persistence Techniques and How to Detect Them

🔧 1. Registry Run Keys

Technique: Malware or an attacker can add a value to the registry so that the program runs at user logon.

Registry Path Examples:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Attacker Simulation:

bashreg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v myApp /t REG_SZ /d "C:\malicious.exe"

Sysmon Detection:

  • Event ID: 13 (Registry Value Set)
  • Field to watch: TargetObject containing the above path

Example Log:

xml<EventID>13</EventID>
<Details>HKCU\Software\Microsoft\Windows\CurrentVersion\Run\myApp</Details>

Detection Tips:

  • Monitor for process names and paths not signed or located in suspicious directories.
  • Alert on uncommon users modifying Run keys.

🕒 2. Scheduled Tasks

Technique: Attackers use scheduled tasks to run payloads at intervals or on triggers like logon.

Attacker Simulation:

bashschtasks /create /tn "Updater" /tr "C:\malware\evil.exe" /sc ONLOGON

Event Logs:

  • Event ID:4698 (Task Created)
    • Log Path: Security
  • Event ID:106 (Task Registered)
    • Log Path: Microsoft-Windows-TaskScheduler/Operational

Sysmon Detection:

  • Event ID: 1 (Process Creation)
  • Look for suspicious use of schtasks.exe or powershell.exe creating XML task definitions.

Detection Tips:

  • Monitor task creation from unusual parent processes.
  • Track non-admin users registering tasks.
  • Alert on suspicious paths or task names (e.g., obfuscated or random).

🛠 3. Services for Persistence

Technique: Creating or modifying a Windows service to execute a binary on system startup.

Attacker Simulation:

bash
sc create MaliciousService binPath= "C:\malware\backdoor.exe" start= auto

Event Logs:

  • Event ID:7045 (Service installed)
    • Log Path: System

Sysmon Detection:

  • Event ID: 1 (Process Creation) — Look for sc.exe or New-Service usage
  • Event ID:12 and 13 (Registry creation/change) — Services are stored in:
    • HKLM\SYSTEM\CurrentControlSet\Services\

Example Log:

xml
<ServiceName>MaliciousService</ServiceName>
<BinaryPathName>C:\malware\backdoor.exe</BinaryPathName>

Detection Tips:

  • Flag service names and paths not matching enterprise standards.
  • Look for unsigned or external binaries in service configurations.

🧬 4. WMI Event Subscription

Technique: Adversaries can abuse WMI’s __EventFilter, __EventConsumer, and __FilterToConsumerBinding classes to execute code on trigger events like logon or time interval.

Attacker Simulation (via PowerShell):

powershell
$Filter=Set-WmiInstance -Namespace root\subscription -Class __EventFilter -Arguments @{
    Name='WMITrigger'
    EventNamespace='Root\Cimv2'
    Query="SELECT * FROM __InstanceModificationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
    QueryLanguage='WQL'
}

Sysmon Detection:

  • Event ID: 1 (Process creation — suspicious PowerShell)
  • Event ID: 21 (WMI Event Filter)
  • Event ID: 22 (WMI Event Consumer)
  • Event ID: 23 (WMI Binding)

Example Log:

xml
<EventID>21</EventID>
<EventNamespace>root\subscription</EventNamespace>
<QueryLanguage>WQL</QueryLanguage>

Detection Tips:

  • Monitor WMI persistence classes in the root\subscription namespace.
  • Alert on rare or first-time WMI consumers.

🧱 5. DLL Search Order Hijacking / AppInit_DLLs

Technique: Modify registry or environment variables so a malicious DLL is loaded by a trusted process.

Registry Key Example:

  • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

Detection:

  • Sysmon Event ID 7: Image Load — can detect DLLs loaded by processes.
  • Sysmon Event ID 13: Registry value change for AppInit_DLLs.

Detection Tips:

  • Flag DLLs from unusual directories.
  • Use baseline of known DLLs for trusted processes.

Correlation and Hunting Strategy

To effectively hunt for persistence:

TechniqueEvent SourceEvent IDsKey Field
Registry Run KeySysmon13TargetObject
Scheduled TaskEvent Logs4698, 106Task Name, XML
Service InstallSystem Log7045Binary Path
WMI SubscriptionSysmon21, 22, 23Namespace
DLL HijackSysmon7, 13Image/TargetObject

SIEM Query Example (Splunk):

spl
index=sysmon (EventCode=13 AND TargetObject="*\\Run\\*") 
OR (EventCode=4698) 
OR (EventCode=7045) 
OR (EventCode=21 OR EventCode=22 OR EventCode=23)

Best Practices for Detection & Prevention

  1. Baseline Normal Behavior: Understand what’s normal for your environment before alerting on noise.
  2. Use Signed Sysmon Configs: Like SwiftOnSecurity’s Sysmon Config
  3. Harden Registry and Task Permissions: Prevent unprivileged users from creating persistence.
  4. Centralize Logs to SIEM: Helps with correlation and detection over time.
  5. Periodic Log Review: Audit for known persistence paths.

Conclusion

Persistence techniques are essential for adversaries and must be a key focus area for blue teams. By leveraging the power of Sysmon, enriched with native Windows Event Logs, defenders can proactively detect and respond to stealthy persistence mechanisms before significant damage occurs.

The key lies in:

  • Understanding how attackers operate
  • Setting up effective telemetry
  • And building smart detection logic around that telemetry

Equip your blue team with visibility and vigilance. Persistence is sneaky—but not invisible.

Blogs

Latest Blogs