Detect Persistence From Event Logs
An attacker uses various methods to maintain persistence on a system. One of them is creating a scheduled task or modifying an existing one.
As security analysts, we can access the Task Scheduler logs in Event Viewer under Applications and Services Logs > Microsoft > Windows > TaskScheduler > Operational (log file: Microsoft-Windows-TaskScheduler%4Operational.evtx).
Log file for lesson: persistence.zip Pass=321
The following two event IDs make this job much easier:
Event ID 4698 - A scheduled task was created
Event ID 4702 - A scheduled task was updated
First, we can examine newly created tasks by filtering on Event ID 4698. Here we can see the newly created scheduled tasks.
As can be seen in the image, a task that launches a reverse shell has been created.
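As an added example (not part of the lesson), the following Python helper parses one 4698/4702 event exported as XML and flags the task's action with simple triage heuristics; the sample event, the task name and the regexes are all constructed for illustration. Note that 4698 and 4702 are written to the Security log and require the "Audit Other Object Access Events" policy to be enabled.

```python
import re
import xml.etree.ElementTree as ET

EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Constructed sample: one 4698 event as exported from the Security log (XML view).
# The TaskContent field carries the full task definition as escaped XML.
SAMPLE_4698 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4698</EventID><Computer>WS01</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="TaskName">\\Updater</Data>
    <Data Name="TaskContent">&lt;Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"&gt;&lt;Actions&gt;&lt;Exec&gt;&lt;Command&gt;powershell.exe&lt;/Command&gt;&lt;Arguments&gt;-nop -w hidden -enc SQBFAFgA&lt;/Arguments&gt;&lt;/Exec&gt;&lt;/Actions&gt;&lt;/Task&gt;</Data>
  </EventData>
</Event>"""

# Illustrative heuristics an analyst would apply to the task's Exec action.
RULES = [
    ("script interpreter", re.compile(r"\b(powershell|pwsh|cmd|wscript|cscript|mshta)(\.exe)?\b", re.I)),
    ("hidden window or encoded command", re.compile(r"-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s", re.I)),
    ("download cradle", re.compile(r"downloadstring|invoke-webrequest|\biwr\b|\bcurl\b|bitsadmin", re.I)),
    ("user-writable path", re.compile(r"\\(users|temp|appdata|programdata)\\", re.I)),
]

def parse_task_event(xml_text):
    """Flatten a 4698/4702 event into the fields that matter for triage."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.iter(EVT_NS + "Data")}
    event_id = root.find(f".//{EVT_NS}EventID").text
    # 4698 carries TaskContent; 4702 carries the new definition as TaskContentNew.
    task_xml = data.get("TaskContent") or data.get("TaskContentNew") or ""
    command = arguments = ""
    if task_xml:
        task = ET.fromstring(task_xml)  # the embedded task definition
        cmd_el = task.find(f".//{TASK_NS}Command")
        arg_el = task.find(f".//{TASK_NS}Arguments")
        command = (cmd_el.text or "").strip() if cmd_el is not None else ""
        arguments = (arg_el.text or "").strip() if arg_el is not None else ""
    return {"event_id": event_id, "user": data.get("SubjectUserName", ""),
            "task": data.get("TaskName", ""), "command": command, "arguments": arguments}

def suspicious_reasons(record):
    """Return the names of the heuristics that fire on command + arguments."""
    action = f"{record['command']} {record['arguments']}"
    return [name for name, pattern in RULES if pattern.search(action)]

if __name__ == "__main__":
    rec = parse_task_event(SAMPLE_4698)
    print(rec["task"], rec["user"], rec["command"], rec["arguments"], suspicious_reasons(rec))
```

On a real host, feed it the output of `wevtutil qe Security /q:"*[System[EventID=4698 or EventID=4702]]" /f:xml`, one event element at a time.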
When a new service is added to the system, Event ID 4697 "A service was installed in the system" is logged. Look for services created with a suspicious name or binary path, or on a suspicious date.
If you suspect that persistence was achieved by editing registry values, search for Event ID 4657 "A registry value was modified".