LetsDefend Academy

Online practicing and training platform for blue team members

Detect Persistence From Event Logs

An attacker uses various methods to maintain persistence on a compromised system. One of them is creating a scheduled task or modifying an existing one.

Scheduled Task

As security analysts, we can access the Task Scheduler logs under Applications and Services Logs > Microsoft > Windows > TaskScheduler > Operational (the file Microsoft-Windows-TaskScheduler%4Operational.evtx).

Log file for lesson:

persistence.zip Pass=321

The following two event IDs make this job much easier:
Event ID 4698 - A scheduled task was created
Event ID 4702 - A scheduled task was updated

First, we can examine newly created tasks by filtering for Event ID 4698.

As can be seen in the image, a task that launches a reverse shell has been created.
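As an added example (not part of the LetsDefend lesson), the Python script below pulls the analyst-relevant fields out of a 4698/4702 record once it has been exported as XML (for instance from Event Viewer's XML view), including the task definition that Windows embeds in the TaskContent field, and lists command-line fragments worth a closer look. The event record and the SUSPICIOUS list are constructed for this example; note that 4698/4702 live in the Security log and are only written when the "Other Object Access Events" audit subcategory is enabled.

```python
import re
import xml.etree.ElementTree as ET

EVT = "{http://schemas.microsoft.com/win/2004/08/events/event}"
TASK = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
# Command-line fragments that often show up in tasks used for persistence; hits need manual review.
SUSPICIOUS = ("-enc", "-encodedcommand", "-nop", "hidden", "iex", "downloadstring", "nc.exe", "ncat")

# Constructed sample: a Security 4698 record as Event Viewer's XML view renders it. The task
# definition (TaskContent) is embedded as an escaped XML string, so it needs a second parse.
SAMPLE_4698 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4698</EventID><Computer>WS01</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="TaskName">\\Microsoft\\Windows\\Updater</Data>
    <Data Name="TaskContent">&lt;?xml version="1.0" encoding="UTF-16"?&gt;&lt;Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"&gt;&lt;Principals&gt;&lt;Principal&gt;&lt;RunLevel&gt;HighestAvailable&lt;/RunLevel&gt;&lt;/Principal&gt;&lt;/Principals&gt;&lt;Triggers&gt;&lt;LogonTrigger/&gt;&lt;/Triggers&gt;&lt;Actions&gt;&lt;Exec&gt;&lt;Command&gt;powershell.exe&lt;/Command&gt;&lt;Arguments&gt;-nop -w hidden -enc QUJD&lt;/Arguments&gt;&lt;/Exec&gt;&lt;/Actions&gt;&lt;/Task&gt;</Data>
  </EventData>
</Event>"""

def parse_task_event(event_xml):
    """Pull the analyst-relevant fields out of a 4698/4702 event rendered as XML."""
    root = ET.fromstring(event_xml)
    fields = {d.get("Name"): (d.text or "") for d in root.iter(f"{EVT}Data")}
    # Drop the inner <?xml ... encoding="UTF-16"?> declaration; we already hold decoded text.
    task = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", fields["TaskContent"]))
    actions = []
    for ex in task.iter(f"{TASK}Exec"):  # one Exec element per command the task runs
        cmd = ex.findtext(f"{TASK}Command", "")
        args = ex.findtext(f"{TASK}Arguments", "")
        actions.append(f"{cmd} {args}".strip())
    trig = task.find(f"{TASK}Triggers")  # LogonTrigger, BootTrigger, CalendarTrigger, ...
    triggers = [] if trig is None else [t.tag.replace(TASK, "") for t in trig]
    return {
        "event_id": int(root.findtext(f"{EVT}System/{EVT}EventID")),
        "user": fields.get("SubjectUserName", ""),
        "task_name": fields.get("TaskName", ""),
        "run_level": task.findtext(f".//{TASK}RunLevel", ""),
        "triggers": triggers,
        "actions": actions,
    }

def flag_task(info):
    """Return the SUSPICIOUS fragments found in the task's command lines (empty = nothing obvious)."""
    return [s for line in info["actions"] for s in SUSPICIOUS if s in line.lower()]

if __name__ == "__main__":
    info = parse_task_event(SAMPLE_4698)
    print(info, flag_task(info))
```

The same parser applies to 4702, whose TaskContentNew field holds the updated definition; swap the field name to compare old and new task bodies.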

Service

When a new service is added to the system, Event ID 4697 "A service was installed in the system" is generated. Examine services created on a suspicious date or with a suspicious name or file.

Registry

If you suspect that persistence was achieved by editing registry values, you can search for Event ID 4657 "A registry value was modified".