MITRE ATT&CK describes persistence as one of the key tactics used by cyber criminals to compromise your systems. In this live, free training I’m going to show you 9 of the best ways to detect attackers trying to obtain persistence.
Bad guys almost always need to obtain persistence so that they can, well, persist between reboots and logon sessions. Persistence also comes into play when attackers want to ensure they retain credentials with sufficient access independent of legitimate user accounts.
However, the good news is that establishing persistence requires the attacker to make system changes, changes that can be detected. Some methods are louder than others, but if you listen closely you should be able to hear them. It’s a matter of knowing all the ways and places persistence can be achieved, monitoring for those specific changes and filtering out the legitimate changes.
For this webinar, I selected many Persistence Techniques from ATT&CK, and some other methods I’m aware of, for a total of 9 security changes you can monitor for on your Windows Servers to detect persistence.
- Registry Run keys exploited for persistence
- New/changed services
- Local account changes
- Local group changes
- Rights assignments
- Scheduled Task changes
- WMI Event Subscription
- BITS Jobs
- DLL and EXE file system modifications
For each of these methods I will explain how they work and show you where and what you must monitor in order to detect them. Some of these are simple security events, others require PowerShell, file system, and registry auditing.
This will be a practical and technical webinar. You’ll learn about Windows, attackers, and the MITRE ATT&CK framework. My sponsor is SolarWinds, and they will show you how Server Configuration Monitor can automate all the monitoring tips I share with you.
Please join us for this real training for free session.