Detecting Persistence: Top 9 Security Changes to Monitor on Windows Server

Webinar Registration

MITRE ATT&CK describes persistence as one of the key tactics used by cyber criminals to compromise your systems. In this live, free training I’m going to show you 9 of the best ways to detect attackers trying to obtain persistence. 

Bad guys almost always need to obtain persistence so that they can, well, persist between reboots and logon sessions. Persistence also comes into play when attackers want to ensure they retain credentials with sufficient access independent of legitimate user accounts. 

However, the good news is that establishing persistence requires the attacker to make system changes, changes that can be detected. Some methods are louder than others, but if you listen closely you should be able to hear them. It’s a matter of knowing all the ways and places persistence can be achieved, monitoring for those specific changes and filtering out the legitimate changes. 

For this webinar, I selected many Persistence Techniques from ATT&CK, and some other methods I’m aware of, for a total of 9 security changes you can monitor for on your Windows Servers to detect persistence.    

  1. Registry Run keys exploited for persistence
  2. New/changed services
  3. Local account changes
  4. Local group changes
  5. Rights assignments
  6. Scheduled Task changes
  7. WMI Event Subscription
  8. BITS Jobs
  9. DLL and EXE file system modifications

For each of these methods I will explain how they work and show you where and what you must monitor in order to detect them. Some of these are simple security events, others require PowerShell, file system, and registry auditing.

This will be a practical and technical webinar. You’ll learn about Windows, attackers, and MITRE ATT&CK framework. My sponsor is SolarWinds and they will show you how Server Configuration Monitor can automate all the monitoring tips I share with you.

Please join us for this real training for free session.

First Name:   
Last Name:   
Work Email:  
Zip/Postal Code:  

Your information will be shared with the sponsor.

By clicking "Submit", you're agreeing to our Privacy Policy and consenting to be contacted by us and the sponsor.



Additional Resources