How Hackers Establish Persistence

Join Andrew Prince as he demonstrates how you can hunt for evidence of adversaries attempting to establish persistence in your environment. There are a handful of common techniques that they often lean on, and in this video, he shows you the telltale signs of malware implants. It's very rare these days to find an intrusion that doesn't involve some form of persistence but understand the common persistence methods and you'll be able to detect it more easily.

Like this video? Subscribe for more from the TCMS team!

WMI Event Consumer Example: https://gist.github.com/MalwareCube/9...

Like this content? Consider taking SOC 101 by Andrew Prince, found in the TCMS Academy. https://www.tcm.rocks/soc101-y

The PSAA (Practical SOC Analyst Associate) builds off the content in SOC 101 and proves your expertise. Read more about it here: https://www.tcm.rocks/psaa-y

We now have the more advanced course and cert, SOC 201 and PSAP (Practical SOC Analyst Professional), available. These focus more on incident response and threat hunting.
https://www.tcm.rocks/soc201-y
https://www.tcm.rocks/psap-y

#malware #threathunting #cybersecurity #infosec #hacking

Sponsor a Video: https://www.tcm.rocks/Sponsors
Pentests & Security Consulting: https://tcm-sec.com
Get Trained: https://academy.tcm-sec.com
Get Certified: https://certifications.tcm-sec.com
Merch: https://merch.tcm-sec.com

📱Social Media📱
___________________________________________
X: https://x.com/TCMSecurity
Twitch:   / thecybermentor  
Instagram:   / tcmsecurity  
LinkedIn:   / tcm-security-inc  
TikTok:   / tcmsecurity  
Discord:   / discord  
Facebook:   / tcmsecure  

Timestamps:
0:00 - Introduction
0:38 - Autostart Locations
3:30 - Hunting Run Keys
5:49 - Windows Services
9:09 - Abusing Service Failure Recovery
10:15 - Scheduled Tasks
11:03 - Hunting Scheduled Tasks
11:58 - WMI Event Consumers
14:37 - Creating and Hunting WMI Event Consumer Backdoors
18:21 - Conclusion

💸Donate💸
___________________________________________
Like the channel? Please consider supporting me on Patreon:
  / thecybermentor  
Support the stream (one-time): https://streamlabs.com/thecybermentor

Hacker Books:
Penetration Testing: A Hands-On Introduction to Hacking: https://amzn.to/31GN7iX
The Hacker Playbook 3: https://amzn.to/34XkIY2
Hacking: The Art of Exploitation: https://amzn.to/2VchDyL
The Web Application Hacker's Handbook: https://amzn.to/30Fj21S
Real-World Bug Hunting: A Field Guide to Web Hacking: https://amzn.to/2V9srOe
Linux Basics for Hackers: https://amzn.to/34WvcXP
Python Crash Course, 2nd Edition: https://amzn.to/30gINu0
Violent Python: https://amzn.to/2QoGoJn
Black Hat Python: https://amzn.to/2V9GpQk

My Build:
lg 32gk850g-b 32" Gaming Monitor:https://amzn.to/30C0qzV
darkFlash Phantom Black ATX Mid-Tower Case: https://amzn.to/30d1UW1
EVGA 2080TI: https://amzn.to/30d2lj7
MSI Z390 MotherBoard: https://amzn.to/30eu5TL
Intel 9700K: https://amzn.to/2M7hM2p
G.SKILL 32GB DDR4 RAM: https://amzn.to/2M638Zb
Razer Nommo Chroma Speakers: https://amzn.to/30bWjiK
Razer BlackWidow Chroma Keyboard: https://amzn.to/2V7A0or
CORSAIR Pro RBG Gaming Mouse: https://amzn.to/30hvg4P
Sennheiser RS 175 RF Wireless Headphones: https://amzn.to/31MOgpu

My Recording Equipment:
Panasonic G85 4K Camera: https://amzn.to/2Mk9vsf
Logitech C922x Pro Webcam: https://amzn.to/2LIRxAp
Aston Origin Microphone: https://amzn.to/2LFtNNE
Rode VideoMicro: https://amzn.to/309yLKH
Mackie PROFX8V2 Mixer: https://amzn.to/31HKOMB
Elgato Cam Link 4K: https://amzn.to/2QlicYx
Elgato Stream Deck: https://amzn.to/2OlchA5

*We are a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for us to earn fees by linking to Amazon.com and affiliated sites.