The Sysinternals tool Autoruns checks the registry and file system for known persistence mechanisms. It outputs every tool it identifies, including built-in or added-on Microsoft functionality and third-party software. Many of these locations are known to adversaries and used to obtain Persistence. Running Autoruns periodically in an environment makes it possible to collect its output and monitor it for differences, which may include the removal or addition of persistent tools. Depending on the persistence mechanism and location, legitimate software may be more likely than an adversary tool to make changes; thus, this analytic may produce significant noise in a highly dynamic environment. While Autoruns is a convenient way to scan for programs that use persistence mechanisms, its scanning nature does not conform well to streaming-based analytics. If streaming analytics are desired, this analytic could be replaced with one that draws from sensors collecting registry and file information.

ATT&CK Detection

Technique                                             | Tactic                            | Level of Coverage
------------------------------------------------------|-----------------------------------|------------------
Modify Existing Service                               | Persistence                       | Moderate
New Service                                           | Persistence                       | Moderate
Scheduled Task                                        | Persistence                       | Moderate
Port Monitors                                         | Persistence                       | Moderate
Registry Run Keys / Startup Folder                    | Persistence                       | Moderate
Path Interception                                     | Persistence, Privilege Escalation | Moderate
Accessibility Features                                | Privilege Escalation, Persistence | Moderate
Modify Registry                                       | Persistence, Execution            | Moderate
Service Registry Permissions Weakness                 | Persistence, Execution            | Moderate
Windows Management Instrumentation Event Subscription | Persistence                       | Moderate
File System Permissions Weakness                      | Privilege Escalation, Persistence | Moderate
Change Default File Association                       | Persistence                       | Moderate
Logon Scripts                                         | Persistence                       | Moderate
Winlogon Helper DLL                                   | Persistence                       | Moderate
AppInit DLLs                                          | Persistence                       | Moderate

Additional Notes:

Utilizes the Sysinternals Autoruns tool (ignoring validated Microsoft entries). This is primarily not a detection analytic by itself, but an analyst's review of its results can serve as one. Building another analytic on top of this one that identifies unusual entries would likely be a beneficial alternative.
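The periodic collect-and-compare loop described in the opening paragraph, combined with the note above about ignoring validated Microsoft entries, can be implemented as a diff between two Autoruns CSV exports. The following Python is an added example written for this page; it is not part of the CAR analytic or the Sysinternals tooling. The two CSV exports are constructed sample data, and their column set (a subset of what autorunsc's CSV mode emits) is an assumption of this example. Entries are keyed by location and name; an entry whose signer, image path, hash or enabled state differs between baseline and current is reported as changed, and signed Microsoft entries are dropped before comparison unless the caller asks to keep them.

```python
"""Diff two Autoruns CSV exports and report added, removed and changed entries."""
import csv
import io

# Constructed sample exports for this example (not real autorunsc output).
# Column names mimic an autorunsc CSV export but are an assumption here.
BASELINE_CSV = r"""Entry Location,Entry,Enabled,Category,Description,Signer,Image Path,SHA-256
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,Windows Security notification icon,(Verified) Microsoft Windows,c:\windows\system32\securityhealthsystray.exe,1111
HKLM\System\CurrentControlSet\Services,BackupAgent,enabled,Services,Backup agent service,(Verified) Example Backup Co,c:\program files\backup\agent.exe,2222
Task Scheduler,\Updater\UpdateCheck,enabled,Tasks,Vendor update check,(Verified) Example Vendor,c:\program files\vendor\update.exe,3333
"""

CURRENT_CSV = r"""Entry Location,Entry,Enabled,Category,Description,Signer,Image Path,SHA-256
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,Windows Security notification icon,(Verified) Microsoft Windows,c:\windows\system32\securityhealthsystray.exe,1111
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,ExampleMsEntry,enabled,Logon,Constructed Microsoft-signed entry,(Verified) Microsoft Windows,c:\windows\system32\example.exe,4444
HKLM\System\CurrentControlSet\Services,BackupAgent,enabled,Services,Backup agent service,(Verified) Example Backup Co,c:\program files\backup\agent.exe,2222
Task Scheduler,\Updater\UpdateCheck,enabled,Tasks,Vendor update check,(Not verified) Example Vendor,c:\users\public\update.exe,5555
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,OneTimeHelper,enabled,Logon,,(Not verified),c:\users\alice\appdata\roaming\helper.exe,6666
"""

# An entry is identified by where it lives and what it is called.
KEY_FIELDS = ("Entry Location", "Entry")
# A change in any of these fields for a known entry is worth an analyst's look.
COMPARE_FIELDS = ("Enabled", "Signer", "Image Path", "SHA-256")


def parse_autoruns_csv(text):
    """Parse CSV text into a dict of (location, entry) -> row."""
    reader = csv.DictReader(io.StringIO(text))
    return {tuple(row[f] for f in KEY_FIELDS): row for row in reader}


def load_export(path):
    """Read an export from disk; autorunsc writes its CSV as UTF-16 (assumption: adjust if yours differs)."""
    with open(path, encoding="utf-16") as fh:
        return parse_autoruns_csv(fh.read())


def is_verified_microsoft(row):
    """True for entries whose signature verified as Microsoft's (the entries the note above ignores)."""
    return row.get("Signer", "").startswith("(Verified) Microsoft")


def diff_autoruns(baseline, current, ignore_microsoft=True):
    """Return sorted keys of entries added, removed, or changed between two parsed exports."""
    def keep(row):
        return not (ignore_microsoft and is_verified_microsoft(row))

    base = {k: r for k, r in baseline.items() if keep(r)}
    cur = {k: r for k, r in current.items() if keep(r)}
    added = sorted(k for k in cur if k not in base)
    removed = sorted(k for k in base if k not in cur)
    changed = sorted(
        k for k in cur
        if k in base and any(cur[k][f] != base[k][f] for f in COMPARE_FIELDS)
    )
    return {"added": added, "removed": removed, "changed": changed}


def format_report(diff, baseline, current):
    """Render the diff as one line per finding, with the fields an analyst triages first."""
    lines = []
    for key in diff["added"]:
        row = current[key]
        lines.append(f"ADDED    {key[0]} :: {key[1]} -> {row['Image Path']} [{row['Signer']}]")
    for key in diff["removed"]:
        row = baseline[key]
        lines.append(f"REMOVED  {key[0]} :: {key[1]} -> {row['Image Path']}")
    for key in diff["changed"]:
        old, new = baseline[key], current[key]
        deltas = ", ".join(f"{f}: {old[f]!r} -> {new[f]!r}" for f in COMPARE_FIELDS if old[f] != new[f])
        lines.append(f"CHANGED  {key[0]} :: {key[1]} ({deltas})")
    return lines


if __name__ == "__main__":
    # In practice the two inputs come from load_export() on successive scheduled runs.
    baseline = parse_autoruns_csv(BASELINE_CSV)
    current = parse_autoruns_csv(CURRENT_CSV)
    for line in format_report(diff_autoruns(baseline, current), baseline, current):
        print(line)
```

Run against the constructed data, the report flags the new unsigned run key under a user hive and the scheduled task whose signer and image path changed, while the added Microsoft-signed entry is silent unless `ignore_microsoft=False`. Keying on location plus name rather than on hash alone is what lets a modified entry surface as "changed" instead of as an unrelated add/remove pair.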