Investigating Persistence Techniques in Microsoft Defender XDR.
The attacker had access.
Then they made sure they could come back.
A scheduled task appeared. A registry key changed. A service pointed somewhere strange.
Agent Foskett followed the persistence trail.
Lesson overview
Learn how defenders investigate persistence techniques by correlating scheduled tasks, registry changes, services, startup activity, WMI indicators and process evidence in Microsoft Defender XDR.
Why persistence matters
The persistence investigation workflow
Step 1 — Find scheduled task creation
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has_any ("schtasks", "Register-ScheduledTask")
| project Timestamp,
DeviceName,
AccountName,
FileName,
InitiatingProcessFileName,
ProcessCommandLine
| order by Timestamp desc
Step 2 — Review registry Run key changes
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
DeviceRegistryEvents
| where Timestamp > ago(7d)
| where RegistryKey has_any ("\Run", "\RunOnce")
| project Timestamp,
DeviceName,
InitiatingProcessAccountUpn,
ActionType,
RegistryKey,
RegistryValueName,
RegistryValueData,
InitiatingProcessFileName
| order by Timestamp desc
Step 3 — Look for new or modified services
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has_any ("sc create", "New-Service", "sc.exe create", "binPath")
| project Timestamp,
DeviceName,
AccountName,
FileName,
InitiatingProcessFileName,
ProcessCommandLine
| order by Timestamp desc
Step 4 — Search for startup folder persistence
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
DeviceFileEvents
| where Timestamp > ago(7d)
| where FolderPath has_any ("\Startup", "Start Menu\Programs\Startup")
| project Timestamp,
DeviceName,
InitiatingProcessAccountUpn,
ActionType,
FileName,
FolderPath,
SHA256,
InitiatingProcessFileName
| order by Timestamp desc
Step 5 — Investigate WMI-related persistence indicators
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("wmic.exe", "powershell.exe")
| where ProcessCommandLine has_any ("__EventFilter", "CommandLineEventConsumer", "__FilterToConsumerBinding", "ActiveScriptEventConsumer")
| project Timestamp,
DeviceName,
AccountName,
FileName,
InitiatingProcessFileName,
ProcessCommandLine
| order by Timestamp desc
Step 6 — Correlate persistence with file creation
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has_any ("schtasks", "sc create", "Register-ScheduledTask", "New-Service")
| join kind=leftouter (
DeviceFileEvents
| where Timestamp > ago(7d)
) on DeviceId
| where Timestamp1 between (Timestamp .. Timestamp + 30m)
| project PersistenceTime = Timestamp,
FileTime = Timestamp1,
DeviceName,
AccountName,
ProcessCommandLine,
FileName1,
FolderPath,
SHA256
| order by PersistenceTime desc
How to read persistence evidence
Real-world investigation
Investigation checklist
Related Agent Foskett Academy lessons
Coming next
Final thought
Investigating Persistence Techniques in Microsoft Defender XDR
Agent Foskett Academy Lesson 87 teaches defenders how to investigate persistence techniques in Microsoft Defender XDR.
Persistence techniques investigation workflow
This lesson explains how DeviceProcessEvents, DeviceRegistryEvents, DeviceFileEvents, scheduled tasks, registry Run keys, Windows services, startup folders, WMI activity and persistence timelines help defenders identify attacker methods used to maintain access.
