{
	"id": "2341d605-2743-4b9a-a503-54c8f6ecd92f",
	"created_at": "2026-04-06T00:07:34.128107Z",
	"updated_at": "2026-04-10T03:24:15.681916Z",
	"deleted_at": null,
	"sha1_hash": "38c9c684e377bfece4e74b3175f5b6f22b0d7799",
	"title": "Adversary tradecraft 101: Hunting for persistence using Elastic Security (Part 1)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2679525,
	"plain_text": "Adversary tradecraft 101: Hunting for persistence using Elastic\r\nSecurity (Part 1)\r\nBy David French, Brent Murphy, Elastic Security Intelligence \u0026 Analytics Team\r\nPublished: 2022-06-01 · Archived: 2026-04-05 15:25:52 UTC\r\nLast month, we hosted a webinar, Hunting for persistence using Elastic Security, where we examined some\r\ntechniques that attackers use in the wild to maintain presence in their victim’s environment. For each technique\r\ncovered, we explained:\r\nHow the offensive technique works\r\nWhy the technique is often successful for attackers\r\nHow defenders can hunt for and detect the malicious behavior effectively using Elastic Security\r\nIn this two-part blog series, we’ll share the details of what was covered during our webinar with the goal of\r\nhelping security practitioners improve their visibility of these offensive persistence techniques and help to\r\nundermine the efficacy of these attacks against their organization.\r\nPart 1 will explain what persistence is and why attackers need it. We’ll introduce the Event Query Language\r\n(EQL) before showing its practical use cases for threat hunting. We will examine a popular technique used by\r\nadversaries to maintain persistence, Windows Management Instrumentation (WMI) Event Subscription (T1084).\r\nWe’ll also share how Elastic Security users can hunt for and detect this technique being used in their environment.\r\nIn part 2, we’ll explore two additional persistence techniques that are being used by attackers in the wild: BITS\r\nJobs (T1197) and Scheduled Tasks (T1053). This follow-up post will walk through real world examples of these\r\ntechniques being used and how we can hunt for, detect, and prevent them using Elastic Security.\r\nThe Protections team at Elastic Security is responsible for researching, understanding, and developing detections\r\nand preventions for attacker behavior in order to stop attacks before damage or loss occur. 
For organizations that\r\ndo not have a full-time security operations team, Elastic Security includes out-of-the-box protections against\r\nadversary tradecraft, malware, and attacks like ransomware and phishing.\r\nWhat is persistence and why do attackers need it?\r\nWhen we consider the common components of an intrusion, such as those depicted in Figure 1, the attacker may\r\nhave spent a considerable amount of effort carrying out reconnaissance, obtaining initial access to, and\r\nestablishing a foothold in their target environment. Generally speaking, an adversary will often want to maintain a\r\npresence in order to survive disruptions to their access like system restarts or user password changes. An effective\r\npersistence mechanism will execute the attacker’s malicious code on a regular basis or when a specific condition\r\nis met such as a user logon or application launch event.\r\nhttps://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-1\r\nPage 1 of 9\n\nIn many cases, gaining access to an organization’s network is harder than maintaining persistence. It is for this\r\nreason that attackers continue to use the persistence techniques covered in this post — with largely successful\r\nresults. When the security industry refers to “dwell time,” that's the period of time that begins when an adversary\r\ngains access to a system and ends when you detect them. Persistence facilitates longer dwell times, during which\r\nthe adversary can work to achieve their objectives.\r\nFigure 1 - FireEye Mandiant’s Cyber Attack Lifecycle\r\nThere are currently 63 persistence techniques documented in the MITRE ATT\u0026CK® knowledge base of\r\nadversary behavior. 
This number can seem daunting at first, but an adversary’s need for persistence can be their\r\nAchilles’ heel, providing defenders with valuable opportunities to detect and remove an attacker from their\r\nenvironment.\r\nBy learning these offensive tactics, techniques, and procedures (TTPs) and baselining the endpoints and network\r\nactivity in your environment, you have an opportunity to detect attackers early on in an intrusion before any\r\ndamage or loss occurs. Security operations teams work tirelessly to detect the techniques captured in the ATT\u0026CK\r\nmatrix — hunting and writing alert logic to provide the greatest visibility and coverage of their enterprise. To help\r\nreduce the barrier to entry and enable those teams, we created EQL and released it to the community.\r\nWhat is Event Query Language (EQL)?\r\nThe queries in this blog post, which can be used for threat hunting and detection, are written in EQL — a powerful\r\nand intuitive query language that makes it easy for practitioners to search for complex adversary behavior.\r\nTo learn more about EQL, you can read the Getting started with EQL blog post or review the EQL Analytics\r\nLibrary, which contains 200+ free security analytics mapped to the techniques documented in the MITRE\r\nATT\u0026CK matrix. EQL is a core component of Elastic Endpoint Security and is being added to Elasticsearch for\r\nuse in Elastic SIEM.\r\nLet’s now analyze the WMI Event Subscription technique used by attackers in the wild by demonstrating a variety\r\nof methods to hunt for and detect this technique. 
We decided to cover this technique given its popularity among\r\nattackers and the low detection rates by traditional security controls.\r\nPersistence via Windows Management Instrumentation (WMI) Event\r\nSubscriptions (T1084)\r\nWMI is the Microsoft implementation of Web-Based Enterprise Management (WBEM), a collection of\r\ntechnologies used to manage information and systems in enterprise environments. WMI is a built-in feature of\r\nWindows endpoints that allows both administrators and attackers to interact with and manage many different functions\r\nof the operating system. Components such as network interfaces, power settings, service status, and installed\r\nsoftware or patches can all be queried and managed via WMI.\r\nAttackers have been abusing WMI since as early as 2008 to accomplish different objectives such as moving\r\nlaterally between endpoints, enumerating what processes are running on an endpoint, and maintaining persistence.\r\nAn attacker can “live off the land” by abusing built-in features of the operating system, which often results in a\r\nlower risk of detection than if they introduced malware into a victim environment.\r\nIt's no secret that adversaries prefer WMI-based persistence because:\r\nMany organizations are incapable of monitoring or investigating WMI\r\nOut-of-the-box WMI visibility is limited, and a third-party utility may be required to effectively convey\r\nhow WMI is being used\r\nWMI is an integral component of Windows, and the volume of weak signals from this data source can\r\noverwhelm analysts who aren't familiar with these attack types\r\nLike most offensive techniques, until organizations can reliably detect WMI abuse, the adversary is unlikely to\r\nchange their behavior.\r\nUnderstanding WMI Event Subscriptions and how they can be abused\r\nSimply put, a WMI Event Subscription can trigger an action when a certain condition 
is met. A WMI Event\r\nSubscription consists of three components.\r\nEventFilter - specifies a condition that you test for, e.g. a user successfully authenticates, a particular time\r\nand day of the week occurs, etc.\r\nEventConsumer - specifies an action to execute when the EventFilter condition is met, e.g. execute a\r\nWindows command or script, delete all Volume Shadow Copies, restart a service, etc.\r\nFilterToConsumerBinding - this links an EventFilter to an EventConsumer instance\r\nFigure 2 below shows the output from Sysinternals Autoruns, a free tool from Microsoft that can be used to\r\nexamine various persistence locations on Windows endpoints, also referred to as Autostart Execution Points\r\n(ASEPs). Autoruns reveals a persistent WMI Event Subscription, named checkforupdates. It is important to note\r\nthat there are sometimes benign WMI Event Subscriptions configured, but there shouldn’t be many. Alerting on\r\nthe creation of new WMI Event Subscriptions and hunting for new ones periodically can be a low cost, high\r\nreward exercise.\r\nFigure 2 - Autoruns showing a WMI Event Subscription registered by Empire\r\nThe full WMI Query Language (WQL) query from the Autoruns results is shown below. Autoruns conveniently\r\nenumerated the WMI __EventFilter class for us in the root\\Subscription namespace where this malicious entry\r\nwas created. Interpreting this WQL query, the EventFilter condition will be met when the system’s uptime is\r\nbetween 240 and 325 seconds. The EventConsumer is an Empire PowerShell script and will execute when this\r\nEventFilter condition is met.\r\nTo summarize, a WMI Event Subscription has been configured to execute a malicious PowerShell script shortly\r\nafter the endpoint boots up. 
This enables the attacker to maintain persistence in the victim’s environment and\r\nsurvive system restarts.\r\nSELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_Sy\r\nTargetInstance.SystemUpTime \u003e= 240 AND\r\nTargetInstance.SystemUpTime \u003c 325\r\nFigure 3 - WMI Query Language (WQL) query showing WMI EventFilter condition\r\nHunting for and detecting malicious WMI Event Subscriptions\r\nThe EQL query in Figure 4 shows how we can search for a sequence of three WMI events, which were generated\r\nby the same unique process ID (PID). This query demonstrates one of the strengths of EQL by using the join\r\nfunction. This allows us to match sequences of events in any order. Searching for these three WMI events without\r\nbinding them together by unique PID might not return meaningful results. This query matches when a WMI\r\nEventFilter, EventConsumer, and FilterToConsumer binding are created by the same process in succession, which\r\ntypically occurs when malware is executed and creates a new WMI Event Subscription for persistence. 
This query\r\ncan be used to monitor for and detect abuse of WMI.\r\njoin by unique_pid\r\n [wmi where properties.Operation == \"*IWbemServices::PutInstance*EventFilter*\"]\r\n [wmi where properties.Operation == \"*IWbemServices::PutInstance*EventConsumer*\"]\r\n [wmi where properties.Operation == \"*IWbemServices::PutInstance*FilterToConsumerBinding*\"]\r\nFigure 4 - EQL query to search for the creation of a WMI EventFilter, EventConsumer, and\r\nFilterToConsumerBinding in succession\r\nThe above EQL query can be saved as a custom rule in Elastic Endpoint Security so that analysts can be alerted\r\nevery time a new WMI Event Subscription is created by a process (Figure 5).\r\nFigure 5 - Alert created by custom rule in Elastic Endpoint Security\r\nResolver is the primary interface for interacting with alerts in Elastic Endpoint Security and enables users to\r\nvisualize process ancestry along with relevant events such as DNS, file, network, WMI, and PowerShell, to name\r\na few. It also provides one-click response actions to resolve the alert.\r\nFigure 6 - Resolver showing process ancestry and events created by powershell.exe\r\nClicking the WMI event type next to powershell.exe in Resolver enables users to review the WMI events that\r\nwere generated by the process. Figure 7 shows the WMI event that was logged when powershell.exe was used to\r\ncreate the new WMI FilterToConsumerBinding, checkforupdates.\r\nFigure 7 - WMI event created by powershell.exe\r\nElastic Endpoint Security also includes template-based hunts that lower the barriers to entry for less experienced\r\nanalysts and allow for the easy collection and analysis of data across an organization’s endpoints. 
There are\r\ncurrently 25 categories of persistence data that can be collected and analyzed using template-based hunts.\r\nFigure 8 - Hunting for persistence using Elastic Endpoint’s template-based hunts\r\nOnce a hunt has been executed, there are several ways to sort or aggregate the data — such as by frequency or file\r\npath. This helps analysts to quickly baseline their endpoints and identify anomalies to investigate further.\r\nFigure 9 depicts the filtered results of a persistence hunt wherein the same malicious WMI Event Subscription was\r\nconfigured. Elastic Security enumerates persistence locations across your endpoints and enables users to apply\r\nfilters to identify anomalies or suspicious artifacts for further analysis. Hunt teams will often assume that\r\ntraditional passive and reactive security controls are fallible, and will proactively hunt for malicious persistence\r\nmechanisms in search of attackers operating in their environment.\r\nFigure 9 - Results of an Elastic Endpoint hunt showing malicious WMI persistence\r\nElastic Security comes with out-of-the-box detections for WMI abuse. Figure 10 shows the signal that was\r\ngenerated by Elastic Endpoint and shipped to Elastic SIEM when a malicious WMI Event Subscription was\r\ncreated.\r\nFigure 10 - Elastic Endpoint signal shown in Elastic SIEM\r\nUsers have the option to view a signal in the Timeline within Elastic SIEM. Timeline enables analysts to search\r\nfor similar activity across their data, gather and document evidence, and forward potential incidents to ticketing\r\nand SOAR platforms with ease. 
Part 2 of this series will show the workflow and features of Timeline.\r\nFigure 11 - Option to view signal in Timeline in Elastic SIEM\r\nAs of version 7.6 of the Elastic Stack, the SIEM app comes with a detection engine, which enables security teams\r\nto create their own custom rules. For example, Windows 10 logs Event ID 5861 when a new WMI\r\nEventFilterToConsumer binding is created. Figure 12 shows how a custom rule can be created in Elastic SIEM to\r\nsearch the winlogbeat-* index pattern for winlog.record_id: 5861. We can configure a description, severity, and\r\nrisk score for the new rule, as well as map the rule to the relevant techniques in the MITRE ATT\u0026CK matrix. This\r\ninformation will help an analyst triage and determine the steps to take when the rule condition occurs.\r\nFigure 12 - Example of a new rule being created in Elastic SIEM\r\nElastic SIEM is part of the Basic subscription and currently includes 92 detections that utilize Windows, Linux,\r\nnetwork, and APM logging. We will continue to add new rules in new releases of the Elastic Stack.\r\nFigure 13 - Detection rules view in Elastic SIEM\r\nIn this section, we learned how WMI Event Subscriptions can be abused for persistence and how we can hunt for\r\nand detect this technique using the combination of Elastic Endpoint and SIEM. It’s important to note that we have\r\nonly scratched the surface of how WMI works and the many ways that it can be used by attackers.\r\nWMI can be used during every phase of an attack, such as moving laterally between endpoints, conducting local\r\nand enterprise reconnaissance, and stealing data. 
Elastic Security has released detections for many techniques that\r\nleverage WMI.\r\nConclusion\r\nIn this blog post, we examined a popular technique that attackers use to maintain a presence in their target\r\nenvironments. The number of techniques in an attacker’s arsenal can seem daunting at first, but we demonstrated a\r\nformulaic approach to examining, hunting for, and detecting techniques effectively. By building comprehension\r\naround adversary tradecraft, you can identify interesting patterns, behaviors, and artifacts that you can use to your\r\nadvantage.\r\nElastic Security makes hunting for persistence easy. The features of Elastic Endpoint Security and SIEM (along\r\nwith the protections provided out of the box) lower the barriers to entry for analysts, provide detailed visibility\r\ninto endpoint activity, and enable organizations to prevent, detect, and respond to malicious behavior at scale.\r\nTo learn more about threat hunting, download a free copy of The Elastic Guide to Threat Hunting.\r\nPlus, EQL support is being added to Elasticsearch!\r\nSource: https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-1"
	],
	"report_names": [
		"hunting-for-persistence-using-elastic-security-part-1"
	],
	"threat_actors": [
		{
			"id": "f276b8a6-73c9-494a-8ab2-13e2f1da4c53",
			"created_at": "2022-10-25T16:07:24.441133Z",
			"updated_at": "2026-04-10T02:00:04.993411Z",
			"deleted_at": null,
			"main_name": "Achilles",
			"aliases": [],
			"source_name": "ETDA:Achilles",
			"tools": [
				"RDP",
				"Remote Desktop Protocol"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434054,
	"ts_updated_at": 1775791455,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/38c9c684e377bfece4e74b3175f5b6f22b0d7799.pdf",
		"text": "https://archive.orkl.eu/38c9c684e377bfece4e74b3175f5b6f22b0d7799.txt",
		"img": "https://archive.orkl.eu/38c9c684e377bfece4e74b3175f5b6f22b0d7799.jpg"
	}
}