Description of Use Case¶

This was a very specialized use case where the top-performing log sources were those designed with the explicit purpose of monitoring for system configuration changes. General-purpose logs were far less effective. The results show a clear preference for telemetry that provides high-fidelity “before and after” states or real-time modification alerts.

Techniques Evaluated¶

• T1547 Boot or Logon Autostart Execution

• T1112 Modify Registry

• T1053 Scheduled Task/Job

• T1543 Create or Modify System Process

• T1546 Event Triggered Execution

• T1574 Hijack Execution Flow

• T1197 BITS Jobs

Top Scoring Log Sources¶

Key Trends & Generalizations¶

• Specificity is Paramount: This use case proves that a specialized tool for a narrow job (like Autoruns or Sysmon’s registry monitoring) is often more valuable than a general-purpose log that happens to catch some of the activity.

• There is a Place for Snapshot Analysis: Not all security data needs to be real-time. The high score of Autoruns demonstrates that periodic, high-fidelity snapshots are extremely effective for non-urgent but critical tasks like persistence hunting.

• The Action is on the Endpoint: Similar to Lateral Movement, network data is almost completely irrelevant for detecting this category of persistence. The entire story is told through file, registry, and process events on the host itself.

Evaluation of Log Source Types¶

Registry modification events were the clear #1 category. File creation events (for startup folders) were a strong #2. Process creation events were #3, useful for seeing the actor but not the persistence artifact itself.

Technology Comparison: EDR ≈ Sysmon > Specialized Tools (Autoruns) > Native Windows Logs

Scoring Data¶

The raw TC scores broken down by metric can be found here: Persistence via Registry/Startup