Signatures

Jump to bottom Edit New page

Invoke-IR edited this page Oct 18, 2014 · 1 revision

Table of Contents

Persistence Mechanisms

SERVICE_CREATION

Monitors the Win32_Service for __InstanceCreationEvents.

SERVICE_DELETION

Monitors the Win32_Service for __InstancDeletionEvents.

SCHEDULEDJOB_CREATION

Monitors the Win32_ScheduledJob for __InstanceCreationEvents.

SCHEDULEDJOB_DELETION

Monitors the Win32_ScheduledJob for __InstanceDeletionEvents.

STARTUPCOMMAND_CREATION

Monitors the Win32_StartupCommand for __InstanceCreationEvents.
Locations Monitored:
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run
- HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKU\ProgID\Software\Microsoft\Windows\CurrentVersion\Run
- systemdrive\Documents and Settings\All Users\Start Menu\Programs\Startup
- systemdrive\Documents and Settings\username\Start Menu\Programs\Startup

STARTUPCOMMAND_DELETION

Monitors the Win32_StartupCommand for __InstanceDeletionEvents.

Network Resource

SHARE_CREATION

Monitors the Win32_Share for __InstanceCreationEvents.

SHARE_DELETION

Monitors the Win32_Share for __InstanceDeletionEvents.

NETWORKCONNECTION_CREATION

Monitors the Win32_NetworkConnection for __InstanceCreationEvents.

NETWORKCONNECTION_DELETION

Monitors the Win32_NetworkConnection for __InstanceDeletionEvents.

SERVERCONNECTION_CREATION

Monitors the Win32_ServerConnection for __InstanceCreationEvents.

SERVERCONNECTION_DELETION

Monitors the Win32_ServerConnection for __InstanceDeletionEvents.

Rootkit

DRIVER_CREATION

Monitors the Win32_SystemDriver for __InstanceCreationEvents.

DRIVER_DELETION

Monitors the Win32_SystemDriver for __InstanceDeletionEvents.