This artifact pack collects various persistence mechanisms in Windows.
name: Windows.Packs.Persistence
description: |
This artifact pack collects various persistence mechanisms in Windows.
precondition:
SELECT OS from info() where OS = "windows"
sources:
- name: WMI Event Filters
description: |
{{ DocFrom "Windows.Persistence.PermanentWMIEvents" }}
query: |
SELECT * FROM Artifact.Windows.Persistence.PermanentWMIEvents()
- name: Startup Items
description: |
{{ DocFrom "Windows.Sys.StartupItems" }}
query: |
SELECT * FROM Artifact.Windows.Sys.StartupItems()
- name: Debug Bootstraping
description: |
{{ DocFrom "Windows.Persistence.Debug" }}
If there are any rows in the table below then executing the
program will also launch the program listed under the Debugger
column.
query: |
SELECT * FROM Artifact.Windows.Persistence.Debug()