Windows Incident Response - 30 Persistence Master Checklist

This page collects 70 persistence locations on Windows, grouped by category. Each entry lists the path, a detection command and the ATT&CK technique ID.

Goal: a one-stop quick reference, paired with a single script for a full sweep.

Related page: 09 - Registry Persistence Audit

1. Registry-based persistence

1.1 Classic Run / RunOnce

| # | Path | ATT&CK | Notes |
|---|------|--------|-------|
| 1 | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | T1547.001 | Runs at logon for every user |
| 2 | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | T1547.001 | Runs once, then the value is deleted |
| 3 | HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | T1547.001 | Runs when the current user logs on |
| 4 | HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | T1547.001 | Current user, one-shot |
| 5 | HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | T1547.001 | 32-bit view on 64-bit Windows |
| 6 | HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | T1547.001 | 32-bit view on 64-bit Windows |

Detection command:

```powershell
# Dump every value under the six Run/RunOnce keys; PS* are PowerShell's own
# provider properties, not registry values, so they are filtered out.
@(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce"
) | ForEach-Object {
    Write-Host "`n[$_]" -ForegroundColor Cyan
    if (Test-Path $_) {
        Get-ItemProperty $_ | Select-Object * -ExcludeProperty PS* | Format-List
    } else { Write-Host "  (key does not exist)" }
}
# HKCU: only covers the user running the shell. For other profiles load
# C:\Users\<user>\NTUSER.DAT (reg load) or query HKU\<SID>\... directly.
```

1.2 RunServices / RunServicesOnce (legacy)

| # | Path | ATT&CK | Notes |
|---|------|--------|-------|
| 7 | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices | T1547.001 | Legacy, Windows 9x/ME era |
| 8 | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce | T1547.001 | Legacy |

These keys are not processed by modern Windows, so they should not exist at all; any content here is either an artifact of old tooling or an attacker who believed they still work. Do not skip them during the sweep.

1.3 Winlogon

| # | Path / value | ATT&CK | Notes |
|---|--------------|--------|-------|
| 9 | HKLM\...\Winlogon\Userinit | T1547.004 | Default `C:\Windows\system32\userinit.exe,`; anything appended after the comma runs at every logon |
| 10 | HKLM\...\Winlogon\Shell | T1547.004 | Default `explorer.exe`; a changed value replaces the desktop shell |
| 11 | HKLM\...\Winlogon\Notify | T1547.004 | DLL notification packages (legacy, but still worth checking) |
| 12 | HKLM\...\Winlogon\SpecialAccounts\UserList | T1564.002 | Hides a user account from the logon screen |

Detection command:

```powershell
$wl = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
Write-Host "Userinit : $($wl.Userinit)"
Write-Host "Shell    : $($wl.Shell)"
# Expected: Userinit = "C:\Windows\system32\userinit.exe,"  Shell = "explorer.exe"
if ($wl.Userinit -ne "C:\Windows\system32\userinit.exe,") { Write-Warning "Userinit deviates from default" }
if ($wl.Shell    -ne "explorer.exe")                       { Write-Warning "Shell deviates from default" }
# The same two values under HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
# are honoured per user as well; check them for every profile.
```

1.4 IFEO / AppInit / AppCert

| # | Path | ATT&CK | Notes |
|---|------|--------|-------|
| 13 | HKLM\...\Image File Execution Options\<exe>\Debugger | T1546.012 | Image hijack: the "debugger" runs instead of the target |
| 14 | HKLM\...\SilentProcessExit\<exe>\MonitorProcess | T1546.012 | Triggered when the target process exits (needs GlobalFlag 0x200 on the IFEO entry) |
| 15 | HKLM\...\Windows\AppInit_DLLs | T1546.010 | DLL injected into every process that loads user32.dll |
| 16 | HKLM\...\Session Manager\AppCertDLLs | T1546.009 | CreateProcess hook DLLs |

Details: 25 - IFEO and AppInit_DLLs Backdoors

1.5 Explorer

| # | Path | ATT&CK | Notes |
|---|------|--------|-------|
| 17 | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders | T1547.001 | Location of the Startup folder; redirecting it moves the autostart directory |
| 18 | HKCU\...\Explorer\User Shell Folders | T1547.001 | Per-user Startup folder location |
| 19 | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | T1176 | IE Browser Helper Objects |
| 20 | HKCU\...\Explorer\FileExts\.<ext>\UserChoice | T1546.001 | File association hijack |

1.6 Services and drivers

| # | Path | ATT&CK | Notes |
|---|------|--------|-------|
| 21 | HKLM\SYSTEM\CurrentControlSet\Services\<name> | T1543.003 | Windows service |
| 22 | HKLM\SYSTEM\CurrentControlSet\Services\<name> (Type=1) | T1543.003 | Kernel driver (Type=2 is a file system driver) |
| 23 | HKLM\...\Services\<svc>\Parameters\ServiceDll | T1543.003 | DLL hosted by svchost.exe |

Detection command:

```powershell
# Services whose binary lives outside system32/SysWOW64. This is a path
# heuristic, not a signature check: follow up with Get-AuthenticodeSignature,
# and remember that malware can sit inside system32 too.
Get-CimInstance Win32_Service | Where-Object {
    $_.PathName -and $_.PathName -notmatch '(?i)\\system32\\|\\SysWOW64\\'
} | Select-Object Name, StartMode, PathName, State |
    Sort-Object StartMode | Format-Table -AutoSize
```

1.7 COM object hijacking

| # | Path | ATT&CK | Notes |
|---|------|--------|-------|
| 24 | HKCU\SOFTWARE\Classes\CLSID\{GUID}\InprocServer32 | T1546.015 | Per-user COM hijack (in-process DLL) |
| 25 | HKCU\SOFTWARE\Classes\CLSID\{GUID}\LocalServer32 | T1546.015 | Per-user COM hijack (out-of-process EXE) |
| 26 | HKLM\SOFTWARE\Classes\CLSID\{GUID}\InprocServer32 | T1546.015 | System-wide COM hijack |

CLSIDs are resolved through HKCR, which merges HKCU\Software\Classes on top of HKLM\Software\Classes, so a per-user registration of a CLSID wins over the system-wide one: an attacker registers the same CLSID under HKCU pointing at a malicious DLL and every medium-integrity process that instantiates it loads the DLL. Two caveats: elevated (high-integrity) processes ignore per-user COM registration, and the quietest variant targets CLSIDs that software references but that have no server registered at all, so "HKCU entry with no HKLM counterpart" needs a look as well.
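The shadowing check described above, as an added example (not code from the original page): every CLSID registered under HKCU is compared with its HKLM counterpart, the server path is checked on disk and signature-verified, and each row gets a verdict. The regexes that reduce the server command line to a file path are a best-effort assumption.

```powershell
# Added example: find per-user COM registrations that shadow, replace or
# lack a system-wide registration. Run in the context of the user under review.
function Get-ComShadowing {
    [CmdletBinding()]
    param(
        [string]$UserRoot   = 'HKCU:\SOFTWARE\Classes\CLSID',
        [string]$SystemRoot = 'HKLM:\SOFTWARE\Classes\CLSID'
    )
    if (-not (Test-Path $UserRoot)) { return }

    foreach ($key in Get-ChildItem -Path $UserRoot -ErrorAction SilentlyContinue) {
        $clsid = $key.PSChildName
        foreach ($server in 'InprocServer32', 'LocalServer32') {
            $userSub = Join-Path $key.PSPath $server
            if (-not (Test-Path $userSub)) { continue }
            $userCmd = (Get-ItemProperty -Path $userSub -ErrorAction SilentlyContinue).'(default)'
            if (-not $userCmd) { continue }

            # Same CLSID and server type under HKLM, if any
            $sysSub = Join-Path $SystemRoot "$clsid\$server"
            $sysCmd = if (Test-Path $sysSub) { (Get-ItemProperty -Path $sysSub -ErrorAction SilentlyContinue).'(default)' }

            # Reduce  "C:\x\a.dll" /arg  or  C:\x\a.dll,Entry  to the bare file path (heuristic)
            $file = $userCmd -replace '^"([^"]+)".*', '$1' -replace '^([^",]+?\.(dll|exe|ocx)).*', '$1'
            $file = [Environment]::ExpandEnvironmentVariables($file)
            $exists = Test-Path -LiteralPath $file -PathType Leaf
            $sig = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $file).Status }

            $verdict = 'SameAsHKLM'
            if (-not $sysCmd) { $verdict = 'UserOnly' }
            if ($sysCmd -and $sysCmd.Trim('"') -ine $userCmd.Trim('"')) { $verdict = 'ShadowsHKLM' }
            if (-not $exists) { $verdict += '+MissingFile' }

            [PSCustomObject]@{
                CLSID      = $clsid
                Server     = $server
                UserPath   = $userCmd
                SystemPath = $sysCmd
                Signature  = $sig
                Verdict    = $verdict
            }
        }
    }
}

# Usage: rows that override a system-wide registration come first
Get-ComShadowing | Where-Object { $_.Verdict -ne 'SameAsHKLM' } |
    Sort-Object Verdict | Format-Table -AutoSize -Wrap
```

`ShadowsHKLM` with an unsigned or missing file is the classic hijack; `UserOnly` is common for legitimately installed per-user software, so judge it by the signer and the path rather than by its presence alone.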

1.8 Other registry locations

| # | Path | ATT&CK | Notes |
|---|------|--------|-------|
| 27 | HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load | T1547.001 | Legacy "load" (and "run") values, executed at logon |
| 28 | HKLM\...\Session Manager\BootExecute | T1547.001 | Native programs run by smss.exe before the subsystems start (default `autocheck autochk *`) |
| 29 | HKLM\...\Command Processor\AutoRun | T1546 | Executed by every cmd.exe start (no dedicated sub-technique) |
| 30 | HKCU\...\Command Processor\AutoRun | T1546 | Per-user cmd.exe AutoRun |
| 31 | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | T1547.001 | Policy Run key |
| 32 | HKCU\...\Policies\Explorer\Run | T1547.001 | Per-user policy Run key |
| 33 | HKLM\...\Active Setup\Installed Components\{GUID}\StubPath | T1547.014 | Active Setup, runs once per user at logon |
| 34 | HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions | | Group Policy client-side extension DLLs |
| 35 | HKLM\...\Lsa\Authentication Packages | T1547.002 | LSA authentication packages |
| 36 | HKLM\...\Lsa\Security Packages | T1547.005 | Security Support Providers |
| 37 | HKLM\...\Lsa\Notification Packages | T1556.002 | Password filter DLLs (called with every cleartext password change) |
| 38 | HKLM\...\SecurityProviders\SecurityProviders | T1547.005 | SSP list loaded by lsass |
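Entries 35-38 are only names, so the check a practitioner actually wants is: resolve each name to the DLL lsass will load, confirm it exists and is signed, and compare against a baseline. The block below is an added example, not code from the original page; the baseline set in `$Baseline` is an assumption for a stand-alone member workstation and should be adjusted to your own golden image (domain controllers legitimately add `rassfm`, for instance).

```powershell
# Added example: resolve LSA package names to DLLs, verify them, flag outliers.
function Test-LsaPackages {
    [CmdletBinding()]
    param(
        # Assumed baseline; adjust to a known-good host of the same build/role
        [hashtable]$Baseline = @{
            'Authentication Packages' = @('msv1_0')
            'Notification Packages'   = @('scecli', 'rassfm')
            'Security Packages'       = @('kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u')
            'SecurityProviders'       = @('credssp.dll')
        }
    )
    $lsa  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $prov = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders' -ErrorAction SilentlyContinue

    $sets = @{
        'Authentication Packages' = @($lsa.'Authentication Packages')
        'Notification Packages'   = @($lsa.'Notification Packages')
        'Security Packages'       = @($lsa.'Security Packages')
        'SecurityProviders'       = @(($prov.SecurityProviders -split ',') | ForEach-Object { $_.Trim() })
    }

    foreach ($set in $sets.Keys) {
        # "Security Packages" often holds a literal "" placeholder; skip it and empty strings
        foreach ($name in ($sets[$set] | Where-Object { $_ -and $_ -ne '""' })) {
            $dll  = if ($name -match '\.dll$') { $name } else { "$name.dll" }
            # lsass loads bare names from System32; a rooted path in here is itself unusual
            $path = if ([IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path $env:SystemRoot "System32\$dll" }
            $sig  = if (Test-Path -LiteralPath $path) { Get-AuthenticodeSignature -LiteralPath $path }

            [PSCustomObject]@{
                Set        = $set
                Package    = $name
                Path       = $path
                Exists     = [bool]$sig
                SigStatus  = if ($sig) { $sig.Status } else { 'FileMissing' }
                Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                RootedPath = [IO.Path]::IsPathRooted($dll)
                InBaseline = $Baseline[$set] -contains $name
            }
        }
    }
}

# Usage: show only what needs eyes
Test-LsaPackages |
    Where-Object { -not $_.InBaseline -or $_.SigStatus -ne 'Valid' -or $_.RootedPath } |
    Format-Table Set, Package, Path, SigStatus, InBaseline -AutoSize -Wrap
```

Most of these DLLs are catalog-signed rather than Authenticode-signed inline; `Get-AuthenticodeSignature` validates catalog signatures from Windows PowerShell 5.1 onward, so on older hosts a `NotSigned` result for a genuine system DLL is expected and the file hash should be compared instead.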

2. File system persistence

| # | Location | ATT&CK | Notes |
|---|----------|--------|-------|
| 39 | %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ | T1547.001 | Per-user Startup folder |
| 40 | %ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup\ | T1547.001 | All-users Startup folder |
| 41 | C:\Windows\System32\Tasks\ | T1053.005 | Scheduled task XML definitions |
| 42 | %APPDATA%\Microsoft\Windows\Start Menu\Programs\ | | Shortcut (.lnk) replacement |
| 43 | C:\Windows\System32\GroupPolicy\Machine\Scripts\ | T1037 | Local GPO startup/shutdown scripts |
| 44 | C:\Users\<user>\NTUSER.DAT | | Offline per-user registry hive (evidence source for HKCU checks of other profiles) |
| 45 | C:\Windows\System32\drivers\ | T1543.003 | Kernel driver binaries |
| 46 | C:\Windows\System32\config\SAM, SYSTEM, SOFTWARE | | Registry hive files (for offline analysis) |

Detection command (Startup folders):

```powershell
# List everything in both Startup folders, hidden files included
$paths = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
)
foreach ($p in $paths) {
    Write-Host "`n[$p]" -ForegroundColor Cyan
    Get-ChildItem $p -Force -ErrorAction SilentlyContinue | Select-Object Name, LastWriteTime, Length
}
# $env:APPDATA only covers the current user; enumerate
# C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup for the rest.
```

3. Scheduled tasks

| # | Location / method | ATT&CK | Notes |
|---|-------------------|--------|-------|
| 47 | schtasks / Task Scheduler | T1053.005 | Standard scheduled task |
| 48 | Hidden task (SD value deleted) | T1053.005 | Deleting the task's `SD` value under `TaskCache\Tree` hides it from the scheduler UI, schtasks and the API |
| 49 | at.exe | T1053.002 | Legacy at jobs |

Detection command:

```powershell
# Dump every enabled scheduled task with its actions and run-as principal
Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } |
    ForEach-Object {
        $info = $_ | Get-ScheduledTaskInfo -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            TaskName = $_.TaskName
            TaskPath = $_.TaskPath
            State    = $_.State
            Actions  = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join "; "
            LastRun  = $info.LastRunTime
            RunAs    = $_.Principal.UserId   # the account the task runs as, not its author
            Author   = $_.Author
        }
    } | Sort-Object TaskPath | Format-Table -AutoSize -Wrap
```
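`Get-ScheduledTask` goes through the same API the attacker is hiding from, so item 48 needs a different angle: read the scheduler's registry cache directly and diff it against the API view. The block below is an added example, not code from the original page. It walks `HKLM\...\Schedule\TaskCache\Tree`, flags entries with no `SD` value or that the API does not return, and pulls printable strings out of the binary `Actions` blob as a rough hint of what the task runs. Run it elevated.

```powershell
# Added example: detect scheduled tasks hidden by SD deletion (registry vs API diff)
function Get-HiddenScheduledTask {
    [CmdletBinding()]
    param(
        [string]$CacheRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache'
    )
    $treeRoot  = Join-Path $CacheRoot 'Tree'
    $tasksRoot = Join-Path $CacheRoot 'Tasks'

    # Everything the API is willing to show, keyed by "\Folder\Name"
    $visible = @{}
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        ForEach-Object { $visible[$_.TaskPath + $_.TaskName] = $true }

    Get-ChildItem -Path $treeRoot -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $node = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if (-not $node.Id) { return }            # folder node, not a task

        # The key path below Tree is the task path: ...\Tree\Microsoft\Windows\X -> \Microsoft\Windows\X
        $taskPath = $_.Name.Substring($_.Name.IndexOf('\Tree\') + 5)

        # Actions is a binary structure; rendering its UTF-16 strings is enough for triage
        $hint = $null
        $taskKey = Join-Path $tasksRoot $node.Id
        if (Test-Path $taskKey) {
            $blob = (Get-ItemProperty -Path $taskKey -ErrorAction SilentlyContinue).Actions
            if ($blob) {
                $hint = ([Text.Encoding]::Unicode.GetString($blob) -replace '[^\x20-\x7E]+', ' ').Trim()
            }
        }

        $hasSD = $null -ne $node.SD
        $seen  = $visible.ContainsKey($taskPath)
        [PSCustomObject]@{
            TaskPath     = $taskPath
            Id           = $node.Id
            HasSD        = $hasSD
            VisibleToAPI = $seen
            Hidden       = (-not $hasSD) -or (-not $seen)
            ActionHint   = $hint
        }
    }
}

# Usage: only the rows the scheduler itself would not have shown you
Get-HiddenScheduledTask | Where-Object Hidden |
    Format-Table TaskPath, HasSD, VisibleToAPI, ActionHint -AutoSize -Wrap
```

A task that is `HasSD = False` is the textbook case; one that has an SD but is still `VisibleToAPI = False` usually means the XML under `C:\Windows\System32\Tasks\` was removed or the SD denies the current account, and both are worth the same follow-up.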

Related: Windows Incident Response/18 - Scheduled Task Persistence

4. WMI persistence

| # | Type | ATT&CK | Notes |
|---|------|--------|-------|
| 50 | WMI event subscription (Filter + Consumer + Binding) | T1546.003 | The three objects together form the subscription |
| 51 | WMI permanent event consumer | T1546.003 | CommandLineEventConsumer / ActiveScriptEventConsumer are the ones that execute code |

Detection command:

```powershell
# root\subscription holds the permanent subscriptions; needs an elevated shell.
# A clean system has exactly one binding: "SCM Event Log Filter" -> "SCM Event Log Consumer"
# (an NTEventLogEventConsumer). Everything else needs explaining.
Write-Host "=== WMI Event Filters ===" -ForegroundColor Cyan
Get-WmiObject -Namespace root\subscription -Class __EventFilter |
    Select-Object Name, Query | Format-List

Write-Host "=== WMI Event Consumers ===" -ForegroundColor Cyan
Get-WmiObject -Namespace root\subscription -Class __EventConsumer |
    Select-Object __CLASS, Name, CommandLineTemplate, ScriptText | Format-List

Write-Host "=== WMI Bindings ===" -ForegroundColor Cyan
Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding |
    Select-Object Filter, Consumer | Format-List
# Get-WmiObject is Windows PowerShell only; in PowerShell 7 use
# Get-CimInstance -Namespace root\subscription -ClassName <class> instead.
```

Related: Windows Incident Response/19 - WMI Event Subscription Persistence

5. AD / GPO persistence (domain environments)

| # | Type | ATT&CK | Notes |
|---|------|--------|-------|
| 52 | GPO logon script | T1484.001 | Group Policy logon/logoff scripts |
| 53 | GPO startup/shutdown script | T1484.001 | Computer startup/shutdown scripts |
| 54 | GPO scheduled task (Immediate Task) | T1484.001 | Group Policy Preferences immediate task |
| 55 | DCShadow | T1207 | Rogue DC pushes malicious objects via replication |
| 56 | AdminSDHolder | T1484 | ACL modification for persistent privileged access |
| 57 | Skeleton Key | T1556.001 | In-memory patch of lsass on a DC adds a master password |
| 58 | SID History | T1134.005 | Privileged SID injected into an account's sIDHistory |
| 59 | Golden Ticket | T1558.001 | TGT forged with the krbtgt hash |
| 60 | DSRM backdoor | T1003.003 | DSRM password changed and network logon enabled |

Related: Windows Incident Response/27 - Domain Persistence

6. Other persistence locations

| # | Type | ATT&CK | Notes |
|---|------|--------|-------|
| 61 | DLL search order hijacking | T1574.001 | Malicious DLL planted earlier in the search path |
| 62 | DLL side-loading | T1574.002 | Legitimately signed EXE loads the malicious DLL |
| 63 | Print Processor DLL | T1547.012 | `Print\Environments\<arch>\Print Processors` |
| 64 | Port Monitor DLL | T1547.010 | `Print\Monitors\<name>\Driver`, loaded by the spooler |
| 65 | Netsh helper DLL | T1546.007 | Loaded whenever netsh.exe runs |
| 66 | Office add-ins | T1137 | Word/Excel add-ins and startup macros |
| 67 | Outlook rules | T1137.005 | Rule that launches a program |
| 68 | Screensaver | T1546.002 | SCRNSAVE.EXE path tampered |
| 69 | Time provider | T1547.003 | W32Time provider DLL |
| 70 | Accessibility features | T1546.008 | sethc.exe / utilman.exe etc. replaced or IFEO-debugged |

Related: 22 - DLL Hijacking and Side-Loading

7. Autoruns coverage

7.1 Items Autoruns covers

- All six Run/RunOnce locations
- Winlogon (Userinit, Shell)
- Services and Drivers
- Scheduled Tasks
- Startup folders
- IFEO Debugger
- AppInit_DLLs
- KnownDLLs
- Boot Execute
- Image Hijacks (file associations)
- LSA Providers
- Print Monitors
- Explorer shell extensions, BHOs
- Sidebar Gadgets, Active Setup
- COM objects (partially)

7.2 Items Autoruns tends to miss

- WMI event subscriptions: recent Autoruns versions have a WMI tab, but confirm with a direct query of root\subscription (section 4)
- SilentProcessExit MonitorProcess: outside the standard scan
- COM hijacking (HKCU overriding HKLM): only partially detected
- Hidden scheduled tasks (SD value deleted): not visible to Task Scheduler or anything built on its API
- DLL search order hijacking: needs runtime or on-disk analysis of the application's search path
- Memory-resident (fileless) persistence: nothing on disk to list
- Domain-specific: Golden Ticket, SID History, AdminSDHolder
- Netsh helper DLLs: not checked by default

Recommendation: use Autoruns (with "Verify Code Signatures" and "Hide Microsoft Entries" enabled) as the first quick pass, but never as the only one.

8. Single-script full enumeration

8.1 Combined sweep script

The script below checks twelve categories (Run keys, Winlogon, IFEO/SilentProcessExit, AppInit/AppCert, services, scheduled tasks, WMI subscriptions, Startup folders, LSA packages, HKCU COM servers, port monitors, cmd AutoRun) and writes every hit to a CSV. It does not reach all 70 locations above: Active Setup, netsh helpers, time providers, print processors, the file-system hives and the domain techniques of section 5 still need the manual checks in their sections.

```powershell
<#
.SYNOPSIS
    Windows persistence sweep
.DESCRIPTION
    Checks twelve persistence categories and writes every hit to a CSV for triage.
    Hits are leads, not verdicts: a non-Microsoft path is not proof of malice and a
    Microsoft path is not proof of innocence. Run the triage step on the CSV afterwards.
.NOTES
    Run from an elevated PowerShell session (HKLM\SYSTEM, IFEO and root\subscription
    require it). HKCU checks only cover the account running the script.
#>
#Requires -RunAsAdministrator

$results   = [System.Collections.Generic.List[object]]::new()
$timestamp = Get-Date -Format 'yyyyMMdd_HHmmss'
$outDir    = 'C:\IR'
$outFile   = Join-Path $outDir "Persistence_Check_$timestamp.csv"

function Add-Finding {
    param($Category, $Location, $Name, $Value, $Risk, $ATTCK)
    $results.Add([PSCustomObject]@{
        Category = $Category
        Location = $Location
        Name     = $Name
        Value    = $Value
        Risk     = $Risk
        ATTCK    = $ATTCK
        Time     = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    })
}

# ===== 1. Run / RunOnce =====
Write-Host "[1/12] Run/RunOnce..." -ForegroundColor Cyan
$runPaths = @(
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
)
foreach ($rp in $runPaths) {
    if (Test-Path $rp) {
        $props = Get-ItemProperty $rp -ErrorAction SilentlyContinue
        # PS* are provider metadata, not registry values
        $props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' } | ForEach-Object {
            Add-Finding "Registry-Run" $rp $_.Name $_.Value "Medium" "T1547.001"
        }
    }
}

# ===== 2. Winlogon =====
Write-Host "[2/12] Winlogon..." -ForegroundColor Cyan
$wl = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -ErrorAction SilentlyContinue
if ($wl.Userinit -and $wl.Userinit -ne "C:\Windows\system32\userinit.exe,") {
    Add-Finding "Winlogon" "Winlogon\Userinit" "Userinit" $wl.Userinit "High" "T1547.004"
}
if ($wl.Shell -and $wl.Shell -ne "explorer.exe") {
    Add-Finding "Winlogon" "Winlogon\Shell" "Shell" $wl.Shell "High" "T1547.004"
}

# ===== 3. IFEO =====
Write-Host "[3/12] IFEO..." -ForegroundColor Cyan
$ifeoBase = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
Get-ChildItem $ifeoBase -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
    if ($p.Debugger) {
        Add-Finding "IFEO" $_.PSPath "Debugger" $p.Debugger "Critical" "T1546.012"
    }
    # 0x200 = FLG_MONITOR_SILENT_PROCESS_EXIT, the switch that arms SilentProcessExit
    if ($p.GlobalFlag -band 0x200) {
        Add-Finding "IFEO" $_.PSPath "GlobalFlag" ("0x{0:X}" -f $p.GlobalFlag) "Critical" "T1546.012"
    }
}
# SilentProcessExit
$spePath = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit"
if (Test-Path $spePath) {
    Get-ChildItem $spePath | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        Add-Finding "IFEO-SPE" $_.PSPath "MonitorProcess" $p.MonitorProcess "Critical" "T1546.012"
    }
}

# ===== 4. AppInit_DLLs / AppCert_DLLs =====
Write-Host "[4/12] AppInit/AppCert DLLs..." -ForegroundColor Cyan
foreach ($aiPath in @(
    "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
    "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows"
)) {
    if (Test-Path $aiPath) {
        $ai = Get-ItemProperty $aiPath
        if ($ai.AppInit_DLLs -and $ai.AppInit_DLLs.Trim() -ne "") {
            Add-Finding "AppInit_DLLs" $aiPath "AppInit_DLLs" $ai.AppInit_DLLs "Critical" "T1546.010"
        }
    }
}
# AppCertDLLs does not exist on a clean system; any value is a finding
$certPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDLLs"
if (Test-Path $certPath) {
    Get-ItemProperty $certPath | ForEach-Object {
        $_.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' } | ForEach-Object {
            Add-Finding "AppCert_DLLs" $certPath $_.Name $_.Value "Critical" "T1546.009"
        }
    }
}

# ===== 5. Services =====
Write-Host "[5/12] Services..." -ForegroundColor Cyan
Get-CimInstance Win32_Service | Where-Object { $_.StartMode -eq 'Auto' } | ForEach-Object {
    # Path heuristic only; malware inside system32 slips through, legitimate third-party
    # software is reported. Signatures are checked in the triage step, not here.
    if ($_.PathName -and $_.PathName -notmatch '(?i)system32|syswow64|microsoft|windows defender') {
        Add-Finding "Service" "Services\$($_.Name)" $_.DisplayName $_.PathName "Medium" "T1543.003"
    }
}

# ===== 6. Scheduled Tasks =====
Write-Host "[6/12] Scheduled Tasks..." -ForegroundColor Cyan
# Tasks under \Microsoft\ are skipped for volume; attackers do hide there, so review that
# folder separately (section 3) and remember SD-hidden tasks are invisible to this API.
Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' -and $_.TaskPath -notmatch '\\Microsoft\\' } |
    ForEach-Object {
        $actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join "; "
        Add-Finding "ScheduledTask" $_.TaskPath $_.TaskName $actions "Medium" "T1053.005"
    }

# ===== 7. WMI Event Subscriptions =====
Write-Host "[7/12] WMI Subscriptions..." -ForegroundColor Cyan
# Expected on a clean host: one binding "SCM Event Log Filter" -> "SCM Event Log Consumer".
# Get-WmiObject is Windows PowerShell only; use Get-CimInstance on PowerShell 7.
Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding -ErrorAction SilentlyContinue | ForEach-Object {
    Add-Finding "WMI" "root\subscription" "Binding" "$($_.Filter) -> $($_.Consumer)" "Critical" "T1546.003"
}
Get-WmiObject -Namespace root\subscription -Class __EventConsumer -ErrorAction SilentlyContinue | ForEach-Object {
    $detail = if ($_.CommandLineTemplate) { $_.CommandLineTemplate }
              elseif ($_.ScriptText) { $_.ScriptText.Substring(0, [Math]::Min(200, $_.ScriptText.Length)) }
              else { "N/A" }
    Add-Finding "WMI" "root\subscription" "$($_.__CLASS):$($_.Name)" $detail "Critical" "T1546.003"
}

# ===== 8. Startup Folders =====
Write-Host "[8/12] Startup Folders..." -ForegroundColor Cyan
@(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
) | ForEach-Object {
    Get-ChildItem $_ -Force -ErrorAction SilentlyContinue | ForEach-Object {
        Add-Finding "StartupFolder" $_.DirectoryName $_.Name $_.FullName "Medium" "T1547.001"
    }
}

# ===== 9. LSA Packages =====
Write-Host "[9/12] LSA Packages..." -ForegroundColor Cyan
$lsa = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -ErrorAction SilentlyContinue
$lsaAttck = @{
    "Authentication Packages" = "T1547.002"   # default: msv1_0
    "Security Packages"       = "T1547.005"   # SSPs
    "Notification Packages"   = "T1556.002"   # password filter DLLs; default: scecli (+rassfm on DCs)
}
foreach ($pkgSet in $lsaAttck.Keys) {
    $val = $lsa.$pkgSet
    if ($val) {
        Add-Finding "LSA" "Lsa" $pkgSet ($val -join ", ") "High" $lsaAttck[$pkgSet]
    }
}

# ===== 10. COM Hijacking (HKCU CLSID) =====
Write-Host "[10/12] COM Hijacking (HKCU)..." -ForegroundColor Cyan
$hkcuCLSID = "HKCU:\SOFTWARE\Classes\CLSID"
if (Test-Path $hkcuCLSID) {
    Get-ChildItem $hkcuCLSID -ErrorAction SilentlyContinue | ForEach-Object {
        $inproc = Join-Path $_.PSPath "InprocServer32"
        $local  = Join-Path $_.PSPath "LocalServer32"
        if (Test-Path $inproc) {
            $dll = (Get-ItemProperty $inproc -ErrorAction SilentlyContinue).'(default)'
            if ($dll) { Add-Finding "COM-HKCU" $inproc $_.PSChildName $dll "High" "T1546.015" }
        }
        if (Test-Path $local) {
            $exe = (Get-ItemProperty $local -ErrorAction SilentlyContinue).'(default)'
            if ($exe) { Add-Finding "COM-HKCU" $local $_.PSChildName $exe "High" "T1546.015" }
        }
    }
}

# ===== 11. Port Monitors =====
Write-Host "[11/12] Port Monitors..." -ForegroundColor Cyan
$monPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Print\Monitors"
Get-ChildItem $monPath -ErrorAction SilentlyContinue | ForEach-Object {
    $drv = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).Driver
    # Exclusion list = in-box Microsoft monitors; a renamed malicious DLL can still match it,
    # so verify the file in System32 during triage.
    if ($drv -and $drv -notmatch '(?i)^(localspl|AppMon|tcpmon|usbmon|WSDMon|FXSMON)\.dll$') {
        Add-Finding "PortMonitor" $_.PSPath $_.PSChildName $drv "Medium" "T1547.010"
    }
}

# ===== 12. Cmd AutoRun =====
Write-Host "[12/12] Cmd AutoRun..." -ForegroundColor Cyan
foreach ($arPath in @(
    "HKLM:\SOFTWARE\Microsoft\Command Processor",
    "HKCU:\SOFTWARE\Microsoft\Command Processor"
)) {
    if (Test-Path $arPath) {
        $ar = (Get-ItemProperty $arPath -ErrorAction SilentlyContinue).AutoRun
        if ($ar) { Add-Finding "CmdAutoRun" $arPath "AutoRun" $ar "High" "T1546" }
    }
}

# ===== Output =====
Write-Host "`n$('=' * 60)" -ForegroundColor Yellow
Write-Host "Sweep complete: $($results.Count) findings" -ForegroundColor Yellow

if (-not (Test-Path $outDir)) { New-Item -ItemType Directory -Path $outDir -Force | Out-Null }
$results | Export-Csv $outFile -NoTypeInformation -Encoding UTF8
Write-Host "Results written to: $outFile" -ForegroundColor Green

# Critical summary
$critical = $results | Where-Object { $_.Risk -eq "Critical" }
if ($critical) {
    Write-Host "`n[!] $($critical.Count) Critical findings:" -ForegroundColor Red
    $critical | Format-Table Category, Name, Value -AutoSize -Wrap
}
```

8.2 Usage

- Open PowerShell as administrator
- Save the script as Check-AllPersistence.ps1
- Run: `powershell -ExecutionPolicy Bypass -File Check-AllPersistence.ps1`
- Review the CSV, starting with the entries where Risk = Critical

9. Quick decision tree

Handling flow once a suspicious persistence entry has been found:

1. Confirm whether it is legitimate software
   - File signature: `Get-AuthenticodeSignature <path>`
   - File version info: `(Get-Item <path>).VersionInfo`
   - Look up the file hash on VirusTotal
2. Assign a risk level
   - Critical: IFEO Debugger, non-empty AppInit_DLLs, any WMI subscription other than the built-in SCM Event Log Filter/Consumer binding, any AppCertDLLs entry
   - High: non-default Winlogon values, HKCU COM hijack, unexpected LSA package, cmd AutoRun
   - Medium: service binary in a non-standard path, non-Microsoft scheduled task, unknown file in a Startup folder
3. Collect evidence
   - Export the registry key: `reg export <key> <file>.reg`
   - Hash and copy the malicious file for analysis before touching it
   - Record the timeline (registry key LastWriteTime, file MAC times, relevant event log entries)
4. Remediate
   - Remove the persistence entry (see the remediation commands in each section)
   - Delete or quarantine the malicious file
   - Verify the removal (re-run the sweep, reboot if the mechanism is boot-time)
5. Harden
   - Deploy monitoring rules (Sysmon / EDR) for the key or path involved
   - Restrict the permissions that allowed the write
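Step 1 of the tree is what turns the sweep's CSV into decisions, and doing it by hand for every row does not scale. The block below is an added example (not code from the original page) that reads findings, extracts the image path from each finding's command line, and collects signature status, signer, company name and SHA-256 in one table. The three sample rows are constructed here so it can be dry-run on any Windows host; for a real case replace them with `Import-Csv` on the sweep output. The command-line parsing is a best-effort assumption and will not unpack every launcher (rundll32, regsvr32, script interpreters) to its payload.

```powershell
# Added example: triage helper for the sweep CSV (signature, version, hash per finding)
function Resolve-ImagePath {
    param([string]$CommandLine)
    if (-not $CommandLine) { return $null }
    $cl = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())

    if ($cl -match '^"([^"]+)"') {
        $candidate = $matches[1]                      # quoted path: take it as-is
    } else {
        # Unquoted path that may contain spaces: grow token by token until a file exists
        $tokens = $cl -split '\s+'
        $candidate = $tokens[0]
        $acc = $tokens[0]
        for ($i = 1; $i -lt $tokens.Count; $i++) {
            if (Test-Path -LiteralPath $acc -PathType Leaf) { break }
            $acc = "$acc $($tokens[$i])"
        }
        if (Test-Path -LiteralPath $acc -PathType Leaf) { $candidate = $acc }
    }

    # Bare names (explorer.exe, svchost.exe -k ...) resolve the way the loader would
    if (-not [IO.Path]::IsPathRooted($candidate)) {
        $hit = Get-Command $candidate -ErrorAction SilentlyContinue
        $candidate = if ($hit) { $hit.Source } else { Join-Path $env:SystemRoot "System32\$candidate" }
    }
    return $candidate
}

function Get-FindingTriage {
    param([Parameter(ValueFromPipeline)] $Finding)
    process {
        $img    = Resolve-ImagePath $Finding.Value
        $exists = $img -and (Test-Path -LiteralPath $img -PathType Leaf)
        $sig    = if ($exists) { Get-AuthenticodeSignature -LiteralPath $img }
        $ver    = if ($exists) { (Get-Item -LiteralPath $img).VersionInfo }
        [PSCustomObject]@{
            Category  = $Finding.Category
            Name      = $Finding.Name
            Risk      = $Finding.Risk
            Image     = $img
            Exists    = [bool]$exists
            SigStatus = if ($sig) { $sig.Status } else { $null }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            Company   = if ($ver) { $ver.CompanyName } else { $null }
            SHA256    = if ($exists) { (Get-FileHash -LiteralPath $img -Algorithm SHA256).Hash } else { $null }
        }
    }
}

# Constructed sample rows in the sweep's CSV schema (dry run on any Windows host)
$sample = @(
    [PSCustomObject]@{ Category='Registry-Run'; Name='Demo1'; Value='"C:\Windows\System32\notepad.exe" /x';       Risk='Medium' },
    [PSCustomObject]@{ Category='Service';      Name='Demo2'; Value='%SystemRoot%\System32\svchost.exe -k netsvcs'; Risk='Medium' },
    [PSCustomObject]@{ Category='Winlogon';     Name='Shell'; Value='explorer.exe';                                 Risk='High' }
)
$sample | Get-FindingTriage | Format-Table Category, Name, Image, SigStatus, Company, SHA256 -AutoSize -Wrap

# Real run:
# Import-Csv C:\IR\Persistence_Check_<timestamp>.csv | Get-FindingTriage |
#     Export-Csv C:\IR\Persistence_Triage.csv -NoTypeInformation -Encoding UTF8
```

Sort the result by `SigStatus` and `Exists`: unsigned images, images whose file no longer exists (the registry entry outlived a cleanup, or the path is a dangling hijack target) and images whose `Company` does not match the claimed product are where to start; the SHA256 column is what goes into the VirusTotal lookup.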

10. ATT&CK persistence sub-technique mapping

| ATT&CK ID | Sub-technique | Checklist items |
|-----------|---------------|-----------------|
| T1547.001 | Registry Run Keys / Startup Folder | 1-8, 17-18, 27-28, 31-32, 39-40 |
| T1547.002 | Authentication Package | 35 |
| T1547.003 | Time Providers | 69 |
| T1547.004 | Winlogon Helper DLL | 9-11 |
| T1547.005 | Security Support Provider | 36, 38 |
| T1547.010 | Port Monitors | 64 |
| T1547.012 | Print Processors | 63 |
| T1547.014 | Active Setup | 33 |
| T1543.003 | Windows Service | 21-23, 45 |
| T1546.001 | Change Default File Association | 20 |
| T1546.002 | Screensaver | 68 |
| T1546.003 | Windows Management Instrumentation Event Subscription | 50-51 |
| T1546 | Event Triggered Execution (cmd AutoRun, no dedicated sub-technique) | 29-30 |
| T1546.007 | Netsh Helper DLL | 65 |
| T1546.008 | Accessibility Features | 70 |
| T1546.009 | AppCert DLLs | 16 |
| T1546.010 | AppInit DLLs | 15 |
| T1546.012 | Image File Execution Options Injection | 13-14 |
| T1546.015 | Component Object Model Hijacking | 24-26 |
| T1556.002 | Password Filter DLL | 37 |
| T1564.002 | Hidden Users | 12 |
| T1053.005 | Scheduled Task | 41, 47-48 |
| T1053.002 | At | 49 |
| T1037 | Boot or Logon Initialization Scripts | 43 |
| T1176 | Browser Extensions | 19 |
| T1137 | Office Application Startup | 66-67 |
| T1574.001 | DLL Search Order Hijacking | 61 |
| T1574.002 | DLL Side-Loading | 62 |
| T1484.001 | Group Policy Modification | 52-54 |
| T1207 | Rogue Domain Controller | 55 |
| T1134.005 | SID-History Injection | 58 |
| T1558.001 | Golden Ticket | 59 |
| T1556.001 | Domain Controller Authentication | 57 |

Full mapping: MITRE ATT&CK Persistence

Related references:

- Windows Incident Response/18 - Scheduled Task Persistence
- Windows Incident Response/19 - WMI Event Subscription Persistence
- Windows Incident Response/20 - Service and Driver Persistence
- Windows Incident Response/21 - COM Hijacking
- 22 - DLL Hijacking and Side-Loading
- Windows Incident Response/23 - Winlogon and Userinit Persistence
- Windows Incident Response/24 - Office Macro and Template Persistence
- 25 - IFEO and AppInit_DLLs Backdoors
- Windows Incident Response/26 - Screensaver and Accessibility Backdoors
- Windows Incident Response/27 - Domain Persistence
- Windows Incident Response/28 - Bootkit and UEFI Persistence
- Windows Incident Response/29 - Fileless Persistence
- 09 - Registry Persistence Audit

