Phase 2·T1059.001·Moderate

PowerShell + Persistence Indicator Correlation

Tie PowerShell execution to Run-key writes, scheduled tasks, or service installs.

#Wazuh #Correlation #ATT&CK

Detection Objective

Alert when a PowerShell process is followed by a persistence artifact (T1547, T1053, T1543).

Real-World Attack Scenario

Loader executes, then writes HKCU\...\Run\Updater pointing back at itself.

Why This Detection Matters

Persistence is the adversary's commitment moment — catch it.

ATT&CK Mapping

T1059.001 · PowerShell
Tactic: Execution

Required Telemetry

  • Sysmon EID 1 (process create), EID 12/13 (registry key create / value set), EID 11 (file create)
  • Windows Security 4698 (scheduled task created), 4697 (service installed)
Windows Event IDs
4698, 4697
Sysmon Event IDs
1, 11, 12, 13
Wazuh Log Source
Sysmon/Operational + Security

Setup Steps

  1. Deploy a Sysmon configuration with registry rules (EID 12/13) covering the Run and RunOnce keys and file-create rules (EID 11) covering startup locations. Enable the Security audit subcategories that produce the two Windows events: 4698 comes from Object Access > Audit Other Object Access Events, 4697 from System > Audit Security System Extension. Collect both Microsoft-Windows-Sysmon/Operational and Security through the Wazuh agent (eventchannel format) so the two stages land in the same manager.

Safe Validation Command

Create an inert Run-key value from PowerShell. The value points at notepad.exe, so nothing harmful runs at next logon; delete the DetectionTest value once the alert has been confirmed.
powershell.exe -c "New-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name DetectionTest -Value 'notepad.exe' -PropertyType String -Force"
⚠ lab use only · this project does not execute real malware

Expected Log Output

Sysmon EID 13 (RegistryEvent, value set) with TargetObject ending in \Run\DetectionTest and Details = notepad.exe. Sysmon writes HKCU paths as HKU\<user SID>\..., so match on the \Run\ suffix rather than on an HKCU prefix. The EID 13 carries the same ProcessGuid as the preceding EID 1 for powershell.exe; that pair is what the rule joins.

Detection Logic (Wazuh rule concept)

Stage 1: Sysmon EID 1 with Image ending in powershell.exe (or pwsh.exe). Stage 2, within 5 minutes on the same host: a Sysmon EID 12/13 whose TargetObject contains \Run\ or \RunOnce\, a Sysmon EID 11 in a startup location, Security 4698 (scheduled task created) or Security 4697 (service installed). Join the Sysmon events on ProcessGuid. Security 4698/4697 carry no ProcessGuid, so join them on host and user (SubjectUserName/SubjectDomainName against the EID 1 User) and treat that as a weaker link. In Wazuh this is a rule on the stage-1 event plus a second rule that references it with if_matched_sid and a 300-second timeframe, constrained to the same agent and join field.

False Positives

  • IT onboarding scripts that set Run keys

Tuning Recommendations

  • Allowlist by the Authenticode signer of the onboarding script (verify the thumbprint out of band; Sysmon EID 1 does not carry it) and by a known IT path in the Run-key value or script location. Never allowlist on the powershell.exe image or the parent alone.
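The two-stage logic from the Detection Logic section and the allowlist tuning above, as an added example in plain Python rather than Wazuh rule XML (this is not code from the page or from Wazuh). It runs the correlation over constructed sample events that imitate flattened decoder output; the field names (ts, host, channel, eid, process_guid, user, image, target_object, details, target_filename, task_name, service_name) and the managed IT path are assumptions. It goes beyond the Run-key case in the text: Security 4698/4697, which have no ProcessGuid, are joined on host and user, and the alert records which join was used.

```python
"""Two-stage correlation: PowerShell EID 1 -> persistence artifact within 5 min.

Added example (not part of the original page or of Wazuh's rule engine).
Events are dicts imitating flattened decoder output; field names are assumed.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")
RUN_KEYS = ("\\run\\", "\\runonce\\")        # Sysmon renders HKCU as HKU\<SID>\...
STARTUP_DIR = "\\start menu\\programs\\startup\\"
# Tuning assumption: Run values pointing into this managed IT path are benign.
KNOWN_IT_PATHS = ("c:\\programdata\\corpit\\",)


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def _is_powershell(image):
    return image.lower().rsplit("\\", 1)[-1] in POWERSHELL_IMAGES


def classify_persistence(ev):
    """Return (technique, artifact) when ev is a persistence write, else None."""
    ch, eid = ev["channel"], ev["eid"]
    if ch == "Sysmon" and eid in (12, 13):
        target = ev.get("target_object", "")
        if any(k in target.lower() for k in RUN_KEYS):
            return "T1547.001", target
    if ch == "Sysmon" and eid == 11 and STARTUP_DIR in ev.get("target_filename", "").lower():
        return "T1547.001", ev["target_filename"]
    if ch == "Security" and eid == 4698:
        return "T1053.005", ev.get("task_name", "")
    if ch == "Security" and eid == 4697:
        return "T1543.003", ev.get("service_name", "")
    return None


def correlate(events, window=WINDOW):
    """Alerts for persistence artifacts that follow a PowerShell start.

    Sysmon artifacts join on (host, ProcessGuid). Security 4698/4697 carry no
    ProcessGuid, so they join on (host, user) to the latest PowerShell start.
    """
    by_guid, by_user, alerts = {}, {}, []
    for ev in sorted(events, key=lambda e: _ts(e["ts"])):
        when = _ts(ev["ts"])
        if ev["channel"] == "Sysmon" and ev["eid"] == 1:
            if _is_powershell(ev["image"]):       # stage 1: remember PowerShell starts
                by_guid[(ev["host"], ev["process_guid"])] = (when, ev)
                by_user[(ev["host"], ev["user"].lower())] = (when, ev)
            continue
        hit = classify_persistence(ev)             # stage 2: persistence artifact
        if hit is None:
            continue
        technique, artifact = hit
        if ev["channel"] == "Sysmon":
            origin, join = by_guid.get((ev["host"], ev.get("process_guid"))), "process_guid"
        else:
            origin, join = by_user.get((ev["host"], ev.get("user", "").lower())), "user"
        if origin is None or not (timedelta(0) <= when - origin[0] <= window):
            continue
        if technique == "T1547.001" and ev.get("details", "").lower().startswith(KNOWN_IT_PATHS):
            continue                               # tuning: known IT path allowlisted
        alerts.append({
            "host": ev["host"], "user": origin[1]["user"], "technique": technique,
            "artifact": artifact, "origin_guid": origin[1]["process_guid"],
            "join": join, "delta_s": int((when - origin[0]).total_seconds()),
        })
    return alerts


SID = "S-1-5-21-1004336348-1177238915-682003330-1001"
RUN = "HKU\\" + SID + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
HOST = "WIN10-LAB-01"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

# Constructed sample telemetry (not real logs); first two are deliberately out of order.
SAMPLE_EVENTS = [
    {"ts": "2026-05-26T14:32:12Z", "host": HOST, "channel": "Sysmon", "eid": 13,
     "process_guid": "{G1}", "target_object": RUN + "DetectionTest", "details": "notepad.exe"},
    {"ts": "2026-05-26T14:32:11Z", "host": HOST, "channel": "Sysmon", "eid": 1,
     "process_guid": "{G1}", "user": "CORP\\j.doe", "image": PS},
    # task created by the same user 2 min 49 s later: no ProcessGuid, joined on user
    {"ts": "2026-05-26T14:35:00Z", "host": HOST, "channel": "Security", "eid": 4698,
     "user": "CORP\\j.doe", "task_name": "\\Updater"},
    # cmd.exe writing a Run key: not PowerShell, so outside this rule
    {"ts": "2026-05-26T14:36:00Z", "host": HOST, "channel": "Sysmon", "eid": 1,
     "process_guid": "{G2}", "user": "CORP\\j.doe", "image": "C:\\Windows\\System32\\cmd.exe"},
    {"ts": "2026-05-26T14:36:05Z", "host": HOST, "channel": "Sysmon", "eid": 13,
     "process_guid": "{G2}", "target_object": RUN + "Other", "details": "C:\\Temp\\x.exe"},
    # IT onboarding: pwsh.exe sets a Run value into the managed path -> allowlisted
    {"ts": "2026-05-26T15:00:00Z", "host": HOST, "channel": "Sysmon", "eid": 1,
     "process_guid": "{G3}", "user": "CORP\\svc_it", "image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe"},
    {"ts": "2026-05-26T15:00:01Z", "host": HOST, "channel": "Sysmon", "eid": 13,
     "process_guid": "{G3}", "target_object": RUN + "CorpAgent", "details": "C:\\ProgramData\\CorpIT\\agent.exe"},
    # service installed by j.doe 40 min after the PowerShell start: outside the window
    {"ts": "2026-05-26T15:12:11Z", "host": HOST, "channel": "Security", "eid": 4697,
     "user": "CORP\\j.doe", "service_name": "UpdSvc"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Running it yields two alerts, both tied to {G1}: the Run-key write one second after the PowerShell start (joined on ProcessGuid) and the scheduled task 169 seconds later (joined on user). The cmd.exe write, the allowlisted IT agent and the late service install produce nothing. The join field in each alert is the triage hint: a user-joined Security event needs the task XML or service ImagePath pulled to confirm it really came from the PowerShell process.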

Analyst Triage Notes

  • Dump the persistence artifact (the Run value data, the task XML, or the service ImagePath) together with the originating script or command line, and check whether the artifact points back at the PowerShell payload, as in the loader scenario above.

Detection Improvement Ideas

  • Auto-revert persistence in lab via SOAR.

log analysis layer

Detection is not complete until the logs prove what happened. The sections below show the telemetry produced by the validation above, how to read it like an analyst, and why this pattern matters.

siem · log evidence
rule 100627 · PowerShell + Persistence Indicator Correlation · Sysmon/Operational + Security
Event ID: Sysmon EID 1
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent: C:\Windows\explorer.exe
CommandLine: powershell.exe -c "New-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name DetectionTest -Value 'notepad.exe' -PropertyType String -Force"
User: CORP\j.doe
Agent: WIN10-LAB-01
Timestamp: 2026-05-26T14:32:11Z
analyst note: Dump the persistence artifact and the originating script.

Parent → Child Analysis

explorer.exe → powershell.exe is the normal lineage for an interactive console or shortcut launch; review whether it is expected for WIN10-LAB-01 and user CORP\j.doe. The same persistence write under an Office application, a browser, or wscript.exe as the parent would carry far more weight.

Command-Line Flags Observed

  • (no high-risk flags in this test)
    Signal value comes from context (parent, network, persistence) rather than flags.

Parsed Fields the Analyst Reads

  • Image: process binary that executed; confirms PowerShell.
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  • ParentImage: who launched it; context for legitimacy.
    C:\Windows\explorer.exe
  • CommandLine: arguments; where attacker intent shows up.
    powershell.exe -c "New-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name DetectionTest -Value 'notepad.exe' -PropertyType String -Force"
  • User: account context (service vs interactive vs SYSTEM).
    CORP\j.doe
  • EventID: telemetry channel and event type.
    Sysmon EID 1
  • Wazuh Rule ID: rule that matched and produced this alert.
    100627
  • Agent: endpoint that produced the telemetry.
    WIN10-LAB-01
  • Timestamp: when it happened; anchor for correlation.
    2026-05-26T14:32:11Z

Malicious Pattern

pattern
PowerShell + Persistence Indicator Correlation
description
Loader executes, then writes HKCU\...\Run\Updater pointing back at itself.
analyst takeaway
Persistence is the adversary's commitment moment — catch it. Treat this signal as higher-risk when combined with suspicious parents, hidden windows, download cradles, or unusual user context.

proof the detection worked

test command
powershell.exe -c "New-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name DetectionTest -Value 'notepad.exe' -PropertyType String -Force"
expected events
Sysmon EID 1 on WIN10-LAB-01 with Image=powershell.exe and the validation command above in CommandLine, followed within seconds by Sysmon EID 13 with the same ProcessGuid and TargetObject ending in \Run\DetectionTest.
expected wazuh alert
Wazuh rule 100627 — "PowerShell + Persistence Indicator Correlation" fires at a level matching severity=high on the second (EID 13) event, referencing the EID 1 match.
confirming log fields
Image, ParentImage, CommandLine, User and EventID on the EID 1; ProcessGuid, TargetObject and Details on the paired EID 13.
analyst interpretation
The EID 1 fields prove PowerShell ran with the validation command under CORP\j.doe from explorer.exe. The paired EID 13, sharing its ProcessGuid and naming \Run\DetectionTest, satisfies the persistence clause. Both records are needed to claim the correlation fired; the EID 1 alone proves only execution.
conclusion
Detection succeeded when both stages were captured, the correlation rule matched on the EID 13, and the alert reached the analyst with the process context needed to triage.