Persistence

From ATT&CK

Tactic Description

Persistence is any access, action, or configuration change to a system that gives an adversary a persistent presence on that system. Adversaries will often need to maintain access to systems through interruptions such as system restarts, loss of credentials, or other failures that would require a remote access tool to restart or alternate backdoor for them to regain access.

Techniques

Below is a list of all the Persistence techniques in ATT&CK:

Each entry below gives the technique name, the tactics it appears under, and its technical description.

Accessibility Features
Tactics: Persistence, Privilege Escalation

Windows contains accessibility features that may be launched with a key combination before a user has logged in (for example, when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.

Two of these accessibility programs are C:\Windows\System32\utilman.exe, launched when the Windows + U key combination is pressed, and C:\Windows\System32\sethc.exe, launched when the shift key is pressed five times. The program "sethc.exe" is often referred to as sticky keys, and has been used by adversaries for unauthenticated access through a remote desktop login screen.[1]

Depending on the version of Windows, an adversary may take advantage of these features in different ways:

On Windows XP and Windows Server 2003/R2, the program (e.g., C:\Windows\System32\utilman.exe) may be replaced with "cmd.exe" (or another program that provides backdoor access). Subsequently, pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over Remote Desktop Protocol will cause the replaced file to be executed with SYSTEM privileges.[2]

On Windows Vista and later as well as Windows Server 2008 and later, a Registry key may be modified that configures "cmd.exe," or another program that provides backdoor access, as a "debugger" for the accessibility program (e.g., "utilman.exe"). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with RDP will cause the "debugger" program to be executed with SYSTEM privileges.[2]

AppInit DLLs
Tactics: Persistence, Privilege Escalation

DLLs that are specified in the AppInit_DLLs value in the Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program. This value can be abused to obtain persistence by causing a DLL to be loaded into most processes on the computer.[3] The AppInit DLL functionality is disabled in Windows 8 and later versions when secure boot is enabled.[4]

Basic Input/Output System
Tactics: Persistence

The BIOS (Basic Input/Output System), which underlies the functionality of a computer, may be modified to perform or assist in malicious activity.[5]

Capabilities exist to overwrite the system firmware, which may give sophisticated adversaries a way to install malicious firmware updates as a means of persistence that may be difficult to detect.

The Unified Extensible Firmware Interface (UEFI) is a new specification for the interface between platform firmware and a computer operating system.[6]

Bootkit
Tactics: Persistence

A bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR).[7]

Adversaries may use bootkits to persist on systems at a layer below the operating system, which may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.

Master Boot Record

The MBR is the section of disk that is first loaded after completing hardware initialization by the BIOS. It is the location of the boot loader. An adversary who has raw access to the boot drive may overwrite this area, diverting execution during startup from the normal boot loader to adversary code.[8]

Volume Boot Record

The MBR passes control of the boot process to the VBR. Similar to the case of the MBR, an adversary who has raw access to the boot drive may overwrite the VBR to divert execution during startup to adversary code.

Change Default File Association
Tactics: Persistence

When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access.[9][10] Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.

Component Firmware
Tactics: Defense Evasion, Persistence

Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to Basic Input/Output System but conducted upon other system components that may not have the same capability or level of integrity checking. Malicious device firmware could provide both a persistent level of access to systems despite the typical events that would otherwise interrupt access, including hard disk re-images, as well as a way to evade host software-based defenses and integrity checks.

Component Object Model Hijacking
Tactics: Defense Evasion, Persistence

The Microsoft Component Object Model (COM) is a system within Windows to enable interaction between software components through the operating system.[11] Adversaries can use this system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. Hijacking a COM object requires a change in the Windows Registry to replace a reference to a legitimate system component, which may cause that component to not work when executed. When that system component is executed through normal system operation, the adversary's code will be executed instead.[12] An adversary is likely to hijack objects that are used frequently enough to maintain a consistent level of persistence, but are unlikely to break noticeable functionality within the system, so as to avoid system instability that could lead to detection.

DLL Search Order Hijacking
Tactics: Defense Evasion, Persistence, Privilege Escalation

Windows systems use a common method to look for required DLLs to load into a program.[13] Adversaries may take advantage of the Windows DLL search order and programs that ambiguously specify DLLs to gain privilege escalation and persistence.

Adversaries may perform DLL preloading, also called binary planting attacks,[14] by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program. Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL.[15] Adversaries may use this behavior to cause the program to load a malicious DLL.

Adversaries may also directly modify the way a program loads DLLs by replacing an existing DLL or modifying a .manifest or .local redirection file, directory, or junction to cause the program to load a different DLL to maintain persistence or privilege escalation.[16][17][18]

If a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program.

Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.
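As an added illustration (not code from the ATT&CK page), the following Python models the standard DLL search order so an auditor can list the directories the loader consults before the one that currently supplies a DLL; those are the locations to check for write access by low-privileged users or for an unexpected copy. The directory names, file list and SafeDllSearchMode flag are constructed inputs; KnownDLLs, already-loaded modules, manifests and .local redirection are deliberately not modelled.

```python
"""Simplified model of the Windows standard DLL search order (added example,
not ATT&CK code). KnownDLLs, already-loaded modules, manifests and .local
redirection short-circuit this order and are left out on purpose."""
from __future__ import annotations

# Fixed system locations, in the order the loader consults them.
SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]


def dll_search_order(app_dir: str, cwd: str, path_dirs: list[str],
                     safe_dll_search_mode: bool = True) -> list[str]:
    """Directories searched for a DLL requested by bare name, in order.
    With SafeDllSearchMode (the default since Windows XP SP2) the current
    directory is consulted only after the system directories; with it
    disabled the current directory comes right after the application's."""
    if safe_dll_search_mode:
        return [app_dir, *SYSTEM_DIRS, cwd, *path_dirs]
    return [app_dir, cwd, *SYSTEM_DIRS, *path_dirs]


def resolve_dll(name: str, app_dir: str, cwd: str, path_dirs: list[str],
                existing_files: set[str],
                safe_dll_search_mode: bool = True) -> str | None:
    """First existing copy of `name` the loader would pick, or None."""
    present = {p.lower() for p in existing_files}   # NTFS names are case-insensitive
    for d in dll_search_order(app_dir, cwd, path_dirs, safe_dll_search_mode):
        candidate = d.rstrip("\\") + "\\" + name
        if candidate.lower() in present:
            return candidate
    return None


def shadowing_dirs(name: str, app_dir: str, cwd: str, path_dirs: list[str],
                   existing_files: set[str],
                   safe_dll_search_mode: bool = True) -> list[str]:
    """Directories searched *before* the one that currently supplies `name`.
    Any of these that a low-privileged user can write to, or that is a remote
    share (the remote-preloading case), is an audit finding."""
    order = dll_search_order(app_dir, cwd, path_dirs, safe_dll_search_mode)
    hit = resolve_dll(name, app_dir, cwd, path_dirs, existing_files, safe_dll_search_mode)
    if hit is None:
        return order          # nothing found anywhere: every directory is a candidate
    hit_dir = hit.rsplit("\\", 1)[0].lower()
    before: list[str] = []
    for d in order:
        if d.lower() == hit_dir:
            break
        before.append(d)
    return before


# Constructed sample: an application under Program Files started with a
# document on a network share as its current directory.
APP_DIR = r"C:\Program Files\Example"
CWD = r"\\fileshare\docs"
PATH_DIRS = [r"C:\Windows\System32", r"C:\Tools"]
FILES = {
    r"C:\Program Files\Example\example.exe",
    r"C:\Windows\System32\version.dll",   # the legitimate copy
}

if __name__ == "__main__":
    print(resolve_dll("version.dll", APP_DIR, CWD, PATH_DIRS, FILES))
    print(shadowing_dirs("version.dll", APP_DIR, CWD, PATH_DIRS, FILES))
    print(shadowing_dirs("version.dll", APP_DIR, CWD, PATH_DIRS, FILES,
                         safe_dll_search_mode=False))
```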

File System Permissions Weakness
Tactics: Persistence, Privilege Escalation

Processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.

Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.

Services

Manipulation of Windows service binaries is one variation of this technique. Adversaries may replace a legitimate service executable with their own executable to gain persistence and/or privilege escalation to SYSTEM. Once the service is started, either directly by the user (requiring administrator privileges) or through some other means, such as a system restart if the service starts on bootup, the replaced executable will run instead of the original service executable.

Hypervisor
Tactics: Persistence

A type-1 hypervisor is a software layer that sits between the guest operating systems and the system's hardware.[19] It presents a virtual running environment to an operating system. An example of a common hypervisor is Xen.[20] A type-1 hypervisor operates at a level below the operating system and could be designed with Rootkit functionality to hide its existence from the guest operating system.[21] A malicious hypervisor of this nature could be used to persist on systems through interruptions.

Legitimate Credentials
Tactics: Defense Evasion, Persistence, Privilege Escalation

Adversaries may steal the credentials of a specific user or service account using Credential Access techniques. Compromised credentials may be used to bypass access controls placed on various resources on hosts and within the network and may even be used for persistent access to remote systems. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence. The overlap of credentials and permissions across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise.[22]

Local Port Monitor
Tactics: Persistence, Privilege Escalation

A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup.[23] This DLL must be located in C:\Windows\System32 and will be loaded by the print spooler service, spoolsv.exe, on boot.[24] Adversaries can use this technique to load malicious code at startup that will persist on system reboot. This same functionality is achieved by creating specifically formatted Registry keys at HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors.[24]

Logon Scripts
Tactics: Lateral Movement, Persistence

Windows allows logon scripts to be run whenever a specific user or group of users log into a system.[25] The scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server. If adversaries can access these scripts, they may insert additional code into the logon script to execute their tools when a user logs in. This code can allow them to maintain persistence on a single system, if it is a local script, or to move laterally within a network, if the script is stored on a central server and pushed to many systems. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.

Modify Existing Service
Tactics: Persistence

Windows service configuration information, including the file path to the service's executable, is stored in the Registry. Service configurations can be modified using utilities such as sc.exe and Reg. Adversaries can modify an existing service to persist malware on a system by using system utilities or by using custom tools to interact with the Windows API. Use of existing services is a type of Masquerading that may make detection analysis more challenging. Modifying existing services may interrupt their functionality or may enable services that are disabled or otherwise not commonly used.

New Service
Tactics: Persistence, Privilege Escalation

When operating systems boot up, they can start programs or applications called services that perform background system functions.[26] A service's configuration information, including the file path to the service's executable, is stored in the Windows Registry. Adversaries may install a new service that can be configured to execute at startup by using utilities to interact with services or by directly modifying the Registry. The service name may be disguised by using a name from a related operating system or benign software with Masquerading. Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM. Adversaries may also directly start services through Service Execution.

Path Interception
Tactics: Persistence, Privilege Escalation

Path interception occurs when an executable is placed in a specific path so that it is executed by an application instead of the intended target. One example of this was the use of a copy of cmd in the current working directory of a vulnerable application that loads a CMD or BAT file with the CreateProcess function.[27]

There are multiple distinct weaknesses or misconfigurations that adversaries may take advantage of when performing path interception: unquoted paths, path environment variable misconfigurations, and search order hijacking. The first vulnerability deals with full program paths, while the second and third occur when program paths are not specified. These techniques can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process.

Unquoted Paths

Service paths (stored in Windows Registry keys)[28] and shortcut paths are vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks (e.g., C:\unsafe path with space\program.exe vs. "C:\safe path with space\program.exe").[29] An adversary can place an executable in a higher level directory of the path, and Windows will resolve that executable instead of the intended executable. For example, if the path in a shortcut is C:\program files\myapp.exe, an adversary may create a program at C:\program.exe that will be run instead of the intended program.

PATH Environment Variable Misconfiguration

The PATH environment variable contains a list of directories. Certain methods of executing a program (namely using cmd.exe or the command-line) rely solely on the PATH environment variable to determine the locations that are searched for a program when the path for the program is not given. If any directories are listed in the PATH environment variable before the Windows directory, %SystemRoot%\system32 (e.g., C:\Windows\system32), a program may be placed in the preceding directory that is named the same as a Windows program (such as cmd, PowerShell, or Python), which will be executed when that command is executed from a script or command-line.

For example, if C:\example path precedes C:\Windows\system32 in the PATH environment variable, a program named net.exe placed in C:\example path will be called instead of the Windows system "net" when "net" is executed from the command-line.

Search Order Hijacking

Search order hijacking occurs when an adversary abuses the order in which Windows searches for programs that are not given a path. The search order differs depending on the method that is used to execute the program.[30][31][32] However, it is common for Windows to search in the directory of the initiating program before searching through the Windows system directory. An adversary who finds a program vulnerable to search order hijacking (i.e., a program that does not specify the path to an executable) may take advantage of this vulnerability by creating a program named after the improperly specified program and placing it within the initiating program's directory.

For example, suppose "example.exe" runs "cmd.exe" with the command-line argument net user. If an adversary places a program called "net.exe" within the same directory as example.exe, "net.exe" will be run instead of the Windows system utility net. In addition, if an adversary places a program called "net.com" in the same directory as "net.exe", then cmd.exe /C net user will execute "net.com" instead of "net.exe" due to the order of executable extensions defined under PATHEXT.[33]

Search order hijacking is also a common practice for hijacking DLL loads and is covered in DLL Search Order Hijacking.

Redundant Access
Tactics: Defense Evasion, Persistence

Adversaries may use more than one remote access tool with varying command and control protocols as a hedge against detection. If one type of tool is detected and blocked or removed as a response but the organization did not gain a full understanding of the adversary's tools and access, then the adversary will be able to retain access to the network. Adversaries may also attempt to gain access to Legitimate Credentials to use remote services such as external VPNs as a way to maintain access despite interruptions to remote access tools deployed within a target network.[34] Use of a Web Shell is one such way to maintain access to a network through an externally accessible Web server.

Registry Run Keys / Start Folder
Tactics: Persistence

Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.[35] The program will be executed under the context of the user and will have the account's associated permissions level. Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use Masquerading to make the Registry entries look as if they are associated with legitimate programs.

Scheduled Task
Tactics: Execution, Persistence, Privilege Escalation

Utilities such as at and schtasks, along with the Windows Task Scheduler, can be used to schedule programs or scripts to be executed at a date and time. The account used to create the task must be in the Administrators group on the local system. A task can also be scheduled on a remote system, provided the proper authentication is met to use RPC and file and printer sharing is turned on.[36] An adversary may use task scheduling to execute programs at system startup or on a scheduled basis for persistence, to conduct remote Execution as part of Lateral Movement, to gain SYSTEM privileges, or to run a process under the context of a specified account.

Security Support Provider
Tactics: Persistence

Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user's Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages and HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.[37]

Service Registry Permissions Weakness
Tactics: Persistence, Privilege Escalation

If the permissions for users and groups to access the binPath/ImagePath Registry value for a service are not properly secured, adversaries can change the path to point to a different executable under their control. When the service starts or is restarted, the adversary-controlled program will execute.

Shortcut Modification
Tactics: Persistence

Shortcuts or symbolic links are ways of referencing other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process. Adversaries could use shortcuts to execute their tools for persistence. They may create a new shortcut as a means of indirection that may use Masquerading to look like a legitimate program. Adversaries could also edit the target path or entirely replace an existing shortcut so their tools will be executed instead of the intended legitimate program.

Web Shell
Tactics: Persistence, Privilege Escalation

A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server. In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (see, for example, China Chopper Web shell client).[38] Web shells may serve as Redundant Access or as a persistence mechanism in case an adversary's primary access methods are detected and removed.

Windows Management Instrumentation Event Subscription
Tactics: Persistence

Windows Management Instrumentation (WMI) can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. Adversaries may attempt to evade detection of this technique by compiling WMI scripts.[39] Examples of events that may be subscribed to are the wall clock time or the computer's uptime.[40] Several threat groups have reportedly used this technique to maintain persistence.[41]

Winlogon Helper DLL
Tactics: Persistence

Winlogon is a part of some Windows versions that performs actions at logon. In Windows systems prior to Windows Vista, a Registry key can be modified that causes Winlogon to load a DLL on startup. Adversaries may take advantage of this feature to load adversarial code at startup for persistence.

References

  1. Glyer, C., Kazanciyan, R. (2012, August 20). The "Hikit" Rootkit: Advanced and Persistent Attack Techniques (Part 1). Retrieved June 6, 2016.
  2. Tilbury, C. (2014, August 28). Registry Analysis with CrowdResponse. Retrieved November 12, 2014.
  3. Microsoft. (2006, October). Working with the AppInit_DLLs registry value. Retrieved July 15, 2015.
  4. Microsoft. (n.d.). AppInit DLLs and Secure Boot. Retrieved July 15, 2015.
  5. Wikipedia. (n.d.). BIOS. Retrieved January 5, 2016.
  6. UEFI Forum. (n.d.). About UEFI Forum. Retrieved January 5, 2016.
  7. Mandiant. (2016, February). M-Trends 2016. Retrieved January 4, 2017.
  8. Lau, H. (2011, August 8). Are MBR Infections Back in Fashion? (Infographic). Retrieved November 13, 2014.
  9. Microsoft. (n.d.). Change which programs Windows 7 uses by default. Retrieved July 26, 2016.
  10. Microsoft. (n.d.). Specifying File Handlers for File Name Extensions. Retrieved November 13, 2014.
  11. Microsoft. (n.d.). The Component Object Model. Retrieved August 18, 2016.
  12. G DATA. (2014, October). COM Object hijacking: the discreet way of persistence. Retrieved August 13, 2016.
  13. Microsoft. (n.d.). Dynamic-Link Library Search Order. Retrieved November 30, 2014.
  14. OWASP. (2013, January 30). Binary planting. Retrieved June 7, 2016.
  15. Microsoft. (2010, August 22). Microsoft Security Advisory 2269637 Released. Retrieved December 5, 2014.
  16. Microsoft. (n.d.). Dynamic-Link Library Redirection. Retrieved December 5, 2014.
  17. Microsoft. (n.d.). Manifests. Retrieved December 5, 2014.
  18. Mandiant. (2010, August 31). DLL Search Order Hijacking Revisited. Retrieved December 5, 2014.
  19. Wikipedia. (2016, May 23). Hypervisor. Retrieved June 11, 2016.
  20. Wikipedia. (n.d.). Xen. Retrieved November 13, 2014.
  21. Myers, M., and Youndt, S. (2007). An Introduction to Hardware-Assisted Virtual Machine (HVM) Rootkits. Retrieved November 13, 2014.
  22. Microsoft. (2016, April 15). Attractive Accounts for Credential Theft. Retrieved June 3, 2016.
  23. Microsoft. (n.d.). AddMonitor function. Retrieved November 12, 2014.
  24. Bloxham, B. (n.d.). Getting Windows to Play with Itself [PowerPoint slides]. Retrieved November 12, 2014.
  25. Microsoft. (2005, January 21). Creating logon scripts. Retrieved April 27, 2016.
  26. Microsoft. (n.d.). Services. Retrieved June 7, 2016.
  27. Nagaraju, S. (2014, April 8). MS14-019 - Fixing a binary hijacking via .cmd or .bat file. Retrieved July 25, 2016.
  28. Microsoft. (n.d.). CurrentControlSet\Services Subkey Entries. Retrieved November 30, 2014.
  29. Baggett, M. (2012, November 8). Help eliminate unquoted path vulnerabilities. Retrieved December 4, 2014.
  30. Microsoft. (n.d.). CreateProcess function. Retrieved December 5, 2014.
  31. Hill, T. (n.d.). Windows NT Command Shell. Retrieved December 5, 2014.
  32. Microsoft. (n.d.). WinExec function. Retrieved December 5, 2014.
  33. Microsoft. (n.d.). Environment Property. Retrieved July 27, 2016.
  34. Mandiant. (n.d.). APT1: Exposing One of China's Cyber Espionage Units. Retrieved July 18, 2016.
  35. Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November 12, 2014.
  36. Microsoft. (2005, January 21). Task Scheduler and security. Retrieved June 8, 2016.
  37. Graeber, M. (2014, October). Analysis of Malicious Security Support Provider DLLs. Retrieved June 24, 2015.
  38. Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015.
  39. Dell SecureWorks Counter Threat Unit (CTU) Research Team. (2016, March 28). A Novel WMI Persistence Implementation. Retrieved March 30, 2016.
  40. Kazanciyan, R. & Hastings, M. (2014). Investigating PowerShell Attacks [DEF CON 22 slides]. Retrieved November 3, 2014.
  41. Mandiant. (2015, February 24). M-Trends 2015: A View from the Front Lines. Retrieved May 18, 2016.