Persistence (TA0003) Techniques
Introduction
Investigating persistence mechanisms in a network, Windows workstations, and server systems is crucial in understanding how attackers maintain access to compromised environments. Persistence allows attackers to regain entry even after initial entry points are closed, making it a critical aspect of forensic analysis.
Understand Common Persistence Techniques
Registry Keys: Autoruns, Run keys, and other registry locations where programs can be set to run on startup.
Startup Folders: Programs placed in these directories will automatically launch at startup.
Scheduled Tasks: Malicious tasks can be scheduled to run at specific times or intervals.
Service Creation: Malware can install itself as a service, which is automatically started by Windows.
DLL Hijacking: Malware replaces legitimate DLLs or adds malicious DLLs referenced by legitimate programs.
WMI Event Subscriptions: WMI can execute scripts or binaries in response to certain system events.
Account Manipulation: Creation of new user accounts or modification of existing accounts for future access.
Data Collection and Preservation
Forensic Imaging: Use tools like FTK Imager or dd to create images of affected systems.
Live System Data: If possible, gather live data, including running processes, network connections, and currently loaded drivers.
Log Collection: Collect security logs, system logs, application logs, and event logs.
Analysis Techniques
Registry Analysis: Use tools like Registry Explorer or RegRipper to analyse registry hives for unauthorised modifications.
File System Analysis: Tools like Autopsy or X-Ways can analyse file systems for suspicious files in startup directories, unusual file creation/modification dates, or hidden files.
Scheduled Task Analysis: Review Windows Task Scheduler for any unrecognised or suspicious tasks.
Service Analysis: Examine the list of installed services for unknown or modified services.
Log Analysis: Investigate logs for evidence of account creation, modification, or other signs of unauthorised access.
Investigate Common Persistence Locations
Autostart Locations: Check common autostart locations like
HKCU\Software\Microsoft\Windows\CurrentVersion\Run or HKLM\Software\Microsoft\Windows\CurrentVersion\Run.Startup Directories: Inspect directories like %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup.
Task Scheduler: Look for tasks that execute on system start or at regular intervals.
Services: Analyse the list of services (services.msc) for new or modified entries.
Network Analysis
Endpoint Detection and Response (EDR): Use EDR tools to monitor network traffic for signs of C2 communication.
SIEM Systems: Analyse aggregated logs for patterns indicative of persistence mechanisms.
6. Utilise Specialised Forensic Tools
Sysinternals Suite: Tools like Autoruns can help identify programs configured to run during system bootup.
PowerShell Scripts: Scripts like Get-Service, Get-ScheduledTask, or custom scripts can help identify anomalies.
Documentation and Reporting
Detailed Documentation: Keep a detailed record of all findings, methods used, and evidence paths.
Reporting: Prepare a comprehensive report outlining the persistence mechanisms found, their impact, and recommendations for remediation.
Remediation and Recovery
Remove Persistence Mechanisms: Based on findings, remove or disable the identified persistence mechanisms.
Strengthen Defenses: Update security policies, patch vulnerabilities, and adjust endpoint protection strategies.
Post-Incident Analysis
Review and Learn: Analyse the incident to understand how the persistence was established and improve defences accordingly.
Key Considerations
Legal and Compliance: Ensure compliance with legal and organisational guidelines.
Chain of Custody: Maintain a clear chain of custody for all forensic evidence.
Confidentiality: Ensure that sensitive data is handled appropriately.
Persistence investigation requires a comprehensive approach, leveraging various tools and techniques to uncover how attackers maintain access. Tailor your investigation to the specifics of the incident and the environment you are dealing with.
Using KQL to Investigate Persistence Activities in an Environment Using Defender/Sentinel
Persistence techniques allow adversaries to maintain access to a compromised system even after reboots or other interruptions.
1. T1547 - Boot or Logon Autostart Execution
Objective: Detect mechanisms that automatically execute code upon boot or user logon.
Detect Registry Run Key Modifications
Purpose: Identify changes to registry keys used to launch programs at startup.
Monitor Startup Folder for New Files
Purpose: Detect new files added to the Startup folder.
Detect New Service Creation
Purpose: Monitor for the installation of new services that could be used for persistence.
Identify New Scheduled Tasks
Purpose: Detect the creation of new scheduled tasks.
Monitor for Autorun Entries in the Registry
Purpose: Identify autorun entries that can be used to persist malicious code.
Detect Creation of WMI Event Subscriptions
Purpose: Monitor for the creation of WMI event subscriptions that can be used for persistence.
Identify Modifications to Userinit Key
Purpose: Detect modifications to the Userinit registry key, which can be used to launch programs at logon.
Monitor for DLLs Added to Startup Folders
Purpose: Detect DLL files added to startup folders for persistence.
Detect Modifications to Shell Registry Key
Purpose: Monitor for changes to the Shell registry key that can be used to persist malware.
Identify New Logon Scripts
Purpose: Detect new logon scripts that can be used for persistence.
2. T1053 - Scheduled Task/Job
Objective: Detect the creation or modification of scheduled tasks or jobs that persistently execute malicious code.
Detect Creation of New Scheduled Tasks
Purpose: Identify the creation of new scheduled tasks.
Monitor for Changes to Existing Scheduled Tasks
Purpose: Detect changes made to existing scheduled tasks.
Identify Scheduled Task Executing Suspicious Commands
Purpose: Monitor for scheduled tasks executing commands commonly used in attacks.
Detect Scheduled Task Execution
Purpose: Identify the execution of scheduled tasks.
Monitor for Scheduled Task Executions by Non-Admin Users
Purpose: Detect scheduled tasks being executed by non-administrative users.
Identify Scheduled Task Execution with Elevated Privileges
Purpose: Monitor for scheduled tasks running with elevated privileges.
Detect Suspicious Task Scheduler Executables
Purpose: Identify suspicious use of task scheduler executables.
Monitor for AT Command Usage
Purpose: Detect the use of the AT command to schedule tasks.
Identify Suspicious Scheduled Task Parameters
Purpose: Monitor for suspicious parameters in scheduled tasks.
Detect Creation of Hidden Scheduled Tasks
Purpose: Identify the creation of hidden or system-level scheduled tasks.
3. T1060 - Registry Run Keys / Startup Folder
Objective: Detect the use of registry run keys or startup folders to maintain persistence on a system.
Detect New Entries in Registry Run Keys
Purpose: Identify new or modified entries in registry run keys.
Monitor Startup Folder for New Executables
Purpose: Detect new executable files added to the Startup folder.
Identify DLLs Added to Registry Run Keys
Purpose: Detect DLLs added to registry run keys for persistence.
Monitor for Suspicious Modifications to RunOnce Keys
Purpose: Identify suspicious modifications to RunOnce registry keys.
Detect Executables Added to Startup Folders
Purpose: Monitor for executables added to Startup folders that could be used for persistence.
Identify Script Files Added to Startup Folders
Purpose: Detect script files added to Startup folders for persistence.
Monitor for Suspicious Entries in RunServices Keys
Purpose: Identify suspicious entries in RunServices registry keys.
Detect Modifications to Shell Registry Key
Purpose: Monitor for changes to the Shell registry key that may indicate persistence.
Identify Modifications to Userinit Key
Purpose: Detect modifications to the Userinit registry key for persistence.
Monitor for Unusual Activity in Common Startup Locations
Purpose: Detect unusual activity in common startup locations.
4. T1543 - Create or Modify System Process
Objective: Detect the creation or modification of system processes for persistence.
Detect New Service Creation
Purpose: Identify the installation of new services that could be used for persistence.
Monitor for Service Configuration Changes
Purpose: Detect changes to existing service configurations.
Identify Services Set to Auto Start
Purpose: Monitor for services configured to start automatically, which may be used for persistence.
Detect Services Running Executables from Non-Standard Locations
Purpose: Identify services running executables from unusual or non-standard locations.
Monitor for New Service Executables
Purpose: Detect new executables associated with services.
Identify Suspicious Service Descriptions
Purpose: Monitor for suspicious service descriptions that may indicate malicious intent.
Detect Modifications to System Services
Purpose: Identify modifications to system services by non-system accounts.
Monitor for Services with Elevated Privileges
Purpose: Detect services installed with elevated privileges.
Identify Services Executing Suspicious Commands
Purpose: Monitor for services executing suspicious commands.
Detect Services Executing Non-Executable Files
Purpose: Identify services configured to execute non-executable files.
5. T1176 - Browser Extensions
Objective: Detect the installation or modification of browser extensions that can be used for persistence.
Detect New Browser Extension Installation
Purpose: Identify the installation of new browser extensions.
Monitor for Changes to Existing Browser Extensions
Purpose: Detect modifications to existing browser extensions.
Identify Browser Extensions with Suspicious Permissions
Purpose: Monitor for browser extensions requesting suspicious permissions.
Detect Browser Extensions Executing Scripts
Purpose: Identify browser extensions executing JavaScript files.
Monitor for Unusual Activity in Browser Extension Folders
Purpose: Detect unusual activity in browser extension folders.
Identify Browser Extensions Making Network Requests
Purpose: Monitor for network requests made by browser extensions.
Detect Extensions Accessing Sensitive Files
Purpose: Identify browser extensions accessing sensitive files.
Monitor for Browser Extensions Installed by Non-Admin Users
Purpose: Detect browser extensions installed by non-administrative users.
Identify Browser Extensions Executing System Commands
Purpose: Monitor for browser extensions executing system commands.
Detect Browser Extensions with Elevated Privileges
Purpose: Identify browser extensions operating with elevated privileges.
6. T1546 - Event Triggered Execution
Objective: Detect the creation or modification of event triggers that persistently execute malicious code in response to specific events.
Detect Creation of WMI Event Filters
Purpose: Identify the creation of WMI event filters for persistence.
Monitor for Modification of WMI Event Filters
Purpose: Detect modifications to existing WMI event filters.
Identify WMI Event Consumers Creating or Modifying Files
Purpose: Monitor for WMI event consumers that create or modify files.
Detect WMI Event Consumers Executing Suspicious Commands
Purpose: Identify WMI event consumers executing suspicious commands.
Monitor for New or Modified System Log Event Filters
Purpose: Detect new or modified system log event filters.
Identify Task Scheduler Event Triggers
Purpose: Monitor for task scheduler event triggers associated with logon events.
Detect Creation of Hidden WMI Event Consumers
Purpose: Identify the creation of hidden WMI event consumers.
Monitor for Suspicious Event Triggers Related to User Activity
Purpose: Detect event triggers that execute in response to user activity.
Identify System Service Event Triggers
Purpose: Monitor for system services configured to trigger on specific events.
Detect Scheduled Task Event Triggers with Elevated Privileges
Purpose: Identify scheduled tasks with event triggers that run with elevated privileges.
Last updated