+ Purpose
Once a compromise succeeds, the next important step is to make sure that access to the infrastructure can be sustained. This is where persistence comes into play. In this article we take a look at some of the most common approaches used by attackers (and thus reused by Red Teamers) to maintain persistence after the initial breach. In the upcoming sub-chapters of this section we will dive deeper into the actual attacks.
+ Software Based
Most data breaches happen remotely, which is why persistence techniques are in most cases software based. Some of them rely purely on configuration changes to the affected system or environment; others require malicious software to be deployed. In practice the most reliable result is achieved by combining the two approaches.
++ Configuration
The complexity of modern operating systems leaves a lot of avenues for malicious configuration changes that might allow intruders to remain hidden and present within the infected host or network. The following list is a brief summary of some configuration changes that allow an attacker to sustain or extend prolonged access to the target infrastructure.
- User accounts and roles. In many cases during a data breach or a Red Teaming engagement some sort of user manipulation takes place. For example, the two most common methods for persistence when it comes to user accounts are creating a new user and adding an existing user to privileged (administrator) groups. These changes allow the attacker to persist within the infrastructure even if the initially compromised user account is recycled (its password is changed or the account is removed).
- Startup applications. Most operating systems have various ways to (re)launch programs at startup. This feature is commonly (ab)used by attackers to ensure that their backdoor malware is executed again after a reboot. While there are many ways to achieve this, the most common approaches are specific registry keys and specific files/folders that are looked up during the system's startup for software that needs to be launched. This configuration technique is often combined with additional malicious software previously deployed onto the system, but in some cases a fileless approach (example1, example2) can be taken to get around such a limitation.
- Firewall. Some persistence mechanisms require firewall changes. For example, after enabling Remote Desktop Protocol for remote access it is necessary to configure the host (and possibly a network) firewall to allow incoming connections. Similarly, other network traffic might be blocked by default, so modifying firewall rules might allow an attacker/Red Teamer to reach the target host from an external network or enable the malware to communicate with its external command and control server.
- Other changes. As mentioned earlier, modern operating systems have a lot of features that can be exploited for persistence. This includes functionality such as scheduled tasks or cron jobs, authentication handlers, file system attributes, third-party software (for example browsers and their extensions), firmware, etc. In addition to targeting the victim's operating system, an attacker could create additional VPN and email user accounts and grant those accounts excessive permissions (such as the ability to read everyone's email). Finally, exploitation of network devices and services, such as routers, printers or IoT devices, could allow prolonged persistence within the environment.
While most professional attackers and Red Teamers are capable of performing the necessary configuration changes manually (which is sometimes more effective in terms of evasion), they usually automate such activities through scripts and their malware. Some open source tools, such as PowerSploit's persistence module (mirror), are publicly available, making this task easy to perform even for newcomers.
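The configuration changes listed above each leave a trace in the Windows event logs. The following added example (not code from the original article) runs a small detection pass over constructed event records standing in for a SIEM export, flagging account creation, privileged group membership changes, scheduled task creation, firewall exceptions and new services, and then counts how many distinct techniques a single actor touched, since one account doing several of these in a short window is the pattern worth escalating. The event IDs are the standard Windows Security/System log IDs; the privileged group list is an assumption.

```python
# Added example (not from the original article): a detection pass over Windows
# Security/System events for the changes listed above; records are constructed.
from collections import defaultdict

PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Remote Desktop Users"}  # assumed

def describe_group_add(e):
    """4728/4732: only additions to privileged groups are findings."""
    if e.get("group") in PRIVILEGED_GROUPS:
        return f"{e['target']} added to privileged group {e['group']}"
    return None

# Event ID -> function returning a finding string, or None to ignore the record.
RULES = {
    4720: lambda e: f"user account created: {e['target']}",
    4728: describe_group_add,
    4732: describe_group_add,
    4698: lambda e: f"scheduled task created: {e['task']}",
    4946: lambda e: f"firewall exception added: {e['rule']}",
    7045: lambda e: f"new service installed: {e['service']}",
}

def flag_persistence(events):
    """Return (host, subject, event_id, finding) for each record matching a rule."""
    hits = []
    for e in events:
        rule = RULES.get(e["id"])
        finding = rule(e) if rule else None
        if finding:
            hits.append((e["host"], e["subject"], e["id"], finding))
    return hits

def score_subjects(hits):
    """Distinct persistence techniques per (host, subject): one actor touching
    several of them in a single batch is the pattern worth escalating."""
    techniques = defaultdict(set)
    for host, subject, event_id, _ in hits:
        techniques[(host, subject)].add(event_id)
    return {key: len(ids) for key, ids in techniques.items()}

# Constructed sample batch: one account does the whole chain on WS01; a logon
# and a non-privileged group change are included as benign noise.
SAMPLE_EVENTS = [
    {"id": 4624, "host": "WS01", "subject": "alice"},
    {"id": 4720, "host": "WS01", "subject": "alice", "target": "svc_backup"},
    {"id": 4732, "host": "WS01", "subject": "alice", "target": "svc_backup", "group": "Administrators"},
    {"id": 4732, "host": "WS02", "subject": "bob", "target": "carol", "group": "Users"},
    {"id": 4698, "host": "WS01", "subject": "alice", "task": "\\Vendor\\Updater"},
    {"id": 4946, "host": "WS01", "subject": "alice", "rule": "Allow inbound 3389"},
    {"id": 7045, "host": "SRV01", "subject": "SYSTEM", "service": "UpdaterSvc"},
]
```

Registry-based startup entries (Run keys) only show up in the Security log as 4657 when a SACL is set on the key, so they are better covered by the baseline comparison approach in the Defenses section.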
++ Malicious Software
There are very few cases in which a data breach does not involve some kind of malware. APTs and Red Teamers use malware (sometimes called implants, agents, etc.) to maintain access to a compromised system and to help navigate through the network. Let's look at some of the properties a typical piece of malware possesses.
- Persistence capabilities. To sustain prolonged access to the environment (necessary to complete the mission) the malware must support various persistence techniques. The more sophisticated the malware, the stealthier and more innovative the approaches implemented in its code, which makes detection more challenging.
- Credential harvesting. A very common technique for lateral movement is gathering credentials from the infected system or from computers connected to the local network. One of the most common features every piece of malware implements (or can add via extensions) is credential harvesting from web browsers (both cached credentials and credentials that pass through the browser without ever being saved), file transfer software (FTP, SCP, Git, etc.), Windows/Mac/Linux operating system credentials (current user, cached credentials, Wi-Fi, etc.) and so on.
- Basic operations. Such operations include directory listing, file search, file upload/download, execution of files and system commands, registry modification and others. These basic features allow a flexible approach to some of the challenges that might arise during the mission.
- Lateral movement. Very often navigation through the network (aka lateral movement) involves various kinds of activities, such as enumeration of network resources, establishing tunnels/bridges between networks, and attacks that require impersonating other users to gain access to protected resources. Examples of such activities are implemented in tools like PowerSploit's PowerView (mirror), which helps in understanding the target's network; PowerCat, a modern implementation of the Unix netcat tool which can be used as a SOCKS proxy and much more; Mimikatz, a very common tool for impersonating other users and extracting various secrets from the target host and Domain Controllers; BloodHound, a powerful tool for preparing Active Directory attacks; and so on.
- Modularity and/or updating. It is common for malware to have functionality that allows it to dynamically load additional plugins/features or to update itself to a newer version, which might include additional features and bug fixes. This is useful for upgrading capabilities while still maintaining the same infrastructure, allowing faster penetration through the network.
The actual form of a particular piece of malware might vary, but in most cases it comes either as a binary (Windows PE, Linux ELF or macOS Mach-O) or as a code snippet in a scripting language supported by the target (PowerShell or Batch for Windows, Python or Bash for Linux/macOS).
+ Hardware Based
In some cases persistence within the environment is achieved by placing specialized hardware. Such hardware is capable of interacting with the local network over a wired or wireless connection. Attackers/Red Teamers can access this device remotely and leverage it to infiltrate the network. While it is often possible to reuse the target's network (to which such a device is connected) for remote access, devices that provide unfiltered out-of-band access over a 4G mobile network are considered stealthier and more effective. An example of such a scenario is provided below.
A couple of real-world examples of such devices are provided below (a specially prepared Raspberry Pi and a WiFi Pineapple, available on Amazon DE, Amazon UK or at the original Hak5 US store).
+ Defenses
Defensive measures depend on the persistence mechanism that is used. For software based persistence mechanisms a combination of countermeasures can be used, such as antivirus, firewalls, intrusion detection/prevention systems, and proactive monitoring and analysis through a SIEM. For hardware based persistence threats, active monitoring of network devices and an up-to-date inventory of digital assets serve as the first line of defense.
In both cases, anomalies and deviations from a baseline established within the company should be investigated and mitigated as soon as possible to minimize the impact of a potential breach.
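The baseline idea applies to both cases above. The following added example (not code from the original article) compares a host's approved persistence locations (Run keys, scheduled tasks, local administrators) against a current snapshot, and separately compares MAC addresses observed on the network against the asset inventory, annotating unknown devices whose OUI belongs to a single-board computer such as the Raspberry Pi mentioned earlier. All baseline, snapshot and inventory data is constructed; the OUI prefixes are assumed values that should be checked against the IEEE registry.

```python
# Added example (not from the original article): baseline comparison for the two
# defensive cases above. Baseline, snapshot and inventory data are constructed.

# OUI prefixes (first three octets) for the Raspberry Pi; assumed values,
# verify against the IEEE OUI registry before relying on them.
SBC_OUIS = {"B8:27:EB": "Raspberry Pi", "DC:A6:32": "Raspberry Pi"}

def diff_snapshot(baseline, current):
    """Per persistence location (Run keys, tasks, local admins, services...),
    return what appeared and what disappeared relative to the approved baseline."""
    report = {}
    for location in sorted(set(baseline) | set(current)):
        added = set(current.get(location, ())) - set(baseline.get(location, ()))
        removed = set(baseline.get(location, ())) - set(current.get(location, ()))
        if added or removed:
            report[location] = {"added": sorted(added), "removed": sorted(removed)}
    return report

def unknown_devices(observed_macs, inventory_macs):
    """MACs seen on the network (ARP/DHCP/switch tables) that are not in the
    asset inventory, annotated with the vendor when the OUI is a known SBC."""
    known = {m.upper() for m in inventory_macs}
    findings = []
    for mac in observed_macs:
        mac = mac.upper()
        if mac in known:
            continue
        findings.append((mac, SBC_OUIS.get(mac[:8], "unknown vendor")))
    return findings

# Constructed host baseline vs. current snapshot (Windows workstation).
BASELINE = {
    "run_keys": {"OneDrive", "SecurityHealth"},
    "scheduled_tasks": {"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"},
    "local_admins": {"Administrator", "IT-Helpdesk"},
}
CURRENT = {
    "run_keys": {"OneDrive", "SecurityHealth", "Updater"},
    "scheduled_tasks": {"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "\\Vendor\\Updater"},
    "local_admins": {"Administrator", "IT-Helpdesk", "svc_backup"},
}
# Constructed network observation vs. asset inventory (one rogue SBC, one unknown).
INVENTORY_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}
OBSERVED_MACS = ["00:11:22:33:44:55", "b8:27:eb:12:34:56",
                 "00:11:22:33:44:66", "AA:BB:CC:00:00:01"]
```

Entries reported as added are the ones to triage first; a removed entry can equally indicate tampering with a security control and should not be ignored.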