Webcast 123180

The document discusses various persistence strategies used by attackers, including account manipulation, scheduled tasks, registry run keys, and COM object hijacking. It highlights techniques employed by different threat groups and provides insights into monitoring event IDs for detection. The content emphasizes the importance of understanding these tactics to enhance incident response and threat intelligence efforts.

Common Persistence Strategies - Emulating, Preventing, and Detecting
Michel Coene
About me

• Certified Instructor SEC599

• Head of Incident Response & Threat Intelligence

Twitter: @coenemichel
LinkedIn: https://www.linkedin.com/in/coenemichel/
Persistence

Source: https://attack.mitre.org/matrices/enterprise/
What’s happening out there

Source: https://www.recordedfuture.com/top-2020-mitre-techniques/

Source: https://www.picussecurity.com/resource/the-top-ten-mitre-attck-techniques
Source: https://redcanary.com/blog/2022-threat-detection-report/
Account manipulation (1)

What: Attackers who have gained elevated privileges on a local machine or on the domain have frequently been seen creating new user accounts with elevated privileges, or adding privileges to user accounts they have already compromised. In several cases we have seen attackers create copies of existing accounts that hold domain administrator privileges, including attributes such as internal phone number, department, and others.

How: There are a number of ways in which attackers can modify accounts on your local host or within your domain, ranging from the built-in Local Users & Groups console, to "net user" commands, to more advanced attacks using Mimikatz DCShadow and the like.

Who: Various groups have been observed employing this technique. APT3, for example, created new user accounts and added them to the local admin group, and Dragonfly 2.0 was also observed adding new accounts to the administrator group. Additionally, this is something we also come across from time to time during our own investigations, both at the local host level and at the domain level.

Key requirements:
- Elevated local computer privileges for manipulation of local accounts
- Elevated domain privileges for manipulation of domain accounts
Account manipulation (2)
Account manipulation (3)

Event IDs to keep an eye on:

- 4720 – A user account was created
- 4732 – A member was added to a security-enabled local group
- 4738 – A user account was changed
- 4728 – A member was added to a security-enabled global group
Account manipulation (4)
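As an added example (not code from the webcast), a minimal correlation of the event IDs above over constructed Security-log records: a freshly created account (4720) that is added to a privileged group (4728/4732) shortly afterwards is the pattern the APT3 and Dragonfly 2.0 cases describe. The privileged-group list and the one-hour window are assumptions to tune per environment.

```python
"""Correlate Security events 4720 / 4728 / 4732 into an account-manipulation
alert.  Added example, not from the webcast: a new account (4720) that lands
in a privileged group (4728 global / 4732 local) within a short window is
flagged.  SAMPLE_EVENTS is constructed data, not real log output; the field
names mirror TargetUserName / MemberName / GroupName in the real events."""
from datetime import datetime, timedelta

SAMPLE_EVENTS = [  # constructed
    {"time": "2022-03-01T09:00:05", "id": 4720, "subject": "CORP\\jdoe",
     "target": "svc_backup2"},
    {"time": "2022-03-01T09:00:20", "id": 4738, "subject": "CORP\\jdoe",
     "target": "svc_backup2"},
    {"time": "2022-03-01T09:01:10", "id": 4728, "subject": "CORP\\jdoe",
     "member": "svc_backup2", "group": "Domain Admins"},
    {"time": "2022-03-01T11:30:00", "id": 4720, "subject": "CORP\\hr_admin",
     "target": "new_hire17"},
    {"time": "2022-03-02T08:00:00", "id": 4732, "subject": "CORP\\jdoe",
     "member": "new_hire17", "group": "Administrators"},
]

# Assumed watch-list; extend with the groups that matter in your domain.
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
GROUP_ADD_IDS = {4728, 4732}  # security-enabled global / local group


def _ts(value):
    return datetime.fromisoformat(value)


def find_account_manipulation(events, window=timedelta(hours=1)):
    """Return (account, group, creator) for every account created by a 4720
    event and added to a privileged group no more than `window` later."""
    created = {e["target"]: e for e in events if e["id"] == 4720}
    hits = []
    for e in sorted(events, key=lambda x: _ts(x["time"])):
        if e["id"] not in GROUP_ADD_IDS or e["group"] not in PRIVILEGED_GROUPS:
            continue
        creation = created.get(e["member"])
        if creation is None:
            continue  # pre-existing account; 4738 changes need their own rule
        delta = _ts(e["time"]) - _ts(creation["time"])
        if timedelta(0) <= delta <= window:
            hits.append((e["member"], e["group"], creation["subject"]))
    return hits


if __name__ == "__main__":
    for account, group, creator in find_account_manipulation(SAMPLE_EVENTS):
        print(f"ALERT: {account} created by {creator}, added to {group} within 1h")
```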
Scheduled tasks (1)

What: As most of you will have done at some point, you have used the Task Scheduler to ensure a program or script is executed at startup, at logon, or at a certain point in time. In addition to starting local tasks on a system (for persistence), we also see attackers use the Task Scheduler to perform lateral movement, by scheduling tasks on a remote system.

How: As with the account creation discussed above, a scheduled task can easily be created using the Windows built-in Task Scheduler or via the command line using "schtasks".

Who: There are plenty of examples of groups that have been observed using scheduled tasks. APT29 used scheduled tasks to keep SUNSPOT persistent when the host booted during the 2020 SolarWinds intrusion, for example, and APT33 has been observed using scheduled tasks to run a .vbs file multiple times per day; we could go on like this for a while.

Key requirements:
- No elevated privileges are required to create a scheduled task. That scheduled task will then of course only run within that specific user context.
- It is also possible to run a system-wide scheduled task; elevated privileges are required for this, however.
Scheduled tasks (2)
Scheduled tasks (3)

Event IDs to keep an eye on:

- Event ID 106 – Scheduled task registered
- Event ID 140 – Scheduled task updated
- Event ID 141 – Scheduled task deleted
- Event ID 4698 – Scheduled task created
- Event ID 4700 – Scheduled task enabled
- Event ID 4701 – Scheduled task disabled
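Event 4698 carries the full task definition as XML, so the useful detail (what runs, on which triggers, as whom, and whether the task is system-wide) can be pulled straight out of the event. The parser below is an added example, not from the webcast, run over a constructed task definition; the script-host list used to flag .vbs-style actions and the elevation rule are assumptions.

```python
"""Summarise the TaskContent XML that Security event 4698 (scheduled task
created) carries.  Added example, not from the webcast: SAMPLE_TASK_XML is a
constructed task definition in the Task Scheduler schema; SCRIPT_HOSTS (used
to flag script-based actions such as the .vbs case above) and the "elevated"
rule are assumptions."""
import ntpath
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
LOCAL_SYSTEM = "S-1-5-18"  # well-known SID of LocalSystem

SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <Repetition><Interval>PT1H</Interval></Repetition>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
    <LogonTrigger />
  </Triggers>
  <Principals><Principal id="Author">
    <UserId>S-1-5-21-1111-2222-3333-1001</UserId><RunLevel>LeastPrivilege</RunLevel>
  </Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>wscript.exe</Command>
    <Arguments>//B C:\Users\jdoe\AppData\Roaming\sync.vbs</Arguments>
  </Exec></Actions>
</Task>"""


def summarize_task(task_xml):
    """Extract what a responder wants from one 4698 event: what runs, when,
    as whom, and whether it is elevated or launched by a script host."""
    root = ET.fromstring(task_xml)
    triggers = root.find("t:Triggers", NS)
    command = root.findtext(".//t:Exec/t:Command", "", NS).strip()
    run_as = root.findtext(".//t:Principal/t:UserId", "", NS)
    run_level = root.findtext(".//t:Principal/t:RunLevel", "", NS)
    return {
        "command": command,
        "arguments": root.findtext(".//t:Exec/t:Arguments", "", NS),
        "triggers": [t.tag.split("}")[-1] for t in triggers] if triggers is not None else [],
        "repeat_interval": root.findtext(".//t:Repetition/t:Interval", None, NS),
        "run_as": run_as,
        # system-wide task: runs as LocalSystem or asks for the elevated token
        "elevated": run_as == LOCAL_SYSTEM or run_level == "HighestAvailable",
        "script_host": ntpath.basename(command).lower() in SCRIPT_HOSTS,
    }
```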
Registry run key / Startup Folder (1)

What: Attackers can achieve persistence by adding a program to a startup folder or by referring to a program from a Registry Run key. Both of these will ensure the program is executed when a user logs in. It's important to note that in both cases the program will run in the context of the currently logged-in user and as such will have that user's permissions.

How:
• Place a program, or a shortcut to a program, in the Startup folder of a user
• Place a reference to a program in one of the default Windows Run keys

Who: Here too, a large number of groups have been observed using Registry Run keys or the Startup folder. Cobalt Group has used Registry Run keys for persistence, the Emotet malware has been observed adding its downloaded payload to Registry Run keys for persistence, FIN7 has been abusing the Startup folder, and the list goes on.

Key requirements: This is standard Windows functionality; no specific privileges are required to write to the current-user registry hive, while elevated privileges are required to write to the SYSTEM registry hive.
Registry run key / Startup Folder (2)

Registry keys typically targeted:
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

Startup folder path for the current user:
C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

Startup folder path for all users:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
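Added example (not from the webcast or from sysmon-modular): matching Sysmon Event ID 13 (registry value set) records against the four keys above. Sysmon logs the user hive as HKU\<SID>\... rather than HKEY_CURRENT_USER, so both spellings are normalised before comparison; otherwise a rule written against the HKCU spelling misses every per-user Run key write. The sample events are constructed.

```python
r"""Match Sysmon "registry value set" events (Event ID 13) against the Run /
RunOnce keys listed above.  Added example, not from the webcast or from
sysmon-modular.  Sysmon writes per-user hives as HKU\<SID>\... rather than
HKEY_CURRENT_USER, so both spellings are normalised to the names on the slide
before matching.  SAMPLE_EVENTS is constructed data."""
import re

RUN_KEYS = {
    "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
    "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
}
_HIVE_RE = re.compile(
    r"^(HKLM|HKEY_LOCAL_MACHINE|HKCU|HKEY_CURRENT_USER|HKU\\S-1-5-[\d-]+)\\(.+)$", re.I)

SAMPLE_EVENTS = [  # constructed Sysmon Event ID 13 records
    {"Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "wscript.exe C:\\Users\\jdoe\\AppData\\Roaming\\update.js"},
    {"Image": "C:\\Program Files\\Vendor\\setup.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\VendorSetup",
     "Details": "C:\\Program Files\\Vendor\\finish.exe"},
]

def canonical_run_key(target_object):
    """Return (run_key_as_listed_above, value_name) when target_object is a
    value under one of RUN_KEYS, otherwise None."""
    m = _HIVE_RE.match(target_object)
    if not m:
        return None
    machine = m.group(1).upper().startswith(("HKLM", "HKEY_LOCAL_MACHINE"))
    hive = "HKEY_LOCAL_MACHINE" if machine else "HKEY_CURRENT_USER"
    path, _, value_name = m.group(2).rpartition("\\")
    full = (hive + "\\" + path).lower()
    for known in RUN_KEYS:
        if known.lower() == full:
            return known, value_name
    return None

def run_key_writes(events):
    """Reduce Sysmon event 13 records to the Run/RunOnce writes, keeping the
    value data (the command that will run) and the process that wrote it."""
    hits = []
    for e in events:
        match = canonical_run_key(e["TargetObject"])
        if match:
            hits.append({"key": match[0], "value": match[1],
                         "command": e["Details"], "writer": e["Image"]})
    return hits
```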
Registry run key / Startup Folder (3)

Source: https://github.com/olafhartong/sysmon-modular/
COM Object Hijacking (1)

What: COM (Component Object Model) is described by Microsoft as a “platform-independent, distributed, object-oriented system for creating binary software components that can interact.” The purpose of COM is to provide an interface that allows developers to control and manipulate objects of other applications.

How: COM hijacking is a “stealthy” persistence technique that allows adversaries to run payloads in the context of trusted processes. Two commonly used techniques are “Phantom COM object” abuse and “COM Search Order Hijacking”, where the adversary hijacks a COM object to run a payload of his choosing.

Who: Turla uses COM Object Hijacking as one of its key go-to methods for achieving persistence on a system (e.g. the Outlook backdoor). BBSRAT, a malware with remote access tool functionality, has been observed persisting on a system via COM hijacking by replacing the COM object for MruPidlList.

Key requirements: No special permissions are required.
Phantom COM Objects (1)

Phantom COM object hijacking uses CLSIDs that point to DLLs that no longer exist.

Phantom COM objects (3)

An adversary can profit from this missing file by dropping a malicious DLL in the location to which the CLSID is pointing.

[Diagram: (1) CLSID → (2) Path → (3) Load; (0) Drop, the DLL placed at that path beforehand]
COM Search Order Hijacking (1)

The COM Search Order Hijacking technique leverages the COM object lookup order.

When resolving a CLSID to a path, the “Current User” registry hive is checked first, followed by the “Local Machine” registry hive.

[Diagram: (1) CLSID → (2) HKCU → (3) HKLM → (4) Path → (5) Load]
COM Search Order Hijacking (2)

An adversary can duplicate a CLSID from the “Local Machine” registry hive to the “Current User” registry hive and point the software to a malicious DLL.

[Diagram: (0) Drop DLL and (0) Create HKCU entry; (1) CLSID → (2) HKCU → (3) → (4) HKLM → Path → (5) Load]
COM Search Order Hijacking (3)

To avoid breaking applications relying on the legitimate DLL, our malicious DLL can proxy requests to the original DLL.

[Diagram: as on the previous slide, with an added (6) Proxy step from the loaded DLL to the original DLL]

Reference: leoloobeek/COMProxy
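Added example, not from the webcast, covering both the Phantom COM object and the Search Order Hijacking slides: a check over a constructed snapshot of per-hive CLSID to InprocServer32 mappings that reports CLSIDs whose DLL is missing from disk and HKCU entries that shadow an HKLM entry with a different DLL. On a live host the snapshot comes from winreg and os.path.exists; the GUIDs and paths are placeholders, and treating every HKCU/HKLM mismatch as suspicious is an assumption.

```python
r"""Check a registry snapshot for the two COM hijack patterns described above.
Added example, not from the webcast.  SNAPSHOT is a constructed copy of the
InprocServer32 default value under HKCU\Software\Classes\CLSID and
HKLM\Software\Classes\CLSID, and EXISTING_DLLS stands in for os.path.exists;
on a live host you would fill both with winreg and the file system.  The
GUIDs are placeholders, not real class identifiers."""

SNAPSHOT = {
    "HKLM": {
        "{AAAAAAAA-0000-0000-0000-000000000001}": r"C:\Windows\System32\shell32.dll",
        "{AAAAAAAA-0000-0000-0000-000000000002}": r"C:\Program Files\OldApp\oldapp.dll",
    },
    "HKCU": {
        # same CLSID as HKLM ...0001, but resolved to a DLL in the user profile
        "{AAAAAAAA-0000-0000-0000-000000000001}": r"C:\Users\jdoe\AppData\Roaming\proxy.dll",
        "{BBBBBBBB-0000-0000-0000-000000000009}": r"C:\Users\jdoe\AppData\Local\Vendor\vendor.dll",
    },
}
EXISTING_DLLS = {  # constructed stand-in for the file system
    r"C:\Windows\System32\shell32.dll",
    r"C:\Users\jdoe\AppData\Roaming\proxy.dll",
    r"C:\Users\jdoe\AppData\Local\Vendor\vendor.dll",
}


def _norm(path):
    return path.strip('"').lower()


def find_com_hijacks(snapshot, existing):
    """Return (kind, clsid, detail) findings.
    phantom: the registered server DLL is missing from disk, i.e. a Phantom COM
             object that a dropped DLL would satisfy.
    shadow : HKCU registers a CLSID that HKLM also registers, with a different
             DLL, so the per-user entry wins the lookup (Search Order Hijacking).
    """
    present = {_norm(p) for p in existing}
    findings = []
    for hive, entries in snapshot.items():
        for clsid, dll in entries.items():
            if _norm(dll) not in present:
                findings.append(("phantom", clsid, f"{hive}: {dll} not on disk"))
    for clsid, user_dll in snapshot.get("HKCU", {}).items():
        machine_dll = snapshot.get("HKLM", {}).get(clsid)
        if machine_dll and _norm(machine_dll) != _norm(user_dll):
            findings.append(("shadow", clsid,
                             f"HKCU {user_dll} overrides HKLM {machine_dll}"))
    return findings
```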
Practical example: Gootloader

Gootloader persistence, step by step:
- Introduction
- JavaScript downloader
- Payload -> another JavaScript script
- Scheduled task
- Binary stored in Registry
- Analysis of the .NET assembly
- Cobalt Strike
Leveling up: IIS backdoor

IIS Backdoor - Typical situations

[Diagram: a client's Request/Reply is handled by IIS on a Windows Server, either directly or with IIS fronting Exchange on the Windows Server]

IIS Backdoor - IIS Modules

[Diagram: Request/Reply passes through an HTTP Module (M) inside IIS before reaching Exchange on the Windows Server]

M = HTTP Module, which can be:
1. Managed code (.NET)
2. Unmanaged code (native)
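A native module has to be registered in applicationHost.config before IIS loads it, so a module inventory is the defender-side counterpart of the installation steps that follow. This is an added example, not the webcast's own code, run over a constructed config fragment; the rule that a native image outside %windir%\System32\inetsrv is suspicious is an assumption to be tuned with an allow-list of modules you deploy yourself.

```python
"""Inventory the HTTP modules in an IIS applicationHost.config and flag native
(unmanaged) modules whose image lives outside the inetsrv directory.  Added
example, not from the webcast: native modules sit in <globalModules> (name +
image DLL), managed .NET ones in <modules> with a type attribute.  SAMPLE_CONFIG
is a constructed fragment; "outside inetsrv is suspicious" is an assumption."""
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = r"""<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\System32\inetsrv\loghttp.dll" />
      <add name="DefaultDocumentModule" image="%windir%\System32\inetsrv\defdoc.dll" />
      <add name="HealthCheckModule" image="C:\inetpub\temp\healthcheck.dll" />
    </globalModules>
    <modules>
      <add name="HttpLoggingModule" />
      <add name="HealthCheckModule" />
      <add name="FormsAuthentication" type="System.Web.Security.FormsAuthenticationModule" />
    </modules>
  </system.webServer>
</configuration>"""
INETSRV = "%windir%\\system32\\inetsrv\\"  # where IIS's own native modules live


def inventory_modules(config_xml):
    """Return {name: info}; native entries carry "image", managed ones "type"."""
    root = ET.fromstring(config_xml)
    mods = {}
    for gm in root.iter("globalModules"):  # native modules: name + image DLL
        for add in gm.findall("add"):
            image = add.get("image", "")
            mods[add.get("name")] = {"kind": "native", "image": image, "enabled": False,
                                     "suspicious": not image.lower().startswith(INETSRV)}
    for section in root.iter("modules"):  # enabled modules; managed ones carry type=
        for add in section.findall("add"):
            name = add.get("name")
            if name in mods:
                mods[name]["enabled"] = True
            else:
                mods[name] = {"kind": "managed", "type": add.get("type", ""),
                              "enabled": True, "suspicious": False}
    return mods


def suspicious_native_modules(config_xml):
    """Names of enabled native modules loaded from outside inetsrv."""
    return sorted(n for n, m in inventory_modules(config_xml).items()
                  if m["kind"] == "native" and m["enabled"] and m["suspicious"])
```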
IIS Backdoor - Our native module/backdoor (1)
IIS Backdoor - Our native module/backdoor (2)
IIS Backdoor - Our native module/backdoor (3)
IIS Backdoor - Our native module/backdoor (4)
IIS Backdoor - Installation (1)
IIS Backdoor - Installation (2)
IIS Backdoor - Installation (3)
IIS Backdoor - Installation (4)
IIS Backdoor - Demo time
Thank you
