A core tenet for malware authors and threat actors is that persistence is key. After all, it’s reported that only 4 percent of users click on phishing links and attachments. Establishing a foothold can be difficult, so when adversaries get into an environment, they want to make sure they stay there.
Enter the topic of persistence. Persistence, especially amongst threat hunters, doesn’t often get the same level of attention as some of the more exotic tactics like privilege escalation, process hollowing, process doppelgänging, or DLL injection. Nevertheless, hunting for persistence across an environment should be one of the top hunts that hunt teams focus on.
What is Persistence?
Before we get into hunting for persistence in an environment, let’s first look at what persistence is.
Persistence is an overall tactic that adversaries, malware, and tools use to ensure they keep access to systems across events that might interrupt access. Some examples of events that may interrupt access are shutdowns and restarts, file deletion, or credential changes. Persistence may also be used as a means of “cleaning up” the evidence that a malware payload was ever there.
Long story short? Persistence in adversaries and malware can be like zombies. Even after you think you’ve wiped them out, they just keep coming back.
Figure 1 - Image credit: Rollingstone.com
The techniques used for persistence vary wildly across operating systems, the level of access an adversary has, and even the firmware installed on your hardware components. However, perhaps the most common form of persistence an adversary may try to utilize is Registry Run Keys and the Startup Folder (MITRE ATT&CK ID T1547.001).
What are Registry Run Keys / Startup Folder?
Registry run keys are very specific keys in the Windows registry that are invoked during system start up. These keys allow specific settings or configurations to be loaded automatically. In addition, registry run keys can also point directly at executable files, allowing specific programs (and DLL files) to be executed at start up.
Similarly, the startup folder is a location whose path is defined by a series of registry keys; files placed in that folder are executed on start up.
Persistence, when talking about technique T1547.001, is the modification of specific registry keys and values in order to have an executable, command, or script run every time the system is rebooted.
How Common is This Type of Persistence?
Persistence using registry run keys or the startup folder is probably the most common form of persistence malware and adversaries use. For example, the Ryuk ransomware, which has been responsible for some of the most damaging attacks globally, has utilized registry run keys to establish persistence. Similarly, advanced persistent threats such as APT39, APT41, FIN7, and Gamaredon Group have all been shown to use registry run keys or the startup folder to establish persistence. And even more generic malware, such as Emotet, Hancitor, and IcedID, has used this technique multiple times.
How Many Run Keys Are There?
While there are several registry keys that can be used, the most commonly abused are the default keys on a Windows system, specifically:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
Similarly, the registry keys that are used to launch programs or set folder items for persistence are:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
It should be noted that there are many other run keys that can be used for this type of persistence; however, these are the most common.
What Do I Need to Hunt for Persistence?
One of the first elements hunt teams typically must tackle when starting a hunt is to determine what log sources are required. If an organization is relatively small, hunting across the registries manually using a Sysinternals tool could work. In fact, the tool will even cross reference the data with VirusTotal to flag known bad entries.
Hunting from the Registry, Down
However, most teams will be faced with much larger environments where manual hunting isn’t feasible. In this case, teams will want logs from a tool like Sysmon. Now, it should be said, the registry is generally a very busy place, and logs generated from registry activity can be exceptionally noisy. So, teams will want to focus on logs relating to the specific registry keys noted above.
With Sysmon logs, hunt teams can look for events with an Event ID of 13 (RegistryEvent (Value Set)). This identifies registry value modifications, recording the value written for DWORD and QWORD values. The log entries contain a lot of useful information, including the system the change was made on and the key that was modified. The TargetObject field is a great starting point to look for suspicious key names (no, seriously, the number of malware families that still use strings like “Asdfasdf” or “Qwerty” is frankly shocking).
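As an added example (not code from the article), the following Python triages Event ID 13 records from a Sysmon XML export: it keeps only writes under the run keys and Shell Folders keys listed above, then notes the throwaway value names and user-writable paths the text describes. The wrapping Events element, the host name and the two records are constructed; the two regexes are assumptions of this example, not Sysmon fields.

```python
# Added example: triage Sysmon Event ID 13 (RegistryEvent (Value Set)) records for writes
# to the run keys listed above. Not code from the article; input is a constructed XML export.
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Keys from the article without the hive prefix, so Sysmon's HKU\<SID>\... form and HKCU/HKLM match.
WATCHED_KEYS = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
    r"\software\microsoft\windows\currentversion\explorer\shell folders",
    r"\software\microsoft\windows\currentversion\explorer\user shell folders",
)
JUNK_NAME = re.compile(r"^(asdf|qwer|zxcv)", re.I)                  # keyboard-walk value names
USER_PATH = re.compile(r"\\(appdata|temp|users\\public)\\", re.I)   # user-writable locations

# Constructed sample export (not real telemetry): one suspicious write and one benign one.
SAMPLE_XML = r"""<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>13</EventID><Computer>WS01.lab.local</Computer></System><EventData>
<Data Name="Image">C:\Users\bob\AppData\Roaming\svch0st.exe</Data>
<Data Name="TargetObject">HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\Asdfasdf</Data>
<Data Name="Details">C:\Users\bob\AppData\Roaming\svch0st.exe</Data></EventData></Event>
<Event><System><EventID>13</EventID><Computer>WS01.lab.local</Computer></System><EventData>
<Data Name="Image">C:\Windows\System32\msiexec.exe</Data>
<Data Name="TargetObject">HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth</Data>
<Data Name="Details">C:\Windows\System32\SecurityHealthSystray.exe</Data></EventData></Event>
</Events>"""

def parse_events(xml_text):
    """Yield one dict of EventData fields (plus Computer) per Event ID 13 in the export."""
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "13":
            continue
        rec = {d.get("Name"): d.text or "" for d in ev.findall("e:EventData/e:Data", NS)}
        rec["Computer"] = ev.findtext("e:System/e:Computer", default="", namespaces=NS)
        yield rec

def triage(rec):
    """Return reasons the record deserves a look; [] if it touched no watched key."""
    key, _, value_name = rec.get("TargetObject", "").rpartition("\\")
    if not key.lower().endswith(WATCHED_KEYS):
        return []
    reasons = [f"{rec['Image']} set {value_name!r} under a run key on {rec['Computer']}"]
    if JUNK_NAME.match(value_name):
        reasons.append("throwaway value name")
    if USER_PATH.search(rec.get("Details", "")):
        reasons.append("autostart target lives in a user-writable path")
    if USER_PATH.search(rec["Image"]):
        reasons.append("writing process runs from a user-writable path")
    return reasons
```

Every write under a watched key is reported, so benign installer activity still appears; the extra reasons are what separate the record worth opening first from the rest.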
Hunting from the System, Up
However, as we have already touched on, the registry can be a very noisy environment, and while Sysmon logging can reveal anomalies (such as changes that do not originate from regedit.exe, or regedit.exe running from suspicious locations), most registry changes will nevertheless originate from regedit.exe, obscuring the parent process that made the change.
Another hunting method harkens back to a previous Cyborg Labs article where we looked at using Windows Event logs to hunt for suspicious parent-child relationships. For persistence, however, we are going to look for events with an Event ID of 4688 where the New Process Name contains “regedit.exe.” This will flag any parent process that is calling regedit.exe as a child process.
If the organization uses a so-called “gold image” or “gold master” that identifies the programs an organization loads by default, hunters can start to look for programs that don’t look as though they belong in the environment. These could be programs with homoglyph names (think svch0st), names with high entropy, or programs executing from suspicious paths. These are all good clues a hunter can use to identify suspicious programs.
However, as we keep saying, the registry is a noisy place, so we can expect this method to still generate a lot of noise. We can, however, further reduce the noise by looking at the “Process Command Line” field where its value contains one of the identified registry run keys. This will highlight the specific changes hunters will want to focus on.
I’m Sorry, Your Persistence is Terminal…
Another great log source to hunt for persistence is command line history. As we have previously mentioned, command line and terminal history (especially PowerShell) can reveal a huge amount of data which can not only be used by threat hunters, but may also provide a wealth of intelligence about adversaries. In this instance, hunters can look for specific commands related to users or processes invoking regedit.exe and modifying those same registry run keys previously mentioned.
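As an added example serving both the 4688 hunt above and the command-line history hunt in this section (not the article’s own code), the Python below scores process-creation records and PowerShell history lines: a regedit.exe child process is reported together with its parent, and any command line naming one of the run keys above is flagged whatever tool ran it, which generalizes the article’s regedit-only filter. The record layout, the function names and the sample records are constructed assumptions.

```python
# Added example: flag 4688 process-creation records and PowerShell history lines that touch
# the run keys above. Not from the article; the records below are constructed samples.
import re

# Accept HKEY_CURRENT_USER\, HKCU\ and HKCU:\ (the PowerShell drive) plus the HKLM forms.
RUN_KEY = re.compile(
    r"(?:hkey_current_user|hkey_local_machine|hkcu|hklm):?\\"
    r"software\\microsoft\\windows\\currentversion\\"
    r"(?:run(?:once)?|explorer\\(?:user )?shell folders)\b", re.I)

def run_keys_in(cmdline):
    """Return every run key mentioned in a command line, in the spelling that was used."""
    return RUN_KEY.findall(cmdline)

def triage(rec):
    """Reasons a record matters: regedit.exe as a child process, or a run key on the command line."""
    reasons = []
    if rec.get("image", "").lower().endswith("\\regedit.exe"):
        reasons.append(f"regedit.exe spawned by {rec.get('parent') or 'unknown parent'}")
    for key in run_keys_in(rec.get("cmdline", "")):
        reasons.append(f"command line references {key}")
    return reasons

def hunt(records):
    """Keep only flagged records, most reasons first; routine activity drops out."""
    flagged = [(rec, triage(rec)) for rec in records]
    return sorted([f for f in flagged if f[1]], key=lambda f: -len(f[1]))

# Constructed samples (not real telemetry): two 4688 records and two PowerShell history lines,
# in the shape a SIEM export or ConsoleHost_history.txt would give.
SAMPLES = [
    {"source": "4688", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\regedit.exe", "cmdline": r"regedit.exe /s C:\Users\Public\update.reg"},
    {"source": "4688", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"source": "pshistory", "cmdline": r"New-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows"
     r"\CurrentVersion\Run' -Name Updater -Value 'C:\Users\bob\AppData\Roaming\up.exe'"},
    {"source": "pshistory", "cmdline": r"Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control'"},
]
```

The regex deliberately stops at Run, RunOnce and the two Shell Folders keys, so a key such as RunServices is not matched; extend RUN_KEY if your hunt covers more of the run keys the article mentions.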
Sum It Up!
Persistence remains one of the most common tactics adversaries and malware use, as it has nearly become a necessity to ensure that they retain access to a system, and more importantly the environment, after system events or changes. While it may not be as exotic as some of the more “interesting” methods, it remains a staple for threat hunters everywhere.
Want to learn about another hunting technique? Check out our latest Threat Hunting Deep Dive on Application Shimming!