What is Persistence?
Before we get into hunting for persistence in an environment, let’s first look at “what persistence is.” Persistence is an overall tactic that adversaries, malware, and tools use to ensure they keep access to systems across events that might interrupt access. Some examples of events that may interrupt access are shutdowns and restarts, file deletion, or credential changes. Persistence may also be used as a means of “cleaning up” the evidence that a malware payload was ever there. Long story short? Persistence in adversaries and malware can be like zombies. Even after you think you’ve wiped them out, they just keep coming back.
Figure 1 - Image credit: Rollingstone.com
The techniques used for persistence vary wildly across operating systems, the level of access an adversary has, and even the firmware installed on your hardware components. However, perhaps the most common forms of persistence an adversary may try to utilize are Registry Run Keys and the Startup Folder (MITRE ATT&CK ID T1547.001).
What are Registry Run Keys / Startup Folder?
Registry run keys are specific keys in the Windows registry that are invoked during system startup. These keys allow specific settings or configurations to be loaded automatically. In addition, registry run keys can point directly at executable files, allowing specific programs (and DLL files) to be executed at startup. Similarly, the startup folder corresponds to a series of registry keys that will execute files in specific locations on startup. Persistence, when talking about technique T1547.001, is the modification of specific registry keys and values so that an executable, command, or script runs every time the system is rebooted.
How Common is This Type of Persistence?
Persistence using registry run keys or the startup folder are probably the two most common forms of persistence malware and adversaries use. For example, the Ryuk ransomware, which has been responsible for some of the most damaging attacks globally, has utilized registry run keys to establish persistence. Similarly, advanced persistent threats such as APT39, APT41, FIN7, and Gamaredon Group have all been shown to use registry run keys or the startup folder to establish persistence. And even more generic malware, such as Emotet, Hancitor, and IcedID, has used this technique multiple times.
How Many Run Keys Are There?
While there are several registry keys that can be used, the most commonly abused are the default keys on a Windows system, specifically:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
What Do I Need to Hunt for Persistence?
One of the first elements hunt teams typically must tackle when starting a hunt is determining which log sources are required. If an organization is relatively small, hunting across the registries manually with a tool from the Sysinternals suite may suffice. In fact, the tool will even cross-reference the data with VirusTotal to flag known bad entries.
Hunting from the Registry, Down
However, most will be faced with much larger environments where manual hunting isn’t feasible. In this case, teams will want logs from a tool like Sysmon. Now, it should be said, the registry is generally a very busy place, and logs generated from registry activity can be exceptionally noisy. So, teams will want to focus on logs relating to the specific registry keys noted above. With Sysmon logs, hunt teams can look for events with an Event ID of 13 (RegistryEvent (Value Set)). This will identify registry value modifications, recording the value written for DWORD and QWORD values. The log entries contain a lot of useful information, including the system the change was made on and the key that was modified.
Hunting from the System, Up
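As an added example (not code from the article or its authors), the Sysmon filter just described, applied to the key list from the earlier section, as a small Python script: it normalises the HKU\<SID> and HKLM spellings Sysmon uses into the hives of that list, then keeps only Event ID 13 records that wrote a value under one of the eight run keys. The sample events and the computer name are constructed.

```python
import re

# Added example, not from the article. Sysmon writes the user hive as HKU\<SID>
# and the machine hive as HKLM, so both spellings are normalised before matching.
RUN_KEY_PATHS = {  # the four subkeys from the article's list, present under HKCU and HKLM
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runonce",
    r"software\microsoft\windows\currentversion\explorer\shell folders",
    r"software\microsoft\windows\currentversion\explorer\user shell folders",
}
HIVE_ALIASES = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu", "hkey_users": "hku"}
SID_RE = re.compile(r"^s-1-5-[\d-]+(?:_classes)?\\")  # leading "<SID>\" of an HKU path

def normalize(target_object):
    """Split a Sysmon TargetObject into (hive, key path, value name), all lowercase."""
    text = target_object.lower()
    hive, _, rest = text.partition("\\")
    hive = HIVE_ALIASES.get(hive, hive)
    if hive == "hku":
        sid = SID_RE.match(rest)
        if sid:  # HKU\<SID>\... is the HKCU hive of that logged-on user
            hive, rest = "hkcu", rest[sid.end():]
    key, _, value = rest.rpartition("\\")
    return hive, key, value

def run_key_hits(events):
    """Return Event ID 13 (RegistryEvent (Value Set)) records that wrote a run key value."""
    hits = []
    for ev in events:
        if ev["EventID"] != 13:
            continue
        hive, key, value = normalize(ev["TargetObject"])
        if hive in ("hkcu", "hklm") and key in RUN_KEY_PATHS:
            hits.append({"Computer": ev["Computer"], "Image": ev["Image"],
                         "Key": hive + "\\" + key, "Value": value, "Details": ev["Details"]})
    return hits

SAMPLE_EVENTS = [  # constructed Sysmon records; only the EventData fields that matter are kept
    {"EventID": 13, "Computer": "WS01", "Image": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\bob\AppData\Roaming\svch0st.exe"},
    {"EventID": 13, "Computer": "WS01", "Image": r"C:\Windows\System32\cmd.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Startup",
     "Details": r"C:\Users\Public\Start"},
    {"EventID": 13, "Computer": "WS01", "Image": r"C:\Windows\explorer.exe",  # ordinary noise
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]
```

The third record is the kind of noise the text warns about: a value set under CurrentVersion\Explorer that is not one of the eight keys, so it is dropped.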
However, as we have already touched on, the registry can be a very noisy environment, and while Sysmon logging can reveal anomalies (such as changes that do not originate from regedit.exe, or regedit.exe in suspicious locations), most registry changes will nevertheless originate from regedit.exe, obscuring the parent process that made the change. Another hunting method harkens back to a previous Cyborg Labs article where we looked at using Windows Event logs to hunt for suspicious parent-child relationships. For persistence, however, we are going to look for events with an Event ID of 4688 where the New Process Name contains “regedit.exe.” This will flag any parent process that is calling regedit.exe as a child process. If the organization uses a so-called “gold image” or “gold master” that identifies the programs an organization loads by default, hunters can start to look for programs that don’t look as though they belong in the environment. These could be programs with homoglyph names (think svch0st), names with high entropy, or programs executing from suspicious paths. These are all good clues that a hunter can use to identify suspicious programs. However, as we keep saying, the registry is a noisy place. Therefore, we can expect that this method will still generate a lot of noise. We can, however, further reduce the noise by looking at the “Process Command Line” field where its value contains one of the identified registry run keys. This will highlight the specific changes hunters will want to focus on.
I’m Sorry, Your Persistence is Terminal…
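The 4688 triage above as an added Python example (not the article's own code): it keeps events whose New Process Name is regedit.exe, applies the command-line run-key filter as the noise-reduction step, and annotates the parent with the three clues the text lists. The sample events, the "gold image" directory baseline, the known-name set and the entropy threshold are all assumptions.

```python
import math
import re
from collections import Counter

# Added example, not from the article; sample events, paths and the "gold image" directories are constructed.
RUN_KEY_RE = re.compile(r"currentversion\\(run(once)?|explorer\\(user )?shell folders)\b", re.I)
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")  # assumed baseline
KNOWN_NAMES = {"svchost.exe", "explorer.exe", "cmd.exe", "powershell.exe", "services.exe"}
DIGIT_HOMOGLYPHS = str.maketrans("0135", "oles")  # svch0st -> svchost, exp1orer -> explorer

def shannon_entropy(text):
    """Bits per character; random-looking names score higher than English-like ones."""
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def name_flags(image_path):
    """The article's three clues about a parent program: homoglyph name, high-entropy name, odd path."""
    path = image_path.lower()
    name = path.rsplit("\\", 1)[-1]
    stem = name.rsplit(".", 1)[0]
    flags = []
    if name not in KNOWN_NAMES and name.translate(DIGIT_HOMOGLYPHS) in KNOWN_NAMES:
        flags.append("homoglyph")
    if len(stem) >= 8 and shannon_entropy(stem) > 3.5:  # threshold is an assumption; tune per estate
        flags.append("high-entropy")
    if not path.startswith(TRUSTED_DIRS):
        flags.append("untrusted-path")
    return flags

def hunt_4688(events):
    """Keep 4688 events whose New Process Name is regedit.exe and whose command line names a run key."""
    findings = []
    for ev in events:
        if ev["EventID"] != 4688 or "regedit.exe" not in ev["NewProcessName"].lower():
            continue
        if not RUN_KEY_RE.search(ev["CommandLine"]):  # the article's noise-reduction step
            continue
        parent = ev["ParentProcessName"]  # 4688's Creator Process Name
        findings.append({"Parent": parent, "Flags": name_flags(parent), "CommandLine": ev["CommandLine"]})
    return findings

SAMPLE_4688 = [  # constructed
    {"EventID": 4688, "NewProcessName": r"C:\Windows\regedit.exe", "ParentProcessName": r"C:\Users\Public\svch0st.exe",
     "CommandLine": r"regedit.exe /e C:\Users\Public\r.reg HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\regedit.exe", "ParentProcessName": r"C:\ProgramData\qz8kx3vpn7wt.exe",
     "CommandLine": r"regedit.exe /e C:\ProgramData\p.reg HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\regedit.exe", "ParentProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": r"regedit.exe /e C:\Temp\startup.reg HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\regedit.exe", "ParentProcessName": r"C:\Windows\explorer.exe", "CommandLine": "regedit.exe"},
]
```

The third finding carries no flags and is the benign-looking case a hunter still has to triage by hand; the fourth event never reaches the findings because its command line does not name a run key.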
Another great log source to hunt for persistence is command line history. As we have previously mentioned, command line and terminal history (especially PowerShell) can reveal a huge amount of data which can not only be used by threat hunters, but may also provide a wealth of intelligence about adversaries. In this instance, hunters can look for specific commands related to users or processes invoking regedit.exe and modifying the same registry run keys previously mentioned.
Sum It Up!
Persistence remains one of the most common tactics adversaries and malware use, as it has nearly become a necessity to ensure that they retain access to a system, and more importantly the environment, after system events or changes.