Persistence is just another opportunity for detection.
Persistence techniques give adversaries the ability to maintain access to compromised systems, but they also present opportunities for detection. Watch this on-demand webinar that explores persistence with Carbon Black and MITRE ATT&CK.
This ATT&CK Deep Dive walks through:
- Common techniques that adversaries and malware use to persist in macOS, Linux, and Windows environments
- Practical guidance on observing prevalent persistence mechanisms and detecting corresponding threats
- In-depth analysis of routine and sophisticated persistence techniques
- Examples of prominent, persistent malware
00:32 Introduction
03:20 Webinar Agenda
03:39 Overview: What is Persistence?
03:56 “Persistence is an adversary’s means of maintaining presence and access to a compromised asset.” – Phil
04:23 Why Adversaries Use Persistence
04:40 “Adversaries need their tools to be able to run through intermittent interruptions—and also need them to regain access after being discovered and removed from a network.” – Blake
05:57 “Depending on what their goal is, they might set up stealthy forms of access and data collection that might persist if other mechanisms are found.” – Blake
06:29 Persistence Mechanisms in ATT&CK®
06:42 “There are 59 techniques currently documented in ATT&CK. Keep in mind this isn’t really an enumeration of all possible techniques. There are other theoretical things out there that we don’t know if adversaries really use.” – Blake
07:20 ATT&CK Sub-Techniques
07:29 “The ATT&CK team realizes that there are a lot of techniques out there and we need a better way of organizing them.” – Blake
09:24 Types of Persistence
10:28 “A lot of times we see multiple different forms of persistence deployed at the same time. If you don’t have full coverage across all the different techniques of persistence, one of those easier forms of persistence that we can detect may trigger an investigation into identifying something else that was used in your environment.” – Shane
11:33 Examples
12:07 Webshells
12:08 “Webshells are generally scripts that get deployed to publicly accessible web servers and allow adversaries backup access into the organization.” – Blake
12:27 “We have seen these used by state-sponsored adversaries. China Chopper is a specific type of webshell that has been used by multiple Chinese groups.” – Blake
12:37 WMI Event Subscription
12:38 “It’s another technique that’s becoming more popular because it can be a little more difficult to detect.” – Blake
12:53 Registry Run Keys
13:00 “There are a set of things Windows runs when it starts, and it’s a really simple Registry change to make those work—either when the user logs in or Windows starts.” – Blake
13:27 Valid Accounts
13:37 “Those accounts can provide backup access because they are often used in conjunction with things like RDP, Citrix, VPNs, and other remote services.” – Blake
13:55 Where Persistence Ranks
15:41 Detection Opportunities
16:47 “If you don’t have a full EDR solution, or even if you do, I highly recommend one or the other: Sysmon and PowerShell Script Block Logging.” – Shane
17:28 “Understanding what’s being executed in your environment is really important. Some of the EDR platforms don’t always capture Script Execution. Having this in conjunction with an EDR solution can give you additional visibility into your environment.” – Shane
22:50 WMI Event Subscription Demo
23:56 Delivery – Macro Document – Spearphishing Attachment
24:27 “Hopefully you would be catching the attacker at this point before they are able to gain that persistence, spread laterally, and perform other actions on the host.” – Greg
24:41 Persistence – Office Templates – Office Application Startup
25:12 “This is a great way for an attacker to establish persistence: basically modifying these templates and injecting Macros directly into them.” – Greg
25:46 OPSEC
26:09 “By this point, we should have already detected them through multiple other TIDs.” – Greg
27:26 Establish Persistence
27:27 “The aggressor scripts are awesome. These automate common tasks that are performed during post-exploitation.” – Greg
29:34 Reboot and Test
29:55 Verify
29:58 “Once we hit reboot, we get our new shell. And as you can see, this one is actually system privileges, so now we have even higher access into the host.” – Greg
31:47 “We’ve seen this used with large botnets using Eternal Blue to spread and immediately establish persistence with WMI. It’s something that can be done very fast.” – Greg
32:25 The 7 Detection Methods
32:39 Method 1: PowerShell Logging
34:20 “A lot of these PowerShell-encoded commands are default, depending on which ATT&CK framework you are using. Some of these do change, some of these don’t. It just depends on how much effort your attacker wants to put into this.” – Shane
34:47 Method 2: Sysmon PowerShell CLI
36:20 “The added advantage of using the Sysmon is that you also get the parent command line as well as the image or the binary that is launching this.” – Shane
37:37 Sysmon Beaconing Activity
37:43 “It’s super useful if you are trying to correlate all of this activity to figure out what happened.” – Shane
38:37 Method 3: Sysinternals Autoruns
39:04 “It’s going to look in a lot of different places for anything that is slated to run automatically.” – Phil
40:00 Method 4: PowerShell Get-WmiObject
40:25 “This is great for understanding what these baseline configurations look like, and then look for changes to that over time.” – Greg
42:22 PowerShell – Remediation
42:53 “To clean up just from the WMI Persistence, this is a great way to do that. This works with Event Filters, Command Line Consumers, and everything that relates to WMI.” – Greg
43:12 Method 5: OSQuery
43:49 “OSQuery actually has five different WMI queries built in directly. So it makes it really quick and easy to find these malicious WMI objects.” – Greg
44:05 Method 6: Antimalware Scan Interface (AMSI)
45:06 “We can pick up on pivoting activity both from the originating host and the host that is targeted with the pivoting.” – Greg
49:44 Method 7: Endpoint Detection and Response
50:25 “Everything we talked about in terms of WMI, you can actually find within Carbon Black today.” – Greg
51:50 Questions and Answers
52:09 Question 1: How do any of these detection methods for Persistence change when we move to EC2 or any other Cloud provider?
53:49 “The fact that we had seven different means of detecting this shows that a varied approach is going to be really important.” – Phil
55:27 Question 2: Do you have any other examples of Office templates that are used for Persistence?
56:12 “Mailcab is one in particular that is used in Excel startup item.” – Phil
56:56 Question 3: What is the best method for automated coverage testing for Persistence in ATT&CK?
57:10 “There are a lot of publicly available open-source tools like Red Canary’s Atomic Red Team and MITRE’s Caldera Framework that have several persistence mechanisms built in that you can use to do automated testing.” – Blake