Speakers: Phil Hagen, Blake Strom, Greg Foss, Shane Welcher

MITRE ATT&CK Deep Dive: Persistence


Persistence is just another opportunity for detection.

Persistence techniques give adversaries the ability to maintain access to compromised systems, but they also present opportunities for detection. Watch this on-demand webinar that explores persistence with Carbon Black and MITRE ATT&CK.

This ATT&CK Deep Dive walks through:

  • Common techniques that adversaries and malware use to persist in macOS, Linux, and Windows environments
  • Practical guidance on observing prevalent persistence mechanisms and detecting corresponding threats
  • In-depth analysis of routine and sophisticated persistence techniques
  • Examples of prominent, persistent malware

00:32 Introduction

03:20 Webinar Agenda

03:39 Overview: What is Persistence?

03:56 “Persistence is an adversary’s means of maintaining presence and access to a compromised asset.” – Phil

04:23 Why Adversaries Use Persistence

04:40 “Adversaries need their tools to be able to run through intermittent interruptions—and also need them to regain access after being discovered and removed from a network.” – Blake

05:57 “Depending on what their goal is, they might set up stealthy forms of access and data collection that might persist if other mechanisms are found.” – Blake

06:29 Persistence Mechanisms in ATT&CK®

06:42 “There are 59 techniques currently documented in ATT&CK. Keep in mind this isn’t really an enumeration of all possible techniques. There are other theoretical things out there that we don’t know if adversaries really use.” – Blake

07:20 ATT&CK Sub-Techniques

07:29 “The ATT&CK team realizes that there are a lot of techniques out there and we need a better way of organizing them.” – Blake

09:24 Types of Persistence

10:28 “A lot of times we see multiple different forms of persistence deployed at the same time. If you don’t have full coverage across all the different techniques of persistence, one of those easier forms of persistence that we can detect may trigger an investigation into identifying something else that was used in your environment.” – Shane

11:33 Examples

12:07 Webshells

12:08 “Webshells are generally scripts that get deployed to publicly accessible web servers and allow adversaries backup access into the organization.” – Blake

12:27 “We have seen these used by state-sponsored adversaries. China Chopper is a specific type of webshell that has been used by multiple Chinese groups.” – Blake

12:37 WMI Event Subscription

12:38 “It’s another technique that’s becoming more popular because it can be a little more difficult to detect.” – Blake

12:53 Registry Run Keys

13:00 “There are a set of things Windows runs when it starts, and it’s a really simple Registry change to make those work—either when the user logs in or Windows starts.” – Blake

13:27 Valid Accounts

13:37 “Those accounts can provide backup access because they are often used in conjunction with things like RDP, Citrix, VPNs, and other remote services.” – Blake

13:55 Where Persistence Ranks

15:41 Detection Opportunities

16:47 “If you don’t have a full EDR solution, or even if you do, I highly recommend one or the other: Sysmon and PowerShell Script Block Logging.” – Shane

17:28 “Understanding what’s being executed in your environment is really important. Some of the EDR platforms don’t always capture Script Execution. Having this in conjunction with an EDR solution can give you additional visibility into your environment.” – Shane

22:50 WMI Event Subscription Demo

23:56 Delivery – Macro Document – Spearphishing Attachment

24:27 “Hopefully you would be catching the attacker at this point before they are able to gain that persistence, spread laterally, and perform other actions on the host.” – Greg

24:41 Persistence – Office Templates – Office Application Startup

25:12 “This is a great way for an attacker to establish persistence: basically modifying these templates and injecting Macros directly into them.” – Greg

25:46 OPSEC

26:09 “By this point, we should have already detected them through multiple other TIDs.” – Greg

27:26 Establish Persistence

27:27 “The aggressor scripts are awesome. These automate common tasks that are performed during post-exploitation.” – Greg

29:34 Reboot and Test

29:55 Verify

29:58 “Once we hit reboot, we get our new shell. And as you can see, this one is actually system privileges, so now we have even higher access into the host.” – Greg

31:47 “We’ve seen this used with large botnets using EternalBlue to spread and immediately establish persistence with WMI. It’s something that can be done very fast.” – Greg

32:25 The 7 Detection Methods

32:39 Method 1: PowerShell Logging

34:20 “A lot of these PowerShell-encoded commands are default, depending on which ATT&CK framework you are using. Some of these do change, some of these don’t. It just depends on how much effort your attacker wants to put into this.” – Shane 

34:47 Method 2: Sysmon PowerShell CLI

36:20 “The added advantage of using Sysmon is that you also get the parent command line as well as the image or the binary that is launching this.” – Shane

37:37 Sysmon Beaconing Activity

37:43 “It’s super useful if you are trying to correlate all of this activity to figure out what happened.” – Shane 

38:37 Method 3: Sysinternals Autoruns

39:04 “It’s going to look in a lot of different places for anything that is slated to run automatically.” – Phil 

40:00 Method 4: PowerShell Get-WmiObject

40:25 “This is great for understanding what these baseline configurations look like, and then look for changes to that over time.” – Greg 

42:22 PowerShell – Remediation

42:53 “To clean up just from the WMI Persistence, this is a great way to do that. This works with Event Filters, Command Line Consumers, and everything that relates to WMI.” – Greg

43:12 Method 5: osquery

43:49 “osquery actually has five different WMI queries built in directly. So it makes it really quick and easy to find these malicious WMI objects.” – Greg

44:05 Method 6: Antimalware Scan Interface (AMSI)

45:06 “We can pick up on pivoting activity both from the originating host and the host that is targeted with the pivoting.” – Greg 

49:44 Method 7: Endpoint Detection and Response

50:25 “Everything we talked about in terms of WMI, you can actually find within Carbon Black today.” – Greg 

51:50 Questions and Answers

52:09 Question 1: How do any of these detection methods for Persistence change when we move to EC2 or any other Cloud provider?

53:49 “The fact that we had seven different means of detecting this shows that a varied approach is going to be really important.” – Phil

55:27 Question 2: Do you have any other examples of Office templates that are used for Persistence?

56:12 “Mailcab is one in particular that is used as an Excel startup item.” – Phil

56:56 Question 3: What is the best method for automated coverage testing for Persistence in ATT&CK?

57:10 “There are a lot of publicly available open-source tools like Red Canary’s Atomic Red Team and MITRE’s Caldera Framework that have several persistence mechanisms built in that you can use to do automated testing.” – Blake
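Methods 4 and 5 in the webinar describe baselining permanent WMI event subscriptions with Get-WmiObject and then removing the filter, consumer and binding that make one up. The PowerShell below is an added example written for this page; it is not code shown in the webinar and not part of Carbon Black. The function names, the baseline file path under $env:ProgramData, and the 'BotFilter'/'BotConsumer' names in the usage comment are assumptions chosen for illustration.

```powershell
# Added example (not from the webinar). Enumerates permanent WMI event
# subscriptions, diffs them against a saved baseline, and removes a
# confirmed-malicious filter/consumer pair. Run from an elevated Windows
# PowerShell 5.1 session; on PowerShell 7 swap Get-WmiObject for Get-CimInstance.

$Namespace = 'root\subscription'   # permanent subscriptions live here

function Get-WmiSubscription {
    # A working subscription needs three objects: an __EventFilter (the WQL
    # trigger), an __EventConsumer (the action), and a __FilterToConsumerBinding
    # tying them together. Walking the bindings lists only "live" persistence.
    $filters   = @(Get-WmiObject -Namespace $Namespace -Class __EventFilter)
    $consumers = @(Get-WmiObject -Namespace $Namespace -Class __EventConsumer)
    $bindings  = @(Get-WmiObject -Namespace $Namespace -Class __FilterToConsumerBinding)

    foreach ($b in $bindings) {
        # Binding references are object paths such as __EventFilter.Name="SCM Event Log Filter"
        $filterName   = ($b.Filter   -split '"')[1]
        $consumerName = ($b.Consumer -split '"')[1]
        $f = $filters   | Where-Object { $_.Name -eq $filterName }   | Select-Object -First 1
        $c = $consumers | Where-Object { $_.Name -eq $consumerName } | Select-Object -First 1

        # CommandLineEventConsumer carries a command line; ActiveScriptEventConsumer
        # carries script text. Whichever is present is the payload to inspect.
        $payload = $null
        $type    = $null
        if ($c) {
            $type = $c.__CLASS
            if ($c.CommandLineTemplate) { $payload = $c.CommandLineTemplate }
            elseif ($c.ScriptText)      { $payload = $c.ScriptText }
        }
        $query = $null
        if ($f) { $query = $f.Query }

        [pscustomobject]@{
            Filter       = $filterName
            Query        = $query
            Consumer     = $consumerName
            ConsumerType = $type
            Payload      = $payload
        }
    }
}

function Save-WmiSubscriptionBaseline {
    param([string]$Path = "$env:ProgramData\wmi-subscriptions.baseline.json")
    # Capture this on a known-good host or gold image, and keep a copy off the
    # host: an attacker with admin rights can edit a local baseline file.
    ConvertTo-Json -InputObject @(Get-WmiSubscription) -Depth 3 |
        Set-Content -Path $Path -Encoding UTF8
}

function Compare-WmiSubscriptionBaseline {
    param([string]$Path = "$env:ProgramData\wmi-subscriptions.baseline.json")
    $baseline = @(Get-Content -Path $Path -Raw | ConvertFrom-Json)
    foreach ($cur in Get-WmiSubscription) {
        $known = $baseline | Where-Object {
            $_.Filter -eq $cur.Filter -and $_.Consumer -eq $cur.Consumer -and $_.Payload -eq $cur.Payload
        }
        # A binding the baseline did not have, or whose payload changed, is a
        # persistence candidate worth an investigation.
        if (-not $known) { $cur }
    }
}

function Remove-WmiSubscription {
    param(
        [Parameter(Mandatory)][string]$FilterName,
        [Parameter(Mandatory)][string]$ConsumerName
    )
    # Drop the binding first so the consumer cannot fire while the rest is torn down.
    Get-WmiObject -Namespace $Namespace -Class __FilterToConsumerBinding |
        Where-Object { ($_.Filter -split '"')[1] -eq $FilterName -and ($_.Consumer -split '"')[1] -eq $ConsumerName } |
        Remove-WmiObject
    Get-WmiObject -Namespace $Namespace -Class __EventConsumer | Where-Object { $_.Name -eq $ConsumerName } | Remove-WmiObject
    Get-WmiObject -Namespace $Namespace -Class __EventFilter   | Where-Object { $_.Name -eq $FilterName }   | Remove-WmiObject
}

# Usage (hypothetical names):
#   Save-WmiSubscriptionBaseline                     # once, on a clean host
#   Compare-WmiSubscriptionBaseline | Format-List    # on a schedule or during IR
#   Remove-WmiSubscription -FilterName 'BotFilter' -ConsumerName 'BotConsumer'
Get-WmiSubscription | Format-Table -AutoSize
```

Two caveats when reading the output. A default Windows install normally carries one benign binding, SCM Event Log Filter to SCM Event Log Consumer (an NTEventLogEventConsumer), so an empty result is not the expected baseline; the pattern to chase is a CommandLineEventConsumer or ActiveScriptEventConsumer bound to a timer or process-start query. And a baseline diff only catches what survives to the next run: if Sysmon is deployed (Method 2), its event IDs 19, 20 and 21 record the creation of the filter, consumer and binding at the moment they are written, which is the earlier detection opportunity.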

  • Using visibility to gather context and find persistence mechanisms
  • ATT&CK T1501: Understanding systemd service persistence
  • Advanced persistence threats: to be a cybercriminal, think like a sysadmin
  • Detecting COR_PROFILER manipulation for persistence