Persistence Categories

Registry Persistence

The Windows Registry is a vast database housing configuration settings for the operating system, applications, and users. This centrality makes it a prime target for establishing persistent malware infections.

Startup Techniques:

  • Run/RunOnce/RunServices Keys: Adding or modifying entries in these keys triggers the execution of programs or scripts at system startup or user login, a classic and effective persistence mechanism.

  • Active Setup: Registry keys under Active Setup\Installed Components execute commands at user login, providing a covert entry point.

  • Startup Folder: Placing malicious executables in the user or system startup folders ensures execution upon login.

  • Scheduled Tasks: Creating or modifying tasks in Schedule\TaskCache\Tasks enables the timed execution of malicious payloads.

Application and File Manipulation:

  • File Association Modification: Altering file associations redirects specific file types to launch malicious programs instead of their intended handlers. This can be particularly dangerous for commonly used file types, as users might unknowingly trigger malware execution.

  • Shell Extensions: Injecting malicious code into shell extensions allows for execution when interacting with files or folders. For instance, a malicious shell extension might be designed to launch malware whenever a user right-clicks on a specific file type.

  • App Paths: Modifying these keys can launch malicious programs in place of legitimate ones when invoked via ShellExecuteEx. This technique can be abused by attackers to target specific applications used within an organization.

  • Application Shimming: Shim databases can be manipulated to execute malicious code when targeted applications run. Shims are a legitimate Windows mechanism for compatibility purposes, but attackers can exploit them to inject malicious functionality.

  • Image File Execution Options (IFEO) Injection: Modifying IFEO registry keys can redirect the execution of legitimate programs to malicious files. This allows attackers to hijack the execution flow of specific applications.

System-Level Attacks:

  • Service Registration: Creating or modifying services allows malware to run in the background with elevated privileges. Services provide essential functionalities for the operating system, and attackers can disguise their malicious code as legitimate services to gain persistence and evade detection.

  • AeDebug Registry Key: Changing this key substitutes the default debugger with a malicious one, activated when programs crash. A malicious debugger can tamper with crash dumps or steal sensitive information during the debugging process.

  • LSA Manipulation: Tampering with Local Security Authority (LSA) settings (authentication packages, extensions, etc.) can compromise the login process. The LSA is a critical component responsible for user authentication and authorization, and attackers can manipulate its settings to bypass security measures or steal credentials.

Hijacking and Interception:

  • COM Hijacking: Modifying registry entries under CLSID allows for substituting legitimate COM objects with malicious ones. COM (Component Object Model) is a technology used for software component interaction, and attackers can exploit it to inject malicious code into legitimate applications.

  • DLL Hijacking: Replacing legitimate DLLs (e.g., AutodialDLL, hhctrl.ocx) with malicious versions enables code execution in various contexts. DLLs (Dynamic Link Libraries) are shared libraries containing reusable code. Attackers can replace legitimate DLLs with malicious ones to gain code execution whenever the legitimate DLL is loaded.

  • Path Interception: Modifying the PATH environment variable allows malicious executables in specific directories to be executed before legitimate ones. The PATH variable specifies the directories where the system searches for executable files. By manipulating this variable, attackers can trick the system into executing their malicious code first, even if the user types the name of a legitimate program.

File System Persistence

While the Registry is a prime target, the file system itself offers numerous avenues for attackers to establish persistence. By manipulating files and directories, malware can embed itself deeply into the operating system and application ecosystem.

Startup Locations:

  • Startup Folder: Placing malicious executables or shortcuts in the user or system startup folders ensures they launch at login. This is a straightforward yet effective method often used for quick and dirty persistence.

  • Scheduled Tasks: Creating or modifying tasks in the Task Scheduler allows for timed execution of malicious payloads. This method provides flexibility, enabling attackers to schedule malware execution at specific intervals or upon certain triggers.

  • Windows Terminal Profile: Modifying the Windows Terminal profile settings can execute commands at startup or login, offering a less conspicuous entry point than traditional startup folders.

File Manipulation and Replacement:

  • DLL Hijacking: Replacing legitimate DLLs (Dynamic Link Libraries) with malicious ones in system folders allows attackers to execute code within the context of the legitimate process that loads the DLL. This is a stealthy technique, as the malware masquerades as a trusted component.

  • Executable Replacement: Replacing legitimate executables (e.g., accessibility tools like sethc.exe) with malicious ones provides an unexpected entry point for attackers. Users might inadvertently launch the malicious executable, believing it to be the legitimate tool.

  • Alternate Data Streams (ADS): Hiding malware within ADS of legitimate files makes it harder to detect. ADS is a feature of the NTFS file system that allows for storing additional data streams alongside the main file content. Attackers can exploit this to hide malicious code.

Leveraging Legitimate Software:

  • Browser Extensions: Malicious browser extensions can run code in the context of the browser, potentially gaining access to sensitive data or manipulating web content. Browser extensions are often trusted by users, making them an attractive target for attackers.

  • Third-Party Application Plugins: Placing malicious DLLs in plugin folders for software like KeePass or exploiting DLL side-loading vulnerabilities in applications like OneDrive or Teams allows attackers to execute code when these applications launch. Users often install third-party plugins to extend the functionality of their software, creating an opportunity for attackers to exploit.

System-Level Attacks:

  • WMI Event Subscription/BITS Jobs: Creating malicious WMI event filters or BITS jobs allows for executing code upon specific triggers. WMI (Windows Management Instrumentation) is a powerful framework for managing system components, and BITS (Background Intelligent Transfer Service) is a service for transferring files in the background. Attackers can abuse these legitimate mechanisms for persistence.

Network Persistence

While the file system and registry provide local persistence, attackers often rely on network communication to maintain control over compromised systems. Network persistence allows malware to receive commands, update itself, and exfiltrate data, often evading detection by traditional security measures.

Remote Access Trojans (RATs):

  • Covert Channels: RATs establish hidden communication channels with remote servers, allowing attackers to remotely control the infected system. These channels are often disguised as legitimate traffic or use obfuscation techniques to avoid detection.

Domain Generation Algorithms (DGAs):

  • Dynamic Domain Names: DGAs generate a large number of domain names that are used for C2 communication. This constant changing of domain names makes it difficult for defenders to block malicious traffic or track the attacker's infrastructure.

Fast Flux:

  • Rapid IP Rotation: Fast flux involves rapidly changing the IP addresses associated with domain names. This makes it difficult for defenders to identify and block malicious traffic, as the IP addresses are constantly changing.

  • Distributed Infrastructure: Fast flux networks are often distributed across multiple servers and geographic locations, making them even more resilient to takedown attempts.

Pre-OS Persistence

While most persistence techniques target the operating system (OS) or its software components, pre-OS persistence delves deeper, embedding malware within the firmware, boot processes, or even hardware itself. These methods are particularly insidious, as they can evade detection by traditional security tools and persist even after the OS is reinstalled or replaced.

Firmware and UEFI/BIOS Persistence:

  • Rootkits and Bootkits: These sophisticated malware strains infect the firmware (UEFI or BIOS) or bootloader, gaining control before the OS even starts. This gives them unprecedented access and stealth, allowing them to manipulate the OS, install additional malware, or exfiltrate data without detection.

  • Firmware Vulnerabilities: Exploiting vulnerabilities in firmware can provide attackers with a persistent foothold, often undetectable by antivirus software. Firmware vulnerabilities can be exploited to install backdoors, modify boot processes, or even brick the device.

  • Boot Sector/Bootloader Modifications: Modifying the boot sector or bootloader code enables the execution of malicious code during the earliest stages of system startup. This can be challenging to detect, as the malicious code runs before the OS and its security mechanisms are loaded.

Hardware Implants:

  • Hidden Hardware: Tiny devices, such as malicious USB drives or network adapters, can be physically implanted into a system to create covert communication channels or exfiltrate data. These implants can be difficult to detect without a thorough physical inspection.

  • Hardware Vulnerabilities: Exploiting hardware vulnerabilities can allow attackers to gain access to sensitive information or execute malicious code. These vulnerabilities can be challenging to patch or mitigate, as they often require firmware or hardware updates from the manufacturer.

Persistence Mitigations

Persistence is a constant battle, requiring proactive measures to disrupt an attacker's foothold on a system. Here are key strategies for combating persistence techniques:

Hardening System Configurations:

  • Secure Boot: Enabling Secure Boot ensures that only trusted code executes during system startup, preventing unauthorized bootloaders or firmware from running.

  • Least Privilege: Enforce the principle of least privilege, granting users and processes only the minimum permissions necessary for their tasks. This limits the potential impact of compromised accounts or processes.

  • Application Whitelisting/Blacklisting: Implement whitelisting to allow only approved applications to run, or blacklisting to block known malicious software. This can prevent unauthorized programs from executing.

  • Patch Management: Keep the operating system, firmware, and applications updated with the latest security patches to close vulnerabilities that attackers could exploit.

Monitoring and Detection:

  • Regularly Review Startup Items: Inspect the list of programs configured to run at startup using tools like msconfig (Windows) or Startup Items (macOS) and disable or remove any that are not recognized or authorized.

  • Monitor Running Processes: Use task managers or process monitoring tools to identify and investigate any unusual or suspicious processes running on the system.

  • Log Analysis: Regularly review system and application logs for unauthorized modifications, failed login attempts, or other suspicious activity.

  • File Integrity Monitoring: Employ file integrity monitoring tools to track changes to critical system files, configurations, and executable code.

  • Network Traffic Analysis: Monitor network traffic for unusual patterns, such as connections to suspicious IP addresses or domains, unexpected protocols, or large data transfers.

Configuration Management and Access Control:

  • Initialization Scripts and Databases: Regularly audit initialization scripts and databases for any unauthorized changes. Implement strict access controls to prevent unauthorized modifications.

  • Environment Variables: Review and control environment variables, especially those related to system paths, startup commands, or DLL loading.

  • Scheduled Tasks: Periodically review scheduled tasks for unauthorized or suspicious entries. Disable or remove any tasks that are not needed or trusted.

  • User Accounts: Regularly audit user accounts, disable unused accounts, and enforce strong password policies. Consider using multi-factor authentication for sensitive accounts.

Server-Specific Mitigations:

  • Secure Server Software: Keep server applications and extensions up-to-date with the latest security patches. Regularly scan for vulnerabilities and use web application firewalls (WAFs) to protect against web-based attacks.

  • Monitor Server Logs: Closely monitor server logs for signs of unauthorized access, configuration changes, or suspicious activity.

  • Harden Server Configurations: Disable unnecessary services, restrict access to sensitive files and directories, and enforce strong authentication measures for server administrators.

User Awareness and Education:

  • Security Awareness Training: Educate users about the risks of downloading and installing software from untrusted sources, opening email attachments from unknown senders, and clicking on suspicious links.

  • Phishing Awareness: Train users to recognize and report phishing attempts, as these are often the initial entry point for attackers seeking to establish persistence.

  • Regular Backups: Encourage users to create regular backups of their important data to mitigate the impact of ransomware or other attacks that might compromise system integrity.

PreviousAPT ExamplesNextDetection

Last updated