The MITRE ATT&CK Framework: Persistence – Info CCrime

Disregarding ransomware, persistence is one of the more sought-after techniques of an attacker. Persistence allows an attacker to re-infect a machine or maintain their existing connection after events such as a system reboot, changed credentials, or even the re-imaging of a machine. Attackers want to do the least amount of work possible, and that includes the time spent getting access to their target.

Registry Run Keys / Startup Folder is the most common technique, at least in how it is used under the hood. These are registry keys or file system locations whose contents are executed whenever a computer is booted. Some are well-known locations such as the RunOnce keys; others are more obscure, such as AppInit DLLs, which are loaded when the system starts.

The run keys and startup folders have been well known for some time, so attackers moved to gaining persistence through commonly used applications starting up, such as the web browser or Microsoft Office. Most desktop users in an enterprise are going to open a web browser and/or email client within the first minutes of logging in. Another option is modifying how files are opened using the Image File Execution Options Injection technique, so that server systems, for example, which only handle a single file type, can still maintain some level of persistence.

Some of the items found on endpoints are blatantly malicious. A brand new RunOnce key that executes malware.exe, though unlikely, would be a red flag. However, what about a default file association for a Word document that contains a path to a cryptic DLL? Is that bad, or is it simply how Word is expected to open a document under the hood?

Many of these items are not going to change very often, if at all. Most items that fall under persistence change only under predictable conditions such as installing new applications, performing system updates, or creating new users. Establishing a baseline of what is good or expected to compare against is ideal. At a minimum, establish the baseline on a per-system basis and monitor for change at regular intervals. Tools such as Sysinternals Autoruns can identify some of the persistence locations on an operating system. Security tools such as Tripwire Enterprise can not only monitor for change in persistence locations but also test whether the values discovered are expected or not.
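As an added example (not code from the article or from any of the tools it names), the per-system baseline check described above, run over two constructed snapshots of three persistence locations: the diff reports entries added, removed or modified since the baseline, and a separate hypothetical allow-list flags values that are not expected regardless of whether they changed. Entry names, image paths and hashes are made up for illustration.

```python
from typing import Dict, List, Set, Tuple
Key = Tuple[str, str]    # (persistence location, entry name)
Value = Tuple[str, str]  # (launch string, hash of the image file on disk)
Snapshot = Dict[Key, Value]

RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUNONCE = r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"
STARTUP = r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"

# Constructed baseline captured when the workstation was built; hashes are placeholders.
BASELINE: Snapshot = {
    (RUN, "SecurityHealth"): (r"C:\Windows\System32\SecurityHealthSystray.exe", "h1"),
    (RUN, "VPNClient"): (r"C:\Program Files\ExampleVPN\vpnui.exe", "h2"),
    (STARTUP, "desktop.ini"): (STARTUP + r"\desktop.ini", "h3"),
}
# Constructed snapshot of the same host taken at the next scheduled check.
CURRENT: Snapshot = {
    (RUN, "SecurityHealth"): (r"C:\Windows\System32\SecurityHealthSystray.exe", "h1"),
    (RUN, "VPNClient"): (r"C:\Users\Public\vpnui.exe", "h4"),
    (STARTUP, "desktop.ini"): (STARTUP + r"\desktop.ini", "h3"),
    (RUNONCE, "Update"): (r"C:\Users\Public\update.dll", "h5"),
}
# Hypothetical allow-list: launch strings the organisation expects for each entry.
EXPECTED: Dict[Key, Set[str]] = {
    (RUN, "SecurityHealth"): {r"C:\Windows\System32\SecurityHealthSystray.exe"},
    (RUN, "VPNClient"): {r"C:\Program Files\ExampleVPN\vpnui.exe"},
    (STARTUP, "desktop.ini"): {STARTUP + r"\desktop.ini"},
}

def diff_snapshots(baseline: Snapshot, current: Snapshot) -> Dict[str, List[Key]]:
    """Classify entries as added, removed or modified relative to the baseline."""
    return {
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
        "modified": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
    }

def unexpected_entries(current: Snapshot, expected: Dict[Key, Set[str]]) -> List[Key]:
    """Entries whose launch string is not allow-listed, including entries with no allow-list."""
    return sorted(k for k, (launch, _) in current.items() if launch not in expected.get(k, set()))

def report(baseline: Snapshot, current: Snapshot, expected: Dict[Key, Set[str]]) -> List[str]:
    """One line per change and per unexpected value, for a reviewer to triage."""
    changes = diff_snapshots(baseline, current)
    lines = [f"{kind.upper():10} {loc}\\{name}" for kind in ("added", "removed", "modified")
             for loc, name in changes[kind]]
    lines += [f"UNEXPECTED {loc}\\{name} -> {current[(loc, name)][0]}"
              for loc, name in unexpected_entries(current, expected)]
    return lines
```

On the constructed data the report shows the VPN client entry modified to a path under a public directory, and a new RunOnce entry that has no allow-list at all.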

Read more about the MITRE ATT&CK Framework here:

Article Prepared by Ollala Corp
