A core tenant for malware authors and threat actors is that persistence is key. Afterall, its reported that only 4 percent of users click on phishing links and attachments. Establishing a foothold can be difficult, so when adversaries get into an environment, they want to make sure they stay there.
Enter the topic of persistence. Persistence, especially amongst threat hunters, doesn’t often get the same level of attention as some of the more exotic tactics like privilege escalation, process hollowing, process doppelgänging, or DLL injection. Nevertheless, hunting for persistence across an environment should be one of the top hunts that hunt teams should focus on.
What is Persistence?
Before we get into hunting for persistence in an environment, let’s first look at “what persistence is.”
Persistence is an overall tactic that adversaries, malware, and tools will use to ensure they keep access to systems across events that might interrupt access. Some examples of events that may interrupt access are shutdowns and restarts, file deletion, or credential changes. Persistence may also be used as a means of “cleaning up” the evidence that a malware payload was ever even there.
Long story short? Persistence in adversaries and malware can be like zombies. Even after you think you’ve wiped them out, they just keep coming back.
Figure 1 – Image credit: Rollingstone.com
The techniques used for persistence vary wildly across operating systems, levels of access an adversary may have, and even the firmware your hardware components have installed. However, perhaps the most common forms of persistence an adversary may try to utilize are, Registry Run Keys and the Startup Folder (MITRE ATT&CK ID T1547.001).
What are Registry Run Keys / Startup Folder?
Registry run keys are very specific keys in the Windows registry that are invoked during system start up. These keys allow specific settings or configurations to be loaded automatically. In addition, registry run keys can also point directly at executable files, allowing specific programs (and DLL files) to be executed at start up.
Similarly, the startup folder corresponds to a series of registry keys that will execute files in specific locations on start up.
Persistence, when talking about technique T1547.001, is the modification of specific registry keys and values in order to have an executable, command, or script run every time the system is rebooted.
How Common is This Type of Persistence?
Persistence using registry run keys, or the startup folder are probably the two most common forms of persistence malware and adversaries use. For example, the Ryuk ransomware, which has been responsible for some of the most damaging attacks globally, has utilized registry run keys to establish persistence.
Similarly, advanced persistent threats such as APT39, APT41, FIN7, and Gamareddon Group have all been shown to use registry run keys or the startup folder to establish persistence.
And even more generic malware, such as Emotet, Hancitor, and IcedID have all used this technique multiple times.
How Many Run Keys Are There?
While there are several registry keys that can be used, the most commonly abused are the default keys on a Windows system, specifically:
Similarly, the registry keys that are used to launch programs or set folder items for persistence are:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
It should be noted that there are many other run keys that can be used for this type of persistence; however, these are the most common.
What Do I Need to Hunt for Persistence?
One of the first elements hunt teams typically must tackle when starting a hunt is to determine what log sources are required. If an organization is relatively small, hunting across the registries manually using a tool like SysInternals could be used. In fact, the tool will even cross reference the data with VirusTotal to flag known bad entries.
Hunting from the Registry, Down
However, most will be faced with much larger environments where manual hunting isn’t feasible. In this case, teams will want logs from a tool like Sysmon. Now, it should be said, the registry is generally a very busy place, and logs generated from registry activity can be exceptionally noisy. So, teams will want to focus on logs relating to the specific registry keys noted above.
With Sysmon logs, hunt teamscan look for events with an Event ID of 13 (RegistryEntry (Value Set)). This will identify registry value modifications of the DWORD and QWORD values. The log files contain a lot of useful information, including the system the change was made on, and the key that was modified.
The TargetObject is a great starting point to look for suspicious key names (no, seriously the number of malware families that still use strings like “Asdfasdf” or “Qwerty” is frankly shocking).
Hunting from the System, Up
However, as we have already touched on, the registry can be a very noisy environment, and while Sysmon logging can reveal anomalies (such as changes that do not originate from regedit.exe, or regedit.exe in suspicious locations), most registry changes will nevertheless originate from regedit.exe, obscuring the parent process that made the change.
Another hunting method harkens back to a previous Cyborg Labs article where we looked at using Windows Event logs to hunt for suspicious parent-child relationships. For persistence, however we are going to look for events with an Event ID of 4688 where the New Process Name contains “regedit.exe.” This will flag any parent process that is calling regedit.exe as a child process.
If the organization uses a so-called “gold image” or “gold master” that identifies the programs an organization loads by default, hunters can start to look for programs that don’t look as though they belong in the environment. These could be programs with homoglyphs names (think svch0st), names with high entropy, or programs executing from suspicious paths. These are all good clues that a hunter can use to identify suspicious programs.
However, as we keep saying, the registry is a noisy place. Therefore, we can expect that this method will still generate a lot of noise. We can, however, further reduce the noise by looking at the “Process Command Line” key where its value contains one of the identified registry run keys. This will highlight the specific changes hunters will want to focus on.
I’m Sorry, Your Persistence is Terminal…
Another great log source to hunt for persistence is command line history. As we have previously mentioned, command line and terminal history (especially PowerShell) can reveal a huge amount of data which can not only be used by threat hunters, but may also provide a wealth of intelligence about adversaries.
In this instance, hunters can look for specific commands related to users or processes invoking regedit.exe and modifying those same registries run keys previously mentioned.
Sum It Up!
Persistence remains one of the most common tactics adversaries and malware use, as it has nearly become a necessity to ensure that they retain access to a system, and more importantly the environment, after system events or changes.
While it may not be as exotic as some of the more “interesting” methods, it remains a staple for threat hunters everywhere.
Want to learn about another hunting technique? Check out our latest Threat Hunting Deep Dive on Application Shimming!