Fahd Aomari Last Edit : October 15, 2024 4:25 AM

Malware Persistence Analysis

After initial access, the first thing an adversary will try to establish is persistence: making sure their malware survives reboots and logoffs and keeps running, and, ideally, doing so in a way that stays hidden.

These are the most commonly used persistence techniques:

AutoStart Locations

The “Run” registry keys are among the most popular Auto-Start Extensibility Points (ASEPs) abused by malware. You may ask who would still use such a banal technique. Well, check Stuxnet :D. What I have learned is that adversaries do not burn everything they have: they will not show all their cards when a simpler trick does the job, because every capability they expose ends up shared as threat intelligence.

1. NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run

  • Scope: This key applies to the currently logged-in user. Malware here will launch whenever that specific user logs in.
  • Analysis Tip: When analyzing a system, be sure to check the NTUSER.DAT file for each user profile on the machine, as malware could be configured to run under different user accounts.

2. NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce

  • Scope: Similar to the “Run” key, but programs listed here are executed only once, at that user's next logon, and the value is deleted before the command runs (prefixing the value name with an exclamation mark defers deletion until after the command completes). This suits malware that wants to perform an initial action (like installing itself further) and then disappear from the key to avoid repeated execution.
  • Analysis Tip: Pay close attention to any entries in “RunOnce” as they might indicate a recent infection or a malware component that is yet to perform its primary function.

3. SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (HKLM\SOFTWARE\...)

  • Scope: Machine-wide. The entry runs once, at the next interactive logon by whichever user logs on first, and the value is deleted before the command runs (same exclamation-mark rule as above). It does not run once per user.
  • Analysis Tip: Because the value deletes itself, finding one on a live system usually means no interactive logon has happened since it was written: treat it as a recent or still-pending infection step. Entries that have already fired can sometimes be recovered from the hive's transaction logs (SOFTWARE.LOG1/LOG2) or from a Volume Shadow Copy of the hive.

4. Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

  • Scope: This key exists under both the SOFTWARE hive (machine-wide) and NTUSER.DAT (per user). It is normally populated by the Group Policy setting “Run these programs at user logon”, which administrators use to force programs to start for all users. Malware writes to it directly to get the same effect, and it is checked far less often than the plain Run key.
  • Analysis Tip: Check for any unexpected entries in this key, especially if the system is not domain-joined or centrally managed, where there is no legitimate reason for it to be populated at all.

5. SOFTWARE\Microsoft\Windows\CurrentVersion\Run (HKLM\SOFTWARE\...)

  • Scope: Like its “RunOnce” counterpart, this key is machine-wide: programs listed here launch every time any user logs on. On 64-bit Windows there is a second, 32-bit view of this key (and of RunOnce) under SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\. Both views are processed at logon, and a 32-bit process that writes to the normal path is silently redirected to the Wow6432Node one, so check both.
  • Analysis Tip: This is another high-value target for malware seeking system-wide persistence; writing here requires administrative rights, so an entry pointing into a user profile directory is doubly suspicious.

Important Considerations:

  • NTUSER.DAT vs. SOFTWARE: NTUSER.DAT (mounted as HKEY_CURRENT_USER for the logged-on user, and as HKEY_USERS\<SID> for every loaded profile) is user-specific, while the SOFTWARE hive (HKEY_LOCAL_MACHINE\SOFTWARE) applies to the entire machine.
  • Multiple “Run” keys: several Run-type keys exist, and malware can use any combination of them. Check all of them in every hive rather than stopping at the first hit.
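The enumeration the tips above describe, as an added example (this is not code from the original post): it walks the Run, RunOnce and Policies\Explorer\Run keys, including the Wow6432Node views, across the SOFTWARE hive and every loaded user hive under HKEY_USERS, and reports the Authenticode status of each launch target. The way the executable path is pulled out of the launch string is a simplification I introduced; quoted paths and plain `C:\path\x.exe args` forms are handled, rundll32-style launches are not.

```powershell
# Added example: enumerate Run-type ASEPs across all loaded hives and check
# the Authenticode signature of each launch target. Run from an elevated shell.
# Assumption: the target binary is the quoted string or first token of the
# launch string; launch strings that hide the payload in arguments (rundll32,
# powershell -enc) still need a manual look.

# HKU: is not a default drive, so map it to reach every loaded NTUSER.DAT.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    $null = New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS
}

$subKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',     # 32-bit view on x64
    'Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)

# HKLM:\SOFTWARE (machine-wide) plus every loaded user hive under HKEY_USERS,
# skipping the *_Classes hives and the built-in service SIDs.
$roots = @('HKLM:') + (Get-ChildItem HKU: |
    Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' } |
    ForEach-Object { "HKU:\$($_.PSChildName)" })

$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-ExePathFromLaunchString([string]$launch) {
    # "C:\path with spaces\x.exe" args  ->  C:\path with spaces\x.exe
    if ($launch -match '^\s*"([^"]+)"') { return [Environment]::ExpandEnvironmentVariables($Matches[1]) }
    # C:\path\x.exe args                ->  C:\path\x.exe (first token)
    $first = ($launch -split '\s+')[0]
    return [Environment]::ExpandEnvironmentVariables($first)
}

$results = foreach ($root in $roots) {
    foreach ($sub in $subKeys) {
        $key = Join-Path $root $sub
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($providerProps -contains $p.Name) { continue }   # provider metadata, not registry values
            $exe = Get-ExePathFromLaunchString ([string]$p.Value)
            $sig = if ($exe -and (Test-Path -LiteralPath $exe)) {
                (Get-AuthenticodeSignature -FilePath $exe).Status.ToString()
            } else { 'FileMissing' }
            [pscustomobject]@{
                Hive      = $root
                Key       = $sub
                Name      = $p.Name
                Launch    = $p.Value
                Signature = $sig
            }
        }
    }
}

# Review unsigned entries first, and entries whose target is no longer on disk
# (a dangling RunOnce/Run value can be the trace of an attacker's cleanup).
$results | Where-Object { $_.Signature -ne 'Valid' } | Format-Table -AutoSize -Wrap
```

Catalog-signed Windows binaries report `Valid` because `Get-AuthenticodeSignature` consults the system catalogs, so what remains after the filter is third-party, unsigned, or missing, which is exactly the worklist the tips above ask for. For an offline NTUSER.DAT from a disk image, load it with `reg.exe load HKU\Evidence <path>` first and it will be picked up under HKU: like any other profile.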

Service Creation / Replacement / Failure Recovery

Create new services

  • Campaign: APTualizator
  • Technique: Create or Modify System Process: Windows Service (T1543.003)
  • Details: This campaign installed a malicious service disguised as a legitimate Windows update (KB3033929 is a real Microsoft update, so the name blends in with what an administrator expects to see). The service loaded a kernel-level driver, granting the attackers deep system access; the convincing update name is what let a brand-new service survive casual review.

Replace existing services

Target disabled or unused services, replacing their binaries with malicious ones.

  • APT: Winnti Group
  • Technique: Create or Modify System Process: Windows Service (T1543.003). ATT&CK has no separate ID for replacing a service binary, and T1093 belongs to a different, retired technique.
  • Details: The Winnti Group, a China-linked APT, used GlassRAT, a backdoor that often replaced the “RasAuto” (Remote Access Auto Connection Manager) service. This dial-up-era service is disabled on most modern systems, so swapping its binary causes no visible disruption and the service name still looks legitimate in a listing. The tell is a start type or ImagePath that differs from the baseline, and a binary whose signature is not Microsoft's.

Exploit service recovery

Configure the service's recovery options so that a failure runs the attacker's program, then crash the service deliberately (for example with a known denial-of-service bug). The recovery command runs under the service's own account, which for many services is LocalSystem.

  • APT: Turla
  • Technique: No dedicated ATT&CK ID; tracked under Create or Modify System Process: Windows Service (T1543.003). T1136 (Create Account) does not apply.
  • Details: The Turla APT has been observed manipulating the recovery options of Remote Desktop Services. By exploiting known vulnerabilities that crash the RDP service, they trigger execution of their malware through the configured recovery action. This is a more sophisticated technique: it depends on a reliable crash and careful configuration, but nothing in the service's ImagePath changes, so a check that only looks at service binaries misses it. The recovery command is stored as the FailureCommand value under HKLM\SYSTEM\CurrentControlSet\Services\<service>, and sc.exe qfailure <service> displays it.
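A triage pass over the three service abuses above, as an added example (not code from the original post). It lists Win32 services and kernel drivers, checks each binary's signature and location, and reads the FailureCommand value that a "run a program" recovery action leaves in the registry. The ImagePath normalisation is my own simplification; it handles `\??\`, `\SystemRoot\` and Windows-relative driver paths, which covers the common cases.

```powershell
# Added example: find new, replaced, or recovery-abused services. Run elevated.
# Assumptions: FailureCommand under the service's registry key holds the
# recovery command line (services.exe runs it under the service account), and
# legitimate service binaries live under the Windows or Program Files trees.

$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-ImageFile([string]$imagePath) {
    # Strip arguments and NT-style prefixes from an ImagePath; $null if empty.
    if (-not $imagePath) { return $null }
    $p = $imagePath -replace '^\\\?\?\\', ''                       # \??\C:\...  -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"           # \SystemRoot\... -> C:\Windows\...
    if ($p -match '^"([^"]+)"') { $p = $Matches[1] } else { $p = ($p -split '\s+')[0] }
    $p = [Environment]::ExpandEnvironmentVariables($p)
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }   # system32\drivers\x.sys
    return $p
}

# Win32_Service covers user-mode services; kernel drivers (the APTualizator
# case) are Win32_SystemDriver. Both expose Name, PathName, StartMode, StartName.
$all = @(Get-CimInstance Win32_Service) + @(Get-CimInstance Win32_SystemDriver)

$report = foreach ($svc in $all) {
    $file = Get-ImageFile $svc.PathName
    $sig  = if ($file -and (Test-Path -LiteralPath $file)) { Get-AuthenticodeSignature -FilePath $file } else { $null }

    # Recovery action: FailureCommand exists only when "Run a program" was configured.
    $reg = Get-ItemProperty -Path (Join-Path $svcRoot $svc.Name) -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Name           = $svc.Name
        StartMode      = $svc.StartMode
        State          = $svc.State
        Account        = $svc.StartName
        Binary         = $file
        Signer         = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        SigStatus      = if ($sig) { $sig.Status.ToString() } else { 'FileMissing' }
        FailureCommand = $reg.FailureCommand
    }
}

# 1. Recovery abuse: any service with a run-on-failure command is a finding
#    until explained; the command inherits the service account.
$report | Where-Object { $_.FailureCommand } | Format-List Name, Account, Binary, FailureCommand

# 2. Creation / replacement: unsigned, missing, or oddly located binaries.
#    Keep disabled services in the list: a replaced RasAuto still shows here.
$report | Where-Object {
    $_.SigStatus -ne 'Valid' -or
    ($_.Binary -and $_.Binary -notmatch '^[A-Za-z]:\\(Windows|Program Files( \(x86\))?)\\')
} | Format-Table Name, StartMode, Account, SigStatus, Binary -AutoSize -Wrap
```

Compare the second table against the same script's output from a clean build of the image: a service that is present on the clean build but now reports a different binary path or a non-Microsoft signer is the replacement case; a service name that does not exist on the clean build at all is the creation case.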

Scheduled Tasks

Scheduled tasks offer a versatile mechanism for attackers to maintain persistent access to compromised systems. Both at.exe (deprecated since Windows 8 and refused on current versions, but still found on older systems) and schtasks.exe allow precise scheduling and execution of malicious code. Each task is stored as an XML file under C:\Windows\System32\Tasks and mirrored in the registry under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache, which is where you look when the task list itself has been tampered with.

Scheduled Malware Execution: Attackers can schedule tasks to launch malware at specific times, on boot-up, or in response to specific events like user login.

Remote Task Scheduling: Both at.exe and schtasks.exe (schtasks /s <host> /u <user> /p <pass>) can schedule tasks on remote systems, given administrative credentials for the target, enabling attackers to spread malware, execute commands, and perform lateral movement across a network.

APT Examples

  • SolarWinds Supply-Chain Attack:
    • APT: UNC2452 (since attributed by the US government to Russia's SVR, the actor also tracked as APT29)
    • Technique: Scheduled Task/Job: Scheduled Task (T1053.005)
    • Details: The SUNSPOT malware, responsible for injecting the SUNBURST backdoor into SolarWinds Orion software during its build, ran on the SolarWinds build server from a scheduled task configured to execute at system startup. This ensured the implant's persistence across reboots of the build host.
  • APT29 (Cozy Bear) and Scheduled Tasks for Lateral Movement:
    • APT: APT29 (Cozy Bear)
    • Technique: Scheduled Task/Job: Scheduled Task (T1053.005), used for Lateral Movement (tactic TA0008; T1570 is Lateral Tool Transfer and is not the right ID here)
    • Details: This Russian APT group has been observed using scheduled tasks to execute malicious PowerShell scripts on remote systems, facilitating lateral movement and further compromise within target networks.
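A task-triage pass, as an added example (not code from the original post): it lists every enabled task, summarises its triggers (boot, logon, time, event), resolves the action's executable, and drops from the worklist anything that is a signed Microsoft binary, unless that binary is an interpreter such as powershell.exe whose payload would be in the arguments. COM-handler actions are listed for manual review rather than resolved; the list of interpreter names is my own and not exhaustive.

```powershell
# Added example: scheduled-task worklist. Assumptions: only Exec actions are
# resolved; bare executable names are looked up in System32 rather than PATH.

function Get-TriggerSummary($task) {
    # Trigger class names encode the event: MSFT_TaskBootTrigger,
    # MSFT_TaskLogonTrigger, MSFT_TaskTimeTrigger, MSFT_TaskEventTrigger, ...
    ($task.Triggers | ForEach-Object {
        $_.CimClass.CimClassName -replace '^MSFT_Task', '' -replace 'Trigger$', ''
    }) -join ','
}

# Interpreters and proxy binaries: signed by Microsoft, but the payload is the argument.
$lolbin = '\\(powershell|pwsh|cmd|rundll32|mshta|wscript|cscript|regsvr32|msiexec|certutil)\.exe$'

$worklist = foreach ($task in Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' }) {
    foreach ($action in $task.Actions) {
        if ($action.CimClass.CimClassName -eq 'MSFT_TaskComHandlerAction') {
            [pscustomobject]@{
                Task = $task.TaskPath + $task.TaskName; Trigger = Get-TriggerSummary $task
                Target = "COM handler $($action.ClassId)"; Args = ''; Signer = ''; Status = 'ReviewManually'
            }
            continue
        }
        $exe = [Environment]::ExpandEnvironmentVariables(($action.Execute -replace '^"|"$', ''))
        if ($exe -and -not [IO.Path]::IsPathRooted($exe)) {
            $candidate = Join-Path "$env:SystemRoot\System32" $exe
            if (Test-Path -LiteralPath $candidate) { $exe = $candidate }
        }
        $sig    = if ($exe -and (Test-Path -LiteralPath $exe)) { Get-AuthenticodeSignature -FilePath $exe } else { $null }
        $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $status = if ($sig) { $sig.Status.ToString() } else { 'FileMissing' }

        # Signed Microsoft code with no interpreter involved: drop from the worklist.
        if ($status -eq 'Valid' -and $signer -match 'O=Microsoft Corporation' -and $exe -notmatch $lolbin) { continue }

        [pscustomobject]@{
            Task    = $task.TaskPath + $task.TaskName
            Trigger = Get-TriggerSummary $task
            Target  = $exe
            Args    = $action.Arguments
            Signer  = $signer
            Status  = $status
        }
    }
}

$worklist | Sort-Object Status, Task | Format-Table -AutoSize -Wrap
```

Boot and Logon triggers on a task that runs an unsigned binary from a user profile are the pattern both examples above fit; an EventTrigger pointing at a Security or System log event is rarer and worth reading the task XML for.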

DLL Hijacking

Most Windows programs do not carry all the code they need inside their own executable: they load shared libraries, DLLs, at run time. Which DLL file actually gets loaded is decided by the loader, by name, at the moment of the load, and that decision is what adversaries hijack.

Here is how.

DLL Search Order Hijacking

When a program loads a DLL by name without a full path, Windows walks a fixed search order to find it. An attacker who can place a file with the right name in a location that is searched before the legitimate copy gets their code loaded inside the victim process, with the victim's privileges. With SafeDllSearchMode enabled (the default since Windows XP SP2), the order is:

  1. DLLs already loaded in memory
  2. Side-by-Side Components
  3. KnownDLLs list
  4. Directory from which the application is loaded
  5. C:\Windows\System32
  6. C:\Windows\system
  7. C:\Windows
  8. Current Directory
  9. System %PATH%

Only steps 4 to 9 touch the file system; steps 1 to 3 short-circuit the search, which is why KnownDLLs (core System32 libraries such as kernel32.dll) cannot be hijacked this way. With SafeDllSearchMode disabled, the current directory moves up to right after the application directory, ahead of System32. The application directory (step 4) is the usual hijack point, because it is writable by ordinary users whenever the application is installed outside Program Files or System32.

Both APT29 (Cozy Bear) and FIN7 (Carbanak) are known to use this technique (Hijack Execution Flow: DLL Search Order Hijacking, T1574.001).

Phantom DLL

Some programs, including Windows components, try to load a DLL that no longer ships with the OS (or never did). The load fails harmlessly every time, until an attacker drops a DLL of that name into a searched location, at which point it is loaded by a legitimate, often signed, parent process. Because nothing legitimate is being replaced, there is no file-integrity mismatch to notice; the only clue is a new DLL where one never existed.

Seen with: APT32 (OceanLotus).
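The search-order walk described above and the phantom-DLL case, as an added example (not code from the original post). Given an application path and a DLL name, the function checks KnownDLLs first, then walks the directory list in the same order as the page's list, reports which directory wins, and lists every directory earlier in the order that the current user could write to; a name that resolves nowhere is reported as a phantom-DLL candidate. The writability probe (create a file that deletes itself on close) is my own choice over parsing ACLs, and the "current directory" is taken to be the shell's, which is an assumption: in practice it is whatever the launching process set.

```powershell
# Added example: resolve a DLL name the way the loader does (SafeDllSearchMode
# on) and show where an attacker could get in ahead of the legitimate copy.
# Run as the user whose privileges the attacker would have; as an admin every
# directory is writable and the result is meaningless.

function Test-DirectoryWritable([string]$Dir) {
    # Probe by creating a temp file the OS removes on close; no ACL parsing.
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return $false }
    $probe = Join-Path $Dir ('.' + [guid]::NewGuid().ToString('N'))
    try {
        $fs = New-Object IO.FileStream($probe, [IO.FileMode]::CreateNew, [IO.FileAccess]::Write,
                                       [IO.FileShare]::None, 4096, [IO.FileOptions]::DeleteOnClose)
        $fs.Dispose()
        return $true
    } catch { return $false }
}

function Resolve-DllSearchOrder {
    param(
        [Parameter(Mandatory)] [string] $ApplicationPath,   # full path of the .exe being analysed
        [Parameter(Mandatory)] [string] $DllName            # e.g. 'version.dll'
    )
    # Step 3: KnownDLLs are always taken from System32, so they are out of reach.
    $known   = Get-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs'
    $isKnown = ($known.GetValueNames() | ForEach-Object { $known.GetValue($_) }) -contains $DllName
    if ($isKnown) {
        return [pscustomobject]@{ Dll = $DllName; ResolvedIn = 'KnownDLLs (System32, not hijackable)'; WritableEarlier = @() }
    }

    # Steps 4-9 of the search order.
    $searchDirs = @(
        (Split-Path -Parent $ApplicationPath),   # 4. application directory
        "$env:SystemRoot\System32",              # 5. system directory
        "$env:SystemRoot\System",                # 6. 16-bit system directory
        $env:SystemRoot,                         # 7. Windows directory
        (Get-Location).Path                      # 8. current directory (assumed: this shell's)
    ) + ($env:PATH -split ';' | Where-Object { $_ })  # 9. PATH entries

    $writableEarlier = @()
    foreach ($dir in $searchDirs) {
        if (Test-Path -LiteralPath (Join-Path $dir $DllName) -PathType Leaf) {
            return [pscustomobject]@{ Dll = $DllName; ResolvedIn = $dir; WritableEarlier = $writableEarlier }
        }
        if (Test-DirectoryWritable $dir) { $writableEarlier += $dir }
    }
    # Found nowhere: the load fails quietly today, and every writable directory
    # in the list is a phantom-DLL drop point.
    [pscustomobject]@{ Dll = $DllName; ResolvedIn = 'NOT FOUND (phantom DLL candidate)'; WritableEarlier = $writableEarlier }
}

# The same DLL name from two application locations: in place, and copied to a
# world-writable folder (the relative-path hijack below).
Resolve-DllSearchOrder -ApplicationPath "$env:SystemRoot\System32\notepad.exe" -DllName 'version.dll'
Resolve-DllSearchOrder -ApplicationPath 'C:\Users\Public\notepad.exe'        -DllName 'version.dll'
```

For the second call the DLL still resolves to System32, but `WritableEarlier` now contains `C:\Users\Public`: that is the whole relative-path attack in one line of output. Run it with a name that is not on disk anywhere to see the phantom case.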

DLL Side-Loading

A legitimate, usually signed, executable is dropped together with a malicious DLL that carries the name of one of its dependencies; when the executable runs, the loader takes the DLL from the application directory before looking anywhere else. Older descriptions tie this to the Windows side-by-side (SxS) manifest mechanism, where the application manifest names the DLL version to load and the attacker supplies the malicious “updated” one. ATT&CK tracks it as Hijack Execution Flow: DLL Side-Loading (T1574.002).

APT19 (Deep Panda): This Chinese APT group is known for using DLL side-loading, and the PlugX family is the textbook side-loaded payload: a legitimate, digitally signed executable loads the malicious DLL, so the process tree shows a trusted, signed parent and detection is harder.

Relative Path DLL Hijacking

The attacker copies a legitimate application (typically a signed Windows or vendor binary that normally lives in a protected directory) to a folder they can write to, and places a malicious DLL with the name of one of its dependencies next to the copy. Because the application directory comes first in the search order, the copy loads the attacker's DLL where the original, in System32 or Program Files, would have loaded the real one. The binary itself is unchanged and still signed, so signature checks pass; the anomaly is a system binary running from an unusual path.

Seen with: APT32 (OceanLotus).

WMI Events (Filter / Consumer [MITRE ATT&CK ID: T1546.003] )

What is WMI?

WMI (Windows Management Instrumentation) is a powerful technology built into Windows for managing and monitoring systems. It provides an interface to access information about the operating system, hardware, and software.

How WMI Backdoors Work:

Event Filters: These define the trigger condition as a WQL query over WMI events, for example “when a user logs on”, “every hour” (a timer, or a periodic __InstanceModificationEvent poll of Win32_LocalTime), or “a few minutes after boot” (a poll of system uptime).

Event Consumers: These specify the action to be taken when the filter condition is met (e.g., execute a script, launch an executable).

Binding: A __FilterToConsumerBinding links the filter to the consumer. The three objects together, stored in the root\subscription namespace inside the WMI repository, are the backdoor.

WMI is not only used for persistence. Permanent subscriptions are executed by the WMI service as LocalSystem, so a subscription created with administrative rights also gives a SYSTEM-level execution path (ATT&CK lists T1546.003 under both Persistence and Privilege Escalation), and because the objects live inside the WMI repository (objects.data) rather than as files on disk, they are often overlooked by security tools.
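The filter, consumer and binding joined back together, as an added example (not code from the original post): it reads root\subscription, follows each binding to its filter and consumer, and prints the trigger query and what would run. Only the two consumer classes that execute code are examined; the example filter queries in the comments are constructed illustrations of the triggers described above, not taken from any particular malware.

```powershell
# Added example: enumerate permanent WMI event subscriptions that run code.
# Run elevated. Assumption: binding references arrive either as CimInstance
# objects (Get-CimInstance) or as object-path strings; both are handled.

$ns = 'root\subscription'

# Consumers that execute something. Log/SMTP/NT-event consumers are ignored.
$consumers = @(
    Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer  -ErrorAction SilentlyContinue
    Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue
)
$filters  = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$bindings = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

function Get-RefName($ref) {
    # Either a CimInstance with a Name key, or a path like __EventFilter.Name="X".
    if ($ref -is [Microsoft.Management.Infrastructure.CimInstance]) { return $ref.Name }
    if ("$ref" -match 'Name\s*=\s*"([^"]+)"') { return $Matches[1] }
    return "$ref"
}

$subscriptions = foreach ($b in $bindings) {
    $fName = Get-RefName $b.Filter
    $cName = Get-RefName $b.Consumer
    $f = $filters   | Where-Object Name -eq $fName | Select-Object -First 1
    $c = $consumers | Where-Object Name -eq $cName | Select-Object -First 1
    if (-not $c) { continue }   # bound to a consumer type that does not execute code

    # What actually runs: a command line, or inline/file script text.
    $payload = if ($c.CimClass.CimClassName -eq 'CommandLineEventConsumer') {
        $c.CommandLineTemplate
    } elseif ($c.ScriptText) {
        "[$($c.ScriptingEngine)] $($c.ScriptText)"
    } else {
        "[$($c.ScriptingEngine)] file: $($c.ScriptFileName)"
    }

    # CreatorSID is the binary SID of the principal that registered the binding.
    $creator = 'n/a'
    try { $creator = (New-Object Security.Principal.SecurityIdentifier(([byte[]]$b.CreatorSID), 0)).Value } catch {}

    [pscustomobject]@{
        Filter   = $fName
        # Constructed examples of what Trigger looks like for the cases above:
        #   hourly : SELECT * FROM __InstanceModificationEvent WITHIN 3600 WHERE TargetInstance ISA 'Win32_LocalTime'
        #   boot   : SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA
        #            'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325
        Trigger  = $f.Query
        Consumer = $cName
        Type     = $c.CimClass.CimClassName
        Payload  = $payload
        Creator  = $creator
    }
}

# A clean workstation normally has none of these. Management agents (SCCM, some
# EDRs) do register their own, so baseline before calling anything malicious.
$subscriptions | Format-List

# Removal, once confirmed: delete the binding first, then the filter and consumer, e.g.
#   $b | Remove-CimInstance; $f | Remove-CimInstance; $c | Remove-CimInstance
```

The same three classes can be pulled from an offline objects.data with a forensic parser when the host is not available; the join logic (binding to filter and consumer by Name) is identical.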

APT Groups Using WMI Backdoors:

  • Stuxnet: After exploiting the print spooler vulnerability (MS10-061) to write files into the target's system directory, this highly sophisticated worm dropped a MOF file that the WMI service compiled automatically, which registered a subscription that launched the dropped executable.
  • APT29 (Cozy Bear): This Russian APT group has been observed using WMI subscriptions for persistence and lateral movement within compromised networks.
  • FIN7 (Carbanak): This financially motivated group has leveraged WMI (potentially T1546.003) to maintain access to compromised systems and execute malicious code.
  • OilRig (APT34): This Iranian APT group has used WMI backdoors (possibly including T1546.003) for persistence and data exfiltration.

Detecting Malware Persistence

Autoruns

It’s a free tool from Sysinternals that provides a comprehensive view of all programs and services configured to run automatically on a Windows system.

It examines various auto-start locations, including:

  • Registry Run/RunOnce keys and the Startup folders
  • Scheduled tasks
  • Services
  • Drivers
  • Shell extensions
  • Browser extensions
  • And more…

Here the workflow is baselining plus hash checking. Run Autoruns with signature verification and VirusTotal hash lookups enabled (Options > Scan Options: Verify code signatures, Check VirusTotal.com), first hide the verified Microsoft entries, then filter what remains against what you know is legitimate on that build.

For drivers, compare against Vanilla Windows Reference, which lists the files present on a fresh install of each Windows build: a driver that is not on the list for your build is either third-party or suspect.

For scheduled tasks, a modern Windows install has well over 150 entries. Filter out tasks that point to signed code from vendors you trust, and disabled tasks; what remains is a short list you can actually review. Do not trust the signature alone when the task's launch string passes arguments to a system binary (powershell.exe, rundll32.exe, mshta.exe): the executable is Microsoft's, the payload is in the arguments.

Apart from DLL hijacking, which Autoruns does not surface directly because a hijacked DLL is not an autostart entry of its own, it gives you the visibility you need to examine each entry and decide whether it is benign or malicious.
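The baseline-and-hash check scripted against autorunsc.exe CSV output, as an added example (not code from the original post). A CSV captured from a known-good build of the same image is the baseline; the current host's capture is compared to it by SHA-256 of the image file, and what matches is dropped, except entries that run an interpreter or proxy binary, because there the hash proves nothing about the payload. The column names used (Entry Location, Entry, Enabled, Category, Signer, Image Path, Launch String, SHA-256) are those of autorunsc v13+ output as I know it, and the two CSV here-strings are constructed sample rows with made-up hashes, trimmed to those columns so the example runs offline.

```powershell
# Added example: diff an autorunsc capture against a baseline capture.
# Capture on a host (elevated):  autorunsc.exe -accepteula -nobanner -a * -c -h -s > current.csv
# Do the same once on a clean build of the image to produce baseline.csv.
# Assumptions: column names as in autorunsc v13+; signer strings start with
# "(Verified)" or "(Not verified)"; sample rows below are constructed.

$baselineCsv = @'
"Entry Location","Entry","Enabled","Category","Signer","Image Path","Launch String","SHA-256"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","SecurityHealth","enabled","Logon","(Verified) Microsoft Windows","c:\windows\system32\securityhealthsystray.exe","%windir%\system32\SecurityHealthSystray.exe","aaaa0001"
"Task Scheduler","\Microsoft\Windows\Defrag\ScheduledDefrag","enabled","Tasks","(Verified) Microsoft Windows","c:\windows\system32\defrag.exe","%windir%\system32\defrag.exe -c -h -o -$","bbbb0001"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","ContosoAgent","enabled","Logon","(Verified) Contoso Ltd","c:\program files\contoso\agent.exe","""C:\Program Files\Contoso\agent.exe"" /tray","cccc0001"
'@

$currentCsv = @'
"Entry Location","Entry","Enabled","Category","Signer","Image Path","Launch String","SHA-256"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","SecurityHealth","enabled","Logon","(Verified) Microsoft Windows","c:\windows\system32\securityhealthsystray.exe","%windir%\system32\SecurityHealthSystray.exe","aaaa0001"
"Task Scheduler","\Microsoft\Windows\Defrag\ScheduledDefrag","enabled","Tasks","(Verified) Microsoft Windows","c:\windows\system32\defrag.exe","%windir%\system32\defrag.exe -c -h -o -$","bbbb0002"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","ContosoAgent","enabled","Logon","(Verified) Contoso Ltd","c:\program files\contoso\agent.exe","""C:\Program Files\Contoso\agent.exe"" /tray","cccc0001"
"HKCU\Software\Microsoft\Windows\CurrentVersion\Run","OneDriveUpdate","enabled","Logon","(Not verified) Microsoft Corporation","c:\users\bob\appdata\roaming\onedrv\update.exe","C:\Users\bob\AppData\Roaming\onedrv\update.exe","dddd0001"
"Task Scheduler","\SystemHealthCheck","enabled","Tasks","(Verified) Microsoft Windows","c:\windows\system32\windowspowershell\v1.0\powershell.exe","powershell.exe -w hidden -enc <base64 omitted>","eeee0001"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","OldVendorTool","disabled","Logon","(Not verified) ","c:\program files\old\tool.exe","C:\Program Files\Old\tool.exe","ffff0001"
'@

function Compare-Autoruns {
    param(
        [Parameter(Mandatory)] $Baseline,   # rows from Import-Csv / ConvertFrom-Csv
        [Parameter(Mandatory)] $Current,
        [string[]] $TrustedSigners = @('Microsoft Windows', 'Microsoft Corporation')
    )
    # Every image hash seen in the known-good capture.
    $knownHashes = @{}
    foreach ($row in $Baseline) { if ($row.'SHA-256') { $knownHashes[$row.'SHA-256'] = $true } }

    # Signed by Microsoft, but the launch string is the payload: never auto-drop these.
    $lolbin = '\\(powershell|pwsh|cmd|rundll32|mshta|wscript|cscript|regsvr32|msiexec|certutil)\.exe$'

    foreach ($row in $Current) {
        if ($row.Enabled -ne 'enabled') { continue }      # park disabled entries for a second pass
        $hash = $row.'SHA-256'
        if ($hash -and $knownHashes.ContainsKey($hash) -and $row.'Image Path' -notmatch $lolbin) { continue }

        $verified = $row.Signer -like '(Verified)*'
        $signer   = ($row.Signer -replace '^\((Not )?verified\)', '').Trim()
        $verdict  = if (-not $hash)                                        { 'NO-HASH (file missing?)' }
                    elseif ($row.'Image Path' -match $lolbin)              { 'LOLBIN (read the launch string)' }
                    elseif ($verified -and $TrustedSigners -contains $signer) { 'NEW-trusted-signer' }
                    elseif ($verified)                                     { 'NEW-other-signer' }
                    else                                                   { 'NEW-unverified' }
        [pscustomobject]@{
            Verdict  = $verdict
            Category = $row.Category
            Location = $row.'Entry Location'
            Entry    = $row.Entry
            Signer   = $row.Signer
            Launch   = $row.'Launch String'
            SHA256   = $hash
        }
    }
}

$findings = Compare-Autoruns -Baseline ($baselineCsv | ConvertFrom-Csv) -Current ($currentCsv | ConvertFrom-Csv)
$findings | Sort-Object Verdict | Format-Table Verdict, Category, Entry, Signer, Launch -AutoSize -Wrap
```

On the sample data, SecurityHealth and ContosoAgent are dropped (same hash as the baseline), the Defrag task surfaces as NEW-trusted-signer (a changed Microsoft binary, the shape a Windows update produces), OneDriveUpdate surfaces as NEW-unverified (an unsigned binary in a roaming profile claiming to be Microsoft), SystemHealthCheck surfaces as LOLBIN because the signed powershell.exe is only the carrier, and the disabled OldVendorTool is skipped. For real captures replace the two here-strings with `Import-Csv baseline.csv` and `Import-Csv current.csv`.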

I will add DLL hijacking detection techniques later.
