When I first started researching ATT&CK last year, Persistence was the tactic which made me fall in love. Even though I have been in the industry for some time, I learned more from digging into the various techniques here than any other tactic. While I knew about fun tricks like replacing sethc.exe with cmd.exe and hitting the shift key a bunch of times from a lock screen, there were many other techniques that were brand new to me. By looking into each of these techniques one by one, I became a better defender. Understanding the new (to me) ways an operating system could be abused was intoxicating and has led me to becoming an ATT&CK fan ever since.
Disregarding ransomware, persistence is one of the more sought-after techniques of an attacker. Persistence allows an attacker to re-infect a machine or maintain their existing connection after events such as a system reboot, changed credentials, or even a re-imaging a machine. Attackers want to do the least amount of work possible, which includes spending time getting access to their target.
The Registry Run Keys / Start Folder is the most common technique, at least in how it is used under the hood. These are registry keys or file system locations which are executed whenever a computer is booted. These are some well-known locations such as RunOnce keys or more obscure locations such as AppInit DLL’s which are loaded when the system starts.
The run keys and start folders have been well known for some time, so attackers started gaining persistence when commonly used applications started up, such as your web browser or Microsoft Office. Most desktop users in an enterprise are going to boot up a web browser and/or email client within the first minutes of logging in. Another option is modifying how files are opened using the Image File Execution Options Injection technique, so server systems, for example, that only handle a single file type can still maintain some level of persistence.
Some of the items which can be found on the endpoints can be blatantly obvious that they are malicious. A brand new run key execution a RunOnce key that executes malware.exe, though unlikely, would be a red flag. However, what about a default file association for a word document that contains a path to a cryptic DLL? Is that bad or is it how Word is expected to open a document under the hood?
Many of these items are not going to change very often, if at all. Most items that fall under persistence only under predictable conditions such as installing new applications, performing system updates, or creating new users. Establishing a baseline of what’s good or expected to compare against is ideal. At a minimum, establish the baseline on a per system basis and monitor for change on regular intervals. Tools such as SysInternals AutoRuns can identify some of the persistent locations on an operating system. Security tools such as Tripwire Enterprise can not only monitor for change on persistent locations but also test if the values discovered are expected or not.
Of all the ATT&CK tactics, I believe that Persistence is one of those to which should be paid most attention. If you discover malware on an endpoint and just delete it, there is a good possibility it will come right back in. This could be because there are unpatched vulnerabilities, but it could also be because the attacker has already established persistence on this or another box on the network. Hunting for persistence abuse should be relatively easy when compared to hunting for some of the other tactics and techniques. For those starting to leverage ATT&CK, persistence can be a quick win to get under your belt.
There is also a mapping of CIS controls to the ATT&CK framework available. This can be helpful if you’re already adopting the CIS Controls and are starting down the path of adopting ATT&CK.