Persistence: The Art of Staying Hidden

In the world of ransomware, persistence is key. Once attackers gain access to a system, their goal is to maintain that access for as long as possible, often without detection. To achieve this, they use a variety of techniques, ranging from post-exploitation frameworks to seemingly legitimate remote monitoring and management (RMM) tools. Let's dive in.

Post-Exploitation Frameworks: The GitHub Goldmine

GitHub is a treasure trove for cybercriminals, offering a wide array of post-exploitation frameworks that can be easily pulled and deployed. These frameworks are often designed to help attackers establish persistence on compromised systems. Some of the most notorious examples include:

• Emotet and TrickBot: These Malware-as-a-Service (MaaS) families are well-known for their persistence techniques.

• Web Shells: Ransomware actors are increasingly leveraging web shells, which are scripts dropped onto a web server. These scripts, whether ASPX for IIS or ASP for Apache or Nginx, allow attackers to connect to the system via HTTP/HTTPS and run commands. This method is particularly stealthy, as it blends in with normal web traffic, making it difficult to detect.

Learn More: For an in-depth look at web shells, at this link.

RMM Tools: Hiding in Plain Sight

Ransomware affiliates are increasingly using RMM tools to establish persistence. These tools, designed for legitimate remote management of systems, can be a double-edged sword. In the hands of an attacker, they blend seamlessly into the victim’s environment, often going unnoticed by IT and security teams.

Why RMM Tools Are Dangerous:

• Legitimacy: RMM tools are often mistaken for legitimate software, making it easy for attackers to maintain access without raising red flags.

• Baseline Monitoring: If your organization doesn't have an approved list of RMM tools integrated with your software management system, it’s time to create one. Establish a baseline and set up alerts for any RMM tools that don't match it. For example, if ScreenConnect is the only approved RMM tool, any other RMM software should trigger an alert.

RMM Tool Analysis: Here’s where you can find logs for some common RMM tools:

• AnyDesk:

  • %PROGRAMDATA%\AnyDesk\connection_trace.txt

  • %PROGRAMDATA%\AnyDesk\ad_svc.trace

  • %APPDATA%\AnyDesk\ad.trace

• ConnectWise:

  • %SYSTEMROOT%\temp\screenconnect\[version]\

  • %PROGRAMDATA%\ScreenConnect Client ([fingerprint])\

  • %PROGRAMFILES(x86)%\ScreenConnect Client ([fingerprint])\

  • %USERPROFILE%\Documents\ConnectWiseControl\Files\

  • %USERPROFILE%\Documents\ConnectWiseControl\captures\

• TeamViewer:

  • C:\Program Files\TeamViewer\Connections_incoming.txt

  • C:\Program Files\TeamViewer\TeamViewer15_Logfile.log

  • C:\Program Files\TeamViewer\TVNetwork.log

  • %APPDATA%\TeamViewer\TeamViewer15_Logfile.log

  • %LOCALAPPDATA%\Temp\TeamViewer\TV15Install.log

Learn More: For a deeper dive into RMM tool analysis, check out Théo Letailleur’s article on legitimate RATs for more on TeamViewer, AnyDesk, Atera, and Splashtop at this link.

The Rise of Post-Exploitation Frameworks

Post-exploitation frameworks, both commercial and open-source (FOSS), are commonly used by ransomware actors to establish persistence.

• Commercial Tools: Cobalt Strike and Brute Ratel are two of the most popular commercial tools used in ransomware attacks.

• FOSS Solutions: Open-source frameworks like the former PowerShell Empire project are also widely used. Even though the original PowerShell Empire project has been archived, a new project called Empire has picked up where it left off. This new project combines the PowerShell Empire and Python EmPyre projects, and it's frequently leveraged in ransomware campaigns.

  
  

Learn More: For more details on Empire, check out the project’s web page at this link.

Persistence Techniques:

1. Account Creation

   Attackers use various methods to create new user accounts and add them to privileged groups. The standard tools they use include Command Prompt and PowerShell.

   • Command Prompt Commands:

     Attackers can use the net user and net localgroup commands to create new user accounts and elevate them to privileged groups.

     
     

     net user SAMAdmim #sorryNOTsorry# /add

     net localgroup administrators SAMAdmim /add

     net localgroup "Remote Desktop Users" SAMAdmim /add

     
     

   • PowerShell Commands:

     PowerShell provides cmdlets to achieve the same result in a more scriptable way

     
     

     New-LocalUser -Name "SAMAdmim" -Password (ConvertTo-SecureString "#sorryNOTsorry#" -AsPlainText -Force) -FullName "SAM Administrator" -Description "Admin user"

     Add-LocalGroupMember –Groups administrators –Member SAMAdmim

     Add-LocalGroupMember –Groups "Remote Desktop Users" –Member SAMAdmim

     
     

Event-Based Detection

• Event ID 4720: A user account was created..

• Event ID 4728: A member was added to a security-enabled global group.

Artifact-Based Detection

In addition to monitoring event logs, examining filesystem artifacts can help identify unauthorized account creation.

• Creation Timestamps:

  • When a new user account is created, a corresponding directory is created under C:\Users\[User]. Reviewing the creation timestamp of this directory can reveal when the account was created, which can be useful for timeline analysis.

• NTUSER.DAT Registry Hive:

  • Each user account has an associated NTUSER.DAT registry hive that stores user-specific configuration data. Investigating the creation timestamp and contents of this file can provide further evidence of unauthorized activity.

2. Boot/Logon Autostart

The most common persistence methods used by threat actors and malware, focusing on techniques that have been prevalent since the 1990s. Ransomware operators, in particular, frequently employ these methods to maintain control over infected systems.

1. Run Keys (Registry-based Autostart Entries):

   • Run and RunOnce Keys are frequently used for persistence by malware. These registry keys allow applications to be executed automatically when a user logs in.

     
     

     Example path:

     • HKLM\Software\Microsoft\Windows\CurrentVersion\Run

     • HKCU\Software\Microsoft\Windows\CurrentVersion\Run

       
       

   • These keys are some of the oldest and most widely abused mechanisms, and they still remain popular among modern threat actors, including ransomware operators.

   
   

2. Startup Folder:

   • Placing shortcuts or scripts in the startup folder ensures that the malware will be executed whenever the user logs into Windows.

     
     

     Example path:

     • C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

       
       

3. Winlogon:

   • The Winlogon process is responsible for handling user logons. By modifying specific registry values, attackers can execute code during the logon process. Two popular values within the Winlogon key are Userinit and Shell.

     
     

     Example path:

     • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

   
   

   • This method is stealthier than Run keys, as it directly ties into the user authentication process.

     
     

4. SilentProcessExit:

   • This method leverages a registry key that allows the configuration of an action to be executed when a specific process exits.

   • For example, the following command creates persistence by launching rundll32 to execute a function from a malicious DLL whenever Notepad is closed.

     
     

     reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v MonitorProcess /d "c:\windows\system32\cmd.exe rundll32.exe c:\users\public\music\not_a_beacon.dll,Control_runDLL"

   
   

   • This method allows malware to stay hidden until a seemingly benign process, like Notepad, exits.

     
     

5. MITRE ATT&CK Framework: Autostart Locations

   The MITRE ATT&CK framework provides a detailed list of common autostart locations, which are frequently abused for persistence. You can find an extensive catalog of these techniques at MITRE ATT&CK - T1547.001. Some of the most notable locations include:

   • Startup Folder:

     C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

   • RunOnceEx Key:

     HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

   • Explorer User Shell Folders:

     HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

   • Shell Folders:

     HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

     
     

   These autostart locations are often the first place incident responders and forensic analysts check when hunting for signs of persistence.

3. Services and Their Role in Ransomware Persistence

In most ransomware attacks, the installation of services plays a critical role in ensuring persistence. Services allow ransomware to continue running in the background, often with elevated privileges.

How Services Work in Windows

A service in Windows is a background process that typically starts when the computer boots and runs without user interaction. These services are managed using commands like sc or net, or via PowerShell cmdlets like Get-Service and Stop-Service.

Event IDs to Monitor for Services

PE (Portable Executable): This is a file format used by Windows for executables, DLLs, and others. However, not all PE files are capable of running as a service. They need to be specifically designed with the necessary code to interact with the Windows Service Control Manager (SCM) to start, stop, and handle service-related commands.

Example:

A regular application like notepad.exe is a PE file, but it cannot run as a service because it doesn't have the necessary code to function as a service.

Service Handlers and ImagePath

ImagePath:

When you define a service in the Windows registry, one of the keys associated with the service is the ImagePath. This key points to the executable file on disk that handles the service.

Example:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MyService

ImagePath = "C:\Program Files\MyService\MyService.exe"

NSSM (Non-Sucking Service Manager)

The Non-Sucking Service Manager is a tool that allows you to run any executable as a service, even if that executable was not designed to run as one.

Why is this important for adversaries?

Regular malware executables (PE files) are not designed to run as services. However, using NSSM, attackers can force these malware files to run as a service, allowing the malware to start automatically when the system boots and run in the background without user intervention.

Example of NSSM Usage:

Let's say an attacker has a malicious executable named malware.exe. Normally, malware.exe is just a regular PE file and cannot run as a service. By using NSSM, the attacker can create a service that uses malware.exe as the service handler:

nssm install MyMalwareService "C:\Path\To\malware.exe"

This command tells NSSM to install malware.exe as a service named MyMalwareService. Now, every time the system boots, malware.exe will run as a service, making it harder to detect and remove.

4. Scheduled Tasks:

In many ransomware attacks, scheduled tasks are commonly employed as a method of persistence. Attackers use tools like schtasks.exe to automate the execution of malicious code at specific intervals or events, ensuring that their malware remains active on the system even after a reboot.

Example of a Malicious Scheduled Task

Threat actors often use the schtasks.exe command to create malicious tasks. For example,

cmd.exe /c schtasks /f /create /ru samadmin /sc ONLOGON /tn "\Microsoft\windows\XBox" /tr "%COMSPEC% /c %APPDATA%\42.exe"

This command creates a scheduled task named "samadmin" in the \Microsoft\windows\XBox container. The task is set to trigger upon user logon (/sc ONLOGON) and runs the file located at %APPDATA%\42.exe. Essentially, every time the user logs in, the malicious executable (42.exe) is executed.\

Event-Based Detection:

Registry and File System Artifacts

Windows stores scheduled task information in various locations within the system.

• Registry Keys:

  • SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Schedule\TaskCache\Tasks

  • SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Schedule\TaskCache\Tree

• Task Definitions on Disk:

  • C:\Windows\System32\Tasks\

    
    

  Each task in Windows is defined by an XML file stored in this directory. These XML files describe the task's behavior, including the program to be executed, the trigger conditions, and the user context under which the task runs. When conducting a forensic investigation, it is crucial to collect all files from this directory, as they provide detailed information about the scheduled tasks on the system

5. WMI Event Subscription: Stealthy Persistence Technique

Windows Management Instrumentation (WMI) is a powerful framework used for managing data and devices in a Windows environment. Unfortunately, threat actors have recognized WMI's capabilities and have been leveraging it for stealthy persistence.

WMI subscriptions rely on three main components:

• Filters: Define the conditions under which the subscription will trigger.

• Consumers: Define the action or command to execute when the subscription triggers.

• Binders: Link the filter and consumer together, creating a fully functional WMI subscription

Example WMI Event Subscription

Suppose an attacker wants to execute malicious code whenever the system reaches a certain uptime. The filter defines the condition (system uptime), and the consumer specifies the malicious code to execute:

• Filter: 

  Monitors system uptime and triggers when the uptime is between 240 and 325 seconds.

• Consumer: 

  Executes LegitUpdater.exe from the C:\Windows\Temp\ directory when the filter condition is met.

With this setup, the malicious code is executed in the background whenever the system uptime condition is satisfied, allowing the attacker to maintain persistence without detection.

Further Reading on WMI Persistence

For a deep dive into WMI's capabilities and persistence techniques, I have created an extensive series of blog posts covering various aspects of WMI:

1. Part 1: WMI – A Deep Dive into its Capabilities and Stealthy Persistence Techniques

2. Part 2: WMI – Detecting and Defending Against WMI-based Attacks

3. Part 3: WMI – Understanding WMI Event Consumers in Cybersecurity

4. Part 4: WMI – The Intricacies of MOF Files: A Gateway for Malicious Infiltration in WMI

5. Part 5: WMI – Unveiling the Persistence of Malicious MOF Files: A Deep Dive into PRAGMA AUTORECOV

6. Part 6: WMI – Hunting Down Malicious WMI Activity

For more detailed insights into WMI event consumers, you can also explore Matthew Green’s article, "WMI Event Consumers: What Are You Missing?" available in the Velociraptor project documentation here.

Conclusion

Persistence techniques are a cornerstone of many ransomware attacks and other forms of malware, allowing adversaries to maintain their foothold on compromised systems.. Each technique presents its unique challenges for detection, but by understanding how these methods work and regularly monitoring key system artifacts—such as registry entries, scheduled tasks, services, and WMI subscriptions—security professionals can identify and mitigate persistence mechanisms before they escalate into more significant threats.

Akash Patel