ATT&CK Series: Persistence


Scheduled Tasks, Registry Keys, Valid Accounts

 

Nearly all organizations spend most of their security budgets on tightening their perimeter network and endpoint protection to prevent an attack from happening. However, once an attack has occurred, an adversary will generally take measures to ensure continued access into the environment.

 

In this post, we will cover ATT&CK’s Persistence techniques and tactics that an attacker may employ to maintain their presence following initial compromise. The techniques covered in this post are a small sample of methods that may be utilized by an adversary but represent some of the most common methods an attacker may use to remain on the network today.

 

Techniques 

 

T1053 – Scheduled Task

 

Description 
There are many ways to get a payload to execute on a Windows system, but the first one we will cover is Scheduled Tasks. These allow a program or command to be run at a predetermined interval or triggered by a sequence of events. This can include (but is not limited to) executing when the system is booted up, when a user logs in, every 20 minutes, or when a specific event occurs in the Windows Event Log such as a password change.

 

What’s the Risk?
Scheduled Tasks may be used to perform anything that could be run on the Windows command line, such as launching a PowerShell script that fetches and runs code from a remote server or executing a binary file stored on the hard drive. This can be utilized to spawn a Command and Control (C2) presence after a system is rebooted to re-establish a connection to the C2 server. While this method would not usually be considered stealthy, it could remain undetected for some time if Scheduled Tasks are not audited on a regular basis.

 

How to Mitigate
Scheduled Task usage can be detected in several straightforward ways. Windows writes an event to the Windows Event Log when a scheduled task is created, updated, or removed (Event IDs 106, 140, and 141, respectively). A Security Information and Event Management (SIEM) solution may aid in collecting and correlating these events from hosts across the network so appropriate action can be taken. A tool such as Microsoft Sysinternals Autoruns can be used to identify Scheduled Tasks that were created outside of known Microsoft and third-party software tasks. Scheduled Tasks can also be reviewed manually using the Windows Task Scheduler, schtasks.exe on the command line, or the Windows Registry Editor.
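As an added example (not from the original post), the PowerShell below pulls the three task events from the Microsoft-Windows-TaskScheduler/Operational channel and then lists tasks registered outside the \Microsoft\ folder with the command each one runs. The 7-day window and the folder filter are assumptions chosen for illustration.

```powershell
# Added example, not from the original post. Run from an elevated session.
$log = 'Microsoft-Windows-TaskScheduler/Operational'
$actions = @{ 106 = 'created'; 140 = 'updated'; 141 = 'removed' }

# No 106/140/141 events are recorded while this channel is disabled.
if (-not (Get-WinEvent -ListLog $log).IsEnabled) {
    Write-Warning "$log is disabled; enable it so task changes are logged."
}

# Task changes in the last 7 days (window chosen for illustration).
$filter = @{ LogName = $log; Id = 106, 140, 141; StartTime = (Get-Date).AddDays(-7) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
$changes = foreach ($evt in $events) {
    # Read the EventData fields by name rather than by position.
    $data = @{}
    foreach ($node in ([xml]$evt.ToXml()).Event.EventData.Data) {
        $data[$node.Name] = $node.'#text'
    }
    [pscustomobject]@{
        Time   = $evt.TimeCreated
        Action = $actions[$evt.Id]
        Task   = $data['TaskName']
        User   = if ($data['UserContext']) { $data['UserContext'] } else { $data['UserName'] }
    }
}
$changes | Sort-Object Time | Format-Table -AutoSize

# Inventory: tasks outside the \Microsoft\ tree and what each one executes.
# The path filter is only a first cut for review, not a verdict on a task.
$inventory = foreach ($task in Get-ScheduledTask) {
    if ($task.TaskPath -like '\Microsoft\*') { continue }
    foreach ($action in $task.Actions) {
        [pscustomobject]@{
            Task    = $task.TaskPath + $task.TaskName
            Author  = $task.Author
            RunAs   = $task.Principal.UserId
            Command = ('{0} {1}' -f $action.Execute, $action.Arguments).Trim()
        }
    }
}
$inventory | Sort-Object Task | Format-Table -AutoSize -Wrap
```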

 

T1060 – Registry Run Keys / Startup Folder

 

Description 
Several methods exist to execute a program when a user logs onto a system, the most common being Startup folders and Registry Run Keys. Both mechanisms allow a program, command or service to be launched when a user logs in, and either can be configured to fire on any login or only on logins by a specific user. Applications or shortcuts placed in Startup folders will be executed when a user logs in. Typically, a user’s startup folder can be found in the Windows Start menu, but the location can be modified via the Startup string in the following registry keys:

 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

 

Similar to Startup folders, registry Run keys can execute commands using the following registry keys:

 

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

 

What’s the Risk?
Similar to Scheduled Tasks, Startup Folders and Run Keys can launch anything that could be run from the command line, including PowerShell scripts or binaries on the system. Attackers may make use of these methods to re-establish a C2 presence on a system once a user logs in after a reboot. As with Scheduled Tasks, this tactic would not be considered stealthy, but may remain under the radar if regular auditing is not taking place.

 

How to Mitigate
Startup folders can be manually browsed using the folders specified in the Startup folder registry keys, and Registry Run Keys can be viewed in the Windows Registry Editor. A tool such as Microsoft Sysinternals Autoruns may also aid in identifying entries that are not part of a standard Windows image or from well-known software installations. Additionally, vulnerability scanners that can perform authenticated Windows configuration auditing may also assist with identifying non-standard entries.
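One way to script that review, as an added example that is not part of the original post: the PowerShell below snapshots the Run keys listed above plus the current Startup folders, then reports entries that are absent from a previously saved baseline. The baseline file name is hypothetical, and the baseline is assumed to be kept where the audited accounts cannot modify it.

```powershell
# Added example, not from the original post.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'
)
$entries = @(
    foreach ($path in $runKeys) {
        # Include subkeys: RunOnceEx keeps its commands one level down.
        $keys = @(Get-Item -LiteralPath $path -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -LiteralPath $path -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{
                    Location = $key.Name
                    Name     = $name
                    Command  = [string]$key.GetValue($name)
                }
            }
        }
    }
    # GetFolderPath returns the Startup locations currently in effect,
    # so a redirected Startup string in the registry is followed.
    foreach ($folder in 'Startup', 'CommonStartup') {
        $dir = [Environment]::GetFolderPath($folder)
        Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
            Where-Object Name -ne 'desktop.ini' |
            ForEach-Object {
                [pscustomobject]@{ Location = $dir; Name = $_.Name; Command = $_.FullName }
            }
    }
)

$baseline = '.\autostart-baseline.csv'   # hypothetical path; store it off-host or read-only
$id = { param($e) '{0}|{1}|{2}' -f $e.Location, $e.Name, $e.Command }
if (Test-Path -LiteralPath $baseline) {
    # Anything not in the baseline is new or has a changed command line.
    $known = @(Import-Csv -LiteralPath $baseline | ForEach-Object { & $id $_ })
    $entries | Where-Object { (& $id $_) -notin $known } | Format-List
} else {
    $entries | Export-Csv -LiteralPath $baseline -NoTypeInformation
}
```

The first run writes the baseline and prints nothing; later runs print only the entries that differ from it.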

 

T1078 – Valid Accounts

 

Description 
One of the easiest ways to remain hidden on a network is to blend in with normal user activity. Valid credentials can be obtained in several ways, including guessing weak passwords, taking advantage of password reuse or improperly stored passwords, network-based attacks such as LLMNR/NBNS poisoning, or obtaining cleartext passwords from system memory following system compromise.

 

What’s the Risk?
Obtaining the credentials for an account allows access within the scope of that account’s permissions. This access can be used in a number of ways, depending on the context and level of the user’s permissions, including logging in to systems, VPN access, access to network shares, email and more. If the compromised account has Administrator privileges on a workstation or server, an attacker would be able to leverage that access to compromise the system. If the account has access to privileged information on a network, an attacker would also be able to access that information.

 

How to Mitigate
Although the focus should generally remain on user awareness training for constructing strong passwords and safely storing them, other factors may help limit the effectiveness of a compromised account. Implementing Multi-Factor Authentication (MFA) on systems that contain sensitive data or are critical to operations can reduce the exposure from a compromised password by requiring an additional point of authentication, such as a One-Time Password from a physical token or a soft token on a smartphone. Furthermore, measures should be taken to protect against related techniques such as T1003 Credential Dumping to ensure that cleartext passwords cannot be retrieved from memory following system compromise. Finally, a SIEM platform may aid in the detection of anomalous user activity, such as a user account accessing systems that it has never accessed before or logging in from multiple geographical areas simultaneously.

 

T1136 – Create Account

 

Description 
Similar to the Valid Accounts technique above, new accounts can be created on either the local machine or the Windows domain. Creating a new account eliminates the need to re-obtain valid credentials in the event that the password of a compromised account is changed.

 

What’s the Risk?
As with Valid Accounts, a created account can be used for anything within the permissions it is given. A local account that is given Administrator privileges on a system will have complete control over that system. Likewise, a Domain account that is added to a security group such as “Domain Admins” will have the same level of access as other members of the group, including local Administrator privileges, access to network shares, VPN access, etc.

 

How to Mitigate
Newly created accounts will trigger Event ID 4720 within the Windows Event Log on a workstation, server, or Domain Controller. A SIEM solution may aid in the detection of these events so appropriate action can be taken. Additionally, regular audits should be conducted of both domain and local accounts in order to identify accounts that are suspicious or do not belong to a legitimate user on the network.
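The check and audit described above, as an added example that is not part of the original post: the PowerShell below reads Event ID 4720 from the Security log, shows which account created each new one, and marks new accounts that currently sit in the local Administrators group. The 30-day window is an assumption chosen for illustration; reading the Security log requires an elevated session.

```powershell
# Added example, not from the original post. Run from an elevated session.
$filter = @{ LogName = 'Security'; Id = 4720; StartTime = (Get-Date).AddDays(-30) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Current members of the built-in Administrators group (well-known SID).
$admins = @(Get-LocalGroupMember -SID 'S-1-5-32-544' | ForEach-Object Name)

$created = foreach ($evt in $events) {
    # Read the EventData fields by name rather than by position.
    $d = @{}
    foreach ($node in ([xml]$evt.ToXml()).Event.EventData.Data) {
        $d[$node.Name] = $node.'#text'
    }
    $account = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
    [pscustomobject]@{
        Time         = $evt.TimeCreated
        Host         = $evt.MachineName
        NewAccount   = $account
        CreatedBy    = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
        IsLocalAdmin = $admins -contains $account
    }
}
$created | Sort-Object Time | Format-Table -AutoSize

# Periodic audit: enabled local accounts, for comparison against the
# list of accounts that are expected to exist on this host.
Get-LocalUser |
    Where-Object Enabled |
    Select-Object Name, Description, LastLogon, PasswordLastSet |
    Format-Table -AutoSize
```

On a Domain Controller the same 4720 query covers domain account creation; the local group and local user checks apply only to the host the script runs on.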

 

Conclusion 

 

While we have covered four common Persistence techniques here, it is important to note that there are many other techniques that may be employed by an adversary to maintain a presence on the network. Additionally, although these techniques can be mitigated with the previously mentioned utilities, it may be necessary to engage with an Incident Response (IR) team before making any system changes if you suspect a breach has occurred, as the artifacts these techniques leave behind may contain important evidence for your case. This series will continue with other ATT&CK tactics and techniques in use by adversaries, providing background and mitigation guidance for each.

 


 

 

Senior Consultant | Advisory - Threat
Jess is a senior consultant in Optiv’s Advisory Services practice on the Attack and Penetration (A&P) team. He provides consulting to Optiv’s clients with expertise in penetration testing. He is an experienced information systems security practitioner who specializes in penetration testing, computer network exploitation, wireless and physical security.