Red Teaming Persistence Technique
The Red team professionals and attackers widely use the persistence technique to maintain the connection with the target systems. This comprehensive blog is designed to describe the few most commonly executed persistence techniques used by the Red Team professionals.
Table of Contents
What is the Red Team?
Persistence Techniques
MITRE ATT&CK Persistence Techniques
What is the Red Team?
Red Team is a group of internal IT employees or a team used to simulate the actions of malicious attackers. The team helps identify and assess vulnerabilities, test assumptions, and reveal an organization’s limitations and security risks. They can get initial access through the theft of user credentials or Social Engineering techniques.
Persistence Techniques
Persistence is a technique used to maintain access to systems over restarts, changed credentials, and other interruptions that could cut off their access. This technique is used by the Red Team professionals, which includes any access, action, or configuration changes that allow them to maintain their systems, such as hijacking or replacing or adding legitimate code or startup code.
MITRE ATT&CK Persistence Techniques
The following are the list of Persistence Techniques defined by MITRE ATT&CK:
- Account Manipulation
- BITS Jobs
- Boot or Login Autostart Execution
- Boot or Login Initialization Scripts
- Browser Extensions
- Compromise Client Software Binary
- Create Account
- Create or Modify System Process
- Event-Triggered Execution
- External Remote Services
- Hijack Execution Flow
- Implant Internal Image
- Modify Authentication Process
- Office Application Startup
- Pre-OS Boot
- Scheduled Task/Job
- Server Software Component
- Traffic Signaling
- Valid Accounts
These Persistence techniques are described to provide a precise and systematic way of establishing persistence on the target system.
The following is a list of key Persistence techniques and sub-techniques that are explained below:
- Registry Run Keys / Startup Folder
- Scheduled Task/Job
- Local Accounts
- Poisoning.Ink Shortcuts
Registry Run Keys / Startup Folder
Adding an entry to the registry or startup folder allows the program to run whenever a user logs on. These programs will be executed under the user’s context and have accounts associated with the permission level. There is a startup folder for individual accounts and a system-wide startup folder for all users, irrespective of which user account login.
The startup folder path for the individual user is:
C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\StartMenu\Programs\Startup.
For all users, the startup folder is:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp.
The Registry keys that are used to set startup folder items for persistence are as follows:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
Scheduled Task/Job
In Windows, the task scheduler can be accessed in many ways. The schtasks can be executed directly on the command line or accessed using GUI in the Administrator Tools section of the Control Panel. In some cases, attackers have used a .NET wrapper or Windows netapi32 library to create a scheduled task.
The following command line is used to create a scheduled task that will execute every minute. And then, a shell in the C:\tmp\shell.cmd path is executed.
schtasks /create /sc minute /mo 1 /tn “persistenttask” /tr C:\tmp\shell.cmd /ru “SYSTEM”
Local Accounts
Local accounts are configured for users, remote support, services, or administration in the organization’s single system or service.
The net user /add command is used to create a local account with a sufficient level of access. The dscl -create command is used for macOS systems to create a local account.
Poisoning.Ink Shortcuts
The most common way of creating persistence on a target machine is by poisoning a simple shortcut. By changing the “Target” field, we can use the shortcut that it should execute. The following image shows that the HxD64.exe program is opened after running the shortcut file.
However, we can include a payload to perform two things:
- Open the original program (HxD64.exe)
- Run the target (calc.exe) and minimize it.
powershell.exe -c “invoke-item
\\VBOXSVR\Tools\HxD\HxD64.exe; invoke-item
c:\windows\system32\calc.exe”
Any program can be launched using this technique when the user starts the legitimate program using the shortcut file. For instance, Microsoft Edge or Google Chrome could significantly execute this technique during a red teaming exercise.
Conclusion
Monitoring all the processes and traffic is essential to identify and prevent malicious activity before or even after improving cybersecurity standards in the organization. Every day new security changes emerge worldwide, and Red Teaming is required to maintain and deliver the possible security of the organization.
InfosecTrain offers complete instructor-led training on the RedTeam Expert Online Training course. This course is designed by certified cybersecurity experts and Red Team professionals to build a robust upskill process with effective learning techniques. So if you want to become a Red Teamer, enroll in our course and get certified.
Contact Us
1800-843-7890 (India) 
