
Persistence

What is "Persistence"?

Persistence refers to the techniques that adversaries use to maintain their foothold on systems across restarts, changed credentials, and other interruptions that could cut off their access. This capability is crucial for the continuation of an attack after the initial compromise phase. It ensures that the threat actor can continue to have access to the compromised environment, even through disruptions such as system reboots and account changes.

How Is "Persistence" Achieved?

Persistence is usually achieved by manipulating the mechanisms a system uses to initialize itself and to manage user sessions. Common techniques include:

  1. Registry Modifications: The Windows Registry contains startup keys that control which programs run when a user logs in or when the system starts. Adversaries may add entries here that point to their own executables.

  2. Scheduled Tasks/Cron Jobs: On Windows, adversaries might create scheduled tasks to execute malicious payloads at specific times. On Unix-like systems, similar outcomes are achieved using cron jobs.

  3. Service Hijacking: Modifying existing legitimate services, or creating new ones, so that a malicious executable is loaded at system startup.

  4. Malicious Daemons: On Linux/Unix systems, adversaries may install daemons that start automatically at boot.

  5. Login Items: On macOS, applications can be added to login items so they run on user login.

  6. Browser Extensions: Installing malicious browser extensions that remain active across sessions.

  7. Modifying Startup Scripts: Editing shell initialization files such as .bashrc or profile scripts on Unix-like systems so that commands execute whenever a user logs in.

  8. Web Shells: Placing web shells on a server to ensure persistent remote access via web interfaces.

  9. Manipulating Account Properties: Enabling auto-login features or creating hidden user accounts with administrative privileges.

Where Is It Found?

Persistence mechanisms are implanted within numerous layers of an operating system:

  • Windows Systems: Registry keys (e.g., Run keys), Scheduled Tasks, Service configurations, Group Policy Objects (GPOs), Startup folders.
  • Linux/Unix Systems: Crontab entries, rc.common files, systemd units, .bash_profile/.bashrc scripts.
  • macOS Systems: Launch Agents and Daemons, Login Items.
  • Network Devices and IoT Devices: Firmware modifications or configurations that cause devices to run customized scripts upon reboot.
  • Web Applications/Servers: Deployment of persistent web shells within application directories.
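As an added example (not code from the original page), the following Python audit script enumerates the Linux/Unix locations listed above (the system crontab and cron.d, systemd service units, and shell rc files) and reports entries that were absent from an earlier known-good snapshot. The sample file tree, the "/tmp/.cache/agent" command and the user name are constructed for the demonstration.

```python
import glob
import os
import re
import tempfile
from collections import namedtuple

# source: "cron", "systemd" or "shell-rc"; path: file it was read from; command: what would run
AutostartEntry = namedtuple("AutostartEntry", "source path command")
# System crontab shape: five time fields, a user name, then the command.
CRON_LINE = re.compile(r"^(\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")
SHELL_RC_NAMES = (".bashrc", ".bash_profile", ".profile")

def _lines(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return [s for s in (l.strip() for l in fh) if s and not s.startswith("#")]

def collect_autostart_entries(root="/"):
    """Enumerate cron, systemd and shell rc locations under root (per-user crontabs not covered)."""
    found = []
    cron_files = [os.path.join(root, "etc/crontab")] + glob.glob(os.path.join(root, "etc/cron.d/*"))
    for path in filter(os.path.isfile, cron_files):
        for m in filter(None, map(CRON_LINE.match, _lines(path))):  # VAR=value lines do not match
            found.append(AutostartEntry("cron", path, f"{m['user']}: {m['cmd']}"))
    for path in glob.glob(os.path.join(root, "etc/systemd/system/*.service")):
        found.extend(AutostartEntry("systemd", path, l.split("=", 1)[1].strip())
                     for l in _lines(path) if l.startswith("ExecStart="))
    for home in [os.path.join(root, "root")] + glob.glob(os.path.join(root, "home/*")):
        for path in filter(os.path.isfile, (os.path.join(home, n) for n in SHELL_RC_NAMES)):
            found.extend(AutostartEntry("shell-rc", path, l) for l in _lines(path))
    return found

def new_since_baseline(entries, baseline):
    """Entries absent from a known-good snapshot taken earlier (baseline drift)."""
    return [e for e in entries if e not in baseline]

def _write(root, rel, text, mode="w"):
    os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
    with open(os.path.join(root, rel), mode) as fh:
        fh.write(text)

def demo():
    """Constructed sample tree: snapshot a clean host, then add two rogue entries and diff."""
    root = tempfile.mkdtemp()
    _write(root, "etc/crontab", "SHELL=/bin/sh\n17 * * * * root run-parts /etc/cron.hourly\n")
    _write(root, "etc/systemd/system/app.service", "[Service]\nExecStart=/usr/local/bin/app\n")
    _write(root, "home/alice/.bashrc", "export EDITOR=vim\n")
    baseline = set(collect_autostart_entries(root))
    _write(root, "etc/cron.d/update", "*/5 * * * * root /tmp/.cache/agent\n")
    _write(root, "home/alice/.bashrc", "/tmp/.cache/agent &\n", mode="a")
    return baseline, new_since_baseline(collect_autostart_entries(root), baseline)
```

Run against a real host with collect_autostart_entries("/") after storing a trusted snapshot; any entry reported by new_since_baseline is a change to an autostart location that deserves review.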

Why Is "Persistence" Critical?

Persistence allows an adversary to maintain access and control over their target environment despite defensive actions such as rebooting systems or changing user credentials. This capability is essential for prolonged espionage or data exfiltration operations, where continuous access is crucial for success. It also enables attackers to deploy additional payloads over time, escalate privileges further, manipulate data covertly, or lie dormant until conditions are favorable for further actions such as ransomware deployment or sabotage operations.

In summary:

  • What: Techniques used by adversaries to maintain access over time.
  • How: Through manipulation of system features like startup programs/services and account settings.
  • Where: Across various components and layers of operating systems, including registry settings, service configurations and script files.
  • Why: To ensure continuous control over compromised environments for ongoing exploitation or staging further attacks.