Persistence Strategies

seyed amirali amiri
3 min read · Feb 9, 2021

One of the fundamental differences between APTs and other cyber-attacks is persistence. From the attacker's point of view, persistence is critical because on an operating system like Windows, running programs are terminated when users log off or restart the computer; to restart the malicious programs, the attacker would have to exploit the system again. Depending on the privileges available to the adversary, they can choose to hide in one of two main parts of the victim system: user space or the kernel. In this article, we discuss types of persistence strategies and see how DLL injection used for this purpose can be detected.

At first glance, it may seem that adversaries always prefer kernel-mode persistence, but this is not true: in some cases, the very presence of a rootkit could signal that something is suspicious. Advanced adversaries have been known to use both locations for persistence.

In addition, other factors are key to persistence, such as the function of the target system, whether internet access is available, and whether administrative privileges are held; any one of these can change the strategy. Even though administrative privileges are helpful to the adversary, persistence can be achieved without them as well. Adversaries can maintain access directly or indirectly.

They can infect a web server, where they can then deploy a backdoor as part of the web application, or they can compromise a workstation inside the environment.

Common persistence strategies are listed below:

  • Registry manipulation, such as Run keys, logon scripts, …
  • Task schedulers, such as at, cron, …
  • Web shells on a web server accessible from the internet
  • DLL search order hijacking
  • Bootkits, such as infecting the master boot record
  • Auto-start services
  • User Startup folders

You can check the MITRE ATT&CK framework for additional techniques: https://attack.mitre.org/

A dynamic-link library (DLL) is Microsoft's implementation of the shared library concept. Windows follows a specific search order when a DLL has to be loaded. Adversaries can perform DLL preloading by placing a malicious DLL with the same name as a legitimate DLL in a location that Windows searches first. When Windows encounters the malicious DLL, it is loaded instead of the legitimate one. Attackers can also replace an existing DLL or modify a manifest file to cause another DLL to load.

To detect DLL search order hijacking attacks, we have a few options, such as:

  • Monitor file systems for moving, renaming, replacing, or modifying DLLs
  • Detect DLLs loaded into a process with the same name as a known DLL but an abnormal path
  • Monitor modifications to .manifest redirection files

The easiest way to identify and detect DLL hijacking and injection is memory forensics. For this purpose, we can use the Volatility framework.

Volatility has a complete set of extraction features, such as dlllist and dlldump. dlldump extracts the DLL files belonging to a specific process or group of processes.

With dlllist you can list the DLLs of a specific process. In this example we want to list the DLLs for the iexplore.exe process with PID 3340, as in the screenshot below.

Then look through the DLL list to find the malicious DLL, and extract the suspicious DLL for further analysis with dlldump.
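To show the "same name but abnormal path" check from the detection list applied to a dlllist listing, here is an added example (not from the original article or from the Volatility project). It parses a constructed sample in the shape of Volatility 2 `dlllist -p 3340` output and flags two cases: a DLL carrying a system-DLL name that is mapped from outside the system directory (the preloading case), and a DLL mapped from a user-writable directory. The baseline sets SYSTEM_DLLS, SYSTEM_DIRS and USER_WRITABLE_HINTS are assumptions for the demonstration, not a complete allow-list.

```python
"""Flag DLLs loaded from an unexpected path in a Volatility dlllist dump."""
import re
from pathlib import PureWindowsPath

# Constructed sample in the shape of Volatility 2 `dlllist -p 3340` output (not a real capture).
SAMPLE_DLLLIST = """\
************************************************************************
iexplore.exe pid:   3340
Command line : "C:\\Program Files\\Internet Explorer\\iexplore.exe"

Base             Size          LoadCount     Path
---------- ---------- ---------- ----
0x00400000   0x9a000     0xffff C:\\Program Files\\Internet Explorer\\iexplore.exe
0x7c900000   0xaf000     0xffff C:\\WINDOWS\\system32\\ntdll.dll
0x7c800000   0xf6000     0xffff C:\\WINDOWS\\system32\\kernel32.dll
0x10000000    0x6000        0x1 C:\\Program Files\\Internet Explorer\\version.dll
0x00350000   0x12000        0x1 C:\\Users\\bob\\AppData\\Local\\Temp\\helper.dll
"""

# Assumed baseline: DLL names that should only ever be mapped from the system directory.
SYSTEM_DLLS = {"ntdll.dll", "kernel32.dll", "version.dll", "user32.dll"}
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
# Directories an unprivileged user can write to; a DLL mapped from here deserves a look.
USER_WRITABLE_HINTS = ("\\temp\\", "\\appdata\\", "\\users\\", "\\downloads\\")

# One dlllist row: base, size, load count, then the module path (only .dll rows match).
ROW = re.compile(r"^0x[0-9a-f]+\s+0x[0-9a-f]+\s+0x[0-9a-f]+\s+(?P<path>.+\.dll)\s*$", re.I)


def parse_dlllist(text):
    """Return the DLL paths listed in a dlllist dump (the .exe row is skipped)."""
    return [m.group("path").strip() for m in map(ROW.match, text.splitlines()) if m]


def suspicious_dlls(text):
    """Return (name, path, reason) tuples for DLLs loaded from an abnormal location."""
    findings = []
    for path in parse_dlllist(text):
        p = PureWindowsPath(path)
        name, parent = p.name.lower(), str(p.parent).lower()
        if name in SYSTEM_DLLS and parent not in SYSTEM_DIRS:
            findings.append((name, path, "system DLL name outside the system directory"))
        elif any(hint in parent + "\\" for hint in USER_WRITABLE_HINTS):
            findings.append((name, path, "DLL mapped from a user-writable directory"))
    return findings


if __name__ == "__main__":
    for name, path, reason in suspicious_dlls(SAMPLE_DLLLIST):
        print(f"{name}: {reason} ({path})")
```

The two flagged modules in the sample are the ones you would then pull with dlldump for closer analysis.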

Now you can use the strings tool to identify the notable API function calls in this DLL.

I hope this article has given you a better understanding of persistence strategies.

Thank you.

seyed amirali amiri

Experienced Security Analyst with a demonstrated history of malware analysis, log management, and memory forensics.