Establishing Persistence

Establishing Persistence – A Comprehensive Guide for GIAC GCIH

Establishing Persistence

Why Is Establishing Persistence Important?

Establishing persistence is one of the most critical phases in the post-exploitation lifecycle. Once an attacker has gained initial access to a system or network, that access is often fragile — a reboot, a patch, or a user logging off could sever the connection entirely. Persistence mechanisms ensure that the attacker maintains long-term access to the compromised environment, even after system restarts, credential changes, or partial remediation efforts.

From a defensive perspective, understanding persistence is essential because:

• It allows incident responders to identify all footholds an attacker has established, which is critical for full remediation.
• Failure to remove persistence mechanisms means the attacker can return at will, rendering other remediation efforts useless.
• Many advanced persistent threats (APTs) rely on multiple, layered persistence techniques, making detection and eradication challenging.
• For the GCIH exam, persistence is a core concept that ties together exploitation, post-exploitation, and incident handling phases.

What Is Establishing Persistence?

Establishing persistence refers to the techniques an attacker uses to maintain access to a compromised system or network over an extended period. This is achieved by implanting backdoors, modifying system configurations, creating new accounts, installing malicious services, or leveraging legitimate system features in unintended ways.

Persistence can be categorized in several ways:

1. User-Level Persistence: Mechanisms that survive user logoff/logon cycles but may not survive a full system reboot, or that are tied to a specific user context.
- Registry Run keys (HKCU\Software\Microsoft\Windows\CurrentVersion\Run)
- Startup folder shortcuts
- Scheduled tasks running under a user context
- Browser extensions or add-ons
- Application-specific persistence (e.g., Office macros, Outlook rules)

2. System-Level Persistence: Mechanisms that survive reboots and operate with elevated privileges.
- Windows Services
- Registry Run keys (HKLM\Software\Microsoft\Windows\CurrentVersion\Run)
- Scheduled tasks running as SYSTEM
- WMI (Windows Management Instrumentation) event subscriptions
- DLL search order hijacking
- Boot or logon autostart execution
- Group Policy modifications

3. Firmware/Hardware-Level Persistence: The most difficult to detect and remove.
- BIOS/UEFI implants
- Bootkit installations
- Hard drive firmware modifications

4. Network-Level Persistence:
- Rogue access points
- VPN account creation
- Compromised network devices (routers, switches)
- DNS hijacking

5. Account-Based Persistence:
- Creating new local or domain accounts
- Adding users to privileged groups
- Stealing or forging authentication tokens (e.g., Golden Ticket, Silver Ticket attacks in Kerberos)
- SSH key implantation
- Credential dumping for future reuse

How Does Establishing Persistence Work?

The process of establishing persistence typically follows this workflow:

Step 1: Assess the Compromised Environment
After gaining initial access, the attacker surveys the system to understand the operating system, privilege level, installed security tools, network configuration, and available persistence options. Tools like whoami, systeminfo, net user, and enumeration scripts help with this reconnaissance.

Step 2: Escalate Privileges (If Necessary)
Many persistence mechanisms require elevated privileges (e.g., SYSTEM on Windows, root on Linux). The attacker may need to perform privilege escalation before establishing durable persistence.

Step 3: Select and Deploy Persistence Mechanism(s)
The attacker chooses one or more persistence techniques based on:
- The level of access achieved
- The target operating system
- The need for stealth vs. reliability
- The presence of endpoint detection tools

Common Windows Persistence Techniques:

Registry Run Keys: Adding entries to HKLM or HKCU Run/RunOnce keys causes a program to execute every time the system starts or a user logs in.
Example:
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d "C:\temp\backdoor.exe"

Scheduled Tasks: Creating scheduled tasks that execute malicious payloads at specified intervals or on system events.
Example:
schtasks /create /tn "SystemUpdate" /tr "C:\temp\backdoor.exe" /sc onlogon /ru SYSTEM

Windows Services: Installing a malicious binary as a Windows service ensures execution at boot with SYSTEM privileges.
Example:
sc create EvilService binPath= "C:\temp\backdoor.exe" start= auto

WMI Event Subscriptions: WMI can be used to trigger execution based on system events (e.g., a process starting, a user logging in). This is particularly stealthy because it leaves minimal filesystem artifacts.

DLL Hijacking / DLL Search Order Hijacking: Placing a malicious DLL in a directory that a legitimate application searches before the correct directory, causing the legitimate application to load the malicious DLL.

Accessibility Features Backdoor: Replacing accessibility executables (e.g., sethc.exe for Sticky Keys, utilman.exe for Utility Manager) with cmd.exe allows command-line access from the login screen.

Common Linux Persistence Techniques:

Cron Jobs: Adding entries to crontab to execute malicious scripts at regular intervals.
Example: (crontab -l; echo "*/5 * * * * /tmp/.hidden/backdoor.sh") | crontab -

SSH Authorized Keys: Adding the attacker's public key to ~/.ssh/authorized_keys provides passwordless SSH access.

Systemd Services: Creating a malicious systemd unit file ensures the backdoor starts at boot.

Bashrc / Profile Modifications: Adding malicious commands to .bashrc, .bash_profile, or /etc/profile causes execution whenever a shell session starts.

Rootkits: Kernel-level or user-level rootkits can hide processes, files, and network connections while maintaining persistent access.

LD_PRELOAD: Setting the LD_PRELOAD environment variable to load a malicious shared library before legitimate ones.

Advanced / AI-Augmented Persistence Techniques:

In modern attack scenarios, adversaries may leverage AI-driven approaches to enhance persistence:

- Polymorphic backdoors: AI-generated code that changes its signature to evade antivirus detection while maintaining functionality.
- Adaptive persistence: Malware that uses machine learning to determine the best persistence mechanism based on the target environment, adjusting its behavior to avoid detection.
- AI-driven evasion: Persistence mechanisms that monitor for security tool activity and dynamically alter their behavior (e.g., going dormant when analysis tools are running).
- Living-off-the-land (LOLBins): Using legitimate system binaries and tools (like PowerShell, WMI, certutil, mshta) to establish persistence without dropping traditional malware — AI can help attackers identify and chain these techniques more effectively.

Step 4: Test and Validate Persistence
Attackers verify their persistence by simulating system reboots, logoffs, or network disconnections to ensure they can regain access.

Step 5: Establish Redundancy
Sophisticated attackers deploy multiple, independent persistence mechanisms. If one is discovered and removed, others remain active. This is a hallmark of APT operations.

Detection and Defense Against Persistence

For incident handlers, detecting persistence is critical:

• Autoruns (Sysinternals): Comprehensive tool for identifying all autostart extensibility points (ASEPs) on Windows.
• Checking scheduled tasks: Use schtasks /query or Task Scheduler GUI to review all tasks.
• Reviewing services: Look for unusual or recently created services with sc query or services.msc.
• Registry analysis: Examine Run, RunOnce, and other autostart registry keys.
• WMI repository inspection: Use tools like Get-WMIObject or wmic to review WMI subscriptions.
• File integrity monitoring: Detect unauthorized changes to system files and configurations.
• Log analysis: Windows Event Logs (Event IDs 4698 for scheduled task creation, 7045 for service installation, 4720 for account creation).
• Linux auditing: Review crontab, systemd units, authorized_keys files, and profile scripts.
• Endpoint Detection and Response (EDR): Modern EDR tools can detect many persistence techniques in real-time.
• Memory forensics: Tools like Volatility can identify in-memory-only persistence and rootkits.

Mapping to Frameworks:
Persistence maps directly to the MITRE ATT&CK Tactic TA0003 (Persistence), which includes dozens of specific techniques. Understanding ATT&CK is valuable for both the GCIH exam and real-world incident handling.

Exam Tips: Answering Questions on Establishing Persistence

1. Know the common persistence mechanisms by category: Be able to distinguish between user-level, system-level, and firmware-level persistence. Exam questions may describe a scenario and ask you to identify which type of persistence is being used.

2. Understand the specific registry keys: HKLM\Software\Microsoft\Windows\CurrentVersion\Run and HKCU equivalents are frequently tested. Know the difference between HKLM (system-wide, requires admin) and HKCU (user-specific, no admin needed).

3. Know the tools: Sysinternals Autoruns is the go-to tool for persistence detection on Windows. Be familiar with schtasks, sc, wmic, and PowerShell commands used to create and detect persistence.

4. Recognize scenario-based questions: The exam may describe an attacker's actions (e.g., "The attacker added a new entry to the Run key in the registry") and ask what this accomplishes or how to detect it. Read carefully to identify the persistence technique being described.

5. Understand Sticky Keys and Accessibility Feature attacks: Replacing sethc.exe or utilman.exe with cmd.exe is a classic GCIH topic. Know that this allows pre-authentication command execution from the Windows login screen.

6. Differentiate between persistence and privilege escalation: These are distinct phases. Persistence is about maintaining access; privilege escalation is about gaining higher-level access. Some techniques can serve both purposes, but know the primary function being described.

7. Remember Golden Ticket and Silver Ticket attacks: These Kerberos attacks provide extremely durable persistence. A Golden Ticket uses the KRBTGT account hash and allows forging any TGT, while a Silver Ticket uses a service account hash for a specific service.

8. Know Event Log IDs: Event ID 4698 (scheduled task created), 7045 (new service installed), 4720 (new user account created), and 4732 (user added to security group) are relevant to persistence detection.

9. Linux persistence matters too: Don't focus exclusively on Windows. Know about cron jobs, SSH key planting, systemd services, and modifications to shell configuration files.

10. Think like an incident handler: Many questions will approach persistence from the defensive side — how would you detect it? How would you remove it? What steps ensure complete eradication? Always consider that multiple persistence mechanisms may exist simultaneously.

11. WMI event subscriptions: This is an increasingly tested topic. Know that WMI subscriptions consist of three components: an Event Filter, an Event Consumer, and a Filter-to-Consumer Binding. They are fileless and highly stealthy.

12. Process of elimination: If a question describes a specific behavior (e.g., malware that survives reboots and runs as SYSTEM), eliminate answers that don't match those criteria. User-level persistence won't run as SYSTEM; a cron job is Linux, not Windows.

13. Time management: Persistence questions often involve reading detailed scenarios. Quickly identify the key indicators — the OS, the privilege level, the specific technique — and match them to your knowledge.

14. Review MITRE ATT&CK TA0003: Familiarity with the ATT&CK framework's persistence techniques provides a structured way to categorize and recall persistence methods during the exam.

By thoroughly understanding the concepts of establishing persistence — the techniques, the tools for detection, and the defensive response — you will be well-prepared to answer related questions on the GCIH exam confidently and accurately.