Attack Detection Fundamentals: Code Execution and Persistence - Lab #2

One means of persistence is to create a file in the user's "Start Up" folder. As the name might suggest, the special thing about this folder, is that everything that is in it gets executed at start up, as long as it is in an executable format.

The path of this folder is as follows:

It is important to note here that anything that gets executed this way will be under the context of the user logging in.

Notably, if we have administrative privileges, we could instead use the system-wide StartUp folder, located in:

This way our payload would load any time a user logs into the system, no matter who they are (although, the file would still be executed under that user's privileges).

By adding an entry to certain locations inside the Windows Registry (known as "Run Keys") an attacker is able to get code executed every time the system boots up or that the user logs in. As with the "Start Up" folders described above, here we also have user-specific locations and system wide locations (that also require administrative privileges to be modified).

Entries added to the Run Keys in the Current User Registry Hive (HKCU) will get executed every time the compromised user logs in.

The following list shows the most common locations to achieve persistence under the context of the current user.

We can modify one such location and add a key to get our code executed every time the user logs in with the following command:

On the other hand, entries added to the Run Keys in the System or Local Machine Registry Hive (HKCU) will get executed every time any user logs in into the system.

And the command to modify one of these registries, and add our system wide persistence key, is as follows (remember we do need administrative privileges to tinker with this):

Additionally, there are a few other registry locations that can be used to create and place start up folder items that will of course also get executed at log in:

In fact, this is actually the case with the Astaroth malware. The attackers added an entry to the registry listed below to achieve persistence, and we will do the same in our lab.

Finally, there are still more locations and methods to achieve persistence using this technique, so I recommend doing some more research on the topic to get a more thorough view on this.

You can find the complete code for the new stager below.

This file will work in the same way as before, with the added benefit that now it is also going to provide us with access to the target machine between reboots.

The steps to carry out the attacks are the same as in the first lab, but now we will also reboot our target machine and restart our listener to test for persistence.

These steps are recreated below:

1. The first step is to move the `create_dropper_lnk.bat` batch file to the Windows VM (Desktop works) that will act as the target and execute it. This will create a shortcut file named "clickme.lnk" that will imitate the Infection Vector in the real attack.
2. On the attacking machine, move to the directory where the payloads are stored and set up a HTTP server as described above.
3. Open up a Metasploit console and set up a listener for a reverse Meterpreter shell over TCP, again following the steps already outlined.
4. Back to the target machine, it is time for the user to click on that completely benign looking file. This will trigger the whole attack chain.
5. Turns out the "clickme" shortcut file is a dropper! Who would have though. Anyway, after executing, this binary uses BITSAdmin to fetch the next step of the attack chain, a stager batch file. This stager gets automatically executed and performs two actions:
6. First it reaches back to our C2 server, retrieves our DLL payload, renames it and stores it in "C:\Users\Public\Libraries\raw\".
7. Second, it generates a VBS script and copies it to the Alternate Data Stream of "desktop.ini" inside the same directory, hiding it from unwanted eyes. The original script is immediately deleted.
8. This now hidden script is accessed and executed by the stager, creating the final launcher file in shortcut format (.lnk).
9. Almost there. On its final step, the stager executes the shortcut file, which launches ExtExport.exe - a LOLBin bundled in Internet Explorer - pointing to the directory where the aptly renamed DLL payload is stored. If successful, the DLL is side-loaded and the embedded payload executed.
10. Voila! A Meterpreter shell spawns in the terminal of our attacking machine. Good job! Now let's test for persistence.
11. First navigate to the user Start Up folder C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\` and check that a copy of our launcher has successfully been copied there.
12. Now let's make use of an internal Windows tool called Regedit to check if the key has been added to the Registry too. Open the search bad in the taskbar and type `regedit`. You need to run this with administrative rights. Once inside Regedit's interface, navigate to `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders`. Check the value on right hand side of the key named "startup". If the stager script was successful, this should now contain the path to our payload.
13. Time for the final test: Shut down your target Windows VM. Your Meterpreter shell should die shortly afterwards.
14. Restart the listener on the Metasploit console in our C2 machine.
15. Reboot the target Windows VM and login as the same user.
16. Back in your attacking VM you should now see a shiny new Meterpreter shell coming up. Victory! Persistence has been achieved! Now sit back and get ready to #HackTheWorld.

The Autoruns utility from the Sysinternals suite is probably the easiest way to monitor any startup location susceptible of being abused to achieve persistence by an attacker. The tool looks into all the startup locations in the system and shows every program or executable that is configured to run during system bootup or user log in. This includes of course the StartUp folder and the registries we have been talking about through this guide.

Not only that but it also checks for files that are configured to run when other built-in Windows applications are launched, like Explorer, Internet Explorer or media players, which can also be abused by attackers to make them execute extraneous code.

Finally, the tool offers a wide arrange of options to filter and zoom in on any suspicious file or group of files to get a closer look into any anomalies in the startup process.

Although the advanced usage of this tool goes beyond the scope of this guide, Autoruns should be one of the assets in any system administrator or blue teamer's toolset.

Focusing on specific detections, persistence by the method of creating a file in the startup folder can be carried out in the following manner.

If we have Sysmon installed as part of our detection stack, we can look for records of events in the Startup folder directory with the EID 12 (file creation), that would point to a new file being added on this location.

We can then filter down these events by checking other data like the actual name of the process that created the file and the extension of the file itself, comparing them to a list of usual suspects to get a better context on the file creation process.

Finally, all of this could then be implemented in a rule in whatever format we use and feed it to our SIEM to start monitoring for these occurrences.

When it comes to monitoring persistence techniques that rely on modifying Registry Keys, the process is not very different from what has been outlined above.

Sysmon events with an EID 12 point to actions that have modified an entry in the registry. If we ingest these records, we can then check the image that performed the action and the "TargetObject" to see if the command was pointing to a Run Key, for example. And just like with Sysmon, events in the Windows Security Log with an EID 4657 (A registry value was modified) also bring up the same type of actions, so we can use the same approach to develop monitoring capabilities over registry modifications.

If we are correctly logging and parsing the whole command, we can also check if there is any file extension in the arguments, and again compare it to a list of usual suspects (executables) to further filter out false positives and create a more efficient detection rule.