Hello folks – welcome to Part 5 of the series on MITRE ATT&CK Tactics! Today we’re talking about how adversaries maintain a foothold. Like any invading force, threat actors work hard to ensure that they get initial access, and they would rather not have to repeat that effort. Traditional aggressors most often resort to maintaining pressure on the front once their initial attack lands. This has the effect of exhausting the defenders and ensuring they are unable to reset or respond effectively. Some attackers will leverage asymmetrical warfare elements like guerilla forces, local resistance forces, or agents to undermine defenses and guarantee access. Cyber adversaries need the same sort of effects, and that guaranteed access is arguably their highest priority. So let’s discuss the MITRE ATT&CK Persistence tactic and see why it is vital and how they might achieve it!

The Importance of ATT&CK Persistence

We have seen that there are many parallels between traditional battlefield tactics and those of cyber threat actors. Both seek to maintain pressure on their targets to ensure objectives are met while incurring as few casualties as they can manage. But how do these adversaries differ from each other? Will the lessons of one benefit the other? When it comes to sustaining an attack, each domain actually starts to see a different path of persistence.

Traditional adversaries would certainly love to have insiders working on their behalf to harass and torment their targets, but developing those assets takes a ton of time and effort that may not line up well with the availability of resources. These adversaries thus maintain persistence primarily with external pressure. By attacking on various fronts, with unpredictable tempo, and with varying tactics, the adversary can ensure defenders are unable to regroup and analyze the efforts. Even when advance forces are able to develop collaborators internal to the opponent, human nature makes those less reliable and highly dynamic. These operations carry extremely high risk, and assets are treated as burnable or expendable.

The One-legged Wonder Woman

The book “A Woman of No Importance” by Sonia Purnell tells the amazing tale of Virginia Hall, a one-legged American working for the British Special Operations Executive (SOE) in occupied France. What made her exploits (see what I did there?) so remarkable was that she was able to persist long enough, to survive despite the odds, such that she was able to materially impact the German forces. Given the sheer number of contemporaries who were killed long before they proved useful, it can be surmised that the British supported these operations not as a primary threat to the occupying forces, but as a psychological diversion. That she was able to lead her spy ring and coordinate so much mayhem was a huge plus. Her team destroyed countless bridges and depots, eliminated thousands of German troops and assets from the board, and also acted as a vital channel for intelligence back to London. But for all of her success, almost every one of her peers was ineffective or eliminated early. Much of the heavy lifting would have to be done through traditional force movement, attacks, and a long and costly war.

Virginia Hall is the model of persistence. From her place in Occupied France, she exfiltrated information and pilots, executed devastating attacks, compromised more units and gained higher access, and generally was a badass. (painting by Jeffrey W. Bass)

In these traditional battlefields persistence maintains pressure on the opponent until they are conquered (if attacking) or repelled/deterred (if being attacked).

The Inside-out Nature of Cyber Threat Persistence

Cyber adversaries have a different paradigm and threat picture than a nation at war (physically). For one, anonymity is much easier to maintain for sophisticated actors, and conversely, directed activity from outside the walls can risk that. Inside assets are actually preferred here, as systems – not people – are what they are leveraging. These systems behave predictably and without emotion. Even if discovered, any tentacles of persistence are useful in distracting defenders and cost the adversary very little. If used properly a variety of ATT&CK persistence techniques make it frustratingly difficult to eliminate the foothold of an APT.

In a modern cyber attack, adversaries need to maintain presence in the environment to carry out their objectives. Whether to disrupt critical infrastructure, spy on and harvest data from an industrial or intellectual adversary, or run a ransomware operation, sustained access is essential. Persistence opens up options to better discover, move laterally, collect information, and otherwise impact the environment. Even adversaries looking for a quick win typically favor leaving some lingering backdoor access should they want to revisit.

Persistence – whatever it takes to avoid exile

The MITRE ATT&CK Persistence (TA0003) tactic is comprised of 20 techniques and almost 100 sub-techniques, so we’re going to group them logically based on the area each focuses on. In prior entries to this series, I tried to blow up the sub-techniques, but for the above reasons we’ll just show the 20 top-level techniques here:

There are tons of ways adversaries gain persistence – most will use a few!

As we mentioned in the Execution (TA0002) tactic write-up last week, these don’t have to exist on their own in an adversary’s plan. Many APTs will leverage a TTP that covers multiple goals or tactics, or conversely combine multiple TTPs in a single payload, script, or procedure. While Execution is necessary to do much of anything, persistence gives the adversary more time and/or chances to execute those things. So this tactic is all about staying in the hunt!

Our hero Lloyd knew a little something about persistence paying off…

Persistence via accounts & access

Plenty of history’s most exciting stories come from events where a mole, spy or traitor turned the tide of a war. The pinnacle of any intelligence operation is to get real, credible accounts working for you. Cybersecurity is no different, which is why we see so much emphasis on preventing the use of Valid Accounts (T1078). Those credentials are hard to beat, as they are granted with real privileges and business justification. Whether those were hard-earned in a phishing attack or prior breach, or the attacker gained access via Modify Authentication Process (T1556), they now have a beachhead! If an adversary ends up as a low-ranking user but desires higher privileges, they might use Account Manipulation (T1098) to elevate privileges or alter permissions or assigned roles.

Any of these paths end up allowing the attacker to operate on a system with enough privileges to do harm. What is better than one account with that access? How about two or more? Attackers will Create Accounts (T1136) at the local or domain levels to ensure that if their primary account is discovered, they have a backup. If they used legitimate credentials in the first place, they may quickly pivot to these new accounts to avoid tripping behavioral alerts and achieve that ATT&CK Persistence goal.

Persistence via services, processes, and execution

Even the most well-meaning sysadmin is going to need to leave certain paths open for their own use. External Remote Services (T1133) like VNC, RDP, and SSH – while valid paths for administrators or users – can just as easily be followed by attackers. Sometimes an adversary needs to create a doorway where one did not exist prior. They may want to piggyback on a legitimate process to achieve their goal and Hijack Execution Flow (T1574) to convince the system to run their payloads. This particular TTP offers a lot of variety, and we begin to see some distinctive go-to methods emerge for certain APTs that are useful in identifying the foe. When an adversary is unable to hijack legitimate execution they may go so far as to Implant an Internal Image (T1525) to do their dirty work. This is very helpful to adversaries in cloud environments, as the adversary can taint an image upstream in the supply chain and ensure that their persistence is propagated every time that repository is called. Crazy stuff, isn’t it?

Persistence via operating system or application

The modern operating systems are a marvel of complexity and options. Adversaries love to use all of these different capabilities to their advantage, and there is a plethora of options detailed in the ATT&CK Persistence tactic.

Boot-up

From the boot sequence, most modern devices or servers have firmware or bootstrapping routines that happen before the OS wakes up and takes over. APTs love to find ways to land a persistence mechanism in the Pre-OS Boot (T1542) phase. Here it is trivial to avoid detection in most environments. They also ensure that their backdoor or pathway in is reliably opened every time the system restarts. Alternatively, they may be unable to land a TTP here, and opt instead to never let the device reboot. By manipulating Power Settings (T1653) they can prevent hibernation, sleep, shutdown, or reboot sequences that might wipe out their hard-earned illicit access.

OS startup and normal ops

Most threat actors will leverage the many locations and methods used by Windows devices to ensure their scripts or executables are reloaded. Boot or Logon Autostart Execution (T1547) is a very popular place for attackers to attempt to put executables they want run. It is also a common place for defenders to look. Very similarly, Boot or Logon Initialization Scripts (T1037) offer another opportunity for attackers to embed their own commands. This is primarily in Linux/Unix systems. These same principles explain the use of a Scheduled Task/Job (T1053) like cron or the execution of a tainted Office Application Startup (T1137) macro or template. The goal is to ensure periodic refresh of a persistence path. Knowing that defenders are looking for malicious entries in these locations, attackers can Create or Modify System Process (T1543) to get a legitimate process to do their dirty work for them. The process itself is completely unaware that it is the unwitting accomplice.

Essential OS and application services

Some processes running on an OS have nothing to do with the users. Modern domains rely on these services to maintain synchronization, accelerate file shares, and keep things running smoothly. The Background Intelligent Transfer Service (BITS Jobs (T1197)) is one such path. Because these services tend to fly under the radar and are necessary, they offer ample opportunities for attackers to abuse them, or to add their own, for many goals including persistence. Systems serving applications are likewise dependent on various Server Software Components (T1505) for administration, operation, and maintenance. A well-studied APT will know how to use and abuse those paths for their own purposes. And client devices are dependent on a very dynamic tool, the browser. Browser Extensions (T1176) offer a menacing and powerful path. While the immediate targets may not be crown-jewel assets, their users often access those high value systems. With a hooked browser the APT has front row seats!

Persistence via hidden doors

Whether an adversary is unable to gain persistence using an above TTP, or they prefer to be a little more covert, the hidden doors offered in this section are the stuff of cloak & dagger capers. Adversaries may have other methods in the ATT&CK persistence menu. Even when those are found, the more advanced foes will have carved secret holes into the environment.

The infamous Sandworm used Exaramel backdoors and RDP access to maintain persistence in their target environment. This bought them time to compromise more systems and then deploy their wiper. (from MITRE CTID’s Emulation Library)

An adversary may have planted a sleeping process to respond at a later date to an Event Triggered Execution (T1546). Through prior access, they can reconfigure event-related scripts or reactions for routine or mundane stuff. Screensavers, installers, scripting events – all of these can be used. The APT may even Compromise a Client Software Binary (T1554). This ensures that when they provide an external stimulus, the system responds and opens up access. Network-savvy threat actors can program in a normally undetectable pathway. It is hidden until awakened by Traffic Signaling (T1205), which is the equivalent of a secret knock. Assuming they provide the right pattern of stimulus traffic, a door swings open to allow them in.

How can we prevent persistence?

There is nothing more demoralizing to a defender than the feeling that an APT can dictate terms. The Nazis weren’t just worried about the Allied invasion on multiple fronts. They worried about the elusive and disruptive threats from within. Despite brutal efforts to torture and execute spies and resistance fighters, they were never rid of that threat. This in turn allowed the Allied invasion force to assemble and attack on their own timetable. Even with the high mortality rate & questionable value of operators not named Virginia, they had options thanks to those efforts.

For cyber threats, options and time are vital for the success of an operation. Persistence is what empowers these adversaries. So what sorts of things can defenders do to prevent or mitigate it? They should:

  • Monitor common startup and scheduled task paths and registry keys for malicious activity
  • Monitor file integrity for libraries, executables, and upstream repositories
  • Clamp down externally accessible services and look for signs of command and control
  • Log and monitor account activity extensively, looking for signs of abnormal use, new account creation, etc. Consider honey accounts as well!
  • Implement strong MFA and access policies
  • Take actions to monitor and harden OS, firmware, and essential applications
  • Disable and log use of Office macros
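As an added example (not part of the original post), here is a small Python triage routine that puts the first, fourth and sixth bullets above into practice: it maps Windows Security/System event IDs and Sysmon registry events to the Persistence technique IDs discussed in this post. The event IDs and registry key paths are real; the sample records and the autostart allowlist are constructed for illustration.

```python
import re

# Constructed sample events, not real telemetry: (source log, event id, fields).
SAMPLE_EVENTS = [
    {"source": "Security", "id": 4624, "fields": {"TargetUserName": "jsmith"}},
    {"source": "Security", "id": 4720,
     "fields": {"SubjectUserName": "jsmith", "TargetUserName": "svc_backup2"}},
    {"source": "Security", "id": 4698,
     "fields": {"SubjectUserName": "jsmith", "TaskName": "\\Microsoft\\Windows\\Updatr"}},
    {"source": "System", "id": 7045,
     "fields": {"ServiceName": "WinHelper", "ImagePath": "C:\\Users\\Public\\wh.exe"}},
    {"source": "Sysmon", "id": 13, "fields": {
        "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
        "Details": "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe"}},
    {"source": "Sysmon", "id": 13, "fields": {
        "TargetObject": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
        "Details": "C:\\Users\\Public\\upd.exe"}},
]

# Hypothetical allowlist of autostart value names a fleet has baselined as expected.
KNOWN_RUN_VALUES = {"OneDrive", "SecurityHealth"}
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)


def classify(event):
    """Return (ATT&CK technique id, reason) for a persistence-relevant event, else None."""
    src, eid, f = event["source"], event["id"], event["fields"]
    if src == "Security" and eid == 4720:  # "A user account was created"
        return "T1136", f"account {f['TargetUserName']} created by {f['SubjectUserName']}"
    if src == "Security" and eid == 4698:  # "A scheduled task was created"
        return "T1053", f"task {f['TaskName']} created by {f['SubjectUserName']}"
    if src == "System" and eid == 7045:  # "A new service was installed"
        return "T1543", f"service {f['ServiceName']} runs {f['ImagePath']}"
    if src == "Sysmon" and eid == 13 and RUN_KEY_RE.search(f["TargetObject"]):
        value = f["TargetObject"].rsplit("\\", 1)[-1]  # Sysmon 13: registry value set
        if value not in KNOWN_RUN_VALUES:  # only unbaselined autostart entries alert
            return "T1547", f"unbaselined autostart {value} = {f['Details']}"
    return None


def triage(events):
    """Collect (event id, technique id, reason) tuples for analyst review."""
    hits = []
    for e in events:
        hit = classify(e)
        if hit:
            hits.append((e["id"],) + hit)
    return hits
```

Run against the sample set, the benign logon (4624) and the baselined OneDrive Run value produce no hits, while the new account, task, service and unknown Run entry each map to a technique ID.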

The key factor in combating persistence is to remove some of the options. As defenders do so, adversaries will have less variety to work with and generate more noise as they operate. This improves the defenders’ chances of detecting the activity. As this is an ever-moving landscape, it is essential for defenders to quickly adapt and to have forensic data to retrospectively correlate persistence activity. This look-back will enable them to adapt policies quickly going forward.

Conclusion

The presence or lack of persistence can change the tide of a battle. Whoever has more opportunities and time within which to use them typically wins. Even now, western governments are wrestling with the certainty that Chinese threat actors have gained persistence throughout critical infrastructure environments. Several nation-states have footholds in the US and EU defense industrial bases. A non-zero number of organizations from government to healthcare to financial are very likely closer to adversary impact than they know. This is because those APTs already have established persistence and are waiting for the right time to strike.

It is vital that defenders close up all environments to eliminate potential footholds. By concentrating the attackers’ purchase to a smaller number of options, they become noisier and easier to hear. Of the 20 techniques in ATT&CK Persistence, at least 14 of them can be hardened outright. All can be logged much more effectively. APTs are like ants in this way. If you don’t want ants in your home, don’t leave them food or water, and eliminate pathways in!

I hope that this post was helpful in understanding the role persistence plays in an attacker’s arsenal. With this post, we’re seeing the beginning of some massive tactics. We’ll start to talk higher level about the goals themselves and avoid digging too deep into each technique. As much as I would love to write about that stuff, I think that understanding their place in the big picture is more helpful. As always, let me know if this is helpful, and have a great week folks!