Section 1.4: Malware Persistence

Question 1

Name the persistence mechanisms malware use.

Answer 1

AutoStart, Service Creation/Replacement, Service Recovery, DLL hijacking, Scheduled Tasks, WMI Event Consumers. More Advanced: MS Add-ons, Local Group Policy, and BIOS Flashing.

Question 2

What persistence mechanisms reside more than 80% in the wild?

Answer 2

AutoStart locations and services.

Question 3

What are AutoStart Extension Points (ASEP) and why are they hard to secure? Is there any other locations besides the registry?

Answer 3

Microsoft has over 50 of them. They are mostly found in the registry. They can also be found in the filesystem which can be an advantage to an adversary since they wont need admin rights to create persistence.

Question 4

What is a good method to find compromised AutoStart data across many systems in the enterprise?

Answer 4

Stacking.

Question 5

Name two methods ASEP keys run in a system.

Answer 5

When the user logs in and/or when a system boots.

Question 6

List the registry key paths that run once a user logs in.

Answer 6

NTUSER.DAT\Software\Microsoft\Windows\Currentversion\Run(Runonce)_
Software\Microsoft\Windows\Currentversion\Runonce
Software\Microsoft\Windows\Currentversion\policies\Explorer\Run
Software\Microsoft\Windows\Currentversion\Run
Software\Microsoft\Windows NT\Currentversion\Winglogon\Userinit

Question 7

Describe a feature Winlogon folder has for userinit.exe that can be dangerous adversary usage.

Answer 7

Winlogon executes userinit.exe and launches explorer.exe. The key can be modified to include a reference to load an binary that can be found elsewhere to also load at boot.

Question 8

What folder location can an adversary place a shortcut to maintain an ASEP persistence?

Answer 8

%AppData%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

Question 9

What are services?

Answer 9

They are designed to run applications in the background without user interaction. Many are required at system boot such as: DHCP Client, Windows Event Log, Server, and Workstation services. They can be executables or loaded DLLs.

Question 10

What is svchost.exe?

Answer 10

A Windows-generic service host process and it is typical to see 5 or more of them.

Question 11

Where can I do service configurations?

Answer 11

Inside the registry: HKLM\SYSTEM\CurrentControlSet\Services. Here I can find the parameters to the name, display name, start value, required priviledges, dependencies, and more. Start values can be (0x00 for Boot Start), (0x02 for Automatic). Be cautious because start type can also be triggered through events such as IP address or hardware connections.

Question 12

What is so dangerous about the “sc” command?

Answer 12

It can create a service that auto-loads a malicious DLL or executable. Type sc in powershell for help.

Question 13

Name three ways services can be abused by the adversary.

Answer 13

New service creation, Service replacement, and service failure recovery.

Question 14

How did Mandiant APT1 use services to load malware?

Answer 14

They replaced the rarely used RIP Listener Service (IPRIP) and loaded their malware instead. Another service to lookout for is RasAuto service.

Question 15

What is a technique to find new services in a system?

Answer 15

Baselining system services and stacking them throughout the enterprise.

Question 16

Explain service recovery mode and the best way to detect it.

Answer 16

It gives the service the option to run a binary when a specific service crashes. An example would be to crash RDP service and make it run malware. Use Kansa Svcfail.ps1 script to find suspicious services.

Question 17

Methods to collect service information through live and offline systems.

Answer 17

Through live systems: sc command and powershell.
Through offline systems: Registry and Autoruns tools.
Look into service crashing as well.

Question 18

For what purposes would an adversary use scheduled tasks to establish persistence?

Answer 18

To continuously run credential dumping or lateral movement usage remotely or locally.

Question 19

What are the binary names of scheduled tasks?

Answer 19

at..exe (recorded as at*.job files and schdlgu.txt (XP)) and schtasks.exe.

Question 20

Where can scheduled tasks files be found in the filesystem?

Answer 20

Windows\Tasks or Windows\System32\Tasks

Question 21

Attack methods used for DLL hijacking.

Answer 21

DLL search order hijacking, Phantom DLL hijacking, DLL side-loading, and relative path DLL hijacking.

Question 22

What is the main issue with DLLs loading once an executable is run inside Windows?

Answer 22

DLLs, with the exception of KnownDLLs registry key, are not required to be hardcoded to a specific location. Instead, it is done through search order. Adversaries will try to find DLLs that aren’t located inside System32 and the registry key in order to run their executable from the same folder to trump the search order.

Question 23

Explain a live example of DLL search order hijacking.

Answer 23

Explorer.exe is found inside the Windows folder and one of its DLLs (ntshrui.dll) is found inside the System32 folder. This DLL isn’t protected by the key so adversary placed a malware DLL by the same name inside the Windows folder to beat the search order.

Question 24

Name the SafedllSearchMode list.

Answer 24

DLLs already loaded in memory, SxS components, KnownDLL list, Directory of the binary, System32 folder, System folder, Windows folder, Current directory, and System %PATH%.

Question 25

Explain the Phantom DLL hijacking method.

Answer 25

A bit similar to the search order method, adversaries look for very old DLLs that binaries are still trying to load into its application. Some don’t even exist in the system but will still attempt to load. If they can figure out what DLL it is, all they have to do is load it. Fax Service (fxsst.dll) is an example.

Question 26

Explain the DLL side-loading hijack method and methods to identify it.

Answer 26

The attack uses Windows SxS DLL loading mechanism to introduce an “updated” version of a DLL. Since SxS is legit, it has few validity checks for new DLLs and can be devastating if developers don’t tweak their applications right. They take advantage that it can pass through A/V with a legit hash. Methods to identify include searching for new binaries and helper files added to the system.

Question 27

Explain the relative path DLL hijacking method and methods to identify it.

Answer 27

Adversaries will copy a binary from a protected folder, (Windows32, Windows), and paste it into a writeable location. They just add the bad DLL and voila! To discover this tactic, file system timelining and memory analysis is recommened.

Question 28

A fact to keep in mind when it comes to binaries and DLLs.

Answer 28

Newly created binaries and DLLs are RARE in most systems. ProgramData folder RARELY has any binaries or DLLs.

Question 29

Describe how WMI can give adversaries the ability to establish persistence.

Answer 29

Having access to admin rights, an adversary can create an event consumer to run scripts or binaries once an event filter is triggered. WMI’s are tied through binding and saved in managed object format (MOF) file.

Question 30

Name some examples of WMI Event Filters.

Answer 30

Specific time, existence of an executable, existence of a file or folder, service starting or stopping, and a specific user authenticated.

Question 31

Name commands analysts can search when looking for WMI activity.

Answer 31

mofcomp.exe
Get-WmiObject
Set-WmiInstance
Create-Instance

Question 32

How can an analyst discover malicious WMI activity?

Answer 32

They can use Powershell commands or Kansa. Commands in Powershell are:
Get-WMIObject -Namespace root\Subscription (or root\Default) -Class _EventFilter (or _EventConsumer, _EventConsumerBinding)

Question 33

What are some WMI false positives to be aware of?

Answer 33

SCM Event Log Consumer, BVTFilter, TSlogonEvents.vbs, TSLogonFilter, RAevent.vbs, RmAssistEventFilter, KernCap.vbs, NTEventLogConsumer, and WSCEAA.exe (DEll)

Question 34

Interesting WMI search terms for analysts to consider:

Answer 34

.exe, .vbs, .dll, .ps1, .eval, ActiveObject, powershell, CommandLineTemplate, and ScriptText.

Question 35

Name the two most common consumer classes advesaries are likely to use.

Answer 35

CommandlineEventConsumer (run an binary), and ActiveScriptEventConsumer (run a script through a specific path). Scripts used in WMI are either Visual Basic or Jscript, not Powershell.

Question 36

Name the other consumer classes besides the two most common.

Answer 36

LogFileEventConsumer, NTLogEventConsumer, SMTPEventConsumer, and Custom.