We study Adversarial Tactics, Techniques & Common Knowledge (ATT @ CK). Enterprise Tactics. Part 3
Persistence
Links to all parts:
Part 1. Obtaining initial access (Initial Access)
Part 2. Execution (Execution)
Part 3. Consolidation (Persistence)
Part 4. Privilege Escalation
Part 5. Defense Evasion
Part 6. Obtaining credentials (Credential Access)
Part 7. Discovery (Discovery)
Part 8. Lateral Movement (Lateral Movement)
The main task of securing access is to ensure the continuity of the presence in the attacked system, because access can be lost due to restarting the attacked system, loss of credentials data or blocking delete tools access due to attack detection.
The author is not responsible for the possible consequences of the application of the information contained in the article, and also apologizes for any inaccuracies in some formulations and terms. The published information is a free recount of MITER ATT & CK content .
Methods to ensure consistency in the system can be divided into 3 categories:
- Unauthorized creation of accounts or theft of existing credentials;
- Hidden installation and launch of remote access tools;
- Making changes to the configuration of the attacked system, with the help of which numerous launching of malicious code becomes possible. Malicious code can be automatically launched each time the system is booted or every user logs into the system, starts modified or malicious services, starts certain programs by the user, starts system or third-party software update processes.
The following are the access hardening techniques offered by ATT & CK.
Modifying the ~ / .bash_profile and ~ / .bashrc files
System: Linux, macOS
Privileges: User, Administrator
Description: Attackers can insert code into the ~ / .bash_profile and ~ / .bashrc files ( designed to create a user environment in the OS ) that will be executed when the user logs in or starts a new shell. The ~ / .bash_profile file is executed when a user logs in, ~ / .bashrc is executed when shells are opened interactively. When a user logs in (locally or remotely, for example via SSH) using the username and password ~ / .bash_profile is executed before the user prompt is returned. After that, every time a new shell is opened, ~ / .bashrc is executed.
In macOS, Terminal.app is slightly different in that it launches the login shell by default each time the terminal window is opened, thereby calling ~ / .bash_profile each time.
Security Tips: Granting permissions to modify the ~ / .bash_profile and ~ / .bashrc files only for authorized administrators.
Modifying executable files of the Windows Accessibility Features
System: Windows
Permissions: Administrator
Description: “special features” applications (screen magnifier, screen keyboard, etc.) can be launched using keyboard shortcuts before the user logs in. An attacker can spoof the startup files of these programs or change the way they are launched and open the command console or get a backdoor without logging in.
- C: \ Windows \ System32 \ sethc.exe - runs 5 times by pressing the Shift key;
- C: \ Windows \ System32 \ utilman.exe - launched by pressing the Win + U combination.
In WinXP and later versions, sethc.exe and utilman.exe can be replaced, for example, with cmd.exe, and later, when you press the necessary cmd.exe key combination, start up before entering Windows with System privileges.
In Vista and later versions, you need to change the registry key that configures cmd.exe or another program as a debugger, for example, for ultiman.exe. After editing the registry and pressing the desired key combination on the login screen or when connecting to the host via RDP, cmd.exe will execute with System privileges.
There are also Windows programs that can be used when implementing this attack technique:
- C: \ Windows \ System32 \ osk.exe;
- C: \ Windows \ System32 \ Magnify.exe;
- C: \ Windows \ System32 \ Narrator.exe;
- C: \ Windows \ System32 \ DisplaySwitch.exe;
- C: \ Windows \ System32 \ AtBroker.exe.
Security Tips : Configure the launch of the mandatory network authentication of remote users before creating an RDP session and displaying the login screen ( enabled by default in Windows Vista and later versions ). Use Remote Desktop Gateway to manage connections and RDP security settings.
Key modification AppCert DLLs
System: Windows
Permissions: Administrator, System
Description: The DLLs specified in the AppCertDLLs key value are loaded into each process that calls commonly used API functions: CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, WinExec . The value of the AppCertDLLs key can be abused by triggering the loading of the malicious DLL and running certain processes. AppCertDLLs is stored in the following registry key:
HKEY_LOCAL_MACHINE \ System \ CurrentControlSet \ Control \ Session Manager .
Security Tips : Use all sorts of tools to block potentially dangerous software and download unknown DLLs, such as AppLocker and DeviceGuard.
Key modification AppInit DLLs
System: Windows
Permissions: Administrator, System
Description: The DLLs specified in the AppInit_DLLs key value are loaded into each process that loads user32.dll. In practice, this is almost every program.
AppInit_DLLs is stored in the following registry keys:
- HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows NT \ CurrentVersion \ Windows;
- HKEY_LOCAL_MACHINE \ Software \ Wow6432Node \ Microsoft \ Windows NT \ CurrentVersion \ Windows.
The value of the AppInit_DLLs key can be abused to exceed privileges by loading malicious DLLs and starting certain processes. AppInit_DLLs functionality is disabled in Windows 8 and later versions when secure boot is activated.
Security Tips: Consider using OS no earlier than Windows 8 and enabling secure boot. Use all sorts of tools to block potentially dangerous software and download unknown DLL libraries, such as AppLocker and DeviceGuard.
Abuse of Application Compatibility Subsystem (Application Shimming)
System: Windows
Permissions: Administrator
Description: Microsoft Windows Application Compatibility Infrastructure / Framework is designed to ensure compatibility of programs with Windows updates and changes in the OS code. The compatibility system uses the so-called shim (“shims”) - libraries that act as a buffer between the program and the OS. Using the shim cache, the system determines whether it is necessary to use shim pads (stored as a database of the .sdb type). The .sdb files store various procedures for intercepting application code, processing it, and further redirecting to the OS. The list of all shims installed by the installer (sdbinst.exe) is stored by default in:
- % WINDIR% \ AppPatch \ sysmain.sdb ;
- HKLM \ Software \ Microsoft \ Windows NT \ CurrentVersion \ AppCompatFlags \ InstalledSDB .
Custom shim bases are stored in:
- % WINDIR% \ AppPatch [64] \ Custom;
- HKLM \ Software \ Microsoft \ Windows NT \ CurrentVersion \ AppCompatFlags \ Custom .
To ensure protection in user mode, the possibility of changing the OS kernel using shim pads is excluded, and administrator rights are required to install them. However, some shim pads can be used to bypass User Account Control (UAC), DLL injection, disable Data Execution Prevention and Srtucture Exception Handling , as well as intercept memory addresses. The use of shim pads by an attacker allows you to elevate privileges, install backdoors, disable OS protection, such as Windows Defender. Security Tips
: There are not many ways to prevent Application shiming. Disabling application compatibility is not recommended to avoid OS stability issues. Microsoft has released KB3045645which will remove the “auto-elevate” flag in the sdbinst.exe file to prevent the use of a shim system to bypass UAC.
Modifying Windows Authentication Package Components
System: Windows
Permissions: Administrator
Description: The Windows Authentification Pack DLLs are loaded by the Local Security Authority (LSA) process at system startup and provide support for multiple login processes and multiple OS security protocols. Malicious users can use the LSA autorun mechanism by placing a link to a binary file in the following registry key:
HKLM \ SYSTEM \ CurrentControlSet \ Control \ Lsa \ Authentication Packages: [target binary] .
The [target binary] will be launched by the system when the Authentication Pack is loaded .
Protection recommendations:In Windows 8.1, Windows Server 2012 R2 and later versions of LSA, you can make it work as a protected process (PPL) using the registry key:
HKLM \ SYSTEM \ CurrentControlSet \ Control \ Lsa \ RunAsPPL = DWORD: 00000001 ,
which requires that all DLLs, The downloaded LSAs were signed with a Microsoft digital certificate.
Creating BITS Jobs (BITS Jobs)
System: Windows
Permissions: User, Administrator, System
Description: Windows Background Intelligent Transfer Service (BITS)Is a mechanism for asynchronous file transfer through the Component Object Model (COM) using low bandwidth. BITS is usually used by update programs, instant messengers and other applications that prefer to run in the background without interrupting the operation of other network applications. File transfer tasks are represented as BITS jobs that contain a queue of one or more file operations. The interface for creating and managing BITS tasks is available in the PowerShell and BITSAdmin tool. Attackers can use BITS to download, run, and clean up after running the malicious code. BITS tasks are stored autonomously in the BITS database, and no new files or registry entries are created in the system, BITS is often allowed by the firewall. With the help of BITS tasks, you can gain a foothold in the system,
Protection recommendations: BITS is a standard OS functionality, the use of which is difficult to distinguish from malicious activity, therefore, the protection vector should be aimed at preventing the attacker's tools from running at the beginning of the attack chain. Disabling BITS completely can lead to the termination of updating legitimate software, but you can consider limiting access to the BITS interface for specific users and access groups, you can also limit the lifetime of BITS tasks, which is set by changing the following keys:
- HKEY_LOCAL_MACHINE \ Software \ Policies \ Microsoft \ Windows \ BITS \ JobInactivityTimeout;
- HKEY_LOCAL_MACHINE \ Software \ Policies \ Microsoft \ Windows \ BITS \ MaxDownloadTime .
Bootkits
System: Linux, Windows
Permissions: Administrator, System
Description: Bootkit is a type of malware that can change the boot sectors of a hard disk, including Master Boot Record (MBR) and Volume Boot Record (VBR). Malefactors can use Bootkit for fixing in systems at the level below OS. MBR - section of the hard disk, which is loaded immediately after the completion of the hardware initialization of Bios. An attacker who has access to overwrite the MBR can replace the OS bootloader code with a malicious one. VBR is a hard disk partition that receives boot control from the MBR. By analogy with the MBR rewrite option, an attacker can run malicious code during the system boot phase.
Protection recommendations:Use of MBR and VBR integrity monitoring tools. Apply Trusted Platform Module (TPM) and Secure Boot.
Browser Extensions (Browser Extensions)
System: Windows, Linux, macOS
Permissions: User
Description: As a rule, plugins have all the access and permissions that the browser can get. Malicious plugins can be installed by downloading malicious applications disguised as legitimate programs by using social engineering techniques, phishing, or an attacker who has already compromised the system. Malicious plugins can in the background open websites, steal information that a user enters in a browser, including credentials, as installers of remote administration tools (RAT) and pinning in the system.
Protection recommendations:Install plugins only from trusted sources. Control of installed plugins using group policy. Prevent plug-in installation by regular users. Inventory and monitoring of installed plugins.
Modify File Association Settings
System: Windows
Permissions: User, Administrator, system
Description: Attackers can modify file associations to launch arbitrary commands. The choice of associating files with applications is stored in the Windows registry and can be edited by users, administrators, and programs that have access to the registry. Applications can modify associations to call arbitrary programs. The system association parameters are stored in the registry: HKEY_CLASSES_ROOT \. [Extension] , for example, HKEY_CLASSES_ROOT \ .txt . The various commands are listed as subsections: HKEY_CLASSES_ROOT \ [handler] \ shell \ [action] \ [command] , for example:
- HKEY_CLASSES_ROOT \ txtfile \ shell \ open \ [command];
- HKEY_CLASSES_ROOT \ txtfile \ shell \ print \ [command];
- HKEY_CLASSES_ROOT \ txtfile \ shell \ printto \ [command];
where [command] is a command that will be executed when opening a file with the specified extension.
Security Tips: Follow Microsoft 's file association recommendations . Use all sorts of blocking tools for potentially dangerous software, such as AppLocker and DeviceGuard.
Component Firmware
System: Windows
Rights: System
Description: Some attackers can use sophisticated tools to compromise computer components and install malicious firmware on them, which will run malicious code outside the operating system or even the main system firmware (Bios). The technique is the firmware of computer components that do not have a built-in system for checking the integrity of, for example, hard drives. A device with malicious firmware can provide constant access to the attacked system despite failures and overwriting of the hard disk. The technique is designed to overcome software protection and integrity control.
Interception of links and links Component Object Model Hijacking
System: Windows
Permissions: User
Description: Microsoft Component Object Model (COM) is a technology for creating software based on interacting components of an object, each of which can be used in many programs at the same time. Attackers can use COM to insert malicious code that can be executed instead of legitimate via the capture of COM links and connections. To intercept a COM object, you need to replace the reference to a legitimate system component in the Windows registry. If you further call this component, the malicious code will be executed.
Protection recommendations:Preventive measures to prevent this attack are not recommended because COM objects are part of the OS and software installed on the system. Locking changes to COM objects can affect the stability of the operating system and software. The protection vector is recommended to be directed to blocking malicious and potentially dangerous software.
Create Account
System: Windows, Linux, macOS
Permissions: Administrator
Description: Malicious users with sufficient access can create local or domain accounts for posting on the system. Network user commands can also be used to create accounts.
Protection recommendations:The use of multifactor authentication. Configure security settings on important servers, configure access controls, firewalls. Prevent the use of a domain administrator account for daily operations during which an attacker can obtain account information. Attackers who have created accounts in the system can get only limited access to the network if access levels are properly blocked. Accounts may be required only to secure access to a separate system.
Interception Search DLL (DLL Search Order Hijacking)
System: Windows
Rights: User, Administrator, System
Description: The technique is to exploit the vulnerabilities of the application's search algorithm for the DLL files they need to work ( MSA2269637 ). Often, the DLL search directory is the working directory of the program, so attackers can replace the original DLL with a malicious one with the same file name.
Remote attacks on DLL search can be carried out when the program installs its current directory in a remote directory, for example, a network share. Also, attackers can directly change the way the DLL is searched and loaded by replacing the .manifest or .local files that describe the DLL search parameters. If the attacked program works with high privileges, then the malicious DLL loaded by it will also be executed with high rights. In this case, the technique can be used to elevate privileges from the user to the administrator or System.
Advice on protection: The ban DLL remote boot (enabled by default in Windows Server 2012+ and is available with upgrades to XP +, and Server 2003+). Enable safe search mode DLL, which will limit the search directories directories of type% SYSTEMROOT% before performing a DLL search in the current application directory.
Enable DLL Safe Search:
Computer Configuration> [Policies]> Administrative Templates> MSS (Legacy): MSS: (SafeDllSearchMode) Enable Safe DLL search mode.
The corresponding registry key is
HKLM \ SYSTEM \ CurrentControlSet \ Control \ Session Manager \ SafeDLLSearchMode.
Consider the feasibility of auditing the protected system to eliminate DLL weaknesses using tools such as the PowerUP module in PowerSploit. Do not forget about blocking malicious and potentially dangerous software, as well as the implementation of Microsoft recommendations .
Dylib Hijacking interception
System: MacOS
rights: User
Description: The technique is based on the vulnerability of search algorithms for dynamic libraries in MacOS dylib the X and OS . The bottom line is the definition of dylib, which loads the attacked application and the subsequent placement of the malicious version of dylib with the same name in the working directory of the application. This will cause the dylib application to load, which is located in the working directory of the program. In this case, the malicious Dylib will be executed with the access rights of the attacked application. Security Tips
: Prevent users from writing files to dylib search directories. Vulnerability auditing with Objective-See Dylib Hijacking Scanner .
External Remote Services
System: Windows
Rights: User
Description: Attackers can use external remote services of the organization, such as VPN, Citrix and WinRM, to secure themselves within the attacked network. Access to services can be carried out with the help of valid accounts obtained using the technician redirecting users to false sites (pharming), or at the stage of network compromise.
Protection recommendations:Restricting access to remote services using centrally managed switches, using VPN. Prohibit direct remote access to the internal network through the use of proxies, gateways and firewalls. Disable services that can be used remotely, for example, WinRM. The use of two-factor authentication. Monitoring the activity of using remote services outside working hours.
Lack of permissions at the file system level (File System Permissions Weakness)
System: Windows
Permissions: User, Administrator
Description: The essence of the technique is the substitution of executable files that are automatically launched by various processes (for example, when the OS boots up or at a certain time, if the rights to the executable files are configured incorrectly). After the substitution, the malicious file will be launched with the rights of the process, so if the process has a higher level of access, the attacker will be able to escalate the privileges. As part of this technique, attackers may attempt to manipulate the binary files of Windows services.
Another type of attack is associated with the flaws in the algorithms of self-extracting installers. During the installation process, installers often unpack various useful files, including .dll and .exe, into the% TEMP% directory, and they may not set the appropriate permissions to restrict access to the unpacked files, which allows attackers to swap files and as a result, increase privileges or bypass account control, since Some installers are run with extended permissions.
Protection recommendations:Restricting account rights so that only administrators can manage services and interact with the binary files used by services. Disable privilege elevation for standard users in UAC. UAC settings are stored in the following registry key:
- [HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Policies \ System] .
To automatically reject requests for elevation of privileges, you need to add a key:
- "ConsentPromptBehaviorUser" = dword: 00000000.
To control installers, you need to add a key:
- "EnableInstallerDetection" = dword: 00000001 , which will require you to enter a password to install programs.
Hidden files and folders (Hidden Files and Directories)
System: Windows, Linux, macOS
Permissions: User
Description:Attackers can use the ability to hide files and folders, so as not to attract the attention of users. In Windows, users can hide files using the attrib command. It is enough to specify the attribute + h <file name> to hide the file or "+ s" to mark the file as system. By adding the "/ S" parameter, the attrib utility will apply the changes recursively. In Linux / Mac, users can hide files and folders simply by typing a "." At the beginning of the file name. After this, the files and folders will be hidden from the Finder application and such as the “ls” utility. In macOS, files can be marked with the UF_HIDDEN flag, which will turn off the ban on their visibility in Finder.app, but will not prevent you from seeing hidden files in Terminal.app. Many applications create hidden files and folders so as not to clutter up the user's workspace. For example,
Protection recommendations: Preventing the use of this technique is difficult due to the fact that file hiding is a regular feature of the OS.
Interception of Windows API function calls (Hooking)
System: Windows
Permissions: Administrator, System
Description: The Windows API functions are usually stored in DLL libraries. The hooking technique is to redirect calls to API functions through:
- Hook-procedures - built-in OS procedures that execute code when calling various events, for example, pressing keys or moving a mouse;
- Modifications of the address table (IAT), in which the pointers to the API functions are stored. This will “deceive” the attacked application by forcing it to launch the malicious function;
- Directly changing a function (splicing), during which the first 5 bytes of a function are changed, instead of which a transition to a malicious or other function defined by the attacker is inserted.
Like injections, attackers can use hooking to execute malicious code, disguise its execution, access the memory of the attacked process, and elevate privileges. Attackers can capture API calls that include parameters that contain authentication data. Hooking is usually used by rootkits to hide malicious activity in the system.
Protection recommendations:Interception of events in the OS is part of the normal operation of the system, so any restriction of this functionality may adversely affect the stability of legitimate applications, such as antivirus software. Efforts to prevent interception techniques need to be focused on the earlier stages of the attack chain. You can detect malicious hooking activity by monitoring calls to the SetWindowsHookEx and SetWinEventHook functions, using rootkit detectors, analyzing anomalous process behavior.
Hypervisor
System: Windows
Permissions: Administrator, System
Description: The hypervisor can be compromised by an attacker and have rootkits hidden from the guest systems.
Security Tips: Prevent intruders from accessing privileged user accounts necessary to install and configure the hypervisor.
IFEO injection (Image File Execution Options Injection)
System: Windows
Permissions: Administrator, System
Description: The Image File Execution Options (IFEO) mechanism allows you to run instead of the program its debugger, previously specified by the developer in the registry:
- HKLM \ Software \ Microsoft \ Windows NT \ CurrentVersion \ Image File Execution Options / [executable]
- HKLM \ SOFTWARE \ Wow6432Node \ Microsoft \ Windows NT \ CurrentVersion \ Image File Execution Options \ [executable] , where [executable] is the executable binary file of the debugger.
Like injections, the value of [executable] can be abused by running arbitrary code to elevate privileges or gain a foothold in the system. Malicious programs can use IFEO to bypass protection by registering debuggers that redirect and reject various system and security applications.
Protection Recommendations: The described technique is based on the abuse of standard OS development tools, so any restrictions may cause instability in the operation of legitimate software, for example, security applications. Efforts to prevent the use of IFEO injections need to be focused on the earlier stages of the attack chain. You can detect such an attack by monitoring processes with the Debug_process flags andDebug_only_this_process .
Extensions and loadable kernel modules (Kernel Modules and Extensions)
System: Linux, macOS
Permissions: Root
Description: Loadable kernel modules (LKM) are special programs that can be loaded and unloaded from the kernel without the need for a full system reboot. For example, device drivers are LKM. Attackers can load malicious LKM using different rootkits. As a rule, such rootkits disrupt themselves, files, processes, network activity, falsify audit logs, provide backdoors. Like LKM in macOS, there are so-called KEXTs that are loaded and unloaded by the kextload and kextunload commands.
Protection recommendations:Use Linux rootkit detection tools: rkhunter, chrootkit. Restrict access to the root account, which is required to load modules into the kernel. Use the SELinux forced access control system.
Modification of the LC_LOAD_DYLIB Addition header in Mach-O files (LC_LOAD_DYLIB Addition)
System: macOS
Permissions: User
Description: Mach-O files contain a series of headers that are used to perform certain operations when loading a binary file. The LC_LOAD_DYLIB header in Mach-O binaries tells the OS which dylib libraries to load. Changes to the headers will invalidate the digital signature, however, an attacker can remove the LC_CODE_SIGNATURE command from a binary file and the system will not verify the signature during loading.
Security Tips: All binaries must be signed with the correct Apple Developer IDs, and white lists of applications are compiled using known hashes.
Local Security Authority Drivers (LSASS Driver)
System: Windows
Permissions: Administrator, system
Description: Local Security Authority (LSA) is a Windows subsystem that provides user authentication. LSA includes several dynamic interconnected DLLs that are executed in the LSASS.exe process. Attackers can attack LSASS.exe by replacing or adding illegitimate LSA drivers and then executing arbitrary code. The technique is implemented in the Pasam and Wingbird malware, which “flip” modified DLLs used when loading LSASS. In this case, the malicious code is executed before an illegitimate DLL causes a crash and a subsequent crash of the LSASS service.
Protection recommendations: In Windows 8.1 and Server 2012 R2, enable LSA protection by activating the specified key:
- HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ Lsa \ RunAsPPL = dword: 00000001.
This protection ensures that downloadable LSA plug-ins and drivers are digitally signed by Microsoft. In Windows 10 and Server 16, enable Windows Defender Credential Guard to run lsass.exe in an isolated virtual environment. In order to reduce the risk of loading malicious libraries into lsass.exe, enable safe DLL search mode:
- HKEY_LOCAL_MACHINE \ System \ CurrentControlSet \ Control \ Session Manager \ SafeDllSearchMode.
Launch Agents (Launch Agent)
System: macOS
Permissions: User, Administrator
Description: The technique involves abusing the functionality of creating and launching Launch Agents by users - autorun services at the user level. When each user logs on, launchd loads the Launcher settings from * .plist files. Plist files have an XML structure and contain instructions that tell launchd which executable files to run and when. Plist files can be found in the following directories:
- / System / Library / LaunchAgents;
- / Library / LauncAgents;
- $ Home / Library / LaunchAgents.
Attackers can also mask the names of malicious Launchers using legitimate program names. For example, the Komplex Trojan creates a startup agent: $ HOME / Library / LaunchAgents / com.apple.updates.plist.
Security Tips: Using Group Policy, configure a restriction for users to create Launch Agents. Creating Startup Agents involves loading or creating plist files to disk, so concentrate protection efforts in the earlier stages of the attack.
Launch Daemon
System: macOS
Permissions: Administrator
Description: The technique involves the attacker changing the parameters of the services of the system launch level - Launch Daemon, specified in the plist-files. When booting the system, the Launchd process loads the parameters of services (daemons) from plist files located in the following directories:
- / System / Library / LaunchDeamons;
- / Library / LaunchDeamons.
Launch Daemon can be created with administrator privileges, but will run under the root account, so an attacker can implement privilege escalation. The permissions of the plist files must be root: while, however, the script or program specified in it may have less strict permissions. Therefore, an attacker can change the executable files specified in the plist, and thus modify the current system services to be fixed in the system or privilege escalation.
Security Tips : Limit user privileges so that only authorized administrators can create a Launch Daemon. Consider monitoring the creation of plist files on your system using applications such as KnockKnock.
Launchctl Utility
System: macOSPermissions: User, Administrator
Description: Launchctl is a utility for managing the Launchd service. With Launchctl, you can manage system and user services (LaunchDeamons and LaunchAgents), as well as execute commands and programs. Launchctl supports command line subcommands interactive or redirected from standard input:
launchctl submit -l [labelname] - / Path / to / thing / to / execute '' arg "'' arg" '' arg ".
Starting and restarting services and Daemons, attackers can execute code and even bypass the whitelist if the launchctl is an allowed process, however loading, unloading and reloading services and daemons may require elevated privileges.
Restricting user rights to create Launch Agents and launch Launch Deamons through group policy. Using the KnockKnock app, you can discover programs that use launchctl to manage Launch Agents and Launch Deamons.
Local Job Scheduling
System: Linux, macOS
Privileges: User, Administrator, root
Description: Attackers can create tasks in the attacked systems for unauthorized launch of programs when the system is booted or on a schedule. Linux and Apple systems support several methods for scheduling periodic background tasks: cron, at, launchd. Unlike Windows Task Scheduler, task scheduling on Linux systems cannot be done remotely, except for using remote sessions like SSH.
Security Tips: Restricting users to create scheduled tasks, blocking system utilities and other software that can be used to schedule tasks.
Login Items
System: macOS
Privileges: User
Description: In order to pin on the system, attackers can configure their own autorun code using login elements (user-defined autorun settings for applications each time they log on to the system). Login Items created using the Service Management Framework are not displayed in the system settings and can only be deleted through the application in which they were created. Users can manage only those Login Item, which are displayed in the system settings. The settings for such an Login Item are stored in a plist file in the user directory:
~ / Library / Preferences / com.apple.loginitems.plist.
Applications that are part of the Login Item can display windows visible to the user at startup, but you can hide them using the “Hide” option.
Protection recommendations: Restrict user rights to create a Login Item. It is worth noting that holding down the shift key while logging in prohibits automatic launch of applications. Monitor the Login Item settings ( System Settings → Users and Groups → Login Items ).
Logon Scripts
System: Windows, macOS
Description: In order to consolidate the system, an attacker can use the ability to create new or modify existing logon scripts — scripts that are executed whenever a particular user or group of users logs on to the system. If an attacker has access to the logon script on a Windows domain controller, he can modify it to execute code in all systems of the domain in order to “lateral movement” over the network. Depending on the access permissions settings for the logon script files (usually such scripts are stored in \\ [DC] \ NETLOGON \ ), an attacker may need local or administrative credentials.
On Mac, logon scripts ( Login / Logout Hook), unlike Login Items, which run in the context of a user, can be run as root.
Security Tips: Restricting the rights of administrators to create logon scripts. Identification and blocking of potentially dangerous software that can be used to modify login scripts.
Modifying Existing Services (Modify Existing Service)
System: Windows
Permissions: Administrator, System
Description: To run malicious code repeatedly in the system, an attacker can change the configuration of existing services using system utilities or tools for interacting with the Windows API. Attackers can intentionally damage or kill a service for later invoking a modified program or service recovery command. Using existing services is one of the masquerading techniques that makes it difficult to detect malicious activity. Information about the configuration of Windows services, including the path to the programs and the commands for starting and restoring the service, is stored in the registry:
- HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ services .
The configuration of services can be changed using the console utilities sc.exe and Reg.
Security Tips: Restricting user and group privileges to change service configurations, giving rights to authorized administrators only. Blocking potentially dangerous software. You can use the Sysinternals Autoruns utility to investigate changes in system services in order to identify attempts to secure an attacker in the system.
Netsh helper utilities dll (netsh helper dll)
System: Windows
Permissions: Administrator, System
Description: Attackers can execute code using the built-in console utility Netsh, which, to expand functionality, allows loading auxiliary DLLs:
netsh> add helper [Path to DLL]
Information about registered libraries used by netsh is stored in the registry :
HKEY_LOCAL_MACHINE \ SOFTWARE \ the Microsoft \ NetSh
Some corporate VPN-client and network utilities can use netsh.exe, running it on behalf of the System, in such a situation, an attacker can register or modify a supporting DLL, which will be performed tsya using netsh VPN-client. Tools for implementing this type of attack are included in CobaltStrike(framework for penetration testing).
Security Tips: Blocking potentially dangerous software using tools such as AppLocker.
New Services (New Service)
System: Windows
Permissions: Administrator, System
Description: The name of the access to the system, attackers can create new services and configure their automatic start. The service name can be masked using names specific to the operating system. Services can be created with administrator privileges, but run as System. Services can be created from the command line, using remote access tools with Windows API interaction functions, or using standard Windows management tools and PowerShell.
Security Tips : Restrict the rights of users to create new services so that only authorized administrators can do this. Use AppLocker and Software Restriction Policy .
Autostart in office applications (Office Application Startup)
System: Windows
Rights: User, Administrator
Description: Some mechanisms of MS Office can be used to execute code when running office applications and, as a result, to ensure that the attackers are consistent in the system:
• Embedding malicious VBA macros into the basic Office templates. Word uses the Normal.dotm template:
C: \ Users \ [Username] \ AppData \ Roaming \ Microsoft \ Templates \ Normal.dotm .
Excel does not have a default template, but you can add it manually, and it will automatically load:
C: \ Users \ [Username] \ AppData \ Roaming \ Microsoft \ Excel \ XLSTART \ Personal.xls .
The implementation of the attack is possible only when the " Run all macros"in Office Security Management Center:
HKEY_CURRENT_USER \ Software \ Microsoft \ Office \ [Version] \ [Application] \ Security \ VBAWarnings: 1;
• Placing a link to a DLL in the Office test key in the Windows registry causes the specified DLL to be executed each time the application is started Office:
HKEY_CURRENT_USER \ Software \ Microsoft \ Office Test \ Special \ Perf \ [Default]: [Specify the path to the DLL];
• Add an add-in to the Office application with malicious code that will be executed when the attacked application is launched
Protection recommendations : Follow the recommendations Microsoft when setting macros security settings. To prevent the Office Test mechanism from operating, create the specified key in the registry and set read-only permissions on it to prevent access to it without administrator rights. If possible, disable Office add-ons, if they are needed, then follow the Microsoft recommendations when organizing their work.
Path Interception
System: Windows
Permissions: User, Administrator, system
Description: The technique of intercepting a path consists of placing the executable file in the directory from which the application will launch it instead of the target file. The attacker can use the following methods:
- Non-existent ways. The paths to the service executable files are stored in registry keys and can have one or more spaces, for example, C: \ Program Files \ service.exe , if the attacker creates the file C: \ Program.exe in the system , then Windows will start it instead of processing the path target service file.
- Incorrect configuration of environment variables. If in the PATH variable the path C: \ example is preceded by c: \ Windows \ System32 and the file C: \ example \ net.exe exists , then when calling the net command, C: \ example \ net.exe will be executed , but not c: \ Windows \ System32 \ net.exe .
- Search order hijacking. When the full path to the executable file is not specified, Windows typically searches for a file with the specified name in the current directory, then searches the system directories. For example, the file "example.exe" when executed runs cmd.exe with arguments to run the net use command. The attacker can put the net.exe file in the directory of the example.exe location and it will be launched instead of the c: \ Windows \ System32 \ net.exe utility . In addition, if the attacker places the net.com file in the directory with the net.exe file, Windows will execute net.com in accordance with the order of execution specified in the PATHEXT system variable.
Interception of the file search order is also used to execute a DLL using the Search Hijacking DLL technique .
Security Tips: Highlight the paths specified in the configuration files, scripts, PATH variable, service settings, and shortcuts. Remember to search for executable files and use only full paths. Perform cleaning of the old registry keys left over from the remote software so that there are no keys in the registry pointing to non-existent files. Set a ban on users to write to the root directory of C: \ and Windows system directories, restrict write permissions to directories with executable files.
Modifying Plist Files (Plist Modification)
System: macOS
Rights: User, Administrator
Description: Attackers can modify plist files, specifying in them their own code for its execution in the context of another user. The plist property files located in / Library / Preferences run with elevated privileges, and plist from ~ / Library / Preferences run with user privileges. Security Tips
: Prevent plist files from being modified by making them read-only.
Port knocking
System: Linux, macOS
Permissions: User
Description: Attackers can use the Port Knocking methods to hide the open ports that they use to connect to the system.
Security Tips : Using stateful firewalls can prevent some Port Knocking options from being implemented.
Port Monitors modification in Print Manager (Port Monitors)
System: Windows
Permissions: Administrator, System
Description: The attacker can organize the execution of an arbitrary DLL on behalf of the System every time Windows is started using the misuse of the Print Manager settings (Spoolsv.exe). To interact with printing devices, Spoolsv.exe uses so-called port monitors (port monitor), which are DLLs with which low-level commands are sent to printing devices via a LAN, USB, LPT, or COM interface. The above DLLs are stored in C: \ windows \ system32 and are registered in the registry:
HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ Print \ Monitors .
Port Monitor can be installed using the AddMonitor API function or directly by editing the above registry key.
Protection recommendations: Arrange blocking of potentially dangerous software and use application launch control tools.
Rc.common
System: macOS
Rights: root
Description: An attacker can add code to the /etc/rc.common file that will be executed each time the system is started as root. Rc.common is a script that runs during OC loading, is the predecessor of Launch Agents and Launh Deamons. This is an outdated autorun technology, but it is still supported on macOS and OS X. Security tips
: Restrict user privileges to edit the rc.common file.
Re-launch applications (Re-opened Applications)
System: macOS
Permissions: User
Description: On systems starting with OS X 10.7 (Lion) , an attacker can organize the execution of a malicious file every time the OS is restarted. The technique is based on the abuse of the function of restarting applications after a system reboot. The user can use the tools built into the GUI to tell the system which applications need to be re-launched in case of an OS restart. These settings are stored in plist files:
- ~ / Library / Preferences / com.apple.loginwindow.plist;
- ~ / Library / Preferences / ByHost / com.apple.loginwindows. *. Plist.
An attacker can modify the above files to execute malicious code every time the system is rebooted. Security Tips
: The application restart function can be disabled using the console command: defaults write -g ApplePersistence -bool no .
In addition, holding the shift key while loading prevents the application from starting automatically.
Redundant Access
System: Windows, Linux, macOS
Permissions: User, Administrator, System
Description:Attackers can simultaneously use several remote access tools with different control protocols in order to diversify detection risks. So, if one of the remote access tools is detected and blocked, but the protecting party has not identified all the attacker's tools, then the remote access to the attacked network will still be preserved. Attackers can also attempt to gain access to valid accounts of remote corporate services, such as VPN, in order to gain alternative access to the system in case of blocking the main tools of remote access. Using a web shell is also one of the methods of remote access to the network through a web server.
Protection recommendations:Monitor availability and block launch of known remote access tools on your network (AmmyAdmin, Radmin, RemotePC, VNC, etc.), use application launch control tools and block potentially dangerous software. Implementing IDS and IPS systems that identify specific malicious programs with the help of signatures will reduce the likelihood of a successful attack, but over time, attackers will modify their tools to change the signature and, as a result, bypass IDS and IPS systems.
Autorun using the Run Keys key and the Startup folder (Registry Run Keys / Start Folder)
System: Windows
Permissions: User, Administrator
Description: An attacker can add a "run key (run keys)" or a link to the Startup folder in the Windows registry to launch a malicious file when a user logs on. The program will run with the rights of the current user. Attackers can disguise the launch keys in the registry so that they look like part of legitimate programs.
Run keys are stored in the following registry keys:
- HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Run;
- HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ RunOnce;
- HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ Run;
- HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows \ CurrentVersion \ RunOnce.
Protection recommendations: Identification and blocking of potentially dangerous software, monitoring changes in the “Startup” folder and the registry branches listed above.
SIP and Trust Provider Capture (SIP and Trust Provider Hijacking) , Subverting Trust in Windows
System: Windows
Privileges: Administrator, System
Description: Attackers can modify the components of the signing architecture and verify the digital signature of the Windows code in order to bypass the launch control tools that allow only signed code to be run. For creating, signing and verifying the signature of files of various formats in Windows, the so-called Subject Interface Package (SIP) is used — software specifications that are unique for each type of file and provide interaction between the API functions that initiate the creation, calculation and verification of signatures and directly files. The validity of the signature is confirmed by the so-called Trust ProviderThese are OS software components that implement various procedures related to calculating and verifying digital signatures.
Popular attack methods:
- Modification of keys DLL and FuncName in the section CryptSIPDllGetSignedDataMsg :
HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Cryptography \ OID \ EncodingType 0 \ CryptSIPDllGetSignedDataMsg \ [SIP_GUID] .
It is performed to replace the DLL library that provides the CryptSIPDllGetSignedDataMSG function .that returns a coded digital certificate from a signed file. A dummy function can always return a previously known valid signature value (for example, a Microsoft signature for executable system files) when using a modified SIP. The attacker may attempt to apply one valid signature to all files, however, this will most likely lead to the signature being invalid, since the hash returned by the function will not match the hash calculated from the file. - Modification of DLL and FuncName keys in the section:
HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Cryptography \ OID \ EncodingType 0 \ CryptSIPDllVerifyIndirectData / [SIP_GUID] .
It is executed with the purpose of replacing the DLL library that provides the CryptSIPDllVerifyIndirectData function , which checks the hash calculated from the file with the hash specified in the digital signature and returns the result of the verification (True / False). Thus, an attacker can ensure the successful verification of any file using a modified SIP. The above key values can be redirected to a suitable function from an existing library, thus eliminating the need to create a new DLL file on disk. - Modification of DLL and FuncName keys in the section:
HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Cryptography \ Providers \ Trust \ FinalPolicy / [Trust Provider GUID] .
It is performed to replace the DLL library that provides the FinalPolicy function for a certain Trust Provider, which decodes, analyzes the signature and makes a decision about trust. By analogy with CryptSIPDllVerifyIndirectData, the value of the above keys can be redirected to an already existing DLL library.
It is important to note that the described attack on the Windows trust mechanism can be implemented using the Search Search Hijacking DLL (DLL) technique.
Security recommendations: Make sure that the users of the protected system cannot change the registry keys related to the SIP and Trust Provider components. Consider removing unnecessary and obsolete SIPs. Use all sorts of tools to block the download of malicious DLL, for example, AppLocker and DeviceGuard built into Windows.
Scheduled Task
System: Windows
Permissions: User, Administrator, System
Description: Utilities such as at, schtasks and Windows Task Scheduler can be used to schedule the launch of programs and scripts that will be executed at a specific date and time. The task can be scheduled on the remote system, provided that RPC is used for authentication, and printer and file sharing is enabled. Scheduling tasks on a remote system requires administrative rights. An attacker could use remote code execution to gain System privileges or to launch a process under a specific account.
Protection recommendations:Restriction of user privileges. The use of tools, such as the PowerUP module in PowerSploit, which can be used to find weaknesses in the permissions of scheduled tasks. Disable the ability to launch tasks on behalf of System, disable the Allow server operators to schedule tasks option in the security policy , and enable the User Rights Assignment: Increase scheduling priority option .
Screen saver (screensaver)
System: Windows
Rights: User
Description: Attackers can use screen saver settings to launch malware after a certain period of user inactivity.
The Windows Screensaver application (scrnsave.exe) is located in C: \ Windows \ System32 , along with other screensavers included in the base OS build. An attacker can manipulate screensaver settings in the HKEY_CURRENT_USER \ Control Panel \ Desktop registry key :
- SCRNSAVE.EXE - specify the path to the malicious executable file;
- ScreenSaveActivr - set the value to "1" to activate the screensaver;
- ScreenSaverISSecure - set the value to “0” so that the system does not require a password to unlock the Windows desktop after disabling the screensaver;
- ScreenSaverTimeout - set a period of inactivity before launching the screensaver.
Security Tips : Block the ability to run * .scr files from non-standard locations. Manage screen saver settings by using Group Policy that prohibits local screen saver settings.
Security Support Provider (SPP)
System: Windows
Privileges: Administrator
Description: Attackers can configure the execution of malicious code every time the system is booted or the AddSecurityPackage API function is called by adding the Security Security Provider (SSP) to the Local Security Authority (LSA) configuration. SSP are software modules (DLLs) containing one or more authentication and cryptography schemes that are loaded into the LSASS process at system startup. SPP DLLs have access to encrypted and open text passwords that are stored in Windows. SPP configuration is stored in two registry keys:
- HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ Lsa \ Security Packages ;
- HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ Lsa \ OSConfig \ Security Packages .
Protection recommendations: In Windows 8.1, Windows Server R2 and later OS versions, you need to activate LSA protected mode (Process Protect Light - PPL), in which all SPP dll files must be signed with a Microsoft digital signature:
HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ Lsa \ RunAsPPL = dword: 00000001
Service Registry Permissions Weakness Weakness
System: Windows
Permissions: Administrator, System
Description: If user and group permissions allow you to change key values in the Windows registry that store service settings, then attackers can directly modify keys that store the paths to the service startup executable files or use various management tools services - sc.exe, PowerShell or Reg. Attackers can also change the parameters associated with the failure of services, for example, FailureCommand, indicating the command that will be executed in case of failure or deliberate damage to the service. Service settings are stored in HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ services .
Protection recommendations:Make sure that the users of the protected system cannot change the registry keys that store the parameters of the system components. Use various means of blocking potentially dangerous software, for example, Windows AppLocker.
Shortcut Modification
System: Windows
Rights: User, Administrator
Description: Attackers can create new shortcuts and symbolic links disguised as legitimate programs or modify the paths in existing shortcuts so that their tools are launched instead of the original application.
Security Tips : Restrict the rights of users and groups, such as Administrators, to create symbolic links using GPO:
Computer Configuration> [Policies]> Windows Settings> Security Settings> Local Policies> User Rights Assignment: Create symbolic links.
Use tools to block potentially dangerous software and Software Restriction Policy.
Startup Items
System: macOS
Permissions: Administrator
Description: An attacker can use an outdated, but still working in macOS Sierra, application autorun mechanism using StartupItems to customize the launch of its root code during OS boot. StartupItems is the directory in / Library / Startupitems , the command script and the StartupParameters.plist properties file. The script and the properties file should be at the top of the hierarchy: / Library / Startupitems / [MyStartupItem] .
Security Tips : Since the StartupItems mechanism is outdated, prohibiting entries in the / Library / Startupitems / directory will avoid the creation of startup items.
System Firmware (System Firmware)
System: Windows
Permissions: Administrator, System
Description: Particularly sophisticated attackers can modify or reflash Bios, UIFI or UFI in order to ensure that they can install malicious firmware updates and fix them in the system.
Protection recommendations: Direct the protection vector to prevent an attacker from accessing privileged accounts that are necessary to implement the described technique. Consider the necessity and possibility of using the protected Trusted Platform Module (TPM) system . Consider the need to use external tools to monitor and analyze the security of system firmware, for example, the CHIPSEC Framework .
Providers of time (Time Providers)
System: Windows
Permissions: Administrator, System
Description: Attackers can register a malicious DLL as a Time Provider that will be executed when the system is started or when the Windows Time Server configuration (W32Time) is changed. The time provider settings are stored in the registry:
HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ services \ W32Time \ TimeProviders .
To register a time provider, administrative rights will be required, but it will be executed in the context of the local service account.
Protection recommendations:Consider using a GPO to configure blocking changes to W32Time settings. Use all sorts of tools to block the download of malicious DLL, for example, AppLocker and DeviceGuard built into Windows.
Trap Team
System: Linux, macOS
Privileges: User, Administrator
Description: The trap command is used to protect the script from interruptions ( ctrl + c, ctrl + d, ctrl + z , etc.). If the script receives an interrupt signal specified in the arguments of the trap command, then it processes the interrupt signal itself, and the command shell will not process such a signal. Attackers can use trap to register code that will be executed when the shell receives certain interrupt signals.
Protection recommendations:The use of this technique is difficult to prevent, because the attacker uses regular operating system mechanisms. The protection vector should be aimed at preventing malicious actions at earlier stages of an attack, for example, at the delivery stage or creating a malicious file in the system.
Valid Accounts (Valid Accounts)
Description: Attackers can steal credentials of a specific user or service account using access credentials technicians, capture credentials in the process of exploration using social engineering. Compromised credentials can be used to bypass access control systems and gain access to remote systems and external services such as VPN, OWA, remote desktop, or gain elevated privileges in certain systems and network areas. If the script is successfully implemented, attackers can abandon malicious programs to make their detection more difficult. Also, attackers can create accounts using predefined names and passwords to save backup access in case of unsuccessful attempts to use other means.
Security Recommendations: Apply password policy, follow recommendations for designing and administering a corporate network to limit the use of privileged accounts at all administrative levels. Regular checks of domain and local accounts and their rights in order to identify those that may allow an attacker to gain broad access. Monitoring account activity using SIEM systems.
Web shell
System: Windows, Linux, macOS
Description: The Web Shell can be used by an attacker as a gateway to access your network or redundant access to the attacked system, as a backup mechanism for pinning in case of detection and blocking of the main access channels to the attacked environment.
Protection recommendations:Make sure that your external web servers are updated regularly and do not have known vulnerabilities that allow attackers to upload a file or script to the server and then execute it. Check that the permissions of the accounts and groups with server management rights do not match the intranet accounts that can be used to log on to the web server, launch the web shell or pin to the web server. Web Shell is hard to detect because they do not initiate connections and their server part may be small and harmless, for example, the PHP version of the China Chopper Web shell looks like a line:
[? php eval ($ _POST ['password']);]
Windows Management Instrumentation Event Subscription
System: Windows
Permissions: Administrator, System
Description: WMI Event Subscription is a functionality that allows the administrator to configure the receipt of event notifications (Events), including those that occurred on remote systems, and then automatically perform any actions (running a script, application etc.). Attackers, in order to consolidate the system, can abuse the above described functionality, setting up a subscription to events such as the system clock time or computer time, followed by the execution of code when this event occurs.
Protection recommendations:Make sure that only administrator accounts have rights to connect to WMI remotely, and that the protected system does not match the system administrator accounts with other privileged accounts. Disabling WMI can cause system instability, therefore, requires a preliminary assessment of possible negative consequences.
Winlogon helper dll
System: Windows
Permissions: Administrator, System
Description: By modifying the registry settings of the auxiliary DLL used by Winlogon.exe, an attacker can ensure that the malicious DLLs are executed repeatedly for attaching to the system. Winlogon settings are stored in sections:
- • HKEY_CURRENT_USER \ Software \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon
- • HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon
Several vulnerable sections are known:
- Winlogon \ Notify - specifies the DLL that handles Windows events
- Winlogon \ Userinit - points to the userinit.exe file, the user initialization program that is executed when the user logs in;
- Winlogon \ Shell - points to the file explorer.exe, the system shell that runs when a user logs on.
Security Tips: Ensure that only authorized administrators can change Winlogon settings. Use all sorts of tools to block the download of malicious DLLs and potentially dangerous programs, for example, built-in Windows AppLocker and DeviceGuard.