Hey friend, welcome to the final instalment in this short series on hunting for persistence!
In this series I have joined up with the team at Cympire to teach you how to hunt for adversary persistence mechanisms in your environment. Cympire is “The Most Advanced Cybersecurity Training & Assessment Platform” and it will provide you a virtualised battleground to test your cyber capabilities!
Each entry in this series covers a persistence mechanism adversaries use in the real world to maintain access to systems they compromise. Accompanying this will be a gamified scenario where you can practice the skills you learn for FREE. So let’s dig in and upskill our threat hunting capabilities!
Once an attacker gains initial access to a machine they will try to keep this access by installing a persistence mechanism. There are many ways an adversary can maintain persistence, this series will cover:
1. Registry Run Keys — where attackers will add registry keys to automatically start a program when the system boots.
2. Scheduled Tasks — where attackers will schedule a task to automatically run a program at specific intervals.
3. Services — where attackers will create or modify existing services to automatically start a program when the system boots.
4. Startup Folder— where attackers will add a shortcut to a program in the startup folder to automatically run when the user logs in.
In the three previous instalments of this series we focused on Registry Run Keys, Scheduled Tasks, and Services. These posts were accompanied by the Registry Run Persistence, Scheduled Task Persistence, and Service Persistence campaigns. All these campaigns can be found on Cympire and it is highly recommended tackling these to round out your knowledge of how attackers maintain persistence. Try out these campaigns by following this link.
In this final instalment we will take a look at how adversaries use the Startup Folder for persistence.
What is the Windows Startup Folder?
The Startup folder in Windows is a special folder that contains shortcuts to applications that will be automatically started when the user logs in to the system. The Startup folder is located in the Start Menu but it’s location may vary depending on the version of Windows you are using. In most versions of Windows the Startup folder can be accessed by clicking on the Start button, and then navigating to All Programs > Startup. Alternatively, the Startup folder can be accessed by typing shell:startup in the Run dialog or Windows search bar.
When a shortcut to an application is placed in the Startup folder that application will be automatically started when the user logs into the system. This is a convenient way to have frequently used applications start automatically, and to ensure that essential background processes and services are running when the user starts their computer. However, putting too many items to the Startup folder slows down the system and reduces performance.
There is a greater risk than poor performance. Attackers can use the Windows Startup folder to ensure that their malicious code or payload is automatically executed each time the user logs into the system. This allows attackers to maintain persistence on the system (even after a reboot) and evade detection by security software. They can do this in one of two ways:
- Placing a malicious shortcut in the Startup folder — an attacker can place a shortcut to a malicious executable in the Startup folder. When the user logs in to the system the malicious code will be automatically executed.
- Hijacking an existing shortcut — an attacker can modify an existing, legitimate shortcut in the Startup folder to point to a malicious executable instead of the intended application.
The shortcut file placed in the Startup folder is a .lnk file which will often execute a Command and Control (C2) implant/agent or code that will automatically download a implant/agent in a obfuscated way. A C2 implant is a type of malware that allows attackers to remotely control a compromised system. The C2 implant provides the attacker with a means of communicating with the compromised system and issuing commands to it. Once installed, the implant allows an attacker to perform a variety of nefarious actions on a compromised system, including:
- Stealing sensitive data
- Exfiltrating data from the system
- Installing additional malware or tools
- Running malicious code or scripts
- Taking screenshots or capturing keyboard input
C2 implants are often highly sophisticated and are designed to be difficult to detect and remove. They can use encrypted communication channels and often have the ability to evade security software and hide their presence on the system.
Using the Startup Folder for Persistence
Unlike previous persistence mechanisms discussed in this series, one does not need admirative privileges to install this persistence mechanism. An adversary simply needs write access to a user’s Startup folder and they can drop their malware in said folder. This makes it an attractive persistence mechanism for attackers as they do not need to escalate their privileges. To create a Startup folder item in Windows:
- Locate the Startup folder: n most versions of Windows the Startup folder can be accessed by clicking on the Start button and navigating to All Programs > Startup. Alternatively, the Startup folder can be accessed by typing shell:startup in the Run dialog or Windows search bar.
- Create a new shortcut: Right-click anywhere in the Startup folder and select New > Shortcut.
- Specify the location of the executable: In the Create Shortcut wizard, enter the location of the executable file for the application you want to start automatically, or click on Browse to find it manually.
- Give the shortcut a name: Enter a name for the shortcut and click Finish.
- Verify the shortcut is in the Startup folder: Verify that the newly created shortcut is in the Startup folder and that the correct executable file is associated with it.
However, attackers will rarely use the Windows GUI as it would typically mean opening an RDP connection to a machine. This is highly suspicious if coming from an unknown IP and usually locked down in corporate environments. Instead, attackers will create a Startup folder item using a hacking tool, such as SharPersist, which will use native Windows functionality (e.g. PowerShell, Windows API calls through C#, etc.) or by using the native Windows shell (or PowerShell if available).
If an attacker chooses the Windows shell or PowerShell option, they can simply navigate to the Startup folder:
- By default, the User Startup Folder is located at:
C:\Users\<_UserName_>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup - The System Startup Folder can be found at:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
Then upload their malware, in the form of a .lnk file, and wait for the user to login again.
Hunting for persistence mechanisms is often a fertile ground for a threat hunter as the adversary usually has to make configuration changes and drop their malware (C2 implant) to disk. The Windows Startup folder is demonstrative of this as an attacker has to make changes to the compromised system’s file structure and upload a malicious .lnk file.
Let’s Get Our Hands Dirty!
I find the best way of learning is doing. Lets see how malicious Windows Startup folder items are used as persistence mechanisms in the real world.
With help from the team at Cympire I have created a threat hunting campaign which will demonstrate how attackers create and use the Windows Startup Folder to maintain persistence on a compromised Windows machine. The campaign walks you through how to create a malicious file in the Windows Startup Folder in an interactive and fun environment that uses real-world hacking tools.
Once you install your persistence mechanism you will jump over to an Attacker machine where you will be able to see how your C2 implant stays persistent even if the victim reboots their machine. The C2 implant gives you a reverse shell on the Target machine that allows you to perform various nefarious actions. When you are finished playing the role of the bad guy you can then hunt for this persistence mechanism using Splunk.
Splunk is a platform for collecting, searching, analysing, and visualizing machine-generated big data. It is commonly used for security information and event management (SIEM), log management, and IT operations. It is a powerful tool that helps large enterprises, government agencies, and small to medium-sized businesses make sense of machine data and turn it into actionable insights.
We will use the Splunk “Search & Reporting App” to hunt for the malicious startup folder item you created using special syntax known as Search Processing Language (SPL). This query language is widely used in the security industry and allows us to perform powerful searches that reveal malicious or suspicious behaviour.
Finally, we will kick the adversary off of the compromised endpoint by removing the malicious file stored in the Windows Startup Folder and regain control of the Windows machine!
To play along with this campaign simply navigate to this link and get started for FREE. Here you can sign up for the Cympire platform and tackle the Startup Folder Persistence campaign I have created just for you.
This is the last instalment of this series on persistence mechanisms. Feel free to let me know how you get on with the series and if you would like to see any other threat hunting related series in the future!
Discover more in the Hunting for Persistence with Cympire series!
