
Hunting for Persistence with Cympire: Part I — Registry Run Keys

Hey friend, welcome to this short series on hunting for persistence!

In this series I have joined up with the team at Cympire to teach you how to hunt for adversary persistence mechanisms in your environment. Cympire is “The Most Advanced Cybersecurity Training & Assessment Platform” and it will provide you with a virtualised battleground to test your cyber capabilities!

Each entry in this series will cover a persistence mechanism adversaries use in the real world to maintain access to systems they compromise. Accompanying this will be a gamified scenario where you can practice the skills you learn for FREE. So let’s dig in and upskill our threat hunting capabilities!


Once an attacker gains initial access to a machine they will try to keep this access by installing a persistence mechanism. There are many ways an adversary can maintain persistence; this series will cover:

  1. Registry Run Keys — where attackers will add registry keys to automatically start a program when the system boots.
  2. Scheduled Tasks — where attackers will schedule a task to automatically run a program at specific intervals.
  3. Services — where attackers will create or modify existing services to automatically start a program when the system boots.
  4. Startup Folder — where attackers will add a shortcut to a program in the startup folder to automatically run when the user logs in.

In this instalment of the series we will be focusing on Registry Run keys.

What are Registry Run Keys?

Registry run keys are locations in the Windows registry where programs and scripts can be configured to automatically start when the system boots up or when a user logs in. Attackers use registry run keys as a persistence mechanism that allows their program (malicious code) to remain even after a system reboot. There are several common registry run keys in the Windows registry that are frequently used by attackers for persistence; these include:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Setup

The malicious code that an attacker will instruct a registry key to run is usually a Command and Control (C2) implant/agent or a “downloader” which will automatically download an implant/agent in an obfuscated way. A C2 implant is a type of malware that allows attackers to remotely control a compromised system. The C2 implant provides the attacker with a means of communicating with the compromised system and issuing commands to it. Once installed, the implant allows an attacker to perform a variety of nefarious actions on a compromised system, including:

  • Stealing sensitive data
  • Exfiltrating data from the system
  • Installing additional malware or tools
  • Running malicious code or scripts
  • Taking screenshots or capturing keyboard input

C2 implants are often highly sophisticated and are designed to be difficult to detect and remove. They can use encrypted communication channels and often have the ability to evade security software and hide their presence on the system.

Hunting for persistence mechanisms is often fertile ground for a threat hunter, as the adversary usually has to make configuration changes and drop their malware (C2 implant) to disk. Registry run keys are a great example of this because an attacker has to make changes to the compromised system’s registry and these changes have to point to the location of the malware stored on the system’s disk.

Let’s Get Our Hands Dirty!

I find the best way of learning is doing, so let’s see how registry run keys are used as persistence mechanisms in the real world.


With help from the team at Cympire I have created a threat hunting campaign which will demonstrate how attackers create malicious registry run keys to maintain persistence on a compromised Windows machine. The campaign walks you through how to create these malicious keys in an interactive and fun environment that uses real-world hacking tools.

Once you install your persistence mechanisms you will jump over to an Attacker machine where you will be able to see how your C2 implant stays persistent even if the victim reboots their machine. The C2 implant gives you a reverse shell on the Target machine that allows you to perform various nefarious actions. When you are finished playing the role of the bad guy you can then hunt for this persistence mechanism using Splunk.

Splunk is a platform for collecting, searching, analysing, and visualizing machine-generated big data. It is commonly used for security information and event management (SIEM), log management, and IT operations. It is a powerful tool that helps large enterprises, government agencies, and small to medium-sized businesses make sense of machine data and turn it into actionable insights.

We will use the Splunk “Search & Reporting App” to hunt for the malicious registry run key you installed using special syntax known as Search Processing Language (SPL). This query language is widely used in the security industry and allows us to perform powerful searches that reveal malicious or suspicious behaviour.
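As an added example, not part of the original post or of the Cympire campaign, the Python script below applies the same hunt outside Splunk. It parses constructed Sysmon-style “registry value set” (Event ID 13) records, normalises the HKU\<SID> prefix that Sysmon records for user hives back to HKCU, keeps only writes to the run keys listed earlier, and attaches reasons that make a write worth a closer look (the autorun target sits in a user-writable directory, the value launches a script host, or the value was written by a shell rather than an installer). The pipe-delimited log layout, the file paths, the user SID and the value names are all constructed for this example.

```python
import re

# Run keys named in the post (hive + subkey). Sysmon records HKCU writes under
# HKU\<user SID>, so TargetObject is normalised before matching.
MONITORED_RUN_KEYS = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Setup",
}
MONITORED_LOWER = {k.lower() for k in MONITORED_RUN_KEYS}

# HKU\S-1-5-21-...\  ->  HKCU\   (user hive written by Sysmon under its SID)
USER_SID_PREFIX = re.compile(r"^HKU\\S-1-5-21-[\d-]+\\", re.IGNORECASE)
# Directories an unprivileged user can write to: a common home for dropped implants.
USER_WRITABLE = re.compile(
    r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.IGNORECASE)
# Script hosts / living-off-the-land binaries that rarely belong in an autorun value.
SCRIPT_HOSTS = re.compile(
    r"\b(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?\b",
    re.IGNORECASE)

# Constructed sample events in a simplified pipe-delimited, Sysmon-like layout
# (EventID 13 = registry value set, EventID 12 = key/value create or delete).
# These are not real telemetry; paths, SID and value names are made up.
SAMPLE_EVENTS = [
    r"EventID=13|Image=C:\Program Files\Microsoft OneDrive\OneDriveSetup.exe"
    r"|TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive"
    r"|Details=C:\Program Files\Microsoft OneDrive\OneDrive.exe /background",
    r"EventID=13|Image=C:\Windows\System32\cmd.exe"
    r"|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"
    r"|Details=C:\Users\alice\AppData\Local\Temp\update.exe",
    r"EventID=13|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\svc"
    r"|Details=powershell.exe -File C:\Users\alice\AppData\Roaming\svc.ps1",
    r"EventID=13|Image=C:\Windows\explorer.exe"
    r"|TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"
    r"|Details=DWORD (0x00000001)",
    r"EventID=12|Image=C:\Windows\regedit.exe"
    r"|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater|Details=",
]


def parse_event(line):
    """Split one 'Field=value|Field=value' record into a dict."""
    fields = {}
    for part in line.split("|"):
        name, _, value = part.partition("=")
        fields[name] = value
    return fields


def normalise_key(target_object):
    """Map HKU\\<SID>\\... to HKCU\\... and split into (key path, value name)."""
    path = USER_SID_PREFIX.sub(r"HKCU\\", target_object)
    key, _, value_name = path.rpartition("\\")
    return key, value_name


def hunt_run_key_writes(lines):
    """Return every value-set event on a monitored run key, with review reasons."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "13":
            continue  # only value-set events carry the autorun command line
        key, value_name = normalise_key(ev.get("TargetObject", ""))
        if key.lower() not in MONITORED_LOWER:
            continue
        details = ev.get("Details", "")
        image = ev.get("Image", "")
        reasons = []
        if USER_WRITABLE.search(details):
            reasons.append("autorun target lives in a user-writable directory")
        if SCRIPT_HOSTS.search(details):
            reasons.append("autorun value launches a script host")
        if SCRIPT_HOSTS.search(image):
            reasons.append("value written by a shell rather than an installer")
        findings.append({"key": key, "value_name": value_name, "image": image,
                         "details": details, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt_run_key_writes(SAMPLE_EVENTS):
        flag = "SUSPICIOUS" if f["reasons"] else "review"
        print(f"[{flag}] {f['key']}\\{f['value_name']} -> {f['details']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Every write to a monitored run key is returned, not only the flagged ones, because a baseline of the benign autoruns on a host is what lets you spot a new value quickly; the reasons list is what raises a hit from “review” to “suspicious”. In Splunk the first filter is the equivalent of a search on the Sysmon registry event code with a wildcard on TargetObject for `\CurrentVersion\Run`; the exact field names depend on the add-on that parses your Sysmon data, so check them before copying a search.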

Finally, we will kick the adversary off of the compromised endpoint using the Registry Editor application and regain control of the Windows machine!

To play along with this campaign simply navigate to this link and get started for FREE. Here you can sign up for the Cympire platform and tackle the Registry Run Persistence campaign I have created just for you.

Feel free to let me know how you get on and if you would like to see any other threat hunting campaigns!

Discover more in the Hunting for Persistence with Cympire series!