*There are many ways to become persistent on a Windows machine. See the persistence and escalation mechanisms article, or look the techniques up on the MITRE ATT&CK website. Knowing the individual artefacts and techniques matters, but collecting them all by hand is impractical.*
This is about … .
Init is the first user-space process: it usually has PID 1 and spawns every other process. On SysV-style systems /etc/inittab sets the default run level, and /etc/rc.d holds the init scripts and the rcN.d symlinks that define which services start and stop at each level; chkconfig prints the same information per service. systemd replaces run levels with targets (for example multi-user.target and graphical.target) but still accepts the run level numbers as aliases, so the table below remains a useful mental model.
| Run Level | Mode | Action |
|---|---|---|
| 0 | Halt | Shuts down the system. |
| 1 | Single-User Mode ⚠️ | Does not configure network interfaces, start daemons, or allow non-root logins. Can be used to boot into the superuser account and change its password without knowing the old one (though some distributions run sulogin here and ask for the root password first). |
| 2 | Multi-User Mode | Does not configure network interfaces or start daemons. |
| 3 | Multi-User Mode with Networking ⚠️ | Starts the system normally. Servers usually run at this level. |
| 4 | Undefined | Not used / user-definable. |
| 5 | X11 | As run level 3 plus a display manager (X); the default for desktop machines. |
| 6 | Reboot | Reboots the system, shutting down all services first. |

These meanings follow the Red Hat convention; Debian-derived systems treat levels 2 to 5 identically (full multi-user with networking).
[1]
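To make the inittab and rc.d mechanics concrete, here is an added example (not from the original page) that reads the initdefault line from an /etc/inittab excerpt and reconstructs the per-level start/kill list from the S/K link names in an rcN.d directory, the same data chkconfig summarises. The inittab text and the rc.d tree are constructed in a temp directory for the example; `suspicious_starters` is a hypothetical helper that flags start entries which are not symlinks into init.d, since the rc script executes every S* entry and a plain file dropped into rcN.d runs at boot without ever appearing in the init.d inventory.

```python
import os
import re
import tempfile

# Constructed /etc/inittab excerpt (SysV format: id:runlevels:action:process).
SAMPLE_INITTAB = """\
# Default runlevel.
id:3:initdefault:
si::sysinit:/etc/rc.d/rc.sysinit
l0:0:wait:/etc/rc.d/rc 0
l3:3:wait:/etc/rc.d/rc 3
l6:6:wait:/etc/rc.d/rc 6
1:2345:respawn:/sbin/mingetty tty1
"""

# rcN.d entry names: S (start) or K (kill), two-digit sequence, service name.
RC_NAME = re.compile(r"^([SK])(\d{2})(.+)$")


def default_runlevel(inittab_text):
    """Return the run level named on the initdefault line, or None if absent."""
    for line in inittab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "initdefault":
            return fields[1]
    return None


def rc_services(rc_root, level):
    """Read rc<level>.d under rc_root and return (start, kill) dicts of
    name -> (sequence, link target or None for a plain file)."""
    start, kill = {}, {}
    level_dir = os.path.join(rc_root, "rc%s.d" % level)
    if not os.path.isdir(level_dir):
        return start, kill
    for entry in sorted(os.listdir(level_dir)):
        m = RC_NAME.match(entry)
        if not m:
            continue
        kind, seq, name = m.groups()
        path = os.path.join(level_dir, entry)
        target = os.readlink(path) if os.path.islink(path) else None
        (start if kind == "S" else kill)[name] = (int(seq), target)
    return start, kill


def suspicious_starters(rc_root, level):
    """Start entries that are not symlinks into an init.d directory (hypothetical
    check): a plain file or a link elsewhere still runs at boot."""
    start, _ = rc_services(rc_root, level)
    return sorted(name for name, (_, target) in start.items()
                  if target is None or "init.d" not in target.split("/"))


def build_sample_rc(root=None):
    """Construct a toy rc.d tree (not a real system): sshd and crond start at
    level 3, nfs is killed, and S99persist is a plain file rather than a link."""
    root = root or tempfile.mkdtemp(prefix="rc.d-")
    initd = os.path.join(root, "init.d")
    rc3 = os.path.join(root, "rc3.d")
    os.makedirs(initd)
    os.makedirs(rc3)
    for svc in ("sshd", "crond", "nfs"):
        open(os.path.join(initd, svc), "w").close()
    os.symlink("../init.d/sshd", os.path.join(rc3, "S55sshd"))
    os.symlink("../init.d/crond", os.path.join(rc3, "S90crond"))
    os.symlink("../init.d/nfs", os.path.join(rc3, "K20nfs"))
    with open(os.path.join(rc3, "S99persist"), "w") as f:
        f.write("#!/bin/sh\n/tmp/.x &\n")
    return root


if __name__ == "__main__":
    root = build_sample_rc()
    level = default_runlevel(SAMPLE_INITTAB)
    print("default runlevel:", level)
    start, kill = rc_services(root, level)
    for name, (seq, target) in sorted(start.items(), key=lambda kv: kv[1][0]):
        print("start %02d %-10s -> %s" % (seq, name, target))
    print("suspicious:", suspicious_starters(root, level))
```

On a live image the same functions run against /etc/inittab and /etc/rc.d (or /etc/rcN.d on Debian); compare the start list at the default run level with what the package manager says it installed.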
Some persistence and escalation techniques need no exploit at all, only a small change to a configuration file or a file mode.
setuid and setgid
Platforms: macOS, Linux
MITRE: https://attack.mitre.org/techniques/T1548/001/
The setuid and setgid bits are set on files in UNIX. `chmod u+s [file]` or `chmod 4777 [file]` sets the setuid bit; `chmod g+s [file]` or `chmod 2775 [file]` sets the setgid bit. Look for files with either bit set: `find / -perm -4000 -type f 2>/dev/null` for setuid and `find / -perm -2000 -type f 2>/dev/null` for setgid (the older `-perm +4000` form is rejected by current GNU find; use `-perm -4000` or `-perm /4000`). Any hit that the distribution's package manifest does not account for deserves a look.
When a user runs an executable with the setuid bit set, the process keeps the real user ID (RUID) of the user who ran it but gets the effective user ID (EUID) of the file's owner. The process therefore runs with the owner's privileges while still being identifiable as started by the caller. Two caveats: the kernel ignores the bit on interpreted scripts (only the interpreter binary's own bits count), and on filesystems mounted with nosuid.
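An added example, not from the original page, that does the `find -perm` enumeration in Python so the result can be diffed against a baseline: `find_setid` walks a tree and records mode, uid and gid of every set-id regular file, and `diff_baseline` reports what appeared, vanished or changed since a known-good snapshot. The mini filesystem is constructed in a temp directory and its files are owned by whoever runs the script, not root; `plant_backdoor` is a hypothetical helper standing in for the attacker dropping a setuid copy of a shell.

```python
import os
import stat
import tempfile


def find_setid(root):
    """Walk root and return {path: (mode, uid, gid)} for every regular file with
    the setuid or setgid bit, i.e. what find -perm -4000 -o -perm -2000 shows.
    Symlinks are not followed and unreadable entries are skipped (2>/dev/null)."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found[path] = (stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
    return found


def setid_names(root):
    """Sorted basenames of the set-id files under root, for quick eyeballing."""
    return sorted(os.path.basename(p) for p in find_setid(root))


def diff_baseline(baseline, current):
    """Compare two find_setid() snapshots and return (added, removed, changed).
    A new setuid binary, or an existing one whose mode or owner changed, is the
    persistence signal; take the baseline from a known-good image."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(current) & set(baseline) if current[p] != baseline[p])
    return added, removed, changed


def build_sample_tree(root=None):
    """Constructed mini filesystem (not a real one): bin/passwd setuid,
    bin/wall setgid, bin/ls plain. Owned by the current user, not root."""
    root = root or tempfile.mkdtemp(prefix="setid-")
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, "tmp"))
    for name, mode in (("passwd", 0o4755), ("wall", 0o2755), ("ls", 0o755)):
        path = os.path.join(root, "bin", name)
        open(path, "w").close()
        os.chmod(path, mode)
    return root


def plant_backdoor(root):
    """Hypothetical attacker step: a copy of a shell under tmp with setuid set."""
    path = os.path.join(root, "tmp", ".x")
    open(path, "w").close()
    os.chmod(path, 0o4755)
    return path


if __name__ == "__main__":
    root = build_sample_tree()
    baseline = find_setid(root)
    plant_backdoor(root)
    added, removed, changed = diff_baseline(baseline, find_setid(root))
    for p in added:
        mode, uid, gid = find_setid(root)[p]
        print("NEW set-id file: %s mode=%o uid=%d gid=%d" % (p, mode, uid, gid))
```

Running `find_setid("/")` needs root to see into every directory; store the baseline off-host, since an attacker who can plant a setuid shell can also edit a baseline kept on the box.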
This is about … .
LKM (loadable kernel module) for Linux. Drivers are one type of kernel extension; once loaded, a module runs with kernel privileges, so a malicious one can hide processes, files and itself.
https://attack.mitre.org/techniques/T1547/013/
kext for macOS, loaded and unloaded with kextload and kextunload. Kexts must be signed with a certificate approved by Apple (and approved by the user on first load); otherwise SIP (System Integrity Protection) has to be disabled before they will load. That is also why memory acquisition tools that rely on a kext cannot dump RAM on a Mac with SIP enabled. Kexts have been deprecated since macOS 10.15 in favour of System Extensions, but legacy kexts can still be loaded.
Remember the "Reopen windows when logging back in" prompt on macOS? When selected, all applications currently open are added to a property list file named com.apple.loginwindow.[UUID].plist in the ~/Library/Preferences/ByHost directory. Applications listed in this file are automatically reopened at the user's next logon, so an entry pointing at a malicious app is a persistence mechanism.
Requires write permission to \Windows and \Windows\System32, so planting a DLL there is only available to an account that is already an administrator.
Detection:
Example: explorer.exe loading ntshrui.dll. The genuine ntshrui.dll lives in \Windows\System32, but explorer.exe's own directory (\Windows) is searched first, so a copy planted there is the one that gets loaded.
Following is the search order for modern Windows systems:
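As an added example (not part of the original page), the following Python models the search order with SafeDllSearchMode enabled and uses it in two ways: `resolve_dll` works out which copy of a DLL the loader would pick when the same name exists in several directories, and `flag_loads` applies the resulting rule as a detection over constructed Sysmon Event ID 7 (Image loaded) records. `SAMPLE_EVENTS` and `SYSTEM32_INVENTORY` are made up for the example, and the modelled order omits manifests, SetDllDirectory and the LOAD_LIBRARY_SEARCH_* flags.

```python
import ntpath

# Default search order with SafeDllSearchMode on (the default since XP SP2), after
# the loader has checked already-loaded modules and the KnownDLLs list. This is a
# simplified model for the example: manifests, SetDllDirectory and the
# LOAD_LIBRARY_SEARCH_* flags change the order and are not represented.
def search_order(app_dir, cwd, path_dirs, windir="C:\\Windows"):
    return [app_dir,
            ntpath.join(windir, "System32"),
            ntpath.join(windir, "System"),
            windir,
            cwd] + list(path_dirs)


def resolve_dll(dll, app_path, cwd, path_dirs, present):
    """Return the path the loader would pick for dll, or None if nothing matches.
    present is the set of files that exist on disk (constructed for the example)."""
    present = {p.lower() for p in present}
    for directory in search_order(ntpath.dirname(app_path), cwd, path_dirs):
        candidate = ntpath.join(directory, dll)
        if candidate.lower() in present:
            return candidate
    return None


# Constructed Sysmon Event ID 7 records; not taken from a real host.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\explorer.exe",
     "ImageLoaded": "C:\\Windows\\System32\\ntshrui.dll", "Signed": "true"},
    {"Image": "C:\\Windows\\explorer.exe",
     "ImageLoaded": "C:\\Windows\\ntshrui.dll", "Signed": "false"},
    {"Image": "C:\\Program Files\\App\\app.exe",
     "ImageLoaded": "C:\\Program Files\\App\\version.dll", "Signed": "false"},
    {"Image": "C:\\Program Files\\App\\app.exe",
     "ImageLoaded": "C:\\Program Files\\App\\applib.dll", "Signed": "false"},
]

# Constructed subset of DLL names that ship in System32 on the baseline image.
SYSTEM32_INVENTORY = {"ntshrui.dll", "version.dll", "kernel32.dll"}


def flag_loads(events, system32_inventory, windir="C:\\Windows"):
    """Flag loads where a DLL that belongs in System32 came from somewhere else:
    the footprint of a search-order hijack (explorer.exe picking ntshrui.dll up
    from its own directory, \\Windows, before System32). Returns
    (Image, ImageLoaded, Signed) tuples in event order."""
    sys32 = ntpath.join(windir, "System32").lower()
    flagged = []
    for event in events:
        directory, name = ntpath.split(event["ImageLoaded"])
        if name.lower() in system32_inventory and directory.lower() != sys32:
            flagged.append((event["Image"], event["ImageLoaded"], event["Signed"]))
    return flagged


if __name__ == "__main__":
    on_disk = {"C:\\Windows\\System32\\ntshrui.dll"}
    explorer = "C:\\Windows\\explorer.exe"
    print("clean:  ", resolve_dll("ntshrui.dll", explorer, "C:\\Users\\bob", [], on_disk))
    on_disk.add("C:\\Windows\\ntshrui.dll")  # attacker with write access to \Windows
    print("planted:", resolve_dll("ntshrui.dll", explorer, "C:\\Users\\bob", [], on_disk))
    for hit in flag_loads(SAMPLE_EVENTS, SYSTEM32_INVENTORY):
        print("HIJACK?", hit)
```

Legitimate software sometimes ships private copies of DLLs whose names also exist in System32, so the detection is a ranking signal to baseline per estate rather than a verdict; an unsigned copy of a System32 DLL loaded by explorer.exe from \Windows is the case worth paging on.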
Services can be abused in several ways, but they are most often used as escalation and persistence mechanisms.
⚠️ Both at and schtasks.exe can create tasks on a remote host, so scheduled tasks double as a lateral-movement mechanism.
📺 Artefacts:
- C:\Windows\Tasks\*.job
- C:\Windows\SchedLgU.txt (Win XP)
- C:\Windows\System32\Tasks
- at.exe (deprecated but can still be used) and schtasks.exe. For at, see At*.job and SchedLgU.txt.
WinXP: at jobs run with SYSTEM privileges (this holds on later versions too; at.exe always schedules as SYSTEM).
Files are created in \Windows\Tasks and \Windows\System32\Tasks (XML duplicate on Win7+). Created with: `at.exe 22:22:22 C:\mal.exe` or
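The XML files under \Windows\System32\Tasks are the easiest of these artefacts to triage offline. Here is an added example (not from the original page) that parses one into the fields an analyst wants (author, triggers, principal, actions, hidden flag) and applies a few heuristics to rank it. The task definition is constructed for the example and mirrors the `C:\mal.exe` task above; `TRUSTED_PREFIXES` and `triage` are hypothetical helpers to tune per environment. Real files are UTF-16 with a BOM, which `ET.parse` handles when reading from disk.

```python
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed Task Scheduler 2.0 definition in the format used by
# \Windows\System32\Tasks\<name> (Win7+). Not taken from a real host.
SAMPLE_TASK_XML = """\
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Author>CORP\\alice</Author>
    <Date>2023-05-04T22:10:00</Date>
  </RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2023-05-04T22:22:22</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\mal.exe</Command>
      <Arguments>-q</Arguments>
    </Exec>
  </Actions>
</Task>
"""


def _text(node, path):
    """Text of the first namespaced child at path, or '' if missing."""
    found = node.find(path, NS)
    return found.text.strip() if found is not None and found.text else ""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.split("}", 1)[1] if "}" in tag else tag


def parse_task(root):
    """Pull the analyst-relevant fields out of a parsed <Task> element."""
    trigger_node = root.find("t:Triggers", NS)
    triggers = [] if trigger_node is None else [
        {"type": _local(t.tag), "start": _text(t, "t:StartBoundary")}
        for t in list(trigger_node)]
    actions = [(_text(a, "t:Command"), _text(a, "t:Arguments"))
               for a in root.findall("t:Actions/t:Exec", NS)]
    return {
        "author": _text(root, "t:RegistrationInfo/t:Author"),
        "date": _text(root, "t:RegistrationInfo/t:Date"),
        "triggers": triggers,
        "principal": {
            "user_id": _text(root, "t:Principals/t:Principal/t:UserId"),
            "run_level": _text(root, "t:Principals/t:Principal/t:RunLevel"),
        },
        "hidden": _text(root, "t:Settings/t:Hidden").lower() == "true",
        "actions": actions,
    }


def parse_task_xml(text):
    return parse_task(ET.fromstring(text))


def parse_task_file(path):
    """For a real \\Windows\\System32\\Tasks entry copied out of an image."""
    return parse_task(ET.parse(path).getroot())


# Hypothetical allow-list of directories a task command normally lives in.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")


def triage(task):
    """Hypothetical ranking heuristics: reasons this task deserves a look."""
    reasons = []
    for command, _args in task["actions"]:
        if not command.lower().strip('"').startswith(TRUSTED_PREFIXES):
            reasons.append("command outside trusted dirs: %s" % command)
    if task["principal"]["user_id"] == "S-1-5-18":
        reasons.append("runs as SYSTEM")
    elif task["principal"]["run_level"] == "HighestAvailable":
        reasons.append("runs with highest available privileges")
    if task["hidden"]:
        reasons.append("hidden task")
    if any(t["type"] == "LogonTrigger" for t in task["triggers"]):
        reasons.append("persists via logon trigger")
    return reasons


if __name__ == "__main__":
    task = parse_task_xml(SAMPLE_TASK_XML)
    print("author:", task["author"], "actions:", task["actions"])
    for reason in triage(task):
        print(" -", reason)
```

Commands written with environment variables (`%SystemRoot%`) will trip the prefix check as written, so expand them first on a real data set; a SYSTEM task that runs something outside \Windows and Program Files, hidden from the Task Scheduler UI, is the combination to escalate.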