Section 1.4: Malware Persistence Flashcards

1
Q

Name the persistence mechanisms that malware uses.

A

AutoStart, Service Creation/Replacement, Service Recovery, DLL hijacking, Scheduled Tasks, WMI Event Consumers. More Advanced: MS Add-ons, Local Group Policy, and BIOS Flashing.

2
Q

Which persistence mechanisms account for more than 80% of those seen in the wild?

A

AutoStart locations and services.

3
Q

What are AutoStart Extension Points (ASEP) and why are they hard to secure? Are there any other locations besides the registry?

A

Microsoft has over 50 of them. They are mostly found in the registry. They can also be found in the filesystem, which can be an advantage to an adversary since they won't need admin rights to create persistence.

4
Q

What is a good method to find compromised AutoStart data across many systems in the enterprise?

A

Stacking.

5
Q

Name two ways ASEP keys are triggered on a system.

A

When the user logs in and/or when a system boots.

6
Q

List the registry key paths that run once a user logs in.

A

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run (RunOnce)
Software\Microsoft\Windows\CurrentVersion\RunOnce
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

7
Q

Describe a feature of the Winlogon key for userinit.exe that can be dangerous in an adversary's hands.

A

Winlogon executes userinit.exe, which launches explorer.exe. The key can be modified to include a reference to a binary located elsewhere so that it also loads at boot.

8
Q

In what folder location can an adversary place a shortcut to maintain ASEP persistence?

A

%AppData%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

9
Q

What are services?

A

They are designed to run applications in the background without user interaction. Many are required at system boot such as: DHCP Client, Windows Event Log, Server, and Workstation services. They can be executables or loaded DLLs.

10
Q

What is svchost.exe?

A

A generic Windows service host process; it is typical to see 5 or more of them running.

11
Q

Where are service configurations stored?

A

Inside the registry: HKLM\SYSTEM\CurrentControlSet\Services. Here you can find the parameters for the name, display name, start value, required privileges, dependencies, and more. Start values can be 0x00 (Boot Start) or 0x02 (Automatic), among others. Be cautious, because a service start can also be triggered through events such as obtaining an IP address or a hardware connection.

12
Q

What is so dangerous about the “sc” command?

A

It can create a service that auto-loads a malicious DLL or executable. Type sc in PowerShell for help.

13
Q

Name three ways services can be abused by the adversary.

A

New service creation, Service replacement, and service failure recovery.

14
Q

How did Mandiant APT1 use services to load malware?

A

They replaced the rarely used RIP Listener service (IPRIP) and loaded their malware instead. Another service to look out for is the RasAuto service.

15
Q

What is a technique to find new services in a system?

A

Baselining system services and stacking them throughout the enterprise.

16
Q

Explain service recovery mode and the best way to detect it.

A

It gives the service the option to run a binary when that specific service crashes. An example would be crashing the RDP service and making it run malware. Use the Kansa Svcfail.ps1 script to find suspicious services.

17
Q

Methods to collect service information through live and offline systems.

A

On live systems: the sc command and PowerShell.
On offline systems: the registry and the Autoruns tools.
Look into service crashing as well.

18
Q

For what purposes would an adversary use scheduled tasks to establish persistence?

A

To repeatedly run credential dumping or lateral movement tooling, remotely or locally.

19
Q

What are the binary names of scheduled tasks?

A

at.exe (recorded as at*.job files and schdlgu.txt on XP) and schtasks.exe.

20
Q

Where can scheduled tasks files be found in the filesystem?

A

Windows\Tasks or Windows\System32\Tasks

21
Q

Attack methods used for DLL hijacking.

A

DLL search order hijacking, Phantom DLL hijacking, DLL side-loading, and relative path DLL hijacking.

22
Q

What is the main issue with DLLs loading once an executable is run inside Windows?

A

DLLs, with the exception of those listed in the KnownDLLs registry key, are not required to be hardcoded to a specific location. Instead, they are located through the search order. Adversaries will try to find DLLs that are not located inside System32 or the registry key in order to run their own DLL from the same folder as the executable and so beat the search order.

23
Q

Explain a live example of DLL search order hijacking.

A

Explorer.exe is found inside the Windows folder and one of its DLLs (ntshrui.dll) is found inside the System32 folder. This DLL isn't protected by the KnownDLLs key, so an adversary placed a malicious DLL with the same name inside the Windows folder to beat the search order.

24
Q

Name the SafeDllSearchMode search order.

A

DLLs already loaded in memory, SxS components, KnownDLL list, Directory of the binary, System32 folder, System folder, Windows folder, Current directory, and System %PATH%.

25
Q

Explain the Phantom DLL hijacking method.

A

Somewhat similar to the search order method: adversaries look for very old DLLs that binaries are still trying to load into their application. Some don't even exist on the system but the binary will still attempt to load them. If they can figure out which DLL it is, all they have to do is supply it. The Fax Service (fxsst.dll) is an example.

26
Q

Explain the DLL side-loading hijack method and methods to identify it.

A

The attack uses the Windows SxS DLL loading mechanism to introduce an "updated" version of a DLL. Since SxS is legitimate, it has few validity checks for new DLLs and can be devastating if developers don't configure their applications correctly. Adversaries take advantage of the fact that the loader passes A/V checks with a legitimate hash. Methods to identify it include searching for new binaries and helper files added to the system.

27
Q

Explain the relative path DLL hijacking method and methods to identify it.

A

Adversaries will copy a binary from a protected folder (Windows32, Windows) and paste it into a writeable location. They just add the bad DLL alongside it and voila! To discover this tactic, file system timelining and memory analysis are recommended.

28
Q

A fact to keep in mind when it comes to binaries and DLLs.

A

Newly created binaries and DLLs are RARE in most systems. ProgramData folder RARELY has any binaries or DLLs.

29
Q

Describe how WMI can give adversaries the ability to establish persistence.

A

With admin rights, an adversary can create an event consumer that runs scripts or binaries once an event filter is triggered. The filter and consumer are tied together through a binding and saved in a managed object format (MOF) file.

30
Q

Name some examples of WMI Event Filters.

A

Specific time, existence of an executable, existence of a file or folder, service starting or stopping, and a specific user authenticated.

31
Q

Name commands analysts can search when looking for WMI activity.

A

mofcomp.exe
Get-WmiObject
Set-WmiInstance
Create-Instance

32
Q

How can an analyst discover malicious WMI activity?

A

They can use PowerShell commands or Kansa. The PowerShell command is:
Get-WMIObject -Namespace root\Subscription (or root\Default) -Class _EventFilter (or _EventConsumer, _EventConsumerBinding)

33
Q

What are some WMI false positives to be aware of?

A

SCM Event Log Consumer, BVTFilter, TSlogonEvents.vbs, TSLogonFilter, RAevent.vbs, RmAssistEventFilter, KernCap.vbs, NTEventLogConsumer, and WSCEAA.exe (Dell).

34
Q

Interesting WMI search terms for analysts to consider:

A

.exe, .vbs, .dll, .ps1, .eval, ActiveObject, powershell, CommandLineTemplate, and ScriptText.

35
Q

Name the two most common consumer classes adversaries are likely to use.

A

CommandLineEventConsumer (runs a binary) and ActiveScriptEventConsumer (runs a script from a specific path). Scripts used in WMI are either Visual Basic or JScript, not PowerShell.

36
Q

Name the other consumer classes besides the two most common.

A

LogFileEventConsumer, NTLogEventConsumer, SMTPEventConsumer, and Custom.