Detecting Windows Persistence

The Value of Persistence

Persistence is effectively the ability of the attacker to maintain access to a compromised host through intermittent network access, system reboots, and (to a certain degree) remediation activities. The ability of an attacker to compromise a system or network and successfully carry out their objectives typically relies on their ability to maintain some sort of persistence on the target system/network.

The value of persistence to any malicious campaign hinges on the attacker's objectives and the intended functionality of their malware. For example, ransomware does not typically have a persistence component given that the malware need only execute once in order to be successful. However, more advanced campaigns typically require ongoing or persistent access (weeks, months, even years) in order to conduct reconnaissance, move laterally throughout the environment, steal information, or accomplish other objectives.

From an adversary perspective, establishing persistence must be accomplished in a way that is at least somewhat stealthy while evading security controls. In order to fly under the radar, attackers have largely made the shift to what is known as living off the land – taking advantage of native OS binaries and functionality to carry out attacks. Persistence methods have followed suit, and this short post will highlight two common techniques we have observed being used by adversaries: the creation of new services and scheduled tasks. For more information on these techniques, check out what has been documented in the MITRE ATT&CK framework for scheduled task and new service creation.

Sumo Logic CSE Special Operations (SpecOps) routinely observes malicious actors relying on a variety of persistence mechanisms in order to evade detection (by security controls) and blend in with the normal environment. The creation of new services is used as a persistence mechanism across broad swaths of crimeware and nation-state activity such as that seen in the recently disclosed attacks against German chemical companies allegedly from China involving Winnti malware. The creation of scheduled tasks often avoids heavy scrutiny/monitoring by utilizing legitimate and signed software to execute malicious services crafted to look “normal”. This technique, although somewhat less sophisticated, has been a common approach in campaigns leveraging Qbot/Qakbot and Emotet banking trojans for many years with examples referenced in these posts from the Cisco Talos Intelligence team and US-CERT. It is worth noting that host-based prevention, effective user account management, and minimizing privileges are easy steps to mitigate these techniques - especially against commodity campaigns.

Luckily for defenders, there are native Windows event logs available to detect when new scheduled tasks and services get created. These logs, combined with an understanding of the systems and environment, can enable defenders to identify when anomalous scheduled tasks or new services are created.