Geekly Articles each Day
📜 ⬆️ ⬇️

We study Adversarial Tactics, Techniques & Common Knowledge (ATT @ CK). Enterprise Tactics. Part 3

Persistence


Links to all parts:
Part 1. Getting Initial Access
Part 2. Execution
Part 3. Persistence
Part 4. Privilege Escalation
Part 5. Defense Evasion
Part 6. Obtaining Credential Access
Part 7. Discovery
Part 8. Lateral Movement (Lateral Movement)

The main task of securing access is to ensure the continuity of the presence in the attacked system, because access can be lost due to restarting the attacked system, loss of credentials or blocking remote access tools due to attack detection.

The author is not responsible for the possible consequences of the application of the information contained in the article, and also apologizes for any inaccuracies in some formulations and terms. The published information is a free recount of the content of MITER ATT & CK .

Methods to ensure consistency in the system can be divided into 3 categories:

The following are the access hardening techniques offered by ATT & CK.
')

Modifying the ~ / .bash_profile and ~ / .bashrc Files


System: Linux, macOS
Rights: User, Administrator
Description: Attackers can insert code into the ~ / .bash_profile and ~ / .bashrc files ( designed to create a user environment in the OS ) that will be executed when the user logs in or starts a new shell. The ~ / .bash_profile file is executed when a user logs on to the system, ~ / .bashrc is executed when shells are opened interactively. When a user logs in (locally or remotely, for example via SSH) using the username and password ~ ​​/ .bash_profile is executed before the user prompt is returned. After that, every time a new shell is opened, ~ / .bashrc is executed.
In macOS, Terminal.app is a little different in that it launches the login shell by default each time the terminal window is opened, thereby calling ~ / .bash_profile each time.

Security Tips: Granting permissions to modify the ~ / .bash_profile and ~ / .bashrc files only for authorized administrators.

Modifying the executable files of applications "special features Windows" (Accessibility Features)


System: Windows
Rights: Administrator
Description: "special features" applications (screen magnifier, on-screen keyboard, etc.) can be launched using keyboard shortcuts before the user logs into the system. An attacker can spoof the startup files of these programs or change the way they are launched and open the command console or get a backdoor without logging in.

In WinXP and later versions, sethc.exe and utilman.exe can be replaced, for example, with cmd.exe, and later, when you press the necessary cmd.exe key combination, start up before entering Windows with System privileges.
In Vista and later versions, you need to change the registry key that configures cmd.exe or another program as a debugger, for example, for ultiman.exe. After editing the registry and pressing the desired key combination on the login screen or when connecting to the host via RDP, cmd.exe will execute with System privileges.
There are also Windows programs that can be used when implementing this attack technique:


Security Recommendations: Configure the launch of the mandatory network authentication of remote users before creating an RDP session and displaying the login screen ( enabled by default in Windows Vista and later versions ). Use Remote Desktop Gateway to manage connections and RDP security settings.

Key modification AppCert DLLs


System: Windows
Rights: Administrator, System
Description: The DLLs specified in the AppCertDLLs key value are loaded into each process that calls commonly used API functions: CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, WinExec . The value of the AppCertDLLs key can be abused by triggering the loading of a malicious DLL and running certain processes. AppCertDLLs is stored in the following registry key:
HKEY_LOCAL_MACHINE \ System \ CurrentControlSet \ Control \ Session Manager .

Security Tips : Use all sorts of tools to block potentially dangerous software and download unknown DLLs, such as AppLocker and DeviceGuard.

Key modification AppInit DLLs


System: Windows
Rights: Administrator, System
Description: The DLLs specified in the AppInit_DLLs key value are loaded into each process that loads user32.dll. In practice, this is almost every program.
AppInit_DLLs is stored in the following registry keys:

The value of the AppInit_DLLs key can be abused to exceed privileges by loading malicious DLLs and running certain processes. AppInit_DLLs functionality is disabled in Windows 8 and later versions when secure boot is activated.

Security Tips: Consider using OS no earlier than Windows 8 and enabling secure boot. Use all sorts of tools to block potentially dangerous software and download unknown DLL libraries, such as AppLocker and DeviceGuard.

Abuse of Application Compatibility Subsystem (Application Shimming)


System: Windows
Rights: Administrator
Description: Microsoft Windows Application Compatibility Infrastructure / Framework is designed to ensure software compatibility with Windows updates and OS code changes. The compatibility system uses the so-called shim (“shims”) - libraries that act as a buffer between the program and the OS. Using the shim cache, the system determines whether it is necessary to use shim pads (stored in the form of a database of the .sdb type). The .sdb files store various procedures for intercepting application code, processing it, and further redirecting to the OS. The list of all shims installed by the installer (sdbinst.exe) is stored by default in:

Custom shim bases are stored in:

To ensure protection in user mode, the possibility of changing the OS kernel using shim pads is excluded, and administrator rights are required to install them. However, some shim pads can be used to bypass User Account Control (UAC), DLL injection, disable Data Execution Prevention and Srtucture Exception Handling , as well as intercept memory addresses. The use of shim-pads by an attacker allows you to elevate privileges, install backdoors, disable OS protection, such as Windows Defender.

Security Tips : There are not many ways to prevent Application shiming. Disabling application compatibility is not recommended to avoid OS stability issues. Microsoft has released KB3045645 , which will remove the "auto-elevate" flag in the sdbinst.exe file to prevent the use of a shim system to bypass UAC.

Modifying Windows Authentication Package Components


System: Windows
Rights: Administrator
Description: The Windows Authentification Pack DLLs are loaded by the Local Security Authority (LSA) process at system startup and provide support for multiple login processes and multiple OS security protocols. Malicious users can use the LSA autorun mechanism by placing a link to a binary file in the following registry key:
HKLM \ SYSTEM \ CurrentControlSet \ Control \ Lsa \ Authentication Packages: [target binary] .
The [target binary] will be launched by the system when the Authentication Pack is loaded.

Security Tips: In Windows 8.1, Windows Server 2012 R2 and later versions of LSA, you can make it work as a secure process (PPL) using the registry key:
HKLM \ SYSTEM \ CurrentControlSet \ Control \ Lsa \ RunAsPPL = DWORD: 00000001 ,
which requires that all DLLs loaded by LSA be signed with a Microsoft digital certificate.

Creating BITS Jobs (BITS Jobs)


System: Windows
Rights: User, Administrator, System
Description: Windows Background Intelligent Transfer Service (BITS) is an asynchronous file transfer mechanism through the Component Object Model (COM) using low bandwidth. BITS is usually used by update programs, instant messengers and other applications that prefer to run in the background without interrupting the work of other network applications. File transfer tasks are represented as BITS tasks that contain a queue of one or more file operations. The interface for creating and managing BITS tasks is available in the PowerShell and BITSAdmin tool. Attackers can use BITS to download, run, and clean up after running the malicious code. BITS tasks are stored autonomously in the BITS database, and no new files or registry entries are created in the system, BITS is often allowed by the firewall. Using BITS tasks, you can gain a foothold in the system by creating lengthy tasks (90 days by default) or by calling an arbitrary program after completing a BITS task or an error (including after restarting the OS).

Protection recommendations: BITS is a standard OS functionality, the use of which is difficult to distinguish from malicious activity, therefore, the protection vector should be aimed at preventing the attacker from launching tools at the beginning of the attack chain. A complete disabling of BITS can lead to the termination of updating legitimate software, but you can consider limiting access to the BITS interface for specific users and access groups, you can also limit the lifetime of BITS tasks, which is set by changing the following keys:

Bootkits


System: Linux, Windows
Rights: Administrator, system
Description: Bootkit is a form of malware that can change the boot sectors of a hard disk, including Master Boot Record (MBR) and Volume Boot Record (VBR). Malefactors can use Bootkit for fixing in systems at the level below OS. MBR - section of the hard disk, which is loaded immediately after the completion of the hardware initialization Bios. An attacker who has access to overwrite the MBR can replace the OS bootloader code with a malicious one. VBR is the hard disk partition that receives the boot process control from the MBR. By analogy with the MBR rewrite option, an attacker can run malicious code during the system boot phase.

Security Tips: Use MBR and VBR integrity controls. Application of Trusted Platform Module (TPM) and Secure Boot.

Browser Extensions (Browser Extensions)


System: Windows, Linux, macOS
Rights: User
Description: As a rule, plug-ins have all the access and rights that a browser can get. Malicious plugins can be installed by downloading malicious applications disguised as legitimate programs by using social engineering techniques, phishing, or an attacker who has already compromised the system. Malicious plugins can in the background open websites, steal information that a user enters in a browser, including credentials, as installers of remote administration tools (RAT) and pinning in the system.

Security Tips: Install plugins from trusted sources only. Control of installed plugins using group policy. Prevent plug-in installation by regular users. Inventory and monitoring of installed plugins.

Modify File Association Settings


System: Windows
Rights: User, administrator, system
Description: Attackers can modify file associations to launch arbitrary commands. The choice of associating files with applications is stored in the Windows registry and can be edited by users, administrators, and programs that have access to the registry. Applications can modify associations to call arbitrary programs. The system association settings are stored in the registry: HKEY_CLASSES_ROOT \. [Extension] , for example, HKEY_CLASSES_ROOT \ .txt . The various commands are listed as subsections: HKEY_CLASSES_ROOT \ [handler] \ shell \ [action] \ [command] , for example:

where [command] is a command that will be executed when opening a file with the specified extension.

Security Tips: Follow Microsoft 's file association recommendations . Use all sorts of blocking tools for potentially dangerous software, such as AppLocker and DeviceGuard.

Component Firmware


System: Windows
Rights: System
Description: Some attackers can use complex tools to compromise computer components and install malicious firmware on them, which will run malicious code outside the operating system or even the main system firmware (Bios). The technique is the firmware of computer components that do not have a built-in system for checking the integrity of, for example, hard drives. A device with malicious firmware can provide constant access to the attacked system despite failures and overwriting of the hard disk. The technique is designed to overcome software protection and integrity control.

Interception of links and links Component Object Model Hijacking


System: Windows
Rights: User
Description: Microsoft Component Object Model (COM) is a technology for creating software based on interacting object components, each of which can be used in many programs simultaneously. Attackers can use COM to insert malicious code that can be executed instead of legitimate via the capture of COM links and connections. To intercept a COM object, you must replace the reference to the legitimate system component in the Windows registry. If you further call this component, the malicious code will be executed.

Protection recommendations: Preventive measures to prevent this attack are not recommended, as COM objects are part of the OS and software installed in the system. Locking changes to COM objects can affect the stability of the operating system and software. It is recommended to direct the protection vector to block malware and potentially dangerous software.

Create Account


System: Windows, Linux, macOS
Rights: Administrator
Description: Intruders who have received sufficient access can create local or domain accounts for further consolidation in the system. Network user commands can also be used to create accounts.

Security recommendations: The use of multifactor authentication. Configure security settings on important servers, configure access controls, firewalls. Prevent the use of a domain administrator account to perform daily operations during which an attacker can obtain account information. Attackers who have created accounts in the system can only get limited access to the network if access levels are properly blocked. Accounts may be required only to secure access to a separate system.

DLL search interception (DLL Search Order Hijacking)


System: Windows
Rights: User, Administrator, System
Description: The technique is to exploit the vulnerabilities of the application's search algorithm for the DLL files they need to work ( MSA2269637 ). Often, the DLL search directory is the working directory of the program, so attackers can replace the original DLL with a malicious one with the same file name.
Remote attacks on DLL search can be carried out when the program installs its current directory in a remote directory, for example, a network share. Also, attackers can directly change the way the DLL is searched and loaded by replacing the .manifest or .local files that describe the DLL search parameters. If the attacked program works with high privileges, then the malicious DLL loaded by it will also be executed with high rights. In this case, the technique can be used to elevate privileges from the user to the administrator or System.

Security Tips: Disable remote boot DLL (enabled by default in Windows Server 2012+ and is available with updates for XP + and Server 2003+). Enable the secure search mode of the DLL, which will limit the search directories to directories such as % SYSTEMROOT% before performing a DLL search in the current application directory.
Enable Secure Search DLL:
Computer Configuration> [Policies]> Administrative Templates> MSS (Legacy): MSS: (SafeDllSearchMode) Enable Safe DLL search mode.
Corresponding registry key:
HKLM \ SYSTEM \ CurrentControlSet \ Control \ Session Manager \ SafeDLLSearchMode.
Consider the feasibility of auditing the protected system to eliminate DLL weaknesses using tools such as the PowerUP module in PowerSploit. Do not forget about blocking malicious and potentially dangerous software, as well as the implementation of Microsoft recommendations .

Dylib Hijacking interception


System: macOS
Rights: User
Description: The technique is based on the vulnerabilities of dylib dynamic library search algorithms on macOS and OS X. The bottom line is the definition of dylib, which loads the attacked application and the subsequent placement of the malicious version of dylib with the same name in the working directory of the application. This will cause the dylib application to load, which is located in the working directory of the program. In this case, the malicious Dylib will be executed with the access rights of the attacked application.

Security Tips : Prevent users from writing files to dylib search directories. Vulnerability auditing with Objective-See Dylib Hijacking Scanner .

External Remote Services


System: Windows
Rights: User
Description: Attackers can use an organization’s external remote services, such as VPN, Citrix, and WinRM, to secure themselves within the attacked network. Access to services can be carried out with the help of valid accounts obtained using the technician redirecting users to false sites (pharming), or at the stage of network compromise.

Security recommendations: Restricting access to remote services using centrally managed switches, using VPN. Prohibit direct remote access to the internal network through the use of proxies, gateways and firewalls. Disable services that can be used remotely, for example, WinRM. The use of two-factor authentication. Monitoring the activity of using remote services outside working hours.

Lack of permissions at the file system level (File System Permissions Weakness)


System: Windows
Rights: User, Administrator
Description: The essence of the technique lies in the substitution of executable files that are automatically launched by various processes (for example, when the OS boots up or at a certain time, in case the rights to executable files are configured incorrectly). After the substitution, the malicious file will be launched with the rights of the process, so if the process has a higher level of access, the attacker will be able to escalate the privileges. As part of this technique, attackers may attempt to manipulate the binary files of Windows services.
Another type of attack is associated with deficiencies in the algorithms of self-extracting installers. During the installation process, installers often unpack various useful files, including .dll and .exe, into the% TEMP% directory, and they may not set the appropriate permissions to restrict access to the unpacked files, which allows attackers to swap files and as a result, increase privileges or bypass account control, because Some installers are run with extended permissions.

Security Tips: Restricting account rights so that only administrators can manage services and interact with the binary files used by the services. Disabling elevation of privileges for standard users in UAC. UAC settings are stored in the following registry key:

To automatically reject requests for elevation of privileges, you need to add a key:

To control the work of installers, you need to add a key:


Hidden files and folders (Hidden Files and Directories)


System: Windows, Linux, macOS
Rights: User
Description: Attackers can use the ability to hide files and folders, so as not to attract the attention of users. In Windows, users can hide files using the attrib command. It is enough to specify the attribute + h <file name> to hide the file or "+ s" to mark the file as system. By adding the "/ S" parameter, the attrib utility will apply the changes recursively. In Linux / Mac, users can hide files and folders simply by typing a "." At the beginning of the file name. After this, the files and folders will be hidden from the Finder application and such as the “ls” utility. In macOS, files can be marked with the UF_HIDDEN flag, which will turn on the prohibition of their visibility in Finder.app, but will not prohibit seeing hidden files in Terminal.app. Many applications create hidden files and folders so as not to clutter up the user's workspace. For example, SSH utilities create a hidden .ssh folder that stores a list of known hosts and user keys.

Protection recommendations: Preventing the use of this technique is difficult due to the fact that file hiding is a regular feature of the OS.

Interception of Windows API function calls (Hooking)


System: Windows
Rights: Administrator, System
Description: Windows API functions are usually stored in DLLs. The hooking technique is to redirect calls to API functions through:

Like injections, attackers can use hooking to execute malicious code, disguise its execution, access the memory of the attacked process, and elevate privileges. Attackers can capture API calls that include parameters containing authentication data. Hooking is usually used by rootkits to hide malicious activity in the system.

Protection recommendations: Interception of events in the OS is part of the normal operation of the system, so any restriction of this functionality may adversely affect the stability of legitimate applications, such as antivirus software. Efforts to prevent interception techniques need to be focused on the earlier stages of the attack chain. You can detect malicious hooking activity by monitoring calls to the SetWindowsHookEx and SetWinEventHook functions, using rootkit detectors, analyzing anomalous process behavior.

Hypervisor


System: Windows
Rights: Administrator, System
Description: A hypervisor can be compromised by an attacker and have rootkits hidden from guest systems.
Security Best Practices : Prevent attackers from accessing privileged user accounts necessary to install and configure the hypervisor.

IFEO injection (Image File Execution Options Injection)


System: Windows
Rights: Administrator, System
Description: The Image File Execution Options (IFEO) mechanism allows you to run, instead of a program, its debugger, previously specified by the developer in the registry:

Like injections, the value of [executable] can be abused by running arbitrary code to elevate privileges or gain a foothold in the system. Malicious programs can use IFEO to bypass protection by registering debuggers that redirect and reject various system and security applications.

Protection recommendations: The described technique is based on the abuse of standard OS development tools, so any restrictions may cause instability in the operation of legitimate software, for example, security applications. Efforts to prevent the use of IFEO injections need to be focused on earlier stages of the attack chain. You can detect such an attack by monitoring processes with the flags Debug_process and Debug_only_this_process .

Extensions and loadable kernel modules (Kernel Modules and Extensions)


System: Linux, macOS
Rights: Root
Description: Loadable kernel modules (LKM) are special programs that can be loaded and unloaded from the kernel without the need for a full system reboot. For example, device drivers are LKM. Attackers can load malicious LKM using different rootkits. As a rule, such rootkits disrupt themselves, files, processes, network activity, falsify audit logs, provide backdoors. Like LKM in macOS, there are so-called KEXTs that are loaded and unloaded by the kextload and kextunload commands.

Security tips : Use Linux rootkit detection tools: rkhunter, chrootkit. Restrict access to the root account, which is required to load modules into the kernel. Use the SELinux forced access control system.

Modification of the LC_LOAD_DYLIB Addition header in Mach-O files (LC_LOAD_DYLIB Addition)


System: macOS
Rights: User
Description: Mach-O files contain a series of headers that are used to perform certain operations when loading a binary file. The LC_LOAD_DYLIB header in Mach-O binaries tells the OS which dylib libraries to load. Header changes will invalidate the digital signature, however, an attacker can remove the LC_CODE_SIGNATURE command from a binary file and the system will not check the signature for correctness during its loading.

Security Tips: All binaries must be signed with the correct Apple Developer IDs, and white lists of applications are compiled using known hashes.

Local Security Authority Drivers (LSASS Driver)


System: Windows
Permissions: Administrator, system
Description: Local Security Authority (LSA) is a Windows subsystem that provides user authentication. LSA includes several dynamic interconnected DLLs that are executed in the LSASS.exe process. Attackers can attack LSASS.exe by replacing or adding illegitimate LSA drivers and then executing arbitrary code. The technique is implemented in the Pasam and Wingbird malware, which “throw” modified DLLs used when loading LSASS. In this case, the malicious code is executed before an illegitimate DLL causes a crash and a subsequent crash of the LSASS service.

Security Tips: In Windows 8.1 and Server 2012 R2, enable LSA security by activating the specified key:

This protection ensures that downloadable LSA plugins and drivers are digitally signed by Microsoft. In Windows 10 and Server 16, enable Windows Defender Credential Guard to run lsass.exe in an isolated virtual environment. In order to reduce the risk of loading malicious libraries into lsass.exe, enable the safe DLL search mode:


Launch Agents (Launch Agent)


System: macOS
Rights: User, Administrator
Description: The technique is the abuse of the functionality of creating and launching Launch Agent by users - autorun services at the user level. When each user logs on, launchd loads the Launcher settings from * .plist files. Plist files have an XML structure and contain instructions that tell launchd which executable files and when to launch. Plist files can be found in the following directories:

Attackers can also disguise the names of malicious Startup Agents using legitimate program names. For example, the Komplex Trojan creates a startup agent: $ HOME / Library / LaunchAgents / com.apple.updates.plist.

Security Tips: Using Group Policy, configure a restriction for users to create Launch Agents. Creating Startup Agents involves loading or creating plist files to disk, so concentrate protection efforts in the earlier stages of the attack.

Launch Daemon


System: macOS
Rights: Administrator
Description: The technique involves the attacker changing the parameters of the services of the system launch level - Launch Daemon, specified in the plist files. When booting the system, the Launchd process loads the parameters of services (daemons) from plist files located in the following directories:

Launch Daemon can be created with administrator privileges, but will run under the root account, so an attacker can implement privilege escalation. The permissions of the plist files must be root: while, however, the script or program specified in it may have less strict permissions. Therefore, an attacker can modify the executable files specified in the plist, and thus modify the current system services to be fixed in the system or privilege escalation.

Security Tips : Limit user privileges so that only authorized administrators can create a Launch Daemon. Consider monitoring the creation of plist files on your system using applications such as KnockKnock.

Launchctl Utility

System: macOS
Permissions: User, Administrator
Description: Launchctl is a utility for managing Launchd service. With Launchctl, you can manage system and user services (LaunchDeamons and LaunchAgents), as well as execute commands and programs. Launchctl supports command line subcommands, interactive or redirected from standard input:
launchctl submit -l [labelname] - / Path / to / thing / to / execute '' arg "'' 'arg"' '' arg ".
Starting and restarting services and daemons, attackers can execute code and even bypass the white list if the launchctl is an allowed process, however loading, unloading and reloading services and daemons may require elevated privileges.

Protection recommendations:Restricting user rights to create Launch Agents and launch Launch Deamons through group policy. Using the KnockKnock app, you can discover programs that use launchctl to manage Launch Agents and Launch Deamons.

Local Task Scheduling


System: Linux, macOS
Privileges: User, Administrator, root
Description: Attackers can create tasks in the attacked systems for unauthorized launch of programs when the system boots or on a schedule. On Linux and Apple systems, several methods for scheduling periodic background tasks are supported: cron, at, launchd. Unlike Windows Task Scheduler, task scheduling on Linux systems cannot be performed remotely, except for using remote sessions like SSH.

Protection recommendations: Restricting user rights to create scheduled tasks, blocking system utilities and other software that can be used to schedule tasks.

Login Items


System: macOS
Privileges: User
Description: In order to secure the system, attackers can configure their own autorun code using login items (user-defined settings for autorun applications at each login). Login Items created using the Service Management Framework are not displayed in the system settings and can only be deleted through the application in which they were created. Users can manage only those Login Item, which are displayed in the system settings. Such Login Item settings are stored in a plist file in the user directory:
~ / Library / Preferences / com.apple.loginitems.plist.
Applications that are part of the Login Item, at startup, can display windows visible to the user, but you can hide them using the “Hide” option.

Protection recommendations: Restrict user rights to create a Login Item. It is worth noting that holding down the shift key while logging in prohibits the automatic launch of applications. Monitor the Login Item settings ( System Settings → Users and Groups → Login Items ).

Logon Scripts


System: Windows, macOS
Description: In order to consolidate the system, an attacker can use the ability to create new or modify existing logon scripts — scripts that run whenever a particular user or group of users logs on to the system. If an attacker has access to the logon script on a Windows domain controller, he can modify it to execute code in all systems of the domain in order to “lateral movement” over the network. Depending on the permissions for accessing the logon script files (usually such scripts are stored in \\ [DC] \ NETLOGON \ ), an attacker may need local or administrative credentials.

On Mac, logon scripts ( Login / Logout Hook), unlike Login Items, which run in the context of a user, can be run as root.

Security Tips: Restricting the rights of administrators to create logon scripts. Identification and blocking of potentially dangerous software that can be used to modify login scripts.

Modifying Existing Services (Modify Existing Service)


System: Windows
Rights: Administrator, System
Description: In order to repeatedly launch malicious code in the system, an attacker can change the configuration of existing services using system utilities or tools for interacting with the Windows API. Attackers can intentionally damage or kill a service for later invoking a modified program or service recovery command. Using existing services is one of the masquerading techniques that makes it difficult to detect malicious activity. Information about the configuration of Windows services, including the path to the programs and commands to start and restore the service, is stored in the registry:

The configuration of services can be changed using the sc.exe and Reg console utilities.

Security Tips: Restricting user and group privileges to change service configurations, giving rights only to authorized administrators. Blocking potentially dangerous software. You can use the Sysinternals Autoruns utility to examine changes in system services in order to identify attempts to secure an attacker in the system.

Netsh helper utilities (Netsh Helper DLL) utilities


System: Windows
Rights: Administrator, System
Description: Attackers can execute code using the built-in console utility Netsh, which allows you to load auxiliary DLLs to expand functionality:
netsh> add helper [DLL Path]
Information about registered libraries used by netsh is stored in the registry:
HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ NetSh
Some corporate VPN clients and network utilities can use netsh.exe, running it on behalf of System, in such a situation, an attacker can register or modify an auxiliary DLL to be executed when the netsh VPN client uses. Tools for implementing this type of attack are included in CobaltStrike (framework for conducting penetration tests).

Security Tips: Blocking potentially dangerous software using tools such as AppLocker.

New Services (New Service)


System: Windows
Rights: Administrator, System
Description: Name access to the system, attackers can create new services and configure their automatic start. The service name can be masked using names specific to the operating system. Services can be created with administrator privileges, but run as System. Services can be created from the command line, using remote access tools with interaction functions with the Windows API or using standard Windows management tools and PowerShell.

Security Tips : Restrict the rights of users to create new services so that only authorized administrators can do this. Use AppLocker and Software Restriction Policy .

Autostart in office applications (Office Application Startup)


System: Windows
Rights: User, Administrator
Description: Some mechanisms of MS Office can be used to execute code when launching office applications and, as a result, to ensure that the attackers are consistent in the system:
• Embedding malicious VBA macros into the basic Office templates. Word uses the Normal.dotm template:
C: \ Users \ [Username] \ AppData \ Roaming \ Microsoft \ Templates \ Normal.dotm .
In Excel, there is no default template, but you can add it manually, and it will automatically load:
C: \ Users \ [Username] \ AppData \ Roaming \ Microsoft \ Excel \ XLSTART \ Personal.xls .
An attack can only be launched if the " Run all macros " option is enabled in the Office Security Control Center:
HKEY_CURRENT_USER \ Software \ Microsoft \ Office \ [Version] \ [Application] \ Security \ VBAWarnings: 1;
• Placing a reference to a DLL in the Office test section in the Windows registry causes the specified DLL to be executed each time the Office application is launched:
HKEY_CURRENT_USER \ Software \ Microsoft \ Office Test \ Special \ Perf \ [Default]: [Specify the path to the DLL];
• Add an add-in to the Office application with malicious code that will be executed when the attacked application is launched. Security Tips

: Follow Microsoft's Guidelines for Setting Macro Security Settings.. To prevent the Office Test mechanism from operating, create the specified key in the registry and set read-only permissions on it to prevent access to it without administrator rights. If possible, disable Office add-ons, if they are needed, then follow the Microsoft recommendations when organizing their work.

Path Interception


System: Windows
Rights: User, Administrator, system
Description: The technique for intercepting a path consists of placing the executable file in a directory from which the application will launch it instead of the target file. The attacker can use the following methods:

The interception of the file search order is also used to execute a DLL using the Search Hijacking DLL technique .

Security Tips: Highlight the paths specified in the configuration files, scripts, PATH variable, service settings and shortcuts. Remember to search for executable files and use only full paths. Clean up the old registry keys left over from the remote software so that there are no keys in the registry pointing to non-existent files. Set a ban on users to write to the root directory of C: \ and Windows system directories, restrict write permissions to directories with executable files.

Modifying Plist Files (Plist Modification)


System: macOS
Rights: User, Administrator
Description: Attackers can modify plist files, specifying in them their own code for its execution in the context of another user. The plist property files located in / Library / Preferences run with elevated privileges, and plist from ~ / Library / Preferences run with user privileges. Security Tips

: Prevent plist files from being modified by making them read-only.

Port knocking


System: Linux, macOS
Permissions: User
Description: Attackers can use the Port Knocking methods to hide the open ports that they use to connect to the system.

Security Tips : Using stateful firewalls can prevent some Port Knocking options from being implemented.

Port Monitors modification in Print Manager (Port Monitors)


System: Windows
Rights: Administrator, System
Description: The attacker can organize the execution of an arbitrary DLL on behalf of the System each time Windows is started using the misuse of the Print Manager settings (Spoolsv.exe). To interact with printing devices, Spoolsv.exe uses the so-called port monitors (port monitor), which are DLLs with which low-level commands are sent to printing devices via LAN, USB, LPT, or COM interfaces. The above DLLs are stored in C: \ windows \ system32 and are registered in the registry:
HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ Print \ Monitors .
Port Monitor can be installed using the AddMonitor API function or directly by editing the above registry key.

Protection recommendations: Arrange blocking of potentially dangerous software and use application launch control tools.

Rc.common


System: macOS
Rights: root
Description: An attacker can add code to the /etc/rc.common file that will be executed each time the system is started as root. Rc.common is a script that runs during OC loading, is the predecessor of Launch Agents and Launh Deamons. This is an outdated autorun technology, but it is still supported on macOS and OS X. Security tips

: Restrict user privileges to edit the rc.common file.

Re-launch applications (Re-opened Applications)


System: macOS
Permissions: User
Description: On systems starting with OS X 10.7 (Lion) , an attacker can organize the execution of a malicious file every time the OS is rebooted. The technique is based on the abuse of the function of restarting applications after the system is rebooted. The user can use the tools built into the GUI to tell the system which applications need to be restarted in case of an OS restart. These settings are stored in plist files:

An attacker can modify the above files to execute malicious code every time the system is rebooted. Security Tips

: The application restart feature can be disabled using the console command: defaults write -g ApplePersistence -bool no .
In addition, holding the shift key while loading prevents the application from starting automatically.

Redundant Access


System: Windows, Linux, macOS
Permissions: User, Administrator, System
Description:Attackers can simultaneously use several remote access tools with different control protocols in order to diversify detection risks. So, if one of the remote access tools is detected and blocked, but the protecting party has not identified all the attacker's tools, then the remote access to the attacked network will still be preserved. Attackers can also attempt to gain access to valid accounts of remote corporate services, such as VPN, to gain alternative access to the system in the event of blocking the main tools of remote access. Using a web shell is also one of the methods of remote access to the network through a web server.

Protection recommendations:Monitor the presence and blocking the launch of known remote access tools on your network (AmmyAdmin, Radmin, RemotePC, VNC, etc.), use the application launch control tools and blocking potentially dangerous software. Implementing IDS and IPS systems that identify specific malware using signatures will reduce the likelihood of a successful attack, but over time, attackers will modify their tools to change the signature and, as a result, bypass IDS and IPS systems.

Autorun using the Run Keys key and the Startup folder (Registry Run Keys / Start Folder)


System: Windows
Rights: User, Administrator
Description: An attacker can add a "run key (run keys)" in the Windows registry or a link to the Startup folder to launch a malicious file when a user logs on. The program will run with the rights of the current user. Attackers can disguise the launch keys in the registry so that they look like part of legitimate programs.
Run keys are stored in the following registry keys:


Protection recommendations: Identification and blocking of potentially dangerous software, monitoring changes in the “Startup” folder and the above registry keys.

SIP and Trust Provider Capture (SIP and Trust Provider Hijacking) , Subverting Trust in Windows


System: Windows
Rights: Administrator, System
Description: Attackers can modify the components of the signing architecture and verification of the digital signature of a Windows code in order to bypass the launch control tools that allow only signed code to be run. To create, sign, and verify the signature of files of various formats, Windows uses the so-called Subject Interface Package (SIP) —the software specifications that are unique for each file type, which ensure interaction between the API functions that initiate the creation, calculation and verification of signatures and directly files. The validity of the signature is confirmed by the so-called Trust Provider - these are the software components of the operating system that carry out various procedures related to the calculation and verification of digital signatures.
Popular attack methods:

It is important to note that the described attack on the Windows trust mechanism can be accomplished with the help of the Search Order Hijacking DLL.

Security recommendations: Make sure that the users of the protected system cannot change the registry keys related to the SIP and Trust Provider components. Consider removing unnecessary and obsolete SIPs. Use all sorts of tools to block the download of malicious DLL, for example, AppLocker and DeviceGuard built into Windows.

Scheduled Task


System: Windows
Rights: User, Administrator, System
Description: Utilities such as at, schtasks and Windows Task Scheduler can be used to schedule the launch of programs and scripts that will be executed at a specific date and time. The task can be scheduled on the remote system, provided that RPC is used for authentication, and printer and file sharing is enabled. Scheduling tasks on a remote system requires administrative rights. An attacker can use remote code execution to gain System privileges or to launch a process under a specific account.

Security Tips: Restricting user privileges. The use of tools, such as the PowerUP module in PowerSploit, which can be used to find weaknesses in the permissions of scheduled tasks. Disable the ability to launch tasks on behalf of System, disable the Allow server operators to schedule tasks option in the security policy, and enable the User Rights Assignment: Increase scheduling priority option.

Screen saver (screensaver)


System: Windows
Rights: User
Description: Attackers can use screen saver settings to launch malware after a certain period of user inactivity.
The Windows Screensaver application (scrnsave.exe) is located in C: \ Windows \ System32 , along with other screensavers included in the base OS build. An attacker can manipulate screen saver settings in the HKEY_CURRENT_USER \ Control Panel \ Desktop registry key :


Security Tips : Block the ability to run * .scr files from non-standard locations. Manage screen saver settings by using Group Policy, which prohibits local screen saver settings.

Security Support Provider (SPP)


System: Windows
Rights: Administrator
Description: Attackers can customize the execution of malicious code every time the system is booted or the AddSecurityPackage API function is called by adding a dummy security support provider (SSP) to the Local Security Authority (LSA) configuration. SSP are software modules (DLLs) containing one or more authentication and cryptography schemes that are loaded into the LSASS process at system startup. SPP DLLs have access to encrypted and open text passwords stored in Windows. SPP configuration is stored in two registry keys:

Protection recommendations: In Windows 8.1, Windows Server R2 and later OS versions, you must activate LSA protected mode (Process Protect Light - PPL), in which all SPP dll files must be signed with a Microsoft digital signature:
HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ Lsa \ RunAsPPL = dword: 00000001

Service Registry Permissions Weakness Weakness


System: Windows
Rights: Administrator, System
Description: If user and group permissions allow you to change key values ​​in the Windows registry that store service settings, then attackers can directly modify the keys that store the paths to the service startup executable files or use various service management tools — sc.exe, PowerShell, or Reg. Attackers can also change the parameters associated with the failure of services, for example, FailureCommand, indicating the command that will be executed in case of failure or deliberate damage to the service. Service settings are stored in HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ services .

Security recommendations: Make sure that the users of the protected system cannot change the keys in the registry that store the parameters of the system components. Use various means of blocking potentially dangerous software, for example, Windows AppLocker.

Shortcut Modification


System: Windows
Rights: User, Administrator
Description: Attackers can create new shortcuts and symbolic links disguised as legitimate programs or modify the paths in existing shortcuts so that their tools are launched instead of the original application.

Security Tips : Restrict the rights of users and groups, such as Administrators, to create symbolic links using GPO:
Computer Configuration> [Policies]> Windows Settings> Security Settings> Local Policies> Create symbolic links.
Use tools to block potentially dangerous software and Software Restriction Policy.

Startup Items


System: macOS
Rights: Administrator
Description: The attacker can use the outdated, but still working in macOS Sierra, application autorun mechanism using StartupItems to configure the launch of its code as root during the OS boot. StartupItems is the directory in / Library / Startupitems , the command script and the StartupParameters.plist properties file. The script and the properties file should be at the top of the hierarchy: / Library / Startupitems / [MyStartupItem] .

Security Tips : Since the StartupItems mechanism is outdated, prohibiting entries in the / Library / Startupitems / directory will prevent the creation of startup items.

System Firmware (System Firmware)


System: Windows
Rights: Administrator, System
Description: Particularly sophisticated attackers can modify or reflash Bios, UIFI, or UFI in order to ensure that it is possible to install malicious firmware updates and fix them on the system.

Protection recommendations: Direct the protection vector to prevent an attacker from accessing privileged accounts that are necessary to implement the described technique. Consider the necessity and possibility of using the protected Trusted Platform Module (TPM) system . Consider the need to use external tools to monitor and analyze the security of system firmware, for example, the CHIPSEC Framework .

Providers of time (Time Providers)


System: Windows
Rights: Administrator, System
Description: Attackers can register a malicious DLL as a Time Provider (Time Provider), which will be executed when the system is started or when the Windows Time Server configuration (W32Time) is changed. The time provider settings are stored in the registry:
HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ services \ W32Time \ TimeProviders .
To register a time provider, administrative rights will be required, but it will be executed in the context of the local service account.

Security Tips : Consider using GPO to configure blocking changes to W32Time settings. Use all sorts of tools to block the download of malicious DLL, for example, AppLocker and DeviceGuard built into Windows.

Trap Team


System: Linux, macOS
Rights: User, Administrator
Description: The trap command is used to protect the script from interruptions ( ctrl + c, ctrl + d, ctrl + z , etc.). If the script receives an interrupt signal specified in the arguments of the trap command, then it processes the interrupt signal itself, and the command shell will not process such a signal. Attackers can use trap to register code that will be executed when the shell receives certain interrupt signals.

Protection recommendations: The use of this technique is difficult to prevent, because the attacker uses regular operating system mechanisms. The protection vector should be directed to the prevention of malicious actions at earlier stages of an attack, for example, at the delivery stage or the creation of a malicious file in the system.

Valid Accounts (Valid Accounts)


Description: Attackers can steal credentials of a particular user or service account using access credentials technician, capture credentials in the process of exploration using social engineering. Compromised credentials can be used to bypass access control systems and gain access to remote systems and external services such as VPN, OWA, remote desktop, or gain elevated privileges in certain systems and network areas. If the script is successfully implemented, attackers can abandon malicious programs to make their detection more difficult. Also, attackers can create accounts using predefined names and passwords to save backup access in case of unsuccessful attempts to use other means.

Security Recommendations: Apply password policy, follow recommendations for designing and administering a corporate network to limit the use of privileged accounts at all administrative levels. Regular checks of domain and local accounts and their rights in order to identify those that may allow an attacker to gain broad access. Monitoring account activity using SIEM systems.

Web shell


System: Windows, Linux, macOS
Description: An attacker can use the Web Shell as an access gateway to your network or redundant access to the system being attacked, as a backup mechanism for securing in case of detection and blocking of the main access channels to the attacked environment.

Protection recommendations: Ensure that your external web servers are updated regularly and do not have known vulnerabilities that allow attackers to upload a file or script to the server and then execute it. Check that the permissions of the accounts and groups with server management rights do not match the internal network accounts that can be used to log on to the web server, launch the web shell, or pin to the web server. Web Shell is hard to detect because they do not initiate connections and their server part may be small and harmless, for example, the PHP version of the China Chopper Web shell looks like a line:
[? php eval ($ _POST ['password']);]

Windows Management Instrumentation Event Subscription


System: Windows
Rights: Administrator, System
Description: WMI Event Subscription is a functionality that allows the administrator to configure the receipt of event notifications (Events), including those that occurred on remote systems, with the subsequent automatic execution of any actions (script launch, application, etc.). Attackers, in order to consolidate the system, can abuse the above described functionality, setting up a subscription to such events as the system clock time or computer time, followed by the execution of code when this event occurs.

Security Recommendations: Make sure that only administrator accounts have remote connection rights to WMI, and that the protected system does not match the system administrator accounts with other privileged accounts. Disabling WMI can cause system instability, therefore, requires a preliminary assessment of possible negative consequences.

Winlogon helper dll


System: Windows
Rights: Administrator, System
Description: By modifying the registry settings of auxiliary DLL used by Winlogon.exe, an attacker can ensure that malicious DLLs are repeatedly executed to be fixed to the system. Winlogon settings are stored in sections:

Several vulnerable subsections are known:

Security Tips: Ensure that only authorized administrators can change Winlogon settings. Use all sorts of tools to block the download of malicious DLLs and potentially dangerous programs, for example, built-in Windows AppLocker and DeviceGuard.

Source: https://habr.com/ru/post/425177/

More articles:


All Articles