Sunday, February 2, 2014

Intro to Attacker Methodology Part III - Persistence and Entrenchment

Part III - Persistence and Entrenchment

Background / Assumptions

Well, you made it to part 3 of this series, which either means that you're in the wrong place or you're really just interested in how attackers make their beds in a network and then proceed to camp out indefinitely. It's always very interesting to participate in remediation discussions because of how incredibly hard it is to actually cut an attacker off from a network once they've stolen the credentials and been hanging around for a while. I know that my goal was always to achieve a sort of network-zen where my actions were one with the network and, overall, I was in a better position to administer the network than the people who were getting paid to do so (by the target org).

Up to this point I've covered how to get into a network and how to move around, but unless you're on a 3-day pentest or you're just here for the smash-n-grab, persistence is something that every attacker is going to care deeply about. 

Here are the links to the first couple of posts in case you want to read them first or go back for a refresher...


Persistence

This is a super TL;DR summary of persistence; for a much more in-depth treatment of the subject matter, y'all should check out the presentation that @passingthehash and I did at DerbyCon 2013...

Starting access level: Temporary access to an asset in the target network
End Goal: Persistent access to the target asset / network
Attacker Steps: Leverage access to gain persistence

So when I look at it there are really three types of persistence:
  • Persistent during, but not across, power cycles (memory-resident)
  • Across power cycles, for a single user
  • Across power cycles, for all users of the system
Neither of the first two requires administrative privileges on the target asset. Per-user persistence can be achieved simply and reliably by modifying autostart keys in that user's own hive (HKCU), which the user is allowed to write; all-users persistence means HKLM or a service, and therefore admin. Running purely in memory is an excellent way of staying persistent until the next power cycle with almost no footprint on disk (unless the defenders take a full memory dump before or while turning the machine off). After our DerbyCon talk a few people argued that this isn't persistence; I would ask those people how often their company shuts down all of its domain controllers (and workstations) at the same time.
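An added example, not code from the original post or the DerbyCon talk: a PowerShell function that lists the Run/RunOnce autostart entries in the machine hive and in every loaded user hive, tagging each entry with its scope (all users or one user) and the privilege that was needed to write it. The key paths and the HKEY_USERS layout are standard Windows; the function name and output fields are my own.

```powershell
# Added example (not from the original post or the DerbyCon talk): list the
# Run/RunOnce autostart entries for the machine and for every loaded user hive,
# tagging each with its scope and the privilege needed to have written it.
# Key paths and the HKU hive layout are standard Windows; output fields are my own.

# Autostart key paths, relative to a hive root, that Windows processes at logon.
$RunKeyPaths = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

# Provider metadata that Get-ItemProperty adds to every result; not autorun values.
$ProviderProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-AutorunEntries {
    # Map HKEY_USERS so every loaded profile can be walked. HKCU is only an alias
    # for HKU\<SID of the current user>, so looking at HKCU alone misses everyone else.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }

    # HKLM entries run for all users and need admin rights to write.
    $roots = @([pscustomobject]@{ Root = 'HKLM:'; Scope = 'all users'; WriteNeeds = 'admin' })

    # Each HKU\S-1-5-21-... subkey is one user's hive; that user can write it
    # without admin. Only hives of currently loaded profiles appear here, and the
    # _Classes subkeys are skipped by the SID pattern.
    $userHives = Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }
    foreach ($hive in $userHives) {
        $sid = $hive.PSChildName
        $roots += [pscustomobject]@{ Root = "HKU:\$sid"; Scope = "user $sid"; WriteNeeds = 'that user' }
    }

    foreach ($r in $roots) {
        foreach ($rel in $RunKeyPaths) {
            $key = Join-Path -Path $r.Root -ChildPath $rel
            if (-not (Test-Path -Path $key)) { continue }
            $values = Get-ItemProperty -Path $key
            foreach ($prop in $values.PSObject.Properties) {
                if ($ProviderProps -contains $prop.Name) { continue }
                [pscustomobject]@{
                    Scope      = $r.Scope
                    WriteNeeds = $r.WriteNeeds
                    Key        = $key
                    Name       = $prop.Name
                    Command    = $prop.Value
                }
            }
        }
    }
}

Get-AutorunEntries | Format-Table -AutoSize -Wrap
```

Run it elevated if you want the HKLM keys and other users' hives to be readable. Profiles that are not loaded do not appear under HKEY_USERS; to check those, load the user's NTUSER.DAT with reg load and walk the same relative paths. The Run keys are only a small corner of the autoruns category; Sysinternals Autoruns covers the rest.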

Common persistence methods include: 
  • Services (on Windows)
    • Services are great for attackers because they are naturally robust, run as NT AUTHORITY\SYSTEM by default, start on boot, and can be queried (read: troubleshoot-able) remotely with tools such as sc.
  • Run levels (on Linux)
    • Not many people validate everything in their init scripts (rc*.d) all of the time.
  • Registry keys
  • Autoruns (a huge category)
  • Startup scripts
  • DLL search-order hijacking
    • Planting a DLL where a service or other executable will look for it before it finds the legitimate copy.
  • Unquoted service paths
    • An image path such as C:\Program Files\Vendor\svc.exe with no quotes makes Windows try C:\Program.exe before the real binary; list services with sc query and inspect each with sc qc <servicename>.
  • Re-exploitation
    • Just when you think you've kicked your attacker out, make sure that you fully understand the original hole they came in through and that you've patched it up.

Beyond these common methods, I would strongly suggest that readers refer to the PPT and the DerbyCon presentation.


Looking for persistence / backdoors

  • Look for high-entropy (packed or encrypted) binaries
  • Look in prefetch (C:\Windows\Prefetch) for evidence of what has executed
  • Audit services: image paths, quoting, start accounts and start modes
  • Look for unsigned drivers and DLLs (especially those loaded by services)
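An added example that serves both the unquoted-service-path bullet in the previous section and the "audit services" and "unsigned drivers" items above; it is not code from the original post or the DerbyCon talk. It walks every service and kernel driver, flags unquoted image paths that contain spaces (the sc qc check, done across all services at once, together with the file names Windows would try before the real one), and reports any image whose Authenticode signature does not verify. The function names and output fields are my own.

```powershell
# Added example (not from the original post or the DerbyCon talk): audit every
# service and kernel driver for two indicators: an unquoted image path containing
# spaces, and an image whose Authenticode signature does not verify.

function Get-ImageFileFromCommandLine {
    param([string]$CommandLine)
    # Driver ImagePaths often contain %SystemRoot%-style variables.
    $cl = [Environment]::ExpandEnvironmentVariables($CommandLine).Trim()
    if ($cl.StartsWith('"')) {
        # Quoted: the image is everything up to the closing quote.
        return ($cl.Substring(1) -split '"', 2)[0]
    }
    # Unquoted: take the first token that ends in .exe/.sys/.dll followed by
    # whitespace or end of string; anything after it is arguments.
    $m = [regex]::Match($cl, '^(.+?\.(exe|sys|dll))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cl -split '\s+', 2)[0]
}

function Get-UnquotedPathHijackCandidates {
    param([string]$ImagePath)
    # CreateProcess resolves an unquoted path by trying each space-delimited prefix
    # with .exe appended: for C:\Program Files\Vendor App\svc.exe it tries
    # C:\Program.exe, then C:\Program Files\Vendor.exe, before the real file.
    $parts = $ImagePath -split ' '
    $candidates = @()
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $candidates += (($parts[0..($i - 1)] -join ' ') + '.exe')
    }
    return $candidates
}

function Resolve-ImagePath {
    param([string]$Image)
    # Normalise kernel-style prefixes (\SystemRoot\..., \??\C:\...) and paths
    # given relative to the Windows directory (system32\drivers\x.sys).
    $p = $Image -replace '^\\SystemRoot', $env:SystemRoot
    $p = $p -replace '^\\\?\?\\', ''
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path -Path $env:SystemRoot -ChildPath $p }
    return $p
}

function Invoke-ServiceImageAudit {
    # Win32_Service = user-mode services; Win32_SystemDriver = kernel drivers.
    $items  = @(Get-CimInstance Win32_Service |
        Select-Object Name, PathName, StartMode, StartName, @{ n = 'Kind'; e = { 'service' } })
    $items += @(Get-CimInstance Win32_SystemDriver |
        Select-Object Name, PathName, StartMode, @{ n = 'StartName'; e = { 'kernel' } }, @{ n = 'Kind'; e = { 'driver' } })

    foreach ($s in $items) {
        if ([string]::IsNullOrWhiteSpace($s.PathName)) { continue }   # nothing on disk to check
        $image    = Resolve-ImagePath (Get-ImageFileFromCommandLine $s.PathName)
        $unquoted = (-not $s.PathName.Trim().StartsWith('"')) -and ($image -match ' ')
        $sig = if (Test-Path -LiteralPath $image) {
            (Get-AuthenticodeSignature -FilePath $image).Status.ToString()
        } else { 'FileMissing' }

        # Report anything that needs a human look; quoted, validly signed images stay silent.
        if ($unquoted -or $sig -ne 'Valid') {
            [pscustomobject]@{
                Kind             = $s.Kind
                Name             = $s.Name
                StartMode        = $s.StartMode
                RunsAs           = $s.StartName
                Image            = $image
                Signature        = $sig
                UnquotedPath     = $unquoted
                HijackCandidates = if ($unquoted) { (Get-UnquotedPathHijackCandidates $image) -join '; ' } else { '' }
            }
        }
    }
}

Invoke-ServiceImageAudit | Sort-Object Kind, Name | Format-Table -AutoSize -Wrap
```

Two caveats when reading the output. On older Windows versions Get-AuthenticodeSignature reports catalog-signed Microsoft binaries as NotSigned, so compare against a known-good build (or Sysinternals sigcheck with catalog lookup) before treating every hit as hostile. An unquoted path is only exploitable if a low-privileged account can create one of the hijack candidates, so follow up with icacls on the candidate's parent directory; a hit under C:\Program Files with default ACLs is a finding about the vendor's installer, not an open door.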

More Reading

Entrenchment

Starting access level: Persistent access to an asset in the target network
End Goal: Entrenched access to the target network that is robust to defender actions
Attacker Steps: Spread persistent access across the network and add secondary methods of access

Entrenchment is really where an attacker sets up shop in the network. It starts with expanding upon the initial foothold gained during the persistence phase of the attack by spreading that level of persistent access to the point where it is robust to defender actions.

Steps to gaining an entrenched presence in a target network:
  • Fully understand the administration structure of the network, including enumerating who admins what and when, and mimic that in your actions
  • Gain access to and exfiltrate all credentials and authentication material (hash dump of the domain)
  • Gain multiple methods of persistence in the target network
Secondary methods of access:
  • VPNs
  • Multiple types of backdoors in the network
  • Multiple transports in the network, e.g., HTTP and DNS command and control (C2) communications
  • Webshells
  • Infrastructure backdoors
