When I first started researching ATT&CK last year, Persistence was the tactic that made me fall in love with it.

Even though I have been in the industry for some time, I learned more from digging into the techniques under this tactic than under any other. While I knew about fun tricks like replacing sethc.exe with cmd.exe and pressing Shift five times at the lock screen, many of the other techniques were brand new to me. By looking into each of them one by one, I became a better defender. Understanding the (to me) new ways an operating system could be abused was intoxicating, and it has kept me an ATT&CK fan ever since.

Ransomware aside, persistence is one of the capabilities an attacker wants most. The Persistence tactic covers techniques that let an attacker re-infect a machine or keep an existing foothold through events such as a reboot, a credential change, or (for firmware-level implants) even a re-image. Attackers want to do the least amount of work possible, and that includes the time spent regaining access to their target.

Registry Run Keys / Startup Folder is the most common technique, at least in terms of how often its underlying mechanism is used. It covers registry keys and file system locations whose contents are executed whenever a user logs on. Some are well known, such as the Run and RunOnce keys and the per-user and all-users Startup folders; others are more obscure, such as the AppInit_DLLs value, which ATT&CK tracks as its own technique and which causes the listed DLLs to be loaded into every process that loads user32.dll.
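
To make those locations concrete, here is an added example (written for this edit, not code from the original post) that enumerates them on a Windows host and flags entries worth a second look. It assumes Windows PowerShell 5.1 or later running as an administrator, and it folds in the AppInit_DLLs value because the post groups it with the run keys even though ATT&CK tracks it as a separate technique. The "suspicious" heuristics (unsigned target, target under a user-writable directory such as %TEMP% or %APPDATA%, missing target) are my own triage choices, not an ATT&CK definition.

```powershell
# Added example for this article, not code from the original post.
# Enumerates Registry Run Keys / Startup Folder locations plus AppInit_DLLs
# and flags entries a defender would want to review.
# Assumes Windows PowerShell 5.1+ running as an administrator.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# AppInit_DLLs: every DLL listed here is loaded into each process that loads
# user32.dll, but only while LoadAppInit_DLLs is 1.
$appInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),       # current user
    [Environment]::GetFolderPath('CommonStartup')  # all users
)

# Heuristic (my choice, not an ATT&CK definition): legitimate autostarts rarely
# run from user-writable scratch locations, but droppers very often do.
$suspiciousRoots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA,
                     "$env:USERPROFILE\Downloads", $env:PUBLIC) | Where-Object { $_ }

function Get-ExecutableFromCommand {
    param([string]$Command)
    # Expand %VARS%, then take either the "quoted path" or the first token.
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    return ($cmd -split '\s+')[0]
}

function Test-Suspicious {
    param([string]$Path)
    if (-not $Path) { return 'empty command' }
    $reasons = @()
    if (-not (Test-Path -LiteralPath $Path)) {
        # A bare file name here is resolved by the loader search order at run time.
        $reasons += 'target missing or relative'
    } else {
        $sig = Get-AuthenticodeSignature -LiteralPath $Path
        if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
    }
    foreach ($root in $suspiciousRoots) {
        if ($Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
            $reasons += "lives under $root"
        }
    }
    return ($reasons -join '; ')
}

function Get-AutostartFindings {
    $findings = @()
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($providerProps -contains $p.Name) { continue }   # skip provider metadata
            $exe = Get-ExecutableFromCommand ([string]$p.Value)
            $findings += [pscustomobject]@{
                Location = "$key\$($p.Name)"; Target = $exe; Notes = Test-Suspicious $exe
            }
        }
    }

    $shell = New-Object -ComObject WScript.Shell   # used to resolve .lnk shortcuts
    foreach ($folder in $startupFolders) {
        if (-not (Test-Path -LiteralPath $folder)) { continue }
        foreach ($item in Get-ChildItem -LiteralPath $folder -File -Force) {
            $target = $item.FullName
            if ($item.Extension -eq '.lnk') {
                $target = $shell.CreateShortcut($item.FullName).TargetPath
            }
            $findings += [pscustomobject]@{
                Location = $item.FullName; Target = $target; Notes = Test-Suspicious $target
            }
        }
    }

    foreach ($key in $appInitKeys) {
        if (-not (Test-Path $key)) { continue }
        $v = Get-ItemProperty -Path $key
        if ($v.LoadAppInit_DLLs -eq 1 -and $v.AppInit_DLLs) {
            foreach ($dll in ($v.AppInit_DLLs -split '[,\s]+' | Where-Object { $_ })) {
                $findings += [pscustomobject]@{
                    Location = "$key\AppInit_DLLs"; Target = $dll
                    Notes    = 'AppInit DLL enabled; ' + (Test-Suspicious $dll)
                }
            }
        }
    }
    return $findings
}

# Entries with notes sort first so the review queue is at the top of the output.
Get-AutostartFindings | Sort-Object { $_.Notes -eq '' } | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt and diff the output against a known-good baseline from a freshly imaged machine; a persistence hunt is far easier as "what changed" than as "what is here". The HKCU keys are read only for the user running the script, so on shared hosts loop over the other loaded hives under HKEY_USERS as well.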

The run keys and Startup folders have been well known for some time, so attackers moved on to gaining persistence when commonly used applications start, such as the web browser or Microsoft Office. Most desktop users in an enterprise will open a web browser and/or email client within minutes of logging in. Another