Section 25: Persistence

Persistence Techniques and Tools

Overview

• Focuses on strategies and tools attackers use to maintain presence in a compromised system over time.

• Persistence deepens control, enables long-term data monitoring, and ensures access despite system disruptions.

• Domain covers files, post-exploitation, and lateral movement.

• Objective 5.1: Maintain and establish presence in a given scenario.

Command and Control (C2) Frameworks

• Methods to remotely control compromised systems.

• Understanding C2 frameworks and protocols aids in attack setup and defense.

Empire

• Post-exploitation framework using PowerShell and Python.

• Modules for keylogging, credential dumping, and lateral movement.

• Operates without PowerShell.exe to evade detection.

• Currently maintained by the Kali Linux community.

• Example: Deploying a PowerShell agent to capture keystrokes or extract password hashes.

• Defenders are often aware of Empire's signatures.

Covenant

• .NET-based C2 framework for Windows, Linux, and macOS.

• Leverages the .NET framework for cross-platform capabilities and evasion.

• Web-based interface for managing compromised systems.

• Example: Deploying a Covenant agent on a compromised web server to execute .NET commands and dump credentials.

Mythic

• Cross-platform, command-line-based open-source C2 framework.

• Modular architecture for customization.

• User-friendly interface and robust API support.

• Supports various payloads.

• Example: Using the AppFail payload on a compromised macOS system.

Automating Persistence

Scheduled Tasks and Cron Jobs

• Automate tasks at specific times or intervals on Windows (Scheduled Tasks) and Unix-based systems (Cron Jobs).

• Ensures payload or backdoor automatically runs, maintaining access after system reboot.

• Windows Example:

  • Command: `schtasks /create /sc hourly /tn