Anatomy of Persistence Techniques & Strategies to Detect
Download as PPTX, PDF0 likes124 views
The document discusses persistence techniques used by adversaries to maintain access to systems, detailing methods such as scheduled tasks, registry run keys, and leveraging Microsoft SQL Server. It provides insights into detecting such persistence, recommending auditing, monitoring account creations, and registry changes. The presentation also highlights the importance of awareness in blue team operations to counteract these techniques.
Anatomy of Persistence Techniques & Strategies to Detect
- 1. Anatomy of persistence techniques & strategies to detect
- 2. #whoami 👉 Chirag Savla 👉 Twitter – @chiragsavla94 👉 Interest area – Red Teaming, Application Security, Penetration Testing 2 Blog – https://3xpl01tc0d3r.blogspot.com
- 3. “As an offensive researcher, if you can dream it, someone has likely already done it… and that someone isn’t the kind of person who speaks at security cons. — Matt Graeber
- 4. Agenda ▸ Attack Kill Chain ▸ About Persistence ▸ Persistence Techniques ▸ Persistence Leveraging MSSQL ▸ Approach to Detect Persistence 4
- 5. Question ▸ Which Team do you belong to ? - Blue team (The Defenders) - Red team ( The Offensive Side) - Management / Executive - Others 5
- 9. About Persistence ▸ Persistence is any access, action, or configuration change to a system that gives an adversary a persistent presence on that system. ▸ Adversaries will often need to maintain access to systems through interruptions such as system restarts, loss of credentials, or other failures that would require a remote access tool to restart or alternate backdoor for them to regain access. 9
- 10. Question ▸ Do you think Antivirus (AV) solutions are enough to detect persistent malwares? - Yes, I have a next-gen AV - No - Don’t know 10
- 12. Persistence Techniques ▸ Schedule Task ▸ Registry Run Keys ▸ Startup Folders ▸ DLL Search Order Hijacking ▸ COM Hijacking ▸ Image File Execution Options Injection ▸ Logon Scripts ▸ Windows Management Instrumentation Event Subscription ▸ Account Manipulation ▸ Account Creation 12
- 13. 13 Persistence Leveraging MSSQL ▸What & Why MSSQL ? ▸Persistence Opportunities
- 14. What & Why MSSQL ? ▸ Microsoft SQL Server is a relational database management system developed by Microsoft. As a database server, it is a software product with the primary function of storing and retrieving data as requested by other software applications — which may run either on the same computer or on another computer across a network. ▸ SQL server mostly runs with privilege accounts which are useful for persistence. 14
- 15. Persistence Opportunities ▸ Startup Stored Procedures - Stored procedures marked for automatic execution are executed every time SQL Server starts. Its automatically executes with the same permissions as members of the sysadmin. ▸ Triggers - A trigger is a special type of stored procedure that automatically runs when an event occurs in the database server. There are 3 types of triggers DML, DDL and Logon. ▸ Registry Keys - Undocumented extended procedures allows sysadmins to read and write the registry keys. 15
- 16. Demo Time This is not rocket science. 16
- 17. 17 Approach to Detect Persistence ▸Enable auditing & logging ▸Tips for detecting persistence
- 18. Create and enable a SERVER AUDIT -- Select master database USE master -- Setup server audit to log to application log CREATE SERVER AUDIT Audit_StartUp_Procs TO APPLICATION_LOG WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE) -- Enable server audit ALTER SERVER AUDIT Audit_StartUp_Procs WITH (STATE = ON) 18
- 19. Create an enabled SERVER AUDIT SPECIFICATION -- Create server audit specification CREATE SERVER AUDIT SPECIFICATION Audit_StartUp_Procs_Server_Spec FOR SERVER AUDIT Audit_StartUp_Procs ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP), -- track group changes ADD (SERVER_OPERATION_GROUP), -- track server setting changes ADD (AUDIT_CHANGE_GROUP) -- track audit setting changes WITH (STATE = ON) 19
- 20. Create an enabled DATABASE AUDIT SPECIFICATION -- Create the database audit specification CREATE DATABASE AUDIT SPECIFICATION Audit_StartUp_Procs_Database_Spec FOR SERVER AUDIT Audit_StartUp_Procs ADD (EXECUTE ON master..sp_procoption BY public ) -- sp_procoption execution WITH (STATE = ON) GO 20
- 21. Demo Time This is not rocket science. 21
- 22. Tips for detecting persistence ▸Monitor Registry Changes – Sysmon Event ID 12,13,14 ▸Monitor Account Creation – Event ID 4720 ▸Monitor File Creations – Sysmon Event ID 11 ▸Monitor DLL loading – Sysmon Event ID 7 (ImageLoaded) ▸Monitor Schedule Task – Event ID 4698 22
- 23. Question ▸ How many of you are already monitoring these events? - All of them - Some of them - Haven't started yet 23
- 24. Credits Thanks to DNIF for granting me the privilege to present. Special thanks to Scott Sutherland for documenting the amazing ways to get persistence using MSSQL. 24
- 25. Reference ▸ https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/ ▸ https://blog.netspi.com/maintaining-persistence-via-sql-server-part-2-triggers/ ▸ https://blog.netspi.com/establishing-registry-persistence-via-sql-server-powerupsql/ ▸ https://attack.mitre.org/tactics/TA0003/ ▸ https://uncoder.io/ ▸ https://docs.microsoft.com/en-us/previous-versions/sql/sql-server-2008-r2/ms191129(v=sql.105) ▸ https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact- sql?view=sql-server-2017 ▸ https://docs.microsoft.com/en-us/sql/t-sql/statements/create-trigger-transact-sql?view=sql-server-2017 ▸ https://docs.microsoft.com/en-us/sql/relational-databases/triggers/implement-ddl-triggers?view=sql-server-2017 ▸ https://docs.microsoft.com/en-us/sql/relational-databases/triggers/ddl-event-groups?view=sql-server-2017 ▸ https://docs.microsoft.com/en-us/sql/relational-databases/triggers/create-dml-triggers?view=sql-server-2017 ▸ https://docs.microsoft.com/en-us/sql/relational-databases/triggers/logon-triggers?view=sql-server-2017 ▸ https://support.microsoft.com/en-us/help/887165/bug-you-may-receive-an-access-is-denied-error-message- when-a-query-cal ▸ https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon 25
- 26. 26 THANKS! Any questions? You can find me at @chiragsavla94