Persistence

Techniques

ID  Name  Description

EST000034  Account Manipulation
A Cyber Embedded Technique in which an adversary manipulates accounts to maintain access to credentials and certain permission levels within an environment.

Manipulation could consist of modifying permissions, modifying credentials, adding or changing permission groups, modifying account settings, or modifying how authentication is performed. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to subvert password duration policies and preserve the life of compromised credentials. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain.
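The "iterative password updates" case above is the one most easily caught in telemetry. The following is an added detection example, not part of the technique catalogue: it reads a constructed sample of Windows Security password-change records (event 4723, an account changing its own password; 4724, a reset by another principal) in a CSV layout chosen for this example, and flags any account whose password changed several times inside a short sliding window. The field layout and the thresholds are assumptions; map a real log export to them and set the window at or above the domain's minimum password age.

```python
"""Detect password-change churn that keeps a compromised credential alive.

Added example, not part of the technique catalogue. SAMPLE_LOG is constructed
data in a layout chosen for this example:
    timestamp,event_id,target_user,subject_user
Event 4723 = account changed its own password, 4724 = reset by another
principal. Cycling a password several times in quick succession is the move
that defeats minimum-age and password-history policies.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-03-01T08:00:00Z,4723,svc_backup,svc_backup
2024-03-01T08:02:10Z,4723,svc_backup,svc_backup
2024-03-01T08:02:45Z,4723,svc_backup,svc_backup
2024-03-01T08:03:30Z,4723,svc_backup,svc_backup
2024-03-01T09:15:00Z,4724,jdoe,helpdesk01
2024-03-02T10:00:00Z,4723,asmith,asmith
2024-03-20T10:00:00Z,4723,asmith,asmith
"""

PASSWORD_CHANGE_EVENTS = {"4723", "4724"}


def parse_events(text):
    """Yield (timestamp, event_id, target, subject) for password-change records."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, target, subject = line.split(",")
        if event_id in PASSWORD_CHANGE_EVENTS:
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event_id, target, subject


def find_password_churn(text, min_changes=3, window=timedelta(hours=1)):
    """Return {account: peak number of changes inside any sliding `window`}
    for accounts that reach `min_changes`. Both thresholds are assumptions
    of this example; tune them to the environment's password policy."""
    by_account = defaultdict(list)
    for ts, _, target, _ in parse_events(text):
        by_account[target].append(ts)

    flagged = {}
    for account, stamps in by_account.items():
        stamps.sort()
        peak, start = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # drop events that fell out of the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_changes:
            flagged[account] = peak
    return flagged


if __name__ == "__main__":
    for account, n in find_password_churn(SAMPLE_LOG).items():
        print(f"{account}: {n} password changes within 1h")
```

On the sample, only svc_backup (four changes in under four minutes) is reported; the help-desk reset of jdoe and asmith's two changes weeks apart are normal. Pair the hit with the subject_user field: a service account resetting itself from an interactive session is the pattern to chase.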

EST000035  Bootkit
A Cyber Embedded Technique in which an adversary uses bootkits to persist on systems at a layer below the operating system.

This may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.

EST000036  Persistent Firmware
A Cyber Embedded Technique in which an adversary employs sophisticated means to compromise computer components and install malicious firmware that executes adversary code outside the operating system and main system, in the firmware or BIOS of the component itself.

This technique may be similar to System Firmware but is conducted against other system components that may not have the same capability or level of integrity checking. Malicious device firmware can provide a persistent level of access to systems despite the typical failures of other access mechanisms and despite hard disk re-images, as well as a way to evade host software-based defenses and integrity checks.

An easy point of access for an adversary is the Ethernet card, which may have its own CPU, RAM, and operating system. The adversary may attack, and likely exploit, the computer on the Ethernet card. Exploitation of the Ethernet card computer may enable the adversary to accomplish additional attacks, such as the following:

Delayed Attack: The adversary may stage an attack in advance and choose when to launch it, such as at a particularly damaging time.

Brick the Ethernet Card: Malicious firmware may be programmed to result in an Ethernet card failure, requiring a factory return.

"Random" Attack or Failure: The adversary may load malicious firmware onto multiple field devices. Execution of an attack and the time it occurs is generated by a pseudo-random number generator.

A Field Device Worm: The adversary may choose to identify all field devices of the same model, with the end goal of performing a device-wide compromise.

Attack Other Cards on the Field Device: Although it is not the most important module in a field device, the Ethernet card is most accessible to the adversary and malware. Compromise of the Ethernet card may provide a more direct route to compromising other modules, such as the CPU module.

EST000037  Create Account
A Cyber Embedded Technique in which an adversary with a sufficient level of access creates a local system, domain, or cloud tenant account.

Such accounts provide persistence without requiring persistent remote access tools to be deployed on the system.

EST000038  External Remote Services
A Cyber Embedded Technique in which an adversary uses remote services to initially access and/or persist within a network.

Access to valid accounts to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network. Access to remote services may be used as part of Redundant Access during an operation and could include data links used to provide services on a platform.

EST000039  File System Permissions Weakness
A Cyber Embedded Technique in which an adversary replaces legitimate binaries with malicious ones as a means of executing code at a higher permission level.

If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.

Processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include root/SYSTEM/administrator/etc.
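The weakness described above is mechanical to check for: a binary that a privileged process executes is replaceable if the file is writable by non-owners, or if its parent directory is writable by non-owners (the attacker unlinks and recreates it) and lacks the sticky bit. The following is an added example, not part of the technique catalogue. It builds a throwaway directory tree with deliberately weak permissions (constructed data) and audits it the way one would audit the targets of root-owned cron jobs, systemd units, or service binaries. The file names and layout are this example's own.

```python
"""Audit binaries run by a privileged process for the replaceable-binary weakness.

Added example, not from the technique catalogue. build_demo_tree() creates
constructed sample files with deliberately weak modes; audit() reports the
conditions under which an unprivileged user could swap the binary out.
"""
import os
import stat
import tempfile


def _writable_by_others(st):
    """True if group or world hold write permission on the inode."""
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_binary(path):
    """Return a list of weakness descriptions for one binary (empty = OK)."""
    findings = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        findings.append("symlink: target may be swapped")
        st = os.stat(path)                      # inspect what the link resolves to
    if _writable_by_others(st):
        findings.append("binary writable by group/other")
    parent = os.stat(os.path.dirname(path))
    # A writable parent lets an attacker rename/unlink and recreate the file
    # even when the file itself is 0755; the sticky bit blocks that for others.
    if _writable_by_others(parent) and not (parent.st_mode & stat.S_ISVTX):
        findings.append("parent directory writable by group/other without sticky bit")
    return findings


def audit(paths):
    """Map each path to its findings, keeping only the weak ones."""
    return {p: f for p in paths if (f := audit_binary(p))}


def build_demo_tree(root):
    """Create constructed sample binaries under `root`; returns their paths.

    good/backup.sh   0755 in a 0755 directory  -> fine
    good/rotate.sh   0777 in a 0755 directory  -> file itself replaceable
    bad/cleanup.sh   0755 in a 0777 directory  -> replaceable via the directory
    """
    good_dir = os.path.join(root, "good")
    bad_dir = os.path.join(root, "bad")
    os.makedirs(good_dir)
    os.makedirs(bad_dir)
    ok = os.path.join(good_dir, "backup.sh")
    weak_file = os.path.join(good_dir, "rotate.sh")
    weak_dir = os.path.join(bad_dir, "cleanup.sh")
    for p in (ok, weak_file, weak_dir):
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\necho hello\n")
    os.chmod(good_dir, 0o755)
    os.chmod(ok, 0o755)
    os.chmod(weak_file, 0o777)
    os.chmod(weak_dir, 0o755)
    os.chmod(bad_dir, 0o777)
    return ok, weak_file, weak_dir


def demo():
    """Build the sample tree in a temp dir, audit it, return findings keyed by relative path."""
    with tempfile.TemporaryDirectory() as root:
        paths = build_demo_tree(root)
        return {os.path.relpath(p, root): f for p, f in audit(paths).items()}


if __name__ == "__main__":
    for path, findings in demo().items():
        print(path, "->", "; ".join(findings))
```

In a real audit, feed audit() the ExecStart targets from unit files, the command columns of root crontabs, or the ImagePath values of services rather than a demo tree; the two checks are the same. Note that mode bits are only half the story on Windows, where the equivalent check is the DACL on the file and its directory.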

EST000040  Hidden Files and Directories
A Cyber Embedded Technique in which an adversary hides files and folders anywhere on the system for persistence and for evading a typical user or system analysis that does not incorporate investigation of hidden files.

To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a 'hidden' file. These files do not show up when a user browses the file system with a GUI or uses normal commands on the command line. Users must explicitly ask to show hidden files, either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a on Windows and ls -a on Linux and macOS).

EST000041  Persistence Hooking
A Cyber Embedded Technique in which an adversary uses hooking to load and execute malicious code within the context of another process.

This technique could mask the execution while simultaneously allowing access to the process's memory and possibly elevated privileges. Installing hooking mechanisms may also provide Persistence via continuous invocation when the hooked functions are called through normal use.

Malicious hooking mechanisms may also capture API calls that include parameters that reveal user authentication credentials for Credential Access.

Hooking is commonly utilized by Rootkits to conceal files, processes, Registry keys, and other objects in order to hide malware and associated behaviors.

EST000042  Hypervisor
A Cyber Embedded Technique in which an adversary establishes a malicious type-1 hypervisor to persist on systems at a layer below the guest operating system, where it survives interruptions to the guest.

A type-1 hypervisor is a software layer that sits between the guest operating systems and the system's hardware. It presents a virtual running environment to an operating system. An example of a common hypervisor is Xen. A type-1 hypervisor operates at a level below the operating system and could be designed with Rootkit functionality to hide its existence from the guest operating system.

EST000043  Kernel Modules and Extensions
A Cyber Embedded Technique in which an adversary uses loadable kernel modules to covertly persist on a system and evade defenses.

Loadable Kernel Modules (LKMs) are pieces of code that can be loaded into and unloaded from the kernel on demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system. When used maliciously, LKMs can form a kernel-mode Rootkit that runs with the highest operating system privilege (Ring 0). Examples have been found in the wild and there are some open source projects.

EST000044  Local Job Scheduling
A Cyber Embedded Technique in which an adversary utilizes the job scheduling mechanisms of the operating system to schedule background tasks.

EST000045  Modify Existing Service
A Cyber Embedded Technique in which an adversary modifies an existing service to persist malware on a system by using system utilities or by using custom tools to interact with the Windows API.

Use of existing services is a type of Masquerading that may make detection analysis more challenging. Modifying existing services may interrupt their functionality or may enable services that are disabled or otherwise not commonly used.

Adversaries may also intentionally corrupt or kill services to execute malicious recovery programs/commands.

EST000046  New Service
A Cyber Embedded Technique in which an adversary installs a new service that can be configured to execute at startup by using utilities to interact with services or by directly modifying the Registry.

When operating systems boot up, they can start programs or applications called services that perform background system functions. A service's configuration information, including the file path to the service's executable, is stored in the Windows Registry.

The service name may be disguised by using a name from a related operating system or benign software with Masquerading. Services may be created with administrator privileges but are executed under root/admin/SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to root/admin/SYSTEM. Adversaries may also directly start services through Service Execution.

EST000047  Path Interception
A Cyber Embedded Technique in which an adversary uses file placement strategies to execute malicious applications instead of the intended application.

Path interception occurs when an executable is placed in a specific path so that it is executed by an application instead of the intended target. One example of this was the use of a copy of cmd in the current working directory of a vulnerable application that loads a CMD or BAT file with the CreateProcess function.

There are multiple distinct weaknesses or misconfigurations that adversaries may take advantage of when performing path interception: unquoted paths, path environment variable misconfigurations, and search order hijacking. The first vulnerability deals with full program paths, while the second and third occur when program paths are not specified. These techniques can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process.
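The first of the three weaknesses, unquoted paths, can be enumerated exactly: when a service's ImagePath is unquoted and contains spaces, CreateProcess tries each space-delimited prefix with ".exe" appended before reaching the intended binary, and the first prefix whose parent directory the adversary can write to is the interception point. The following is an added example, not part of the technique catalogue. The service records are constructed, in a (name, image_path) layout that is this example's own rather than a registry export format, and the assumption that the executable token ends in ".exe" (anything after it is arguments) is the example's heuristic.

```python
"""Enumerate the interception points created by an unquoted service path.

Added example, not from the technique catalogue. SAMPLE_SERVICES is constructed
data in a layout chosen here; on a real host the same strings come from the
ImagePath values under HKLM\\SYSTEM\\CurrentControlSet\\Services.
"""
import re

SAMPLE_SERVICES = [
    ("GoodSvc", '"C:\\Program Files\\Good Vendor\\good.exe" -service'),   # quoted: safe
    ("TightSvc", "C:\\Windows\\System32\\svchost.exe -k netsvcs"),        # no spaces: safe
    ("LooseSvc", "C:\\Program Files\\Loose Vendor\\Agent Tools\\agent.exe -k run"),
]


def executable_part(image_path):
    """Return the executable portion of an ImagePath, or None when it is quoted.

    Assumption of this example: the executable token ends with '.exe' and
    everything after it is arguments.
    """
    path = image_path.strip()
    if path.startswith('"'):
        return None                      # quoted: CreateProcess has no ambiguity
    m = re.search(r"\.exe\b", path, re.IGNORECASE)
    return path[: m.end()] if m else path


def interception_candidates(image_path):
    """List the paths Windows would try before the real binary, in lookup order.

    'C:\\Program Files\\Loose Vendor\\Agent Tools\\agent.exe' yields
    'C:\\Program.exe', 'C:\\Program Files\\Loose.exe',
    'C:\\Program Files\\Loose Vendor\\Agent.exe' in that order.
    """
    exe = executable_part(image_path)
    if exe is None:
        return []
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]


def audit_services(services):
    """Map service name -> candidate interception paths, for vulnerable services only."""
    return {name: c for name, path in services if (c := interception_candidates(path))}


if __name__ == "__main__":
    for name, candidates in audit_services(SAMPLE_SERVICES).items():
        print(name)
        for c in candidates:
            print("   would try:", c)
```

On a live host, the input list is what `Get-CimInstance Win32_Service | Select-Object Name, PathName` returns; the candidates whose parent directory is writable by a standard user (for the sample, that is rarely C:\ but often a vendor directory under C:\Program Files) are the ones that matter. The fix is to quote the ImagePath, which makes executable_part() return None and the candidate list empty.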

EST000048  Port Knocking - Serial Bus
A Cyber Embedded Technique in which an adversary unlocks hidden, undocumented, or adversary-controlled services on a serial bus by sending a specific sequence of commands to different subaddresses on a known terminal address.

This sequence, analogous to 'port knocking' in network protocols, acts as a 'key' to enable the service. The adversary discovers this 'knock' sequence by observing serial bus traffic and analyzing the responses from the subsystem. Once the correct 'knock' is performed, the service is activated, potentially granting the adversary persistence. While not directly opening firewall ports as in traditional network port knocking, this technique similarly relies on a specific, pre-defined sequence to gain access to a protected resource.

EST000049  Port Monitors - Serial Bus
A Cyber Embedded Technique in which an adversary gains persistence on a serial bus by exploiting a vulnerable or misconfigured port monitor.

Typically, port monitors are designed to passively observe serial bus traffic in a receive-only mode for debugging or analysis purposes. The adversary exploits a weakness to switch the port monitor into transmit mode. By transmitting malicious commands or data onto the bus using the compromised port monitor, the adversary can modify system configurations, inject malicious code, or install backdoors, thereby establishing persistence on the serial bus.

EST000050  Redundant Access Points
A Cyber Embedded Technique in which an adversary uses more than one remote access tool with varying command and control protocols or credentialed access to remote services so they can maintain access if an access mechanism is detected or mitigated.

If one type of tool is detected and blocked or removed as a response but the organization did not gain a full understanding of the adversary's tools and access, then the adversary will be able to retain access to the network. Adversaries may also attempt to gain access to Valid Accounts to use External Remote Services such as external VPNs as a way to maintain access despite interruptions to remote access tools deployed within a target network. Adversaries may also retain access through cloud-based infrastructure and applications.

Use of a Web Shell is one such way to maintain access to a network through an externally accessible Web server.

EST000051  Startup Items
A Cyber Embedded Technique in which an adversary creates the appropriate folders/files in the startup directory to register their own persistence mechanism.

EST000052  Evasive System Firmware
A Cyber Embedded Technique in which an adversary utilizes the BIOS (Basic Input/Output System) or similar capabilities as a way to interject executable code prior to operating system boot.

The BIOS (Basic Input/Output System) and the Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and the hardware of a computer.

Capabilities exist to overwrite the system firmware, which may give sophisticated adversaries a means to install malicious firmware updates as a means of persistence on a system that may be difficult to detect.

EST000053  Time Providers
A Cyber Embedded Technique in which an adversary abuses the Windows Time service's provider architecture to establish Persistence, specifically by registering and enabling a malicious DLL as a time provider.

The Windows Time service (W32Time) enables time synchronization across and within domains. W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients.

Time providers are implemented as dynamic-link libraries (DLLs) that are registered in the subkeys of HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\. The time provider manager, directed by the service control manager, loads and starts time providers listed and enabled under this key at system startup and/or whenever parameters are changed.

Administrator privileges are required for time provider registration, though execution will run in context of the Local Service account.
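Because every provider the time provider manager will load is listed under that key, the key itself is the detection surface. The following is an added example, not part of the technique catalogue: it parses a constructed export of the TimeProviders key in the format `reg.exe export` writes (bracketed key paths, "name"="string" with doubled backslashes, "name"=dword:hex) and reports every enabled provider whose name is not one of the stock providers or whose DLL is not the stock w32time.dll or vmictimeprovider.dll under the system directory. The known-good set and the sample values are this example's assumptions; extend the set for your fleet.

```python
"""Audit W32Time time providers from a registry export.

Added example, not from the technique catalogue. SAMPLE_REG is a constructed
export of HKLM\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProviders with
two planted problems: NtpServer repointed at a DLL outside System32, and an
extra provider "NtpClient2" loading a DLL from a user-writable directory.
Real exports are UTF-16LE text; decode them before passing them to parse_reg().
"""
import re

TIME_PROVIDERS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders"
# Stock providers and the DLL each is expected to load (assumption of this example).
KNOWN_PROVIDERS = {
    "NtpClient": "w32time.dll",
    "NtpServer": "w32time.dll",
    "VMICTimeProvider": "vmictimeprovider.dll",
}
SYSTEM_DIRS = ("%systemroot%\\system32\\", "c:\\windows\\system32\\")

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient]
"DllName"="%systemroot%\\system32\\w32time.dll"
"Enabled"=dword:00000001
"InputProvider"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer]
"DllName"="C:\\ProgramData\\w32time.dll"
"Enabled"=dword:00000001
"InputProvider"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider]
"DllName"="%systemroot%\\system32\\vmictimeprovider.dll"
"Enabled"=dword:00000001
"InputProvider"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient2]
"DllName"="C:\\Users\\Public\\w32tm_helper.dll"
"Enabled"=dword:00000001
"InputProvider"=dword:00000001
"""


def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: value}}.

    Handles REG_SZ ("..." with doubled backslashes) and REG_DWORD (dword:hex);
    other value types are kept as their raw text.
    """
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'"([^"]+)"=(.*)', line)
        if not m or current is None:
            continue
        name, raw = m.groups()
        if raw.startswith("dword:"):
            keys[current][name] = int(raw[6:], 16)
        elif raw.startswith('"') and raw.endswith('"'):
            keys[current][name] = raw[1:-1].replace("\\\\", "\\")
        else:
            keys[current][name] = raw
    return keys


def audit_time_providers(keys):
    """Return [(provider_name, dll, reason)] for enabled providers that look wrong."""
    findings = []
    prefix = TIME_PROVIDERS_KEY.lower() + "\\"
    for key, values in keys.items():
        if not key.lower().startswith(prefix):
            continue
        name = key[len(prefix):]
        if values.get("Enabled", 0) != 1:
            continue                                   # disabled providers are not loaded
        dll = values.get("DllName", "")
        dll_l = dll.lower()
        in_sysdir = any(dll_l.startswith(d) for d in SYSTEM_DIRS)
        basename = dll_l.rsplit("\\", 1)[-1]
        expected = KNOWN_PROVIDERS.get(name)
        if expected is None:
            findings.append((name, dll, "unknown provider name"))
        elif not in_sysdir or basename != expected:
            findings.append((name, dll, "unexpected DLL for known provider"))
    return findings


if __name__ == "__main__":
    for name, dll, reason in audit_time_providers(parse_reg(SAMPLE_REG)):
        print(f"{name}: {reason} ({dll})")
```

To run it against a host, export the key with `reg export HKLM\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders providers.reg` and decode the file as UTF-16 before calling parse_reg(). The two planted entries are the two the audit reports; a hit on a known name with an unexpected DLL is the "modify" variant of this technique, a hit on an unknown name the "register" variant. Remember that the DLL executes as Local Service, so also check the file's code signature and its directory's DACL, not just its path.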

EST000054  Persistence via Valid Accounts
A Cyber Embedded Technique that mirrors the ATT&CK Enterprise technique Valid Accounts (T1078).

EST000055  Modify OS Kernel or Boot Partition
A Cyber Embedded Technique in which an adversary with escalated privileges places malicious code in the device kernel or other boot partition to maintain a persistent presence on a system.

If an adversary can escalate the privileges of malicious code, the code may persist after device resets and may not be removable by the device user. In some cases (e.g., the Samsung Knox warranty bit as described under Detection), the attack may be detected but could result in the device being placed in a state that no longer allows certain functionality.

EST000056  Modify System Partition
A Cyber Embedded Technique in which an adversary escalates privileges and uses them to place malicious code in the device system partition.

If an adversary can escalate the privileges of malicious code, the code may persist after device resets and may not be easily removed by the device user.

EST000057  Modify Trusted Execution Environment
A Cyber Embedded Technique in which an adversary escalates privileges and uses them to place malicious code in the device's Trusted Execution Environment (TEE).

If an adversary can escalate the privileges of malicious code, the code may evade detection, may persist after device resets, and may not be removable by the device user. Running code within the TEE may provide an adversary with the ability to monitor or tamper with overall device behavior.

EST000058  Modify NVRAM Code and Configuration
A Cyber Embedded Technique in which an adversary modifies code or configuration data stored in Non-Volatile Random-Access Memory (NVRAM) to achieve persistence on a subsystem.

NVRAM is targeted because it retains its data even after a reboot, making it a reliable location to store malicious code or configurations. This technique exploits the fact that NVRAM often stores boot configuration data, early initialization code, or device drivers loaded during system startup. By modifying these elements, the adversary can gain control early in the boot sequence and ensure that malware is executed automatically after each reboot. This technique may involve exploiting vulnerabilities in the NVRAM update process, bypassing security mechanisms designed to protect NVRAM contents, or directly manipulating NVRAM data through hardware interfaces. Because NVRAM implementations are highly platform-specific, successful exploitation often requires detailed knowledge of the target system's hardware architecture and boot process.

EST000059  Supply Chain and Third-Party Library
A Cyber Embedded Technique in which an adversary utilizes COTS or GOTS third-party libraries with an implanted vulnerability to gain persistence on a subsystem that meets a specific hardware and software profile.

EST000060  Embedded Software
A Cyber Embedded Technique in which an adversary exploits vulnerabilities specific to embedded software to implant code into persistent memory.

EST000061  Operational Data Files
A Cyber Embedded Technique in which an adversary modifies operational data files so that, when they are loaded by various means, they are processed in a malicious manner and give the adversary persistence on a subsystem.