In this second post of our threat hunting with Corelight and CrowdStrike blog series we dive into Persistence, which is one the many tactical categories outlined in the MITRE ATT&CK framework. In our previous blog, we reviewed some of the common techniques in the Initial Access category, like Drive-By Compromise and Spearphishing. In this post, we examine and provide some useful threat hunting tips on some of the common tactics attackers use to maintain long-term access to a target's environment.
While this blog only covers a handful of Persistence techniques, you may find it helpful to download the more comprehensive Corelight Threat Hunting Guide for CrowdStrike Falcon LogScale users that we published recently in collaboration with our strategic partner CrowdStrike. Our goal was to produce a useful resource for organizations to learn more about how our native integration across the CrowdStrike Falcon portfolio can elevate their threat detection capabilities and improve their threat hunting programs. If you're a threat hunter, you can find more details and tips on these and the other common MITRE ATT&CK TTPs we cover in the guide.
Before we start, it’s helpful to understand how MITRE defines Persistence. In their words,
Persistence consists of techniques adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. These include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.
When used effectively, attackers can use these Persistence techniques to maintain a stealthy foothold in your environment and remain undetected for months and even years. Insightful Corelight data in Falcon LogScale can help identify whether an adversary is hiding in your environment by monitoring your network traffic and providing the evidence that proves their existence. Without this evidence, threat hunters are often only guessing.
BITS Jobs
Let’s start with Microsoft Background Intelligent Transfer Service or “BITS.” This is a file transfer management system designed to optimize the download of Windows updates with minimal disruption to the end user. While BITS is a legitimate tool used by major software vendors for updating their software, it can be exploited by attackers in two primary ways. The one seen most often is when attackers use this trusted Windows service to create BITS transfer jobs to download malicious payloads while evading firewalls and other routine security measures. Secondly, BITS can be used to cleverly exfiltrate data through an upload job if there is a valid connection to a Microsoft IIS server, a pretty easy task even for a novice hacker.
BITS can transfer files using common protocols, such as HTTP, SSL, and SMB. For HTTP, it uses a unique identifier that doesn’t exist for SSL and SMB, which makes it easier to detect suspicious behavior. And since Windows systems regularly use this service, seeing BITS traffic isn't necessarily a red flag. If a BITS job does appear suspicious, threat hunters can follow their hunch by inspecting the Corelight http log for that unique user agent to see where BITS is sending or receiving traffic. If BITS is downloading files from a connection that doesn’t appear to be a legitimate software vendor or content network, it's worth a closer look, especially if you see file uploads, which is quite uncommon with typical software updates.
External Remote Services
Another adversary tactic in the Persistence category that is more often reflected in the Command and Control section of the ATT&CK framework is External Remote Services. This tactic allows an adversary to take advantage of a network’s external remote services to connect to internal enterprise resources from outside the organization. Services, such as VPNs and Remote Desktop connections, were designed to give legitimate users access and control to internal systems from the outside, which has become increasingly common with the surge of remote work environments. Because of this, hackers have been adept at abusing an organization’s External Remote Services capabilities to obfuscate their presence and remain undetected in the environment.
To detect suspicious external remote connections across your environment, an analyst can look through several fields in the Corelight connection log (conn log) to determine which connections are legitimate. Helpful conn log fields include:
- Id.orig_h - The IP address of the host that initiated the connection
- Id.resp_h - The IP address of the host that received the connection request
- Id.resp_p - The port number of the host that received the connection request
- Orig_bytes - The number of bytes sent by the host that initiated the connection
- Resp_bytes - The number of bytes sent by the host that received the connection request
Evidence of connections to external services that aren’t expected to be accessed from inside the network or large file transfers could be a sign of malicious behavior that should be looked into further.
The analyst might also use these Corelight logs to compile and compare a list of all the remote services being used to a list of all the remote services authorized by the IT team. Any discrepancies would either confirm a breach or expose a process error that the IT team should be made aware of.
Port Knocking
Port Knocking is a security measure designed to hide open ports on a system from access. Adversaries use this to expose these ports by sending a sequence of packets with certain characteristics to a server or firewall that they hope will unlock them. Upon receiving the correct sequence, a specific port is opened for the attacker to gain unauthorized access to the network. This method allows the attacker to bypass traditional security mechanisms that only monitor for suspicious activity on commonly used ports.
Here, too, Corelight's conn log can help threat hunters detect or confirm suspicious behavior by providing information on the protocols used for these connections. To find evidence of port knocking misuse, a threat hunter can review a variety of conn log fields, including the IP addresses and ports used to establish any suspicious connections.
- id_orig_h - This is the IP address of the system initiating the connection
- id_orig_p - This is the port from which the connection is initiated
- id_resp_h - This is the IP address of the system responding to the connection request
- id_resp_p - This is the port on which the connection response is sent
- history - The history of the connection
- conn_state - The state of the connection
Keep in mind, however, that spotting port knocking can be a challenge without additional clues because connection sequences used to subvert existing security mechanisms can easily blend in with regular network activity. Nevertheless, validating adversarial port knocking might include looking for clues in the logs of related systems that have been using these previously closed ports. Recognizing anomalous behavior here might point to suspicious activity.
This is just a sample of the Persistence techniques in the MITRE ATT&CK framework that adversaries use to maintain their foothold within the target network. With the extensive integration between Corelight's Open NDR Platform and CrowdStrike’s Falcon LogScale platform, threat hunters can easily search and visualize live and historical data that can help reveal attackers hiding in the network.
If what we covered here sparked your interest in how Corelight and CrowdStrike can help elevate your threat hunting program, I encourage you to download our free Corelight Threat Hunting Guide for CrowdStrike Falcon LogScale users. And remember, stay vigilant and take nothing for granted when it comes to threat hunting since adversaries are getting more clever and capable all the time.
