A Story of Persistance – Windows Part 1

By Ahmed Kasmani
Add comment
January 17, 2021
2 Min read
In Uncategorized
A

For a while I wanted to do a series of blog posts where I discuss the different types of persistence mechanisms in Windows, Linux and MacOS. Some procrastination has had the better of me.

This is the first part, hopefully more to come. I am going to try and add some more pertinent details.

Malwares use persistence mechanisms to keep access on a system across restarts. Mitre Att&ack talks about Persistence as a tactic, and all the persistence mechanisms are the techniques.

The way the articles will flow is as follows:

  1. Name and some details of the persistence mechanism.
  2. How it works.
  3. Threat actors or malware who use this consistently.
  4. How to set it up.
  5. How to detect it from the event logs.
  6. How to get more details about it, using tools like PowerShell, Autoruns or any other tool.
  7. How to remove it.

First persistence mechanism:

Name: Scheduled Task

Scheduled tasks are used to schedule some executable or command for execution at particular date or time. The schedule could be run periodically as well. More details here.

Threat actors/Malware which use it consistently are:

  1. Mummy Spider ( Emotet)
  2. Indrik Spider (Dridex)
  3. Wizard Spider (Trickbot)
  4. APT18 aka Dynamite Panda which is China Based Threat actor has also been known to use it.

Before setting up scheduled task, a little bit about my environment. I am using Windows 10 and I will try to use the terminal for most of the work.

Lets first enable the audit logs which will enable us to see the scheduled task creation in the Security Event Logs.

Command to enable required Audit logs:

auditpol /set /category:"Object Access" /success:enable /failure:enable

Command to setup Scheduled Task:

schtasks /create /tn "ASK Scheduled Task" /tr "c:\windows\system32\notepad.exe" /sc daily /st 04:23

Name of Task: ASK Scheduled Task

File to execute: c:\windows\system32\notepad.exe

Execution Period: Daily at 04:23.

Command to check the event logs for Scheduled Task creation, the event id for Scheduled Task Creation is 4698:

Get-WinEvent -FilterHashtable @{LogName="Security";ID=4698;} | Select *

Command to check details of the created task:

schtasks /query /fo list /v /tn "ASK Scheduled Task"

Delete the scheduled task:

schtasks /delete /F /tn "ASK Scheduled Task"

I think these details are concise enough, Screenshot of the commands executed below:

Next blog will be based on registry Run Key Persistence.

Chao!!!

About the author

Ahmed Kasmani
View all posts

Add comment

Read more

A Story of Persistance – Windows Part 2

By Ahmed Kasmani
In Uncategorized
2 Min read
A

This is the second part, first part is here. Malwares use persistence mechanisms to keep access on a system across restarts. Mitre Att&ack talks about Persistence as a tactic, and all the persistence mechanisms are the techniques. The way the articles will flow is the same as the first article: Name and some details of the persistence mechanism.How it works.Threat actors or malware...

Read onRead later

Home LAB for Security Research

By Ahmed Kasmani
In Uncategorized
5 Min read
H

In my first post, I want to talk about the setup for the homelab. As an InfoSec consultant it is imperative to have some semblance of a homelab. It serves as a playground for all things you want to learn and go deep into. Introduction My experience with setting up a homelab, has had its ups and down. Before moving to Australia my homelab was my beefed up MacBook Pro i7 – 16GB RAM and 1TB...

Read onRead later
By Ahmed Kasmani January 17, 2021
Add comment

Recent Posts

Recent Comments