Persistence is the quality by which a threat continues to exploit a target while remaining undetected for a significant period of time. Rather than hitting a target and leaving right after, attackers will look for ways to maintain their foothold in the organization long after the main attack phase has concluded. Some of the goals involved in persistence include:
- Exfiltrating portions of sensitive data over a period of time rather than all at once. This is a stealthier approach than just overloading the network with the target data in one loud task.
- Exfiltrating sensitive data that changes over time. A customer records database will probably be continuously updated with information about individuals and organizations. Rather than capturing the database once at a specific point in time, the attacker could capture the database multiple times after it changes.
- Causing a sustained or repeated denial of service. Launching a DoS attack at a server once will take it down for a while, but recovery personnel will probably bring it right back up as soon as they can. With persistent access, an attacker could take down a server over and over again, despite the recovery team's best efforts.
- Monitoring user behavior over time. Sometimes, directly accessing people information isn't feasible or isn't stealthy enough, so an attacker might choose to monitor a user's behavior for the information they're looking for. For example, a keylogger installed on a public terminal might not reveal anything useful right away, but after a while, an administrator might enter their credentials into this terminal.
- Taunting or spreading confusion within an organization. It's mostly just annoying when an attacker compromises the means of communication to send a few taunting messages to personnel. However, attackers who maintain their compromise of communications over a long period of time can cause a great deal of consternation by harassing individuals and undermining the confidence they have in their colleagues and employer.
Compromise of systems, networks, applications, and other assets can persist for days, weeks, months, and even years. As a pen tester, you probably won't be maintaining your attack efforts for very long, but it depends on the scope of the test and how willing the organization is to leave their assets in a state of compromise. What's more likely is that you'll conduct efforts to prove that persistence is possible and has a high chance of occurring, and demonstrate it during the test and/or report on it afterward.
Advanced Persistent Threat
An advanced persistent threat (APT) is an implementation of persistence that relies on highly customized, complex exploits created and launched by groups of technically skilled individuals with a common goal. APTs tend to target large financial institutions, government agencies, and other organizations that hold a great deal of power over others. APTs have been known to go years before being discovered, exfiltrating significant volumes of sensitive data from a target or conducting sustained disruption of business operations. They are therefore some of the most insidious and harmful threats to targeted organizations.
Persistence Techniques Examples
There is not one catch-all method for initiating persistence on a network or system. Various techniques can help you maintain access or control over your targets. For example, certain user accounts are more closely monitored or more tightly access controlled than others. Creating a new account can help you bypass these restrictions when you need to authenticate. On Windows, you can create a new user through the command shell: net user jsmith /add and on Linux: useradd jsmith. Escalating the account's privileges can provide you with even more access. On Windows, net localgroup Administrators jsmith /add adds the account to the local Administrators group. On Linux, there are several ways to give root privileges to a user, including editing the /etc/passwd file and changing the user's user ID (UID) and group ID (GID) to 0.
New user creation is just one example of a persistence technique. Other common persistence techniques include:
- Remote access services.
- Scheduled tasks.
- Services and daemons.