Using persistence to maintain a foothold: Example and walkthrough
In this walkthrough, Keatron Evans demonstrates how threat actors can use persistence techniques like browser extensions to maintain long-term access.
Maintaining a foothold with MITRE ATT&CK techniques
Learn how threat actors use MITRE ATT&CK® persistence techniques to maintain a foothold in an environment. Then try the techniques yourself in the Infosec Skills cyber range.
Cyber Work listeners get free cybersecurity training resources. Click below to get your free courses and other materials.
Persistence techniques demo
The edited transcript of the persistence techniques demo walkthrough video is provided below, separated into each step Keatron covers in the video.
Persistence with the MITRE ATT&CK framework
(0:00- 0:39) Hello, my name is Keatron Evans, and I'm going to be showing you some advanced adversary tactics dealing with persistence. Now in the cyber range, we've mapped all of our exercises to the MITRE ATT&CK framework. And this one is no exception.
Persistence falls under the persistence parts of the framework, as well as some of the other areas in different phases where you might do persistence earlier, such as when you first get into the environment, but you might do it again at the end as you're heading out. This walkthrough will show you how some of that works and some of the better ways to gain persistence.
Let's go ahead and start up the environment.
Browser extensions
(0:40- 2:17). Alright, so now that we're into the environment, we're going to go ahead and start up Metasploit. That's what the MSF console is there for.
root@ip-172-20-23-169:/# msfconsole
Once we've started Metasploit, we're going to use this specific exploit. So the framework is now starting up, and then we're going to give it this instruction here to tell it to use this bootstrap add-on exploit here.
Sf6 > use exploit/multi/browser/firefox_xpi_bootstrapped_addon
It warns us we haven't actually set a payload, so it's defaulting to just a generic shell. And we're okay with that for now. If you want to use Meterpreter or something like that, you just do set payload, Windows Meterpreter, reverse TCP or whatever respective payload it is you want to use. At this point, we're gonna go ahead and run the exploit.
And you can see it started, so it's listening. Alright, so it says a URL and a local IP should be displayed. So this is basically telling you what your IP is and what port you're listening on waiting for that connection to come back on. In this case, it's 172.20.23.169, and the port is 4444. In other words, this payload is configured to where it's waiting for something on the other side to come back and connect to that port.
Connecting to the session
(2:18- 6:24) Let's move on to step two. It says connecting to the session. Now we're going to move over to the target machine and start Firefox. You will need to start Firefox from the terminal. So basically, it's saying we're going to go here to this target machine, we're going to open a terminal. And then from here, we're just simply going to actually start up Firefox.
Now once Firefox is running, it tells us that, in Firefox, we need to navigate to the local IP address listed earlier. You should be prompted to install the add-on. Essentially what's going on here is we're going to exploit something in the browser by having the browser visit that specific listener that we set up with Metasploit on the other side.
So we go back over here and record this information. We're going to want to browse to this HTTP location, which is the IP and the port 8080. What's going to happen is that the payload should launch for us, which then will allow us to get a shell back that's going to come on to port 4444.
So we go over to the victim, and we put that URL in our browser. We'll have the type that: 172.20.23.169. And then the port is going to be 8080. Then the URL, it's going to be this weird string of characters and numbers here.
All right, so now you can see when we browse there, a pop-up comes up here. We're gonna say “allow” and then we're gonna go ahead and install that add-on. It says it was installed successfully.
Once that add-on was installed, that actually exploited the browser. So if we go back to the listener on Kali, you can see that there is a session that's opened up now. As a result of that, we can hit Enter and connect to that session. As it says here in this step, in this case, it's going to be session one.
Now, we've started interaction, and we actually have a shell. We're connected to the machine that just launched that browser section.
So we're going to run touch /tmp/next. It's basically just simply creating a file name next. And what you can do is you can now verify that we've actually created that file on the other machine over here. The target actually has a filename “touch” that's been created on it as a result of what we did here.
So I want to stop there because I want to leave some fun for you to have. But as you can see, what we've done is we've created an exploit of persistence on the attacker side using Metasploit.
Now, we've got a backdoor that will allow us to connect to this victim anytime we want. And we did it in the form of a browser plug-in. That's where we started. So there are all kinds of other cool things that you'll see with this.
Modifying system processes
(6:25-7:39) We go in and modify, for example. We will look at the system processes and basically set it up to be more permanent. We're looking at this file here. We're going into it with Vim. And what it's actually telling you to do, it says to add a new program at the bottom of this. And it's basically going to be the one that we created.
So we're going to go into this file that we opened with Vim, go down to the bottom and go into insert mode here. We're hoping you remember how to do “Insert” from previous exercises. We're going to paste that in there.
Alright, and then we're going to save that so that it becomes part of this file. Notice when I did that, it actually gave me the green check mark to let me know it was completed.
Try this cyber range yourself
(7:40-8:29) Again, if you're new to this, of course, all the things I did like how I open the file in Vim, how I made the change, how I went into insert mode, how I told it to quit out with the wq with the colon in front — these are things that we teach you in so many more beginner-type labs.
But the cool thing about it is, again, all of these actually map to the MITRE framework. You can see this throughout all the labs, and you can see how to map.
Thank you for watching. If you want to do exercises, just like what I just showed you so you can practice and get good with it, then head on over to our free cybersecurity training resources page and create your free account so you can do exactly what you just saw me do in the Advanced Adversary Tactics Cyber Range. Thanks for watching.
In this Series
- Using persistence to maintain a foothold: Example and walkthrough
- Advanced adversary tactics and defense evasion: Lab and walkthrough
- Privilege escalation via cross-site scripting: Lab and walkthrough
- Executing the Sandworm APT: Lab and walkthrough
- Pivoting and proxychains with MITRE ATT&CK: Example and walkthrough
- Recon and resource development with MITRE ATT&CK: Example and walkthrough
- How to use the MITRE ATT&CK Matrix for Enterprise: Video walkthrough
- How to use MITRE ATT&CK Navigator: A step-by-step guide
- Most common MITRE ATT&CK tactics and techniques: CISA shares most common RVAs
- Using MITRE ATT&CK with cyber threat intelligence
- MITRE ATT&CK framework mitigations: An overview
- MITRE ATT&CK framework techniques, sub-techniques & procedures
- MITRE Shield: An active defense and adversary engagement knowledge base
- 7 Steps of the MITRE ATT&CK®-based Analytics Development Method
- How to Use MITRE ATT&CK® to Map Defenses and Understand Gaps
- Using MITRE ATT&CK®-based analytics for threat detection: 5 principles
- Use cases for implementing the MITRE ATT&CK® framework
- How to Use the MITRE ATT&CK® Framework and the Lockheed Martin Cyber Kill Chain Together
- How to use the MITRE ATT&CK® framework and diamond model of intrusion analysis together
- MITRE ATT&CK® Framework Tactics: An Overview
- MITRE ATT&CK® Framework Matrices: An Overview
- The Ultimate Guide to the MITRE ATT&CK® Framework
- MITRE ATT&CK spotlight: Process injection
- MITRE ATT&CK: System shutdown/reboot
- MITRE ATT&CK: Credential dumping
- MITRE ATT&CK: Endpoint denial of service
- MITRE ATT&CK: Disk content wipe
- MITRE ATT&CK: Disk structure wipe
- MITRE ATT&CK: Supply chain compromise
- MITRE ATT&CK: Shortcut modification
- MITRE ATT&CK: External remote service
- MITRE ATT&CK: Port knocking
- MITRE ATT&CK vulnerability spotlight: Forced authentication
- MITRE ATT&CK vulnerability spotlight: Exploitation for credential access
- MITRE ATT&CK: External remote services
- MITRE ATT&CK: Exploiting a public-facing application
- MITRE ATT&CK: Drive-by compromise
- MITRE ATT&CK vulnerability spotlight: Credentials in registry
- MITRE ATT&CK vulnerability spotlight: Credentials in files
- MITRE ATT&CK vulnerability spotlight: Brute force
- MITRE ATT&CK: Hardware Additions
- MITRE ATT&CK vulnerability spotlight: Bash history
- MITRE ATT&CK vulnerability spotlight: Account manipulation
- MITRE ATT&CK: Replication through removable media
- MITRE ATT&CK: Command-line interface
- MITRE ATT&CK: Network sniffing
- MITRE ATT&CK: Input capture
- MITRE ATT&CK: Audio Capture
- MITRE ATT&CK: Man-in-the-browser
- MITRE ATT&CK: Browser bookmark discovery
- MITRE ATT&CK: Clipboard data
Get free resources in your inbox!
Sign up for our newsletter and get free cybersecurity resources in your inbox every week. Prepare for your next cert, learn new skills, increase your salary and more!
MITRE ATT&CK™
