Using persistence to maintain a foothold: Example and walkthrough

November 29, 2022 by Bianca Gonzalez

In this walkthrough, Keatron Evans demonstrates how threat actors can use persistence techniques like browser extensions to maintain long-term access.

 

Maintaining a foothold with MITRE ATT&CK techniques

 

Learn how threat actors use MITRE ATT&CK® persistence techniques to maintain a foothold in an environment. Then try the techniques yourself in the Infosec Skills cyber range.


Persistence techniques demo

 

The edited transcript of the persistence techniques demo walkthrough video is provided below, separated into each step Keatron covers in the video.

 

Persistence with the MITRE ATT&CK framework

 

(0:00-0:39) Hello, my name is Keatron Evans, and I'm going to be showing you some advanced adversary tactics dealing with persistence. Now in the cyber range, we've mapped all of our exercises to the MITRE ATT&CK framework. And this one is no exception.

Persistence falls under the persistence parts of the framework, as well as some of the other areas in different phases where you might do persistence earlier, such as when you first get into the environment, but you might do it again at the end as you're heading out. This walkthrough will show you how some of that works and some of the better ways to gain persistence.

Let's go ahead and start up the environment.

 

Browser extensions

 

(0:40-2:17) Alright, so now that we're into the environment, we're going to go ahead and start up Metasploit. That's what the MSF console is there for.

root@ip-172-20-23-169:/# msfconsole

Once we've started Metasploit, we're going to use this specific exploit. So the framework is now starting up, and then we're going to give it this instruction here to tell it to use this bootstrap add-on exploit here.

msf6 > use exploit/multi/browser/firefox_xpi_bootstrapped_addon

It warns us we haven't actually set a payload, so it's defaulting to just a generic shell. And we're okay with that for now. If you want to use Meterpreter or something like that, you just do set payload, Windows Meterpreter, reverse TCP or whatever respective payload it is you want to use. At this point, we're gonna go ahead and run the exploit.

And you can see it started, so it's listening. Alright, so it says a URL and a local IP should be displayed. So this is basically telling you what your IP is and what port you're listening on waiting for that connection to come back on. In this case, it's 172.20.23.169, and the port is 4444. In other words, this payload is configured to where it's waiting for something on the other side to come back and connect to that port.

 

Connecting to the session

 

(2:18-6:24) Let's move on to step two. It says connecting to the session. Now we're going to move over to the target machine and start Firefox. You will need to start Firefox from the terminal. So basically, it's saying we're going to go here to this target machine, we're going to open a terminal. And then from here, we're just simply going to actually start up Firefox.

Now once Firefox is running, it tells us that, in Firefox, we need to navigate to the local IP address listed earlier. You should be prompted to install the add-on. Essentially what's going on here is we're going to exploit something in the browser by having the browser visit that specific listener that we set up with Metasploit on the other side.

So we go back over here and record this information. We're going to want to browse to this HTTP location, which is the IP and the port 8080. What's going to happen is that the payload should launch for us, which then will allow us to get a shell back that's going to come on to port 4444.

So we go over to the victim, and we put that URL in our browser. We'll have to type that: 172.20.23.169. And then the port is going to be 8080. Then the URL, it's going to be this weird string of characters and numbers here.

All right, so now you can see when we browse there, a pop-up comes up here. We're gonna say “allow” and then we're gonna go ahead and install that add-on. It says it was installed successfully.

Once that add-on was installed, that actually exploited the browser. So if we go back to the listener on Kali, you can see that there is a session that's opened up now. As a result of that, we can hit Enter and connect to that session. As it says here in this step, in this case, it's going to be session one.

Now, we've started interaction, and we actually have a shell. We're connected to the machine that just launched that browser section.

So we're going to run touch /tmp/next. It's basically just simply creating a file named next. And what you can do is you can now verify that we've actually created that file on the other machine over here. The target actually has a filename “touch” that's been created on it as a result of what we did here.

So I want to stop there because I want to leave some fun for you to have. But as you can see, what we've done is we've created an exploit of persistence on the attacker side using Metasploit.

Now, we've got a backdoor that will allow us to connect to this victim anytime we want. And we did it in the form of a browser plug-in. That's where we started. So there are all kinds of other cool things that you'll see with this.

 

Modifying system processes

 

(6:25-7:39) We go in and modify, for example. We will look at the system processes and basically set it up to be more permanent. We're looking at this file here. We're going into it with Vim. And what it's actually telling you to do, it says to add a new program at the bottom of this. And it's basically going to be the one that we created.

So we're going to go into this file that we opened with Vim, go down to the bottom and go into insert mode here. We're hoping you remember how to do “Insert” from previous exercises. We're going to paste that in there.

Alright, and then we're going to save that so that it becomes part of this file. Notice when I did that, it actually gave me the green check mark to let me know it was completed.

 

Try this cyber range yourself

 

(7:40-8:29) Again, if you're new to this, of course, all the things I did like how I open the file in Vim, how I made the change, how I went into insert mode, how I told it to quit out with the wq with the colon in front — these are things that we teach you in so many more beginner-type labs.

But the cool thing about it is, again, all of these actually map to the MITRE framework. You can see this throughout all the labs, and you can see how to map.

Thank you for watching. If you want to do exercises, just like what I just showed you so you can practice and get good with it, then head on over to our free cybersecurity training resources page and create your free account so you can do exactly what you just saw me do in the Advanced Adversary Tactics Cyber Range. Thanks for watching.
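One defender-side check for the browser-extension persistence shown in the walkthrough, added here as an example (it is not part of Keatron's demo or the Infosec cyber range): the script parses a Firefox profile's extensions.json and flags add-ons that are unsigned or were installed from somewhere other than addons.mozilla.org. The sample file is constructed, and the field names and the signedState constant are assumptions about Firefox's real format.

```python
import json
from datetime import datetime, timezone
from urllib.parse import urlparse

SIGNED_OK = 2  # assumed to match Firefox's AddonManager.SIGNEDSTATE_SIGNED

# Constructed extensions.json excerpt; field names assumed to mirror a real
# Firefox profile (addons[].id, type, signedState, installDate in ms since the
# epoch, defaultLocale.name, sourceURI). Entry two is an unsigned add-on that
# came from a web listener rather than addons.mozilla.org.
SAMPLE_EXTENSIONS_JSON = json.dumps({
    "schemaVersion": 35,
    "addons": [
        {"id": "uBlock0@raymondhill.net", "type": "extension", "signedState": 2, "active": True,
         "installDate": 1640000000000, "defaultLocale": {"name": "uBlock Origin"},
         "sourceURI": "https://addons.mozilla.org/firefox/downloads/file/1/x.xpi"},
        {"id": "{constructed-0001}", "type": "extension", "signedState": 0, "active": True,
         "installDate": 1669680000000, "defaultLocale": {"name": "Update Helper"},
         "sourceURI": "http://203.0.113.5:8080/constructed.xpi"},
    ],
})

def suspicious_addons(extensions_json, trusted_hosts=("addons.mozilla.org",)):
    """Return [(addon id, name, install date, [reasons])] for add-ons worth triage."""
    findings = []
    for addon in json.loads(extensions_json).get("addons", []):
        if addon.get("type") != "extension":
            continue  # themes, dictionaries and language packs are out of scope here
        reasons = []
        if addon.get("signedState") != SIGNED_OK:
            reasons.append("unsigned or not signed by Mozilla")
        src = addon.get("sourceURI") or ""
        host = urlparse(src).hostname or ""
        if host not in trusted_hosts:
            reasons.append("installed from untrusted source: " + (src or "unknown"))
        if src.startswith("http://"):
            reasons.append("fetched over plaintext HTTP")
        if reasons:
            installed = datetime.fromtimestamp(addon.get("installDate", 0) / 1000, timezone.utc)
            name = addon.get("defaultLocale", {}).get("name", "")
            findings.append((addon["id"], name, installed.date().isoformat(), reasons))
    return findings

if __name__ == "__main__":
    for addon_id, name, installed, reasons in suspicious_addons(SAMPLE_EXTENSIONS_JSON):
        print(f"{installed} {addon_id} ({name}): {'; '.join(reasons)}")
```

Point it at a real profile by passing the contents of `~/.mozilla/firefox/<profile>/extensions.json` to suspicious_addons; the install date is what lets you line a finding up with proxy or endpoint logs from the same day.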

Bianca Gonzalez

Bianca Gonzalez is a writer, researcher and queer Latina brain cancer survivor who specializes in inclusive B2B insights and multicultural marketing. She completed over 400 hours of community service as a college student.