Team: Huntress EDR
Environment: Platform, Portal, Persistence Mechanism
Summary: What is a Foothold?
Hunting for Persistent Footholds
Persistent Footholds was the first service developed by Huntress. While hunting for Persistent Footholds is now one of many services provided by the Huntress platform, it is still a unique differentiator that few can compete with in terms of function and no one can compete with in terms of value. The Persistent Footholds dashboard (account/footholds) gives you a clear picture of how many incidents Huntress identifies that utilized footholds to maintain persistence within your networks.
Huntress hunts for persistent footholds, but what is a foothold?
An attacker may only fool an end-user into clicking a malicious link once--only one chance to run their malware. But, often, what an attacker wants is for the malware to keep running long term, even after a reboot. To achieve this, an attacker will install persistence, or what we refer to as a foothold.
A foothold, or persistence, is simply an attacker mechanism to automatically re-trigger some malware (maybe a stub or even fully loaded malware) across potential interruptions like restarts or user logoffs.
In most cases, a foothold is implanted as soon as preventive defenses are evaded and initial access is achieved. It is an indicator that proves the attacker has already slipped by your defenses. A foothold is also a concrete, almost tangible thing that can be examined on the machine, which means we should be able to hunt for and detect it.
Here is a more specific definition from MITRE:
Why is removing persistent footholds important?
Persistence is kind of like the attacker getting a copy of the key to the front door after breaking in, giving them an opportunity to return once they’ve figured out their plan. Having access means the ability to re-execute some piece of malware code, maybe even one that beacons out waiting for further instructions.
“Malware can hide, but it must run” - Alissa Torres
Persistence gives malware the ability to run... and run and run over and over again, even in the event of an interruption such as a machine reboot or a user logoff. No need to regain that initial access through a new phishing email, a new brute force attempt, or finding a new exploitable vulnerability.
When you see a ransomware attack in the news, it's fair to assume that some sort of persistence was in play on almost every occasion.
To encrypt one machine, you need one user to click. To encrypt an entire network, you need time, which starts with persistence.
Doesn't every security company remove these? They tell me they do...
Human threat hunters are so important when hunting for persistent footholds because these footholds exploit core parts of the operating system. Autostarting components of the OS (aka autoruns) that can create persistence, such as run keys, system trays, and WMI events, are necessary for the machine to keep the wheels turning in the first place so you can keep doing your work. But they are also the perfect place for an attacker to hide.
As a defender, how can you separate the wheat from the chaff? How do you surface the autoruns that an attacker is abusing while leaving legitimate autoruns alone?
The key here is to avoid incorrectly turning off or eliminating legitimate autoruns that are needed by the OS and applications; doing this too much or too often can actually hurt way more than it helps.
Training a machine or a system to differentiate between the two is much easier said than done. And if the machine gets it wrong, there is a potential cost of breaking these core elements needed to run the machine. Simply put, security software can't solve this problem without humans. This is why attackers have evolved to live inside core components of the operating system where your security software isn't willing to risk blocking the wrong OS component, crashing the machine, and facing their worst-case scenario: being uninstalled.
Humans are needed in this hunt—they can learn quickly and are extremely good at discerning right from wrong.
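An added example (not Huntress code or detection logic) of the triage problem described above: it scores autorun entries and routes anything suspicious to a human review queue instead of removing it. The `Autorun` fields, the three patterns and the sample inventory are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class Autorun:
    source: str    # where the entry was collected, e.g. a run key or WMI consumer
    name: str
    command: str
    signed: bool   # assumed collector field: target binary has a valid signature

# Illustrative heuristics chosen for this example; real tuning needs analyst input.
USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata|users\\public)\\", re.I)
INTERPRETER = re.compile(
    r"\b(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|cmd)(\.exe)?\b", re.I)
ENCODED = re.compile(r"\s-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{16,}", re.I)

def reasons(entry):
    """List every heuristic the entry trips; an empty list means none."""
    checks = [
        ("unsigned", not entry.signed),
        ("user-writable location", bool(USER_WRITABLE.search(entry.command))),
        ("script host or LOLBin", bool(INTERPRETER.search(entry.command))),
        ("encoded command line", bool(ENCODED.search(entry.command))),
    ]
    return [label for label, hit in checks if hit]

def triage(entries):
    """Split entries into (review_queue, untouched); nothing is removed or disabled."""
    review = [(e, reasons(e)) for e in entries if reasons(e)]
    untouched = [e for e in entries if not reasons(e)]
    review.sort(key=lambda item: len(item[1]), reverse=True)  # most signals first
    return review, untouched

# Constructed sample inventory (not real telemetry).
SAMPLE = [
    Autorun("HKLM Run key", "SecurityHealth",
            r"%windir%\system32\SecurityHealthSystray.exe", True),
    Autorun("HKCU Run key", "OneDrive",
            r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background', True),
    Autorun("HKCU Run key", "Updater",
            "powershell.exe -w hidden -enc QQBCAEMARABFAEYARwBIAEkASgBLAEwA", True),
    Autorun("WMI event consumer", "HelperSvc", r"C:\ProgramData\svc\helper.exe", False),
]

if __name__ == "__main__":
    review, untouched = triage(SAMPLE)
    for entry, why in review:
        print(f"REVIEW  {entry.source:20} {entry.name:12} {', '.join(why)}")
    for entry in untouched:
        print(f"OK      {entry.source:20} {entry.name}")
```

The legitimate OneDrive entry lands in the queue, and the PowerShell entry counts as signed even though its command line is the suspicious part, which is why the output is a review queue for an analyst and not a removal list.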
“Cyber threat hunters […] must be unleashed on these networks to look for the hidden, persistent access controls. These information security professionals actively search for, isolate and remove advanced, malicious code that evades automated safeguards.” - Thomas Bossert, Former US Homeland Security Advisor
Check out our blog post for more information on how Huntress leverages footholds to find malware that slips past antivirus products: What is a Persistent Foothold