tively used system. Hence, they should function in a
reliable way as important OS processes are often exe-
cuted through these. Since privilege escalation is not
a goal of persistence, it was to be expected that few
methods would achieve it; this explains why no method
scores at least one point in the permission criterion.
The detection results were also to be expected because
we did not actively hide our actions. More advanced
malware will hide its activities in order to remain
undetected by Windows Defender and other defensive
mechanisms.
Consequently, the metric provides a simple measure
for comparing different OS versions and the methods
used by adversaries. It can be applied to more ad-
vanced methods used by APTs, and the results may
guide future improvements in the detection capabili-
ties of defensive mechanisms.
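The following PowerShell script is an added example and not part of the original paper or the authors' evaluation tooling. It snapshots three autostart locations that common Windows persistence methods abuse (Run/RunOnce registry keys, scheduled tasks and auto-start services); that these correspond to the methods evaluated in the paper is an assumption, and the list should be adjusted to the methods under test. Diffing a snapshot taken before installing the sample against one taken afterwards, and again after an OS update or with Windows Defender enabled, gives a defender-side check that mirrors the reliability and detection criteria discussed above.

```powershell
# Added example (not from the paper): inventory common Windows autostart
# locations so that a before/after comparison reveals which persistence
# method survived an update or a defensive mechanism. The set of locations
# is an assumption; extend it to cover the methods under test.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutostartInventory {
    $items = New-Object System.Collections.Generic.List[object]

    # Registry Run/RunOnce values (skip the PS* metadata properties that
    # Get-ItemProperty adds to its output object)
    foreach ($key in $runKeys) {
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -notmatch '^PS') {
                    $items.Add([pscustomobject]@{
                        Source  = 'Registry'
                        Name    = "$key\$($p.Name)"
                        Command = [string]$p.Value
                    })
                }
            }
        }
    }

    # Scheduled tasks outside Microsoft's own task folders, one entry per action
    Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
        foreach ($a in $_.Actions) {
            $items.Add([pscustomobject]@{
                Source  = 'ScheduledTask'
                Name    = "$($_.TaskPath)$($_.TaskName)"
                Command = "$($a.Execute) $($a.Arguments)".Trim()
            })
        }
    }

    # Services configured to start automatically at boot
    Get-CimInstance -ClassName Win32_Service | Where-Object { $_.StartMode -eq 'Auto' } | ForEach-Object {
        $items.Add([pscustomobject]@{
            Source  = 'Service'
            Name    = $_.Name
            Command = $_.PathName
        })
    }

    return $items
}

# Usage: take a baseline, apply the persistence method (or the update /
# enable the defensive mechanism), take a second snapshot and list what
# was added or removed between the two.
$before = Get-AutostartInventory
# ... run the persistence method under test here ...
$after  = Get-AutostartInventory
Compare-Object -ReferenceObject $before -DifferenceObject $after `
    -Property Source, Name, Command |
    Select-Object SideIndicator, Source, Name, Command |
    Format-Table -AutoSize
```

Entries marked `=>` exist only in the second snapshot and `<=` only in the first, so a method whose entry disappears after an update or after enabling Defender has failed the reliability or detection criterion for that configuration.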
7 CONCLUSION AND OUTLOOK
Being able to assess the effectiveness of persistence
methods relative to each other makes it possible to
understand the threat each method poses to IT infras-
tructure. Therefore, based on related work, we ex-
plained common persistence methods for the Windows
OS. We then described our methodology, consisting of
a workflow and a metric for evaluating persistence
methods. This methodology was applied to Windows
10, Windows 11, Windows Server 2019, and Windows
Server 2022 using a bind-shell executable as exemplary
malware. The evaluation was performed both without
and with defensive mechanisms activated. It shows
that most methods performed very similarly, likely be-
cause each abuses a feature integral to the Microsoft
Windows OS. The majority of methods reliably estab-
lish persistence that withstands updates of the OS.
Enabling Windows' built-in defensive mechanisms sig-
nificantly reduced the performance of the persistence
methods, which points to the effectiveness of current
protection measures against commonly used persis-
tence methods.
As a next step, more complex real-world malware,
including samples that use obfuscation, will be ap-
plied and analyzed for the distribution of persistence
methods it employs. Finally, we plan to evaluate addi-
tional methods as well as combinations of methods.
Evaluation of Persistence Methods Used by Malware on Microsoft Windows Systems