Network attacks and how they achieve persistence

lunarlander

Oct 8, 2017
Hi,

I am interested in finding out how a network-based attack achieves persistence and methods to stop it from achieving persistence.

Let's say a network attack exploit successfully works, and a minimal payload is now in RAM. How does it survive a reboot? I have a long list of registry keys to check against for starting programs, if I had made a baseline first. But I don't know if that list is exhaustive or not.

But that registry list is for program startups. And I have an anti-executable for protection to compensate for not knowing all the program startup registry keys. Are there any other ways to start a process at boot or account sign-in? And how can one check for those?
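The baseline-and-compare approach the question describes, extended past the Run keys to the other places a process can be started at boot or sign-in (scheduled tasks, auto-start services, the two Startup folders and the Winlogon Shell/Userinit values). This is an added example and not code from the thread; it assumes Windows PowerShell 5.1 or later in an elevated session, and the baseline file path is a placeholder you choose.

```powershell
# Added example: snapshot common Windows autostart locations to a JSON baseline,
# then diff a later snapshot against it. Assumes Windows PowerShell 5.1+ running
# as administrator. The key list below is deliberately short; Autoruns covers
# far more locations, but the diff technique is the same for any list.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'   # Shell, Userinit
)

function Get-AutostartSnapshot {
    # Returns a hashtable: "<source>|<location>" -> command line / path
    $items = @{}

    # 1. Registry autostart values
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }      # skip PSPath, PSParentPath, ...
            $items["REG|$key|$($p.Name)"] = [string]$p.Value
        }
    }

    # 2. Scheduled tasks, keyed on path + name, value = what each action executes
    Get-ScheduledTask | ForEach-Object {
        $actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        $items["TASK|$($_.TaskPath)$($_.TaskName)"] = $actions
    }

    # 3. Services that start automatically, value = the binary they launch
    Get-CimInstance Win32_Service | Where-Object { $_.StartMode -eq 'Auto' } | ForEach-Object {
        $items["SVC|$($_.Name)"] = [string]$_.PathName
    }

    # 4. Per-user and all-users Startup folders
    foreach ($folder in 'Startup', 'CommonStartup') {
        $dir = [Environment]::GetFolderPath($folder)
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -File | ForEach-Object {
            $items["STARTUP|$($_.FullName)"] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
    return $items
}

function Save-AutostartBaseline([string]$Path) {
    # Take the baseline on a known-clean machine, before it is exposed to the network
    Get-AutostartSnapshot | ConvertTo-Json -Depth 3 | Set-Content -Path $Path -Encoding UTF8
}

function Compare-AutostartBaseline([string]$Path) {
    # Emits one object per added, changed or removed autostart entry
    $baseline = @{}
    (Get-Content -Path $Path -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $baseline[$_.Name] = [string]$_.Value }
    $current = Get-AutostartSnapshot

    foreach ($k in $current.Keys) {
        if (-not $baseline.ContainsKey($k)) {
            [pscustomobject]@{ Change = 'ADDED';   Entry = $k; Value = $current[$k] }
        } elseif ($baseline[$k] -ne $current[$k]) {
            [pscustomobject]@{ Change = 'CHANGED'; Entry = $k; Value = $current[$k] }
        }
    }
    foreach ($k in $baseline.Keys) {
        if (-not $current.ContainsKey($k)) {
            [pscustomobject]@{ Change = 'REMOVED'; Entry = $k; Value = $baseline[$k] }
        }
    }
}

# Usage (placeholder path):
#   Save-AutostartBaseline -Path 'C:\baseline\autostart.json'
#   ... later ...
#   Compare-AutostartBaseline -Path 'C:\baseline\autostart.json' | Format-Table -AutoSize
```

Two design notes: the Startup-folder entries are keyed on a SHA-256 hash rather than a name, so a replaced file with the same name shows up as CHANGED; and the baseline is only as trustworthy as the machine it was taken on, so store it somewhere the machine itself cannot rewrite (a share with write access revoked, or a separate host).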
 
Google for fileless (or executable-less) malware, COM hijacking, WMI persistence, SMB exploits, kernel exploits, etc.:
Anti-exe and Autoruns can help, but then all system executables have to be set to alert on run. Next, you have to figure out what is hidden behind svchost.exe, etc.
A network attack can be made with high privileges, so the attacker can install drivers & rootkits.
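Three of the spots named in the reply that a plain Run-key list misses, enumerated for review: permanent WMI event subscriptions (filter, consumer, binding), per-user COM class overrides under HKCU that shadow a machine-wide CLSID, and the DLLs the shared svchost.exe hosts actually load. This is an added example, not code from the thread or from the Autoruns project; it assumes Windows PowerShell 5.1 or later run as administrator, and the output is raw material for a human to judge, since legitimate per-user COM registrations and vendor WMI subscriptions do exist.

```powershell
# Added example: enumerate persistence locations outside the Run keys.
# Assumes Windows PowerShell 5.1+ in an elevated session.

function Get-WmiPersistence {
    # A permanent WMI subscription is three objects in root\subscription:
    # an __EventFilter (the trigger), an __EventConsumer (the action) and a
    # __FilterToConsumerBinding joining them. Report all three.
    $ns = 'root\subscription'
    Get-CimInstance -Namespace $ns -ClassName __EventFilter | ForEach-Object {
        [pscustomobject]@{ Kind = 'Filter';  Name = $_.Name; Detail = $_.Query }
    }
    Get-CimInstance -Namespace $ns -ClassName __EventConsumer | ForEach-Object {
        # CommandLineEventConsumer runs a command; ActiveScriptEventConsumer runs script text
        $detail = if ($_.CommandLineTemplate) { $_.CommandLineTemplate }
                  elseif ($_.ScriptText)      { $_.ScriptText }
                  else                        { $_.CimClass.CimClassName }
        [pscustomobject]@{ Kind = 'Consumer'; Name = $_.Name; Detail = $detail }
    }
    Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding | ForEach-Object {
        [pscustomobject]@{ Kind = 'Binding'; Name = "$($_.Filter)"; Detail = "$($_.Consumer)" }
    }
}

function Get-UserComOverrides {
    # COM lookups consult HKCU\Software\Classes before HKLM\Software\Classes, so a
    # per-user InprocServer32 that shadows a machine CLSID loads the user's DLL
    # into whatever trusted process instantiates that class.
    $userRoot = 'HKCU:\Software\Classes\CLSID'
    if (-not (Test-Path $userRoot)) { return }
    Get-ChildItem -Path $userRoot | ForEach-Object {
        $clsid  = $_.PSChildName
        $inproc = "$userRoot\$clsid\InprocServer32"
        if (-not (Test-Path $inproc)) { return }
        [pscustomobject]@{
            CLSID               = $clsid
            UserDll             = (Get-ItemProperty -Path $inproc).'(default)'
            ShadowsMachineEntry = Test-Path "HKLM:\Software\Classes\CLSID\$clsid"
        }
    }
}

function Get-SvchostServiceDlls {
    # svchost.exe is only a host; the code that runs is the ServiceDll named in
    # the service's Parameters key. Resolve it and check its Authenticode status.
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -like '*svchost.exe*' } |
        ForEach-Object {
            $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)"
            $dll = $null
            foreach ($k in @("$svcKey\Parameters", $svcKey)) {
                if (-not (Test-Path $k)) { continue }
                $v = (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).ServiceDll
                if ($v) { $dll = [Environment]::ExpandEnvironmentVariables($v); break }
            }
            $sig = if ($dll -and (Test-Path $dll)) { (Get-AuthenticodeSignature -FilePath $dll).Status }
                   else { 'NoFile' }
            [pscustomobject]@{
                Service    = $_.Name
                HostCmd    = $_.PathName          # includes the -k service group
                ServiceDll = $dll
                Signature  = $sig                 # Valid, NotSigned, HashMismatch, ...
            }
        }
}

# Usage: review each list; sort so the unusual rows surface first
#   Get-WmiPersistence      | Format-Table -AutoSize -Wrap
#   Get-UserComOverrides    | Where-Object ShadowsMachineEntry | Format-Table -AutoSize
#   Get-SvchostServiceDlls  | Where-Object { $_.Signature -ne 'Valid' } | Format-Table -AutoSize
```

On a stock workstation the WMI list is usually empty apart from vendor management agents, so anything with a CommandLineTemplate pointing at a script interpreter deserves a look. For the svchost check, most Microsoft service DLLs are catalog-signed and still report Valid; a DLL outside System32, or one reporting NotSigned or HashMismatch, is the row to investigate.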
 
Worms and so-called sleepers, malware that is dormant for a specific time. I recall reports on some that waited weeks and sometimes even longer. Also, if it's persistence in RAM, many servers aren't rebooted, so that answers itself.

The Ryuk ransomware is one of those that can be extremely persistent, but deeper analysis shows that those networks had been attacked and full access gained before Ryuk started to spread, so even when Ryuk is cleaned, it pops up again. Malware that infects routers and even UEFI is specifically nasty, but even the real experts many times don't know exactly how the attack started. That also automatically makes it harder to know how to actually stop it.
 