Network attacks and how they achieve persistence

lunarlander

Level 1
Thread author
Verified
Oct 8, 2017
30
Hi,

I am interested in finding out how a network-based attack achieves persistence and methods to stop it from achieving persistence.

Let's say a network attack exploit successfully works, and a minimal payload is now in RAM. How does it survive a reboot? I have a long list of registry keys to check against for starting programs, if I had made a baseline first. But I don't know if that list is exhaustive or not.

But that registry list is for program startups. And I have an anti-executable for protection to compensate for not knowing all the program startup registry keys. Are there any other ways to start a process at boot or account sign-in? And how can one check for those?
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,183
Hi,

I am interested in finding out how a network-based attack achieves persistence and methods to stop it from achieving persistence.

Let's say a network attack exploit successfully works, and a minimal payload is now in RAM. How does it survive a reboot? I have a long list of registry keys to check against for starting programs, if I had made a baseline first. But I don't know if that list is exhaustive or not.

But that registry list is for program startups. And I have an anti-executable for protection to compensate for not knowing all the program startup registry keys. Are there any other ways to start a process at boot or account sign-in? And how can one check for those?
Google for fileless (or executable-less) malware, COM hijacking, WMI persistence, SMB exploits, kernel exploits, etc.
Anti-exe and Autoruns can help, but then all system executables have to be set to alert on the run. Next, you have to figure out what is hidden behind svchost.exe, etc.
A network attack can be made with high privileges, so the attacker can install drivers & rootkits.
 
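As an added example (not code from the thread or from Hard_Configurator), the following PowerShell script does the baseline-and-compare check the question asks about, covering the autostart locations the reply names beyond the Run keys: services (what sits behind svchost.exe), scheduled tasks, WMI permanent event subscriptions, and per-user COM class registrations under HKCU that shadow the machine-wide ones. The baseline file path and the set of locations are assumptions chosen here; run it as an administrator on a machine you believe clean to write the baseline, then rerun it to list entries that were not there before.

```powershell
# Added example: snapshot common Windows autostart locations and compare
# against a saved baseline. Assumes Windows PowerShell 5.1 or later run as
# administrator; the baseline path is a placeholder chosen for this example.
param(
    [string]$BaselinePath = "$env:USERPROFILE\autostart-baseline.json",
    [switch]$SaveBaseline
)

function Get-AutostartSnapshot {
    $items = New-Object System.Collections.Generic.List[object]

    # 1. Classic Run/RunOnce keys for the machine and the current user.
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (Test-Path $key) {
            $props = Get-ItemProperty -Path $key
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -notlike 'PS*') {   # skip PowerShell's own PSPath/PSParentPath metadata
                    $items.Add([pscustomobject]@{ Type = 'RunKey'; Name = "$key\$($p.Name)"; Value = [string]$p.Value })
                }
            }
        }
    }

    # 2. Services: the image path (or hosted DLL) is what actually runs behind svchost.exe.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $items.Add([pscustomobject]@{ Type = 'Service'; Name = $_.Name; Value = "$($_.PathName) [$($_.StartMode)]" })
    }

    # 3. Scheduled tasks: one entry per action so a changed command line shows up.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $items.Add([pscustomobject]@{ Type = 'ScheduledTask'; Name = "$($task.TaskPath)$($task.TaskName)"; Value = "$($action.Execute) $($action.Arguments)" })
        }
    }

    # 4. WMI permanent event subscriptions: a filter bound to a consumer survives reboots
    #    with no file on disk, which is the "fileless" persistence the reply refers to.
    Get-CimInstance -Namespace root\subscription -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue | ForEach-Object {
        $items.Add([pscustomobject]@{ Type = 'WmiBinding'; Name = [string]$_.Filter; Value = [string]$_.Consumer })
    }

    # 5. Per-user COM registrations: a CLSID under HKCU with an InprocServer32 takes
    #    precedence over the HKLM copy for that user (the COM hijacking the reply mentions).
    $hkcuClsid = 'HKCU:\Software\Classes\CLSID'
    if (Test-Path $hkcuClsid) {
        Get-ChildItem -Path $hkcuClsid | ForEach-Object {
            $server = Join-Path $_.PSPath 'InprocServer32'
            if (Test-Path $server) {
                $dll = (Get-ItemProperty -Path $server).'(default)'
                $items.Add([pscustomobject]@{ Type = 'HkcuComInproc'; Name = $_.PSChildName; Value = [string]$dll })
            }
        }
    }

    return $items
}

$snapshot = Get-AutostartSnapshot

# First run (or -SaveBaseline): record the current state as the reference.
if ($SaveBaseline -or -not (Test-Path $BaselinePath)) {
    $snapshot | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath ($($snapshot.Count) entries)"
    return
}

# Later runs: report every entry whose type, name or value is not in the baseline.
$baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
$keyOf = { param($i) "$($i.Type)|$($i.Name)|$($i.Value)" }
$known = @{}
foreach ($b in $baseline) { $known[(& $keyOf $b)] = $true }

$new = $snapshot | Where-Object { -not $known.ContainsKey((& $keyOf $_)) }
if ($new) {
    Write-Host "Autostart entries not present in the baseline:"
    $new | Format-Table -Property Type, Name, Value -AutoSize
} else {
    Write-Host "No new autostart entries since baseline."
}
```

The comparison is only as good as the baseline, so it has to be taken before the machine is exposed, and a new or changed entry is a lead to investigate rather than proof of compromise (updates legitimately add services and tasks). The list of locations here is deliberately short; Autoruns checks far more (drivers, Winlogon, shell extensions, browser helpers and so on), and a rootkit or driver installed with high privileges, as the reply notes, can hide entries from any check that runs on the same system.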

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,458
Worms and so-called sleepers, malware that is dormant for a specific time. I recall reports on some that waited weeks and sometimes even longer. Also, if it's persistence in RAM, many servers aren't rebooted, so that answers itself.

The Ryuk ransomware is one of those that can be extremely persistent, but deeper analysis shows that those networks had been attacked and full access gained before Ryuk started spreading, so even when Ryuk is cleaned, it pops up again. Malware that infects routers and even UEFI is specifically nasty, but even the real experts many times don't know exactly how the attack started. That also automatically makes it harder to know how to actually stop it.
 