
Lockheed Martin kill chain
Types of Persistence
Long-haul persistence refers to techniques employed by attackers to maintain access to a compromised system over an extended period, often with the objective of establishing persistent control. It involves using stealthy and persistent mechanisms that survive system reboots and are difficult to detect. Examples of long-haul persistence techniques include:
Rootkits: Malicious software that modifies the operating system to conceal its presence and provide ongoing access for the attacker.
Backdoors: Unauthorized access points left behind by attackers to enable future entry into the compromised system.
Malicious Services: Creating or modifying system services to execute malicious code automatically during system startup.
The primary focus of long-haul persistence is to ensure long-term access and control without being easily detected or removed.
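A defender's counterpart to the "Malicious Services" technique above is to watch service-installation events and flag any new service whose binary does not live where a legitimately installed service would. The following Python is an added example, not part of the original notes: it parses constructed Windows System-log records for Event ID 7045 ("A service was installed in the system") in a simplified key=value export format, and reports services whose image path is outside the standard system and program directories, references a user-writable location, or runs a script interpreter instead of a dedicated binary. The log lines, service names and paths are constructed sample data.

```python
"""Detection check for service-based persistence (added example, constructed data).

Parses simplified key=value exports of Windows System-log records, keeps only
Event ID 7045 (service installed) and flags services whose ImagePath looks
unlike a legitimately installed service.
"""
import re
from dataclasses import dataclass

# Constructed sample records; the format is an assumed key=value export, not a
# real log product's output.
SAMPLE_LOG = """\
EventID=7045 ServiceName="Windows Update Medic Service" ImagePath="C:\\Windows\\System32\\WaaSMedicSvc.exe" StartType="demand start"
EventID=7045 ServiceName="SysHelper" ImagePath="C:\\Users\\Public\\svchost.exe" StartType="auto start"
EventID=7045 ServiceName="UpdateCheck" ImagePath="powershell.exe -File C:\\Users\\Public\\update.ps1" StartType="auto start"
EventID=7036 ServiceName="Print Spooler" State="running"
EventID=7045 ServiceName="VMware Tools" ImagePath="C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe" StartType="auto start"
"""

# Directories where a properly installed service binary is expected to live.
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
# Path fragments that an unprivileged user can normally write to.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\")
# Script interpreters and system host binaries; a service pointing at one of
# these is running code from somewhere else (a script, a DLL, a command line).
INTERPRETERS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe")

_FIELD = re.compile(r'(\w+)=("([^"]*)"|(\S+))')
_EXE = re.compile(r"(.*?\.exe)\b")


@dataclass
class Finding:
    service: str
    image_path: str
    reasons: list


def parse_record(line: str) -> dict:
    """Turn one key=value record into a dict; quoted values may contain spaces."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
            for m in _FIELD.finditer(line)}


def assess_service(record: dict) -> list:
    """Return the reasons a 7045 record looks suspicious (empty list = benign)."""
    reasons = []
    lowered = record.get("ImagePath", "").lower()
    # The executable is everything up to the first ".exe"; anything after it
    # is the service's command-line arguments.
    m = _EXE.match(lowered)
    exe = m.group(1) if m else (lowered.split() or [""])[0]
    if not exe.startswith(TRUSTED_PREFIXES):
        reasons.append("binary outside standard system/program directories")
    if any(marker in lowered for marker in USER_WRITABLE):
        reasons.append("binary or arguments reference a user-writable location")
    if exe.rsplit("\\", 1)[-1] in INTERPRETERS:
        reasons.append("service runs a script interpreter or host binary")
    return reasons


def scan(log_text: str) -> list:
    """Scan an export and return a Finding for every suspicious new service."""
    findings = []
    for line in log_text.splitlines():
        record = parse_record(line)
        if record.get("EventID") != "7045":
            continue  # only service-installation events matter here
        reasons = assess_service(record)
        if reasons:
            findings.append(Finding(record.get("ServiceName", "?"),
                                    record.get("ImagePath", ""), reasons))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.service}: {f.image_path}")
        for r in f.reasons:
            print(f"  - {r}")
```

The allowlist of directories is the weak point of this check: software that installs services under other paths will trigger it, so in practice the trusted prefixes are tuned per environment and the check is paired with a baseline of services already present before the period under investigation.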
Short-haul persistence refers to techniques used by attackers to maintain access to a compromised system for a limited period. Unlike long-haul persistence, these techniques are not intended for prolonged control but for achieving immediate goals, such as lateral movement or data exfiltration. Examples of short-haul persistence techniques include:
Credential Theft: Acquiring and using stolen credentials to maintain access to other systems or escalate privileges.
Pass-the-Hash: Leveraging captured password hashes to authenticate and gain unauthorized access to other systems without needing to know the actual passwords.
Remote Access Tools (RATs): Deploying remote administration tools or malware to maintain control and facilitate further actions within the compromised system.
Short-haul persistence techniques focus on maximizing the attacker's immediate objectives while minimizing the chances of detection and removal.
Interactive persistence refers to techniques that require direct interaction or involvement from an attacker to maintain access to a compromised system. This form of persistence relies on an ongoing connection or continuous manual effort by the attacker to maintain control. Examples of interactive persistence techniques include:
Remote Desktop Sessions: Actively connecting to the compromised system using remote desktop software to control and manipulate it.
Command-and-Control (C2) Channels: Establishing a persistent communication channel between the attacker and the compromised system for ongoing control and interaction.
Malware with Beaconing: Deploying malware that periodically contacts a remote server to check for commands or instructions from the attacker.
Interactive persistence techniques allow the attacker to actively control and manipulate the compromised system while maintaining a level of stealth to avoid detection.
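The "Malware with Beaconing" technique above leaves a characteristic trace on the network: the same internal host contacting the same external endpoint at nearly fixed intervals. The following Python is an added example, not part of the original notes: it groups constructed outbound-connection records per (source, destination) pair, measures how regular the gaps between connections are, and flags pairs that connect often enough and with little enough variation to look like a periodic check-in. Timestamps, hosts and addresses are constructed sample data (the external addresses are from the documentation ranges), and the thresholds are assumed starting values rather than tuned figures.

```python
"""Beacon detection over connection records (added example, constructed data).

A periodic check-in shows up as a low coefficient of variation (standard
deviation / mean) of the intervals between consecutive connections.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed records: "timestamp src dst:port".
#   10.0.0.5  -> 203.0.113.10:443  checks in every ~60 s with a little jitter
#   10.0.0.6  -> 198.51.100.7:443  a person browsing at irregular times
#   10.0.0.7  -> 198.51.100.20:80  perfectly regular but only three samples
SAMPLE_FLOWS = """\
2024-03-01T09:00:00 10.0.0.5 203.0.113.10:443
2024-03-01T09:01:01 10.0.0.5 203.0.113.10:443
2024-03-01T09:01:59 10.0.0.5 203.0.113.10:443
2024-03-01T09:03:02 10.0.0.5 203.0.113.10:443
2024-03-01T09:04:00 10.0.0.5 203.0.113.10:443
2024-03-01T09:04:58 10.0.0.5 203.0.113.10:443
2024-03-01T09:06:01 10.0.0.5 203.0.113.10:443
2024-03-01T09:07:00 10.0.0.5 203.0.113.10:443
2024-03-01T09:00:10 10.0.0.6 198.51.100.7:443
2024-03-01T09:00:14 10.0.0.6 198.51.100.7:443
2024-03-01T09:03:40 10.0.0.6 198.51.100.7:443
2024-03-01T09:15:02 10.0.0.6 198.51.100.7:443
2024-03-01T09:15:03 10.0.0.6 198.51.100.7:443
2024-03-01T09:40:00 10.0.0.6 198.51.100.7:443
2024-03-01T09:00:00 10.0.0.7 198.51.100.20:80
2024-03-01T09:05:00 10.0.0.7 198.51.100.20:80
2024-03-01T09:10:00 10.0.0.7 198.51.100.20:80
"""


def parse_flows(text: str) -> dict:
    """Group connection timestamps by (source, destination) pair."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows


def beacon_score(timestamps: list) -> tuple:
    """Return (median interval in seconds, coefficient of variation).

    Fewer than two timestamps yield no intervals, reported as (0.0, inf) so
    the caller never treats them as periodic.
    """
    times = sorted(timestamps)
    intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if not intervals:
        return 0.0, float("inf")
    mean = statistics.mean(intervals)
    cv = statistics.pstdev(intervals) / mean if mean > 0 else float("inf")
    return statistics.median(intervals), cv


def find_beacons(flows: dict, min_connections: int = 6, max_cv: float = 0.2,
                 max_interval_s: float = 3600.0) -> list:
    """Flag pairs that connect frequently and at unusually regular intervals.

    Thresholds are assumed starting points: at least six connections so the
    regularity is not coincidence, a coefficient of variation of at most 0.2,
    and a median interval of at most an hour.
    """
    hits = []
    for (src, dst), times in flows.items():
        if len(times) < min_connections:
            continue  # too few samples to call the pattern periodic
        median, cv = beacon_score(times)
        if cv <= max_cv and median <= max_interval_s:
            hits.append({"src": src, "dst": dst,
                         "median_interval_s": median, "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_flows(SAMPLE_FLOWS)):
        print(hit)
```

Legitimate software also polls on fixed schedules (time synchronisation, update checks, monitoring agents), so a regularity check like this one is a triage signal to combine with destination reputation and an allowlist of known periodic endpoints, not a verdict on its own. Beacons that deliberately randomise their sleep time raise the coefficient of variation and need a looser threshold or a different feature, such as consistent request sizes.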
Payload Types
In the context of exploit development, a staged payload refers to a payload that is delivered in multiple stages. It involves breaking the payload into multiple parts or stages and delivering them separately to the target system. The initial stage, often called the stager, is typically small and contains just enough code to establish communication with the attacker's server or exploit handler. Once the stager is executed on the target system, it establishes a connection back to the attacker's system and retrieves additional stages of the payload. The subsequent stages are then delivered and executed, allowing for more complex functionality.
The main advantage of using staged payloads is their smaller initial size, making them useful when there are limitations on payload size or when evading detection. Additionally, staged payloads can provide flexibility in terms of delivering different components of the payload at different times, allowing for dynamic updates or evasion techniques.
A stageless payload, on the other hand, is a self-contained payload that does not require multiple stages for execution. It contains all the necessary code and functionality within a single payload. When the payload is executed on the target system, it performs its intended actions without the need for additional stages or communication with an external handler.
The advantage of using a stageless payload is its simplicity and ease of use. It eliminates the need for additional communication and reduces the complexity associated with multiple stages. It can be particularly useful in scenarios where network connectivity is limited or where there is a need for a standalone payload.
Malware
Average size is a few hundred kilobytes to a few megabytes