🥷
Red
  • 🟥Overview
  • 📚Education
    • 🧐Guides
    • 🏋️Training
    • 📕Books
    • 🥳Conventions
    • 📰News
    • 🗝️Physical Tools
    • 🗣️Podcasts
    • 📹YT Channels
  • Setup
    • ctf setup
    • Exploitation Frameworks
    • Learning Offense
    • rando
  • ⭕Attacker Lifecycle
    • Steps
      • Engagement
      • 🔬Recon
        • OSINT
        • Active Recon / footprinting
      • 👀Initial Access
        • Exploit
          • SMB
        • Internal Recon
        • Linux Custom Enum Script
        • enumerate Script
        • Windows Privilege Escalation
      • 🧞Privilege Escalation
        • Ways To Privelege Escalate
      • Data Exfil
        • Data Exfil 1
      • Reporting
  • Bug Bounty
    • Bug Bounty Sites
    • OWASP Top 10
      • Injection
      • Broken Authentication
      • Sensitive Data Exposure
      • XML External Entities (XXE)
      • Broken Access Control
      • Security Misconfigurations
      • Cross-Site Scripting (XSS)
      • Insecure Deserialization
      • Using Components with Known Vulnerabilities
      • Insufficient Logging and Monitoring
Powered by GitBook
On this page
  • Lockheed Martin kill chain
  • Types of Persistence
  • Payload Types
  1. Setup

Learning Offense

PreviousExploitation FrameworksNextrando

Last updated 1 year ago

Lockheed Martin kill chain

How to remember - RWD EICA

  1. Recon

  2. Weaponization

  3. Delivery

  4. Exploitation

  5. Installation

  6. C2

  7. Actions on objectives

Types of Persistence

Slow persistence

Long-haul persistence refers to techniques employed by attackers to maintain access to a compromised system over an extended period, often with the objective of establishing persistent control. It involves using stealthy and persistent mechanisms that survive system reboots and are difficult to detect. Examples of long-haul persistence techniques include:

  1. Rootkits: Malicious software that modifies the operating system to conceal its presence and provide ongoing access for the attacker.

  2. Backdoors: Unauthorized access points left behind by attackers to enable future entry into the compromised system.

  3. Malicious Services: Creating or modifying system services to execute malicious code automatically during system startup.

The primary focus of long haul persistence is to ensure long-term access and control without being easily detected or removed.

Medium Persistence, meant to be burned eventually but not currently.

Short haul persistence refers to techniques used by attackers to maintain access to a compromised system for a limited period. Unlike long haul persistence, these techniques are not intended for prolonged control but for achieving immediate goals, such as lateral movement or data exfiltration. Examples of short haul persistence techniques include:

  1. Credential Theft: Acquiring and using stolen credentials to maintain access to other systems or escalate privileges.

  2. Pass-the-Hash: Leveraging captured password hashes to authenticate and gain unauthorized access to other systems without needing to know the actual passwords.

  3. Remote Access Tools (RATs): Deploying remote administration tools or malware to maintain control and facilitate further actions within the compromised system.

Short haul persistence techniques focus on maximizing the attacker's immediate objectives while minimizing the chances of detection and removal.

Fast persistence to grab information.

Interactive persistence refers to techniques that require direct interaction or involvement from an attacker to maintain access to a compromised system. This form of persistence relies on an ongoing connection or continuous manual effort by the attacker to maintain control. Examples of interactive persistence techniques include:

  • Remote Desktop Sessions: Actively connecting to the compromised system using remote desktop software to control and manipulate it.

  • Command-and-Control (C2) Channels: Establishing a persistent communication channel between the attacker and the compromised system for ongoing control and interaction.

  • Malware with Beaconing: Deploying malware that periodically contacts a remote server to check for commands or instructions from the attacker.

Interactive persistence techniques allow the attacker to actively control and manipulate the compromised system while maintaining a level of stealth to avoid detection.

Payload Types

  • Less secure

  • More brittle

  • Easier to detect

  • Bigger in size

In the context of exploit development, a staged payload refers to a payload that is delivered in multiple stages. It involves breaking the payload into multiple parts or stages and delivering them separately to the target system. The initial stage often called the stager, is typically small and contains just enough code to establish communication with the attacker's server or exploit handler. Once the stager is executed on the target system, it establishes a connection back to the attacker's system and retrieves additional stages of the payload. The subsequent stages are then delivered and executed, allowing for more complex functionality.

The main advantage of using staged payloads is their smaller initial size, making them useful when there are limitations on payload size or when evading detection. Additionally, staged payloads can provide flexibility in terms of delivering different components of the payload at different times, allowing for dynamic updates or evasion techniques.

Staged payload is something you reach out to.

Delivered in multiple stages, with an initial small stager that establishes communication and retrieves additional stages from the attacker's system.

All at once

Typically lower than the standard packet size

A stageless payload, on the other hand, is a self-contained payload that does not require multiple stages for execution. It contains all the necessary code and functionality within a single payload. When the payload is executed on the target system, it performs its intended actions without the need for additional stages or communication with an external handler.

The advantage of using a stageless payload is its simplicity and ease of use. It eliminates the need for additional communication and reduces the complexity associated with multiple stages. It can be particularly useful in scenarios where network connectivity is limited or where there is a need for a standalone payload.

Self-contained payload that does not require additional stages or external communication.

Malware

Average size is a few hundred kilobytes to a few megabytes

LogoGitHub - VirtualAlllocEx/Payload-Download-Cradles: This are different types of download cradles which should be an inspiration to play and create new download cradles to bypass AV/EPP/EDR in context of download cradle detections.GitHub