Let's Try: Persistent

Our second requirement for joining those ranks is to be 'persistent'. This goes beyond merely establishing persistence on a host: persistent means the attacker maintains a long dwell time on the network in pursuit of a specific objective, rather than mounting an opportunistic smash-and-grab once initial access has been gained.

Note: this means a long dwell time on the network, not that we are very persistent in our attempts to break in.

Persistence that survives reboots is fairly straightforward, but APT-level persistence (which often involves no on-disk persistence at all, just memory-only implants) is about dwell time, which means our implants have to be quiet and our C2 has to be durable.

"Low and slow" and long-haul C2 are good and all, but you know what is better? Not having to ever, ever, ever worry about your domains getting sinkholed and losing your implants. In the past, the primary way malware authors tried to achieve long-term retention was with a domain generation algorithm (DGA), which let implants compute which new domains to connect back to and when. The catch is that the algorithm and its seed ship inside the implant, so anyone who reverses a sample can precompute the same domains and register or sinkhole them before the operator does. I want my implants to last for 10 years, and I don't want some pesky internet researchers reversing my DGA, sinkholing my botnet, and writing a blog post about it.
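To make the DGA problem concrete, here is an added example (not code from the original post, and not any real family's algorithm): a minimal date-seeded DGA in Python, the implant's rendezvous step, and the defender-side precomputation that makes the whole scheme sinkholeable once the seed is recovered. The seed, label length and TLD list are made up for the example; `registered` stands in for a DNS lookup so it runs offline.

```python
import hashlib
from datetime import date, timedelta

# Constructed values for this example only. A real implant carries its own
# seed, label length and TLD list, and that is exactly what gets reversed.
SEED = b"example-seed-not-real"
LABEL_LEN = 12
TLDS = ("com", "net", "org", "info")
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def _as_date(day):
    """Accept either a datetime.date or an ISO 'YYYY-MM-DD' string."""
    return date.fromisoformat(day) if isinstance(day, str) else day


def generate_domains(day, count=5, seed=SEED):
    """Implant side: derive `count` candidate C2 domains for `day`.

    Operator and implant both run this. The operator registers at most one of
    the day's candidates; the implant walks the list until one resolves, then
    moves on to the next day's list tomorrow.
    """
    day = _as_date(day)
    domains = []
    for i in range(count):
        # Deterministic input: secret seed, the date, and the candidate index.
        material = seed + day.isoformat().encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        label = "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:LABEL_LEN])
        tld = TLDS[digest[-1] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def next_live_domain(day, registered, count=5, seed=SEED):
    """Implant's rendezvous step: return the first candidate for `day` that is
    present in `registered` (a set standing in for 'this name resolves'), or
    None if the operator has lost every candidate for the day."""
    for domain in generate_domains(day, count, seed):
        if domain in registered:
            return domain
    return None


def sinkhole_list(start, days, count=5, seed=SEED):
    """Defender side: once the algorithm and seed have been pulled out of a
    sample, every domain the implant will ever try is a table lookup. The
    list can be registered ahead of the operator or handed to a sinkhole."""
    start = _as_date(start)
    hits = []
    for offset in range(days):
        hits.extend(generate_domains(start + timedelta(days=offset), count, seed))
    return hits


if __name__ == "__main__":
    today = generate_domains("2021-01-07")
    print("candidates for 2021-01-07:", today)
    # Operator registers the third candidate; the implant finds it.
    print("implant rendezvous:", next_live_domain("2021-01-07", {today[2]}))
    # A researcher precomputes a month and registers all of it first.
    taken = set(sinkhole_list("2021-01-01", 31))
    print("31 days precomputed:", len(taken), "domains")
    print("every candidate already sinkholed:", all(d in taken for d in today))
```

The point of `sinkhole_list` is that nothing in the implant's behaviour is secret once a sample has been reversed: the defender's table costs one hash per candidate per day, and whoever registers the names first owns the rendezvous. Changing the seed only buys time until the next sample is pulled apart.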

(To any threat intel weenies reading this, I'd be sooo mad if you called us something like the Hopping Roppers)

Last modified: Thursday, 7 January 2021, 12:01 PM