Comment by lima

13 days ago

Red teams (internal or consultants) use this sort of tooling in the real world. Their job is to emulate a real, competent threat actor. APTs routinely use high-quality rootkits for EDR evasion.

Persistence is actually quite rare nowadays - since it's the most easily detected, red teams usually prefer not to and stay memory-only.

Most workloads are cloud-native these days so a k8s/docker rootkit would make a lot more sense.

I guess it makes sense - as for persistence, I guess there's no point in having any if you can just compromise the target again.

  • >persistence I guess no point in having any

    The most obvious reason would be the fear of patching a vulnerability which the attacker used to gain initial access. Persistence is required.

  • Many servers and systems are rarely rebooted, and many campaigns are not that long term. There may not be a reason to compromise the target again.

    For example, a ransomware gang may compromise a company's network, steal data, deploy the cryptolocker, and then get out. There's no need to have persistent access; they got what they wanted.

    • I know that very well, considering I have servers that have 5 years of uptime, but generally the environment isn't the same as it was: with cloud services living less than a few hours (or even seconds for functional endpoints), this becomes a problem.

      My first thought is that this is actually a vector against people rather than servers, which do reboot daily.