Comment by lima
14 days ago
Red teams (internal or consultants) use this sort of tooling in the real world. Their job is to emulate a real, competent threat actor. APTs routinely use high-quality rootkits for EDR evasion.
Persistence is actually quite rare nowadays - since it's the most easily detected, red teams usually prefer not to and stay memory-only.
Most workloads are cloud-native these days so a k8s/docker rootkit would make a lot more sense.
I guess it makes sense. As for persistence, I guess there's no point in having any if you can just compromise the target again.
>persistence I guess no point in having any
The most obvious reason would be the fear of patching a vulnerability which the attacker used to gain initial access. Persistence is required.
Many servers and systems are rarely rebooted, and many campaigns are not that long term. There may not be a reason to compromise the target again.
For example, a ransomware gang may compromise a company's network, steal data, deploy the cryptolocker, and then get out. There's no need to have persistent access; they got what they wanted.
I know that very well, considering I have servers with 5 years of uptime, but generally the environment isn't the same as it was; with cloud services living less than a few hours (or even seconds for functional endpoints), this becomes a problem.
My first thought is that this is actually a vector against people rather than servers, which do reboot daily.