[kachapopopow]

first thing comes to mind is just grabbing the cr3 and finding it in physical memory for detection.

also this feels a little bit too much effort for something that was never used in the real world not going to lie.

ICMP reverse shell is a really cool idea, no persistence makes it rather harmless compared to what is possible.

[lima]

Red teams (internal or consultants) use this sort of tooling in the real world. Their job is to emulate a real, competent threat actor. APTs routinely use high-quality rootkits for EDR evasion.

Persistence is actually quite rare nowadays - since it's the most easily detected, red teams usually prefer not to and stay memory-only.

[flipped]

Most workloads are cloud-native these days so a k8s/docker rootkit would make a lot more sense.

[kachapopopow]

I guess it makes sense - as for persistence I guess no point in having any if you can just compromise the target again.

[flipped]

>persistence I guess no point in having any

The most obvious reason would be the fear of patching a vulnerability which the attacker used to gain initial access. Persistence is required.

[ronsor]

Many servers and systems are rarely rebooted, and many campaigns are not that long term. There may not be a reason to compromise the target again.

For example, a ransomware gang may compromise a company's network, steal data, deploy the cryptolocker, and then get out. There's no need to have persistent access; they got what they wanted.

[kachapopopow]

I know that very well considering I have servers that have 5 years of uptime, but generally the environment isn't the same as it was with cloud services living less than a few hours (or even seconds for functional endpoints) this becomes a problem.

my first thoughts is that this is actually a vector against people rather than servers which do reboot daily.