Host Analysis

Making Windows Users 'Invisible'

Once an attacker gains access to a machine, the timer starts ticking for the defender to notice their activity and kick them off the system. This could be done by terminating a network connection or changing the password on a compromised account. Because of this, threat actors are always trying to find ways to persist in an environment, in other words, to leave a backdoor unlocked so they can let themselves back in. An easy way to do this is to create a new account on the machine and log back into it at a later time.

LOLBins - Download Files

While I’ve been in the industry for a while, I’ve never had the opportunity to work in an environment where commands were monitored or recorded for analysis. For most of the red team exposure I have had, I have been focused on gaining initial access using hacking tools (nmap, mimikatz, metasploit, etc.) rather than persisting in an environment. As a result of this background, there’s a bit of a gap in my knowledge around which native applications attackers use to live off the land and persist inside environments.