REF2924: How to Maintain Persistence as an Advanced Threat
In a recent update, we explored how the threat group behind SIESTAGRAPH, NAPLISTENER, and SOMNIRECORD maintains persistence in victim environments. Their toolkit includes custom malware, such as .NET webshells, alongside open-source tools like TFirewall and AdFind. With these tools the attackers blend into legitimate processes, establish footholds, and escalate privileges, relying on scheduled tasks, DLL injection, and stealthy HTTP listeners.
For a more detailed breakdown of these persistence techniques and insights into how the group evades detection, check out the full post on the ESL blog: