Chapter 6. Post Exploit – Persistence

The final stage of the attacker's kill chain is the "command, control, and communicate" phase, where the attacker relies on a persistent connection with the compromised system to ensure that they can continue to maintain their control.

To be effective, the attacker must be able to maintain interactive persistence—they must have a two-way communication channel with the exploited system (interactive) that remains on the compromised system for a long period of time without being discovered (persistence). This type of connectivity is a requirement because of the following reasons:

  • Network intrusions may be detected, and the compromised systems may be identified and patched
  • Some exploits only work once because the vulnerability is intermittent, exploitation causes the system to fail, or because exploit forces the system to change, rendering the vulnerability unusable
  • Attackers may need to return multiple times to the same...