This article details how attackers can misuse AWS CLI aliases to stealthily maintain persistence in cloud environments. It explains the mechanics of creating malicious aliases that preserve normal command functionality while executing harmful actions, such as credential exfiltration. A proof of concept demonstrates the technique in action.

This article introduces Swarmer, a tool designed for stealthy modification of the Windows Registry without triggering endpoint detection systems. It leverages legacy Windows features, specifically mandatory user profiles and the Offline Registry API, to achieve persistence without typical detection methods. The authors share insights from its operational use in engagements over the past year.

MacPersistenceChecker is a macOS app that identifies all items set to run automatically on your system. It helps detect malware and unwanted software by scoring each persistence mechanism based on risk factors. Users can analyze and decide what to keep or remove.

This article explains a technique for establishing registry persistence using an NTUSER.MAN file, which allows for registry writes without triggering typical monitoring callbacks. By placing a crafted NTUSER.MAN in a user's profile directory, attackers can load persistence keys directly into HKCU during logon, avoiding detection by conventional EDR solutions.

PowerDodder is a stealthy post-exploitation utility that embeds execution commands into frequently accessed but rarely modified script files, minimizing detection by traditional security measures. It scans for potential script files, allows users to append payload commands, and preserves the original file's modification timestamps to evade scrutiny. The tool's name reflects its method of attaching to host scripts for persistent execution.

Attackers can exploit AWS CodeBuild to gain long-term access to compromised accounts by configuring it as a GitHub Actions runner and backdooring an IAM role. This process allows them to persistently execute commands in the AWS environment, even after the original credentials are revoked. Defenders must monitor CloudTrail logs and audit IAM trust relationships to detect such abuses.