Episode 37 — Detect Malware Delivery, Persistence Footholds, and Early Intrusion Indicators

In this episode, we’re going to talk about what often happens right after an attacker succeeds in getting something to run or in getting a foothold on a system. That foothold might come from a malicious attachment, a compromised download, a stolen credential, or an exploited vulnerability, but the next goals tend to be similar. The attacker wants a way to deliver malware reliably, keep access even if the system reboots, and begin operating without being noticed. For beginners, it is easy to imagine malware as a single obvious virus, but modern intrusions often involve small, modular components that do one job at a time. One component might open a communication channel, another might steal credentials, and another might maintain persistence. Detecting early intrusion indicators means noticing the signs that this activity is starting, before it becomes a full crisis. The big theme is that early detection is about recognizing unusual patterns, not memorizing every malware family name.

Before we continue, a quick note: this audio course is a companion to our course companion books. The first book is about the exam and provides detailed information on how to pass it best. The second book is a Kindle-only eBook that contains 1,000 flashcards that can be used on your mobile device or Kindle. Check them both out at Cyber Author dot me, in the Bare Metal Study Guides Series.

Malware delivery is the process of getting malicious code onto a system and causing it to execute. Delivery can happen through files, links, drive-by downloads, compromised software updates, or scripts triggered by user actions. Even when a user believes they are opening something normal, like a document or installer, the payload can be hidden inside. Some attacks rely on the user being tricked into enabling extra capabilities, such as granting permissions or allowing a macro-like feature, which changes a simple file into an execution path. In other cases, no user interaction is required beyond visiting a vulnerable service, because exploitation can cause the system to run attacker-controlled code. The key beginner idea is that delivery is not the same as impact. Delivery is just the initial placement and execution, and attackers often keep the first stage small and quiet so it is less likely to be caught.

Once malware executes, an attacker often attempts to establish command and control, which is how they remotely direct the infected system. We’ll refer to that as Command and Control, or C 2 for short. This is the communication channel that allows the attacker to send instructions and receive results. C 2 might ride on ordinary-looking web traffic that blends into normal outbound activity, or it might use other protocols depending on what is allowed out of the network. In many environments, outbound traffic is less restricted than inbound traffic, which gives attackers room to communicate. Early intrusion indicators can include unusual outbound connections to unfamiliar destinations, an unusual frequency of connections, or connections at odd times. You do not need to know how to decode every packet to understand the concept. If a system that normally talks to a small set of services suddenly begins reaching out to new places, that change can be meaningful.

Attackers also care about persistence, which is any mechanism that helps them keep access over time. Persistence is necessary because systems reboot, users log out, passwords change, and defenders may remove obvious malware files. A foothold that disappears quickly is less valuable, so attackers try to create something that survives ordinary cleanup. Persistence can involve configuring the system to run something automatically at startup, creating scheduled tasks that run periodically, or installing services that appear legitimate. It can also involve creating new user accounts, adding extra credentials or authentication methods to existing accounts, or modifying settings so that the attacker can re-enter later. For beginners, it helps to define persistence as the attacker’s insurance policy. Even if the initial path closes, the attacker wants a second path that remains open.

A subtle but important early indicator is the creation of unusual auto-start behavior. Systems have many legitimate reasons to run programs at startup, so the challenge is detecting what is abnormal. Indicators can include new startup entries that do not match known software, scheduled tasks that run at strange intervals, or services with names designed to look like system components. Another indicator is a process spawning pattern that is unusual, such as a document application launching a command interpreter or a scripting engine, which is not typical behavior. You do not need to memorize specific process names to understand the logic. The logic is that applications tend to behave in predictable ways, and attackers often force them into unusual roles. When a user-facing application suddenly acts like an automation tool, that is worth investigating.
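The process-spawning rule described above, written out as an added example (this is editorial code, not material from the episode or its companion books). It walks a few constructed process-creation events and flags any command interpreter whose ancestry includes a document, mail or browser application. The process names, the two rule tables and the sample telemetry are illustrative assumptions; the event shape is not any particular product's schema.

```python
# Added example (not from the episode): flag user-facing applications that
# end up launching command interpreters or scripting engines, using a few
# constructed process-creation events. The process names, the two rule
# tables and the sample telemetry are illustrative assumptions, not vendor
# detection content.
from collections import namedtuple

ProcEvent = namedtuple("ProcEvent", "ts host user pid ppid parent child cmdline")
Finding = namedtuple("Finding", "ts host user chain cmdline")

# Applications that render documents, mail or web pages; they should not be
# acting as automation tools (assumed list, extend for your environment).
USER_FACING_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                    "acrord32.exe", "msedge.exe", "chrome.exe"}

# Interpreters and common living-off-the-land binaries whose appearance
# under a user-facing ancestor is the "unusual role" described above.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
                "certutil.exe", "bitsadmin.exe"}

# Constructed sample telemetry (not real logs): a document that spawns a
# hidden shell chain, an analyst opening PowerShell from Explorer, and a
# service account running a batch job on a server.
SAMPLE_EVENTS = [
    ProcEvent("2024-05-01T09:02:11", "WS-104", "alice", 4120, 1200, "explorer.exe", "winword.exe", "winword.exe /n invoice.docx"),
    ProcEvent("2024-05-01T09:02:40", "WS-104", "alice", 4388, 4120, "winword.exe", "splwow64.exe", "splwow64.exe 12288"),
    ProcEvent("2024-05-01T09:03:05", "WS-104", "alice", 4402, 4120, "winword.exe", "cmd.exe", "cmd.exe /c powershell -w hidden -nop -f update.ps1"),
    ProcEvent("2024-05-01T09:03:06", "WS-104", "alice", 4410, 4402, "cmd.exe", "powershell.exe", "powershell -w hidden -nop -f update.ps1"),
    ProcEvent("2024-05-01T09:10:00", "WS-104", "alice", 5001, 1200, "explorer.exe", "powershell.exe", "powershell.exe"),
    ProcEvent("2024-05-01T09:15:22", "SRV-DB01", "svc_backup", 812, 600, "services.exe", "cmd.exe", "cmd.exe /c backup.bat"),
]


def find_suspicious_spawns(events, max_depth=3):
    """Return a Finding for every interpreter launch whose ancestry (up to
    max_depth generations back) includes a user-facing application.

    The immediate parent name is always known from the event itself; earlier
    generations are only known if their own creation event was logged, so
    the walk stops quietly at the first gap instead of guessing."""
    by_pid = {}   # (host, pid) -> (name, ppid, parent name), as logged
    findings = []
    for ev in events:
        by_pid[(ev.host, ev.pid)] = (ev.child, ev.ppid, ev.parent)
        if ev.child.lower() not in INTERPRETERS:
            continue
        chain = [ev.child, ev.parent]          # youngest process first
        ppid = ev.ppid
        for _ in range(max_depth):
            rec = by_pid.get((ev.host, ppid))
            if rec is None:
                break
            chain.append(rec[2])
            ppid = rec[1]
        if any(name.lower() in USER_FACING_APPS for name in chain[1:]):
            findings.append(Finding(ev.ts, ev.host, ev.user,
                                    " -> ".join(reversed(chain)), ev.cmdline))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_spawns(SAMPLE_EVENTS):
        print(f"{f.ts} {f.host} {f.user}: {f.chain} :: {f.cmdline}")
```

Run against the sample, only the two launches that trace back to winword.exe are reported; the analyst's PowerShell started from Explorer and the service account's batch job on the server are not, because neither has a user-facing ancestor. Tracking ancestry by process ID per host matters: the second finding is powershell.exe whose direct parent is cmd.exe, which a parent-only rule would miss.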

Another early indicator is credential access behavior. Attackers often try to steal credentials soon after gaining a foothold because credentials allow them to move to other systems and to maintain access even if the infected machine is cleaned. They may attempt to extract saved passwords, harvest session tokens, or capture credentials as users log in. This often shows up as unusual access to credential stores, unusual attempts to read system memory, or unusual authentication attempts from the infected machine to other systems. Even without advanced tools, the beginner can understand the sequence: foothold first, credential theft second, expansion third. If you see a pattern where a system suddenly begins attempting logins to many other systems, that can indicate lateral movement preparation. This is why monitoring authentication logs and internal traffic patterns is so valuable.

Attackers also tend to perform internal reconnaissance after initial access. They may enumerate network shares, search for documents, identify installed software, and map internal systems that might be valuable. This can produce early signals such as unusual queries to directory services, unusual access to many file paths, or an unusual spike in file access events. Many organizations have normal background activity that can mask these signals, so detection depends on baselines. Baselines are simply an understanding of what normal looks like for a given system or user. A file server might normally see many file reads, but a workstation might not. When a workstation suddenly starts touching large numbers of files across many shares, that is a change worth noticing. The beginner insight is that detection is easier when you compare behavior to the expected role of the system.
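The two fan-out signals from the last two paragraphs, logins from one machine to many others and one workstation touching many shares, are the same measurement compared against a role baseline. The following is an added example (editorial code, not from the episode) that buckets constructed authentication and share-access events into hourly windows and alerts when a source touches more distinct targets than its role normally should. The host roles, the per-role limits and the sample events are assumptions; a real deployment would learn the limits from the system's own history.

```python
# Added example (not from the episode): compare each source host's fan-out
# (distinct logon targets, distinct shares touched) per hour against a
# baseline for the host's role. Roles, limits and events are constructed
# assumptions; a real deployment would learn the limits from history.
from collections import defaultdict, namedtuple
from datetime import datetime, timezone

Event = namedtuple("Event", "ts kind src target user")   # kind: "auth" or "share"
Alert = namedtuple("Alert", "src role kind window distinct limit examples")

# Assumed host roles and per-hour limits on distinct targets per kind.
ROLES = {"WS-104": "workstation", "WS-117": "workstation",
         "SRV-BK01": "backup", "SRV-FS01": "server"}
BASELINE = {
    "workstation": {"auth": 3, "share": 5},
    "server": {"auth": 10, "share": 20},
    "backup": {"auth": 200, "share": 500},
}


def fanout_alerts(events, roles=ROLES, baseline=BASELINE, window_s=3600):
    """Bucket events into fixed windows and alert when a source touches more
    distinct targets than its role normally should. Hosts with no known role
    get the strictest (workstation) limits rather than being ignored."""
    targets = defaultdict(set)   # (src, kind, window start epoch) -> targets
    for ev in events:
        epoch = int(ev.ts.timestamp())
        window = epoch - epoch % window_s
        targets[(ev.src, ev.kind, window)].add(ev.target)
    alerts = []
    for (src, kind, window), seen in sorted(targets.items()):
        role = roles.get(src, "workstation")
        limit = baseline[role][kind]
        if len(seen) > limit:
            start = datetime.fromtimestamp(window, tz=timezone.utc).strftime("%H:%M")
            alerts.append(Alert(src, role, kind, start, len(seen), limit, sorted(seen)[:3]))
    return alerts


def _t(hh, mm):
    return datetime(2024, 5, 1, hh, mm, tzinfo=timezone.utc)


# Constructed sample events (not real logs).
SAMPLE_EVENTS = (
    # WS-117: an ordinary day, two logon targets and one share.
    [Event(_t(9, 5), "auth", "WS-117", "SRV-FS01", "dave"),
     Event(_t(9, 6), "share", "WS-117", r"\\SRV-FS01\finance", "dave"),
     Event(_t(9, 40), "auth", "WS-117", "SRV-MAIL01", "dave")]
    # SRV-BK01: the backup job legitimately reaches every server overnight.
    + [Event(_t(2, i), "auth", "SRV-BK01", f"SRV-{i:02d}", "svc_backup") for i in range(1, 21)]
    + [Event(_t(2, i), "share", "SRV-BK01", rf"\\SRV-{i:02d}\c$", "svc_backup") for i in range(1, 21)]
    # WS-104: after the foothold, sweeps 12 servers and 15 shares in one hour.
    + [Event(_t(10, i), "auth", "WS-104", f"SRV-{i:02d}", "alice") for i in range(1, 13)]
    + [Event(_t(10, 20 + i), "share", "WS-104", rf"\\SRV-{(i % 4) + 1:02d}\share{i}", "alice") for i in range(15)]
)


if __name__ == "__main__":
    for a in fanout_alerts(SAMPLE_EVENTS):
        print(f"{a.src} ({a.role}) {a.kind} fan-out {a.distinct} > {a.limit} "
              f"in window starting {a.window} UTC, e.g. {a.examples}")
```

The backup server touches twenty servers and twenty shares and produces nothing, while the workstation doing less in absolute terms produces two alerts, which is the point of the paragraph: the same count means different things for different roles. Counting distinct targets rather than raw events also keeps a workstation that reads one share a thousand times from tripping the rule.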

Malware delivery often includes attempts to evade defenses, and evasion itself can be an indicator. An attacker might try to disable security software, alter logging settings, or run in memory to reduce file artifacts. They might use legitimate tools already present on the system to avoid introducing new binaries that trigger alerts. This is sometimes called living off the land, where attackers abuse normal administrative tools and scripting capabilities. The point for beginners is not to memorize every technique, but to understand that attackers actively try to look normal. That means your detection strategy should not rely solely on catching obvious malware files. It should also watch for unusual uses of legitimate tools, unusual privilege changes, and unusual configuration modifications. Normal tools used at abnormal times or in abnormal ways can be as suspicious as unknown tools.

Communication patterns are a major area for early intrusion indicators because many attacks require outbound connectivity. If a system begins making repeated connections to the same external destination at regular intervals, that can indicate a beaconing pattern. Beaconing is when malware checks in periodically to receive commands. This can be subtle, such as small requests every few minutes, and it may use common ports to blend in. Another indicator is when a system that normally communicates mainly with internal resources begins making significant outbound connections, especially to unfamiliar destinations. Not every new connection is malicious, but changes in patterns matter. This is where egress controls and proxy logs can help because they provide visibility into outbound destinations and can highlight anomalies. The beginner takeaway is that outbound traffic is not just a convenience feature; it is a space where early intrusion behavior often shows up.
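The beaconing and new-destination checks described here and in the earlier C 2 paragraph, as an added example (editorial code, not from the episode). It parses a handful of constructed proxy log lines, measures how regular the gaps between connections to each destination are, and separately lists destinations a host has never contacted before. The line format, the thresholds and the baseline of known destinations are assumptions; the addresses come from the documentation ranges and the lines are invented for the example.

```python
# Added example (not from the episode): find beaconing candidates and
# never-before-seen destinations in outbound proxy records. The log line
# format, the thresholds and the baseline of known destinations are
# assumptions; the log lines themselves are constructed for the example.
import re
from collections import defaultdict, namedtuple
from datetime import datetime
from statistics import mean, pstdev

# Assumed line format: "<utc timestamp> <source ip> <destination host:port> <method> <bytes>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>\S+) (?P<bytes>\d+)$")
Record = namedtuple("Record", "ts src dst method nbytes")
Beacon = namedtuple("Beacon", "src dst count mean_interval cv")


def parse_proxy_log(text):
    """Parse lines matching LINE_RE; malformed lines are skipped, not guessed at."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(Record(ts, m["src"], m["dst"], m["method"], int(m["bytes"])))
    return records


def beacon_candidates(records, min_count=6, max_cv=0.15):
    """Flag (src, dst) pairs with at least min_count connections whose
    inter-arrival times are regular: coefficient of variation (stdev / mean)
    at or below max_cv. Human browsing is bursty and scores a CV above 1."""
    times = defaultdict(list)
    for r in records:
        times[(r.src, r.dst)].append(r.ts)
    out = []
    for (src, dst), ts_list in times.items():
        if len(ts_list) < min_count:
            continue
        ts_list.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            out.append(Beacon(src, dst, len(ts_list), avg, cv))
    return sorted(out, key=lambda b: b.cv)


def new_destinations(records, baseline):
    """Return (src, dst) pairs absent from the per-source baseline of
    destinations seen during a learning period."""
    return sorted({(r.src, r.dst) for r in records if r.dst not in baseline.get(r.src, set())})


# Constructed sample: one host checking in every ~5 minutes with small
# jitter, the same host browsing a known vendor site in bursts, a second
# host with a short regular series that stays below min_count, and one
# malformed line.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z 10.0.5.23 198.51.100.7:443 CONNECT 1024
2024-05-01T09:00:30Z 10.0.5.40 192.0.2.8:443 CONNECT 4410
2024-05-01T09:01:10Z 10.0.5.23 203.0.113.10:443 CONNECT 88211
2024-05-01T09:01:12Z 10.0.5.23 203.0.113.10:443 CONNECT 12077
2024-05-01T09:01:13Z 10.0.5.23 203.0.113.10:443 CONNECT 3301
2024-05-01T09:05:03Z 10.0.5.23 198.51.100.7:443 CONNECT 1024
2024-05-01T09:05:30Z 10.0.5.40 192.0.2.8:443 CONNECT 4410
2024-05-01T09:07:44Z 10.0.5.23 203.0.113.10:443 CONNECT 45000
2024-05-01T09:09:58Z 10.0.5.23 198.51.100.7:443 CONNECT 1024
2024-05-01T09:10:30Z 10.0.5.40 192.0.2.8:443 CONNECT 4410
2024-05-01T09:15:01Z 10.0.5.23 198.51.100.7:443 CONNECT 1024
2024-05-01T09:20:04Z 10.0.5.23 198.51.100.7:443 CONNECT 1024
2024-05-01T09:22:05Z 10.0.5.23 203.0.113.10:443 CONNECT 9100
2024-05-01T09:22:06Z 10.0.5.23 203.0.113.10:443 CONNECT 2048
2024-05-01T09:24:57Z 10.0.5.23 198.51.100.7:443 CONNECT 1024
2024-05-01T09:30:02Z 10.0.5.23 198.51.100.7:443 CONNECT 1024
2024-05-01T09:33:51Z 10.0.5.23 203.0.113.10:443 CONNECT 66001
2024-05-01T09:35:00Z 10.0.5.23 198.51.100.7:443 CONNECT 1024
this line is malformed and should be skipped
"""

# Assumed baseline: destinations each source contacted during a learning period.
BASELINE = {"10.0.5.23": {"203.0.113.10:443"}, "10.0.5.40": {"192.0.2.8:443"}}


if __name__ == "__main__":
    recs = parse_proxy_log(SAMPLE_LOG)
    for b in beacon_candidates(recs):
        print(f"beacon? {b.src} -> {b.dst}: {b.count} hits, mean gap {b.mean_interval:.0f}s, cv {b.cv:.3f}")
    for src, dst in new_destinations(recs, BASELINE):
        print(f"new destination for {src}: {dst}")
```

The check-in series has gaps of 293 to 305 seconds, so its coefficient of variation is about 0.014 and it is flagged; the browsing series to the vendor site has gaps ranging from one second to fourteen minutes and scores above 1. The second host's three evenly spaced connections are not reported because three samples are too few to call anything periodic, which is why a minimum count belongs in the rule. Both functions work on the same parsed records, so one pass over the proxy log feeds both the interval test and the new-destination test.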

Persistence and early intrusion also connect back to identity controls. If an attacker creates a new account, changes group memberships, or modifies access rules, those changes can provide durable access without needing the original malware to remain. These actions may appear in identity system logs as new accounts, unexpected privilege grants, or unusual changes to authentication methods. Another indicator is the use of accounts at unusual times or from unusual devices. This is why Privileged Access Management and careful monitoring of administrative actions matter. Attackers prefer to gain legitimate-looking access that survives cleanup efforts. If you treat identity logs as core security signals, you increase your chances of detecting early intrusion steps. Beginners often focus only on antivirus alerts, but identity events are often more reliable indicators of meaningful compromise.
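The identity signals listed above, turned into rule checks as an added example (editorial code, not from the episode). It runs over a constructed list of audit events and reports new accounts created by anything other than the provisioning account, additions to privileged groups, authentication-method registrations for privileged users or from unregistered devices, and privileged logons outside business hours or from unknown devices. The event shape, the group and account names, the device inventory and the business hours are all assumptions, not any particular directory's audit schema.

```python
# Added example (not from the episode): rule checks over identity audit
# events for new accounts, privilege grants, authentication-method changes,
# and privileged use at odd hours or from unknown devices. The event shape,
# names, hours and sample events are constructed assumptions.
from collections import namedtuple
from datetime import datetime

Finding = namedtuple("Finding", "rule detail ts subject")

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Global Administrators"}
PRIVILEGED_USERS = {"bob.admin"}
PROVISIONING_ACTORS = {"helpdesk-prov"}          # the only accounts expected to create users
KNOWN_DEVICES = {"bob.admin": {"WS-117", "PAW-02"}, "alice": {"WS-104"}}
BUSINESS_HOURS = (7, 19)                         # [start, end) in local hours


def identity_findings(events):
    """Return one Finding per event that matches a rule. Each rule is a
    direct translation of one indicator from the paragraph above."""
    findings = []
    for ev in events:
        kind, ts = ev["type"], datetime.fromisoformat(ev["ts"])
        if kind == "account_created" and ev["actor"] not in PROVISIONING_ACTORS:
            findings.append(Finding("NEW_ACCOUNT", f"created by {ev['actor']}", ts, ev["target"]))
        elif kind == "group_member_added" and ev["group"] in PRIVILEGED_GROUPS:
            findings.append(Finding("PRIVILEGED_GROUP_GRANT",
                                    f"added to {ev['group']} by {ev['actor']}", ts, ev["target"]))
        elif kind == "auth_method_registered":
            reasons = []
            if ev["target"] in PRIVILEGED_USERS:
                reasons.append("privileged user")
            if ev["device"] not in KNOWN_DEVICES.get(ev["target"], set()):
                reasons.append("unregistered device")
            if reasons:
                findings.append(Finding("AUTH_METHOD_CHANGE", ", ".join(reasons), ts, ev["target"]))
        elif kind == "logon" and ev["user"] in PRIVILEGED_USERS:
            reasons = []
            if not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]):
                reasons.append("off-hours")
            if ev["device"] not in KNOWN_DEVICES.get(ev["user"], set()):
                reasons.append("unknown-device")
            if reasons:
                findings.append(Finding("PRIVILEGED_LOGON_ANOMALY", ", ".join(reasons), ts, ev["user"]))
    return findings


# Constructed sample events (not real audit records), in time order.
SAMPLE_EVENTS = [
    {"type": "logon", "ts": "2024-05-01T08:15:00", "user": "bob.admin", "device": "WS-117"},
    {"type": "account_created", "ts": "2024-05-01T08:20:00", "actor": "bob.admin", "target": "svc_report"},
    {"type": "group_member_added", "ts": "2024-05-01T08:21:00", "actor": "bob.admin",
     "target": "svc_report", "group": "Domain Admins"},
    {"type": "account_created", "ts": "2024-05-01T11:00:00", "actor": "helpdesk-prov", "target": "carol"},
    {"type": "logon", "ts": "2024-05-01T12:00:00", "user": "alice", "device": "WS-104"},
    {"type": "auth_method_registered", "ts": "2024-05-01T23:40:00", "target": "bob.admin",
     "device": "unknown-android"},
    {"type": "logon", "ts": "2024-05-01T23:42:00", "user": "bob.admin", "device": "unknown-android"},
]


if __name__ == "__main__":
    for f in identity_findings(SAMPLE_EVENTS):
        print(f"{f.ts:%H:%M} {f.rule:<26} {f.subject}: {f.detail}")
```

On the sample, the morning logon from a known device and the help-desk provisioning of carol produce nothing, while the administrator-created service account, its addition to Domain Admins, the late-night registration of a new authentication method and the logon that follows it from the same unregistered device each produce a finding. Seen together those four are the sequence the paragraph warns about: durable, legitimate-looking access that no longer depends on the original malware.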

Early detection also benefits from understanding what normal looks like at the system level. A workstation usually runs a predictable set of programs, contacts a predictable set of services, and changes configuration relatively rarely. A server has different patterns and may run scheduled jobs, accept inbound connections, and generate more consistent background traffic. When a server begins spawning interactive processes, or when a workstation begins hosting services, that role mismatch can indicate intrusion. Similarly, if a system starts consuming unusual amounts of C P U, disk, or network bandwidth, that could indicate malicious activity like data staging or encryption. Performance changes are not proof, but they are signals. The beginner habit is to treat unexplained changes in role or behavior as worth investigating, especially when combined with other indicators.

A common misconception is that malware always announces itself with obvious symptoms. Many intrusions aim to be quiet, because loud malware gets removed quickly. Another misconception is that detecting malware is purely a matter of signature-based scanning, when many modern detections focus on behavior. Behavior-based detection looks at what a process does, not just what it is named. A third misconception is that persistence is always a single obvious file in a startup folder. Persistence can be distributed across configuration changes, scheduled tasks, accounts, and network pathways. This is why defenders focus on early indicators across multiple layers: endpoint behavior, network patterns, and identity events. You do not have to be an expert to understand this approach. You just need to follow the logic that attackers must do certain things to remain effective, and those actions can leave traces.

In conclusion, detecting malware delivery, persistence footholds, and early intrusion indicators is about spotting unusual patterns that suggest an attacker is trying to establish and maintain control. Malware delivery is the initial placement and execution, often designed to be small and quiet. Command and Control establishes remote direction, often visible through unusual outbound communication patterns. Persistence mechanisms help the attacker survive reboots and cleanup, often through auto-start behavior, scheduled tasks, services, or account changes. Early indicators also include credential theft attempts, internal reconnaissance, and evasion actions that misuse legitimate tools. The decision rule to remember is this: if a system begins behaving outside its normal role by making new outbound connections, creating new auto-run behavior, or triggering unusual identity changes, treat it as a potential early intrusion signal and investigate before the foothold becomes a full compromise.
