
Insight: advanced persistent threats
Mandiant pays special attention to advanced persistent threat (APT) groups that receive direction and support from an established nation state. Like other attackers, APT groups try to steal data, disrupt operations or destroy infrastructure. Unlike most cyber criminals, APT attackers pursue their objectives over months or years. They adapt to cyber defenses and frequently retarget the same victim. Just because you have APT-linked malware variants in your system doesn't mean that you're an APT target. But your security team should be aware of this list of the most active APT groups and take extra precautions when they detect malware linked to previous APT attacks.
Blog: advanced persistent threats
To maintain a foothold inside your network, an attacker will typically install a piece of backdoor malware on at least one of your systems. The malware needs to be installed persistently, meaning that it will remain active in the event of a reboot. Most persistence techniques on a Microsoft Windows platform involve the use of the Registry. Notable exceptions include the Startup Folder and trojanizing system binaries. Examining malware persistence locations in the Windows Registry and startup locations is a common technique employed by forensic investigators to identify malware on a host. Each persistence technique commonly seen today leaves a forensic footprint that can be easily collected using most forensic software on the market.
Blog: advanced persistent threats
SharPersist is a new Windows persistence toolkit created by FireEye Mandiant’s Red Team.
Blog: advanced persistent threats
In 2017, Mandiant responded to multiple incidents we attribute to FIN7, and a unique aspect of the incidents was how the group leveraged an application shim database to achieve persistence on systems in multiple environments.