Persistence

A short catalogue of the common flavours of Linux persistence, with the locations to check for each.

Cron jobs

One of the best-known and most-used persistence mechanisms on Linux. Either a malicious cron job is added, or a legitimate one is weaponized, for example by editing the script an existing entry already runs: check every entry, not only the ones that look new.

Location

  • /etc/crontab - System-wide cron jobs

  • /etc/cron.d/* - System-wide cron jobs dropped in as separate files; a new file here is less conspicuous than an edit to /etc/crontab

  • /etc/cron.hourly/, /etc/cron.daily/, /etc/cron.weekly/, /etc/cron.monthly/ - Scripts run periodically through run-parts; every file in these directories is executed as root

  • /var/spool/cron/crontabs/<user> - User cron jobs on Debian-based systems; Red Hat-based systems keep them in /var/spool/cron/<user>. crontab -l -u <user> shows the same content through the cron interface
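As an added example, not part of the original page, the following shell script walks the cron locations listed above and prints every active (non-comment) entry prefixed with its file and line number, so the output can be saved on a known-good host and diffed later. It assumes the standard Debian and Red Hat paths, uses only find, grep, sed and ls, and takes an optional root directory so it can also be pointed at a mounted disk image.

```shell
#!/usr/bin/env bash
# Added example: enumerate every cron entry a system will actually run.
# ROOT (first argument, default /) lets the same script inspect a mounted
# image instead of the live host.

# Print the active lines of one crontab-format file as path:lineno:content.
# Comment-only and empty lines are dropped so that the output is diffable.
cron_active_lines() {
    f="$1"
    [ -f "$f" ] || return 0
    grep -nEv '^[[:space:]]*(#|$)' "$f" | sed "s|^|$f:|"
}

# Walk all cron locations below ROOT.
audit_cron() {
    root="${1:-}"
    # system-wide crontab and the drop-in directory
    cron_active_lines "$root/etc/crontab"
    for f in "$root"/etc/cron.d/*; do cron_active_lines "$f"; done
    # per-user crontabs: Debian keeps them under crontabs/, Red Hat directly under cron/
    for f in "$root"/var/spool/cron/crontabs/* "$root"/var/spool/cron/*; do
        cron_active_lines "$f"
    done
    # periodic directories hold whole scripts, so list them with owner and mtime
    for d in "$root"/etc/cron.hourly "$root"/etc/cron.daily \
             "$root"/etc/cron.weekly "$root"/etc/cron.monthly; do
        [ -d "$d" ] || continue
        find "$d" -type f -exec ls -la {} + 2>/dev/null || true
    done
}

# Usage: ./audit_cron.sh [ROOT]
if [ $# -gt 0 ]; then audit_cron "$1"; fi
```

Run it once on a freshly provisioned host, keep the output, and diff against it during an investigation; a cron entry that pipes curl or wget into a shell, or that points into /tmp or /dev/shm, should be treated as hostile until the script it runs has been read.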

Shell RC

When a shell starts, it executes its rc and profile files. Any command placed in them runs every time the user opens a shell, which makes them a persistence mechanism that survives reboots without touching any service configuration.

Location

  • <user_profile>/.bashrc - Read by every interactive non-login bash shell

  • <user_profile>/.bash_profile - Read by login shells

  • <user_profile>/.profile - Read by login shells when .bash_profile is absent, and by other sh-compatible shells

  • /etc/bash.bashrc - System-wide equivalent of .bashrc

  • /etc/profile - System-wide equivalent of .profile, read by every login shell of every user

  • /etc/profile.d/* - Sourced by /etc/profile; a new file here is easy to miss

Daemons

Some Unix systems use run levels to specify a state of operation of the OS. There are run levels 0 to 6: at runlevel 0 the system halts, at runlevel 1 it is in single-user mode, and so on.

For each of these levels a set of scripts can be associated. They are executed at startup when the corresponding runlevel is selected, and again whenever the system switches to that runlevel.

A very good explanation from Linux.com :

When you boot your computer, the first thing that it will do is load the bootloader — either GRUB or LILO in most cases. The bootloader will then load the Linux kernel — the core operating system. Next, a process called init starts. This process reads the file /etc/inittab to establish the runlevel to use. The runlevel is the start mode for the computer.

Once init knows the runlevel it will look for the appropriate files or directories as defined in /etc/inittab.

Init will then either run the script files defined by /etc/inittab, or run the script files in the directories defined by /etc/inittab (depending on the set up of your system).

Finally, init will present you with the logon mode that you’ve selected.

Note that init was replaced by Upstart on some systems, and that most current distributions use systemd instead; a system may use yet another init daemon. Identify which one is in use before looking for its configuration, and remember that a distribution running systemd usually still honours /etc/init.d scripts through a compatibility generator.

Location

  • /etc/init.d/* - SysV init scripts

  • /etc/rc[0-6].d/* - Per-runlevel symlinks to the init.d scripts; an S* entry starts the service when the runlevel is entered

  • /etc/rc.local - Run at the end of the multi-user boot on systems that still ship it

  • /lib/systemd/system/* and /usr/lib/systemd/system/* - Systemd units shipped by packages

  • /etc/systemd/system/* - Systemd units added by the administrator; a unit here shadows a packaged unit of the same name

  • <user_profile>/.config/systemd/user/* - Systemd user units, started at login without root. Check .timer units in all of these directories as well: they replace cron jobs and are easy to overlook
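As an added example covering both the shell rc files and the daemon locations above, and not part of the original page, the following script collects those files (home directories are taken from /etc/passwd so that /root and service accounts are included) and greps them for the constructs attackers typically leave behind: reverse shells over /dev/tcp, nc or socat, curl or wget piped into a shell, encoded one-liners, and anything launched from /tmp, /dev/shm or /var/tmp. The pattern list is an assumption of mine and is deliberately noisy; every hit is a starting point for a manual read, not a verdict. The optional root argument lets it run against a mounted image.

```shell
#!/usr/bin/env bash
# Added example: sweep shell startup files and service definitions for the
# constructs commonly dropped in them. Patterns are a starting point, not a
# signature database: review every hit by hand.

# Regex of suspicious content (assumption: tuned for common reverse-shell and
# download-and-execute one-liners plus executables kept in world-writable dirs).
SUSPICIOUS='/dev/tcp/|nc +-[a-z]*e|ncat |socat |bash -i|curl [^|]*[|] *(ba)?sh|wget [^|]*[|] *(ba)?sh|base64 +(-d|--decode)|python[0-9.]* +-c|perl +-e|/tmp/|/dev/shm/|/var/tmp/'

# Print every matching line as path:lineno:content.
scan_file() {
    [ -f "$1" ] || return 0
    grep -nE "$SUSPICIOUS" "$1" | sed "s|^|$1:|"
}

# Emit the rc files and service definitions below ROOT (default /).
startup_files() {
    root="${1:-}"
    for f in "$root"/etc/profile "$root"/etc/bash.bashrc "$root"/etc/profile.d/*; do
        echo "$f"
    done
    # home directories come from passwd, so /root and service accounts are covered
    cut -d: -f6 "$root/etc/passwd" 2>/dev/null | sort -u | while read -r h; do
        for f in .bashrc .bash_profile .profile; do
            echo "$root$h/$f"
        done
    done
    for d in "$root"/etc/init.d "$root"/etc/rc[0-6].d "$root"/etc/rc.local \
             "$root"/etc/systemd/system "$root"/lib/systemd/system \
             "$root"/usr/lib/systemd/system "$root"/etc/systemd/user; do
        find "$d" -type f 2>/dev/null || true
    done
}

# Scan everything startup_files found.
audit_startup() {
    startup_files "$1" | while read -r f; do scan_file "$f"; done
}

# Usage: ./audit_startup.sh [ROOT]
if [ $# -gt 0 ]; then audit_startup "$1"; fi
```

A clean grep is not a clean host: a unit whose ExecStart points at a normal-looking binary in /usr/local/bin, or an rc file that sources a second file elsewhere, passes this filter, so pair it with a mtime review of the same directories (find ... -newermt with the suspected compromise date).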

Setuid binary

A setuid binary runs with the rights of its owner rather than those of the user who launches it. Creating such a binary owned by root, or setting the bit on an existing shell or interpreter, lets an attacker return to root from any low-privileged account on an already compromised machine without touching a single service or login.

To find binaries with the setuid bit set, search the whole filesystem for files carrying that mode bit and compare the result with a known-good baseline; the set of setuid files on a healthy system is small and changes only with package updates.
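As an added example, not the page's own command, the following script lists setuid and setgid files and diffs the list against a baseline taken earlier. It assumes GNU find and coreutils and an optional root argument for scanning a mounted image; paths containing spaces are not handled, which is acceptable for system binaries.

```shell
#!/usr/bin/env bash
# Added example: list setuid/setgid executables and diff the result against a
# baseline taken when the host was known-good. A new entry is either a package
# update or a backdoor; there is no third option worth ignoring.

# Fixed collation so that sort and comm agree regardless of the caller's locale.
export LC_ALL=C

# One line per file: mode owner group path. ROOT (default /) may be a mounted image.
list_setid() {
    root="${1:-/}"
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -ld {} + 2>/dev/null | awk '{print $1, $3, $4, $NF}' | sort
}

# Compare the current list with a saved baseline; prints ADDED/REMOVED lines.
# Returns 1 when anything changed, so it can be wired into a monitoring job.
diff_setid() {
    baseline="$1"; root="${2:-/}"
    list_setid "$root" > "${baseline}.now"
    changed=0
    # entries present now but not in the baseline
    comm -13 "$baseline" "${baseline}.now" | sed 's/^/ADDED   /' | grep . && changed=1
    # entries in the baseline that have disappeared (or lost the bit)
    comm -23 "$baseline" "${baseline}.now" | sed 's/^/REMOVED /' | grep . && changed=1
    rm -f "${baseline}.now"
    return $changed
}

# Usage: ./setid.sh list [ROOT]   or   ./setid.sh diff BASELINE [ROOT]
case "${1:-}" in
    list) list_setid "${2:-/}" ;;
    diff) diff_setid "$2" "${3:-/}" ;;
esac
```

File capabilities grant the same kind of standing privilege without any setuid bit (a copy of python with cap_setuid is as good as a setuid shell), so baseline and diff the output of getcap -r / 2>/dev/null in exactly the same way.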

Accounts / SSH Keys

While these are not direct persistence mechanisms, since they do not by themselves imply code execution, they are widely used by attackers to keep a foothold on a compromised system: a second root account or a planted SSH key outlives a reboot and raises no alert from any service.

Location

  • /etc/passwd - Addition of a user, or an existing account given UID 0; check /etc/shadow for a password set on an account that should not have one, and /etc/sudoers and /etc/sudoers.d/* for new rights

  • <user_profile>/.ssh/authorized_keys - Addition of an SSH key; check every home directory listed in /etc/passwd, including /root and service accounts, not only /home
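As an added example, not part of the original page, the following script performs the two account checks above from /etc/passwd: it reports any account other than root with UID 0, and it lists every authorized_keys entry on the host together with the owner's login shell, so that a key under a nologin service account stands out. The key-type parsing is my own and assumes the standard authorized_keys line format (optional options, key type, key data, comment); the optional root argument allows it to run against a mounted image.

```shell
#!/usr/bin/env bash
# Added example: the two account-level checks implied by the list above, built
# from /etc/passwd so that every home directory is covered, not just /home.

# Any account with UID 0 other than root is a second root login.
extra_uid0() {
    root="${1:-}"
    awk -F: '$3 == 0 && $1 != "root" {print $1}' "$root/etc/passwd"
}

# Every authorized_keys entry as user:shell:keytype:comment. A key under a
# service account, or under an account whose shell is nologin, deserves a
# question; so does a comment you do not recognise.
list_authorized_keys() {
    root="${1:-}"
    awk -F: '{print $1 ":" $6 ":" $7}' "$root/etc/passwd" |
    while IFS=: read -r user home shell; do
        for f in "$root$home/.ssh/authorized_keys" "$root$home/.ssh/authorized_keys2"; do
            [ -f "$f" ] || continue
            grep -Ev '^[[:space:]]*(#|$)' "$f" | awk -v u="$user" -v s="$shell" '
            {
                # the key type token starts with ssh-, ecdsa- or sk-; anything
                # before it is the options field (command=, from=, ...)
                for (i = 1; i <= NF; i++) if ($i ~ /^(ssh-|ecdsa-|sk-)/) break
                c = ""; for (j = i + 2; j <= NF; j++) c = c (c == "" ? "" : " ") $j
                print u ":" s ":" $i ":" c
            }'
        done
    done
}

# Usage: ./audit_accounts.sh [ROOT]
if [ $# -gt 0 ]; then
    extra_uid0 "$1"
    list_authorized_keys "$1"
fi
```

Options such as command= or from= in front of a key are not reported here but are worth reading too: an attacker who restricts their own key to one command is keeping a low profile, not being helpful.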
