Linux persistence mechanisms are used by an attacker to maintain access to a compromised system, even after reboots or system updates. These allow attackers to regain control of a system without re-exploiting initial vulnerabilities. Persistence methods can vary in sophistication, from simple cron jobs to more advanced kernel-level hooks. Some common Linux persistence methods include:
- System Services:
  – Systemd Service Persistence: This method involves creating or modifying systemd service files to execute malicious code upon system initialization.
  – SysV Init (init.d) Persistence: This leverages the older SysV init system, using scripts placed in /etc/init.d/ to run malware during system initialization.
- User-level Persistence:
  – SSH Key Persistence: This method adds a backdoor SSH key to the authorized keys, allowing an attacker to log in remotely.
  – Shell Profile Persistence: Modifying shell profile files like .bashrc ensures that malicious scripts run each time a user starts a shell session.
- Cron Jobs and Scheduled Tasks:
  – Cron Job Persistence: An attacker can add cron jobs to ensure a script is executed at regular intervals or during system reboots.
  – At Job Persistence: This can schedule one-time or recurring tasks to maintain persistence.
- File and Package Modifications:
  – Malicious Packages (DPKG/RPM): Attackers can create malicious Debian or RPM packages that install backdoors and ensure persistence during package installations or updates.
  – Password and User Modifications: Adding new users to /etc/passwd or modifying existing user passwords to maintain access.
- Other Techniques:
  – SUID Backdoor: Modifying SUID (Set User ID) binaries can grant an attacker elevated privileges when running specific programs.
  – Docker Container Persistence: Attackers can use a Docker container with a host escape mechanism to maintain access across reboots.
Each of these methods offers different levels of stealth and effectiveness depending on the system’s configuration and the attacker’s goals. We are going to cover some of them here.
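As an added example (not part of the original article or of PANIX), the following POSIX shell script audits a filesystem tree for the artifacts the categories above leave behind: systemd units and shell profiles that execute from temp directories, boot-time cron entries, authorized SSH keys, extra UID 0 accounts and SUID binaries outside the usual system paths. It takes a root directory as argument so it can be run against a mounted image; the thresholds, paths and the constructed sample tree are assumptions.

```shell
# audit_persistence ROOT: report persistence artifacts under a filesystem tree
audit_persistence() {
    root="$1"
    # systemd units that execute from a world-writable staging directory
    for unit in "$root"/etc/systemd/system/*.service; do
        [ -f "$unit" ] || continue
        if grep -Eq '^ExecStart=.*(/tmp|/dev/shm|/var/tmp)/' "$unit"; then
            echo "systemd: ${unit#"$root"} runs from a temp directory"
        fi
    done
    # cron entries that fire at boot or every minute
    for cron in "$root"/etc/crontab "$root"/etc/cron.d/* "$root"/var/spool/cron/crontabs/*; do
        [ -f "$cron" ] || continue
        grep -En '^(@reboot|\* \* \* \* \*)' "$cron" | sed "s|^|cron: ${cron#"$root"}:|"
    done
    # authorized_keys entries (every key is a remote login path; list for review)
    for ak in "$root"/root/.ssh/authorized_keys "$root"/home/*/.ssh/authorized_keys; do
        [ -f "$ak" ] || continue
        grep -En '^(ssh-|ecdsa-|sk-)' "$ak" | sed "s|^|sshkey: ${ak#"$root"}:|"
    done
    # shell profiles that source a file from a temp directory
    for rc in "$root"/root/.bashrc "$root"/home/*/.bashrc "$root"/home/*/.profile; do
        [ -f "$rc" ] || continue
        grep -En '(^|[; ])(\.|source) +(/tmp|/dev/shm|/var/tmp)/' "$rc" | sed "s|^|profile: ${rc#"$root"}:|"
    done
    # UID 0 accounts other than root
    awk -F: '$3 == 0 && $1 != "root" { print "passwd: extra uid-0 account " $1 }' "$root/etc/passwd"
    # SUID binaries outside the standard system paths
    find "$root" -xdev -type f -perm -4000 \
        ! -path "$root/usr/*" ! -path "$root/bin/*" ! -path "$root/sbin/*" \
        | sed "s|^$root|suid: |"
}

# make_sample_root: constructed tree with one example of each artifact (sample data)
make_sample_root() {
    r=$(mktemp -d)
    mkdir -p "$r/etc/systemd/system" "$r/etc/cron.d" "$r/home/alice/.ssh" "$r/opt/tools"
    printf '[Service]\nExecStart=/tmp/.cache/updater\n' > "$r/etc/systemd/system/updater.service"
    printf '@reboot alice /home/alice/.local/sync.sh\n' > "$r/etc/cron.d/sync"
    printf 'ssh-ed25519 AAAAC3constructedkey ops@laptop\n' > "$r/home/alice/.ssh/authorized_keys"
    printf 'alias ll="ls -l"\n. /dev/shm/.env\n' > "$r/home/alice/.bashrc"
    printf 'root:x:0:0::/root:/bin/sh\nsync:x:0:0::/:/bin/sh\nalice:x:1000:1000::/home/alice:/bin/bash\n' > "$r/etc/passwd"
    : > "$r/opt/tools/helper" && chmod 4755 "$r/opt/tools/helper"
    echo "$r"
}

root=$(make_sample_root)
audit_persistence "$root"
rm -rf "$root"
```

Each finding is prefixed with its category and the path relative to the audited root, so the output can be diffed against a known-good baseline of the same host.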
To enable execution of the various persistence mechanisms we utilized a tool called PANIX (