A Five-Part Linux Persistence Series: Techniques, Detection, and Simulation


After six months of research, Ruben Groenewoud has completed a comprehensive five-part series on Linux persistence mechanisms, covering techniques not yet documented in MITRE ATT&CK, methods for simulating them safely, and detection strategies for each.

🔗 Series Links:

1️⃣ A Primer on Persistence Mechanisms
2️⃣ A Sequel on Persistence Mechanisms
3️⃣ A Continuation on Persistence Mechanisms
4️⃣ Approaching the Summit on Persistence Mechanisms
5️⃣ The Grand Finale on Linux Persistence

🧪 PANIX Tool for Safe Simulation:

👉 PANIX – Linux Persistence Simulator

You Should Know: Practical Linux Persistence Techniques & Detection

1. Cron Job Persistence

Attackers often use cron jobs to maintain persistence.

Malicious Cron Job Example:

echo "* * * * * /tmp/backdoor.sh" | crontab -   # runs every minute; note that "crontab -" replaces the user's entire crontab

Detection:

crontab -l          # Check current user's cron jobs
ls -la /etc/cron.*  # Inspect system cron directories (cron.d, cron.hourly, cron.daily, ...)

2. SSH Key Injection

Adding an attacker’s SSH key to `authorized_keys`.

Attack Command:

echo "attacker_public_key" >> ~/.ssh/authorized_keys 

Detection:

grep -vE '^#' ~/.ssh/authorized_keys  # List active keys; check for unauthorized keys

3. LD_PRELOAD Hijacking

Injecting malicious libraries via `LD_PRELOAD`.

Malicious Library Injection:

echo "/tmp/malicious_lib.so" > /etc/ld.so.preload 

Detection:

cat /etc/ld.so.preload  # Check for suspicious preloads (the file is normally absent or empty)

4. Systemd Service Persistence

Creating a malicious systemd service.

Attack Command:

cat <<EOF > /etc/systemd/system/evil.service
[Unit]
Description=Evil Service

[Service]
ExecStart=/bin/bash -c "while true; do /tmp/backdoor; sleep 10; done"
Restart=always

[Install]
WantedBy=multi-user.target
EOF

systemctl enable evil.service 

Detection:

systemctl list-units --type=service  # Check for unknown services

5. Bashrc / Profile Modification

Appending malicious commands to shell profiles.

Attack Command:

echo "nohup /tmp/backdoor &" >> ~/.bashrc  # Runs on every interactive shell start

Detection:

tail -n 10 ~/.bashrc ~/.profile  # Inspect shell profiles

What Undercode Says

Linux persistence techniques are evolving, and defenders must stay ahead. Key takeaways:
– Monitor cron jobs (crontab -l, /etc/cron.*).
– Audit SSH keys (~/.ssh/authorized_keys).
– Check LD_PRELOAD hijacking (/etc/ld.so.preload).
– Inspect systemd services (systemctl list-units).
– Review shell profiles (~/.bashrc, ~/.profile).

🔍 Combined Detection Snippet:

# Example detection script snippet
crontab -l                            # current user's cron jobs
grep -vE '^#' ~/.ssh/authorized_keys  # active SSH keys
cat /etc/ld.so.preload                # preloaded libraries
systemctl list-units --type=service   # running/loaded services
tail -n 10 ~/.bashrc ~/.profile       # shell profile tail
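The one-liners above are interactive spot checks on a live host. As an added example (not code from Ruben Groenewoud's series or from PANIX), the POSIX shell script below turns the five checks from sections 1 to 5 into functions that take a root prefix, so the same audit can be run against "/" on a live host or against a mounted disk image. The staging-directory heuristic, the approved-keys baseline file, and the fixture tree written by build_fixture are assumptions made for this example; the fixture simply recreates the five artifacts shown above as constructed test data.

```shell
#!/bin/sh
# Added example (not from the series or from PANIX): read-only audit of the five
# persistence locations discussed above. Each check takes a root prefix so it can
# run against "/" or against a mounted image / fixture tree. The heuristic, the
# approved-keys baseline and the build_fixture data are assumptions.

# Common thread of the examples above: payloads launched from world-writable
# staging directories. Require start-of-line or a separator before the path so
# that /opt/tmp/ is not flagged.
SUSPECT='(^|[^A-Za-z0-9_./-])/(tmp|dev/shm|var/tmp)/'

# flag_lines FILE: print FILE:LINENO:TEXT for non-comment lines matching SUSPECT.
flag_lines() {
    [ -f "$1" ] || return 0
    grep -nE "$SUSPECT" "$1" | grep -vE '^[0-9]+:[[:space:]]*#' | sed "s|^|$1:|"
}

# 1. Cron: per-user spools, /etc/crontab and every /etc/cron.* directory
#    (cron.d, cron.hourly, cron.daily, ...).
audit_cron() {  # $1 = root prefix
    for f in "$1"/var/spool/cron/crontabs/* "$1"/var/spool/cron/* \
             "$1"/etc/crontab "$1"/etc/cron.*/*; do
        flag_lines "$f"
    done
}

# 2. SSH: authorized_keys entries that are not in the approved-keys baseline.
audit_ssh_keys() {  # $1 = root prefix, $2 = file with one approved key line each
    for f in "$1"/root/.ssh/authorized_keys "$1"/home/*/.ssh/authorized_keys; do
        [ -f "$f" ] || continue
        grep -vE '^[[:space:]]*(#|$)' "$f" | grep -vxFf "$2" \
            | sed "s|^|$f: unapproved key: |"
    done
}

# 3. LD_PRELOAD: /etc/ld.so.preload is normally absent or empty, so every
#    non-comment entry is a finding wherever the library lives.
audit_preload() {  # $1 = root prefix
    f="$1/etc/ld.so.preload"
    [ -f "$f" ] || return 0
    grep -vE '^[[:space:]]*(#|$)' "$f" | sed "s|^|$f: preloaded library: |"
}

# 4. systemd: Exec* lines of system and per-user unit files that launch from a
#    staging directory.
audit_systemd() {  # $1 = root prefix
    for f in "$1"/etc/systemd/system/*.service "$1"/etc/systemd/system/*/*.service \
             "$1"/home/*/.config/systemd/user/*.service; do
        [ -f "$f" ] || continue
        grep -nE '^Exec(Start|StartPre|StartPost|Stop)=' "$f" \
            | grep -E "$SUSPECT" | sed "s|^|$f:|"
    done
}

# 5. Shell profiles: system-wide and per-user startup files.
audit_profiles() {  # $1 = root prefix
    for f in "$1"/etc/profile "$1"/etc/bash.bashrc "$1"/etc/profile.d/* \
             "$1"/root/.bashrc "$1"/root/.profile \
             "$1"/home/*/.bashrc "$1"/home/*/.profile "$1"/home/*/.bash_profile; do
        flag_lines "$f"
    done
}

# run_audit ROOT BASELINE: one finding per output line.
run_audit() {
    audit_cron "$1"
    audit_ssh_keys "$1" "$2"
    audit_preload "$1"
    audit_systemd "$1"
    audit_profiles "$1"
}

# build_fixture DIR: recreate the five artifacts from the examples above in a
# scratch tree (constructed test data, including the key strings; not a real host).
build_fixture() {
    mkdir -p "$1/var/spool/cron/crontabs" "$1/etc/cron.d" "$1/etc/systemd/system" \
             "$1/home/alice/.ssh" "$1/etc/profile.d"
    printf '* * * * * /tmp/backdoor.sh\n' > "$1/var/spool/cron/crontabs/alice"
    printf '0 2 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n' > "$1/etc/cron.d/logrotate"
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEY0000000000000000000 alice@laptop\n' \
        > "$1/approved_keys"
    { cat "$1/approved_keys"; printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABEXAMPLE attacker\n'; } \
        > "$1/home/alice/.ssh/authorized_keys"
    printf '/tmp/malicious_lib.so\n' > "$1/etc/ld.so.preload"
    printf '[Unit]\nDescription=Evil Service\n\n[Service]\nExecStart=/bin/bash -c "while true; do /tmp/backdoor; sleep 10; done"\nRestart=always\n\n[Install]\nWantedBy=multi-user.target\n' \
        > "$1/etc/systemd/system/evil.service"
    printf '# ~/.bashrc\nalias ll="ls -la"\nnohup /tmp/backdoor &\n' > "$1/home/alice/.bashrc"
    printf 'export PATH="$PATH:/opt/bin"\n' > "$1/home/alice/.profile"
}

# Usage: sh audit.sh live /etc/ssh/approved_keys   (audit this host)
#        sh audit.sh demo                          (audit the fixture tree)
case "${1:-}" in
    live) run_audit / "${2:?approved-keys baseline file required}" ;;
    demo) d=$(mktemp -d); build_fixture "$d"; run_audit "$d" "$d/approved_keys"; rm -rf "$d" ;;
esac
```

Run with `demo` to see one finding per artifact (five lines for the fixture), or with `live` plus a baseline file of approved public keys to audit the current host. The path heuristic is deliberately narrow; widening SUSPECT to cover other drop locations used in your environment, and diffing the output against a known-good run, is where the script becomes a usable detection rather than a demonstration.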

For deeper analysis, explore Ruben’s full series and PANIX tool. 🚀

References:

Reported By: Ruben Groenewoud – Hackers Feeds
